
Release Notes for the PIX Firewall Manager Version 4.3(2)f

September 2000

Contents

This document includes the following sections:

Introduction

The PIX Firewall Manager (PFM) lets you administer one or more PIX Firewall units, view syslog messages, and define customized alarms for each type of syslog message. You can use PFM to view, add, and modify the configuration of each PIX Firewall unit.

This version of PFM supports a subset of the PIX Firewall command set. Features in PIX Firewall version 4.3(2) are supported, but no new features are supported from versions 4.4, 5.0, 5.1, or 5.2. Refer to the respective PIX Firewall release notes for information on the new features in those releases that are not supported by PFM. PIX Firewall documentation is available online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm.


Note   If you have a problem with PFM, copy the pfm.log file immediately after a problem occurs so you can send the copy of pfm.log to Cisco's Technical Assistance Center (TAC).

Refer to "New Software Features in Version 4.3(2)f" for information on version 4.3(2)f.


Note   PFM provides support for only four interfaces, not the six supported by versions 4.4, 5.0, and 5.1, or the eight supported by version 5.2.


Note   PFM cannot be installed on a system or in the same network in which the PIX Firewall Syslog Server (PFSS) is installed.

Components

PFM software includes these components:

PFM provides two access levels: user-level with read-only (non-modifying) access and administrator-level with read and write access.

Diskettes for installing PFM are provided in the PIX Firewall accessory kit.

If you are upgrading from a previous version of PFM software, refer to the documentation supplied with the PIX Firewall for configuration information.

PFM can be installed and uninstalled on Workstation and Server versions of Windows NT 4.0.

System Requirements

This section includes the following topics:

Windows NT Requirements

The Windows NT system on which you install the Management Server requires the following:

PIX Firewall Requirements


Note   Each PIX Firewall you manage must have been configured with the PIX Firewall telnet command or the PIX Firewall Setup Wizard to permit the Management Server to access the PIX Firewall. The PIX Firewall Setup Wizard is not available in version 4.4.

All PIX Firewall units managed by PFM must be running PIX Firewall software version 4.3(2), 4.4, 5.0, 5.1, 5.2, or later. To check the version of the PIX Firewall software, go to the PIX Firewall console and enter the show version command.

If you intend to manage PIX Firewall units on the outside network, each foreign unit must run Private Link and at least one firewall on the local network must also run Private Link. The local PIX Firewall must be configured to communicate with the foreign Private Link firewalls.

You must have console access to each local and foreign PIX Firewall you manage in order to perform the configuration required to run PFM. If you are managing remote firewalls, work with the site administrator to get the PIX Firewall to communicate with PFM.

To configure each PIX Firewall unit from the Setup Wizard, follow the instructions in the Installation Guide for the Cisco Secure PIX Firewall Version 5.2.

Follow these steps to configure each PIX Firewall unit from the command line at the PIX Firewall console:


Step 1   enable—to enter privileged mode. When prompted, enter the privileged mode password. The default is no password and you can press the Enter key at the prompt.

Step 2   configure terminal—to enter configuration mode.

Step 3   nameif—to specify the name and security level of the outside interface and of any optional perimeter interface on the PIX Firewall. The inside interface cannot be renamed or given a different security level. Each security level must be a unique number between 0 and 99.

Step 4   interface—to set options for the Ethernet or Token Ring network interfaces.

Step 5   ip address—to assign IP addresses and network masks to each interface.

Step 6   telnet—to let the PIX Firewall communicate with PFM:

    : Telnet for PIX Firewall Manager
    telnet Windows_NT_IP_Address 255.255.255.255

Replace Windows_NT_IP_Address with the IP address of the Windows NT system.

Add the comment before the telnet statement to ensure that the next person configuring the firewall knows the purpose of this telnet statement.

Step 7   link and linkpath—if you are managing remote PIX Firewall units, configure each for Private Link access. This feature is available through version 4.4 but was removed in version 5.0.

Step 8   write memory—save the configuration in Flash memory.
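The telnet statement in Step 6 is the only thing that lets the Management Server reach a unit, so it is worth confirming that it names exactly one host and nothing wider. The following Python script is an added example written for these notes; it is not part of PFM or the PIX software. It lints the telnet statements in a saved PIX configuration against a list of known management hosts. It assumes the PIX 4.x/5.x syntax telnet ip_address [netmask], with an omitted netmask meaning 255.255.255.255, treats lines beginning with ':' as comments, and works on a constructed sample configuration.

```python
"""Lint the telnet (management access) statements in a saved PIX Firewall
configuration. Added example for these release notes; not PFM or PIX code.

Assumed syntax (PIX 4.x/5.x, as used in the notes):
    : comment
    telnet ip_address [netmask]
An omitted netmask is taken to mean 255.255.255.255 (one host). A trailing
interface-name argument, as accepted by later releases, is tolerated and ignored.
"""
import ipaddress
import re

# Constructed sample configuration: one properly scoped entry for the Windows NT
# host running the Management Server, plus two entries a reviewer should flag.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.42.1 255.255.255.0
: Telnet for PIX Firewall Manager
telnet 192.168.42.54 255.255.255.255
telnet 192.168.42.0 255.255.255.0
telnet 0.0.0.0 0.0.0.0
write memory
"""

TELNET_RE = re.compile(
    r"^telnet\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?(?:\s+(\S+))?\s*$"
)


def parse_telnet_statements(config_text):
    """Return a list of (IPv4Network, preceded_by_comment) for each telnet line.

    Comment lines start with ':' in a PIX configuration; the notes recommend
    putting one immediately before the PFM telnet statement.
    """
    statements = []
    previous_was_comment = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            previous_was_comment = True
            continue
        m = TELNET_RE.match(line)
        if m:
            address, mask, _if_name = m.groups()
            mask = mask or "255.255.255.255"  # PIX default when the mask is omitted
            network = ipaddress.IPv4Network((address, mask), strict=False)
            statements.append((network, previous_was_comment))
        previous_was_comment = False
    return statements


def lint_telnet_access(config_text, management_hosts):
    """Return human-readable findings for the telnet statements in config_text.

    management_hosts: addresses that legitimately need telnet access (here, the
    Windows NT system running the PFM Management Server). Anything wider than a
    single host, or a host outside that set, is reported; a permitted host with
    no explanatory comment is reported as well.
    """
    allowed = {ipaddress.IPv4Address(h) for h in management_hosts}
    findings = []
    statements = parse_telnet_statements(config_text)
    if not statements:
        findings.append("no telnet statement: the Management Server cannot reach this unit")
    for network, commented in statements:
        if network.prefixlen < 32:
            findings.append(
                f"telnet {network} permits {network.num_addresses} hosts; "
                "restrict to the management host"
            )
        elif network.network_address not in allowed:
            findings.append(f"telnet {network.network_address} is not a known management host")
        elif not commented:
            findings.append(
                f"telnet {network.network_address} has no ': ...' comment explaining its purpose"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_telnet_access(SAMPLE_CONFIG, ["192.168.42.54"]):
        print(finding)
```

Run against the sample, the script accepts the commented /32 entry for 192.168.42.54 and flags the /24 and the 0.0.0.0 0.0.0.0 entries, which would let any host that can reach the inside interface attempt a telnet login.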


All commands are described in the configuration guide supplied with the PIX Firewall and online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm.

Management Server Requirements

The Management Server has the following requirements:

Follow these steps to use another .AU format sound file:


Step 1   Place the sound file on the Windows NT system running the Management Server in the JClient\Netscape subdirectory of the Management Server's target directory.

Step 2   Click the Management Client's Setting tab to modify the audio filename.


Management Client Requirements

The Management Client has the following requirements:

The system running the browser must use Windows 95, Windows NT 4.0 Workstation, Windows NT 4.0 Server, or Solaris. On Windows 95 or Windows NT 4.0, 32 MB RAM is highly recommended.

New and Changed Information

This section includes the following topics:

New Software Features in Version 4.3(2)f

PIX Firewall Manager has been updated to accept the PIX Firewall version 5.2 Cisco Secure Intrusion Detection System syslog signature messages. These messages appear under the Alarm and Report tab in the Warning Log Messages section of the Syslog Message Folder. Refer to System Log Messages for the Cisco Secure PIX Firewall Version 5.2 for a description of each Cisco Secure IDS signature message. You can view this document online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/syslog/index.htm

When PFM is run with PIX Firewall versions 4.4, 5.0, 5.1 or 5.2, the following error messages appear on the network browser:

    PIX_ip_address: Unable to Show RADIUS Server [cmdCode = 4003]
    PIX_ip_address: Unable to Show TACACS Server [cmdCode = 4103]
    PIX_ip_address: Unable to show AAA Authentication [cmdCode = 3203]
    PIX_ip_address: Unable to show AAA Authorization [cmdCode = 3903]
    PIX_ip_address: Unable to show AAA Accounting [cmdCode = 5803]

These messages indicate features added after version 4.3(2) that are not compatible with PIX Firewall Manager.

The following caveats are new in version 4.3(2)f:

  - PFM displays the following error message:

        PIX_ip_address: Unable to Delete conduit [cmdCode = 402]

    As a workaround, you can delete the conduit from the PIX Firewall command line; PFM then updates its display to show the conduit deleted.

  - PFM displays the following error message:

        PIX_ip_address: Unable to show Failover [cmdCode=2103]

  - Use Table 1 to determine the correct signature number.

Table 1: Cisco Secure IDS Syslog Messages

Signature Title                                  Signature ID   Signature Type
-----------------------------------------------  ------------   --------------
IP options-Bad Option List                       1000           Informational
IP options-Record Packet Route                   1001           Informational
IP options-Timestamp                             1002           Informational
IP options-Security                              1003           Informational
IP options-Loose Source Route                    1004           Informational
IP options-SATNET ID                             1005           Informational
IP options-Strict Source Route                   1006           Informational
IP Fragment Attack                               1100           Attack
IP Unknown IP Protocol                           1101           Attack
IP Fragments Overlap                             1103           Attack
ICMP Echo Reply                                  2000           Informational
ICMP Host Unreachable                            2001           Informational
ICMP Source Quench                               2002           Informational
ICMP Redirect                                    2003           Informational
ICMP Echo Request                                2004           Informational
ICMP Time Exceeded for a Datagram                2005           Informational
ICMP Parameter Problem on Datagram               2006           Informational
ICMP Timestamp Request                           2007           Informational
ICMP Timestamp Reply                             2008           Informational
ICMP Information Request                         2009           Informational
ICMP Information Reply                           2010           Informational
ICMP Address Mask Request                        2011           Informational
ICMP Address Mask Reply                          2012           Informational
Fragmented ICMP Traffic                          2150           Attack
Large ICMP Traffic                               2151           Attack
Ping of Death Attack                             2154           Attack
TCP NULL flags                                   3040           Attack
TCP SYN+FIN flags                                3041           Attack
TCP FIN only flags                               3042           Attack
FTP Improper Address Specified                   3153           Informational
FTP Improper Port Specified                      3154           Informational
UDP Bomb attack                                  4050           Attack
UDP Snork attack                                 4051           Attack
UDP Chargen DoS attack                           4052           Attack
DNS HINFO Request                                6050           Attack
DNS Zone Transfer                                6051           Attack
DNS Zone Transfer from High Port                 6052           Attack
DNS Request for All Records                      6053           Attack
RPC Port Registration                            6100           Informational
RPC Port Unregistration                          6101           Informational
RPC Dump                                         6102           Informational
Proxied RPC Request                              6103           Attack
ypserv (YP server daemon) Portmap Request        6150           Informational
ypbind (YP bind daemon) Portmap Request          6151           Informational
yppasswdd (YP password daemon) Portmap Request   6152           Informational
ypupdated (YP update daemon) Portmap Request     6153           Informational
ypxfrd (YP transfer daemon) Portmap Request      6154           Informational
mountd (mount daemon) Portmap Request            6155           Informational
rexd (remote execution daemon) Portmap Request   6175           Informational
rexd (remote execution daemon) Attempt           6180           Informational
statd Buffer Overflow                            6190           Attack
FTP Retrieve Password File                       8000           Attack

The following existing caveats affect use of PFM version 4.3(2)f:

    PIX_ip_address: Unable to Show established [cmdCode = 4703]

    PIX_ip_address: Unable to Add AAA Authentication [cmdCode = 3201]
    PIX_ip_address: Unable to Add AAA Authorization [cmdCode = 3901]
    PIX_ip_address: Unable to Add AAA Accounting [cmdCode = 5801]

    PIX_ip_address: Unable to Show Global [cmdCode=103]

New Software Features in Version 4.3(2)e

The following are new in version 4.3(2)e:

  CSCdp61981: PFM connection timeout causes PIX Firewall crash.
  CSCdr25532: Unable to view global command information when netmask is not specified.

New Software Features in Version 4.3(2)d

The following are new in version 4.3(2)d:

New Software Features in Version 4.3(2)

PFM provides the following features:


Note   The Tasks button generates statements in the PIX Firewall configuration that allow connections to or from hosts on internal (protected) networks. If you have additional configuration requirements, such as access control for outbound connections and user authentication or authorization, other configuration commands apply.

Capture quickly scrolling messages in the SYSLOG Message Window using the Message Snapshot button. The snapshot displays up to 200 lines of messages in a separate window. To display the Syslog Message Window, select the SYSLOG Notification Settings tab and change the Immediate Syslog Message setting to ON.

Installation Notes

This section includes the following topics:


Note   Refer to "Important Notes" for information on using the PIX Firewall Manager.

General Notes

    1. Each PIX Firewall you wish to manage must be running PIX Firewall version 4.3(2), 4.4(1), or later.

    2. Each PIX Firewall you manage must have previously been configured with the PIX Firewall telnet command or PIX Firewall Setup Wizard to permit access to the PIX Firewall from the Management Server for PFM. PIX Firewall Setup Wizard is not available in version 4.4.

    3. A PIX Firewall Syslog Server (PFSS) is available for logging PIX Firewall event information on a Windows NT system. PFSS provides logging features not available with PFM, such as using TCP for highly reliable message delivery and control. PFM has features not available with PFSS, such as generating reports from syslog information.

  The PIX Firewall does not support running both PFM and PFSS applications at the same time. You must use either PFM or PFSS, but not both.

    4. The Windows NT computer running the PIX Firewall Manager Management Client (graphical user interface) must have a network browser that is Java 1.02 compliant. Refer to "Management Client Requirements" for more information.

    5. Selecting a menu item (or screen) is indicated by the following convention:

  Click screen1>screen2>screen3.

    6. The initial PFM password is set to expire after 42 days. Refer to "Changing Passwords" for more information.

    7. PFM encrypts all communication with the PIX Firewall software versions 4.3(2), 4.4, 5.0, 5.1, or 5.2. Earlier software versions are not supported.

    8. After installation and setup, if you change the IP address of the Windows NT system, you need to update the FIREWALL.HTML file installed on the system. The file is in the JClient\Netscape subdirectory of the Management Server's target directory. In the FIREWALL.HTML file, replace the old IP address with the current one; this address is reachable only from the inside network.

  Interface entries can be specified as either IP addresses or domain names; however, you must remember to log on to the management server using the exact entry listed in the FIREWALL.HTML file or an IP address security violation error message can appear. This message indicates the Management Server could not locate the interface specified in the FIREWALL.HTML file, having tried the possible interfaces on the Windows NT computer running the Management Server.

The sections that follow describe other installation topics.

Before Installing

Before installing PFM, you need to know the following:

  ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
  Follow these steps to view the IP address:

Step 1   Click Start>Settings>Control Panel.

Step 2   Double-click the Network icon.

Step 3   Click the Protocols tab and click TCP/IP Protocols>Properties.

Step 4   When the Microsoft TCP/IP Properties dialog box opens, click the IP Address tab. The IP address appears on the lower part of this tab.

Step 5   If the Obtain an IP address from a DHCP server item is checked, click it to disable it. Then click Specify an IP address and enter an IP address, subnet mask, and default gateway IP address for this system.


Installing PFM


Note   Only users with Windows NT Administrator privileges can run the installer or uninstaller program.

During installation, if a previous version of PFM is found, the installation program replaces the old version with the new. Follow these steps to install PFM:


Step 1   If you used the PIX Firewall Setup Wizard to configure the PIX Firewall with the IP address and network mask of the Windows NT computer running PFM, skip to Step 2. If you have not set up the IP address for the Windows NT computer, verify network connectivity before starting by following these steps:

    enable
    Password: (press Enter)
    ping inside 192.168.42.42

    ping 192.168.42.54

    enable
    Password: (press Enter)
    configure terminal
    : Created for PIX Firewall Manager
    telnet 192.168.42.54
    write memory

Step 2   Exit all Windows programs.

Step 3   Log in to the Windows NT system as Administrator or as any user who is a member of the Administrator group or who has Windows NT Administrator privileges.

Step 4   From the Windows NT system, insert the first PFM diskette in the diskette drive. You can install the software:

Step 5   Once the installation program starts, you are prompted with a series of dialog boxes. You can simply click Next and the installation will proceed without interruption. Alternately, you can designate an installation directory other than the default.

Step 6   During the installation you are prompted for a port number for the built-in web server in PFM; use the default, 8080, unless that port is in use already. Any port between 1025 and 64000 can be entered as an alternative. To pick another port, view ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers to find the ports in use.

The installation program then copies its files and prompts you to insert the second diskette. Insert the diskette and the remaining files are copied.

Step 7   At the last dialog box, click Finish. The Management Server starts automatically.

Step 8   To check whether the Management Server is running, click Start>Settings>Control Panel and double-click the Services icon. Look for the "PIX Firewall Management Server" service name. The server is running if its status appears as Started. If the status field is blank, you can start the server by selecting its name and then clicking Start. If you need to stop the Management Server, refer to the instructions in "Stopping the Management Server."

Step 9   After the software setup completes, change the default passwords of the pixadmin and pixuser users with the Windows NT User Manager program described in the following section, "Changing Passwords."


Limitations and Restrictions

    1. PFM cannot be installed or uninstalled under Windows NT domain administration logins. If you attempt to install PFM on this type of login, the following message appears:

    You are not authorized to run this installer.
    Terminating...

    2. When installing PFM on a backup domain controller, be sure that the backup domain controller has connectivity with the primary domain controller. If connectivity is lost between the backup domain controller and the primary domain controller, the following message appears:

    Could not find the domain controller for the domain.
  In this case, the installation procedure cannot add the PFM users and groups to the Windows NT Security Account Manager database, and attempts to use PFM will fail.

    3. PFM does not support the following PIX Firewall commands:

  To view, add, or change these configuration features, use the PIX Firewall unit's console port or start a Telnet session to access the PIX Firewall.

    4. The following configuration features can be viewed on the Management Client but must be added or changed at the PIX Firewall's console port or Telnet session:

    5. ICMP protocol services, such as ping, are initially blocked in both directions by the PIX Firewall and require a conduit configuration. To configure a conduit, click Inbound>Static>Conduit.

If a help topic is not available, information on the topic can be found in the documentation supplied with your PIX Firewall or online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

Important Notes

This section includes the following topics:

Changing Passwords

Follow these steps to change passwords for the pixadmin and pixuser default usernames:


Step 1   Click Start>Programs>Administrative Tools (Common)>User Manager. If your Windows NT system is a domain controller, click User Manager for Domains.

Step 2   When the User Manager starts, locate the two users, pixadmin and pixuser in the Username section of the screen.

Step 3   Click the pixadmin username, and click User>Properties.

Step 4   In the User Properties dialog box, enter the new password in the Password and Confirm Password fields.

Step 5   In the User Properties dialog box, select the Password Never Expires check box to prevent the password from expiring. If the box is not selected, the password expires after the number of days set in the Account Policy Maximum Password Age configured on the Windows NT system. The default value set during Windows NT system installation is 42 days. Click OK to exit.

Step 6   Click the pixuser username and click User>Properties. Enter the new password in the Password and Confirm Password fields.

Step 7   In the User Properties dialog box, select the Password Never Expires check box to prevent the password from expiring.

Step 8   Click OK to exit, and click User>Exit to leave the User Manager.


Limiting Access to the Management Client

You can specify which users can access the Management Client by creating user accounts on the Windows NT system on which PFM is installed and giving the user either PFM administrative or read-only access privileges. When the Management Client starts, users enter their login ID and password and, if accepted, they can then run PFM.


Note   Before limiting access to the Management Client, change the default password to a new value as described in the preceding section, "Changing Passwords."

Follow these steps to limit access to the Management Client:


Step 1   Start the User Manager as described in Step 1 in the preceding section, "Changing Passwords." The User Manager dialog box appears. If you want to authorize access for users who already have accounts on the Windows NT system, proceed to Step 2. To add new users to the Windows NT system, click User>New User. Specify the information for the user including the user's login name, full name, and password.

Step 2   To give a user access to the Management Client, locate the Groups area at the bottom of the User Manager dialog box.

Step 3   From the Groups area, if you want users to be able to change PIX Firewall settings, double-click PIX Admins. If you want users only to have read access and no change privileges, double-click PIX Users. The Local Group Properties dialog box then appears.

Step 4   Click Add to add an existing user to the selected group. The Add Users and Groups dialog box appears.

Step 5   From the Names field, choose the name of the user you wish to add, click Add, and then click OK to complete adding this user. Control returns to the Local Group Properties dialog box where you can continue adding users. To exit back to the User Manager dialog box, click OK. Then exit User Manager by clicking OK.


Note   Do not assign a user to both the PIX Admins and PIX Users groups.


Starting the Management Client

Follow these steps to start the Management Client, restart the network browser, disable proxies, and then access the Management Client:

Windows 95, Windows NT, Solaris Netscape Navigator Version 3.x


Step 1   Click Network Preferences on the Options menu.

Step 2   Click the Proxies tab, select the No Proxies check box, and click OK.

Step 3   Click Open Location on the File menu, enter ^L, or click Open, and enter the following:

http://IP_address:port

where IP_address is the system running PFM Server, and port is the Management Server's web server port that you defined in "Installation Notes."


Windows 95, Windows NT, Solaris Netscape Communicator 4.0, 4.01, 4.02, 4.04, 4.05, Netscape Navigator 4.0, 4.01, 4.02, 4.04, 4.05


Step 1   Click Preferences on the Edit menu. A dialog box appears.

Step 2   In the hierarchy display at the left, double-click the Advanced item. (In Solaris, click the arrow beside Advanced.) The hierarchy expands to display additional choices.

Step 3   Click Proxies from the expanded hierarchy list.

Step 4   Select the Direct connection to the Internet check box, and click OK.

Step 5   Click Open Location on the File menu, enter ^L, or click Open, and enter the following:

http://IP_address:port

where IP_address is the system running PFM Server, and port is the Management Server's web server port that you defined in "Installation Notes."


Windows 95 or Windows NT Microsoft Internet Explorer 4.0 Version 4.72.3110.8; Updated Version: SP1


Step 1   Click Internet Options on the View menu.

Step 2   Click the Connections tab.

Step 3   In the Proxies Server group box, clear Access the Internet using a proxy server.

Step 4   Return to the main menu and enter the following:

http://IP_address:port

where IP_address is the system running PFM Server, and port is the Management Server's web server port that you defined in "Installation Notes."


Using the Management Client

Follow these steps to view the Management Client applet with any network browser described in "Management Client Requirements."


Step 1   After you have disabled browser proxies as described in "Starting the Management Client" and started the Management Client, the home page appears.

Step 2   You can generate reports using Microsoft Excel 97 by following the instructions on the home page.

Step 3   Click Run Management Client.

Step 4   After the Management Client is loaded, you are prompted for a username and password. For the username, enter pixadmin for read-write access, or pixuser for read-only access. Enter the new password you set in "Changing Passwords"; if you have not yet changed it, the default password is cisco, and you should change it before putting the Management Server into service.

You can also use any username that is in either the PIX Admins or PIX Users group. When you complete entering a username and password, click OK. The Management Client then opens after it loads into memory.


Note   When the program is loading, do not minimize the web browser.

Step 5   If you need to restart the applet, you can click the browser's Reload button.


Navigating the Management Client

After you enter your login credentials, the Management Client window appears.

Follow these steps to navigate in the Management Client:


Step 1   To view or modify the PIX Firewall configuration, go to the Main Tree window on the left side of the Management Client window and double-click a PIX Firewall folder. If the Main Tree window is empty, click Add A PIX Firewall in the Contents window to add PIX Firewall units to the Main Tree. Click the Reload Configuration button in the Contents window to get the most current configuration.


Note   Any change to the configuration of a PIX Firewall made in the Management Client is sent immediately to the PIX Firewall and takes effect in the running configuration held in the unit's RAM. It is not written to Flash memory until you save it as described in Step 3.


Note   If the configuration has been changed outside the Management Client, for example at the console or through a Telnet session, click the Reload Configuration button to get the current configuration information.

The areas of the Management Client window are as follows:

Step 2   Double-click the configuration option you want from the folder in the Main Tree. The folder then opens into a series of subfolders or files for each configuration feature. The Contents area displays information about each configuration feature. Use the button selections to get help information, view current configuration information, or change configuration settings.

Step 3   To ensure that the firewall can reload the new configuration after reboot, save the configuration in the firewall unit's Flash memory by clicking the Save to Flash Mem of PIX button.

To back up the configuration to a diskette, follow these steps:


Stopping the Management Client

To stop the Management Client, stop the network browser on which it runs.

Stopping the Management Server

Follow these steps if you need to stop the Management Server:


Step 1   Click Start>Settings>Control Panel>Services.

Step 2   When the Services dialog box opens, select the PIX Firewall Management Server item from the Service list. You can stop this service by clicking the Stop button.


Generating and Printing Syslog Reports

The PIX Firewall generates syslog messages for system events, such as security alerts and resource depletion. Syslog messages are stored in log files and can be used to create alerts and reports.

PFM provides two ways to view syslog connection information: using the PIX Firewall Management Client graphical user interface, or using a Microsoft Excel macro and data files provided for Microsoft Excel 97. Options for printing reports are available only using Microsoft Excel 97.

This section includes the following topics:

Refer to "Troubleshooting Syslog Reporting Problems" for additional syslog reporting information.

Configuration Requirements

Prior to using the Alarm and Report features, you must configure each PIX Firewall to generate syslog messages and send them to a syslog server host, one of which can be the host running PFM. The syslog server in PFM listens for messages from the PIX Firewall on UDP port 514. Messages are stored in daily log files on the Windows NT computer running PFM. PFM uses the information in the daily log files to generate reports. To configure each PIX Firewall unit from the Management Client, click Administrator>SYSLOG to view options for configuring syslog host and message information.

Viewing Reports

To view syslog reports from the PIX Firewall Management Client, follow the instructions for "Navigating the Management Client." From the Management Client, click the Alarm and Report tab to view options for generating reports.

To view and print syslog reports from the macro, follow the instructions for "Starting the Management Client" to display the PFM home page. From the home page, follow the instructions on how to log in and generate reports.

The procedure for generating and printing syslog reports uses the Microsoft Excel macro REPORT.XLS. To use this file, start the Microsoft Excel application and open the file from within the application. If you try to open the file directly by double-clicking it, the following error message appears:

Cannot open the corresponding DBF file

Note   When downloading the files from the web browser, be sure to save all files (report.xls, dns.dbf, monday.dbf, sunday.dbf, and so on) to the same directory on the local drive. After all the files are in the same directory, use Microsoft Excel 97 to open the report.xls file.


Note   The macro does not support viewing or printing detailed reports of FTP and HTTP file transfers as provided in reports generated by the PIX Firewall Management Client.

PFM saves syslog information in daily log files. For example, PIX Firewall syslog information for Monday is saved in the monday.log file. The log files are located in \PIX Firewall Manager\protect\<weekday>.log on the Windows NT computer.

Log files are retained for one week, allowing a separate log file for each day of the week. After one week, daily log files are overwritten, starting with the daily file that was created first. For example, if log files were first started on Monday, the Monday log file will be overwritten in seven days. This also means that you can access a six-day archive of log information for a given day.
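The syslog server described under "Configuration Requirements" receives messages on UDP port 514 and files them by weekday, and the Cisco Secure IDS signature messages added in 4.3(2)f are classified by the Signature Type column of Table 1. The following Python script is an added example written for these notes; it is not PFM code and does not open a socket, it works on constructed sample lines. It assumes, since the notes do not show it, that a PIX 5.2 IDS message reads %PIX-4-4000nn: IDS:<id> <title> from <src> to <dst> on interface <name>, that a logging timestamp prefix looks like "Sep 14 2000 10:02:15: ", and that the weekday files are named as stated above (monday.log and so on). SIGNATURES is a subset of Table 1: the Attack rows plus the Informational rows used by the sample.

```python
"""Parse PIX Firewall IDS syslog messages, classify them with Table 1, and name
the weekday log file PFM would store them in. Added example; not PFM code.

Assumed message text (not shown in the release notes):
    %PIX-4-4000nn: IDS:<id> <title> from <src> to <dst> on interface <name>
Assumed "logging timestamp" prefix: "Sep 14 2000 10:02:15: ".
"""
import re
from datetime import datetime

# Subset of Table 1 (Cisco Secure IDS Syslog Messages): id -> (title, type).
# The Attack rows are complete; only the Informational rows used below are listed.
SIGNATURES = {
    1100: ("IP Fragment Attack", "Attack"),
    1101: ("IP Unknown IP Protocol", "Attack"),
    1103: ("IP Fragments Overlap", "Attack"),
    2000: ("ICMP Echo Reply", "Informational"),
    2004: ("ICMP Echo Request", "Informational"),
    2150: ("Fragmented ICMP Traffic", "Attack"),
    2151: ("Large ICMP Traffic", "Attack"),
    2154: ("Ping of Death Attack", "Attack"),
    3040: ("TCP NULL flags", "Attack"),
    3041: ("TCP SYN+FIN flags", "Attack"),
    3042: ("TCP FIN only flags", "Attack"),
    4050: ("UDP Bomb attack", "Attack"),
    4051: ("UDP Snork attack", "Attack"),
    4052: ("UDP Chargen DoS attack", "Attack"),
    6050: ("DNS HINFO Request", "Attack"),
    6051: ("DNS Zone Transfer", "Attack"),
    6052: ("DNS Zone Transfer from High Port", "Attack"),
    6053: ("DNS Request for All Records", "Attack"),
    6103: ("Proxied RPC Request", "Attack"),
    6190: ("statd Buffer Overflow", "Attack"),
    8000: ("FTP Retrieve Password File", "Attack"),
}

TIMESTAMP_RE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): ")
IDS_RE = re.compile(
    r"%PIX-(?P<severity>\d)-(?P<msg_id>\d{6}): IDS:(?P<sig_id>\d+) (?P<title>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample: one IDS probe, two IDS attacks, one ordinary connection
# message, and one IDS signature ID that is not in Table 1. Message numbers
# (4000nn) are illustrative only.
SAMPLE_SYSLOG = [
    "Sep 14 2000 10:02:15: %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.9 to 192.168.42.1 on interface outside",
    "Sep 14 2000 10:02:16: %PIX-4-400024: IDS:2154 ICMP ping of death from 203.0.113.9 to 192.168.42.1 on interface outside",
    "Sep 14 2000 10:02:20: %PIX-4-400032: IDS:4051 UDP snork attack from 203.0.113.9 to 192.168.42.7 on interface outside",
    "Sep 14 2000 10:02:21: %PIX-6-302001: Built inbound TCP connection 7 for faddr 203.0.113.9/1034 gaddr 198.51.100.5/80 laddr 192.168.42.7/80",
    "Sep 14 2000 10:02:30: %PIX-4-400009: IDS:9999 made up signature from 203.0.113.9 to 192.168.42.7 on interface outside",
]


def weekday_log_name(line):
    """Return the PFM daily file (e.g. 'thursday.log') for a timestamped message,
    or None when the line carries no timestamp prefix."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    return stamp.strftime("%A").lower() + ".log"


def parse_ids_message(line):
    """Return a dict describing an IDS message, or None for other syslog text.
    The type comes from Table 1; unknown signature IDs are marked 'Unknown' so
    they are not silently dropped from a report."""
    m = IDS_RE.search(line)
    if not m:
        return None
    sig_id = int(m.group("sig_id"))
    _title, sig_type = SIGNATURES.get(sig_id, (m.group("title"), "Unknown"))
    return {
        "severity": int(m.group("severity")),
        "msg_id": m.group("msg_id"),
        "sig_id": sig_id,
        "title": m.group("title"),
        "type": sig_type,
        "src": m.group("src"),
        "dst": m.group("dst"),
        "iface": m.group("iface"),
        "log_file": weekday_log_name(line),
    }


def summarize(lines):
    """Count IDS messages per Table 1 type and collect the Attack events as
    (signature id, source, destination) tuples."""
    counts = {"Informational": 0, "Attack": 0, "Unknown": 0}
    attacks = []
    for line in lines:
        event = parse_ids_message(line)
        if event is None:
            continue
        counts[event["type"]] += 1
        if event["type"] == "Attack":
            attacks.append((event["sig_id"], event["src"], event["dst"]))
    return counts, attacks


if __name__ == "__main__":
    counts, attacks = summarize(SAMPLE_SYSLOG)
    print(counts)
    for sig_id, src, dst in attacks:
        print(f"attack signature {sig_id}: {src} -> {dst}")
```

On the sample the echo request is counted as Informational, the ping of death and UDP snork messages as Attack, the connection message is ignored, and the unknown signature is reported rather than discarded. Because PFM overwrites each weekday file after seven days, a report run on any given day sees at most the preceding six days plus the current one, which is the window this script would operate over.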

Usage Notes

    1. When a Management Client is running, only the following configuration changes to the PIX Firewall units made through the console or Telnet sessions are reflected in the client applet: conduit, static, global, nat, outbound, apply, and alias. To view the updated configuration for any other PIX commands modified via the console or Telnet sessions, click a PIX Firewall folder, then click the Reload Configuration button.

    2. If a client is already connected to a Management Server and a second client on the same machine tries to connect to the same Management Server, then the first client will be disconnected and the second client will be connected.

    3. PFM incorrectly converts any netmask you enter for the PAT IP address to be 255.255.255.255 and sends this value to the PIX Firewall.

    4. All members of the PIX Admins group have read and write access, and all members of the PIX Users group have read-only access and cannot change the PIX Firewall configuration. Usernames that do not belong to one of these two groups cannot use the Management Client applet.

    5. When accessing the Management Server from the Management Client, do not use the loopback address (127.0.0.1) in the URL. Using the loopback address causes an "I/O Exception" error on all online help and description pages. Refer to "Starting the Management Client" for more information on using the Management Client.

    6. If you change the PIX Firewall enable password in Administrator>Administration>Password, wait for confirmation of password change prior to entering additional commands. If you enter an invalid password, confirmation of the change can take several minutes while the server tries to validate the entry. In the case of an invalid password, additional commands can appear to hang until the server returns confirmation that the change was unsuccessful.

    7. Initially, no syslog setting information displays in the Administration>SYSLOG panel. Press the Refresh button to display the current information. Syslog information in the daily syslog file is now saved every 10 minutes by default. You can change the time interval for saving syslog information by setting the value in the SYSLOG Notification Settings tab.

    8. You can specify that syslog messages be marked with the current time. To configure each PIX Firewall unit with the timestamp option, click Administrator>SYSLOG, set the logging type to Timestamp and set the status to Enable.

    9. You must set the date and time from the PIX Firewall command line interface using the clock set command before timestamp information will appear in syslog messages. You cannot set the date and time from the PFM Management Client.

Caveats

The sections that follow describe open and resolved caveats.

Open Caveats - Version 4.3(2)e

The following caveat is open:

  If you specify a global pool configuration without a network mask, PFM cannot parse the command information correctly. The workaround is to always enter a netmask when specifying a global pool. If a global is not specified with a mask, the following error message appears when you attempt to view the global information:
    PIX_ip_address: Unable to Show Global [cmdCode=103]

Open Caveats - Version 4.3(2)d

  PFM interprets and displays the nat (inside) 0 access-list command, which is used to bind an access list to NAT 0 (NAT disabled) on the PIX Firewall, as follows:
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
  When a TFTP server's IP address and filename are entered on PFM, PIX Firewall receives the information correctly, but if you click Refresh, the IP address appears in PFM as 0.0.0.0.
  The established command can be added, but not displayed. If you attempt to view the command information, the following error message appears:
    Unable to show established [cmdCode=4703]
  When trying to specify a maximum number of connections on a static, PFM displays the "Max TCP connections cannot be higher than 2" error message. The maximum value you can specify with PFM is one connection.
  As a workaround, you can set a higher value from the PIX Firewall configuration mode command line. From the PIX Firewall, use the show static command to view the static command statements, use the no static command to remove the static command statement, and then re-enter the static command with the correct value for the maximum number of connections.

Resolved Caveats - Version 4.3(2)e

The following caveat was resolved:

  PFM no longer causes the PIX Firewall to fail when the PFM connection times out.

Resolved Caveats - Version 4.3(2)d

The following caveats were resolved:

  PFM no longer fails when alert mail is requested for the following events:
  PFM no longer stops logging when the SMTP server is unavailable.

Resolved Caveats - Version 4.3(2)c and Version 4.3(2)b

The following caveats were resolved:

  Notification messages now correctly match the content of the syslog messages. Previously, because of a table pointer error, a message sent as a notification would be different than the one PFM received from the PIX Firewall.
  Syslog messages are now handled correctly; however, if multiple messages are received within one minute, notifications (if enabled) are not processed after the first message during the one-minute interval. Formerly a one-minute timer attempted to separate messages from arriving simultaneously, but the timer interfered with normal message processing.
  Notifications for the syslog messages "deny send," "deny use of network," and "cannot ping PAT address" now correctly stay in the PFM configuration, which PFM stores in the syslog.ini file.
  Upgrades from a previous PFM version now work correctly. Previously, if you did not want to overwrite a previous version, the install script would fail and issue the following error message:
    Severe: General file transfer error. Please check your target location and try again.
    Error Number:- 37
  PFM now correctly handles nat and static commands for PIX Firewall versions 4.3(2), 4.4, 5.0, 5.1, and 5.2.
  Authorization page access no longer displays the following message:
    Port must be a +ve integer
  ("+ve" means positive.) Authorization page access is not available in versions 4.4, 5.0, 5.1, and 5.2 because PFM does not support the AAA changes in these later versions.
  When configuring multiple PIX Firewall units, in the authentication and authorization window under common configurations, the first IP address from the list of available PIX Firewall units is already selected. This is considered a feature so that one unit is always selected. You can unselect it by clicking the selected entry.
  Authorization port and protocols are now handled correctly.
  An extra space is no longer added after a mail recipient's name when PFM sends an email notification. With the extra space, LotusMail rejected the messages from PFM.
  Timestamps now appear correctly in syslog messages.
  Refresh now works correctly on the Administration>SYSLOG Output page.
  Failover information now displays correctly. Formerly, the browser displayed the following message when a user would attempt to display failover information:
    PIXIPADDRESS: Unable to show Failover (cmdCode=2103)
  You can now delete a conduit after deleting an associated static.

Troubleshooting

This section includes the following topics:

Frequently Asked Questions

The following questions are frequently asked in Cisco's Technical Assistance Center (TAC):

  You may not be logged in locally as "administrator" on the Windows NT system. Users with administrative rights can install the product; however, users in the administrator group generally do not have enough rights to install the product.
  While it may work, Cisco recommends that you not install PFM on a PDC (Primary Domain Controller) or BDC (Backup Domain Controller) for these reasons:
  Continuous beeping indicates a port conflict between applications. Usually a syslog application such as CiscoWorks, PFSS (PIX Firewall Syslog Server), or a third-party application already has access to UDP port 514, or a web server has access to the default TCP port 8080. Follow these steps to remove the conflict:

Step 1   Completely uninstall PFM and remove the install directory with Windows Explorer.

Step 2   Reboot the Windows system.

Step 3   Log in to the Windows system locally (not the domain) as "administrator" (use this login name, not the login of someone with administrator rights).

Step 4   Do not run setup yet. At a command prompt, run the netstat -a command to verify both TCP 8080 and UDP 514 are not listed.

If they are listed, uninstall the application that is using UDP port 514 or in the case of TCP 8080, choose an alternate TCP port such as 8081.

Step 5   If you uninstalled an application to remove the port conflict, repeat Steps 2 through 4, and reboot the Windows system.

Step 6   Check for any error messages in the event viewer and take the appropriate actions. You can search for the meaning of specific error messages at the following site:

http://support.microsoft.com/support

Step 7   Click Start>Settings>Control Panel>Services to verify that the "server" service is running.

Step 8   Now reinstall PFM.

Step 9   Reboot. You can log in to the domain at this time.
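A check for the port conflict that Step 4 describes, as an added example that is not part of the PFM release notes or the product: it parses numeric netstat -an output (a constructed sample is embedded) and reports whether TCP 8080 or UDP 514 are already bound, suggesting a free alternate TCP port when 8080 is taken.

```python
"""Check netstat output for the two ports PFM needs (TCP 8080, UDP 514).

Added example, not part of the PFM release notes or the product. It parses
the numeric output of `netstat -an` (constructed sample below) and reports
which of the ports PFM expects are already in use, plus a free alternate
TCP port for the web server, as Step 4 of the port-conflict procedure
describes.
"""
import re
from typing import Dict, Set, Tuple

# Ports PFM expects to own: the embedded web server and the syslog receiver.
PFM_PORTS = {("TCP", 8080), ("UDP", 514)}

# Matches "TCP    0.0.0.0:8080    0.0.0.0:0    LISTENING" style rows.
_LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output: str) -> Set[Tuple[str, int]]:
    """Return the set of (protocol, local port) pairs bound on this host.

    TCP rows count only in LISTENING state (an ESTABLISHED client socket
    whose peer is port 8080 is not a server conflict); UDP rows have no
    state column and always count.
    """
    bound = set()
    for line in netstat_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a non-TCP/UDP row
        proto, _local, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        bound.add((proto, int(port)))
    return bound


def pfm_port_conflicts(netstat_output: str) -> Dict[str, object]:
    """Report PFM port conflicts and, if TCP 8080 is taken, a free alternate.

    Returns {"conflicts": [...], "alternate_tcp_port": int or None}.
    UDP 514 gets no alternate: the release notes say the other syslog
    application must be uninstalled, so only the TCP port is re-pointed.
    """
    bound = listening_ports(netstat_output)
    conflicts = sorted(p for p in PFM_PORTS if p in bound)
    alternate = None
    if ("TCP", 8080) in bound:
        # Walk upward from 8081 until an unbound TCP port is found.
        candidate = 8081
        while ("TCP", candidate) in bound:
            candidate += 1
        alternate = candidate
    return {"conflicts": conflicts, "alternate_tcp_port": alternate}


# Constructed sample of `netstat -an` output on a Windows NT host where a
# web server already holds TCP 8080 (and 8081) and a syslog daemon holds UDP 514.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1033       192.168.1.9:8080       ESTABLISHED
  UDP    0.0.0.0:514            *:*
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    report = pfm_port_conflicts(SAMPLE_NETSTAT)
    for proto, port in report["conflicts"]:
        print(f"conflict: {proto} port {port} is already bound")
    if report["alternate_tcp_port"]:
        print(f"use TCP port {report['alternate_tcp_port']} for the PFM web server")
```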


  The following may cause this event:
http://the_nt_ip_address:8080
http://127.0.0.1:8080
If you chose an alternate port for the web server on the Windows system, enter that port instead of 8080. Do not attempt to run index.html because this will not work.
  The following may cause this message:
http://the_nt_ip_address:8080
http://127.0.0.1:8080
If you chose an alternate port for the web server on the Windows system, enter that port instead of 8080. Do not attempt to run index.html because this will not work.
c:\Program Files\Cisco\PIX Firewall Manager\jclient\netscape\firewall.html
You can edit this file with a text editor such as Notepad. In some rare cases, you may need to add the Windows NT NetBios host name of the Windows NT system as one of the IP address entries in this file. Reboot the Windows NT system after you edit this file.
  Yes, it is called pfm.log.
  You need to enter a username and password to use PFM. The default administrator username is pixadmin and the default password is cisco. The administrator has read and write permission to change the configuration. Alternately, you can use the pixuser username to view but not change the configuration.
  The User Manager on the Windows NT system lets you add, change, or delete users in the pixadmin or pixuser groups. See "Changing Passwords" for more information.
  The following can help:
ftp://archive:oldies@archive.netscape.com/archive/index.html HINT:

Installation Troubleshooting

If you have problems installing or using PFM, check the following items:

    A version of the PIX Firewall SYSLOG SERVER is detected on this machine. You must uninstall PIX Firewall SYSLOG SERVER before installing the PIX Firewall Manager.
  If the PFM installation detects the presence of the PIX Firewall Syslog Server application on the same system, it displays a message warning you that both applications exist. The PIX Firewall does not support running both PFM and PFSS applications at the same time. You must use either PFM or PFSS, but not both.
  Verify that the PIX Firewall has been configured for Telnet access from the Windows NT computer where the PIX Firewall Manager Server is installed.
  Verify that the user is a member of the PIX Admins or PIX Users groups on the Windows NT computer. If the user is not a member of a group, add the user.
  This can indicate that the client portion of the application is not communicating with the server portion. To determine where errors might be occurring, use the following procedure to launch PFM to the desktop:

Step 1   Click Start>Settings>Control Panel>Services on the Windows NT computer.

Step 2   Scroll through the services to locate the PIX Firewall Manager Server.

Step 3   Double-click PIX Firewall Manager Server, which displays the Service dialog box.

Step 4   In the Service dialog box, check Allow Service to Interact with Desktop, and click OK.

Step 5   In the Services dialog box, click Stop to halt the PIX Firewall Manager Server; then click Start to restart the service.

Step 6   Start PFM. Errors generated by the application appear in the PIX Management dialog box.

Copy the error messages in the dialog boxes and use Cisco Connection Online (CCO) for additional support.


  If the Management Client appears to stop working and reports Java applet errors, use the following procedure to launch the Java console from the web browser.
  The error messages appear in the Java console panel. If the error messages report security violations, it can mean that the Management Client is having trouble communicating with the Management Server.
  In such cases, try the following:
    http://local_host_ip_address:8080
Do not click File>Open on the browser menu to access the Management Client.
    \Program Files\Cisco\PIX Firewall\jclient\netscape\firewall
  If the problems persist, use Cisco Connection Online (CCO) for additional support.

Using Microsoft Excel 97 Offline Reporting Features

  Excel 95, no; the macros are incompatible with PFM. Excel 98 and 2000 are not officially supported but customer support has created reports in both versions without error.
  You cannot generate reports from PFM active files (report.xls, stat.dbf, dns.dbf, monday.dbf, and so on). You must copy these files to a separate directory and then run them with Excel 97.
  You cannot copy Monday.dbf to another directory until Tuesday, Tuesday.dbf until Wednesday, and so on, because each daily file is still active until its day has passed.
  You most likely have not configured logging properly. Follow these steps:

Step 1   Logging traps output must be set to debugging or these files will not populate.

Step 2   Verify that logging host is pointed at the PFM server.

Step 3   Make sure your configuration shows logging on.

Step 4   Test successful logging by clicking "Immediate syslog notification" to "on" in PFM, generating traffic through the PIX Firewall, then verifying activity in the GUI pop-up window.


  You are most likely using most recently used (MRU) or double-clicking report.xls. Excel 97 tracks MRU files at the bottom of the file menu and Windows also tracks these in the start/documents menu. Do not open report.xls from those locations. If you do, the macros embedded in report.xls will not function properly. You must click the File>Open menu to browse and open report.xls. Excel associates that directory with the application. When you use MRU, Excel keeps the directory association with the "My Documents" folder and the attempt to open report.xls results in no access to the needed .dbf files.
  The report.xls file is password protected to protect the integrity of the embedded macros.

Troubleshooting Syslog Reporting Problems

Problems generating syslog reports can mean that one or both of the configuration settings for the syslog host or Message type is not correct, or that data is not reaching the syslog host. If you have problems displaying syslog report information, or you receive a "Database Empty" error message, check the following items:


Note   Close the SYSLOG Message Window after you have verified that information is being received at the syslog host. These messages can fill up system memory on the host, slowing performance.


Note   The Facility setting in the Edit SYSLOG Output dialog box is not used by PFM Management Client for generating reports. The report wizard provided with the Management Client references hosts by IP address.

  If syslog reports display both host names and IP addresses, verify that the Windows NT system running the Management Server is able to resolve host names. PFM attempts to resolve IP addresses with host names when the Management Server receives syslog messages. If it finds a host name for an IP address, the address and host name pair is stored in a database on the Management Server. This database is used to create syslog reports. If the Management Server is unable to resolve the IP address with a host name within 15 seconds, only the IP address is logged in the database. As a result, syslog reports might include both host names and IP addresses.

Tips

The following tips can help ensure PFM works correctly:

    1. Do not install on a Windows NT system running Microsoft IIS. If you must, do not let PFM occupy any server ports being used by MS IIS. (Carefully following the previous directions will eliminate that.)

    2. If any error messages appear during installation of PFM, capture them and call customer support immediately. Do not attempt to proceed.

  You capture error messages from Windows as follows:

    3. If any errors in the event viewer cannot be resolved, contact Microsoft support for assistance at the following site:

  http://support.microsoft.com/support

    4. Ensure that the most current Service Pack is installed on your Windows NT system before installing PFM. All Windows NT Service Packs through SP5 work on all PFM versions, but the browser that installs with the Service Pack may not be supported.

    5. Verify that your browser is compatible with PFM. Supported browsers are described on the PFM banner page that displays after you start PFM.

    6. Make sure you have properly configured a PIX Firewall to allow Telnet from PFM. To verify, Telnet to the PIX Firewall and start enable mode.

    7. If your Windows NT system is multihomed (more than one NIC) make sure all IP addresses for the system are listed in firewall.html, which you can edit with a text editor. Reboot the Windows NT system after you edit this file.

Related Documentation

Use this document in conjunction with the PIX Firewall documentation available online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm

Software Configuration Tips on the Cisco TAC Home Page

Cisco provides PIX Firewall technical tips at the following site:

http://www.cisco.com/warp/public/110/index.shtml#pix

Obtaining Documentation

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Registered CCO users can order the Documentation CD-ROM and other Cisco Product documentation through our online Subscription Services at http://www.cisco.com/cgi-bin/subcat/kaojump.cgi.

Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, call 800 553-NETS (6387).

Obtaining Technical Assistance

Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.

Cisco Connection Online

Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.

You can access CCO in the following ways:

You can e-mail questions about using CCO to cco-team@cisco.com.

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.

To display the TAC web site that includes links to technical support information and software upgrades and for requesting TAC support, use www.cisco.com/techsupport.

To contact by e-mail, use one of the following:

Language            E-mail Address
English             tac@cisco.com
Hanzi (Chinese)     chinese-tac@cisco.com
Kanji (Japanese)    japan-tac@cisco.com
Hangul (Korean)     korea-tac@cisco.com
Spanish             tac@cisco.com
Thai                thai-tac@cisco.com

In North America, TAC can be reached at 800 553-2447 or 408 526-7209. For other telephone numbers and TAC e-mail addresses worldwide, consult the following web site: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate and value your comments.

This document is to be used in conjunction with the documents listed in the "Related Documentation" section.

Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document/website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0008R)

Copyright © 2000, Cisco Systems, Inc.
All rights reserved.


Posted: Fri Sep 8 13:08:08 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.