The presentation was published 10 years ago by user Борис Бахолдин
Lesson 19: Introduction to Enterprise PIX Firewall Management
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA
Objectives
  Upon completion of this lesson, you will be able to perform the following tasks:
  – Define key features and concepts of the Firewall MC.
  – Install the Firewall MC.
  – Import and manage devices.
  – Configure the PIX Firewall.
  – Deploy the PIX Firewall configuration.
  – Administer the Firewall MC server.
Introduction
CiscoWorks Management Center for Firewalls 1.2
  CiscoWorks Management Center for Firewalls 1.2 (Firewall MC) is a web-based interface for configuring and managing multiple Cisco PIX Firewalls.
  – Import existing PIX Firewall configurations.
  – Configure new PIX Firewalls.
  [Diagram: Internet, Firewall MC server, two Firewall MC clients]
Firewall MC Components
  – A common set of management services shared by multiple network management applications
  – Web-based applications for configuring and managing multiple devices such as PIX Firewalls, routers, IDS Sensors, host-based IDS, and so on
  [Diagram: Common Services, CiscoWorks2000 Server, CSAMC, Firewall MC, IDS MC, Router MC]
Firewall MC 1.2: Supported Devices
  Firewall MC 1.2 supports the following hardware platforms:
  – PIX 501 Firewall
  – PIX 506/506E Firewall
  – PIX 515/515E Firewall
  – PIX 525 Firewall
  – PIX 535 Firewall
  – FWSM
  Firewall MC 1.2 adds support for the following software versions:
  – PIX Firewall versions 6.0, 6.1, 6.2, and 6.3.x
  – FWSM versions and 1.1.2
Firewall MC Hardware Requirements
MC Server Requirements
  Hardware:
    – IBM PC-compatible computer with 1-GHz or faster CPU
    – Color monitor capable of viewing 256 colors
    – CD-ROM drive
    – 10BASE-T or faster network connection
  Memory: 1 GB of RAM minimum
  Disk space:
    – 9 GB minimum
    – 2 GB of virtual memory
    – NTFS file system recommended
  Software:
    – Windows 2000 Professional or Server with Service Pack 3 or later
    – ODBC Driver Manager or later
  [Diagram: Internet, Firewall MC server, Firewall MC client]
MC Client Access Requirements
  Hardware:
    – IBM PC-compatible computer with 300-MHz or faster CPU
    – 10BASE-T or faster network connection
  Software, one of the following:
    – Windows 98
    – Windows NT 4.0
    – Windows 2000 Server or Professional with Service Pack 3 or later
  Memory: 256 MB of RAM minimum
  Disk space: 400 MB virtual memory
  Browser: Internet Explorer 6.0 or Netscape Navigator 4.78
  [Diagram: Internet, Firewall MC server, Firewall MC client]
Installation Process
  Step 1: Install Common Services
  Step 2: Install Firewall MC
    – Auto Update Server
    – Other MCs
Preparing for Firewall MC
PIX Firewall Setup Dialog
    Pre-configure PIX Firewall now through interactive prompts [yes]?
    Enable Password [ ]: ciscopix
    Clock (UTC):
      Year [2003]:
      Month [Sep]:
      Day [10]: 18
      Time [22:47:37]: 14:22:00
    Inside IP address:
    Inside network mask:
    Host name: pixP
    Domain name: cisco.com
    IP address of host running PIX Device Manager:
    Use this configuration and write to flash? Y
  [Diagram: Internet, Firewall MC server]
PIX Firewall Bootstrap Commands
    pixfirewall(config)# http server enable
  Enables the PIX Firewall to be monitored or have its configuration modified from a browser.
    pixfirewall(config)# http ip_address [netmask] [if_name]
  Specifies the host or network authorized to initiate an HTTP connection to the PIX Firewall.
  Example:
    pix1(config)# http server enable
    pix1(config)# http inside
  [Diagram: Internet, Firewall MC server, HTTP server]
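An added example (not part of the original slides or of Cisco's tooling): a Python check that reads the `http` statements described above from a saved PIX configuration and flags any entry that permits browser management from anything other than the single Firewall MC server on the inside interface. The sample configuration, its addresses and the name `audit_http_access` are constructed for illustration; the defaults applied when `netmask` or `if_name` is omitted (255.255.255.255 and inside) are assumptions.

```python
import ipaddress
import re

# Constructed sample (not from the slides): 'http' lines as they would
# appear in a saved PIX configuration. Addresses are illustrative.
SAMPLE_CONFIG = """\
http server enable
http 10.0.1.10 255.255.255.255 inside
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.0.2.50
"""

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
# http ip_address [netmask] [if_name]
HTTP_RE = re.compile(rf"^http\s+({QUAD})(?:\s+({QUAD}))?(?:\s+(\S+))?$")


def audit_http_access(config, mc_host, trusted_if="inside"):
    """Return (server_enabled, findings); findings are (line, [reasons])."""
    server_enabled, findings = False, []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line == "http server enable":
            server_enabled = True
            continue
        m = HTTP_RE.match(line)
        if not m:
            continue
        # Assumed defaults when a field is omitted: host mask, 'inside'.
        addr = m.group(1)
        mask = m.group(2) or "255.255.255.255"
        if_name = m.group(3) or "inside"
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append((line, ["address or netmask does not parse"]))
            continue
        reasons = []
        if if_name != trusted_if:
            reasons.append(f"allowed from interface '{if_name}'")
        if net.num_addresses > 1:
            reasons.append(f"permits {net.num_addresses} addresses")
        elif net.network_address != ipaddress.ip_address(mc_host):
            reasons.append("host is not the Firewall MC server")
        if reasons:
            findings.append((line, reasons))
    return server_enabled, findings
```

Calling `audit_http_access(SAMPLE_CONFIG, "10.0.1.10")` reports the /24 entry, the any-source entry on the outside interface, and the single host that is not the management server, while the exact Firewall MC host entry passes.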
Understanding the Firewall MC
CiscoWorks Login
CiscoWorks User Authorization Roles
  CiscoWorks user authorization roles allow for different privileges within the PIX MC:
  – Help Desk: Read-only for the entire system.
  – Approver: Can review policy changes and accept or reject changes.
  – Network Operator: Can create and submit jobs.
  – Network Administrator: Can perform administrative tasks on the PIX MC.
  – System Administrator: Can perform all tasks on the PIX MC.
  – Users: Can be assigned multiple authorization roles.
CiscoWorks Add User
  Choose Server Configuration > Setup > Security > Add Users.
Launch Firewall MC
Firewall MC Home Page
Firewall MC Interface
  [Screenshot callouts: Object Selector, Path bar, TOC, Scope, Tabs, Activity/actions bar, Instructions, Page, Options, Tools, Object bar]
Basic User Task Flow
  You will find it useful to understand the basic user task flow for Firewall MC operations when performing a common task from beginning to end. The following are part of the basic user task flow:
  Task 1: Create device groups.
  Task 2: Import devices.
  Task 3: Configure building blocks.
  Task 4: Configure settings.
  Task 5: Configure access and translation rules.
  Task 6: Generate and view the configuration.
  Task 7: Deploy the configuration.
Importing and Managing Devices
Managing Groups and Devices
  Groups-devices:
    Global
      New_York - NY1
      Singapore - S1
      London - UK1
  [Diagram: Firewall MC, Internet; sites Singapore, London, New York; devices NY1, S1, UK1]
Devices Tab
Managing Groups
Import Configuration from Device
PIX Firewall Contact Information
Import Summary
Configuring Settings
Configuration Tab
Object Selector
  Configuration: Global – pod6 pix6
Add Interface
Configuration: Interfaces
Configuring Building Blocks
Building Blocks
Network Objects: Added
Service Definition: Added
Enter Service Group Objects
Service Groups: Added
Configuring Access and Translation Rules
Static Translation Rules: Added
Dynamic Translation Rules: Added
Access Rules: Added
Address Translation Pool: Added
Enter Syslog Setup
Deployment Tab
Generate Summary and Deploy Now
Deploy Later
Deployment Summary
Deployment Transcript
Deployment Config
Deployed
Managing Workflow
Workflow Setup
Create Activity
Submit Activity and Generate Configuration
Job Requested and Approved
Job Deployed
Reporting
Reports
Activity Report
Configuration Differences Report
Settings Report
Summary
  – The Firewall MC provides a web-based interface for configuring and managing multiple PIX Firewalls without requiring CLI knowledge.
  – The Firewall MC centralizes and accelerates the deployment and management of multiple PIX Firewalls.
  – The Firewall MC supports up to 1,000 PIX Firewalls.
  – The Firewall MC enables the grouping of PIX Firewalls for ease of management and configuration.
  – The Firewall MC allows you to generate activity reports based upon configuration changes to the PIX Firewall and the Firewall MC.
Lab Exercise
Lab Visual Objective
  [Diagram: lab topology for pods P and Q showing Student PC, Firewall MC, PIX Firewall, Web/FTP server, bastionhost, RTS and RBB]