Using Management Center for Firewalls 1.3
Defining Your Policy Building Blocks

Table Of Contents

Defining Your Policy Building Blocks

Important Notes About Building Blocks

Using Categories and Color-Coding

Adding or Editing a Category

Deleting a Category

Defining Network Objects

Understanding the Network Objects User Interface

Adding or Editing a Network Object

Deleting a Network Object

Configuring Service Definitions

Adding or Editing a Service Definition

Deleting a Service Definition

Defining Service Groups

Adding or Editing a Service Group

Deleting a Service Group

Defining AAA Server Groups

Creating or Editing a AAA Server Group

Deleting a AAA Server Group or Element

Defining Address Translation Pools

Creating or Editing an Address Translation Pool

Deleting an Address Translation Pool or Element

Defining IPSec Transform Sets

Adding or Editing an IPSec Transform Set

Deleting an IPSec Transform Set

Defining IPSec Tunnel Templates

Adding or Editing an IPSec Tunnel Template

Deleting an IPSec Tunnel Template


Defining Your Policy Building Blocks


Building blocks allow you to optimize your configuration. Objects such as hosts, protocols, or services can be grouped so you can issue a single command to every item in the group by using the name of the group. You then use the building block components to help you define your access rules and translation rules.

The Building Blocks feature is used to associate names that you can use in place of corresponding data values in settings and rules. This facilitates ease of maintenance.

For example, an access rule might have a source address of 1.2.3.4. As an alternative, you can use building blocks to create a network object named fred-pc with the address 1.2.3.4. You can then create an access rule with the source address as fred-pc.

Building blocks facilitate network updates, as you can identify objects separately but maintain them in a central location. For example, you can identify servers in your network as a network-object building block and the protocols to allow for these services in a service-group building block. You can then create an access rule that permits the service group to the network object. For future changes, you need only update the service group or network object instead of trying to locate each rule in which the servers are used.

Object groups can be imported to Firewall MC and generated for deployment to devices; however, certain object groups are added as ending commands during import; for example:

If the group is not referenced by any ACL entry.

If the group is used by an ACL entry in an unbound ACL that is being added as an ending command. The group is added as an ending command even if it is imported. You are prompted to resolve any pending naming conflicts that might occur.


Note An unbound ACL is an access rule that is not linked to an interface; it is configured but not used.


All object groups are retained during import and associated with existing building blocks (if any exist), or new object groups are created. The object group meta-switches can override this. To set the meta-switches, select Configuration > MC Settings > Object Grouping.

The following building blocks will help you define your policy objectives:

Network objects—You can group a set of network addresses represented by an IP network (name, IP address, IP mask). Network objects are often used when you define access rules. For more information, see Defining Network Objects.

Service definitions—You can create a single access rule that controls access to multiple protocols. Services are defined by a protocol and ports. Service definitions can be combined into service groups; they are often used when you define access rules. For more information, see Configuring Service Definitions.

Service groups—You can create a single access rule that controls access to multiple services; for example, you can write a single rule that permits traffic for Telnet and HTTP. Service groups can contain other service groups. Service groups are often used when you define access rules. For more information, see Defining Service Groups.

AAA server groups—You can define separate groups of TACACS+ or RADIUS servers for different types of traffic, for example, a TACACS+ server for inbound traffic and another for outbound traffic, or outbound HTTP traffic authenticated by a TACACS+ server and inbound traffic authenticated by RADIUS. For more information, see Defining AAA Server Groups.

Address translation pools—You can create global address pools used in dynamic NAT rules. Address translation pools are used when you define translation rules. For more information, see Defining Address Translation Pools.

Categories—You can provide an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks. Categories are color-coded. For more information, see Using Categories and Color-Coding.

IPSec transform sets—A transform set specifies the IPSec protocol, encryption algorithm, and hash algorithm to use on traffic matching the IPSec policy. You can create IPSec transform sets to specify various combinations of security protocols and algorithms. Transform sets are used in the definition of IPSec tunnel templates which are used for creating site-to-site and dynamic tunnels. For more information, see Defining IPSec Transform Sets.

IPSec tunnel templates—You can create IPSec tunnel templates to define the tunnel policies that are used to create site-to-site and dynamic tunnels. For more information, see Defining IPSec Tunnel Templates.

Topics to be discussed are:

Important Notes About Building Blocks

Using Categories and Color-Coding

Defining Network Objects

Configuring Service Definitions

Defining Service Groups

Defining AAA Server Groups

Defining Address Translation Pools

Defining IPSec Transform Sets

Defining IPSec Tunnel Templates

Important Notes About Building Blocks

Object groups can be imported to Firewall MC and generated for deployment to devices; however, some object groups might be added as an ending command during import, for example:

If the group is not referenced by any ACL entry.

If the group is used by an ACL entry in an unbound ACL that is being added as an ending command.

All object groups are retained during import and associated with existing building blocks (if any exist), or new object groups are created.

You can edit only those objects defined at the current scope.

Building blocks do not have a one-to-one association with a single scope; a reference is resolved by name through the scope hierarchy:

If you select an object from the directory tree, all elements defined at the same level and above are applied.

If you select an object by name and that name is defined at multiple scopes, the version defined nearest the current scope is selected.

Building blocks can be referenced from access rules, translation rules, or other building blocks. When you delete a building block, all references to that building block become stale. Unless another building block with the same name in a different scope is found, configuration generation fails.

You can import object groups to Firewall MC that were created on a device previously managed by Firewall MC, and you can import object groups to Firewall MC that were created on a device managed outside of Firewall MC. If Firewall MC does not recognize the object group name, a new group object is defined.

If you decide to rename a building block, you are prompted to determine if you want all references to the existing object to be renamed.

If you decide to move a device group or device, all rules defined at the device group or device level are moved with it. Rules that contain references to building blocks might change meaning or become obsolete after the move, because the references are resolved again from the new position in the hierarchy.

If you decide to cut, paste, or copy firewall rules, AAA rules, or filter rules that include references to building blocks, the closest building block within the hierarchy is used to resolve the reference.

Using Categories and Color-Coding

The Categories feature provides an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks. To access this feature, select Configuration > Building Blocks > Categories.

A category is assigned a background and foreground color that is displayed in the access rule tables. Depending on your specific needs, you can use color to display rules based on the rule category, building block objects based on the building block category, or both. You can also opt to use no color-coding at all. Default categories and color combinations are provided; however, you can create your own categories and assign different color combinations to them.

The benefits that result from using categories are:

The object is color-coded, resulting in improved visibility when you view the rule tables.

The object can be filtered in the rule tables, facilitating rule maintenance.

For example, you might want to create a network object and keep track of its use, as is important for administrative purposes. You can define a category named Administration and assign a color combination to it that appears when the category is used in a rule table. You then define the network object. When you define the network object, you associate the network object with the newly defined category. When you view the access rule table, you can choose whether to use color to display the rules or building blocks associated with the Administration category or to filter the table to display only those items associated with the category.


Note Categories and color combinations are associated with network objects, service definitions, and service group building blocks. No other building blocks support the use of categories and color-coding.


Adding or Editing a Category


Step 1 Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2 Click Add.

The Enter Category Information page appears.

Step 3 Enter the name of the category.

Step 4 Enter a description that will help you identify the category (for example, the brown category).

Step 5 Select the color combination to use. To do this, click the Swatches, HSB, or RGB tab.

Swatches provides default colors from which you select your background and foreground colors. For more information, see Setting Categories Using Swatches.

HSB—Hue-Saturation-Brightness. Allows you to define your own values for your color choices. For more information, see Setting Categories Using HSB.

RGB—Red-Green-Blue. Allows you to define your own values for your color choices. For more information, see Setting Categories Using RGB.


Note Because the description used in Step 4 was the brown category, select a brown tone as the background color and any other color for the foreground.


Step 6 Click Next.

The summary page appears.

Step 7 Verify the information is correct, then click Finish.

If you decide to display color coding when you view the rule tables, the rule or the building block is displayed in the colors you just defined. You can also filter the rule tables to show only the rules associated with the category.


Setting Categories Using Swatches


Step 1 Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2 Click Add.

The Enter Category Information page appears. The color palette defaults to Swatches.

Step 3 Enter a category name.

Step 4 Enter an optional description.

Step 5 With Foreground selected, select a swatch from the color grid.

Step 6 Click Background, then select a swatch from the color grid.

Your selections are displayed in the Preview field.

Step 7 Select any needed color changes, then click Next.

The wizard summary page appears.

Step 8 Click Finish.

Color selections are retained and can be used later in rule tables to help you identify rules or building blocks.


Setting Categories Using HSB


Step 1 Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2 Click Add.

The Enter Category Information page appears.

Step 3 Enter a category name.

Step 4 Enter an optional description.

Step 5 Click the HSB tab.

Step 6 With Foreground selected, click H (Hue), then drag the arrow to select your color choice.

Step 7 Repeat Step 6 for S (Saturation), and B (Brightness).

Step 8 Click Background. Repeat the steps used to select foreground color choices.

Your color selections are displayed in the Preview field.

Step 9 Choose any needed color changes, then click Next.

The wizard summary page appears.

Step 10 Click Finish.

Color selections are retained and can be used later in rule tables to help you identify rules or building blocks.


Setting Categories Using RGB


Step 1 Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2 Click Add.

The Enter Category Information page appears.

Step 3 Enter a category name.

Step 4 Enter an optional description.

Step 5 Click the RGB tab.

Step 6 With Foreground selected, drag the Red arrow to select your color value.

Step 7 Repeat Step 6 for Green and Blue.

Step 8 Click Background. Repeat the steps used to select foreground color values.

Your selections are displayed in the Preview field.

Step 9 Choose any needed color changes, then click Next.

The wizard summary page appears.

Step 10 Click Finish.

Color selections are retained and can be used later in rule tables to help you identify rules or building blocks.


Deleting a Category


Step 1 Select Configuration > Building Blocks > Categories.

The Categories page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the Categories table. References to the category, along with its color-coding, are removed from the rule tables.


Defining Network Objects

The Network Objects feature allows you to group a set of network addresses represented by an IP network (name, IP address, IP mask). This information provides the basic identification for that network. Firewall MC uses the name and the IP address and netmask pair to resolve references to the network in the source and destination conditions of access rules and in translation rules. Firewall MC uses the interface value to apply access and translation rules that refer to the network to the correct interface. The interface delivers network packets to the network, thus enforcing the rules that refer to that network.

You can access the Network Objects feature in two ways:

Select Configuration > Building Blocks > Network Objects.

Select Configuration > Access Rules, then click Add Network Object.

Both methods use the same popup window to define the network object. If you create or edit a network object while configuring an access rule, the resulting network object is listed in the Network Objects table.

Firewall MC network objects are converted to device network object groups.

Network objects that are used as sources are converted directly to the equivalent device group.

Network objects that are used as destinations might have to be translated depending on the ACL type and translation trees for the interfaces. They are then converted to the equivalent device group.

The interface of the rule that uses the network object becomes the base interface on which the translations occur. As translations are added to the translated group, identity address translation is used in all cases where the requested address is not found in the translation tree. To access identity address translation, select Configuration > MC Settings > Management. All existing groups with the same base name are checked for matches; duplicates are consolidated.

The following examples will help you to better understand how network objects can be used. Let's say you want to create the network object Corp Network at the Global scope, but you will use different IP addresses depending on the group being addressed. As a result, you can use a variable, which allows different values to be set for a building block for different devices or groups. The values are substituted into the same rule as applied to those different devices and groups.

To access the Network Object feature, select Configuration > Building Blocks > Network Objects. Select the scope, then complete the popup wizard to define the network object. When you return to the Network Objects table, Corp Network is shown in the table (Figure 10-1).

Figure 10-1 Example 1—Network Object "Corp Network" Defined at the Global Scope with Variable

If you use the object selector to select the device PIX Firewall, then view the Network Objects table for that scope, Corp Network is shown as created at the Global scope with the variable setting enabled. (The variable is set to true.) Notice that the check box is grayed-out, which means you cannot make changes at the device level. ( Figure 10-2).

Figure 10-2 Example 1—Network Object "Corp Network" Shown at the Device Scope

When you define (add) Corp Network at the PIX Firewall scope, the new network object replaces the one defined at the Global scope and assigns an IP address to it ( Figure 10-3). Corp Network can now be edited at the device scope; it is no longer shown as a variable. (The variable is set to false.)

Figure 10-3 Example 1—Network Object "Corp Network" Defined at the Device Scope

To create a mandatory access rule at the Global scope, you can use Corp Network as the source address.

If you view the access rules table for the Mandatory Global scope and the Default PIX Firewall scope, you will see the same access rule in each table. When the configuration file for the PIX Firewall is generated, the access rule uses the network object Corp Network and the IP address defined at the device level. This is displayed in the configuration file as

: acl_mdc_inside_access Access List
access-list acl_mdc_inside_access permit tcp 10.11.12.13 255.255.255.255 any

In conclusion, the network object defined at the Global scope using a variable must be redefined at the device scope with the same name, which then allows it to be used by access rules or translation rules.

Now consider another example. If you select an object by name and that name is defined at multiple scopes, the version defined nearest the current scope is selected. For this example, assume a service provider has two customers: Customer A and Customer B ( Figure 10-4).

Figure 10-4 Example 2—Network Object Diagram

Customers A and B have the network object Internal Network defined. Customer B uses a device named PIX Firewall. Because PIX Firewall is closer to Customer B than to Customer A in the navigation tree, the device uses the Internal Network defined at the Customer B scope. When you view the Network Objects table at the device scope, the object name is shown as Customer B > Internal Network.

The Network Object tables used for configuring this example are shown in Figure 10-5 through Figure 10-7.

Figure 10-5 Example 2—Network Object "Internal Network" Defined at the Customer B Scope

To access the table in Figure 10-5, select Configuration > Building Blocks > Network Objects. Using the object selector, select Customer B.

Figure 10-6 Example 2—Network Object "Internal Network" Shown at the Device Scope

To access the table in Figure 10-6, select Configuration > Building Blocks > Network Objects. Using the object selector, select PIX Firewall.

After you define the network object at the device scope, the table displays the updated network object Internal Network for the device.

A third example and a standard use of a network object is to define a network object (for example, My Network) at the PIX Firewall level. You can then use the network object only at the device scope ( Figure 10-7).

Figure 10-7 Example 3—Network Object "My Network" Defined at the Device Scope

Understanding the Network Objects User Interface

Figure 10-8 shows the Network Objects user interface.

Figure 10-8 Network Objects User Interface

Figure 10-8 Reference

1  Name
   User-defined network-entity name assigned to the network object.

2  Content
   IP address and mask.

3  Variable
   Value used in place of a defined building block. If the object is a variable, the Variable column shows true.

4  Scope
   Scope (level) at which the network object is defined, for example, Global.

5  Category
   Element used to filter and sort network objects in rule tables. See Using Categories and Color-Coding.

6  Action buttons
   Options are:

   Add—Adds a row to the table.

   Edit—Edits an existing row in the table.

   View—Shows information in read-only mode.

   Copy—Copies a row in the table.

   Cut—Removes a row in the table.

   Paste—Pastes a row that was copied or cut from a table.

   Delete—Removes a row from the table.

   View All—Displays all network objects defined from Global down to the current scope, including those inherited from higher scopes.

7  "any" network object
   Eliminates the need to define each source and destination for network objects.

8  "no value" network object
   Allows you to define rules using a variable; the rules are optional.


Using the "Any" Network Object

The any network object is used to facilitate the policy rule definition process. For example, to allow any external host to communicate with a web server, you can define a policy rule to permit traffic that uses any as the source address, and the IP address and network mask for the web server as the destination address. Use of the any network object eliminates the need for you to define each source and destination for networks and hosts.

Using the "No Value" Variable

You might want to define a building block at the Group scope that contains a variable, then define an access rule at the same group level that refers to the building block.

At the device level, you can define the building block using a specific value for the device. When the rules are evaluated during configuration generation, the access rules defined at the group level use the device-specific values.

Suppose you do not want these access rules to be applied to a device in the group. You can omit defining specific values for the building block. When the rules are evaluated during configuration generation, the access rules defined at the Group scope use the value associated with the variable building block at the Group scope, because no specific value is defined at the device. The building block specifies no value, so Firewall MC discards these rules.

Without the use of no value in the building block, Firewall MC generates errors after trying to find a value for the access rules that refer to the building block.

For example, you want to create a building block named InsideNets at the Global scope and use a variable. No IP address or mask is included. You choose the "no value" building block as part of its value. You define rules to permit traffic to and from InsideNets. You edit a device and define the same building block at the device level that replaces "no value" with an IP address and netmask. When the configuration is generated, the Global rules become meaningful because the variable is replaced with the value defined at the device level.

You then add another device, but you do not want a value for the InsideNets building block. You leave it undefined at the device level. When the configuration is generated, Firewall MC finds the value for InsideNets defined at the Global scope when trying to evaluate the rules referencing that building block. When Firewall MC checks to see what the value is for the device, only no value is found. Firewall MC cannot write a valid rule, so the rule is ignored and no error is generated.


Note If a source or destination in an access rule is associated with no value, Firewall MC ignores the rule and continues.
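The following Python model is added here as an illustration and is not Firewall MC code. It puts the scope-resolution rules together with the Corp Network, Internal Network and InsideNets examples above: a name resolves to the definition nearest the device scope; a variable defined at Global is only a placeholder until a lower scope gives it an address; a variable left at "no value" silently drops any rule that references it; a variable that never receives a value fails generation. The scope tree, the object names and addresses, the rule tuples and the second device "PIX Firewall A" are constructed for the example, and a missing mask defaults to a host mask as the wizard does.

```python
"""Scope resolution of building blocks: a constructed model, not Firewall MC code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed scope tree (child -> parent), mirroring the Example 2 diagram.
# "PIX Firewall A" is an assumed second device under Customer A.
SCOPE_PARENT: Dict[str, Optional[str]] = {
    "Global": None,
    "Customer A": "Global",
    "Customer B": "Global",
    "PIX Firewall": "Customer B",
    "PIX Firewall A": "Customer A",
}


class GenerationError(Exception):
    """A rule references a building block that has no usable value."""


@dataclass(frozen=True)
class NetworkObject:
    name: str
    scope: str
    address: Optional[str] = None  # "10.1.1.1" or "10.1.0.0 255.255.0.0"
    variable: bool = False         # placeholder to be redefined at a lower scope
    no_value: bool = False         # the "no value" building block


def parse_address(text: str) -> ipaddress.IPv4Network:
    """'a.b.c.d [mask]' -> network. A missing mask defaults to a host mask (/32)."""
    parts = text.split()
    if len(parts) == 1:
        return ipaddress.IPv4Network((parts[0], 32))
    if len(parts) == 2:
        return ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
    raise ValueError("bad address %r" % text)


def scope_chain(scope: str) -> List[str]:
    """Scopes from `scope` up to Global, nearest first."""
    chain: List[str] = []
    cur: Optional[str] = scope
    while cur is not None:
        if cur not in SCOPE_PARENT:
            raise KeyError("unknown scope %r" % cur)
        chain.append(cur)
        cur = SCOPE_PARENT[cur]
    return chain


def resolve(name: str, scope: str, objects: List[NetworkObject]) -> Optional[NetworkObject]:
    """Return the definition of `name` nearest to `scope`, or None if undefined."""
    by_key = {(o.name, o.scope): o for o in objects}
    for s in scope_chain(scope):
        obj = by_key.get((name, s))
        if obj is not None:
            return obj
    return None


def render_address(name: str, scope: str, objects: List[NetworkObject]) -> Optional[str]:
    """Source/destination text for an access-list line.

    None means the reference hit a "no value" variable, so the caller drops the
    whole rule without error. Undefined names and variables that were never
    given a value raise GenerationError instead (generation fails).
    """
    if name == "any":
        return "any"
    obj = resolve(name, scope, objects)
    if obj is None:
        raise GenerationError("%r is not defined at or above %r" % (name, scope))
    if obj.no_value:
        return None
    if obj.address is None:
        raise GenerationError("variable %r has no value for %r" % (name, scope))
    net = parse_address(obj.address)
    return "%s %s" % (net.network_address, net.netmask)


# (ACL name, action, protocol, source object, destination object)
Rule = Tuple[str, str, str, str, str]


def generate(rules: List[Rule], device_scope: str, objects: List[NetworkObject]) -> List[str]:
    """Expand rules into access-list lines for one device scope."""
    lines: List[str] = []
    for acl, action, proto, src, dst in rules:
        src_txt = render_address(src, device_scope, objects)
        dst_txt = render_address(dst, device_scope, objects)
        if src_txt is None or dst_txt is None:
            continue  # "no value": the rule is ignored and no error is generated
        lines.append("access-list %s %s %s %s %s" % (acl, action, proto, src_txt, dst_txt))
    return lines


# Constructed building blocks following Examples 1 and 2 and the InsideNets case.
OBJECTS = [
    NetworkObject("Corp Network", "Global", variable=True),
    NetworkObject("Corp Network", "PIX Firewall", address="10.11.12.13"),
    NetworkObject("InsideNets", "Global", variable=True, no_value=True),
    NetworkObject("Internal Network", "Customer A", address="192.168.1.0 255.255.255.0"),
    NetworkObject("Internal Network", "Customer B", address="172.16.0.0 255.255.0.0"),
]

RULES: List[Rule] = [
    ("acl_mdc_inside_access", "permit", "tcp", "Corp Network", "any"),
    ("acl_mdc_inside_access", "permit", "tcp", "InsideNets", "any"),
    ("acl_mdc_inside_access", "permit", "tcp", "Internal Network", "any"),
]

if __name__ == "__main__":
    for line in generate(RULES, "PIX Firewall", OBJECTS):
        print(line)
```

Run against "PIX Firewall" the model emits the Corp Network line exactly as in the configuration excerpt above and a second line for Customer B's Internal Network, and skips the InsideNets rule; run against "PIX Firewall A", where Corp Network is never redefined, the first rule raises GenerationError, which is the error case the text describes.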


Adding or Editing a Network Object


Step 1 To access the Network Objects page, do one of the following:

Select Configuration > Building Blocks > Network Objects.

Select Configuration > Access Rules > then click Add Network Object.

Step 2 Do one of the following:

To add a row to the table, click Add.

To edit a row, select the check box for the row, then click Edit.

Step 3 Enter the name of the network entity to be assigned to the network object.

Step 4 (Optional) Enter a comment in the Description field.

Step 5 Select a category from the list. See Using Categories and Color-Coding.

Step 6 Select the Variable check box to use a value in place of a defined building block.


Note This feature enables you to set different values for a building block for different devices or groups; the values are substituted into the same rule as applied to those different devices and groups.


Step 7 Do one of the following:

Enter the network IP address and mask.

If you do not specify a network mask for an IP address, the wizard defaults to a host mask (32 bit) instead of a network mask (for example, 24 bit).

No IP address and mask are needed if you plan to use only nested network objects.

Click Select, which opens a popup window from which you can select network objects.

Select the available objects from the Available Objects column, then click Select =>.

The object is moved to the Selected Objects column.

Click OK.

You are returned to the network object popup window.

Step 8 Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 10-1 describes the elements on the Network Objects page.

Table 10-1 Network Objects 

Element
Description

Network Entity Name

User-defined network-entity name assigned to network object, for example, Engineering Network, or CMI Web Server. A maximum of 64 characters is allowed.

The network-entity name you enter in the popup wizard is displayed in the network objects table in the Name column.

Description

Optional user-defined description that identifies the network object, for example, a set of networks that includes all engineering workstations.

Variable check box

Value used in place of a defined building block.

When selected, you can create an access rule at the current scope (or lower), even though no value is given for a building block that is declared as a variable. The values for variables are defined as normal building blocks at lower levels in the hierarchy.

When deselected, you can create an access rule at the current scope (or lower) using a defined building block.

If you selected the Variable check box in the popup wizard, your selection is displayed as true in the network objects table in the Variable column.

Note This feature allows you to set different values for a building block for different devices or groups; the values are substituted into the same rule as applied to those different devices and groups.

Network IP address/Mask

IP address and mask. If you do not specify a network mask for an IP address, the default setting for a host mask (32 bit) is used instead of a network mask (24 bit).

Note No IP address and mask are needed if you plan to use only nested network objects.

The IP address and mask you enter in the popup wizard are displayed in the Network Objects table in the Content column.

Available Objects

Lists user-defined available objects from which you make your selection.

Selected Objects

Lists the network objects selected for nesting in this object.

Select => button

Moves selected (nested) objects from the Available Objects column to the Selected Objects column.

<= Remove button

Moves selected (nested) objects from the Selected Objects column to the Available Objects column.

Scope

Scope (level) at which network object is defined, for example, Global.

Category

Element used to filter and sort network objects in rule tables. See Using Categories and Color-Coding.


Deleting a Network Object


Step 1 Select Configuration  >  Building Blocks > Network Objects.

The Network Objects page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

As the page is refreshed, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Configuring Service Definitions

You can access the Service Definitions feature in one of two ways:

Select Configuration > Building Blocks > Service Definitions.

Select Configuration > Access Rules, then click Add Service Definition.

Both methods use the same popup window. If you create or edit a service definition while configuring an access rule, the resulting service definition is listed in the Service Definitions table.

The Service Definition feature enables you to create a single access rule that controls access to multiple protocols, for example, WWW.

Firewall MC service definitions can contain IP protocols, TCP and UDP source and destination ports, and ICMP message types. These are converted into firewall device protocol groups, service groups, and icmp-type groups respectively. The different kinds cannot be combined into one device group. As a result, a rule that refers to a service definition that mixes them could result in four groups being created, and the rule might be replaced with up to four rules. In addition, the TCP and UDP ports might have to be translated depending on static port-mapping commands that are interface and destination-address specific. As a result, no TCP-UDP groups are generated, and any service and destination network group that requires port translation is generated without reference to the service definition group.
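As an added illustration (not Firewall MC's generator), the Python below splits one mixed service definition into the separate device object groups described above and shows the up-to-four access-list lines that result from a single rule. The object-group and access-list syntax is the PIX 6.x object grouping syntax; the group naming scheme, the sample "WWW" definition, the addresses and the ACL name are constructed for the example, and port translation for static port mappings is not modeled.

```python
"""Expand one mixed service definition into PIX object groups: a constructed
illustration, not Firewall MC's generator. Each protocol family becomes its own
group (no tcp-udp group), so one rule can expand into up to four access-list lines.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ServiceDefinition:
    name: str
    ip_protocols: List[int] = field(default_factory=list)               # raw IP protocol numbers
    tcp_dst_ports: List[Tuple[int, int]] = field(default_factory=list)  # (low, high) ranges
    udp_dst_ports: List[Tuple[int, int]] = field(default_factory=list)
    icmp_types: List[str] = field(default_factory=list)                 # e.g. "echo"


def port_object(low: int, high: int) -> str:
    """One port-object line: a single port uses eq, a span uses range."""
    if not (0 <= low <= high <= 65535):
        raise ValueError("bad port range %d-%d" % (low, high))
    if low == high:
        return "port-object eq %d" % low
    return "port-object range %d %d" % (low, high)


def expand(svc: ServiceDefinition, acl: str, src: str = "any", dst: str = "any") -> Tuple[List[str], List[str]]:
    """Return (object-group commands, access-list lines) for one rule that
    references `svc`. Group names are assumed: <service>_<family>."""
    groups: List[str] = []
    acl_lines: List[str] = []
    base = svc.name.replace(" ", "_")

    if svc.ip_protocols:                      # -> protocol group
        gname = base + "_proto"
        groups.append("object-group protocol " + gname)
        for p in svc.ip_protocols:
            if not 1 <= p <= 255:
                raise ValueError("bad IP protocol number %d" % p)
            groups.append("  protocol-object %d" % p)
        acl_lines.append("access-list %s permit object-group %s %s %s" % (acl, gname, src, dst))

    for proto, ranges in (("tcp", svc.tcp_dst_ports), ("udp", svc.udp_dst_ports)):
        if not ranges:
            continue                          # -> one service group per transport, never tcp-udp
        gname = "%s_%s" % (base, proto)
        groups.append("object-group service %s %s" % (gname, proto))
        for low, high in ranges:
            groups.append("  " + port_object(low, high))
        acl_lines.append("access-list %s permit %s %s %s object-group %s" % (acl, proto, src, dst, gname))

    if svc.icmp_types:                        # -> icmp-type group
        gname = base + "_icmp"
        groups.append("object-group icmp-type " + gname)
        for t in svc.icmp_types:
            groups.append("  icmp-object " + t)
        acl_lines.append("access-list %s permit icmp %s %s object-group %s" % (acl, src, dst, gname))

    return groups, acl_lines


# Constructed sample: a definition that mixes all four families.
WEB_PLUS = ServiceDefinition(
    name="WWW",
    ip_protocols=[47],                        # GRE
    tcp_dst_ports=[(80, 80), (8080, 8090)],
    udp_dst_ports=[(53, 53)],
    icmp_types=["echo"],
)

if __name__ == "__main__":
    groups, lines = expand(WEB_PLUS, "acl_mdc_outside_access", "any", "host 10.1.1.10")
    print("\n".join(groups + lines))
```

A definition that contains only TCP ports produces one service group and one access-list line; the sample above, which mixes GRE, TCP, UDP and ICMP, produces four groups and four lines, which is the worst case the paragraph describes.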

Adding or Editing a Service Definition


Step 1 To access the Service Definitions feature, do one of the following:

Select Configuration > Building Blocks > Service Definitions.

Select Configuration > Access Rules, then click Add Service Definition.

Step 2 Do one of the following:

To add a row to the table, click Add.

To edit a row, select the check box for the row, then click Edit.

Step 3 Enter the name of the service.

Step 4 Enter an optional comment in the Description field.

Step 5 Select a category from the list. See Using Categories and Color-Coding.

Step 6 Select the transport protocol from the list.

If you selected IP, enter the IP protocol number. Values are 1-133.

If you selected ICMP, select the type of message from the list.

If you selected TCP or UDP, enter the source and destination port or port ranges. Values are 0-65,535.

Step 7 Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 10-2 describes the elements on the Service Definitions page.

Table 10-2 Service Definitions 

Element
Description

Service Name

User-defined name of a service. Rules refer to the service by this name rather than by protocol and port numbers. A maximum of 64 characters is allowed.

The service name you enter in the wizard is displayed in the service definitions table in the Name column.

Description

Optional field in which to enter description of service used.

Transport Protocol

Protocol used for service definition.

ICMP—Uses a dedicated IP protocol number.

TCP—Uses a dedicated IP protocol number.

UDP—Uses a dedicated IP protocol number.

IP—You must enter an IP protocol number.

Note If the protocol uses a dedicated IP protocol number, you can leave the field blank.

IP Protocol Number

Numbers that represent transport protocols. Values are 1-133.

1—dedicated to ICMP

6— dedicated to TCP

17—dedicated to UDP

Message Type

List of ICMP message types.

Source Port

Enter a single value or range of values. Values are 0-65,535. Displays as asterisk (*) in table if you select a complete range.

Note Source port is used for TCP and UDP only.

Destination Port

Enter a single value or range of values. Values are 0-65,535. Displays as asterisk (*) in table if you select a complete range.

Note Destination port is used for TCP and UDP only.

Network

IPv4.

Note The network element cannot be edited.

Scope

Scope (level) at which service definition is defined, for example, Global.

Category

Element used to filter and sort service definitions in rule tables. See Using Categories and Color-Coding.


Deleting a Service Definition


Step 1 Select Configuration > Building Blocks > Service Definitions.

The Service Definitions page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Defining Service Groups

The Service Groups feature enables you to create a single access rule that controls access to multiple services; for example, you can write a single rule that permits traffic for Telnet and HTTP. Service groups can contain other service groups or specified services.

You can access the Service Groups feature in one of two ways:

Select Configuration > Building Blocks > Service Groups.

Select Configuration > Access Rules, then click Add Service Group.

Both methods use the same popup window. If you create or edit a service group while configuring an access rule, the resulting service group is listed in the Service Groups table.

Adding or Editing a Service Group


Note Some elements in the Service Groups table might be grayed out. This is because they are defined at a higher scope and cannot be edited from this level.



Step 1 To access the Service Groups page, do one of the following:

Select Configuration > Building Blocks > Service Groups.

Select Configuration > Access Rules, then click Add Service Group.

Step 2 Do one of the following:

To add a new row in the table, click Add.

To edit a row, select the check box for the row, then click Edit.

Step 3 Enter the name of the service group.

Step 4 Enter an optional comment in the Description field.

Step 5 Select a category from the list. See Using Categories and Color-Coding.

Step 6 Enter the names of the services or service groups to include. You can enter them manually or click Select, which opens a popup window from which you can select services and other service groups.

a. Select the entries you want from the Available Services column, then click Select => .

The entry is moved to the Selected Services column.

b. Click OK.

You return to the service group popup window.

Step 7 Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 10-3 describes the elements in the Service Groups page.

Table 10-3 Service Groups 

Element
Description

Service Group Name

User-defined name to identify the service group, for example, WWW. A maximum of 64 characters is allowed.

The service group name you enter in the wizard is displayed in the service groups table in the Group Name column.

Description

Optional field to enter comments that identify service group, for example, commonly used Web services.

The description that you enter in the wizard is displayed in the service groups table in the Description column.

Available Services column

Lists sublevel service groups and services available for each service group.

Selected Services column

Lists sublevel service groups and services selected for service group.

Select => button

Moves selected service groups and services from Available Services column to Selected Services column.

<= Remove button

Moves selected service groups and services from Selected Services column to Available Services column.

Scope

Scope (level) at which service group object is defined, for example, Global.

Category

Element used to filter and sort service group objects in rule tables. See Using Categories and Color-Coding.
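The following Python program is an added example; it is not Firewall MC code and does not appear in this guide. It applies the checks described for the Service Definitions and Service Groups wizards (a name of at most 64 characters, an IP protocol number in the 1-133 range the page gives, port ranges within 0-65,535 and used only for TCP and UDP) and resolves a service group that contains other service groups into the services it permits, rejecting unknown members and membership cycles so a nested group can never loop. The service names, port values, and the matches, group_permits and port_display helpers are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Transport choices offered by the Service Definitions wizard, and the IP protocol
# numbers the page lists as dedicated to three of them.
TCP, UDP, ICMP, IP = "TCP", "UDP", "ICMP", "IP"
DEDICATED_PROTOCOL = {ICMP: 1, TCP: 6, UDP: 17}
ANY_PORT = (0, 65535)   # a complete range, shown as "*" in the table


@dataclass(frozen=True)
class ServiceDefinition:
    name: str
    transport: str
    ip_protocol: Optional[int] = None        # required only when transport is IP
    icmp_type: Optional[str] = None          # only meaningful for ICMP
    src_ports: Tuple[int, int] = ANY_PORT    # TCP/UDP only
    dst_ports: Tuple[int, int] = ANY_PORT    # TCP/UDP only

    def validate(self) -> "ServiceDefinition":
        if not 1 <= len(self.name) <= 64:
            raise ValueError(f"{self.name!r}: service name must be 1-64 characters")
        if self.transport == IP:
            if self.ip_protocol is None or not 1 <= self.ip_protocol <= 133:
                raise ValueError(f"{self.name}: IP protocol number must be 1-133")
        elif self.transport not in DEDICATED_PROTOCOL:
            raise ValueError(f"{self.name}: unknown transport {self.transport}")
        if self.transport in (TCP, UDP):
            for lo, hi in (self.src_ports, self.dst_ports):
                if not 0 <= lo <= hi <= 65535:
                    raise ValueError(f"{self.name}: port range {lo}-{hi} is outside 0-65535")
        return self

    @property
    def protocol_number(self) -> int:
        return DEDICATED_PROTOCOL.get(self.transport, self.ip_protocol)

    def matches(self, protocol: int, sport: int = 0, dport: int = 0) -> bool:
        """True if a packet with these header values falls under this definition."""
        if protocol != self.protocol_number:
            return False
        if self.transport not in (TCP, UDP):
            return True             # ports are not consulted for ICMP or raw IP
        return (self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1])


@dataclass
class ServiceGroup:
    name: str
    members: List[str] = field(default_factory=list)   # service or group names


def port_display(rng: Tuple[int, int]) -> str:
    """Render a port range the way the table does: '*' for the complete range."""
    if rng == ANY_PORT:
        return "*"
    return str(rng[0]) if rng[0] == rng[1] else f"{rng[0]}-{rng[1]}"


def flatten(group_name: str, services: Dict[str, ServiceDefinition],
            groups: Dict[str, ServiceGroup],
            _path: Tuple[str, ...] = ()) -> Set[ServiceDefinition]:
    """Resolve a group, including nested groups, to the service definitions it contains.
    Rejects unknown members and membership cycles rather than recursing forever."""
    if group_name in _path:
        raise ValueError("service group cycle: " + " -> ".join(_path + (group_name,)))
    if group_name not in groups:
        raise ValueError(f"unknown service group {group_name}")
    resolved: Set[ServiceDefinition] = set()
    for member in groups[group_name].members:
        if member in groups:
            resolved |= flatten(member, services, groups, _path + (group_name,))
        elif member in services:
            resolved.add(services[member])
        else:
            raise ValueError(f"{group_name}: unknown member {member}")
    return resolved


def group_permits(group_name: str, services: Dict[str, ServiceDefinition],
                  groups: Dict[str, ServiceGroup], protocol: int,
                  sport: int = 0, dport: int = 0) -> bool:
    """Would a rule written against this group cover the given packet?"""
    return any(s.matches(protocol, sport, dport)
               for s in flatten(group_name, services, groups))


# Constructed sample data (not from the page): a few definitions and nested groups.
SERVICES = {s.name: s.validate() for s in [
    ServiceDefinition("telnet", TCP, dst_ports=(23, 23)),
    ServiceDefinition("http", TCP, dst_ports=(80, 80)),
    ServiceDefinition("https", TCP, dst_ports=(443, 443)),
    ServiceDefinition("dns", UDP, dst_ports=(53, 53)),
    ServiceDefinition("ping", ICMP, icmp_type="echo"),
    ServiceDefinition("gre", IP, ip_protocol=47),
]}
GROUPS = {g.name: g for g in [
    ServiceGroup("WWW", ["http", "https"]),
    ServiceGroup("REMOTE-ADMIN", ["telnet", "WWW"]),        # a group nested in a group
    ServiceGroup("LOOP-A", ["LOOP-B"]), ServiceGroup("LOOP-B", ["LOOP-A"]),   # a mistake
]}

if __name__ == "__main__":
    print(sorted(s.name for s in flatten("REMOTE-ADMIN", SERVICES, GROUPS)))
    print(group_permits("REMOTE-ADMIN", SERVICES, GROUPS, 6, 51000, 443))
```

The cycle check matters because a group may contain groups: a group that, through any chain of members, contains itself cannot be expanded into a rule, and catching it when the building block is defined is cheaper than discovering it when the configuration files are generated.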


Deleting a Service Group


Step 1 Select Configuration > Building Blocks > Service Groups.

The Service Groups page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Defining AAA Server Groups

Firewall MC lets you define separate groups of TACACS+ or RADIUS servers for specifying different types of traffic. For example, you could specify a TACACS+ server for inbound traffic and another for outbound traffic, or outbound HTTP traffic authenticated by a TACACS+ server and inbound traffic authenticated by RADIUS.

AAA server groups use tags, which direct different types of traffic to each authentication server. If the first authentication server in the list fails, the AAA subsystem fails over to the next server in the tag group. You can have up to 14 tag groups, and each group can have up to 14 AAA servers, totaling up to 196 AAA servers.

Configuring a AAA server group is a two-tier process. First, you create a AAA server group. Second, you define AAA servers within that group. You have the option of inserting a AAA server while you are creating a AAA server group.

In Firewall MC, the "Group LOCAL protocol local scoped from Global" entry represents the AAA group named LOCAL that exists by default on PIX Firewalls running version 6.2 or later. You cannot modify or disable the default group.

This group is used for administrative authentication; it talks directly to the PIX Firewall instead of a separate AAA server. LOCAL specifies use of the PIX Firewall local user database for local command authorization. The LOCAL group is displayed in the configuration file as aaa-server LOCAL protocol local.

To set LOCAL for AAA Authentication, select Configuration > Settings > AAA Admin Authentication.

Creating or Editing a AAA Server Group


Note While you are creating a AAA server group, you can insert a AAA server.


The following procedure assumes you are defining a server group and identifying a server within that group.


Step 1 Select Configuration > Building Blocks > AAA Server Group.

The AAA Server Group page appears.

Step 2 Do one of the following:

To add a server group in the table, click Create.

The Select Group Name page appears.

To add a server to a group in the table, select the check box for the row after which to insert the new row, then click Insert.

The Define Server page appears.

To edit a group, select the check box for the row, then click Edit.

The Select Group Name page appears.

To edit a server, select the check box for the row, then click Edit.

The Define Server page appears.

Step 3 Enter the name of the AAA server group. Spaces are not permitted. A maximum of 14 server groups is permitted.

Step 4 Click the RADIUS or TACACS radio button to identify the authentication protocol (RADIUS or TACACS+) to use for the server group.

Step 5 Click Next.

The Define Server page appears.

Step 6 Select the interface from the list.

Step 7 Enter the IP address.

Step 8 Enter the server key.

Step 9 Verify the timeout value. Default is 5 seconds.

Step 10 Click Next.

The AAA server group summary page appears.

Step 11 Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 10-4 describes the elements in the Server Group page.

Table 10-4 AAA Server Group 

Element
Description

Group LOCAL protocol local scoped from Global

Default firewall device AAA server group.

Group name

User-defined name that identifies AAA server group, for example, East Coast Servers or RADIUS Servers.

Spaces are not permitted. A maximum of 14 server groups is permitted.

The group name you define in the wizard is displayed in the server group table as a highlighted row.

Authentication protocol radio buttons

Options are:

RADIUS

TACACS

The protocol you select in the wizard is displayed in the server group table next to the server group name.

Interface

Logical name of interface that relates to use, for example, inside or outside.

Note If you are using the wizard, a list displays all interfaces defined at the current scope.

Server IP Address

IP address of AAA server.

Server Key

A case-sensitive, alphanumeric keyword of up to 127 characters (U.S. English) that has the same value as the key configured on the AAA server (TACACS+ or RADIUS). Additional characters are ignored. The key is the shared secret that protects traffic between the firewall and the server, so it must be the same on both systems. Spaces are not permitted in the key, but other special characters are.

The server key you enter is displayed in the AAA server group table in the Key column, so anyone who can view that page can read the shared secret.

Server Timeout

A retransmission timer that specifies how long the firewall device waits on each attempt to reach the AAA server; the firewall retries access four times before choosing the next AAA server in the group. Values are 1-30 seconds. Default is 5.
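The following Python program is an added example, not part of Firewall MC or of this guide. It encodes the limits stated above (14 groups, 14 servers per group, a key of up to 127 characters without spaces, a 1-30 second timeout) and simulates the failover the page describes: each server is tried four times, each attempt bounded by its timeout, before the next server in the group is used. The server addresses, keys and group name are constructed; the aaa-server lines produced by render use PIX 6.x syntax as an assumption, since the page shows only the LOCAL line; and treating the four retries as four attempts per server is likewise an assumption about the page's wording.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_GROUPS = 14               # limits stated on the page
MAX_SERVERS_PER_GROUP = 14
ATTEMPTS_PER_SERVER = 4       # "retries access (four times)" before the next server


@dataclass
class AAAServer:
    interface: str
    ip: str
    key: str
    timeout: int = 5          # seconds, 1-30

    def validate(self) -> "AAAServer":
        if not self.key or " " in self.key:
            raise ValueError(f"{self.ip}: key is required and may not contain spaces")
        if len(self.key) > 127:
            raise ValueError(f"{self.ip}: only the first 127 characters of the key are used")
        if not 1 <= self.timeout <= 30:
            raise ValueError(f"{self.ip}: timeout must be 1-30 seconds")
        return self


@dataclass
class AAAServerGroup:
    name: str
    protocol: str             # "RADIUS" or "TACACS+"
    servers: List[AAAServer] = field(default_factory=list)

    def validate(self) -> "AAAServerGroup":
        if not self.name or " " in self.name:
            raise ValueError("group name is required and may not contain spaces")
        if self.protocol not in ("RADIUS", "TACACS+"):
            raise ValueError(f"{self.name}: protocol must be RADIUS or TACACS+")
        if not 1 <= len(self.servers) <= MAX_SERVERS_PER_GROUP:
            raise ValueError(f"{self.name}: a group holds 1-{MAX_SERVERS_PER_GROUP} servers")
        for s in self.servers:
            s.validate()
        return self

    def render(self) -> List[str]:
        """aaa-server lines in PIX 6.x style (assumed syntax; the page shows only LOCAL)."""
        proto = "tacacs+" if self.protocol == "TACACS+" else "radius"
        lines = [f"aaa-server {self.name} protocol {proto}"]
        for s in self.servers:
            lines.append(f"aaa-server {self.name} ({s.interface}) host {s.ip} "
                         f"{s.key} timeout {s.timeout}")
        return lines


def validate_groups(groups: List[AAAServerGroup]) -> List[AAAServerGroup]:
    """Apply the per-firewall limits: at most 14 groups, each with a unique name."""
    if len(groups) > MAX_GROUPS:
        raise ValueError(f"at most {MAX_GROUPS} server groups are permitted")
    names = [g.name for g in groups]
    if len(set(names)) != len(names):
        raise ValueError("server group names must be unique")
    return [g.validate() for g in groups]


def authenticate(group: AAAServerGroup,
                 reachable: Callable[[str], bool]) -> Tuple[Optional[str], int, List[str]]:
    """Walk the group the way the firewall does on failure: every server gets
    ATTEMPTS_PER_SERVER tries, each bounded by its timeout, before the next one is used.
    Returns (answering server IP or None, simulated seconds spent, attempt log)."""
    elapsed, log = 0, []
    for s in group.servers:
        for attempt in range(1, ATTEMPTS_PER_SERVER + 1):
            if reachable(s.ip):
                log.append(f"{s.ip} attempt {attempt}: answered")
                return s.ip, elapsed, log
            elapsed += s.timeout
            log.append(f"{s.ip} attempt {attempt}: timeout after {s.timeout}s")
    return None, elapsed, log


def worst_case_seconds(group: AAAServerGroup) -> int:
    """Time a client can wait before the whole group is declared dead."""
    return sum(s.timeout * ATTEMPTS_PER_SERVER for s in group.servers)


# Constructed sample (not from the page): two TACACS+ servers on the inside interface.
ADMIN_AUTH = AAAServerGroup("AdminTacacs", "TACACS+", [
    AAAServer("inside", "10.1.1.5", "s3cretKey!", timeout=5),
    AAAServer("inside", "10.1.1.6", "s3cretKey!", timeout=10),
]).validate()

if __name__ == "__main__":
    print("\n".join(ADMIN_AUTH.render()))
    print(authenticate(ADMIN_AUTH, lambda ip: ip == "10.1.1.6"))
    print("worst case:", worst_case_seconds(ADMIN_AUTH), "seconds")
```

The worst_case_seconds figure is the one to check when sizing a group: with two servers at the default 5-second timeout, a client of a dead group waits 40 seconds before the firewall gives up, so long timeouts and long server lists compound.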


Deleting a AAA Server Group or Element


Step 1 Select Configuration > Building Blocks > AAA Server Group.

The AAA Server Group page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Defining Address Translation Pools

The Address Translation Pools feature allows you to create global address pools used in dynamic NAT rules.

Configuring address translation pools is a two-tier process. First, you create a pool. Second, you define the elements within that pool. You have the option of defining the elements while you are creating an address translation pool.

Creating or Editing an Address Translation Pool


Note While you are creating an address translation pool, you can insert an address pool element as part of the procedure.


The following procedure assumes you are defining an address translation pool and identifying a range of pool values within that pool group.


Step 1 Select Configuration > Building Blocks > Address Translation Pools.

The Address Translation Pool page appears.

Step 2 Do one of the following:

To add a pool group to the table, click Create.

The Enter Pool Name page appears.

To add a pool element to the table, select the check box for the row after which to insert a new row, then click Insert.

The Enter Pool Element page appears.

To edit a pool, select the check box for the row, then click Edit.

The Enter Pool Name page appears.

To edit a pool range, select the check box for the row, then click Edit.

The Enter Pool Element page appears.

Step 3 Enter the pool name to identify the address translation pool, for example, external addresses.

Step 4 Click Next.

The Enter Pool Element page appears.

Step 5 Select the interface from the list.

Step 6 To use the interface address as the closing PAT address, select the PAT check box.

Step 7 Enter address ranges and masks.

Step 8 Click Next.

The address translation pool summary page appears.

Step 9 Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note Settings enabled during configuration are displayed as true in the wizard summary page.



Table 10-5 describes the elements in the Address Translation Pool page.

Table 10-5 Address Translation Pool 

Element
Description

Interface

Logical name of interface that relates to use. Options are:

Inside—Connects to your internal network.

Outside—(Default) Connects to an external network or public Internet.

Interface PAT

Interface address defined as the final global address for PAT. When the check box is selected, the summary page shows this setting as true.

IP address(es)1

Set of addresses in address translation pool in addition to an interface address. Identifies type and value of addresses for pool. Can identify one of the following types:

Range of addresses

PAT address

PAT address associated with an interface

Enter zero or more elements separated by spaces, commas, or semicolons, for example, 192.168.1.1-192.168.1.5/24; 192.168.1.10-192.168.1.15, 192.168.1.20.

PAT: Use interface address for closing PAT check box

If check box is selected, the interface address is used as the final global address for PAT.

The selected checkbox is displayed as Yes in the address translation pool table in the Interface PAT column.

Address range(s)/Mask (optional)

Set of addresses in the address translation pool in addition to an interface address. Enter zero or more elements separated by spaces, commas, or semicolons, for example, 192.168.1.1-192.168.1.5/24; 192.168.1.10-192.168.1.15, 192.168.1.20.

1 Addresses to which the original addresses will be translated. If the firewall is exposing a host or network to users on the Internet, these must be valid public IP addresses registered to you through the appropriate Internet registry (for example, ARIN); private (RFC 1918) addresses are not routable on the Internet.
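The following Python program is an added example, not Firewall MC code and not from this guide. It parses a pool element string of the form shown above into individual global addresses (rejecting a range that leaves its masked network or overlaps another element), flags RFC 1918 addresses that would not be valid behind an Internet-facing interface, and simulates dynamic NAT with the interface address as the closing PAT address: hosts take pool addresses one for one until the pool is exhausted, then overflow to interface PAT if that box was checked, otherwise get no translation. The pool name, interface address and inside hosts are constructed, and 203.0.113.0/24 (a documentation range) stands in for registered public space.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pool_elements(spec: str) -> List[IPv4]:
    """Expand an element string such as
    '192.168.1.1-192.168.1.5/24; 192.168.1.10-192.168.1.15, 192.168.1.20'
    into the individual global addresses. Elements are separated by spaces, commas or
    semicolons; each is a single address or a 'first-last' range, optionally with a mask.
    A range that leaves the masked network, or overlaps another element, is rejected."""
    addrs: List[IPv4] = []
    for token in re.split(r"[;,\s]+", spec.strip()):
        if not token:
            continue
        rng, _, mask = token.partition("/")
        first_s, _, last_s = rng.partition("-")
        first = IPv4(first_s)
        last = IPv4(last_s) if last_s else first
        if last < first:
            raise ValueError(f"{token}: range end precedes range start")
        if mask:   # accepts either a prefix length (/24) or a dotted mask
            net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
            if last not in net:
                raise ValueError(f"{token}: range crosses the {net} boundary")
        addrs.extend(IPv4(n) for n in range(int(first), int(last) + 1))
    if len(set(addrs)) != len(addrs):
        raise ValueError("pool elements overlap")
    return addrs


@dataclass
class AddressTranslationPool:
    name: str
    interface: str
    interface_address: str
    elements: str = ""
    interface_pat: bool = False                  # "use interface address for closing PAT"
    addresses: List[IPv4] = field(init=False)

    def __post_init__(self):
        self.addresses = parse_pool_elements(self.elements)
        if not self.addresses and not self.interface_pat:
            raise ValueError(f"{self.name}: pool has no addresses and no interface PAT")

    def rfc1918_addresses(self) -> List[str]:
        """Pool entries from private space; for a pool that faces the Internet this
        list should be empty (see footnote 1 above)."""
        return [str(a) for a in self.addresses if any(a in n for n in RFC1918)]


def translate(pool: AddressTranslationPool,
              inside_hosts: List[str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Dynamic NAT hands each new inside host its own pool address; when the pool is
    exhausted, hosts overflow to the interface address with PAT if that is enabled,
    otherwise they get no translation (and, on the device, no connection)."""
    free = list(pool.addresses)
    result: Dict[str, Tuple[Optional[str], str]] = {}
    for host in inside_hosts:
        if free:
            result[host] = (str(free.pop(0)), "NAT")
        elif pool.interface_pat:
            result[host] = (pool.interface_address, "PAT")
        else:
            result[host] = (None, "pool exhausted")
    return result


# Constructed sample: the page's example element string moved into documentation space.
OUTSIDE_POOL = AddressTranslationPool(
    "external-addresses", "outside", "203.0.113.1",
    "203.0.113.10-203.0.113.14/24; 203.0.113.20-203.0.113.25, 203.0.113.30",
    interface_pat=True)

if __name__ == "__main__":
    hosts = [f"10.0.0.{i}" for i in range(1, 15)]
    for h, (g, how) in translate(OUTSIDE_POOL, hosts).items():
        print(f"{h:<10} -> {g} ({how})")
    print("private entries:", OUTSIDE_POOL.rfc1918_addresses())
```

With twelve pool addresses and fourteen inside hosts, the last two hosts share the interface address under PAT; without the PAT check box they would get no translation at all, which is the failure mode to plan for when a pool is sized smaller than the inside population.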


Deleting an Address Translation Pool or Element


Step 1 Select Configuration > Building Blocks > Address Translation Pools.

The Address Translation Pool page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

As the page refreshes, you are prompted with another popup window if access rules or translation rules are affected by the deletion. You will need to review the rules tables and make corrections as needed.

Step 4 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Defining IPSec Transform Sets

The IPSec Transform Sets feature lets you add, edit, and delete transform sets. Transform sets are used in the definition of IPSec tunnel templates, which are used for creating site-to-site and dynamic tunnels. A transform set represents a particular combination of security protocols and algorithms. During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting the data flow. A transform set specifies the IPSec protocol, encryption algorithm, and hash algorithm to use on traffic matching the IPSec policy.

When defining a transform set, you can specify the AH (Authentication Header) protocol, the ESP (Encapsulating Security Payload) protocol, or both. If you are using ESP, you can specify either just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform. To access this feature, select Configuration > Building Blocks > IPSec Transform Sets.

Adding or Editing an IPSec Transform Set


Step 1 Select Configuration > Building Blocks > IPSec Transform Sets.

The IPSec Transform Sets page appears.

Step 2 Use the Object Selector to select the scope for the IPSec transform set. This scope determines which devices will be able to use the transform set. If you want the transform set to be available to all devices, select the Global group.

Step 3 Do one of the following:

To add a row to the table, click Add.

To edit a row, select the check box for the row, then click Edit.

The Enter Transform Set Data dialog box appears.

Step 4 Enter a descriptive name for the transform set.

Step 5 Select the radio button that corresponds to the type of IPSec connection to which this transform set applies. You can use the IPSec protocols AH and ESP to protect an entire IP payload (Tunnel mode) or just the upper-layer protocols of an IP payload (Transport mode). Tunnel mode is most commonly used for site-to-site VPNs; transport mode is most commonly used with remote access VPNs.

Step 6 To enable ESP encryption, select the algorithm to use for encryption from the ESP Encryption list.


Note To support 3DES encryption, the firewall must have a 3DES license. Otherwise, only DES is supported.

To support AES encryption, the firewall must be running PIX OS 6.3(x) or later.


Step 7 To enable ESP authentication, select the algorithm to use for authentication from the ESP Authentication list.

Step 8 To enable AH authentication, select the algorithm to use for authentication from the AH Authentication list.

Step 9 Click OK.

The IPSec transform set is created and added to the list of transform sets on the IPSec Transform Sets page. The transform set can now be used in the definition of IPSec tunnel templates which are used for creating site-to-site and dynamic tunnels.


Table 10-6 describes the elements on the IPSec Transform Sets page and in the Enter Transform Set Data dialog box.

Table 10-6 IPSec Transform Sets 

Element
Description

Name

Identifies the name of the transform set.

Mode

Identifies the mode in which IPSec operates. You can use the IPSec protocols AH and ESP to protect an entire IP payload (Tunnel mode) or just the upper-layer protocols of an IP payload (Transport mode). Options are:

Tunnel Mode (default)—Tunnel mode encapsulates the entire IP packet. The IPSec header is added between the original IP header and a new IP header that is created. Tunnel mode is used when the firewall is protecting traffic to and from hosts positioned behind the firewall. Tunnel mode is the normal way IPSec is implemented between two firewalls (or other security gateways) that are connected over an untrusted network, such as the public Internet.

Transport Mode—Transport mode encapsulates only the upper-layer protocols of an IP packet. The IPSec header is inserted between the IP header and the upper-layer protocol header (such as TCP). Transport mode requires that both the source and destination hosts support IPSec and can only be used when the destination peer of the tunnel is the final destination of the IP packet.

ESP Encryption

Identifies the ESP encryption algorithm for this transform set. ESP is an IP protocol (type 50) that ensures message privacy through encryption, as well as data integrity, authentication, and replay detection. Encapsulating Security Payload (ESP) is the IPSec protocol used in the default transform sets provided with PIX Firewall. Options are:

None—Select None for the ESP Encryption value if this transform set does not use ESP for encryption or authentication. If you select None for ESP Encryption, you must also select None for ESP Authentication. If you are using ESP authentication without encryption, you should select Null for the ESP Encryption value.

Null—Select Null for the ESP Encryption value if this transform set uses ESP authentication without ESP encryption. If you select Null for ESP Encryption, you must select a value for ESP Authentication.

DES (Data Encryption Standard)—Performs encryption using 56-bit keys. A 56-bit key is within reach of brute-force search, so use DES only for interoperability with a peer that supports nothing stronger.

3DES (Triple DES)—Performs encryption three times using 56-bit keys. 3DES is more secure than DES but requires more processing for encryption and decryption. To support 3DES encryption, the firewall must have a 3DES license. Otherwise, only DES is supported.

AES (Advanced Encryption Standard)—Performs encryption using 128-bit keys. To support AES encryption, the firewall must be running PIX OS 6.3(x) or later.

ESP Encryption (cont.)

AES-192 (192-bit Advanced Encryption Standard)—Performs encryption using 192-bit keys. To support AES encryption, the firewall must be running PIX OS 6.3(x) or later.

AES-256 (256-bit Advanced Encryption Standard)—Performs encryption using 256-bit keys. To support AES encryption, the firewall must be running PIX OS 6.3(x) or later.

ESP Authentication

Identifies the ESP hash algorithm used in this transform set. A hash algorithm is used to create a message digest, which is used for ensuring message integrity. Options are:

None—Does not perform ESP authentication.

SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.

MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than does SHA; prefer SHA where both peers support it.

AH Authentication

Identifies the Authentication Header hash algorithm used in this transform set. Authentication Header is an IP protocol (type 51) that can ensure data integrity, authentication, and replay detection. AH does not provide encryption and has been largely superseded by ESP. AH may be required when the remote peer does not support ESP.

A hash algorithm is used to create a message digest, which is used for ensuring message integrity. Options are:

None—Does not perform AH authentication

SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.

MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than does SHA.

Scope

The scope at which this building block is available. Devices at or below this scope can use this transform set to create tunnel templates. The scope of an IPSec transform set is determined by the scope that was selected in the Object Selector when you created the IPSec transform set.


Deleting an IPSec Transform Set


Step 1 Select Configuration > Building Blocks > IPSec Transform Sets.

The IPSec Transform Sets page appears.

Step 2 Use the Object Selector to select the scope of the IPSec transform set. For example, if the transform set was created under Global, then you must select Global to delete the transform set.

Step 3 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 4 Click OK.

If the IPSec transform set is used by any IPSec tunnel templates, you are prompted with another popup window informing you of the templates that reference the transform set. You will need to make corrections as needed.

Step 5 Click OK.

The IPSec transform set is deleted from the list of transform sets on the IPSec Transform Sets page.


Defining IPSec Tunnel Templates

The IPSec Tunnel Templates feature allows you to define tunnel policies that are used when creating site-to-site and dynamic tunnels. To access this feature, select Configuration > Building Blocks > IPSec Tunnel Templates.

Adding or Editing an IPSec Tunnel Template


Step 1 Select Configuration > Building Blocks > IPSec Tunnel Templates.

The IPSec Tunnel Templates page appears.

Step 2 Use the Object Selector to select the scope of the IPSec tunnel template. This scope determines which devices will be able to use the template. If you want the IPSec tunnel template to be available to all devices, select the Global group.

Step 3 Do one of the following:

To add a row to the table, click Add.

To edit a row, select the check box for the row, then click Edit.

The Enter Tunnel Template Data page appears.

Step 4 Enter a descriptive name for the tunnel template.

Step 5 To identify the lifetime of the IPSec security association:

a. Enter the number of kilobytes of traffic that can flow through the tunnel before the tunnel expires.

b. Enter the number of seconds that the tunnel can be used before the tunnel expires.

Step 6 To enable perfect forward secrecy (PFS):

a. Select the Enable Perfect Forwarding Secrecy check box.

b. Select the required Diffie-Hellman key derivation algorithm:

Group 1: 768-bit Diffie-Hellman prime modulus.

Group 2: 1024-bit Diffie-Hellman prime modulus.

Group 5: 1536-bit Diffie-Hellman prime modulus.


Note Support for Diffie-Hellman Group 5 is introduced with PIX OS version 6.3. PIX OS versions prior to 6.3 only support Diffie-Hellman Group 1 and 2.

The larger the modulus, the higher the security and the more processing time required.


Step 7 Click Next.

The Select IPSec Transform Sets page appears.

Step 8 Identify the transform sets to use with this template by selecting the desired transform sets in the Available Transform Set list and clicking Select=>. You can select up to six transform sets per template.

Step 9 To reorder the transform sets for this template, select a transform set in the Selected Transform Sets list and click Move Up or Move Down. During the IPSec security association negotiation, the peers search for a transform set that is the same at both peers. You should order the transform sets according to your security policy, typically from most secure to least secure.

Step 10 Click Next.

The Summary page appears.

Step 11 Verify that the information is correct, and then click OK.

The IPSec tunnel template is created and added to the list of templates on the IPSec Tunnel Templates page. The template can now be used to create site-to-site and dynamic tunnels.


Table 10-7 describes the elements on the IPSec Tunnel Templates page and in the Create IPSec Tunnel Templates wizard.

Table 10-7 IPSec Tunnel Templates 

Element
Description

Name
(Template Name)

Identifies the name of IPSec tunnel template.

SA Lifetime
(Time)

Identifies the lifetime of the IPSec security association in terms of the length of time (in seconds) it can be used before it expires. The default is 28800 seconds (8 hours).

SA Size
(Size)

Identifies the lifetime of the IPSec security association in terms of the amount of traffic (in kilobytes) that can flow through the tunnel before it expires. The default is 4608000 kilobytes.

PFS

Identifies the Diffie-Hellman group that is used for determining keys when perfect forward secrecy is enabled (DH1, DH2, or DH5). If a particular IPSec tunnel template does not use perfect forward secrecy, the PFS column for that template will contain the word "Disabled".

Perfect forward secrecy is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. This option increases the level of security, but at the same time increases processor overhead. Therefore, use PFS only if the sensitivity of the data mandates it. The strength of the Diffie-Hellman exchange is configurable:

DH1: 768-bit Diffie-Hellman prime modulus.

DH2: 1024-bit Diffie-Hellman prime modulus.

DH5: 1536-bit Diffie-Hellman prime modulus.

Note Support for Diffie-Hellman Group 5 is introduced with PIX OS version 6.3. PIX OS versions prior to 6.3 only support Diffie-Hellman Group 1 and 2.

The larger the modulus, the higher the security and the more processing time required.

Enable Perfect Forwarding Secrecy check box

Controls whether perfect forward secrecy is used with this IPSec tunnel template. To enable perfect forward secrecy, select the Enable Perfect Forwarding Secrecy check box. If you enable perfect forward secrecy, you must select the Diffie-Hellman group to use for deriving keys.

Diffie-Hellman Group

Identifies the Diffie-Hellman key derivation algorithm to use with PFS. Diffie-Hellman is a public key operation that provides a method for two IPSec peers to agree on a key to use.

To perform the Diffie-Hellman operation, both sides must agree to use a number or group for the mathematical calculation. PIX OS versions prior to 6.3 support group 1 (768 bits) and group 2 (1024 bits). PIX OS version 6.3 and later adds support for Group 5 (1536 bits), which provides higher security for the Diffie-Hellman operation. Options are:

Group 1: 768-bit Diffie-Hellman prime modulus.

Group 2: 1024-bit Diffie-Hellman prime modulus.

Group 5: 1536-bit Diffie-Hellman prime modulus.

Transform Sets

Identifies the transform sets used with this template. During the IPSec security association negotiation, the peers search for a transform set that is the same at both peers.

Available Transform Sets

Lists the IPSec transform sets that can be selected for this IPSec tunnel template. See Defining IPSec Transform Sets.

Selected Transform Sets

Lists the IPSec transform sets that have been selected for this IPSec tunnel template. You can select up to six transform sets per template.

Select=>

Moves the selected transform sets from the Available Transform Set list to the Selected Transform Sets list. You can select multiple transform sets by holding down the Ctrl key while selecting. During the IPSec security association negotiation, the peers search for a transform set that is the same at both peers.

<=Remove

Moves the selected transform sets from the Selected Transform Set list to the Available Transform Sets list. You can select multiple transform sets by holding down the Ctrl key while selecting.

Move Up

Moves the selected transform set in the Selected Transform Sets list up. You should order the transform sets according to your security policy, typically from most secure to least secure.

Move Down

Moves the selected transform set in the Selected Transform Sets list down. You should order the transform sets according to your security policy, typically from most secure to least secure.

Scope

The scope at which this building block is available. Devices at or below this scope can use this tunnel template to create site-to-site and dynamic tunnels. The scope of an IPSec tunnel template is determined by the scope that was selected in the Object Selector when you created the IPSec tunnel template.
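The following Python program is an added example, not Firewall MC code and not from this guide; it covers both the transform-set rules in Table 10-6 and the tunnel-template negotiation described in Step 9 and Table 10-7. It enforces the combinations the wizard allows (None ESP encryption only with None ESP authentication, Null ESP encryption only with an ESP authentication value, 3DES only with a license, AES and DH group 5 only on PIX OS 6.3 or later, one to six transform sets per template) and models the peer search: the first set in the initiator's order whose algorithms and mode the responder also offers. Names and algorithm choices are constructed; the crypto ipsec transform-set keywords emitted by render are assumed from PIX 6.x syntax, and PFS agreement is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Wizard choices mapped to PIX transform keywords (keyword names assumed from PIX 6.x
# syntax; the page itself only names the algorithms).
ESP_ENCRYPTION = {"None": None, "Null": "esp-null", "DES": "esp-des", "3DES": "esp-3des",
                  "AES": "esp-aes", "AES-192": "esp-aes-192", "AES-256": "esp-aes-256"}
ESP_AUTHENTICATION = {"None": None, "SHA": "esp-sha-hmac", "MD5": "esp-md5-hmac"}
AH_AUTHENTICATION = {"None": None, "SHA": "ah-sha-hmac", "MD5": "ah-md5-hmac"}


@dataclass(frozen=True)
class TransformSet:
    name: str
    esp_encryption: str = "None"
    esp_authentication: str = "None"
    ah_authentication: str = "None"
    mode: str = "Tunnel"

    def validate(self, pix_os: Tuple[int, int] = (6, 3),
                 has_3des_license: bool = True) -> "TransformSet":
        if self.esp_encryption == "None" and self.esp_authentication != "None":
            raise ValueError(f"{self.name}: ESP Encryption None requires ESP Authentication None")
        if self.esp_encryption == "Null" and self.esp_authentication == "None":
            raise ValueError(f"{self.name}: Null ESP encryption needs an ESP Authentication value")
        if self.esp_encryption == "None" and self.ah_authentication == "None":
            raise ValueError(f"{self.name}: select ESP, AH, or both")
        if self.esp_encryption == "3DES" and not has_3des_license:
            raise ValueError(f"{self.name}: 3DES requires a 3DES license")
        if self.esp_encryption.startswith("AES") and pix_os < (6, 3):
            raise ValueError(f"{self.name}: AES requires PIX OS 6.3 or later")
        if self.mode not in ("Tunnel", "Transport"):
            raise ValueError(f"{self.name}: mode must be Tunnel or Transport")
        return self

    def transforms(self) -> Tuple[str, ...]:
        return tuple(t for t in (AH_AUTHENTICATION[self.ah_authentication],
                                 ESP_ENCRYPTION[self.esp_encryption],
                                 ESP_AUTHENTICATION[self.esp_authentication]) if t)

    def proposal(self) -> Tuple[Tuple[str, ...], str]:
        """What is actually compared between peers: algorithms plus mode, never the local name."""
        return self.transforms(), self.mode

    def render(self) -> List[str]:
        lines = [f"crypto ipsec transform-set {self.name} {' '.join(self.transforms())}"]
        if self.mode == "Transport":
            lines.append(f"crypto ipsec transform-set {self.name} mode transport")
        return lines


@dataclass
class TunnelTemplate:
    name: str
    transform_sets: List[TransformSet]          # ordered most to least preferred
    sa_lifetime_seconds: int = 28800            # page defaults
    sa_lifetime_kilobytes: int = 4608000
    pfs_group: Optional[int] = None             # None = PFS disabled; else 1, 2 or 5

    def validate(self, pix_os: Tuple[int, int] = (6, 3)) -> "TunnelTemplate":
        if not 1 <= len(self.transform_sets) <= 6:
            raise ValueError(f"{self.name}: a template takes 1-6 transform sets")
        if self.pfs_group not in (None, 1, 2, 5):
            raise ValueError(f"{self.name}: PFS group must be 1, 2 or 5")
        if self.pfs_group == 5 and pix_os < (6, 3):
            raise ValueError(f"{self.name}: DH group 5 requires PIX OS 6.3 or later")
        if self.sa_lifetime_seconds <= 0 or self.sa_lifetime_kilobytes <= 0:
            raise ValueError(f"{self.name}: SA lifetimes must be positive")
        return self


def negotiate(initiator: TunnelTemplate, responder: TunnelTemplate) -> Optional[TransformSet]:
    """Transform-set selection as the page describes it: the first set in the initiator's
    order that the responder also has (compared by content, not by name)."""
    offered = {ts.proposal() for ts in responder.transform_sets}
    for ts in initiator.transform_sets:
        if ts.proposal() in offered:
            return ts
    return None


# Constructed sample (not from the page).
AES_SHA = TransformSet("aes256-sha", "AES-256", "SHA").validate()
TDES_SHA = TransformSet("3des-sha", "3DES", "SHA").validate()
DES_MD5 = TransformSet("des-md5", "DES", "MD5").validate()
AH_ONLY = TransformSet("ah-sha", ah_authentication="SHA").validate()

HQ = TunnelTemplate("hq-to-branch", [AES_SHA, TDES_SHA, DES_MD5], pfs_group=2).validate()
OLD_BRANCH = TunnelTemplate("branch", [TransformSet("legacy", "3DES", "SHA"), DES_MD5]
                            ).validate(pix_os=(6, 2))

if __name__ == "__main__":
    print("\n".join(line for ts in HQ.transform_sets for line in ts.render()))
    print("agreed:", negotiate(HQ, OLD_BRANCH).name)
```

Ordering matters because the outcome follows the initiator's list: with the sets ordered AES-256/SHA, 3DES/SHA, DES/MD5, a peer that lacks AES still lands on 3DES rather than DES, whereas putting DES first would select it against every peer that accepts it.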


Deleting an IPSec Tunnel Template


Step 1 Select Configuration > Building Blocks > IPSec Tunnel Templates.

The IPSec Tunnel Templates page appears.

Step 2 Use the Object Selector to select the scope of the IPSec tunnel template. For example, if the template was created under Global, then you must select Global to delete the template.

Step 3 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 4 Click OK.

If the IPSec tunnel template is used by any site-to-site or dynamic tunnels, you are prompted with another popup window informing you of the tunnels that reference the template. You will need to make corrections as needed.

Step 5 Click OK.

The IPSec tunnel template is deleted from the list of templates on the IPSec Tunnel Templates page.