This section lists some of common problems that you may experience and explains how to resolve them.
Does the Firewall MC server require a valid DNS entry?
No it's not required, but for performance you must have DNS entry.
What other Cisco software is required for running Firewall MC?
Firewall MC is a tool that installs on top of the VMS Bundle, which includes CiscoWorks Common Services.
What regional settings can I use for my operating system?
Currently, only English-US regional settings are supported.
Can I upgrade my Firewall MC from Version 1.x to the latest release?
Yes, you can directly upgrade from Firewall MC 1.x to the latest release by installing the new version. The upgrade will automatically address data schema changes that have occurred between the releases. During installation, you can choose to re-initialize your database, or to keep the existing data. If you choose to keep your data, the upgrade framework will automatically convert the data to be compatible with the new version.
Backing up data from older versions to new versions is also supported by the same database upgrade framework, so you can take a 1.0 backup and restore it on a 1.3 version of Firewall MC.
What happens to my AAA roles during an upgrade of Firewall MC?
If you do not unregister Firewall MC from CS ACS before you run the upgrade, your CS ACS role settings will be retained and you will be constrained to making changes directly through the CS ACS user interface. If you do unregister Firewall MC, and then upgrade, you will have to re-register with ACS, and CS ACS will use the new settings that are installed with the new version of Firewall MC as its default. The changed files are pixmdc_cmfrolemap.xml and acsroles.xml.
How do I determine device deployment status after canceling a deployment to an AUS?
If you cancel a job that deploys to AUS, the status might show that the deployment of some devices was canceled even though deployment was completed. To work around this problem, select VPN/Security Management Solution > Administration > Logging > Audit Log to determine which devices were deployed.
How can I see my global and default rules while I am defining rules on my devices?
To see all rules that apply to a device, select Configuration > Access Rules. Select the rule table from the TOC, and then navigate to the device for which you want to see the rules. Click View All. A popup window displays all rules defined at all scopes that pertain to the selected device.
The default setting ensures that global settings are inherited by all children. How do I change this?
Default configuration settings are set at the global level, but you can override them for a subgroup or device. A setting is designated as default for a subgroup or device(s) when you select Inherit settings in the user interface. When you select Inherit settings, the subgroup or device defers the definition of any setting to a higher-level, enclosing group. You can override a default setting by deselecting the Inherit settings check box and specifying other values completely for that scope.
How should I order the Access Rules for firewall using Firewall MC?
Access rules are processed in first-matched order. Therefore, the first rule that satisfies the conditions of a session, regardless of how generally they are expressed in the rule, is the rule that is applied. You should organize the most explicit and most narrowly defined rules first, and then define the more general rules.
Dynamic and static translation rules are processed in best-matched order. NAT 0 ACL rules are processed in first-matched order.
Can I move rules after they are inserted in a rule table?
You can cut, copy, and paste rules within a rule table by using the buttons at the bottom of each rule table or by right-clicking inside the rule table, which brings up a menu with the same button options listed.
Because rules are applied to an interface, make sure the interface specified in a rule exists on the device to which you are pasting the rule. If the interface is not found on the device, an error results when the device configuration is generated. You cannot paste a rule before or after a rule created from an outbound rule. Outbound rules are sorted in the order in which a firewall device applies them to traffic.
Why are certain rules in the rule table not mapping to rules in the generated command sets?
Not every rule in the GUI translates to a line in the CLI. If optimization is enabled, some rules might be compressed.
How can I see all rules that will be deployed to a device?
Select the device whose configurations you want to view, generate the command sets, select Deploy Later, and then use the Devices Settings report.
I changed a global rule and need to regenerate all my device configurations before they can be deployed. Can I select devices to deploy instead of deploying all of them at once?
How you select devices depends on your workflow settings:
If workflow is not enabled, select the Deploy Later button. This option saves your changes. You can then go to the Deployment tab and select one or more devices to deploy the changes.
If workflow is enabled, you can select the devices to deploy in the Select Devices page of the Job Management wizard.