Table Of Contents
Defining Firewall Devices and Identifying Supporting Servers
Populating Firewall MC with Firewall Devices
Important Notes About Importing Devices
Importing PIX Firewalls That Use Conduit and Outbound Commands
Populating Firewall MC Using the Import From File Methods
Creating Firewall Devices by Defining the Basics
Discovering Settings from a Firewall
Handling Unsupported Commands
Understanding Import Messages
Managing Devices
Renaming a Device
Moving a Device
Deleting a Device
Identifying Supporting Devices
Configuring URL Filter Servers
Configuring a DHCP Server
Configuring DHCP Relay Servers
Editing DHCP Relay Agents
Configuring TFTP Servers
Representing Auto Update Servers
Defining Firewall Devices and Identifying Supporting Servers
In Firewall MC, you can portray two types of devices:
•
Firewall devices—devices for which you are defining network policies.
•
Supporting servers—used by the firewall devices to enforce network policy. The supporting servers define network objects referenced in rule definitions or network devices about which the firewall devices must know to conduct normal network operations, such as user authentication and obtaining address leases.
Different techniques for defining firewall devices and supporting servers are described. Topics to be discussed are:
•
Populating Firewall MC with Firewall Devices
•
Managing Devices
•
Identifying Supporting Devices
Populating Firewall MC with Firewall Devices
To represent a firewall device to be managed by Firewall MC, use the import feature to either manually define the contact and configuration settings for a device, import the current settings directly from a device, import a saved configuration file, or import contact information for one or more devices from a .csv file so that Firewall MC can connect to each of them. To access this feature, select Devices > Importing Devices.
The Importing Devices feature allows you to add new devices and configuration files to the system. Wizards guide you with your selections.
Table 7-1 shows the methods used to populate Firewall MC with firewall devices.
Table 7-1 Methods Used to Populate Firewall MC with Firewall Devices
Element | Description
Create a firewall device | Allows you to add a single device. Note: To add a created device to Firewall MC successfully, you must bootstrap the device before you deploy to it.
Import configuration from a device | Allows you to manually provide device credentials that allow the Firewall MC server to "talk" directly to a device to retrieve configuration information. This option specifies that you want Firewall MC to connect to and discover the settings on a firewall device. Note: You can import from a device only once. If you need to reimport configuration information, you must delete the device, then reimport it.
Import multiple configurations from devices defined in a CSV file | Allows the Firewall MC server to "talk" directly to multiple devices specified in a CSV file to retrieve configuration information.
Import configuration file for a device | Allows you to import a configuration file for a single device.
Import configuration files for multiple devices | Allows you to import multiple configuration files from a single directory. Each file contains configuration information for a single device.
Important Notes About Importing Devices
•
When you import configuration files for devices, make sure the imported file references a software version at the beginning of the file. If version information is not included, the import will fail. Version syntax information can be represented as either of the following:
:! PIX Version 6.n(n) (a colon immediately followed by an exclamation mark)
or
PIX Version 6.n(n)
When the file is deployed, it always uses the first format listed, which the firewall device can safely ignore as a comment.
•
Firewall MC imports and generates only configuration files with ACLs. Conduits and outbound lists are not supported. Therefore, you must use the conversion tool on configurations with conduits and outbound lists before importing them into Firewall MC. See Importing PIX Firewalls That Use Conduit and Outbound Commands.
•
When you import existing object groups, the following exceptions exist:
–
Only those object groups that are referenced by an ACL and that are bound to an interface are reverse generated as a building block in Firewall MC. These rules include firewall, NAT 0, dynamic and static NAT, and IPSec tunnel rules.
–
Object groups that are not referenced by an ACL are discarded.
–
Object groups that are referenced by an ACL but not bound to an interface are placed in the Ending Commands.
–
Some commands that can reference object groups cannot be bound to an interface. In this case, the referenced object groups might not be reverse generated. Therefore, you must manually define such object groups under Building Blocks, and the names you define must match the names referenced by the commands.
•
If Firewall MC imports a configuration file that contains an unknown command, the default setting of Firewall MC results in an error. To receive a warning instead, change the setting by selecting Configuration > MC Settings > Management. If the warning setting is used, unknown commands are placed in the Ending Commands. To view ending commands, select Configuration > Device Settings > Config Additions > Ending Commands.
•
When you create a device, Firewall MC does not prohibit you from adding devices with the same name to different groups. If you are deploying to a file, the deployed filename is Hostname.cfg. If you have more than one device with the same name being deployed to a file in a single directory, one overrides the other.
•
Use alphanumeric (U.S. English) characters to define the hostname. You can also use the following characters: ' ( ) + - . , / : = ?
•
Before you can successfully add a created device to Firewall MC, you must bootstrap the device. See "Preparing Your Firewall Devices."
•
Devices can be listed only once in the configuration hierarchy.
•
When you define a device group name, the name must be different from that of the enclosing group.
•
Device groups contained within a single enclosing group must have different names.
•
To retain changes made to a firewall device configuration by a means other than Firewall MC, you can delete the device, then reimport it; however, doing so results in the need to redefine device name, group, and hierarchy information.
For example, you created the device My Device, whose scope is Global > Group1 > SubGroupA > My Device. You defined the following building blocks at the device scope:
Network Object Inside Nets = (10.0.0.0/8, 11.0.0.0/8, 12.0.0.0/8)
Network Object Outside Nets = (20.0.0.0/8, 21.0.0.0/8, 22.0.0.0/8)
Service Group My Services = (tcp, udp)
You defined an access rule at the device scope using the building blocks just defined:
Source = Inside Nets, Destination = Outside Nets, Interface = inside, Service = My Services, permit
This rule will expand to become 18 rules in the actual configuration file that will deploy to My Device. If you deploy these changes, then delete and reimport the device, the names and values for the building blocks are lost, but the rules remain (see the line items that follow).
Src, Dest, Interface, Service, Permit/Deny
10.0.0.0/8, 20.0.0.0/8, inside, tcp, permit
10.0.0.0/8, 20.0.0.0/8, inside, udp, permit
11.0.0.0/8, 20.0.0.0/8, inside, tcp, permit
11.0.0.0/8, 20.0.0.0/8, inside, udp, permit
12.0.0.0/8, 20.0.0.0/8, inside, tcp, permit
12.0.0.0/8, 20.0.0.0/8, inside, udp, permit
10.0.0.0/8, 21.0.0.0/8, inside, tcp, permit
10.0.0.0/8, 21.0.0.0/8, inside, udp, permit
11.0.0.0/8, 21.0.0.0/8, inside, tcp, permit
11.0.0.0/8, 21.0.0.0/8, inside, udp, permit
12.0.0.0/8, 21.0.0.0/8, inside, tcp, permit
12.0.0.0/8, 21.0.0.0/8, inside, udp, permit
10.0.0.0/8, 22.0.0.0/8, inside, tcp, permit
10.0.0.0/8, 22.0.0.0/8, inside, udp, permit
11.0.0.0/8, 22.0.0.0/8, inside, tcp, permit
11.0.0.0/8, 22.0.0.0/8, inside, udp, permit
12.0.0.0/8, 22.0.0.0/8, inside, tcp, permit
12.0.0.0/8, 22.0.0.0/8, inside, udp, permit
Settings are also affected when you reimport a device. For example, for My Device, setting A was set at the Global scope, setting B was set at Group 1 (Global > Group 1), and setting C was set at SubGroup A (Global > Group 1 > SubGroup A). If you delete, then reimport My Device, settings A, B, and C will come from the device scope (Global > Group 1 > SubGroup A > My Device). Settings previously resulting from the configuration hierarchy are lost.
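As an added example (not part of the Firewall MC documentation), the following Python script expands the My Device building blocks above into the flat access-list lines that would be deployed, in the same order as the 18-row table; after a delete-and-reimport, only these flat lines survive. The ACL name inside_access_in and the access-group binding are assumptions.

```python
import ipaddress
from itertools import product

# Building blocks from the My Device example (names and members are the page's own).
NETWORK_OBJECTS = {
    "Inside Nets": ["10.0.0.0/8", "11.0.0.0/8", "12.0.0.0/8"],
    "Outside Nets": ["20.0.0.0/8", "21.0.0.0/8", "22.0.0.0/8"],
}
SERVICE_GROUPS = {"My Services": ["tcp", "udp"]}


def pix_net(cidr):
    """Render a prefix in PIX 6.x 'address mask' notation (the PIX CLI does not accept /n)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def expand_rule(source, destination, interface, service, action, acl_name=None):
    """Expand one building-block rule into the flat access-list lines that reach the device.

    Iteration order (destination, then source, then service) reproduces the 18-row table.
    acl_name defaults to an assumed '<interface>_access_in' naming convention.
    """
    acl_name = acl_name or f"{interface}_access_in"
    lines = []
    for dst, src, svc in product(NETWORK_OBJECTS[destination],
                                 NETWORK_OBJECTS[source],
                                 SERVICE_GROUPS[service]):
        lines.append(f"access-list {acl_name} {action} {svc} {pix_net(src)} {pix_net(dst)}")
    return lines


def deploy_fragment(source, destination, interface, service, action):
    """Access-list lines plus the access-group that binds them to the interface."""
    acl_name = f"{interface}_access_in"
    lines = expand_rule(source, destination, interface, service, action, acl_name)
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


if __name__ == "__main__":
    for line in deploy_fragment("Inside Nets", "Outside Nets", "inside", "My Services", "permit"):
        print(line)
```

Counting the distinct source and destination prefixes in the expanded output is the only way to recover the groupings after a reimport, which is why the page recommends re-creating the building blocks by hand.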
Importing PIX Firewalls That Use Conduit and Outbound Commands
Firewall MC uses access rules and access-control lists (ACLs) to define network security policies. ACLs describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both.
Other tools that define security policies are conduits and outbound lists. Currently Firewall MC does not support conduits and outbound lists. As a result, you must convert configurations that use conduits and outbound lists to ACLs.
If you try to import such a configuration file, the import fails with an error message, and you must convert the file to the ACL-based form that Firewall MC accepts. A command-line conversion tool is available for this purpose: it reads the configuration file named on the command line and writes the converted configuration to standard output.
The conversion tool does not try to resolve conflicts between ACL entries generated from conduits and those generated from outbound commands. It simply places the outbound-generated entries first in the output file. If an entry covers all traffic, the conversion tool omits the entry. At the end of every ACL, the conversion tool places an entry to deny all traffic. This complies with the security policy to deny everything unless it is specifically permitted.
Note
The latest version of the conversion tool can be downloaded from cisco.com at: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix.
Converting Conduits
A conduit is an exception to the PIX Firewall Adaptive Security mechanism. It permits connections from one network interface to access hosts on another.
Note
Conduit commands apply to all but the inside interface.
The conversion tool checks for overlaps between the global address of the conduit and each of the following:
•
Global address in static commands on the interface.
•
Pool addresses in global commands on the interface.
•
Local address in NAT 0's on higher security-level interfaces.
•
Interface address.
If no overlaps apply, the conversion tool does not create an ACL entry for the conduit on that particular interface.
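The order reversal that the conversion performs is easy to get wrong by hand, so the following Python snippet is added here as an illustration (it is not Cisco's occ.exe and is not from the page). A conduit names the global (destination) address first and the foreign (source) address second, whereas an access-list entry names source then destination; the snippet swaps them and appends the trailing deny-all entry described above. It does not implement the overlap checks against static, global, nat 0 and interface addresses, assumes the conduits apply to the outside interface, names the ACL outside_access_in, and drops ICMP types; all of those are simplifications, and the sample conduits are constructed.

```python
# Constructed sample conduits (PIX 6.x syntax); not from the page.
SAMPLE_CONDUITS = """\
conduit permit tcp host 192.0.2.10 eq www any
conduit permit tcp host 192.0.2.10 eq 443 any
conduit permit icmp any any
conduit deny tcp host 192.0.2.11 eq 23 any
"""


def take_endpoint(tok):
    """Consume 'any' | 'host A' | 'A M' followed by an optional port operator.

    Returns (address_text, port_text, remaining_tokens).
    """
    if tok[0] == "any":
        addr, tok = "any", tok[1:]
    elif tok[0] == "host":
        addr, tok = f"host {tok[1]}", tok[2:]
    else:
        addr, tok = f"{tok[0]} {tok[1]}", tok[2:]
    port = ""
    if tok and tok[0] in ("eq", "lt", "gt", "neq"):
        port, tok = f" {tok[0]} {tok[1]}", tok[2:]
    elif tok and tok[0] == "range":
        port, tok = f" range {tok[1]} {tok[2]}", tok[3:]
    return addr, port, tok


def convert_conduits(text, acl_name="outside_access_in"):
    """Translate conduit lines into access-list lines, source first, then append deny-all."""
    acl = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "conduit":
            continue  # a real converter passes non-conduit lines through unchanged
        action, proto = tok[1], tok[2]
        global_addr, global_port, rest = take_endpoint(tok[3:])   # destination side
        foreign_addr, foreign_port, _ = take_endpoint(rest)       # source side
        acl.append(f"access-list {acl_name} {action} {proto} "
                   f"{foreign_addr}{foreign_port} {global_addr}{global_port}")
    # Explicit deny-everything-else, as the conversion tool places at the end of every ACL.
    acl.append(f"access-list {acl_name} deny ip any any")
    return acl


if __name__ == "__main__":
    for line in convert_conduits(SAMPLE_CONDUITS):
        print(line)
    print("access-group outside_access_in in interface outside")
```

Review the generated entries line by line before importing, especially on firewalls with more than two interfaces: a conduit that was implicitly scoped by the overlap rules above becomes an unconditional ACL entry in this simplified translation.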
Converting Outbound Lists
An outbound list is based on the source IP address, the destination IP address, and the destination port or protocol, as specified by the access rules. Outbound lists control Internet use by specifying:
•
Whether inside users can create outbound connections.
•
Whether inside users can access specific outside servers.
•
What services are available to inside users for outbound connections and for accessing outside servers.
The conversion tool uses the following rules to determine which outbound command applies to a given packet. An outbound command with a wider address mask is considered a better match, regardless of the service. If the address masks are equal, a more specific service is the better match.
Important Notes Regarding Specific Service
•
Specific service types are recognized as a descending list (from the most specific to the least specific):
–
Single port on a transport protocol.
–
Range of ports on a transport protocol.
–
Wider range of ports on a transport protocol.
–
All ports on a transport protocol.
–
All IP traffic.
•
If two outbound commands are identical, a permit action is a better match than a deny action.
•
If two outbound commands are identical, the order in which they appear in the configuration determines the better match.
•
If two outbound commands have the same list ID, the one appearing first is the better match.
•
If two outbound commands have different list IDs, the one with the list ID matching the apply command that appears second is the better match.
Using the PIX Outbound/Conduit Conversion Tool
The following procedure assumes you have tried to import filename PIX510A but received an error message stating that the import failed. You must convert the file PIX510A using the PIX Outbound/Conduit Conversion tool (occ.exe).
Caution 
Use caution when converting configurations using conduit and outbound commands for PIX Firewalls that have more than two interfaces. Automatic conversion could result in unwanted access from a perimeter (DMZ) interface to a lower security interface.
Note
You can convert only one file at a time.
Step 1
Open a command prompt window.
Step 2
Change the directory path to the path where you extracted the Conversion tool.
Step 3
Enter the following command, substituting filenames shown with actual filenames, then press Enter.
Step 4
Wait a few seconds for the conversion to finish. When it is finished, the converted file is ready for import.
Note
Although you can convert only one file at a time, you can import multiple configuration files after you have converted all necessary files.
Populating Firewall MC Using the Import From File Methods
Firewall MC allows you to import device configurations in two different ways:
•
Import whole configuration files for a single device or for multiple devices. See Importing Configuration Files.
•
Import device contact information used to connect to a device before importing the configuration. See Importing Multiple Firewall Configurations from a CSV File.
Importing Configuration Files
Firewall MC allows you to import configuration files for a single device or for multiple devices.
Before You Begin
•
If you import a firewall device with the same hostname as a device already in Firewall MC, Firewall MC overwrites the existing device with the new device information. Make sure the name of a device being imported is not already being used by Firewall MC.
•
Make sure information in the configuration file is valid.
•
Firewall MC does not support the use of command abbreviations. Always use full-length syntax for a command.
•
If you do not specify the firewall device hostname in the configuration file you are importing, Firewall MC uses the configuration file name instead. If a hostname is specified, you might see both the filename and the hostname in status messages, but Firewall MC uses the hostname when naming the device. To avoid confusion, make sure that the filename for each configuration matches the hostname specified in the configuration file.
–
For PIX Firewall 6.2 and earlier, the device name can be up to 16 alphanumeric (U.S. English) characters.
–
For PIX Firewall 6.3 and later, the device name can be up to 63 alphanumeric (U.S. English) characters and can include any of the following special characters: ` ( ) + - , . / : =.
•
Make sure the version of the operating system is shown in the configuration file being imported.
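Several of the checks in the Important Notes and in this Before You Begin list can be run against a configuration file before you hand it to the import wizard. The following Python linter is an added example (not part of Firewall MC) that flags the conditions the page says will make an import fail or rename the device: a missing PIX Version line near the top of the file, a version outside the supported 6.0(x) to 6.3(x) range, conduit, outbound and apply commands that need the conversion tool, and a hostname that exceeds the 16- or 63-character limit or uses characters outside the set listed above. The sample configurations are constructed, the choice to look for the version line within the first five non-empty lines is an assumption, and the character set used is the PIX 6.3 list from this section.

```python
import re

# Version line in either accepted form, e.g. 'PIX Version 6.3(3)' or ':! PIX Version 6.3(3)'.
VERSION_RE = re.compile(r"^(?::!\s*)?PIX Version (\d+)\.(\d+)")
# Alphanumeric plus the special characters the page allows for PIX 6.3 and later.
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9`()+,./:=\-]+$")
# Commands Firewall MC will not import unconverted.
BLOCKING = ("conduit ", "outbound ", "apply ")
SUPPORTED = ((6, 0), (6, 3))


def lint_pix_config(text, lookahead=5):
    """Return a list of problems found in a PIX configuration; an empty list means it is worth importing."""
    problems = []
    lines = [line.rstrip() for line in text.splitlines()]

    version = None
    for line in [l for l in lines if l.strip()][:lookahead]:
        m = VERSION_RE.match(line)
        if m:
            version = (int(m.group(1)), int(m.group(2)))
            break
    if version is None:
        problems.append("error: no 'PIX Version' line near the top of the file; the import will fail")
    elif not SUPPORTED[0] <= version <= SUPPORTED[1]:
        problems.append(f"error: PIX Version {version[0]}.{version[1]} is outside the supported 6.0(x)-6.3(x) range")

    hostname = next((l[len("hostname "):].strip() for l in lines if l.startswith("hostname ")), None)
    if not hostname:
        problems.append("warning: no hostname command; Firewall MC will name the device after the file")
    else:
        limit = 63 if version is not None and version >= (6, 3) else 16
        if len(hostname) > limit:
            problems.append(f"error: hostname '{hostname}' is longer than {limit} characters")
        if not HOSTNAME_OK.match(hostname):
            problems.append(f"error: hostname '{hostname}' contains characters Firewall MC does not accept")

    for n, line in enumerate(lines, 1):
        if line.startswith(BLOCKING):
            problems.append(f"error: line {n}: '{line.split()[0]}' is not supported; run the conduit/outbound conversion tool first")
    return problems


# Constructed sample configurations (not from the page).
GOOD_CONFIG = """\
: Saved
:
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix-510-a
access-list outside_access_in permit tcp any host 192.0.2.10 eq www
access-group outside_access_in in interface outside
"""

BAD_CONFIG = """\
PIX Version 6.2(2)
hostname this-hostname-is-too-long
conduit permit tcp host 192.0.2.10 eq www any
outbound 1 deny 0 0 0
apply (inside) 1 outgoing_src
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_pix_config(cfg) or ["ok"])
```

The linter cannot detect abbreviated commands, so expand those by hand (or by saving the running configuration from the device, which always writes full-length syntax) before importing.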
Step 1
Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2
Click Import.
The Select Target Group page appears.
Step 3
Select the group in which you want the firewall devices to reside.
Tip
If you did not define a group but want to do so, select Devices > Managing Groups.
Step 4
Click Next.
The Select Entry Type page appears.
Step 5
To import multiple configuration files for multiple devices, go to Step 6.
To import a configuration file for a single device:
a.
Select Import configuration file for a device.
b.
Click Next.
The Enter Config File page appears.
Note
The asterisk in the GUI means optional; however, we recommend that you enter contact information if the Firewall MC will deploy directly to the device.
c.
Enter the name of the configuration file to import. The file is located in the import directory. You can click Browse to navigate to the location.
d.
Enter the contact IP address, which is the address Firewall MC uses to contact a firewall device using HTTPS. This is generally a firewall's interface address, but it might be different because of address translation between the Firewall MC server and the firewall.
e.
Enter the enable password for the firewall device, or enter the user name and password to use for AAA authentication. Go to Step 7.
Step 6
To import multiple configuration files for multiple devices:
a.
Select Import configuration files for multiple devices.
b.
Click Next.
The Enter Config File Directory Information page appears.
c.
Enter the name of the directory in the field provided. The directory must include at least one configuration file ending in .cfg. You can click Browse to navigate to the location.
Step 7
Click Next.
The wizard summary page appears.
Step 8
Verify the information, then click Finish.
A new window displays a table of devices.
Note
We recommend that you verify the output before importing the configuration file.
Table 7-2 describes the elements on the Enter Config File page.
Table 7-2 Enter Config File
Element | Description
Config File Name | Name of the configuration file to import.
Browse | Allows you to navigate to the file location.
Contact IP Address | Optional IP address Firewall MC uses to contact a firewall device using HTTPS. Generally a firewall's interface address, but it might be different because of address translation between the Firewall MC server and the firewall. Note: You should have specified this IP address for the inside interface during bootstrapping. The inside interface is the one for which you used the setup command to automatically enable HTTP access.
Contact User Name | Optional username that is needed only if the firewall device is configured to authenticate using an AAA server. If no AAA server is used, leave the field blank. This name can be up to 63 alphanumeric (U.S. English) characters.
Password | Enable password for the firewall device: the AAA server password if AAA authentication is used on the target device, or the local enable password if no AAA server is used. Note: The enable password is used if Firewall MC will be talking directly with the device.
Table 7-3 describes the elements on the Enter Config File Directory page.
Table 7-3 Enter Config File Directory
Element | Description
Config Directory | Name of the directory in which the configuration files for import reside. The default is ..\CSCOpx\MDC\PIXMC\import
Browse | Allows you to navigate to the location.
Importing Multiple Firewall Configurations from a CSV File
This import method allows you to import devices in bulk based on device credentials in a comma-separated values (CSV) file. The default import directories are:
•
For Windows 2000: c:\Program Files\CSCOpx\MDC\PIXMC\import
•
For Solaris: /opt/CSCOpx/MDC/PIXMC/import
Note
If you changed the import directory from the default location, imported devices are added to the new location.
If Resource Manager Essentials (Essentials) is installed on your system, you can export device information from Essentials using a CSV file. Alternatively, you can create a CSV file with device credentials.
The CSV format has one table of data with several columns. A CSV-formatted import file must contain each device's full name or IP address, read-only community string, and passwords. Other information is optional. You can omit empty trailing columns and the separating commas.
The CSV format provides the following device information:
•
Value 1 - Device name (include domain unless your site uses DNS) or IP address in dotted decimal notation (required).
•
Value 2 - Read-only (RO) community string.
•
Value 3 - Read-write (RW) community string.
•
Value 4 - Serial number.
•
Value 5 - User Field 1.
•
Value 6 - User Field 2.
•
Value 7 - User Field 3.
•
Value 8 - User Field 4.
•
Value 9 - Telnet password (required for PIX Firewall and when using Telnet access method).
•
Value 10 - Enable password (required if not using AAA authentication).
•
Value 11 - Enable secret.
•
Value 12 - TACACS+ user (required for TACACS+ authorization).
•
Value 13 - TACACS+ password (required for TACACS+ authorization).
•
Value 14 - TACACS+ enable user.
•
Value 15 - TACACS+ enable password.
•
Value 16 - Local user (required for local authorization).
•
Value 17 - Local password (required for local authorization).
•
Value 18 - RCP user.
•
Value 19 - RCP password. Not used by Firewall MC; leave blank.
Consider the following example of a CSV-formatted table (Table 7-4). The read-write community string column is the third value in the format above.
Table 7-4 Sample CSV Format Table
Full device name or IP address | Read-only community string | Read-write community string | Serial Number | User Field 1 | User Fields 2 through 4 | Telnet Password | Enable Password
192.168.1.1 | public | private | (blank) | comment (shown as "note 1" in the example) | (blank) | (blank) | cisco
You can write CSV information as shown in the following example:
192.168.1.1,public,private,,note 1,,,,,cisco
Note
•
If a column, such as a user field, contains a comma, you must begin and end the column with double quotation marks, for example, "note,1".
•
If a column must include a double quotation mark, you must use two double quotation marks together inside a quoted column, for example, "note with ""double quotes"" in it".
•
You can use a semicolon at the beginning of a line to designate the line as a comment.
•
You can omit trailing empty columns, including the comma field delimiters.
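The quoting, comment and trailing-column rules above are the ones a reader is most likely to get wrong when building the file by hand, so the following Python snippet is added as an example (it is not Firewall MC code) that parses a credentials file with exactly those rules, maps each row onto the 19 positional values listed above, and checks the two requirements the list states unconditionally: a device name or address in value 1, and an enable password in value 10 unless a TACACS+ user is supplied. The sample file is constructed; its first data row is the page's own example line, and the field names used for the columns are this example's own.

```python
import csv

# Positional meaning of the 19 CSV values, in the order the page lists them.
FIELDS = [
    "device", "ro_community", "rw_community", "serial",
    "user1", "user2", "user3", "user4",
    "telnet_password", "enable_password", "enable_secret",
    "tacacs_user", "tacacs_password", "tacacs_enable_user", "tacacs_enable_password",
    "local_user", "local_password", "rcp_user", "rcp_password",
]

# Constructed sample import file (not from the page); the first data row is the page's example line.
SAMPLE_CSV = '''\
; devices managed from the lab Firewall MC server
192.168.1.1,public,private,,note 1,,,,,cisco
192.168.1.2,public,private,SN-0001,"note, with comma","note with ""double quotes"" in it",,,telnet1,enable1
'''


def parse_import_csv(text):
    """Parse the CSV text into one dict per device row.

    Lines beginning with ';' are comments, blank lines are skipped, trailing empty
    columns may be omitted, and quoting follows the rules in the note above.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        values = next(csv.reader([line]))  # handles "a, b" and doubled "" quotes
        if len(values) > len(FIELDS):
            raise ValueError(f"line {lineno}: {len(values)} values, but at most {len(FIELDS)} are defined")
        values += [""] * (len(FIELDS) - len(values))  # fill omitted trailing columns
        rows.append(dict(zip(FIELDS, values)))
    return rows


def validate_rows(rows):
    """Return a list of problems for the requirements the page states unconditionally."""
    problems = []
    for i, row in enumerate(rows, 1):
        if not row["device"]:
            problems.append(f"row {i}: device name or IP address (value 1) is required")
        if not row["enable_password"] and not row["tacacs_user"]:
            problems.append(f"row {i}: enable password (value 10) is required unless TACACS+ authentication is used")
    return problems


if __name__ == "__main__":
    parsed = parse_import_csv(SAMPLE_CSV)
    for row in parsed:
        print(row["device"], "enable password set:", bool(row["enable_password"]))
    print(validate_rows(parsed) or "no problems")
```

Because every row carries device credentials in clear text, keep the file in the import directory only as long as the import takes, restrict its permissions to the Firewall MC service account, and do not leave copies in home directories or version control.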
Step 1
Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2
Click Import.
The Select Target Group page appears.
Step 3
Select the group in which you want the imported devices to reside.
Tip
If you did not define a group but want to do so, select Devices > Managing Groups.
Step 4
Click Next.
The Select Entry Type page appears.
Step 5
Click Import multiple firewall configurations from a CSV file.
Step 6
Click Next.
The Enter CSV File page appears.
Step 7
Enter the CSV filename in the field provided. You can click Browse to navigate to the filename location. Only one CSV file can be specified at a time.
Step 8
Click Next.
The wizard summary page appears.
Step 9
Verify the information, then click Finish.
A new window displays a table of devices.
Table 7-5 describes the elements on the Enter CSV File page.
Table 7-5 Enter CSV File
Element
|
Description
|
CSV Filename
|
Name of file containing device credentials in a comma-separated values (CSV) file.
|
Browse
|
Allows you to navigate to the file location.
|
Creating Firewall Devices by Defining the Basics
When you create a firewall device, you identify a hardware device and add it to Firewall MC.
Tip
After you create a device, you must define a minimum set of device-specific settings before you can generate commands. At a minimum, you must define the settings for the interfaces installed in the device. To configure these settings, select Configuration > Device Settings > Interfaces.
Step 1
Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2
Click Import.
The Select Target Group page appears.
Step 3
Select the group in which the imported device should reside.
Tip
If you have not defined a group but want to do so, select Devices > Managing Groups.
Step 4
Click Next.
The Select Entry Type page appears.
Step 5
Select Create Firewall Device.
Step 6
Click Next.
The Define Firewall Device Basic Info page appears.
Note
The asterisk in the GUI means the field is optional; however, we recommend that you enter contact information if Firewall MC will deploy directly to the device.
Step 7
Enter a device name to help you differentiate among devices (for example, PIX-510-A).
Step 8
Enter a username only if the firewall device is configured to authenticate to a AAA server. If no AAA server is used, leave the Contact Username field blank.
Step 9
Enter the IP address Firewall MC should use to contact the firewall device using HTTPS.
This address is generally the firewall interface address, but it might be different due to address translation between the Firewall MC server and the firewall.
Step 10
Enter the enable password. You use the enable password if Firewall MC should communicate directly with a device. Use one of the following:
•
AAA server password if AAA authentication is used on the target firewall device.
•
Local enable password if no AAA server is used.
Step 11
If you are adding a PIX Firewall, click Supported Firewall OS Version, then select the version of the operating system that will be used to generate commands for that device.
If you are adding an FWSM:
a.
Click Supported FWSM OS Version, then select the OS version from the list that will be used to generate commands for that device.
b.
If you selected FWSM version 2.x, determine the configuration mode information, then select the appropriate radio buttons.
–
Single context mode—Only one firewall context exists, so the FWSM blade behaves as a single firewall device. Context management is therefore not a factor.
–
Multiple context mode—Multiple virtually independent firewall contexts exist. Multiple contexts are equivalent to having multiple standalone firewalls. Contexts are conveniently contained within a single card.
You can create up to 250 separate security contexts (depending on your software license). Multiple context mode information is not shown as part of the configuration. As a result, no information is displayed if you use the show run command.
–
Routed firewall—Layer 3 IP interfaces are used, and the firewall sits between different networks. Also known as L3 Mode. When the FWSM is in routed mode, it acts as a Layer 3 firewall and is considered a router hop in the network. It performs network address translation (NAT) between connected networks, and can use Open Shortest Path First (OSPF) or passive Routing Information Protocol (RIP) in single context mode.
–
Transparent firewall—VLAN-based Layer 2 interfaces are used, and the firewall sits within a single subnet. Also known as L2 Mode. When the FWSM is in transparent mode, it acts as a Layer 2 firewall, a "bump in the wire" rather than a router hop. The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN. No dynamic routing protocols or NAT are required. Transparent mode information is not shown as part of the configuration. As a result, no information is displayed if you use the show run command.
Note
You must run all security contexts in either routed mode or transparent mode; you cannot run some contexts in one mode and others in another.
Step 12
Click Next.
The wizard summary page appears.
Step 13
Verify the information, then click Finish.
You are returned to the Importing Devices table, with the new device listed in the table Import Task column.
Table 7-6 describes the elements on the Define Firewall Device Basic Info page.
Table 7-6 Define Firewall Device Basic Info
Element | Description
Firewall Information
Firewall Device Name | User-defined device name to help you differentiate among devices, for example, PIX-510-A. Note: We recommend that you use a unique hostname for each device you create. This keeps files from being overwritten during deployment. For PIX Firewall 6.2 and earlier, the device name can be up to 16 alphanumeric (U.S. English) characters. For PIX Firewall 6.3 and later, the device name can be up to 63 alphanumeric (U.S. English) characters and can include any of the following special characters: ` ( ) + - , . / : =.
Contact User Name | Optional username that is needed only if the firewall device is configured to authenticate using an AAA server. If no AAA server is used, leave the field blank. This name can be up to 63 alphanumeric (U.S. English) characters.
Contact IP Address | Optional IP address Firewall MC uses to contact a firewall device using HTTPS. Generally a firewall's interface address, but it might be different because of address translation between the Firewall MC server and the firewall. Note: You should have specified this IP address for the inside interface during bootstrapping. The inside interface is the one for which you automatically enabled HTTP access using the setup command.
Password | Enable password for the firewall device: the AAA server password if AAA authentication is used on the target device, or the local enable password if no AAA server is used. Note: The enable password is used if Firewall MC will be talking directly with the device.
Firewall OS Version
Supported Firewall OS Version list | List of available OS versions. The selected version is used by Firewall MC to generate commands that support PIX Firewalls.
Supported FWSM OS Version list | List of available OS versions. The selected version is used by Firewall MC to generate commands that support FWSMs.
Security Context | Single: only one firewall context exists, so the FWSM blade behaves as a single firewall device, and context management is not a factor. Multiple: multiple independent virtual firewall contexts exist, equivalent to having multiple standalone firewalls contained within a single card. In multiple context mode, you can create up to 250 separate security contexts (depending on your software license). Multiple context mode information is not shown as part of the configuration, so no information is displayed if you use the show run command. Note: Switching between single mode and multiple mode is not supported.
Mode | Configuration modes. Routed: Layer 3 IP interfaces are used, and the firewall sits between different networks (also referred to as L3 Mode). The FWSM is considered a router hop in the network; it performs network address translation (NAT) between connected networks, and can use Open Shortest Path First (OSPF) or passive Routing Information Protocol (RIP) in single context mode. Transparent: VLAN-based Layer 2 interfaces are used, and the firewall sits within a single subnet (also referred to as L2 Mode). The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN. No dynamic routing protocols or NAT are required. Transparent mode information is not shown as part of the configuration, so no information is displayed if you use the show run command.
Discovering Settings from a Firewall
This feature allows you to contact the device directly when discovering the settings.
Step 1
Select Devices > Importing Devices.
The Importing Devices page appears.
Step 2
Click Import.
The Select Target Group page appears.
Step 3
Select the group in which you want the imported device to reside.
Tip
If you have not defined a group but want to do so, select Devices > Managing Groups.
Step 4
Click Next.
The Select Entry Type page appears.
Step 5
Click Import configuration from device.
Step 6
Click Next.
The Define Firewall Device Contact Info page appears.
Step 7
Enter the contact IP address, which is the address Firewall MC uses to contact a firewall device using HTTPS. This is generally a firewall's interface address, but it might be different due to address translation between the Firewall MC server and the firewall.
Note
You should have specified this IP address for the inside interface during bootstrapping. The inside interface is the one for which you automatically enabled HTTP access using the setup command.
Step 8
Enter the enable password for the firewall device.
Step 9
Click Next.
The wizard summary page appears.
Step 10
Verify the information, then click Finish.
A new window displays a table of devices.
Table 7-7 describes the elements on the Define Firewall Device Contact Info page.
Table 7-7 Define Firewall Device Contact Info
Element | Description
Contact IP Address | IP address Firewall MC uses to contact the firewall device using HTTPS. Generally a firewall's interface address, but it might be different because of address translation between the Firewall MC server and the firewall. Note: You should have specified this IP address for the inside interface during bootstrapping. The inside interface is the one for which you automatically enabled HTTP access using the setup command.
Contact User Name | Optional username that is needed only if the firewall device is configured to authenticate using an AAA server. If no AAA server is used, leave the field blank. This name can be up to 63 alphanumeric (U.S. English) characters.
Password | Enable password for the firewall device, one of the following: the AAA server password if AAA authentication is used on the target device, or the local enable password if no AAA server is used. Note: The enable password is used because Firewall MC talks directly with the device in this import method.
Handling Unsupported Commands
Firewall MC supports PIX Firewall software versions 6.0(x) through 6.3(x); however, not all commands are fully supported in this release. As a result, specific commands or combinations of commands in a device configuration file can prevent you from importing and deploying jobs.
Firewall MC command support is categorized as follows:
•
Supported—Firewall MC fully supports this command. It can import and deploy a configuration with this command.
•
Unsupported—Firewall MC does not support the command. Based on the value of the Action on Unknown commands setting (which you can locate by selecting Configuration > MC Settings > Management), Firewall MC either generates an error or places the command in the ending commands. To view ending commands, select Configuration > Device Settings > Config Additions > Ending Commands.
•
Error—Commands in this category can interact unpredictably with Firewall MC features that might be configured in a user interface. If a command in this category appears in a configuration during import or deployment to a device, Firewall MC generates errors, and the import fails.
•
Ignored—Commands in this category do not interact with features configured in the Firewall MC user interface. These commands are copied verbatim during import as an ending command.
•
Discarded—Commands in this category are discarded upon import.
•
Deprecated—Commands in this category are supported in beginning and ending commands, but can result in overlapping commands with unexpected results. These commands have been outdated by newer CLI constructs and might become obsolete in future versions of CLI. We recommend that you not use deprecated commands.
A complete list of commands in each category can be found in Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.3.
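The following Python script is an added example and not part of Firewall MC or this guide. It walks a PIX configuration line by line, assigns each command to one of the categories above, and applies the Action on Unknown commands setting the way the text describes, so you can predict whether an import will complete before you run it. The category table and the sample configuration are constructed for illustration only; the real per-command lists are in the Supported Devices, OS Versions and Commands document.

```python
"""Pre-import check that mirrors Firewall MC's command categories.

Added example; not Firewall MC code. The category assignments below are
constructed for illustration. The real per-command lists are in the
"Supported Devices, OS Versions and Commands" document.
"""

SUPPORTED = "supported"
UNSUPPORTED = "unsupported"
ERROR = "error"
IGNORED = "ignored"
DISCARDED = "discarded"
DEPRECATED = "deprecated"

# Constructed map from a command's leading keyword(s) to its category.
CATEGORIES = {
    "nameif": SUPPORTED,
    "interface": SUPPORTED,
    "ip address": SUPPORTED,
    "access-list": SUPPORTED,
    "access-group": SUPPORTED,
    "nat": SUPPORTED,
    "global": SUPPORTED,
    "static": SUPPORTED,
    "url-server": SUPPORTED,
    "dhcpd": SUPPORTED,
    "conduit": DEPRECATED,
    "outbound": DEPRECATED,
    "apply": DEPRECATED,
    "banner": IGNORED,
    "hostname": DISCARDED,
    "names": DISCARDED,
    "pdm": ERROR,        # illustrative only
}


def categorize(line, categories=CATEGORIES):
    """Return the category for one configuration line.

    The longest matching keyword wins, so "ip address" is matched before
    a shorter key could. Anything not in the map is "unsupported".
    """
    for key in sorted(categories, key=len, reverse=True):
        if line == key or line.startswith(key + " "):
            return categories[key]
    return UNSUPPORTED


def check_import(config_text, action_on_unknown="ending", categories=CATEGORIES):
    """Simulate what Firewall MC does with each line of an imported config.

    action_on_unknown models the "Action on Unknown commands" setting:
    "error" makes any unsupported command fail the import; "ending"
    appends it to the Ending Commands block instead.
    result["status"] is "Completed" or "Failed to import".
    """
    result = {"supported": [], "ending_commands": [], "discarded": [],
              "warnings": [], "errors": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue  # comments and the ": Saved" header carry no policy
        cat = categorize(line, categories)
        if cat == SUPPORTED:
            result["supported"].append(line)
        elif cat == ERROR:
            result["errors"].append(f"error-category command: {line}")
        elif cat == IGNORED:
            result["ending_commands"].append(line)  # copied verbatim
        elif cat == DISCARDED:
            result["discarded"].append(line)
        elif cat == DEPRECATED:
            result["supported"].append(line)
            result["warnings"].append(
                f"deprecated command, may overlap with GUI-defined rules: {line}")
        elif action_on_unknown == "error":
            result["errors"].append(f"unsupported command: {line}")
        else:
            result["ending_commands"].append(line)
    result["status"] = "Failed to import" if result["errors"] else "Completed"
    return result


# Constructed sample configuration; not taken from a real device.
SAMPLE_CONFIG = """\
: Saved
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.10.1.1 255.255.255.0
hostname pix-branch-1
access-list inbound permit tcp any host 192.0.2.10 eq www
access-group inbound in interface outside
conduit permit tcp host 192.0.2.11 eq smtp any
banner motd Authorized use only
floodguard enable
"""

if __name__ == "__main__":
    for action in ("ending", "error"):
        r = check_import(SAMPLE_CONFIG, action_on_unknown=action)
        print(action, r["status"], r["errors"], r["ending_commands"])
```

Run it once with each value of action_on_unknown: with "ending" the unknown floodguard line lands in the ending commands and the import completes; with "error" the same line fails the import, which is what the MC Settings choice means in practice.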
Understanding Import Messages
The import status popup window displays information about device imports. The window is refreshed automatically every 60 seconds; however, you can click Refresh to update the import status manually. If the import is successful, "Completed" is displayed in the Status column. If the import is unsuccessful, the message "Failed to import" is displayed.
After the import status is displayed in the Status column, you can select a device in the table, then click View Imported Config. A new window opens with the configuration file displayed.
Close the window after you view the contents, then close the import status popup window. You are returned to the Import Devices table, which shows the imported device information. Click Refresh to display the updated status.
Table 7-8 shows import status messages.
Table 7-8 Import Status Messages
Initializing: Import tasks are being initialized.
Importing: Devices are being imported.
Completed: Import is successful.
Failed to import: An error occurred during import and the import has failed.
Canceled: Import was canceled by the user.
Managing Devices
The Managing Devices feature allows you to modify or delete existing devices, as well as move them to different groups. To access this feature, select Devices > Managing Devices.
Topics to be discussed are:
•
Renaming a Device
•
Moving a Device
•
Deleting a Device
Table 7-9 describes the elements on the Managing Devices page.
Table 7-9 Managing Devices
All tab (default): Displays all devices and groups in the hierarchy.
Selection tab: Highlights selected devices.
Group and subgroup check boxes: Act as a filter, letting you select specific groups or subgroups under the All tab for viewing under the Selection tab.
Firewall device name: Enter a name that helps you differentiate among devices.
Edit button: Lets you change the firewall device name and description.
Delete button: Removes the selected firewall device from a group or folder.
View button: Lets you review the logical name that you have defined for the firewall device.
Move button: Moves the selected firewall device to a different group folder.
Renaming a Device
You can rename a previously defined firewall device that you have represented in Firewall MC. This name is a logical name used only within Firewall MC; it does not have to match the hostname configured on the firewall device.
Step 1
Select Devices > Managing Devices.
The Managing Devices page appears.
Step 2
Select the device to edit.
Note
You can edit only one device at a time.
Step 3
Click Edit.
The Edit Firewall Device Identity page appears.
Step 4
Enter a name that will help you differentiate among devices in the Firewall Device Name field.
Step 5
Click Next.
The wizard summary page appears.
Step 6
Verify the information, then click Finish.
You are returned to the Managing Devices page with new device information displayed.
Moving a Device
You can move firewall devices from one group to another. This feature is useful for staging incremental rollouts of global policy changes that are defined at the group level or simply for moving the device to a more suitable location within your inheritance model.
Step 1
Select Devices > Managing Devices.
The Managing Devices page appears.
Step 2
Select the device to move, then click Move.
The Select Target Group page appears.
Step 3
Select the target group, then click Next.
The Target Group wizard summary page appears.
Step 4
Verify the information, then click Finish.
You are returned to the Managing Devices page, with new device group information displayed.
Deleting a Device
You can delete a firewall device from Firewall MC. This feature is useful if you changed the configuration files substantially outside of Firewall MC and you want to preserve those changes. Of course, the settings that are unique to Firewall MC will be lost, as will any device-level access and translation rules that were defined in the GUI.
Step 1
Select Devices > Managing Devices.
The Managing Devices page appears.
Step 2
Select the devices to delete, then click Delete.
You are prompted to confirm the delete request.
Step 3
Click OK.
The device is removed from the group.
Identifying Supporting Devices
You can add and edit supporting servers from the GUI: URL filter servers, DHCP servers, DHCP relay servers and agents, TFTP servers, and Auto Update Servers. URL filter servers let you control web access; the DHCP, TFTP, and Auto Update settings describe network services that the firewall devices provide or depend on.
Topics to be discussed are:
•
Configuring URL Filter Servers
•
Configuring a DHCP Server
•
Configuring DHCP Relay Servers
•
Editing DHCP Relay Agents
•
Configuring TFTP Servers
•
Representing Auto Update Servers
Configuring URL Filter Servers
URL filtering lets you prevent internal users from accessing external World Wide Web URLs that you designate by using a Websense or N2H2 URL filtering server. To access this feature, select Configuration > Device Settings > Servers and Services > URL Filter Server.
After you define your URL filtering servers and related options, use the Web Filter Rules feature to define the rules for enforcing URL filtering (see Inserting or Editing a Web Filter Rule, page 11-29).
Important Notes about URL Filtering
•
This feature is available only if you have the Websense or N2H2 application, available from http://www.websense.com or http://www.n2h2.com.
•
You can configure a total of 16 URL servers. The primary filtering server is the first server in the list. The firewall can be configured to use either N2H2 or Websense, but not both. If you change the URL filter server type, then all the previously configured filter servers are removed.
•
HTTPS and FTP filtering are not supported for the N2H2 filtering server.
•
If you change policy settings within the Websense server application, you must disable, then re-enable the Websense cache to ensure that the cached information does not conflict with any new policy settings.
Defining URL Filtering Options
The following procedure describes how to specify the type of URL filter server that you are using and the settings to use for URL filtering. These settings include enabling caching, URL buffering, and long URL support. With caching enabled, the firewall keeps the URL filter server's responses and answers repeated requests for the same URL from that cache instead of querying the filter server again, which speeds up user requests and reduces traffic between the firewall and the URL filter server. Because a cached verdict outlives a policy change on the server, clear or disable the cache after changing server-side policy (see the notes above). When enabled, the URL buffering feature buffers the response from the web server while waiting for a response from the URL filter server. The long URL support feature extends the size of URLs that are supported when using a Websense server.
Step 1
Select Configuration > Device Settings > Servers and Services > URL Filter Server.
The URL Filter Server page appears.
Step 2
Select the type of URL filtering server that you are using (Websense or N2H2).
Step 3
If you are using an N2H2 server, enter the N2H2 URL filtering port. The default is 4005.
Step 4
To enable caching:
a.
Select the Enable Caching check box.
b.
Click the appropriate radio button to select whether to base cache entries on the destination or source and destination.
c.
Enter the size of the cache file. Values are 1-128 KB. The default is 1.
Step 5
To enable URL buffering, select the Enable URL Buffering check box, then specify the number of 1550-byte buffers to allocate for URL buffering. Values are 1-128. The default is 1.
Step 6
To enable long URL support:
Note
Long URL support is available only with Websense servers.
a.
Select the Enable Long URL Support check box.
b.
Enter the maximum size of the long URL. Values are 2-4 KB. The default is 2 KB.
c.
Enter the memory allocated for the long URL. Values are 2-1024 KB. The memory allocated must be larger than the maximum size specified for each long URL.
Step 7
Click Apply.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 7-10 describes the elements on the URL Filter Server page.
Table 7-10 URL Filter Server Settings
Inherit settings check box: When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box: When selected, the settings are defined at group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
URL Filtering Server radio buttons: Select the type of URL filtering server you are using (Websense or N2H2).
N2H2 Port: Port used for communicating with an N2H2 server. Default is 4005.
Enable Caching check box: When selected, improves throughput by caching responses to URL filtering requests sent to a Websense URL server.
Base Cache Entries on radio buttons: Destination, if all users share the same URL filtering policy on the Websense server; Source and Destination, if users do not share the same policy.
Size of Cache (KB): Amount of memory allocated for caching. Values are 1-128 KB. Default is 1.
Enable URL Buffering check box: When selected, buffers responses from a web server while waiting for a response from the URL filter server.
Number of 1550-byte Buffers: Number of 1550-byte buffers to allocate for URL buffering. Values are 1-128. Default is 1.
Enable Long URL Support check box: When selected, extends the size of URLs that are supported when using a Websense server.
Note: Long URL support is available only with Websense servers.
Maximum Long URL Size (KB): Maximum size of a long URL. Values are 2-4 KB. Default is 2.
Memory Allocated for Long URL (KB): Amount of memory allocated for long URLs. Values are 2-1024 KB. Must be larger than the maximum long URL size.
Adding or Editing a URL Filter Server
Firewall MC allows you to monitor, manage, and restrict employee access to nonbusiness and objectionable content on the Internet. Users can be allowed or denied access to websites or can be coached with information about acceptable use of the Internet. The following procedure describes how to add a server to the list of defined URL filter servers or edit the information for a defined URL filter server.
Before You Begin
Configure the URL filtering options for the firewall device. See Defining URL Filtering Options.
Step 1
Select Configuration > Device Settings > Servers and Services > URL Filter Server.
The URL Filter Server page appears.
Step 2
Do one of the following:
•
To insert the first row in the table, click Insert.
•
To add another row, select the check box for the row above which to add a new row, then click Insert.
•
To edit a row, select the check box for the row, then click Edit.
The URL Filter Server page appears.
Step 3
From the list, select the interface on which the URL filter server resides. The list displays all interfaces defined at the current scope.
Step 4
Enter the IP address of the server that runs the URL filtering application.
Step 5
Verify the timeout value. The timeout is the maximum idle time (in seconds) before a firewall device tries to access the next URL server. The default is 5.
Step 6
Click the radio button for the appropriate protocol.
Note
For Websense servers, version 4 of these protocols provides greater functionality than version 1 provides. In version 4, when AAA filtering is enabled to perform user authentication, username information is passed to the Websense server so it can perform URL filtering and log URL activity by username.
Step 7
Verify the information, then click OK.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 7-11 describes the elements in the URL Filter Server page.
Table 7-11 Add/Edit URL Filter Server
Interface Name list: Network interface on which the URL filtering server resides. The list contains all interfaces defined at the current scope.
IP Address: IP address of the URL filtering server.
Timeout (seconds): Maximum idle time in seconds before the firewall tries the next URL filtering server. Default is 5.
Protocol: For Websense, TCP version 1 (default), TCP version 4, or UDP version 4. For N2H2, TCP (default) or UDP.
Note: Version 4 of the Websense protocol goes beyond version 1 in that, when AAA filtering is enabled to perform user authentication, username information is passed to the Websense server so it can filter URLs and log URL activity by username.
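The following Python script is an added example, not Firewall MC code. It takes the settings from the URL Filter Server page and the Add/Edit URL Filter Server page, checks the constraints this section lists (one vendor at a time, at most 16 servers, long URL support only with Websense, long URL memory larger than the maximum URL size, Websense protocol choices limited to TCP 1, TCP 4 and UDP 4), and renders the equivalent PIX 6.x url-server, url-cache, and url-block commands so you can see what will reach the device. The assumption that Firewall MC generates exactly these command lines is ours; the interface names and server addresses are constructed.

```python
"""Render URL Filter Server page settings as PIX url-server / url-cache /
url-block commands after checking the documented constraints.

Added example; not Firewall MC code. The command syntax is the PIX 6.x CLI;
that Firewall MC emits exactly these lines is an assumption.
"""

MAX_URL_SERVERS = 16


def validate(settings, servers):
    """Return a list of constraint violations (empty when deployable).

    settings: dict with vendor ("websense" | "n2h2"), optional n2h2_port,
      caching (None or {"basis": "dst" | "src_dst", "size_kb": n}),
      buffering (None or number of 1550-byte buffers),
      long_url (None or {"url_size_kb": n, "mempool_kb": n}).
    servers: list of dicts with interface, ip, timeout, protocol, version.
    """
    problems = []
    vendor = settings["vendor"]
    if vendor not in ("websense", "n2h2"):
        problems.append(f"unknown vendor {vendor!r}")
    if len(servers) > MAX_URL_SERVERS:
        problems.append(f"{len(servers)} URL servers configured; maximum is {MAX_URL_SERVERS}")
    if not servers:
        problems.append("no URL filter server defined; web filter rules would have no server")
    if vendor == "n2h2" and not 1 <= settings.get("n2h2_port", 4005) <= 65535:
        problems.append("N2H2 port out of range")
    cache = settings.get("caching")
    if cache:
        if cache["basis"] not in ("dst", "src_dst"):
            problems.append("cache basis must be dst or src_dst")
        if not 1 <= cache["size_kb"] <= 128:
            problems.append("cache size must be 1-128 KB")
    buffers = settings.get("buffering")
    if buffers is not None and not 1 <= buffers <= 128:
        problems.append("URL buffering needs 1-128 buffers")
    long_url = settings.get("long_url")
    if long_url:
        if vendor != "websense":
            problems.append("long URL support is available only with Websense servers")
        if not 2 <= long_url["url_size_kb"] <= 4:
            problems.append("maximum long URL size must be 2-4 KB")
        if not 2 <= long_url["mempool_kb"] <= 1024:
            problems.append("long URL memory must be 2-1024 KB")
        if long_url["mempool_kb"] <= long_url["url_size_kb"]:
            problems.append("long URL memory must be larger than the maximum long URL size")
    for s in servers:
        proto, ver = s.get("protocol", "TCP"), s.get("version", 1)
        if proto not in ("TCP", "UDP"):
            problems.append(f"{s['ip']}: protocol must be TCP or UDP")
        if vendor == "websense" and ver not in (1, 4):
            problems.append(f"{s['ip']}: Websense protocol version must be 1 or 4")
        if vendor == "websense" and proto == "UDP" and ver != 4:
            problems.append(f"{s['ip']}: Websense over UDP is offered only with version 4")
    return problems


def render(settings, servers):
    """Return the PIX command lines for validated settings; raise on violations."""
    problems = validate(settings, servers)
    if problems:
        raise ValueError("; ".join(problems))
    vendor = settings["vendor"]
    lines = []
    for s in servers:  # the first server in the list is the primary
        cmd = f"url-server ({s['interface']}) vendor {vendor} host {s['ip']}"
        if vendor == "n2h2":
            cmd += f" port {settings.get('n2h2_port', 4005)}"
        cmd += f" timeout {s.get('timeout', 5)} protocol {s.get('protocol', 'TCP')}"
        if vendor == "websense":
            cmd += f" version {s.get('version', 1)}"
        lines.append(cmd)
    cache = settings.get("caching")
    if cache:
        lines.append(f"url-cache {cache['basis']} {cache['size_kb']}")
    if settings.get("buffering") is not None:
        lines.append(f"url-block block {settings['buffering']}")
    long_url = settings.get("long_url")
    if long_url:
        lines.append(f"url-block url-mempool {long_url['mempool_kb']}")
        lines.append(f"url-block url-size {long_url['url_size_kb']}")
    return lines


# Constructed settings mirroring the GUI fields; addresses are made up.
WEBSENSE_SETTINGS = {
    "vendor": "websense",
    "caching": {"basis": "dst", "size_kb": 128},
    "buffering": 128,
    "long_url": {"url_size_kb": 4, "mempool_kb": 1024},
}
WEBSENSE_SERVERS = [
    {"interface": "inside", "ip": "10.10.1.20", "timeout": 5, "protocol": "TCP", "version": 4},
    {"interface": "inside", "ip": "10.10.1.21", "timeout": 5, "protocol": "TCP", "version": 4},
]

if __name__ == "__main__":
    print("\n".join(render(WEBSENSE_SETTINGS, WEBSENSE_SERVERS)))
```

Because validate runs before anything is rendered, a mixed-vendor or over-limit configuration is caught in the tool rather than on the device at deployment time, where a rejected command would leave filtering partially configured.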
Deleting a URL Filter Server
You can delete a server from the list of defined URL filter servers.
Step 1
Select Configuration > Device Settings > Servers and Services > URL Filter Server.
The URL Filter Server table appears.
Step 2
Select the check box for the row, then click Delete.
You are prompted to confirm the delete request.
Step 3
Click OK.
The row is removed from the table, and the information is removed from the assigned configuration files when the files are deployed.
Configuring a DHCP Server
A Dynamic Host Configuration Protocol (DHCP) server provides network configuration parameters to a DHCP client. Support for the DHCP server within the PIX Firewall means the PIX Firewall can use DHCP to configure connected clients. This DHCP feature is designed for the remote home or branch office that will establish a connection to an enterprise or corporate network.
You can configure the firewall device as a DHCP server for hosts connected to its inside interface.
Note
If your firewall device is also acting as a DHCP client on the outside interface, you can enable autoconfiguration. This allows the firewall device to automatically pass the DNS, WINS, and domain name parameters it gets from the outside interface (as a DHCP client) to hosts on its inside network. Alternatively, you can manually specify the DNS, WINS, and domain name parameters. If you specify those parameters manually and autoconfiguration is on, your values take precedence over autoconfiguration.
Step 1
Select Configuration > Device Settings > Servers and Services > DHCP Server.
The DHCP Server page appears.
Step 2
Select the Enable DHCP on inside interface check box to enable DHCP for the firewall device.
Step 3
Enter the DHCP address-pool range in the fields provided, from the lowest to the highest address (for example, 10.10.1.1-10.10.1.10).
Note
Blocks of addresses must be on the same subnet as the inside interface.
Step 4
Verify the lease length setting, which is the amount of time a DHCP client can use its allocated IP address from the DHCP server before its lease expires. Values are 300-2,147,483,647. The default is 3,600 (1 hour).
Step 5
Verify the ping timeout setting, which is the amount of time the firewall device should wait before declaring timeout on a ping. The default is 750 milliseconds.
Step 6
Select the Enable autoconfiguration check box to instruct the DHCP server to configure domain name, DNS, and WINS information.
Step 7
Enter the domain name (for example, cisco.com).
Step 8
Enter the DNS servers. You can enter up to two DNS servers and IP addresses (Server 1 and Server 2) for a DHCP client.
Step 9
Enter the WINS servers. You can enter up to two WINS servers and IP addresses (Server 1 and Server 2) for a DHCP client.
Step 10
Enable DHCP option 150:
a.
Select the Enable DHCP option 150 check box.
b.
Enter the IP address of the TFTP servers.
Step 11
Enable DHCP option 66:
a.
Select the Enable DHCP option 66 check box.
b.
Enter the TFTP server hostname or IP address.
Step 12
Click Apply.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 7-12 describes the elements on the DHCP Server page.
Table 7-12 DHCP Server
Inherit settings check box: When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box: When selected, the settings are defined at group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enable DHCP on inside interface check box: When selected, enables the DHCP server on the firewall device's inside interface.
DHCP Address Pool fields: IP address range from lowest to highest, for example, 10.10.1.1-10.10.1.10. The block of addresses must be on the same subnet as the inside interface. A PIX 506 running version 6.0 supports up to 32 DHCP-assigned IP addresses; all larger firewall device platforms support 256.
Lease Length (seconds): Amount of time a DHCP client can use its allocated IP address before the lease expires. Values are 300-2,147,483,647 seconds. Default is 3,600 (1 hour).
Ping Timeout (milliseconds): Amount of time the firewall device waits before declaring a ping timed out. The firewall device uses ping to determine dynamically whether an IP address is still in use by a client. Default is 750.
Enable autoconfiguration check box: When selected, instructs the DHCP server to supply the domain name, DNS, and WINS information that the firewall device learned as a DHCP client on its outside interface.
Domain Name: Optional DNS domain name, for example, cisco.com.
DNS Servers: Up to two DNS server IP addresses (Server 1 and Server 2) handed out to DHCP clients.
WINS Servers: Up to two Windows Internet Naming Service (WINS) server IP addresses (Server 1 and Server 2) handed out to DHCP clients.
Enable DHCP option 150 check box: When selected, the firewall device answers DHCP option 150 requests.
TFTP Servers: When DHCP option 150 is enabled, one or two TFTP servers, specified by IP address.
Enable DHCP option 66: When selected, the firewall device answers DHCP option 66 requests.
TFTP Server Host Name/IP: When DHCP option 66 is enabled, a TFTP server hostname or IP address must be specified.
Configuring DHCP Relay Servers
The DHCP Relay Server feature allows you to define the IP address of the DHCP server to which the DHCP Relay Agent forwards client requests. For interfaces on which the DHCP Relay Agent is enabled, the DHCP Relay Server feature overrides the DHCP server configured on the Configuration > Device Settings > Servers and Services > DHCP Server page.
Step 1
Select Configuration > Device Settings > Servers and Services > DHCP Relay Server.
The DHCP Relay Server page appears.
Step 2
Enter the DHCP Relay timeout, in seconds, in the DHCP Relay Timeout field, then click Apply. The default is 60 seconds.
Step 3
Click Add.
The Edit DHCP Relay Server page appears.
Step 4
Select the interface from the Interface Name list.
Step 5
Enter the server's IP address.
Step 6
Click OK.
The new Relay Server appears in the DHCP Relay Servers list.
Note
The DHCP Relay Server table can have a maximum of four servers.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 7-13 describes the elements on the DHCP Relay Server page and in the Edit DHCP Relay Server page.
Table 7-13 DHCP Relay Server
Inherit settings check box: When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box: When selected, the settings are defined at group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
DHCP Relay Timeout: Amount of time, in seconds, allowed for responses from the DHCP server to pass to the DHCP client through the relay binding structure. Default is 60.
Interface Name: Logical name of the interface through which the DHCP server is reached.
Note: In the wizard, the list displays all interfaces defined at the current scope.
Server IP Address: IP address of the DHCP server to which relayed requests are sent.
Editing DHCP Relay Agents
The DHCP Relay Agent feature lets you enable the DHCP relay agent on a specified interface. The agent relays DHCP requests between clients behind that interface and a DHCP server behind a different interface. You must define the address of the DHCP server on the Configuration > Device Settings > Servers and Services > DHCP Relay Server page.
The following restrictions apply to the use of DHCP relay:
•
The relay agent cannot be enabled if the PIX Firewall DHCP server is enabled.
•
The relay agent will forward requests if IPSec is configured. VPN negotiations will be initiated if a tunnel does not exist.
•
Clients must be directly connected to the PIX Firewall and cannot send requests through another relay agent or a router.
•
DHCP relay will not work in client mode.
Note
Some type of NAT must be specified to allow forwarding of a DHCP release message from a client to a DHCP server.
Step 1
Select Configuration > Device Settings > Servers and Services > DHCP Relay Agent.
The DHCP Relay Agent page appears.
Step 2
Select the interface to edit from the DHCP Relay Agent list, then click Edit.
The Edit DHCP Relay Agent page appears.
Step 3
To enable the DHCP relay agent to accept DHCP requests from clients on this interface, select the Enable Interface check box.
Step 4
To have DHCP clients use this interface as the default gateway for reaching the DHCP server, select the Enable Setroute check box.
When enabled, the DHCP Relay Agent substitutes the address of this interface for the default gateway address in the packet sent from the DHCP server.
Step 5
Click OK.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 7-14 describes the elements on the DHCP Relay Agent page and in the Edit DHCP Relay Agent page.
Table 7-14 DHCP Relay Agent
Inherit settings check box: When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box: When selected, the settings are defined at group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enable: Enables the DHCP relay agent to accept DHCP requests from clients on the specified interface.
Setroute: Specifies that DHCP clients use this interface as the default gateway for reaching the DHCP server. When enabled, the DHCP relay agent substitutes the address of this interface for the default gateway address in the packet sent from the DHCP server.
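The following Python script is an added example, not Firewall MC code. It checks a device's DHCP Server, DHCP Relay Server, and DHCP Relay Agent settings against the rules stated in these three sections before deployment: the address pool must lie on the inside subnet and within the platform's pool limit, the lease must be in range, option 150 takes one or two addresses, the relay agent cannot be enabled together with the DHCP server, at most four relay servers are allowed, and a relay server must sit behind a different interface from the one the agent serves. The sample device, platform strings, and addresses are constructed.

```python
"""Sanity checks for DHCP Server, DHCP Relay Server and DHCP Relay Agent
settings before they are deployed to a PIX Firewall.

Added example; not Firewall MC code. Pool limits are the ones the page
quotes (32 on a PIX 506 running 6.0, 256 on larger platforms).
"""
import ipaddress

MAX_RELAY_SERVERS = 4
LEASE_MIN, LEASE_MAX = 300, 2_147_483_647


def pool_limit(platform, version):
    """Maximum number of DHCP-assigned addresses for the platform."""
    if platform == "PIX 506" and version.startswith("6.0"):
        return 32
    return 256


def check_dhcp(dev):
    """Return a list of problems with a device's DHCP settings.

    dev is a dict:
      inside:   "10.10.1.1/24"  (inside interface address with mask)
      dhcpd:    None or {"pool": (low, high), "lease": secs,
                         "ping_timeout": ms, "option66": str,
                         "option150": [ip, ...]}
      relay:    None or {"servers": [(if_name, ip), ...],
                         "agents": {if_name: {"enable": bool, "setroute": bool}},
                         "timeout": secs}
      platform, version: strings used for the pool-size limit
    """
    problems = []
    inside = ipaddress.ip_interface(dev["inside"])
    dhcpd, relay = dev.get("dhcpd"), dev.get("relay")

    if dhcpd:
        low, high = (ipaddress.ip_address(a) for a in dhcpd["pool"])
        if low > high:
            problems.append("pool range must run from lowest to highest address")
        if low not in inside.network or high not in inside.network:
            problems.append(f"pool {low}-{high} is not on the inside subnet {inside.network}")
        if low <= inside.ip <= high:
            problems.append("pool contains the inside interface address itself")
        size = int(high) - int(low) + 1
        limit = pool_limit(dev.get("platform", ""), dev.get("version", ""))
        if size > limit:
            problems.append(f"pool has {size} addresses; platform limit is {limit}")
        if not LEASE_MIN <= dhcpd.get("lease", 3600) <= LEASE_MAX:
            problems.append("lease must be 300-2147483647 seconds")
        if dhcpd.get("option150") is not None and not 1 <= len(dhcpd["option150"]) <= 2:
            problems.append("option 150 takes one or two TFTP server addresses")
        if dhcpd.get("option66") == "":
            problems.append("option 66 is enabled but no TFTP server name or address is given")

    if relay:
        agents_on = [n for n, a in relay.get("agents", {}).items() if a.get("enable")]
        if dhcpd and agents_on:
            problems.append("DHCP relay agent cannot be enabled while the DHCP server is enabled")
        if len(relay.get("servers", [])) > MAX_RELAY_SERVERS:
            problems.append(f"{len(relay['servers'])} relay servers; maximum is {MAX_RELAY_SERVERS}")
        if agents_on and not relay.get("servers"):
            problems.append("relay agent enabled but no DHCP relay server is defined")
        for if_name, ip in relay.get("servers", []):
            if if_name in agents_on:
                problems.append(f"relay server {ip} is on {if_name}, the interface the agent serves")
    return problems


# Constructed branch-office device: a ten-address pool inside 10.10.1.0/24.
BRANCH = {
    "platform": "PIX 506", "version": "6.3(3)",
    "inside": "10.10.1.1/24",
    "dhcpd": {"pool": ("10.10.1.101", "10.10.1.110"), "lease": 3600,
              "ping_timeout": 750, "option66": "tftp.example.net",
              "option150": ["10.10.1.5"]},
    "relay": None,
}

if __name__ == "__main__":
    print(check_dhcp(BRANCH) or "settings look deployable")
```

The subnet and pool-size checks catch the two mistakes that the GUI cannot see on its own: a pool typed for the wrong network, and a pool larger than a PIX 506 on 6.0 can serve. The relay checks enforce the restriction that a device is either a DHCP server or a relay, never both.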
Configuring TFTP Servers
The TFTP Server feature lets you configure a firewall device to copy its configuration files to a file server using the Trivial File Transfer Protocol (TFTP). Only one server is supported.
TFTP is a simple client/server file-transfer protocol described in RFC 783 and RFC 1350 (Revision 2). This feature configures firewall devices as TFTP clients so that a firewall device can transfer a copy of its configuration to a TFTP server, which lets configuration files be backed up and propagated to multiple firewall devices. TFTP provides no authentication and no encryption, so the transferred configuration, including any password hashes and other sensitive settings it contains, crosses the network in the clear. Place the TFTP server on a trusted interface and restrict who can read from and write to it.
Step 1
Select Configuration > Device Settings > Servers and Services > TFTP Server.
The TFTP Server page appears.
Step 2
Select the Enable TFTP Server check box to enable TFTP server settings in the configuration.
Step 3
Select the interface from the list. The list displays all interfaces defined at the current scope.
Step 4
Enter the IP address of the TFTP server.
Step 5
Enter the pathname of the configuration file, beginning with "/" (forward slash) and ending with the filename (where the configuration file will be written).
Step 6
Click Apply.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 7-15 describes the elements on the TFTP Server page.
Table 7-15 TFTP Server
Inherit settings check box: When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box: When selected, the settings are defined at group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.
Note: A grayed-out check box disallows changes at the current scope.
Enable TFTP Server check box: When selected, enables the TFTP server settings in the configuration.
Interface Name: Logical name of the interface through which the TFTP server is reached. The list displays all interfaces defined at the current scope.
IP Address: IP address of the TFTP server.
Config File Path: Path on the TFTP server, beginning with "/" (forward slash) and ending with the filename to which the configuration file will be written.
Representing Auto Update Servers
The Auto Update Server (AUS) feature defines how firewall devices and Firewall MC reach the AUS. The settings are written into the firewall device configuration files and also give Firewall MC the contact information it needs to connect to the AUS and deploy configuration files to it. The configuration files are updated at deployment time, at which point auto update becomes enabled. To access this feature, select Configuration > Device Settings > Auto Update Server.
Firewall devices must have PIX OS version 6.2 or later to use AUS.
Note
For the firewall device to contact the AUS initially, these settings must match those used to bootstrap the firewall device.
For the Firewall MC and firewall devices to communicate, you must also:
•
Configure the Unique Identity feature. (See Configuring Unique Identity.)
•
Configure HTTPS on firewall devices. (See "Preparing Your Firewall Devices.")
Note
The AUS does not support firewall devices that are configured for failover.
Step 1
Select Configuration > Device Settings > Auto Update Server > Server and Contact Information.
The Server and Contact Information page appears.
Step 2
Enter the AUS URL path to the servlet that the device uses to receive an auto update.
Step 3
Enter the AUS IP address.
Step 4
Verify the port number for the AUS. The default is 443.
Step 5
Enter the name of the user being used by Firewall MC to contact the AUS. Username is based on type of authentication used.
Step 6
Enter the user password.
Step 7
Reenter the user password in the Confirm Password field.
If the firewall device must use a different IP address or port number than Firewall MC uses to contact the AUS (for example, because a NAT boundary sits between the device and the AUS), specify the alternate address or port in the Use Different AUS Address and Port for Device fields. If the device and Firewall MC use the same contact information, skip to Step 8.
To assign a different IP address or port number for the other device:
a.
Select the Use Different AUS Address and Port for Device check box.
b.
Enter the AUS IP address used by the other device.
c.
Enter the AUS port number used by the other device.
Step 8
Click Apply.
Table 7-16 describes the elements on the Server and Contact Information page.
Table 7-16 Server and Contact Information

Element | Description
--- | ---
Inherit settings check box | When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. Note A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box | When selected, settings are made at the group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. Note A grayed-out check box disallows changes at the current scope.
AUS URL | Directory path to the servlet that the device uses to receive an auto update. The default path is /autoupdate/AutoUpdateServlet. This is the path portion of the URL used to communicate with the AUS; the full URL has the syntax http[s]://[[user:password@]location[:port]]/pathname.
IP Address | IP address of the AUS.
Port | Port number used for the AUS. The default is 443.
Username | Name of the user that Firewall MC uses to contact the AUS. The username depends on the type of authentication used.
Password | Password that corresponds to the username.
Confirm Password | The password, reentered.
Use Different AUS Address and Port for Device | If a NAT boundary exists between the firewall device and the AUS server, use this set of fields to identify the IP address and port number that the firewall device should use.
IP Address | IP address used by a firewall device when a NAT boundary exists between the AUS server and that device (only if different from the address Firewall MC uses).
Port | Port number used by a firewall device when a NAT boundary exists between the AUS server and that device (only if different from the port Firewall MC uses).
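The AUS URL syntax in Table 7-16 allows an optional user:password@ component, which means credentials can end up embedded in a URL that is written into configuration files. The following added example (not Cisco's code) parses a URL of that form, fills in the defaults the table states (port 443, path /autoupdate/AutoUpdateServlet), flags embedded credentials so they can be moved into the separate Username and Password fields, and derives the per-device contact settings when a NAT override is in effect. The parse_aus_url and device_contact function names are this example's own.

```python
"""Parse Firewall MC AUS contact settings (added example, not Cisco's code).

Documented URL form: http[s]://[[user:password@]location[:port]]/pathname
Defaults taken from the page: port 443, path /autoupdate/AutoUpdateServlet.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = 443
DEFAULT_PATH = "/autoupdate/AutoUpdateServlet"


def parse_aus_url(url):
    """Split an AUS URL into its parts, applying the documented defaults.

    Returns a dict with scheme, host, port, path and a credentials_in_url
    flag. Raises ValueError for schemes other than http/https or a missing
    host, so a bad entry is caught before it is pushed to a device.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("AUS URL must use http or https: %r" % url)
    if not parts.hostname:
        raise ValueError("AUS URL has no host: %r" % url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        # parts.port raises ValueError itself on a non-numeric port.
        "port": parts.port if parts.port is not None else DEFAULT_PORT,
        "path": parts.path or DEFAULT_PATH,
        # Credentials inside the URL are written to config files in the
        # clear; the Username/Password fields are the intended place.
        "credentials_in_url": parts.username is not None,
    }


def device_contact(mc_settings, override=None):
    """Return the (host, port, path) a firewall device should use.

    mc_settings is the dict from parse_aus_url(); override, when given,
    models the "Use Different AUS Address and Port for Device" fields as
    {"ip": ..., "port": ...} for a device behind a NAT boundary.
    """
    host = mc_settings["host"]
    port = mc_settings["port"]
    if override:
        host = override.get("ip", host)
        port = override.get("port", port)
    return host, port, mc_settings["path"]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    s = parse_aus_url("https://admin:s3cret@192.0.2.10/autoupdate/AutoUpdateServlet")
    print(s)
    print(device_contact(s, {"ip": "198.51.100.7", "port": 8443}))
```

Run the block on its own to see a parsed URL with the credentials flag set and the NAT-side contact tuple; in practice the flag is the signal to move the credentials out of the URL.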
Applying AUS Settings
Before You Begin
• Configure the Unique Identity feature. See Configuring Unique Identity.
• Configure HTTPS on firewall devices. See "Preparing Your Firewall Devices."
Step 1
Select Configuration > Device Settings > Auto Update Server > Device AUS Settings.
The Device AUS Settings page appears.
Step 2
Select the Enable Auto Update Server check box to enable the AUS.
Step 3
Enter the name of the user that the firewall device uses to contact the AUS. Username is based on type of authentication used.
Step 4
Enter the user password.
Step 5
Reenter the user password in the Confirm Password field.
Step 6
Verify the poll period. The default is 720 minutes.
Step 7
Verify the poll retry count, which is the number of attempts to connect to a device being polled.
Step 8
Verify the poll retry period.
Step 9
To deactivate the firewall device if an update is not received within a certain amount of time, select the Deactivate Device check box and enter the amount of time to wait before deactivating it. The default is to never deactivate.
Step 10
Select the Verify Certificate check box to verify the certificate being used.
Step 11
Click Apply.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are downloaded and deployed to the firewall device if the deployment type is set to "Direct to Device." If the deployment type is AUS, then the configuration files are deployed to the AUS server and then downloaded to the firewall devices when they contact the AUS server.
Table 7-17 describes the elements on the Device AUS Settings page.
Table 7-17 Device AUS Settings

Element | Description
--- | ---
Inherit settings check box | When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. Note A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box | When selected, settings are made at the group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. Note A grayed-out check box disallows changes at the current scope.
Enable Auto Update Server check box | When selected, enables the Auto Update Server (AUS); the setting is written as true.
Username | Name of the user that the firewall device uses to contact the AUS. The username depends on the type of authentication used.
Password | Password that corresponds to the username above.
Confirm Password | The password, reentered.
Poll Period (minutes) | Polling period in minutes. The default is 720.
Poll Retry Count | Number of attempts to connect to the device being polled. The default is 0.
Poll Retry Period (minutes) | Polling retry period in minutes. The default is 5.
Deactivate Device if no update for (minutes) | Amount of time in minutes after which the firewall device is deactivated if no update occurs within that time frame. The default is to never deactivate.
Verify Certificate | Enables verification of the certificate being used.
Configuring Unique Identity
The Unique Identity feature enables you to assign an identifier to each firewall device. The identifiers are applied to the firewall device configuration file. This feature is generally used by organizations using an Auto Update Server (AUS) and when hostnames are not unique.
Step 1
Select Configuration > Device Settings > Auto Update Server > Unique Identity.
The Unique Identity page appears.
Step 2
Select the method to use for identifying a firewall device. Special characters (`, ", <, >, &, ?) and spaces are not permitted.
Step 3
Click Apply.
Changes are applied to the assigned configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 7-18 describes the elements on the Unique Identity page.
Table 7-18 Unique Identity

Element | Description
--- | ---
Inherit settings check box | When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. Note A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box | When selected, settings are made at the group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. Note A grayed-out check box disallows changes at the current scope.
Hostname radio button | Hostname of the device.
IP address radio button and list | Interface options using an IP address.
MAC address radio button, list, and text field | Interface options using a MAC address.
Hardware serial number radio button and text field | Serial number of the device.
User defined string | Field to enter a user-defined text string. Special characters (`, ", <, >, &, ?) and spaces are not permitted.
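Two things go wrong with unique identities in practice: a user-defined string containing one of the characters Table 7-18 forbids, and an identity method (typically hostname) that is not actually unique across the fleet, which is the very case the feature exists for. The added example below (not Cisco's code) checks both before the configuration is generated. The device records are constructed sample data, and the function names validate_user_string and find_identity_collisions are this example's own.

```python
"""Unique Identity checks for a fleet of firewall devices
(added example, not Cisco's code)."""
from collections import defaultdict

# Characters the page lists as not permitted in a user-defined string,
# plus the space character.
FORBIDDEN_CHARS = set('`"<>&?') | {" "}

# Identity methods from Table 7-18, mapped to the record field holding
# the value each method would produce.
IDENTITY_FIELDS = {
    "hostname": "hostname",
    "ip": "ip",
    "mac": "mac",
    "serial": "serial",
    "user_string": "user_string",
}


def validate_user_string(value):
    """Return a list of problems with a user-defined identity string
    (empty list means the string is acceptable)."""
    problems = []
    if not value:
        problems.append("empty string")
        return problems
    bad = sorted({ch for ch in value if ch in FORBIDDEN_CHARS})
    if bad:
        problems.append("forbidden characters: "
                        + ", ".join(repr(ch) for ch in bad))
    return problems


def find_identity_collisions(devices, method):
    """Group devices whose chosen identity value is shared.

    devices: list of dicts with hostname/ip/mac/serial/user_string keys.
    Returns {identity_value: [device names]} for values used by more
    than one device; an empty dict means the method is unique.
    """
    field = IDENTITY_FIELDS[method]
    seen = defaultdict(list)
    for dev in devices:
        seen[dev.get(field)].append(dev["name"])
    return {value: names for value, names in seen.items() if len(names) > 1}


# Constructed fleet: two branch firewalls cloned from one template share a
# hostname, which is exactly why hostname is a poor identity here.
SAMPLE_DEVICES = [
    {"name": "branch-a", "hostname": "pixfirewall", "ip": "192.0.2.1",
     "mac": "0000.0c00.0001", "serial": "SER0001", "user_string": "branch-a"},
    {"name": "branch-b", "hostname": "pixfirewall", "ip": "192.0.2.1",
     "mac": "0000.0c00.0002", "serial": "SER0002", "user_string": "branch b?"},
]

if __name__ == "__main__":
    print(find_identity_collisions(SAMPLE_DEVICES, "hostname"))
    print(find_identity_collisions(SAMPLE_DEVICES, "serial"))
    for dev in SAMPLE_DEVICES:
        print(dev["name"], validate_user_string(dev["user_string"]))
```

On the sample fleet the hostname and IP methods collide (both devices carry the same template values and overlapping private addressing) while serial numbers and MAC addresses are unique, and the second device's user string is rejected for the space and the question mark.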