Table Of Contents
Cisco PIX Device Manager Release Notes Version 2.1
Determining the Software Version of the PIX Firewall
Upgrading to a New Software Version
New Features Supported in Version 2.1
Features not Supported by FWSM
CLI Commands not Fully Supported in PIX Firewall and FWSM
CLI Commands Ignored By PDM in PIX Firewall and FWSM
Unsupported CLI Commands and Command Combinations
Resolved Caveats - Version 2.1
Software Configuration Tips on the Cisco TAC Home Page
Obtaining Technical Assistance
Cisco PIX Device Manager Release Notes Version 2.1
September 2002
Contents
This document includes the following sections:
•
Obtaining Technical Assistance
Introduction
Cisco PIX Device Manager (PDM) is a browser-based application for configuring and monitoring a Cisco PIX Firewall and the Firewall Services Module (FWSM) on a Cisco Catalyst 6500. PDM Version 2.1 adds support for the FWSM.
PDM Software Overview
PDM Version 2.1 supports PIX Firewall OS Version 6.2 and FWSM Version 1.1.
PDM is installed as a separate software image, and is designed to provide secure administration of the PIX Firewall and FWSM from most workstations without installing additional software or plug-ins. PDM provides a graphical user interface to the firewall to administer it without requiring knowledge of the command-line interface (CLI). Additionally, PDM maintains compatibility with the firewall CLI and includes a tool for using the standard CLI commands within the PDM application. PDM lets you graph many aspects of the firewall as well as print or export graphs of traffic through the firewall and system activity.
To help you use PDM, online Help is provided throughout the application as well as a Help table of contents, index, and glossary.
System Requirements
The following sections list the system requirements for PDM Version 2.1 software.
PDM Firewall Requirements
PDM has the following system requirements:
•
•
Caution
•
For example:
firewall(config)# show flashfsflash file system: version:2 magic:0x12345679file 0: origin: 0 length:1511480file 1: origin: 2883584 length:1639file 2: origin: 0 length:0file 3: origin: 3014656 length:4311804file 4: origin: 8257536 length:280
Note
If you are using a PIX Firewall that is already running PIX Firewall software Version 6.2, then you have met the requirements to run PDM as discussed in this section and can continue to the "Browser Requirements" section. For example, PIX Firewall units that contain PIX Firewall software Version 6.2 ship with a pre-installed DES activation key.
Otherwise, the unit must meet the following requirements to successfully install and run PDM:
•
If your PIX Firewall is not enabled for DES, you can have a new activation key sent to you by completing the form at the following website:
http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324
•
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
•
Browser Requirements
This section lists the hardware requirements for accessing a PIX Firewall unit through PDM:
•
•
http://www.microsoft.com/downloads/search.asp?
Workstation Requirements
PDM requirements depend on the platform from which you run it.
PDM is not supported on Macintosh, Windows 3.1, or Windows 95 operating systems.
This section includes the following topics:
Windows Requirements
This section lists the requirements for running PDM with Windows:
•
•
•
•
•
PDM is not supported on Windows 3.1 or Windows 95.
Note
SUN Solaris Requirements
This section lists the requirements for running PDM on a Sun SPARC:
•
•
•
•
•
Note
Linux Requirements
This section lists the requirements for running PDM with Linux:
•
•
•
•
Determining the Software Version of the PIX Firewall
Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Version
If you have a Cisco Connection Online (CCO) login, you can obtain software from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
New and Changed Information
PDM Version 2.1 adds support for the Firewall Services Module (FWSM), a dedicated firewall blade for the Catalyst 6500 switch. The same image runs on both the FWSM and PIX Firewall platforms. Note that when used with the PIX Firewall, PDM Version 2.1 is a maintenance release upgrade to the previous version, PDM Version 2.0.
PDM does not support the OSPF functionality of the FWSM.
New Features Supported in Version 2.1
PDM Version 2.1 adds support to FWSM. Note that for the PIX Firewall platform, PDM Version 2.1 is a maintenance release from PDM Version 2.0.
Support of VLAN Interfaces
PDM adds support for the 802.1Q VLAN on the FWSM. The Catalyst 6500 supports up to 100 VLAN interfaces.
Syslog Rate Limiting
PDM adds support for syslog rate limiting feature in FWSM.This limits the number of syslog messages per second based on the syslog level or a particular syslog message ID.
Features not Supported by FWSM
This section lists the features that are not supported by FWSM. These features appear in PDM only if you are running PDM on a PIX Firewall platform:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
VPNs
FWSM only supports VPN traffic to the Catalyst and not such traffic through the Catalyst. Because the VPN functionality of the FWSM is limited to management traffic, VPN on FWSM is not supported by PDM.
Wizards
PDM for FWSM does not support the Startup Wizard or VPN Wizard. PDM does not display the Wizard items on the main menu bar when the platform is the FWSM platform. PDM configuring a PIX Firewall supports the Startup Wizard and the VPN Wizard.
Important Notes
This section describes important notes for PDM software Version 2.1.
PDM Support for CLI Commands
PIX Firewall commands that you enter at the command line, but do not appear in the configuration, are not supported in PDM. These are the arp, capture, configure, copy, debug, disable, enable, flashfs, help, pager, perfmon, reload, session, shun, setup, and terminal commands.
The clear uauth, kill, ping, show, who, and write commands that also do not appear in the configuration are incorporated directly into the PDM interface.
Fully Supported CLI Commands
PDM parses these commands when uploading or creating a firewall configuration and grants you full access to all PDM user-interface tabs.
Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.
Table 1 lists the CLI commands that PDM fully supports. PDM parses these commands in a Firewall configuration and allows PDM to operate successfully.
CLI Commands not Fully Supported in PIX Firewall and FWSM
Table 2 lists commands that cannot be changed. PDM parses these commands in the firewall configuration and handles them transparently.
CLI Commands Ignored By PDM in PIX Firewall and FWSM
These CLI commands are displayed in the list of unparseable commands in PDM. However, PDM does not change or remove these commands from your configuration, and the presence of these commands does not limit your access to the user-interface tabs in PDM.
The following commands are otherwise ignored by PDM except that they are displayed in the list of unparseable commands:
•
For example:
access-list eng permit ip any server1 255.255.255.255access-list eng permit ip any server2 255.255.255.255access-list eng permit ip any server3 255.255.255.255access-list eng deny ip any any•
•
Note
Unsupported CLI Commands and Command Combinations
The following CLI commands or command combinations allow only monitoring and not configuration facilities.
Table 3 lists commands that PDM does not support in a configuration. If the commands are present in your configuration, you can only use the Monitoring tab.
Table 3 CLI Commands That Limit You to the PDM Monitoring Tab
alias
establish
outbound id except
In addition, the following command combinations also limit your access to the Monitoring tab only:
•
access-list 101 permit tcp any anyaaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portalaaa accounting match 101 inside portalYou can fix this by changing aaa commands exclusively to either the match acl style or to the include/exclude style.
•
access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0access-group 101 in interface outsideconduit permit icmp any any•
access-group eng in interface perimaccess-group eng in interface outside•
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224access-group acl_out in interface outsideaaa authentication match acl_out outside AuthInIn this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating an access-list command statement without an accompanying access-group command statement and then applying that to the aaa command statement.
For example:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224aaa authentication match acl_out2 outside AuthIn•
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224aaa authentication match acl_out2 outside AuthInaaa authorization match acl_out2 outside AuthInIn this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating another access-list command statement identical to the first statement and applying that in the aaa authorization command.
For example:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224aaa authentication match acl_out2 outside AuthInaaa authorization match acl_out3 outside AuthIn•
outbound 13 deny 0.0.0.0 0.0.0.0 0 0outbound 13 permit 0.0.0.0 0.0.0.0 389 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 30303 tcpoutbound 13 permit 0.0.0.0 0.0.0.0 53 udpapply (inside) 13 outgoing_srcapply (perim) 13 outgoing_src•
Virus-Checking Software
The use of virus checking software may dramatically increase the time required for PDM to start. This is especially true for Netscape Communicator on any Windows platform or Windows 2000 running any browser.
Caveats
The following sections describe the caveats for PDM software Version 2.1.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•
•
•
Note
http://www.cisco.com/support/bugtools
Open Caveats - Version 2.1
The caveats in Table 4 are yet to be resolved in this version.
Resolved Caveats - Version 2.1
The caveats in Table 5 are resolved in this version.
PDM and Netscape Version 4.x
While this rarely occurs, when you have a corrupted certificate database and run PDM with Netscape version 4.x, the Netscape browser may crash after you click Grant. (The certificate database is a file called cert7.db, located in the your Netscape directory.)
There are reports that Netscape version 4.73 can corrupt the certificate database if you do the following before you click Grant:
1. Run an applet that uses a digital certificate.
2. Renew the certificate.
3. Run the new applet with the updated certificate.
This can happen on Windows, Sun Solaris, or Linux and is a problem in the Netscape Java Virtual Machine (JVM).
To work around this, remove the corrupted cert7.db file from your Netscape directory. A new cert7.db file is created when you run Netscape again. However, this removes all of the certificates that you have previously accepted as trusted. (This includes certificates that you accepted from other sites as well as certificates that you entered manually.)
Related Documentation
Use this document in conjunction with the PIX Firewall and Cisco VPN Client version 3.x documentation at the following websites:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm
Cisco provides PIX Firewall technical tips at the following website:
http://www.cisco.com/warp/public/707/index.shtml#pix
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CCO account you can visit the following websites for assistance:
TAC Customer top issues for PIX Firewall:
http://www.cisco.com/warp/public/110/top_issues/pix/pix_index.shtml
TAC Sample Configs for PIX Firewall:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL:
Translated documentation is available at the following URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
•
http://www.cisco.com/public/ordsum.html
•
http://www.cisco.com/go/subscription
•
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click the Fax or Email option under the "Leave Feedback" at the bottom of the Cisco Documentation home page.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to
•
•
•
•
•
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
•
•
•
•
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0208R)
Copyright © 2002, Cisco Systems, Inc.
All rights reserved.
Guest
