Cisco PIX Device Manager

Cisco PIX Device Manager Release Notes, Version 3.0(4)


Cisco PIX Device Manager Release Notes Version 3.0(4)


August 2005

Contents

This document includes the following sections:

Introduction

System Requirements

PC/Workstation Requirements

New Features in PDM Version 3.0(4)

Important Notes

Caveats

Obtaining Documentation and Submitting a Service Request

Introduction

Cisco PIX Device Manager (PDM) is a browser-based Java application for configuring and monitoring the PIX Firewall Version 6.3 software. If the unit is currently running the PIX Firewall Version 6.3 software, the PDM Version 3.0 software is already loaded in the PIX Firewall Flash memory. You should verify that you are running PDM Version 3.0(4).


Note: For PIX Firewall Version 6.2, use PDM Version 2.1. For PIX Firewall Version 6.0 and 6.1, use PDM Version 1.1.


PDM Software Overview

PDM Version 3.0(4) will work with all versions of PIX 6.3 and supports the new features in PIX 6.3(5).

PDM Version 3.0 is a single image that supports only PIX Firewall Version 6.3 and is designed to provide secure administration of the PIX Firewall. PDM is implemented as a signed Java applet that downloads to your PC or workstation when you point your browser at the PIX Firewall.

PDM provides a graphical user interface to the firewall to administer it without requiring knowledge of the command-line interface (CLI). Additionally, PDM maintains compatibility with the firewall CLI and includes a tool for using the standard CLI commands within the PDM application. PDM lets you graph many aspects of the firewall, as well as print or export graphs of traffic through the firewall and system activity.

To help you use PDM, online help is provided throughout the application as well as a help table of contents, index, and glossary.

System Requirements

PDM is available on all Cisco PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running Version 6.3. PDM Version 3.0 is a single image which supports only PIX Firewall Version 6.3. The following sections list the system requirements for PDM Version 3.0 software.

PDM Requirements

PDM has the following system requirements:

PDM Version 3.0 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running PIX Firewall software Version 6.3. For instructions on installing PDM, refer to the Cisco PIX Device Manager Installation Guide, at the following website: http://www.cisco.com/en/US/partner/docs/security/pix/pix63/pdm30/installation/guide/pdm_ig.html

PDM works with any configuration, whether created with the PIX Firewall command-line interface (CLI), Cisco Secure Policy Manager (CSPM) or Management Center for Firewalls. However, subsequent configuration changes using CSPM or Management Center for Firewalls overwrite the PDM configuration.


Caution: If you are using CSPM or Management Center for Firewalls, use PDM for monitoring only. All changes made using PDM will be overwritten the next time CSPM or Management Center for Firewalls synchronizes with the PIX Firewall.

This section includes the following topics:

PIX Firewall System Interoperability with PDM

Flash Memory Requirements

Maximum Configuration File Size

Software Requirements

Upgrading to a New Software Release

PIX Firewall System Interoperability with PDM

Table 1 lists the PIX Firewall system requirements for PDM Version 3.0.

Table 1 PIX Firewall System Requirements for PDM Version 3.0

Hardware
  Platform: PIX 501, 506/506(E), 515/515(E), 520, 525, or 535
  Random access memory: 16 MB
  Flash memory: See Table 2

Software
  PIX Firewall operating system: Version 6.3
  Encryption: DES, 3DES, or AES enabled


The PIX Firewall system ships with PIX Firewall software Version 6.3, which includes a pre-installed DES activation key. If your PIX Firewall is not enabled for DES, 3DES, or AES, and you are a registered Cisco user, you can receive a DES, 3DES, or AES activation key by completing the form at the following URL: http://www.cisco.com/go/license/public. To become a registered Cisco user, go to http://tools.cisco.com/RPF/register/register.do.

Flash Memory Requirements

Table 2 lists the Flash memory requirements for PIX Firewall software Version 6.3 in conjunction with PDM Version 3.0, by platform.

Table 2 Flash Memory Requirements for PDM Version 3.0

PIX Firewall Model    Flash Memory Required
PIX 501               8 MB
PIX 506/506E          8 MB
PIX 515/515E          16 MB
PIX 520               16 MB (some PIX 520 units may need a memory upgrade: older units shipped with 2 MB, newer units with 16 MB)
PIX 525               16 MB
PIX 535               16 MB


Maximum Configuration File Size

For optimum performance, we recommend a configuration file of no more than 100 KB (approximately 1500 lines) when using PDM.

PIX Firewall configuration files over 100 KB may interfere with the performance of PDM on your workstation in the following situations:

While executing commands such as write term and show conf

Failover (the configuration synchronization time)

During a system reload

To determine the size of your configuration file, enter the show flashfs command at the PIX Firewall CLI prompt and find the output line that begins with "file 1". The number labeled "length" on that line is the configuration file size in bytes.

For example:

pixfirewall# show flashfs
flash file system: version:3 magic:0x12345679
  file 0:origin:      0 length:1925176
  file 1:origin:2883584 length:2944
  file 2:origin:3014656 length:32
  file 3:origin:      0 length:0
  file 4:origin:3145728 length:131072
  file 5:origin:8257536 length:308

PIX Firewall platforms have different configuration file size limitations than PDM. See Table 3 for the maximum recommended configuration file size by platform.

Table 3 Maximum Recommended Configuration File Size by Platform

PIX Firewall Model             Maximum Configuration
PIX 501                        256 KB
PIX 506/506E, 515/515E, 520    1 MB
PIX 525, PIX 535 (1)           2 MB

(1) This applies to PIX Firewall software Version 5.3(2) and later versions. The maximum recommended configuration file size for PIX Firewall software Versions 5.3(1) and earlier is 1 MB.
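The size check described above can be scripted. The following is an added example and not part of the Cisco release notes: it parses the show flashfs output quoted earlier (embedded here as constructed sample input), reads the length of file 1, and compares it with the 100 KB PDM recommendation and the Table 3 per-platform maximums. It assumes KB and MB are 1024-based, since the notes give only rounded units.

```python
"""Check a PIX Firewall configuration size against the PDM recommendation.

Added example, not part of the Cisco release notes. It parses the output of
'show flashfs', reads the length of file 1 (the stored configuration), and
compares it with the 100 KB PDM recommendation and the per-platform
recommended maximums from Table 3.
"""
import re

# Constructed sample: the show flashfs output quoted in these release notes.
SAMPLE_FLASHFS = """\
flash file system: version:3 magic:0x12345679
  file 0:origin:      0 length:1925176
  file 1:origin:2883584 length:2944
  file 2:origin:3014656 length:32
  file 3:origin:      0 length:0
  file 4:origin:3145728 length:131072
  file 5:origin:8257536 length:308
"""

# Assumption: KB and MB are 1024-based; the notes give only the rounded units.
KB = 1024
MB = 1024 * KB

# 100 KB (approximately 1500 lines) is recommended when using PDM.
PDM_RECOMMENDED_MAX = 100 * KB

# Table 3: maximum recommended configuration file size by platform. The 2 MB
# figure for the PIX 525/535 applies to software 5.3(2) and later, which
# covers the 6.3 release that PDM 3.0 requires.
PLATFORM_MAX = {
    "PIX 501": 256 * KB,
    "PIX 506/506E": 1 * MB,
    "PIX 515/515E": 1 * MB,
    "PIX 520": 1 * MB,
    "PIX 525": 2 * MB,
    "PIX 535": 2 * MB,
}

# One "file N:origin:X length:Y" line of show flashfs output.
FILE_LINE = re.compile(r"^\s*file\s+(\d+):origin:\s*(\d+)\s+length:(\d+)\s*$")


def parse_flashfs(output):
    """Return {file_index: (origin, length)} for every file line in the output."""
    files = {}
    for line in output.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files[int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return files


def config_size(output):
    """Return the configuration file size in bytes (the length field of file 1)."""
    files = parse_flashfs(output)
    if 1 not in files:
        raise ValueError("show flashfs output has no 'file 1' entry")
    return files[1][1]


def check_config_size(output, platform):
    """Return (size_bytes, findings); findings lists each recommendation exceeded."""
    size = config_size(output)
    findings = []
    if size > PDM_RECOMMENDED_MAX:
        findings.append(
            f"{size} bytes exceeds the {PDM_RECOMMENDED_MAX} byte (100 KB) PDM recommendation"
        )
    limit = PLATFORM_MAX[platform]
    if size > limit:
        findings.append(
            f"{size} bytes exceeds the {limit} byte maximum recommended for the {platform}"
        )
    return size, findings


if __name__ == "__main__":
    size, findings = check_config_size(SAMPLE_FLASHFS, "PIX 515/515E")
    print(f"configuration is {size} bytes")
    for f in findings:
        print("warning:", f)
```

For the quoted output the configuration is 2944 bytes, well under both thresholds; a configuration that exceeds the platform maximum also exceeds the PDM recommendation, so the check reports both.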


Software Requirements

PIX Firewall software Version 6.3 has the following software requirements:

The PIX Firewall image no longer fits on a diskette. If you are using a PIX Firewall unit with a diskette drive, download the Boothelper file from cisco.com (http://www.cisco.com/public/sw-center/index.shtml) to get the PIX Firewall image.

Before upgrading from a previous PIX Firewall version, save your configuration and write down your activation key and serial number. Refer to "Upgrading to a New Software Release" in this chapter for new installation requirements.

Before upgrading from Version 4 or earlier, if you use Auto Update, IPSec, SSH, PDM, or VPN, you will need a new 56-bit DES activation key, which can be sent to you when you complete the form at: http://www.cisco.com/go/license/public

Use the show version command to verify the software version of your PIX Firewall unit.

Upgrading to a New Software Release

If you are a registered Cisco user, refer to the Upgrading Software for the Cisco Secure PIX Firewall document at the following URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml

PC/Workstation Requirements

PDM requirements vary depending on the platform.


Note: PDM is not supported on Macintosh, Windows 3.1, Windows 95, Windows 98, Windows ME, or Windows NT operating systems.


Note the following when using PDM to access the PIX Firewall unit:

Minimum Disk Space Requirement—PDM requires at least 4 MB of temporary disk space to load into the browser.

To check which Java Virtual Machine (JVM) version you have, launch PDM. In the main PDM menu, click Help>About Cisco PIX Device Manager. When the About PDM information window appears, it displays your browser specifications in a table. You can download the latest JVM version for Internet Explorer from Microsoft, and you can download the latest Java Plug-in from Sun Microsystems (http://www.java.sun.com).

HTTP 1.1—Settings for Internet Options>Advanced>HTTP 1.1 settings should use HTTP 1.1 for both proxy and non-proxy connections.

Supported Platforms

This section includes the following topics:

Microsoft Windows

Sun Solaris

Red Hat Linux

Microsoft Windows

Table 4 and Table 5 list the requirements for Windows platforms using PDM 3.0.

Table 4 Hardware Requirements and Network Connectivity for Windows Platforms for PDM 3.0

Hardware
  Processor: Pentium III or equivalent running at 450 MHz or higher
  Random access memory: 256 MB
  Display resolution and colors: 1024 x 768 pixels and 256 colors

Network connection
  Connection speed: 56 Kbps; 384 Kbps (DSL or cable) recommended

Table 5 Supported Windows Platforms for PDM 3.0

Operating system: Microsoft Windows 2000 (Service Pack 4), or Microsoft Windows XP (English or Japanese versions)
  Internet Explorer 6.0: Native (1) JVM (VM 3809), or Java Plug-in 1.4.2 or 1.5.0
  Netscape 7.2: Java Plug-in 1.4.2 or 1.5.0

(1) Native refers to the built-in JVM that ships with the browser.


Sun Solaris

Table 6 and Table 7 list the requirements for Sun Solaris platforms using PDM 3.0.

Table 6 Hardware and Network Connectivity Requirements for Sun Solaris Platforms for PDM 3.0

Hardware
  Processor: SPARC
  Random access memory: At least 256 MB
  Display resolution and colors: At least 1024 x 768 pixels and 256 colors

Network connection
  Connection speed: 56 Kbps; 384 Kbps (DSL or cable) recommended

Table 7 Supported Sun Solaris Platforms for PDM 3.0 (1)

Operating system: Sun Solaris 2.8 or 2.9
  Mozilla 1.4: Java Plug-in 1.4.2

(1) Sun Solaris running OpenWindows is not supported.


Red Hat Linux

Table 8 and Table 9 list the requirements for Red Hat Linux platforms using PDM 3.0.

Table 8 Hardware and Network Connectivity Requirements for Linux Platforms for PDM 3.0

Hardware
  Processor: Pentium III or equivalent running at 450 MHz or higher
  Random access memory: At least 256 MB
  Display resolution and colors: At least 1024 x 768 pixels and 256 colors

Network connection
  Connection speed: 56 Kbps; 384 Kbps (DSL or cable) recommended

Table 9 Supported Red Hat Linux Platforms for PDM 3.0

Operating system: Red Hat Linux 9.0 running GNOME or KDE, or Red Hat Enterprise Linux WS version 3
  Mozilla 1.4: Java Plug-in 1.4.2


New Features in PDM Version 3.0(4)

The following were added in PDM Version 3.0(4):

Added support for an optional interface name in Auto Update. This is in Configuration > System Properties > Auto Update.

Added support for the new SIP timeouts. This is in Configuration > System Properties > Advanced > Timeouts.

Version 3.0(4) includes several caveat resolutions.

Important Notes

This section describes important notes for PDM software Version 3.0.

CLI Command Support

PDM Version 3.0 adds support for the PIX Firewall CLI command syntax. Refer to the PDM online Help for more information on the supported CLI commands.

Fully Supported CLI Commands

PDM parses these commands when uploading or creating the PIX Firewall configuration and grants you full access to all PDM user-interface tabs.

Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.

Table 10 lists the CLI commands that PDM fully supports. PDM parses these commands in the firewall configuration and allows PDM to operate successfully.

Table 10 CLI Commands That PDM Parses and Fully Supports in Configuration 

PIX Commands

aaa command, include option

aaa command, match acl_name option

aaa-server

access-list and access-group

access-list compiled

apply

ca

clock

auth-prompt

conduit

crypto map

crypto dynamic-map

crypto ipsec

dhcpd

dhcprelay

domain-name

enable password

failover

failover lan and show failover lan detail

filter

fixup protocol

fragment

global

hostname

http

icmp

igmp

interface

ip address

ip audit

ip local pool

ip verify reverse-path

isakmp identity [address | hostname]

logging

mroute

multicast

name

nameif

nat

nat [(if_name)] 0 access-list acl_name

ntp

object-group (network, service)

outbound

passwd

pdm

pdm group

pdm history

pdm location

pdm logging

privilege

remote-management

rip

route

service resetinbound

snmp-deny

snmp-server

ssh

static (used for inbound PAT)

sysopt

telnet

tftp-server

timeout

url-block

url-cache

url-server

username

vpdn

vpnclient

vpngroup


CLI Commands not Fully Supported in PIX Firewall

Table 11 lists commands that cannot be changed. PDM parses these commands in the firewall configuration and handles them transparently.

Table 11 CLI Commands not Fully Supported That Cannot be Changed with PDM 

PIX Firewall Commands

arp

floodguard

established

object-group icmp-type

object-group network (with nested, mixed object types)

object-group protocol

sysopt ipsec pl-compatible

sysopt nodnsalias inbound

sysopt nodnsalias outbound

sysopt route dnat

sysopt security fragguard

sysopt uauth allow-http-cache

virtual


CLI Commands Ignored By PDM in PIX Firewall

These CLI commands are displayed in the list of unparseable commands in PDM. However, PDM does not change or remove these commands from your configuration, and the presence of these commands does not limit your access to the user-interface tabs in PDM.

The following commands are otherwise ignored by PDM except that they are displayed in the list of unparseable commands:

Access lists not applied to any interface and not applied to the aaa command statement—A group of access-list command statements without an accompanying access-group command statement or aaa match acl command statement.

For example:

access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any

A list of outbound command statements without an associated apply command statement.

Any isakmp client configuration commands.


Note: OSPF subcommands are not supported.


Unsupported CLI Commands and Command Combinations

The following CLI commands or command combinations allow only monitoring and not configuration facilities.

Table 12 lists commands that PDM does not support in a configuration. If the commands are present in your configuration, you can only use the Monitoring tab.

Table 12 CLI Commands That Limit You to the PDM Monitoring Tab

Command

alias

outbound id except

access-list acl1 deny igmp any any
access-group acl1


In addition, the following command combinations also limit your access to the Monitoring tab only:

aaa command with the match option appearing in the configuration with other aaa commands that contain the include or exclude options. For example, the following commands would not be parsed by PDM.

access-list 101 permit tcp any any 
aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal

You can fix this by changing aaa commands exclusively to either the match acl style or to the include/exclude style.

Combining the access-list and access-group command statements with conduit and/or outbound command statements. For example, the following commands appearing anywhere in the configuration (not necessarily together) would not be parsed by PDM.

access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
access-group 101 in interface outside
conduit permit icmp any any

Note: Certain combinations of access control lists are unsupported.


Applying one access control list (ACL) to multiple interfaces. For example, applying the access-list eng permit ip any server1 255.255.255.255 command statement to two interfaces limits access:

access-group eng in interface perim
access-group eng in interface outside

Using an ACL name for multiple purposes such as in access-group and aaa command statements. For example, the following commands would not be parsed by PDM.

access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn

In this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating an access-list command statement without an accompanying access-group command statement and then applying that to the aaa command statement.

For example:

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn

Using an ACL for multiple purposes (such as authentication, authorization, or accounting). For example, the following command statements cannot be parsed by PDM.

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out2 outside AuthIn

In this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating another access-list command statement identical to the first statement and applying that in the aaa authorization command.

For example:

access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out3 outside AuthIn

Applying an outbound command statement group to multiple interfaces. For example, the following command statements would not be parsed by PDM.

outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src

Any outbound command statement that contains the except option. You can replace the except option with a permit or deny statement to eliminate the use of the except option. Once the except option is replaced with permit or deny, PDM functions normally.

User lacks privilege. The PDM user lacks the privilege to run the following basic commands:

write 
show pdm 
show version 
show curpriv 

ACL and IGMP Access Group. An access list cannot be applied to an interface command and an igmp access group command. The following is not allowed:

access-list acl1 deny igmp any any 
access-group acl1 in interface outside 
multicast interface outside 
igmp access-group acl1 

Policy NAT configurations will force PDM into monitor mode. A complete description of how to configure Policy NAT and the related CLI commands is available in the Cisco PIX Firewall and VPN Configuration Guide, Version 6.3 at this location:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a5d.shtml

If any one of the following commands is in the configuration, PDM will be forced into monitor mode:

static (inside,outside) 209.165.202.129 access-list NET1
static (inside,outside) 209.165.202.130 access-list NET2
nat (inside) 1 access-list NET1
nat (inside) 2 access-list NET2
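The combinations listed in this section can be checked before a configuration is loaded into PDM. The following is an added example, not Cisco's code and not part of the release notes: a small lint that scans a PIX 6.3 configuration for the conditions described above (mixed aaa match and include/exclude styles, access-group combined with conduit or outbound, one ACL on several interfaces, an ACL name shared between access-group and aaa or between aaa purposes, an ACL shared with igmp access-group, one outbound list applied to several interfaces, outbound except, alias, and policy NAT). The finding codes are names chosen here, the sample configuration is constructed from the fragments quoted above, and nat (if_name) 0 access-list is deliberately not flagged because Table 10 lists it as fully supported.

```python
"""Lint a PIX Firewall 6.3 configuration for the command combinations that
these release notes say limit PDM 3.0 to the Monitoring tab.

Added example, not part of the Cisco release notes. The finding codes are
names chosen for this example; the sample configuration is constructed from
the fragments quoted in the notes.
"""
from collections import defaultdict

# Constructed sample configuration: each problem line is taken or adapted
# from the unsupported combinations described in the notes.
SAMPLE_CONFIG = """\
hostname pixfirewall
access-list 101 permit tcp any any
aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal
access-list eng permit ip any host 10.1.1.5
access-group eng in interface perim
access-group eng in interface outside
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out2 outside AuthIn
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src
outbound 20 except 10.1.1.1 255.255.255.255 80 tcp
conduit permit icmp any any
alias (inside) 192.168.1.10 209.165.201.10 255.255.255.255
static (inside,outside) 209.165.202.129 access-list NET1
nat (inside) 0 access-list NONAT
"""

# Constructed configuration that uses only fully supported forms.
CLEAN_CONFIG = """\
access-list acl_out permit tcp any any
access-group acl_out in interface outside
access-list auth_acl permit tcp any any
aaa authentication match auth_acl outside AuthIn
nat (inside) 0 access-list NONAT
"""


def tokenize(config_text):
    """Yield whitespace-split token lists, skipping blank and comment lines."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("!", ":")):
            yield line.split()


def pdm_monitor_only_findings(config_text):
    """Return [(code, detail), ...] for each documented monitor-only condition found."""
    access_group_ifaces = defaultdict(set)  # acl name -> interfaces it is applied to
    aaa_match_purposes = defaultdict(set)   # acl name -> aaa purposes using it
    aaa_styles = set()                      # "match" and/or "include"/"exclude"
    apply_ifaces = defaultdict(set)         # outbound list id -> interfaces
    igmp_acls = set()                       # acl names used by igmp access-group
    has_conduit = has_outbound = False
    findings = []

    for t in tokenize(config_text):
        cmd = t[0]
        if cmd == "access-group" and len(t) >= 2:
            iface = t[t.index("interface") + 1] if "interface" in t[:-1] else None
            access_group_ifaces[t[1]].add(iface)
        elif cmd == "aaa" and len(t) >= 4 and t[1] in ("authentication", "authorization", "accounting"):
            aaa_styles.add(t[2])
            if t[2] == "match":
                aaa_match_purposes[t[3]].add(t[1])
        elif cmd == "outbound" and len(t) >= 3:
            has_outbound = True
            if t[2] == "except":
                findings.append(("outbound-except", " ".join(t)))
        elif cmd == "apply" and len(t) >= 3:
            apply_ifaces[t[2]].add(t[1].strip("()"))
        elif cmd == "conduit":
            has_conduit = True
        elif cmd == "alias":
            findings.append(("alias", " ".join(t)))
        elif cmd == "igmp" and len(t) >= 3 and t[1] == "access-group":
            igmp_acls.add(t[2])
        elif cmd == "static" and "access-list" in t:
            findings.append(("policy-nat", " ".join(t)))
        elif cmd == "nat" and len(t) >= 3 and "access-list" in t and t[2] != "0":
            # nat (if_name) 0 access-list is fully supported; other ids are policy NAT.
            findings.append(("policy-nat", " ".join(t)))

    if "match" in aaa_styles and aaa_styles & {"include", "exclude"}:
        findings.append(("aaa-mixed-styles", "aaa match combined with include/exclude"))
    if access_group_ifaces and (has_conduit or has_outbound):
        findings.append(("access-group-with-conduit-or-outbound", "access-group with conduit/outbound"))
    for acl, ifaces in access_group_ifaces.items():
        if len(ifaces) > 1:
            findings.append(("acl-multiple-interfaces", f"{acl} on {sorted(map(str, ifaces))}"))
        if acl in aaa_match_purposes:
            findings.append(("acl-shared-access-group-aaa", acl))
        if acl in igmp_acls:
            findings.append(("acl-igmp-access-group", acl))
    for acl, purposes in aaa_match_purposes.items():
        if len(purposes) > 1:
            findings.append(("acl-multiple-aaa-purposes", f"{acl} used for {sorted(purposes)}"))
    for list_id, ifaces in apply_ifaces.items():
        if len(ifaces) > 1:
            findings.append(("outbound-multiple-interfaces", f"outbound {list_id} on {sorted(ifaces)}"))
    return findings


if __name__ == "__main__":
    for code, detail in pdm_monitor_only_findings(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

An empty result means none of the documented combinations is present; the fixes are the ones the notes give (separate ACLs per interface and per aaa purpose, one apply per outbound list, and replacing except with permit or deny). The same approach does not catch the privilege-level condition above, which depends on the user account rather than the configuration text.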

Multiple PDM Sessions

PDM allows multiple PCs or workstations to each have one browser session open with the same firewall. A single firewall unit can support up to 5 concurrent PDM sessions. However, only one session per browser per PC or workstation is supported for a particular firewall. Refer to the PDM online Help for more information on multiple PDM sessions.

Caveats

The following sections describe the caveats for PDM software Version 3.0.

For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note: Please use Bug Navigator II on CCO to view additional caveat information. Bug Navigator II may be accessed at the following website:

http://www.cisco.com/support/bugtools


Open Caveats - Version 3.0(4)

Table 13 Open Caveats

ID Number    Corrected in 3.0(4)  Caveat Title
CSCdx28710   No                   PDM shows wrong interface on outbound deny ACL
CSCdx44905   No                   Match access list uses subnet wider than ip local pool
CSCeb02365   No                   PDM not parse ACL ip any any when no pdm loc&no nat&apply outside
CSCeb03161   No                   Mozilla: Filter rule/add: Cannot select an action
CSCee26060   No                   PDM: Access Rules - Search by Host/Network not working
CSCef15485   No                   Choice list sometimes blank on Solaris and Red Hat Linux
CSCef16686   No                   PDM with Sparc Solaris 9 Mozilla without DNS resolved will crash
CSCef18357   No                   PDM could not fully configure LAN based failover.
CSCef18532   No                   enable_15 user not able to login via PDM, but works sometimes
CSCef20659   No                   PDM took 15 mins to bring up after clear PDM cache and close Mozilla
CSCeg01314   No                   Unable to insert ACL using PDM
CSCeg71623   No                   PDM should not change config if logged in as a read-only user
CSCeh35678   No                   PDM hangs with sec level < 100 and using aaa authen include/exclude
CSCeh35699   No                   AAA table sometimes switches the source/dest address
CSCeh35717   No                   In AAA table, PDM sometimes thinks rule is null when it is not.
CSCeh50272   No                   Network obj groups are created even when identity statics are used
CSCeh62138   No                   PDM checkbox description is aligned incorrectly and gets cut out
CSCeh62216   No                   PDM could not close gracefully under Mozilla 1.4 and JRE 1.5.0_02
CSCeh62358   No                   PDM does not allow user to type IP address to add host/network
CSCei72423   No                   Error in sending command when disabling auto-update timeout
CSCei78238   No                   Changes not discarded when Discard is selected and switching to Home
CSCsb54762   No                   PDM doesn't recognize globals defined with names


Resolved Caveats - Version 3.0(4)

Table 14 Resolved Caveats

ID Number    Corrected in 3.0(4)  Caveat Title
CSCeg29046   Yes                  Sharing ACL in crypto and split tunneling causes PDM to hang
CSCeh60241   Yes                  PDM IPSec VPNs option times out too soon with many tunnels configure


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.