Cisco PIX Device Manager Release Notes Version 3.0(4)
This document includes the following sections:
Cisco PIX Device Manager (PDM) is a browser-based Java application for configuring and monitoring the PIX Firewall Version 6.3 software. If the unit is currently running the PIX Firewall Version 6.3 software, the PDM Version 3.0 software is already loaded in the PIX Firewall Flash memory. You should verify that you are running PDM Version 3.0(4).
Note For PIX Firewall Version 6.2, use PDM Version 2.1. For PIX Firewall Version 6.0 and 6.1, use PDM Version 1.1.
PDM Software Overview
PDM Version 3.0(4) will work with all versions of PIX 6.3 and supports the new features in PIX 6.3(5).
PDM Version 3.0 is a single image, which supports only PIX Firewall Version 6.3, and is designed to provide secure administration of the PIX Firewall. PDM is implemented as a signed Java applet, which downloads to your PC or workstation when you point your browser at the PIX Firewall.
PDM provides a graphical user interface to the firewall to administer it without requiring knowledge of the command-line interface (CLI). Additionally, PDM maintains compatibility with the firewall CLI and includes a tool for using the standard CLI commands within the PDM application. PDM lets you graph many aspects of the firewall, as well as print or export graphs of traffic through the firewall and system activity.
To help you use PDM, online help is provided throughout the application as well as a help table of contents, index, and glossary.
PDM is available on all Cisco PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running Version 6.3. PDM Version 3.0 is a single image which supports only PIX Firewall Version 6.3. The following sections list the system requirements for PDM Version 3.0 software.
PDM has the following system requirements:
•PDM Version 3.0 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running PIX Firewall software Version 6.3. For instructions on installing PDM, refer to the Cisco PIX Device Manager Installation Guide, at the following website: http://www.cisco.com/en/US/partner/docs/security/pix/pix63/pdm30/installation/guide/pdm_ig.html
•PDM works with any configuration, whether created with the PIX Firewall command-line interface (CLI), Cisco Secure Policy Manager (CSPM) or Management Center for Firewalls. However, subsequent configuration changes using CSPM or Management Center for Firewalls overwrite the PDM configuration.
Caution If you are using CSPM or Management Center for Firewalls, use PDM for monitoring only. All changes made using PDM will be overwritten the next time CSPM or Management Center for Firewalls synchronizes with the PIX Firewall.
This section includes the following topics:
PIX Firewall System Interoperability with PDM
Table 1 lists the PIX Firewall System requirements for PDM Version 3.0.
Table 1 PIX Firewall System Requirements for PDM Version 3.0
Type: Description
Hardware: PIX 501, 506/506(E), 515/515(E), 520, 525, or 535
Random access memory: See Table 2
PIX Firewall operating system: DES, 3DES, or AES-enabled
The PIX Firewall system ships with PIX Firewall software Version 6.3, which includes a pre-installed DES activation key. If your PIX Firewall is not enabled for DES, 3DES, or AES, and you are a registered Cisco user, you can receive a DES, 3DES, or AES activation key by completing the form at the following URL: http://www.cisco.com/go/license/public. To become a registered Cisco user, go to http://tools.cisco.com/RPF/register/register.do.
Flash Memory Requirements
Table 2 lists Flash memory requirements for PIX Firewall software Version 6.3 in conjunction with PDM Version 3.0 by platform.
Maximum Configuration File Size
For optimum performance, we recommend a configuration file of no more than 100 KB (approximately 1500 lines) when using PDM.
PIX Firewall configuration files over 100 KB may interfere with the performance of PDM on your workstation in the following situations:
•While executing commands such as write term and show conf
•Failover (the configuration synchronization time)
•During a system reload
To determine the size of your configuration file, enter the show flashfs command at the PIX Firewall CLI prompt. Find the line of output that begins with "file 1:". The number labeled "length" on that line is the configuration file size in bytes.
For example:
pixfirewall# show flashfs
flash file system:  version:3  magic:0x12345679
  file 0: origin:        0  length:1925176
  file 1: origin:  2883584  length:2944
  file 2: origin:  3014656  length:32
  file 3: origin:        0  length:0
  file 4: origin:  3145728  length:131072
  file 5: origin:  8257536  length:308
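The check described above, scripted: this added example (not part of the Cisco release notes) parses the show flashfs output layout, reads the "file 1" length and compares it with the 100 KB recommendation. The sample output below is constructed for the example.

```python
import re

# Constructed "show flashfs" output in the layout shown above (not captured
# from a real unit); file 1 holds the saved configuration.
SAMPLE_SHOW_FLASHFS = """\
pixfirewall# show flashfs
flash file system:  version:3  magic:0x12345679
  file 0: origin:        0  length:1925176
  file 1: origin:  2883584  length:2944
  file 2: origin:  3014656  length:32
  file 3: origin:        0  length:0
  file 4: origin:  3145728  length:131072
  file 5: origin:  8257536  length:308
"""

PDM_RECOMMENDED_MAX = 100 * 1024  # 100 KB recommendation from the release notes

# One "file N: origin: X length: Y" entry; the "flash file system:" header does
# not match because no file number follows the word "file" there.
FILE_LINE = re.compile(r"file\s+(\d+):\s*origin:\s*(\d+)\s+length:\s*(\d+)")


def flashfs_files(output: str) -> dict[int, tuple[int, int]]:
    """Map each flash file number to (origin, length) from show flashfs output."""
    return {int(n): (int(o), int(ln)) for n, o, ln in FILE_LINE.findall(output)}


def config_size(output: str) -> int:
    """Size in bytes of the saved configuration (file 1); raises if it is absent."""
    files = flashfs_files(output)
    if 1 not in files:
        raise ValueError("no 'file 1' entry in show flashfs output")
    return files[1][1]


def config_too_large_for_pdm(output: str, limit: int = PDM_RECOMMENDED_MAX) -> bool:
    """True when the saved configuration exceeds the PDM size recommendation."""
    return config_size(output) > limit
```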
PIX Firewall platforms have different configuration file size limitations than PDM. See Table 3 for the maximum recommended configuration file size by platform.
Table 3 Maximum Recommended Configuration File Size by Platform
PIX Firewall Version Maximum Configuration
PIX 506/506E, 515/515E, 520
PIX 525, PIX 535 1
1 This applies to PIX Firewall software Version 5.3(2) and later versions. The maximum recommended configuration file size for PIX Firewall software Versions 5.3(1) and earlier is 1 MB.
PIX Firewall software Version 6.3 has the following software requirements:
•The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, download the Boothelper file from cisco.com (http://www.cisco.com/public/sw-center/index.shtml) to get the PIX Firewall image.
•Before upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Upgrading to a New Software Release" in this chapter for new installation requirements.
•If you are upgrading from Version 4 or earlier and use Auto Update, IPSec, SSH, PDM, or VPN, you need a new 56-bit DES activation key, which you can obtain by completing the form at: http://www.cisco.com/go/license/public
•Use the show version command to verify the software version of your PIX Firewall unit.
Upgrading to a New Software Release
If you are a registered Cisco user, refer to the Upgrading Software for the Cisco Secure PIX Firewall document at the following URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml
PDM requirements vary depending on the platform.
Note PDM is not supported on Macintosh, Windows 3.1, Windows 95, Windows 98, Windows ME, or Windows NT operating systems.
Note the following when using PDM to access the PIX Firewall unit:
•Minimum Disk Space Requirement—PDM requires at least 4 MB of temporary disk space to load into the browser.
•To check which Java Virtual Machine (JVM) version you have, launch PDM. In the main PDM menu, click Help>About Cisco PIX Device Manager. When the About PDM information window appears, it displays your browser specifications in a table. You can download the latest JVM version for Internet Explorer from Microsoft, and you can download the latest Java Plug-in from Sun Microsystems (http://www.java.sun.com).
•HTTP 1.1—Settings for Internet Options>Advanced>HTTP 1.1 settings should use HTTP 1.1 for both proxy and non-proxy connections.
This section includes the following topics:
Table 5 Supported Windows Platforms for PDM 3.0
Operating System Browser JVM Supported Windows Platforms
Microsoft Windows 2000 (Service Pack 4), or
Microsoft Windows XP (English or Japanese versions)
Internet Explorer 6.0
Native1 JVM (VM 3809)
Java Plug-in 1.4.2 or 1.5.0
Java Plug-in 1.4.2 or 1.5.0
1 Native refers to the built-in JVM that ships with the browser.
Table 7 Supported Sun Solaris Platforms for PDM 3.0
Operating System Browser JVM Supported Sun Solaris Platforms1
Sun Solaris 2.8 or 2.9
Java Plug-in 1.4.2
1 Sun Solaris running OpenWindows is not supported.
Red Hat Linux
Table 9 Supported Red Hat Linux Platforms for PDM 3.0
Operating System Browser JVM Supported Red Hat Linux Platforms
Red Hat Linux 9.0 running GNOME or KDE
Red Hat Enterprise Linux WS version 3
Java Plug-in 1.4.2
New Features in PDM Version 3.0(4)
The following were added in PDM Version 3.0(4):
Added support for an optional interface name in Auto Update. This is in Configuration > System Properties > Auto Update.
Added support for the new SIP timeouts. This is in Configuration > System Properties > Advanced > Timeouts.
Version 3.0(4) includes several caveat resolutions.
This section describes important notes for PDM software Version 3.0.
CLI Command Support
PDM Version 3.0 adds support for the PIX Firewall CLI command syntax. Refer to PDM online Help for more information on the supported CLI commands.
Fully Supported CLI Commands
PDM parses these commands when uploading or creating the PIX Firewall configuration and grants you full access to all PDM user-interface tabs.
Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.
Table 10 lists the CLI commands that PDM fully supports. PDM parses these commands in the firewall configuration and allows PDM to operate successfully.
CLI Commands not Fully Supported in PIX Firewall
Table 11 lists commands whose values cannot be changed with PDM. PDM parses these commands in the firewall configuration and handles them transparently.
CLI Commands Ignored By PDM in PIX Firewall
These CLI commands are displayed in the list of unparseable commands in PDM. However, PDM does not change or remove these commands from your configuration, and the presence of these commands does not limit your access to the user-interface tabs in PDM.
The following commands are otherwise ignored by PDM except that they are displayed in the list of unparseable commands:
•Access lists not applied to any interface and not applied to the aaa command statement—A group of access-list command statements without an accompanying access-group command statement or aaa match acl command statement.
For example:
access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any
•A list of outbound command statements without an associated apply command statement.
•Any isakmp client configuration commands.
Note OSPF subcommands are not supported.
Unsupported CLI Commands and Command Combinations
The following CLI commands or command combinations allow only monitoring, not configuration.
Table 12 lists commands that PDM does not support in a configuration. If the commands are present in your configuration, you can only use the Monitoring tab.
Table 12 CLI Commands That Limit You to the PDM Monitoring Tab
outbound id except
access-list acl1 deny igmp any any
In addition, the following command combinations also limit your access to the Monitoring tab only:
•aaa command with the match option appearing in the configuration together with other aaa commands that contain the include or exclude options. For example, the following commands would not be parsed by PDM:
access-list 101 permit tcp any any
aaa authentication include http inside 22.214.171.124 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal
You can fix this by changing aaa commands exclusively to either the match acl style or to the include/exclude style.
•Combining the access-list and access-group command statements with conduit and/or outbound command statements. For example, the following commands appearing anywhere in the configuration (not necessarily together) would not be parsed by PDM:
access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
access-group 101 in interface outside
conduit permit icmp any any
Note Certain combinations of access control lists are unsupported.
•Using an access control list (ACL) for multiple interfaces. For example, applying the access-list eng permit ip any server1 255.255.255.255 command to two interfaces limits access:
access-group eng in interface perim
access-group eng in interface outside
•Using an ACL name for multiple purposes such as in access-group and aaa command statements. For example, the following commands would not be parsed by PDM:
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 126.96.36.199 255.255.255.224
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn
In this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating an access-list command statement without an accompanying access-group command statement and then applying that to the aaa command statement.
For example:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 188.8.131.52 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
•Using an ACL for multiple purposes (such as authentication, authorization, or accounting). For example, the following command statements cannot be parsed by PDM:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 184.108.40.206 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out2 outside AuthIn
In this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating another access-list command statement identical to the first statement and applying that in the aaa authorization command.
For example:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 220.127.116.11 255.255.255.224
access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 18.104.22.168 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out3 outside AuthIn
•Applying an outbound command statement group to multiple interfaces. For example, the following command statements would not be parsed by PDM:
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src
•Any outbound command statement that contains the except option. You can replace the except option with a permit or deny statement to eliminate the use of the except option. Once the except option is replaced with permit or deny, PDM functions normally.
•User Lacks Privilege. The user lacks the privilege to run the following basic commands:
write
show pdm
show version
show curpriv
•ACL and IGMP Access Group. An access list cannot be applied both to an interface (access-group command) and to an igmp access-group command. The following is not allowed:
access-list acl1 deny igmp any any
access-group acl1 in interface outside
multicast interface outside
igmp access-group acl1
•Policy NAT configurations will force PDM into monitor mode. A complete description of how to configure Policy NAT and the related CLI commands is available in the Cisco PIX Firewall and VPN Configuration Guide, Version 6.3 at this location:
If any one of the following commands is in the configuration, PDM is forced into monitor mode:
static (inside,outside) 22.214.171.124 access-list NET1
static (inside,outside) 126.96.36.199 access-list NET2
nat (inside) 1 access-list NET1
nat (inside) 2 access-list NET2
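A pre-flight check for the combinations listed in this section, as an added example that is not part of the Cisco release notes or of PDM itself: it scans a saved PIX 6.3 configuration and reports each combination that would limit PDM to the Monitoring tab. The sample configuration is constructed for the example, and the treatment of nat 0 access-list (NAT exemption) as harmless is an assumption.

```python
from collections import defaultdict
# Constructed PIX 6.3 configuration fragment (not from any real device) that
# contains several of the unsupported combinations described in this section.
SAMPLE_CONFIG = """\
access-list eng permit ip any host 10.1.1.10
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 any
access-group eng in interface perim
access-group eng in interface outside
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn
aaa authorization match acl_out outside AuthIn
aaa accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthIn
conduit permit icmp any any
outbound 13 except 10.0.0.0 255.0.0.0 0 0
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src
nat (inside) 1 access-list NET1
"""

def monitor_only_reasons(config: str) -> list[str]:
    """One message per release-note combination found; [] means none is present."""
    reasons = []
    acl_ifaces = defaultdict(set)       # ACL name -> interfaces it is applied to (access-group)
    acl_aaa = defaultdict(set)          # ACL name -> aaa services that reference it with "match"
    outbound_ifaces = defaultdict(set)  # outbound list id -> interfaces it is applied to (apply)
    aaa_match = aaa_inc_exc = has_acl_group = has_conduit_outbound = False
    for line in (l for l in config.splitlines() if l.strip()):
        t = line.split()
        if t[0] == "access-group" and len(t) >= 5:
            acl_ifaces[t[1]].add(t[4])
            has_acl_group = True
        elif t[0] == "aaa" and len(t) >= 4 and t[2] == "match":
            aaa_match = True
            acl_aaa[t[3]].add(t[1])
        elif t[0] == "aaa" and len(t) >= 3 and t[2] in ("include", "exclude"):
            aaa_inc_exc = True
        elif t[0] in ("conduit", "outbound"):
            has_conduit_outbound = True
            if t[0] == "outbound" and len(t) >= 3 and t[2] == "except":
                reasons.append(f"outbound {t[1]} uses the except option")
        elif t[0] == "apply" and len(t) >= 3:
            outbound_ifaces[t[2]].add(t[1].strip("()"))
        elif t[0] in ("static", "nat") and len(t) > 3 and "access-list" in t[3:] and t[2] != "0":
            reasons.append(f"policy NAT: {line}")  # assumption: nat 0 access-list (exemption) is fine
    for acl, ifaces in acl_ifaces.items():
        if len(ifaces) > 1:
            reasons.append(f"ACL {acl} applied to multiple interfaces: {sorted(ifaces)}")
        if acl in acl_aaa:
            reasons.append(f"ACL {acl} used by both access-group and aaa")
    for acl, services in acl_aaa.items():
        if len(services) > 1:
            reasons.append(f"ACL {acl} used for multiple aaa purposes: {sorted(services)}")
    for oid, ifaces in outbound_ifaces.items():
        if len(ifaces) > 1:
            reasons.append(f"outbound {oid} applied to multiple interfaces: {sorted(ifaces)}")
    if aaa_match and aaa_inc_exc:
        reasons.append("aaa match mixed with aaa include/exclude")
    if has_acl_group and has_conduit_outbound:
        reasons.append("access-group combined with conduit/outbound")
    return reasons
```

An empty result only means none of the listed combinations was found; it does not prove that PDM will parse every other command in the file.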
Multiple PDM Sessions
PDM allows multiple PCs or workstations to each have one browser session open with the same firewall. A single firewall unit can support up to 5 concurrent PDM sessions. However, only one session per browser per PC or workstation is supported for a particular firewall. Refer to PDM online Help for more information on multiple PDM sessions.
The following sections describe the caveats for PDM software Version 3.0.
For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note Please use Bug Navigator II on CCO to view additional caveat information. Bug Navigator II may be accessed at the following website:
Open Caveats - Version 3.0(4)
Resolved Caveats - Version 3.0(4)
Table 14 Resolved Caveats
ID Number Software Release 3.0(4) Corrected Caveat Title
Sharing ACL in crypto and split tunneling causes PDM to hang
PDM IPSec VPNs option times out too soon with many tunnels configure
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the appropriate documentation for your Cisco PIX Firewall system.
CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0406R)
Copyright © 2004 Cisco Systems, Inc.
All rights reserved