Important: This version of the product has reached end of support. The documentation is available for your convenience.

Configuring devices to use security contexts

TrueSight Network Automation supports managing devices that can be configured to use security contexts.

Multiple security contexts (device virtualization) partition one physical appliance into several independent virtual devices, each with its own configuration and policy. Consolidating several security devices into a single chassis in this way reduces the hardware to manage and support, while the per-context separation keeps each virtual device's administration and policy distinct.

The association of devices with security contexts differs according to device type, as discussed in the following topics:

Associating a Cisco device with security contexts

The following Cisco devices can optionally be configured to use either a single security context or multiple security contexts:

  • Cisco Adaptive Security Appliances (ASA)
  • Cisco Application Control Engine Module (ACE)
  • Cisco Firewall Services Module (FWSM)

To add a device with a security context, navigate to Network > Devices > Add.

For device types that support security contexts, the Add Device and Edit Device dialog boxes display a security context selection menu, and the device view shows the selected context. Not a Security Context is the default selection; System, Admin, and User-Defined are the other options.

In the Add Device dialog box, select the applicable security context. When you select User-Defined, you can enter the name that you want to use for the user-defined security context (for example, CiscoSecContext).


The following dialog boxes, views, and reports support Cisco security contexts:

  • Device view: Network > Devices > View
  • Add device: Network > Devices > Add
  • Edit device: Network > Devices > Edit
  • Device filter: Network > Devices > Filter
  • Commit: Network > Jobs > Add/Edit > Commit
  • Add Rule: Network > Rules > Add/Edit
  • View Rules: Network > Rules > View
  • View Rule Set: Network > Rule Sets > View
  • Trace Report: Reports > Compliance Summary Report > Trace
  • Device Inventory Report: Reports > Device Inventory Report > wizard > Report
  • Edit Device Import Tasks: Admin > Device Import > Edit
  • Edit Dynamic Fields: Admin > Dynamic Fields > Edit
  • View Dynamic Fields: Admin > Dynamic Fields > View

The following table summarizes how the Admin, System, and User-Defined security contexts behave on the supported Cisco devices (ASA, FWSM, and ACE). Where the device families differ, the cell says so. For more information, see the Cisco documentation.

Feature | Admin context | System context | User-Defined context
--- | --- | --- | ---
Name | ASA/FWSM: user-defined; ACE: Admin | ASA/FWSM: system; ACE: not applicable in the system context | User-defined
Accessible over the network | Yes | No; reachable only through the admin context | Yes
Supports remote startup config (cannot restore if the startup config is a remote URL) | No | No | ASA/FWSM: Yes; ACE: No
Contents of "show context" | ASA/FWSM: shows only the admin context, marked with "*"; ACE: shows all contexts, admin first | Shows all contexts, admin marked with "*" | Shows only the current context
Emits syslog messages | Yes | No | Yes
Can "write mem all" | ASA/FWSM: No; ACE: Yes | Yes | No
Can reboot | ASA/FWSM: No; ACE: Yes | Yes | No
Has config mode | Yes | Yes | ASA/FWSM: Yes; ACE: No
Has config copy commands for snapshot (tunneling is required when there is no copy command) | Yes (ASA startup config only via TFTP) | Yes; uses the admin context's network connection | ASA/FWSM: Yes (ASA startup config only via TFTP); ACE: No
Has config copy commands for the Deploy to Active and Deploy to Stored actions (tunneling is required for Deploy to Active when there is no copy command) | Yes (ASA only via TFTP) | Yes; uses the admin context's network connection | ASA/FWSM: Yes (ASA only via TFTP); ACE: No
Has image copy commands | ASA/FWSM: No; ACE: Yes | Yes | No
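The table's "show context" rules are what an automation tool has to rely on to know which execution space a CLI session has landed in before it issues a command that only the system space accepts. The following is an added example, not part of the TrueSight Network Automation product or its documentation: it applies the ASA/FWSM rows of the table to classify a session from `show context` output and refuses `write mem all` and `reload` anywhere but the system space. The sample outputs are constructed for the example (their column layout follows the Cisco format but is an assumption here), the function names are the example's own, and the ACE rows (admin context lists all contexts) are not handled. It also covers the one case the table leaves ambiguous: a device with only the admin context configured produces the same listing from the admin context and from the system space.

```python
"""Classify an ASA/FWSM CLI session's execution space from ``show context``
and gate system-only commands on the result.

Added example; not part of the TrueSight Network Automation product or its
documentation. The classification rules come from the table above; the
sample outputs are constructed and their column layout is an assumption.
ACE behaves differently (admin context lists all contexts) and is not covered.
"""
import re

ADMIN = "admin"
SYSTEM = "system"
USER_DEFINED = "user-defined"
AMBIGUOUS = "ambiguous"

# Table rows "Can 'write mem all'" and "Can reboot": system space only on ASA/FWSM.
SYSTEM_ONLY_COMMANDS = ("write memory all", "write mem all", "reload")

# A context line: optional '*' (admin marker), the context name, then at least
# one more column. Header and 'Total active ...' lines are skipped explicitly.
_CONTEXT_LINE = re.compile(r"^(?P<admin>\*?)\s*(?P<name>\S+)\s+\S+")

# Constructed sample outputs (layout assumed; not captured from a device).
SHOW_CONTEXT_SYSTEM = """\
Context Name      Class      Interfaces           Mode         URL
*admin            default    GigabitEthernet0/0   Routed       disk0:/admin.cfg
 ctx1             default    GigabitEthernet0/1   Routed       disk0:/ctx1.cfg
Total active Security Contexts: 2
"""
SHOW_CONTEXT_ADMIN = """\
Context Name      Class      Interfaces           Mode         URL
*admin            default    GigabitEthernet0/0   Routed       disk0:/admin.cfg
Total active Security Contexts: 1
"""
SHOW_CONTEXT_USER = """\
Context Name      Class      Interfaces           Mode         URL
 ctx1             default    GigabitEthernet0/1   Routed       disk0:/ctx1.cfg
Total active Security Contexts: 1
"""


def parse_show_context(output):
    """Return [(context_name, is_admin), ...] from 'show context' output."""
    contexts = []
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Context Name", "Total")):
            continue
        match = _CONTEXT_LINE.match(stripped)
        if match:
            contexts.append((match.group("name"), match.group("admin") == "*"))
    return contexts


def classify_execution_space(output, configured_contexts=None):
    """Apply the table's 'show context' rules for ASA/FWSM.

    - several contexts, admin flagged '*'  -> system execution space
    - one context, not flagged             -> user-defined context
    - one context, flagged '*'             -> admin context, or the system space of
      a device that has only the admin context configured; the two cannot be told
      apart from this output alone, so return AMBIGUOUS unless the caller knows
      more than one context exists (configured_contexts > 1).
    """
    contexts = parse_show_context(output)
    if not contexts:
        raise ValueError("no contexts listed; device may be in single-context mode")
    admin_flagged = any(is_admin for _, is_admin in contexts)
    if len(contexts) > 1:
        if admin_flagged:
            return SYSTEM
        raise ValueError("several contexts but none flagged '*': not an ASA/FWSM layout")
    if not admin_flagged:
        return USER_DEFINED
    if configured_contexts is not None and configured_contexts > 1:
        return ADMIN
    return AMBIGUOUS


def command_allowed(command, execution_space):
    """False if the command needs the system space and we are not known to be in it."""
    needs_system = command.strip().lower().startswith(SYSTEM_ONLY_COMMANDS)
    return not needs_system or execution_space == SYSTEM


if __name__ == "__main__":
    for label, out in (("system", SHOW_CONTEXT_SYSTEM), ("admin-only", SHOW_CONTEXT_ADMIN),
                       ("user", SHOW_CONTEXT_USER)):
        space = classify_execution_space(out)
        print(label, "->", space, "| write mem all allowed:", command_allowed("write mem all", space))
```

The AMBIGUOUS result is deliberate: a script that treats "one context, flagged with *" as the system space would try `write mem all` from the admin context on a single-context box, where the table says it is not available. Pass the number of configured contexts from inventory, or fall back to a second signal such as the prompt, before acting on it.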


Associating an F5 BIG-IP device with security contexts

For the F5 BIG-IP Load Balancer version 10 and later, the User-Defined security context is the only supported option, and it is required. Older versions do not support security contexts, although the selection is still visible in the UI.

The following figure shows security context selection when you add or edit an F5 BIG-IP Load Balancer:

When you select User-Defined security context, in the Name field, enter the name of the administrative partition in which configuration is to be written. The default administrative partition is Common.

Note

To write the configuration to a user-defined administrative partition, set the Deploy to Active action to force tunnel transfer mode.


Associating a Juniper SRX Gateway device with security contexts

Only the User-Defined security context is supported for Juniper SRX Gateway version 11.2R3.3.

The following figure shows the security context selection when adding or editing a Juniper SRX Gateway:

After you select User-Defined, in the Name field, enter the name of the logical system in which configuration is to be written.

