Using Management Center for Firewalls 1.3
Configuring Device-Level Settings

Table Of Contents

Configuring Device-Level Settings

Basic Settings

Setting the Firewall Operating System Version

Configuring Interfaces

Configuring Transparent Firewall Settings

Configuring Firewall Device Administration

Configuring Authentication Prompts

Advanced Settings

Configuring IDS Policy

Configuring IDS Signatures

Configuring Anti-Spoofing

Configuring Fragments

Configuring TCP Options

Configuring Timeouts

Configuring Basic Fixups

Configuring Multimedia Fixups

Configuring Flood Guard


Configuring Device-Level Settings


Device-level settings are those settings that are specific to a device. We categorize such settings as basic or advanced.

Basic Settings—Identify those settings that are required for the firewall to operate correctly on the network.

Advanced Settings—Optional features that provide advanced processing or security features.

Basic Settings

This section describes the settings that define the basic features installed on the firewall device and the settings that control the types of connections that can be made to the firewall device for administration.

Setting the Firewall Operating System Version

Configuring Interfaces

Configuring Transparent Firewall Settings

Configuring Firewall Device Administration

Configuring Passwords

Configuring Firewall Device Contact Info

Configuring HTTPS (SSL)

Configuring Telnet

Configuring Secure Shell

Configuring Management Access

Configuring SNMP

Configuring ICMP Interface Rules

Configuring AAA Admin Authentication

Configuring User Accounts

Configuring Console Timeout

Configuring Authentication Prompts

Setting the Firewall Operating System Version

Identifying the correct operating system (OS) version running on a firewall device ensures that Firewall MC generates the command syntax expected by the installed operating system.

Firewall MC 1.3 supports the following operating system versions:

PIX Operating System Versions: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.3, 6.3.1, 6.3.2, 6.3.3

FWSM Operating System Versions: 1.1.1, 1.1.2, 1.1.3, 2.1, 2.1.1


Not all commands are fully supported in this release. A complete list of commands, along with the supported devices and software versions, can be found at:

http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products_device_support_tables_list.html


Step 1 Select Configuration > Device Settings > Firewall OS Version.

The Firewall OS Version page appears.

Step 2 Do one of the following:

To generate a configuration file using the last-detected version of the operating system, click the Last Detected Firewall OS Version radio button.

To generate a configuration file using a specific version, click the Supported Firewall OS Version radio button, then select the desired version of the operating system from the Supported Firewall OS Version list.


Note If you created a device manually, you must click the Supported Firewall OS Version radio button and specify the operating system version for that device.


Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-1 describes the elements on the Firewall Operating System Version page.

Table 8-1 Firewall Operating System Version 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Generate Config for the following Firewall Operating System Version

Last Detected Firewall OS Version

When selected, instructs Firewall MC to generate the configuration file for the operating system version most recently detected on the target device.

Supported Firewall OS Version list

When selected, instructs Firewall MC to generate a configuration file for a specific operating system version from a list of available operating system versions that support PIX Firewalls.

Supported FWSM OS Version list

When selected, instructs Firewall MC to generate a configuration file for a specific version from a list of available versions that support FWSMs.

Note If you selected version 2.0 or earlier, Firewall Mode options are grayed out.

Firewall Modes

Security Context

Options are:

Single—Only one firewall context exists, so the FWSM blade behaves as a single firewall device. Context management is therefore not a factor.

Multiple—Multiple virtually independent firewall contexts exist. Multiple contexts are equivalent to having multiple standalone firewalls. Contexts are conveniently contained within a single card.

In multiple context mode, you can create up to 250 separate security contexts (depending on your software license). Multiple context mode information is not shown as part of the configuration. As a result, no information is displayed if you use the show run command.

Note Switching between single mode and multiple mode is not supported.

Mode

Configuration modes.

Routed—Layer 3 IP interfaces are used; the firewall sits between different networks. Also referred to as L3 Mode.

The FWSM is considered to be a router hop in the network. It performs network address translation (NAT) between connected networks and can use Open Shortest Path First (OSPF) or passive Routing Information Protocol (RIP) in single context mode.

Transparent—VLAN-based Layer 2 interfaces are used; the firewall sits within a single subnet. Also referred to as L2 Mode.

The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN. No dynamic routing protocols or NAT are required. Transparent mode information is not shown as part of the configuration. As a result, no information is displayed if you use the show run command.


Configuring Interfaces

The Interfaces feature allows you to define, enable, disable, and edit network interface configurations. It also allows you to identify that a firewall supports the same-level interface feature, which allows multiple interfaces to use the same security-level value. Each firewall device must be configured, and each active interface must be enabled. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained. To access this feature, select Configuration > Device Settings > Interfaces.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall.


Tip If you imported an existing firewall device, you do not need to complete this procedure unless you want to modify the settings defined for the remaining interfaces.


Adding or Editing an Interface

You use the Interfaces page to define the name, security level, type, speed, MTU, and IP address of an interface. You can enter a static IP address for an interface, or you can specify that the IP address be obtained through a DHCP client or PPPoE functionality. You can disable inactive interfaces.

Make sure that the number of interfaces and their respective hardware IDs defined in the GUI match those on the physical device. For example, if you define only ethernet0 and ethernet1 in the GUI when the device also contains ethernet2, Firewall MC tries to remove all configuration settings for the undefined interface, such as its IP address, during deployment. This causes deployment errors and possible failure, depending on the settings you established for error handling.


Step 1 Select Configuration > Device Settings > Interfaces.

The Interfaces page appears.

Step 2 Do one of the following:

To add a row, click Add.

The Add Interface Name page appears.

To edit a row, select the check box for the row, then click Edit.

The Add Interface Name page appears.


Note If you change an interface, we recommend that you perform a clear translation. See Configuring Management Controls, page 3-13.


Step 3 Enter the hardware ID that identifies the network interface located on the PIX Firewall. If you are defining a VLAN interface, enter the hardware ID of the physical interface that the VLAN is associated with. Values are:

ethernet0.

ethernet1 to ethernetn.

gb-ethernetn (where n = number of network interfaces in PIX Firewall).

Step 4 If you are defining a VLAN interface:

a. Either specify the alias of the ID or use the prefix vlan with the identification number of the VLAN associated with the interface. Valid identification numbers are 1-4095 (e.g., vlan234). Both the alias and VLAN IDs are specified using the CLI.

b. Specify whether this VLAN is a physical VLAN or a logical VLAN by selecting from the list.


Note The number of logical interfaces that you can configure on a PIX Firewall varies according to the model. For more information, see the documentation for your PIX Firewall.


Step 5 Select the Interface Enable check box.

Step 6 Enter the interface name.


Note The inside and outside interfaces are partially defined for the Global group by default; however, you must edit the interfaces to include the additional information.


Step 7 If you are defining a physical interface, select the physical-level interface speed from the list. For more information, see Speed (used for PIX Firewall only) in the Interfaces table.


Note We recommend that you specify the speed of the network interfaces, instead of using auto speed sensing, in case your network environment includes switches or other devices that do not handle autosensing correctly.


Step 8 If you are defining a physical interface, enter the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Values are 64-65,535 bytes. The default is 1500 for all types except PPPoE, for which the default is 1492.

Step 9 Enter the security level that the interface will enforce. Values are 0-100 (100 = greatest security level).

Outside interface is always 0.

Inside interface is always 100.

DMZ is 1-99.


Note You can define a dynamic NAT rule only for an interface that has a higher security level than the interface on which the traffic goes out and which has a global IP address pool assigned to it. Static NAT rules can be defined between interfaces of any security level.


Step 10 Select the type of IP address for this interface.

Static—Assigns a static IP address and mask to the interface. If you are configuring a static IP address, click the Static radio button, click Next, then go to Step 11.

DHCP—Assigns a dynamic IP address and mask to the interface. If you are configuring DHCP, click the DHCP radio button, click Next, then go to Step 12.

PPPoE—Provides an authenticated method of assigning an IP address to the interface. If you are configuring PPPoE, click the PPPoE radio button, click Next, then go to Step 13.


Note You can configure DHCP and PPPoE only on the outside interface of a PIX Firewall. FWSM does not support DHCP or PPPoE.


Step 11 To configure a static IP address on this interface:

a. Enter the IP address. The IP address must be unique for each interface.


Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.


b. Enter the network mask. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).


Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.


c. Click Next.

The interface summary page appears.

Settings enabled during configuration are displayed as true in the wizard summary page.

d. Go to Step 14.

Step 12 To configure DHCP on this interface:

a. To cause a default route to be created if one does not exist, select the Enable DHCP Set Route check box.

b. To enable the DHCP Retry feature, select the Enable DHCP Retry check box and then use the Retry Count field to enter the number of tries to allow before an error is returned. Values are 4-16.

c. Click Next.

The interface summary page appears.

Settings enabled during the configuration process are displayed as true in the wizard summary page.

d. Go to Step 14.

Step 13 To configure PPPoE on this interface:

a. Enter the Virtual Private Dial-up Network (VPDN) username for authentication in the User Name field.

b. To indicate that the VPDN username and password were already configured as store-local on the PIX Firewall, select the Use Local check box.


Note If you select this option, Firewall MC does not generate the VPDN username/password command for this user and does not remove the existing password for this user during deployment.


c. If you did not select the Use Local check box, enter the VPDN password that corresponds to the username in the Password and Confirm Password fields.

d. Select the protocol to use for authentication.

PAP—Password Authentication Protocol.

CHAP—Challenge Handshake Authentication Protocol.

MSCHAP—Microsoft Challenge Handshake Authentication Protocol.

e. To create a default route if one does not exist, select the Enable PPPoE Set Route check box.

f. To use a static IP address, select the Enable Static IP Address check box, then add the IP address and subnet mask in the fields provided.

g. Click Next.

The interface summary page appears.

Settings enabled during the configuration process are displayed as true in the wizard summary page.

Step 14 Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
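As an added example (not Firewall MC code), the following Python pre-deployment lint encodes the interface constraints stated in the steps and notes above: the hardware ID and VLAN ID forms, the fixed security levels for inside, outside and DMZ interfaces, the MTU range, the DHCP/PPPoE restrictions, the /31 and /32 mask warning, the IP uniqueness rule, the DHCP retry range, the dynamic NAT direction rule, and the mismatch between GUI-defined and physical interfaces that causes deployment failure. The Interface record and the lint_interfaces and dynamic_nat_allowed functions are this example's own names, not a Firewall MC API.

```python
"""Pre-deployment lint for a set of Firewall MC interface definitions.

Added example, not Firewall MC code: it checks the constraints this chapter
states for the Interfaces page before a configuration is generated and
deployed. Record and function names are assumptions of this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hardware IDs listed on the page: ethernet0..ethernetN and gb-ethernetN.
# VLAN IDs use the prefix "vlan" with a number in 1-4095 (e.g. vlan234).
HW_ID_RE = re.compile(r"^(ethernet|gb-ethernet)\d+$")
VLAN_RE = re.compile(r"^vlan(\d+)$")


@dataclass
class Interface:
    hardware_id: str
    name: str                    # "inside", "outside", or a DMZ name
    security_level: int          # 0-100
    addr_type: str = "static"    # static | dhcp | pppoe
    ip: Optional[str] = None
    mask: Optional[str] = None   # dotted decimal or prefix length as a string
    mtu: int = 1500
    vlan: Optional[str] = None   # e.g. "vlan234" (an alias is not checked)
    dhcp_retry: Optional[int] = None
    is_fwsm: bool = False


def _prefix_len(mask: str) -> Optional[int]:
    """Accept a dotted-decimal mask or a bit count; return the prefix length."""
    if mask.isdigit():
        n = int(mask)
        return n if 0 <= n <= 32 else None
    try:
        return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    except ValueError:
        return None


def lint_interfaces(ifaces: List[Interface], physical_ids: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the set is deployable."""
    problems = []
    seen_ips = set()
    defined_hw = {i.hardware_id for i in ifaces}

    # Every hardware ID on the device must be defined in the GUI, otherwise
    # Firewall MC tries to strip the undefined interface at deployment.
    for hw in physical_ids:
        if hw not in defined_hw:
            problems.append(f"{hw}: present on device but not defined (deployment will fail)")

    for i in ifaces:
        tag = f"{i.hardware_id}/{i.name}"
        if not HW_ID_RE.match(i.hardware_id):
            problems.append(f"{tag}: hardware ID must be ethernetN or gb-ethernetN")
        if i.vlan is not None:
            m = VLAN_RE.match(i.vlan)
            if m and not 1 <= int(m.group(1)) <= 4095:
                problems.append(f"{tag}: VLAN ID must be 1-4095")
        # Security levels: outside is always 0, inside always 100, DMZ 1-99.
        if not 0 <= i.security_level <= 100:
            problems.append(f"{tag}: security level must be 0-100")
        elif i.name == "outside" and i.security_level != 0:
            problems.append(f"{tag}: outside interface must be security level 0")
        elif i.name == "inside" and i.security_level != 100:
            problems.append(f"{tag}: inside interface must be security level 100")
        elif i.name not in ("inside", "outside") and not 1 <= i.security_level <= 99:
            problems.append(f"{tag}: DMZ interface must be security level 1-99")
        if not 64 <= i.mtu <= 65535:
            problems.append(f"{tag}: MTU must be 64-65,535")
        # DHCP and PPPoE: outside interface only, and never on an FWSM.
        if i.addr_type in ("dhcp", "pppoe"):
            if i.is_fwsm:
                problems.append(f"{tag}: FWSM does not support {i.addr_type}")
            elif i.name != "outside":
                problems.append(f"{tag}: {i.addr_type} is allowed only on the outside interface")
            if i.addr_type == "dhcp" and i.dhcp_retry is not None and not 4 <= i.dhcp_retry <= 16:
                problems.append(f"{tag}: DHCP retry count must be 4-16")
        elif i.addr_type == "static":
            if i.ip is None or i.mask is None:
                problems.append(f"{tag}: static interface needs an IP address and mask")
            else:
                if i.ip in seen_ips:
                    problems.append(f"{tag}: IP address {i.ip} is not unique")
                seen_ips.add(i.ip)
                plen = _prefix_len(i.mask)
                if plen is None:
                    problems.append(f"{tag}: unparseable mask {i.mask}")
                elif plen >= 31:  # 255.255.255.254 / .255 stop traffic on the interface
                    problems.append(f"{tag}: mask /{plen} will stop traffic on this interface")
    return problems


def dynamic_nat_allowed(src: Interface, out_if: Interface, out_if_has_global_pool: bool) -> bool:
    """Dynamic NAT may be defined only from an interface with a higher security
    level than the interface the traffic leaves on, and only if that outgoing
    interface has a global IP address pool assigned. Static NAT has no such rule."""
    return src.security_level > out_if.security_level and out_if_has_global_pool
```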


Table 8-2 describes the elements on the Interfaces page.

Table 8-2 Interfaces 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interfaces

Hardware ID (used for PIX Firewall only)

Displays network interface located on PIX Firewall. Values are:

ethernet0 to ethernetn.

gb-ethernetn.

Note n = number of network interfaces in PIX Firewall.

VLAN ID/Alias

Displays either the alias for the VLAN or the VLAN ID associated with the interface. When defining a VLAN ID, use the prefix vlan with the identification number of the VLAN associated with the interface. Valid identification numbers are 1-4095 (e.g., vlan234). Both the alias and VLAN IDs are specified using the CLI.

VLAN interface type

Type of VLAN interface.

logical—VLAN is associated with a logical interface.

physical—VLAN is on the same network as its underlying hardware interface.

Speed (used for PIX Firewall only)

Physical-level interface speed.

10baset—10-Mbps Ethernet half-duplex.

10full—10-Mbps Ethernet full-duplex.

100basetx—100-Mbps Ethernet half-duplex.

100full—100-Mbps Ethernet full-duplex.

1000sxfull—1000-Mbps Ethernet full-duplex.

1000basesx—1000-Mbps Ethernet half-duplex.

1000auto—1000-Mbps Ethernet, auto-negotiating full- or half-duplex. (We recommend that you do not use this option, to maintain compatibility with switches and other devices in your network.)

1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.

1000full nonnegotiate—1000-Mbps Ethernet full-duplex.

aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface.

bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface.

auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.

Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

Interface Name

Logical name of the interface, reflecting its role. Supported interface names are:

Inside—Connects to your internal network. Must be most secure interface. See Security Level.

DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network.

Outside—Connects to an external network or public Internet. Must be least secure interface. See Security Level.

Security Level

Security level that interface will enforce. Values are 0-100 (100 = greatest security level).

Outside interface is always 0.

Inside interface is always 100.

DMZ is 1-99.

Note Because Firewall MC applies a default set of rules to an interface, the remaining security levels matter only if you plan to use dynamic NAT between two or more interfaces. You can define a dynamic NAT rule only for an interface that has a higher security level than the interface on which the traffic goes out and which has a global IP address pool assigned to it. Static NAT rules can be defined between interfaces of any security level.

MTU

Maximum transmission unit. Number of bytes in the MTU. The value depends on the type of network connected to the interface. Values are 64-65,535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.

IP Address

IP address of interface.

IP address must be unique for each interface.

The IP address is blank for interfaces that use dynamic addressing.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Subnet mask

Network mask for IP address of interface. You can express the value in dotted decimal format (e.g. 255.255.255.0) or by entering the number of bits in the network mask (e.g. 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

Type

Specifies the address type for the interface.

DHCP—Assigns a dynamic IP address and mask to the interface.

Static—Assigns a static IP address and mask to the interface.

PPPoE—Provides an authenticated method of assigning an IP address to the interface.

Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.

Enabled

Indicates whether the interface is active (enabled) or shut down (disabled).

Import button

Imports multiple interfaces using a comma-separated values (CSV) file.

Poll button

Gets the current status of VLAN interfaces from a Firewall Services Module (FWSM).

Interface Enable check box

Enables the interface. When selected, the value is shown as true in the wizard summary and as enabled in the Interfaces table.

Enable DHCP set route check box

Enables DHCP set route. The DHCP set route command tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns.

Enable DHCP retry check box

Enables DHCP to try again to make a connection. When enabled, the value is shown in the summary as true.

Retry count

Used when DHCP Retry Enable check box is selected. Number of tries before an error is returned. Values are 4-16.

Username

Virtual Private Dial-Up Network (VPDN) username to use for authentication.

Use local check box

Select the Use Local check box to show that the VPDN username and password were already configured as store-local on the firewall device.

Note If you select this option, Firewall MC does not generate the vpdn username password command for this user and does not remove the existing password for this user during deployment.

Password

VPDN password used for authentication.

Confirm password

Reenter the VPDN password.

Protocol

The protocol to use for authentication.

PAP—Password Authentication Protocol.

CHAP—Challenge Handshake Authentication Protocol.

MSCHAP—Microsoft Challenge Handshake Authentication Protocol.

Enable PPPoE set route check box

Enables PPPoE set route. The set route command tells the firewall device to set the default route using the default gateway parameter the PPPoE server returns.

Enable static IP address check box

Enables use of a static address on this interface.

Same Security Level

Enable traffic between interfaces that are configured with the same security level check box

Enables traffic flows between interfaces with the same security level setting. This feature applies to firewall devices running FWSM 2.1 and later. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces.


Enabling Same Security Level Option for a Firewall

For firewalls running FWSM 2.1 or later, the option exists to allow two or more interfaces on that firewall to operate at the same security level and to pass traffic between two such interfaces. When this feature is enabled, you are not required to define translation rules to allow traffic flows between the interfaces.

To enable this option, which is global to all interfaces on the firewall, select the Enable traffic between interfaces that are configured with the same security level check box on the Configuration > Device Settings > Interfaces page.

Note that if you deploy a PPPoE configuration to a firewall device that already has PPPoE configured on the outside interface (ip address outside pppoe), any existing PPPoE connection to an access concentrator is reset and cleared. The firewall device must then reauthenticate itself and reconnect to the access concentrator.

Deleting an Interface


Step 1 Select Configuration > Device Settings > Interfaces.

The Interfaces page appears.

Step 2 Select the check box for the interface to delete, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The interface is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.


Polling an FWSM for VLAN Information

The VLAN polling feature allows you to get the current status of VLAN interfaces from an FWSM. You can use this feature to update Firewall MC with the current VLAN information.


Step 1 Select Configuration > Device Settings > Interfaces.

The Interfaces page appears.

Step 2 Click Poll.

Firewall MC displays the Status of the VLANs page, which contains a table showing the VLANs that are defined on the specified FWSM and those that are defined in Firewall MC. The Status of VLANs page is informational only, but you can use this information to update Firewall MC with the current VLAN information.


Note You must enter the device contact information for the FWSM you are polling before clicking Poll. See Configuring Firewall Device Contact Info.


Step 3 Click Close.


Configuring Transparent Firewall Settings

In transparent firewall mode, a firewall device inspects frames instead of network packets to determine whether they should be forwarded between the two VLAN interfaces. While frame-level operations are restricted to layer 2 (OSI protocol reference model), transparent firewalls can also perform protocol-level analysis for specific packets. This analysis occurs if the frame is switched between the two interfaces. Otherwise, the frame is dropped because the destination is assumed to reside on the attached network or to be forwarded by another device.

Transparent firewalls offer several unique benefits over routed firewalls:

Transparent insertion does not require you to re-engineer a network around the firewall.

Traffic can be inspected on the same subnet.

They support multiple security contexts. (See What Is Meant by Security Context?.)

They require only one IP address for each security context for administrative purposes.

Transparent firewalls also reduce the typical work associated with routed firewalls because many traditional features are not applicable in transparent mode. The following features cannot be configured in transparent mode:

Routing rules and routing protocol settings (RIP and OSPF).

All forms of address translation rules (alias, dynamic, static, identity, and policy NAT and PAT) and global address pools.

DHCP relay server and agent.

IP verification setting (lookups for reverse path forwarding).


Note Even though NAT rules cannot be configured, you can still define some settings under the Address Translation area. See Other Properties Controlled by Translation Rules.


Topics to be discussed are:

Identifying the MAC Addresses for the Firewall

Enabling Automatic Discovery of MAC Addresses

Identifying the IP Addresses Used for Management

Identifying the MAC Addresses for the Firewall

The MAC address table identifies MAC addresses and the interface with which they are associated. The firewall uses this information to ensure proper traffic forwarding between the interfaces. If an address is unknown and MAC learning is not enabled for the interface, frames received by an interface destined to that address are dropped by the firewall. To enable forwarding and packet inspection, you must either manually define MAC address and interface pairs in this table or enable MAC learning.

The MAC Address Table page is also where you specify the forwarding table aging timeout, which determines how long the firewall retains dynamically learned MAC addresses in its forwarding table. You can use this value to counter attacks such as MAC address spoofing, ARP cache poisoning, and overloading the MAC address table. Alternatively, disable MAC learning and define all MAC address table entries manually to prevent these attacks from succeeding.

Before You Begin

Verify this firewall supports transparent mode. See Setting the Firewall Operating System Version. Mode changes must be performed using the CLI and must match the settings in Firewall MC. See What Is Meant by Mode?.

You do not need to define MAC addresses if the MAC learning feature is enabled on an interface. See Enabling Automatic Discovery of MAC Addresses.


Step 1 Select Configuration > Device Settings > Transparent Firewall > MAC Address Table.

The MAC Address Table page appears.

Step 2 To specify the number of minutes that pass before a learned MAC address is removed from this table, enter that value in the Dynamic Entry Timeout field.

Step 3 For each interface and MAC address pair that you want to define, click Add.

A popup window appears.

Step 4 From the Interface list, select the interface on which frames from the MAC address are received.

Transparent firewalls support only two VLAN interfaces: inside and outside.

Step 5 In the MAC address field, enter the MAC address.

MAC addresses must be unique to ensure proper forwarding.

Step 6 To enter the new pair in the MAC address table, click OK.

The popup window closes and the new entry appears in the table.


Table 8-3 describes the elements on the MAC Address Table page.

Table 8-3 MAC Address Table 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Dynamic Entry Timeout

Enables and identifies the number of minutes that can pass before learned MAC addresses are purged from the dynamic MAC address table. This value must be between 5 minutes and 12 hours (default is 5 minutes); it is only used if MAC learning is enabled on one or both of the interfaces. To disable clearing of the forwarding table, clear the field (make it blank).

Interface

Identifies the interface to which the MAC address is attached. This VLAN interface is referred to as the source interface.

MAC address

Identifies the MAC address of a node that resides on the same network segment as the VLAN interface.


Enabling Automatic Discovery of MAC Addresses

You can enable automatic discovery of the MAC addresses attached to either of the two VLAN interfaces defined for the firewall operating in transparent mode. A discovered address is added to the dynamic MAC address table (layer 2 forwarding table) to ensure that destination packets are properly forwarded between the interfaces. Any packet destined for an address that is not specifically defined (or automatically discovered) is dropped without further inspection. If automatic discovery is enabled and the destination address is not defined in the MAC address table (see Identifying the MAC Addresses for the Firewall), the interface sends out an ARP request to determine if the address is attached. If it is attached, inspection continues using the Ethertype access rules and then other access rules. Otherwise, the packet/frame is dropped.


Step 1 Select Configuration > Device Settings > Transparent Firewall > MAC Learning.

The MAC Learning page appears.

Step 2 Determine the interfaces for which you want MAC learning enabled, then select the appropriate check boxes.

Step 3 Click Apply.

The next time generated commands are deployed to the firewall device, the selected interfaces will add dynamic entries to the MAC address table.
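The following Python model, added here as an example and not FWSM or Firewall MC code, ties together the behaviour described under Identifying the MAC Addresses for the Firewall and Enabling Automatic Discovery of MAC Addresses: static interface/MAC pairs, per-interface MAC learning via ARP, the Dynamic Entry Timeout (5 minutes to 12 hours, blank meaning never purge), and the drop-if-unknown rule. The class and method names are this example's own; it also assumes that a manually defined pair is never overwritten by a learned one, which is how the page's statement that manual entries prevent spoofing from succeeding is modelled here.

```python
"""Model of the transparent-firewall MAC address table this chapter describes.

Added example, not FWSM or Firewall MC code. Assumptions: names are this
example's own; a static (manually defined) pair wins over a learned claim
for the same MAC; the ARP probe is simulated by the caller telling us on
which interface (if any) the destination answered.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INSIDE, OUTSIDE = "inside", "outside"      # the only two transparent-mode interfaces
MIN_TIMEOUT_MIN, MAX_TIMEOUT_MIN = 5, 12 * 60


@dataclass
class Entry:
    interface: str
    learned_at: Optional[float]   # None marks a static (manually defined) entry


class TransparentMacTable:
    def __init__(self, timeout_minutes: Optional[int] = 5,
                 learning: Optional[Dict[str, bool]] = None):
        # Dynamic Entry Timeout: 5 minutes to 12 hours; a blank field (None)
        # disables purging of the forwarding table.
        if timeout_minutes is not None and not MIN_TIMEOUT_MIN <= timeout_minutes <= MAX_TIMEOUT_MIN:
            raise ValueError("Dynamic Entry Timeout must be 5 minutes to 12 hours, or blank")
        self.timeout = timeout_minutes
        # MAC Learning page: both interface check boxes are selected by default.
        self.learning = learning if learning is not None else {INSIDE: True, OUTSIDE: True}
        self.table: Dict[str, Entry] = {}
        self.events: List[str] = []   # audit trail of forwarding decisions

    def add_static(self, mac: str, interface: str) -> None:
        """Manually defined interface/MAC pair (MAC Address Table page)."""
        self.table[mac] = Entry(interface, None)

    def _age_out(self, now: float) -> None:
        """Purge dynamic entries older than the timeout; static entries stay."""
        if self.timeout is None:
            return
        for mac, e in list(self.table.items()):
            if e.learned_at is not None and now - e.learned_at >= self.timeout * 60:
                del self.table[mac]
                self.events.append(f"aged out {mac} on {e.interface}")

    def learn(self, mac: str, interface: str, now: float) -> bool:
        """Record a MAC seen on an interface where learning is enabled.
        Returns False (and records why) when the learn is refused."""
        if not self.learning.get(interface, False):
            self.events.append(f"learning disabled on {interface}; {mac} not learned")
            return False
        cur = self.table.get(mac)
        if cur is not None and cur.learned_at is None and cur.interface != interface:
            # A static pair already binds this MAC to the other interface. A learned
            # claim from elsewhere is the spoofing/poisoning symptom the page warns
            # about, so the model refuses it and leaves a record for review.
            self.events.append(f"refused: {mac} is static on {cur.interface}, seen on {interface}")
            return False
        self.table[mac] = Entry(interface, now)
        return True

    def forward(self, dst_mac: str, in_interface: str, now: float,
                arp_reachable: Optional[str] = None) -> Optional[str]:
        """Decide where a frame for dst_mac arriving on in_interface is switched.
        Returns the egress interface, or None when the frame is dropped.
        arp_reachable simulates the ARP answer: the interface on which the
        destination replied, or None if nothing answered."""
        self._age_out(now)
        other = INSIDE if in_interface == OUTSIDE else OUTSIDE
        e = self.table.get(dst_mac)
        if e is None:
            # Unknown destination: without learning on the far side it is dropped;
            # with learning, an ARP probe decides and a dynamic entry is added.
            if not self.learning.get(other, False):
                self.events.append(f"dropped frame for unknown {dst_mac} (no learning on {other})")
                return None
            if arp_reachable != other:
                self.events.append(f"dropped frame for {dst_mac}: no ARP answer on {other}")
                return None
            self.table[dst_mac] = Entry(other, now)
            e = self.table[dst_mac]
        if e.interface == in_interface:
            # Destination sits on the receiving segment, so nothing is switched.
            self.events.append(f"not forwarded: {dst_mac} is on {in_interface} itself")
            return None
        return e.interface
```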


Table 8-4 describes the elements on the MAC Learning page.

Table 8-4 MAC Learning

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Outside check box

When selected (default), the outside interface uses ARP to discover the MAC addresses residing on the attached subnet.

Inside check box

When selected (default), the inside interface uses ARP to discover the MAC addresses residing on the attached subnet.


Identifying the IP Addresses Used for Management

Although transparent firewalls operate at layer 2, they are managed by an IP address. In addition, supporting services that ride on top of IP, TCP, or UDP use this IP address. These supporting services include ARP requests, AAA, syslog, and WebSense. You must define a unique management IP address for each security context.


Step 1 Select Configuration > Device Settings > Transparent Firewall > Management IP.

The Management IP page appears.

Step 2 In the Management IP Address field, enter the IP address used to manage this transparent firewall.

This address is the IP address that Firewall MC uses to manage the firewall. Although the address resides over both VLAN interfaces, it must be unique for each security context.

Step 3 In the Subnet Mask field, enter the value for the subnetwork mask on which the IP address resides.

Step 4 Click Apply.

Firewall MC uses this address when you try to deploy generated command sets to the firewall device and to update any commands that use the management address.


Table 8-5 describes the elements on the Management IP page.

Table 8-5 Management IP 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Management IP Address

IP address used to manage the firewall device. You must define a unique IP address for each security context.

Subnet Mask

Subnet mask of the network on which the management IP address resides.


Configuring Firewall Device Administration

Firewall device administration consists of:

Configuring Passwords

Configuring Firewall Device Contact Info

Configuring HTTPS (SSL)

Configuring Telnet

Configuring Secure Shell

Configuring Management Access

Configuring SNMP

Configuring ICMP Interface Rules

Configuring AAA Admin Authentication

Configuring User Accounts

Configuring Console Timeout

Configuring Passwords

The Password feature allows you to set the enable and Telnet passwords. If you are a system administrator, you can log in to the firewall device using the following types of previously configured connections:

Serial console port.

Telnet.

Secure Sockets Layer (SSL).

SSH (Secure Shell).

You can define RADIUS or TACACS servers to authenticate any of these connection types. To access this feature, select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.

If you administer the device from the CLI, you must enter the enable password to reach privileged mode, which lets you view or change the firewall device configuration. Administrators who connect by serial port, Telnet, or SSH therefore need the enable password in addition to the credentials that admit them to the console; administrators who connect over HTTPS (SSL) are authenticated with the enable password when no AAA server is configured.

The default Telnet password is "cisco". The Telnet password also authenticates SSH administrators when no firewall device administrative AAA authentication is defined for SSH: from the SSH client, log in with the username pix and the Telnet password. Because the default password is publicly known, change it before the device is reachable from any network you do not fully control.

If you will use a AAA authentication server to authenticate users, you do not need to complete the Password page.



Important Notes and Restrictions for Passwords

Firewall device passwords can be a maximum of 16 characters.

SSH permits up to 100 characters in a username and up to 50 in a password.

Passwords can consist of alphanumeric (U.S. English) or special characters except for the question mark, space, or *-*-*-*-*-*-*-*- string.

Passwords are case-sensitive; for example, an uppercase "A" is recognized differently from a lowercase "a."


Note Make sure Caps Lock and Num Lock are not set when you enter passwords.


Passwords should not be any word or syllable that would be found in a dictionary of common languages, the word "password," your date of birth, organization name, or anything easy to guess about you or your organization.

Passwords should be stored in a manner consistent with the security policy of your organization. After you change a password, you cannot see it again.
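The rules above are easy to state and easy to get wrong by hand. The following added example (not Firewall MC or Cisco code) checks a candidate enable or Telnet password against the hard limits this page gives (16 characters, no question mark or space, not the reserved *-*-*-*-*-*-*-*- string) and then normalizes it before comparing against a blocklist, so that "P@ssw0rd" is caught as "password". The blocklist, the leet substitution table, the 8-character minimum, and the organization-name and birth-year checks are assumptions for the example; the page only says such values are easy to guess.

```python
import re

# Hard limits stated on this page for PIX enable and Telnet passwords.
MAX_LEN = 16
FORBIDDEN_CHARS = {"?", " "}
FORBIDDEN_STRING = "*-*-*-*-*-*-*-*-"

# Assumed local minimum; the page gives no minimum length.
MIN_LEN = 8

# Constructed blocklist standing in for a dictionary of common words and
# vendor defaults (a real deployment would load a full word list).
COMMON_WORDS = {"password", "cisco", "admin", "firewall", "secret",
                "welcome", "letmein", "pix"}

# Keyboard substitutions undone before comparing against the blocklist (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Lowercase, undo leet substitutions and drop anything that is not a letter,
    so that 'P@ssw0rd99' compares as 'password'."""
    text = password.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", text)


def check_password(password, org_name="", birth_year=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if not password:
        problems.append("empty password")
        return problems
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    bad = sorted(c for c in set(password) if c in FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden character(s): "
                        + ", ".join(repr(c) for c in bad))
    if FORBIDDEN_STRING in password:
        problems.append("contains the reserved string " + FORBIDDEN_STRING)
    if not password.isascii():
        problems.append("contains non-ASCII characters")
    core = normalize(password)
    if core in COMMON_WORDS:
        problems.append(f"normalizes to the common word {core!r}")
    org = normalize(org_name) if org_name else ""
    if org and org in core:
        problems.append("contains the organization name")
    if birth_year and str(birth_year) in password:
        problems.append("contains the birth year")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3", "what? no", "Acme#2024!"):
        print(candidate, "->", check_password(candidate, org_name="ACME") or "ok")
```

Run the checker before entering a password on the Password page; once applied, the page does not display the password again, so this is the last point at which a weak value is cheap to catch.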

Setting a Password


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Password.

The Password page appears.

Step 2 Enter the new enable password.

The enable password sets the enable password on the firewall device so that you can enter privilege mode when administering CLI commands. See Important Notes and Restrictions for Passwords.


Note Use the same enable password that you entered during bootstrapping. See "Preparing Your Firewall Devices."


Step 3 Reenter the new enable password in the Confirm New Password field.


Note If you are deploying to a device, you must enter the enable password in the contact information for that device. See Configuring Firewall Device Contact Info.


Step 4 Enter the new Telnet password to set the Telnet password on the firewall device so you can connect to a device using Telnet.

Step 5 Reenter the new Telnet password in the Confirm New Password field.

Step 6 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-6 describes the elements on the Password page.

Table 8-6 Password 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable password

Sets the enable password on the firewall device, which allows you to enter privilege mode when administering from the CLI. A case-sensitive password of up to 16 alphanumeric (U.S. English) and special characters. Any character can be used except a question mark, space or *-*-*-*-*-*-*-*- string. Fields are:

New Password—Enter new password.

Confirm New Password—Reenter new password.

Note Use the same enable password that you entered during bootstrapping.

Telnet password

Sets the Telnet password on the firewall device, which allows you to connect using Telnet. A case-sensitive password of up to 16 alphanumeric (U.S. English) and special characters. Any character can be used except a question mark, space or *-*-*-*-*-*-*-*- string. Fields are:

New Password—Enter new password.

Confirm New Password—Reenter new password.


Configuring Firewall Device Contact Info

The Firewall Device Contact Info feature records the username, password, and IP address that Firewall MC and AUS use to authenticate to a firewall device. Depending on how the target device is configured, you can supply the enable password with an empty username, or a AAA username with its associated password. You can also enter a future username, password, and IP address, which take effect once the configuration files that change them have been deployed to the device. To access the Firewall Device Contact Info feature, select Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info.

Use the Firewall Device Contact Info feature if you are deploying configuration files to an AUS or directly to devices.

AUS—The AUS supports a feature that you can use to initiate an immediate auto update request on the AUS. The credentials you defined in the Firewall MC GUI are passed to the AUS. This enables the AUS to authenticate with the device during the immediate auto update. See the AUS online help for more information.

Directly to devices—The credentials defined in the Firewall MC GUI are used to authenticate Firewall MC to the firewall devices.

Applying Firewall Device Contact


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Firewall Device Contact Info.

The Firewall Device Contact Info page appears.

Step 2 In the Current Username field, enter the username that the firewall device authenticates with AAA. If no AAA server is used, leave the field blank.

Step 3 (Optional) Enter the IP address that Firewall MC uses to contact a firewall device using HTTPS.

Step 4 Enter the current password. Use one of the following:

AAA server password if AAA authentication is used on the target firewall device.

Local enable password if no AAA server is used.

Step 5 Reenter the current password in the Confirm Current Password field.

Step 6 Enter the future username that the firewall device will use to authenticate with AAA. If no AAA server is used, leave the field blank.


Note Future fields are used if the elements will be changed on the target firewall device after the configuration file is deployed.


Step 7 Enter the future IP address for Firewall MC to use to contact a firewall device using HTTPS.

Step 8 Enter the future password.

Step 9 Reenter the future password in the Confirm Future Password field.

Step 10 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-7 describes the elements on the Firewall Device Contact Info page.


Note If you are using the immediate auto update feature, you do not have to complete the GUI elements labeled "future." If you are deploying directly to devices, you must complete the GUI elements labeled "future."

Table 8-7 Firewall Device Contact Info 

Element
Description

Current Username1

Username that the firewall device authenticates with AAA.

Note If no AAA server is used, leave the username field blank.

Current IP Address

Optional IP address that Firewall MC uses when contacting the firewall device over HTTPS. Generally a firewall device interface address, but it might differ because of address translation between the Firewall MC server and the firewall device.

Current Password

One of the following:

AAA server password if AAA authentication used on target firewall device.

Local enable password if no AAA server used.

Confirm Current Password

Reenter current password.

Future Username

Name firewall device uses to authenticate with AAA. If no AAA server is used, leave field blank.

Note This field is used if the username and password will be changed on the target firewall device after the configuration file is deployed.

Future IP Address

Optional IP address Firewall MC uses to contact firewall device using HTTPS. Generally a PIX Firewall interface address, but might be different because of address translation between Firewall MC server and firewall device.

Note This field is used if the IP address will be changed on the target firewall device after the configuration file is deployed.

Future Password

One of the following:

AAA server password if AAA authentication used on target firewall device.

Local enable password if no AAA server used.

Note This field is used if the password will be changed on the target firewall device after the configuration file is deployed.

Confirm Future Password

Reenter future password.

1 Use the enable password with an empty username or a AAA username with associated password depending on the target firewall device setting.


Configuring HTTPS (SSL)

The HTTPS (SSL) feature allows you to configure rules that permit only specific hosts or networks to connect to the firewall device using HTTPS. To access this feature, select Configuration > Device Settings > Firewall Device Administration > HTTPS (SSL).

A secure connection is needed so that a PC or workstation running a web browser, or the Firewall MC server, or both, can communicate with the firewall device. Each rule restricts HTTPS access through one firewall device interface to a specific IP address and netmask. A connection attempt that matches a rule must still be authenticated, either through a configured AAA server or with the enable password, and the session is encrypted with the Secure Sockets Layer (SSL) protocol. Keep the permitted addresses as narrow as possible; a host mask for each management workstation is the usual choice.

Adding or Editing an HTTPS (SSL) Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > HTTPS (SSL).

The HTTPS (SSL) page appears.

Step 2 Do one of the following:

To add a new row to the table, click Add.

The HTTP Interface dialog box appears.

To edit a row, select the check box for the row, then click Edit.

The HTTP Interface dialog box appears.

Step 3 Select the interface that permits SSL connections. The list displays all interfaces defined at the current scope.

Step 4 Enter the IP address that specifies the host or network authorized to initiate an HTTPS connection to a firewall device.

Step 5 Enter the IP mask.

Step 6 Click OK.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-8 describes the elements on the HTTPS (SSL) page.

Table 8-8 HTTPS (SSL) 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface Name

Name of interface that permits SSL connections.

Note If you are adding or editing an interface, you select from a list containing all interfaces defined at the current scope.

IP Address

Specifies host or network authorized to initiate an HTTPS connection to firewall device.

Mask

Network mask for IP address of each host or network permitted to connect to firewall device through specified interface. You can express the value in dotted decimal format (e.g. 255.255.255.0) or by entering the number of bits in the network mask (e.g. 24).

Note If you do not specify a network mask, the default is 255.255.255.255 regardless of the class of IP address.


Deleting an HTTPS (SSL) Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > HTTPS (SSL).

The HTTPS (SSL) page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.


Configuring Telnet

The Telnet feature allows you to configure rules that permit specific hosts or networks to connect to the firewall device through Telnet. Each rule restricts administrative Telnet access through one firewall device interface to a specific IP address and netmask. A connection attempt that matches a rule must still be authenticated, either by a configured AAA server or with the Telnet password. To access this feature, select Configuration > Device Settings > Firewall Device Administration > Telnet.

Telnet carries the session, including the password, in cleartext. Prefer Secure Shell for administrative access wherever the client supports it, and limit any Telnet rules to trusted internal hosts.

If you use a AAA authentication server, it replaces the Telnet password for these sessions, but you must still define which hosts or networks are permitted to connect.

Applying a Telnet Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Telnet.

The Telnet page appears.

Step 2 Enter the timeout value. Values are 1 to 60 minutes.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


You are now ready to add or edit a Telnet rule.

Adding or Editing a Telnet Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Telnet.

The Telnet page appears.

Step 2 Do one of the following:

To add a new row to the table, click Add.

The Telnet Interface dialog box appears.

To edit a row, select the check box for the row, then click Edit.

The Telnet Interface dialog box appears.

Step 3 Select the interface that should receive Telnet packets from the client. The list displays all interfaces defined at the current scope.

Step 4 Enter the IP address of the host or network that can access the firewall device Telnet console.

Step 5 Enter the IP address netmask.

Step 6 Verify the information is correct, then click OK.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-9 describes the elements on the Telnet page.

Table 8-9 Telnet 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Timeout (minutes)

Number of minutes Telnet session can remain idle before firewall device closes it. Values are 1-60 minutes. Default is 5.

Interface Name

Interface that receives Telnet packets from the client.

Note If you are adding or editing a rule, you select from a list containing all interfaces defined at the current scope.

IP Address

IP address of host or network that can access PIX Firewall Telnet console.

Mask

Netmask for IP address of each host or network permitted to connect to firewall device through specified interface. Default is 255.255.255.255 regardless of class.

Note To limit access to a single IP address, use 255.255.255.255. Do not use the subnetwork mask of the internal network.


Deleting a Telnet Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Telnet.

The Telnet page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.


Configuring Secure Shell

The Secure Shell feature allows you to configure rules that permit only specific hosts or networks to connect to the firewall device for administrative access using the Secure Shell (SSH) protocol. Each rule restricts SSH access through one firewall device interface to a specific IP address and netmask. A connection attempt that matches a rule must still be authenticated, either by a configured AAA server or with the Telnet password. To access this feature, select Configuration > Device Settings > Firewall Device Administration > Secure Shell.


Note SSH is not required for you to use Firewall MC.


Applying SSH


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Secure Shell.

The Secure Shell page appears.

Step 2 Verify the timeout value, which displays the number of minutes the secure shell session can remain idle before the firewall device closes it. Values are 1 to 60 minutes. Default is 5.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


You are now ready to add or edit an SSH rule.

Adding or Editing an SSH Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Secure Shell.

The Secure Shell page appears.

Step 2 Do one of the following:

To add a new row, click Add.

The SSH Interface dialog box appears.

To edit a row, select the check box for the row, then click Edit.

The SSH Interface dialog box appears.

Step 3 Select the firewall device interface that permits SSH connections. The list displays all interfaces defined at the current scope.

Step 4 Enter the IP address of the host or network authorized to initiate an SSH connection.

Step 5 Enter the netmask.

Step 6 Verify the information is correct, then click OK.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-10 describes the elements on the SSH page.

Table 8-10 SSH 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Timeout (minutes)

Number of minutes Secure Shell session can remain idle before firewall device closes it. Values are 1-60 minutes. Default is 5.

Interface Name

Name of firewall device interface that permits SSH connections.

Note If you are adding or editing a rule, you select from a list containing all interfaces defined at the current scope.

IP Address

IP address of the host or network authorized to initiate an SSH connection to the firewall device.

Mask

Netmask for IP address of each host or network permitted to connect to firewall device through specified interface.

Note If you do not specify a netmask, the default is 255.255.255.255 regardless of the class.


Deleting an SSH Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Secure Shell.

The Secure Shell page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.
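The HTTPS (SSL), Telnet, and Secure Shell pages all produce the same kind of rule: an interface, an address, and a mask that the page says may be written in dotted-decimal or prefix-length form and defaults to 255.255.255.255 when omitted. The following added example (not Firewall MC or Cisco code) parses a constructed excerpt of the generated PIX command set and flags the rules a reviewer would question: any-source rules, rules that admit more than one host, Telnet on the outside interface, and long idle timeouts. The command syntax (http, telnet, ssh followed by address, mask and interface name; telnet timeout and ssh timeout in minutes) is assumed here to match what Firewall MC generates; the addresses, the single-host policy, and the 15-minute timeout ceiling are assumptions for the example.

```python
import ipaddress

# Constructed excerpt of the PIX 6.x-style command set the three admin-access pages
# generate. Command syntax assumed; addresses and interface names are made up.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
http server enable
http 10.1.1.5 255.255.255.255 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.5 inside
ssh timeout 60
"""

ADMIN_PROTOCOLS = ("http", "telnet", "ssh")
MAX_HOSTS_PER_RULE = 1     # policy assumption: admin rules should name single hosts
MAX_IDLE_MINUTES = 15      # policy assumption; the page allows 1-60, default 5
DEFAULT_TIMEOUT = 5        # default stated on the page for Telnet and SSH


def parse_mask(text):
    """Accept a dotted netmask or a prefix length, as the Mask field does."""
    if text.isdigit():
        return ipaddress.IPv4Network(f"0.0.0.0/{int(text)}").netmask
    return ipaddress.IPv4Address(text)


def parse_admin_rules(config):
    """Return (rules, timeouts). A rule is (protocol, IPv4Network, interface name).
    A missing mask defaults to the host mask 255.255.255.255, as the page states."""
    rules, timeouts = [], {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ADMIN_PROTOCOLS:
            continue
        proto = parts[0]
        if parts[1] == "timeout":
            timeouts[proto] = int(parts[2])
            continue
        if parts[1] == "server":        # 'http server enable' is not an access rule
            continue
        ip = parts[1]
        if len(parts) == 3:             # <ip> <ifname>: mask omitted
            mask, ifname = "255.255.255.255", parts[2]
        else:                           # <ip> <mask> <ifname>
            mask, ifname = parts[2], parts[3]
        net = ipaddress.IPv4Network((ip, str(parse_mask(mask))), strict=False)
        rules.append((proto, net, ifname))
    return rules, timeouts


def audit_admin_access(config, outside_ifname="outside"):
    """Flag administrative access rules and timeouts a reviewer would question."""
    findings = []
    rules, timeouts = parse_admin_rules(config)
    for proto, net, ifname in rules:
        if net.prefixlen == 0:
            findings.append(f"{proto}: rule on {ifname} permits any source ({net})")
        elif net.num_addresses > MAX_HOSTS_PER_RULE:
            findings.append(f"{proto}: rule on {ifname} permits {net.num_addresses} "
                            f"hosts ({net}); use a host mask")
        if proto == "telnet" and ifname == outside_ifname:
            findings.append(f"telnet: cleartext protocol permitted on {ifname}")
    for proto in ("telnet", "ssh"):
        minutes = timeouts.get(proto, DEFAULT_TIMEOUT)
        if minutes > MAX_IDLE_MINUTES:
            findings.append(f"{proto}: idle timeout {minutes} min exceeds {MAX_IDLE_MINUTES} min")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_CONFIG):
        print(finding)
```

Run it against the command set Firewall MC generates before deployment; the same parser works for a configuration pulled from a device with show running-config, which is how you would confirm that a deployed rule set matches what the pages show.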


Configuring Management Access

The Management Access feature allows you to enable or disable management access on an interface. You can enable it on only one interface at a time. When you enable it on an internal interface, an administrator connected through an IPSec VPN tunnel that terminates on another interface can manage the firewall using that internal interface's address. The following functions are available on an interface with Management Access enabled:

SNMP polls to the management interface.

HTTPS requests to the management interface.

PDM access to the management interface.

Telnet access to the management interface.

SSH access to the management interface.

Ping to the management interface.


Note The Management Access feature is only available on PIX Firewall software versions 6.3 and higher.


To access this feature, select Configuration > Device Settings > Firewall Device Administration > Management Access.

Enabling or Disabling Management Access


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Management Access.

The Management Access page appears.

Step 2 To enable the Management Access feature, select the interface name on which you want to permit management access connections. You can enable the Management Access feature on only one interface at a time.


Note The list displays all interfaces defined at the current scope.


Step 3 To disable the Management Access feature, select (None).

Step 4 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-11 describes the elements on the Management Access page.

Table 8-11 Management Access 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface Name

Name of firewall device interface that permits management access connections. You can enable the Management Access feature on only one interface at a time. Select (None) to disable management access.

Note The list displays all interfaces defined at the current scope.


Configuring SNMP

The SNMP feature allows you to configure the firewall device for monitoring by Simple Network Management Protocol (SNMP) management stations. SNMP defines a standard way for network management stations or workstations to monitor the health and status of many types of devices, including switches, routers, and the firewall device. To access this feature, select Configuration > Device Settings > Firewall Device Administration > SNMP.

Configuring MIBs

The firewall device supports these MIBs:

MIB II—System and Interface groups only.

Cisco Firewall MIB—cfwSystem group only.

Cisco Memory Pool MIB.

Cisco syslog MIB—Used for the syslog traps the device sends; browsing of the Cisco syslog MIB is not supported.

All SNMP variables supported in the firewall device are read-only (RO): management stations can browse them but cannot change the configuration through SNMP.


Note For Cisco MIB files and object identifiers (OIDs), see: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Configuring OIDs

The MIB-II variable mib-2.system.sysObjectID returns one of the following platform-specific OIDs, which a management station such as CiscoView uses to identify the firewall model:

501—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall501 (same as .1.3.6.1.4.1.9.1.417).

506—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall506 (same as .1.3.6.1.4.1.9.1.389).

506E—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall506E (same as .1.3.6.1.4.1.9.1.450).

515—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall515 (same as .1.3.6.1.4.1.9.1.390).

515E—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall515E (same as .1.3.6.1.4.1.9.1.451).

520—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall520 (same as .1.3.6.1.4.1.9.1.391).

525—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall525 (same as .1.3.6.1.4.1.9.1.392).

535—.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall535 (same as .1.3.6.1.4.1.9.1.393).

For other firewall device platforms:

.iso.org.dod.internet.private.enterprises.cisco.ciscoProducts.ciscoPIXFirewall (same as .1.3.6.1.4.1.9.1.227).

Configuring Traps

The firewall device supports many SNMP traps. SNMP trap settings can also be configured from Firewall MC. The logging feature allows you to enable or disable the sending of messages to an SNMP management station and to set the SNMP message level. Firewall MC supports a maximum of 32 management stations.

Applying Settings to an SNMP Management Station


Step 1 Select Configuration > Device Settings > Firewall Device Administration > SNMP.

The SNMP page appears.

Step 2 Verify the password community string, which the SNMP management station presents when sending requests to a firewall device. The default is "public". Change it: the community string travels in cleartext with every request and is the only thing that authenticates a poll, so treat it as a password and never leave the default in place.

Step 3 Enter the name of the system administrator for the firewall device.

Step 4 Enter the firewall device location.

Step 5 Select the Send syslog as SNMP traps check box.

Step 6 Select the logging level from the list. See Logging Level list in the Field-Level Elements and Descriptions table.

Step 7 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


You are now ready to add or edit an SNMP rule.

Adding or Editing an SNMP Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > SNMP.

The SNMP page appears.

Step 2 Do one of the following:

To add a new row, click Add.

The SNMP Interface dialog box appears.

To edit a row, select the check box for the row, then click Edit.

The SNMP Interface dialog box appears.

Step 3 Select the interface name from the list. The list displays all interfaces defined at the current scope.

Step 4 Enter the IP address.

Step 5 Determine whether to set polling or trap information, then select the respective check box.

Poll check box—When selected, allows the firewall device to respond to periodic requests from the management station for syslog events or other information.

Trap check box—When selected, sends syslog events when they occur.

Step 6 Verify the information is correct, then click OK.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-12 describes the elements on the SNMP page.

Table 8-12 SNMP 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Password (community string)

Password that the SNMP management station presents when sending requests to the firewall device. The SNMP community string is a shared secret between the SNMP management stations and the network nodes being managed; the firewall device uses it to decide whether an incoming SNMP request is valid.

Password is case-sensitive and can be up to 32 characters. Spaces are not permitted. Default is "public."

System Administrator Name

Name of firewall device system administrator. Text is case-sensitive and can be up to 127 characters. Spaces accepted, but multiple spaces are shortened to a single space.

Firewall Device Location

Specify firewall device location. Text is case-sensitive and can be up to 127 characters. Spaces accepted, but multiple spaces shortened to a single space.

Send syslog as SNMP traps check box

When selected, sends syslog as SNMP traps. See logging level type.

Logging Level list

List of logging messages to be sent to SNMP management station.

Note The logging levels generated by the firewall device are an ordered list of recorded events; each subsequent logging level option includes all events generated by the previous logging level.

Emergency (level 0)—System unusable. Generates messages that identify system instabilities.

Alerts (level 1)—Immediate action needed. Generates messages that identify system integrity issues that require immediate administrative action.

Critical (level 2)—Critical condition. Generates messages that identify critical system issues.

Errors (level 3)—Error condition. Generates messages that identify system errors during operation.

Warnings (level 4)—Warning condition. Generates messages that identify system warnings, for example, device might be configured incorrectly.

Notifications (level 5)—Normal but significant condition. Generates messages that identify normal operations that are typically considered significant events.

Informational (level 6)—Informational message only. Generates messages that identify system information that is typical of day-to-day activity, such as network session records.

Note This setting directly affects the level of reports you can generate about network activity for this firewall device. We recommend that you select Informational to ensure that all report data is available.

Debugging (level 7)—Appears during debugging only. Generates messages that assist you in debugging. Also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions.

Disabled—No logging.

Interface Name

Logical name of the interface through which packets leave the firewall device to reach the SNMP management station, for example, inside or outside.

Note The list displays all interfaces defined at the current scope.

IP Address

IP address of the SNMP management station to which the firewall device sends trap events and from which it accepts requests or polls.

Poll/Trap check boxes

Poll check box—When selected, allows the firewall device to respond to periodic requests from the management station for syslog events or other information. When enabled, the setting is shown as true on the summary page.

Trap check box—When selected, sends syslog events to the management station as they occur. When enabled, the setting is shown as true on the summary page.


Deleting SNMP Client Information


Step 1 Select Configuration > Device Settings > Firewall Device Administration > SNMP.

The SNMP page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.


Configuring ICMP Interface Rules

ICMP enables a network device to ping an IP address to discover the presence, identity, and function of other devices and to test intermediate communications links and network availability. The ICMP feature can enable or disable the ping response or echo of an interface on the firewall device. To access this feature, select Configuration > Device Settings > Firewall Device Administration > ICMP Interface Rules.

The rules table configures an access list that permits or denies ICMP traffic terminating at the firewall device. You specify a permit or deny action for each interface you add in the rules table. If no interfaces are added to the rules table, the default action for each interface is to permit ICMP traffic.

When an interface receives an ICMP packet, the firewall device searches the access list. If the first matched entry is a permit entry, the packet continues to be processed. If the first matched entry is a deny entry, or no entry matches, the firewall device discards the packet and generates the %PIX-3-313001 syslog message. The exception is when no ICMP access-list command statement is configured; permit is then assumed.


Note We recommend that you grant permission for ICMP unreachable messages (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU discovery.
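The first-match evaluation described above, modelled as an added example (not Firewall MC or PIX code). The rules, addresses and interface names are constructed; %PIX-3-313001 is the message ID the text names, while the field layout after it is an assumption. The source mask is accepted in either form the rules table allows, dotted decimal or a bit count, and a small audit reports how ICMP unreachable (type 3) fares on each interface that has a list.

```python
"""Model of the per-interface ICMP access list evaluated by the firewall device."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

UNREACHABLE = 3  # ICMP type the guide recommends permitting (Path MTU discovery)


@dataclass(frozen=True)
class IcmpRule:
    interface: str            # interface at which the ICMP packet arrives
    action: str               # "permit" or "deny"
    source: IPv4Network       # source host or network
    icmp_type: Optional[int]  # None means "All types"


def parse_source(ip: str, mask: str) -> IPv4Network:
    """Build the source network from either mask form the rules table accepts:
    dotted decimal (255.255.255.0) or a bit count (24)."""
    return IPv4Network(f"{ip}/{mask}", strict=False)


def evaluate(rules: List[IcmpRule], interface: str, src: str,
             icmp_type: int) -> Tuple[str, Optional[str]]:
    """Return (action, syslog) for an ICMP packet terminating at the firewall.

    No entries for the ingress interface: permit is assumed. Otherwise the
    first matching entry decides; a deny match, or no match at all, drops
    the packet and raises %PIX-3-313001.
    """
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return "permit", None
    addr = IPv4Address(src)
    for rule in applicable:
        type_match = rule.icmp_type is None or rule.icmp_type == icmp_type
        if type_match and addr in rule.source:
            if rule.action == "permit":
                return "permit", None
            break  # first match is a deny entry
    # Field layout after the message ID is constructed for illustration.
    syslog = (f"%PIX-3-313001: Denied ICMP type={icmp_type}, from {src} "
              f"on interface {interface}")
    return "deny", syslog


def audit_unreachable(rules: List[IcmpRule]) -> Dict[str, str]:
    """For each interface with an access list, report how type 3 fares:
    'permitted' (from any source), 'partial' (some sources only) or
    'denied' (explicit deny, or the implicit deny at the end of the list)."""
    verdicts: Dict[str, str] = {}
    for iface in sorted({r.interface for r in rules}):
        verdict = "denied"
        for rule in rules:
            if rule.interface != iface or rule.icmp_type not in (None, UNREACHABLE):
                continue
            if rule.action == "deny":
                verdict = "denied"
            elif rule.source.prefixlen == 0:
                verdict = "permitted"
            else:
                verdict = "partial"
            break  # the first entry covering type 3 decides
        verdicts[iface] = verdict
    return verdicts


# Constructed rules table: outside permits unreachables from anywhere and echo
# requests from a management network, then denies everything else; inside
# permits all ICMP, but only from the internal address space.
RULES = [
    IcmpRule("outside", "permit", parse_source("0.0.0.0", "0.0.0.0"), UNREACHABLE),
    IcmpRule("outside", "permit", parse_source("192.0.2.0", "255.255.255.0"), 8),
    IcmpRule("outside", "deny", parse_source("0.0.0.0", "0"), None),
    IcmpRule("inside", "permit", parse_source("10.0.0.0", "8"), None),
]

if __name__ == "__main__":
    for iface, src, t in [("outside", "198.51.100.7", 8), ("outside", "192.0.2.10", 8),
                          ("outside", "198.51.100.7", 3), ("inside", "172.16.0.1", 8),
                          ("dmz", "10.9.9.9", 8)]:
        print(iface, src, t, evaluate(RULES, iface, src, t))
    print(audit_unreachable(RULES))
```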


Inserting or Editing an ICMP Interface Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > ICMP Interface Rules.

The ICMP Interface Rules page appears.

Step 2 Do one of the following:

To add a row, click Insert.

The ICMP Interface dialog box appears.

To edit a row, select the check box for the row, then click Edit.

The ICMP Interface dialog box appears.

Step 3 Select the ICMP message type from the list. See Table 8-13.

Step 4 From the list, select the name of the interface at which the ICMP packet arrives.

Step 5 Enter the source IP of each host or network added to the ICMP rule table (access list) for the interface.

Step 6 Enter the source IP mask.

Step 7 Determine the action for the rule (permit or deny), then click the appropriate radio button.

Permit—Permits the ability to ping a firewall device interface.

Deny—Denies the ability to ping a firewall device interface.

Step 8 Verify the information is correct, then click OK.

Changes are applied to the assigned firewall device configuration files when the files are generated.


Table 8-13 describes the elements on the ICMP Interface Rules page.

Table 8-13 ICMP Interface Rules 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface Name

Name of interface at which the ICMP packet arrives.

Note If you are using a wizard, a list displays all interfaces defined at the current scope.

Action

Options are:

Permit—Permits ability to ping a firewall device interface.

Deny—Denies ability to ping a firewall device interface.

Source IP Address

IP address of each host or network added to ICMP rule table (access list) for interface.

Source IP mask

Network mask for source IP address. You can express the value in dotted decimal format (e.g. 255.255.255.0) or by entering the number of bits in the network mask (e.g. 24).

ICMP Message Type

Type of ICMP packet to which permit or deny action is applied.

Echo reply (0).

Unreachable (3).

Source quench (4).

Redirect (5).

Alternate address (6).

Echo request (8).

Router advertisement (9).

Router solicitation (10).

Time exceeded (11).

Parameter problem (12).

Timestamp reply (13).

Timestamp request (14).

Information request (15).

Information reply (16).

Mask request (17).

Mask reply (18).

Conversion error (31).

Mobile redirect (32).

All types.

Note We recommend that you permit unreachable message type 3.


Deleting an ICMP Rule


Step 1 Select Configuration > Device Settings > Firewall Device Administration > ICMP Interface Rules.

The ICMP Interface Rules page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.


Configuring AAA Admin Authentication

The AAA Admin Authentication feature allows you to enable AAA access to a firewall device. When AAA authentication is enabled, all administrative requests are authenticated against and authorized by the AAA server. Local Enable and Telnet passwords are ignored when AAA authentication is enabled. To access this feature, select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.

If you are not using a AAA authentication server to authenticate users, you must complete the Passwords page to define enable and Telnet passwords. See Configuring Passwords.


Note If you are using a AAA server for authentication, you must define a AAA server group before you enable this feature. To access the AAA server group, select Configuration > Building Blocks > AAA Server Group.


Applying AAA Admin Authentication

Before You Begin

Define a AAA server group. See Defining AAA Server Groups, page 10-31.

Configure the LOCAL database or the AAA server that you want to use for authentication. You must define a user profile with the commands that users are permitted to run, and you should test the authentication method before deploying a configuration. Failure to do so can result in a lockout condition.


Step 1 Select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.

The AAA Admin Authentication page appears.

Step 2 For each type of access, select the server group to use for AAA authentication. Disable, LOCAL, and any previously defined server groups are listed as options. To define a server group, see Defining AAA Server Groups, page 10-31.

Firewall MC generates the aaa authentication [serial | enable | telnet | ssh | http] console <server_tag> command for each type of access you specify. For information on the services that can be authenticated, see AAA Admin Authentication.


Caution Before you enable AAA authentication for access to a firewall device, make sure that you configured the LOCAL database or the AAA server to use for authentication. You must define a user profile with the commands that users are permitted to run, and you should test the authentication method before deploying a configuration that uses AAA authentication for device access. Failure to do so can result in a lockout condition.

If you lock yourself out of the firewall device and the aaa authentication http console <server_tag> command is not defined on the device, you can access the PIX Firewall using PIX Device Manager with no username and the PIX Firewall enable password. If the aaa commands are defined but the HTTP authentication requests time out, which suggests that the AAA servers may be down or not available, you can access the PIX Firewall using PIX Device Manager with the username pix and the enable password. By default, the enable password is not set.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-14 describes the elements on the AAA Admin Authentication page.

Table 8-14 AAA Admin Authentication 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Privilege Mode

Allows privileged (enable) mode access to the device using AAA authentication and a specified AAA Server Group.

Disabled—Default.

Local—Enable and Telnet passwords are used to authenticate instead of a AAA server.

All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

HTTP Console

Allows AAA authentication of HTTP console using a specified AAA Server Group. HTTP console is used to remotely connect to the device using HTTP (port 80) or HTTPS (port 443). This is the delivery mechanism that Firewall MC and PIX Device Manager use.

Disabled—Default.

Local—Enable and Telnet passwords are used to authenticate instead of a AAA server.

All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

Serial Connection

Allows AAA authentication of serial connections to the firewall device using a specified AAA Server Group.

Disabled—Default.

Local—Enable and Telnet passwords are used to authenticate instead of a AAA server.

All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

SSH Connection

Allows use of a specified AAA Server Group to authenticate SSH connections (port 22) to the device.

Disabled—Default.

Local—Enable and Telnet passwords are used to authenticate instead of a AAA server.

All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.

Telnet Connection

Allows use of a specified AAA Server Group to authenticate Telnet connections (port 23) to the device.

Disabled—Default.

Local—Enable and Telnet passwords are used to authenticate instead of a AAA server.

All identified AAA servers—Defined using Configuration > Building Blocks > AAA Server Groups.


Configuring User Accounts

The User Accounts feature allows you to add, modify, and delete local user accounts on a PIX Firewall or FWSM. The local user accounts are used for authenticating administrative access to the firewall device, for command authorization on the firewall device, and for authenticating traffic through the firewall device. To access this feature, select Configuration > Device Settings > Firewall Device Administration > User Accounts.


Note PIX Firewall software version 6.2 and current versions of the FWSM support using the local user database only for authenticating administrative access to the firewall and for command authorization on the firewall. PIX Firewall software versions 6.3 and later also allow you to use the local user database for authenticating traffic through the firewall device.


Adding Local User Accounts


Step 1 Select Configuration > Device Settings > Firewall Device Administration > User Accounts.

The User Accounts page appears.

Step 2 Click Add.

The Add User Information dialog box appears.

Step 3 Enter a 4- to 15-character name for the user account in the Username field. The name cannot contain spaces or the following characters: &, <, >, ", ~, ^, |.

Step 4 To specify a password for this user account, enter a 3- to 16-character password in the Password and Confirm Password fields. The password cannot contain spaces or the following characters: &, <, >, ", ~, ^, |.

Step 5 If this user account does not have a password associated with it, then select the No Password check box.

Step 6 Enter the privilege level for this user in the Privilege field. The privilege level, 0-15, corresponds to the commands the user is authorized to use. Users can enter any command assigned to their privilege level or to lower privilege levels.


Note If this user account is used to contact the firewall device, then we recommend setting the privilege level to 15 to ensure that all commands can be deployed to the device.


Step 7 Click OK.

The user account is created. Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-15 describes the elements on the User Accounts page and in the Add User Information dialog box.

Table 8-15 User Accounts 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Username

The name of the user. The username must be a string of 4 to 15 characters and cannot contain spaces or the following characters: &, <, >, ", ~, ^, |.

Password

The password for this user account. The password must be a string of 3 to 16 characters and cannot contain spaces or the following characters: &, <, >, ", ~, ^, |.

To create a user account without a password, you must select the No Password check box.

Confirm Password

Reenter the password for this user account.

No Password

Select this check box to indicate that this user account does not have a password associated with it.

Privilege Level

Privilege level of this user account. The privilege level, 0-15, corresponds to the commands the user is authorized to use. A user can enter any command assigned to their privilege level or to lower privilege levels. Use the privilege command to assign privilege levels to commands.


Editing Local User Accounts

You can change the password or privilege level for an existing local user account.


Note You cannot modify the username of an existing local user account. To change the name of a local user account, you should create a new user account, and then delete the old user account.



Step 1 Select Configuration > Device Settings > Firewall Device Administration > User Accounts.

The User Accounts page appears.

Step 2 Select the user account to edit and click Edit.

The Add User Information dialog box appears.


Note If you change the password of the user account used for contacting the firewall device, you must specify the new password on the Firewall Device Contact Info page after you deploy to the device.


Step 3 To specify a password, enter a 3- to 16-character password in the Password and Confirm Password fields. The password cannot contain spaces or the following characters: &, <, >, ", ~, ^, |.

Step 4 If this user account does not have a password associated with it, then select the No Password check box.

Step 5 To change the privilege level for this user, enter the new privilege level in the Privilege field. The privilege level, 0-15, corresponds to the commands the user is authorized to use. Users may enter any command assigned to their privilege level or to lower privilege levels.


Note If this user account is used to contact the firewall device, then we recommend setting the privilege level to 15 to ensure that all commands can be deployed to the device.


Step 6 Click OK.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Deleting Local User Accounts


Step 1 Select Configuration > Device Settings > Firewall Device Administration > User Accounts.

The User Accounts page appears.

Step 2 Select the user account that you want to delete, then click Delete.

The system displays a confirmation message.


Note If you delete the user, you must specify a different user on the Firewall Device Contact Info page before you can deploy to the device.


Step 3 To delete the user, click OK.

The user is deleted from the local user database. Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Configuring Console Timeout

The Console feature allows you to set the timeout value for any authenticated, enable mode, or configuration mode user session when accessing the firewall console through a serial cable. This timeout does not alter the Telnet or SSH timeouts; these access methods maintain their own timeout values. The default timeout is 0, which means the console will not time out. To access this feature, select Configuration > Device Settings > Firewall Device Administration > Console.

Setting the Console Timeout Value


Step 1 Select Configuration > Device Settings > Firewall Device Administration > Console.

The Console page appears.

Step 2 Enter the timeout value. Values are 0 to 60 minutes. The default timeout is 0, which means the console will not time out.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-16 describes the elements on the Console page.

Table 8-16 Console 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Timeout (minutes)

Number of minutes a console session can remain idle before the firewall device closes it. Values are 0-60 minutes. The default timeout is 0, which means the console will not time out.


Configuring Authentication Prompts

The Authentication Prompts feature allows you to change the AAA challenge text for HTTP, FTP, and Telnet access. This text is displayed above the username and password prompts that users see when logging in. To access this feature, select Configuration > Device Settings > Servers and Services > Authentication Prompts.


Note Microsoft Internet Explorer displays up to a 37-character authentication prompt.

Netscape Navigator displays up to a 120-character authentication prompt.

Telnet and FTP display up to a 235-character authentication prompt.



Step 1 Select Configuration > Device Settings > Servers and Services > Authentication Prompts.

The Authentication Prompt page appears.

Step 2 Select the Enable prompt check box, then enter the AAA challenge prompt string in the corresponding text box. The text can be up to 235 characters.


Note If you deselect the check box, the text string is saved but not used by the firewall device. This is true of all check boxes on this page.


Step 3 Select the Enable user-accepted message check box, then enter in the corresponding text box the message to display when user authentication by means of Telnet is accepted.

Step 4 Select the Enable user-rejected message check box, then enter in the corresponding text box the message to display when user authentication by means of Telnet is rejected.

Step 5 Click Apply.

Changes are applied to the firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-17 describes the elements on the Authentication Prompts page.

Table 8-17 Authentication Prompts 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable prompt check box and corresponding text field

When selected, displays the AAA challenge prompt string. When enabled, the setting is shown as true. The corresponding string field is controlled by the check box:

If check box selected, corresponding field is used to enter text string. String can be up to 235 characters.

If check box deselected, text string is saved but not used by firewall device.

Enable user-accepted message check box and corresponding text field

When selected, displays the prompt string when user authentication by means of Telnet is accepted. When enabled, the setting is shown as true. The corresponding string field is controlled by the check box:

If check box selected, corresponding field is used to enter text string.

If check box deselected, text string is saved but not used by firewall device.

Enable user-rejected message check box and corresponding text field

When selected, displays the prompt string when user authentication by means of Telnet is rejected. When enabled, the setting is shown as true. The corresponding string field is controlled by the check box:

If check box selected, corresponding field is used to enter text string.

If check box deselected, text string is saved but not used by firewall device.


Advanced Settings

Advanced settings are optional features that provide advanced processing or security features. This section includes the following topics:

Configuring IDS Policy

Configuring IDS Signatures

Configuring Anti-Spoofing

Configuring Fragments

Configuring TCP Options

Configuring Timeouts

Configuring Basic Fixups

Configuring Multimedia Fixups

Configuring Flood Guard

Configuring IDS Policy

The IDS Policy feature allows you to define Cisco Intrusion Detection System (IDS) policies. IDS policies instruct the firewall device to audit IP traffic going through the firewall. The firewall device looks for defined attack and informational signatures. For each IDS policy, you can instruct the firewall device to send an alarm (syslog), drop the offending packet, reset the offending connection, or a combination of the three. You can also enable your IDS policies selectively on one or more firewall device interfaces. To access this feature, select Configuration > Device Settings > Advanced Security > IDS Policy.

The firewall device audits IP traffic by checking the IP packets as they arrive at an interface. If a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures. The firewall device supports both inbound and outbound auditing.


Step 1 Select Configuration > Device Settings > Advanced Security > IDS Policy.

The IDS Policy page appears.

Step 2 Determine whether you want an alarm, drop, or reset for each of the policies listed, then select the appropriate check box or check boxes.

Alarm—Uses an IDS message to indicate a network exploit in progress or a potential security problem. When selected, a message is displayed.

Drop—Drops the offending packet.

Reset—Resets the TCP session in which the attack signature was detected. (Available for TCP-based attacks only.)

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-18 describes the elements on the IDS Policy page.

Table 8-18 IDS Policy 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Default info actions check boxes

Alarm check box—When selected, uses an IDS message to indicate a network exploit in progress or a potential security problem. When selected, displays message.

Drop check box—When selected, drops offending packet.

Reset check box—(Available for TCP-based attacks only). When selected, sensor resets TCP session in which the attack signature was detected.

Note If you are editing default info actions, an info action row is displayed for each interface defined at the current scope.

Default attack actions check boxes

Alarm check box—When selected, uses an IDS message to indicate a network exploit in progress or a potential security problem. When selected, displays message.

Drop check box—When selected, drops offending packet.

Reset check box—(Available for TCP-based attacks only). When selected, sensor resets TCP session in which the attack signature was detected.

Note If you are editing default attack actions, an attack action row is displayed for each interface defined at the current scope.

Interface <name> info actions check boxes

Each interface has an info action and an attack action expressed in the table. Interface names might vary, depending on names entered in Configuration > Device Settings > Interface.

See Default info actions for options and their descriptions.

Interface <name> attack actions check boxes

Each interface has an info action and an attack action expressed in the table. Interface names might vary, depending on names used in Configuration > Device Settings > Interface.

See Default attack actions for options and their descriptions.


Configuring IDS Signatures

The IDS Signatures feature allows you to select which sensor signatures the firewall device IDS will search for. Sensors use a signature-based intrusion detection technology to detect misuse of network resources. Sensors scan network packets for known attack signatures and take user-defined actions when they detect an attack. When a signature is enabled, the firewall device audits the appropriate traffic and logs a message or takes other action if that signature is found. To access this feature, select Configuration > Device Settings > Advanced Security > IDS Signatures.

Signature-based detection, on a basic level, can be compared with virus-checking programs. Cisco Systems produces a list of signatures that the sensor compares to activity on the network. When a match is found, the sensor takes an action, such as logging the event or sending an alarm.

Important Notes About IDS Signatures

Enabling or disabling IDS signatures is meaningful only if you enabled one or more IDS policies from the IDS Policy feature.

The firewall device checks the IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, then the same packet can trigger other signatures. PIX Firewall supports both inbound and outbound auditing.

For a list of supported IDS signatures, see the Cisco IDS Signatures home page on Cisco.com at: http://www.cisco.com/pcgi-bin/front.x/csec/idsHome.pl.


Note You must be a registered Cisco.com user to access the Cisco IDS Signatures home page.


Applying IDS Signatures


Step 1 Select Configuration > Device Settings > Advanced Security > IDS Signatures.

The IDS Signatures page appears.

Step 2 From the Enabled column, select the IDS signatures to disable, then click Disable => to move the selected IDS signatures to the Disabled column.


Note For definitions of signature types, see Cisco PIX Firewall System Log Messages, Version 6.2 on Cisco.com at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_book09186a008014638a.html.


Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-19 describes the elements on the IDS Signature page.

Table 8-19 IDS Signature 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enabled column [1]

Lists enabled signatures.

Disabled column

Lists disabled signatures.

Disable => button

Moves signature to the Disabled column.

<= Enable button

Moves signature to the Enabled column.

[1] For definitions of the various types of signatures, see Cisco PIX Firewall Version 6.1 System Log Messages on Cisco.com at http://www.cisco.com/pcgi-bin/front.x/csec/idsHome.pl.


Configuring Anti-Spoofing

The Anti-Spoofing feature allows you to use network filtering to specify which interfaces to protect from an IP spoofing attack. To access this feature, select Configuration > Device Settings > Advanced Security > Anti-Spoofing.

This feature provides Unicast RPF (Reverse Path Forwarding) functionality for the firewall device. It is disabled by default. Because of the danger of IP spoofing in the IP protocol, measures must be taken to reduce this risk. Unicast RPF, or reverse route lookups, prevents manipulation under certain circumstances. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. It does not screen outbound packets. For more information on anti-spoofing, see RFC 2267.


Caution Before you use this feature, add static routes for every network that can be accessed on the interfaces. Enable this feature only if routing is fully specified. Otherwise, the firewall device will stop traffic on the interface you specify.
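
The reverse route lookup described above, as an added example that is not Firewall MC or PIX code: a small model that accepts a packet only when the route back to its source leaves through the interface it arrived on. The routes, interface names and addresses are constructed, and the case with no matching route shows why the caution about fully specified routing matters.

```python
"""Unicast RPF (reverse route lookup) as the Anti-Spoofing page describes it.

Added example, not Firewall MC or PIX code: a minimal model of the check a
firewall applies to packets arriving on an interface. The routes, interface
names and addresses are constructed for illustration.
"""
import ipaddress

# Constructed static routes: (destination network, interface the route exits on).
# The page's caution applies here too: every network reachable through an
# interface needs a route, otherwise its traffic fails the check and is dropped.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),
    (ipaddress.ip_network("192.168.5.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),   # default route
]

# Interfaces with anti-spoofing enabled; the outside interface is on by default.
URPF_ENABLED = {"outside": True, "inside": True, "dmz": False}


def best_route_interface(src, routes=ROUTES):
    """Longest-prefix match: the interface a packet *to* src would be sent out of."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_accept(ingress_iface, src, routes=ROUTES, enabled=URPF_ENABLED):
    """True if the packet passes the reverse-path check on its ingress interface.

    The packet is accepted only when the route back to its source address
    leaves through the interface it arrived on. No matching route means drop,
    which is the failure mode the page's caution warns about. The check is
    input-only: nothing is done for packets leaving an interface.
    """
    if not enabled.get(ingress_iface, False):
        return True                     # feature disabled on this interface
    return best_route_interface(src, routes) == ingress_iface


def check_packets(packets, routes=ROUTES, enabled=URPF_ENABLED):
    """Evaluate constructed (ingress interface, source IP) pairs; return verdicts."""
    return [(iface, src, urpf_accept(iface, src, routes, enabled))
            for iface, src in packets]


if __name__ == "__main__":
    # Constructed sample traffic. The third packet claims an inside source while
    # arriving on the outside interface: the spoofing case this feature targets.
    for iface, src, ok in check_packets([
        ("inside", "10.1.2.3"),
        ("outside", "203.0.113.9"),
        ("outside", "10.1.2.3"),
        ("dmz", "10.1.2.3"),
    ]):
        print(f"{iface:8} src={src:15} {'accept' if ok else 'drop'}")
```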

Applying Anti-Spoofing


Step 1 Select Configuration > Device Settings > Advanced Security > Anti-spoofing.

The Anti-spoofing page appears.

Step 2 Do one of the following:

To enable anti-spoofing for the inside interface, select the appropriate check box. Anti-spoofing is enabled on the outside interface by default.

To disable anti-spoofing on the outside interface, deselect the check box.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-20 describes the elements on the Anti-Spoofing page.

Table 8-20 Anti-Spoofing 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable anti-spoofing inside and outside check boxes

When selected, enables anti-spoofing on that interface for your device. The number and labels of rows depend on interfaces defined at the current scope. When enabled, set to true. Default setting is enabled on outside interface.

Note To disable anti-spoofing, deselect the check box. When disabled, set to false.


Configuring Fragments

The Fragments feature allows you to configure the IP fragment database for each firewall device interface. It provides additional packet-fragmentation management and improves compatibility with a Network File System (NFS) to allow remote file access across a network. To access this feature, select Configuration > Device Settings > Advanced Security > Fragment.

Adding or Editing a Fragment


Step 1 Select Configuration > Device Settings > Advanced Security > Fragment.

The Fragment page appears.

Step 2 Do one of the following:

To add a row, click Add.

The Edit Fragment dialog box appears.

To edit a row, select the check box for the row, then click Edit.

The Edit Fragment dialog box appears.

Step 3 Select the interface name. The list displays all interfaces defined at the current scope.

Step 4 Verify the maximum number of packets allowed in the fragment database. Default is 200.

Step 5 Verify the maximum number of elements allowed in the fragment set. Default is 24.

Step 6 Verify the timeout value, which is the maximum number of seconds to assemble a fragment set. Default is 5.

Step 7 Verify the information is correct, then click OK.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-21 describes the elements on the Fragment page.

Table 8-21 Fragment 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface Name

Logical name of the interface to which these fragment settings apply.

Note If you are using a wizard, a list displays all interfaces defined at the current scope.

Size

Maximum number of packets in fragment database. Default is 200.

Chain Length

Maximum number of elements allowed in fragment set. Default is 24.

Timeout

Maximum number of seconds allowed to assemble a fragment set. Default is 5.
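
The three limits above (Size, Chain Length, Timeout) as an added example that is not Firewall MC or PIX code: a model of one interface's fragment database that buffers fragments per set, discards a set that exceeds the chain length or the timeout, and refuses new fragments when the database is full. The fragment records are constructed; the limits default to the page's values.

```python
"""Model of the per-interface IP fragment database the Fragment page configures.

Added example, not Firewall MC or PIX code. The three limits are the page's
defaults: Size 200 (fragments held per interface), Chain Length 24 (fragments
per set) and Timeout 5 seconds (time allowed to finish a set). The fragment
records fed to it are constructed; a set is identified, as in IP, by source,
destination, protocol and IP identification.
"""
from dataclasses import dataclass, field


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int
    offset: int     # byte offset of this fragment's payload in the original datagram
    length: int     # payload bytes carried by this fragment
    more: bool      # IP "more fragments" flag

    @property
    def set_key(self):
        return (self.src, self.dst, self.proto, self.ip_id)


@dataclass
class FragmentSet:
    first_seen: float
    fragments: dict = field(default_factory=dict)   # offset -> Fragment


class FragmentDatabase:
    def __init__(self, size=200, chain=24, timeout=5.0):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.sets = {}

    def held(self):
        """Fragments currently buffered on this interface (counted against Size)."""
        return sum(len(s.fragments) for s in self.sets.values())

    def expire(self, now):
        """Discard sets that did not complete within Timeout; return how many."""
        stale = [k for k, s in self.sets.items() if now - s.first_seen > self.timeout]
        for k in stale:
            del self.sets[k]
        return len(stale)

    def add(self, frag, now):
        """Process one arriving fragment: 'complete', 'pending' or 'drop'."""
        self.expire(now)
        key = frag.set_key
        fs = self.sets.get(key)
        if fs is None:
            if self.held() >= self.size:
                return "drop"                 # database full: Size limit
            fs = self.sets[key] = FragmentSet(first_seen=now)
        if frag.offset not in fs.fragments:
            if len(fs.fragments) >= self.chain:
                del self.sets[key]            # set too long: Chain Length limit
                return "drop"
            if self.held() >= self.size:
                return "drop"                 # database full: Size limit
        fs.fragments[frag.offset] = frag
        if self._complete(fs):
            del self.sets[key]                # reassembled: release its slots
            return "complete"
        return "pending"

    @staticmethod
    def _complete(fs):
        """Complete when fragments run contiguously from offset 0 to one with more=False."""
        expected = 0
        for off in sorted(fs.fragments):
            if off != expected:
                return False                  # hole: still waiting for a fragment
            frag = fs.fragments[off]
            expected = off + frag.length
            if not frag.more:
                return True
        return False
```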


Deleting a Fragment


Step 1 Select Configuration > Device Settings > Advanced Security > Fragment.

The Fragment table appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.


Configuring TCP Options

The TCP Options feature allows you to set various parameters for TCP connections. To access this feature, select Configuration > Device Settings > Advanced Security > TCP Options.

Applying TCP Options


Step 1 Select Configuration > Device Settings > Advanced Security > TCP Options.

The TCP Options page appears.

Step 2 Select the Force maximum segment size check box to enforce a maximum segment size for all TCP sessions through a firewall device, then enter the size in bytes in the corresponding text box. This setting ensures that a TCP session does not fragment.

Step 3 Select the Force TCP connection to linger in TIME_WAIT state at least 15 seconds check box to force a firewall device to retain its TCP connection information and state for at least 15 seconds after a normal TCP close-down is seen. This helps to ensure that both sides of a TCP session receive close-down packets.

Step 4 Select the Reset inbound check box to send TCP resets (instead of dropping the packets) for all TCP sessions that:

Arrive at the outside interface.

Try to transit to a firewall device.

Are denied by a firewall device based on access rules.

If you deselect the check box, the firewall device discards packets of all such sessions.

Step 5 Select the Reset outbound check box to send TCP resets for all TCP sessions that:

Arrive at the outside interface.

End at the outside interface.

Are denied by a firewall device based on access rules.

If you deselect the check box, the firewall device discards packets of all such sessions.

Step 6 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-22 describes the elements on the TCP Options page.

Table 8-22 TCP Options 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Force maximum segment size check box (bytes)

When selected, enforces maximum segment size (MSS) for all TCP sessions through firewall device. Used primarily to ensure that TCP session does not fragment. If MSS exceeds maximum, firewall device rewrites MSS within TCP packet to maximum specified.

Force TCP connection to linger in TIME_WAIT state at least 15 seconds check box

When selected, forces firewall device to retain its TCP connection information and state for at least 15 seconds after normal TCP close-down is seen. Helps to ensure that both sides of TCP session receive close-down packets.

Reset inbound check box

When selected, sends TCP resets for all TCP sessions that:

Arrive at outside interface.

Attempt to transit firewall device.

Are denied by firewall device based on access rules.

When deselected, firewall device discards packets of all such sessions.

Reset outbound check box

When selected, sends TCP resets for all TCP sessions that:

Arrive at outside interface.

End at outside interface.

Are denied by firewall device based on access rules.

When deselected, firewall device discards packets of all such sessions.
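
The MSS rewrite described for the Force maximum segment size option, as an added example that is not Firewall MC or PIX code: a byte-level model that walks the option list of a TCP SYN header and lowers an MSS option that exceeds the configured maximum. The sample header is constructed and the 1380 byte maximum is an illustrative value, not a documented default; a real device also recomputes the TCP checksum after the rewrite, which this model leaves out.

```python
"""MSS enforcement as the TCP Options page describes it: if a SYN carries an
MSS option larger than the configured maximum, the firewall rewrites the option
to that maximum so the session does not fragment.

Added example, not Firewall MC or PIX code. The header is constructed and the
maximum used in the demo is illustrative. Checksum recomputation is omitted.
"""
import struct

MSS_KIND, NOP, EOL = 2, 1, 0


def build_syn_header(src_port, dst_port, mss):
    """Construct a minimal TCP SYN header (no payload) carrying an MSS option."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + bytes([NOP, NOP, EOL, EOL])
    data_offset = (20 + len(options)) // 4           # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH",
                        src_port, dst_port, 0, 0,    # ports, seq, ack
                        data_offset << 4, 0x02,      # data offset, flags = SYN
                        65535, 0, 0)                 # window, checksum, urgent
    return fixed + options


def iter_options(header):
    """Yield (position, kind, length) for each option in the TCP header.

    Parsing stops at End-of-Option-List and at any option whose length field
    would run past the header, so a malformed option list cannot be misread.
    """
    hlen = (header[12] >> 4) * 4
    pos = 20
    while pos < hlen:
        kind = header[pos]
        if kind == EOL:
            return
        if kind == NOP:
            yield pos, kind, 1
            pos += 1
            continue
        if pos + 1 >= hlen:
            return                      # truncated option
        length = header[pos + 1]
        if length < 2 or pos + length > hlen:
            return                      # malformed length
        yield pos, kind, length
        pos += length


def clamp_mss(header, max_mss):
    """Return (possibly rewritten header, MSS found or None).

    Only a SYN negotiates MSS, so non-SYN segments and headers without an MSS
    option are returned unchanged. An MSS above max_mss is rewritten in place.
    """
    header = bytearray(header)
    if not header[13] & 0x02:           # SYN flag clear: nothing to enforce
        return bytes(header), None
    for pos, kind, length in iter_options(header):
        if kind == MSS_KIND and length == 4:
            (mss,) = struct.unpack_from("!H", header, pos + 2)
            if mss > max_mss:
                struct.pack_into("!H", header, pos + 2, max_mss)
            return bytes(header), mss
    return bytes(header), None


if __name__ == "__main__":
    syn = build_syn_header(40000, 80, 1460)          # constructed client SYN
    rewritten, original = clamp_mss(syn, 1380)
    print(f"MSS on the wire: {original}, after enforcement: {clamp_mss(rewritten, 1380)[1]}")
```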


Configuring Timeouts

The Timeout feature allows you to set the maximum idle time for use with the firewall device. All times are displayed in the format hh:mm:ss. To access this feature, select Configuration > Device Settings > Advanced Security > Timeouts.

Applying Timeouts


Step 1 Select Configuration > Device Settings > Advanced Security > Timeouts.

The Timeouts page appears.

Step 2 Verify the timeout values for the protocols listed. (See Table 8-23.) Timeout values are displayed in the format hh:mm:ss.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-23 describes the elements on the Timeouts page.


Note Timeout values are displayed in the format hh:mm:ss.


Table 8-23 Timeouts 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Connection

Changes idle time to wait for a connection slot to be freed. Enter 00:00:00 [1] to disable timeout. Duration must be at least 5 minutes. Default is 1 hour.

Half-closed

Changes idle time to wait for a TCP half-closed connection to close. Enter 00:00:00 [1] to disable timeout. Minimum is 5 minutes. Default is 10 minutes.

H.323

Changes idle time to wait for an H.323 service connection to close. Enter 00:00:00 [1] to disable timeout. Duration must be at least 5 minutes. Default is 5 minutes.

SIP

Changes idle time to wait for a SIP signaling port connection to close. Enter 00:00:00 [1] to disable timeout. Default is 30 minutes.

SIP Media

Changes idle time to wait for a SIP media port connection to close. Enter 00:00:00 [1] to disable timeout. Default is 2 minutes.

Authorization Absolute

Changes length of time until authentication and authorization cache times out and you must reauthenticate a new connection. Length of time must be shorter than Translation Slot value. System waits to reprompt you until you start a new connection, such as clicking link in browser. Enter 00:00:00 to disable caching.

Note Do not set this value to zero if passive FTP is used on the connections.

Authorization Inactivity (0 is inactive)

Changes idle time until authentication and authorization cache times out and you have to reauthenticate a new connection. Duration must be shorter than Translation Slot value.

Translation Slot

Changes idle time to wait for a translation slot to be freed. Duration must be at least 1 minute. Default is 3 hours.

UDP

Changes idle time to wait until UDP connection closes. Duration must be at least 1 minute. Default is 2 minutes.

RPC

Changes idle time to wait for an RPC slot to be freed. Enter 00:00:00 [1] to disable timeout. Duration must be at least 1 minute. Default is 10 minutes.

H.225

Idle time after which H.225 signaling closes. Default is 1 hour.

Timeout value of 00:00:00 [1] means never tear down H.225 signaling.

Timeout value of 00:00:01 [1] disables timer and closes TCP connection immediately after all calls are cleared.

MGCP

Sets length of time for Media Gateway Control Protocol (MGCP) inactivity timer. Default is 5 minutes.

ICMP

Changes idle time to wait for an ICMP connection to close. Enter 00:00:00 [1] to disable timeout. Default is 2 seconds.

[1] 00:00:00 = hh:mm:ss.


Configuring Basic Fixups

The Fixups feature is an informational list of services, protocols, and port numbers to which a firewall device applies the Adaptive Security Algorithm (ASA). The default ports or those you specify are the ports at which the firewall device listens for each service. To access this feature, select Configuration > Device Settings > Advanced Security > Basic Fixups.

The default configuration of the firewall device includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required. The inspection function does not support NAT or PAT for certain applications because of the constraints imposed by the applications. You can change the port assignments for some applications, but other applications have fixed port assignments that you cannot change.

Applying Basic Fixups


Step 1 Select Configuration > Device Settings > Advanced Security > Basic Fixups.

The Basic Fixups page appears.

Step 2 Select the check boxes for the fixup protocols to enable, then enter the ports or port ranges in the corresponding text field where needed. See Table 8-24.

In each Fixup row you select, you can enter a list of ports or port ranges to fix up using comma-separated values or spaces.

For each check box you select, you must identify a port value.

To disable a fixup protocol, deselect the corresponding check box. Firewall MC generates a no fixup protocol <protocol> command in the generated configuration file.


Note Other fixups exist, but the Protocol and Fixup Port Range table displays only those that can be changed.


Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-24 describes the elements on the Basic Fixups page.


Note In each Fixup row (unless specified), you can enter a list of ports or port ranges to fix up using CSVs (lists) or dashes (ranges). Spaces are not valid when you define ranges.

For each check box you select, you must identify a port value.

To disable a fixup protocol, deselect the corresponding check box. Firewall MC then generates a no fixup protocol <protocol> command in the generated configuration file.

Other fixups exist, but the Protocol and Fixup Port Range table displays only those that can be changed.

Some fixups are enabled by default; others are disabled. You can navigate to the global scope to determine default settings for each fixup.


Table 8-24 Basic Fixups 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

HTTP

Enables HTTP. Default is port 80. Enabled by default.

FTP

Enables FTP. Firewall device looks into payload of FTP control channel and applies ASA. You can specify ports at which the firewall device listens for FTP traffic. Default is port 21. Enabled by default.

If default port is changed, all FTP clients must use the same port to send data, and FTP control connections on port 21 no longer work.

Note If you disable FTP fixup, internal users can FTP to external servers only in passive mode.

FTP (strict)

Enables FTP (strict). Prevents browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. Disabled by default.

RSH

Enables firewall device to look into payload of RSH traffic and apply ASA. You can specify port at which the firewall device listens for RSH traffic. Default is port 514. Enabled by default.

Note The default port cannot be changed, but additional port statements can be added.

SMTP

Enables firewall device to look into payload of SMTP traffic and apply ASA. Default is port 25. Enabled by default.

Note SMTP fixup, which allows you to permit people or hosts on the outside to access your mail server, enables the Mail Guard feature, which limits mail servers to the HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT commands. All other commands are rejected.

SQLNet

When selected, enables firewall device to look into payload of SQL*Net traffic and apply ASA. Default is port 1521. Enabled by default.

Note Port 1521 is the default port that Oracle uses for SQL*Net; however, this value does not agree with IANA port assignments.

PPTP

Point-to-Point Tunneling Protocol. When selected, enables PPTP application inspection. Default is port 1723. Disabled by default.

TFTP

PIX Firewall software version 6.3(2) introduced application inspection for Trivial File Transfer Protocol (TFTP). To enable this feature, select the TFTP check box, and then enter the port number. You also can enter a range of numbers to apply TFTP application inspection to a range of port numbers.

The PIX Firewall inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server with the fixup protocol tftp command. Specifically, the fixup inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).

A dynamic secondary channel and a PAT translation, if necessary, are allocated on a reception of a valid read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file transfer or error notification.

Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete secondary channel can exist between the TFTP client and server. An error notification from the server closes the secondary channel.

DNS (Packet Length)

Use the DNS (Packet Length) option to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. This functionality is called DNS Guard. The port assignment for the Domain Name System (DNS) is not configurable.

To enable this feature, select the DNS (Packet Length) check box, and then enter the maximum length for the DNS fixup. The value must be from 512 to 65535 bytes. The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. A syslog message is generated when a DNS packet is dropped.

ESP-IKE

Encapsulating Security Payload. Enables PAT for ESP, single tunnel. No port is required. Disabled by default.

ICMP Error

When selected, uses the error ICMP message type instead of a range of ports. Enables NAT of ICMP error. Disabled by default.
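
The DNS Guard behaviour from the DNS (Packet Length) row, as an added example that is not Firewall MC or PIX code: a stateful model that drops and logs oversized datagrams to UDP port 53, tears the connection for a query down as soon as its reply is seen, and leaves other UDP traffic to the idle timeout. Packets, addresses and log text are constructed; the 2 minute UDP timeout is the default from the Timeouts page, and matching a reply to its query by DNS transaction ID is this model's assumption.

```python
"""DNS Guard as the DNS (Packet Length) row describes it: DNS packets sent to
UDP port 53 above the configured maximum are dropped and logged, and the UDP
connection for a query is torn down as soon as its reply arrives instead of
waiting for the generic UDP idle timeout.

Added example, not Firewall MC or PIX code. Packets, addresses and the log text
are constructed; the UDP idle timeout is the Timeouts page default; matching a
reply to its query by DNS transaction ID is this model's assumption.
"""
import struct

DNS_PORT = 53
UDP_IDLE_TIMEOUT = 120.0        # seconds; page default for UDP


class DnsGuard:
    def __init__(self, max_dns_length=512):
        if not 512 <= max_dns_length <= 65535:     # range the page allows
            raise ValueError("DNS maximum length must be 512..65535 bytes")
        self.max_dns_length = max_dns_length
        self.conns = {}      # (src, sport, dst, dport) -> (last_seen, dns_id or None)
        self.log = []        # constructed syslog-style messages

    def expire(self, now):
        """Generic UDP handling: forget connections idle longer than the timeout."""
        for key, (last_seen, _) in list(self.conns.items()):
            if now - last_seen > UDP_IDLE_TIMEOUT:
                del self.conns[key]

    def handle(self, src, sport, dst, dport, payload, now):
        """Process one UDP datagram: 'drop', 'closed', 'open' or 'pass'."""
        self.expire(now)
        if dport == DNS_PORT and len(payload) > self.max_dns_length:
            self.log.append(f"DNS packet from {src} to {dst} dropped: "
                            f"{len(payload)} bytes exceeds {self.max_dns_length}")
            return "drop"
        reverse = (dst, dport, src, sport)
        if sport == DNS_PORT and reverse in self.conns:
            _, query_id = self.conns[reverse]
            if len(payload) >= 2 and struct.unpack("!H", payload[:2])[0] == query_id:
                # Reply to an outstanding query: tear the connection down now
                # rather than letting it sit until the UDP idle timeout.
                del self.conns[reverse]
                return "closed"
        key = (src, sport, dst, dport)
        is_new = key not in self.conns
        dns_id = None
        if dport == DNS_PORT and len(payload) >= 2:
            dns_id = struct.unpack("!H", payload[:2])[0]   # remember the query ID
        self.conns[key] = (now, dns_id)
        return "open" if is_new else "pass"


if __name__ == "__main__":
    guard = DnsGuard(512)
    query = struct.pack("!H", 0x1234) + b"\x01\x00" + b"\x00" * 40     # constructed
    reply = struct.pack("!H", 0x1234) + b"\x81\x80" + b"\x00" * 60     # constructed
    print(guard.handle("10.1.1.5", 40000, "203.0.113.53", 53, query, 0.0))
    print(guard.handle("10.1.1.5", 40001, "203.0.113.53", 53, b"\x00" * 600, 1.0))
    print(guard.handle("203.0.113.53", 53, "10.1.1.5", 40000, reply, 2.0))
    print(guard.log, len(guard.conns))
```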


Configuring Multimedia Fixups

The Fixups feature is an informational list of services, protocols, and port numbers to which a firewall device applies the Adaptive Security Algorithm (ASA). The default ports or those you specify are the ports at which the firewall device listens for each service. To access this feature, select Configuration > Device Settings > Advanced Security > Multimedia Fixups.

The default configuration of the firewall device includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required. The inspection function does not support NAT or PAT for certain applications because of the constraints imposed by the applications. You can change the port assignments for some applications, while other applications have fixed port assignments that you cannot change.

Applying Multimedia Fixups


Step 1 Select Configuration > Device Settings > Advanced Security > Multimedia Fixups.

The Multimedia Fixups page appears.

Step 2 Select the check boxes for the fixup protocols to enable, then enter the ports or port ranges in the corresponding text field where needed. See Table 8-25.

For each fixup row selected, you can enter a list of ports or port ranges to fix up using comma-separated values or spaces.

For each check box selected, a port value must be identified.

To disable a fixup protocol, deselect the corresponding check box. Firewall MC generates a no fixup protocol <protocol> command in the generated configuration file.


Note Other fixups exist, but only those that can be changed are displayed in the Protocol and Fixup Port Range table.


Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 8-25 describes the elements on the Multimedia Fixups page.


Note In each Fixup row (unless specified), you can enter a list of ports or port ranges to fix up using CSVs (lists) or dashes (ranges). Spaces are not valid when you define ranges.

For each check box you select, you must identify a port value.

To disable a fixup protocol, deselect the corresponding check box. Firewall MC then generates a no fixup protocol <protocol> command in the generated configuration file.

Other fixups exist, but only those that can be changed are displayed in the Protocol and Fixup Port Range table.

Some fixups are enabled by default; others are disabled. You can navigate to the global scope to determine default settings for each fixup.


Table 8-25 Multimedia Fixups 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

H.323 H225

When selected, enables firewall device to look into payload of H.323 signal channels and apply ASA. Default is port 1720. Enabled by default.

Note H.323 is a suite of protocols defined by ITU for multimedia conferences over LANs. H.323 also supports VoIP gateways and gatekeepers. Firewall device supports H.323 version 2. H.323 FixUp feature provides support for Intel InternetPhone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and MS NetMeeting.

H.323 RAS

When selected, enhances the existing H.323 and Session Initiation Protocol (SIP) fixups to support Port Address Translation (PAT). Enables the firewall device to replace the embedded IP/port in the H.323/SIP message with the correct PAT. Additionally, the fixup opens up the correct media connections negotiated during signaling. Default ports are 1718 and 1719. Enabled by default.

Note Registration, admission, and status (RAS) is a signaling protocol that performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.

ILS

Internet Locator Service. When selected, enables NAT support for ILS messages as used by MS NetMeeting, SiteServer, and Active Directory products that use LDAP to exchange directory information with an ILS server. Default is port 389. Enabled by default.

RTSP

Real Time Streaming Protocol. Enables the firewall device to look into payload of RTSP signal channel and apply ASA. You can specify ports at which PIX Firewall listens for RTSP traffic. Default is port 554. Enabled by default.

Note RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. PIX Firewall does not support multicast RTSP.

SIP

Session Initiation Protocol. Enables the firewall device to look into payload of SIP signal channel and apply ASA. You can specify the port at which firewall device listens for SIP traffic. Default is port 5060. The default port cannot be changed. Enabled by default.

Note Firewall devices use SIP to support Voice over IP (VoIP) gateways and VoIP proxy servers.

SIP UDP

Enables SIP on UDP. Operates on port 5060 only. Enabled by default.

Skinny

Skinny Client Control Protocol (SCCP). Known as skinny. Enables SCCP application inspection. SCCP protocol supports IP telephony and can coexist in an H.323 environment. An application layer ensures that all SCCP signaling and media packets can traverse the PIX Firewall and operate with H.323 terminals. Default is port 2000. Enabled by default.

CTIQBE

Computer Telephony Interface Quick Buffer Encoding. Enables CTIQBE fixup. Used with Cisco TAPI/JTAPI applications. Disabled by default.

MGCP

Media Gateway Control Protocol. Enables MGCP. Disabled by default.


Configuring Flood Guard

The Flood Guard feature lets you reclaim firewall device resources if the user-authentication subsystem runs out of resources. If an inbound or outbound user-authentication connection is being attacked or overused, the firewall device actively reclaims TCP user resources. To access this feature, select Configuration > Device Settings > Advanced Security > Flood Guard.

Enabling Flood Guard


Step 1 Select Configuration > Device Settings > Advanced Security > Flood Guard.

The Flood Guard page appears.

Step 2 Select the Enable Flood Guard check box.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to firewall devices at deployment.


Table 8-26 describes the elements on the Flood Guard page.

Table 8-26 Flood Guard 

Element
Description

Inherit settings check box

When selected, the subgroup or device inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable Flood Guard check box

When selected, enables flood guard. Value is set to true.