- How to Best Use This Chapter
- "Do I Know This Already?" Quiz
- CiscoWorks Management Center for Firewalls Overview
- CiscoWorks
- Firewall MC Interface
- Basic User Task Flow
- Device Management
- Configuration Tasks
- Deployment Tasks
- Reports
- Administration Tasks
- CiscoWorks Auto Update Server
Foundation and Supplemental Topics
CiscoWorks Management Center for Firewalls Overview
The CiscoWorks Management Center for Firewalls (Firewall MC) enables you to manage the configuration of multiple PIX Firewall devices deployed throughout your network. Firewall MC is a Web-based application that provides centralized management for devices on your network and accelerates the deployment of firewalls to protect your network. Some features of Firewall MC are as follows:
Web-based interface for configuring and managing multiple firewalls
Configuration hierarchy and user interface to facilitate configuration of firewall settings
Support for PIX Firewall Version 6.0 and later
Ability to import configurations from existing firewalls
Ability to support dynamically addressed PIX Firewalls
Support for up to 1000 PIX Firewalls
Secure Sockets Layer (SSL) protocol support for client communications to CiscoWorks
Support for workflow and audit trails
To obtain maximum functionality from Firewall MC, you need to understand the following items:
Key concepts
Supported devices
Installation
Key Concepts
To use Firewall MC effectively to manage and configure the PIX Firewalls on your network, you need to understand certain key concepts. These concepts fall into the following three categories:
Configuration hierarchy
Configuration elements
Workflow process
Configuration Hierarchy
All devices managed by Firewall MC are grouped in a hierarchical structure beneath a global group. By placing managed devices in different groups and subgroups, you can simplify your configuration and management tasks because each group can include devices with similar attributes, such as similar access rules and configuration settings.
Each device managed by Firewall MC can be a member of only one specific group. A group is composed of one or more of the following items:
Subgroups
Devices
Devices inherit properties either from a specific group or individually from a specific device. Inheritance of properties allows your configuration changes to apply to multiple managed devices using less administrative effort.
Configuration Elements
Through Firewall MC, you can configure various characteristics of the managed firewalls deployed throughout your network. These characteristics fall into the following four major categories:
Device settings
Access rules
Translation rules
Building blocks
Device settings control specific configuration parameters on your PIX Firewalls, such as interface and routing properties. Access rules regulate network traffic and fall into the two categories shown in Table 14-2. Translation rules define the address translations that your firewalls will perform on network traffic. Building blocks associate names with specific objects, such as subnets, that you can then use when defining rules. All of the configuration elements are explained in detail later in this chapter.
Table 14-2 Access Rule Types
Access Rule Type | Description
Mandatory | Rules that apply to an enclosed group and that are ordered down to the devices in the group. These rules cannot be overwritten.
Default | Rules that apply to all of the devices in a group. These rules can be overwritten.
Workflow Process
The workflow process divides configuration changes made using Firewall MC into the following three steps:
Define configuration.
Implement configuration (approve).
Deploy configuration.
A collection of configuration changes made for a specific purpose is called an activity. After you submit an activity to be deployed, it is converted into a set of configuration files known as a job. Finally, the job is scheduled for deployment on the network. A different person can approve each of these steps. Activities and job management are explained in detail later in the chapter.
Supported Devices
Firewall MC Version 1.2.1 supports PIX Firewall Versions 6.0, 6.1, 6.2, and 6.3.x along with the Firewall Service Module (FWSM) Version 1.1.x.
NOTE
Not all PIX command-line interface (CLI) commands are configurable by using Firewall MC. For a complete list of Firewall MC-supported commands and devices, refer to http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products_device_support_tables_list.html.
The following PIX hardware models are supported by Firewall MC Version 1.2.1:
PIX 501
PIX 506/506E
PIX 515/515E
PIX 525
PIX 535
FWSM
Installation
Firewall MC requires CiscoWorks Common Services to run. Therefore, before you can install Firewall MC, you must install CiscoWorks Common Services (Version 2.2). Common Services provides services for the following:
Interacting with the CiscoWorks desktop
Setting up the CiscoWorks server
Administering the CiscoWorks server
Adding external connections to the CiscoWorks server
Database administration for Firewall MC applications
System administration
Logging
Diagnosing problems with the CiscoWorks server
For CiscoWorks to operate efficiently, your CiscoWorks server and client computers must meet certain hardware requirements.
Server Requirements
When installing Firewall MC, you need to understand the hardware and software requirements for the different components. To support all of the functionality provided by Firewall MC and the underlying CiscoWorks foundation, your CiscoWorks server must meet the following minimum requirements:
IBM PC-compatible computer
1-gigahertz (GHz) or faster processor
Color monitor with video card capable of viewing 256 colors
CD-ROM drive
10Base-T or faster network connection
Minimum of 1 gigabyte (GB) of random-access memory (RAM)
2 GB of virtual memory
Minimum of 9 GB of free hard drive space (NTFS)
Open Database Connectivity (ODBC) Driver Manager 3.510 or later
Windows 2000 Professional and Windows 2000 Server (with Service Pack 3 or 4)
NOTE
Requirements for the CiscoWorks server are frequently updated. For the latest server requirements, refer to the documentation on the Cisco website.
Client Requirements
Although Firewall MC runs on a server, access to Firewall MC is through a browser running on a client system. Client systems also must meet certain minimum requirements to ensure successful system operation. Your client systems should meet the following minimum requirements:
IBM PC-compatible
300-megahertz (MHz) or faster processor
Minimum 256 MB of RAM
400 MB of virtual memory (free space on hard drive)
Along with these requirements, your clients must be running one of the following operating systems:
Windows 2000 Professional or Server (with Service Pack 3 or later)
Windows XP Professional (with Service Pack 1) with Microsoft Virtual Machine
Windows 98
One final requirement is that your client systems must use one of the following web browsers:
Internet Explorer 6.0 (Service Pack 1) with Microsoft Virtual Machine
Netscape Navigator 4.78
Java Virtual Machine (JVM) version 5.1
NOTE
Requirements for the CiscoWorks clients are frequently updated. For the latest client requirements, refer to the documentation on the Cisco website.
PIX Bootstrap Commands
When you initially configure your PIX Firewall, you run the setup command to configure many of the basic components of the operational configuration. The setup command prompts you for the following items:
Enable password
Clock Universal Time Coordinate (UTC)
Date
Time
Inside Internet Protocol (IP) address
Inside network mask
Host name
Domain name
IP address of host running PDM
Besides this information, you must also configure the firewall to allow modification from a browser connection and specify which hosts or networks are allowed to initiate these Hypertext Transfer Protocol (HTTP) connections. Complete the following steps to enable the Firewall MC server to update the configuration on your firewall:
Step 1. Enable the firewall configuration to be modified from a browser by using the following command:
http server enable
Step 2. Specify the host or network authorized to initiate HTTP connections to the firewall by using the following command:
http ip-address [netmask] [interface-name]
Step 3. Store the current configuration in Flash memory by using the following command:
write memory
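As an added example (not code from the chapter or from Cisco), the following Python audit reads the http bootstrap lines described in the three steps above out of a saved PIX configuration and flags entries an administrator would want to question before enrolling the device in Firewall MC: the server not enabled, management access reachable on the outside interface, or an allow entry that covers far more than the Firewall MC server. The sample configuration, the 256-host threshold, and the defaults assumed for an omitted netmask or interface name are assumptions, not values from the page.

```python
import ipaddress
import re

# Constructed sample PIX 6.x configuration (not from the page): a single-host entry on inside and a wide-open entry on outside.
SAMPLE_CONFIG = """\
hostname pix-branch
http server enable
http 10.10.1.25 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
"""

DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_http_settings(config):
    """Return (server_enabled, [(IPv4Network, interface), ...]) for the page's
    syntax: http ip-address [netmask] [interface-name]. Assumed defaults (not
    stated on the page): no netmask means a single host, no name means inside."""
    enabled = False
    allowed = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "http":
            continue
        if parts[1] == "server":
            enabled = parts[2:] == ["enable"]
            continue
        mask, iface = "255.255.255.255", "inside"
        for token in parts[2:]:
            if DOTTED_QUAD.fullmatch(token):
                mask = token
            else:
                iface = token
        net = ipaddress.IPv4Network((parts[1], mask), strict=False)
        allowed.append((net, iface))
    return enabled, allowed

def audit_http_access(config, max_hosts=256):
    """Flag bootstrap settings to review before enrolling the device in
    Firewall MC: server disabled, outside exposure, or an overly broad range."""
    enabled, allowed = parse_http_settings(config)
    findings = []
    if not enabled:
        findings.append("http server enable is missing; Firewall MC cannot push to this device")
    for net, iface in allowed:
        if iface == "outside":
            findings.append(f"HTTP management reachable on outside from {net}")
        if net.num_addresses > max_hosts:
            findings.append(f"overly broad http entry {net} on {iface}")
    return findings
```

Run it against the output of show running-config saved to a file; an empty findings list means the bootstrap matches the narrow host-plus-interface form the steps above describe.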