-
Using Management Center for Firewalls 1.2
-
Preface
-
Getting Started With Firewall MC
-
Task Flow Checklists
-
Preparing the Firewall MC Environment
-
Managing Activities
-
Preparing Your Network
-
Creating an Inheritance and Grouping Strategy
-
Representing Network Assets in Firewall MC
-
Configuring Device-Level Settings
-
Configuring Routing Rules
-
Defining Your Policy Building Blocks
-
Configuring Access Rules
-
Configuring Translation Rules
-
Manually Defining Rules Using CLI Syntax
-
Generating and Verifying Configuration Files
-
Deploying Configuration Files
-
Monitoring and Reports
-
Configuring VPN Settings
-
Configuring Failover
-
Maintaining your Firewall MC Server
-
Troubleshooting
-
Understanding User Roles and Permissions
-
Index
-
Table of Contents
Defining Rules Manually Using CLI SyntaxConfiguring Beginning Commands
Configuring Ending Commands
Adding an Ending Command
Ending Commands Field-Level Elements and Descriptions
Defining Rules Manually Using CLI Syntax
PIX Firewall and Firewall Services Module (FWSM) CLI commands receive different levels of support from Firewall MC 1.2. As a result, you might import a device configuration that includes commands that are not recognized by Firewall MC. Unsupported commands become ending commands in Firewall MC. Ending commands are deployed after all Firewall MC generated commands have been deployed.
You should fully understand the level of support that each command receives from Firewall MC. This understanding will enable you to use commands or command combinations in PIX Firewall and FWSM configuration files so that import operations and deployment jobs succeed. For a list of supported and unsupported commands, see the document entitled Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.2, which can be accessed from Cisco.com.
 |
Note You should not need to configure additions for this release of Firewall MC; however, they provide workarounds to commands that are not currently supported. |
Configuring Beginning Commands
The Beginning Commands feature provides a workaround for CLI commands not supported by this product release. Beginning commands are always replaced when the configuration files are deployed. To access this feature, select Configuration > Device Settings > Config Additions > Beginning Commands.
|
Note You should not need to configure beginning commands for this release. |
Adding a Beginning Command
Step 1 Select Configuration > Device Settings > Config Additions > Beginning Commands.
The Beginning Commands page appears.
Step 2 Enter any unsupported CLI commands that you want to appear at the beginning of a configuration file.
Step 3 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Beginning Commands Field-Level Elements and Descriptions
|
Configuring Ending Commands
The Ending Commands feature provides a workaround for CLI commands not supported by this release of Firewall MC. Ending commands appear after all other commands in the configuration file and before the command write mem. To access this feature, select Configuration > Device Settings > Config Additions > Ending Commands.
Ending commands are resent when the configuration files are deployed. Some commands are designed to be one-time operations. You should check the ending commands to see if any need to be removed before the configuration file is deployed.
|
Note You should not need to configure ending commands for this release. |
Firewall MC might not support a particular firewall device OS command, but you can still configure this command on the firewall device by noting the command as an ending command.
The firewall device will generate an error if these commands are already configured on the device should an attempt be made to add them again.
To resolve this, two workarounds are available:
|
Note The setting change will affect the behavior of Firewall MC for all commands being deployed, not just those designated as an ending command. |
For more information, see Configuring Management Controls.
Important Notes About Ending Commands
- If you are deploying to a device, most commands in the Ending Commands section should be removed after the initial deployment. This is especially true for object groups, where any unbound object group is replaced in the Ending Command section during command generation, then resent each time the configuration is deployed to a device.
Firewall MC will display an error because the firewall device will show that the object group already exists.
Adding an Ending Command
Step 1 Select Configuration > Device Settings > Config Additions > Ending Commands.
The Ending Commands page appears.
Step 2 Enter any unsupported CLI commands that you want to appear at the end of a configuration file.
Step 3 Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Ending Commands Field-Level Elements and Descriptions
|