Quick Start Guide for the VPN/Security Management Solution 2.1
Network Device Preparation

Table of Contents

Network Device Preparation
Bootstrapping PIX Firewalls
Bootstrapping Sensors

Network Device Preparation


Before you can manage a network device, you must bootstrap the device. Bootstrapping configures a device with basic settings that allow the CiscoWorks2000 Server to connect and deploy commands to it. Managed devices are those versions of the PIX Firewall or Cisco Intrusion Detection System supported by a Management Center. This appendix describes how to prepare devices to be managed or monitored by a Management Center, specifically the PIX MC, IDS MC, or Security Monitor. If the required configuration exists on the device, the specific Management Center can import the settings, and you do not have to follow the bootstrap procedures. However, you should review the following procedures to ensure that the device configuration includes the settings required for the Management Center to connect to and discover each device on your network.

Bootstrapping PIX Firewalls

Before you can use PIX MC to manage a PIX Firewall, you must set up the firewall with the minimum configuration. If the firewall is already configured, you should verify that its configuration is correct for PIX MC. The procedures in this section use the PIX Firewall command line to perform that configuration and to verify it.

Determining When to Bootstrap a PIX Firewall

One of the following two scenarios requires that you bootstrap a PIX Firewall before managing it with PIX MC:

  • You are planning to manage an existing PIX Firewall (configured and running on your network) with PIX MC, where the PIX Firewall is not configured to accept HTTP administrative connections from the CiscoWorks2000 Server running PIX MC.
  • You are adding a new PIX Firewall to your network.

To verify that an existing PIX Firewall can be administered by the CiscoWorks2000 Server, follow these steps from the console terminal connected to the PIX Firewall console port:


Step 1   Enter enable password, where password identifies the enable password used to administer this PIX Firewall.

The PIX Firewall enters privileged mode.

Step 2   Enter config terminal.

The PIX Firewall enters configuration mode.

Step 3   Enter show http.

The PIX Firewall lists the allowed hosts and the enable state of the HTTP server.

Verify that the IP address of the CiscoWorks2000 Server appears in the list and that the HTTP server is enabled. If both settings exist, you do not need to bootstrap the device. Otherwise, see Bootstrapping an Existing PIX Firewall.

Step 4   Enter exit.

The PIX Firewall exits configuration mode.





PIX Firewall Configuration Worksheet

Before you bootstrap a PIX Firewall, you must collect the information that describes the basic placement of that PIX Firewall on your network. The following worksheet identifies the information you must provide when bootstrapping a new PIX Firewall.

Question / Answer

What is the enable password for the PIX Firewall?
Answer: ____________________

What is the IP address of the inside interface for the PIX Firewall?
Answer: ____________________

What is the netmask of the inside interface for the PIX Firewall?
Answer: ____________________

What is the host name of the PIX Firewall?
Answer: ____________________

What is the DNS domain name of the network on which the PIX Firewall runs?
Answer: ____________________

What is the IP address of the CiscoWorks2000 Server that should have access to the PIX Firewall via HTTP?
Answer: ____________________

What is the date/time and time zone for this PIX Firewall?
Answer: ____________________

If you are bootstrapping an existing PIX Firewall, what is the name of the interface used to accept administrative connections?
Answer: ____________________

Bootstrapping an Existing PIX Firewall

To bootstrap an existing PIX Firewall on your network, follow these steps from the console terminal connected to the PIX Firewall console port:

Before You Begin

This procedure assumes the interfaces, IP addresses, and routes have been defined for this PIX Firewall. To configure a new PIX Firewall, see Bootstrapping a New PIX Firewall.

To bootstrap a PIX Firewall that exists on your network, follow these steps:


Step 1   Enter enable password at the command prompt.

The password identifies the enable password used to administer this PIX Firewall.

The PIX Firewall enters privileged mode.

Step 2   Enter config terminal.

The PIX Firewall enters configuration mode.

Step 3   If you have never used Cisco PIX Device Manager (PDM) to manage this PIX Firewall, continue with Step 4 through Step 17. If you are already using PDM to manage this PIX Firewall, skip to Step 18.

If you have configured this PIX Firewall to work with PDM, you may be using an interface other than inside for management. Step 18 allows you to specify an additional administrative host, the CiscoWorks2000 Server, on the appropriate interface. Step 11 assumes the inside interface is used to manage this PIX Firewall.

Step 4   Enter setup.


Note    The setup command enables the PIX Firewall HTTP server, allows you to specify the IP address of the CiscoWorks2000 Server that will manage the PIX Firewall, and populates the settings required to generate the default certificate used by SSL-based connections to the HTTP server. The setup command adds to any existing list of hosts allowed to manage the device; it does not replace existing settings.

The Pre-configure PIX Firewall now through interactive prompts [yes]? prompt appears.

Step 5   Enter y at the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 6   Specify the current enable password for this PIX Firewall, and then press Enter.

The Clock (UTC) prompt appears.

Step 7   Verify the PIX Firewall clock is set to Universal Coordinated Time (also known as Greenwich Mean Time), and then press Enter.

The Year [system year]: prompt appears.

Step 8   Specify current year, or default to the year stored in the host computer, and then press Enter.

The Month [system month]: prompt appears.

Step 9   Specify current month, or default to the month stored in the host computer, and then press Enter.

The Day [system day]: prompt appears.

Step 10   Specify current day, or default to the day stored in the host computer, and then press Enter.

The Time [system time]: prompt appears.

Step 11   Specify current time in hh:mm:ss format, or default to the time stored in the host computer, and then press Enter.

The Inside IP address: prompt appears.

Step 12   Verify the network interface IP address of the PIX Firewall, and then press Enter.

The Inside network mask: prompt appears.

Step 13   Verify the network mask that applies to inside IP address, and then press Enter.

Use 0.0.0.0 to specify a default route. The 0.0.0.0 network mask can be abbreviated as 0.

The Host name: prompt appears.

Step 14   Verify the host name you want to display in the PIX Firewall command line prompt, and then press Enter.


Note    The host name for each device must be unique. PIX MC cannot manage multiple devices with the same host name.

The Domain name: prompt appears.

Step 15   Verify the DNS domain name of the network on which the PIX Firewall runs, for example, "example.com," and then press Enter.


Note    The host name and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.

The IP address of host running PIX Device Manager: prompt appears.

Step 16   Specify the IP address of the CiscoWorks2000 Server that will manage this PIX Firewall, and then press Enter.

The Use this configuration and write to flash? prompt appears.

Step 17   Enter yes, and then press Enter.


Note    We assume that you want to keep managing or monitoring the PIX Firewall with PDM; therefore, Step 18 explains how to enable an additional administrative host. For security reasons, you should limit the number of administrative hosts to the minimum number required by your organization.

The PIX Firewall stores the new configuration in Flash memory, which is the same as entering the write memory command. If you answer yes, the inside interface is enabled and the requested configuration is written to Flash memory. If you answer anything else, the setup dialog repeats, using the values already entered as the defaults for its questions.

If you are using PDM to manage this PIX Firewall, you must specify the IP address of the CiscoWorks2000 Server as described in Steps 18 and 19. If you completed Steps 4 through 17, you have already performed the necessary configuration; skip to Step 20. Otherwise, continue with Step 18.

Step 18   Enter http ip_address [netmask] [if_name].

Specifies that the CiscoWorks2000 Server can connect to and configure the PIX Firewall using HTTP.

  • ip_address—Specifies the IP address of the CiscoWorks2000 Server that will manage this PIX Firewall.
  • netmask—Specifies the network mask for the http ip_address. If you do not specify a network mask, the default is 255.255.255.255 regardless of the class of the IP address.
  • if_name—Specifies the PIX Firewall interface name on which the CiscoWorks2000 Server initiating the HTTP connection resides. The default if_name is inside.

Note    Access from any host is allowed if 0.0.0.0 0.0.0.0 (or 0 0) is specified for ip_address and netmask. However, this non-restrictive configuration is not recommended.
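The check in Step 3 of the verification procedure (is the CiscoWorks2000 Server in the allowed list, and is the HTTP server enabled?) and the review of existing http entries can be done against the text of the firewall configuration, for example the output of show config. The following Python script is an added example and is not code from the Cisco guide or from PIX MC. It parses http lines using the syntax shown above, applies the documented defaults (netmask 255.255.255.255, interface inside, bare 0 meaning 0.0.0.0), reports whether a given CiscoWorks2000 Server address is admitted and on which interfaces, and lists interfaces carrying the 0.0.0.0 0.0.0.0 entry that the note advises against. The sample configuration, host names and addresses are constructed for the example.

```python
"""Audit the http allow-list of a PIX Firewall configuration.

Added example; this is not code from the Cisco guide or from PIX MC. It reads
PIX configuration text (for example the output of show config) and interprets
the http lines with the syntax documented in Step 18:

    http server enable
    http ip_address [netmask] [if_name]

Omitted fields take the documented defaults (netmask 255.255.255.255,
if_name inside). An entry of 0.0.0.0 0.0.0.0 (or 0 0) admits any host and is
reported separately. The sample configuration and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_MASK = "255.255.255.255"
DEFAULT_IF_NAME = "inside"

# Constructed sample: one precise entry, one subnet entry, one wide-open entry.
SAMPLE_CONFIG = """\
: Saved
hostname pix-lab
domain-name example.com
http server enable
http 10.1.1.5 255.255.255.255 inside
http 192.168.20.0 255.255.255.0 dmz
http 0.0.0.0 0.0.0.0 outside
"""


@dataclass(frozen=True)
class HttpEntry:
    network: ipaddress.IPv4Network
    if_name: str

    @property
    def wide_open(self) -> bool:
        # A /0 entry is the 0.0.0.0 0.0.0.0 form the guide advises against.
        return self.network.prefixlen == 0


def _expand(token: str) -> str:
    """PIX accepts a bare 0 as shorthand for 0.0.0.0."""
    return "0.0.0.0" if token == "0" else token


def parse_http_lines(config_text: str):
    """Return (http_server_enabled, [HttpEntry, ...]) from configuration text."""
    enabled = False
    entries = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "http":
            continue
        if parts[1] == "server":
            enabled = len(parts) >= 3 and parts[2] == "enable"
            continue
        ip = _expand(parts[1])
        mask = _expand(parts[2]) if len(parts) >= 3 else DEFAULT_MASK
        if_name = parts[3] if len(parts) >= 4 else DEFAULT_IF_NAME
        network = ipaddress.IPv4Network((ip, mask), strict=False)
        entries.append(HttpEntry(network, if_name))
    return enabled, entries


def audit(config_text: str, ciscoworks_ip: str) -> dict:
    """Decide whether the CiscoWorks2000 Server is admitted and list risky entries."""
    enabled, entries = parse_http_lines(config_text)
    server = ipaddress.IPv4Address(ciscoworks_ip)
    matches = [e for e in entries if server in e.network]
    return {
        "http_server_enabled": enabled,
        "server_allowed": enabled and bool(matches),
        "matching_interfaces": sorted({e.if_name for e in matches}),
        "wide_open_interfaces": sorted({e.if_name for e in entries if e.wide_open}),
        # Same decision as Step 3 of the verification procedure.
        "needs_bootstrap": not (enabled and matches),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, "10.1.1.5").items():
        print(f"{key}: {value}")
```

Run it with the real configuration text pasted into SAMPLE_CONFIG (or read from a file) and the address of your CiscoWorks2000 Server. A server that is admitted only through a wide-open interface entry still shows server_allowed as true; the wide_open_interfaces list is what tells you the admission is broader than the single-host entry the worksheet asks for.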

Step 19   Enter write memory.

The PIX Firewall stores the current configuration in Flash memory.

Step 20   Enter exit.

The PIX Firewall exits configuration mode.





Bootstrapping a New PIX Firewall

Bootstrapping a new PIX Firewall differs from an existing PIX Firewall in that you configure only the essential information required for the PIX MC to connect to the inside interface of that PIX Firewall. After you connect to the PIX Firewall, use the PIX MC to define the remaining configuration information, such as the remaining interfaces and routes.

Before You Begin

This procedure makes the following assumptions:

  • The PIX Firewall is connected to your network.
  • You have not previously configured the PIX Firewall.
  • You do not intend to use the Cisco PIX Device Manager (PDM) to manage or monitor the PIX Firewall.
  • The inside interface is used for administrative connections to the PIX Firewall.
  • The CiscoWorks2000 Server resides on the same network as the inside interface.

This procedure also assumes the PIX Firewall has been booted for the first time and that the terminal displays the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt, which indicates that the setup command has run automatically. The setup command enables the PIX Firewall HTTP server, allows you to specify the IP address of one host that can manage the PIX Firewall, and populates the settings required to generate the default certificate used by SSL-based connections to the HTTP server.

To bootstrap a new PIX Firewall attached to your network, follow these steps from the console terminal connected to the PIX Firewall console port:


Step 1   Enter y at the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 2   Specify the current enable password for this PIX Firewall, and then press Enter.

The Clock (UTC) prompt appears.

Step 3   Set the PIX Firewall clock to Universal Coordinated Time (also known as Greenwich Mean Time), and then press Enter.

The Year [system year]: prompt appears.

Step 4   Specify current year, or default to the year stored in the host computer, and then press Enter.

The Month [system month]: prompt appears.

Step 5   Specify current month, or default to the month stored in the host computer, and then press Enter.

The Day [system day]: prompt appears.

Step 6   Specify current day, or default to the day stored in the host computer, and then press Enter.

The Time [system time]: prompt appears.

Step 7   Specify current time in hh:mm:ss format, or default to the time stored in the host computer, and then press Enter.

The Inside IP address: prompt appears.

Step 8   Specify the network interface IP address of the PIX Firewall, and then press Enter.

The Inside network mask: prompt appears.

Step 9   Specify the network mask that applies to inside IP address, and then press Enter.

Use 0.0.0.0 to specify a default route. The 0.0.0.0 network mask can be abbreviated as 0.

The Host name: prompt appears.

Step 10   Specify the host name you want to display in the PIX Firewall command line prompt, and then press Enter.


Note    The host name for each device must be unique. PIX MC cannot manage multiple devices with the same host name.

The Domain name: prompt appears.

Step 11   Specify the DNS domain name of the network on which the PIX Firewall runs, for example, "example.com," and then press Enter.


Note    The host name and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.

The IP address of host running PIX Device Manager: prompt appears.

Step 12   Specify the IP address of the CiscoWorks2000 Server that will manage this PIX Firewall, and then press Enter.

The Use this configuration and write to flash? prompt appears.

Step 13   Enter yes, and then press Enter.

The PIX Firewall stores the new configuration in Flash memory, which is the same as entering the write memory command. If you answer yes, the inside interface is enabled and the requested configuration is written to Flash memory. If you answer anything else, the setup dialog repeats, using the values already entered as the defaults for its questions.

Step 14   Enter exit and then press Enter.

The command line interface exits configuration mode.





Verifying PIX Firewall Configuration

You can verify that the PIX Firewall is configured properly by using an HTTPS connection to connect to the PIX Firewall and view the configuration file.

To verify the PIX Firewall configuration, follow these steps:


Step 1   From the CiscoWorks2000 Server, start a browser.

Step 2   Enter https://ip_address/exec/show%20config, where ip_address is the IP address of the PIX Firewall.

The PIX Firewall prompts for credentials, which verifies that the HTTP server is enabled on this PIX Firewall. If you are not prompted for credentials, see Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.

Step 3   At the username prompt, press Tab.

Step 4   At the password prompt, enter the enable password for the PIX Firewall.

The current configuration running on this PIX Firewall appears (equivalent to the show config command). Your ability to view the configuration verifies that the CiscoWorks2000 Server can administer this PIX Firewall. If you cannot authenticate, see Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.

Step 5   Close the browser.





Bootstrapping Sensors

When you use IDS MC to manage a sensor, you might need to bootstrap the sensor so that the CiscoWorks2000 Server can communicate with it. The bootstrapping procedure you must perform depends on whether you are adding a sensor to your network or you are installing a CiscoWorks2000 Server on a network where a sensor is already running.

To connect to a new sensor and configure its initial settings, you must assemble the sensor and connect the monitor and keyboard or the laplink cable and console. Then, complete the procedure in Bootstrapping a New Sensor.

Use the following examples to determine whether you must bootstrap an existing sensor:

  • You are replacing a CiscoWorks2000 Server with a new CiscoWorks2000 Server. In this case, you do not need to bootstrap the sensor as long as the new CiscoWorks2000 Server uses the same communications parameters — such as IP address, Host ID, and Org ID — as the previous CiscoWorks2000 Server.
  • You are adding a new CiscoWorks2000 Server to an existing network, and you want to manage a sensor that is already running on the network. In this case, you must bootstrap the sensor. See Bootstrapping an Existing Sensor.

The following sections describe the prerequisites for bootstrapping sensors on your network. You must bootstrap a sensor to ensure that IDS MC can communicate with the sensor and has administrative privileges on it.

Determining When to Bootstrap a Sensor

You must always bootstrap a new sensor. If you have an existing sensor on your network, use the nrconns command to verify that communications are established between the CiscoWorks2000 Server and the sensor.

To use the nrconns command to verify that communications are established on the sensor, follow these steps:


Step 1   Log in to the sensor as user netrangr.

Step 2   Scan through the NetRanger error log files by typing more /usr/nr/var/errors.*.

Step 3   Type nrstatus to display a list of running services.

The following services should be running: loggerd, sapd, postofficed, and fileXferd.

Step 4   Type nrconns to display the connection status for the sensor.

If the CiscoWorks2000 Server has not been configured on the sensor, the output of the nrconns command should indicate communication failure:

<Director_Host_Name>.<Director_Org_Name> Connection 1: <Director_IP_Address> 45000 1 [SynSent] sto:5000 syn NOT rcvd!

If communications are established on the sensor, the nrconns command displays the following:

<Director_Host_Name>.<Director_Org_Name> Connection 1: <Director_IP_Address> 45000 1 [Established]

If the nrconns command indicates communication failure, you must bootstrap the sensor. For more information, see Bootstrapping an Existing Sensor.
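Steps 3 and 4 above can be scripted when you have many sensors to check. The following Python script is an added example, not code from the Cisco guide or from the sensor software. It looks for the four daemons the guide says must be running in the nrstatus output, parses nrconns lines in the two forms shown above ([SynSent] ... syn NOT rcvd! and [Established]), and reports whether the connection to a given CiscoWorks2000 Server address is established. The sample outputs, the Director host and organization names (cw2k.example) and the address 10.1.1.5 are constructed; the real nrstatus layout is assumed only to contain the daemon names as separate words, so only those names are matched.

```python
"""Check sensor-to-Director communications from nrstatus and nrconns output.

Added example, not part of the Cisco guide. It parses the two nrconns line
formats the guide shows and checks nrstatus output for the daemons the guide
lists. All sample output below is constructed; only daemon names are matched
in nrstatus output because the exact layout is not documented here.
"""
import re
from dataclasses import dataclass

REQUIRED_SERVICES = ("loggerd", "sapd", "postofficed", "fileXferd")

# Constructed sample outputs (host/org names and the Director IP are placeholders).
SAMPLE_NRSTATUS = """\
loggerd      running
sapd         running
postofficed  running
fileXferd    running
"""
SAMPLE_NRCONNS_FAILED = (
    "cw2k.example Connection 1: 10.1.1.5 45000 1 [SynSent] sto:5000 syn NOT rcvd!\n"
)
SAMPLE_NRCONNS_OK = "cw2k.example Connection 1: 10.1.1.5 45000 1 [Established]\n"

# <Director_Host_Name>.<Director_Org_Name> Connection N: <IP> <port> <n> [<state>] ...
NRCONNS_RE = re.compile(
    r"^(?P<host>[^.\s]+)\.(?P<org>\S+)\s+Connection\s+(?P<conn>\d+):\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+\d+\s+\[(?P<state>\w+)\]"
)


@dataclass(frozen=True)
class DirectorConnection:
    host_name: str
    org_name: str
    ip: str
    port: int
    state: str

    @property
    def established(self) -> bool:
        return self.state == "Established"


def missing_services(nrstatus_output: str) -> list:
    """Return the required daemons whose names do not appear in nrstatus output."""
    words = set()
    for line in nrstatus_output.splitlines():
        words.update(line.split())
    return [s for s in REQUIRED_SERVICES if s not in words]


def parse_nrconns(nrconns_output: str) -> list:
    """Parse every Director connection line; lines that do not match are ignored."""
    conns = []
    for line in nrconns_output.splitlines():
        m = NRCONNS_RE.match(line.strip())
        if m:
            conns.append(DirectorConnection(
                m["host"], m["org"], m["ip"], int(m["port"]), m["state"]))
    return conns


def check_sensor(nrstatus_output: str, nrconns_output: str, director_ip: str) -> dict:
    """Summarise the guide's Step 3/Step 4 checks for one CiscoWorks2000 Server."""
    state = None
    for c in parse_nrconns(nrconns_output):
        if c.ip == director_ip:
            state = c.state
            break
    return {
        "missing_services": missing_services(nrstatus_output),
        "director_state": state,  # None when no entry names this Director
        # Anything other than [Established] means the sensor must be bootstrapped.
        "needs_bootstrap": state != "Established",
    }


if __name__ == "__main__":
    print(check_sensor(SAMPLE_NRSTATUS, SAMPLE_NRCONNS_FAILED, "10.1.1.5"))
    print(check_sensor(SAMPLE_NRSTATUS, SAMPLE_NRCONNS_OK, "10.1.1.5"))
```

Paste the captured nrstatus and nrconns output into the two sample strings, or read them from files copied off the sensor. A director_state of None means no connection entry names the CiscoWorks2000 Server at all, which is the situation in Bootstrapping an Existing Sensor where the Director values on the sensor still point at a previous server.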





Sensor Configuration Worksheet

This worksheet contains questions about your sensor and your network. Write the answer to each question in the corresponding box. Then, as you perform the procedure for the sysconfig-sensor setup command, refer to the values you entered in the worksheet to help you specify the parameters.


Note   The sensor configuration values are case sensitive.

Menu/Parameter Reference / Question / Answer

[1]  What is the IP address of the sensor?
     Answer: ____________________

[2]  What is the netmask of the sensor?
     Answer: ____________________

[3]  What is the hostname of the sensor?
     Answer: ____________________

[4]  What is the IP address of the default router on the LAN with the sensor?
     Answer: ____________________

[5]  What are the IP addresses of the hosts and networks (including the CiscoWorks2000 Server) that should have access to the sensor via Telnet, FTP, and TFTP?
     Answer: ____________________

[6]  What are the values for the following communications parameters?
       • Sensor Host ID—A unique numeric identifier for the sensor. The expected value is a whole number between 1 and 65,535.
       • Sensor Organization ID—A unique numeric identifier for a collection of sensors. The expected value is a whole number between 1 and 65,535.
       • Sensor Host Name—A logical name associated with the host ID (not the IP host name). We recommend that you use only lowercase letters.
       • Sensor Organization Name—A logical name associated with the Sensor Organization ID. We recommend that you use only lowercase letters.
       • CiscoWorks2000 Server IP Address—The IP address of your CiscoWorks2000 Server.
       • CiscoWorks2000 Server Host ID—A unique numeric identifier for the CiscoWorks2000 Server. This value must match the value that was specified when CiscoWorks2000 Server was installed.
       • CiscoWorks2000 Server Host Name—A logical name associated with the CiscoWorks2000 Server Host ID. This value must match the value that was specified when CiscoWorks2000 Server was installed.
     Answer: ____________________

[7]  What is the date/time and time zone for this sensor?
     Answer: ____________________

[8]  What are the new passwords for users root and netrangr?
     For security purposes, do not record your passwords in this worksheet.

[9]  For IPSec, you must supply the following values:
       • What is the Security Parameter Index (SPI) for default inbound configuration?
       • If you use custom keys, what are the values for the following inbound and outbound configurations?
         • Cipher Key
         • Authentication Key
     Answer: ____________________

Bootstrapping an Existing Sensor

If you install a new CiscoWorks2000 Server on an existing network where a sensor is running, you must bootstrap the sensor. After you complete the bootstrapping task, the CiscoWorks2000 Server can communicate with the sensor.

To bootstrap a sensor that is running on your network, follow these steps:


Step 1   Log in to the sensor as user root.

Step 2   Type sysconfig-sensor at the command prompt.

The following IDS Sensor Initial Configuration Utility menu appears:

    IDS Sensor Initial Configuration Utility

    Choose a value to configure one of the following parameters:

      1-IP Address
      2-IP Netmask
      3-IP Hostname
      4-Default Route
      5-Network Access Control
      6-Communications Infrastructure
      7-System Date, Time and Time Zone
      8-Passwords
      9-Secure Communications
      x-Exit

Step 3   Select 6 - Communications Infrastructure. Then, change the Host ID, Org ID, and IP address for the "Director" to the values of the new CiscoWorks2000 Server. Use the values you entered in the Sensor Configuration Worksheet to help you set the sensor parameters.

For a detailed explanation of the IDS Sensor Initial Configuration Utility menu, refer to the Cisco Secure Intrusion Detection System Sensor Configuration Note (current version).





Bootstrapping a New Sensor

When you add a sensor to your network, you must bootstrap the sensor so that the CiscoWorks2000 Server can communicate with it.

To bootstrap a new sensor, follow these steps:


Step 1   Log in to the sensor as user root.

Step 2   Type sysconfig-sensor at the command prompt.

The following IDS Sensor Initial Configuration Utility menu appears:

    IDS Sensor Initial Configuration Utility

    Choose a value to configure one of the following parameters:

      1-IP Address
      2-IP Netmask
      3-IP Hostname
      4-Default Route
      5-Network Access Control
      6-Communications Infrastructure
      7-System Date, Time and Time Zone
      8-Passwords
      9-Secure Communications
      x-Exit

Step 3   To configure the sensor, select each number and enter the appropriate information. Use the values you entered in the Sensor Configuration Worksheet to help you set the sensor parameters.


Note    You must set each parameter on the IDS Sensor Initial Configuration Utility menu. The sensor has default values defined for some parameters; however, the default values most likely will not work for your environment. Certain parameters must be unique for each sensor, so errors might result if you use the default values for multiple sensors on your network. Therefore, we recommend that you set each parameter to ensure that they are valid for your specific deployment.

Step 4   If you change any parameter that requires a system reboot, the sensor reboots.

For a detailed explanation of the IDS Sensor Initial Configuration Utility menu, refer to the Cisco Secure Intrusion Detection System Sensor Configuration Note (current version).
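Because sysconfig-sensor accepts whatever you type for menu item 6, it helps to validate the communications parameters from the Sensor Configuration Worksheet before entering them, particularly when several sensors are being bootstrapped and, as the note above warns, default values must not be reused. The following Python script is an added example, not code from the Cisco guide or the sensor software. It applies the rules the worksheet states (Host ID and Organization ID are whole numbers between 1 and 65,535; host and organization names should be lowercase; the CiscoWorks2000 Server Host ID and Host Name must match the values given at installation) and additionally checks, as this example's own assumption, that no two sensors in the same organization share a Host ID. The sensor worksheets and the server's installation values are constructed.

```python
"""Validate Sensor Configuration Worksheet communications parameters.

Added example, not from the Cisco guide. Rules checked:
  - Sensor Host ID and Organization ID: whole numbers 1..65535 (from the worksheet)
  - Sensor Host Name and Organization Name: lowercase (worksheet recommendation)
  - CiscoWorks2000 Server IP / Host ID / Host Name: must match the server
  - Host ID unique within an organization (assumption made by this example,
    based on the guide's warning that certain parameters must be unique per sensor)
All worksheet values below are constructed.
"""
import ipaddress
from dataclasses import dataclass

ID_MIN, ID_MAX = 1, 65535


@dataclass(frozen=True)
class SensorParams:
    """One sensor's answers to worksheet item [6]."""
    host_id: int
    org_id: int
    host_name: str
    org_name: str
    director_ip: str
    director_host_id: int
    director_host_name: str


@dataclass(frozen=True)
class DirectorInstall:
    """Values chosen when the CiscoWorks2000 Server was installed (constructed)."""
    ip: str
    host_id: int
    host_name: str


def _check_id(label: str, value, problems: list) -> None:
    if not isinstance(value, int) or not (ID_MIN <= value <= ID_MAX):
        problems.append(f"{label} must be a whole number between {ID_MIN} and {ID_MAX}")


def _check_name(label: str, value: str, problems: list) -> None:
    if not value or value != value.lower() or " " in value:
        problems.append(f"{label} should be lowercase with no spaces")


def validate_sensor(p: SensorParams, director: DirectorInstall) -> list:
    """Return a list of problems for one worksheet; empty means it passes."""
    problems = []
    _check_id("Sensor Host ID", p.host_id, problems)
    _check_id("Sensor Organization ID", p.org_id, problems)
    _check_name("Sensor Host Name", p.host_name, problems)
    _check_name("Sensor Organization Name", p.org_name, problems)
    try:
        ipaddress.IPv4Address(p.director_ip)
    except ValueError:
        problems.append("CiscoWorks2000 Server IP Address is not a valid IPv4 address")
    if p.director_ip != director.ip:
        problems.append("CiscoWorks2000 Server IP Address does not match the server")
    if p.director_host_id != director.host_id:
        problems.append("CiscoWorks2000 Server Host ID does not match the installed value")
    if p.director_host_name != director.host_name:
        problems.append("CiscoWorks2000 Server Host Name does not match the installed value")
    return problems


def validate_deployment(sensors, director: DirectorInstall) -> dict:
    """Validate each worksheet and flag Host IDs reused within an organization."""
    report = {}
    seen = {}  # (org_id, host_id) -> host_name of first sensor using it
    for p in sensors:
        problems = validate_sensor(p, director)
        key = (p.org_id, p.host_id)
        if key in seen:
            problems.append(f"Host ID {p.host_id} already used by {seen[key]} in org {p.org_id}")
        else:
            seen[key] = p.host_name
        report[p.host_name] = problems
    return report


if __name__ == "__main__":
    director = DirectorInstall(ip="10.1.1.5", host_id=100, host_name="cw2k")
    sheets = [
        SensorParams(1, 200, "sensor1", "lab", "10.1.1.5", 100, "cw2k"),
        SensorParams(1, 200, "sensor2", "lab", "10.1.1.5", 100, "cw2k"),  # reused Host ID
    ]
    for name, problems in validate_deployment(sheets, director).items():
        print(name, "OK" if not problems else problems)
```

Fill in one SensorParams per worksheet and the DirectorInstall values from the server installation; any non-empty problem list is a value to correct on the worksheet before it goes into menu item 6.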





Verifying Network Connectivity for a Sensor

Test network connectivity if you cannot reach the sensor from the CiscoWorks2000 Server. You can perform this task at any time to ensure that the sensor is running on the network and that the CiscoWorks2000 Server can communicate with it.

The following task outlines the procedures for testing network connectivity for a sensor. This test ensures that the sensor is connected to the network. You can verify that the sensor is reachable so it can be bootstrapped and so it can be reached by the CiscoWorks2000 Server that will manage the sensor.

To test connectivity for a sensor, follow these steps:


Step 1   Open a command prompt.

Step 2   To verify that the CiscoWorks2000 Server can ping the sensor, type ping at the command prompt, followed by a space and then the IP address of the control interface the CiscoWorks2000 Server connects to for command distribution.

If the ping attempt is successful, the CiscoWorks2000 Server receives a response from the IP address that you pinged. Proceed with Step 3. If the ping is unsuccessful, a request timeout message appears. Skip to Step 4.

Step 3   If the ping attempt is successful, try to Telnet from the CiscoWorks2000 Server to another device on your network.

Step 4   If the ping attempt is unsuccessful, perform the following tests:

a. Verify that the sensor is not down.

b. Verify that the sensor and the CiscoWorks2000 Server are physically connected to the network.

c. Verify that an existing security policy is not denying Telnet access to the sensor.

If you cannot confirm connectivity for command distribution, you must bootstrap the sensor to ensure that it has a basic configuration that enables it to receive commands from the CiscoWorks2000 Server.