Cisco Cisco Prime Security Manager 9.0
Release Notes for ASA CX and Cisco Prime Security Manager 9.3
OL-32019-01
Restrictions
IPv6 Restrictions
For the most part, you can use IPv6 addresses in CX and ASA policies and configuration settings.
However, in the following cases, the ASA will allow IPv6 addresses, but you cannot configure or use
them with PRSM:
• ASA management address—You cannot import an ASA that uses an IPv6 address for the
management interface.
• Bridge groups—An IPv6 address for a bridge group interface is not supported. If you configure an
IPv6 address, it will be ignored and left unmanaged.
ASA Service Policy Object Restrictions
PRSM does not support the following service object commands. If you use these commands on the ASA,
you will not be able to add the ASA to the PRSM inventory.
• port-object
• object-group service {tcp | udp | tcp-udp | icmp-type | protocol}
To manage the ASA, you must first convert all of these unsupported commands to use the object service
or object-group service (without qualifier) commands.
Your other option is to import the ASA in monitor-only mode. In monitor-only mode, PRSM does not
discover the ASA configuration, nor does it manage it. You will not be able to change the configuration
through PRSM. Monitor-only mode is a good option if you want to use other applications to configure
the ASA, such as ASDM or Cisco Security Manager.
Tip
Cisco provides an off-line tool that will convert the unsupported service object commands, and the ACLs
that use them, to the required style. You can use the tool to convert an ASA configuration, then verify it
yourself before you manually apply the changes to the ASA. You can then add the device to the PRSM
inventory. The tool is called CSM to PRSM Migration Tool and is available as a download from the Cisco
Prime Security Manager software download page. The readme file in the download includes instructions
on using the tool.
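A pre-import check for the unsupported service object commands, given here as an added example (it is not Cisco's migration tool and not code from these release notes): it scans a saved ASA configuration for port-object lines, object-group service groups that carry a qualifier, and the ACLs that reference those groups. The sample configurations and the finding labels are constructed for illustration.

```python
import re

# Qualifiers the release notes list as unsupported on "object-group service".
QUALIFIERS = ("tcp", "udp", "tcp-udp", "icmp-type", "protocol")
GROUP_RE = re.compile(r"^object-group service (\S+) (%s)\s*$" % "|".join(QUALIFIERS))
PORT_OBJECT_RE = re.compile(r"^\s*port-object\s")

def find_unsupported(config_text):
    """Return sorted (line_no, kind, text) tuples for lines that block a PRSM import."""
    lines = [raw.rstrip() for raw in config_text.splitlines()]
    findings, flagged = [], set()
    for no, line in enumerate(lines, start=1):
        match = GROUP_RE.match(line)
        if match:
            flagged.add(match.group(1))
            findings.append((no, "qualified-group", line))
        elif PORT_OBJECT_RE.match(line):
            findings.append((no, "port-object", line.strip()))
    # ACLs that reference a flagged group must be rewritten along with it.
    for no, line in enumerate(lines, start=1):
        if line.startswith("access-list ") and any(
            re.search(r"\bobject-group %s(\s|$)" % re.escape(name), line)
            for name in flagged
        ):
            findings.append((no, "acl-uses-group", line))
    return sorted(findings)

# Constructed sample configurations (not from a real device).
BEFORE = """\
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
object-group service APP-SVCS
 service-object tcp destination eq 8443
access-list OUTSIDE_IN extended permit tcp any any object-group WEB-PORTS
"""
AFTER = """\
object-group service WEB-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service APP-SVCS
 service-object tcp destination eq 8443
access-list OUTSIDE_IN extended permit object-group WEB-PORTS any any
"""

if __name__ == "__main__":
    for no, kind, text in find_unsupported(BEFORE):
        print(f"line {no}: {kind}: {text}")
```

An empty result on the converted configuration is the condition to reach before adding the device to the PRSM inventory in managed mode.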
ASA Object Deployment Restrictions
Objects are deployed to an ASA only if they are used in policies assigned to the ASA. This restriction
includes objects that were discovered from an ASA: if the object is in the configuration, but not used by
a policy, it is not redeployed when you commit changes to the ASA.
This can result in odd behavior if you repeatedly add and remove an ASA from the inventory. Unused
objects might be renamed during device discovery, but the objects under the new name will not get
recreated on the ASA when you commit the device to the inventory. Because objects are not deleted from
PRSM when you remove a device, those objects under the new name remain in the database.
To avoid such issues, ensure that every object in the ASA configuration is actually used.