Managing Security Contexts

Security contexts can be accessed on two levels. A security administrator can log into the
admin context or system execution space. This will allow the security administrator access
to the configuration of all configured contexts, as well as the ability to create new contexts.
Additionally, users can be set up as security administrators for specific contexts. When such a
user logs into the Security Appliance, they will be able to see only the security context to which
they have been assigned. Within that context, they can change the configuration file
information and can monitor the context.

Uploading a Configuration Using the config-url Command

To enable a security context, you must specify a configuration file. The config-url command
is used in context-configuration mode to specify where to find the configuration file for the
context:
config-url url
The url argument assigns the context configuration URL. All remote URLs must be accessible
from the admin context:
■ disk0:/[path/]filename—This option is only available for the ASA platform and indicates
the Flash memory DIMM.
■ disk1:/[path/]filename—This option is only available for the ASA platform and indicates
the Flash memory card.
■ flash:/[path/]—This option indicates the Flash memory DIMM.
■ http[s]://[user[:password]@]server[:port]/[path/]filename—This option indicates the
HTTP or HTTPS server from which to download.
■ tftp://[user[:password]@]server[:port]/[path/]filename—This option indicates the TFTP
server from which to download.
■ ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]—This option indicates
the FTP server from which to download.
type can be one of the following:
— Ap—ASCII passive mode
— An—ASCII normal mode
— Ip—(Default) Binary passive mode
— In—Binary normal mode
The configuration file can be stored in several locations:
■ Disk0/flash—Security Appliance’s Flash filesystem
■ disk1—Security Appliance’s compact Flash
■ tftp—TFTP server
■ ftp—FTP server
■ http(s)—Web server (read only)
The admin context must reside on the local Flash memory DIMM. Configuring a config-url
on a context will cause the context to immediately attempt to retrieve the configuration file.
Make sure all interfaces have been allocated to a context with mapped names before the
config-url command is executed. If a config-url has been configured on a security context
before any interfaces for that context have been assigned mapped names, the newly acquired
context configuration may fail commands referencing the missing interfaces. If the context
cannot retrieve the requested context configuration, the system will create an empty context
configuration file that can be manually configured from the Security Appliance command-line
interface (CLI).
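As an added example (not from this book or from Cisco), the following Python checker parses the config-url forms listed above and reports the points a security administrator reviewing a context's config-url would check: the admin context must reside on the local Flash memory DIMM (disk0/flash, not disk1), credentials embedded in the URL end up in the system configuration, and http/tftp/ftp retrieve the context configuration without encryption. The scheme names and the FTP ;type= values come from the list above; the finding wording and the sample URLs are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# URL forms accepted for the config-url argument (local flash, then remote servers).
LOCAL = re.compile(r"^(?P<scheme>disk0|disk1|flash):/(?P<path>.*)$")
REMOTE = re.compile(
    r"^(?P<scheme>https?|tftp|ftp)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"   # optional user[:password]@
    r"(?P<server>[^:/]+)(?::(?P<port>\d+))?/(?P<path>[^;]*)"
    r"(?:;type=(?P<ftptype>Ap|An|Ip|In))?$"                 # FTP transfer mode suffix
)

@dataclass
class ConfigUrl:
    scheme: str
    path: str
    server: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    password: Optional[str] = None
    ftp_type: Optional[str] = None   # Ip (binary passive) is the default for ftp://

    @property
    def is_local(self) -> bool:
        return self.scheme in ("disk0", "disk1", "flash")

def parse_config_url(url: str) -> ConfigUrl:
    """Split one config-url argument into its parts; unknown forms raise ValueError."""
    m = LOCAL.match(url)
    if m:
        return ConfigUrl(m["scheme"], m["path"])
    m = REMOTE.match(url)
    if not m:
        raise ValueError(f"unsupported config-url form: {url!r}")
    if m["ftptype"] and m["scheme"] != "ftp":
        raise ValueError("';type=' suffix is only valid for ftp:// URLs")
    ftp_type = (m["ftptype"] or "Ip") if m["scheme"] == "ftp" else None
    port = int(m["port"]) if m["port"] else None
    return ConfigUrl(m["scheme"], m["path"], m["server"], port, m["user"], m["password"], ftp_type)

def review_config_url(context: str, url: str, is_admin: bool) -> List[str]:
    """Return review findings for a context's config-url; an empty list means no concerns."""
    cu = parse_config_url(url)
    findings = []
    if is_admin and cu.scheme not in ("disk0", "flash"):   # disk1 is the compact Flash card
        findings.append(f"{context}: admin context configuration must be on the local Flash DIMM")
    if cu.password is not None:
        findings.append(f"{context}: credentials embedded in config-url are stored in the system configuration")
    if cu.scheme in ("http", "tftp", "ftp"):
        findings.append(f"{context}: {cu.scheme} retrieves the context configuration unencrypted")
    return findings
```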
After a context configuration file has been assigned and loaded into the context, a security
administrator might need to move the remote configuration file to a different location.
Changing the config-url to take the move into consideration can be done by reentering the
config-url command. By reentering the config-url, the context will immediately attempt to
download the new configuration file and merge it with the current running configuration for
that context. The merge will only add new configurations to the running configuration. To
avoid this, a security administrator can clear the running configuration, though doing so will
disrupt any communications through the context until the new configuration file is acquired.