Table of Contents

Preparing the Firewall MC Environment

Firewall MC is designed with flexibility to support varied user environments. Before using Firewall MC, you should configure the system based on how you intend to use it. This section describes various settings that you can configure to control the way Firewall MC works. These options include:

Selecting the Administrative Model and Authentication Mode

Use of Firewall MC requires that your username and password be authenticated. After your username and password are authenticated, your authorization is based on the privileges that you have. Your role is a collection of privileges that dictate the type of system access you have. If you are not authorized for certain Firewall MC tasks or for certain devices, the related Firewall MC controls are hidden or disabled.

Note When you use workflow with formal approval disabled, the button for completing (submitting) an activity or job is labeled Approve and there is no Submit button. However, you must have submittal privileges, not approval privileges, to click the Approve button in this case.

To work around this problem, make sure submittal privileges are assigned to users who must use the Approve button.

Your username and password are compared with the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which you established at installation as your AAA provider. When you install CiscoWorks Common Services, the CiscoWorks Server provides administrative account services. By default, CiscoWorks manages authentication and authorization. You can change your AAA provider to Cisco Secure ACS before or after you install Firewall MC. See User Guide for CiscoWorks Common Services 2.2 for details.

When changing between CiscoWorks and Cisco Secure ACS authentication, you might not be able to manage the same activities and jobs. This is because you could have different privileges in the two authorization systems. As a result, you should always approve or undo remaining activities, and deploy or undo remaining jobs before changing the authentication scheme.

For more information, see "Understanding User Roles and Permissions."

CiscoWorks Server Roles and Firewall MC Privileges

CiscoWorks has predetermined roles that correspond to likely functions within your organization. Any username assigned one or more role has access to the privileges enabled by the role in Firewall MC. Roles are not set up hierarchically; each role does not include all privileges of the role below it. Instead, these roles are based on user needs.

Cisco Secure ACS Roles and Privileges

Cisco Secure ACS 3.1, and later, supports roles that are specific to Firewall MC. User authentication with Cisco Secure ACS is more sophisticated than CiscoWorks authentication because Cisco Secure ACS provides for a variety of privilege combinations that you can control. These include finer control over the definition of user permission sets and user group permission sets, as well as the application of such permissions to devices and device sets.

Because Cisco Secure ACS is designed to apply user and administrative privileges in relation to AAA clients, you must represent the CiscoWorks Server on which Firewall MC is running—and each firewall device—as AAA clients in Cisco Secure ACS. For details, see Configuring Authentication and Authorization in User Guide for CiscoWorks Common Services 2.2.

To use Cisco Secure ACS, ensure that:

For example, to import a PIX Firewall, ensure that the shared profile includes the show config command in the authorized command set, the device definition under Network Access Restrictions, and user role that includes administrative privileges.

If, for example, you have the privilege for importing firewall devices, you must have device-level permission to administer each firewall. Likewise, if you have the privilege for deploying on Firewall MC, you must have Firewall MC permission to deploy a configuration file to a PIX Firewall. If you do not have the needed permission on the device, the deployment fails.

For an understanding of TACACS+ security advantages, see the User Guide for Cisco Secure ACS.

Figure 3-1 shows how the Cisco Secure ACS user-interface page defines Firewall MC roles and permissions.

Cisco Secure ACS assigns eight default roles to Firewall MC, but you can add or delete user-defined roles when you customize your role and permission settings. Also, if you select options under Approve, Edit, Deploy, or Control, the related view privilege is selected implicitly.

Selecting the Workflow Mode

Firewall MC provides workflow support that allows you to assign different roles and responsibilities to different users. You can configure workflow to provide the most simple and streamlined user experience, or you can configure advanced workflow options to differentiate user responsibilities and enhance auditability.

If you are using the Workflow Setup option (Admin > Workflow Setup), you can specify whether to use jobs and activities to track changes made in Firewall MC and whether those jobs or activities should be approved formally before you can perform the next phase of the workflow. Before you select workflow options, you must understand how the different options affect the operation of Firewall MC.

Understanding the Workflow Process

Many organizations benefit from having a separation of responsibility when defining, implementing, and deploying corporate firewall policies. For example, a security administrator might be responsible for defining a device configuration file, another administrator for approving the configuration file, and a network operator for deploying the resulting configuration to a device. This separation of responsibility helps maintain the integrity of deployed device configurations.

Firewall MC supports this separation of responsibility by using activities and jobs, also referred to as workflow. Activities control policy changes, and jobs define deployment of configuration files. For more information, see Using Firewall MC with Workflow Enabled. You can set up Firewall MC to require formal approval for activities, jobs, or both. For more information, see Requiring a Formal Approval Phase. Workflow and the formal approval process is disabled by default, but you can enable either by selecting Admin > Workflow Setup.

Other organizations might prefer a more streamlined approach to administering their corporate firewall policies. For these organizations, the workflow feature can be turned off, eliminating the need for you to define activities and jobs; activities are defined automatically by Firewall MC and no jobs are required to deploy configurations. For more information, see Using Firewall MC with Workflow Disabled.

Using Firewall MC with Workflow Disabled

When workflow is disabled (default), you do not need to define activities for tracking changes in Firewall MC; instead, Firewall MC defines activities automatically when you modify a device's configuration. You also do not need to define jobs to deploy configurations. After you make configuration changes, you can deploy those changes by clicking the Save and Deploy icon in the activity bar of the Devices and Configuration tabs, or you can discard the changes by clicking the Undo icon. When you click the Save and Deploy icon, new configurations are generated for any modified devices. You can then deploy the new configurations, or you can save them and deploy them later. For more information, see Managing Deployment with Workflow Disabled.

Note   The Deployment tab is visible only when workflow is disabled. When you enable workflow, the Deployment tab is replaced by the Workflow tab, and you manage deployments using jobs. For more information on using jobs for deployment, see Using Job Management, page 15-17.

Important Notes about Using Firewall MC when Workflow is Disabled

Using Firewall MC with Workflow Enabled

When workflow is enabled, you use activities to track changes to configurations and use jobs to track the deployment of these configurations to the firewall devices that you manage.

Understanding Activities

An activity is a collection of policy changes typically made for a single purpose. For example, an activity might be created to collect the changes needed to address a problem identified in a trouble ticket filed with your help desk. Alternatively, an activity might be created to implement a new policy.

Before you can begin importing devices and adding configuration settings and rules, you must define an activity. An activity is accomplished by one or more people in succession. To access this feature, select Workflow > Activity Management.

After an activity is completed, it can be submitted for approval (if the approval process is enabled). If the activity is approved, it is committed and ready to be deployed through the use of a job. If the activity is rejected, the submitter has the option to modify the activity and again submit for approval, or delete the activity from the system and begin again.

Note   If the approval process is disabled (the default), the activity submit and approval process is a single step.

Figure 3-2 shows activity workflow with the approval process enabled. If the approval process is disabled, the submit action is not used.

For more information on activities, see Managing Activities With Workflow Enabled.

Understanding Jobs

A job represents a set of configuration files to be deployed to devices, configuration files, or an AUS. After a job is defined, it can be submitted
for approval.

If the job is approved, it is ready for deployment. If the job is rejected, the submitter has the option to modify the job and submit again for approval, or to delete the job and begin again. To access this feature, select Workflow > Job Management.

Figure 3-3 shows job workflow with the approval process enabled. The approved job is then deployed to the network. If the approval process is disabled, the submit and approve actions are not used.

After a job is approved, the final stage is to deploy the job. This downloads configuration files to specified devices on your network, saves them as files, or sends them to an AUS.

A rollback feature is also available when workflow is enabled. The rollback feature allows you to revert back to the previous configuration files that existed before deploying a job. To access these features (Deploy and Rollback), select Workflow > Job Management.

For more information on jobs, see Managing Deployment With Workflow Enabled.

Requiring a Formal Approval Phase

Many organizations benefit from separating responsibility for defining, approving, and deploying corporate firewall policies. This separation helps maintain the integrity of deployed device configurations and defines a clear audit trail. If your organization requires that policy changes must be defined by one person and approved by another, then you should enable the formal approval phase in Firewall MC.

Firewall MC supports this separation of responsibility by using activities and jobs, which define tasks that are accomplished by one or more people in succession. (See Managing Activities With Workflow Enabled and Managing Deployment With Workflow Enabled for more information about activities and jobs.)

By default, workflow and these approval options are disabled, but you can enable one or both if your organization requires a formal approval process. Firewall MC supports two different formal approval phases:

Approving Activities

This approval phase separates the person who defines policy from the person who defines a job. An activity must receive formal approval before it can be included as part of a job.

In the following figure, A represents two additional states, Submitted and Rejected, and identifies four possible actions: Submit, Approve, Reject, and Open. By default, when you submit an activity, the state moves directly to Approved. If activity approval is enabled, when you submit an activity, it moves to the new Submitted state, where it can be formally rejected or approved. To move to the Approved state, it must be approved.

Approving Jobs

This approval phase separates the person who defines jobs from the person who deploys a job. A job must receive formal approval before it can be deployed.

In the following figure, B represents a Submitted state and identifies three possible actions: Submit, Approve, and Reject. By default, when you Submit a job, the state moves to Approved. If you enable job approval, when you submit a job, it moves to the new Submitted state, where it can be formally rejected or approved. To move to the Approved state, it must be approved.

Setting Workflow Options

The Workflow Setup feature allows you to configure the way you use Firewall MC to make changes to your configurations and deploy those configurations to the firewall devices you manage.

Tip You do not need to open an activity to perform tasks from the Admin tab; however, you must be logged into Firewall MC with permission to access the options within this tab.

The Workflow Setup page appears.

Step 2   To disable workflow:

---

Note    Workflow is disabled by default. You need to perform this procedure only if you previously enabled workflow and now want to turn this feature off.

---

Step 3   To enable workflow, select the Use Workflow check box.

Step 4   To require that all activities be approved before being included in a job, select the Require Activity Approval check box. To turn this feature off, deselect the Require Activity Approval check box. Workflow must be enabled for you to use this feature.

---

Note    When you enable this option, all in-progress activities are subject to formal approval. However, if you want to disable the option, you must approve any submitted activities first. Otherwise, the following error message results: Operation Failed. Another user has already closed the activity.

---

Step 5   To require that all jobs be approved before being deployed, select the Require Job Approval check box. To turn this feature off, deselect the Require Job Approval check box. Workflow must be enabled for you to use this feature.

---

Note    When you enable this option, all in-progress jobs are subject to formal approval. However, if you want to disable the option, you must approve any submitted jobs first.

---

Step 6   To save your changes, click Apply.

Workflow Setup Field-Level Elements and Descriptions

Configuring Global Firewall MC Controls

The MC Settings feature controls how Firewall MC operates when it discovers commands configured outside of Firewall MC and discovers unsupported and error commands imported to Firewall MC. It identifies the directories in which imported and deployed configurations reside. Topics to be discussed are:

Configuring Management Controls

The Management feature allows you to control Firewall MC operation. To access this feature, select Configuration > MC Settings > Management.

When you modify a firewall device configuration outside of Firewall MC, the changes are temporary unless you save them (write memory command) in the device's nonvolatile storage (Flash memory). Each time the device is rebooted, it reads its configuration from nonvolatile storage. As a result, temporary changes are lost if they are not saved.

Firewall MC detects any permanent changes made to a device by a method other than Firewall MC. You can request that Firewall MC fail the deployment when other methods are detected. If you request that Firewall MC deploy a configuration to a device to which permanent changes have been made, a warning is generated in the deploy status window.

To retain changes made to a firewall device configuration by a means other than Firewall MC, you can delete the device, then reimport it; however, doing so results in the need to redefine device name, group, and hierarchy information. See Important Notes About Importing Devices to better understand the implications of using this method.

Setting Management Controls

The Management page appears.

Step 2   Select the appropriate Identity Address Translation Rules radio button to control whether Firewall MC automatically generates an internal address translation rule that associates an address to itself if no user-specified translation rule is present.

Step 3   Select how Firewall MC should respond to unknown commands.

Step 4   Select the configuration optimization level to use on file generation.

---

Note    If you indicated that you want to keep groups during generation (Configuration > MC Settings > Object Grouping), optimization on rules using groups will not take place. To allow optimization settings to take precedence over group operations, change the Group Operation setting to Defer to the optimization level settings.

---

Step 5   Select the configuration optimization level to use during import.

---

Note    If you indicated that you want to keep groups during import (Configuration > MC Settings > Object Grouping), optimization on rules using groups will not take place. To allow optimization settings to take precedence over group operations, change the Group Operation setting to Defer to the optimization level settings.

---

Step 6   Select the Clear XLATE on Deployment check box (recommended).

Step 7   Select how Firewall MC should respond to an external change to a device configuration.

Configuration file is not deployed.

Firewall MC deploys the configuration file if device configuration has been changed by a method other than Firewall MC.

Step 8   Select how Firewall MC should respond when an error during deployment results.

Step 9   Select the default stance that your firewall devices should take for traffic flows for which specific access rules have not been defined. In other words, do they allow or deny traffic flows when an ACL has not been applied to an interface. For more information, see Management Field-Level Elements and Descriptions.

Step 10   Click Apply.

Management Field-Level Elements and Descriptions

Configuring Deployment Controls

The Setting Deployment feature allows you to specify how configuration information should be deployed. These settings are applied to Firewall MC. Options are saving the information to a file, downloading directly to devices, or selecting a server that acts as a repository. To access this feature, select Configuration > MC Settings > Deployment.

The CiscoWorks Auto Update Server (AUS) provides a web-based interface for upgrading device configuration files and software images on PIX Firewalls that use the auto update feature. AUS can be installed on the Firewall MC server. If you decide to install AUS, you must configure it to communicate with other system devices on your network. See Representing Auto Update Servers.

Note   Firewall devices that are configured for failover are not supported by the AUS.

Setting a Deployment Type

The Deployment page appears.

Step 2   Select the method for deployment by clicking the appropriate radio button.

Caution   To prevent unauthorized access to configuration files, make sure the deployment directory is a secured directory.

---

Note    If you deploy a PPPoE configuration to a firewall device that already has PPPoE configured on the outside interface, any existing PPPoE connection to an access concentrator is reset and cleared. The firewall device must then reconnect to the access concentrator and be reauthenticated.

---

Step 3   If you are deploying to a file, enter the directory path.You can click Browse to navigate to the file location.

Step 4   Click Apply.

Important Notes about Deploying to an AUS

Caution   To prevent unauthorized access to configuration files, make sure the deployment directory is a secured directory.

Deployment Field-Level Elements and Descriptions

Element  Description  Inherit settings check box When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. A grayed-out check box disallows changes at the current scope. Enforce/Mandate settings for children check box When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. A grayed-out check box disallows changes at the current scope. Deployment type radio buttons Options are: File—Saves configuration information to a file. Direct to device (Default)—Downloads configuration files directly to devices. Auto Update Server—Downloads configuration files to AUS for later deployment to firewalls operating in auto update mode. Note The AUS supports only firewall device operating systems 6.2 or later. If you will be deploying configuration files using other versions, you will need to deploy to a file or directly to a device. Deployment directory Directory in which configuration files and configuration diffs (activity reports) are stored. Default directory is C:\Program_Files\CSCOpx\MDC\PIXMC\deploy Note You can click Browse to navigate to the location. Caution   If you set up a different deployment directory, make sure it is a secured directory.

Configuring Import Controls

The Importing Devices feature allows you to set the import directory default. You use this directory for selecting configuration files when you import devices from a file or directory. See "Representing Network Assets in Firewall MC." To access this feature, select Configuration > MC Settings > Import.

Caution   Make sure the import directory is a secured directory.

Setting Up an Import Directory

The Import page appears.

Step 2   The Import Control table shows the default import directory path. If you have set up a different import directory, you can click Browse to navigate to its location.

Caution   If you set up a different import directory, make sure it is a secured directory.

Step 3   Click Apply.

Import Field-Level Elements and Descriptions

Element  Description  Inherit settings check box When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. A grayed-out check box disallows changes at the current scope. Enforce/Mandate settings for children check box When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. A grayed-out check box disallows changes at the current scope. Import directory Identifies default directory from which configuration files are selected when devices are imported from a file. Default directory is C:\Program_Files\CSCOpx\MDC\PIXMC\import Note You can click Browse to navigate to the location. Caution   If you set up a different import directory, make sure it is a secured directory.

Configuring Feature Tracking Controls

Feature Tracking allows you to specify how Firewall MC handles commands for features that are not supported by the OS version running on a specific device. Typically, unsupported features are configured at the group-level and inherited by the devices within that group. To access this feature, select Configuration > MC Settings > Feature Tracking.

When an unsupported command is encountered during the generation of a configuration file, a caveat error or warning can be inserted at the top of the resulting configuration file as a beginning command. The error or warning has the following structure:

Caveat Error (or Warning): Does not support overridden (or inherited) feature, <feature name>

Setting Feature Tracking Information

The Feature Tracking page appears.

Step 2   Determine how you want to handle commands not supported by Firewall MC by clicking the appropriate radio button. See Feature Tracking Field-Level Elements and Descriptions.

Step 3   Click Apply.

Feature Tracking Field-Level Elements and Descriptions

Configuring Object Grouping Controls

The Object Grouping feature allows you to specify how Firewall MC handles object groups during import and generation. To access this feature, select Configuration > MC Settings > Object Grouping.

Setting Object Grouping Information

The Object Grouping page appears.

Step 2   Determine how you want to handle object groups during import and generation and make the appropriate selections. See Object Grouping Field-Level Elements and Descriptions.

Step 3   Click Apply.

Object Grouping Field-Level Elements and Descriptions