Best Practices

This section lists practices that help improve the performance of the Firewall MC server and provide it with the necessary security:

  • Always upgrade to the latest version of Firewall MC and apply new patches available on the Cisco Web Site.

  • A valid DNS entry for the Firewall MC server is required for optimum performance; remote management sessions can be slow when the Firewall MC host name does not resolve. If no DNS server is configured for the Firewall MC server, make sure the hosts files on both the management client and the Firewall MC server map the Firewall MC host name to the IP address of the Firewall MC server.

  • If possible, install Security Monitor on a server that is separate from the Firewall MC server.

  • Be sure to install Common Services and Firewall MC on a dedicated machine. Common Services and Firewall MC run their own web server and database server, which can cause resource conflicts if another application is installed on the same host. Be sure the machine meets the minimum requirements for running a VMS server. Because performance is governed by the server hardware rather than by the VMS software, a fast, well-provisioned server is always recommended.

  • It is recommended that you secure the VMS server with Cisco Security Agent (CSA), Cisco's host-based IDS/IPS software.

  • If the Firewall MC is in a different network (VLAN) from the firewalls (PIX firewall or FWSM), be sure the network devices between the Firewall MC server and the firewalls allow SSH (TCP/22) and SSL (TCP/443) in both directions.

  • Do not install Firewall MC on a Primary or Backup Domain Controller, an IIS server, a Terminal Server, or a host running IEV or CSPM.

  • Implement a Disaster Recovery Plan as explained in the "Disaster Recovery Plan" section of this chapter.
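As an added example (not from this document or from Cisco), the following Python script checks two of the items above before a deployment: that the management client's and the Firewall MC server's hosts files agree on the Firewall MC host name to IP mapping when no DNS entry exists, and that SSH (TCP/22) and SSL (TCP/443) are reachable from the host it runs on toward the peer. The host name `fwmc01`, the address `10.1.1.10`, and the hosts-file contents are constructed for illustration; run the port probe once from the Firewall MC server toward each firewall and, where the platform allows it, once from the firewall side toward the server, since the intermediate ACLs must permit both directions.

```python
"""Pre-deployment check for a Firewall MC server.

Added example; not part of Cisco's documentation. Verifies that
(1) client and server hosts files map the Firewall MC host name to the
    same, expected IP address (needed when no DNS entry exists), and
(2) TCP/22 (SSH) and TCP/443 (SSL) are reachable toward a peer.
All names, addresses and file contents below are constructed.
"""
import socket
from typing import Dict, List

# Ports the best-practice text requires between Firewall MC and firewalls.
REQUIRED_PORTS = {22: "SSH", 443: "SSL"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname_lower: ip} from hosts-file text (Windows or Unix).

    Comments introduced by '#' and blank lines are skipped; every name and
    alias on a line maps to that line's address. Later entries win.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no names: nothing to map
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def check_hosts_mapping(client_hosts: str, server_hosts: str,
                        fwmc_name: str, fwmc_ip: str) -> List[str]:
    """Return a list of problems; an empty list means both files are correct."""
    problems: List[str] = []
    for label, text in (("client", client_hosts), ("server", server_hosts)):
        entry = parse_hosts(text).get(fwmc_name.lower())
        if entry is None:
            problems.append(f"{label}: no hosts entry for {fwmc_name}")
        elif entry != fwmc_ip:
            problems.append(
                f"{label}: {fwmc_name} maps to {entry}, expected {fwmc_ip}")
    return problems


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, filtered (timeout), etc.
        return False


def check_required_ports(host: str, timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every required port toward host; returns {port: reachable}."""
    return {port: tcp_port_open(host, port, timeout) for port in REQUIRED_PORTS}


if __name__ == "__main__":
    # Constructed hosts-file contents, as they might look on each machine.
    CLIENT_HOSTS = "127.0.0.1 localhost\n10.1.1.10 fwmc01 fwmc01.example.local\n"
    SERVER_HOSTS = "127.0.0.1 localhost\n# local entry\n10.1.1.10 FWMC01\n"
    for problem in check_hosts_mapping(CLIENT_HOSTS, SERVER_HOSTS,
                                       "fwmc01", "10.1.1.10"):
        print("hosts:", problem)
    # Probe the (constructed) Firewall MC address for SSH and SSL.
    for port, ok in check_required_ports("10.1.1.10").items():
        print(f"{REQUIRED_PORTS[port]} TCP/{port}: {'open' if ok else 'BLOCKED'}")
```

A port that times out rather than being refused usually indicates a filtering device in the path, which is exactly the case the ACL requirement above is meant to catch; a refused connection means the path is open but the service is not listening.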

