This document contains frequently asked questions (FAQ) about the Cisco PIX Firewall Manager (PFM).
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Try not to install PFM on a machine that runs Microsoft Internet Information Server (IIS). The install works, but you must verify that PFM does not occupy any server ports used by IIS.
If any error messages are displayed during the PFM install, capture them (press ALT + PrtScn (Print Screen), cut and paste to a .txt file, and save). Contact the Technical Assistance Center (TAC) immediately. Do not attempt to proceed.
Verify that your Windows NT Service Pack (SP) is up-to-date. All Windows NT SPs through SP5 work on all PFM versions. However, the browser version that the service pack installs might not be supported. Check the PFM banner page to verify browser compatibility, and download the appropriate supported version.
A. There is no print manual for the PFM. Online help is provided on most PFM screens. Release notes are provided for each revision. Read them before you start installation.
A. These are possible reasons:
You might not be logged into the Windows NT machine locally (not the domain) as administrator. At times, users with administrative rights can successfully install the product, but usually even users in the administrator group do not have enough rights to install the product.
You might be attempting to install on a primary domain controller (PDC) or a backup domain controller (BDC). PFM installation needs to create a local Security Access Management (SAM) database for PFM access, which is usually not possible with default PDC or BDC installations. Furthermore, when the PFM process is configured for logging, the machine is taxed. Generally, administrators do not want to task critical network servers, such as PDCs or BDCs with additional services.
A. The NT beeps indicate an application port conflict. Usually, a syslog application (Cisco Works, PIX Firewall Syslog Server (PFSS) or a third-party application) is already listening on UDP 514, or a Web server already occupies the PFM default TCP port 8080. Complete these steps to troubleshoot:
1. Uninstall PFM completely. Use Windows Explorer to remove the install directory.
2. Reboot the machine.
3. Log in to the machine locally (not the domain) as administrator (not someone with admin rights).
   Note: Do not run setup yet.
4. Enter the netstat -a | findstr # command at the command prompt, where # is the port number. This verifies that TCP 8080 and UDP 514 are not listed.
   - If UDP 514 is listed, uninstall the application that uses it.
   - If TCP 8080 is listed, choose an available TCP port. 8081 is usually okay.
   - If you uninstall any applications, repeat steps 2 through 4.
   Note: It is important to reboot.
5. Check for and repair any error messages in the event viewer. Search for the error message at Microsoft Help and Support for help with the error messages.
6. Select Control Panel > Services to verify that the server service runs.
7. Reinstall PFM.
8. Reboot the machine. You can log into the domain or whatever you want this time.
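The port check in the procedure above can be scripted so the result is unambiguous. The following is an added example (not Cisco's code and not part of the original FAQ): it parses the text that netstat -a prints on an NT host, reports whether TCP 8080 or UDP 514 is already taken, and suggests an alternate TCP port. The netstat output embedded in it is constructed for the example, and the hostname ntbox and the addresses in it are invented.

```python
"""Pre-install port-conflict check for PFM (added example, not Cisco's code)."""
from typing import List, Optional, Set, Tuple

# Ports PFM needs on the NT host: UDP 514 for syslog, TCP 8080 for the web UI.
PFM_PORTS: Set[Tuple[str, int]] = {("TCP", 8080), ("UDP", 514)}

# Constructed sample of `netstat -a` output in the Windows NT format
# (not captured from a real machine; hostname and addresses are invented).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ntbox:135              0.0.0.0:0              LISTENING
  TCP    ntbox:8080             0.0.0.0:0              LISTENING
  TCP    ntbox:139              10.1.1.20:1034         ESTABLISHED
  UDP    ntbox:137              *:*
  UDP    ntbox:514              *:*
"""


def parse_netstat(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, local_port, state) for each TCP/UDP row; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines, blank lines
        proto, local = parts[0], parts[1]
        # Local address is host:port; the port follows the last colon.
        port = int(local.rsplit(":", 1)[1])
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        rows.append((proto, port, state))
    return rows


def find_conflicts(text: str, wanted: Set[Tuple[str, int]] = PFM_PORTS) -> List[Tuple[str, int]]:
    """Return the wanted (proto, port) pairs that are already in use.

    A TCP port only conflicts if something is LISTENING on it; any bound
    UDP socket on the port is a conflict because there is no state to check.
    """
    in_use = set()
    for proto, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue
        in_use.add((proto, port))
    return sorted(in_use & wanted)


def pick_free_tcp_port(text: str, start: int = 8080, limit: int = 8100) -> Optional[int]:
    """Suggest the first TCP port at or after `start` that nothing is listening on."""
    listening = {p for proto, p, st in parse_netstat(text) if proto == "TCP" and st == "LISTENING"}
    for port in range(start, limit):
        if port not in listening:
            return port
    return None


if __name__ == "__main__":
    # On a real host you would feed it the captured output: netstat -a > ports.txt
    for proto, port in find_conflicts(SAMPLE_NETSTAT):
        action = "uninstall the syslog listener" if proto == "UDP" else "pick another port"
        print(f"{proto} {port} already in use: {action}")
    print("suggested PFM TCP port:", pick_free_tcp_port(SAMPLE_NETSTAT))
```

Against the constructed sample both PFM ports are taken, so the script reports the UDP 514 conflict (which must be resolved by removing the other syslog application) and proposes 8081 for the web interface.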
A. These are possible reasons:
You might not be browsing to the correct address. The correct address is either http://the_nt_ip_address:8080 or http://127.0.0.1:8080. If you selected an alternate port during installation, use the number of the port. Do not attempt to run index.html, because it does not work.
Make sure your Windows NT IP Stack is not set to use DHCP. You must be assigned a static address.
Make sure this static assigned Windows NT IP address has not changed after installation of PFM.
Select Control Panel > Services and make sure the Windows NT server service runs (especially on a Windows NT Workstation). Also, make sure the PFM service is started.
Q. Why do I get the error message "Security violation in all five IP addresses in firewall.html" after I click the configuration link from the banner page?
A. These are possible reasons:
You might not be browsing to the correct address. The correct address is either http://the_nt_ip_address:8080 or http://127.0.0.1:8080. If you selected an alternate port during installation, use the number of that port. Do not attempt to run index.html or firewall.html, because these do not work.
If your Windows NT box is multi-homed (has more than one NIC) or has multiple IP addresses associated with the NIC, make sure all IP addresses of the machine are listed in Program Files\Cisco\PIX Firewall Manager\jclient\netscape\firewall.html. You can edit this file with a text editor. In some cases, you need to add the Windows NT NetBIOS hostname of this machine as one of the IP address entries in this file. Reboot the server after you edit this file.
You might have loaded the Firewall Manager software on a Windows NT box that uses DHCP. Firewall Manager requires a static IP address. If you have changed from DHCP to a static IP address, you need to edit the firewall.html file.
Q. The banner page comes up, and requests a username and password. What is this? Can they be changed from the defaults?
A. The default administrator user name is pixadmin and the default password is cisco. The administrator has read/write configuration abilities.
The default user (read only) username/password is pixuser/cisco. The user manager on the server allows you to add, change, or delete users in the pixadmins or pixusers groups that were set up on install.
A. Yes, it is called pfm.log. If you go through this FAQ and still have a problem, the TAC requests this log.
A. These are possible reasons:
You must run the browser displayed on the banner page. Other browser versions are not supported. PFM is optimized for specific versions of the Netscape browser.
Make sure you have set up your PIX to allow Telnet from the PFM. Go to a command line, Telnet to the PIX interface, and log in to enable mode to verify.
Your PIX has an unsupported interface card in it. Only Singleport 10/100 Ethernet/Fast Ethernet and Token Ring interfaces are supported with this product.
Your PIX version and PFM version might not be compatible. Currently supported platforms are (PIX Major Release, with the required Version where one is specified):
- 4.1.x (no interim releases (4.1.x.yyy)): version must match 4.1.x exactly.
- 4.2.x (no interim releases (4.2.x.yyy)): version must match 4.2.x exactly.
- 4.3.2 (no interim releases (4.3.2.yyy))
- 4.4.x (no interim releases (4.4.x.yyy))
- 4.3(2)b, or preferably 4.3(2)c1
- 5.0(x) (can work with interim releases 5.0.x.yyy, but not tested or supported)
- Releases not listed here: check the PFM release notes specific to your PIX version.
14.3.2c does not support any new features or commands in PIX versions earlier than 4.3(2) and can generate error messages intermittently because of these new features. This should not affect your ability to configure the older, supported features.
Caution: Always review hardware requirements and version release notes before you perform a platform upgrade to avoid lengthy network outages.
A. PFM only runs on the platform listed in the documentation, which is Windows NT. The successor to PFM is PIX Device Manager (PDM), which works with browsers on Windows 95, 98, NT, and 2000. PDM is available with PIX 6.0 code.
A. PDM works with Java Plug-in 1.4.2, and Vista's Internet Explorer comes with a much later version. In order to access PFM/PDM on Vista or 2008, you must run Sun's JRE v1.4.2. You can download that JRE version from Sun's website.
Note: Any version newer than Sun's JRE v1.4.2 is not compatible with PFM/PDM.
Q. How do I change the PFM administrator (pixadmin) and user (pixuser) passwords from the defaults (which are noted in the PFM release notes)?
A. When PFM installs, it sets up the accounts in the Windows NT user database. The passwords for the default users can be changed as passwords for other NT users. Select Start > Programs > Administrative Tools (Common) > User Manager for Domains.
A. You cannot use Excel 95 because the macros are not compatible. Excel 98 and 2000 are not supported.
A. You cannot generate reports, such as report.xls, stat.dbf, dns.dbf, monday.dbf, from the PFM active files. You must copy these files to a separate directory, and open them in Excel 97.
A. You cannot copy the Monday.dbf file to another directory until Tuesday, and the Tuesday.dbf file until Wednesday, and so on.
A. Make sure that logging is configured properly. Complete these steps:
- Logging traps output must be set to debug, or these files do not populate.
- Verify that the logging host is pointed at the PFM server.
- Make sure your configuration shows logging on.
- Press the Immediate syslog notification button in the PFM graphical user interface (GUI) to test successful logging. This generates traffic through the PIX. Verify the activity in the GUI pop-up window.
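The three configuration conditions in the steps above can be verified mechanically before pressing the test button. This is an added example (not Cisco's code and not part of the original FAQ) that reads a PIX running configuration as text and checks that logging is on, that the trap level is debugging (level 7), and that a logging host entry points at the PFM server. The two configuration fragments are constructed for the example; the interface name and IP addresses in them are invented, and the `logging on`, `logging trap` and `logging host` commands are taken from the steps above.

```python
"""Check a PIX configuration for the logging settings PFM needs (added example, not Cisco's code)."""
from typing import Dict, List

# PIX syslog severity names and their numeric levels; `logging trap` accepts either form.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed configuration fragments (invented interface name and addresses).
GOOD_CONFIG = """
hostname pix-example
logging on
logging trap debugging
logging host inside 10.1.1.5
"""

BAD_CONFIG = """
hostname pix-example
logging trap informational
logging host inside 10.1.1.99
"""


def check_pix_logging(config: str, pfm_server: str) -> Dict[str, bool]:
    """Evaluate the three conditions from the FAQ and return one flag per check."""
    logging_on = False
    trap_level = None
    hosts: List[str] = []
    for raw in config.splitlines():
        parts = raw.strip().split()
        if parts[:2] == ["logging", "on"] and len(parts) == 2:
            logging_on = True
        elif parts[:2] == ["logging", "trap"] and len(parts) >= 3:
            arg = parts[2]
            # Accept the level as a name ("debugging") or a number ("7").
            trap_level = int(arg) if arg.isdigit() else SEVERITY.get(arg)
        elif parts[:2] == ["logging", "host"] and len(parts) >= 4:
            # Form: logging host <interface> <ip-address>
            hosts.append(parts[3])
    return {
        "logging_on": logging_on,
        "trap_is_debug": trap_level == 7,
        "host_is_pfm": pfm_server in hosts,
    }


def missing_items(config: str, pfm_server: str) -> List[str]:
    """Names of the checks that fail, in the order the FAQ lists them."""
    return [name for name, ok in check_pix_logging(config, pfm_server).items() if not ok]


if __name__ == "__main__":
    # On a real device, paste the output of `show logging` / `write terminal` into config.
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        gaps = missing_items(cfg, "10.1.1.5")
        print(label, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

A trap level below debugging is the usual reason the .dbf files stay empty: the PIX still sends messages, but not the ones the PFM report macros count, so the check treats anything other than level 7 as a failure rather than a warning.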
A. You are probably using most recently used (MRU), or double-clicking on report.xls from Windows Explorer. Excel 97 tracks MRU files at the bottom of the File menu, and Windows also tracks these in the Start > Documents menu. Do not open report.xls from those locations. If you do, the macros embedded in report.xls do not function properly. You must use the File > Open menu to open report.xls. When you select File > Open, Excel associates that directory with the application. When you use MRU, Excel keeps the file association with the My Documents folder, and report.xls cannot find the .dbf files.
A. Modifications to that file are not allowed. The product can only be supported when the code is intact. Report.xls is password protected to protect the integrity of the embedded macros. If you have specific needs not addressed by the macro, you can either:
Write your own rendition of the macro.
Submit an enhancement request through the TAC for future release consideration.