Table Of Contents
Getting Started with Firewall MC
What's New
Logging In to the CiscoWorks Server Desktop
Viewing the Home Page
Understanding the User Interface
GUI
Object Selector
Table Elements
Wizard Elements
Getting Started with Firewall MC
For those of you who are upgrading to Firewall MC 1.3 from a previous version, you might be interested in knowing what new features have been added to this release.
What's New
If you are a previous user of Firewall MC and you upgraded to Firewall MC release 1.3, you will notice the following new design enhancements and features:
• You can now create or edit building blocks for network objects, service definitions, and service groups from Access Rule tables.
• You can now configure access rules to filter traffic according to the value in the ethertype field of a Layer 2 packet. This applies to FWSM 2.1 in transparent mode. For more information, see Inserting or Editing an Ethertype Rule, page 11-35.
• You can now define these additional web filter rules: Filter Java, Filter ActiveX, Filter HTTPS, and Filter FTP. With the addition of Filter Java and Filter ActiveX, support for working with N2H2 URL servers has also been added. You can also define actions to be taken based on the type of traffic for specific filter rules. For more information, see Inserting or Editing a Web Filter Rule, page 11-29.
• FWSM 2.1 Security Context (virtual firewall support)—You can now configure a single FWSM to behave as multiple virtual firewalls.
• Transparent firewall—You can now define a Virtual Local Area Network (VLAN) interface in transparent mode (L2 Mode). When the FWSM is in transparent mode, it acts as a Layer 2 firewall.
• Support for dynamic policy NAT and static policy PAT rules—You can now define policy translation rules that match on the source and destination conditions of network packets. Although these rules are not visible in the Firewall MC GUI by default, you can change the default setting to display them in the translation tables.
  In addition, the order of evaluation has changed. Previous versions of Firewall MC optimized translation rules around a "best match" scheme. As of this release (1.3), Firewall MC defaults to the firewall device logic, which uses a "first match" scheme for all rule types other than dynamic NAT.
• Easy VPN Server—The Easy VPN Server feature allows you to configure a PIX Firewall to operate as an Easy VPN Server that can push a VPN configuration to any Easy VPN Remote device, greatly simplifying configuration and administration. The Easy VPN Server feature is available with PIX OS software Version 6.2 and later.
• IPSec tunnels—You can use Firewall MC to configure and manage the IPSec features of Cisco PIX Firewalls to create VPN tunnels for site-to-site and remote user access.
• Extended ACLs—Support has been added for "Extended ACL" version checking during configuration generation. The keyword "extended" is supported from the CLI. OSPF ACLs are now augmented with the classification keyword "standard" in the CLI, but are still sent as ending commands in Firewall MC.
• Standby option for IP addresses—Failover standby IP addresses configured through a security context CLI do not trigger an import error in Firewall MC; they are ignored.
• Object grouping—You can specify how Firewall MC handles object groups during device import and configuration generation.
• Syslog by ACL is supported—Logging options can be specified in the GUI. The ACL logging global parameters deny-flow-max and alert-interval are also supported.
• Logging message levels—You can now disable logging for an individual message, and the logging level of a specific message can now be customized.
• AAA local database—You can now add users to a local database on a firewall device, to be used for AAA authentication.
• Failover—The Failover GUI has been modified to reflect the failover requirements of the firewall device OS version that is recognized.
• VLAN alias—The new FWSM 2.1 alias feature for developing portable VLAN-based ACLs is now supported.
• Layer 2 (transparent mode) and Layer 3 (routed mode) firewall support—You can now enable traffic between firewall devices located in different networks (routed mode) and within the same subnet (transparent mode).
• Same security interfaces—You can now enable traffic between interfaces that are configured with the same security level.
• Management access—You can now enable or disable the Management Access feature for a single interface.
• Feature tracking—You can specify how Firewall MC handles commands for features that are not supported by the OS version running on a specific device.
• Taking over changes feature—You can now take over a lock held by another user when workflow is disabled.
• New fixups have been added:
  – Fixup ICMP error
  – MGCP
  – TFTP
  – DNS
  – Fixup RPC (supported as an ending command)
• New Telnet timeout ranges have been added:
  – 1-60 for PIX Firewalls
  – 1-1440 for FWSMs
• New timeouts have been added:
  – Timeout ICMP
  – Timeout H225 (migrated from PIX Firewall)
  – MGCP (migrated from PIX Firewall)
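The change from "best match" to "first match" evaluation described above means that, where translation rules have overlapping source networks, a different rule can be selected for the same packet after the upgrade, so rule order now matters in a way it did not before. The following Python example is added here to illustrate that difference; it is not Firewall MC or PIX code. The rule set is constructed, and "best match" is modelled as longest-prefix selection, which is an assumption about the earlier behaviour rather than a statement made by this guide.

```python
import ipaddress

# Constructed sample translation rules (not taken from Firewall MC).
# Each entry is (rule name, source network, translated address), listed in
# the order the rules appear in the rule table.
RULES = [
    ("rule-1", "10.1.0.0/16", "192.0.2.10"),
    ("rule-2", "10.1.5.0/24", "192.0.2.20"),
    ("rule-3", "10.0.0.0/8",  "192.0.2.30"),
]


def first_match(rules, src_ip):
    """Device-style evaluation: the first rule in table order whose source
    network contains src_ip wins; later, more specific rules are never reached."""
    ip = ipaddress.ip_address(src_ip)
    for name, net, _xlate in rules:
        if ip in ipaddress.ip_network(net):
            return name
    return None


def best_match(rules, src_ip):
    """Assumed model of the older "best match" scheme: the most specific
    (longest-prefix) matching rule wins, regardless of table order."""
    ip = ipaddress.ip_address(src_ip)
    best, best_len = None, -1
    for name, net, _xlate in rules:
        network = ipaddress.ip_network(net)
        if ip in network and network.prefixlen > best_len:
            best, best_len = name, network.prefixlen
    return best


def rules_where_schemes_differ(rules, hosts):
    """Return the sample hosts for which the two schemes select different rules.
    A non-empty result is the set of hosts whose translation changes after
    switching to first-match evaluation."""
    return [h for h in hosts if first_match(rules, h) != best_match(rules, h)]


if __name__ == "__main__":
    sample_hosts = ["10.1.5.7", "10.2.0.1", "172.16.0.1"]
    for host in sample_hosts:
        print(host, "first match:", first_match(RULES, host),
              "best match:", best_match(RULES, host))
    print("hosts affected by the ordering change:",
          rules_where_schemes_differ(RULES, sample_hosts))
```

Running the block shows that 10.1.5.7 is translated by rule-1 under first-match but by rule-2 under longest-prefix, while hosts that match only one rule are unaffected. Reordering the table so that more specific rules precede broader ones restores the earlier selection under first-match evaluation.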
The following features are not supported in this release, and related commands can be moved to the ending commands section:
• Outbound ACLs—The "out" keyword in the access-group command is not currently supported.
• Ability to manage security contexts—Use the CLI, PIX Device Manager (PDM), or CiscoView to manage security contexts.
• Split around—In Firewall MC 1.0-1.2.1, Firewall MC provided a split-around feature for NAT rules to avoid overlapping addresses. As of this release (1.3), this feature is no longer supported. Instead, a warning message is issued for overlapping addresses.
Before you begin using Firewall MC, you must understand the basic operation of the user interface, including the login procedure and user interface elements. To access Firewall MC, you must log in to the CiscoWorks Server desktop.
The following basic concepts help you get started:
• Logging In to the CiscoWorks Server Desktop
• Understanding the User Interface
Logging In to the CiscoWorks Server Desktop
The CiscoWorks Server desktop (Figure 1-1) is the interface for all CiscoWorks network management applications. Before you log in, ensure that your browser is configured correctly for CiscoWorks. See Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows.
If you are logging in for the first time, use the factory-set "admin" username and password.
Figure 1-1 CiscoWorks Server Login Window
Step 1 Go to the CiscoWorks Server from your browser.
Step 2 Enter admin in both the Name and Password fields of the Login Manager.
Step 3 Click Connect or press Enter. You are now logged in.
Step 4 To change the admin password, select Server Configuration > Setup > Security > Modify My Profile. For additional information, see User Guide for CiscoWorks Common Services 2.2.
The CiscoWorks Server desktop contains drawers for the installed applications. The Firewall MC drawer is in the left pane (Figure 1-2).
Figure 1-2 Desktop with Firewall MC Drawer Displayed
To start Firewall MC:
Step 1 Log in to the CiscoWorks Server desktop.
Step 2 From the navigation tree, select the VPN/Security Management Solution drawer.
Step 3 Select the Management Center folder.
Step 4 Select Firewalls. Firewall MC starts and the Home Page is displayed.
Viewing the Home Page
The Home Page describes the types of tasks you can perform under the various tabs. We recommend that you review and follow one of the task flows detailed in "Task Flow Checklists."
To help you to identify the components comprising the user interface, see Understanding the User Interface.
Figure 1-3 Home Page with Workflow Disabled
Note: You can see the Home Page only after you log in to Firewall MC.
Understanding the User Interface
The user interface organizes related tasks and information to improve ease of use. The interface uses the following organizational elements:
• GUI
• Object Selector
• Table Elements
• Wizard Elements
GUI
Figure 1-4 shows the basic Firewall MC GUI elements.
Figure 1-4 Firewall MC Basic GUI Elements
Reference | Location | Description
1 | Path bar | Provides a context for the displayed page. Shows the tab, option, and current page.
2 | TOC | Displays the available suboptions.
3 | Padlock icon | Represents the locking system used by Firewall MC. Identifies whether devices or device groups are available for editing.
4 | Options bar | Displays the options available for the selected tab.
5 | Tabs | Provides access to product functionality. Click a tab to access its options.
  • Devices—Identify devices to configure and manage. Define the group hierarchy and arrange devices within that hierarchy; this establishes the inheritance model.
  • Configuration—Enter or edit device configuration information by identifying device- and MC-level settings, access rules, translation rules, and building blocks.
  • Deployment—Deploy configurations to devices, a file, or an AUS. Displayed when the workflow feature is disabled (the default).
  • Workflow—Manage activities and jobs. Deploy configurations based on jobs to devices, a file, or an AUS. Displayed when the workflow feature is enabled.
  • Reports—Display reports about activities or device details. Compare settings and rules between the actual device and the configuration files within Firewall MC.
  • Admin—Perform administrative tasks such as enabling workflow, maintaining the database, and creating a support file to submit support information to Cisco TAC.
6 | Activity bar | Displays activity action icons that change depending on the state of the activity. Viewed from the Devices, Configuration, or Deployment tabs only. See Table 1-1 for more information.
7 | Tools | Contains the Logout, Help, and About buttons.
  • Close—Logs you out of Firewall MC, but not of the CiscoWorks Server.
  • Help—Opens a new window that displays context-sensitive help for the displayed page. The window also contains buttons that you use to access the help contents, index, and search tool.
  • About—Displays the application version.
8 | Username | Identifies the user logged in to Firewall MC.
9 | Instructions box | Provides a brief overview of how to use the page.
10 | Page | Displays the area in which you perform tasks.
11 | Table | Lists items and their components.
12 | Object bar | Displays the object (also referred to as the scope) selected in the Object Selector. See Object Selector for more information.
13 | Object Selector handle | Opens and closes the Object Selector.
  • When the selector is closed, click the handle to open it.
  • When the selector is open, click the handle to close it.
Table 1-1 shows the activity bar icons. The icons vary, depending on the workflow setup you are using.
Table 1-1 Activity Bar Icons
Icon Name | Description | Workflow Setup
Add | Adds a new activity. | Workflow is enabled.
Open | Opens an existing activity. | Workflow is enabled.
Close | Closes an activity. | Workflow is enabled.
Save and Deploy | Saves and generates a device configuration file. Allows you to deploy the configuration or postpone the deployment until later. | Both
Submit | Submits an activity. | Workflow is enabled.
Approve | Approves an activity. | Workflow is enabled.
Reject | Rejects an activity. | Workflow is enabled.
Undo | Discards an activity, or discards any changes made since the last save. | Both
View Details | Shows the details of the current changes. | Both
Object Selector
Figure 1-5 shows the Object Selector elements after you open the Object Selector with the Object Selector handle.
Figure 1-5 Firewall MC Object Selector Elements
Reference | Object | Description
1 | Global folder | Displays the available groups and devices in the network. Click the plus (+) symbol to see the contents.
2 | Subgroup folder | Displays the devices contained in that subgroup. Click the plus (+) symbol to see the contents of the folder.
3 | Device | Displays the individual object contained in that group or subgroup.
4 | Object Selector handle | Opens and closes the Object Selector. The handle is shown in the open position.
Table Elements
Figure 1-6 shows the table elements.
Figure 1-6 Firewall MC Table Elements
Reference | Location | Description
1 | Check box | Used to select a table row. Select the check box in the column headings row to select all check boxes in the table.
2 | Row | Contains the information fields for one item in the table.
3 | Column | Contains one information field for all items in the table.
4 | Action buttons | Contains buttons that initiate actions or commands for this table. The action buttons vary depending on the table you are in and your user permissions.
Wizard Elements
Wizards are step-by-step instructions that help you perform tasks in Firewall MC (Figure 1-7). Wizards contain ordered pages. If a wizard page includes a variable, the TOC displays an ellipsis (...). After you define the variables, the ellipsis is replaced by the wizard pages that are used.
Note: When you are working in a wizard, be sure to use the Back button in the application GUI, not the browser Back button, to return to a previous wizard page.
Figure 1-7 Firewall MC Wizard Elements
Reference | Location | Description
1 | Wizard steps | Displays an ordered list of steps. Ellipses (...) mean that the steps that follow depend on which options you select.
2 | Object bar | Displays the group or device selected in the Object Selector. Changes made in the wizard are applied to the selected group or device.
3 | Wizard page | Displays the area in which you work. It can display the following types of information:
  • Field—Area in which you enter values.
  • List—Drop-down list of the available options.
  • Check boxes and radio buttons—Methods used to make your selections.
    – Check boxes are used when more than one selection can be made at a time.
    – Radio buttons are used when only one selection can be made at a time.
4 | Instructions box | Provides a brief overview of how to use the page.
5 | Action buttons | Buttons that initiate actions for this page. Buttons that do not work on a particular page are grayed out.