Using Management Center for Firewalls 1.3
Defining Rules Manually Using CLI Syntax

Table Of Contents

Defining Rules Manually Using CLI Syntax

Addressing Unsupported, Deprecated, and Partially Supported Commands After Import

Addressing Alias Command Support

Addressing AAA Include/Exclude Commands

Addressing NTP Server Command Support

Configuring Beginning Commands

Adding a Beginning Command

Configuring Ending Commands

Important Notes About Ending Commands

Adding an Ending Command


Defining Rules Manually Using CLI Syntax


PIX Firewall and Firewall Services Module (FWSM) CLI commands receive different levels of support from Firewall MC 1.2. As a result, you might import a device configuration that includes commands not recognized by Firewall MC. Unsupported commands become ending commands in Firewall MC. Ending commands are deployed after all Firewall MC generated commands have been deployed.

You should fully understand the level of support that each command receives from Firewall MC. This understanding will enable you to use commands or command combinations in PIX Firewall and FWSM configuration files so that import operations and deployment jobs succeed. For a list of supported and unsupported commands, see the document titled Supported Devices, OS Versions and Commands for Management Center for Firewalls 1.2, on Cisco.com.


Note You should not need to configure additions for this release of Firewall MC; however, they provide workarounds to commands that are not currently supported.


Topics to be discussed are:

Addressing Unsupported, Deprecated, and Partially Supported Commands After Import

Configuring Beginning Commands

Configuring Ending Commands

Addressing Unsupported, Deprecated, and Partially Supported Commands After Import

Firewall MC does not support all CLI commands that can exist on a firewall device. In addition, some commands have replay problems, which generate errors if the same command is deployed more than once. If the configuration you import from an existing device contains the following commands, you should make the recommended changes for that command:

alias command—See Addressing Alias Command Support.

aaa include/exclude—See Addressing AAA Include/Exclude Commands.

ntp server command—See Addressing NTP Server Command Support.

Addressing Alias Command Support

Unless you use one of the fixup protocols that do not support outbound NAT (see Managing Alias Command Support), you should convert your alias commands either to translation rules that map from a less secure interface to a more secure interface, or to policy dynamic NAT rules.

Addressing AAA Include/Exclude Commands

The AAA commands, authentication | authorization | accounting include | exclude, are not supported by Firewall MC and result in errors during import.

You can convert these commands into the corresponding ACL rule that matches that AAA command.

For each exclude command with the same interface and group_tag, create an equivalent deny rule in a single ACL.

For each include command with the same interface and group_tag, create an equivalent permit rule in the same ACL.

All "exclude" rules should be handled before the "include" rules. The relative order of the individual "exclude" and "include" rules should remain the same.

The ACL must have been initially empty.

Remove the original AAA include and exclude commands that were processed as above from the configuration and replace them with a single ACL rule that matches that AAA command using the interface and group_tag. Repeat the above process for other AAA commands that have different interface and group_tag pairs, always creating a new ACL for each interface/group_tag pair.
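The conversion described above, as an added example that is not part of the original document or of Firewall MC: it groups constructed PIX 6.x-style aaa include/exclude lines by (aaa type, interface, group_tag), emits deny entries for every exclude before permit entries for every include while preserving their relative order, uses a fresh ACL name per pair so the ACL starts empty, and finishes with the matching aaa ... match command. The service-to-protocol mapping, the local-as-source/foreign-as-destination mapping, and the ACL naming scheme are assumptions for illustration.

```python
from collections import OrderedDict

# Constructed sample fragment (not from the page), PIX 6.x syntax:
#   aaa <type> include|exclude <service> <if_name> <local_ip> <local_mask> <foreign_ip> <foreign_mask> <group_tag>
SAMPLE_CONFIG = """
aaa authentication include any outside 0 0 0 0 TACACS+
aaa authentication exclude http outside 10.1.1.5 255.255.255.255 0 0 TACACS+
aaa authentication include telnet inside 10.1.1.0 255.255.255.0 0 0 TACACS+
aaa authorization exclude any outside 10.1.1.6 255.255.255.255 0 0 TACACS+
aaa authorization include any outside 0 0 0 0 TACACS+
""".strip().splitlines()


def _addr(ip, mask):
    """Render a PIX ip/mask pair in access-list form (0 0 -> any, /32 -> host)."""
    if ip in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
        return "any"
    if mask == "255.255.255.255":
        return "host " + ip
    return ip + " " + mask


def _match(service):
    """Assumed mapping: 'any' -> ip, 'proto/port' -> proto eq port, named service -> tcp eq name."""
    if service == "any":
        return "ip", ""
    if "/" in service:
        proto, port = service.split("/", 1)
        return proto, " eq " + port
    return "tcp", " eq " + service


def convert_aaa(lines):
    """Return (acl_lines, aaa_match_lines): one fresh ACL per (type, interface, group_tag);
    all exclude->deny entries first, then include->permit entries, each in original order."""
    groups = OrderedDict()
    for line in lines:
        t = line.split()
        if len(t) != 10 or t[0] != "aaa" or t[2] not in ("include", "exclude"):
            continue  # not an include/exclude command; leave it for other handling
        kind, action, svc, ifname, lip, lmask, fip, fmask, tag = t[1:]
        rules = groups.setdefault((kind, ifname, tag), {"exclude": [], "include": []})
        rules[action].append((svc, lip, lmask, fip, fmask))
    acl, aaa = [], []
    for n, ((kind, ifname, tag), rules) in enumerate(groups.items(), 1):
        name = "aaa_%s_%s_%d" % (kind, ifname, n)  # assumed naming; new ACL => initially empty
        for action, verb in (("exclude", "deny"), ("include", "permit")):
            for svc, lip, lmask, fip, fmask in rules[action]:
                proto, port = _match(svc)
                acl.append("access-list %s %s %s %s %s%s" % (
                    name, verb, proto, _addr(lip, lmask), _addr(fip, fmask), port))
        aaa.append("aaa %s match %s %s %s" % (kind, name, ifname, tag))
    return acl, aaa
```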

Addressing NTP Server Command Support

If the command ntp server <ip_address> source <interface_name> exists on a firewall device and the device configuration is imported, then later deployed to the same device, the transcript returns an error.

To work around this problem, remove the NTP server command from the Ending commands after import.

Configuring Beginning Commands

The Beginning Commands feature provides a workaround for CLI commands not supported by this product release. Beginning commands are always replaced when the configuration files are deployed. To access this feature, select Configuration > Device Settings > Config Additions > Beginning Commands.


Note You should not need to configure beginning commands for this release.


Adding a Beginning Command


Step 1 Select Configuration > Device Settings > Config Additions > Beginning Commands.

The Beginning Commands page appears.

Step 2 Enter any unsupported CLI commands that you want to appear at the beginning of a configuration file.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 13-1 describes the elements in the Beginning Commands page.

Table 13-1 Beginning Commands

Element
Description

Inherit settings check box

When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Beginning Commands

Commands to place before the configuration file.


Configuring Ending Commands

The Ending Commands feature provides a workaround for CLI commands not supported by this release of Firewall MC. Ending commands appear after all other commands in the configuration file and before the command write mem. To access this feature, select Configuration > Device Settings > Config Additions > Ending Commands.

Ending commands are resent when the configuration files are deployed. Some commands are designed to be one-time operations. You should check the ending commands to see if any need to be removed before the configuration file is deployed.


Note You should not need to configure ending commands for this release.


Firewall MC might not support a particular firewall device OS command, but you can still configure this command on the firewall device by noting the command as an ending command.

If these commands are already configured on the device, the firewall device generates an error when an attempt is made to add them again.

To resolve this, two workarounds are available:

Enter the command that deconfigures the feature in question as an ending command in Firewall MC. For example, if the command is xyz, enter the following two lines:

no xyz
xyz

Change the Firewall MC setting that controls the action that Firewall MC will take. To do this, select Configuration > MC Settings > Management. Set the action taken on unknown commands to "Warning."


Note The setting change will affect the behavior of Firewall MC for all commands being deployed, not just those designated as an ending command.


For more information, see Configuring Management Controls, page 3-13.

Important Notes About Ending Commands

If you are deploying to a device, most commands in the Ending Commands section should be removed after the initial deployment. This is especially true for object groups, where any unbound object group is placed in the Ending Commands section during command generation and then resent each time the configuration is deployed to a device.

Firewall MC displays an error because the firewall device shows that the object group already exists.

If you are deploying to a file or AUS, the Ending commands should remain.

Adding an Ending Command


Step 1 Select Configuration > Device Settings > Config Additions > Ending Commands.

The Ending Commands page appears.

Step 2 Enter any unsupported CLI commands that you want to appear at the end of a configuration file.

Step 3 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 13-2 describes the elements on the Ending Commands page.

Table 13-2 Ending Commands

Element
Description

Inherit settings check box

When selected, the subgroup or devices inherit the settings of the enclosing group at the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Ending commands

Commands to place after the configuration file.