Using Management Center for Firewalls 1.2
Generating and Verifying Configuration Files

Generating configuration files for your firewall devices and verifying that those files enforce the expected policy is critical to basic security maintenance. It's also important to make sure that firewall devices are running the expected configurations.

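This chapter covers the following topics:

  • Viewing Configurations
  • Viewing a Configuration Difference Report
  • Viewing a Device Settings Report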

Viewing Configurations

After you populate your system with devices, assign devices to groups, and configure your settings, access rules, and translation rules, you can generate a configuration file to view configuration information for each device so that you can verify content accuracy. If you have approval authority, you can generate a configuration file for each device associated with an activity before you approve the activity. The generated file includes a summary of caveats at the beginning of the file and inline caveats, if any exist. You can click a caveat in the summary to locate the caveat in the configuration file. To access this feature, select Configuration > View Config.


Note   You can view configurations only at the device level.


Tip   You can also view configurations during the deployment process. For more information, see "Deploying Configuration Files."


Step 1   Select Configuration > View Config.

The View Config page appears.

Step 2   From the Object Selector, select the firewall device for which you want to generate a configuration file.

Step 3   Select Generate Config.

Step 4   Wait a few minutes for the data to be compiled.

TimeSaver   To view the configuration file for another device, select that device in the Object Selector on the View Config page. You do not need to click Generate Config again. The data is compiled each time you select a new device.

Viewing a Configuration Difference Report

Firewall MC provides a report that identifies whether a device's running configuration matches the latest configuration deployed to that device. It also identifies whether a device is using a configuration that can be replaced by a more recent, approved configuration. To access this feature, select Reports > Configuration Differences.

Firewall MC can compare two different configurations:

  • Last deployed with last approved configuration—Both configurations are stored in Firewall MC. Both are generated for comparison.

Firewall MC can check a device within a device group and compare the last deployed configuration with the last approved configuration. If the last approved configuration is newer than the last deployed configuration, or if the information differs, the device is identified as a stale device (a device that uses a configuration that can be replaced by a more recent, approved configuration).

  • Last deployed and current running configuration—The last deployed configuration is generated and compared with the actual configuration obtained from a live device.

Firewall MC runs a device task that fetches the crypto checksum from the device and compares the checksum to the configuration stored in Firewall MC. If the information differs, the device is identified as a stale device.


Step 1   Select Reports > Configuration Differences.

The Configuration Differences page appears.

Step 2   Select a device or device group in the Select Device or Group tree.

Step 3   Select one of the following:

  • The approved configuration does not match the deployed configuration—Displays devices whose last approved configuration does not match the last deployed configuration.
  • The deployed configuration does not match the running configuration—Displays devices whose last deployed configuration does not match the running configuration.

Step 4   Click View.

Figure 14-1 shows the Devices with Configuration Differences popup window with the results, which are similar for both comparison options shown in Step 3.


Figure 14-1   Devices with Configuration Differences Popup Window


Figure 14-1 Reference   Name         Description
1                       Devices      Displays a single device or all devices contained within a group.
2                       Operations   Displays a link to view a configuration difference report, or an error message if a device failed to respond.

Step 5   From the popup window, click View Configuration Differences under the Operations column to display the report.


Note    For configurations that have never been deployed to the device, a message is shown in the table, but it does not have a link to view configuration differences.

Figure 14-2 shows the comparison report that results, which is similar for both comparison options shown in Step 3.


Figure 14-2   Configuration Differences Report


The time under configuration type indicates when the last deployed configuration was deployed and when the running configuration was pulled from the device for comparison.

Step 6   Close the window after you have viewed its contents.
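
The two comparisons and the stale-device rule described in this section can be reproduced outside the tool when auditing exported configurations. The following Python is an added example, not Firewall MC code: the `Config` class, the function names, and the sample ACL lines are constructed for illustration, and SHA-256 is an assumed stand-in for the crypto checksum fetched from the device.

```python
import difflib
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass
class Config:
    text: str            # full configuration text
    timestamp: datetime  # when it was approved, deployed, or pulled

def checksum(text: str) -> str:
    # Assumption: SHA-256 stands in for the device's crypto checksum.
    # Trailing whitespace is dropped so cosmetic changes do not flag a device.
    lines = [line.rstrip() for line in text.strip().splitlines()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def approved_vs_deployed(approved: Config, deployed: Optional[Config]) -> str:
    # Stale if the approved configuration is newer or its content differs.
    if deployed is None:
        return "never deployed"  # listed without a difference-report link
    if (approved.timestamp > deployed.timestamp
            or checksum(approved.text) != checksum(deployed.text)):
        return "stale"
    return "in sync"

def deployed_vs_running(deployed: Optional[Config], running_sum: Optional[str]) -> str:
    # running_sum is the checksum fetched from the live device (None = no reply).
    if deployed is None:
        return "never deployed"
    if running_sum is None:
        return "error: device failed to respond"
    return "in sync" if checksum(deployed.text) == running_sum else "stale"

def difference_report(old: Config, new: Config, old_name: str, new_name: str) -> List[str]:
    # Unified diff labelled with each configuration's type and time.
    return list(difflib.unified_diff(
        old.text.splitlines(), new.text.splitlines(),
        fromfile=f"{old_name} ({old.timestamp:%Y-%m-%d %H:%M})",
        tofile=f"{new_name} ({new.timestamp:%Y-%m-%d %H:%M})", lineterm=""))

# Constructed sample data: the running configuration gained a permissive rule.
DEPLOYED = Config("access-list 101 permit tcp any host 192.0.2.10 eq 443\n"
                  "access-list 101 deny ip any any\n", datetime(2024, 1, 10, 9, 0))
APPROVED = Config(DEPLOYED.text, datetime(2024, 1, 12, 14, 30))
RUNNING = Config("access-list 101 permit tcp any host 192.0.2.10 eq 443\n"
                 "access-list 101 permit ip any any\n"
                 "access-list 101 deny ip any any\n", datetime(2024, 1, 15, 8, 0))

if __name__ == "__main__":
    print(approved_vs_deployed(APPROVED, DEPLOYED))
    print(deployed_vs_running(DEPLOYED, checksum(RUNNING.text)))
    print("\n".join(difference_report(DEPLOYED, RUNNING, "last deployed", "running")))
```

A "stale" result from the deployed-versus-running check means the device was changed outside the approved workflow, so the diff lines prefixed with `+` or `-` are the ones to review first.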

Viewing a Device Settings Report

Firewall MC allows you to view a report that identifies device settings for a device or device group. This report also identifies whether a particular setting is inherited, mandatory, or overridden. To access this feature, select Reports > Settings.


Step 1   Select Reports > Settings.

The Settings page appears.

Step 2   Select a device or device group from the Select Device and Group tree.

Step 3   Select one of the following:

  • Show inheritance only—displays only the states of settings (inherited, mandatory, or overridden). See Figure 14-3.
  • Show inheritance and values—displays states of settings and their values. See Figure 14-4.

Step 4   Click View.

A popup window displays report information for the device or device group you selected. If the setting is in the override state, the default option was modified by an end user.


Note   The report information omits ACLs, NAT rules, and Building Blocks.

Figure 14-3   Inheritance Only Settings Report



Figure 14-4   Inheritance and Values Settings Report