Advanced Configurations

Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default is the failover off command. Enter the no failover command in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active.

Important Notes

1. If you are upgrading from a previous version, refer to "Upgrading from PIX Firewall Version 4.1 to Version 4.2" and "Upgrading from PIX Firewall Version 4.2(1) to 4.3(2)" before continuing.

2. Before connecting the failover cable, removing network cables, or powering off your unit as described in this section, read the Regulatory Compliance and Safety Information for the PIX Firewall Version 4.3 guide for important safety information.

3. Refer to the Quick Installation Guide for the PIX Firewall Version 4.3 for information about installing a failover cable and other failover installation information.

4. Failover is supported only between identical PIX Firewall models running the same software version and connection license. For example, failover is not supported between a PIX10000 and a PIX 520.

5. Failover IP addresses must be configured on each interface card. The Active unit of the failover pair uses the system IP addresses and the Primary unit's MAC address, while the Standby unit uses the failover IP addresses and the secondary unit's MAC address. The system IP addresses and the failover IP addresses must be on the same subnet with no router between them.

6. Failover syslog messages are described in the System Log Messages for the PIX Firewall Version 4.3 guide which is available online at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/syslog/

How Failover Occurs

When a failover occurs, each unit changes state. The newly Active unit assumes the IP and MAC addresses of the previously Active unit and begins accepting traffic. The new Standby unit assumes the failover IP and MAC addresses of the unit that was previously the Active unit. Because network devices see no change in these addresses, no ARP entries change or timeout anywhere on the network.

Note The active PIX Firewall does not maintain a copy of the connection state in the Standby unit. If the Active unit fails, network traffic must re-establish previous connections.

Syslog messages indicate whether the primary or secondary unit failed. Use the show failover command to verify which unit is active.

If you want to force a PIX Firewall to be active or go to standby you can use the failover active or no failover active command. Use this feature to force a PIX Firewall offline for maintenance or to return a failed unit to service.

Both PIX Firewall units in a failover pair must have the same configuration. To accomplish this, always enter configuration changes on the Active unit in a PIX Firewall failover configuration. Use the write memory command on the Active unit to save configuration changes to Flash memory (non-volatile memory) on both the active and Standby units. Changes made on the Standby unit are not replicated on the Active unit.

Synchronizing Configurations

Use the write standby command to manually save the configuration of the active failover unit to the standby failover unit from RAM to RAM. The Standby unit must not be configured individually. Commands entered on the Active unit are automatically replicated on the Standby unit. Only use the default configuration initially. You can force an update by using the write standby command on the Active unit. If you make changes to the Standby unit, it displays a warning but does not update the Active unit.

To save the configuration of the Active unit to Flash memory (permanent memory) on the Standby unit, use the write memory command on the Active unit. The write memory command results are replicated on the Standby unit.

Failover Cable

Both units in a failover pair communicate through the failover cable. The two units send special failover "hello" packets to each other over all network interfaces and the failover cable every 15 seconds. The failover feature in PIX Firewall monitors failover communication, the power status of the other unit, and hello packets received at each interface. If two consecutive hello packets are not received within a time determined by the failover feature, failover starts testing the interfaces to determine which unit has failed, and transfers active control to the Standby unit.

The Standby unit does not maintain the state information of each connection. This means that all active connections will be dropped when failover occurs. Client systems must reestablish connections. Additionally, no RIP information is available on the newly Active unit. The newly active PIX Firewall must wait for up to 30 seconds to learn the routing information from the network.

When a failover occurs, syslog messages are generated indicating what happened.

Failover works by passing control to the Standby unit should the Active unit fail. For Ethernet, failover detection should occur within 30 seconds. Token Ring requires additional time for failover.

The markings on the cable let you choose which PIX Firewall unit is primary and which is secondary. You need only connect the failover cable between the PIX Firewall units.

Directions for testing or constructing a failover cable are provided in the Quick Installation Guide for the PIX Firewall Version 4.3, which you can view online at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/pix43qig.htm

Upgrading from PIX Firewall Version 4.1 to Version 4.2

Step 1 Save the PIX Firewall version 4.1 configuration to a blank DOS-formatted diskette; and write-protect and label it.

Note

Step 2 If failover is running, enter the no failover active command at the Primary unit.

Step 3 Remove the failover and network cables from the Standby unit. Do not remove the console cable.

Step 4 Insert the PIX Firewall version 4.2 diskette into the Standby unit and use the reload command to reboot the unit.

Step 5 After the the Standby unit comes up, check the configuration and use the write memory command to store the configuration in flash memory.

Step 6 Plug in the failover and network cables into the Standby unit. Look for link lights on the network interface.

Step 7 On the Standby unit, enter the show interface command to ensure that traffic is moving through the PIX Firewall.

Step 8 Power off the Primary unit to force failover to the Standby unit.

Step 9 Enter the show conn command on the Standby unit to see if traffic is passing through the PIX Firewall.

Step 10 Disconnect the failover and network cables from the Primary unit which is now inactive.

Step 11 Insert the PIX Firewall version 4.2 diskette into the Primary unit.

Step 12 Check the configuration and use the write memory command to store the configuration in flash memory.

Step 13 Plug in the failover and network cables. Look for link lights on the network interface.

Step 14 On the Primary unit, use the failover active command to restart failover.

Step 15 Enter the show conn command on the Primary unit to see if traffic is passing through the PIX Firewall.

This completes the upgrade procedure.

Upgrading from PIX Firewall Version 4.2(1) to 4.3(2)

Step 1 Connect a separate console to the Primary unit and one to the Secondary unit.

Step 2 Insert the PIX Firewall version 4.2 diskette into the Primary unit. Enter the reload command at the Primary unit.

Step 3 As the Primary unit reboots, PIX Firewall prompts you to write the diskette to Flash memory. Before entering a reply, read the next three substeps and be ready to move quickly to complete them. When ready, enter y for yes to write the diskette to Flash memory.

(a) Immediately remove the diskette from the Primary unit and insert it into the Standby unit. Locate the reset button on the front of the Standby unit.

(b) When the PIX Firewall Cisco banner appears on the console, press the reset button on the Standby to load the new image.

Step 4 On the Primary unit, observe the link lights on the network interface to determine that the unit is receiving traffic. Once the Standby unit completes its startup, the two units replicate the configuration. During the replication, the Primary console will not receive input.

Step 5 On the Standby unit, use the show failover command to monitor progress. When both PIX Firewall units report Normal, the replication is done.

Step 6 On each unit, enter the write memory command to store the new images in Flash memory.

This completes the upgrade procedure.

Configuring Firewall Units for Failover

Note Always enter configuration changes on the Active unit. Configuration changes entered on the Standby unit are not saved to the Active unit.

The following guidelines apply to configuring failover on the Active unit:

The unit that has the cable end labeled "primary" becomes the default Primary unit.
Configure a failover IP address for each interface on the Active unit using the ip address command. From the Active unit, configure a failover IP address for each interface on the Standby unit using the failover ip address command.
Use the write standby command to save configuration change to the Standby unit. Saving the configuration changes to memory also saves the changes to Flash memory on the Standby unit.

Frequently Asked Failover Questions

This section contains some frequently asked questions about the failover feature. Additional questions relating to installation are provided in the Quick Installation Guide for the PIX Firewall Version 4.3.

What happens when failover is triggered?

: A switch can be initiated by either unit. When a switch takes place, each unit changes state. The newly Active unit assumes the IP address and MAC address of the previously Active unit and begins accepting traffic for it. The new Standby unit assumes the IP address and MAC address of the unit that was previously the Standby unit. The two units do not share connection states. Any active connections will be dropped when a failover switch occurs. The clients must re-establish the connections through the newly Active unit.

How is startup initialization accomplished between two units?

: When a unit boots up, it defaults to Failover Off and Secondary, unless the failover cable is present or failover has been saved in the configuration. The configuration from the Active unit is also copied to the Standby unit. If the cable is not present, the unit automatically becomes the Active unit. If the cable is present, the unit that has the primary end of the failover cable plugged into it becomes the Primary unit by default.

How can both units be configured the same without manually entering the configuration twice?

: Commands entered on the Active unit are automatically replicated on the Standby unit.

What happens if a Primary unit has a power failure?

: When the primary active PIX Firewall experiences a power failure, the standby PIX Firewall comes up in active mode. If the Primary unit is powered up again it will become the Standby unit.

What constitutes a failure?

Fault detection is based on the following:

Failover hello packets are received on each interface. If hello packets are not heard for two consecutive 15 second intervals, the interface will be tested to determine which unit is at fault.
Cable errors. The cable is wired so that each unit can distinguish between a power failure in the other unit, and an unplugged cable. If the Standby unit detects that the Active unit is powered down (or resets) it will take active control. If the cable is unplugged, a SYSLOG is generated but no switching occurs. An exception to this is at boot-up, at which point an unplugged cable will force the unit active. If both units are powered on without the failover cable installed they will both become active creating a duplicate IP address conflict on your network. The failover cable must be installed for failover to work correctly.
Failover communication. The two units share information every 15 seconds. If the Standby unit does not hear from the Active unit in two communication attempts (and the cable status is OK) the Standby unit will take over as active.

How long does it take to detect a failure?
- Network errors are detected within 30 seconds (two consecutive 15-second intervals).
- Power failure (and cable failure) is detected within 15 seconds.
- Failover communications errors are detected within 30 seconds (two consecutive 15-second intervals).
What maintenance is required?

: Syslog messages will be generated when any errors or switches occur. Evaluate the failed unit and fix or replace it.

Failover Interface Tests

If a failure is due to a condition other than a loss of power on the other unit, failover will begin a series of tests to determine which unit is failed. This series of tests will begin when hello messages are not heard for two consecutive 15-second intervals. Hello messages are sent over both network interfaces and the failover cable.

The purpose of these tests is to generate network traffic in order to determine which (if either) unit is failed. At the start of each test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, then go to the next test.

Note If the failover IP address has not been set, failover does not work and the Network Activity, ARP, and Broadcast ping tests are not performed.

Link Up/Down test---This is a test of the NIC card itself. If an interface card is not plugged into an operational network, it is considered failed (for example, the hub or switch is failed, has a failed port, or a cable is unplugged).
Network Activity test---This is a received network activity test. The unit will count all received packets for up to 5 seconds. If any packets are received at any time during this interval the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
ARP test---The ARP test consists of reading the unit's ARP cache for the 10 most recently acquired entries. One at a time the unit sends ARP requests to these machines attempting to stimulate network traffic. After each request the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.
Broadcast Ping test---The ping test consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval the interface is considered operational and testing stops. If no traffic is received the testing starts over again with the ARP test.

WebSENSE URL Filtering

If your network has a WebSENSE server on any network interface, you can provide URL filtering through the PIX Firewall.

To configure the PIX Firewall to use WebSENSE:

Step 1 Specify the interface and IP address of the WebSENSE server with the url-sever command as shown in this example:

url-server (dmz) host 192.168.1.42 timeout 10

In this example, the WebSENSE host is on the dmz interface at IP address 192.168.1.42. A timeout value of 10 seconds is specified as maximum allowed idle time before the PIX Firewall switches to the next WebSENSE server.

Step 2 Use the filter url http command to tell the PIX Firewall how to filter requests. For example, to filter requests for all hosts, use:

filter url http 0 0 0 0 allow

Note The allow option in the filter command is crucial to the use of PIX Firewall URL filtering feature. If you use the allow option and the WebSENSE server goes offline, the PIX Firewall lets all Web requests continue without filtering. If the allow option is not specified, all port 80 Web requests are stopped until the server is back online.

However, if you use the allow option, PIX Firewall does not roll over to a WebSENSE server when the first goes offline.

Step 3 If you want to disable URL filtering, use the no filter url command.

FTP and URL Logging

You can log FTP commands and WWW URLs when syslog is enabled. FTP and URL messages are logged at syslog level 7.

Refer to the section "Step 15 - Enable Syslog" in Chapter 2, "Configuring the PIX Firewall," for more information on how to view syslog messages on a server, console session, or via Telnet to the console.

Use the show fixup command to ensure that the fixup protocol commands for FTP and HTTP are present in the configuration:

fixup protocol http 80
fixup protocol ftp 21

These commands are in the default configuration.

The sections that follow provide sample output displays for each logging type.

Sample URL Log

The following is an example of a URL logging syslog message:

192.168.69.71 accessed URL 10.0.0.1/secrets.gif

Sample FTP Log

The following are examples of FTP logging syslog messages:

192.168.69.42 Retrieved 10.0.0.42:feathers.tar
192.168.42.54 Stored 10.0.42.69:privacy.zip

You can view these messages at the PIX Firewall console with the show logging command.

SNMP Traps

The snmp-server command causes the PIX Firewall to send SNMP traps so that the firewall can be monitored remotely. Use snmp-server host to specify which systems receive the SNMP traps.

An SNMP object ID (OID) for PIX Firewall now displays in SNMP event traps sent from the PIX Firewall. OID 1.3.6.1.4.1.9.1.227 was assigned as the PIX Firewall system object ID.

Note The PIX Firewall does not support browsing of the Cisco syslog MIB. The only MIBs you can browse are System and Interfaces.

Browsing a MIB is different from sending traps. Browsing means doing an snmpget or snmpwalk of the MIB tree from the management station to determine values. Traps are different; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, syslog event generated, and so on.

To send traps to an SNMP server:

Step 1 Identify the IP address of the SNMP server with the snmp-server host command.

Step 2 Set the snmp-server options for location, contact, and the community password as required.

Step 3 Set the logging level with the logging trap command; for example:

logging trap debugging

Cisco recommends that you use the debugging level during initial set up and during testing. Thereafter, set the level from debugging to a lower value for production use.

Step 4 Start sending syslog traps to the server with the logging on command.

The PIX Firewall SNMP MIB-II groups available are System and Interfaces.

All SNMP values are read only (RO).

Using SNMP, you can monitor system events on the PIX Firewall. SNMP events can be read, but information on the PIX Firewall cannot be changed with SNMP. The PIX Firewall SNMP traps available to an SNMP server are:

Link up and link down (cable on outside interface working or not working)
Warm and cold start
Syslog messages
Global access denied event sent via the Cisco Enterprise MIB

Use CiscoWorks for Windows (Product Number CWPC-2.0-WIN) or any other SNMP V1, MIB-II compliant browser to receive SNMP traps and browse a MIB. SNMP traps occur at UDP port 162.

Compiling Cisco Syslog Enterprise MIB Files

To receive security and failover SNMP traps from the PIX Firewall, compile the Cisco syslog MIB into your SNMP management application. If you do not compile the Cisco syslog MIB into your application, you only receive MIB-II traps for link up or down, and firewall cold and warm start.

You can get the Cisco MIB files on the Web from:

http://www.cisco.com/public/mibs/v2/CISCO-SYSLOG-MIB.my

To compile Cisco syslog Enterprise MIB files into your browser using CiscoWorks for Windows (SNMPc), complete the following steps:

Step 1 Get the Cisco syslog Enterprise MIB files.

Step 2 Start SNMPc.

Step 3 Select Config>Compile MIB.

Step 4 Scroll to the bottom of the list, and select the last entry.

Step 5 Click the Add button.

Step 6 Find the file CISCO-SMI.my and click OK.

Step 7 Scroll to the bottom of the list, and select the last entry.

Step 8 Click the Add button again.

Step 9 Find the file CISCO-syslog-MIB.my and click OK.

Step 10 Click Load All.

Step 11 If there are no errors, restart SNMPc.

These instructions are only for SNMPc (CiscoWorks for Windows).

Private Link

The link command creates an encrypted path between Private Link-equipped PIX Firewall units. You can specify up to seven encryption keys for data access between the local unit and the remote unit. The key-ID and key values must be the same on each side of the Private Link. Once you specify the same keys on both sides of the connection, the systems alert each other when a new key takes effect. You can use the age command to specify the number of minutes that a key is in effect.

Note After using the link command to add or delete link entries, use the write memory command to store the configuration, and then reboot the PIX Firewall.

Specify the link command once for each key you want to specify; for example, if you want seven keys, enter the link command in the configuration seven times.

The PIX Firewall Private Link consists of an encryption card and software that permits the PIX Firewall units to provide encrypted communications across an unsecure network such as the Internet.

The PIX Firewall allows up to 256 Private Links and up to 512 link paths.

At least two PIX Firewall units are required to use Private Link and each system must have the same hardware and software versions.

Private Link works by checking packets that arrive at the PIX Firewall inside interface. If a route link previously created by the linkpath command exists that matches the destination network address, the packet is encrypted and encapsulated in an AH/ESP frame. The frame has a destination address of the remote PIX Firewall and a source address of the local PIX Firewall. When the packet arrives at the remote PIX Firewall unit, the data in the packet is decrypted and then sent through the designated interface to the original IP address specified. No translation takes place on packets that traverse the PIX Firewall Private Link. The addressing and data remains completely unchanged.

If you use the link command to change the interface on which a Private Link tunnel terminates, you must reboot the PIX Firewall on which you made the change. For example, if the Private Link tunnel terminates on the perimeter interface of the foreign PIX Firewall and you change it to terminate on the inside interface of the foreign PIX Firewall, you must reboot the local PIX Firewall on which you changed the configuration.

You can manage remote PIX Firewall units through the Private Link interface.

You can use the linkpath 0.0.0.0 0.0.0.0 foreign_external_ip command to route all outbound traffic on a foreign PIX Firewall to a central PIX Firewall. However, this use has two caveats: there can be only one central PIX Firewall and the other PIX Firewall units must be satellites to it. This implies that the satellites only relay connections to the central and do not communicate among themselves. The second caveat is that the linkpath 0 0 command overrides the default route on the outside interface of the satellite PIX Firewall causing all outbound traffic to flow over Private Link to the central PIX Firewall unit. One use of this feature is when access to the Internet is controlled through one PIX Firewall and the other PIX Firewall units feed their Internet traffic to this one site. This could occur when a central processing facility wants to manage all the Internet IP addresses, let the internal networks use any IP numbering scheme, and have local PIX Firewall units protecting individual departments or sites.

Configuring Private Link

To configure a Private Link, refer to the example shown in Figure 3-1.

Figure 3-1: Example Private Link Network Diagram

Before configuring Private Link, you would initially configure the systems using the standard commands.

When you configure a Private Link, follow these steps:

Step 1 Agree on up to seven hexadecimal encryption keys for use between the PIX Firewall Private Link local and remote units; for example, one key could be like the hexadecimal value fadebacbeebeee. Be sure to select unique keys that are difficult to guess. The key can be up to 56 bits in length (14 hexadecimal digits). If you specify fewer than 14 digits, the key is padded with leading zeros.

Step 2 Use the link command to create an encrypted link for each key you want to specify.

Step 3 Use the linkpath command to specify the IP address of the network on the inside of the remote firewall.

Step 4 On PIX Firewall A, in Figure 3-1, enter these commands to configure the Private Link:

	link 192.168.37.1 1 fadebacfadebac
	link 192.168.37.1 2 bacfadefadebac
	link 192.168.37.1 3 baabaaafadebac
	link 192.168.37.1 4 beebeeefadebac
linkpath 10.3.0.0 255.255.255.0 192.168.37.1

Step 5 On PIX Firewall B, enter these commands:

	link 192.168.35.1 1 fadebacfadebac
	link 192.168.35.1 2 bacfadefadebac
	link 192.168.35.1 3 baabaaafadebac
	link 192.168.35.1 4 beebeeefadebac
linkpath 10.1.0.0 255.255.255.0 192.168.35.1

Note Use random keys, not the ones shown in this guide.

Step 6 Test the connection to each foreign PIX Firewall with the ping command.

Note You can ping the PIX Firewall interfaces on the foreign PIX Firewall unit. Use hosts on the network to ensure that PIX Firewall interfaces are reachable.

Step 7 After configuring the link and linkpath commands, if a ping inside command to the inside address of the remote PIX Firewall does not work, enter the show link command and look at packets in and out. If both are at 0 that means the link is up, but traffic is not being routed to the inside interface of the local PIX Firewall.

Step 8 Proceed to the router closest to the PIX Firewall on the inside, and look at the routing table. If there is not a route to the remote PIX Firewall network, add a static route, or turn RIP on at the PIX Firewall.

When you Telnet to the PIX Firewall, and perform a ping inside, the packet is not simply generated from the inside address of the PIX Firewall and forwarded across the bus to the outside address and out the encrypted tunnel. Instead the ICMP packet is placed on the inside network, picked up by the closest router, and retransmitted to the PIX Firewall, where it is then picked up, encrypted and sent across the link to the remote box.

Table of Contents

Advanced Configurations