Managing a Cisco PIX with PDM
This month we're going to take a quick look at the new Cisco graphical interface for PIX configuration, which is also useful for access list and IPSec VPN configuration and for monitoring. This is a graphical article, with some screen captures to give you a feel for what this application for the PIX looks like. My intent is to make more people aware of PDM and what it can do. Due to space limitations, there's no way this article can fully cover the whole PDM graphical interface. I've got a lot more screen captures than will fit into the available space. In fact, I was hoping to also cover the router configuration utility, SDM, but that'll have to wait for another article.
The full sets of screen captures are available in Adobe PDF form online, at the following locations:
I hope these are useful to those who are curious about these tools, but don't have time or equipment to take a quick look. I'd like to have annotated the screen captures, but that's really the role of somebody who is documenting them in detail. It's probably a good thing more images don't fit. After all, we wouldn't want this article to become the high-tech version of "boring slides from my summer vacation".
What Is PDM?
PIX Device Manager is a graphical user interface (GUI) that manages a single Cisco PIX Firewall. PDM uses certificates and HTTPS (HTTP over SSL) to securely access, configure, and monitor a PIX Firewall from your PC.
I sometimes come at things from a large-shop perspective, where the command line (CLI) rules, because of the need to manage many devices. There have been various Cisco GUI tools for easy configuration of various devices. Sometimes these have been a bit limited or clunky, or clearly intended as getting-started tools for folks new to Cisco. I've got to say I was favorably impressed with PDM. No, it doesn't manage more than one PIX. But it sure looks like the configuration tools in PDM give you nice visibility into how it is configured, and the monitoring tools provide a very nice way to keep tabs on what the PIX is doing at any given time. For multi-PIX sites, the CLI or the PIX Management Center in CiscoWorks may still be the way to go. But even there PDM may be useful as a graphical alternative to show commands.
PIX Device Manager (PDM) consists of a signed Java applet bundled with the PIX operating system software. You access PDM via HTTPS from a Java-capable web browser on a PC or other desktop computer. No PC installation is needed. PDM started appearing with PIX OS 6.0 and 6.1 (PDM version 1.x), PIX OS 6.2 came with PDM version 2.x, and version 3.x comes with PIX OS 6.3. You can also separately install PDM if you need to by copying it to flash.
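Before the applet can be loaded, the PIX itself has to be told to serve it, and that is where the security-relevant decisions get made: which interface and which hosts may reach the HTTPS server. The following is an added example of the PIX 6.3 CLI involved, not configuration from the article or from Cisco's documentation; the hostname, domain, 10.0.0.0/24 management subnet, TFTP server address, and the pdm-304.bin file name are assumptions for illustration. Lines beginning with "!" are annotations for the reader, not PIX commands.

```text
! Optional: load (or upgrade) the PDM image into flash from a TFTP server.
! The file name is illustrative; use the PDM release that matches your PIX OS.
copy tftp://10.0.0.50/pdm-304.bin flash:pdm

! The RSA key pair used for SSL is named after hostname.domain-name,
! so set both before generating the key, then save the key to flash.
hostname pix1
domain-name example.com
ca generate rsa key 1024
ca save all

! Enable the embedded HTTPS server and permit ONLY the management subnet
! on the inside interface. Do not open it on the outside interface; for
! remote administration, reach the inside address over a VPN instead.
http server enable
http 10.0.0.0 255.255.255.0 inside

! Tell PDM which networks sit behind which interface, so the
! Hosts/Networks tab and the Home dashboard can show them.
pdm location 10.0.0.0 255.255.255.0 inside
```

To check the result: "show version" lists the PDM image in flash and whether the DES/3DES activation key is present (PDM's SSL session needs at least DES), and "show http" lists the hosts and networks that are allowed to connect. Anything not covered by an "http" line is dropped before it ever reaches the HTTPS server, which is the behavior you want on a firewall.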
Paraphrasing parts of the well-written Overview part of the Installation Guide, PDM has the following components:
- PDM Startup Wizard — Creates a basic configuration to get you started.
- VPN Wizard — Creates a basic VPN configuration easily setting up remote access VPN or site-to-site VPN.
- Configuration GUI — Uses forms to configure most aspects of the PIX.
- Monitoring and Reporting Tools — View real-time and historical data, summaries of network activity, resource utilization, and event logs.
- Graphical Tools — Creates graphical summary reports showing real-time usage, security events, and network activity, including performance and trend analysis. Data from each graph can be displayed in increments you select (10 second snapshot, last 10 minutes, last 60 minutes, last 12 hours, last 5 days) and refreshed at user-defined intervals. You can view multiple graphs simultaneously to do side-by-side analysis. Types of graphs available include:
- System graphs: Detailed status information on the PIX Firewall, including blocks used and free, current memory utilization, and CPU utilization.
- Connection graphs: Real-time session and performance data about connections, address translations, authentication, authorization, and accounting (AAA) transactions, URL filtering requests, etc.
- Intrusion Detection System (IDS) graphs: Various graphs displaying potentially malicious activity matched by the PIX's built-in IDS signatures, such as IP attacks, Internet Control Message Protocol (ICMP) requests, and Portmap requests.
- Interface graphs: Real-time monitoring of your bandwidth usage by interface, including incoming and outgoing packet rates, counts, and errors, as well as bit, byte, and collision counts.
- Syslog Viewer — View specific syslog message types by choosing a logging level.
I hope that sounds interesting. There is one caveat, the usual one for GUI tools for Cisco devices. Pick your configuration tool and stick to it. PDM does track CLI configuration changes. But if you use PIX Management Center or CiscoSecure Policy Manager, they think they're in charge, and they may well overwrite any configuration done via PDM.
The Cisco web pages for PDM can be found at http://www.cisco.com/en/US/partner/products/sw/netmgtsw/ps2032/index.html. A PDF form of the online help is linked there as the User Guide. Poking around in that document is another way to familiarize yourself with PDM. However, since that document is the online help for PDM, it shows no screen captures, so you may want to read it with a downloaded copy of my full screen captures document open alongside.
PDM Orientation Tour
I decided to skip the splash screen. It's pretty, but not very informative!
Our tour starts with the real part of PDM, the functional user interface. When you first launch PDM, it comes up showing the Home screen. (Note the Home icon is selected). The tools row shows the other main sub-areas of PDM, namely Configuration and Monitoring.
As you can see, the PDM GUI is fairly self-explanatory. Home is a dashboard showing what the PIX is doing, at a high level.
The PDM menus also have some functionality not visible in the GUI. The File menu allows you to load a changed running configuration from the PIX. You can also show the running config in a window, or save it to flash or to a TFTP server. Rules and Search we'll see a bit more of in a moment. Tools allows entry of CLI commands, and also Ping. And you can set up service groups (groups of TCP/UDP ports for use in access lists and other rules). The Wizards menu launches the Startup and VPN Wizards. There are screenshots of a couple of the screens from these Wizards later in this article.
Let's continue the tour by taking a look at the main Configuration screen, shown in the figure below.
You've probably noticed that the Rules and Search menus are no longer grayed out. They're used to build up rules for access lists and so on. The various major categories of things you can configure here are represented by the tabs at the top: Access Rules, Translation (NAT) Rules, VPN, Hosts/Networks, and System Properties (other system configuration). Hosts/Networks is where you name hosts or networks, or groups of them, for use in high-level access list rules.
The above capture shows the Access Rules tab in PDM. The radio buttons are in effect a submenu, allowing selection of access list rules, AAA rules, or filter rules. (Filter rules filter outbound HTTP, FTP, etc.).
The next stop in our high-level tour is the Monitoring part of PDM, shown in the next screen capture. At the left you'll see categories of things, some of which have been expanded. You select a category and then the variables you can graph show up in the middle field of the screen. In the screen capture an interface was selected, so the middle part shows the performance and troubleshooting variables that can be graphed. You select the variables of interest, click on "Add >>", name the graph, click "Graph It!", and your graph appears. It updates itself as new data comes in.
Far be it from me to disappoint you. The resulting graph is shown in the next screen capture. The format is reminiscent of the now-discontinued QDM, which was a tool I really liked for working with Quality of Service (QoS). I imagine the Java graphing widgets got re-used by the programmers.
I captured the pull-down, so you can see the various time intervals that can be graphed.
The last major component in PDM is the Wizards. The following shows the Wizards menu and a screen early in the VPN Wizard's sequence of screens.
And here's a screen from the Startup Wizard:
PDM In More Depth
Now that you've had a chance to get your bearings, let's look at some of the features in PDM in a little more depth. The following capture shows the Rules menu, used for editing access lists and similar rules. You get a similar menu by right-clicking on an entry in the access list.
When you add or edit a rule, the following form allows you to specify what you want. Notice that you can enter IP addresses and masks (shown), or you can use a hostname or a group of hosts / networks, by selecting the appropriate radio button and then picking from a list. (It's generally simpler to create the named hosts and networks and service groups in advance).
Note the Apply button. When you've built up a configuration, you can Apply it to the running configuration. A status dialog box provides feedback as the PIX is configured.
If you realize you can use a service group that you didn't create in advance, you can click on the Manage Service Groups button. It brings up the following form:
The idea is to add ports to the list on the right, and then give them a name. (The list shown is rather random). I like putting "tcp" or "udp" in the name, creating service groups named things like "ecommerce1-tcp" for the ports allowed to access the ecommerce1 server(s).
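It helps to know what the access rule form, the Hosts/Networks groups, and the service groups turn into on the PIX, both to sanity-check what PDM applies and because "show running-config" is what you'll be reading when something doesn't work. The following is an added example of the PIX 6.2/6.3 CLI behind rules like the ones described above; it is not taken from the article or from a PDM-generated configuration. The addresses, the group names (the "ecommerce1-tcp" name follows the naming convention mentioned in the text), and the access list name are assumptions for illustration. Lines beginning with "!" are annotations, not commands.

```text
! Publish two inside web servers on outside (global) addresses.
static (inside,outside) 203.0.113.5 192.168.10.5 netmask 255.255.255.255
static (inside,outside) 203.0.113.6 192.168.10.6 netmask 255.255.255.255

! Hosts/Networks group. Note it holds the GLOBAL addresses: on PIX 6.x an
! access list applied inbound on "outside" is checked before translation,
! so it must match the translated (outside) address, not the real one.
object-group network ecommerce1-servers
  network-object host 203.0.113.5
  network-object host 203.0.113.6

! Service group. The protocol keyword (tcp, udp or tcp-udp) is part of the
! group definition, which is why a "-tcp" suffix in the name is handy.
object-group service ecommerce1-tcp tcp
  port-object eq www
  port-object eq https

! The access rule itself, then bind it inbound on the outside interface.
! The implicit deny at the end drops everything not listed.
access-list outside_access_in permit tcp any object-group ecommerce1-servers object-group ecommerce1-tcp
access-group outside_access_in in interface outside
```

To check what PDM actually applied, "show access-list" expands the object groups into the individual entries and shows a hit count for each, and "show object-group" lists the groups themselves. A rule with a hit count that never moves while the application is failing is a quick sign that the rule is matching the wrong (real versus global) address.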
Since IPSec VPN configuration has a reputation, let's take a look at the screen capture for the VPN tab in PDM:
You select what you want to configure on the left, and what's currently configured shows up on the right side. You can then add, delete, or edit the rules. This appears somewhat helpful, in that it at least prompts for what you need, and constrains your choices. If you're starting from scratch, IPSec can be somewhat overwhelming! Having said that, it still helps to know your way around IPSec and the commands for configuring it. The GUI here will do the work for you, and it's helpful to a degree, but I'd certainly hesitate to call it an intuitive user interface!
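Since the VPN tab is a front end for the IPSec commands, here is what a minimal site-to-site tunnel looks like in the PIX 6.3 CLI, so that you can recognize the pieces the GUI prompts for (policy, transform set, crypto map, interesting traffic). This is an added example, not configuration from the article or produced by the VPN Wizard; the 10.0.0.0/24 and 10.2.0.0/24 networks, the peer address 203.0.113.2, the pre-shared key, and all object names are assumptions for illustration. Lines beginning with "!" are annotations, not commands.

```text
! "Interesting traffic": what gets encrypted to the branch, and excluded
! from NAT so the private addresses are preserved inside the tunnel.
access-list branch-vpn permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list branch-vpn

! Phase 1 (ISAKMP/IKE): peer authentication and the IKE SA parameters.
isakmp enable outside
isakmp identity address
isakmp key UseALongRandomSecretHere address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPSec): how the data is protected, tied to the peer and the
! interesting-traffic list through a crypto map bound to the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map branchmap 10 ipsec-isakmp
crypto map branchmap 10 match address branch-vpn
crypto map branchmap 10 set peer 203.0.113.2
crypto map branchmap 10 set transform-set strong
crypto map branchmap interface outside

! Lets decrypted VPN traffic bypass the outside interface access list.
! Convenient, but it means the branch is trusted as if it were inside;
! omit this and permit the traffic explicitly if that's not what you want.
sysopt connection permit-ipsec
```

"show crypto isakmp sa" tells you whether Phase 1 completed with the peer, and "show crypto ipsec sa" shows the Phase 2 SAs with packet counts in each direction, which is the first place to look when a tunnel is "up" but traffic isn't flowing. 3DES requires the 3DES activation key on the PIX; "show version" shows whether it is present.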
The last Configuration tab is System Properties, shown below. On the left are the various Categories of things you can configure through this tab. I've selected the Interfaces item. On the right, it shows the status and configuration of the PIX interfaces. If I want to make a change, I click on a row (interface), then Edit, and I can fill in a form to configure the interface.
To wrap things up, here's the File menu, showing some of the managerial functions for doing things with your configuration.
That concludes our quick screen capture survey of PDM.
I hope you're as impressed with PDM as I was. SDM is a similar tool for configuring IPSec and security aspects of routers. It's on an earlier release, 1.1. The GUI has many of the same elements as PDM, but the overall look and feel are a bit more web than Java applet. Next month's article may be on SDM. If you're dying to see what it looks like, follow the link at the beginning of this article to the posted screen captures.
I'd like to thank Michelle Cormier and the Cisco office in Columbia, Maryland for allowing me to use their equipment for these screen captures.
I have the feeling IP Telephony is going to start re-appearing in these articles. I and some of our other folks have been immersed in various IP Telephony projects, so IPT has certainly been on my mind. We've been involved in Call Manager, Unity unified voice mail, Cisco call center deployments, on the Cisco side. I've been involved in the network side of a large-scale (10,000 seat) Nortel IP telephony deployment, focussing on QoS and Security to support the IP telephony. One of our other folks has been helping integrate an Avaya system with a Cisco switched network. We're glad to be in the thick of this activity, and I think we should be able to pass along some of what we've seen and learned.
If you have comments or suggestions for future articles, please do email me (address below).
Copyright (C) 2004 Peter J. Welcher