
Cisco PIX 500 Series Security Appliances

Cisco PIX Firewall Manager FAQ

Document ID: 13816

Updated: Sep 26, 2008


Introduction

This document contains frequently asked questions (FAQ) about the Cisco PIX Firewall Manager (PFM).

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Q. What are some general tips for the best PFM performance?

  • Try not to install PFM on a machine that runs Microsoft Internet Information Server (IIS). The install works, but you must verify that PFM does not occupy any server ports used by IIS.

  • If any error messages are displayed during the PFM install, capture them (press ALT + PrtScn (Print Screen), cut and paste to a .txt file, and save). Contact the Technical Assistance Center (TAC) immediately. Do not attempt to proceed.

  • Verify that your Windows NT Service Pack (SP) is up-to-date. All Windows NT SPs through SP5 work on all PFM versions. However, the browser that installs the service pack might not be supported. Check the PFM banner page to verify browser compatibility, and download the appropriate supported version.

Q. Where can I get documentation on the PFM?

A. There is no print manual for the PFM. Online help is provided on most PFM screens. Release notes are provided for each revision. Read them before you start installation.

Q. Why does PFM not install? It says I do not have permission to run the installer.

A. These are possible reasons:

  • You might not be logged into the Windows NT machine locally (not the domain) as administrator. At times, users with administrative rights can successfully install the product, but usually even users in the administrator group do not have enough rights to install the product.

  • You might be attempting to install on a primary domain controller (PDC) or a backup domain controller (BDC). PFM installation needs to create a local Security Access Management (SAM) database for PFM access, which is usually not possible with default PDC or BDC installations. Furthermore, when the PFM process is configured for logging, the machine is taxed. Generally, administrators do not want to task critical network servers, such as PDCs or BDCs with additional services.

Q. Why does my NT system speaker beep continuously after the PFM install?

A. The NT beeps indicate an application port conflict. Usually, a syslog application (Cisco Works, PIX Firewall Syslog Server (PFSS) or a third-party application) is already listening on UDP 514, or a Web server already occupies the PFM default TCP port 8080. Complete these steps to troubleshoot:

  1. Uninstall PFM completely. Use Windows Explorer to remove the install directory.
  2. Reboot the machine.
  3. Log in to the machine locally (not the domain) as administrator (not someone with admin rights).

    Note: Do not run setup yet.

  4. At the command prompt, run netstat -a | findstr # once for each port, where # is the port number. This verifies that neither TCP 8080 nor UDP 514 is listed.
    • If UDP 514 is listed, uninstall the application that uses it.

    • If TCP 8080 is listed, choose an available TCP port. 8081 is usually okay.

    • If you uninstall any applications, repeat steps 2 through 4.

      Note: It is important to reboot.

  5. Check for and repair any error messages in the event viewer. Search for the error message at Microsoft Help and Support for help with the error messages.
  6. Select Control Panel > Services to verify that the server service runs.
  7. Reinstall PFM.
  8. Reboot the machine. You can log into the domain or whatever you want this time.
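The port check in step 4, as an added example that is not part of the Cisco document: it parses a saved `netstat -an` listing (the constructed sample below stands in for real output) and reports which of the two PFM ports are already bound, plus the first free TCP port at or above 8080 to give the installer.

```python
import re

# Ports the FAQ says PFM must own: TCP 8080 for its web server (movable,
# 8081 is the usual alternative) and UDP 514 for syslog (not movable).
PFM_PORTS = {("TCP", 8080), ("UDP", 514)}

# Constructed sample of `netstat -an` output on the PFM host: a web server
# already holds TCP 8080 and a syslog daemon holds UDP 514.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:139           10.1.1.9:1031          ESTABLISHED
  UDP    0.0.0.0:514            *:*
  UDP    10.1.1.5:137           *:*
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def bound_ports(netstat_output):
    """Return the (proto, port) pairs bound on this host.

    TCP sockets count only in LISTENING state; UDP sockets carry no state
    in netstat output, so every UDP line is a bound socket.
    """
    bound = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        bound.add((proto, int(port)))
    return bound


def pfm_conflicts(netstat_output):
    """Return (PFM ports already taken, first free TCP port >= 8080).

    A taken UDP 514 has no workaround except removing the other syslog
    listener, which is why the FAQ says to uninstall that application.
    """
    bound = bound_ports(netstat_output)
    tcp_port = 8080
    while ("TCP", tcp_port) in bound:
        tcp_port += 1
    return sorted(PFM_PORTS & bound), tcp_port
```

Run it against a listing captured on the PFM host before you start setup; the returned TCP port is the one to enter as the alternate port if 8080 is taken.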

Q. I have installed PFM, but it does not run (I do not see the banner page).

A. These are possible reasons:

  • You might not be browsing to the correct address. The correct address is either http://the_nt_ip_address:8080 or http://127.0.0.1:8080. If you selected an alternate port during installation, use the number of the port. Do not attempt to run index.html, because it does not work.

  • Make sure your Windows NT IP Stack is not set to use DHCP. You must be assigned a static address.

  • Make sure this static assigned Windows NT IP address has not changed after installation of PFM.

  • Select Control Panel > Services and make sure the Windows NT server service runs (especially on a Windows NT Workstation). Also, make sure the PFM service is started.

Q. Why do I get the error message "Security violation in all five IP addresses in firewall.html" after I click the configuration link from the banner page?

A. These are possible reasons:

  • You might not be browsing to the correct address. The correct address is either http://the_nt_ip_address:8080 or http://127.0.0.1:8080. If you selected an alternate port during installation, use the number of that port. Do not attempt to run index.html or firewall.html, because these do not work.

  • If your Windows NT box is multi-homed (has more than one NIC) or has multiple IP addresses associated with the NIC, make sure all IP addresses of the machine are listed in Program Files\Cisco\PIX Firewall Manager\jclient\netscape\firewall.html. You can edit this file with a text editor. In some cases, you need to add the Windows NT NetBIOS hostname of this machine as one of the IP address entries in this file. Reboot the server after you edit this file.

  • You might have loaded the Firewall Manager software on a Windows NT box that uses DHCP. Firewall Manager requires a static IP address. If you have changed from DHCP to a static IP address, you need to edit the firewall.html file.

Q. The banner page comes up, and requests a username and password. What is this? Can they be changed from the defaults?

A. The default administrator user name is pixadmin and the default password is cisco. The administrator has read/write configuration abilities.

The default user (read only) username/password is pixuser/cisco. The user manager on the server allows you to add, change, or delete users to the pixadmins or pixusers groups you set up on install.

Q. Is there a log file I can look at to troubleshoot PFM problems?

A. Yes, it is called pfm.log. If you go through this FAQ and still have a problem, the TAC requests this log.

Q. Why does PFM have numerous error messages or not load the configuration after the install?

A. These are possible reasons:

  • You must run the browser displayed on the banner page. Other browser versions are not supported. PFM is optimized for specific versions of the Netscape browser.

  • Make sure you have set up your PIX to allow Telnet from the PFM. Go to a command line, Telnet to the PIX interface, and log in to enable mode to verify.

  • Your PIX has an unsupported interface card in it. Only Singleport 10/100 Ethernet/Fast Ethernet and Token Ring interfaces are supported with this product.

  • Your PIX version and PFM version might not be compatible. Current supported platforms are:

    PIX Major Release Version                                                       | PFM Version
    4.1.x (no interim releases (4.1.x.yyy))                                         | Version must match 4.1.x exactly.
    4.2.x (no interim releases (4.2.x.yyy))                                         | Version must match 4.2.x exactly.
    4.3.2 (no interim releases (4.3.2.yyy))                                         | 4.3(2)
    4.4.x (no interim releases (4.4.x.yyy))                                         | 4.3(2)b, or preferably 4.3(2)c1
    5.0(x) (can work with interim releases 5.0.x.yyy, but not tested or supported)  | 4.3(2)c1 only
    Releases not listed here                                                        | Check the PFM release notes specific to your PIX version.

    4.3.2c does not support any new features or commands in PIX versions earlier than 4.3(2) and can generate error messages intermittently because of these new features. This should not affect your ability to configure the older, supported features.

    You can download the correct code version from the PIX Software Download (registered customers only).

    Caution: Always review hardware requirements and version release notes before you perform a platform upgrade to avoid lengthy network outages.

Q. Does PFM run on Windows 2000?

A. PFM only runs on the platform listed in the documentation, which is Windows NT. The successor to PFM is PIX Device Manager (PDM), which works with browsers on Windows 95, 98, NT, and 2000. PDM is available with PIX 6.0 code.

Q. Does PIX Device Manager (PDM) run on Windows Vista and Windows 2008?

A. PDM works with Java Plug-in 1.4.2, and Vista's Internet Explorer comes with a much later version. In order to access PFM/PDM on Vista or 2008, you must run Sun's JRE v1.4.2. You can download that JRE version from Sun's website.

Note: Any version newer than Sun's JRE v1.4.2 is not compatible with PFM/PDM.

Q. How do I change the PFM administrator (pixadmin) and user (pixuser) passwords from the defaults (which are noted in the PFM release notes)?

A. When PFM installs, it sets up the accounts in the Windows NT user database. The passwords for the default users are changed in the same way as the passwords of other NT users. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains.

Q. How can I download PFM and PDM?

A. Refer to the PIX Software Download (registered customers only) to download the PFM and PDM software described in this document.

Q. Can I use Excel 95, 98, or 2000?

A. You cannot use Excel 95 because the macros are not compatible. Excel 98 and 2000 are not supported.

Q. I cannot open the .dbf files required for offline reporting.

A. You cannot generate reports, such as report.xls, stat.dbf, dns.dbf, monday.dbf, from the PFM active files. You must copy these files to a separate directory, and open them in Excel 97.

Q. Why can I not download the <day>.dbf files?

A. You cannot copy the Monday.dbf file to another directory until Tuesday, and the Tuesday.dbf file until Wednesday, and so on.

Q. I downloaded <day>.dbf, but report.xls contains no data.

A. Make sure that logging is configured properly. Complete these steps:

  1. Logging traps output must be set to debug, or these files do not populate.
  2. Verify that the logging host is pointed at the PFM server.
  3. Make sure your configuration shows logging on.
  4. Press the Immediate syslog notification button in the PFM graphical user interface (GUI) to test successful logging. This generates traffic through the PIX. Verify the activity in the GUI pop-up window.
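The three configuration checks in steps 1 to 3, as an added example that is not part of the Cisco document: it reads a saved PIX configuration listing and reports which of the conditions (logging on, trap level at debugging, a logging host entry for the PFM server) are not met. The `logging` command forms are assumed from the PIX CLI (older `syslog` syntax is not handled), and the sample configuration is constructed.

```python
import re

# PIX syslog severity names and their numeric levels; PFM needs 7.
LEVEL_NAMES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6,
               "debugging": 7}
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample configuration with two of the faults the FAQ lists:
# the trap level is only informational and syslog goes to another host.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.1.1.1 255.255.255.0
logging on
logging trap informational
logging host inside 10.1.1.200
"""


def check_logging(config, pfm_host):
    """Return the list of problems found; an empty list means PFM will log.

    Checks the three FAQ conditions: 'logging on', 'logging trap' at the
    debugging level, and a 'logging host' entry for the PFM server.
    """
    enabled = False
    trap_level = None
    hosts = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["logging", "on"]:
            enabled = True
        elif parts[:2] == ["logging", "trap"] and len(parts) == 3:
            level = parts[2].lower()
            trap_level = int(level) if level.isdigit() else LEVEL_NAMES.get(level)
        elif parts[:2] == ["logging", "host"]:
            # logging host [interface] <ip> [tcp|udp[/port]]: keep the address
            hosts.extend(p for p in parts[2:] if IP_RE.match(p))
    problems = []
    if not enabled:
        problems.append("'logging on' is missing")
    if trap_level is None:
        problems.append("'logging trap' is not configured")
    elif trap_level < 7:
        problems.append("logging trap level is %d; PFM needs debugging (7)"
                        % trap_level)
    if pfm_host not in hosts:
        problems.append("no 'logging host' entry points at the PFM server "
                        + pfm_host)
    return problems
```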

Q. I can open report.xls, but Excel cannot find the .dbf files it needs to run. What is wrong?

A. You are probably using most recently used (MRU), or double-clicking on report.xls from Windows Explorer. Excel 97 tracks MRU files at the bottom of the File menu, and Windows also tracks these in the Start > Documents menu. Do not open report.xls from those locations. If you do, the macros embedded in report.xls do not function properly. You must use the File > Open menu to open report.xls. When you select File > Open, Excel associates that directory with the application. When you use MRU, Excel keeps the file association with the My Documents folder, and report.xls cannot find the .dbf files.

Q. Can I have the password to access and modify the macros embedded in report.xls for my own use?

A. Modifications to that file are not allowed. The product can only be supported when the code is intact. Report.xls is password protected to protect the integrity of the embedded macros. If you have specific needs not addressed by the macro, you can either:

  • Write your own rendition of the macro.

  • Submit an enhancement request through the TAC for future release consideration.
