Cisco PIX Device Manager Release Notes Version 3.0(3)
This document includes the following sections:
Cisco PIX Device Manager (PDM) is a browser-based Java application for configuring and monitoring the PIX Firewall Version 6.3 software. If the unit is currently running the PIX Firewall Version 6.3 software, the PDM Version 3.0 software is already loaded in the PIX Firewall Flash memory. You should verify that you are running PDM Version 3.0(3).
Note For PIX Firewall Version 6.2, use PDM Version 2.1. For PIX Firewall Version 6.0 and 6.1, use PDM Version 1.1.
PDM Software Overview
PDM Version 3.0(3) will work with all versions of PIX 6.3 and supports the new features in PIX 6.3(4).
PDM Version 3.0 is a single image, which supports only PIX Firewall Version 6.3, and is designed to provide secure administration of the PIX Firewall. PDM is implemented as a signed Java applet, which downloads to your PC or workstation when you point your browser at the PIX Firewall.
PDM provides a graphical user interface to the firewall to administer it without requiring knowledge of the command-line interface (CLI). Additionally, PDM maintains compatibility with the firewall CLI and includes a tool for using the standard CLI commands within the PDM application. PDM lets you graph many aspects of the firewall, as well as print or export graphs of traffic through the firewall and system activity.
To help you use PDM, online help is provided throughout the application as well as a help table of contents, index, and glossary.
PDM is available on all Cisco PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running Version 6.3. PDM Version 3.0 is a single image which supports only PIX Firewall Version 6.3. The following sections list the system requirements for PDM Version 3.0 software.
PDM has the following system requirements:
•PDM Version 3.0 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running PIX Firewall software Version 6.3. For instructions on installing PDM, refer to the Cisco PIX Device Manager Installation Guide, at the following website:
•PDM works with any configuration, whether created with the PIX Firewall command-line interface (CLI), Cisco Secure Policy Manager (CSPM) or Management Center for PIX Firewall (PIXMC). However, subsequent configuration changes made using CSPM or PIXMC overwrite changes made through PDM.
Caution If you are using CSPM or PIXMC, use PDM for monitoring only. All changes made using PDM will be overwritten the next time CSPM or PIXMC synchronizes with the PIX Firewall.
This section includes the following topics:
PIX Firewall System Interoperability with PDM
Table 1 lists the PIX Firewall System requirements for PDM Version 3.0.
Table 1 PIX Firewall System Requirements for PDM Version 3.0
•Hardware: PIX 501, 506/506(E), 515/515(E), 520, 525, or 535
•Random access memory: See Table 2
•PIX Firewall operating system: Version 6.3
•DES, 3DES, or AES-enabled: The PIX Firewall system ships with PIX Firewall software Version 6.3, which includes a pre-installed DES activation key. If your PIX Firewall is not enabled for DES, 3DES, or AES, and you are a registered Cisco user, you can receive a DES, 3DES, or AES activation key by completing the form at the following URL: http://www.cisco.com/go/license/public. To become a registered Cisco user, go to http://tools.cisco.com/RPF/register/register.do.
Flash Memory Requirements
Table 2 lists Flash memory requirements for PIX Firewall software Version 6.3 in conjunction with PDM Version 3.0 by platform.
Maximum Configuration File Size
For optimum performance, we recommend a configuration file of no more than 100 KB (approximately 1500 lines) when using PDM.
PIX Firewall configuration files over 100 KB may interfere with the performance of PDM on your workstation in the following situations:
•While executing commands such as write term and show conf
•Failover (the configuration synchronization time)
•During a system reload
To determine the size of your configuration file, enter the show flashfs command at the PIX Firewall CLI prompt. Find the line in the output that begins with "file 1:"; the number labeled "length" on that line is the configuration file size in bytes.
For example (here the configuration is 2944 bytes):
  pixfirewall# show flashfs
  flash file system: version:3 magic:0x12345679
  file 0: origin: 0 length:1925176
  file 1: origin:2883584 length:2944
  file 2: origin:3014656 length:32
  file 3: origin: 0 length:0
  file 4: origin:3145728 length:131072
  file 5: origin:8257536 length:308
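The size check above can be scripted when auditing many units. The following is an added example, not code from the Cisco release notes or from PDM: a small Python parser for the show flashfs output format shown above (the "file 1" entry is the stored configuration) that reports the configuration size and whether it is within the 100 KB recommendation. The embedded sample output is the release notes' own example; the 100 KB threshold is the figure stated above.

```python
"""Check a PIX Firewall configuration size against the PDM 100 KB recommendation.

Added example; not Cisco's code. Parses 'show flashfs' output, where file 1
holds the configuration saved to Flash (per the release notes), and compares
its length with the recommended maximum for PDM.
"""
from __future__ import annotations

import re

PDM_RECOMMENDED_MAX_BYTES = 100 * 1024   # "no more than 100 KB" per the release notes

# Constructed sample: the example output shown in the release notes.
SAMPLE_SHOW_FLASHFS = """\
pixfirewall# show flashfs
flash file system: version:3 magic:0x12345679
file 0: origin: 0 length:1925176
file 1: origin:2883584 length:2944
file 2: origin:3014656 length:32
file 3: origin: 0 length:0
file 4: origin:3145728 length:131072
file 5: origin:8257536 length:308
"""

# One "file N: origin: X length:Y" line; whitespace after the colons is optional.
FILE_RE = re.compile(r"^file\s+(\d+):\s*origin:\s*(\d+)\s+length:\s*(\d+)\s*$")


def parse_flashfs(output: str) -> dict[int, tuple[int, int]]:
    """Map file index -> (origin, length) for every file line in the output."""
    files: dict[int, tuple[int, int]] = {}
    for line in output.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            idx, origin, length = (int(x) for x in m.groups())
            files[idx] = (origin, length)
    return files


def config_size_bytes(output: str) -> int:
    """Length of file 1, the configuration file, in bytes."""
    files = parse_flashfs(output)
    if 1 not in files:
        raise ValueError("no 'file 1' entry found in show flashfs output")
    return files[1][1]


def pdm_size_check(output: str) -> tuple[int, bool]:
    """Return (config size in bytes, True if within the PDM recommendation)."""
    size = config_size_bytes(output)
    return size, size <= PDM_RECOMMENDED_MAX_BYTES


if __name__ == "__main__":
    size, ok = pdm_size_check(SAMPLE_SHOW_FLASHFS)
    verdict = "within" if ok else "exceeds"
    print(f"configuration is {size} bytes; {verdict} the {PDM_RECOMMENDED_MAX_BYTES} byte PDM recommendation")
```

Feed it the captured output of show flashfs from each unit; a configuration that exceeds the threshold is the one to trim before relying on PDM for failover-time or reload-time operations.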
PIX Firewall platforms have different configuration file size limitations than PDM. See Table 3 for the maximum recommended configuration file size by platform.
Table 3 Maximum Recommended Configuration File Size by Platform
PIX Firewall Version Maximum Configuration
PIX 506/506E, 515/515E, 520
PIX 525, PIX 535 1
1 This applies to PIX Firewall software Version 5.3(2) and later versions. The maximum recommended configuration file size for PIX Firewall software Versions 5.3(1) and earlier is 1 MB.
PIX Firewall software Version 6.3 has the following software requirements:
•The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, download the Boothelper file from cisco.com (http://www.cisco.com/public/sw-center/index.shtml) to get the PIX Firewall image.
•Before upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Upgrading to a New Software Release" in this chapter for new installation requirements.
•Before upgrading from Version 4 or earlier, or before using Auto Update, IPSec, SSH, PDM, or VPN, you need a new 56-bit DES activation key, which can be sent to you by completing the form at: http://www.cisco.com/go/license/public
•Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Release
If you are a registered Cisco user, refer to the Upgrading Software for the Cisco Secure PIX Firewall document at the following URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
PDM requirements vary depending on the platform.
Note PDM is not supported on Macintosh, Windows 3.1, Windows 95, Windows 98, Windows ME, or Windows NT operating systems.
Note the following when using PDM to access the PIX Firewall unit:
•Minimum Disk Space Requirement—PDM requires at least 4 MB of temporary disk space to load into the browser.
•To check which Java Virtual Machine (JVM) version you have, launch PDM. In the main PDM menu, click Help>About Cisco PIX Device Manager. When the About PDM information window appears, it displays your browser specifications in a table. You can download the latest JVM version for Internet Explorer from Microsoft, and you can download the latest Java Plug-in from Sun Microsystems (http://www.java.sun.com).
•HTTP 1.1—Settings for Internet Options>Advanced>HTTP 1.1 settings should use HTTP 1.1 for both proxy and non-proxy connections.
This section includes the following topics:
Table 5 Supported and Recommended Windows Platforms for PDM 3.0
•Operating System: Microsoft Windows 2000 (Service Pack 4), or Microsoft Windows XP (English or Japanese versions)
•Browser: Internet Explorer 6.0
•JVM: Native1 JVM (VM 3809), or Java Plug-in 1.4.2 or 1.5.0
1 Native refers to the built-in JVM that ships with the browser.
Note PDM Version 3.0(3) does not support Windows 3.1, Windows 95, Windows 98, Windows ME, or Windows NT.
Table 7 Supported and Recommended Sun Solaris Platforms1 for PDM 3.0
•Operating System: Sun Solaris 2.8 or 2.9
•JVM: Java Plug-in 1.4.2
1 Sun Solaris running OpenWindows is not supported.
Red Hat Linux
Table 9 Supported and Recommended Red Hat Linux Platforms for PDM 3.0
•Operating System: Red Hat Linux 9.0 running GNOME or KDE, or Red Hat Enterprise Linux WS version 3
•JVM: Java Plug-in 1.4.2
New Features in PDM Version 3.0(3)
This release of PDM Version 3.0(3) was created to fix a compatibility issue with version 1.4.2_08 of the Java Plug-in.
Features Introduced in PDM Version 3.0(2)
The following new features are available in PDM Version 3.0(2). Many of these features were introduced to support changes with PIX Firewall Version 6.3(4).
By default, a AAA server failure prevents authentication and/or authorization from succeeding. This feature lets you optionally fall back to the LOCAL database on the Cisco PIX Firewall for authentication and/or authorization when the AAA server fails. You can optionally use the LOCAL Cisco PIX Firewall database for:
1. Authentication and/or authorization to the firewall
2. IKE extended authentication (Xauth)
This feature was introduced with PIX Firewall version 6.3(4).
Virtual LAN (VLAN) support for PIX 506/506E
PDM supports VLANs on the PIX 506/506E. Because these platforms have two physical interfaces and a four-interface limit, at most two logical (VLAN) interfaces can be configured on them.
Filter except for HTTPS, FTP, Java, and ActiveX
PDM 3.0 allows additional filter actions, namely "do not filter ActiveX," "do not filter Java Applet," "do not filter HTTPS," and "do not filter FTP." These filters let you specify hosts or networks that should not be filtered. For example, if the host or network you specify is included in a Filter ActiveX rule, then you can create a Do Not Filter ActiveX rule to create an exception.
SIP IP Address Privacy
If any two SIP endpoints participating in an IP phone call or instant messaging session use the same internal firewall interface to contact their SIP proxy server on an external firewall interface, enabling SIP IP Address Privacy ensures that all SIP signaling messages go through the SIP proxy server.
This feature is in effect when SIP over TCP Fixup or SIP over UDP Fixup is enabled. By default, this feature is disabled.
If SIP IP Address Privacy is enabled, the firewall will not translate internal and external host IP addresses embedded in the TCP or UDP payload of inbound SIP traffic, ignoring translation rules for those IP addresses.
ISAKMP (IKE) Event Tracing
ISAKMP Event Tracing includes a simple event tracing buffer for troubleshooting. It is helpful for detailed troubleshooting when a syslog server is unavailable, such as in a PIX 501 Easy VPN Remote deployment. You can configure the number of events to log. By default, event tracing is disabled.
Support Netmask in Local Pool
This feature lets you optionally configure a netmask for the IP local pool. This information is sent to the VPN client when it sends a mode configuration request for the netmask. Without this feature, a VPN client such as the Windows VPN 4.x client will simply use the classful netmask because none is provided.
This feature lets you inspect SNMP traffic passing through the firewall. By default, SNMP inspection is disabled.
In addition, you can deny SNMP traffic by protocol version. The supported versions are 1, 2, 2c, and 3.
Extended DNS (EDNS0) Fixup
The Extended DNS (EDNS0) feature adds EDNS0 support to the DNS fixup, allowing UDP DNS response packets larger than 512 bytes. EDNS0 is defined in RFC 2671. Prior to this feature, the firewall simply dropped UDP DNS response packets greater than 512 bytes.
Trivial File Transfer Protocol (TFTP) is a very simple protocol used to transfer files between hosts. The fixup is enabled by default and uses port 69. The ports for TFTP are configurable. This feature was introduced in PIX 6.3(2).
Display VAC Information
The PDM Home Page now indicates whether a VPN accelerator card (VAC) or VAC+ is present or not.
Features Introduced in PDM Version 3.0(1)
The following features were introduced in PDM Version 3.0(1).
VLAN-Based Virtual Interfaces
802.1Q VLAN support comes to the PIX Firewall, providing added flexibility in managing and provisioning the firewall. This feature enables the decoupling of IP interfaces from physical interfaces (hence making it possible to configure logical IP interfaces independent of the number of interface cards installed), and supplies appropriate handling for IEEE 802.1Q tags.
OSPF Dynamic Routing
Route propagation and greatly reduced route convergence times are two of the many benefits that arrive with Open Shortest Path First (OSPF). The PIX Firewall implementation will support intra-area, inter-area and external routes. The distribution of static and connected routes to OSPF processes, and route redistribution between OSPF processes are also included.
PAT for ESP Tunnels
Provides the ability to apply PAT to IP protocol 50 (ESP), so that a single IPSec user behind the firewall can have outbound access.
This feature addresses most of the known incompatibilities between NAT and IPSec that have become a major barrier to the deployment of IPSec. The design is based on the IETF NAT wrapper draft to ensure maximum interoperability with Cisco NAT products as well as non-Cisco NAT platforms.
Acting as a DHCP relay agent, the PIX Firewall can assist in dynamic configuration of IP hosts on any of its interfaces. It receives requests from hosts on a given interface and forwards them to a user-configured DHCP server on another interface.
Comments in ACLs
This feature allows users to include comments in access lists to make the ACL easier to understand and scan.
Syslog by ACL
This feature allows users to configure a specific ACL entry with a logging option. When such an option is configured, statistics for each flow that matches the permit or deny conditions of the ACL entry are logged.
This feature adds support for AES on PIX Firewall. It is anticipated that the IETF will mandate AES as required privacy transforms for both IPSec and IKE in the near future. AES supports 128-bit, 192-bit, and 256-bit encryption.
Diffie-Hellman Group 5
This feature adds support for 1536-bit MODP group that has been given the group 5 identifier.
Specify Interface as Address in ACLs
Users running the DHCP client on the PIX Firewall outside interface will no longer have to adjust their access lists every time the outside DHCP address gets changed by their ISP.
CTIQBE, MGCP, PAT for PPTP, PAT for ESP Tunnels, ICMP Error, PAT for Skinny.
CA Enrollment Using X.500
Aggressive Mode is used for preshared keys, and Main Mode (MM) can now be used for RSA signature (RSA-SIG) based key exchange. This conforms to VPN 3002 hardware client behavior, where Main Mode is performed whenever possible.
HTTPS Authentication Proxy
This new feature provides a secure method of exchanging information between an HTTP client and PIX Firewall by using HTTPS for the transaction.
Verify Peer Certificate Distinguished Name (DN)
You can now verify and filter out valid but unexpected peers using certificate DN values during IKE negotiation.
In PDM you can specify a key-id or a string for interoperability with other headend VPN devices.
Change level for Syslog Messages
This feature allows users to change the default logging level for a specific ACL entry with a logging option. When such an option is configured, statistics for each flow that matches the permit or deny conditions of the ACL entry are logged.
AAA Proxy Limit
You can limit the number of concurrent proxy connections allowed.
HTTPS/FTP Using Websense
This feature extends the existing Websense-based URL filtering to HTTPS and FTP.
SIP over TCP
You can configure the ports on which the firewall listens for SIP over TCP traffic.
Ability to Disable SIP UDP Fixup
The SIP UDP fixup can now be disabled. This addresses valid non-SIP packets being dropped by the PIX Firewall because they use the SIP UDP port.
DHCP Server on any Interface
Any interface can now be configured as a DHCP server.
Management Feature Access
You can now perform PIX Firewall management functions, such as running PDM, on an internal interface with a fixed IP address over an IPSec VPN tunnel.
The new Console panel lets you set the time a console connection remains open when idle.
The new Banner panel lets you configure message of the day, login, and session banners.
Printing has been improved so access lists can be printed and viewed more easily.
RME Syslog Compatibility
This new feature provides the ability to log messages in Cisco EMBLEM format to a syslog server. This feature allows the RME (Resource Manager Essentials) syslog analyzer to parse PIX Firewall messages sent to a syslog host.
PDM Home Page
The new PDM home page lets you view, at a glance, important information about your PIX Firewall such as the status of your interfaces, the version you are running, licensing information, and performance.
Batch Mode when Sending CLIs
PDM now sends a series of CLI commands to the firewall in one batch, which is faster. All commands in the batch are sent and applied even if you lose the connection because of the changes you make.
This section describes important notes for PDM software Version 3.0.
Interface Security Level
Because traffic is not permitted between interfaces configured with the same security level, PDM does not support this configuration.
CLI Command Support
PDM Version 3.0 adds support for the PIX Firewall Version 6.3 CLI command syntax. Refer to PDM online Help for more information on the supported CLI commands.
Fully Supported CLI Commands
PDM parses these commands when uploading or creating the PIX Firewall configuration and grants you full access to all PDM user-interface tabs.
Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.
Table 10 lists the CLI commands that PDM fully supports. PDM parses these commands in the firewall configuration and allows PDM to operate successfully.
CLI Commands not Fully Supported in PIX Firewall
Table 11 lists commands that cannot be changed. PDM parses these commands in the firewall configuration and handles them transparently.
CLI Commands Ignored By PDM in PIX Firewall
These CLI commands are displayed in the list of unparseable commands in PDM. However, PDM does not change or remove these commands from your configuration, and the presence of these commands does not limit your access to the user-interface tabs in PDM.
The following commands are otherwise ignored by PDM except that they are displayed in the list of unparseable commands:
•Access lists not applied to any interface and not applied to the aaa command statement—A group of access-list command statements without an accompanying access-group command statement or aaa match acl command statement.
For example:
  access-list eng permit ip any server1 255.255.255.255
  access-list eng permit ip any server2 255.255.255.255
  access-list eng permit ip any server3 255.255.255.255
  access-list eng deny ip any any
•A list of outbound command statements without an associated apply command statement.
•Any isakmp client configuration commands.
Note OSPF subcommands are not supported.
Unsupported CLI Commands and Command Combinations
The following CLI commands or command combinations allow only monitoring and not configuration facilities.
Table 12 lists commands that PDM does not support in a configuration. If the commands are present in your configuration, you can only use the Monitoring tab.
Table 12 CLI Commands That Limit You to the PDM Monitoring Tab
  outbound id except
  access-list acl1 deny igmp any any
In addition, the following command combinations also limit your access to the Monitoring tab only:
•An aaa command with the match option appearing in the configuration together with other aaa commands that use the include or exclude options. For example, the following commands would not be parsed by PDM:
  access-list 101 permit tcp any any
  aaa authentication include http inside 220.127.116.11 255.255.255.255 0.0.0.0 0.0.0.0 portal
  aaa accounting match 101 inside portal
You can fix this by changing aaa commands exclusively to either the match acl style or to the include/exclude style.
•Combining the access-list and access-group command statements with conduit and/or outbound command statements. For example, the following commands appearing anywhere in the configuration (not necessarily together) would not be parsed by PDM:
  access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
  access-group 101 in interface outside
  conduit permit icmp any any
Note Certain combinations of access control lists are unsupported.
•Using an access control list (ACL) on multiple interfaces. For example, applying the same access-list eng statement to two interfaces limits access:
  access-list eng permit ip any server1 255.255.255.255
  access-group eng in interface perim
  access-group eng in interface outside
•Using an ACL name for multiple purposes, such as in both access-group and aaa command statements. For example, the following commands would not be parsed by PDM:
  access-list acl_out permit tcp 10.16.1.0 255.255.255.0 18.104.22.168 255.255.255.224
  access-group acl_out in interface outside
  aaa authentication match acl_out outside AuthIn
In this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating an access-list command statement without an accompanying access-group command statement and then applying that to the aaa command statement.
For example:
  access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 22.214.171.124 255.255.255.224
  aaa authentication match acl_out2 outside AuthIn
•Using an ACL for multiple purposes (such as authentication, authorization, or accounting). For example, the following command statements cannot be parsed by PDM:
  access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 126.96.36.199 255.255.255.224
  aaa authentication match acl_out2 outside AuthIn
  aaa authorization match acl_out2 outside AuthIn
In this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating another access-list command statement identical to the first statement and applying that in the aaa authorization command.
For example:
  access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 188.8.131.52 255.255.255.224
  access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 184.108.40.206 255.255.255.224
  aaa authentication match acl_out2 outside AuthIn
  aaa authorization match acl_out3 outside AuthIn
•Applying an outbound command statement group to multiple interfaces. For example, the following command statements would not be parsed by PDM:
  outbound 13 deny 0.0.0.0 0.0.0.0 0 0
  outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
  outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
  outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
  apply (inside) 13 outgoing_src
  apply (perim) 13 outgoing_src
•Any outbound command statement that contains the except option. You can replace the except option with a permit or deny statement to eliminate the use of the except option. Once the except option is replaced with permit or deny, PDM functions normally.
•User lacks privilege. The user lacks the privilege to run the following basic commands:
  write
  show pdm
  show version
  show curpriv
•ACL and IGMP access group. An access list cannot be applied both to an interface with the access-group command and with the igmp access-group command. The following is not allowed:
  access-list acl1 deny igmp any any
  access-group acl1 in interface outside
  multicast interface outside
  igmp access-group acl1
•Policy NAT configurations will force PDM into monitor mode. A complete description of how to configure Policy NAT and the related CLI commands is available in the Cisco PIX Firewall and VPN Configuration Guide, Version 6.3 at this location:
If any one of the following commands is in the configuration, PDM will be forced into monitor mode:
  static (inside,outside) 220.127.116.11 access-list NET1
  static (inside,outside) 18.104.22.168 access-list NET2
  nat (inside) 1 access-list NET1
  nat (inside) 2 access-list NET2
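The combinations listed in this section can be checked before a configuration is handed to PDM. The following is an added example, not code from the Cisco release notes or from PDM: a Python script that scans a PIX 6.3 configuration for the constructs described above (mixed aaa match and include/exclude styles, access-group combined with conduit or outbound, an ACL bound to several interfaces or reused across access-group, aaa and igmp access-group, an outbound group applied to several interfaces, outbound with except, igmp access-list entries, policy NAT, and access lists bound to nothing) and reports each one. The sample configuration is constructed for the example. The positions of the access-list name in static, nat and igmp access-group lines are assumed from the PIX 6.3 CLI rather than taken from this document.

```python
"""PDM compatibility lint for a PIX Firewall 6.3 configuration.

Added example; not code from the Cisco release notes or from PDM. It encodes
the command combinations the notes say limit PDM to the Monitoring tab, or
that PDM lists as unparseable and ignores, and runs them over a constructed
sample configuration. The argument positions assumed for static/nat policy
NAT and igmp access-group lines come from the PIX 6.3 CLI, not the notes.
"""
from __future__ import annotations

from collections import defaultdict


def lint_pdm(config: str) -> list[str]:
    """Return one finding per construct in config that PDM cannot parse."""
    acl_defined = set()                     # ACL names with at least one entry
    acl_purposes = defaultdict(set)         # ACL name -> ways it is referenced
    acl_interfaces = defaultdict(set)       # ACL name -> interfaces via access-group
    outbound_interfaces = defaultdict(set)  # outbound list id -> interfaces via apply
    aaa_styles = set()
    uses_access_group = False
    uses_conduit_or_outbound = False
    findings: list[str] = []

    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        kw = w[0]
        if kw == "access-list":                     # access-list NAME permit|deny PROTO ...
            acl_defined.add(w[1])
            if "igmp" in w:                         # Table 12: limits PDM to monitoring
                findings.append(f"access-list {w[1]}: igmp entry limits PDM to monitoring")
        elif kw == "access-group":                  # access-group NAME in interface IF
            uses_access_group = True
            acl_interfaces[w[1]].add(w[-1])
            acl_purposes[w[1]].add("access-group")
        elif kw == "aaa" and "match" in w:          # aaa authentication|authorization|accounting match ACL IF SERVER
            aaa_styles.add("match")
            acl_purposes[w[w.index("match") + 1]].add(f"aaa {w[1]}")
        elif kw == "aaa" and ("include" in w or "exclude" in w):
            aaa_styles.add("include/exclude")
        elif kw == "conduit":
            uses_conduit_or_outbound = True
        elif kw == "outbound":                      # outbound ID permit|deny|except ADDR MASK [PORT] [PROTO]
            uses_conduit_or_outbound = True
            if len(w) > 2 and w[2] == "except":
                findings.append(f"outbound {w[1]}: except option limits PDM to monitoring")
        elif kw == "apply":                         # apply (IF) ID outgoing_src
            outbound_interfaces[w[2]].add(w[1].strip("()"))
        elif kw in ("static", "nat") and "access-list" in w:   # policy NAT (assumed syntax)
            acl_purposes[w[w.index("access-list") + 1]].add("policy nat")
            findings.append(f"{raw.strip()}: policy NAT forces PDM into monitor mode")
        elif kw == "igmp" and len(w) > 2 and w[1] == "access-group":   # igmp access-group ACL (assumed syntax)
            acl_purposes[w[2]].add("igmp access-group")

    if {"match", "include/exclude"} <= aaa_styles:
        findings.append("aaa: match and include/exclude styles are mixed; use one style only")
    if uses_access_group and uses_conduit_or_outbound:
        findings.append("access-group is combined with conduit/outbound; PDM limited to monitoring")
    for name, ifaces in acl_interfaces.items():
        if len(ifaces) > 1:
            findings.append(f"access-list {name}: applied to {len(ifaces)} interfaces ({', '.join(sorted(ifaces))})")
    for name, purposes in acl_purposes.items():
        if len(purposes) > 1:
            findings.append(f"access-list {name}: reused for {', '.join(sorted(purposes))}")
    for oid, ifaces in outbound_interfaces.items():
        if len(ifaces) > 1:
            findings.append(f"outbound {oid}: applied to {len(ifaces)} interfaces")
    for name in sorted(acl_defined - set(acl_purposes)):
        findings.append(f"access-list {name}: not bound by access-group or aaa; PDM ignores it as unparseable")
    return findings


# Constructed sample configuration exercising several of the unsupported combinations.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 any
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn
access-list 101 permit tcp any any
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal
access-list eng permit ip any host 10.1.1.1
access-list eng deny ip any any
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src
nat (inside) 2 access-list NET2
"""

if __name__ == "__main__":
    for finding in lint_pdm(SAMPLE_CONFIG):
        print(finding)
```

Run it over the output of write terminal from the unit; an empty result means none of the combinations in this section is present, while each reported finding names the ACL or outbound list to split or rename, following the fixes described above.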
Multiple PDM Sessions
PDM allows multiple PCs or workstations to each have one browser session open with the same firewall. A single firewall unit can support up to 5 concurrent PDM sessions. However, only one session per browser per PC or workstation is supported for a particular firewall. Refer to PDM online Help for more information on multiple PDM sessions.
The following sections describe the caveats for PDM software Version 3.0.
For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note Please use Bug Navigator II on CCO to view additional caveat information. Bug Navigator II may be accessed at the following website:
Open Caveats - Version 3.0(3)
The caveats in Table 13 are yet to be resolved in this version.
Resolved Caveats - Version 3.0(3)
The caveats in Table 14 are resolved in this version.
Table 14 Resolved Caveats
ID Number / Software Version 3.0(3) Corrected / Caveat Title
  •PDM does not run with Java 1.5.0_02
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)