The information contained in this product bulletin applies to all Cisco PIX(TM) Firewall hardware models running software version 4.3 or later. Version 4.3 requires at least 16 MB (an optional 128 MB upgrade is available). Version 4.3 supports up to four Ethernet interfaces. Three Token Ring interfaces have been tested with the PIX Firewall.
Version 4.3.1 has also received TTAP certification, making the Cisco PIX Firewall the first and only firewall solution certified to be in full compliance with the Common Criteria and the US Government Protection Profile, established and maintained by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST).
This Product Bulletin contains the following information:
New and Changed Information
- TTAP Certification for Cisco PIX Firewall version 4.3.1
- New Features
  - PIX Firewall TCP Syslog Server
  - Real-Time Clock
  - Telnet Console Access from All Internal Interfaces
  - Enable AAA Authentication Console
  - AAA Port Range Specification
  - Disabling and Re-Enabling of Syslog Messages
  - PIX Firewall SNMP Object ID
  - User-Based Timeout
  - Virtual Telnet Logout
Links to Other Documents
Cisco Systems is pleased to announce the Common Criteria certification of the PIX 520 Firewall. The Common Criteria is an international standard, recognized in the United Kingdom, Canada, Germany, France, the Netherlands, and the United States, that details functional and assurance requirements to test the IT security of a product or system. The PIX Firewall is the first and only firewall to be tested and certified against a Common Criteria-based Protection Profile created by the National Institute of Standards and Technology and the National Security Agency.
The Cisco PIX Firewall, v.4.3.1, is the only firewall in the world certified as compliant with the U.S. Government Protection Profile.
Details on Cisco's web site about TTAP certification of the PIX Firewall can be found at:
Additional information can be found on NSA's Common Criteria web site at:
The PIX Firewall Syslog Server (PFSS) runs on a Windows NT system and receives syslog messages from up to 10 PIX Firewalls.
Note: The Windows NT filesystem where you install PFSS must be an NTFS partition and not FAT.
Note: When you install PFSS on the Windows NT system, write down the values you supply for the disk empty timer and the disk full timer. Once PFSS is installed, the only way you can view this information again is by examining the Windows NT Registry with the regedit command and searching for disk_empty_watch. Also, if you need to view the information in the Registry, do not change it in the Registry. The information can only be changed from the Start>Settings>Control Panel>Services setting. You can view the other parameter values in the pfss.log file that accompanies the daily log files.
Note 1: PFSS and the PIX Firewall Manager cannot be used together even if installed on separate Windows NT systems.
Note 2: If the Windows NT system on which PFSS is installed reaches the percentage of disk full value you set when installing PFSS, the Windows NT system causes the PIX Firewall to stop all of its connections until the log files are removed from the system.
Refer to the logging command page in the Configuration Guide for the PIX Firewall Version 4.3, Chapter 5, "Command Reference" for additional important information about configuring the PIX Firewall for use with PFSS. This page is located at:
Installation and configuration instructions for the PFSS on the Windows NT system are described in the Quick Installation Guide for the PIX Firewall Version 4.3, located at:
The clock set command allows you to set the PIX Firewall's internal clock. The internal clock is used to time-stamp syslog messages. You can use the show clock command to display the current time. Note: The clock set command only works until December 31, 2097.
You can now access the PIX Firewall console via Telnet from all internal interfaces.
You can now set the enable option on the aaa authentication console command. This command requires that access to the PIX Firewall console be authenticated from a TACACS+ or RADIUS server. After authentication is successful, all changes to the configuration from the serial console are logged to the syslog servers at syslog level 5. Changes made from Telnet console sessions are not logged.
If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the PIX username and the enable password.
You can now set port ranges for the TCP and UDP protocols with the aaa authorization command.
You can now disable specific syslog messages with the no logging message syslog_id command, and re-enable specific syslog messages with the logging message syslog_id command. You can display all disabled messages with the show logging disabled command, and re-enable all disabled messages with the clear logging disabled command.
An SNMP object ID (OID) for PIX Firewall now displays in SNMP event traps sent from the PIX Firewall. OID 126.96.36.199.188.8.131.52.227 was assigned as the PIX Firewall system object ID.
You can use the show uauth command to display CiscoSecure version 2.1 or later idletime and timeout values that provide user-based, rather than global, authentication timeouts.
The Cisco Secure user-based timer durations override the duration set with the timeout uauth command.
The virtual telnet command lets you log in to the virtual authentication server on first access and log out on second access to the specified IP address.
clock set - allows you to set the PIX Firewall's internal clock. The current time is used for time-stamped syslog messages, which you can enable with the logging timestamp command.
show clock - displays the current time.