-
Using Management Center for Firewalls 1.2
-
Preface
-
Getting Started With Firewall MC
-
Task Flow Checklists
-
Preparing the Firewall MC Environment
-
Managing Activities
-
Preparing Your Network
-
Creating an Inheritance and Grouping Strategy
-
Representing Network Assets in Firewall MC
-
Configuring Device-Level Settings
-
Configuring Routing Rules
-
Defining Your Policy Building Blocks
-
Configuring Access Rules
-
Configuring Translation Rules
-
Manually Defining Rules Using CLI Syntax
-
Generating and Verifying Configuration Files
-
Deploying Configuration Files
-
Monitoring and Reports
-
Configuring VPN Settings
-
Configuring Failover
-
Maintaining your Firewall MC Server
-
Troubleshooting
-
Understanding User Roles and Permissions
-
Index
-
Table of Contents
Representing Network Assets in Firewall MCCreating Firewall Devices
Representing PIX Firewalls that Use Conduit and Outbound Commands
Converting Outbound Lists
Important Notes Regarding Specific Service
Using the Conduit and Outbound List Conversion Tool
Creating the Firewall Using Import from File
Importing Configuration Files
Importing Multiple Firewall Configurations from a CSV File
Discovering Settings from a Firewall
How Unsupported Commands Are Handled
Understanding Import Messages
Moving a Device
Deleting a Device
Managing Devices Field-Level Elements and Descriptions
Enabling Cache
Inserting or Editing a URL Filter Server
URL Filter Server Field-Level Elements and Descriptions
Configuring DHCP Relay Servers
Editing DHCP Relay Agents
Configuring TFTP Servers
Representing Auto Update Servers
Representing Network Assets in Firewall MC
In Firewall MC, you can represent two types of devices:
Firewall devices represent the devices for which you are defining network policies; the supporting servers define network objects referenced in rule definitions or network devices about which the firewall devices must know to conduction normal network operations, such as user authentication and obtaining address leases.
Different techniques for defining representations of firewall devices and the supporting devices are described, which include:
Creating Firewall Devices
To represent a firewall device to be managed by Firewall MC, use the import feature to either manually define the contact and configuration settings for a device, import the current settings directly from the device, or import settings for one or more devices from a *.csv file. To access this feature select Devices > Importing Devices.
The Importing Devices feature allows you to add new devices and configuration files to the system. Wizards guide you with your selections.
Table 7-1 shows import types supported by Firewall MC.
Important Notes About Importing Devices
:! PIX Version 6.n(n) (a comment immediately followed by an exclamation mark)
When the file is deployed by Firewall MC, the file always uses the first format listed, which the firewall device can safely ignore as a comment.
- Firewall MC imports and generates only configuration files with ACLs. Conduits and outbound lists are not supported. Therefore, you must use the conversion tool on configurations with conduits and outbound lists before importing them into Firewall MC. See Representing PIX Firewalls that Use Conduit and Outbound Commands.
- If Firewall MC imports a configuration file that contains an unknown command, the default setting of the Firewall MC results in an error. To receive a warning instead, change the setting by selecting Configuration > MC Settings > Management. If the warning setting is used, commands are placed as an ending command. To view ending commands, select Configuration > Device Settings > Config Additions > Ending Commands.
- When you create a device, Firewall MC does not prohibit you from adding a device with the same name into a group. If you are deploying to a file, the deployed filename is Hostname.cfg. If you have two devices with the same name (in different groups, for example) being deployed to a file in the same directory, one overrides the other.
- Use alphanumeric characters to define the hostname. You can also use the following characters: ' ( ) + - . , / : = ?
- Before you can successfully add a created device to Firewall MC, you must bootstrap the device. See "Bootstrapping PIX Firewalls."
- Devices can be listed only once in the configuration hierarchy.
- When you define a device group name, the name must be different from that of the enclosing group.
- Device groups contained within a single enclosing group must have different names.
- To retain changes made to a firewall device configuration by a means other than Firewall MC, you can delete the device, then reimport it; however, doing so results in the need to redefine device name, group, and hierarchy information.
For example, you created the device My Device, whose scope is Global > Group1 > SubGroupA > My Device. You defined the following building blocks at the device scope:
Network Object Inside Nets = (10.0.0.0/8, 11.0.0.0/8, 12.0.0.0/8)
Network Object Outside Nets = (20.0.0.0/8, 21.0.0.0/8, 22.0.0.0/8)
Service Group My Services = (tcp, udp)
You defined an access rule at the device scope using the building blocks just defined:
Source = Inside Nets, Destination = Outside Nets, Interface = inside, Service = My Services, permit
This rule will expand to become 18 rules in the actual configuration file that will deploy to My Device. If you deploy these changes, then delete and reimport the device, the names and values for the building blocks are lost, but the rules remain (see line items).
Settings are also affected when you reimport the device. For example, for My Device, setting A was set at the Global scope, setting B was set at Group 1 (Global > Group 1), and setting C was set at SubGroup A (Global > Group 1 > SubGroup A). If you delete then reimport My Device, settings A, B, and C will come from the device scope (Global > Group 1> SubGroup A > My Device). Settings previously resulting from the configuration hierarchy are lost.
Representing PIX Firewalls that Use Conduit and Outbound Commands
Firewall MC uses access rules to define network security policies. It uses the concept of access-control lists (ACLs) to describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both.
Other tools that define security policies are conduits and outbound lists. Currently Firewall MC does not support conduits and outbound lists. As a result, you must convert configurations that use conduits and outbound lists to ACLs.
If you try to import a configuration file and receive an error message, you must convert the file to a standard output accepted by Firewall MC. A conversion tool is provided with Firewall MC for this purpose. The conversion tool is installed automatically during normal installation. Using the CLI, the conversion tool reads the configuration file named on the command line and writes the converted configuration to the standard output accepted by Firewall MC.
The conversion tool does not try to resolve conflicts between ACL entries generated from conduits and those generated from outbound commands. It simply places the outbound-generated entries first in the output file. If an entry covers all traffic, the conversion tool omits the entry. At the end of every ACL, the conversion tool places an entry to deny all traffic. This complies with the security policy to deny everything unless it is specifically permitted.
 |
Note The latest version of the conversion tool can be downloaded from cisco.com at: http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-pix . |
Converting Conduits
A conduit is an exception to the PIX Firewall Adaptive Security mechanism. It permits connections from one network interface to access hosts on another.
|
Note Conduit commands apply to all but the inside interface. |
The conversion tool checks for overlaps between the global address of the conduit and each of the following:
If no overlaps apply, the conversion tool does not create an ACL entry for the conduit on that particular interface.
Converting Outbound Lists
An outbound list is based on the source IP address, the destination IP address, and the destination port or protocol, as specified by the access rules. Outbound lists control Internet use by specifying:
Firewall MC uses an algorithm to determine which outbound command to apply to a given incoming packet. The conversion tool considers an outbound command with a wider address mask to be a better match, regardless of the service. If the address masks are equal, a more specific service is a better match.
Important Notes Regarding Specific Service
- Specific service types are recognized as a descending list (from the most specific to the least specific):
- If two outbound commands are identical, a permit action is a better match than a deny action.
- If two outbound commands are identical, the order in which they appear in the configuration determines the better match.
- If two outbound commands have the same list ID, the one appearing first is the better match.
- If two outbound commands have different list IDs, the one with the list ID matching the apply command that appears second is the better match.
Using the Conduit and Outbound List Conversion Tool
The following procedure assumes you have attempted to import filename PIX510A but received an error message stating that the import failed. You must convert the file PIX510A using the conversion tool (conv.exe), then rename the file. For the purpose of this procedure, the new filename is PIX510Anew.
Step 1 Open a command prompt window.
Step 2 Enter C:\Program Files\CSCOpx\MDC\bin\pix\
|
Note Program Files\CSCOpx is the default installation directory. If you are using a different directory, enter the directory path accordingly. |
Step 3 Enter the following command, substituting filenames shown with actual filenames, then press Enter.
Step 4 Wait a few seconds for the conversion to be complete. When completed, the converted file is ready for import.
|
Note Although you can convert only one file at a time, you can import multiple configuration files after you have converted all necessary files. |
Creating the Firewall Using Import from File
Firewall MC allows you to import device configurations in two different ways:
- Import whole configuration files for a single device or for multiple devices. See Importing Configuration Files.
- Import device contact information used to connect to a device before importing the configuration. See Importing Multiple Firewall Configurations from a CSV File.
Importing Configuration Files
Firewall MC allows you to import configuration files for a single device or for multiple devices.
Before You Begin
- If you import a firewall device with the same hostname as a device already in Firewall MC, Firewall MC overwrites the existing device with the new device information. Make sure the name of a device being imported is not already used by Firewall MC.
- Make sure information in the configuration file is valid.
- Firewall MC does not support the use of command abbreviations. Always use full-length syntax for a command.
- If the firewall device hostname is not specified in the configuration file you are importing, Firewall MC uses the configuration file name instead. If a hostname is specified, during import, you might see both the filename and the hostname in status messages, but Firewall MC uses the hostname when naming the device. To avoid confusion, make sure that the filename for each configuration matches the hostname specified in the configuration file. For PIX Firewall 6.2 and earlier, the device name can be up to 16 alphanumeric characters. For PIX Firewall 6.3 and later, the device name can be up to 63 alphanumeric characters or any of the following special characters: \Q ( ) + - , . / : =.
- Make sure the OS version is noted in the configuration file being imported.
Step 1 Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2 Click Import.
The Select Target Group page appears.
Step 3 Select the group in which you want the single configuration file to reside.
 |
Tip If you have not defined a group but want to do so, select Devices > Managing Groups. |
Step 4 Click Next.
The Select Entry Type page appears.
Step 5 To import multiple configuration files for multiple devices, go to Step 6.
To import a configuration file for a single device:
The Enter Config File page appears.
|
Note The asterisk represented in the GUI means optional; however, we recommend that you enter contact information if the Firewall MC will deploy directly to the device. |
c. Enter the name of the configuration file to import in the Config filename field. The file is located in the import directory. You can click Browse to navigate to the location.
d. Enter the contact IP address, which is the address Firewall MC uses to contact a firewall device using HTTPS. This is generally a firewall's interface address, but it might be different because of address translation between the Firewall MC server and the firewall.
e. Enter the enable password for the firewall device in the field provided. Go to Step 7.
Step 6 To import multiple configuration files for multiple devices:
The Enter Config File Directory Information page appears.
c. Enter the name of the directory in the field provided. The directory must include at least one configuration file ending in .cfg. To navigate to the directory, click Browse.
Step 7 Click Next.
The wizard summary page appears.
Step 8 Verify the information is correct, then click Finish.
A new window opens displaying a table of devices.
|
Note We recommend that you verify the output before importing the configuration file. |
Importing Multiple Firewall Configurations from a CSV File
This import method allows you to import devices in bulk based on device credentials in a comma-separated values (CSV) file. The default import directory is C:\Program Files\CSCOpx\MDC\PIXMC\import (assuming C:\Program Files\ was the installation directory).
If Resource Manager Essentials (Essentials) is installed on your system, you can export device information from Essentials using a CSV file. Alternatively, you can create a CSV file with device credentials.
The CSV format has one table of data with several columns. A CSV-formatted import file must contain each device's full name or IP address, read-only community string, and passwords. Other information is optional. You can omit empty trailing columns and the separating commas.
The CSV format provides the following device information:
- Value 1 - Device name (include domain unless your site uses DNS) or IP address in dotted decimal notation (required).
- Value 2 - Read-only (RO) community string.
- Value 3 - Read-write (RW) community string.
- Value 4 - Serial number.
- Value 5 - User Field 1.
- Value 6 - User Field 2.
- Value 7 - User Field 3.
- Value 8 - User Field 4.
- Value 9 - Telnet password (required for PIX Firewall and when using Telnet access method).
- Value 10 - Enable password (required).
- Value 11 - Enable secret.
- Value 12 - TACACS+ user (required for TACACS+ authorization).
- Value 13 - TACACS+ password (required for TACACS+ authorization).
- Value 14 - TACACS+ enable user.
- Value 15 - TACACS+ enable password.
- Value 16 - Local user (required for local authorization).
- Value 17 - Local password (required for local authorization).
- Value 18 - RCP user.
- Value 19 - RCP password; comment not used; leave blank.
Consider the following example of a CSV-formatted table (Table 7-2).
Table 7-2 Sample CSV Format Table
|
You can write CSV information as shown in the following example:
|
Note |
- If a column, such as a user field, contains a comma, you must begin and end the column with double quotation marks, for example, "note,1".
Step 1 Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2 Click Import.
The Select Target Group page appears.
Step 3 Select the group in which you want the imported devices to reside.
|
Tip If you have not defined a group but want to do so, select Devices > Managing Groups. |
Step 4 Click Next.
The Select Entry Type page appears.
Step 5 Select Import multiple firewall configurations from a CSV file.
Step 6 Click Next.
The Enter CSV File page appears.
Step 7 Enter the CSV filename in the field provided. You can click Browse to navigate to the filename location. Only one CSV file can be specified at a time.
Step 8 Click Next.
The wizard summary page appears.
Step 9 Verify the information is correct, then click Finish.
A new window opens displaying a table of devices.
Creating Firewalls by Defining the Basics
When you create a device, you identify a hardware device and add it to Firewall MC.
|
Tip After you create a device, you must define a minimum set of device-specific settings before you can generate commands. At a minimum, you must configure the default OS version that Firewall MC uses to generate commands and define the settings for the interfaces installed in the device. To configure these settings, select: |
Step 1 Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2 Click Import.
The Select Target Group page appears.
Step 3 Select the group in which the imported device should reside.
|
Tip If you have not defined a group but want to do so, select Devices > Managing Groups. |
Step 4 Click Next.
The Select Import Type page appears.
Step 5 Select Create Firewall Device.
Step 6 Click Next.
The Define Firewall Device Basic Info page appears.
|
Note The asterisk in the GUI means the field is optional; however, we recommend that you enter contact information if Firewall MC will deploy directly to the devices. |
Step 7 Enter a device name to help you differentiate among devices (for example, PIX-510-A).
Step 8 Enter a username needed only if the firewall device is configured to authenticate to a AAA server. If no AAA server is used, leave the Contact Username field blank.
Step 9 Enter the IP address Firewall MC should use to contact the firewall device using HTTPS.
This address is generally the firewall interface address, but it might be different due to address translation between the Firewall MC server and the firewall.
Step 10 Enter the enable password in the field provided. The enable password is used if Firewall MC should communicate directly with a device. Use one of the following:
Step 11 Click Next.
The wizard summary page appears.
Step 12 Verify the information is correct, then click Finish.
You are returned to the Importing Devices table, with the new device listed in the table Import Task column.
Importing Devices Field-Level Elements and Descriptions
|
| 1 The asterisk means optional; however, we recommend that you enter contact information if Firewall MC will deploy directly to the devices. |
Discovering Settings from a Firewall
This feature allows you to contact the device directly when discovering the settings.
Step 1 Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2 Click Import.
The Select Target Group page appears.
Step 3 Select the group in which you want the imported device to reside.
|
Tip If you have not defined a group but want to do so, select Devices > Managing Groups. |
Step 4 Click Next.
The Select Entry Type page appears.
Step 5 Select Import configuration from device.
Step 6 Click Next.
The Define Firewall Device Contact Info page appears.
Step 7 Enter the Contact IP address, which is the address Firewall MC uses to contact a firewall device using HTTPS. This is generally a firewall's interface address, but it might be different due to address translation between the Firewall MC server and the firewall.
|
Note You should have specified this IP address for the inside interface during bootstrapping. The inside interface is the one for which you automatically enabled HTTP access using the setup command. |
Step 8 Enter the enable password for the firewall device.
Step 9 Click Next.
The wizard summary page appears.
Step 10 Verify the information is correct, then click Finish.
A new window opens displaying a table of devices.
How Unsupported Commands Are Handled
Firewall MC 1.1.2 supports PIX Firewall software versions 6.0(x) through 6.3(x); however, not all commands are fully supported at this release As a result, specific commands or combinations of commands in a device configuration file can prevent you from importing and deploying jobs.
Firewall MC command support is categorized as follows:
- Supported—Firewall MC fully supports this command. It can import and deploy a configuration with this command.
- Unsupported—Firewall MC does not support the command. Based on the value of the Action on Unknown commands setting, (which you can located by selecting Configuration > MC Settings > Management), Firewall MC generates an error or places the command as an ending command. To view ending commands, select Configuration > Device Settings > Config Additions > Ending Commands.
- Error—Commands in this category can interact unpredictably with Firewall MC features that may be configured in a user interface. If a command in this category appears in a configuration during import or during deployment to a device, Firewall MC generates errors, and the import fails.
- Ignored—Commands in this category do not interact with features configured in the Firewall MC user interface. These commands are copied verbatim during import as an ending command.
- Discarded—Commands in this category are discarded upon import.
- Deprecated—Commands in this category are supported in beginning and ending commands, but can result in overlapping commands with unexpected results. These commands have been outdated by newer CLI constructs and might become obsolete in future versions of CLI. We recommend that you not use deprecated commands.
A complete list of commands in each category can be found in Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.2.
Understanding Import Messages
The import status popup window displays information about device imports. The window refreshes automatically every 60 seconds; however, you can click Refresh to update the import status manually. If the import is successful, the message "STATUS_COMPLETED" is displayed in the Status column. If the import is unsuccessful, an error message is displayed.
After the import status is displayed in the Status column, you can select a device in the table, then click View Config. A new window opens with the configuration file displayed.
Close the window after you view the contents, then close the import status popup window. You are returned to the Import Devices table, which shows the imported device information. You can click Refresh to display the updated status.
Managing Devices
The Managing Devices feature allows you to modify or delete existing devices, as well as move them to different groups. You access this feature by selecting Devices > Managing Devices.
Renaming a Device
You can rename a previously defined firewall device that you have represented in Firewall MC. This name is a logical name that does not correspond to the hostname of the firewall device.
Step 1 Select Devices > Managing Devices.
The Managing Devices page appears.
Step 2 Select the device to edit.
Step 3 Click Edit.
The Edit Firewall Device Identity page appears.
Step 4 Enter a name that will help you differentiate among devices in the Firewall Device Name field.
Step 5 Click Next.
The wizard summary page appears.
Step 6 Verify the information is correct, then click Finish.
You are returned to the Managing Devices page with new device information displayed.
Moving a Device
You can move firewall devices from one group to another. This feature is useful for staging incremental rollouts of global policy changes that are defined at the group level or simply for moving the device to a more suitable location within your inheritance model.
Step 1 Select Devices > Managing Devices.
The Managing Devices page appears.
Step 2 Select the device to move, then click Move.
The Select Target Group page appears.
Step 3 Select the target group, then click Next.
The Target Group wizard summary page appears.
Step 4 Verify the information is correct, then click Finish.
You are returned to the Managing Devices page, with new device group information displayed.
Deleting a Device
You can delete a firewall device from Firewall MC. This feature is useful if you have changed the configuration files substantially outside of Firewall MC and you want to preserve those changes. Of course, the settings that are unique to Firewall MC will be lost, as well as any device-level access and translation rules defined in the GUI.
Step 1 Select Devices > Managing Devices.
The Managing Devices page appears.
Step 2 Select the device(s) to delete, then click Delete.
You are prompted to confirm the delete request.
Step 3 Click OK.
The device is removed from the group.
Managing Devices Field-Level Elements and Descriptions
|
Representing Supporting Devices
Firewall MC allows you to add and edit DHCP and URL filter servers with the Firewall MC GUI. DHCP and filter URL servers allow you to further control your web security features.
Configuring URL Filter Servers
URL filtering lets you prevent internal users from accessing external WWW URLs that you designate using the Websense URL Filtering server. You can have a maximum of 16 URL servers. To access this feature, select Configuration > Settings > Servers and Services > URL Filter Server.
After you define your URL Filtering server(s) and related parameters on this page, use the Filter Rules feature to define the rules for enforcing URL filtering.
Websense Important Notes
- This feature is available only if you have the Websense third-party application, available from http://www.websense.com.
- If you change policy settings within the Websense server application, disable then re-enable the Websense cache to ensure the cached information does not conflict with any new policy settings.
Enabling Cache
By enabling cache you can speed the satisfaction of user requests if more than one user wants to access the same objects. This also reduces the amount of traffic between your network and the Internet, potentially improving your overall network performance and optimizing your bandwidth usage.
Step 1 Select Configuration > Device Settings > Servers and Services > URL Filter Server.
The URL Filter Server page appears.
Step 2 Select the Enable caching check box, then click the appropriate radio button to select whether to base cache entries on the destination or source and destination.
Step 3 Enter the size of the cache file. Value are 1-128 KB. Default is 1.
Step 4 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
You are now ready to insert or edit a URL filter server.
Inserting or Editing a URL Filter Server
Firewall MC allows you to monitor, manage, and restrict employee access to nonbusiness and objectionable content on the Internet. Users can be allowed or denied access to websites or can be coached with information about acceptable use of the Internet.
Step 1 Select Configuration > Device Settings > Servers and Services > URL Filter Server.
The URL Filter Server page appears.
Step 2 Do one of the following:
The Enter URL Filter Server page appears.
Step 3 Select the interface name from the list. The list displays all interfaces defined at the current scope.
Step 4 Enter the IP address of the server that runs the Websense filtering application.
Step 5 Verify the timeout value is correct, which displays the maximum idle time (in seconds) before a firewall device tries to access the next URL server. Default is 5.
Step 6 Click the radio button for the protocol to use.
|
Note Version 4 of these protocols provides greater functionality than version 1 provides. In version 4, when AAA filtering is enabled to perform user authentication, username information is passed to the Websense server so it can perform URL filtering and log URL activity by username. |
Step 7 Click Next.
The URL filter server summary page appears.
|
Note Settings enabled during the configuration process are displayed as true in the wizard summary page. |
Step 8 Verify the information is correct, then click Finish.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
URL Filter Server Field-Level Elements and Descriptions
|
Deleting a URL Filter Server
The following procedure describes how to configure the Dynamic Host Configuration Protocol (DHCP) relay feature.
Step 1 Select Configuration > Device Settings > Servers and Services > URL Filter Server.
The URL Filter Server table appears.
Step 2 Select the check box for the row, then click Delete.
You are prompted to confirm the delete request.
Step 3 Click OK.
The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.
Configuring a DHCP Server
A DHCP server provides network configuration parameters to a DHCP client. Support for the DHCP server within the PIX Firewall means the PIX Firewall can use DHCP to configure connected clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to an enterprise or corporate network.
You can configure the firewall device as a Dynamic Host Configuration Protocol (DHCP) server for hosts connected to its inside interface.
|
Note If your firewall device is also acting as a DHCP client on the outside interface, you can enable autoconfiguration to allow the firewall device to automatically pass the DNS, WINS, and domain name parameters it gets from the outside interface (as a DHCP client) to hosts on its inside network. Alternatively, you can manually specify the DNS, WINS, and domain name parameters. If you specify those parameters manually and autoconfiguration is on, your values take precedence over autoconfiguration. |
Step 1 Select Configuration > Device Settings > Servers and Services > DHCP Server.
Step 2 Select the Enable DHCP on inside interface check box to enable DHCP for the firewall device.
Step 3 Enter the DHCP address pool range information in the fields provided. The IP address range is from lowest to highest (for example, 10.10.1.01-10.10.1.10).
Step 4 Verify the lease length setting, which is the amount of time a DHCP client can use its allocated IP address from the DHCP server before its lease expires. Values are 300-2,147,483,647. Default is 3,600 (1 hour).
Step 5 Verify the ping timeout setting, which is the amount of time the firewall device should wait before declaring timeout on a ping. Default is 750 milliseconds.
Step 6 Select the Enable autoconfiguration check box to instruct the DHCP server to configure domain name, DNS, and WINS information.
Step 7 Enter the valid domain name (for example, cisco.com).
Step 8 Enter the DNS server(s). You can enter up to two DNS servers and IP addresses (Server 1 and Server 2) for a DHCP client.
Step 9 Enter the WINS server(s). You can enter up to two WINS servers and IP addresses (Server 1 and Server 2) for a DHCP client.
Step 10 Enable DHCP option 150:
Step 11 Enable DHCP option 66:
Step 12 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
DHCP Server Field-Level Elements and Descriptions
|
Configuring DHCP Relay Servers
Step 1 Select Configuration > Device Settings > Servers and Services > DHCP Relay Server.
The DHCP Relay Server page appears.
Step 2 Enter the DHCP Relay timeout, in seconds, in the DHCP Relay Timeout field. The default time is 60 seconds.
Step 3 Click Add.
The Enter DHCP Relay Server Information page appears.
Step 4 Select the interface in the Interface Name drop down list.
Step 5 Enter the server's IP address.
Step 6 Click Next.
The Wizard Summary page appears.
The new Relay Server appears in the DHCP Relay Servers list.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
DHCP Relay Server Field-Level Elements and Descriptions
|
Editing DHCP Relay Agents
The DHCP Relay Agent relays requests between the firewall interface of the DHCP server and DHCP clients on a different firewall interface.
The Agent table comes populated with all of the interfaces defined for the devices.
Step 1 Select Configuration > Device Settings > Servers and Services > DHCP Relay Agent.
The DHCP Relay Agent page appears.
Step 2 Select the interface to edit in the DHCP Relay Agent list, and click Edit.
The Enter DHCP Relay Agent Information page appears.
Step 3 Click Add.
The Enter DHCP Relay Server Information page appears.
Step 4 Select the interface in the Interface Name drop down list.
Step 5 Enter the server IP address.
Step 6 Click Next.
The Wizard Summary page appears.
The new Relay Server appears in the DHCP Relay Servers list.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
DHCP Relay Agent Field-Level Elements and Descriptions
|
Configuring TFTP Servers
The TFTP Server feature allows you to configure a firewall device to propagate its configuration files to a fileserver using the Trivial File Transfer Program (TFTP). Only one server is supported.
TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev 2. This feature allows you to configure firewall devices as TFTP clients so a firewall device can transfer a copy of the configuration files to a TFTP server. This enables configuration files to be backed up and propagated to multiple firewall devices.
Step 1 Select Configuration > Device Settings > Servers and Services > TFTP Server.
Step 2 Select the Enable TFTP Server check box to enable TFTP server settings in the configuration.
Step 3 Select the interface from the list. The list displays all interfaces defined at the current scope.
Step 4 Enter the IP address that communicates with the TFTP server.
Step 5 Enter the pathname of the configuration file, beginning with "/" (forward slash) and ending with the filename (where the configuration file will be written).
Step 6 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
TFTP Server Field-Level Elements and Descriptions
|
Representing Auto Update Servers
The Auto Update Server (AUS) feature enables communication between the firewall devices and the AUS. The settings are applied to firewall device configuration files, and they also provide the contact information for the Firewall MC to connect and deploy configuration files to the Auto Update Server. The configuration files are updated at the time of deployment and auto update becomes enabled. To access this feature, select Configuration > Device Settings > Auto Update Server.
Firewall devices must have PIX OS version 6.2 or later to use AUS.
|
Note For the firewall device to contact the AUS initially, these settings must match those used to bootstrap the firewall device. |
For the Firewall MC and firewall devices to communicate, you must also:
- Configure the Unique Identity feature. (See Configuring Unique Identity.)
- Configure HTTPS on firewall devices. (See "Bootstrapping PIX Firewalls.")
|
Note The AUS does not support firewall devices that are configured for failover. |
Step 1 Select Configuration > Device Settings > Auto Update Server > Server and Contact Information.
The Server and Contact Information page appears.
Step 2 Enter the AUS URL path to the servlet that the device uses to receive an auto update.
Step 3 Enter the AUS IP address.
Step 4 Verify the port number for the AUS. Default is 443.
Step 5 Enter the name of the user being used by Firewall MC to contact the AUS. Username is based on type of authentication used.
Step 6 Enter the user password.
Step 7 Reenter the user password in the Confirm Password field.
If the Firewall MC uses a different IP address or port number than another device to contact the AUS server, you must specify the alternate IP address or port number in the Device to AUS Address and Port fields for the other device to use. If the Firewall MC and the other device use the same contact information, skip to Step 8.
To assign a different IP address or port number for the other device:
a. Select the Device to AUS Address and Port (optional) check box.
Step 8 Click Apply.
Applying AUS Settings
Before You Begin
- Configure the Unique Identity feature. See Configuring Unique Identity.
- Configure HTTPS on firewall devices. See "Bootstrapping PIX Firewalls."
Step 1 Select Configuration > Device Settings > Auto Update Server > Device AUS Settings.
The Device AUS Settings page appears.
Step 2 Select the Enable Auto Update Server check box to enable the AUS.
Step 3 Enter the name of the user being used by the firewall device to contact the AUS. Username is based on type of authentication used.
Step 4 Enter the user password.
Step 5 Reenter the user password in the Confirm Password field.
Step 6 Verify that the poll period is correct. Default is 720 minutes.
Step 7 Verify the poll retry count, which is the number of attempts to connect to a device being polled.
Step 8 Verify the poll retry period.
Step 9 To deactivate the firewall device if an update is not received within a certain amount of time, select the Deactivate Device checkbox and enter the amount of time to wait before deactivating the firewall device. Default is to never deactivate.
Step 10 Select the Verify Certificate check box to verify the certificate being used.
Step 11 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are downloaded/deployed to the firewall device if the deployment type is set to "Direct to Device." If the deployment type is AUS, then the configuration files are deployed to the AUS server and then downloaded to the firewall devices when they contact the AUS server.
Auto Update Server Field-Level Elements and Descriptions
|
Configuring Unique Identity
The Unique Identity feature enables you to assign an identifier to each firewall device. These settings are applied to the firewall device configuration file. This feature is generally used by organizations using an Auto Update Server (AUS) and when hostnames are not unique.
Step 1 Select Configuration > Device Settings > Auto Update Server > Unique Identity.
The Unique Identity page appears.
Step 2 Select the method to use for identifying a firewall device. Special characters (`, ", <, >, &, ?) and spaces are not permitted.
Step 3 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Unique Identity Field-Level Elements and Descriptions
|