The presentation was published 10 years ago by user Ivan Shestakov
1 © 2003, Cisco Systems, Inc. All rights reserved. CSPFA Chapter 17 Enterprise PIX Management
2 Objectives
3 Objectives Upon completion of this chapter, you will be able to complete the following tasks:
– Define key features and concepts of the PIX MC.
– Install the PIX MC.
– Import devices.
– Manage devices and groups.
– Configure PIX Firewall settings.
– Manage activities and jobs.
– Administer the PIX MC server.
– Manage multiple PIX Firewalls with the PIX MC.
4 Introduction
5 What Is the PIX MC? The PIX MC is a web-based application that centralizes and accelerates the deployment and management of multiple PIX Firewalls.
[Diagram labels: PIX MC, PC, Laptop, SSL, SSH]
6 Key Concepts Understanding the following key concepts helps you maximize PIX MC functionality:
– Configuration hierarchy.
– Configuration elements.
– Workflow process.
7 Supported Devices The PIX MC supports PIX Firewalls running operating system version 6.0 and higher. In addition to software requirements, the PIX MC supports the following hardware:
– PIX Firewall 501
– PIX Firewall 506E
– PIX Firewall 515E
– PIX Firewall 525
– PIX Firewall 535
8 Installation
9 Installation Overview CiscoWorks Common Services is required for the PIX MC. Common Services provides the CiscoWorks Server base components, software libraries, and software packages developed for the PIX MC.
10 Installation Requirements
Hardware
– IBM PC-compatible computer with 1-GHz or faster CPU
– Color monitor capable of displaying 256 colors
– CD-ROM drive
– 10-BaseT or faster network connection
Memory: 1 GB of RAM minimum
Disk drive space
– 9 GB minimum
– FAT32 or NTFS file system (NTFS recommended for security reasons)
– 2 GB of virtual memory
Software
– Windows 2000 Server with Service Pack 2
– ODBC Driver Manager or later
11 Client Access Requirements
Hardware
– IBM PC-compatible computer with 300-MHz or faster CPU
– 10-BaseT or faster network connection
Software
– Windows 98, or
– Windows NT 4.0, or
– Windows 2000 Professional with Service Pack 2, or
– Windows 2000 Server/Advanced Server with Service Pack 2, or
– Windows XP Professional
Memory: 256 MB of RAM minimum
Disk drive space: 400 MB virtual memory
Browser: Internet Explorer 5.5 or later
12 Installation Process
13 Installation Process (cont.)
14 Getting Started
15 PIX Firewall Bootstrap Commands
pixfirewall(config)# http server enable
Enables the PIX Firewall to be monitored or have its configuration modified from a browser.
pixfirewall(config)# http ip_address [netmask] [if_name]
Specifies the host or network authorized to initiate an HTTP connection to the PIX Firewall.
pixfirewall(config)# http inside
pixfirewall(config)# http server enable
Enables the PIX Firewall to be modified from a browser in the network on the inside interface.
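An added example (not part of the original slides): a Python check that reads a PIX configuration and reports http authorization entries that are wider than a single management host or bound to an interface other than inside. The sample configuration and its addresses are constructed, and the defaults applied when netmask or if_name is omitted (255.255.255.255 and inside) are assumed from PIX 6.x behavior.

```python
import ipaddress
import re

# Constructed sample configuration fragment (not from the original slides).
SAMPLE_CONFIG = """\
http server enable
http 10.0.1.11 255.255.255.255 inside
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 10.0.1.12
"""

# http ip_address [netmask] [if_name]
HTTP_ALLOW = re.compile(
    r"^http\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+\.\d+\.\d+\.\d+))?(?:\s+(\S+))?\s*$"
)

def audit_http_access(config, max_hosts=1, trusted_ifs=("inside",)):
    """Return (server_enabled, findings) for the http statements in a config.

    max_hosts and trusted_ifs are policy choices made for this example.
    """
    server_enabled = False
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            server_enabled = True
            continue
        m = HTTP_ALLOW.match(line)
        if not m:
            continue
        addr, mask, if_name = m.groups()
        # Assumed defaults: a host mask and the inside interface.
        mask = mask or "255.255.255.255"
        if_name = if_name or "inside"
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        reasons = []
        if net.num_addresses > max_hosts:
            reasons.append(f"authorizes {net.num_addresses} addresses")
        if if_name not in trusted_ifs:
            reasons.append(f"reachable from interface '{if_name}'")
        if reasons:
            findings.append((line, reasons))
    return server_enabled, findings
```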
16 PIX Firewall Conversion Tool Choose conv filename.cfg>filenamenew.cfg.
17 CiscoWorks Login
18 CiscoWorks User Authorization Roles CiscoWorks user authorization roles allow for different privileges within the PIX MC:
– Help Desk: Read-only for the entire system.
– Approver: Can review policy changes and accept or reject changes.
– Network Operator: Can create and submit jobs.
– Network Administrator: Can perform administrative tasks on the PIX MC.
– System Administrator: Can perform all tasks on the PIX MC.
Users can be assigned multiple authorization roles.
19 CiscoWorks Add User Choose Server Configuration>Setup>Security>Add Users.
20 PIX MC Launch Choose VPN/Security Management Solution>Management Center>PIX Firewalls.
21 Understanding the PIX MC
22 PIX MC Interface [Screenshot callouts: Object Selector, Path Bar, TOC, Options Bar, Tabs, Activity Bar, Tools, Instructions, Page, Object Bar]
23 Basic User Task Flow The basic user task flow helps you understand how the PIX MC operates when you perform a common task from beginning to end. The following activities are part of the basic user task flow:
– Task 1: Create a new activity.
– Task 2: (Optional.) Create device groups.
– Task 3: Import devices.
– Task 4: Configure building blocks.
– Task 5: Configure settings.
24 Basic User Task Flow (cont.)
– Task 6: Configure access and translation rules.
– Task 7: Generate and view the configuration.
– Task 8: (Optional.) Submit the activity for approval.
– Task 9: Create a job.
– Task 10: (Optional.) Submit the job for approval.
– Task 11: Deploy the job.
25 New Activity Choose Devices>Activity>Open. Choose New Activity>OK.
26 Activity Management Interface [Screenshot callouts: Activity column, State column, Opened By column, Last Action column, Action buttons]
27 Activity Management
28 Group Management Choose Devices>Managing Groups>Add.
29 Importing and Managing Devices
30 Configuration Import Choose Devices>Importing Devices>Import.
31 Configuration Import (cont.)
32 Create Device
33 Import Configuration from Device
34 Import Configuration File for a Device
35 Import Multiple Firewall Configurations from a CSV File
36 Import Configuration Files for Multiple Devices
37 Device Management Choose Devices>Managing Devices.
38 Configuring Building Blocks
39 Building Blocks Building blocks enable you to optimize your configuration. Building blocks consist of the following items:
– Network objects.
– Service definitions.
– Service groups.
– AAA server groups.
– Address translation pools.
40 Building Blocks: Network Objects Choose Configure>Settings>Building Blocks>Network Objects>Add.
41 Network Objects: IP Addresses
42 Network Objects: Network Objects
43 Building Blocks: Service Definitions Choose Configure>Settings>Building Blocks>Service Definitions>Add.
44 Service Definitions: TCP/UDP Values
45 Building Blocks: Service Groups Choose Configure>Settings>Building Blocks>Service Groups>Add.
46 Service Groups: Select Services
47 Building Blocks: AAA Server Group Choose Configure>Settings>Building Blocks>AAA Server Group>Create.
48 AAA Server Group: Server Definition
49 Building Blocks: Address Translation Pool Choose Configure>Settings>Building Blocks>Address Translation Pool>Create.
50 Building Blocks: Address Translation Pool (cont.)
51 Configuring Settings
52 Settings Configuration The PIX MC allows the following settings to be changed on a device, group, or sub-group basis:
– PIX operating system version
– Interfaces
– Failover
– Routing
– PIX Firewall administration
– Logging
53 Settings Configuration (cont.)
– Servers and services
– Advanced security
– PIX MC controls
– Configuration additions
54 PIX Operating System Version Choose Configure>Settings>PIX OS Version.
55 Interface Settings Choose Configure>Settings>Interfaces.
56 Interface Settings (cont.) Choose Configure>Settings>Interfaces>Add.
57 Routing: Static Route Choose Configure>Settings>Routing>Static Route>Add.
58 Administration: Passwords Choose Configure>Settings>PIX Firewall Administration>Passwords.
59 Administration: HTTPS (SSL) Choose Configure>Settings>PIX Firewall Administration>HTTPS(SSL).
60 Administration: SSH Choose Configure>Settings>PIX Firewall Administration>SSH>Add.
61 Administration: Logging Setup Choose Configure>Settings>Logging>Logging Setup.
62 Administration: Syslog Choose Configure>Settings>Logging>Syslog.
63 Administration: Syslog (cont.)
64 Administration: Logging Level Choose Configure>Settings>Logging>Logging Level.
65 Servers and Services: Easy VPN Remote Choose Configure>Settings>Servers and Services>Easy VPN Remote.
66 PIX MC Controls: Management Choose Configure>Settings>PIX MC Controls>Management.
67 PIX MC Controls: Import Choose Configure>Settings>PIX MC Controls>Import.
68 PIX MC Controls: PIX Device Contact Information Choose Configure>Settings>PIX MC Controls>PIX Device Contact Info.
69 PIX MC Controls: Configuration Additions Choose Configure>Settings>Config Additions.
70 Configuring Access and Translation Rules
71 Mandatory or Default Access Rules Rules are recognized as either mandatory or default and can be applied at the global level, a group level, or to an individual device:
– Mandatory: Rules that apply at an enclosing group and are ordered down to a device. Mandatory rules cannot be overridden.
– Default: Rules that are ordered from the device up to enclosing groups. Default rules can be overridden.
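An added example (not from the original slides) of the ordering described on this slide, in Python. It assumes the effective access list is the mandatory rules followed by the default rules and that the first matching rule wins; the scope names and rules are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Scope:
    """A node in the hierarchy: Global, a group, or a device."""
    name: str
    parent: "Scope | None" = None
    mandatory: list = field(default_factory=list)
    default: list = field(default_factory=list)

def effective_rules(device):
    """Flatten the hierarchy into one ordered rule list for a device."""
    chain = []                      # device first, outermost scope last
    scope = device
    while scope is not None:
        chain.append(scope)
        scope = scope.parent
    rules = []
    for s in reversed(chain):       # mandatory: enclosing group down to device
        rules += [(s.name, "mandatory", r) for r in s.mandatory]
    for s in chain:                 # default: device up to enclosing groups
        rules += [(s.name, "default", r) for r in s.default]
    return rules

def first_match(rules, src, port):
    """Return (scope, kind, action) of the first rule matching src/port."""
    for scope, kind, (action, r_src, r_port) in rules:
        if r_src in (src, "any") and r_port in (port, "any"):
            return scope, kind, action
    return None, None, "deny"       # nothing matched: implicit deny

# Constructed hierarchy: Global > Branch group > device pix1.
GLOBAL = Scope("Global", mandatory=[("deny", "any", 23)])
BRANCH = Scope("Branch", parent=GLOBAL, default=[("permit", "any", 80)])
PIX1 = Scope("pix1", parent=BRANCH,
             default=[("deny", "any", 80), ("permit", "any", 23)])
RULES = effective_rules(PIX1)
```

With these rules, the device's default deny for port 80 takes effect ahead of the group's default permit, while its default permit for port 23 never matches because the Global mandatory deny comes first.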
72 Access Rules Choose Configure>Access Rules>Insert.
73 Access Rules: Related Actions
74 Access Rules: AAA Settings
75 Access Rules: Web Filter
76 Static Translation Rule Choose Configure>Translation Rules>Static Translation Rules>Add.
77 Dynamic Translation Rule Choose Configure>Translation Rules>Dynamic Translation Rules>Add.
78 Configuration Generation Choose Configure>View Config>Generate Configuration.
79 Managing Jobs
80 Job Management Choose Workflow>Job Management>Add.
81 Job Management: Select Activities
82 Job Management: Select Devices
83 Job Management: Review Devices
84 Job Management: Job State
85 Job Management: Deployment
86 Reporting, Tools, and Administration
87 Reporting Choose Report>Activity.
88 Tools Choose Tools>Support.
89 Tools (cont.)
90 Admin: Workflow Setup Choose Admin>Workflow Setup.
91 Admin: Maintenance Choose Admin>Maintenance.
92 Summary
93 Summary
– The PIX MC provides a web-based interface for configuring and managing multiple PIX Firewalls without requiring CLI knowledge.
– The PIX MC centralizes and accelerates the deployment and management of multiple PIX Firewalls.
– The PIX MC supports up to 1,000 PIX Firewalls.
– The PIX MC enables the grouping of PIX Firewalls for ease of management and configuration.
– The PIX MC allows you to generate activity reports based upon configuration changes to the PIX Firewall and the PIX MC.
94 Lab Exercise
95 Lab Visual Objective [Network diagram of the lab topology: student PCs with syslog servers, PIX Firewalls, bastion hosts (Web/FTP), RBB and RTS hosts, grouped by pods; Remote: 10.1.P.11, Local: 10.0.P.11; Remote: 10.1.Q.11]