Not all PIX Firewall commands are supported by Cisco Security Manager. This appendix describes the current command support, identifying any limitations, and explains how you can use unsupported commands in conjunction with the Cisco Policy Manager user interface. Table A-1 lists the PIX Firewall commands and the level of support within Cisco Security Manager.
| Command | Description | Support Status |
|---|---|---|
| | Enables or disables TACACS+ or RADIUS user authentication, authorization, and accounting. | Cisco Security Manager does not generate the command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Allows you to personalize the AAA challenge text. | Cisco Security Manager does not generate the command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Implements dual NAT for overlapping addresses. | Current status: supported for mapping the external addresses to alias addresses. Not supported for DNS lookup fixup. |
| | Updates the PIX Firewall address resolution protocol (ARP) cache and sets the timeout value for ARP sessions. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Creates conduits through the firewall for incoming connections. | Current status: supported, including selective ICMP. |
| | Clears or merges the current configuration with the configuration on a floppy disk or in Flash memory. This command starts a PIX Firewall configuration session. | Supported for configuration over a Telnet session (terminal). |
| | Shows debug packets or ICMP tracings. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Exits the privileged mode. | Not applicable. Cisco Security Manager uses the PIX Firewall Manager (PFM) port for the control connection. |
| | Starts the privileged (administrative) mode. It is also used as a backdoor for the aaa authentication serial console command in the event that the authentication server is offline. | Cisco Security Manager uses the PFM port for the control connection and uses the enable password to engage the privileged mode. |
| | Changes the privileged mode password. | Cisco Security Manager does not generate this command; however, you can use the Command panel on the associated PIX Firewall to change the password. |
| | Allows return connections based on an established connection. This command is intended to support nonstandard applications. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Exits PIX Firewall access mode. | Not applicable. Cisco Security Manager uses the PFM port for the control connection. |
| | Establishes the PIX Firewall failover feature. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Enables URL filtering for use with WebSENSE servers. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Enables and disables a PIX Firewall application protocol feature. An option new in PIX Firewall version 4.2 enables you to distinguish between plugs and application protocol filters that listen on the same port. | Fully supported. Use the Settings 1 panel on the PIX Firewall node. |
| floodguard | Lets you reclaim PIX Firewall resources if the user authentication (uauth) subsystem runs out of resources. If an inbound or outbound uauth connection is being attacked or overused, the PIX Firewall will actively reclaim TCP user resources. When the resources deplete, the PIX Firewall lists messages about it being out of resources or out of TCP users. | Fully supported. Use the Settings 1 panel on the PIX Firewall node. |
| global | Creates entries in the pool of global addresses. | Fully supported. Defined in the Mapping panel. |
| groom | Refreshes the Flash memory card. Prevents Flash memory overflow when new configurations are appended. Requires that the 2-MB Flash memory be installed. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Displays help information about the PIX Firewall commands when used at the CLI prompt. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Changes the hostname in the PIX Firewall command line prompt. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Identifies network interface speed and duplex. This is a mandatory item in PIX Firewall configurations. The PIX Firewall allocates more internal buffers for higher line speeds. | Fully supported. Defined in the Interfaces panel of the PIX Firewall node. |
| | Defines the IP address of the PIX Firewall. | Fully supported. Defined in the Interfaces panel of the PIX Firewall node. |
| | Terminates another Telnet session to the PIX Firewall. Irrelevant for firewall policy management. | Current status: N/A. |
| | Creates a Private Link connection to a remote PIX Firewall. Private Link is a proprietary secure protocol between PIX Firewalls (versions 4.2 and later). | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Sets PIX Firewall logging parameters. | Fully supported. Use the Settings 1 panel on the PIX Firewall node. |
| | Sets the maximum transmission unit (MTU) for an interface. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Associates text names with IP addresses. These names have no connection with DNS names. The PIX Firewall manual suggests exercising caution when using this feature. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Names the PIX Firewall interfaces. | Fully supported. Defined on the Interfaces panel of the PIX Firewall node. |
| | Associates a network with a pool of global IP addresses. | Current status: supported except for the randomization flag. |
| | | Fully supported. Defined in security policies. |
| | Enables PIX Firewall console screen paging. Irrelevant for firewall policy management. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Sets the password for Telnet and PIX Firewall Manager access to the firewall console. | Cisco Security Manager does not generate this command; however, you can use the Command panel on the associated PIX Firewall to change the password. |
| | Pings a specified IP address. This command is used for configuration testing. Irrelevant for firewall policy management. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| radius-server | Specifies a RADIUS server for use with the aaa command. | Cisco Security Manager does not generate the command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Reboots and reloads the configuration. | This command is not applicable to Cisco Security Manager because it performs a sequence of clear commands (such as clear nat and clear route) to clear the existing command sets. |
| | Enables routing table updates from RIP broadcasts. | Fully supported. Use the Settings button in the Interfaces panel for a selected interface object. |
| | Specifies a static or a default route for the interface. | Fully supported. Use the Routes panel on a selected PIX Firewall node. |
| | Allows the PIX Firewall to include the RST (reset) header in the packets returned to the source. Used to reset IDENT connections. Without this option, the PIX Firewall drops the packets and does not return any information to the source. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Allows you to specify IOS commands on the AccessPro router console when the router is installed on the PIX Firewall. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Allows you to view PIX Firewall configuration information. Utilized by the PIX Firewall configuration loader. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Maps a local IP address to a global IP address. | Current status: supported except for the randomization flag. |
| syslog | Replaced by the logging command. | Current status: supported using the Settings 1 panel on a PIX Firewall node. |
| tacacs-server | Specifies a TACACS+ server for use with the aaa command. | Cisco Security Manager does not generate the command, but the command can be supported using the Command panel on the PIX Firewall node. |
| telnet | Allows an inside IP address to access a PIX Firewall over Telnet. | Fully supported. To define additional hosts, you must place the host node in the Security Policy Enforcement branch and apply a security policy to that node that allows Telnet to the firewall interface or IP address. |
| | Changes the console terminal state. Allows you to enable or disable the display of syslog messages in the current session for either Telnet or the serial console. You can regulate your environment without affecting other console users. The logging monitor command regulates all console users. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Specifies the IP address of the TFTP configuration server for the configure net command. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Sets the timeout interval for various protocols and PIX Firewall connection slots. | Fully supported. |
| | Deletes all authorization caches for authenticated users. Authentication and authorization services are established using the aaa command. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Specifies a WebSENSE server for use with the filter command. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Sets the WebSENSE URL caching mode and cache size. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Specifies a fictitious address to which web user authentication is redirected. Used in conjunction with the aaa command. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| who | Shows active administrative Telnet sessions on the PIX Firewall. | Cisco Security Manager does not generate this command, but the command can be supported using the Command panel on the PIX Firewall node. |
| | Stores a PIX Firewall configuration. | Fully supported. |
| | Clears translation slot information. Removes address translation information after changing or removing alias, static, and global commands when merging two PIX Firewall configurations. | Fully supported. |
From the Command panel, you can define commands that Cisco Security Manager does not derive automatically, either as a prologue or as an epilogue command set. You can approve the command set that Cisco Security Manager generates before you download it to the selected firewall by reviewing the pending command sets. In addition, you can import and export your custom command sets to ease administration of similar firewalls.
Before using the Command panel, you should understand all the options that exist on this panel. Table A-2 defines these options and provides some insight as to how you can use them. For more information, see the "Perform a Task" topic for the Command panel in the online help system and study the example procedures in the remainder of this appendix.
| Field Name | Description |
|---|---|
| Policy (Optional) | The number following Policy is the current policy generation (provided by the control agent) that the control agent is operating under. The number should agree with the Current policy generation field found in the System Inconsistencies panel that appears when you perform a Consistency Check. |
| Command Review/Edit (Required) | This group box organizes different options for reviewing and/or editing the various command sets generated or authored for the selected PEP. These command sets are published to the PEP by the Policy Distribution Point or received from the PEP by the Policy Distribution Point as part of status. You can review the following command sets: Expected Value: One of the options listed above. This value determines which set of commands you can review or edit in the Commands/Messages box. Example: Generation Status. |
| Commands/Messages (Text box) | Displays the command sets or message types selected under Command Review/Edit. In combination with the Prologue or Epilogue option, you can type new commands in the Commands/Messages box that you want to publish to the selected PEP as part of the composite command set (prologue + pending/generated + epilogue). These commands are not generated by Cisco Security Manager and are published in addition to the commands that it does generate. Any commands that you import into or export out of Cisco Security Manager are also those that appear in this box. |
| Command Approval (Required) | Specifies whether you want to approve the commands that Cisco Security Manager generates before they are published to the PEP during a Save and Update operation. Three possible values for this setting exist: Automatic. Specifies that you do not want to approve the command sets generated for the selected PEP before the Policy Distribution Point publishes them to the PEP. The command sets are published automatically during a Save and Update operation. Default. Specifies that you want to use the value specified under Policy Update Default in the Options dialog box, which you can access by clicking Options on the Tools menu. This option enables you to define a global setting for all PEPs. Manual. Specifies that you want to manually approve the command sets generated for the selected PEP before the Policy Distribution Point publishes them to the PEP. See Approve Now. Expected Value: One of the values listed above. The default value is Default. Example: Manual. |
| (Optional) | Specifies that you want to halt any ongoing sessions that the PEP currently allows, to bring them in line with the network policy that you intend to download to the PEP. This feature ensures that from the time the new command set is published to the PEP, all sessions adhere to the rules defined in that command set. Any sessions that are halted must be reissued by the client. For a PIX Firewall, this option inserts a clear xlate command at the end of the generated command set. Expected Value: Selected/Cleared (On/Off). Example: Selected. |
| Approve Now (Action) | Clicking Approve Now enables you to approve the selected command set after you review it. When you click Approve Now, the selected command set is approved and is immediately downloaded to the selected PEP without any further verification. Any settings under Command Approval are overridden when you click this button. In addition, you must use this button to approve the command sets if you have selected Manual under Command Approval. |
| (Action) | Enables you to search for a specific text string within the Commands/Messages box. To search a different command set, click that command set option under Command Review/Edit. |
| File Import (Action) | Clicking File Import enables you to import a previously exported PEP command set file. You can import the Prologue, Pending, or Epilogue command set; however, you cannot import a composite view of the command sets. Each command set must be imported separately. Expected Value: A valid filename that contains a previously exported set of commands that are valid for the selected PEP. Example: PixEpilogueCmds04-29-99.txt. |
| File Export (Action) | Clicking File Export enables you to export the currently selected command set. You can export any command set. However, you can use the File Import feature to import only certain command sets into the Command panel. Expected Value: A valid filename that uniquely identifies this command set for later use. Example: PixPendingCmds04-29-99.txt. |
Even though Cisco Security Manager does not support all combinations of PIX Firewall commands directly, it does support them indirectly through the Command panel on any specific PIX Firewall node in the Network Topology tree. This task illustrates how to enter a command for the PIX Firewall that Cisco Security Manager does not support automatically. The following procedure explains how to perform this task.
Step 1 To find the firewall for which you want to select the associated Policy Distribution Point, expand the Network Topology tree until you view the Corporate Firewall node in the Navigator pane.
Step 2 To access the shortcut menu, right-click the Corporate Firewall icon for which you want to restrict administrative access.
Step 3 To view the Command panel, point to Properties, and then click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 4 To specify that you want to define a command and include that command as part of the command set that is downloaded to the selected PIX Firewall, click the command type that you want to define under Command Review/Edit.
Result: The Commands/Messages box appears blank in the Command panel.
You can define three types of commands that are not generated by Cisco Security Manager:
Step 5 To specify the command that you want to include with the generated command sets published to the corporate firewall, type that command in the Commands/Messages box.
Step 6 For each unsupported command that you want to specify, repeat Step 5.
Step 7 To accept your changes and close the Command panel, click OK.
Step 8 To save any changes that you have made to the Policy Database, click Save on the File menu.
The next section illustrates how to use this procedure to perform a common task.
Currently, you cannot directly use Cisco Policy Manager to change the enable password for a PIX Firewall. However, two workarounds exist: Use the PIX Firewall Setup Wizard to change the password during initial configuration of the PIX Firewall, or use the Pending command box in Cisco Policy Manager.
To use the Pending command box to change the enable password, perform the following task:
Step 1 To generate a new set of pending commands, click Save and Update on the File menu.
Result: A new set of pending commands is generated for all PEPs residing on your network.
Step 2 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.
Result: The Network Topology tree appears in the Navigator pane.
Step 3 To find the PIX Firewall for which you want to specify the enable password, expand the Network Topology tree until you view that PIX Firewall node in the Navigator pane.
You can expand or collapse the tree structure in one of two ways:
Step 4 To access the shortcut menu, right-click the PIX Firewall icon for which you want to specify the enable password.
Step 5 To view the Command panel, point to Properties, and then click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 6 To specify that you want to edit the Pending command set, click Pending under Command Review/Edit.
Result: The Pending command set appears in the Commands/Messages box.
Step 7 To change the enable password, use the following format to type that password as part of the Pending command set in the Commands/Messages box:
enable password <new_password>
Step 8 To publish the new command set to the PIX Firewall and change the existing password to the password that you just specified, return to the Command panel on the PIX Firewall node, and then click Approve Now.
Result: The pending command set is published to the selected PIX Firewall. The next time that Cisco Security Manager accesses the PIX Firewall, it will use the enable password that you specified in the command above. Verify that you have specified this new password in the Enable password box in the Enforcement panel of the selected PIX Firewall node.
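The Command panel sections above describe the composite command set (prologue + pending/generated + epilogue), the clear xlate line added at the end of the generated set when sessions are halted, and the manual Approve Now checkpoint; the procedure just given puts an enable password line into the pending set. The following script is an added example written for this page, not Cisco Security Manager code: it assembles a composite set the way the panel describes and produces the review a practitioner would want before clicking Approve Now, flagging cleartext credential lines (the enable password line, which would also end up in any exported command set file) and disruptive clear commands, and offering a redacted copy for archiving. The one-command-per-line file layout with `!` comment lines, the sample commands, and the helper names (`compose`, `review`, `redact`) are all assumptions; the page names exported files but does not describe their format.

```python
"""Pre-approval review of a PIX Firewall command set (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample command sets (not from the page). Assumed layout: one PIX
# command per line; '!' comment lines and blank lines are ignored.
PROLOGUE = """\
! prologue: commands the table lists as not generated, typed in the Command panel
hostname corp-fw
mtu outside 1500
"""
PENDING = """\
! pending: commands generated by Cisco Security Manager, plus the manually
! typed enable password line from the procedure above
global (outside) 1 192.0.2.10-192.0.2.20
nat (inside) 1 10.0.0.0 255.0.0.0
enable password Example-Only-Pw
"""
EPILOGUE = """\
telnet 10.0.0.5 255.255.255.255
"""

# Lines that carry a credential in cleartext: review before Approve Now and
# keep out of exported command set files.
CREDENTIAL_PREFIXES = ("enable password",)
# Lines that tear down live state on the firewall (named on the page).
DISRUPTIVE_PREFIXES = ("clear xlate", "clear nat", "clear route")


def parse_command_set(text: str) -> List[str]:
    """Split a command set file into commands, dropping comments and blanks."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        commands.append(re.sub(r"\s+", " ", line))
    return commands


def compose(prologue: str, pending: str, epilogue: str,
            halt_sessions: bool = False) -> List[str]:
    """Build the composite set: prologue + pending/generated + epilogue.

    With halt_sessions set, 'clear xlate' goes at the end of the generated
    (pending) set, as the panel description on the page states.
    """
    generated = parse_command_set(pending)
    if halt_sessions:
        generated.append("clear xlate")
    return parse_command_set(prologue) + generated + parse_command_set(epilogue)


@dataclass
class ReviewReport:
    total: int
    credential_lines: List[int] = field(default_factory=list)  # 1-based
    disruptive_lines: List[int] = field(default_factory=list)
    duplicate_lines: List[int] = field(default_factory=list)

    @property
    def needs_manual_approval(self) -> bool:
        return bool(self.credential_lines or self.disruptive_lines)


def review(commands: List[str]) -> ReviewReport:
    """Flag lines a reviewer should inspect before clicking Approve Now."""
    report = ReviewReport(total=len(commands))
    seen = set()
    for idx, cmd in enumerate(commands, start=1):
        lowered = cmd.lower()
        if lowered.startswith(CREDENTIAL_PREFIXES):
            report.credential_lines.append(idx)
        if lowered.startswith(DISRUPTIVE_PREFIXES):
            report.disruptive_lines.append(idx)
        if lowered in seen:
            report.duplicate_lines.append(idx)
        seen.add(lowered)
    return report


def redact(commands: List[str]) -> List[str]:
    """Copy of the set with credential values masked, safe to export or archive."""
    out = []
    for cmd in commands:
        if cmd.lower().startswith(CREDENTIAL_PREFIXES):
            out.append(" ".join(cmd.split()[:2]) + " <redacted>")
        else:
            out.append(cmd)
    return out


if __name__ == "__main__":
    composite = compose(PROLOGUE, PENDING, EPILOGUE, halt_sessions=True)
    rep = review(composite)
    for i, c in enumerate(redact(composite), start=1):
        print(f"{i:2d}  {c}")
    print("needs manual approval:", rep.needs_manual_approval, rep)
```

Run it against an exported Pending file in place of the constructed `PENDING` string to see which line numbers need a second look; a set with any flagged line is one to approve manually rather than leave on Automatic, and the redacted copy is the one to keep alongside the export.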
Posted: Wed Aug 18 19:23:28 PDT 1999
Copyright © 1989-1999 Cisco Systems Inc.