June 1999
This document describes how to install and configure the Cisco PIX Firewall Manager for use with PIX Firewall software versions 4.3 and 4.4.
The PIX Firewall Manager (PFM) lets you administer one or more PIX Firewall units, view syslog messages, and define customized alarms for each type of syslog message. You can use the PIX Firewall Manager to view, add, and modify the configuration of each PIX Firewall unit.
This version of PIX Firewall Manager does not support use of the new version 4.4 features, but will work with features that are common to both versions. PIX Firewall Manager version 4.3(2)b does not support the following version 4.4(1) features:
1. AAA---show RADIUS server, show TACACS+ server, show AAA authentication, show AAA authorization, and show AAA accounting
2. FDDI network interface cards
3. ActiveX blocking
4. The timeout command's new half-closed option
If you are using version 4.4(1), features not supported by PIX Firewall Manager version 4.3(2)b can be set from the PIX Firewall command line interface.
PIX Firewall Manager software includes these components:
PIX Firewall Manager provides two access levels: user-level with read-only (non-modifying) access and administrator-level with read and write access.
Diskettes for installing PIX Firewall Manager are provided in the PIX Firewall accessory kit.
If you are upgrading from a previous version of PIX Firewall Manager software, refer to the Configuration Guide for the PIX Firewall Version 4.3, which is included with your PIX Firewall accessory kit. This document has instructions for downloading the latest software. If you are using PIX Firewall version 4.4(1), refer to the Configuration Guide for the PIX Firewall Version 4.4 for these instructions.
PIX Firewall Manager can be installed and uninstalled on Workstation and Server versions of Windows NT 4.0.
The following sections describe system requirements.
The Windows NT system on which you install the Management Server requires the following:
All PIX Firewall units managed by PIX Firewall Manager version 4.3(2)b must be running PIX Firewall software version 4.3(2), version 4.4(1) or later. To check the version of the PIX Firewall software, go to the PIX Firewall console and enter the show version command.
If you intend to manage PIX Firewall units on the outside network, each foreign unit must run Private Link and at least one firewall on the local network must also run Private Link. The local PIX Firewall must be configured to communicate with the foreign Private Link firewalls.
You must have console access to each local and foreign PIX Firewall you manage in order to perform the configuration required to run the PIX Firewall Manager. If you are managing remote firewalls, work with the site administrator to get the PIX Firewall to communicate with PIX Firewall Manager.
To configure each PIX Firewall unit from the Setup Wizard, follow the instructions in the Quick Installation Guide for the PIX Firewall Version 4.3. The PIX Firewall Setup Wizard is not available in version 4.4.
To configure each PIX Firewall unit from the command line, enter these commands at the PIX Firewall console:
Step 1 enable---to enter privileged mode. When prompted, enter the privileged mode password. The default is no password and you can press the Enter key at the prompt.
Step 2 configure terminal---to enter configuration mode.
Step 3 nameif---to specify the name or security level of the outside or optional third interface on the PIX Firewall. The inside interface cannot be renamed or given a different security level. Each security level must be a unique number between 0 and 99.
Step 4 interface---to set options for the Ethernet or Token Ring network interfaces.
Step 5 ip address---to assign IP addresses and network masks to each interface.
Step 6 telnet---to let the PIX Firewall communicate with the PIX Firewall Manager:
: Telnet for PIX Firewall Manager
telnet Windows_NT_IP_Address 255.255.255.255
Replace Windows_NT_IP_Address with the IP address of the Windows NT system.
Add the comment before the telnet statement to ensure that the next person configuring the firewall knows the purpose of this telnet statement.
Step 7 link and linkpath---if you are managing remote PIX Firewall units, configure each for Private Link access. Refer to Chapter 2, "Configuring the PIX Firewall," in the Configuration Guide for the PIX Firewall Version 4.3 for information on configuring Private Link, and Chapter 5, "Command Reference," to view the link command page for more information. If you are using PIX Firewall version 4.4(1), refer to the Configuration Guide for the PIX Firewall Version 4.4 for this information.
Step 8 write memory---save the configuration in Flash memory.
All commands are described in the Configuration Guide for the PIX Firewall Version 4.3 supplied in your PIX Firewall accessory kit. If you are using PIX Firewall version 4.4(1), refer to the Configuration Guide for the PIX Firewall Version 4.4 for this information.
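The telnet statement in Step 6 is what admits the Management Server to the PIX Firewall, and the 255.255.255.255 mask is what confines that access to the single Windows NT host. The following audit script is an added example (not Cisco code and not part of PIX Firewall Manager); it reads a PIX-style configuration, lists every telnet entry, counts how many source hosts each mask admits, and notes whether the explanatory ":" comment precedes it. The sample configuration and its addresses are constructed for the example.

```python
"""Audit the telnet access entries of a PIX Firewall configuration.

Added example, not Cisco's documentation or software.  The property it
checks is the one the procedure above relies on: the telnet statement
that admits the Management Server should name one host (mask
255.255.255.255) and should be preceded by a ':' comment line.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample configuration; addresses are illustrative only.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.42.1 255.255.255.0
: Telnet for PIX Firewall Manager
telnet 192.168.42.42 255.255.255.255
telnet 192.168.42.0 255.255.255.0
telnet 10.0.0.0 255.0.0.0
"""

# PIX 4.x syntax: telnet <ip_address> [<netmask>]
TELNET_RE = re.compile(r"^telnet\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class TelnetFinding:
    line_no: int
    address: str
    mask: str
    host_count: int   # number of source addresses this entry admits
    commented: bool   # a ':' comment line immediately precedes it


def audit_telnet_entries(config_text: str):
    """Return one TelnetFinding per telnet statement, in file order."""
    findings = []
    previous = ""
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = TELNET_RE.match(line)
        if m:
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            findings.append(TelnetFinding(line_no, addr, mask,
                                          net.num_addresses,
                                          previous.startswith(":")))
        previous = line
    return findings


def broad_entries(config_text: str, max_hosts: int = 1):
    """Entries that admit more than max_hosts sources (default: not a /32)."""
    return [f for f in audit_telnet_entries(config_text)
            if f.host_count > max_hosts]


if __name__ == "__main__":
    for f in audit_telnet_entries(SAMPLE_CONFIG):
        flag = "" if f.host_count == 1 else "  <-- admits %d hosts" % f.host_count
        print(f"line {f.line_no}: telnet {f.address} {f.mask}"
              f" comment={'yes' if f.commented else 'no'}{flag}")
```

Run against a saved `write terminal` listing, the report shows at a glance which telnet entries are wider than the single management host the procedure intends, and which ones lack the comment that tells the next administrator why the entry exists.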
The Management Server has the following requirements:
Step 1 Place the sound file on the Windows NT system running the Management Server in the JClient\Netscape subdirectory of the Management Server's target directory.
Step 2 Click the Management Client's Setting tab to modify the audio filename.
The Management Client has the following requirements:
The system running the browser must use Windows 95, Windows NT 4.0 Workstation, Windows NT 4.0 Server, or Solaris. On Windows 95 or Windows NT 4.0, 32 MB RAM is highly recommended.
The PIX Firewall Manager provides the following features:
Refer to the Configuration Guide for the PIX Firewall Version 4.3 for detailed information about PIX Firewall system features. If you are using PIX Firewall version 4.4(1), refer to the Configuration Guide for the PIX Firewall Version 4.4 for this information.
1. Each PIX Firewall you wish to manage must be running PIX Firewall version 4.3(2), 4.4(1), or later.
2. Each PIX Firewall you manage must have previously been configured with the PIX Firewall telnet command or PIX Firewall Setup Wizard to permit access to the PIX Firewall from the PIX Firewall Manager's Management Server. PIX Firewall Setup Wizard is not available in version 4.4.
3. A PIX Firewall Syslog Server (PFSS) is available for logging PIX Firewall event information on a Windows NT system. PFSS provides logging features not available with the PIX Firewall Manager (PFM), such as using TCP for highly reliable message delivery and control. PFM has features not available with PFSS, such as generating reports from syslog information.
4. The Windows NT computer running the PIX Firewall Manager Management Client (graphical user interface) must have a network browser that is Java 1.02 compliant. Refer to "Management Client Requirements" for more information.
5. Selecting a menu item (or screen) is indicated by the following convention:
Select screen1>screen2>screen3.
6. The initial PIX Firewall Manager password is set to expire after 42 days. Refer to "Changing Passwords" for more information.
7. PIX Firewall Manager Version 4.3(2)b encrypts all communication with the PIX Firewall software version 4.3(2) or 4.4(1). Managing PIX Firewall units running earlier software versions is not supported.
8. After installation and setup, if you change the IP address of the Windows NT system, you need to update the FIREWALL.HTML file installed on the system. The file is in the JClient\Netscape subdirectory on the Management Server's target directory. In the FIREWALL.HTML file, swap the old IP address with the current IP address, which is only visible from the inside network.
Interface entries can be specified as either IP addresses or domain names; however, you must remember to log on to the management server using the exact entry listed in the FIREWALL.HTML file or an IP address security violation error message can appear. This message indicates the Management Server could not locate the interface specified in the FIREWALL.HTML file, having tried the possible interfaces on the Windows NT computer running the Management Server.
The sections that follow describe other installation topics.
Before installing PIX Firewall Manager, you need to know the following:
Step 1 Select Start>Settings>Control Panel.
Step 2 Double-click the Network icon.
Step 3 Click the Protocols tab and select TCP/IP Protocols>Properties.
Step 4 When the Microsoft TCP/IP Properties dialog box opens, click the IP Address tab. The IP address appears on the lower part of this tab.
Step 5 If the Obtain an IP address from a DHCP server item is checked, click it to disable it. Then click Specify an IP address and enter an IP address, subnet mask, and default gateway IP address for this system.
During installation, if a previous version of the PIX Firewall Manager is found, the installation program replaces the old version with the new. To install PIX Firewall Manager:
Step 1 If you used the PIX Firewall Setup Wizard to configure the PIX Firewall with the IP address and network mask of the Windows NT computer running the PIX Firewall Manager, skip to Step 2. If you have not set up the IP address for the Windows NT computer, verify network connectivity before starting by following these steps:
(a) From each PIX Firewall you intend to manage, ping the Windows NT system. Use the PIX Firewall ping inside command. The ping is successful if the "response received" message appears. If the ping is unsuccessful, verify the IP address of the Windows NT system and check the network cabling. For example, if the Windows NT system has an IP address of 192.168.42.42, you would use the following commands from the PIX Firewall to enter privileged mode and run the ping command:
enable
Password: (press Enter)
ping inside 192.168.42.42
(b) From the Windows NT system, ping the inside interface of each PIX Firewall. To ping from Windows NT, click the Start menu. Then choose the Run... item and enter the ping command, or select Programs>Command Prompt and enter the command there. The ping is successful if the "Reply from" message appears. If the ping is unsuccessful, verify the IP address of the inside interface of the PIX Firewall and check the network cabling. For example, if a PIX Firewall has an inside IP address of 192.168.42.54, you would enter this command:
ping 192.168.42.54
(c) From the Windows NT system, establish a Telnet session with each target PIX Firewall. The Telnet is successful if the "PIX password" prompt appears. The default password is cisco. Enter the password to receive access to the PIX Firewall command prompt. If the Telnet is unsuccessful, go to the PIX Firewall console and use the show telnet command to ensure that the configuration has a telnet command entry for the IP address of the Windows NT system. Refer to "PIX Firewall Requirements" for information on how to enter the PIX Firewall console commands to get to configuration mode, give Telnet access, and store the configuration in Flash memory. For example, if a PIX Firewall has an IP address of 192.168.42.54, enter these commands to access configuration mode, let administrators start Telnet sessions with the PIX Firewall console, and store the configuration in Flash memory:
enable
Password: (press Enter)
configure terminal
: Created for PIX Firewall Manager
telnet 192.168.42.54
write memory
Step 2 Exit all Windows programs.
Step 3 Log in to the Windows NT system as Administrator or as any user who is a member of the Administrator group or who has Windows NT Administrator privileges.
Step 4 From the Windows NT system, insert the first PIX Firewall Manager diskette in the diskette drive. You can install the software:
Step 5 Once the installation program starts, you are prompted with a series of dialog boxes. You can simply click Next and the installation will proceed without interruption. Alternately, you can designate an installation directory other than the default.
Step 6 During the installation you are prompted for a port number for the PIX Firewall Manager's built-in web server; use the default, 8080, unless that port is in use already. Any port between 1025 and 64000 can be entered as an alternative. To pick another port, view ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers to find the ports in use.
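The port chosen in Step 6 has to satisfy two conditions: it must fall in the 1025 to 64000 range, and nothing on the Windows NT host may already be listening on it. The following pre-installation check is an added example, not part of the PIX Firewall Manager installer; it tests the range rule and then tries to bind the port to see whether it is free. The fallback ports are an assumption of the example.

```python
"""Pre-installation check for the Management Server's web-server port.

Added example; not Cisco's installer code.  It applies the two rules the
installation step gives: the port lies between 1025 and 64000, and it is
not already in use (tested by attempting to bind it).
"""
import socket

PORT_MIN, PORT_MAX = 1025, 64000
DEFAULT_PORT = 8080                 # the installer's default


def port_in_allowed_range(port: int) -> bool:
    return PORT_MIN <= port <= PORT_MAX


def port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """True if a TCP bind on host:port fails, i.e. a listener holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
        return False


def choose_server_port(preferred: int = DEFAULT_PORT,
                       fallbacks=(8081, 8082, 8088)):
    """First candidate that is both in range and free, or None."""
    for port in (preferred, *fallbacks):   # fallback list is an assumption
        if port_in_allowed_range(port) and not port_in_use(port):
            return port
    return None


if __name__ == "__main__":
    chosen = choose_server_port()
    print("no candidate port is usable" if chosen is None
          else f"use port {chosen} for the Management Server web server")
```

Run this on the host before starting the installer; if it reports a port other than 8080, enter that port at the Step 6 prompt and use it in the http://IP_address:port URL when starting the Management Client.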
The installation program then copies its files and prompts you to insert the second diskette. Insert the diskette and the remaining files are copied.
Step 7 At the last dialog box, click Finish. The Management Server starts automatically.
Step 8 To check whether the Management Server is running, select Start>Settings>Control Panel and double-click the Services icon. Look for the "PIX Firewall Management Server" service name. A server is running if its status appears as Started. If the status field is blank, you may run the server by selecting its name and then clicking Start. If you need to stop the Management Server, refer to the instructions for doing so in "Management Client Requirements."
Step 9 After the software setup completes, change the default passwords of the pixadmin and pixuser users with the Windows NT User Manager program described in the following section, "Changing Passwords."
To change passwords for the pixadmin and pixuser default usernames:
Step 1 Select Start>Programs>Administrative Tools (Common)>User Manager. If your Windows NT system is a domain controller, select User Manager for Domains.
Step 2 When the User Manager starts, locate the two users, pixadmin and pixuser in the Username section of the screen.
Step 3 Select the pixadmin username and select User>Properties.
Step 4 In the User Properties dialog box, enter the new password in the Password and Confirm Password fields.
Step 5 In the User Properties dialog box, check Password Never Expires to prevent the password from expiring. If the box is not checked, the password expires after the number of days set in the Account Policy Maximum Password Age configured in the Windows NT system. The default value set during Windows NT system installation is 42 days. Click OK to exit.
Step 6 Select the pixuser username and select User>Properties. Enter the new password in the Password and Confirm Password fields.
Step 7 In the User Properties dialog box, check Password Never Expires to prevent the password from expiring.
Step 8 Click OK to exit and select User>Exit to leave the User Manager.
You can specify which users can access the Management Client by creating user accounts on the Windows NT system on which PIX Firewall Manager is installed and giving the user either PIX Firewall Manager administrative or read-only access privileges. When the Management Client starts, users enter their login ID and password and, if accepted, they can then run PIX Firewall Manager.
To limit access to the Management Client:
Step 1 Start the User Manager as described in Step 1 in the preceding section, "Changing Passwords." The User Manager dialog box appears. If you want to authorize access for users who already have accounts on the Windows NT system, proceed to Step 2. To add new users to the Windows NT system, select User>New User. Specify the information for the user including the user's login name, full name, and password.
Step 2 To give a user access to the Management Client, locate the Groups area at the bottom of the User Manager dialog box.
Step 3 From the Groups area, if you want users to be able to change PIX Firewall settings, double-click PIX Admins. If you want users only to have read access and no change privileges, double-click PIX Users. The Local Group Properties dialog box then appears.
Step 4 Click Add to add an existing user to the selected group. The Add Users and Groups dialog box appears.
Step 5 From the Names field, select the name of the user you wish to add, click Add, and then click OK to complete adding this user. Control returns to the Local Group Properties dialog box where you can continue adding users. To exit back to the User Manager dialog box, click OK. Then exit User Manager by clicking OK.
To start the Management Client, restart the network browser, disable proxies, and then access the Management Client:
Step 1 Choose the Network Preferences option from the Options menu.
Step 2 Click the Proxies tab, check the No Proxies option, and click OK.
Step 3 Choose the Open Location option from the File menu, enter ^L, or click Open, and enter the following:
http://IP_address:port
where IP_address is the system running PIX Firewall Manager Server, and port is the Management Server's web server port that you defined in "Installation Notes."
Step 1 Choose the Preferences... item from the Edit menu. A dialog box appears.
Step 2 In the hierarchy display at the left, double-click the Advanced item. (In Solaris, click the arrow beside Advanced.) The hierarchy expands to display additional choices.
Step 3 Click the Proxies item from the expanded hierarchy list.
Step 4 Check the Direct connection to the Internet option, and click OK.
Step 5 Choose the Open Location option from the File menu, enter ^L, or click Open, and enter the following:
http://IP_address:port
where IP_address is the system running PIX Firewall Manager Server, and port is the Management Server's web server port that you defined in "Installation Notes."
Step 1 Choose the Internet Options... item from the View menu.
Step 2 Click the Connections tab.
Step 3 In the Proxies Server group box, disable the Access the Internet using a proxy server option.
Step 4 Return to the main menu and enter the following:
http://IP_address:port
where IP_address is the system running PIX Firewall Manager Server, and port is the Management Server's web server port that you defined in "Installation Notes."
You can view the Management Client applet with any network browser described in "Management Client Requirements."
Step 1 After you have disabled browser proxies as described in "Starting the Management Client" and started the Management Client, the home page appears.
Step 2 You can generate reports using Microsoft Excel 97 by following the instructions on the home page.
Step 3 Select Run Management Client.
Step 4 After the Management Client is loaded, you are then prompted for a username and password. For the username, enter pixadmin for read-write access, or pixuser for read-only access. Enter either the default password, cisco, or the new password entered in "Installation Notes."
You can also use any username that is in either the PIX Admins or PIX Users group. When you complete entering a username and password, click OK. The Management Client then opens after it loads into memory.
Step 5 If you need to restart the applet, you can click the browser's Reload button.
After you enter your login credentials, the Management Client window appears.
Step 1 To view or modify the PIX Firewall configuration, go to the Main Tree window on the left side of the Management Client window and double-click a PIX Firewall folder. If the Main Tree window is empty, click Add A PIX Firewall in the Contents window to add PIX Firewall units to the Main Tree. Click the Reload Configuration button in the Contents window to get the most current configuration.
The areas of the Management Client window are as follows:
Step 2 Double-click the configuration option you want from the folder in the Main Tree. The folder then opens into a series of subfolders or files for each configuration feature. The Contents area displays information about each configuration feature. Use the button selections to get help information, view current configuration information, or change configuration settings.
Step 3 To ensure that the firewall can reload the new configuration after reboot, save the configuration in the firewall's Flash memory by clicking the Save to Flash Mem of PIX button. To back up the configuration to a diskette, follow these steps:
(a) Place an IBM-formatted diskette in the PIX Firewall's drive.
(b) In the PIX Firewall Manager's Main Tree window, click the PIX Firewall folder's Administration folder.
(c) Select Save/Erase Config, and click to Floppy.
To stop the Management Client, stop the network browser on which it runs.
If you need to stop the Management Server:
Step 1 Select Start>Settings>Control Panel>Services.
Step 2 When the Services dialog box opens, select the PIX Firewall Management Server item from the Service list. You can stop this service by clicking the Stop button.
The PIX Firewall generates syslog messages for system events, such as security alerts and resource depletion. Syslog messages are stored in log files and can be used to create alerts and reports.
The PIX Firewall Manager provides two ways to view syslog connection information: using the PIX Firewall Management Client graphical user interface, or using a Microsoft Excel macro and data files provided for Microsoft Excel 97. Options for printing reports are available only using Microsoft Excel 97. This section includes the following topics:
Prior to using the Alarm and Report features, you must configure each PIX Firewall to generate syslog messages and send them to a syslog server host, one of which can be the host running the PIX Firewall Manager. The syslog server in the PIX Firewall Manager listens for messages from the PIX Firewall on UDP port 514. Messages are stored in daily log files on the Windows NT computer running the PIX Firewall Manager. The PFM uses the information in the daily log files to generate reports. To configure each PIX Firewall unit from the Management Client, select Administrator>SYSLOG to view options for configuring syslog host and message information.
To view syslog reports from the PIX Firewall Management Client, follow the instructions for "Navigating the Management Client." From the Management Client, click the Alarm and Report tab to view options for generating reports.
Cannot open the corresponding DBF file
The PIX Firewall Manager saves syslog information in daily log files. For example, PIX Firewall connection information for Monday is saved in the monday.log file. The log files are located in \PIX Firewall Manager\protect\<weekday>.log on the Windows NT computer.
Log files are retained for one week, allowing a separate log file for each day of the week. After one week, daily log files are overwritten, starting with the daily file that was created first. For example, if log files were first started on Monday, the Monday log file will be overwritten in seven days. This also means that you can access a six-day archive of log information for a given day.
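To make the storage rules above concrete, here is an added example (not Cisco's code) of a minimal syslog receiver that models them: datagrams are accepted on UDP port 514, the <PRI> prefix is split into facility and severity, and each message is appended to a file named after the weekday on which it arrived. A file last written on an earlier date is treated as the week-old copy and is overwritten, which is what gives the six-day archive described above. The sample datagram is constructed; the PIX message text in it is illustrative only.

```python
"""Minimal model of the Management Server's daily syslog store.

Added example, not Cisco's code.  Behaviours modelled from the text:
UDP port 514, one <weekday>.log file per day, and overwriting a file
the next time its weekday comes round (one week later).
"""
import datetime as dt
import os
import re
import socket

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog_datagram(data: bytes):
    """Split a BSD syslog datagram into facility, severity and text."""
    m = PRI_RE.match(data.decode("ascii", errors="replace"))
    if not m:
        return None                    # no <PRI> prefix: not syslog
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "text": m.group(2).strip()}


def weekday_log_name(when: dt.datetime) -> str:
    return WEEKDAYS[when.weekday()] + ".log"


class WeekdayLogStore:
    """Appends to <weekday>.log; starts the file afresh on a new date."""

    def __init__(self, directory: str):
        self.directory = directory
        self._last_date = {}           # file name -> date last written

    def append(self, message: str, when: dt.datetime) -> str:
        name = weekday_log_name(when)
        path = os.path.join(self.directory, name)
        # Same date as the last write: keep appending.  Otherwise the file
        # holds last week's messages for this weekday and is overwritten.
        mode = "a" if self._last_date.get(name) == when.date() else "w"
        with open(path, mode, encoding="ascii") as fh:
            fh.write(f"{when.isoformat()} {message}\n")
        self._last_date[name] = when.date()
        return path


def receive_forever(store: WeekdayLogStore, bind_addr=("0.0.0.0", 514)):
    """Blocking UDP receive loop (binding port 514 needs privilege)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind_addr)
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            parsed = parse_syslog_datagram(data)
            if parsed:
                store.append(f"{src} sev={parsed['severity']} {parsed['text']}",
                             dt.datetime.now())


# Constructed sample datagram; facility 20 (local4), severity 6.
SAMPLE_DATAGRAM = b"<166>%PIX-6-302001: Built inbound TCP connection"
```

The overwrite decision is keyed on the date of the last write, not on file age, so a Management Server that is stopped for more than a week still discards the stale copy on the next write rather than appending to it.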
Problems generating syslog reports can mean that one or both of the configuration settings for the syslog host or message type are not correct, or that data is not reaching the syslog host. If you have problems displaying syslog report information, or you receive a "Database Empty" error message, check the following items:
If syslog reports display both host names and IP addresses, verify that the Windows NT system running the Management Server is able to resolve host names. The PIX Firewall Manager attempts to resolve IP addresses with host names when the Management Server receives syslog messages. If it finds a host name for an IP address, the address and host name pair is stored in a database on the Management Server. This database is used to create SYSLOG reports. If the Management Server is unable to resolve the IP address with a host name within 15 seconds, only the IP address is logged in the database. As a result, SYSLOG reports might include both host names and IP addresses.
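The behaviour just described, a reverse lookup that is abandoned after 15 seconds so that only the address is recorded, is easy to get wrong: a blocking lookup stalls the receiver for every unresolvable address. The following added example (not Cisco's code) shows one way to bound the lookup. The resolver is injected so the logic can be exercised offline with a constructed address table; the cache of address/host name pairs stands in for the database mentioned above.

```python
"""Reverse name resolution with a hard timeout and a result cache.

Added example, not Cisco's code.  A lookup that answers within the limit
yields the host name; a slow or failing lookup yields None so the report
shows the bare address, as the Management Server does after 15 seconds.
"""
import concurrent.futures
import socket

RESOLVE_TIMEOUT_SECONDS = 15


def reverse_lookup(ip: str) -> str:
    """Real resolver: PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


class HostNameCache:
    def __init__(self, resolver=reverse_lookup,
                 timeout: float = RESOLVE_TIMEOUT_SECONDS):
        self._resolver = resolver
        self._timeout = timeout
        self._names = {}               # ip -> host name, or None if unresolved
        self._pool = concurrent.futures.ThreadPoolExecutor(max_workers=4)

    def lookup(self, ip: str):
        if ip in self._names:
            return self._names[ip]
        future = self._pool.submit(self._resolver, ip)
        try:
            name = future.result(timeout=self._timeout)
        except (concurrent.futures.TimeoutError, OSError):
            name = None                # slow or no PTR record: address only
        self._names[ip] = name
        return name

    def label(self, ip: str) -> str:
        """Report column: 'host (ip)' when resolved, the bare ip otherwise."""
        name = self.lookup(ip)
        return f"{name} ({ip})" if name else ip


if __name__ == "__main__":
    cache = HostNameCache()
    for addr in ("127.0.0.1", "192.0.2.1"):     # 192.0.2.0/24 is documentation space
        print(cache.label(addr))
```

Because unresolved addresses are cached as None, the 15-second wait is paid once per address rather than once per message; clear the cache if host names change while the server is running.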
1. PIX Firewall Manager cannot be installed or uninstalled under Windows NT domain administration logins. If you attempt to install PIX Firewall Manager on this type of login, the following message appears:
You are not authorized to run this installer. Terminating...
2. When installing the PIX Firewall Manager on a backup domain controller, be sure that the backup domain controller has connectivity with the primary domain controller. If connectivity is lost between the backup domain controller and the primary domain controller, the following message appears:
Could not find the domain controller for the domain.
3. PIX Firewall Manager does not support the following PIX Firewall commands. To view, add, or change these configuration features, use the PIX Firewall's console port or start a Telnet session to access the PIX Firewall.
4. The following configuration features can be viewed on the Management Client but must be added or changed at the PIX Firewall's console port or Telnet session:
5. ICMP protocol services, such as ping, are initially blocked in both directions by the PIX Firewall and require a conduit configuration. To configure a conduit, select Inbound>Static>Conduit.
If a help topic is not available, information on the topic can be found in the Configuration Guide for the PIX Firewall Version 4.3. Also view the Release Notes for the PIX Firewall Version 4.3. If you are using PIX Firewall version 4.4(1), refer to the Configuration Guide for the PIX Firewall Version 4.4 for this information.
1. When a Management Client is running, only the following configuration changes to the PIX Firewall units made through the console or Telnet sessions are reflected in the client applet: conduit, static, global, nat, outbound, apply, and alias. To view the updated configuration for any other PIX commands modified via the console or Telnet sessions, click a PIX Firewall folder, then click the Reload Configuration button.
2. If a client is already connected to a Management Server and a second client on the same machine tries to connect to the same Management Server, then the first client will be disconnected and the second client will be connected.
3. All members in the PIX Admins group have read and write access, and all members in the PIX Users group have read-only access and cannot change PIX Firewall configurations. Usernames that do not belong to one of these two groups cannot use the Management Client applet.
4. When accessing the Management Server from the Management Client, do not use the loopback address (127.0.0.1) in the URL. Using the loopback address causes an "I/O Exception" error on all online help and description pages. Refer to "Starting the Management Client" for more information on using the Management Client.
5. If you change the PIX Firewall enable password in Administrator>Administration>Password, wait for confirmation of password change prior to entering additional commands. If you enter an invalid password, confirmation of the change can take several minutes while the server tries to validate the entry. In the case of an invalid password, additional commands can appear to hang until the server returns confirmation that the change was unsuccessful.
6. Initially, no syslog setting information displays in the Administration>SYSLOG panel. Press the Refresh button to display the current information. Syslog information in the daily syslog file is now saved every 10 minutes by default. You can change the time interval for saving syslog information by setting the value in the SYSLOG Notification Settings tab.
7. You can specify that syslog messages be marked with the current time. To configure each PIX Firewall unit with the timestamp option, select Administrator>SYSLOG, set the logging type to Timestamp and set the status to Enable.
If you have problems installing or using the PIX Firewall Manager, check the following items:
A version of the PIX Firewall SYSLOG SERVER is detected on this machine. You must uninstall PIX Firewall SYSLOG SERVER before installing the PIX Firewall Manager.
Step 1 Select Start>Settings>Control Panel>Services on the Windows NT computer.
Step 2 Scroll through the services to locate the PIX Firewall Manager Server.
Step 3 Double-click PIX Firewall Manager Server, which displays the Service dialog box.
Step 4 In the Service dialog box, check Allow Service to Interact with Desktop and click OK.
Step 5 In the Services dialog box, click Stop to halt the PIX Firewall Manager Server; then click Start to restart the service.
Step 6 Start the PIX Firewall Manager. Errors generated by the application appear in the PIX Management dialog box.
Copy the error messages in the dialog boxes and use Cisco Connection Online (CCO) for additional support.
\Program Files\Cisco\PIX Firewall\jclient\netscape\firewall
Use this document in conjunction with the following PIX Firewall documents.
You can view these documents online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v43/index.htm
You can view these documents online at:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/index.htm
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Sat Dec 11 20:31:44 PST 1999
Copyright © 1989-1999 Cisco Systems Inc.