PIX PDM Requirements

The PDM is just one of several GUI interface tools used to configure and monitor the PIX firewall. PDM is a Java Web-based interface that enables configuration of your firewall via a secure HTTPS connection. The tool is designed for a single firewall system. However, Cisco does have another GUI interface tool called the Cisco Secure Policy Manager (CSPM) that supports centralized management of several security systems simultaneously ”PIX is one such security system.

PIX Device Requirements, Client Needs, and Limitations

The PIX PDM version 2.1 supports all models ”501, 506/506E, 515/515E, 520, 525, and 535 models that run the PIX firewall software 6.2 or higher. The following is a list of all the requirements for these models:

• PIX software 6.2 or higher

• Minimum of 8MB of flash memory

• DES or 3DES activation keys

The encryption of DES or 3DES is required because of the HTTPS, Secure Socket Layer (SSL) connection needed to use the PDM interface. This SSL connection allows secure traffic to pass between the interface and Web browsers and typically used port 443.

The PDM software also supports the Cisco Firewall Service Module (FWSM) version 1.1 that can be installed in a Catalyst 6500 series switch.

Clients Using the PDM

The Java-based interface doesn't require a client installation; only an HTTPS connection to the firewall, which will download and execute the Java applets required to run the interface, is needed. Table 13.1 lists the client platforms that can run the interface.

Table 13.1. Supported Clients

To execute the PDM Java, the Web browser must support JavaScript and the Java Development Kit (JDK) version 1.1.4 or higher.

The PDM is supported on Windows, Linux, and Sun Solaris operating systems.

PDM Limitations

The PDM can configure almost all commands necessary to make the PIX firewall work. However, several commands and features are not supported; the PDM might, in fact, prevent you from setting up certain configurations on the firewall with the GUI. When this happens, the only option you can use is the Monitoring tab, which we will look at later. Following is a list of commands not supported on the PDM:

• The alias command

• The aaa command with the match option when other commands use the include and exclude options

• The same access-lists and outbound command linked to more than one interface

• The established command

See Cisco's Web site for other unsupported commands. Figure 13.1 displays the error message displayed when an unsupported command, such as the alias command, is found.

Unsupported commands on the PDM disable all configuration functionality on the interface. If unsupported commands are detected , the PDM locks out access to all tabs except the Monitoring tab.