The PIX MC is a Web-based interface tool used inside Cisco VPN/Security Management Solution within CiscoWorks. The tool is similar to the PIX Device Manager (PDM) that is used to manage a single PIX firewall. However, PIX MC offers centralized management of up to 1,000 firewalls at the same time. The PIX MC enables you to configure new firewalls and import current firewall configurations. When paired with the PIX Auto Update Server, it can additionally download configurations, software upgrades, and PDM software to your PIX firewalls.
The following list displays some of the features PIX MC can provide:
Using the PIX MC

The PIX MC enables you to configure your PIX firewalls without the use of the command-line interface (CLI). The CiscoWorks Web interface requires you to log in to the system before you can access the PIX MC graphical user interface (GUI). Figure 14.2 displays the splash screen you will see when entering the PIX MC.

Figure 14.2. The PIX MC splash screen.

Table 14.1 lists the five main upper tabs (Devices, Configuration, Workflow, Reports, and Admin) and their submenu items.

Table 14.1. PIX MC Configuration Tabs
The Devices Tab

This tab is used to import and manage the PIX firewall device configuration settings. Table 14.2 contains this tab's three main submenu items with basic descriptions of what they do.

Table 14.2. PIX MC Devices Tab

The Configuration Tab

This tab is used to define and manage settings that can be downloaded to the firewalls. Table 14.3 displays the Configuration tab's items and their descriptions.

Table 14.3. PIX MC Configuration Tab

The Workflow Tab

The Workflow tab enables you to control and manage activity workflow and to create new activities that are used to control policy changes against a device (firewall). Table 14.4 displays the Workflow tab's subitems.

Table 14.4. PIX MC Workflow Tab

The Reports Tab

This tab enables you to view reports about actions administrators have performed within an activity. Only one selection is available on this tab; it's called Activity. Table 14.5 displays the details of the activity report.

Table 14.5. PIX MC Reports Tab's Activity Report

The Admin Tab

The Admin tab configures the global settings for the PIX MC, such as enabling workflow and audit record retention. Table 14.6 describes the three submenu items available.

Table 14.6. PIX MC Admin Tab
PIX MC Groups

The PIX MC provides the ability to place PIX firewall devices with similar attributes into groups. These groups enable you to configure these devices with similar settings. The default group, called Global, is the highest-level group; from here you can create subgroups. Devices are placed within these subgroups. Figure 14.3 displays three firewalls placed into the group called Corvallis Firewalls.

Figure 14.3. PIX MC Groups for attributes.

After groups are created, device (firewall) configurations can be imported into the group. Figure 14.3 shows three configurations currently imported: PIX-1, PIX-2, and PIX-3.

PIX MC Access Rules

The PIX MC enables you to define access rules, which are used to configure network security policies on your firewall. Access rules are grouped by interface and are eventually translated into access list (ACL) entries assigned to that interface. These rules are assigned to a group or subgroup and are merged to provide access control on the firewall. The following shows the three types of access rules that can be created, in order of precedence:
Mandatory access rules are the most important rules and take precedence over any other rules. This places them first in the ACL that is created. Device access rules are next. If no mandatory access rule opposes a device rule, the rule affects the PIX. Lastly are the default rules, which take effect only if no other rule overrides them. Figure 14.4 displays access rules coming from each group and the device. The access rules from groups can be either mandatory or default. Access rules from a device are device rules applied only to that specific device. All these rules are combined and converted into the ACL for the device.

Figure 14.4. Access rules.
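The merge order described above, modelled as a small added example (not PIX MC's own code): group rules from a Global-to-subgroup path and the device's own rules are combined into one ordered ACL, and a first-match lookup shows a mandatory group rule overriding a conflicting device rule. The tie-break order within the mandatory and default tiers, the rule fields, and all addresses are constructed assumptions, not taken from the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Illustrative model of PIX MC-style access-rule merging. Not PIX MC's own
# code; within-tier ordering is an assumption, stated in build_acl's docstring.
MANDATORY, DEVICE, DEFAULT = "mandatory", "device", "default"


@dataclass(frozen=True)
class Rule:
    kind: str      # MANDATORY, DEVICE or DEFAULT
    action: str    # "permit" or "deny"
    src: str       # source host/network, or "any" (constructed sample values)
    dst: str       # destination host/network, or "any"
    svc: str       # service, e.g. "tcp/443", or "any"


@dataclass
class Group:
    name: str
    rules: List[Rule] = field(default_factory=list)


def build_acl(group_path: List[Group], device_rules: List[Rule]) -> List[Rule]:
    """Merge into one ACL: mandatory rules first, then device rules, then
    default rules. group_path runs from Global down to the device's subgroup.
    Assumption (not stated on the page): within the mandatory tier the outer
    group's rules come first; within the default tier the inner group's rules
    come first, so a parent's default is the last rule consulted."""
    if any(r.kind != DEVICE for r in device_rules):
        raise ValueError("rules attached to a device must be of kind 'device'")
    mandatory = [r for g in group_path for r in g.rules if r.kind == MANDATORY]
    default = [r for g in reversed(group_path) for r in g.rules if r.kind == DEFAULT]
    return mandatory + list(device_rules) + default


def first_match(acl: List[Rule], src: str, dst: str, svc: str) -> Optional[Rule]:
    """Top-down first-match evaluation, as an ACL is processed on the firewall.
    None means nothing matched and the implicit deny would apply."""
    for r in acl:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.svc in ("any", svc):
            return r
    return None


def render(acl: List[Rule], name: str = "outside_in") -> List[str]:
    """Simplified access-list lines for reading the result; not exact PIX syntax."""
    return [f"access-list {name} {r.action} {r.svc} {r.src} {r.dst}" for r in acl]
```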