Using Management Center for Firewalls 1.2
Configuring Device-Level Settings

Table of Contents

Configuring Device-Level Settings
Basic Settings
Advanced Settings
Configuring IDS Policy
Configuring IDS Signatures
Configuring Anti-Spoofing
Configuring Fragments
Configuring TCP Options
Configuring Timeouts
Configuring Basic Fixups
Configuring Multimedia Fixups
Configuring Flood Guard

Configuring Device-Level Settings


Device-level settings are those settings that are specific to a device. We categorize such settings as basic or advanced.

  • Basic settings identify those settings that are required for the firewall to operate correctly on the network.
  • Advanced settings are optional features that provide advanced processing or security features.

Basic Settings

This section describes the settings that define the basic features installed on the firewall device and the settings that control the types of connections that can be made to the firewall device for administration. This section includes:

Setting the Firewall OS Version

Identifying the correct operating system (OS) version running on a firewall device ensures that Firewall MC generates the command syntax expected by the installed operating system.

Firewall MC 1.2 supports PIX Firewall software version 6.0(x) through 6.3(x) CLI commands, and Firewall Services Module (FWSM) software version 1.1(x) CLI commands; however, not all commands are fully supported in this release. A complete list of commands, along with the supported devices and software versions, can be found at:

http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products_device_support_tables_list.html


Step 1   Select Configuration > Device Settings > Firewall Device OS Version.

The Firewall Device OS Version page appears.

Step 2   Do one of the following:

  • To generate a configuration file using the last-detected version of the operating system, click the Last Detected Firewall OS Version radio button.
  • To generate a configuration file using a specific version, click the Supported firewall OS version radio button, then select the desired version of the operating system from the Supported Firewall OS Version list.

Note    If you created a device manually, you must click the Supported Firewall OS Version radio button, then specify the operating system version for that device.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Firewall OS Version Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device at the current scope inherits the settings of the enclosing group. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected at a group level, the settings are inherited by the enclosed subgroups and devices and become mandatory: a subgroup or device cannot change them. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Last detected firewall

When selected, instructs Firewall MC to automatically generate a configuration file for the last detected firewall device OS version as it is discovered on the target device.

Supported firewall OS version list

When selected, instructs Firewall MC to generate a configuration file for a specific OS version from a list of available OS versions that support PIX Firewalls (PIXs) and Firewall Services Modules (FWSMs).

Configuring Interfaces

The Interfaces feature allows you to define, enable, disable, and edit network interface configurations. Each firewall device must be configured, and each active interface must be enabled. Inactive interfaces can be disabled. You can define interfaces manually, or you can import interface information using a comma-separated values (CSV) file. (See Importing an Interface.) When disabled, the interface does not transmit or receive data, but the configuration information is retained. To access this feature, select Configuration > Device Settings > Interfaces.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall.


Tip If you imported an existing firewall device, you do not need to complete this procedure unless you want to modify the settings defined for the remaining interfaces.

Adding or Editing an Interface

The Interfaces page allows you to define the name, security level, type, speed, MTU, and IP address of an interface. You can enter a static IP address for an interface, or you can specify that the IP address be obtained using a DHCP client or PPPoE functionality. You can disable inactive interfaces, and you can import interface information using a comma-separated values (CSV) file. For more information on importing interfaces, see Importing an Interface.

Make sure that the number of interfaces and their respective hardware IDs defined in the GUI match those on the physical device. For example, if you define only ethernet0 and ethernet1 in the GUI when the device also contains ethernet2, Firewall MC tries to remove all configuration settings for the undefined interface, such as its IP address, during deployment. This causes deployment errors and possible failure, depending on the settings you established for error handling.


Step 1   Select Configuration > Device Settings > Interfaces.

The Interfaces page appears.

Step 2   Do one of the following:

  • To add a row, click Add.

The Add Interface Name page appears.

  • To edit a row, select the check box for the row, then click Edit.

The Add Interface Name page appears.


Note    If you change an interface, we recommend that you perform a clear translation. See Configuring Management Controls.

Step 3   Do one of the following:

  • To define an interface for a Firewall Services Module (FWSM), go to Step 4.
  • To define an interface for a PIX Firewall, go to Step 5.

Step 4   To define an interface for a FWSM:

a. Enter the identification number of the Virtual Local Area Network (VLAN) associated with the FWSM interface in the VLAN ID field. Values are 1-4095.

b. Select the Interface Enable check box.

c. Enter the interface name.


Note    The inside and outside interfaces are partially defined for the Global group by default; however, you must edit the interfaces to include the additional information.

d. Enter the security level that the interface will enforce. Valid values are 0-100 (100 = greatest security level).

  • Outside interface is always 0.
  • Inside interface is always 100.
  • DMZ is 1-99. (Interfaces set to the same security level cannot communicate with each other.)

Note    You can define a dynamic NAT rule only for traffic that enters on an interface with a higher security level than the interface it exits, and that exit interface must have a global IP address pool assigned to it. Static NAT rules can be defined between interfaces of any security level.

e. Click Next.

f. To configure the static IP address for this interface, go to Step 7.

Step 5   To define an interface for a PIX Firewall:

a. Enter the hardware ID that identifies the network interface located on the PIX Firewall. If you are defining a VLAN interface, enter the hardware ID of the physical interface that the VLAN is associated with. Possible values are:

  • ethernet0 to ethernetn.
  • gb-ethernetn.

Note    n is the interface index; the highest value available depends on the number of network interfaces in the PIX Firewall.

b. If you are defining a VLAN interface, enter the identification number of the Virtual Local Area Network (VLAN) associated with the interface in the VLAN ID field, then select the type of VLAN interface, logical or physical, from the VLAN interface type list. Values for VLAN ID are 1-4095.


Note    The number of logical interfaces that you can configure on a PIX Firewall varies according to the model. For more information, refer to the documentation for your PIX Firewall.

c. Select the Interface Enable check box.

d. Enter the interface name.


Note    The inside and outside interfaces are partially defined for the Global group by default; however, you must edit the interfaces to include the additional information.

e. If you are defining a physical interface, select the physical-level interface speed from the list. For more information, see Speed (used for PIX Firewall only) in the Field-Level Elements and Descriptions table.


Note    We recommend that you specify the speed of the network interfaces, instead of using auto speed sensing, in case your network environment includes switches or other devices that do not handle autosensing correctly.

f. If you are defining a physical interface, enter the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Values are 64-65,535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.

g. Enter the security level that the interface will enforce. Values are 0-100 (100 = greatest security level).

  • Outside interface is always 0.
  • Inside interface is always 100.
  • DMZ is 1-99. (Interfaces set to the same security level cannot communicate with each other.)

Note    You can define a dynamic NAT rule only for traffic that enters on an interface with a higher security level than the interface it exits, and that exit interface must have a global IP address pool assigned to it. Static NAT rules can be defined between interfaces of any security level.

h. Select the type of IP address for this interface. Options are:

  • DHCP—Assigns a dynamic IP address and mask to the interface. If you are configuring DHCP, click the DHCP radio button, then go to Step 6.
  • Static—Assigns a static IP address and mask to the interface. If you are configuring a static IP address, click the Static radio button, then go to Step 7.
  • PPPoE—Provides an authenticated method of assigning an IP address to the interface. If you are configuring PPPoE, click the PPPoE radio button, then go to Step 8.

Note    You can configure DHCP and PPPoE on the outside interface only.

Step 6   To configure DHCP on this interface:

a. To cause a default route to be created if one does not exist, select the Enable DHCP Set Route check box.

b. To enable the DHCP Retry feature, select the Enable DHCP Retry check box and then use the Retry Count field to enter the number of attempts to allow before an error is returned. Values are 4-16.

c. Click Next.

The interface summary page appears.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.

d. Go to Step 9.

Step 7   To configure a static IP address on this interface:

a. Enter the IP address. The IP address must be unique for each interface.


Note    Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

b. Enter the network mask. You can express the value in dotted decimal format (e.g. 255.255.255.0) or by entering the number of bits in the network mask (e.g. 24).


Note    Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

c. Click Next.

The interface summary page appears.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.

d. Go to Step 9.

Step 8   To configure PPPoE on this interface:

a. Enter the Virtual Private Dial-up Network (VPDN) username for authentication in the User Name field.

b. To indicate that the VPDN username and password have already been configured as store-local on the PIX Firewall, select the Use Local check box.


Note    If you select this option, Firewall MC does not generate the VPDN username/password command for this user and does not remove the existing password for this user during deployment.

c. If you did not select the Use Local check box, enter the VPDN password that corresponds with the username in the Password field and Confirm Password field.

d. Select the protocol to use for authentication. Options are:

  • PAP—Password Authentication Protocol.
  • CHAP—Challenge Handshake Authentication Protocol.
  • MSCHAP—Microsoft Challenge Handshake Authentication Protocol.

e. To create a default route if one does not exist, select the Enable PPPoE Set Route check box.

f. To use a static IP address, select the Enable Static IP Address check box, then add the IP address and subnet mask in the fields provided.

g. Click Next.

The interface summary page appears.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.

Step 9   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Important Note About Deploying a PPPoE Configuration

If you deploy a PPPoE configuration to a firewall device that already has PPPoE configured on the outside interface (ip address outside pppoe), any existing PPPoE connection to an access concentrator is reset and cleared. The firewall device must then reauthenticate itself and reconnect to the access concentrator.

Interfaces Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device at the current scope inherits the settings of the enclosing group. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected at a group level, the settings are inherited by the enclosed subgroups and devices and become mandatory: a subgroup or device cannot change them. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Hardware ID
(used for PIX Firewall only)

Displays the network interface located on the PIX Firewall. Possible values are:

  • ethernet0 to ethernetn.
  • gb-ethernetn.

Note n is the interface index; the highest value available depends on the number of network interfaces in the PIX Firewall.

VLAN ID

Displays the Virtual Local Area Network (VLAN) associated with the interface. Valid values are 1-4095.

VLAN interface type

Type of VLAN interface. Options are:

  • logical—VLAN is associated with a logical interface.
  • physical—VLAN is on the same network as its underlying hardware interface.

Speed
(used for PIX Firewall only)

Physical-level interface speed. Options are:

  • 10baset—10-Mbps Ethernet half-duplex.
  • 10full—10-Mbps Ethernet full-duplex.
  • 100basetx—100-Mbps Ethernet half-duplex.
  • 100full—100-Mbps Ethernet full-duplex.
  • 1000sxfull—1000-Mbps Ethernet full-duplex.
  • 1000basesx—1000-Mbps Ethernet half-duplex.
  • 1000auto—1000-Mbps Ethernet to auto-negotiate full- or half-duplex. (We recommend that you do not use this option, to maintain compatibility with switches and other devices in your network.)
  • 1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.
  • 1000full nonnegotiate—1000-Mbps Ethernet full-duplex.
  • aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface.
  • bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface.
  • auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.

Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

Interface name

Logical name that describes the interface's role. Supported interface names are:

  • Inside—Connects to your internal network. Must be most secure interface. See Security Level.
  • DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network.
  • Outside—Connects to an external network or public Internet. Must be least secure interface. See Security Level.

Security level

Security level that interface will enforce. Values are 0-100 (100 = greatest security level).

  • Outside interface is always 0.
  • Inside interface is always 100.
  • DMZ is between 1-99.

Note Because Firewall MC applies a default set of rules to an interface, the remaining security levels matter only if you plan to use dynamic NAT between two or more interfaces. You can define a dynamic NAT rule only for traffic that enters on an interface with a higher security level than the interface it exits, and that exit interface must have a global IP address pool assigned to it. Static NAT rules can be defined between interfaces of any security level.

MTU

Maximum transmission unit. Number of bytes in the MTU. The value depends on the type of network connected to the interface. Values are 64-65,535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.

IP address

IP address of interface.

  • IP address must be unique for each interface.
  • The IP Address is blank for interfaces that use dynamic addressing.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Subnet mask

Network mask for IP address of interface. You can express the value in dotted decimal format (e.g. 255.255.255.0) or by entering the number of bits in the network mask (e.g. 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

Type

Specifies the address type for the interface. Options are:

  • DHCP—Assigns a dynamic IP address and mask to the interface.
  • Static—Assigns a static IP address and mask to the interface.
  • PPPoE—Provides an authenticated method of assigning an IP address to the interface.

Note You can configure DHCP and PPPoE on the outside interface of a firewall device only.

Enabled

Indicates whether the interface is active (enabled) or shut down (disabled).

Import button

Imports multiple interfaces using a comma-separated values (CSV) file.

Poll button

Gets the current status of VLAN interfaces from a Firewall Services Module (FWSM).

Interface enable check box

Enables the interface.

  • Value set to true in the wizard summary.
  • Value set to enabled in the Interfaces table.

Enable DHCP set route check box

Enables DHCP set route. The DHCP set route command tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns.

Enable DHCP retry check box

Enables DHCP to retry making a connection. When enabled, set to true in the summary page.

Retry count

Used when DHCP Retry Enable check box is selected. Number of tries before an error is returned. Values are 4-16.

Username

Virtual Private Dial-Up Network (VPDN) username to use for authentication.

Use local check box

Select the Use Local check box to indicate that the VPDN username and password have already been configured as store-local on the firewall device.

Note If you select this option, Firewall MC does not generate the VPDN username/password command for this user and does not remove the existing password for this user during deployment.

Password

VPDN password used for authentication.

Confirm password

Reenter the VPDN password.

Protocol

The protocol used for authentication. Options are:

  • PAP—Password Authentication Protocol.
  • CHAP—Challenge Handshake Authentication Protocol.
  • MSCHAP—Microsoft Challenge Handshake Authentication Protocol.

Enable PPPoE set route check box

Enables PPPoE set route. The PPPoE set route command tells the firewall device to set the default route using the default gateway parameter the PPPoE server returns.

Enable static IP address check box

Enables use of a static address on this interface.

Deleting an Interface


Step 1   Select Configuration > Device Settings > Interfaces.

The Interfaces page appears.

Step 2   Select the check box for the interface, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The interface is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.





Importing an Interface

This import method allows you to import interfaces in bulk using a comma-separated values (CSV) file. The default import directory is C:\Program Files\CSCOpx\MDC\PIXMC\import (assuming C:\Program Files\ was the install directory). To change the default import directory, see Configuring Import Controls.

The CSV format has one row of data per interface, with several fields per row. The information required for each interface included in the CSV file depends on the configuration of the device and interface. For more information on the fields and values to use for a particular interface, see Interfaces Field-Level Elements and Descriptions.

The number of logical VLAN interfaces that you can configure on a PIX Firewall varies according to the PIX Firewall model. For more information, refer to the documentation for your PIX Firewall.


Note   To designate a line as a comment and prevent it from being imported, place a semicolon in front of that line.

The CSV format provides the following interface information:

  • Value 1 - Hardware ID (Used only for PIX Firewall).
  • Value 2 - VLAN ID.
  • Value 3 - Media type (Used only for PIX Firewall).
  • Value 4 - Interface name.
  • Value 5 - Security level.
  • Value 6 - MTU (Used only for PIX Firewall).
  • Value 7 - Address type (Static, PPPoE, or DHCP).
  • Value 8 - IP address.
  • Value 9 - Subnet mask.
  • Value 10 - DHCP/PPPoE set route enable (Used only for outside interfaces on PIX Firewalls).
  • Value 11 - DHCP retry enable (Used only for outside interfaces on PIX Firewalls).
  • Value 12 - DHCP retry count (Used only for outside interfaces on PIX Firewalls).
  • Value 13 - PPPoE user name (Used only for outside interfaces on PIX Firewalls).
  • Value 14 - PPPoE password (Used only for outside interfaces on PIX Firewalls).
  • Value 15 - PPPoE use local enable. Values are True or False. (Used only for outside interfaces on PIX Firewalls.)
  • Value 16 - PPPoE authentication type. Values are PAP, CHAP, or MSCHAP. (Used only for outside interfaces on PIX Firewalls.)
  • Value 17 - Interface enable. Values are True or False.

You can write CSV information as shown in the following examples:


Example 8-1   PPPoE interface for a PIX Firewall
ether4,,10baset,outside,0,,PPPoE,1.2.3.4,24,true,,,joe,,true,CHAP,true

Example 8-2   VLAN interface for FWSM
,1,,vlanTest,96,1500,Static,2.3.4.5,24,,,,,,,,true

Example 8-3   Static interface for a PIX Firewall
ether5,,10baset,pixTest,95,1500,Static,3.4.5.6,24,,,,,,,,true
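The Import wizard reports a bad row only after you have started it, and rows with errors are dropped from the import (see the Note under Step 4). The following Python script is an added example, not part of Firewall MC or this guide: it reads a file in the 17-field layout listed above, skips lines that begin with a semicolon, and applies the rules this section states (outside is 0 and inside is 100, DMZ levels 1-99, VLAN ID 1-4095, DHCP and PPPoE only on the outside interface of a PIX Firewall, DHCP retry count 4-16, PPPoE username, password and protocol requirements, masks of 255.255.255.254 and 255.255.255.255 rejected, and unique IP addresses and interface names). The field names, the function names and the sample file (the three documented example rows plus one deliberately invalid DMZ row) are constructed for the example.

```python
"""Pre-flight checks for a Firewall MC 1.2 interface-import CSV file (added example,
not Cisco code): apply this section's field rules before running the Import wizard."""
import csv
import ipaddress

FIELDS = [  # Value 1 .. Value 17 of the documented CSV layout, in order
    "hardware_id", "vlan_id", "media_type", "name", "security_level", "mtu",
    "address_type", "ip_address", "subnet_mask", "set_route", "dhcp_retry",
    "dhcp_retry_count", "pppoe_username", "pppoe_password", "pppoe_use_local",
    "pppoe_auth", "enabled",
]
ADDRESS_TYPES = {"static", "dhcp", "pppoe"}
AUTH_TYPES = {"pap", "chap", "mschap"}


def mask_to_prefix(mask):
    """Accept dotted decimal ('255.255.255.0') or a bit count ('24'); None if invalid."""
    try:
        return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    except ValueError:
        return None


def _int_in(value, lo, hi):
    return value.isdigit() and lo <= int(value) <= hi


def check_row(r):
    """Return the rule violations for one parsed interface row (empty list = OK)."""
    errs, name = [], r["name"].lower()
    if not r["hardware_id"] and not r["vlan_id"]:
        errs.append("need a hardware ID (PIX) or a VLAN ID (FWSM)")
    if r["vlan_id"] and not _int_in(r["vlan_id"], 1, 4095):
        errs.append("VLAN ID must be 1-4095")
    if not _int_in(r["security_level"], 0, 100):
        errs.append("security level must be 0-100")
    else:   # outside is always 0, inside always 100, anything else (DMZ) 1-99
        level, want = int(r["security_level"]), {"outside": 0, "inside": 100}.get(name)
        if want is not None and level != want:
            errs.append(f"{name} must have security level {want}")
        if want is None and not 1 <= level <= 99:
            errs.append("DMZ security level must be 1-99")
    atype = r["address_type"].lower()
    if atype not in ADDRESS_TYPES:
        errs.append("address type must be Static, DHCP or PPPoE")
    elif atype != "static" and (name != "outside" or not r["hardware_id"]):
        errs.append("DHCP/PPPoE is valid only on the outside interface of a PIX Firewall")
    if atype == "static" or r["ip_address"]:   # PPPoE may carry an optional static address
        try:
            ipaddress.IPv4Address(r["ip_address"])
        except ValueError:
            errs.append("a valid IPv4 address is required")
        prefix = mask_to_prefix(r["subnet_mask"])
        if prefix is None:
            errs.append("subnet mask must be dotted decimal or a bit count")
        elif prefix >= 31:
            errs.append("/31 and /32 masks stop traffic on the interface")
    if atype == "dhcp" and r["dhcp_retry"].lower() == "true" \
            and not _int_in(r["dhcp_retry_count"], 4, 16):
        errs.append("DHCP retry count must be 4-16")
    if atype == "pppoe":
        if not r["pppoe_username"]:
            errs.append("PPPoE requires a VPDN username")
        if r["pppoe_use_local"].lower() != "true" and not r["pppoe_password"]:
            errs.append("PPPoE requires a password unless 'use local' is True")
        if r["pppoe_auth"].lower() not in AUTH_TYPES:
            errs.append("PPPoE authentication must be PAP, CHAP or MSCHAP")
    if r["enabled"].lower() not in ("true", "false"):
        errs.append("interface enable must be True or False")
    return errs


def validate_csv(text):
    """Parse the whole file; return (rows, errors) including cross-row duplicates."""
    rows, errors, seen = [], [], {"ip_address": {}, "name": {}}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or ';' comment
        values = [v.strip() for v in next(csv.reader([line]))]
        if len(values) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(values)}")
            continue
        row = dict(zip(FIELDS, values))
        errors += [f"line {lineno}: {e}" for e in check_row(row)]
        for key, prior in seen.items():   # IP addresses and names must be unique
            if row[key] and row[key].lower() in prior:
                errors.append(f"line {lineno}: duplicate {key} (see line {prior[row[key].lower()]})")
            elif row[key]:
                prior[row[key].lower()] = lineno
        rows.append(row)
    return rows, errors


# Constructed sample: the three documented example rows plus one deliberately bad row.
SAMPLE = """\
; PPPoE outside interface (Example 8-1)
ether4,,10baset,outside,0,,PPPoE,1.2.3.4,24,true,,,joe,,true,CHAP,true
,1,,vlanTest,96,1500,Static,2.3.4.5,24,,,,,,,,true
ether5,,10baset,pixTest,95,1500,Static,3.4.5.6,24,,,,,,,,true
ether2,,100full,dmz,50,1500,DHCP,,,true,true,3,,,,,true
"""
```

Calling validate_csv(SAMPLE) parses all four rows and reports two problems, both on line 5: DHCP on an interface that is not the outside interface, and a retry count below 4. To check a real file before clicking Import, pass its contents to validate_csv() and fix every reported line; the three documented example rows pass unchanged.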


Step 1   Select Configuration > Device Settings > Interfaces.

The Interfaces page appears.

Step 2   Click Import.

The Enter Interface File Name page appears.

Step 3   Enter the path and name of the CSV file to import or click Browse to navigate to the file location.

Step 4   Click Next.

The Interface Import Details page appears.


Note   If errors exist in the CSV file, the Interface Import Errors page appears. Any interfaces that contain errors will not be imported. You can continue to import the interfaces that do not contain errors, or you can cancel the import wizard, correct the errors, then reimport the interfaces.

Step 5   Review the interface details, then click Next.

The interface summary page appears.

Step 6   Verify the information is correct, then click Finish.

The interfaces are imported and are displayed in the Interfaces table. Changes are applied to the firewall device configuration files when they are generated.





Polling an FWSM for VLAN Information

The VLAN polling feature allows you to get the current status of VLAN interfaces from a Firewall Services Module (FWSM). You can use this feature to update Firewall MC with the current VLAN information.


Step 1   Select Configuration > Device Settings > Interfaces.

The Interfaces page appears.

Step 2   Click Poll.

Firewall MC displays the Status of VLANs page, which contains a table showing the VLANs that are defined on the specified FWSM and those that are defined in Firewall MC. The Status of VLANs page is informational only, but you can use this information to update Firewall MC with the current VLAN information.


Note    You must enter the device contact information for the FWSM you are polling before clicking Poll. See Configuring Firewall Device Contact Info.

Step 3   Click Close.





Configuring Firewall Device Administration

Firewall device administration consists of:

Configuring Passwords

The Password feature allows you to set the enable and Telnet passwords. If you are a system administrator, you can log in to the firewall device using the following types of already configured connections:

  • Serial console port.
  • Telnet.
  • Secure Sockets Layer (SSL).
  • SSH (Secure Shell).

You can define RADIUS or TACACS servers to authenticate any of these connection types. To access this feature, select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.

If you are an administrator using the CLI, you must use the enable password to enter privileged mode. Privileged mode enables you to view or change the firewall device configuration. The enable password is also required to authenticate administrators who connect by serial port, Telnet, SSH, HTTPS, or SSL.

The default Telnet password is "cisco". The Telnet password also authenticates administrators connecting over SSH when firewall device administrative AAA authentication is not defined for the SSH protocol. To gain access to the PIX Firewall console using SSH, enter the username pix and the Telnet password from the SSH client.

If you will use a AAA authentication server to authenticate users, you do not need to complete the Password page.


Important Notes and Restrictions for Passwords
  • Firewall device passwords can be a maximum of 16 characters.
  • SSH permits up to 100 characters in a username and up to 50 in a password.
  • Passwords can consist of alphanumeric or special characters except for the question mark, space, or *-*-*-*-*-*-*-*- string.
  • Passwords are case-sensitive; for example, an uppercase "A" is recognized differently from a lowercase "a."

Note    Make sure Caps Lock or Num Lock on your keyboard is not set when you enter passwords.

  • Passwords should not be any word or syllable that would be found in a dictionary of common languages, the word "password," your date of birth, organization name, or anything easy to guess about you or your organization.
  • Passwords should be stored in a manner consistent with the security policy of your organization. After you change a password, you cannot view it again.
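The restrictions above can be enforced before a password ever reaches the Password page. The Python below is an added example, not Cisco code: check_password() returns every rule a candidate breaks (length over 16, the forbidden question mark and space, the reserved *-*-*-*-*-*-*-*- string, dictionary or organization words, and dates of birth), and generate_password() draws a compliant 16-character enable or Telnet password from the secrets module. WORDLIST and the org_words and birthdates parameters are constructed stand-ins for your own word list and organization data.

```python
"""Check a PIX Firewall enable or Telnet password against the restrictions listed
above, and generate one that passes (added example, not Cisco code)."""
import secrets
import string

MAX_LEN = 16
RESERVED = "*-*-*-*-*-*-*-*-"   # string the firewall refuses inside a password
# Printable ASCII without whitespace and without '?', the characters the firewall rejects.
ALLOWED = "".join(c for c in string.printable if not c.isspace() and c != "?")
# Constructed stand-in for a real dictionary of common words (assumption).
WORDLIST = {"password", "cisco", "firewall", "admin", "secret", "letmein"}


def check_password(pw, org_words=(), birthdates=()):
    """Return the reasons a password is unacceptable; an empty list means it passes."""
    problems = []
    if not pw:
        problems.append("empty password")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if "?" in pw or " " in pw:
        problems.append("contains '?' or a space")
    if RESERVED in pw:
        problems.append(f"contains the reserved string {RESERVED}")
    if any(c not in ALLOWED for c in pw):
        problems.append("contains a non-printable or non-ASCII character")
    # The firewall compares passwords case-sensitively; an attacker guessing a word does
    # not care about case, so the dictionary comparison is done case-insensitively.
    guessable = WORDLIST | {w.lower() for w in org_words}
    if pw.lower() in guessable:
        problems.append("is a dictionary or organisation word")
    if any(d and d in pw for d in birthdates):
        problems.append("contains a date of birth")
    return problems


def generate_password(length=MAX_LEN):
    """Random password from the allowed alphabet, with upper, lower and digit present."""
    while True:
        pw = "".join(secrets.choice(ALLOWED) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and not check_password(pw)):
            return pw
```

Because the firewall distinguishes case, the generator requires at least one upper-case letter, one lower-case letter and one digit so that a random value never collapses to a single character class. Record the generated value in whatever store your security policy prescribes before applying it; once deployed it cannot be read back from Firewall MC.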

Setting a Password

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Password.

The Password page appears.

Step 2   Enter the new enable password.

The enable password sets the enable password on the firewall device so that you can enter privileged mode when administering CLI commands. See Important Notes and Restrictions for Passwords.


Note    Use the same enable password that you entered during bootstrapping. See "Preparing Your Firewall Devices."

Step 3   Reenter the new enable password in the Confirm New Password field.


Note    If you are deploying to a device, you must enter the enable password in the contact information for that device. See Configuring Firewall Device Contact Info.

Step 4   Enter the new Telnet password to set the Telnet password on the firewall device so you can connect to a device using Telnet.

Step 5   Reenter the new Telnet password in the Confirm New Password field.

Step 6   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Password Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device at the current scope inherits the settings of the enclosing group. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected at a group level, the settings are inherited by the enclosed subgroups and devices and become mandatory: a subgroup or device cannot change them. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable password

Sets the enable password on the firewall device, which allows you to enter privileged mode when administering from the CLI. A case-sensitive password of up to 16 alphanumeric and special characters. Any character can be used except a question mark, space or *-*-*-*-*-*-*-*- string. Fields are:

  • New Password—Enter new password.
  • Confirm New Password—Reenter new password.

Note Use the same enable password that you entered during bootstrapping.

Telnet password

Sets the Telnet password on the firewall device, which allows you to connect using Telnet. A case-sensitive password of up to 16 alphanumeric and special characters. Any character can be used except a question mark, space or *-*-*-*-*-*-*-*- string. Fields are:

  • New Password—Enter new password.
  • Confirm New Password—Reenter new password.

Configuring Firewall Device Contact Info

The Firewall Device Contact Info feature defines the credentials (current username, password, and IP address) that Firewall MC and AUS use to authenticate to a firewall device. You can use the enable password with an empty username, or a AAA username with its associated password, depending on the target firewall device setting. You can also enter a future username, password, and IP address, which take effect after the configuration files and activity reports are deployed to the devices. To access the Firewall Device Contact Info feature, select Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info.

Use the Firewall Device Contact Info feature if you are deploying configuration files to an AUS or directly to devices.

  • AUS—The AUS supports a feature that allows you to initiate an immediate auto update request on the AUS. The credentials defined in the Firewall MC GUI are passed to the AUS. This enables the AUS to authenticate with the device during the immediate auto update. See the AUS online help for more information.
  • Firewall MC direct deployment to devices—The credentials defined in the Firewall MC GUI are used to authenticate Firewall MC to the firewall devices.

Applying Firewall Device Contact Info

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info.

The Firewall Device Contact Info page appears.

Step 2   Enter the username that the firewall device uses to authenticate with AAA in the Current Username field.

Step 3   Enter the IP address (optional) that Firewall MC uses to contact a firewall device using HTTPS.

Step 4   Enter the current password. Use one of the following:

  • AAA server password if AAA authentication is used on the target firewall device.
  • Local enable password if no AAA server is used.

Step 5   Reenter the current password in the Confirm Current Password field.

Step 6   Enter the future username that the firewall device will use to authenticate with AAA. If no AAA server is used, leave the field blank.


Note    Future fields are used if the elements will be changed on the target firewall device after the configuration file is deployed.

Step 7   Enter the future IP address that Firewall MC should use to contact a firewall device using HTTPS.

Step 8   Enter the future password.

Step 9   Reenter the future password in the Confirm Future Password field.

Step 10   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Firewall Device Contact Info Field-Level Elements and Descriptions

Note
  • If you are using the immediate auto update feature, you do not have to complete the GUI elements labeled "future."
  • If you are deploying directly to devices, you must complete the GUI elements labeled "future."




Configuring HTTPS (SSL)

The HTTPS (SSL) feature allows you to configure rules that permit only specific hosts or networks to connect to the firewall device using HTTPS. To access this feature, select Configuration > Device Settings > Firewall Device Administration > HTTPS (SSL).

A secure connection is needed so that a PC or workstation client running a network browser, Firewall MC, or both can communicate with the firewall device. The rules restrict HTTPS access through a firewall device interface to a specific IP address and netmask. Any HTTPS connection attempt that complies with the rules must be authenticated through a configured AAA server or the enable password. Once established, Secure Sockets Layer (SSL) protocol is used to encrypt the data.

Adding or Editing an HTTPS (SSL) Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > HTTPS (SSL).

The HTTPS (SSL) page appears.

Step 2   Do one of the following:

  • To add a new row to the table, click Add.

The Enter HTTPS Client page appears.

  • To edit a row, select the check box for the row, then click Edit.

The Enter HTTPS Client page appears.

Step 3   Enter the name of the firewall device interface that permits SSL connections. If you are using a wizard, a list displays all interfaces defined at the current scope.

Step 4   Enter the IP address that specifies the host or network authorized to initiate an HTTPS connection to a firewall device.

Step 5   Enter the IP mask.

Step 6   Click Next.

The HTTPS (SSL) summary page appears.

Step 7   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.





HTTPS (SSL) Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface name

Name of interface that permits SSL connections.

Note If you are using a wizard, a list displays all interfaces defined at the current scope.

IP address

Specifies host or network authorized to initiate an HTTPS connection to firewall device.

Mask

Network mask for IP address of each host or network permitted to connect to firewall device through specified interface. You can express the value in dotted decimal format (e.g. 255.255.255.0) or by entering the number of bits in the network mask (e.g. 24).

Note If you do not specify a network mask, the default is 255.255.255.255 regardless of the class of IP address.

Deleting an HTTPS (SSL) Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > HTTPS (SSL).

The HTTPS (SSL) page appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.





Configuring Telnet

The Telnet feature allows you to configure rules that permit specific hosts or networks to connect to the firewall device through Telnet. The rules restrict administrative Telnet access through a firewall device interface to a specific IP address and netmask. Connection attempts that comply with the rules must be authenticated by a configured AAA server or the Telnet password. Telnet carries the password and the entire session in cleartext, so limit each rule to a single administrative host and prefer Secure Shell where the device supports it. To access this feature, select Configuration > Device Settings > Firewall Device Administration > Telnet.

If you will be using a AAA authentication server to authenticate users, you do not need to complete this page.

Applying a Telnet Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Telnet.

The Telnet page appears.

Step 2   Enter the timeout value. Values are 1 to 60 minutes.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





You are now ready to add or edit a Telnet rule.

Adding or Editing a Telnet Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Telnet.

The Telnet page appears.

Step 2   Do one of the following:

  • To add a new row to the table, click Add.

The Enter Telnet Client page appears.

  • To edit a row, select the check box for the row, then click Edit.

The Enter Telnet Client page appears.

Step 3   Select the interface that should receive Telnet packets from the client. The list displays all interfaces defined at the current scope.

Step 4   Enter the IP address of the host or network that can access the firewall device Telnet console.

Step 5   Enter the IP address netmask.

Step 6   Click Next.

The Telnet summary page appears.

Step 7   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.





Telnet Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Timeout (minutes)

Number of minutes Telnet session can remain idle before firewall device closes it. Values are 1-60 minutes. Default is 5.

Interface name

Interface that receives Telnet packets from the client.

Note If you are using a wizard, a list displays all interfaces defined at the current scope.

IP address

IP address of host or network that can access PIX Firewall Telnet console.

Mask

Netmask for IP address of each host or network permitted to connect to firewall device through specified interface. Default is 255.255.255.255 regardless of class.

Note To limit access to a single IP address, use 255.255.255.255. Do not use the subnetwork mask of the internal network.

Deleting a Telnet Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Telnet.

The Telnet page appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.





Configuring Secure Shell

The Secure Shell feature allows you to configure rules that permit only specific hosts or networks to connect to the firewall device for administrative access using the Secure Shell (SSH) protocol. The rules restrict SSH access through a firewall device interface to a specific IP address and netmask. SSH connection attempts that comply with the rules must be authenticated by a preconfigured AAA server or, when no AAA server is used, by the Telnet password with the username pix. To access this feature, select Configuration > Device Settings > Firewall Device Administration > Secure Shell.


Note   SSH is not required to use Firewall MC.

Applying SSH

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Secure Shell.

The Secure Shell page appears.

Step 2   Verify the timeout value, which displays the number of minutes the secure shell session can remain idle before the firewall device closes it. Values are 1 to 60 minutes. Default is 5.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





You are now ready to add or edit an SSH rule.

Adding or Editing SSH

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Secure Shell.

The Secure Shell page appears.

Step 2   Do one of the following:

  • To add a new row, click Add.

The Enter SSH Client page appears.

  • To edit a row, select the check box, then click Edit.

The Enter SSH Client page appears.

Step 3   Select the interface name of the firewall device that permits SSH connections. The list displays all interfaces defined at the current scope.

Step 4   Enter the IP address of the host or network authorized to initiate an SSH connection.

Step 5   Enter the netmask.

Step 6   Click Next.

The SSH summary page appears.

Step 7   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.





SSH Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Timeout (minutes)

Number of minutes Secure Shell session can remain idle before firewall device closes it. Values are 1-60 minutes. Default is 5.

Interface name

Name of firewall device interface that permits SSH connections.

Note If you are using a wizard, a list displays all interfaces defined at the current scope.

IP address

IP address and netmask of the host or network authorized to initiate an SSH connection to the firewall device.

Mask

Netmask for IP address of each host or network permitted to connect to firewall device through specified interface.

Note If you do not specify a netmask, the default is 255.255.255.255 regardless of the class.
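
The HTTPS (SSL), Telnet, and Secure Shell rule tables above all reduce to the same PIX 6.x command shape, a keyword (http, telnet, or ssh) followed by the address, mask, and interface name, plus a timeout command for Telnet and SSH. The following Python script is an added example, not Firewall MC code: it reproduces that translation for a constructed set of rows so the generated lines can be reviewed before deployment, applies the mask handling the tables describe (dotted decimal or prefix length, 255.255.255.255 when the field is left empty), and flags Telnet rules that admit more than a single host, which the Telnet table advises against. The rule rows, the timeout values, and the lint thresholds are assumptions of the example.

```python
"""Admin-access rule generation for PIX 6.x (added example, not Firewall MC code).

Each row of the HTTPS (SSL), Telnet and Secure Shell rule tables becomes one
PIX command: <keyword> <ip> <mask> <interface>.  The Mask field may be dotted
decimal or a prefix length and defaults to 255.255.255.255 when empty.
"""
import ipaddress

# Constructed rule rows in the shape of the Firewall MC tables:
# (service, interface name, IP address, mask); mask may be dotted decimal,
# a prefix length, or None for "not specified".
RULES = [
    ("https",  "inside",  "10.1.1.0",   "255.255.255.0"),
    ("telnet", "inside",  "10.1.1.50",  None),   # empty mask -> single host
    ("ssh",    "outside", "192.0.2.10", "32"),
    ("telnet", "inside",  "10.0.0.0",   "8"),    # whole internal network
]

# Idle timeouts in minutes; the page allows 1-60 and defaults to 5.
TIMEOUTS = {"telnet": 5, "ssh": 5}

# Keyword PIX 6.x uses for each rule table (HTTPS rules become `http`).
SERVICE_KEYWORD = {"https": "http", "telnet": "telnet", "ssh": "ssh"}


def normalize(ip, mask):
    """Return (network address, dotted mask, prefix length) for one row.

    ipaddress accepts both '/24' and '/255.255.255.0'; a missing mask is
    treated as /32, matching the default documented on the page.
    """
    suffix = "32" if mask in (None, "") else str(mask).strip()
    net = ipaddress.ip_network(f"{ip}/{suffix}", strict=False)
    return str(net.network_address), str(net.netmask), net.prefixlen


def admin_access_commands(rules, timeouts):
    """Emit the PIX 6.x command lines corresponding to the GUI settings."""
    lines = []
    for service, minutes in sorted(timeouts.items()):
        if not 1 <= minutes <= 60:
            raise ValueError(f"{service} timeout {minutes} is outside 1-60 minutes")
        lines.append(f"{service} timeout {minutes}")
    for service, iface, ip, mask in rules:
        addr, dotted, _ = normalize(ip, mask)
        lines.append(f"{SERVICE_KEYWORD[service]} {addr} {dotted} {iface}")
    return lines


def lint(rules):
    """Warn about rules broader than the page recommends (example heuristic)."""
    warnings = []
    for service, iface, ip, mask in rules:
        addr, dotted, prefix = normalize(ip, mask)
        if prefix == 0:
            warnings.append(f"{service} on {iface}: mask {dotted} admits any source")
        elif service == "telnet" and prefix < 32:
            hosts = 2 ** (32 - prefix)
            warnings.append(
                f"telnet on {iface}: {addr} {dotted} admits {hosts} hosts over "
                "cleartext; use 255.255.255.255 to limit access to one host")
    return warnings


if __name__ == "__main__":
    for line in admin_access_commands(RULES, TIMEOUTS):
        print(line)
    for warning in lint(RULES):
        print("WARNING:", warning)
```

Run it as-is to see the four generated rules and the single warning for the 10.0.0.0/8 Telnet row; swap in your own rows to preview a real deployment.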

Deleting SSH

Step 1   Select Configuration > Device Settings > Firewall Device Administration > Secure Shell.

The Secure Shell page appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.





Configuring SNMP

The SNMP feature allows you to configure the firewall device for monitoring by Simple Network Management Protocol (SNMP) management stations. SNMP defines a standard way for network management stations or workstations to monitor the health and status of many types of devices, including switches, routers, and the firewall device. To access this feature, select Configuration > Device Settings > Firewall Device Administration > SNMP.

Configuring MIBs

The firewall device supports these MIBs that management stations can browse:

  • MIB II—System and Interface groups only.
  • Cisco Firewall MIB—cfwSystem group only.
  • Cisco Memory Pool MIB.
  • Cisco syslog MIB—Browsing of the Cisco syslog MIB is not supported.

All SNMP variables supported in the firewall device are read-only (RO).

Note   For Cisco MIB files and object identifiers (OIDs), see: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Configuring OIDs

The SNMP MIB variable mib-2.system.sysObjectID returns one of the following platform-specific OIDs, which a management station such as CiscoView uses to identify the firewall device platform:

  • 501—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall501 (same as .1.3.6.1.4.1.9.1.417).
  • 506—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall506 (same as .1.3.6.1.4.1.9.1.389).
  • 506E—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall506E (same as .1.3.6.1.4.1.9.1.450).
  • 515—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall515 (same as .1.3.6.1.4.1.9.1.390).
  • 515E—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall515E (same as .1.3.6.1.4.1.9.1.451).
  • 520—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall520 (same as .1.3.6.1.4.1.9.1.391).
  • 525—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall525 (same as .1.3.6.1.4.1.9.1.392).
  • 535—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall535 (same as .1.3.6.1.4.1.9.1.393).

For other firewall device platforms:

  • .iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall (same as .1.3.6.1.4.1.9.1.227).
Configuring Traps

The firewall device supports many SNMP traps. SNMP trap settings can also be configured from Firewall MC. The logging feature allows you to enable or disable the sending of messages to an SNMP management station and to set the SNMP message level. Firewall MC supports a maximum of 32 management stations.

Applying Settings to an SNMP Management Station

Step 1   Select Configuration > Device Settings > Firewall Device Administration > SNMP.

The SNMP page appears.

Step 2   Verify the community string, which the SNMP management station uses when sending requests to a firewall device. The default is "public"; change it before deployment. The community string travels in cleartext and, together with the management station list, is the only check applied to an incoming SNMP request, so a default or guessable value gives little protection for the MIB data listed above.

Step 3   Enter the name of the system administrator for the firewall device.

Step 4   Enter the firewall device location.

Step 5   Select the Send syslog as SNMP traps check box.

Step 6   Select the logging level from the list. See Logging level list in the Field-Level Elements and Descriptions table.

Step 7   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





You are now ready to add or edit an SNMP rule.

Adding or Editing an SNMP Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > SNMP.

The SNMP page appears.

Step 2   Do one of the following:

  • To add a new row, click Add.

The Enter SNMP Client page appears.

  • To edit a row, select the check box for the row, then click Edit.

The Enter SNMP Client page appears.

Step 3   Select the interface name from the list. The list displays all interfaces defined at the current scope.

Step 4   Enter the IP address.

Step 5   Determine whether to set polling or trap information, then select the respective check box.

  • Poll check box—When selected, allows the firewall device to respond to periodic requests from the management station for syslog events or other information.
  • Trap check box—When selected, sends syslog events when they occur.

Step 6   Click Next.

The SNMP summary page appears.

Step 7   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    Settings enabled during the configuration process are displayed as true in the wizard summary page.





SNMP Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Password (community string)

Password used by SNMP management station when sending requests to firewall device. SNMP community string is a shared secret among SNMP management stations and network nodes being managed. Firewall devices use the password to determine if an incoming SNMP request is valid.

Password is case-sensitive and can be up to 32 characters. Spaces are not permitted. Default is "public."

System administrator name

Name of firewall device system administrator. Text is case-sensitive and can be up to 127 characters. Spaces accepted, but multiple spaces are shortened to a single space.

Firewall device location

Specify firewall device location. Text is case-sensitive and can be up to 127 characters. Spaces accepted, but multiple spaces shortened to a single space.

Send syslog as SNMP traps check box

When selected, sends syslog as SNMP traps. See logging level type.

Logging level list

List of logging messages to be sent to SNMP management station.

Note The logging levels generated by the firewall device are an ordered list of recorded events; each subsequent logging level option includes all events generated by the previous logging level.

  • Emergency (level 0)—System unusable. Generates messages that identify system instabilities.
  • Alerts (level 1)—Immediate action needed. Generates messages that identify system integrity issues that require immediate administrative action.
  • Critical (level 2)—Critical condition. Generates messages that identify critical system issues.
  • Errors (level 3)—Error condition. Generates messages that identify system errors during operation.
  • Warnings (level 4)—Warning condition. Generates messages that identify system warnings, for example, device might be configured incorrectly.
  • Notifications (level 5)—Normal but significant condition. Generates messages that identify normal operations that are typically considered significant events.

  • Informational (level 6)—Informational message only. Generates messages that identify system information that is typical of day-to-day activity, such as network session records.

Note This setting directly affects the level of reports you can generate about network activity for this firewall device. We recommend that you select Informational (level 6) to ensure that all report data is available.

  • Debugging (level 7)—Appears during debugging only. Generates messages that assist you in debugging. Also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions.
  • Disabled—No logging.

Interface name

Logical name of the interface through which packets leave the firewall device to reach the SNMP management station, for example, inside or outside.

Note The list displays all interfaces defined at the current scope.

IP address

Displays IP address of SNMP management station to which firewall device will send trap events and receive requests or polls.

Poll/Trap check boxes

  • Poll check box—When selected, allows firewall device to respond to periodic requests from management station for syslog events or other information. Appears as true on the summary page when enabled.
  • Trap check box—When selected, sends syslog events when they occur. Appears as true on the summary page when enabled.
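
The SNMP page fields above map to a handful of PIX 6.x commands (snmp-server community, contact, location, and host, plus logging history and snmp-server enable traps when syslog is sent as traps). The following Python script is an added example, not Firewall MC code: it renders a constructed set of page values as those commands and applies the checks a reviewer would want first, namely the 32-character, no-space limit on the community string, rejection of well-known default strings such as "public", the 32-station limit, and the whitespace squeezing the contact and location fields describe. The field values, the list of weak community strings, and the exact command forms are assumptions of the example.

```python
"""SNMP settings for PIX 6.x: command generation plus pre-deployment checks
(added example, not Firewall MC code)."""
import re

# Syslog severity names as shown in the Logging level list, with their numbers.
LOGGING_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                  "warnings": 4, "notifications": 5, "informational": 6,
                  "debugging": 7}
# Community strings that scanners try first (example list, not from the page).
WEAK_COMMUNITIES = {"public", "private", "cisco", "secret", "snmp"}
MAX_STATIONS = 32   # maximum management stations stated on the page


def check_community(value):
    """Apply the page's rules (up to 32 characters, no spaces) and reject
    well-known defaults; the string is cleartext and the only SNMP credential."""
    if not 1 <= len(value) <= 32 or " " in value:
        raise ValueError("community string must be 1-32 characters with no spaces")
    if value.lower() in WEAK_COMMUNITIES:
        raise ValueError(f"community string {value!r} is a well-known default")
    return value


def squeeze(text):
    """Collapse runs of spaces (as the page says the device does) and cap at 127."""
    return re.sub(r" {2,}", " ", text.strip())[:127]


def snmp_commands(community, contact, location, stations, syslog_traps=None):
    """Render the SNMP page as PIX commands.

    stations: list of (interface, ip, poll, trap) rows from the SNMP table.
    syslog_traps: logging level name when "Send syslog as SNMP traps" is
    selected, otherwise None.
    """
    if len(stations) > MAX_STATIONS:
        raise ValueError(f"at most {MAX_STATIONS} management stations are supported")
    lines = [f"snmp-server community {check_community(community)}",
             f"snmp-server contact {squeeze(contact)}",
             f"snmp-server location {squeeze(location)}"]
    for iface, ip, poll, trap in stations:
        if not (poll or trap):
            continue   # neither box selected: nothing to permit for this station
        # PIX treats a host with no keyword as both poll and trap.
        suffix = "" if poll and trap else (" poll" if poll else " trap")
        lines.append(f"snmp-server host {iface} {ip}{suffix}")
    if syslog_traps is not None:
        lines.append(f"logging history {LOGGING_LEVELS[syslog_traps]}")
        lines.append("snmp-server enable traps")
    return lines


if __name__ == "__main__":
    # Constructed page values.
    demo = snmp_commands("Gr33n-Tr4il", "noc  team", "rack 7",
                         [("inside", "10.1.1.20", True, True),
                          ("inside", "10.1.1.21", False, True)],
                         syslog_traps="informational")
    print("\n".join(demo))
```

check_community raises rather than warns on purpose: a default community string is the kind of setting that should stop a deployment, not be noted in a log nobody reads.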

Deleting SNMP Client Information

Step 1   Select Configuration > Device Settings > Firewall Device Administration > SNMP.

The SNMP page appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.





Configuring ICMP Interface Rules

ICMP enables a network device to ping an IP address to discover the presence, identity, and function of other devices and to test intermediate communications links and network availability. The ICMP feature can enable or disable the ping response or echo of an interface on the firewall device. To access this feature, select Configuration > Device Settings > Firewall Device Administration > ICMP Interface Rules.

The rules table configures an access list that permits or denies ICMP traffic terminating at the firewall device. A permit or deny action is specified for each interface added to the rules table. If no interfaces are added to the rules table, the default action for each interface is to permit ICMP traffic.

When an interface receives an ICMP packet, the firewall device searches the access list. If the first matched entry is a permit entry, the packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the firewall device discards the packet and generates the %PIX-3-313001 syslog message. An exception is when an ICMP access-list command statement is not configured; then, permit is assumed.


Note   We recommend that you grant permission for ICMP unreachable messages (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1191 and RFC 1435 for details about Path MTU discovery.
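
The first-match behavior described above is easy to get wrong when a table has several rows per interface, so it is worth checking before the configuration is generated. The following Python script is an added example, not Firewall MC code: it renders a constructed ICMP rule table as icmp permit and icmp deny commands, evaluates a packet against the table the way the paragraph above describes (an interface with no entries permits everything; an interface with entries applies first match and discards anything unmatched), and reports interfaces whose list can never permit type 3 unreachables. The rule rows are constructed, and evaluating the list per interface is this example's reading of the text, not a statement from the page.

```python
"""ICMP interface rules for PIX 6.x: command generation and first-match
evaluation (added example, not Firewall MC code)."""
import ipaddress

# Constructed rule rows as entered on the Create ICMP Rule page, in table
# order: (interface, action, source IP, source mask, ICMP type or "all").
# The mask may be dotted decimal or a prefix length, as the page allows.
ICMP_RULES = [
    ("outside", "permit", "192.0.2.0", "255.255.255.0", 8),     # echo request
    ("outside", "permit", "0.0.0.0",   "0.0.0.0",       3),     # unreachable
    ("outside", "deny",   "0.0.0.0",   "0.0.0.0",       "all"),
    ("inside",  "deny",   "10.1.1.0",  "24",            8),
    ("inside",  "permit", "0.0.0.0",   "0",             "all"),
    ("dmz",     "permit", "10.3.3.0",  "255.255.255.0", 8),     # never permits type 3
]


def network(ip, mask):
    """Build a network from either mask notation used on the page."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def icmp_commands(rules):
    """Emit `icmp {permit|deny} <ip> <mask> [<type>] <interface>` lines.
    Omitting the type on the PIX command line means all ICMP types."""
    lines = []
    for iface, action, ip, mask, icmp_type in rules:
        net = network(ip, mask)
        type_part = "" if icmp_type == "all" else f" {icmp_type}"
        lines.append(f"icmp {action} {net.network_address} {net.netmask}{type_part} {iface}")
    return lines


def evaluate(rules, iface, src, icmp_type):
    """Return 'permit' or 'deny' for an ICMP packet terminating on iface."""
    per_if = [r for r in rules if r[0] == iface]
    if not per_if:
        return "permit"      # no control list on this interface: permit assumed
    addr = ipaddress.ip_address(src)
    for _, action, ip, mask, rtype in per_if:
        if addr in network(ip, mask) and rtype in ("all", icmp_type):
            return action    # first matching entry decides
    return "deny"            # no match: packet discarded, %PIX-3-313001 logged


def pmtud_check(rules):
    """Interfaces whose list has no permit entry that can match type 3."""
    flagged = []
    for iface in sorted({r[0] for r in rules}):
        entries = [r for r in rules if r[0] == iface]
        if not any(r[1] == "permit" and r[4] in (3, "all") for r in entries):
            flagged.append(iface)
    return flagged


if __name__ == "__main__":
    print("\n".join(icmp_commands(ICMP_RULES)))
    print("outside echo from 203.0.113.9:", evaluate(ICMP_RULES, "outside", "203.0.113.9", 8))
    print("interfaces that block Path MTU discovery:", pmtud_check(ICMP_RULES))
```

In the constructed table the outside interface answers pings only from 192.0.2.0/24 but accepts unreachables from anywhere, which is the pattern the note above recommends; the dmz list is the counter-example the check is there to catch.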

Inserting or Editing an ICMP Interface Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > ICMP Interface Rules.

The ICMP Interface Rules page appears.

Step 2   Do one of the following:

  • To add a row, click Insert. The Create ICMP Rule page appears.
  • To edit a row, select the check box for the row, then click Edit. The Create ICMP Rule page appears.

Step 3   Select the ICMP message type from the list. See ICMP message type in the Field-Level Elements and Descriptions table.

Step 4   Select the name of the interface at which the ICMP packet arrives using the list box.

Step 5   Enter the source IP of each host or network added to the ICMP rule table (access list) for the interface.

Step 6   Enter the source IP mask.

Step 7   Determine the action for the rule (permit or deny), then click the respective radio button.

  • Permit—Permits the ability to ping a firewall device interface.
  • Deny—Denies the ability to ping a firewall device interface.

Step 8   Click Next.

The ICMP summary page appears.

Step 9   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated.





ICMP Interface Rules Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface name

Name of interface at which the ICMP packet arrives.

Note If you are using a wizard, a list displays all interfaces defined at the current scope.

Action

Options are:

  • Permit—Permits ability to ping a firewall device interface.
  • Deny—Denies ability to ping a firewall device interface.

Source IP address

IP address of each host or network added to ICMP rule table (access list) for interface.

Source IP mask

Network mask for source IP address. You can express the value in dotted decimal format (e.g. 255.255.255.0) or by entering the number of bits in the network mask (e.g. 24).

ICMP message type

Type of ICMP packet to which permit or deny action is applied. Options are:

  • Echo reply (0).
  • Unreachable (3).
  • Source quench (4).
  • Redirect (5).
  • Alternate address (6).
  • Echo request (8).
  • Router advertisement (9).
  • Router solicitation (10).
  • Time exceeded (11).
  • Parameter problem (12).
  • Timestamp reply (13).
  • Timestamp request (14).
  • Information request (15).
  • Information reply (16).
  • Mask request (17).
  • Mask reply (18).
  • Conversion error (31).
  • Mobile redirect (32).
  • All types.

Note We recommend that you permit unreachable message type 3.

Deleting an ICMP Rule

Step 1   Select Configuration > Device Settings > Firewall Device Administration > ICMP Interface Rules.

The ICMP Interface Rules page appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.





Configuring AAA Admin Authentication

The AAA Admin Authentication feature allows you to enable AAA access to a firewall device. When AAA authentication is enabled, all administrative requests are authenticated against and authorized by the AAA server. Local Enable and Telnet passwords are ignored when AAA authentication is enabled. To access this feature, select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.

If you are not using a AAA authentication server to authenticate users, you must complete the Passwords page to define enable and Telnet passwords. See Configuring Passwords.


Note   If you are using a AAA server for authentication, you must define a AAA server group before you enable this feature. To access the AAA server group, select Configuration > Building Blocks > AAA Server Group.

Applying AAA Admin Authentication
Before You Begin
  • Define a AAA server group. See Defining AAA Server Groups.
  • Configure the LOCAL database or the AAA server that you want to use for authentication. You must define a user profile with the commands that the user is permitted to execute, and you should test the authentication method before deploying a configuration that uses AAA authentication for device access. Failure to do so can result in a lockout condition.

Step 1   Select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.

The AAA Admin Authentication page appears.

Step 2   For each type of access, select the server group to use for AAA authentication. Disable, LOCAL, and any previously defined server groups are listed as options. To define a server group, see Defining AAA Server Groups.

Firewall MC generates the aaa authentication [serial | enable | telnet | ssh | http] console <server_tag> command for each type of access specified. For information on the services that can be authenticated, see AAA Admin Authentication Field-Level Elements and Descriptions.


Caution   Before you enable AAA authentication for access to a firewall device, make sure that you have configured the LOCAL database or the AAA server that you want to use for authentication. You must define a user profile with the commands that the user is permitted to execute, and should test the authentication method before deploying a configuration that uses AAA authentication for device access. Failure to do so can result in a lockout condition.

If you have locked yourself out of the firewall device and the aaa authentication http console <server_tag> command is not defined on the device, you can gain access to the PIX Firewall using PIX Device Manager with no username and the PIX Firewall enable password. If the aaa commands are defined but the HTTP authentication requests timeout, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using PIX Device Manager with the username pix and the enable password. By default, the enable password is not set.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
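
The lockout caution above is the part of this procedure that deserves a check before Apply. The following Python script is an added example, not Firewall MC code: it generates the aaa authentication ... console <server_tag> line for each access type selected on the page, refuses any tag that is not LOCAL or a defined server group, and reports the combinations that leave no way back in when the AAA server is unreachable. The server groups, the selections, and the warning rules are assumptions of the example; the warnings are a reviewer's heuristics, not behavior the page attributes to Firewall MC.

```python
"""AAA admin authentication: command generation with pre-deployment lockout
checks (added example, not Firewall MC code)."""

# Access types in the order the page lists them in the generated command.
ACCESS_TYPES = ("serial", "enable", "telnet", "ssh", "http")

# Constructed AAA server groups, as defined under
# Configuration > Building Blocks > AAA Server Group (name -> server IPs).
SERVER_GROUPS = {"tacacs-admins": ["10.1.1.10"], "radius-main": ["10.1.1.11"]}

# Constructed selection from the AAA Admin Authentication page; each value is
# "Disabled", "LOCAL", or the name of a defined server group.
SELECTION = {
    "serial": "tacacs-admins",
    "enable": "tacacs-admins",
    "telnet": "Disabled",
    "ssh":    "tacacs-admins",
    "http":   "tacacs-admins",
}


def aaa_commands(selection, groups):
    """Return one `aaa authentication <type> console <tag>` line per enabled type."""
    lines = []
    for access in ACCESS_TYPES:
        tag = selection.get(access, "Disabled")
        if tag == "Disabled":
            continue
        if tag != "LOCAL" and tag not in groups:
            raise ValueError(f"{access}: server group {tag!r} is not defined")
        lines.append(f"aaa authentication {access} console {tag}")
    return lines


def lockout_risks(selection, groups, enable_password_set):
    """Heuristic warnings (this example's own) for settings that can lock the
    administrator out when the AAA server does not answer."""
    warnings = []
    remote = {a for a, t in selection.items() if t not in ("Disabled", "LOCAL")}
    if "serial" in remote:
        warnings.append("serial console authenticates against a remote AAA "
                        "server; physical console recovery depends on that server")
    if "http" in remote and not enable_password_set:
        warnings.append("http console uses AAA but no enable password is set; "
                        "the PDM fallback (username pix plus enable password) "
                        "would rely on an empty password")
    for tag in sorted({t for t in selection.values()} - {"Disabled", "LOCAL"}):
        if len(groups.get(tag, [])) < 2:
            warnings.append(f"group {tag!r} has a single server; add a second "
                            "server or keep one access type on LOCAL")
    return warnings


if __name__ == "__main__":
    print("\n".join(aaa_commands(SELECTION, SERVER_GROUPS)))
    for w in lockout_risks(SELECTION, SERVER_GROUPS, enable_password_set=False):
        print("WARNING:", w)
```

The constructed selection trips all three warnings: every interactive path, including the serial console, depends on one TACACS+ server and the enable password has never been set. Leaving the serial console on LOCAL, or adding a second server to the group, clears the conditions that matter most.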





AAA Admin Authentication Field-Level Elements and Descriptions
Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Privilege mode

Allows AAA authentication of privilege mode using a specified AAA Server Group. Options are:

  • Disabled—Default.
  • Local—Enable and Telnet passwords are used to authenticate instead of a AAA server.
  • All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

HTTP console

Allows AAA authentication of HTTP console using a specified AAA Server Group. HTTP console is used to remotely connect to the device using HTTP (port 80) or HTTPS (port 443). This is the delivery mechanism used by Firewall MC and PIX Device Manager. Options are:

  • Disabled—Default.
  • Local—Enable and Telnet passwords are used to authenticate instead of a AAA server.
  • All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

Serial connection

Allows AAA authentication of serial connections to the firewall device using a specified AAA Server Group. Options are:

  • Disabled—Default.
  • Local—Enable and Telnet passwords are used to authenticate instead of an AAA server.
  • All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

SSH connection

Allows AAA authentication of SSH connections (port 22) to the device using a specified AAA Server Group. Options are:

  • Disabled—Default.
  • Local—Enable and Telnet passwords are used to authenticate instead of an AAA server.
  • All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

Telnet connection

Allows AAA authentication of Telnet connections (port 23) to the device using a specified AAA Server Group. Options are:

  • Disabled—Default.
  • Local—Enable and Telnet passwords are used to authenticate instead of an AAA server.
  • All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

Configuring Authentication Prompts

The Authentication Prompts feature allows you to change the AAA challenge text for HTTP, FTP, and Telnet access. This text is displayed above the username and password prompts that users see when logging in. To access this feature, select Configuration > Device Settings > Servers and Services > Authentication Prompts.


Note
  • Microsoft Internet Explorer displays up to a 37-character authentication prompt.
  • Netscape Navigator displays up to a 120-character authentication prompt.
  • Telnet and FTP display up to a 235-character authentication prompt.




Enabling Authentication Prompts


Step 1   Select Configuration > Device Settings > Servers and Services > Authentication Prompts.

The Authentication Prompt page appears.

Step 2   Select the Enable prompt check box, then enter the AAA challenge prompt string in the corresponding text box. The text can be up to 235 characters.


Note    If you deselect the check box, the text string is saved but not used by the firewall device. This is true of all check boxes on this page.

Step 3   Select the Enable user-accepted message check box, then enter the prompt string in the corresponding text box to have user authentication via Telnet accepted.

Step 4   Select the Enable user-rejected message check box, then enter the prompt string in the corresponding text box to have user authentication via Telnet rejected.

Step 5   Click Apply.

Changes are applied to the firewall device configuration files when generated.





Authentication Prompts Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable prompt check box and corresponding text field

When selected, displays AAA challenge prompt string. When enabled, set to true when you view the summary page. Corresponding string field is protected by check box:

  • If check box selected, corresponding field is used to enter text string. String can be up to 235 characters.
  • If check box deselected, text string is saved but not used by firewall device.

Enable user-accepted message check box and corresponding text field

When selected, displays prompt string if user authentication via Telnet is accepted. When enabled, set to true when you view the summary page. Corresponding string field is protected by check box:

  • If check box selected, corresponding field is used to enter text string.
  • If check box deselected, text string is saved but not used by firewall device.

Enable user-rejected message check box and corresponding text field

When selected, displays prompt string if user authentication via Telnet is rejected. When enabled, set to true when you view the summary page. Corresponding string field is protected by check box:

  • If check box selected, corresponding field is used to enter text string.
  • If check box deselected, text string is saved but not used by firewall device.

Advanced Settings

Advanced settings are optional features that provide advanced processing or security features. This section includes the following topics:

Configuring IDS Policy

The IDS Policy feature allows you to define Cisco Intrusion Detection System (IDS) policies. IDS policies instruct the firewall device to audit IP traffic going through the firewall. The firewall device looks for defined attack and informational signatures. For each IDS policy, you can instruct the firewall device to send an alarm (syslog), drop the offending packet, reset the offending connection, or a combination of the three. You can also enable your IDS policies selectively on one or more firewall device interfaces. To access this feature, select Configuration > Device Settings > Advanced Security > IDS Policy.

The firewall device audits IP traffic by checking the IP packets as they arrive at an interface. If a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures. The firewall device supports both inbound and outbound auditing.

Applying an IDS Policy


Step 1   Select Configuration > Device Settings > Advanced Security > IDS Policy.

The IDS Policy page appears.

Step 2   Determine whether you want an alarm, drop, or reset for each of the policies listed, then select the respective check box or check boxes.

  • Alarm—Generates an IDS message indicating a network exploit in progress or a potential security problem. When selected, the message is sent as an alarm (syslog).
  • Drop—Drops the offending packet.
  • Reset—Resets the TCP session in which the attack signature was detected. (Available for TCP-based attacks only.)

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





IDS Policy Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Default info actions check boxes

  • Alarm check box—When selected, generates an IDS message indicating a network exploit in progress or a potential security problem and sends it as an alarm (syslog).
  • Drop check box—When selected, drops offending packet.
  • Reset check box—(Available for TCP-based attacks only). When selected, sensor resets TCP session in which the attack signature was detected.

Note If you are editing default info actions, an info action row is displayed for each interface defined at the current scope.

Default attack actions check boxes

  • Alarm check box—When selected, generates an IDS message indicating a network exploit in progress or a potential security problem and sends it as an alarm (syslog).
  • Drop check box—When selected, drops offending packet.
  • Reset check box—(Available for TCP-based attacks only). When selected, sensor resets TCP session in which the attack signature was detected.

Note If you are editing default attack actions, an attack action row is displayed for each interface defined at the current scope.

Interface <name> info actions check boxes

Each interface has an info action and an attack action expressed in the table. Interface names might vary, depending on names entered in Configuration > Device Settings > Interface.

See Default info actions for options and their descriptions.

Interface <name> attack actions check boxes

Each interface has an info action and an attack action expressed in the table. Interface names might vary, depending on names used in Configuration > Device Settings > Interface.

See Default attack actions for options and their descriptions.

Configuring IDS Signatures

The IDS Signatures feature allows you to select which sensor signatures the firewall device IDS will search for. Sensors use a signature-based intrusion detection technology to detect misuse of network resources. Sensors scan network packets for known attack signatures and take user-defined actions when they detect an attack. When a signature is enabled, the firewall device audits the appropriate traffic and logs a message or takes other action if that signature is found. To access this feature, select Configuration > Device Settings > Advanced Security > IDS Signatures.

Signature-based detection, on a basic level, can be compared with virus-checking programs. Cisco Systems produces a list of signatures that the sensor compares to activity on the network. When a match is found, the sensor takes an action, such as logging the event or sending an alarm.

Important Notes About IDS Signatures

  • Enabling or disabling IDS signatures is meaningful only if you enabled one or more IDS policies from the IDS Policy feature.
  • The firewall device audits by checking the IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures. PIX Firewall supports both inbound and outbound auditing.
  • For a list of supported IDS signatures, see the Cisco IDS Signatures home page on Cisco.com at: http://www.cisco.com/pcgi-bin/front.x/csec/idsHome.pl.

Note    You must be a registered Cisco.com user to access the Cisco IDS Signatures home page.
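The audit behaviour described above (per-interface info and attack actions, disabled signatures skipped, a packet that is not dropped continuing to match further signatures, reset available for TCP only) is modelled in the following Python example. It is added to this guide and is not PIX or Firewall MC code; the signature IDs, names and match rules are constructed for illustration and are not Cisco signature numbers.

```python
"""Model of the PIX IDS audit pass as the IDS Policy and IDS Signatures pages describe it.

Added example, not PIX or Firewall MC code. Signature IDs (9xxx), names and match
rules below are constructed for illustration; interface names are sample values."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    kind: str                          # "info" or "attack": the two action classes on the page
    matches: Callable[[dict], bool]    # predicate over a decoded packet


@dataclass
class IdsPolicy:
    # interface -> {"info": {actions}, "attack": {actions}}; interfaces without an entry are not audited
    actions: Dict[str, Dict[str, Set[str]]]
    disabled: Set[int] = field(default_factory=set)   # signatures moved to the Disabled column


# Constructed signatures (not Cisco signature numbers).
SIGNATURES: List[Signature] = [
    Signature(9001, "ICMP echo request", "info",
              lambda p: p["proto"] == "icmp" and p.get("icmp_type") == 8),
    Signature(9002, "Large ICMP packet", "info",
              lambda p: p["proto"] == "icmp" and p["length"] > 1024),
    Signature(9101, "TCP SYN and FIN set", "attack",
              lambda p: p["proto"] == "tcp" and {"SYN", "FIN"} <= p.get("flags", set())),
    Signature(9102, "Source address equals destination", "attack",
              lambda p: p["src"] == p["dst"]),
]

# Sample policy: audit the outside interface; alarm on info signatures, alarm+drop+reset on attacks.
POLICY = IdsPolicy(actions={"outside": {"info": {"alarm"}, "attack": {"alarm", "drop", "reset"}}})


def audit(packet: dict, iface: str, signatures: List[Signature],
          policy: IdsPolicy) -> Tuple[str, List[Tuple[int, str]]]:
    """Audit one packet arriving on `iface`.

    Returns (verdict, events): verdict is "forward" or "drop"; events lists
    (signature id, action) pairs in the order the actions were taken."""
    events: List[Tuple[int, str]] = []
    per_class = policy.actions.get(iface)
    if per_class is None:
        return "forward", events                  # no IDS policy applied on this interface
    for sig in signatures:
        if sig.sig_id in policy.disabled or not sig.matches(packet):
            continue
        acts = per_class.get(sig.kind, set())
        if "alarm" in acts:
            events.append((sig.sig_id, "alarm"))
        if "reset" in acts and packet["proto"] == "tcp":   # reset exists for TCP sessions only
            events.append((sig.sig_id, "reset"))
        if "drop" in acts:
            events.append((sig.sig_id, "drop"))
            return "drop", events                 # a dropped packet triggers no further signatures
    return "forward", events                      # not dropped: every matching signature fired
```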

Applying IDS Signatures


Step 1   Select Configuration > Device Settings > Advanced Security > IDS Signatures.

The IDS Signatures page appears.

Step 2   From the Enabled column, select IDS signatures to disable, then click Disable => to move the selected IDS signatures to the Disabled column.


Note    For definitions of signature types, see Cisco PIX Firewall System Log Messages, Version 6.2 on Cisco.com at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_book09186a008014638a.html.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





IDS Signature Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enabled column (1)

Lists enabled signatures.

Disabled column

Lists disabled signatures.

Disable => button

Moves signature to the Disabled column.

<= Enable button

Moves signature to the Enabled column.

(1) For definitions of the various types of signatures, see Cisco PIX Firewall Version 6.1 System Log Messages on Cisco.com at http://www.cisco.com/pcgi-bin/front.x/csec/idsHome.pl.

Configuring Anti-Spoofing

The Anti-Spoofing feature allows you to specify which interfaces to protect from an IP spoofing attack using network filtering. To access this feature, select Configuration > Device Settings > Advanced Security > Anti-Spoofing.

This feature provides Unicast RPF (Reverse Path Forwarding) functionality for the firewall device. It is disabled by default. Because of the danger of IP spoofing in the IP protocol, measures must be taken to reduce this risk. Unicast RPF, or reverse route lookups, prevents manipulation under certain circumstances. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. It does not screen outbound packets. For more information on anti-spoofing, see RFC2267.


Caution   Before using this feature, add static routes for every network that can be accessed on the interfaces. Enable this feature only if routing is fully specified. Otherwise, the firewall device will stop traffic on the interface you specify.
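The reverse route lookup, and the reason behind the Caution, can be seen in the following Python model. It is added to this guide and is not PIX or Firewall MC code; the route table, interface names and addresses are constructed.

```python
"""Unicast RPF as the Anti-Spoofing page describes it: an inbound packet passes only if the
reverse route lookup for its source address leads back out the interface it arrived on.

Added example, not PIX or Firewall MC code. Routes, interfaces and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def reverse_path_interface(routes: Iterable[Route], src: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match for `src`: the interface a reply to `src` would leave through,
    or None when no route covers the address."""
    best = None
    for route in routes:
        if src in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best.interface if best else None


def urpf_verdict(routes: Iterable[Route], arrival_if: str, src: str, rpf_interfaces: Set[str]) -> str:
    """"pass" or "drop" for a packet with source `src` arriving on `arrival_if`.
    Unicast RPF is an input check only and applies just where it is enabled."""
    if arrival_if not in rpf_interfaces:
        return "pass"
    expected = reverse_path_interface(routes, ipaddress.IPv4Address(src))
    return "pass" if expected == arrival_if else "drop"


# Constructed static routes: the directly attached inside LAN, a DMZ, and a default route out.
ROUTES = [
    Route(ipaddress.IPv4Network("10.1.1.0/24"), "inside"),
    Route(ipaddress.IPv4Network("192.168.50.0/24"), "dmz"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "outside"),
]


def demo() -> dict:
    """Cases from the page: a spoofed inside address arriving on outside is dropped, and
    (the Caution) traffic from an inside network that has no static route is also dropped
    once RPF is enabled on inside, because its reverse path is the default route via outside."""
    enabled = {"inside", "outside"}
    results = {
        "spoofed_inside_src_on_outside": urpf_verdict(ROUTES, "outside", "10.1.1.5", enabled),
        "internet_src_on_outside": urpf_verdict(ROUTES, "outside", "198.51.100.7", enabled),
        "unrouted_branch_on_inside": urpf_verdict(ROUTES, "inside", "10.2.5.7", enabled),
    }
    # Adding the missing static route for the branch network (10.2.0.0/16, constructed) fixes it.
    fixed = ROUTES + [Route(ipaddress.IPv4Network("10.2.0.0/16"), "inside")]
    results["branch_after_static_route"] = urpf_verdict(fixed, "inside", "10.2.5.7", enabled)
    return results
```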

Applying Anti-Spoofing


Step 1   Select Configuration > Device Settings > Advanced Security > Anti-Spoofing.

The Anti-Spoofing page appears.

Step 2   Do one of the following:

  • To enable anti-spoofing for the inside interface, select the appropriate check box. Anti-spoofing is enabled on the outside interface by default.
  • To disable anti-spoofing on the outside interface, deselect the check box.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Anti-Spoofing Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable anti-spoofing inside and outside check boxes

When selected, enables anti-spoofing on that interface for your device. The number and labels of rows depend on interfaces defined at the current scope. When enabled, set to true when you view the summary page. Default setting is enabled on outside interface.

Note To disable anti-spoofing, deselect the check box. When disabled, set to false when you view the configuration file.

Configuring Fragments

The Fragments feature allows you to configure the IP fragment database for each firewall device interface. It provides additional packet-fragmentation management and improves compatibility with a Network File System (NFS) to allow remote file access across a network. To access this feature, select Configuration > Device Settings > Advanced Security > Fragment.

Adding or Editing a Fragment


Step 1   Select Configuration > Device Settings > Advanced Security > Fragment.

The Fragment page appears.

Step 2   Do one of the following:

  • To add a row, click Add.

The Create Fragment page appears.

  • To edit a row, select the check box for the row, then click Edit.

The Create Fragment page appears.

Step 3   Select the interface name. The list displays all interfaces defined at the current scope.

Step 4   Verify the maximum number of packets allowed in the fragment database. Default is 200.

Step 5   Verify the maximum number of elements allowed in the fragment set. Default is 24.

Step 6   Verify the timeout value, which is the maximum number of seconds to assemble a fragment set. Default is 5.

Step 7   Click Next.

The fragment summary page appears.

Step 8   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Fragment Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface name

Logical name of the interface to which the fragment settings apply.

Note If you are using a wizard, a list displays all interfaces defined at the current scope.

Size

Maximum number of packets in fragment database. Default is 200.

Chain length

Maximum number of elements allowed in fragment set. Default is 24.

Timeout

Maximum number of seconds allowed to assemble a fragment set. Default is 5.
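The three limits (Size, Chain length, Timeout) and how they interact can be followed in the following Python model of a fragment database. It is added to this guide and is not PIX or Firewall MC code; fragment records are constructed dicts, offsets are plain byte offsets, and the handling of an over-long set (the whole set is discarded) is a choice of this model, which the page does not specify.

```python
"""Fragment database model with the limits shown on the Fragment page: size (fragments held
per interface database), chain length (fragments per set) and timeout (seconds to assemble).

Added example, not PIX or Firewall MC code. Fragments are constructed dicts with byte offsets;
reassembly is simple concatenation of a contiguous, gap-free run starting at offset 0."""


class FragmentDatabase:
    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.sets = {}    # (src, dst, ident, proto) -> {"first_seen": t, "frags": {offset: (payload, more)}}
        self.held = 0     # fragments currently buffered across all sets

    def expire(self, now):
        """Discard sets still incomplete `timeout` seconds after their first fragment."""
        stale = [key for key, s in self.sets.items() if now - s["first_seen"] >= self.timeout]
        for key in stale:
            self._discard(key)
        return len(stale)

    def _discard(self, key):
        self.held -= len(self.sets.pop(key)["frags"])

    @staticmethod
    def _reassemble(frags):
        """Return the datagram once offsets run contiguously from 0 and the highest fragment
        has more=False; return None while a gap (or an overlap) remains."""
        expected, data = 0, bytearray()
        for offset in sorted(frags):
            payload, _more = frags[offset]
            if offset != expected:
                return None
            data += payload
            expected += len(payload)
        return None if frags[max(frags)][1] else bytes(data)

    def add(self, frag, now):
        """Offer one fragment at time `now`.
        Returns ("hold", None), ("drop", reason) or ("reassembled", payload)."""
        self.expire(now)
        key = (frag["src"], frag["dst"], frag["ident"], frag["proto"])
        fset = self.sets.get(key)
        is_new = fset is None or frag["offset"] not in fset["frags"]
        if is_new and self.held >= self.size:
            return "drop", "fragment database full"          # Size limit
        if fset is None:
            fset = self.sets[key] = {"first_seen": now, "frags": {}}
        if is_new and len(fset["frags"]) >= self.chain:       # Chain length limit
            self._discard(key)                                # model choice: throw the set away
            return "drop", "chain length exceeded"
        fset["frags"][frag["offset"]] = (frag["payload"], frag["more"])
        if is_new:
            self.held += 1
        data = self._reassemble(fset["frags"])
        if data is None:
            return "hold", None
        self._discard(key)
        return "reassembled", data


def frag(offset, payload, more, ident=1):
    """Constructed fragment record for a sample UDP flow 10.1.1.5 -> 192.0.2.9."""
    return {"src": "10.1.1.5", "dst": "192.0.2.9", "ident": ident, "proto": 17,
            "offset": offset, "more": more, "payload": payload}
```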

Deleting a Fragment


Step 1   Select Configuration > Device Settings > Advanced Security > Fragment.

The Fragment table appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.





Configuring TCP Options

The TCP Options feature allows you to set various parameters for TCP connections. To access this feature, select Configuration > Device Settings > Advanced Security > TCP Options.

Applying TCP Options


Step 1   Select Configuration > Device Settings > Advanced Security > TCP Options.

The TCP Options page appears.

Step 2   Select the Force maximum segment size check box to enforce a maximum segment size for all TCP sessions through a firewall device, then enter the size in bytes in the corresponding text box. This setting is used primarily to ensure that a TCP session does not fragment.

Step 3   Select the Force TCP connection to linger in TIME_WAIT state at least 15 seconds check box to force a firewall device to retain its TCP connection information/state for at least 15 seconds after a normal TCP close-down sequence is seen. This helps to ensure that both sides of a TCP session receive close-down packets.

Step 4   Select the Reset inbound check box to send TCP resets (instead of dropping the packets) for all TCP sessions that:

  • Arrive at the outside interface.
  • Try to transit to a firewall device.
  • Are denied by a firewall device based on access rules.

If you deselect the check box, the firewall device discards packets of all such sessions.

Step 5   Select the Reset outbound check box to send TCP resets for all TCP sessions that:

  • Arrive at the outside interface.
  • End at the outside interface.
  • Are denied by a firewall device based on access rules.

If you deselect the check box, the firewall device discards packets of all such sessions.

Step 6   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





TCP Options Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Force maximum segment size check box (bytes)

When selected, enforces maximum segment size (MSS) for all TCP sessions through firewall device. Used primarily to ensure that TCP session does not fragment. If MSS exceeds maximum, firewall device rewrites MSS within TCP packet to maximum specified.

Force TCP connection to linger in TIME_WAIT state at least 15 seconds check box

When selected, forces firewall device to retain its TCP connection information/state for at least 15 seconds after normal TCP close-down sequence is seen. Helps to ensure that both sides of TCP session receive close-down packets.

Reset inbound check box

When selected, sends TCP resets for all TCP sessions that:

  • Arrive at outside interface.
  • Attempt to transit firewall device.
  • Are denied by firewall device based on access rules.

When deselected, firewall device discards packets of all such sessions.

Reset outbound check box

When selected, sends TCP resets for all TCP sessions that:

  • Arrive at outside interface.
  • End at outside interface.
  • Are denied by firewall device based on access rules.

When deselected, firewall device discards packets of all such sessions.
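The MSS rewrite described under Force maximum segment size (if the advertised MSS exceeds the maximum, the value in the TCP packet is rewritten to the maximum) is shown in the following Python example. It is added to this guide and is not PIX or Firewall MC code; the SYN packet, addresses and ports are constructed, and the TCP checksum is recomputed after the rewrite.

```python
"""MSS clamping as the TCP Options page describes it: an MSS option larger than the
configured maximum is rewritten to that maximum, and the TCP checksum is recomputed.

Added example, not PIX or Firewall MC code. The IPv4/TCP SYN is constructed inline."""
import ipaddress
import struct


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data` (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(ip_hdr: bytes, tcp_seg: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) and segment."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return _ones_complement_sum(pseudo + tcp_seg)


def _split(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:]


def _mss_value_offset(tcp: bytes):
    """Index of the 2-byte MSS value inside the TCP header, or None if there is no MSS option."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i + 1 < doff:
        kind = tcp[i]
        if kind == 0:                     # end of option list
            return None
        if kind == 1:                     # NOP carries no length byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > doff:   # malformed or truncated option: stop parsing
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the packet is TCP and its checksum verifies."""
    ip_hdr, tcp = _split(packet)
    return ip_hdr[9] == 6 and _tcp_checksum(ip_hdr, tcp) == 0


def read_mss(packet: bytes):
    """Advertised MSS of a TCP segment, or None when the option is absent."""
    ip_hdr, tcp = _split(packet)
    if ip_hdr[9] != 6:
        return None
    off = _mss_value_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Return the packet with its MSS lowered to `max_mss` (checksum recomputed) when it
    advertises more; packets at or below the maximum, or without MSS, are returned unchanged."""
    ip_hdr, tcp = _split(packet)
    if ip_hdr[9] != 6:
        return packet
    off = _mss_value_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= max_mss:
        return packet
    seg = bytearray(tcp)
    seg[off:off + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"                               # zero the checksum field first
    seg[16:18] = struct.pack("!H", _tcp_checksum(ip_hdr, bytes(seg)))
    return ip_hdr + bytes(seg)


def build_syn(src="10.1.1.5", dst="198.51.100.7", mss=1460) -> bytes:
    """Constructed IPv4 + TCP SYN carrying MSS, NOP and window-scale options (8 option bytes)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + b"\x03\x03\x07"
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, doff << 4, 0x02, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp
```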

Configuring Timeouts

The Timeout feature allows you to set the maximum idle time for use with the firewall device. All times are displayed in the format hh:mm:ss. To access this feature, select Configuration > Device Settings > Advanced Security > Timeouts.

Applying Timeouts


Step 1   Select Configuration > Device Settings > Advanced Security > Timeouts.

The Timeouts page appears.

Step 2   Verify the timeout values for the protocols listed. (See Timeouts Field-Level Elements and Descriptions.) Timeout values are displayed in the format hh:mm:ss.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Timeouts Field-Level Elements and Descriptions


Note   Timeout values are displayed in the format hh:mm:ss.

Element (1)  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Connection

Changes idle time to wait for a connection slot to be freed. Enter 00:00:00 to disable timeout. Duration must be at least 5 minutes. Default is 1 hour.

Half-closed

Changes idle time to wait for a TCP half-closed connection to close. Enter 00:00:00 to disable timeout. Minimum is 5 minutes. Default is 10 minutes.

H.323

Changes idle time to wait for an H.323 service connection to close. Enter 00:00:00 to disable timeout. Duration must be at least 5 minutes. Default is 5 minutes.

SIP

Changes idle time to wait for a SIP signaling port connection to close. Enter 00:00:00 to disable timeout. Default is 30 minutes.

SIP media

Changes idle time to wait for a SIP media port connection to close. Enter 00:00:00 to disable timeout. Default is 2 minutes.

Authorization absolute

Changes length of time until authentication and authorization cache times out and you must reauthenticate a new connection. Length of time must be shorter than Translation Slot value. System waits to reprompt you until you start a new connection, such as clicking link in browser. Enter 00:00:00 to disable caching.

Note Do not set this value to zero if passive FTP is used on the connections.

Authorization inactivity (0 is inactive)

Changes idle time until authentication and authorization cache times out and you have to reauthenticate a new connection. Duration must be shorter than Translation Slot value.

Translation slot

Changes idle time to wait for a translation slot to be freed. Duration must be at least 1 minute. Default is 3 hours.

UDP

Changes idle time to wait until UDP connection closes. Duration must be at least 1 minute. Default is 2 minutes.

RPC

Changes idle time to wait for an RPC slot to be freed. Enter 00:00:00 to disable timeout. Duration must be at least 1 minute. Default is 10 minutes.

H.225

Idle time after which H.225 signaling closes. Default is 1 hour.

  • Timeout value of 00:00:00 means never tear down H.225 signaling.
  • Timeout value of 00:00:01 disables timer and closes TCP connection immediately after all calls are cleared.

MGCP

Sets length of time for Media Gateway Control Protocol (MGCP) inactivity timer. Default is 5 minutes.

(1) 00:00:00 = hh:mm:ss.
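The minimums, the 00:00:00 disable values and the rule that both authorization timeouts stay shorter than the translation slot, as given in the descriptions above, are applied by the following Python validator. It is added to this guide and is not Firewall MC code; the rule table is transcribed from the descriptions, and the two authorization values in the sample are constructed because the page states no default for them.

```python
"""Validator for a set of Timeouts page values (hh:mm:ss), applying the minimums and the
cross-field rules given in the field descriptions.

Added example, not Firewall MC code. RULES is transcribed from the page; the two
authorization entries in SAMPLE are constructed (the page gives no default for them)."""
import re

_HMS = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})$")


def parse_hms(value: str) -> int:
    """hh:mm:ss -> seconds; raises ValueError for anything else."""
    m = _HMS.match(value.strip())
    if not m:
        raise ValueError(f"{value!r} is not in hh:mm:ss format")
    h, mi, s = (int(g) for g in m.groups())
    if mi > 59 or s > 59:
        raise ValueError(f"{value!r} has minutes or seconds above 59")
    return h * 3600 + mi * 60 + s


# name -> (minimum seconds when non-zero, whether 00:00:00 is a documented disable value)
RULES = {
    "Connection": (300, True),
    "Half-closed": (300, True),
    "H.323": (300, True),
    "SIP": (0, True),
    "SIP media": (0, True),
    "Authorization absolute": (0, True),
    "Authorization inactivity": (0, True),
    "Translation slot": (60, False),
    "UDP": (60, False),
    "RPC": (60, True),
    "H.225": (0, True),            # 00:00:00 never tears down; 00:00:01 closes once calls clear
    "MGCP": (0, False),
}

# Page defaults where given; the two authorization values are constructed sample values.
SAMPLE = {
    "Connection": "01:00:00", "Half-closed": "00:10:00", "H.323": "00:05:00",
    "SIP": "00:30:00", "SIP media": "00:02:00",
    "Authorization absolute": "00:05:00",      # constructed
    "Authorization inactivity": "00:00:00",    # constructed; 0 = inactive
    "Translation slot": "03:00:00", "UDP": "00:02:00", "RPC": "00:10:00",
    "H.225": "01:00:00", "MGCP": "00:05:00",
}


def validate_timeouts(values: dict) -> list:
    """Return a list of problems; an empty list means the set is consistent with the page."""
    issues, seconds = [], {}
    for name, raw in values.items():
        if name not in RULES:
            issues.append(f"{name}: not a timeout on this page")
            continue
        try:
            seconds[name] = parse_hms(raw)
        except ValueError as exc:
            issues.append(f"{name}: {exc}")
            continue
        minimum, zero_disables = RULES[name]
        if seconds[name] == 0 and not zero_disables:
            issues.append(f"{name}: 00:00:00 is not a documented value")
        elif 0 < seconds[name] < minimum:
            issues.append(f"{name}: must be at least {minimum // 60} minute(s)")
    # Both authorization timers, when active, must be shorter than the translation slot.
    xlate = seconds.get("Translation slot")
    if xlate:
        for name in ("Authorization absolute", "Authorization inactivity"):
            if seconds.get(name, 0) and seconds[name] >= xlate:
                issues.append(f"{name}: must be shorter than Translation slot")
    return issues
```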


Configuring Basic Fixups

The Fixups feature is an informational list of services, protocols, and port numbers to which a firewall device applies the Adaptive Security Algorithm (ASA). The default ports or those you specify are the ports at which the firewall device listens for each service. To access this feature, select Configuration > Device Settings > Advanced Security > Basic Fixups.

The default configuration of the firewall device includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required. The inspection function does not support NAT or PAT for certain applications because of the constraints imposed by the applications. You can change the port assignments for some applications, but other applications have fixed port assignments that you cannot change.

Applying Basic Fixups


Step 1   Select Configuration > Device Settings > Advanced Security > Basic Fixups.

The Basic Fixups page appears.

Step 2   Select the check boxes for the fixup protocols to enable, then enter the ports or port ranges in the corresponding text field where needed. See Basic Fixups Field-Level Elements and Descriptions.

  • In each Fixup row you select, you can enter a list of ports or port ranges to fix up using comma-separated values or spaces.
  • For each check box you select, you must identify a port value.
  • To disable a fixup protocol, deselect the corresponding check box. Firewall MC generates a no fixup protocol <protocol> command in the generated configuration file.

Note    Other fixups exist, but the Protocol and Fixup Port Range table displays only those that can be changed.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Basic Fixups Field-Level Elements and Descriptions


Note
  • In each Fixup row (unless specified), you can enter a list of ports or port ranges to fix up using comma-separated values or spaces.
  • For each check box you select, you must identify a port value.
  • To disable a fixup protocol, deselect the corresponding check box. Firewall MC then generates a no fixup protocol <protocol> command in the generated configuration file.
  • Other fixups exist, but the Protocol and Fixup Port Range table displays only those that can be changed.




Configuring Multimedia Fixups

The Fixups feature is an informational list of services, protocols, and port numbers to which a firewall device applies the Adaptive Security Algorithm (ASA). The default ports or those you specify are the ports at which the firewall device listens for each service. To access this feature, select Configuration > Device Settings > Advanced Security > Multimedia Fixups.

The default configuration of the firewall device includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required. The inspection function does not support NAT or PAT for certain applications because of the constraints imposed by the applications. You can change the port assignments for some applications, while other applications have fixed port assignments that you cannot change.

Applying Multimedia Fixups


Step 1   Select Configuration > Device Settings > Advanced Security > Multimedia Fixups.

The Multimedia Fixups page appears.

Step 2   Select the check boxes for the fixup protocols to enable, then enter the ports or port ranges in the corresponding text field where needed. See Multimedia Fixups Field-Level Elements and Descriptions.

  • For each fixup row selected, you can enter a list of ports or port ranges to fix up using comma-separated values or spaces.
  • For each check box selected, a port value must be identified.
  • To disable a fixup protocol, deselect the corresponding check box. Firewall MC generates a no fixup protocol <protocol> command in the generated configuration file.

Note    Other fixups exist, but only those that can be changed are displayed in the Protocol and Fixup Port Range table.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.





Multimedia Fixups Field-Level Elements and Descriptions


Note
  • For each Fixup row (unless specified), you can enter a list of ports or port ranges to fix up using comma-separated values or spaces.
  • For each check box you select, you must identify a port value.
  • To disable a fixup protocol, deselect the corresponding check box. Firewall MC then generates a no fixup protocol <protocol> command in the generated configuration file.
  • Other fixups exist, but only those that can be changed are displayed in the Protocol and Fixup Port Range table.




Configuring Flood Guard

The Flood Guard feature lets you reclaim firewall device resources if the user-authentication subsystem runs out of resources. If an inbound or outbound user-authentication connection is being attacked or overused, the firewall device actively reclaims TCP user resources. To access this feature, select Configuration > Device Settings > Advanced Security > Flood Guard.

Enabling Flood Guard


Step 1   Select Configuration > Device Settings > Advanced Security > Flood Guard.

The Flood Guard page appears.

Step 2   Select the Enable Flood Guard check box to enable flood guard.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to firewall devices at deployment.





Flood Guard Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable flood guard check box

When selected, enables flood guard. Value is set to true when you view the summary information.