Table Of Contents
Release Notes for Cisco PDM Version 4.1(3) for Firewall Services Module
Switch and Router System Requirements
Maximum Configuration File Size
PC and Workstation Requirements
Features Introduced in PDM Version 4.1
Resource Manager for Access List Memory Pool
Resource Class for PDM Sessions
Suspend/Resume Failover Configuration Sync
System Log Message Enhancements
CLI Commands Not Fully Supported in FWSM
CLI Commands Ignored in Multiple Mode when in System Mode
Miscellaneous CLI Command Operation Limitations
CLI Commands Ignored by PDM in FWSM
Resolved Caveats - Version 4.1(3)
Resolved Caveats - Version 4.1(2)
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco PDM Version 4.1(3) for Firewall Services Module
October 2005
Introduction
Cisco PDM Version 4.1(3) is a web-based application used to configure and monitor the Firewall Services Module (FWSM) on a Catalyst 6500 series switch or Cisco 7600 series router. PDM Version 4.1(3) requires FWSM Release 2.3 or 2.2 and supports all of the configuration features in this release. For more information, see FWSM Technical Documentation and the FWSM FAQ (Frequently Asked Questions) sections in Cisco.com.message.
Note
PDM Version 4.1(3) is a single image that supports FWSM Release 2.3 and 2.2. It does not support FWSM Release 1.1 or the PIX operating system.
This document includes the following sections:
•
•
•
•
•
•
PDM Software Overview
PDM Version 4.1(3) is a single image that provides secure administration of the FWSM. PDM is implemented as a signed Java applet, which downloads to your PC or workstation when you point your browser at the FWSM and does not require a plug-in or other software to be preinstalled. PDM manages FWSM Release 2.3 and 2.2 when it runs in single or multiple context modes.
PDM provides a graphical user interface to the FWSM to administer it without requiring knowledge of the command-line interface (CLI). PDM also maintains compatibility with the FWSM CLI and includes a tool for using the standard CLI commands within the PDM application. PDM lets you graph many aspects of the FWSM, as well as print or export graphs of the traffic through the FWSM and of system activity.
To help you use PDM, the application provides online help as well as a help table of contents, index, and glossary.
Switch and Router System Requirements
The switch and router models that are supported by the FWSM are as follows:
•
–
–
•
–
–
For more information about supported supervisor engine and software versions and the supported Cisco IOS software, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Version 2.3.
Note
For more information on switch or router requirements for FWSM, go to the following website: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/index.htm.
The following sections list the system requirements for PDM Version 4.1(3) software.
FWSM Requirements
The FWSM must meet the following requirements to successfully install and run PDM:
•
•
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/index.htm
Caution
Browser Requirements
The following are required to access one or more firewalls through PDM:
•
•
Maximum Configuration File Size
For optimum performance, we recommend a configuration file of no more than 500 KB when using PDM.
FWSM Firewall configuration files over 500 KB may interfere with the performance of PDM on your workstation in the following situations:
•
•
•
PC and Workstation Requirements
PDM has different requirements depending on the platform from which it is accessed. PDM is not supported for use on computers equipped with the Macintosh operating system, or other versions of the Windows operating systems.
Supported Platforms
Table 1 lists the supported and recommended platforms for PDM Version 4.1(3).
Note
Table 1 Supported Platforms for PDM Version 4.1(3)
Windows
Windows 2000 (Service Pack 3 or higher) or Windows XP operating systems1 (English or Japanese versions)
Internet Explorer 6.0 with native JVM (VM 3809 or higher) , Java Plug-in 1.4.2 or Java Plug-in 1.5.0 (5.0)
Netscape 7.1 or 7.2 with Java Plug-in 1.4.2 or Java Plug-in 1.5.0 (5.0)
Any Pentium III or Pentium-compatible processor running at 450 MHz or higher.
At least 256 MB of RAM. We recommend 192 MB or more.
A 1024 x 768 pixel display and at least High Color (16-bit).
SUN Solaris
Sun Solaris 8 or 9
Mozilla 1.7.3 with Java Plug-in 1.4.2
SPARC microprocessor.
At least 256 MB of RAM.
A 1024 x 768 pixel display and at least 256 colors. High Color (16-bit) recommended.
Linux
Red Hat Linux 9 or Red Hat Enterprise Linux WS version 3
Mozilla 1.7.3 with Java Plug-in 1.4.2
At least 128 MB of RAM. 256 MB recommended.
A 1024 x 768 pixel display with at least 256 colors. High Color (16-bit) recommended.
1 PDM is not supported on Windows 3.1, 95, 98, ME or Windows NT 4.
Note
Features Introduced in PDM Version 4.1
No new features have been introduced in PDM Version 4.1(3) since PDM Version 4.1(2). The purpose of this release is to resolve open caveats. The following sections describe the features introduced in PDM Version 4.1 since PDM Version 4.0:
•
•
•
•
•
•
HTTPS Authentication Proxy
This feature provides a secure mechanism for exchanging username and password information between an HTTP client and FWSM using HTTPS.
Access List Per User Override
This feature allows an external server to override the configuration of the access rules policy for that interface. This feature only applies to inbound access lists.
Resource Manager for Access List Memory Pool
This feature lets you manage resources for access lists, including the access list memory pool or access list tree instances, which are used when compiling access lists.
Resource Class for PDM Sessions
This feature lets you specify the number of PDM sessions for a particular context.
Suspend/Resume Failover Configuration Sync
This feature provides the ability to disable failover synchronization from an active device to a standby device.
Same Security Intra Interface
This feature allows a packet to come in and go out on the same interface. A router might forward a packet to the FWSM so that it can apply the user firewall policy on that packet.
TFTP Fixup
This feature inspects the TFTP protocol and dynamically creates a connection and xlate if necessary to permit file transfer between a TFTP client and server. This feature was included in FWSM 2.2.
System Log Message Enhancements
These enhancements allow you to specify the amount of memory that can be allocated for the system log messages per context and to optionally deny connections if the syslog queue is full.
Important Notes
This section describes important notes for PDM software Version 4.1.
One-time Password
PDM does not support the one-time password (OTP) authentication mechanism.
Fixups
Both fixup SIP over TCP and fixup SIP over UDP are supported in FWSM Release 1.1, but fixup SIP over UDP cannot be disabled in FWSM Release 1.1. Fixup SIP over UDP can only be disabled in FWSM Release 2.x.
CLI Command Support
This section indicates which CLIs PDM supports.
Fully Supported CLI Commands
PDM parses these commands when uploading or creating the FWSM configuration and gives you full access to all PDM user-interface tabs.
Table 2 lists the CLI commands that PDM fully supports. PDM parses these commands in the FWSM configuration and allows PDM to operate successfully.
Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.
CLI Commands Not Fully Supported in FWSM
Table 3 lists commands that cannot be changed. PDM parses these commands in the firewall configuration and handles them transparently.
CLI Commands Ignored in Multiple Mode when in System Mode
Table 4 lists the CLI commands that are ignored when PDM 4.1 is operating in multiple mode and set to system mode.
Table 4 Ignored CLI Commands
banner
enable password
ftp mode passive
logging
password
timeout
username
sysopt nodnsalias
Miscellaneous CLI Command Operation Limitations
Table 5 lists miscellaneous CLI command limitations in PDM 4.1(3).
CLI Commands Ignored by PDM in FWSM
These CLI commands are displayed in the list of unparseable commands in PDM. However, PDM does not change or remove these commands from your configuration, and the presence of these commands does not limit your access to the user-interface tabs in PDM. To see ignored commands, select Options > Show Commands Ignored by PDM on Firewall.
PDM Sessions
The FWSM can be configured to support up to five PDM sessions in single mode or five PDM sessions per context in multiple mode up to a total of 32 PDM sessions.
Caveats
The following sections describe the caveats for PDM software Version 4.1(3).
For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are taken directly from the Cisco Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•
•
•
Note
http://www.cisco.com/support/bugtools
Open Caveats - Version 4.1(3)
The caveats in Table 6 are yet to be resolved in this version.
Resolved Caveats - Version 4.1(3)
The caveats in Table 7 are resolved in Version 4.1(3)
Resolved Caveats - Version 4.1(2)
The caveats in Table 8 were resolved in Version 4.1(2).
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•
http://www.cisco.com/en/US/partner/ordering/
•
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
•
•
•
A current list of security advisories and notices for Cisco products is available at this URL:
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
•
•
Tip
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
•
•
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•
http://www.cisco.com/go/marketplace/
•
•
•
http://www.cisco.com/go/iqmagazine
•
•
http://www.cisco.com/en/US/learning/index.html
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R
Copyright © 2005, Cisco Systems, Inc. All rights reserved.
Guest
