© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.117-1 Chapter 17 Enterprise PIX Management.

Transcript:

Chapter 17: Enterprise PIX Management

Objectives

Upon completion of this chapter, you will be able to complete the following tasks:
– Define key features and concepts of the PIX MC.
– Install the PIX MC.
– Import devices.
– Manage devices and groups.
– Configure PIX Firewall settings.
– Manage activities and jobs.
– Administer the PIX MC server.
– Manage multiple PIX Firewalls with the PIX MC.

Introduction

What Is the PIX MC?
The PIX MC is a web-based application that centralizes and accelerates the deployment and management of multiple PIX Firewalls.
(Figure labels: PIX MC, PC, laptop, SSL, SSH.)

Key Concepts
Understanding the following key concepts helps you maximize PIX MC functionality:
– Configuration hierarchy
– Configuration elements
– Workflow process

Supported Devices
The PIX MC supports PIX Firewalls running operating system version 6.0 and higher. In addition to the software requirements, the PIX MC supports the following hardware:
– PIX Firewall 501
– PIX Firewall 506E
– PIX Firewall 515E
– PIX Firewall 525
– PIX Firewall 535

Installation

Installation Overview
CiscoWorks Common Services is required for the PIX MC. Common Services provides the CiscoWorks Server base components, software libraries, and software packages developed for the PIX MC.

Installation Requirements
Hardware:
– IBM PC-compatible computer with 1-GHz or faster CPU
– Color monitor capable of displaying 256 colors
– CD-ROM drive
– 10-BaseT or faster network connection
Memory: 1 GB of RAM minimum
Disk drive space:
– 9 GB minimum
– FAT32 or NTFS file system (NTFS recommended for security reasons)
– 2 GB of virtual memory
Software:
– Windows 2000 Server with Service Pack 2
– ODBC Driver Manager or later

Client Access Requirements
Hardware:
– IBM PC-compatible computer with 300-MHz or faster CPU
– 10-BaseT or faster network connection
Software (one of the following):
– Windows 98
– Windows NT 4.0
– Windows 2000 Professional with Service Pack 2
– Windows 2000 Server/Advanced Server with Service Pack 2
– Windows XP Professional
Memory: 256 MB of RAM minimum
Disk drive space: 400 MB of virtual memory
Browser: Internet Explorer 5.5 or later

Installation Process

Installation Process (cont.)

Getting Started

PIX Firewall Bootstrap Commands

pixfirewall(config)# http server enable
Enables the PIX Firewall to be monitored or have its configuration modified from a browser.

pixfirewall(config)# http ip_address [netmask] [if_name]
Specifies the host or network authorized to initiate an HTTP connection to the PIX Firewall.

Example:
pixfirewall(config)# http server enable
pixfirewall(config)# http inside
Enables the PIX Firewall to be modified from a browser in the network on the inside interface.
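As an added illustration (not part of the course slides or any Cisco tool), the following Python reads these bootstrap commands and reports which hosts are authorized to open an HTTP connection to the PIX Firewall, so an administrator can check the scope granted before handing the device to the PIX MC. The sample configuration is constructed, and the defaults assumed for an omitted netmask and if_name should be verified against the PIX command reference for the OS version in use.

```python
import ipaddress

# Constructed sample of PIX bootstrap lines (not taken from a real device).
SAMPLE_CONFIG = """\
http server enable
http 10.0.1.11 255.255.255.255 inside
http 10.0.1.0 255.255.255.0 inside
"""

def parse_http_bootstrap(config_text):
    """Parse 'http server enable' and 'http ip_address [netmask] [if_name]' lines.

    Returns (server_enabled, authorized, malformed) where authorized is a list of
    (IPv4Network, if_name). Assumed defaults when fields are omitted: netmask
    255.255.255.255 (single host) and if_name 'inside'; verify against the PIX
    command reference for the OS version in use.
    """
    enabled, authorized, malformed = False, [], []
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "http":
            continue
        if parts[1:3] == ["server", "enable"]:
            enabled = True
            continue
        ip = parts[1]
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        if_name = parts[3] if len(parts) > 3 else "inside"
        try:
            authorized.append((ipaddress.IPv4Network((ip, mask), strict=False), if_name))
        except ValueError:               # e.g. 'http inside' with the address missing
            malformed.append(raw.strip())
    return enabled, authorized, malformed

def review(config_text):
    """Summarize which hosts may open an HTTP connection to the firewall."""
    enabled, authorized, malformed = parse_http_bootstrap(config_text)
    findings = [f"unparsable http statement: {line}" for line in malformed]
    if enabled and not authorized:
        findings.append("http server enabled but no 'http' host/network statements")
    for net, if_name in authorized:
        if net.prefixlen == 0:
            findings.append(f"{if_name}: any host authorized ({net})")
        elif net.prefixlen < 24:
            findings.append(f"{if_name}: broad network authorized ({net})")
    return {"enabled": enabled,
            "authorized": [(str(net), if_name) for net, if_name in authorized],
            "findings": findings}
```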

PIX Firewall Conversion Tool
Syntax: conv filename.cfg > filenamenew.cfg

CiscoWorks Login

CiscoWorks User Authorization Roles
CiscoWorks user authorization roles allow for different privileges within the PIX MC:
– Help Desk: Read-only for the entire system.
– Approver: Can review policy changes and accept or reject changes.
– Network Operator: Can create and submit jobs.
– Network Administrator: Can perform administrative tasks on the PIX MC.
– System Administrator: Can perform all tasks on the PIX MC.
Users can be assigned multiple authorization roles.

CiscoWorks Add User
Choose Server Configuration>Setup>Security>Add Users.

PIX MC Launch
Choose VPN/Security Management Solution>Management Center>PIX Firewalls.

Understanding the PIX MC

PIX MC Interface
(Figure: PIX MC interface elements: Object Selector, Path Bar, TOC, Options Bar, Tabs, Activity Bar, Tools, Instructions, Page, Object Bar.)

Basic User Task Flow
The basic user task flow is useful for understanding PIX MC operations when performing a common task from beginning to end. The following activities are part of the basic user task flow:
– Task 1: Create a new activity.
– Task 2: (Optional) Create device groups.
– Task 3: Import devices.
– Task 4: Configure building blocks.
– Task 5: Configure settings.

Basic User Task Flow (cont.)
– Task 6: Configure access and translation rules.
– Task 7: Generate and view the configuration.
– Task 8: (Optional) Submit the activity for approval.
– Task 9: Create a job.
– Task 10: (Optional) Submit the job for approval.
– Task 11: Deploy the job.

New Activity
Choose Devices>Activity>Open. Choose New Activity>OK.

Activity Management Interface
(Figure: Activity column, State column, Opened By column, Last Action column, action buttons.)

Activity Management

Group Management
Choose Devices>Managing Groups>Add.

Importing and Managing Devices

Configuration Import
Choose Devices>Importing Devices>Import.

Configuration Import (cont.)

Create Device

Import Configuration from Device

Import Configuration File for a Device

Import Multiple Firewall Configurations from a CSV File

Import Configuration Files for Multiple Devices

Device Management
Choose Devices>Managing Devices.

Configuring Building Blocks

Building Blocks
Building blocks enable you to optimize your configuration. Building blocks consist of the following items:
– Network objects
– Service definitions
– Service groups
– AAA server groups
– Address translation pools

Building Blocks: Network Objects
Choose Configure>Settings>Building Blocks>Network Objects>Add.

Network Objects: IP Addresses

Network Objects: Network Objects

Building Blocks: Service Definitions
Choose Configure>Settings>Building Blocks>Service Definitions>Add.

Service Definitions: TCP/UDP Values

Building Blocks: Service Groups
Choose Configure>Settings>Building Blocks>Service Groups>Add.

Service Groups: Select Services

Building Blocks: AAA Server Group
Choose Configure>Settings>Building Blocks>AAA Server Group>Create.

AAA Server Group: Server Definition

Building Blocks: Address Translation Pool
Choose Configure>Settings>Building Blocks>Address Translation Pool>Create.

Building Blocks: Address Translation Pool (cont.)

Configuring Settings

Settings Configuration
The PIX MC allows the following settings to be changed on a device, group, or sub-group basis:
– PIX operating system version
– Interfaces
– Failover
– Routing
– PIX Firewall administration
– Logging

Settings Configuration (cont.)
– Servers and services
– Advanced security
– PIX MC controls
– Configuration additions

PIX Operating System Version
Choose Configure>Settings>PIX OS Version.

Interface Settings
Choose Configure>Settings>Interfaces.

Interface Settings (cont.)
Choose Configure>Settings>Interfaces>Add.

Routing: Static Route
Choose Configure>Settings>Routing>Static Route>Add.

Administration: Passwords
Choose Configure>Settings>PIX Firewall Administration>Passwords.

Administration: HTTPS (SSL)
Choose Configure>Settings>PIX Firewall Administration>HTTPS(SSL).

Administration: SSH
Choose Configure>Settings>PIX Firewall Administration>SSH>Add.

Administration: Logging Setup
Choose Configure>Settings>Logging>Logging Setup.

Administration: Syslog
Choose Configure>Settings>Logging>Syslog.

Administration: Syslog (cont.)

Administration: Logging Level
Choose Configure>Settings>Logging>Logging Level.

Servers and Services: Easy VPN Remote
Choose Configure>Settings>Servers and Services>Easy VPN Remote.

PIX MC Controls: Management
Choose Configure>Settings>PIX MC Controls>Management.

PIX MC Controls: Import
Choose Configure>Settings>PIX MC Controls>Import.

PIX MC Controls: PIX Device Contact Information
Choose Configure>Settings>PIX MC Controls>PIX Device Contact Info.

PIX MC Controls: Configuration Additions
Choose Configure>Settings>Config Additions.

Configuring Access and Translation Rules

Mandatory or Default Access Rules
Rules are recognized as either mandatory or default and can be applied at the global level, at a group level, or to an individual device:
– Mandatory: Rules that apply at an enclosing group and are ordered down to a device. Mandatory rules cannot be overridden.
– Default: Rules that are ordered from the device up to the enclosing groups. Default rules can be overridden.
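The following Python models this ordering for a global > group > device hierarchy; it is an added example written for this page, not PIX MC code. The hierarchy, the rule contents and the first-match evaluation are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Level:
    """One level of the PIX MC configuration hierarchy: global, a group, or a device."""
    name: str
    mandatory: list = field(default_factory=list)  # cannot be overridden by lower levels
    default: list = field(default_factory=list)    # may be overridden by lower levels

def port_rule(action, port):
    """Constructed rule shape: match a flow by destination port."""
    return {"action": action, "match": lambda flow: flow["dst_port"] == port}

def any_rule(action):
    """Catch-all rule matching every flow."""
    return {"action": action, "match": lambda flow: True}

def effective_rules(path):
    """Order the rules for the device at the end of `path` ([global, ..., group, device]).

    Mandatory rules come first, ordered from the outermost enclosing group down to the
    device; default rules follow, ordered from the device back up to the enclosing groups.
    """
    ordered = []
    for level in path:                    # top-down: enclosing groups before the device
        ordered.extend((level.name, "mandatory", r) for r in level.mandatory)
    for level in reversed(path):          # bottom-up: device before its groups
        ordered.extend((level.name, "default", r) for r in level.default)
    return ordered

def decide(rules, flow):
    """First matching rule wins (assumed first-match semantics, as for PIX access lists)."""
    for scope, kind, rule in rules:
        if rule["match"](flow):
            return scope, kind, rule["action"]
    return None

# Constructed hierarchy: global -> branch-offices group -> one device.
GLOBAL = Level("global", mandatory=[port_rule("deny", 23)], default=[any_rule("deny")])
GROUP = Level("branch-offices", default=[port_rule("permit", 80)])
DEVICE = Level("pix-branch-1", default=[port_rule("permit", 23), port_rule("deny", 80)])

RULES = effective_rules([GLOBAL, GROUP, DEVICE])

if __name__ == "__main__":
    for scope, kind, rule in RULES:
        print(scope, kind, rule["action"])
    print(decide(RULES, {"dst_port": 23}))   # global mandatory deny wins over the device permit
    print(decide(RULES, {"dst_port": 80}))   # device default deny overrides the group permit
```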

Access Rules
Choose Configure>Access Rules>Insert.

Access Rules: Related Actions

Access Rules: AAA Settings

Access Rules: Web Filter

Static Translation Rule
Choose Configure>Translation Rules>Static Translation Rules>Add.

Dynamic Translation Rule
Choose Configure>Translation Rules>Dynamic Translation Rules>Add.

Configuration Generation
Choose Configure>View Config>Generate Configuration.

Managing Jobs

Job Management
Choose Workflow>Job Management>Add.

Job Management: Select Activities

Job Management: Select Devices

Job Management: Review Devices

Job Management: Job State

Job Management: Deployment

Reporting, Tools, and Administration

Reporting
Choose Report>Activity.

Tools
Choose Tools>Support.

Tools (cont.)

Admin: Workflow Setup
Choose Admin>Workflow Setup.

Admin: Maintenance
Choose Admin>Maintenance.

Summary

– The PIX MC provides a web-based interface for configuring and managing multiple PIX Firewalls without requiring CLI knowledge.
– The PIX MC centralizes and accelerates the deployment and management of multiple PIX Firewalls.
– The PIX MC supports up to 1,000 PIX Firewalls.
– The PIX MC enables the grouping of PIX Firewalls for ease of management and configuration.
– The PIX MC allows you to generate activity reports based upon configuration changes to the PIX Firewall and the PIX MC.

Lab Exercise

Lab Visual Objective
(Figure: lab topology with Student PC, Syslog server, PIX Firewall, Web/FTP bastion host, RTS (.100) and RBB (.2); Pods 1–5 and Pods 6–; Student PC addressing: Remote 10.1.P.11 / Local 10.0.P.11 and Remote 10.1.Q.11 / Local 10.0.Q.)