Table Of Contents
Generating and Verifying Configuration Files
Viewing Configurations
Viewing a Configuration Difference Report
Viewing a Device Settings Report
Understanding Policy Query
Viewing a Policy Query
Generating and Verifying Configuration Files
Generating configuration files for your firewall devices and verifying that those files enforce the expected policy are critical to basic security maintenance. It's also important to make sure that firewall devices are running the expected configurations.
Topics to be discussed are:
•
Viewing Configurations
•
Viewing a Configuration Difference Report
•
Viewing a Device Settings Report
•
Understanding Policy Query
•
Viewing a Policy Query
Viewing Configurations
After you populate your system with devices, assign devices to groups, and configure your settings, access rules, and translation rules, you can generate a configuration file to view configuration information for each device so that you can verify content accuracy. If you have approval authority, you can generate a configuration file for each device associated with an activity before you approve the activity. The generated file includes a summary of caveats at the beginning of the file and inline caveats, if any exist. You can click a caveat in the summary to locate the caveat in the configuration file. To access this feature, select Configuration > View Config.
Note
You can view configurations only at the device level.
You can also view configurations during deployment. For more information, see "Deploying Configuration Files."
Step 1
Select Configuration > View Config.
The View Config page appears.
Step 2
From the Object Selector, select the firewall device for which to generate a configuration file.
Step 3
Select Generate Config.
Step 4
Wait a few minutes for the data to be compiled.
Timesaver
To view the configuration file for another device, select that device in the Object Selector on the View Config page. You do not need to click Generate Config again. The data is compiled each time you select a new device.
Viewing a Configuration Difference Report
Firewall MC provides a report that identifies whether a device's running configuration matches the latest configuration deployed to that device. It also identifies whether a device is using a configuration that can be replaced by a more recent, approved configuration. To access this feature, select Reports > Configuration Differences.
Note
This feature is the same as selecting either Generate and View Difference With Last Deployed Config or Generate and View Difference With Running Config from Configuration > View Config.
Firewall MC can compare two different configurations:
•
Last deployed with last approved configuration—Both configurations are stored in Firewall MC. Both are generated for comparison.
Firewall MC can check a device within a device group and compare the last deployed configuration with the last approved configuration. If the last approved configuration is newer than the last deployed configuration, or if the information differs, the device is identified as a stale device (a device that uses a configuration that can be replaced by a more recent, approved configuration).
•
Last deployed and current running configuration—The last deployed configuration is generated and compared with the actual configuration obtained from a live device.
Firewall MC runs a device task that fetches the crypto checksum of the running configuration from the device and compares it with the checksum of the last deployed configuration stored in Firewall MC. If the checksums differ, the device is identified as a stale device. A checksum mismatch tells you only that the two configurations differ, not which lines changed; open the difference report for that.
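The check described in the second comparison, as an added example written for this page rather than Firewall MC's own code: hash the configuration last deployed to a device and the configuration pulled from the device, flag the device as stale when the hashes differ, and then produce the line-level report that the checksum alone cannot give. SHA-256 stands in for the device's crypto checksum (the real algorithm is device specific), and both configurations are constructed for the example.

```python
"""Running-versus-deployed drift check with a line-level difference report.
Constructed example; the configurations below are made up and SHA-256 is a
stand-in for the device's own crypto checksum."""
import difflib
import hashlib

# Constructed sample: the configuration last pushed to fw-edge-1.
LAST_DEPLOYED = """\
hostname fw-edge-1
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""

# Constructed sample: what the device is actually running. Someone added a
# permit for SSH from anywhere without going through the approval workflow.
RUNNING = """\
hostname fw-edge-1
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit tcp any host 192.0.2.10 eq 22
access-list outside_in deny ip any any

access-group outside_in in interface outside
"""


def normalize(config: str) -> list:
    """Drop blank lines and trailing whitespace so cosmetic differences
    (a stray blank line, CRLF endings) do not register as drift."""
    return [line.rstrip() for line in config.splitlines() if line.strip()]


def checksum(config: str) -> str:
    """Hex digest over the normalized configuration text."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def is_stale(deployed: str, running: str) -> bool:
    """A device is stale when its running configuration no longer matches
    the configuration last deployed to it."""
    return checksum(deployed) != checksum(running)


def difference_report(deployed: str, running: str) -> list:
    """Unified diff from the deployed to the running configuration; empty
    when nothing differs. This is what tells you *which* lines changed."""
    return list(difflib.unified_diff(normalize(deployed), normalize(running),
                                     fromfile="last_deployed", tofile="running",
                                     lineterm="", n=0))


def unexpected_lines(deployed: str, running: str) -> list:
    """Lines present on the device but absent from the deployed config: the
    first thing to review, since they never passed through approval."""
    return [line[1:] for line in difference_report(deployed, running)
            if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    print("stale:", is_stale(LAST_DEPLOYED, RUNNING))
    print("\n".join(difference_report(LAST_DEPLOYED, RUNNING)))
    print("unexpected:", unexpected_lines(LAST_DEPLOYED, RUNNING))
```

Normalizing before hashing is deliberate: without it a trailing blank line would flag every device as stale and bury the one change that matters.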
Step 1
Select Reports > Configuration Differences.
The Configuration Differences page appears.
Step 2
Select a device or device group from the Select Device or Group tree.
Step 3
Select one of the following:
•
The approved configuration does not match the deployed configuration—Displays devices whose last approved configuration does not match the last deployed configuration.
•
The deployed configuration does not match the running configuration—Displays devices whose last deployed configuration does not match the running configuration.
Step 4
Click View.
Figure 14-1 shows the Devices with Configuration Differences popup window with the results. The results are similar for both comparison options shown in Step 3.
Figure 14-1 Devices with Configuration Differences Popup Window
Callout 1 (Devices): Displays a single device or all devices contained within a group.
Callout 2 (Operations): Displays a link to view a configuration difference report, or an error message if a device failed to respond.
Step 5
From the popup window, click View Configuration Differences in the Operations column to display the report.
Note
For configurations that have never been deployed to the device, a message is shown in the table, but the message does not have a link to view configuration differences.
Figure 14-2 shows the comparison report, which is similar for both comparison options in Step 3.
Figure 14-2 Configuration Differences Report
The time shown in each column indicates when the last deployed configuration was deployed and when the running configuration was pulled from the device for comparison.
Step 6
Close the window after you view its contents.
Viewing a Device Settings Report
Firewall MC allows you to view a report that identifies device settings for a device or device group. This report also identifies whether a particular setting is inherited, mandatory, or overridden.
Step 1
Select Reports > Settings.
The Settings page appears.
Step 2
Select a device or device group from the Select Device and Group tree.
Step 3
Select one of the following:
•
Show inheritance only—displays only the states of settings (inherited, mandatory, or overridden). See Figure 14-3.
•
Show inheritance and values—displays states of settings and their values. See Figure 14-4.
Step 4
Click View.
A popup window displays report information for the device or device group you selected. If the setting is in the override state, the default option was modified by an end user.
Note
The report information omits ACLs, NAT rules, and Building Blocks.
Figure 14-3 Inheritance Only Settings Report
Figure 14-4 Inheritance and Values Settings Report
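The inheritance states this report shows, worked through as an added example that is not Firewall MC's own code: walk a device's group hierarchy from the global group down and label each setting inherited, mandatory, or overridden. The groups, device and setting names are constructed, and the example assumes the semantics the page implies: a mandatory setting at a group is enforced on every descendant (a value a descendant sets for it is ignored), while a default value may be replaced lower down, which is the overridden state.

```python
"""Settings report over a group hierarchy. Constructed example; the scopes
and settings are made up, and the mandatory/override semantics are an
assumption about how group settings are resolved."""
from dataclasses import dataclass, field


@dataclass
class Scope:
    """A group or a device. settings maps name -> (value, mandatory)."""
    name: str
    settings: dict = field(default_factory=dict)
    parent: object = None   # enclosing Scope, None for the global group


def lineage(scope: Scope) -> list:
    """Scopes from the global root down to scope itself."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = scope.parent
    chain.reverse()
    return chain


def settings_report(scope: Scope) -> dict:
    """Return {setting: (effective value, state, scope that supplies it)}.
    States: mandatory (locked here or by an ancestor), overridden (this
    scope replaces a value it would otherwise inherit), inherited (value
    comes from an ancestor untouched), local (set here with no ancestor
    value, which in practice only happens at the global group)."""
    report = {}
    for s in lineage(scope):
        for name, (value, mandatory) in s.settings.items():
            current = report.get(name)
            if current is not None and current[1] == "mandatory":
                continue            # locked above; this scope's value is ignored
            if mandatory:
                state = "mandatory"
            elif s is not scope:
                state = "inherited"
            elif current is not None:
                state = "overridden"
            else:
                state = "local"
            report[name] = (value, state, s.name)
    return report


def ignored_settings(scope: Scope) -> list:
    """Settings this scope defines that a mandatory ancestor locks: edits an
    operator may believe took effect but which never reach the generated
    configuration."""
    report = settings_report(scope)
    return sorted(n for n in scope.settings if report[n][2] != scope.name)


# Constructed hierarchy: Global -> DMZ group -> device fw-dmz-1.
GLOBAL = Scope("Global", {
    "logging": ("enabled", True),         # mandatory: nobody may turn it off
    "conn_timeout": ("1:00:00", False),   # default: groups may change it
    "icmp_unreachable": ("disabled", False),
})
DMZ = Scope("DMZ", {"conn_timeout": ("0:30:00", False)}, parent=GLOBAL)
FW1 = Scope("fw-dmz-1", {
    "logging": ("disabled", False),       # ignored: locked at Global
    "icmp_unreachable": ("enabled", False),
}, parent=DMZ)

if __name__ == "__main__":
    for name, (value, state, origin) in sorted(settings_report(FW1).items()):
        print(f"{name:18} {value:10} {state:10} from {origin}")
    print("ignored:", ignored_settings(FW1))
```

The `ignored_settings` list is the part worth adding to a review: a device-level attempt to disable logging under a mandatory global setting is exactly the kind of silent no-op that an inheritance-only report makes visible.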
Understanding Policy Query
You might want to know how many rules contain a particular network object or service before you create a new rule, clean up redundant rules, or identify and delete rules that have no effect on your network. You can compose a query that describes a set of packets. The results of the query identify all rules in the global policy that could affect the defined packets. Based on the results, you can add or delete rules as needed. The elements on which a query is based are:
•
Source and destination—Default is any. You can specify a set of network objects or IP networks.
•
Service—Default is IP. You can specify a set of services, service groups, or protocols and associated port or message types.
•
Interface—Default is any interface, which is represented as all in the GUI. You can specify incoming interfaces.
•
Rule type—Some combination of firewall, AAA, and web filter rules.
•
Actions—Depending on the rule type, you can specify different actions (for example firewall rules have permit and deny actions).
Based on the device hierarchy, you have two approaches for determining which rule tables to consider:
•
Consider only rules at the current level and above. A single ordered list of rules results. Only a partial set of rules for the devices within the group is displayed. To access this option, select Query this scope only from the GUI.
•
Consider rules for all devices that are descendants of the current level. Multiple ordered lists result, one for each subgroup or device. To access this option, select Query this scope and contained groups and devices (default) from the GUI.
For a given table, the query is compared with each rule in the table. If the packet space described by the query intersects the packet space of the rule, the rule is added to the query results. Calculations are based on a tuplespace (source, destination, and service). The query results identify the following:
•
Complete Match—The rule covers every element of the query tuplespace.
•
Partial Match—The rule covers only part of the query tuplespace (the rule and the query overlap, but the rule does not contain the whole query).
•
No Effect—The rule intersects the query but is blocked by a matching rule that precedes it, or a conflict exists that has no effect on the queried packets. Some examples are:
–
You might have two matching rules, A and B. Rule A appears in an ACL list before Rule B. Both rules have the same interface. Rule A's source address, destination address, and services are equivalent to, or contain, those of Rule B. Rule B is blocked by Rule A. Rule B has no effect.
–
You might have a global mandatory rule that permits a service, but the rule at the device level denies the service. Since rules are recognized on a first-match order, after discovering a match at the mandatory global scope, no other rules are checked. The conflict has no effect.
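The matching logic described in this section, written out as an added example that is not Firewall MC's own code: each rule of an ordered table is compared with a query packet space (source, destination, protocol and port range, incoming interface) and classified as Complete Match, Partial Match, or No Effect under first-match evaluation, covering both shadowing cases above (rule A contains rule B; an earlier rule already matches everything the query asked about). The rule table, the query, and the decision to treat disabled rules as non-blocking are constructed for the example.

```python
"""Policy-query classifier over an ordered firewall rule table. Constructed
example; the rules and the query are made up for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Space:
    """A set of packets: source and destination CIDR, protocol, inclusive
    destination port range, and incoming interface ("all" for any)."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    ports: tuple = ANY_PORTS
    iface: str = "all"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    space: Space
    enabled: bool = True


def contains(a: Space, b: Space) -> bool:
    """True when every packet in b is also in a (b is shadowed by a)."""
    return (ip_network(a.src).supernet_of(ip_network(b.src))
            and ip_network(a.dst).supernet_of(ip_network(b.dst))
            and (a.proto == "ip" or a.proto == b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
            and (a.iface == "all" or a.iface == b.iface))


def overlaps(a: Space, b: Space) -> bool:
    """True when at least one packet lies in both a and b."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.proto == "ip" or b.proto == "ip" or a.proto == b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]
            and (a.iface == "all" or b.iface == "all" or a.iface == b.iface))


def classify(query: Space, rules: list, include_disabled: bool = False) -> list:
    """Return (rule number, action, status) for each rule that intersects the
    query, in table order. Disabled rules never block anything and are listed
    only on request. A rule has No Effect when an earlier enabled rule fully
    contains it, or when an earlier enabled rule already matched the whole
    query, so none of the queried packets ever reach it (first match wins,
    regardless of whether the actions agree)."""
    results = []
    blockers = []            # enabled rules seen so far
    query_consumed = False   # an earlier enabled rule completely matched the query
    for rule in rules:
        if not rule.enabled and not include_disabled:
            continue
        if overlaps(rule.space, query):
            if query_consumed or any(contains(b.space, rule.space) for b in blockers):
                status = "No Effect"
            elif contains(rule.space, query):
                status = "Complete Match"
                if rule.enabled:
                    query_consumed = True
            else:
                status = "Partial Match"
            results.append((rule.number, rule.action, status))
        if rule.enabled:
            blockers.append(rule)
    return results


# Constructed rule table for one interface's ACL, in evaluation order.
RULES = [
    Rule(1, "permit", Space("10.1.0.0/16", "192.0.2.0/24", "tcp", (443, 443), "outside")),
    Rule(2, "deny",   Space("10.1.2.0/24", "192.0.2.10/32", "tcp", (443, 443), "outside")),  # inside rule 1
    Rule(3, "permit", Space("0.0.0.0/0",  "192.0.2.0/24", "tcp", (1, 1024), "outside")),
    Rule(4, "deny",   Space("0.0.0.0/0",  "0.0.0.0/0",    "ip")),                            # catch-all
]
# Constructed query: what acts on web traffic from 10.1.2.0/24 to host 192.0.2.10?
QUERY = Space("10.1.2.0/24", "192.0.2.10/32", "tcp", (80, 443), "outside")

if __name__ == "__main__":
    for number, action, status in classify(QUERY, RULES):
        print(f"rule {number:2} {action:6} {status}")
```

Rule 2 is the textbook shadow from the first example above: it denies a subset of what rule 1 already permits, so the deny never fires. Rule 4 is reported as No Effect for this query only because rule 3 completely matches it; against a different query the catch-all would of course matter.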
Viewing a Policy Query
Step 1
Select Reports > Policy Query.
The Policy Query page appears.
Step 2
Select the highest level within the group hierarchy to query. You can click Select to open a popup window from which to make your selection.
Step 3
Select whether your query pertains to only the selected scope or the selected scope and all scopes contained within.
Step 4
Select the rule types to query using the appropriate check boxes.
Step 5
Select whether your query should include enabled or disabled rules (or both) using the appropriate check boxes.
Step 6
Select the source address you want to query. You can click Select to open a popup window from which to make your selection.
Step 7
Select the destination address you want to query. You can click Select to open a popup window from which to make your selection.
Step 8
Select the service you want to query. You can click Select to open a popup window from which to make your selection.
Step 9
Enter the interface you want to query.
Step 10
Click Run.
The resulting report is displayed, as shown in Figure 14-5 and Figure 14-6. Based on the query results, you can add or delete rules as needed.
Figure 14-5 Sample Query Results for Selected Scope Only
Note
See Table 14-1 for an explanation of the balloon information.
Figure 14-6 Sample Query Results for Selected Scope, Subgroups, and Devices
Table 14-1 describes the balloon information shown in Policy Query reports.
Table 14-1 Policy Query Report Balloon Descriptions
Callout 1 (Match Status):
• Complete Match—The rule covers every element of the query tuplespace.
• Partial Match—The rule covers only part of the query tuplespace. The rule may be adjacent to the query (for example, you query for a TCP service with source port range 1-2 and a rule is defined for a TCP service with source port range 3-4), or the rule and the query may overlap (for example, you query for a TCP service with source port range 1-5 and a rule is defined for port 1 only).
• No Effect—The rule is either disjoint from the query (it does not match any part of it) or is blocked by a matching rule that precedes it.
Callout 2 (Scope): Table lists rules based on the mandatory and default hierarchy.
Callout 3 (Rule Order): Ordered list identifying the rule number in the table.
Callout 4 (Description): Optional description entered when defining the rule.
Callout 5 (Action): Action is based on rule type.
• Firewall Rules—permit or deny.
• AAA Rules—authentication or authorization.
• Web Filter Rules—filter url.
Callout 6 (Source Address and Destination Address): IP addresses, network objects, or IP networks.
Callout 7 (Source Interface): Name of the interface to which the generated ACL is assigned.
Callout 8 (Service): Name of one or more service definitions identified for the rule.
Callout 9 (Enabled): Identifies whether the rule is enabled.
• True = enabled
• False = disabled
Table 14-2 describes the elements on the Policy Query page.
Table 14-2 Policy Query
Scope:
• Query this scope only—Generates a single ordered list of rules for the selected scope. Only a partial set of rules for the devices within the group is displayed.
• Query this scope and contained groups and devices—Generates multiple ordered lists, one for each subgroup or device.
Rule Types:
• Firewall Rule
• AAA Rule
• Web Filter Rule
Enabled or Disabled:
• Enabled Rules check box—when selected, displays rules that are enabled.
• Disabled Rules check box—when selected, displays rules that are disabled.
Actions:
• Permit check box—when selected, displays rules that permit packet flow.
• Deny check box—when selected, displays rules that deny packet flow.
Source Addresses: Source network object names or addresses of hosts that are subject to filtering.
Destination Addresses: Destination network object names or addresses of hosts that are subject to filtering.
Services: Name of one or more service definitions identified for the rule being defined.
Interfaces: Name of the interface to which the generated ACL is assigned.