Cisco PIX Device Manager

Table Of Contents

Release Notes for Cisco PDM Version 4.1(3) for Firewall Services Module

Introduction

PDM Software Overview

Switch and Router System Requirements

FWSM Requirements

Browser Requirements

Maximum Configuration File Size

PC and Workstation Requirements

Supported Platforms

Features Introduced in PDM Version 4.1

HTTPS Authentication Proxy

Access List Per User Override

Resource Manager for Access List Memory Pool

Resource Class for PDM Sessions

Suspend/Resume Failover Configuration Sync

Same Security Intra Interface

TFTP Fixup

System Log Message Enhancements

Important Notes

One-time Password

Fixups

CLI Command Support

Fully Supported CLI Commands

CLI Commands Not Fully Supported in FWSM

CLI Commands Ignored in Multiple Mode when in System Mode

Miscellaneous CLI Command Operation Limitations

CLI Commands Ignored by PDM in FWSM

PDM Sessions

Caveats

Open Caveats - Version 4.1(3)

Resolved Caveats - Version 4.1(3)

Resolved Caveats - Version 4.1(2)

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco PDM Version 4.1(3) for Firewall Services Module

---

October 2005

Introduction

Cisco PDM Version 4.1(3) is a web-based application used to configure and monitor the Firewall Services Module (FWSM) on a Catalyst 6500 series switch or Cisco 7600 series router. PDM Version 4.1(3) requires FWSM Release 2.3 or 2.2 and supports all of the configuration features in this release. For more information, see FWSM Technical Documentation and the FWSM FAQ (Frequently Asked Questions) sections in Cisco.com.message.

---

Note PDM Version 4.1(3) is a single image that supports FWSM Release 2.3 and 2.2. It does not support FWSM Release 1.1 or the PIX operating system.

---

This document includes the following sections:

•Introduction

•Switch and Router System Requirements

•PC and Workstation Requirements

•Features Introduced in PDM Version 4.1

•Important Notes

•Caveats

•Obtaining Documentation and Submitting a Service Request

PDM Software Overview

PDM Version 4.1(3) is a single image that provides secure administration of the FWSM. PDM is implemented as a signed Java applet, which downloads to your PC or workstation when you point your browser at the FWSM and does not require a plug-in or other software to be preinstalled. PDM manages FWSM Release 2.3 and 2.2 when it runs in single or multiple context modes.

PDM provides a graphical user interface to the FWSM to administer it without requiring knowledge of the command-line interface (CLI). PDM also maintains compatibility with the FWSM CLI and includes a tool for using the standard CLI commands within the PDM application. PDM lets you graph many aspects of the FWSM, as well as print or export graphs of the traffic through the FWSM and of system activity.

To help you use PDM, the application provides online help as well as a help table of contents, index, and glossary.

Switch and Router System Requirements

The switch and router models that are supported by the FWSM are as follows:

•Catalyst 6500 series switches with the following required components:

–Supervisor engine with Cisco IOS software or Catalyst operating system

–Multilayer Switch Feature Card (MSFC 2) with Cisco IOS software

•Cisco 7600 series routers, with the following required components:

–Supervisor engine with Cisco IOS software

–MSFC 2 with Cisco IOS software

For more information about supported supervisor engine and software versions and the supported Cisco IOS software, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Version 2.3.

---

Note The FWSM does not support a direct connection to a switch WAN port because WAN ports do not use static virtual local area networks (VLANs). However, the WAN port can connect to the MSFC, which can also connect to the FWSM.

---

For more information on switch or router requirements for FWSM, go to the following website: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html.

The following sections list the system requirements for PDM Version 4.1(3) software.

FWSM Requirements

The FWSM must meet the following requirements to successfully install and run PDM:

•Minimum Software Versions-Verify that your FWSM meets the requirements listed in the Release Notes for the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Software Release. You must have Release 2.3 or 2.2 installed on the FWSM before using PDM Version 4.1(3). For more information, refer to the Cisco PDM Installation and Configuration Guide for Firewall Services Module.

•Upgrading Software-When you install a new version of PDM, close all browser sessions before launching PDM. For information on upgrading your FWSM, see the following websites:

http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

---

Caution If you are using Management Center for Firewalls, use PDM for monitoring only. All changes made using PDM will be overwritten the next time Management Center for Firewalls synchronizes with the FWSM.

---

Browser Requirements

The following are required to access one or more firewalls through PDM:

•Java Virtual Machine (JVM)-PDM 4.1(3) supports native JVM on Microsoft Internet Explorer 6.0, Java Plug-in 1.4.2 or Java Plug-in 1.5.0 (5.0). PDM 4.1(3) supports native JVM on Solaris or Red Hat Linux with Java Plug-in 1.4.2.

•HTTP 1.1-For Microsoft Internet Explorer, be sure to use HTTP 1.1 for both proxy and non-proxy connections. This can be changed in Tools > Internet Options > Advanced tab. Scroll down to the "HTTP 1.1 settings" section.

Maximum Configuration File Size

For optimum performance, we recommend a configuration file of no more than 500 KB when using PDM.

FWSM Firewall configuration files over 500 KB may interfere with the performance of PDM on your workstation in the following situations:

•While executing commands such as the write term command and the show running-config command

•Failover (the configuration synchronization time)

•When you click the Refresh button in PDM for the first time

PC and Workstation Requirements

PDM has different requirements depending on the platform from which it is accessed. PDM is not supported for use on computers equipped with the Macintosh operating system, or other versions of the Windows operating systems.

Supported Platforms

Table 1 lists the supported and recommended platforms for PDM Version 4.1(3).

---

Note The Japanese version of Windows (JOS) is supported in the PDM Version 4.1(3) release.

---

Table 1 Supported Platforms for PDM Version 4.1(3)

	Operating System	Browser	Hardware
Windows	Windows 2000 (Service Pack 3 or higher) or Windows XP operating systems1 (English or Japanese versions)	Internet Explorer 6.0 with native JVM (VM 3809 or higher) , Java Plug-in 1.4.2 or Java Plug-in 1.5.0 (5.0) Netscape 7.1 or 7.2 with Java Plug-in 1.4.2 or Java Plug-in 1.5.0 (5.0)	Any Pentium III or Pentium-compatible processor running at 450 MHz or higher. At least 256 MB of RAM. We recommend 192 MB or more. A 1024 x 768 pixel display and at least High Color (16-bit).
SUN Solaris	Sun Solaris 8 or 9	Mozilla 1.7.3 with Java Plug-in 1.4.2	SPARC microprocessor. At least 256 MB of RAM. A 1024 x 768 pixel display and at least 256 colors. High Color (16-bit) recommended.
Linux	Red Hat Linux 9 or Red Hat Enterprise Linux WS version 3	Mozilla 1.7.3 with Java Plug-in 1.4.2	At least 128 MB of RAM. 256 MB recommended. A 1024 x 768 pixel display with at least 256 colors. High Color (16-bit) recommended.

1 PDM is not supported on Windows 3.1, 95, 98, ME or Windows NT 4.

---

Note When using Netscape on some Linux platforms, if you select an item under the Properties tab or the Monitoring tab, the entire PDM window shifts a few pixels to the left and up. This movement happens when you select a panel with a text box or a combo box in it.

---

Features Introduced in PDM Version 4.1

No new features have been introduced in PDM Version 4.1(3) since PDM Version 4.1(2). The purpose of this release is to resolve open caveats. The following sections describe the features introduced in PDM Version 4.1 since PDM Version 4.0:

•HTTPS Authentication Proxy

•Access List Per User Override

•Resource Manager for Access List Memory Pool

•Resource Class for PDM Sessions

•Suspend/Resume Failover Configuration Sync

•Same Security Intra Interface

•TFTP Fixup

•System Log Message Enhancements

•Fixups

•CLI Command Support

•PDM Sessions

HTTPS Authentication Proxy

This feature provides a secure mechanism for exchanging username and password information between an HTTP client and FWSM using HTTPS.

Access List Per User Override

This feature allows an external server to override the configuration of the access rules policy for that interface. This feature only applies to inbound access lists.

Resource Manager for Access List Memory Pool

This feature lets you manage resources for access lists, including the access list memory pool or access list tree instances, which are used when compiling access lists.

Resource Class for PDM Sessions

This feature lets you specify the number of PDM sessions for a particular context.

Suspend/Resume Failover Configuration Sync

This feature provides the ability to disable failover synchronization from an active device to a standby device.

Same Security Intra Interface

This feature allows a packet to come in and go out on the same interface. A router might forward a packet to the FWSM so that it can apply the user firewall policy on that packet.

TFTP Fixup

This feature inspects the TFTP protocol and dynamically creates a connection and xlate if necessary to permit file transfer between a TFTP client and server. This feature was included in FWSM 2.2.

System Log Message Enhancements

These enhancements allow you to specify the amount of memory that can be allocated for the system log messages per context and to optionally deny connections if the syslog queue is full.

Important Notes

This section describes important notes for PDM software Version 4.1.

One-time Password

PDM does not support the one-time password (OTP) authentication mechanism.

Fixups

Both fixup SIP over TCP and fixup SIP over UDP are supported in FWSM Release 1.1, but fixup SIP over UDP cannot be disabled in FWSM Release 1.1. Fixup SIP over UDP can only be disabled in FWSM Release 2.x.

CLI Command Support

This section indicates which CLIs PDM supports.

Fully Supported CLI Commands

PDM parses these commands when uploading or creating the FWSM configuration and gives you full access to all PDM user-interface tabs.

Table 2 lists the CLI commands that PDM fully supports. PDM parses these commands in the FWSM configuration and allows PDM to operate successfully.

Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.

Table 2 Fully Supported CLI Commands 

FWSM Commands
aaa command, include option
aaa command, match acl_name option
aaa-server
access-list and access-group
access-list compiled
access-list ethertype
arp
arp inspection
auth-prompt
class (in System mode)
context (in System mode)
dhcpd
domain-name
enable password
failover
failover lan and show failover lan detail
failover monitor-interface
failover polltime
failover polltime holdtime
filter
fixup protocol
fragment
global
hostname
http
icmp
igmp
interface
ip address
ip audit
ip local pool
ip verify reverse-path
isakmp identity [address | hostname]
logging
mroute
multicast
name
nameif
nat
nat [(if_name)] 0 access-list acl_name
ntp
object-group (network, service)
passwd
pdm
pdm group
pdm history
pdm location
pdm logging
privilege
remote-management
rip
route
router
rpc-server
same-security-traffic
service resetinbound
snmp-server
ssh
static (used for inbound PAT)
sysopt
telnet
tftp-server
timeout
udp
url-block
url-cache
url-server
user-name

CLI Commands Not Fully Supported in FWSM

Table 3 lists commands that cannot be changed. PDM parses these commands in the firewall configuration and handles them transparently.

Table 3 CLI Commands Not Fully Supported in FWSM

FWSM Commands	Result
ca authenticate	All VPN-related commands are ignored.
ca enroll	All VPN-related commands are ignored.
capture	Ignored.
crypto	All VPN-related commands are ignored.
established	Ignored.
floodguard	Ignored.
ftp mode passive	Ignored.
gdb enable	Ignored.
object-group icmp-type	View-only.
object-group network	Nested object groups are read-only.
object-group protocol	View-only.
object-group service	Nested object groups cannot be added.
pager	Ignored.
route-map	Ignored.
sysopt connection zombie-timeout	Ignored.
sysopt nodnsalias	Ignored.
sysopt uauth allow-http-cache	Ignored.
terminal	Ignored.
virtual	Ignored.
vpngroup	All VPN-related commands are ignored.

CLI Commands Ignored in Multiple Mode when in System Mode

Table 4 lists the CLI commands that are ignored when PDM 4.1 is operating in multiple mode and set to system mode.

Table 4 Ignored CLI Commands 

FWSM Commands
banner
enable password
ftp mode passive
logging
password
timeout
username
sysopt nodnsalias

Miscellaneous CLI Command Operation Limitations

Table 5 lists miscellaneous CLI command limitations in PDM 4.1(3).

Table 5 Miscellaneous CLI Command Limitations 

FWSM Commands	Result
access-list	Ignored if the access-list is not used anywhere in the configuration.
prefix-list	Ignored if it is not used in an OSPF area (CLI: area <area-id> filter-list prefix).
Discontinuous net masks such as 255.255.0.255. Example CLI: ip address inside 192.168.2.1 255.255.0.255	n/a.
Use of aaa ... include and aaa ... match	Limited to monitor only.
No access to write, show pdm, show version, and show curpriv	PDM will not run.
Sharing of access lists. Example CLI: access-group myACL in interface inside and access-group myACL in interface outside	PDM will display this as expected. However if you make a modification to an access list that is being shared, PDM will prompt you to duplicate this access list so that the access list is no longer shared.

CLI Commands Ignored by PDM in FWSM

These CLI commands are displayed in the list of unparseable commands in PDM. However, PDM does not change or remove these commands from your configuration, and the presence of these commands does not limit your access to the user-interface tabs in PDM. To see ignored commands, select Options > Show Commands Ignored by PDM on Firewall.

PDM Sessions

The FWSM can be configured to support up to five PDM sessions in single mode or five PDM sessions per context in multiple mode up to a total of 32 PDM sessions.

Caveats

The following sections describe the caveats for PDM software Version 4.1(3).

For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are taken directly from the Cisco Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

•Commands are in boldface type.

•Product names and acronyms may be standardized.

•Spelling errors and typos may be corrected.

---

Note To view additional caveat information, use Bug Navigator II on CCO. Bug Navigator II may be accessed at the following website:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

---

Open Caveats - Version 4.1(3)

The caveats in Table 6 are yet to be resolved in this version.

Table 6 Caveats Still Open in Version 4.1(3) 

ID Number	4.1
	Corrected	Caveat Title
CSCdx28710	No	PDM shows wrong interface on outbound deny ACL
CSCdx44905	No	Match access list uses subnet wider than ip local pool
CSCed71185	No	Cannot dismiss a dialog that appears over a status dialog
CSCeg54076	No	Failover enabled popup incorrect or misleading
CSCeg54474	No	PDM gets stuck at 96% after removing context and doing a refresh
CSCeg56569	No	Accessing online help in 2nd PDM session causes a JavaScript error
CSCeg57996	No	After deleting a resource class, security context still shows resource
CSCeg71623	No	PDM should not change config if logged in as a read-only user
CSCeh15426	No	MFW failover monitoring screen caches interfaces from other contexts
CSCeh50272	No	Network object groups are created even when identity statics are used
CSCeh54110	No	Traffic graphs confused if two contexts use same interface names
CSCeh59768	No	PDM takes longer time to add Hosts/Networks Groups

Resolved Caveats - Version 4.1(3)

The caveats in Table 7 are resolved in Version 4.1(3)

Table 7 Caveats Resolved in Version 4.1(3) 

ID Number	4.1(3)
	Corrected	Caveat Title
CSCeh56807	Yes	PDM Help Index does not link properly for some topics
CSCeh56816	Yes	Multi-line commands from cmd-line interface panel; doesn't work in Windows
CSCeh58722	Yes	Help > Index highlights 2 topics together for some topics
CSCeh61485	Yes	Non-English characters are changed in a few panels
CSCeh72375	Yes	Adding 69 into a service group which already contains services fails
CSCeh78484	Yes	PDM: cannot print Access-Rules
CSCei07785	Yes	PDM on FWSM stuck opening at 47% during loading
CSCei45814	Yes	PDM stuck in loop when loading the config
CSCei59832	Yes	Unexpected Null Rules within ACL applied for outbound traffic
CSCsb51730	Yes	PDM displays hosts under the wrong interface in Config -> Hosts/Networks
CSCsb73961	Yes	PDM shouldn't generate "no allocate-acl-partition" CLI on new context
CSCsb86840	Yes	Search by Field on Action field in rules table does not work properly
CSCsb86979	Yes	Unable to add second port for redirection for inside server through PDM
CSCsb89372	Yes	PDM does not allow deletion of translation rules

Resolved Caveats - Version 4.1(2)

The caveats in Table 8 were resolved in Version 4.1(2).

Table 8 Caveats Resolved in Version 4.1(2) 

ID Number	4.1(2)
	Corrected	Caveat Title
CSCef51651	Yes	Non-English chars in comments look strange after rereading
CSCeg50981	Yes	Multiple FWSM PDM sessions may cause ACL/object-group to disappear
CSCeg58454	Yes	Local authorization not enabled but privilege level still enforced
CSCeg77442	Yes	Cannot create access rule any any even with NAT 0 exemption
CSCeg80492	Yes	Border panel titles are truncated in Red Hat Linux
CSCeg83598	Yes	Edit NObj when object group used as source will cause validation err
CSCeg85309	Yes	PDM does not work if logged in as a read-only or monitor-only user
CSCeg85328	Yes	Problem accessing monitor screens as a monitor-only user
CSCeg85337	Yes	Screen becomes blank after going to Rate Limit as a read-only user
CSCeg85343	Yes	Monitor-only user shows up as privilege: NA (0)
CSCeg85348	Yes	Unable to access PDM Log if logged in as a monitor-only user
CSCeh25776	Yes	Non-English chars messed up few of gui screens
CSCeh29194	Yes	PDM:Can not configure logging deny from syslog tab in PDM
CSCeh45853	Yes	PDM does not run with Java 1.5.0_02
CSCee80083	Yes	Fixup help page instructions for enabling/disabling inconsistent
CSCeg39034	Yes	Logging>Logging Setup: Restore Defaults function limited
CSCeg39297	Yes	DOC: Telnet help has invalid information
CSCeg42521	Yes	Online help for same permit intra-intf description missing
CSCeg55247	Yes	Help: invalid option in tcp options help file
CSCeg56007	Yes	PDM Help shows ARP timeout value 0 - 3567586,PDM says 1 - 3567586
CSCeg57683	Yes	Failover online help still has some incorrect info
CSCeg43510	Yes	Disable Secure http warning msg when tcp/0 configured in aaa rules

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

---

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R

Copyright © 2005, Cisco Systems, Inc. All rights reserved.