Cisco Defense Orchestrator

Edit an ASA Network Policy

CDO allows you to edit network policies and policy rules from the policy details page. You can edit an ASA policy in these ways:

Rename a Policy

  1. Select Policies > Network.
  2. Select the network policy you want to rename.
  3. Click Rename in the details pane. 
  4. Edit the policy name and then click the blue check box to save your change. 

Add Rules to a Policy

  1. Select Policies > Network.
  2. Select the network policy you want to edit.
  3. Click Edit Policy.
  4. In the details pane, click the plus icon in the Edit Tools bar to add a rule to the network policy. The new rule is added above the highlighted rule in the policy. Rules are prioritized by position in the list of rules. The higher the rule position in the table, the higher the priority.
  5. Click Save. CDO identifies which device is affected by the change. 
  6. Review the Devices field in the policy details pane. If you have exceeded the optimal number of entries, you will get a warning such as "ACE count exceeded, 500 max entries, 1000 found"; the limit depends on the kind of ASA hardware you are running on. 
  7. Open the Devices & Services page, and for the affected devices, click Preview and Write... to preview the configuration changes and write them to the ASA's configuration file. 

Move Rules within a Policy

  1. Select Policies > Network.
  2. Select a network policy.  
  3. In the details pane, click Edit Policy.
  4. Select a rule in the rule table and click the Cut (scissors) icon in the Edit Tools bar.
  5. Select the rule above which the cut rule should be placed. Rules are prioritized by position in the list of rules. The higher the rule, the higher the priority.
  6. Click the Paste icon.
  7. Click Save. CDO identifies which device is affected by the change. 
  8. Open the Devices & Services page, and for the affected devices, click Preview and Write... to preview the configuration changes and write them to the ASA's configuration file. 

Move Rules Between Policies

You can copy a rule in one policy and paste it into another.

  1. Select Policies > Network.
  2. Select the network policy with the rule you want to copy. 
  3. In the details pane, click Edit Policy.
  4. Select a rule in the rule table and click the Copy icon in the Edit Tools bar.
  5. Select Policies > Network.
  6. Select the network policy you want to copy the rule to.
  7. In the details pane, click Edit Policy.
  8. Select the rule above which the copied rule should be placed. Rules are prioritized by position in the list of rules. The higher the rule, the higher the priority.
  9. Click the Paste icon.
  10. Click Save. CDO identifies which device is affected by the change. 
  11. Open the Devices & Services page, and for the affected devices, click Preview and Write... to preview the configuration changes and write them to the ASA's configuration file. 

Deactivate Rules in a Policy

Rules are active by default. You can deactivate individual rules within a policy. 

  1. Select Policies > Network.
  2. Select the network policy with the rule you want to deactivate.
  3. Slide the Active setting off.
  4. Click Save. CDO identifies which device is affected by the change. 
  5. Open the Devices & Services page, and for the affected devices, click Preview and Write... to preview the configuration changes and write them to the ASA's configuration file. 

Log Rule Activity

The activity resulting from a network policy rule is not logged by default. You can activate logging for individual rules. 

  1. Select Policies > Network.
  2. Select the network policy with the rule for which you want to activate logging.
  3. Click the slider to activate logging.
  4. Click Edit.
  5. Select the logging level and the frequency at which activity from that rule is collected. The following table lists the syslog message severity levels. 

Severity Level    Description
emergencies       System is unusable.
alert             Immediate action is needed.
critical          Critical conditions.
error             Error conditions.
warning           Warning conditions.
notification      Normal but significant conditions.
informational     Informational messages only.
debugging         Debugging messages only.

Note: ASA does not generate syslog messages with a severity level of zero (emergencies).

 
  1. Click Save. CDO identifies which device is affected by the change. 
  2. Open the Devices & Services page, and for the affected devices, click Preview and Write... to preview the configuration changes and write them to the ASA's configuration file. 

Define a Time Range for a Policy

Time-based ASA Network policies allow access to networks and resources based on time of day. The time of day is defined by a time range object. Time range objects have a start time and an end time and can also be defined as a recurring event. 

If time range objects are already defined on the ASA, you can associate them with a network policy. If time range objects do not already exist on the ASA, you will have to create them using the CLI tool in CDO or create them directly on the ASA.

Follow this procedure to add a time range for a network policy:

  1. Select Policies > Network.
  2. Select the network policy you want to edit.
  3. Click Edit Policy.
  4. In the Network Policy box, click the slider to enable time ranges.
  5. Select a time range from the list. 
  6. Click Save.
  7. Return to the Devices & Services page and select the device for which you just made the policy edit. You should see that the device is Not Synced.
  8. Click Preview and Write...
  9. In the Device Sync box, review the commands that will create the policy and the rules in the policy. 
  10. If you are satisfied with the proposed changes, click Apply Changes to Device.
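As an added example (not code from CDO or Cisco), the following Python parses the kind of access-list commands the Device Sync box shows for a policy edited as above and reports each rule's position, logging level and interval, time range and inactive state, then reproduces the ACE-count warning check from the Add Rules procedure. The ACL name, hosts and time range in the sample are constructed assumptions.

```python
import re

# Constructed sample of the ASA commands CDO would write for one network
# policy; the ACL name, hosts and time range are assumptions, not from the page.
SAMPLE_CONFIG = """\
time-range BUSINESS_HOURS
 periodic weekdays 08:00 to 17:00
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq 443 log informational interval 300
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.11 eq 22 time-range BUSINESS_HOURS
access-list OUTSIDE_IN extended permit udp any host 10.0.0.12 eq 53 inactive
access-list OUTSIDE_IN extended deny ip any any log warnings
access-group OUTSIDE_IN in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (.*)$")
LEVELS = {"emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"}  # ASA CLI keywords

def parse_aces(config):
    """Return the ACEs in config order: list index + 1 is the rule position,
    and an earlier position means higher priority (first match wins)."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # time-range, access-group and other non-ACE lines
        acl, action, rest = m.groups()
        tokens = rest.split()
        ace = {"acl": acl, "action": action, "inactive": "inactive" in tokens,
               "log_level": None, "interval": None, "time_range": None}
        if "log" in tokens:
            i = tokens.index("log") + 1
            # "log" may be followed by a severity name or 0-7 digit, and then
            # by "interval <secs>", the frequency at which hits are reported.
            if i < len(tokens) and (tokens[i] in LEVELS or tokens[i].isdigit()):
                ace["log_level"] = tokens[i]
            if "interval" in tokens:
                ace["interval"] = int(tokens[tokens.index("interval") + 1])
        if "time-range" in tokens:
            ace["time_range"] = tokens[tokens.index("time-range") + 1]
        aces.append(ace)
    return aces

def ace_count_warning(aces, max_entries):
    """Reproduce CDO's warning when a policy exceeds the platform's optimal ACE count."""
    found = len(aces)
    if found <= max_entries:
        return None
    return f"ACE count exceeded, {max_entries} max entries, {found} found"
```

Running the check before Preview and Write with the entry limit of your ASA model tells you in advance whether the policy will trigger the warning described in the Add Rules procedure.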