This section presents some of the important methods for improving performance and avoiding a lockout situation. Following is the list of such some good practices:
If you are running PIX Version 6.3.4 or later, be sure to create a local user and configure a local user database as a fallback, just in case there is a communication problem between the PIX and AAA server.
When TACACS+ is configured with authorization for pass-through traffic, be sure not to enable accounting for all traffic. Otherwise, PIX will generate many accounting records for a single PIX Firewall.
When configuring cut-through proxy for HTTP(S), be sure not to set the absolute timeout to zero. This is because, for loading a single HTTP page, the browser might need to make multiple connections to the web server. If the absolute timeout is set to zero, for every request to load a single web page, you need to enter authentication information multiple times. For FTP and Telnet, this is not an issue.
If you have a backup RADIUS Server configured, configure dead-time for RADIUS to improve the performance.
If you have a web server that requires authentication in addition to cut-thru proxy authentication by the PIX firewall, always configure virtual Telnet and virtual HTTP on the PIX firewall. Additionally, virtual Telnet should be used when you need to authenticate/authorize the port that cannot be used as a service for authentication (HTTP/HTTPS/Telnet/FTP can be used as service). One such protocol is SMTP (TCP/25), so if you need SMTP authentication by the PIX firewall, you need to configure virtual Telnet.
Do not configure console authentication for PIX Device Manager (PDM) with a One-time Token card (for example, SDI), because when PDM starts up, it makes multiple connections to the PIX to get the configuration and other information, and for each HTTP/HTTPS connection to the PIX, the user is authenticated with the AAA server. Because the one-time password changes at certain time intervals, first one or two connections will successfully authenticate, but subsequent connection authentication will fail.