A. Cisco Prime Security Manager is the management tool for the Cisco ASA 5500-X Series Next-Generation Firewalls (NGFW). This application is built on Web 2.0 technologies and supports both single-device and multidevice manager form factors to help manage the following capabilities:
• Application Visibility and Control to help block applications, users and devices
• Web Security Essentials, which includes URL filtering and Web reputation
• Intrusion Prevention on the Cisco Next-Generation Firewalls
• Stateful inspection capabilities to configure Layer 3/Layer 4 access control rules
Q. Who should deploy Cisco Prime Security Manager?
A. Cisco Prime Security Manager is designed to meet the needs of small to large enterprise environments that use Cisco ASA 5500-X Series NGFW. In particular, customers looking to manage core firewall capabilities and Network Address Translation (NAT) are encouraged to deploy this management tool.
Q. What are the features of Cisco Prime Security Manager?
A. Cisco Prime Security Manager provides a range of features for the Cisco ASA 5500-X NGFW platform:
• Preloaded on-box single-device management
• Offered as a Central Management Application for multi-device management
• Top-n traffic-pattern reports (on sources, destinations, devices, and so on) with multiple levels of drill-down
• Object import from the Cisco ASA 5500-X Series NGFW appliances
• Behavior-based policy management for the Cisco ASA 5500-X NGFW solution
• Event analysis for the Cisco ASA 5500-X NGFW
• Proactive health monitoring for the Cisco ASA 5500-X NGFW
• License management for the Cisco ASA 5500-X NGFW
For a detailed summary of Cisco Prime Security Manager features and benefits, please refer to the data sheet available at: http://www.cisco.com/go/prsm.
Q. What is new in the latest release of Cisco Prime Security Manager?
A. The following features are new to the latest Prime Security Manager release.
New Policy Model
Users can now view, create, and modify policies using the 5-tuple policy table for both NGFW Services and ASA-X.
Per-Device Configuration
The group-device configuration has been removed. Users can now import devices and manage them individually.
Repository View
Users can see all their devices and configurations from a single inventory view.
Policy Sharing
Users can share policy sets (for example, Human Resource Servers) and configurations such as syslogs across multiple devices.
ASA-X Device Support
Users can manage core fundamentals of the ASA-X device (firewall, NAT, and events).
ASA-X Command-Line Interface Preview
ASA-X users can also now preview CLI configurations before they deploy the changes to the devices.
ASA-X and NGFW Services High-Availability Dashboard
Device high-availability support has been added to the user interface with dedicated dashboard widgets.
Import Workflow
Users now have more control over the import of NGFW Services in ASA deployments.
Q. How is Cisco Prime Security Manager delivered, and what are the licensing considerations?
A. Every Cisco ASA 5500-X NGFW comes with a preloaded on-box, single-device management version of Cisco Prime Security Manager. This version also has limited storage available for event logging and reporting purposes. In all but the simplest Cisco ASA NGFW deployments, it is recommended that customers purchase the Cisco Prime Security Manager centralized management solution.
The multidevice version of Cisco Prime Security Manager is designed for centralized management of multiple ASA NGFW appliances. This version is available as a VMware ESX-based virtual appliance and in physical appliance form factors.
Licensing in both cases is based on the number of Cisco ASA NGFW appliances that need to be managed. Customers who already have Cisco Prime Security Manager to manage a specific number of devices, but who find that they now need to manage a greater number of devices, can procure licenses to manage the additional devices. Note that these licenses can be applied to existing Prime Security Manager installations, whether they are based on virtual or physical appliance form factors.
Q. What kind of literature is available for Cisco Prime Security Manager?
Cisco Software Application Support (SAS) is not available for Cisco Prime Security Manager.
Q. What options are available to evaluate Cisco Prime Security Manager?
A. Anybody with a valid Cisco.com account can download Cisco Prime Security Manager and use the software for up to 90 days in evaluation mode. Visit http://www.cisco.com/go/prsm and click the Download Software link. There is no separate evaluation license. The product operates automatically in evaluation mode in the absence of an installed permanent license file.
Q. What directory realm configuration settings are imported from the Cisco ASA NGFW platform?
A. The following settings are imported, but with certain restrictions:
• Lightweight Directory Access Protocol (LDAP) directory realms are imported.
• The Active Directory (AD) realm is imported only if no AD realm is defined in Prime Security Manager.
• If an AD realm is defined on both ASA Next-Generation Firewall and Prime Security Manager, they must be identical, or the device import will fail.
Q. What decryption configuration settings are imported from the Cisco ASA Next-Generation Firewall platform?
A. The following settings are imported, but with certain restrictions:
• If decryption is enabled on ASA Next-Generation Firewall or on Prime Security Manager but not both, it will be enabled on the other.
• If decryption is enabled on both ASA NGFW and Prime Security Manager, the certificate and settings must be identical or device import will fail.
Q. What license configuration settings are imported from the Cisco ASA Next-Generation Firewall platform?
A. The following settings are imported, but with certain restrictions:
• Valid licenses on a device are imported. Application services, URL filtering, and web reputation are the valid licenses on the Cisco ASA 5500-X NGFW.
• Invalid licenses, or licenses that are identical to ones already in Prime Security Manager, are replaced with the copies in Prime Security Manager.
• Evaluation licenses are not imported.
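The three import answers above describe a fixed set of merge rules with two hard-fail cases (a mismatched AD realm, and a mismatched decryption certificate or settings). The following Python model of those rules is an added example, not Cisco code and not the product's API; it assumes a simplified dictionary layout for the device and manager configurations and constructed sample values, and exists so that the documented outcome of an import can be checked before the import is attempted.

```python
"""Model of the documented Prime Security Manager import rules (added example,
hypothetical data layout, not Cisco's implementation)."""
from copy import deepcopy

# License types the page names as valid on the Cisco ASA 5500-X NGFW.
VALID_LICENSE_TYPES = {"application-services", "url-filtering", "web-reputation"}


class ImportConflict(Exception):
    """Raised where the documented rules say the device import will fail."""


def merge_directory_realms(device, manager):
    """LDAP realms are imported; the AD realm only if the manager has none,
    and if both sides define one they must be identical."""
    merged = deepcopy(manager)
    for realm in device.get("ldap_realms", []):
        if realm not in merged.setdefault("ldap_realms", []):
            merged["ldap_realms"].append(deepcopy(realm))
    dev_ad, mgr_ad = device.get("ad_realm"), manager.get("ad_realm")
    if dev_ad is not None:
        if mgr_ad is None:
            merged["ad_realm"] = deepcopy(dev_ad)
        elif dev_ad != mgr_ad:
            raise ImportConflict("AD realm differs between device and manager")
    return merged


def merge_decryption(device, manager):
    """Decryption enabled on exactly one side enables it on the other; enabled
    on both requires identical certificate and settings. When only the manager
    has it enabled, the manager view is unchanged (the device side changes)."""
    merged = deepcopy(manager)
    dev = device.get("decryption", {"enabled": False})
    mgr = manager.get("decryption", {"enabled": False})
    if dev["enabled"] and not mgr["enabled"]:
        merged["decryption"] = deepcopy(dev)
    elif dev["enabled"] and mgr["enabled"] and dev != mgr:
        raise ImportConflict("decryption certificate or settings differ")
    return merged


def merge_licenses(device, manager):
    """Valid licenses are imported; invalid or duplicate ones are replaced by
    the manager's copies; evaluation licenses are never imported."""
    merged = [deepcopy(lic) for lic in manager.get("licenses", [])]
    known_keys = {lic["key"] for lic in merged}
    for lic in device.get("licenses", []):
        if lic.get("evaluation"):
            continue
        is_valid = lic["type"] in VALID_LICENSE_TYPES and lic.get("valid", True)
        if not is_valid or lic["key"] in known_keys:
            continue  # the manager's copy, if any, stands in for this one
        merged.append(deepcopy(lic))
        known_keys.add(lic["key"])
    return merged


def preflight_import(device, manager):
    """Return the manager configuration as it would look after a successful
    import, or raise ImportConflict where the page says the import fails."""
    merged = merge_directory_realms(device, manager)
    merged = merge_decryption(device, merged)
    merged["licenses"] = merge_licenses(device, merged)
    return merged


# Constructed sample configurations; no real device, key or certificate.
SAMPLE_DEVICE = {
    "ldap_realms": [{"name": "corp-ldap", "server": "ldap.example.internal"}],
    "ad_realm": {"domain": "corp.example", "server": "dc1.corp.example"},
    "decryption": {"enabled": True, "certificate": "CN=decrypt-ca", "settings": {"min_tls": "1.0"}},
    "licenses": [
        {"type": "url-filtering", "key": "LIC-URL-0001", "valid": True, "evaluation": False},
        {"type": "web-reputation", "key": "LIC-EVAL-0002", "valid": True, "evaluation": True},
        {"type": "application-services", "key": "LIC-APP-0003", "valid": False, "evaluation": False},
    ],
}
SAMPLE_MANAGER = {
    "ldap_realms": [],
    "ad_realm": None,
    "decryption": {"enabled": False},
    "licenses": [{"type": "application-services", "key": "LIC-APP-0003", "valid": True, "evaluation": False}],
}

if __name__ == "__main__":
    print(preflight_import(SAMPLE_DEVICE, SAMPLE_MANAGER))
    conflicting = deepcopy(SAMPLE_MANAGER)
    conflicting["ad_realm"] = {"domain": "corp.example", "server": "dc2.corp.example"}
    try:
        preflight_import(SAMPLE_DEVICE, conflicting)
    except ImportConflict as err:
        print("import would fail:", err)
```

Running the module shows the merged manager view for the compatible case and the documented failure for a manager whose AD realm differs from the device's; the same check applies to a decryption mismatch.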
Q. What configuration settings are not imported from the Cisco ASA 5500-X Series Next-Generation Firewalls?
Q. What will be the response by Prime Security Manager if a user makes CLI changes on ASA-X?
A. Users have two options:
• Abort and alert: This aborts the current deployment and lets users investigate.
• Overwrite: This always overwrites the changes from Prime Security Manager over the out-of-band changes.
Q. How many devices will Prime Security Manager support?
A. Prime Security Manager will support up to 100 devices (NGFW Services and ASA 5500-X), as long as they fall under these limits:
• 10,000 objects
• 5000 policies
• 15,000 events/sec
Q. What does "100-device support" mean?
A. Prime Security Manager will support any one of the following:
• 100 NGFW Services devices
• 100 ASA 5500-X devices
• 100 ASA 5500-X and NGFW Services devices in combination
Q. What ASA-X models does this application support?
A. This tool will support all ASA-X devices with ASA Software Release 9.0 or later. Note that ASA 5505 is not supported by this tool.
Q. Can I manage firewall and NAT policies with this new release and everything else with Cisco Adaptive Security Device Manager?
A. Yes. You can manage policies with this tool and let the device-specific configurations be carried out by ASDM. Here are examples:
• Firewall policies by Cisco Prime Security Manager
• NAT policies by Cisco Prime Security Manager
• Syslog configuration by Cisco Prime Security Manager
• Interface Roles by Cisco Prime Security Manager
• Interface configuration by ASDM
• Routing by ASDM
• VPN by ASDM
• Packet tracer by ASDM
Q. How does policy sharing work in the new Prime Security Manager?
A. Users can import policies and then share policy sets across multiple devices. Although policy rules (within a policy set) cannot be shared across devices, users can create universal policies that can apply either to a single device or to multiple devices. These then become mandatory rules that only an administrator can change.
Q. Is there a single policy rule for both ASA 5500-X hardware platform and NGFW Services?
A. No. These are managed by separate configurations. This separation helps ensure that the ASA-X policies are configured first, followed by the NGFW Services policies.
Q. What built-in PDF reports do we get in this new release?
A. The chart below outlines the reports, grouped by category.
Administrative
• Policy changes
• Top 25 policies by number of transactions
• Traffic summary
Users and Devices
• Top 25 users
• Top 25 devices
Threat Analyses
• Top 25 threats
• Top 25 attackers
• Top 25 targets
• Top 25 policies with maximum threats
Applications and Web Destinations
• Top 25 applications
• Top 25 application types
• Top 25 web destinations
• Top 25 web categories
Q. Which ASA-X features are and are not supported in Cisco Prime Security Manager?
A. The following chart lists these features.
ASA-X Features Supported in Prime Security Manager
ASA-X Features Not Supported in Prime Security Manager