Using Management Center for Firewalls 1.2
Defining Your Policy Building Blocks

Table of Contents

Defining Your Policy Building Blocks
Important Notes About Building Blocks
Using Categories and Color-Coding
Defining Network Objects
Defining Service Definitions
Defining Service Groups
Defining AAA Server Groups
Defining Address Translation Pools

Defining Your Policy Building Blocks


Building Blocks allow you to optimize your configuration. Objects such as hosts, protocols, or services can be grouped, allowing you to issue a single command to every item in the group by using the name of the group. The building block components are then used to help you define your access rules and translation rules.

The Building Blocks feature is used to associate names that can be used in place of corresponding data values in settings and rules. This facilitates ease of maintenance.

For example, an access rule might have a source address of 1.2.3.4. As an alternative, you can use building blocks to create a network object named fred-pc with the address 1.2.3.4. You can then create an access rule with the source address as fred-pc.

Building blocks facilitate network updates, as you can identify objects separately but maintain them in a central location. For example, you can identify servers in your network as a network object building block, and the protocols to allow for these services in a service group building block. You can then create an access rule permitting the service group to the network object. For future changes, you need only update the service group or network object instead of trying to locate each rule in which the servers are used.

Object groups can be imported to Firewall MC and generated for deployment to devices; however, certain object groups will be added as ending commands during import. For example:

  • If the group is not referenced by any ACL entry.
  • If the group is used by an ACL entry in an unbound ACL that is being added as an ending command. The group is added as an ending command even if the group is imported. You will be prompted to resolve any pending naming conflicts that might occur.

Note    An unbound ACL is an access rule that is not linked to an interface; it is configured but not used.

All object groups are retained during import and associated with existing building blocks (if any exist), or new object groups are created. This can be overridden by the object group meta switches. To set the meta switches, select Configuration > MC Settings > Object Grouping.

The following building blocks will help you define your policy objectives:

  • Network objects—You can group a set of network addresses represented by an IP network (name, IP address, IP mask). Network objects are often used when you define access rules. For more information, see Defining Network Objects.
  • Service definitions—You can create a single access rule that controls access to multiple protocols. Services are defined by a protocol and ports. Service definitions can be combined into service groups. Service definitions are often used when defining access rules. For more information, see Defining Service Definitions.
  • Service groups—You can create a single access rule that controls access to multiple services; for example, you can write a single rule that permits traffic for Telnet and HTTP. Service groups can contain other service groups. Service groups are often used when defining access rules. For more information, see Defining Service Groups.
  • AAA server groups—You can define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic, for example, a TACACS+ server for inbound traffic and another for outbound traffic, or outbound HTTP traffic authenticated by a TACACS+ server and inbound traffic authenticated by RADIUS. For more information, see Defining AAA Server Groups.
  • Address translation pools—You can create global address pools used in dynamic NAT rules. Address translation pools are used when defining translation rules. For more information, see Defining Address Translation Pools.
  • Categories—You can provide an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks. Categories are color-coded. For more information, see Using Categories and Color-Coding.

Important Notes About Building Blocks

  • Object groups can be imported to Firewall MC and generated for deployment to devices; however, some object groups might be added as an ending command during import:
    • If the group is not referenced by any ACL entry.
    • If the group is used by an ACL entry in an unbound ACL that is being added as an ending command.
  • All object groups are retained during import and associated with existing building blocks (if any exist), or new object groups are created.
  • You can edit only those objects defined at the current scope.
  • Building blocks do not have a one-to-one association.
  • If you select an object from the directory tree, all elements defined at the same level and above are applied.
  • If you select an object by name and that name is defined at multiple scopes, the version defined nearest the current scope is selected.
  • Building blocks can be referenced from access rules, translation rules, or other building blocks. When you delete a building block, all references to that building block become stale. Unless another building block with the same name in a different scope is found, generation fails.
  • You can import object groups to Firewall MC that were created on a device previously managed by Firewall MC, and you can import object groups to Firewall MC that were created on a device managed outside of Firewall MC. If Firewall MC does not recognize the object group name, a new group object is defined.
  • If you decide to rename a building block, you are prompted to determine if you want all references to the existing object to be renamed.
  • If you decide to move a device group or device, all rules defined at the device group or device level are moved with it. Rules that contain references to building blocks are either changed in meaning or become obsolete after the device group or device is moved.
  • If you decide to cut, paste, or copy firewall rules, AAA rules, or filter rules that include references to building blocks, the closest building block within the hierarchy is used to resolve the reference.

Using Categories and Color-Coding

The Categories feature provides an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks. To access this feature, select Configuration > Building Blocks > Categories.

A category is assigned a background and foreground color that is displayed in the access rule tables. Depending on your specific needs, you can use color to display rules based on the rule category, building block objects based on the building block category, or both. You can also opt to use no color-coding at all. Default categories and color combinations are provided; however, you can create your own categories and assign different color combinations to them.

The benefits that result from using categories are:

  • The object is color-coded, resulting in improved visibility when you view the rule tables.
  • The object can be filtered in the rule tables, facilitating rule maintenance.

For example, you might want to create a network object and keep track of its use, as is important for administrative purposes. You can define a category named Administration and assign a color combination to it that appears when the category is used in a rule table. You then define the network object. When you define the network object, you associate the network object with the newly defined Administration category. When you view the access rule table, you can choose whether to use color to display the rules or building blocks associated with the Administration category or filter the table to display only those items associated with the category.


Note   Categories and color combinations are associated with network objects, service definitions, and service group building blocks. No other building blocks support the use of categories and color-coding.

Adding or Editing a Category


Step 1   Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2   Click Add.

The Enter Category Information page appears.

Step 3   Enter the name of the category.

Step 4   Enter a description that will help you identify the category (for example, the brown category).

Step 5   Select the color combination to use. To do this, click the Swatches, HSB, or RGB tab.

  • Swatches—Provides predefined colors from which you choose your background and foreground colors. For more information, see Setting Categories Using Swatches.
  • HSB—Hue-Saturation-Brightness. Allows you to define your own values for your color choices. For more information, see Setting Categories Using HSB.
  • RGB—Red-Green-Blue. Allows you to define your own values for your color choices. For more information, see Setting Categories Using RGB.

Note    Since the description used in Step 4 was the brown category, select a brown tone as the background color and any other color for the foreground.

Step 6   Click Next.

The summary page appears.

Step 7   Verify the information is correct, then click Finish.

If you decide to display color coding when you view the rule tables, depending on your selection, either the rule or the building block will be displayed using the colors you just defined. You can also filter rules that are associated with the Administration category.





Setting Categories Using Swatches


Step 1   Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2   Click Add.

The Enter Category Information page appears. The color palette defaults to Swatches.

Step 3   Enter a category name.

Step 4   Enter an optional description.

Step 5   With Foreground selected, choose a swatch from the color grid.

Step 6   Click Background, then select a swatch from the color grid.

Your selections are displayed in the Preview field.

Step 7   Choose any needed color changes, then click Next.

The wizard summary page appears.

Step 8   Click Finish.

Color selections are retained and can later be used in rule tables to help you identify rules or building blocks.





Setting Categories Using HSB


Step 1   Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2   Click Add.

The Enter Category Information page appears.

Step 3   Enter a category name.

Step 4   Enter an optional description.

Step 5   Click the HSB tab.

Step 6   With Foreground selected, click H (Hue), then drag the arrow to select your color choice.

Step 7   Repeat Step 6 for S (Saturation), and B (Brightness).

Step 8   Click Background. Repeat the steps used to select foreground color choices.

Your color selections are displayed in the Preview field.

Step 9   Choose any needed color changes, then click Next.

The wizard summary page appears.

Step 10   Click Finish.

Color selections are retained and can later be used in rule tables to help you identify rules or building blocks.





Setting Categories Using RGB


Step 1   Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2   Click Add.

The Enter Category Information page appears.

Step 3   Enter a category name.

Step 4   Enter an optional description.

Step 5   Click the RGB tab.

Step 6   With Foreground selected, drag the Red arrow to select your color value.

Step 7   Repeat Step 6 for Green and Blue.

Step 8   Click Background. Repeat the steps used to select foreground color values.

Your selections are displayed in the Preview field.

Step 9   Choose any needed color changes, then click Next.

The wizard summary page appears.

Step 10   Click Finish.

Color selections are retained and can later be used in rule tables to help you identify rules or building blocks.





Deleting a Category


Step 1   Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the Categories table. Reference to the category, along with its respective color-coding, is removed from the rule table.





Defining Network Objects

The Network Objects feature allows you to group a set of network addresses represented by an IP network (name, IP address, IP mask). This information provides the basic identification information for that network. Firewall MC uses the name and the IP address and netmask pair to resolve references to the network in the source and destination conditions of access rules and in translation rules. Firewall MC uses the interface value to apply access and translation rules that refer to the network to the correct interface. The interface delivers network packets to the network, thus enforcing the rules that refer to that network.

Firewall MC network objects are converted to device network object groups.

  • Network objects that are used as sources are converted directly to the equivalent device group.
  • Network objects that are used as destinations might have to be translated based on the ACL type and translation trees for the interfaces, then converted to the equivalent device group.

The interface of the rule that uses the network object becomes the base interface on which the translations occur. As translations are added to the translated group, identity address translation is used in all cases where the requested address is not found in the translation tree. To access identity address translation, select Configuration > MC Settings > Management. All existing groups with the same base name are checked for matches; duplicates are consolidated.

The following examples will help you to better understand how network objects can be used. Let's say you want to create the network object Corp Network at the Global scope, but different IP addresses will be used depending on the group being addressed. As a result, you can use a variable, which allows different values to be set for a building block for different devices or groups. The values are substituted into the same rule as applied to those different devices and groups.

To access the Network Object feature, you select Configuration > Building Blocks > Network Objects. You select the scope, then complete the wizard to define the network object. When you are returned to the Network Objects table, Corp Network is shown in the table (Figure 10-1).


Figure 10-1   Example 1—Network Object "Corp Network" Defined at the Global Scope with Variable


If you use the object selector to select the device PIX Firewall, then view the Network Objects table for that scope, Corp Network is shown as created at the Global scope with the variable setting enabled (the variable is set to true). Notice that the check box is grayed-out, which means you cannot make changes at the device level (Figure 10-2).


Figure 10-2   Example 1—Network Object "Corp Network" Shown at the Device Scope


When you define (add) Corp Network at the PIX Firewall scope, the new network object replaces the one defined at the Global scope and assigns an IP address to it (Figure 10-3). Corp Network can now be edited at the device scope; it is no longer shown as a variable. (The variable is set to false.)


Figure 10-3   Example 1—Network Object "Corp Network" Defined at the Device Scope


To create a mandatory access rule at the Global scope, you can use Corp Network as the source address.

If you view the access rules table for the Mandatory Global scope and the Default PIX Firewall scope, you will see the same access rule in each table. When the configuration file for the PIX Firewall is generated, the access rule uses the network object Corp Network and the IP address defined at the device level. This is displayed in the configuration file as:

    : acl_mdc_inside_access Access List
    access-list acl_mdc_inside_access permit tcp 10.11.12.13 255.255.255.255 any

In conclusion, the network object defined at the Global scope using a variable must be redefined at the device scope with the same name, which then allows it to be used by access rules or translation rules.

Now consider another example. If you select an object by name and that name is defined at multiple scopes, the version defined nearest the current scope is selected. For this example, assume a service provider has two customers: Customer A and Customer B (Figure 10-4).


Figure 10-4   Example 2—Network Object Diagram


Customers A and B have the network object Internal Network defined. Customer B uses a device named PIX Firewall. Because PIX Firewall is closer to Customer B than Customer A in the navigation tree, the device will use the network object Internal Network defined at the Customer B scope. When you view the Network Objects table at the device scope, the object name is shown as Customer B > Internal Network.

The Network Object tables used to configure this example are shown in Figure 10-5 through Figure 10-7.


Figure 10-5   Example 2—Network Object "Internal Network" Defined at the Customer B Scope


To access the table in Figure 10-5, you select Configuration > Building Blocks > Network Objects. Using the object selector, you select Customer B.


Figure 10-6   Example 2—Network Object "Internal Network" Shown at the Device Scope


To access the table in Figure 10-6, you select Configuration > Building Blocks > Network Objects. Using the object selector, you select PIX Firewall.

After you define the network object at the device scope, the table displays the updated network object Internal Network for the device.

A third example, and the standard use of a network object, is to define a network object (for example, My Network) at the PIX Firewall level. The network object is then used only at the device scope (Figure 10-7).


Figure 10-7   Example 3—Network Object "My Network" Defined at the Device Scope


Understanding the Network Objects User Interface

Figure 10-8 shows the Network Objects user interface.


Figure 10-8   Network Objects User Interface


Figure 10-8 reference numbers:

  1   Name—User-defined network-entity name assigned to the network object.
  2   Content—IP address and mask.
  3   Variable—Value used in place of a defined building block. If you are using a variable, the value is set to true under the Variable column.
  4   Scope—Scope (level) at which the network object is defined, for example, Global.
  5   Category—Element used to filter and sort network objects in rule tables. See Using Categories and Color-Coding.
  6   Action buttons—Options are:
        • Add—Adds a row to a table.
        • Edit—Edits an existing row in a table.
        • View—Shows information in read-only mode.
        • Copy—Copies a row in a table.
        • Cut—Removes a row in a table.
        • Paste—Pastes a row that was copied or cut from a table.
        • Delete—Removes a row from a table.
        • View All—Displays all rules (mandatory and default) defined from Global down to the current scope.
  7   "any" network object—Eliminates the need to define each source and destination for network objects.
  8   "no value" network object—Allows you to define rules using a variable; the rules are optional.

Using the "Any" Network Object

The "any" network object is used to facilitate the policy rule definition process. For example, if you want to allow "any" external host to communicate with a web server, you can define a policy rule to permit this traffic that uses "any" as the source address and the IP address and network mask for the web server as the destination address. Use of the "any" network object eliminates the need for you to define each source and destination for networks and hosts.

Using the "No Value" Variable

You might want to define a building block at the Group scope that contains a variable, then define an access rule at the same group level that refers to the building block.

At the device level, the building block can be defined using a specific value for the device. When the rules are evaluated during configuration generation, the access rules defined at the group level use the device-specific values.

Suppose you do not want these access rules to be applied to a device in the group. You can omit defining specific values for the building block. When the rules are evaluated during configuration generation, the access rules defined at the Group scope use the value associated with the variable building block at the Group scope, since no specific value is defined at the device. The building block specifies "no value," so Firewall MC discards these rules.

Without the use of "no value" in the building block, Firewall MC will generate errors after attempting to find a value for the access rules that refer to the building block.

For example, you want to create a building block named InsideNets at the Global scope and use a variable. No IP address or mask is included. You choose the "no value" building block to be part of its value. You define rules to permit traffic to and from InsideNets. You edit a device and define the same building block at the device level that replaces "no value" with an IP address and netmask. When the configuration is generated, the Global rules become meaningful on the device, as the variable is replaced with the value defined at the device level.

You then add another device, but you do not want a value for the InsideNets building block. You leave it undefined at the device level. When the configuration is generated, Firewall MC finds the value for InsideNet defined at the Global scope when trying to evaluate the rules referencing that building block. When Firewall MC checks to see what the value is for the device, only "no value" is found. Firewall MC cannot write a valid rule, so the rule is ignored and no error is generated.


Note   If a source or destination in an access rule is associated with "no value," Firewall MC ignores the rule and continues.
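The scope resolution walked through in the three examples above and in this "no value" discussion, as an added Python model (not Firewall MC code): the nearest definition of a name wins, a variable left at "no value" drops the rule silently, a stale reference fails generation, and an address entered without a mask gets the 32-bit host mask. The scope names, the ACL name acl_mdc_inside_access and the address 10.11.12.13 follow this chapter; the hierarchy, data model, sample addresses and function names are assumptions.

```python
# Model of how Firewall MC resolves network-object building blocks by scope.
# Constructed illustration, not Firewall MC code: the scope names, the ACL name
# acl_mdc_inside_access and 10.11.12.13 follow this chapter; the rest is assumed.
from dataclasses import dataclass
from typing import Optional

# Hierarchy: child scope -> parent scope (Global has no parent).
PARENTS = {"Customer A": "Global", "Customer B": "Global",
           "PIX Firewall": "Customer B", "Other PIX": "Customer A"}
HOST_MASK = "255.255.255.255"  # wizard default when no mask is entered (32-bit)

@dataclass
class NetworkObject:
    name: str
    scope: str
    address: Optional[str] = None  # "a.b.c.d" or "a.b.c.d m.m.m.m"; None is "no value"
    variable: bool = False         # True: the value is expected at a lower scope

    def content(self) -> Optional[str]:
        """Return 'address mask', applying the 32-bit host-mask default."""
        if self.address is None:
            return None
        parts = self.address.split()
        return f"{parts[0]} {parts[1] if len(parts) == 2 else HOST_MASK}"

@dataclass
class AccessRule:
    scope: str
    action: str
    protocol: str
    source: str       # network-object name or "any"
    destination: str

class GenerationError(Exception):
    """A rule references a building block that cannot be resolved."""

def scope_chain(device: str) -> list:
    """Scopes visible from a device, nearest first: device, group(s), Global."""
    chain = [device]
    while chain[-1] in PARENTS:
        chain.append(PARENTS[chain[-1]])
    return chain

def resolve(name: str, objects: list, device: str) -> Optional[NetworkObject]:
    """Pick the definition of `name` nearest to the device scope."""
    for scope in scope_chain(device):
        for obj in objects:
            if obj.name == name and obj.scope == scope:
                return obj
    return None

def render_endpoint(name: str, objects: list, device: str) -> Optional[str]:
    """ACL token for an endpoint, or None when it resolves to "no value"."""
    if name == "any":
        return "any"
    obj = resolve(name, objects, device)
    if obj is None:  # stale or undefined reference: generation fails
        raise GenerationError(f"unresolved building block {name!r} for {device}")
    content = obj.content()
    if content is None:
        if obj.variable:
            return None  # variable left at "no value": rule is silently dropped
        raise GenerationError(f"building block {name!r} has no value for {device}")
    return content

def generate_acl(acl_name: str, rules: list, objects: list, device: str) -> list:
    """Generate the access-list lines for one device from all visible rules."""
    visible = set(scope_chain(device))
    lines = [f": {acl_name} Access List"]
    for rule in rules:
        if rule.scope not in visible:
            continue
        src = render_endpoint(rule.source, objects, device)
        dst = render_endpoint(rule.destination, objects, device)
        if src is None or dst is None:
            continue  # "no value" on either side: skip the rule, no error
        lines.append(f"access-list {acl_name} {rule.action} {rule.protocol} {src} {dst}")
    return lines

# Constructed sample data mirroring the chapter's examples.
OBJECTS = [
    NetworkObject("Corp Network", "Global", None, variable=True),
    NetworkObject("Corp Network", "PIX Firewall", "10.11.12.13"),  # host mask applied
    NetworkObject("Internal Network", "Global", "10.0.0.0 255.0.0.0"),
    NetworkObject("Internal Network", "Customer B", "172.16.0.0 255.255.0.0"),
    NetworkObject("InsideNets", "Global", None, variable=True),  # never set on a device
]
RULES = [
    AccessRule("Global", "permit", "tcp", "Corp Network", "any"),
    AccessRule("Global", "permit", "tcp", "InsideNets", "any"),
    AccessRule("Global", "permit", "udp", "Internal Network", "any"),
]

if __name__ == "__main__":
    for dev in ("PIX Firewall", "Other PIX"):
        print("\n".join(generate_acl("acl_mdc_inside_access", RULES, OBJECTS, dev)))
```

For PIX Firewall the Corp Network rule renders exactly as the configuration line shown earlier in this section, while the InsideNets rule is dropped without an error; for Other PIX, under Customer A, Internal Network falls back to the Global definition.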

Adding or Editing a Network Object


Step 1   Select Configuration > Building Blocks > Network Objects.

The Network Objects page appears.

Step 2   Do one of the following:

  • To add a row in the table, click Add.

The Enter Definition page appears.

  • To edit a row, select the check box for the row in the table, then click Edit.

The Enter Definition page appears.

Step 3   Enter the network entity name to be assigned to network object.

Step 4   Enter an optional comment in the Description field.

Step 5   Select a category from the list. See Using Categories and Color-Coding.

Step 6   Select the Variable check box to use a value in place of a defined building block.


Note    This feature allows different values to be set for a building block for different devices or groups; the values are substituted into the same rule as applied to those different devices and groups.

Step 7   Click Next.

The Enter IP(s) page appears.

Step 8   Enter the network IP address and mask.

  • No IP address and mask are needed if you plan to use only nested network objects.
  • If you do not specify a network mask for an IP address, the wizard defaults to a host mask (32-bit) instead of a network mask (24-bit, and so on).

Step 9   Click Next.

The Select Networks page appears.

Step 10   Select the available object, then click Select =>.

The object is moved to the Selected Objects column.

Step 11   Click Next.

The network objects summary page appears.

Step 12   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





Network Objects Field-Level Elements and Descriptions

Element  Description 

Network entity name

User-defined network-entity name assigned to network object, for example, Engineering Network, or CMI Web Server. A maximum of 64 characters is allowed.

Note The network entity name you enter in the wizard is displayed in the network objects table under the Name column.

Description

Optional user-defined description that identifies the network object, for example, a set of networks that includes all engineering workstations.

Variable check box

Value used in place of a defined building block.

  • When selected, allows you to create an access rule at the current scope (or lower), even though no value is given for a building block that is declared as a variable. The values for variables are defined as normal building blocks at lower levels in the hierarchy.
  • When deselected, allows you to create an access rule at the current scope (or lower) using a defined building block.

If you selected the Variable check box in the wizard, your selection is displayed as true in the network objects table under the Variable column.

Note This feature allows different values to be set for a building block for different devices or groups; the values are substituted into the same rule as applied to those different devices and groups.

Network IP address/Mask

IP address and mask. If you do not specify a network mask for an IP address, the wizard defaults to a host mask (32-bit) instead of a network mask (24-bit, and so on).

Note No IP address and mask are needed if you plan to use only nested network objects.

The IP address and mask you enter in the wizard are displayed in the Network Objects table under the Content column.

Available objects

Lists user-defined available objects from which you make your selection.

Selected objects

Lists all devices selected for activity.

Select => button

Moves selected (nested) devices from Available Objects column to Selected Objects column.

<= Remove button

Moves selected (nested) devices from Selected Objects column to Available Objects column.

Scope

Scope (level) at which network object is defined, for example, Global.

Category

Element used to filter and sort network objects in rule tables. See Using Categories and Color-Coding.

Deleting a Network Object


Step 1   Select Configuration > Building Blocks > Network Objects.

The Network Objects page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.





Defining Service Definitions

The Service Definition feature allows you to create a single access rule that controls access to multiple protocols, for example, WWW.

Firewall MC service definitions can contain IP protocols, TCP and UDP source and destination ports, and ICMP message types. These are converted into firewall device protocol groups, service groups, and icmp-type groups respectively. These group types cannot be combined into a single device group. As a result, a rule that refers to a service definition could result in up to four groups being created, and the rule might be replaced with up to four rules. In addition, the TCP and UDP ports might have to be translated based on static port mapping commands that are interface and destination-address specific. As a result, no TCP-UDP groups are generated, and any service and destination network group that requires port translation is generated without reference to the service definition group.
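The splitting described above, as an added Python model (not Firewall MC code): one service definition holding IP protocol numbers, TCP ports, UDP ports and ICMP types produces up to four device groups and the rule that references it expands into up to four device rules, with TCP and UDP never sharing a group. The PIX-style object-group command syntax, the group naming scheme and the sample ports are assumptions; static port translation is not modelled.

```python
# Model of how a Firewall MC service definition is split into device groups.
# Constructed illustration, not Firewall MC code: the four group kinds and the
# "no TCP-UDP group" rule follow this chapter; the PIX-style object-group syntax,
# the group naming scheme and the sample ports are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FULL_RANGE = (0, 65535)  # shown as "*" in the table when the complete range is selected

@dataclass
class ServiceDefinition:
    name: str
    ip_protocols: List[int] = field(default_factory=list)            # e.g. 47 (GRE)
    tcp_ports: List[Tuple[int, int]] = field(default_factory=list)   # destination ranges
    udp_ports: List[Tuple[int, int]] = field(default_factory=list)
    icmp_types: List[str] = field(default_factory=list)              # e.g. "echo"

def port_text(rng: Tuple[int, int]) -> str:
    """Table rendering of a port range: '*', a single value, or 'lo-hi'."""
    lo, hi = rng
    if (lo, hi) == FULL_RANGE:
        return "*"
    return str(lo) if lo == hi else f"{lo}-{hi}"

def port_object(rng: Tuple[int, int]) -> str:
    """PIX-style port-object line for one range (assumed syntax)."""
    lo, hi = rng
    return f"  port-object eq {lo}" if lo == hi else f"  port-object range {lo} {hi}"

def device_groups(sd: ServiceDefinition) -> Dict[str, List[str]]:
    """Device groups a definition produces, keyed by kind.

    TCP and UDP entries never share a group, so a definition carrying all
    four kinds of entries yields four groups; kinds without entries yield none.
    """
    groups: Dict[str, List[str]] = {}
    if sd.ip_protocols:
        groups["protocol"] = ([f"object-group protocol {sd.name}_proto"]
                              + [f"  protocol-object {p}" for p in sd.ip_protocols])
    if sd.tcp_ports:
        groups["tcp"] = ([f"object-group service {sd.name}_tcp tcp"]
                         + [port_object(r) for r in sd.tcp_ports])
    if sd.udp_ports:
        groups["udp"] = ([f"object-group service {sd.name}_udp udp"]
                         + [port_object(r) for r in sd.udp_ports])
    if sd.icmp_types:
        groups["icmp-type"] = ([f"object-group icmp-type {sd.name}_icmp"]
                               + [f"  icmp-object {t}" for t in sd.icmp_types])
    return groups

def expand_rule(acl: str, action: str, src: str, dst: str, sd: ServiceDefinition) -> List[str]:
    """Replace one Firewall MC rule with up to four device rules, one per group."""
    rules = []
    for kind in device_groups(sd):
        if kind == "protocol":
            rules.append(f"access-list {acl} {action} object-group {sd.name}_proto {src} {dst}")
        elif kind == "icmp-type":
            rules.append(f"access-list {acl} {action} icmp {src} {dst} object-group {sd.name}_icmp")
        else:  # tcp or udp service group
            rules.append(f"access-list {acl} {action} {kind} {src} {dst} object-group {sd.name}_{kind}")
    return rules

# Constructed sample: a management service mixing all four kinds of entries.
MGMT = ServiceDefinition("Mgmt", ip_protocols=[47], tcp_ports=[(22, 22), (443, 443)],
                         udp_ports=[(161, 162)], icmp_types=["echo"])

if __name__ == "__main__":
    for kind, lines in device_groups(MGMT).items():
        print(f"# {kind} group")
        print("\n".join(lines))
    print("\n".join(expand_rule("acl_mdc_inside_access", "permit", "any",
                                "host 10.11.12.13", MGMT)))
```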

Adding or Editing a Service Definition


Step 1   Select Configuration > Building Blocks > Service Definitions.

The Service Definitions page appears.

Step 2   Do one of the following:

  • To add a row in the table, click Add.

The Specify Name and Select Transport page appears.

  • To edit a row, select the check box for the row in the table, then click Edit.

The Specify Name and Select Transport page appears.

Step 3   Enter the name of the service.

Step 4   Enter an optional comment in the Description field.

Step 5   Select a category from the list. See Using Categories and Color-Coding.

Step 6   Select the transport protocol from the list.


Note    Only IP requires an IP protocol number.

Step 7   Do one of the following:

  • If you selected ICMP as the transport protocol, click Next. The Select ICMP Values page appears. To select the ICMP values, go to Step 8.
  • If you selected TCP or UDP as the transport protocol, click Next. The Select TCP/UDP Values page appears. To select the TCP/UDP values, go to Step 9.
  • If you selected IP as the transport protocol, enter the IP protocol number, then click Next. The service descriptions summary page appears. Go to Step 10.

Step 8   If you selected ICMP as the transport protocol:

The Select ICMP Values page appears.

a. Select the type of message from the list.

b. Click Next.

The service descriptions summary page appears. Go to Step 10.

Step 9   If you selected TCP or UDP as the transport protocol:

The Select TCP/UDP Values page appears.

a. Enter the destination port or port range. Values are 0-65,535.

b. Enter the source port or port range. Values are 0-65,535.

c. Click Next.

The service descriptions summary page appears. Go to Step 10.

Step 10   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





Service Definitions Field-Level Elements and Descriptions

Element  Description 

Service name

User-defined name of a service. Literal names are used instead of port numbers. You can also specify these ports by number. A maximum of 64 characters is allowed.

The service name you enter in the wizard is displayed in the service definitions table in the Name column.

Description

Optional field in which to enter description of service used.

Transport protocol

Protocol used for service definition. Options are:

  • ICMP—Uses a dedicated IP protocol number.
  • TCP—Uses a dedicated IP protocol number.
  • UDP—Uses a dedicated IP protocol number.
  • IP—You must enter an IP protocol number.

Note If the protocol uses a dedicated IP protocol number, you can leave the field blank.

IP protocol number

Numbers that represent transport protocols. Values are 1-133.

  • 1—dedicated to ICMP
  • 6—dedicated to TCP
  • 17—dedicated to UDP

Message type

List of ICMP message types.

Source port

Enter a single value or range of values. Values are 0-65,535. Displayed as asterisk (*) in table when complete range selected.

Note Source port is used for TCP and UDP only.

Destination port

Enter a single value or range of values. Values are 0-65,535. Displayed as asterisk (*) in table when complete range selected.

Note Destination port is used for TCP and UDP only.

Network

IPv4.

Note The network element cannot be edited.

Scope

Scope (level) at which service definition is defined, for example, Global.

Category

Element used to filter and sort network objects in rule tables. See Using Categories and Color-Coding.

Deleting a Service Definition


Step 1   Select Configuration > Building Blocks > Service Descriptions.

The Service Descriptions page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.





Defining Service Groups

The Service Groups feature allows you to create a single access rule that controls access to multiple services, for example, you can write a single rule that permits traffic for Telnet and HTTP.

Adding or Editing a Service Group


Note   Some elements in the Service Groups table might be grayed out. This is because they are defined at a higher scope and cannot be edited from this level.


Step 1   Select Configuration > Building Blocks > Service Groups.

The Service Groups page appears.

Step 2   Do one of the following:

  • To add a new row in the table, click Add.

The Add Name and Description page appears.

  • To edit a row, select the check box for the row in the table, then click Edit.

The Add Name and Description page appears.

Step 3   Enter the service group name.

Step 4   Enter an optional comment in the Description field.

Step 5   Select a category from the list. See Using Categories and Color-Coding.

Step 6   Click Next.

The Select Services page appears.

Step 7   Select the available object, then click Select =>.

The object is moved to the Selected Objects column.

Step 8   Click Next.

The service groups summary page appears.

Step 9   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





Service Groups Field-Level Elements and Descriptions

Element  Description 

Service group name

User-defined name to identify the service group, for example, WWW. A maximum of 64 characters is allowed.

The service group you enter in the wizard is displayed in the service groups table under the Group Name column.

Description

Optional field to enter comments to identify service group, for example, commonly used Web services.

The description that you enter in the wizard is displayed in the service groups table under the Description column.

Available services

Lists services available for each service group.

Selected services

Lists services selected for service group.

Select => button

Moves selected device(s) from Available Objects column to Selected Objects column.

<= Remove button

Moves selected device(s) from Selected Objects column to Available Objects column.

Scope

Scope (level) at which the service group is defined, for example, Global.

Category

Element used to filter and sort network objects in rule tables. See Using Categories and Color-Coding.

Deleting a Service Group


Step 1   Select Configuration > Building Blocks > Service Groups.

The Service Groups page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.





Defining AAA Server Groups

Firewall MC lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic, for example, a TACACS+ server for inbound traffic and another for outbound traffic, or outbound HTTP traffic authenticated by a TACACS+ server and inbound traffic authenticated by RADIUS.

AAA server groups use tags, which are used to direct different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups, and each group can have up to 14 AAA servers, totaling up to 196 AAA servers.

Configuring an AAA server group is a two-tier process. First, you create an AAA server group. Second, you define AAA servers within that group. You have the option of inserting an AAA server while you are creating an AAA server group.

In Firewall MC, the Group LOCAL protocol local scoped from Global entry represents the AAA group named LOCAL that exists by default on PIX Firewalls running version 6.2 or later. The default group cannot be modified or disabled.

This group is used for administrative authentication and talks directly to the PIX Firewall instead of a separate AAA server. LOCAL specifies use of the PIX Firewall local user database for local command authorization. The LOCAL group is displayed in the configuration file as aaa-server LOCAL protocol local.

To set LOCAL for AAA Authentication, select Configuration > Settings > AAA Admin Authentication.

Creating or Editing an AAA Server Group


Note   While you are creating an AAA server group, you can insert an AAA server.

The following procedure assumes you are defining a server group and identifying a server within that group.


Step 1   Select Configuration > Building Blocks > AAA Server Group.

The AAA Server Group page appears.

Step 2   Do one of the following:

  • To add a server group in the table, click Create.

The Select Group Name page appears.

  • To add a server to a group in the table, select the check box for the row in the table after which you want the new row inserted, then click Insert.

The Define Server page appears.

  • To edit a group, select the check box for the row in the table, then click Edit.

The Select Group Name page appears.

  • To edit a server, select the check box for the row in the table, then click Edit.

The Define Server page appears.

Step 3   Enter the AAA server group name. Spaces are not permitted. A maximum of 14 server groups is permitted.

Step 4   Click the Radius or TACACS protocol radio button to identify the authentication protocol used for the server group.

Step 5   Click Next.

The Define Server page appears.

Step 6   Select the interface from the list.

Step 7   Enter the IP address.

Step 8   Enter the server key.

Step 9   Verify the timeout value. Default is 5 seconds.

Step 10   Click Next.

The AAA server group summary page appears.

Step 11   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





AAA Server Group Field-Level Elements and Descriptions

Element  Description 

Group LOCAL protocol local scoped from Global

Default firewall device AAA server group.

Group name

User-defined name that identifies AAA server group, for example, East Coast Servers or Radius Servers.

Spaces are not permitted. A maximum of 14 server groups is permitted.

The group name you define in the wizard is displayed in the server group table as a highlighted row.

Authentication protocol radio buttons

Options are:

  • RADIUS
  • TACACS

The protocol you select in the wizard is displayed in the server group table next to the server group name.

Interface

Logical name of interface that relates to use, for example, inside or outside.

Note If you are using the wizard, a list displays all interfaces defined at the current scope.

Server IP address

IP address of AAA server.

Server key

A case-sensitive, alphanumeric keyword of up to 127 characters that has the same value as the key on the TACACS server; additional characters are ignored. The key encrypts data between the client and the server and must be the same on both systems. Spaces are not permitted in the key, but other special characters are.

The server key you enter is displayed in the AAA server group table under the Key column.

Server timeout

A retransmission timer that specifies the length of time during which Firewall MC retries access (four times) to the AAA server before choosing the next AAA server. Values are 1-30 seconds. Default is 5.
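As an added example that is not part of the Firewall MC documentation, the following Python check enforces the limits stated in this section and table (14 groups of up to 14 servers, no spaces in group names or keys, key characters beyond 127 ignored, timeout 1-30 seconds, LOCAL reserved) over a set of groups before they are entered in the wizard; the dataclass names and the addresses in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List
MAX_GROUPS = 14                # limits from the AAA server group documentation: 14 tag groups ...
MAX_SERVERS_PER_GROUP = 14     # ... of up to 14 servers each (196 total)
KEY_MAX_LEN = 127              # characters beyond 127 are ignored by the device
TIMEOUT_RANGE = (1, 30)
PROTOCOLS = ("RADIUS", "TACACS")

@dataclass
class AAAServer:
    interface: str             # logical interface name, for example inside
    ip: str
    key: str
    timeout: int = 5           # documented default

@dataclass
class AAAServerGroup:
    name: str
    protocol: str
    servers: List[AAAServer] = field(default_factory=list)  # list order is the failover order

def validate_server(server: AAAServer) -> AAAServer:
    """Return a checked copy; the key is trimmed to 127 characters as the device ignores the rest."""
    ipaddress.IPv4Address(server.ip)   # raises ValueError on a malformed address
    if not server.key or " " in server.key:
        raise ValueError(f"server {server.ip}: a key without spaces is required")
    if not TIMEOUT_RANGE[0] <= server.timeout <= TIMEOUT_RANGE[1]:
        raise ValueError(f"server {server.ip}: timeout must be 1-30 seconds")
    return AAAServer(server.interface, server.ip, server.key[:KEY_MAX_LEN], server.timeout)

def validate_groups(groups: List[AAAServerGroup]) -> Dict[str, AAAServerGroup]:
    """Check a whole set of groups against the documented limits; returns them keyed by name."""
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"at most {MAX_GROUPS} server groups are permitted")
    checked: Dict[str, AAAServerGroup] = {}
    for group in groups:
        if group.name == "LOCAL":
            raise ValueError("LOCAL is the built-in group and cannot be redefined")
        if not group.name or " " in group.name:
            raise ValueError(f"group name {group.name!r}: spaces are not permitted")
        if group.name in checked:
            raise ValueError(f"duplicate group name {group.name!r}")
        if group.protocol.upper() not in PROTOCOLS:
            raise ValueError(f"group {group.name}: protocol must be RADIUS or TACACS")
        if len(group.servers) > MAX_SERVERS_PER_GROUP:
            raise ValueError(f"group {group.name}: at most {MAX_SERVERS_PER_GROUP} servers")
        checked[group.name] = AAAServerGroup(group.name, group.protocol.upper(),
                                             [validate_server(s) for s in group.servers])
    return checked
```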

Deleting an AAA Server Group or Element


Step 1   Select Configuration > Building Blocks > AAA Server Group.

The AAA Server Group page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.





Defining Address Translation Pools

The Address Translation Pools feature allows you to create global address pools used in dynamic NAT rules.

Configuring address translation pools is a two-tier process. First, you create a pool. Second, you define the elements within that pool. You have the option of defining the elements while you are creating an address translation pool.

Creating or Editing an Address Translation Pool


Note   While you are creating an address translation pool, you can insert an address pool element as part of the procedure.

The following procedure assumes you are defining an address translation pool and identifying a range of pool values within that pool group.


Step 1   Select Configuration > Building Blocks > Address Translation Pools.

The Address Translation Pool page appears.

Step 2   Do one of the following:

  • To add a pool group to the table, click Create.

The Enter Pool Name page appears.

  • To add a pool element to the table, select the check box for the row in the table after which you want the new row inserted, then click Insert.

The Enter Pool Element page appears.

  • To edit a pool, select the check box for the row in the table, then click Edit.

The Enter Pool Name page appears.

  • To edit a pool range, select the check box for the row in the table, then click Edit.

The Enter Pool Element page appears.

Step 3   Enter the pool name to identify the address translation pool, for example, external addresses.

Step 4   Click Next.

The Enter Pool Element page appears.

Step 5   Select the interface from the list.

Step 6   To use the interface address as the closing PAT address, select the PAT check box.

Step 7   Enter address ranges and masks.

Step 8   Click Next.

The address translation pool summary page appears.

Step 9   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.





Address Translation Pool Field-Level Elements and Descriptions

Element  Description 

Interface

Logical name of interface that relates to use. Options are:

  • Inside—Connects to your internal network.
  • Outside—(Default) Connects to an external network or public Internet.

Interface PAT

Interface address defined as the final global address for PAT. When selected, this setting is displayed as true on the summary page.

IP address(es)

Set of addresses in address translation pool in addition to an interface address. Identifies type and value of address(es) for pool. Can identify one of the following types:

  • Range of addresses
  • PAT address
  • PAT address associated with an interface

Value is zero (0) or more elements separated by spaces or commas, for example, 192.168.1.1-192.168.1.5/24; 192.168.1.10-192.168.1.15, 192.168.1.20.

PAT: Use interface address for closing PAT check box

If check box is selected, interface address is used as the final global address for PAT.

If the check box is selected in the wizard, Yes is displayed in the address translation pool table under the Interface PAT column.

Address range(s)/Mask (optional)

Set of addresses in the address translation pool in addition to an interface address. Value is zero (0) or more elements separated by spaces or commas, for example, 192.168.1.1-192.168.1.5/24; 192.168.1.10-192.168.1.15, 192.168.1.20.

Addresses to which the original addresses will be translated. If Firewall MC is exposing a host or network to users on the Internet, these IP addresses must be valid IP addresses that are registered with ARIN.
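The pool value format above, as an added example that is not Firewall MC code: a Python parser for the space-, comma- or semicolon-separated elements that checks that a range carrying a /mask stays inside that subnet, plus helpers that count the global addresses in a pool and flag elements whose ranges overlap (which would hand the same global address to two translations). The sample value in the test is the one from the table.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

Element = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, Optional[int]]
SEPARATORS = re.compile(r"[\s,;]+")   # the table's example mixes spaces, commas and semicolons

def parse_pool_elements(text: str) -> List[Element]:
    """Parse a pool value into (first, last, prefix-length-or-None) tuples.

    Accepts a single address, a first-last range, and an optional /mask suffix given
    as a prefix length or a dotted mask, e.g. 192.168.1.1-192.168.1.5/24.
    An empty value yields no elements (allowed when only interface PAT is used).
    """
    elements: List[Element] = []
    for token in SEPARATORS.split(text.strip()):
        if not token:
            continue
        addr_part, _, mask = token.partition("/")
        first_s, _, last_s = addr_part.partition("-")
        first = ipaddress.IPv4Address(first_s)
        last = ipaddress.IPv4Address(last_s) if last_s else first
        if last < first:
            raise ValueError(f"reversed range {token!r}")
        prefix = None
        if mask:
            net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
            if last not in net:
                raise ValueError(f"range {token!r} crosses the {net.with_prefixlen} boundary")
            prefix = net.prefixlen
        elements.append((first, last, prefix))
    return elements

def pool_size(elements: List[Element]) -> int:
    """Number of global addresses the pool can hand out (interface PAT not counted)."""
    return sum(int(last) - int(first) + 1 for first, last, _ in elements)

def overlapping(elements: List[Element]) -> List[Tuple[int, int]]:
    """Index pairs whose ranges share addresses; two elements should not map the same global."""
    hits = []
    for i, (f1, l1, _) in enumerate(elements):
        for j in range(i + 1, len(elements)):
            f2, l2, _ = elements[j]
            if f1 <= l2 and f2 <= l1:
                hits.append((i, j))
    return hits
```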

Deleting an Address Translation Pool or Element


Step 1   Select Configuration > Building Blocks > Address Translation Pools.

The Address Translation Pool page appears.

Step 2   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.