November 1997
This document describes how to install and configure Cisco's PIX Firewall Manager.
The following topics are covered in these release notes:
Cisco's PIX Firewall Manager lets you administer one or more PIX Firewall units, view SYSLOG messages, and define customized alarms for each type of SYSLOG message. You can use the PIX Firewall Manager to view, add, and modify the configuration of each PIX Firewall unit.
PIX Firewall Manager software includes these components:
PIX Firewall Manager provides two access levels: user-level with read-only (non-modifying) access and administrator-level with read and write access.
Diskettes for installing PIX Firewall Manager are provided in the PIX Firewall accessory kit.
Before installing PIX Firewall Manager, you need the following:
Step 1 Click the Start menu and choose Settings.
Step 2 Select Control Panel and double-click the Network icon.
Step 3 Click the Protocols tab and choose TCP/IP Protocols.
Step 4 Select Properties and when the Microsoft TCP/IP Properties dialog box opens, click the IP Address tab. The IP address appears on the lower part of this tab.
Step 5 If the Obtain an IP address from a DHCP server item is checked, click it to disable it. Then click Specify an IP address and enter an IP address, subnet mask, and default gateway IP address for this system.
The following sections list software requirements for using PIX Firewall Manager.
All PIX Firewall units managed by PIX Firewall Manager must be running PIX Firewall version 4.1.3 or later. To check the version of the PIX Firewall software, go to the unit and enter the show version command at the console.
If you intend to manage PIX Firewall units on the outside network, each foreign unit must run Private Link and at least one firewall on the local network must also run Private Link. The local PIX Firewall must be configured to communicate with the foreign Private Link firewalls.
You must have console access to each local PIX Firewall you manage. If you are managing remote firewalls, work with the site administrator to get the PIX Firewall to communicate with PIX Firewall Manager.
To configure each PIX Firewall unit, enter these commands at the PIX Firewall console:
Step 1 enable--to enter privileged mode. When prompted, enter the privileged mode password. The default is no password and you can press the Enter key at the prompt.
Step 2 configure terminal--to enter configuration mode.
Step 3 nameif--to specify the name or security level of the outside or optional third interface on the PIX Firewall. The inside interface cannot be renamed or given a different security level. Each security level must be a unique number between 0 and 99.
Step 4 interface--to set options for the Ethernet or Token Ring network interfaces.
Step 5 ip address--to assign IP addresses and network masks to each interface.
Step 6 telnet--to let the PIX Firewall communicate with the PIX Firewall Manager:
Replace Windows_NT_IP_Address with the IP address of the Windows NT system.
Add the comment before the telnet statement to ensure that the next person configuring the firewall knows the purpose of this telnet statement.
Step 7 link--If you are managing remote PIX Firewall units, configure each for Private Link access. Refer to Chapter 2, "Configuring the PIX Firewall" in the PIX Firewall Series Configuration Guide for information on configuring Private Link, and Chapter 3, "Command Reference," to view the link command page for more information.
Step 8 write memory--save the configuration in flash memory.
All commands are described in the PIX Firewall Series Configuration Guide supplied in your PIX Firewall accessory kit.
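The steps above make two security-relevant demands on each managed unit: console Telnet must be opened only for the Management Server's address (which the "Management Server Requirements" section restricts to the inside network), and each telnet statement should carry a comment so the next administrator knows why it exists; the nameif step adds that the non-inside interfaces need unique security levels between 0 and 99. The following Python script, an added example and not Cisco's code, audits a saved configuration for those three points. The configuration text is constructed for illustration, and the command forms it parses (nameif <interface> <name> security<N>, ip address <name> <ip> <mask>, telnet <ip> [<mask>]) are assumed here rather than taken from the page.

```python
"""Audit a PIX-style configuration for the management-access rules
described in the PIX Firewall Manager release notes.

Added example; not Cisco code.  SAMPLE_CONFIG is constructed, and the
command syntax matched below is an assumption about the 4.x CLI.
"""
import ipaddress
import re

# Constructed sample: one telnet entry is commented and on the inside
# network, the other is neither, so the audit should flag the second.
SAMPLE_CONFIG = """\
! constructed sample configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.42.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.0
! PIX Firewall Manager runs on the Windows NT host 192.168.42.42
telnet 192.168.42.42 255.255.255.255
telnet 203.0.113.9 255.255.255.255
"""

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d+)\s*$")
IPADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TELNET_RE = re.compile(r"^telnet\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_config(text):
    """Return (interfaces, telnets).

    interfaces maps interface name -> {'security': int, 'network': IPv4Network}
    telnets is a list of (host, mask, preceded_by_comment) tuples.
    """
    interfaces = {}
    telnets = []
    prev_was_comment = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):          # comment line
            prev_was_comment = True
            continue
        m = NAMEIF_RE.match(line)
        if m:
            interfaces.setdefault(m.group(2), {})["security"] = int(m.group(3))
        m = IPADDR_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            interfaces.setdefault(m.group(1), {})["network"] = net
        m = TELNET_RE.match(line)
        if m:
            telnets.append((m.group(1), m.group(2) or "255.255.255.255", prev_was_comment))
        prev_was_comment = False
    return interfaces, telnets


def audit(text):
    """Return a list of human-readable findings (empty when the config passes)."""
    interfaces, telnets = parse_config(text)
    findings = []
    inside_net = interfaces.get("inside", {}).get("network")
    if inside_net is None:
        findings.append("inside interface has no ip address statement")

    # Non-inside interfaces: security level must be unique and within 0-99.
    seen = {}
    for name, info in interfaces.items():
        if name == "inside" or "security" not in info:
            continue
        level = info["security"]
        if not 0 <= level <= 99:
            findings.append(f"{name}: security level {level} outside 0-99")
        if level in seen:
            findings.append(f"{name}: security level {level} duplicates {seen[level]}")
        seen[level] = name

    # Telnet access: only inside hosts, and each entry documented by a comment.
    for host, mask, commented in telnets:
        net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
        if inside_net is not None and not net.subnet_of(inside_net):
            findings.append(f"telnet {host} {mask}: not on the inside network {inside_net}")
        if not commented:
            findings.append(f"telnet {host} {mask}: no comment explaining purpose")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of a show config session saved to a file; an empty result means every Telnet-permitted host sits on the inside network and is documented, and the outside and optional third interface have distinct levels in range.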
The Windows NT system on which you install the Management Server requires the following:
The Management Server runs as a background Windows NT service (similar to a UNIX daemon). The server starts automatically when the installation completes or when a user logs in. An icon for the server does not display in the task bar.
All machines running the Management Server must be on the PIX Firewall's "inside" (most secure) network.
PIX Firewall Manager comes with a sound file, T1.AU, for the SYSLOG audio alarm.
All sound files must be in .AU format.
To use another .AU format sound file:
Step 1 Place the sound file on the Windows NT system running the Management Server in the following subdirectories of the Management Server's target directory:
Step 2 Click the Management Client's Setting tab to modify the audio filename.
You can stop the Management Server from the Windows NT Services item on the Control Panel. Access the Control Panel by choosing the Settings item from the Start menu. Double-click the Services icon and when the dialog box opens, select the "PIX Firewall Management Server" item. You can stop the service with the Stop button in the dialog box.
All machines running the Management Client must be on the PIX Firewall's inside network.
The Management Client network browser must be Java 1.02 or 1.1 compliant.
The following browsers are supported:
The system running the browser must use Windows 95, Windows NT 4.0 Workstation, Windows NT 4.0 Server, or Solaris. On Windows 95 or Windows NT 4.0, 32 MB RAM is highly recommended.
During installation, if a previous version of the PIX Firewall Manager is found, the installation program replaces the old version with the new.
To install PIX Firewall Manager:
Step 1 Verify network connectivity before starting. This consists of successfully performing the following:
(a) From each PIX Firewall you intend to manage, ping the Windows NT system. Use the PIX Firewall ping inside command. The ping is successful if the "response received" message appears. If the ping is unsuccessful, verify the IP address of the Windows NT system and check the network cabling. For example, if the Windows NT system has an IP address of 192.168.42.42, you would use the following commands from the PIX Firewall to enter configuration mode and run the ping command:
enable
(b) From the Windows NT system, ping the inside interface of each PIX Firewall. To ping from Windows NT, click the Start menu. Then choose the Run... item and enter the ping command, or choose the Programs item and then Command Prompt and enter the command there. The ping is successful if the "Reply from" message appears. If the ping is unsuccessful, verify the IP address of the Windows NT system and check the network cabling. For example, if a PIX Firewall has an IP address of 192.168.42.54, you would enter this command:
ping 192.168.42.54
(c) From the Windows NT system, establish a Telnet session with each target PIX Firewall. The Telnet is successful if the "PIX password" prompt appears. The default password is cisco. Enter the password and after messages appear, you then receive access to the PIX Firewall command prompt. If the Telnet is unsuccessful, go to the PIX Firewall and use the show telnet command to ensure that the configuration has a telnet command entry for the IP address of the Windows NT system. Refer to "PIX Firewall Requirements" for information on how to enter the PIX Firewall console commands to get to configuration mode, give Telnet access, and to store the configuration in flash memory. For example, if a PIX Firewall has an IP address of 192.168.42.54, enter these commands to access configuration mode, permit Telnet to the PIX Firewall console, and store the configuration in flash memory:
enable
Step 2 Exit all Windows programs.
Step 3 Log into the Windows NT system as Administrator.
Step 4 From the Windows NT system, insert the first PIX Firewall Manager diskette in the diskette drive. You can install the software:
Step 5 Once the installation program starts, you are prompted with a series of dialog boxes. You can simply click Next and the installation will proceed without interruption. Alternately, you can designate an installation directory other than the default.
Step 6 When you are prompted for a port number for the PIX Firewall Manager's built-in web server, use the default, 8080, unless that port is in use already. Any port between 1025 and 64000 can be entered as an alternative. To pick another port, view ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers to find the ports in use.
The installation program then copies its files and prompts you to insert the second diskette. Insert the diskette and the remaining files are copied.
Step 7 At the last dialog box, click Finish.
Step 8 To check whether the Management Server is running, choose Settings from the Start menu. Select Control Panel and double-click the Services icon. Look for the "PIX Firewall Management Server" service name. A server is running if its status appears as Started. If the status field is blank, you may run the server by selecting its name and then clicking Start.
Step 9 After the software setup completes, change the PIX Admins and PIX Users passwords with the Windows NT User Manager program. User Manager may also appear as User Manager for Domains in some Windows NT 4.0 or later versions.
To access User Manager, choose Programs from the Start menu, and choose Administrative Tools from the Programs folder. Then choose User Manager. When User Manager starts, you will see two users groups, PIX Admins and PIX Users. All members in the PIX Admins group have read and write access, and all members in the PIX Users group can only read, but not change the PIX Firewall configurations. User names that do not belong to one of these two groups cannot use the Management Client applet.
To change the two passwords, select either the PIX Admins or PIX Users accounts in the User Manager dialog box and choose Properties... from the File menu. Enter the new password in the Password and Confirm Password fields, and click OK to exit.
You can specify which users can access the Management Client by creating logins on the Windows NT system in which PIX Firewall Manager is installed and giving the user either PIX Firewall Manager administrative or read-only access privileges. When the Management Client starts, users enter their login and password and, if accepted, can then run PIX Firewall Manager.
To limit access to the Management Client:
Step 1 Start User Manager as described in Step 9 in the last section, "Installing PIX Firewall Manager." The User Manager dialog box appears. If you want to authorize access for users who already have logins on the Windows NT system, proceed to Step 2. To add new users to the Windows NT system, choose New User from the User menu. Specify the information for the user including the user's login name, full name, and password.
Step 2 To give a user access to the Management Client, locate the Groups area at the bottom of the User Manager dialog box.
Step 3 From the Groups area, if you want users to be able to change PIX Firewall settings, double-click PIX Admins. If you want users to only have read access and no change privileges, double-click PIX Users. The Local Group Properties dialog box then appears.
Step 4 Click Add to add an existing user to the selected group. The Add Users and Groups dialog box appears.
Step 5 Select the name of the user you wish to add, click Add, and then click OK to complete adding this user. Control returns to the Local Group Properties dialog box where you can continue adding users. To exit back to the User Manager dialog box, click OK. Then exit User Manager by clicking OK.
You can view the Management Client applet with any network browser described in "Management Client Requirements."
The sections that follow describe how to disable proxies from each type of supported network browser before running the Management Client.
Step 1 Choose the Network Preferences option from the Options menu.
Step 2 Click the Proxies tab, check the No Proxies option, and click OK.
Step 3 Choose the Open Location option from the File menu, enter ^L, or click Open, and enter the following:
IP_address is the system running PIX Firewall Manager Server. port is the Management Server's web server port that you defined in Step 6 of "Installing PIX Firewall Manager."
Step 1 Choose the Preferences... item from the Edit menu. A dialog box appears.
Step 2 In the hierarchy display at the left, double-click the Advanced item. (In Solaris, click the arrow beside Advanced.) The hierarchy expands to display additional choices.
Step 3 Click the Proxies item from the expanded hierarchy list.
Step 4 Check the Direct connection to the Internet option and click OK.
Step 5 Choose the Open Location option from the File menu, enter ^L, or click Open, and enter the following:
IP_address is the system running PIX Firewall Manager Server. port is the Management Server's web server port that you defined in Step 6 of "Installing PIX Firewall Manager."
Step 1 Choose the Internet Options... item from the View menu.
Step 2 Click the Connections tab.
Step 3 In the Proxies Server group box, disable the Access the Internet using a proxy server option.
Step 4 Return to the main menu and enter the following:
IP_address is the system running PIX Firewall Manager Server. port is the Management Server's web server port that you defined in Step 6 of "Installing PIX Firewall Manager."
Step 1 After you have disabled browser proxies as described in "Disabling Browser Proxies" and started the Management Client, the home page appears.
Step 2 You are then prompted for a user name and password. For the user name, enter pixadmin for read-write access, or pixuser for read-only access. Enter either the default password, cisco, or the new password recommended in Step 9 in "Installing PIX Firewall Manager."
Step 3 You can use the Enter key to move between the user name and password fields (the Tab key has no effect). When you complete entering a user name and password, click OK. The PIX Firewall Manager then opens after loading the Java applet into memory.
Step 4 To view or modify the PIX Firewall configuration, go to the Main Tree window on the left side of the window and select a PIX Firewall folder. If the Main Tree window is empty, click Add to add PIX Firewall units for management.
Step 5 To ensure that the firewall can reload the new configuration after reboot, save the configuration in the firewall's flash memory by clicking the Save button in the upper-left corner. To back up the configuration to a diskette, place an IBM-formatted diskette in the PIX Firewall's drive. Then in the PIX Firewall Manager's Main Tree window, go to the PIX Firewall folder's Administration folder and choose Save/Erase Config and click to Floppy.
Step 6 If you need to restart the applet, you must first close and restart the Web browser, then load the applet again. Do not click the browser's Reload button because the browser may run out of memory and crash with a page fault or by becoming non-responsive.
After you enter your login credentials, the Management Client screen appears. The areas of the screen you can see are as follows:
To start, double-click the PIX Firewall folder you want to access.
The folder opens to display the possible configuration options for this unit.
The grayed buttons at the top are accessible once you click a configuration option that can be changed.
Double-click the configuration option you want. The folder then opens into a series of subfolders or files for each configuration feature. The Action window displays information about each configuration feature. If you want to add information, click Add. To delete an entry, click Del. To save your configuration, click Save.
The following configuration features can be viewed on the Manager Client but must be added or changed at the PIX Firewall's console port or Telnet session:
To generate SYSLOG reports:
Step 1 From the Web browser, download the Microsoft Excel macro, REPORT.XLS, from the Manager Server by entering the following:
IP_address is the system running Management Server and port is the Management Server's built-in web server port you defined when you installed PIX Firewall Manager.
Step 2 From the same site, download the SYSLOG database file STAT.DBF, domain name database file DNS.DBF, and the daily information database file(s). For example, Monday.dbf is Monday's log file.
Step 3 Start Microsoft Excel 97. (The PIX Firewall Manager SYSLOG reports only work with Microsoft Excel 97 or later.)
Step 4 Choose Open from the File menu and open the macro REPORT.XLS. Do not open it from the list of previously opened files on the File menu.
Step 5 If a dialog box appears asking if you want to download the macro, click Enable Macros, then continue.
Step 6 In the next dialog box, if you select daily information files, an Open File dialog box is displayed. Select a file from Monday.dbf to Sunday.dbf, then click Open.
Step 7 Make your selections in the dialog boxes that follow. At the end, a chart is generated.
Step 8 To print the chart, choose Print from the File menu.
Step 9 To generate another chart, close the macro REPORT.XLS, and then go to Step 4.
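The SYSLOG data the Management Server exposes (STAT.DBF, DNS.DBF and the daily Monday.dbf through Sunday.dbf files) is in dBase .DBF format, which is why the procedure above relies on an Excel macro. An analyst who wants to review the daily files without Excel 97 can read them directly. The following Python script is an added example, not part of the PIX Firewall Manager distribution: it builds a small dBase III file with a constructed field layout (the page does not document the real column layout of the daily files, so the TIME, SRCADDR, DSTADDR, MSGID and COUNT columns and their values are assumed), parses it back using the standard dBase III header and field-descriptor layout, skips records carrying the deleted flag, and totals message counts per source address.

```python
"""Read dBase III (.DBF) files such as the PIX Firewall Manager daily
SYSLOG databases and summarise them without Excel.

Added example; not Cisco code.  The field layout and the records in
SAMPLE_FIELDS / SAMPLE_RECORDS are constructed for illustration.
"""
import struct

# Constructed layout: (field name, dBase type, field width).
SAMPLE_FIELDS = [
    ("TIME", "C", 8),
    ("SRCADDR", "C", 15),
    ("DSTADDR", "C", 15),
    ("MSGID", "N", 6),
    ("COUNT", "N", 6),
]

# Constructed records; the third carries the dBase "deleted" flag and
# must be ignored by a correct reader.  MSGID values are placeholders.
SAMPLE_RECORDS = [
    {"TIME": "08:15:02", "SRCADDR": "192.168.42.42", "DSTADDR": "192.168.42.1", "MSGID": 101, "COUNT": 3},
    {"TIME": "08:16:40", "SRCADDR": "203.0.113.9", "DSTADDR": "192.168.42.1", "MSGID": 101, "COUNT": 12},
    {"TIME": "08:17:00", "SRCADDR": "203.0.113.9", "DSTADDR": "192.168.42.1", "MSGID": 102, "COUNT": 1, "_deleted": True},
    {"TIME": "09:00:11", "SRCADDR": "192.168.42.77", "DSTADDR": "192.168.42.1", "MSGID": 102, "COUNT": 2},
]

HEADER_FMT = "<BBBBIHH20x"       # version, yy, mm, dd, record count, header len, record len
FIELD_FMT = "<11sc4xBB14x"       # name, type, (reserved), width, decimals, (reserved)


def build_dbf(fields, records):
    """Serialise records into a minimal dBase III file (used here to make sample input)."""
    header_len = 32 + 32 * len(fields) + 1          # descriptors end with 0x0D
    record_len = 1 + sum(width for _, _, width in fields)  # 1 byte deletion flag
    out = struct.pack(HEADER_FMT, 0x03, 97, 11, 24, len(records), header_len, record_len)
    for name, ftype, width in fields:
        out += struct.pack(FIELD_FMT, name.encode("ascii"), ftype.encode("ascii"), width, 0)
    out += b"\r"
    for rec in records:
        out += b"*" if rec.get("_deleted") else b" "
        for name, ftype, width in fields:
            value = str(rec[name]).encode("ascii")
            out += value.rjust(width) if ftype == "N" else value.ljust(width)
    return out + b"\x1a"


def read_dbf(data):
    """Parse a dBase III file; return (fields, records) with deleted records dropped."""
    _version, _yy, _mm, _dd, nrec, header_len, record_len = struct.unpack_from("<BBBBIHH", data, 0)
    fields = []
    pos = 32
    while data[pos] != 0x0D:                          # field descriptors until terminator
        raw_name, ftype, width, _decimals = struct.unpack_from(FIELD_FMT, data, pos)
        fields.append((raw_name.rstrip(b"\x00").decode("ascii"), ftype.decode("ascii"), width))
        pos += 32
    records = []
    pos = header_len
    for _ in range(nrec):
        if data[pos:pos + 1] == b"*":                 # deleted-record flag
            pos += record_len
            continue
        off = pos + 1
        rec = {}
        for name, ftype, width in fields:
            raw = data[off:off + width].decode("ascii").strip()
            rec[name] = int(raw) if ftype == "N" and raw else raw
            off += width
        records.append(rec)
        pos += record_len
    return fields, records


def count_by_source(records):
    """Total the COUNT column per SRCADDR, the figure a daily report would chart."""
    totals = {}
    for rec in records:
        totals[rec["SRCADDR"]] = totals.get(rec["SRCADDR"], 0) + rec["COUNT"]
    return totals


if __name__ == "__main__":
    _fields, recs = read_dbf(build_dbf(SAMPLE_FIELDS, SAMPLE_RECORDS))
    for src, total in sorted(count_by_source(recs).items(), key=lambda kv: -kv[1]):
        print(f"{src:<16} {total}")
```

For a real daily file, replace the constructed bytes with open("Monday.dbf", "rb").read() and inspect the field names read_dbf returns before relying on any column name.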
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more up to date than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar, select Documentation, and click Enter the feedback form. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.