Administration Context
Security Appliances with multiple security contexts enabled use a special context to manage
the system interfaces, as well as all other contexts contained on the firewall. As described
previously, the admin context is created by the Security Appliance when enabled in multiple
security context and uses the admin.cfg file to store the admin context configuration.
Unlike in single mode, where the system configuration controls the network resources, in
multiple-security context mode, the admin context handles all the system network resources
for the Security Appliance. This is required because the system execution space does not
contain any traffic-passing interfaces. All policies and interfaces that have been configured
on the admin context will be used by the system to communicate with other devices.
The authentication, authorization, and accounting (AAA) feature commands are not
accepted in the admin context. Individual logins therefore require credentials from the local
database. It is recommended that restrictions be placed on logins created in the local database
to limit access to the system execution space.
The admin context is also used to acquire a configuration file from a remote location for
another security context. Additionally, these network settings configure the appropriate system-level
syslog options to send syslog data for remote capture.
The admin context is designed to allow a security administrator control over other security
contexts. To create new security contexts or change the admin context, a security administrator
must log into the admin context.
At times, a department or division head requires control over department or division firewall
configurations. This can be accommodated through the assignment of context administrators.
These administrators can only configure and manage the specific context to which they
are assigned and cannot configure or view system resources or the administration context.
To stop different contexts from inadvertently affecting each other, system resources and
VLAN management are done outside the multiple security contexts and within the system
configuration.
An admin context can also be used as a regular security context. This can be a bit tricky, as
all policies applied to the admin context affect the system as well as the assigned interfaces
for the context. If the first new security context is created before an admin context has been
created, the new security context is labeled as the admin context. An already configured
security context can be assigned to act as the admin context. This will convert the current
admin context to a regular security context and will install the newly assigned context as the
admin context. To do this, use the admin-context command in global configuration mode:
admin-context name
NOTE You can only use a context as an admin context if its configuration file resides on
the internal Flash memory.
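The following is an added audit example, not part of the original text or of any Cisco software: it parses a constructed system-configuration fragment, finds the admin-context command, and checks that the named context exists and that its config-url points to internal Flash (disk0: or flash:), which is the restriction stated in the note above. The context names, interface names, and URLs in the sample are constructed.

```python
"""Audit a multiple-context system configuration for a valid admin-context assignment."""

# Constructed sample of a system execution space configuration (not from a real device).
SAMPLE_SYSTEM_CONFIG = """\
mode multiple
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/admin.cfg
context finance
  allocate-interface GigabitEthernet0/2
  config-url tftp://10.0.0.5/finance.cfg
"""

# URL prefixes that denote the appliance's internal Flash memory.
INTERNAL_FLASH = ("disk0:", "flash:")


def parse_system_config(text):
    """Return (admin_context_name, {context: {'config_url': str, 'interfaces': [...]}})."""
    admin, contexts, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # skip blanks and comments
        if line.startswith("admin-context "):
            admin = line.split(None, 1)[1]            # which context is the admin context
        elif line.startswith("context "):
            current = line.split(None, 1)[1]          # enter a context's subcommand block
            contexts[current] = {"config_url": None, "interfaces": []}
        elif current and line.startswith("config-url "):
            contexts[current]["config_url"] = line.split(None, 1)[1]
        elif current and line.startswith("allocate-interface "):
            contexts[current]["interfaces"].append(line.split(None, 1)[1])
    return admin, contexts


def check_admin_context(admin, contexts):
    """Return a list of findings; an empty list means the admin-context assignment is valid."""
    if admin is None:
        return ["no admin-context command in system configuration"]
    if admin not in contexts:
        return [f"admin-context '{admin}' is not a defined context"]
    url = contexts[admin]["config_url"]
    if url is None:
        return [f"context '{admin}' has no config-url"]
    if not url.lower().startswith(INTERNAL_FLASH):
        return [f"admin context '{admin}' config-url '{url}' is not on internal flash"]
    return []


def audit(text):
    """Parse a system configuration and report admin-context findings."""
    return check_admin_context(*parse_system_config(text))
```

Reassigning the admin context to a context whose configuration file is fetched over the network (as the finance context is here) produces a finding, mirroring what the appliance refuses to do.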