This action might not be possible to undo. Are you sure you want to continue?
PIX Device Manager is a graphical user interface (GUI) that manages a single Cisco PIX Firewall. PDM uses certificates and HTTPS (HTTP over SSL) to securely access, configure, and monitor a PIX Firewall from your PC. There have been various Cisco GUI tools for easy configuration of various devices. Sometimes these have been a bit limited or clunky, or clearly intended as getting-started tools for folks new to Cisco. I've got to say I was favorably impressed with PDM. No, it doesn't manage more than one PIX. But it sure looks like the configuration tools in PDM give you nice visibility into how it is configured, and the monitoring tools provide a very nice way to keep tabs on what the PIX is doing at any given time. For multi-PIX sites, the CLI or the PIX Management Center in CiscoWorks may still be the way to go. But even there PDM may be useful as a graphical alternative to show commands. PIX Device Manager (PDM) consists of a signed Java applet bundled with the PIX operating system software. You access PDM via HTTPS from a Java-capable web browser on a PC or other desktop computer. No PC installation is needed. PDM started appearing with PIX OS 6.0 and 6.1 (PDM version 1.x), PIX OS 6.2 came with PDM version 2.x, and version 3.x comes with PIX OS 6.3. You can also separately install PDM if you need to by copying it to flash. Paraphrasing parts of the well-written Overview part of the Installation Guide, PDM has the following components:
• • • • •
PDM Startup Wizard — Creates a basic configuration to get you started. VPN Wizard — Creates a basic VPN configuration easily setting up remote access VPN or site-to-site VPN. Configuration GUI — Uses forms to configure most aspects of the PIX. Monitoring and Reporting Tools — View real-time and historical data, summaries of network activity, resource utilization, and event logs. Graphical Tools — Creates graphical summary reports showing real-time usage, security events, and network activity, including performance and trend analysis. Data from each graph can be displayed in user-selected increments you select (10 second snapshot, last 10 minutes, last 60 minutes, last 12 hours, last 5 days) and refreshed at user-defined intervals. You can view multiple graphs simultaneously to do side-by-side analysis. Types of graphs available include: System graphs: Detailed status information on the PIX Firewall, including blocks used and free, current memory utilization, and CPU utilization. o Connection graphs: Real-time session and performance data about connections, address translations, authentication, authorization, and accounting (AAA) transactions, URL filtering requests, etc. o Intrusion Detection System (IDS): Various graphs to display potentially malicious activity, including IDSbased signature information displays activity such as IP attacks, Internet Control Message Protocol (ICMP) requests, and Portmap requests. o Interface graphs: Real-time monitoring of your bandwidth usage by interface, including incoming and outgoing packet rates, counts, and errors, as well as bit, byte, and collision counts. Syslog Viewer — View specific syslog message types by choosing a logging level.
I hope that sounds interesting. There is one caveat, the usual one for GUI tools for Cisco devices. Pick your configuration tool and stick to it. PDM does track CLI configuration changes. But if you use PIX Management Center or CiscoSecure Policy Manager, they think they're in charge, and they may well overwrite any configuration done via PDM.
The Cisco web pages for PDM can be found at http://www.cisco.com/en/US/partner/products/sw/netmgtsw/ps2032/index.html. A PDF form of the online help is linked there as the User Guide. Poking around in that document is another way to familiarize yourself with PDM. However, since that document is the online help for PDM, it shows no screen captures, so you may want to read it with a downloaded copy of my full screen captures document open alongside.
PDM Orientation Tour
I decided to skip the splash screen. It's pretty, but not very informative! Our tour starts with the real part of PDM, the functional user interface. When you first launch PDM, it comes up showing the Home screen. (Note the Home icon is selected). The tools row shows the other main sub-areas of PDM, namely Configuration and Monitoring.
As you can see, the PDM GUI is fairly self-explanatory. Home is a dashboard showing what the PIX is doing, at a high level. The PDM menus also have some functionality not visible in the GUI. The File menu allows you to load a changed running configuration from the PIX. You can also show the running config in a window, or save to flash or a TFTP server. Rules and Search we'll see a bit more of in a moment. Tools allow CLI entry of commands, also PING. And you can set up service groups (groups of TCP/UDP ports for use in access lists and other rules). The Wizards menu launches the Startup and VPN Wizards. There are screenshots of a couple of the screens from these Wizards later in this article.
Let's continue the tour by taking a look at the main Configuration screen, shown in the figure below.
You've probably notices that the Rules and Search menus are no longer grayed out. They're used to build up rules for access lists and so on. The various major categories of things you can configure here are represented by the tabs at the top: Access Rules, Translation (NAT) Rules, VPN, Hosts/Networks, and System Properties (other system configuration). Hosts/Networks is where you name hosts or networks, or groups of them, for use in high-level access list rules. The above capture shows the Access Rules tab in PDM. The radio buttons are in effect a submenu, allowing selection of access list rules, AAA rules, or filter rules. (Filter rules filter outbound HTTP, FTP, etc.).
The next stop in our high-level tour is the Monitoring part of PDM, shown in the next screen capture. At the left you'll see categories of things, some of which have been expanded. You select a category and then the variables you can graph show up in the middle field of the screen. In the screen capture an interface was selected, so the middle part shows the performance and troubleshooting variables that can be graphed. You select the variables of interest, click on "Add >>", name the graph, click "Graph It!", and your graph appears. It updates itself as new data comes in.
Far be it from me to disappoint you. The resulting graph is shown in the next screen capture. The format is reminiscent of the now-discontinued QDM, which was a tool I really liked for working with Quality of Service (QoS). I imagine the Java graphing widgets got re-used by the programmers.
I captured the pull-down, so you can see the various time intervals that can be graphed. The last major component in PDM is the Wizards. The following shows the Wizards menu and a screen early in the VPN Wizard's sequence of screens.
And here's a screen from the Startup Wizard:
PDM in More Depth
Now that you've had a chance to get your bearings, let's look at some of the features in PDM in a little more depth. The following capture shows the Rules menu, used for editing access lists and similar rules. You get a similar menu by rightclicking on an entry in the access list.
When you add or edit a rule, the following form allows you to specify what you want. Notice that you can enter IP addresses and masks (shown), or you can use a hostname or a group of hosts / networks, by selecting the appropriate radio button and then picking from a list. (It's generally simpler to create the named hosts and networks and service groups in advance). Note the Apply button. When you've built up a configuration, you can Apply it to the running configuration. A status dialog box provides feedback as the PIX is configured.
If you realize you can use a service group that you didn't create in advance, you can click on the Manage Service Groups button. It brings up the following form:
The idea is to add ports to the list on the right, and then give them a name. (The list shown is rather random). I like putting "tcp" or "udp" in the name, creating service groups named things like "ecommerce1-tcp" for the ports allowed to access the ecommerce1 server(s). Since IPSec VPN configuration has a reputation, let's take a look at the screen capture for the VPN tab in PDM:
You select what you want to configure on the left, and what's currently configured shows up on the right side. You can then add, delete, or edit the rules. This appears somewhat helpful, in that it at least prompts for what you need, and constrains your choices. If you're starting from scratch, IPSec can be somewhat overwhelming! Having said that, it still helps to know your way around IPSec and the commands for configuring it. The GUI here will do the work for you, and it's helpful to a degree, but I'd certainly hesitate to call it an intuitive user interface! The last Configuration tab is System Properties, shown below. On the left are the various Categories of things you can configure through this tab. I've selected the Interfaces item. On the right, it shows the status and configuration of the PIX
interfaces. If I want to make a change, I click on a row (interface), and then edit and I can fill in a form to configure the interface.
To wrap things up, here's the File menu, showing some of the managerial functions for doing things with your configuration.
That concludes our quick screen capture survey of PDM.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.