User Guide for Cisco Security Manager 4.11
Cisco Security Manager 4.11 API Specification (Version 2.3)
Page 45
3 CSM Configuration Service API
The configuration service provides access to read and write the configuration of network and CSM policy objects.
The state of a policy may either be committed or deployed. It is possible that a committed policy is one that has not
yet been deployed to a device. The configuration service API policy methods will return committed policies only.
The policy commit and deployment to the device are two separate operations. It is possible that the current running
device configuration does not reflect all policy configuration changes until they are deployed successfully. See the
class definitions of BasePolicy and BasePolicyObject for details on how the configuration state is captured.
The configState attribute of BasePolicy and BasePolicyObject elements (sections 3.1.1 and 3.1.2) indicates this
state. If the config state is “committed”, the device for which this config has been fetched has pending committed
changes that are not yet deployed. If the config state is “deployed”, all committed changes have been deployed,
i.e. the CSM policy and the device are in sync.
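An added example, not part of the Cisco specification: a Python audit that flags every policy whose configState is not “deployed”, so committed-but-undeployed changes are not mistaken for the running device configuration. The XML layout (`response`, `device`, `policy`, `name`, `type`) is a constructed stand-in because this page does not show the wire format; only `configState` and its two values come from the text.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real CSM schema: every name except configState
# is a placeholder for whatever the policy methods actually return.
SAMPLE = """<response>
  <device name="fw-edge-01">
    <policy type="FirewallAccessRule" configState="deployed"/>
    <policy type="InterfacePolicy"><configState>committed</configState></policy>
  </device>
  <device name="fw-core-02">
    <policy type="AAAPolicy" configState="deployed"/>
    <policy type="FirewallAccessRule"/>
  </device>
</response>"""


def local(tag):
    """Strip an XML namespace prefix such as '{urn:example}policy'."""
    return tag.rsplit("}", 1)[-1]


def config_state(elem):
    """Read configState from an XML attribute or a direct child element."""
    if "configState" in elem.attrib:
        return elem.attrib["configState"].strip().lower()
    for child in elem:
        if local(child.tag) == "configState" and child.text:
            return child.text.strip().lower()
    return None


def audit(xml_text):
    """Return {device: [(policy_type, finding), ...]} for policies not in sync."""
    findings = {}
    for dev in ET.fromstring(xml_text).iter():
        if local(dev.tag) != "device":
            continue
        for pol in dev:
            if local(pol.tag) != "policy":
                continue
            state = config_state(pol)
            if state == "deployed":
                continue  # CSM policy and device are in sync
            # Fail closed: a missing or unrecognised state is reported too.
            finding = "pending-deploy" if state == "committed" else "unknown-state"
            findings.setdefault(dev.get("name"), []).append((pol.get("type"), finding))
    return findings
```

A missing or unexpected configState is reported as `unknown-state` rather than treated as in sync.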
Selective Policy Management is a CSM feature that allows a CSM administrator to selectively manage policies in
CSM. Data corresponding to any policy not selected for management is not maintained in the CSM policy
database, and such policy data is not returned by this API. Consider using the Utility Service API in
such cases.
3.1 Object Model
The following sections describe the object model used by the CSM Configuration Service.
3.1.1 Base Policy
The CSM object model consists of two primary classes. A “Policy” class denotes a specific policy such as an AAA
policy, Interface Policy, Firewall Access Rule etc. Policy classes can additionally reference “Policy Objects” (also
called Building Blocks), which denote reusable objects such as network addresses, services, port lists etc.
As an example, a “Firewall Policy” can define its source and destination addresses as “Network Policy Objects”.
Once defined, policy objects are reusable and can be used by multiple policies.
All Policy classes extend a “BasePolicy” class, and all “Policy Objects” extend a base class called
“BasePolicyObject”. The following class diagram denotes this relationship.