Foundation and Supplemental Topics

CiscoWorks Management Center for Firewalls Overview

The CiscoWorks Management Center for Firewalls (Firewall MC) enables you to manage the configuration of multiple PIX Firewall devices deployed throughout your network. Firewall MC is a Web-based application that provides centralized management for devices on your network and accelerates the deployment of firewalls to protect your network. Some features of Firewall MC are as follows:

  • Web-based interface for configuring and managing multiple firewalls

  • Configuration hierarchy and user interface to facilitate configuration of firewall settings

  • Support for PIX Firewall Version 6.0 and later

  • Ability to import configurations from existing firewalls

  • Ability to support dynamically addressed PIX Firewalls

  • Support for up to 1000 PIX Firewalls

  • Secure Sockets Layer (SSL) protocol support for client communications to CiscoWorks

  • Support for Workflow and audit trails

To obtain maximum functionality from Firewall MC, you need to understand the following items:

  • Key concepts

  • Supported devices

  • Installation

Key Concepts

To use Firewall MC effectively to manage and configure the PIX Firewalls on your network, you need to understand certain key concepts. These concepts fall into the following three categories:

  • Configuration hierarchy

  • Configuration elements

  • Workflow process

Configuration Hierarchy

All devices managed by Firewall MC are grouped in a hierarchical structure beneath a global group. By placing managed devices in different groups and subgroups, you can simplify your configuration and management tasks because each group can include devices with similar attributes, such as similar access rules and configuration settings.

Each device managed by Firewall MC can be a member of only one specific group. A group is composed of one or more of the following items:

  • Subgroups

  • Devices

A device's properties are either inherited from the group that contains it or defined individually on that device. Inheritance lets a single configuration change apply to many managed devices with less administrative effort.

Configuration Elements

Through Firewall MC, you can configure various characteristics of the managed firewalls deployed throughout your network. These characteristics fall into the following four major categories:

  • Device settings

  • Access rules

  • Translation rules

  • Building blocks

Device settings control specific configuration parameters on your PIX Firewalls, such as interface and routing properties. Access rules regulate network traffic and fall into the two categories shown in Table 14-2. Translation rules define the address translations that your firewalls will perform on network traffic. Building blocks associate names with specific objects, such as subnets, that you can then use when defining rules. All of the configuration elements are explained in detail later in this chapter.

Table 14-2 Access Rule Types

  Access Rule Type   Description

  Mandatory          Rules that apply to an enclosed group and that are ordered down to the devices in the group. These rules cannot be overwritten.

  Default            Rules that apply to all of the devices in a group. These rules can be overwritten.
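
As an added illustration of the group hierarchy and of the two access rule types in Table 14-2 (example code written for this edit, not part of the book or of Firewall MC itself), the following Python model resolves the effective rule list for a device. It assumes the usual reading of "ordered down": mandatory rules are applied from the global group downward ahead of the device's own rules, default rules are appended after them, and a device rule with the same label replaces a default rule but is rejected if it would replace a mandatory one.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str   # label; a device rule with the same name replaces a default rule
    text: str   # the rule as it would be rendered on the firewall


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    mandatory: list = field(default_factory=list)  # ordered down, cannot be overridden
    default: list = field(default_factory=list)    # apply to all members, can be overridden


def group_chain(group: Group) -> list:
    """Return the path from the global group down to `group`."""
    chain = []
    while group is not None:
        chain.append(group)
        group = group.parent
    return chain[::-1]


def effective_rules(group: Group, device_rules: list) -> list:
    """Assumed ordering: mandatory (global first), then device rules, then defaults."""
    chain = group_chain(group)
    mandatory = [r for g in chain for r in g.mandatory]
    locked = {r.name for r in mandatory}
    clash = [r.name for r in device_rules if r.name in locked]
    if clash:
        raise ValueError(f"device rule(s) {clash} would override mandatory rules")
    overridden = {r.name for r in device_rules}
    # Defaults of the nearest group come first; an overridden default is dropped.
    defaults = [r for g in reversed(chain) for r in g.default if r.name not in overridden]
    return mandatory + device_rules + defaults


# Constructed hierarchy (not from the book): Global > Branches > a device
GLOBAL = Group("Global",
               mandatory=[Rule("deny-telnet", "deny tcp any any eq 23")],
               default=[Rule("allow-web", "permit tcp any any eq 80"),
                        Rule("deny-all", "deny ip any any")])
BRANCHES = Group("Branches", parent=GLOBAL,
                 mandatory=[Rule("allow-mgmt", "permit tcp host 10.1.1.5 any eq 443")])


def example_device() -> list:
    """A branch device narrowing the inherited allow-web default to its own subnet."""
    own = [Rule("allow-web", "permit tcp 10.2.0.0 255.255.0.0 any eq 80")]
    return [r.name for r in effective_rules(BRANCHES, own)]
```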


Workflow Process

The workflow process divides configuration changes made using Firewall MC into the following three steps:

  1. Define configuration.

  2. Implement configuration (approve).

  3. Deploy configuration.

A collection of configuration changes made for a specific purpose is called an activity. After you submit an activity to be deployed, it is converted into a set of configuration files known as a job. Finally, the job is scheduled for deployment on the network. A different person can approve each of these steps. Activities and job management are explained in detail later in the chapter.

Supported Devices

Firewall MC Version 1.2.1 supports PIX Firewall Versions 6.0, 6.1, 6.2, and 6.3.x along with the Firewall Service Module (FWSM) Version 1.1.x.

NOTE

Not all PIX command-line interface (CLI) commands are configurable by using Firewall MC. For a complete list of Firewall MC-supported commands and devices, refer to http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products_device_support_tables_list.html.

The following PIX hardware models are supported by Firewall MC Version 1.2.1:

  • PIX 501

  • PIX 506/506E

  • PIX 515/515E

  • PIX 525

  • PIX 535

  • FWSM

Installation

Firewall MC requires CiscoWorks Common Services to run. Therefore, before you can install Firewall MC, you must install CiscoWorks Common Services (Version 2.2). Common Services provides services for the following:

  • Interacting with the CiscoWorks desktop

  • Setting up the CiscoWorks server

  • Administering the CiscoWorks server

  • Adding external connections to the CiscoWorks server

  • Database administration for Firewall MC applications

  • System administration

  • Logging

  • Diagnosing problems with the CiscoWorks server

For CiscoWorks to operate efficiently, your CiscoWorks server and client computers must meet certain hardware requirements.

Server Requirements

When installing Firewall MC, you need to understand the hardware and software requirements for the different components. To support all of the functionality provided by Firewall MC and the underlying CiscoWorks foundation, your CiscoWorks server must meet the following minimum requirements:

  • IBM PC-compatible computer

  • 1-gigahertz (GHz) or faster processor

  • Color monitor with a video card capable of displaying 256 colors

  • CD-ROM drive

  • 10Base-T or faster network connection

  • Minimum of 1 gigabyte (GB) of random-access memory (RAM)

  • 2 GB of virtual memory

  • Minimum of 9 GB of free hard drive space (NTFS)

  • Open Database Connectivity (ODBC) Driver Manager 3.510 or later

  • Windows 2000 Professional and Windows 2000 Server (with Service Pack 3 or 4)

NOTE

Requirements for the CiscoWorks server are frequently updated. For the latest server requirements, refer to the documentation on the Cisco website.

Client Requirements

Although Firewall MC runs on a server, you access it through a browser running on a client system. Client systems also must meet certain minimum requirements to ensure successful system operation. Your client systems should meet the following minimum requirements:

  • IBM PC-compatible

  • 300-megahertz (MHz) or faster processor

  • Minimum 256 MB of RAM

  • 400 MB of virtual memory (free space on hard drive)

Along with these requirements, your clients must be running one of the following operating systems:

  • Windows 2000 Professional or Server (with Service Pack 3 or later)

  • Windows XP Professional (with Service Pack 1) with Microsoft Virtual Machine

  • Windows 98

One final requirement is that your client systems must use one of the following web browsers:

  • Internet Explorer 6.0 (Service Pack 1) with Microsoft Virtual Machine

  • Netscape Navigator 4.78

  • Java Virtual Machine (JVM) version 5.1

NOTE

Requirements for the CiscoWorks clients are frequently updated. For the latest client requirements, refer to the documentation on the Cisco website.

PIX Bootstrap Commands

When you initially configure your PIX Firewall, you run the setup command to configure many of the basic components of the operational configuration. The setup command prompts you for the following items:

  • Enable password

  • Clock (Coordinated Universal Time, UTC)

  • Date

  • Time

  • Inside Internet Protocol (IP) address

  • Inside network mask

  • Host name

  • Domain name

  • IP address of the host running PIX Device Manager (PDM)

Besides this information, you must also configure the firewall to allow modification from a browser connection and specify which hosts or networks are allowed to initiate these Hypertext Transfer Protocol (HTTP) connections. Complete the following steps to enable the Firewall MC server to update the configuration on your firewall:

  1. Enable the firewall configuration to be modified from a browser by using the following command:

     http server enable

  2. Specify the host or network authorized to initiate HTTP connections to the firewall by using the following command:

     http ip-address [netmask] [interface-name]

  3. Store the current configuration in Flash memory by using the following command:

     write memory
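
An added defender-side check (example code written for this edit, not from the book): it parses the http commands above out of a constructed PIX configuration sample and flags entries that let more than the Firewall MC management network, or a different interface, initiate HTTP connections. The management network, the interface name, and the defaults applied when the netmask or interface is omitted (host mask, inside interface) are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample of the relevant lines from a PIX running configuration
# (made up for this example, not taken from the book).
SAMPLE_CONFIG = """\
hostname pix-branch1
http server enable
http 10.1.1.5 255.255.255.255 inside
http 10.1.2.0 255.255.255.0
http 0.0.0.0 0.0.0.0 outside
"""

# http ip-address [netmask] [interface-name]; netmask and interface are optional.
HTTP_RE = re.compile(r"^http\s+(\S+)(?:\s+(\S+))?(?:\s+(\S+))?\s*$")


def parse_http_access(config: str):
    """Return (server_enabled, [(network, interface), ...]) for the http commands."""
    enabled = False
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            enabled = True
            continue
        m = HTTP_RE.match(line)
        if not m:
            continue
        ip, mask, iface = m.groups()
        # Assumed defaults when omitted: a host mask and the inside interface.
        net = ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False)
        entries.append((net, iface or "inside"))
    return enabled, entries


def audit_http_access(config: str, mgmt_net: str, mgmt_iface: str) -> list:
    """List http entries wider than the Firewall MC management network/interface."""
    allowed = ipaddress.IPv4Network(mgmt_net)
    enabled, entries = parse_http_access(config)
    findings = []
    if not enabled:
        findings.append("http server enable is missing; Firewall MC cannot push configuration")
    for net, iface in entries:
        if iface != mgmt_iface:
            findings.append(f"http access allowed on {iface}, expected only {mgmt_iface}")
        elif not net.subnet_of(allowed):
            findings.append(f"http access from {net} is wider than management network {allowed}")
    return findings
```

Run `audit_http_access(SAMPLE_CONFIG, "10.1.1.0/24", "inside")` against the sample to see the two over-broad entries reported while the single management host passes.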