Introduction
This month we're going to take a quick look at the new Cisco graphical interface for PIX configuration, also useful for access list and IPSec VPN configuration and monitoring. This is a graphical article, with some screen captures to give you a feel for what this application for the PIX looks like. My intent is to make more people aware of PDM and what it can do. Due to space limitations, there's no way this article can fully cover the whole PDM graphical interface. I've got a lot more screen captures than will fit into the available space. In fact, I was hoping to also cover the router configuration utility, SDM, but that'll have to wait for another article.
The full sets of screen captures are available in Adobe PDF
form online, at the following locations:
I hope these are useful to those who are curious about these tools, but don't have time or equipment to take a quick look. I'd like to have annotated the screen captures, but that's really the role of somebody who is documenting them in detail. It's probably a good thing more images don't fit. After all, we wouldn't want this article to become the high-tech version of "boring slides from my summer vacation".
What Is PDM?
PIX Device Manager is a graphical user interface (GUI) that manages a single Cisco PIX Firewall. PDM uses certificates and HTTPS (HTTP over SSL) to securely access, configure, and monitor a PIX Firewall from your PC.
I sometimes come at things from a large-shop perspective,
where the command line (CLI) rules, because of the need to manage many
devices. There have been various Cisco GUI tools for easy configuration
of various devices. Sometimes these have been a bit limited or clunky,
or clearly intended as getting-started tools for folks new to Cisco.
I've got to say I was favorably impressed with PDM. No, it doesn't
manage more than one PIX. But it sure looks like the configuration
tools in PDM give you nice visibility into how it is configured, and
the monitoring tools provide a very nice way to keep tabs on what the
PIX is doing at any given time. For multi-PIX sites, the CLI or the PIX
Management Center in CiscoWorks may still be the way to go. But even
there PDM may be useful as a graphical alternative to show commands.
PIX Device Manager (PDM) consists of a signed Java applet bundled with
the PIX operating system software. You access PDM via HTTPS from
a Java-capable web browser on a PC or other desktop computer. No
PC installation is needed. PDM started appearing with PIX OS 6.0 and
6.1 (PDM version 1.x), PIX OS 6.2 came with PDM version 2.x, and
version 3.x comes with PIX OS 6.3. You can also separately install PDM
if you need to by copying it to flash.
Paraphrasing parts of the well-written Overview part of the
Installation Guide, PDM has the following components:
- PDM Startup Wizard — Creates a basic configuration to get you started.
- VPN Wizard — Creates a basic VPN configuration, easily setting up remote access VPN or site-to-site VPN.
- Configuration GUI — Uses forms to configure most aspects of the PIX.
- Monitoring and Reporting Tools — View real-time and historical data, summaries of network activity, resource utilization, and event logs.
- Graphical Tools — Creates graphical summary reports showing real-time usage, security events, and network activity, including performance and trend analysis. Data from each graph can be displayed in increments you select (10 second snapshot, last 10 minutes, last 60 minutes, last 12 hours, last 5 days) and refreshed at user-defined intervals. You can view multiple graphs simultaneously to do side-by-side analysis. Types of graphs available include:
  - System graphs: Detailed status information on the PIX Firewall, including blocks used and free, current memory utilization, and CPU utilization.
  - Connection graphs: Real-time session and performance data about connections, address translations, authentication, authorization, and accounting (AAA) transactions, URL filtering requests, etc.
  - Intrusion Detection System (IDS) graphs: Various graphs to display potentially malicious activity, including IDS signature-based displays of activity such as IP attacks, Internet Control Message Protocol (ICMP) requests, and Portmap requests.
  - Interface graphs: Real-time monitoring of your bandwidth usage by interface, including incoming and outgoing packet rates, counts, and errors, as well as bit, byte, and collision counts.
- Syslog Viewer — View specific syslog message types by choosing a logging level.
I hope that sounds interesting. There is one caveat, the usual one for GUI tools for Cisco devices: pick your configuration tool and stick to it. PDM does track CLI configuration changes. But if you use PIX Management Center or CiscoSecure Policy Manager, they think they're in charge, and they may well overwrite any configuration done via PDM.
The Cisco web pages for PDM can be found at http://www.cisco.com/en/US/partner/products/sw/netmgtsw/ps2032/index.html.
A PDF form of the online help is linked there as the User Guide. Poking
around in that document is another way to familiarize yourself with
PDM. However, since that document is the online help for PDM, it
shows no screen captures, so you may want to read it with a downloaded
copy of my full screen captures document open alongside.
PDM Orientation Tour
I decided to skip the splash screen. It's pretty, but not very
informative!
Our tour starts with the real part of PDM, the functional user
interface. When you first launch PDM, it comes up showing the Home
screen. (Note the Home icon is selected). The tools row shows the other
main sub-areas of PDM, namely Configuration and Monitoring.

As you can see, the PDM GUI is fairly self-explanatory. Home is a
dashboard showing what the PIX is doing, at a high level.
The PDM menus also have some functionality not visible in the
GUI. The File menu allows you to load a changed running configuration
from the PIX. You can also show the running config in a window, or save
to flash or a TFTP server. Rules and Search we'll see a bit more of in
a moment. Tools allows CLI entry of commands, also PING. And you can
set up service groups (groups of TCP/UDP ports for use in access lists
and other rules). The Wizards menu launches the Startup and VPN
Wizards. There are screenshots of a couple of the screens from these
Wizards later in this article.
Let's continue the tour by taking a look at the main
Configuration screen, shown in the figure below.

You've probably noticed that the Rules and Search menus are no longer grayed out. They're used to build up rules for access lists and so on. The various major categories of things you can configure here are represented by the tabs at the top: Access Rules, Translation (NAT) Rules, VPN, Hosts/Networks, and System Properties (other system configuration). Hosts/Networks is where you name hosts or networks, or groups of them, for use in high-level access list rules.
The above capture shows the Access Rules tab in PDM. The radio buttons
are in effect a submenu, allowing selection of access list rules, AAA
rules, or filter rules. (Filter rules filter outbound HTTP, FTP, etc.).
The next stop in our high-level tour is the Monitoring part of
PDM, shown in the next screen capture. At the left you'll see
categories of things, some of which have been expanded. You select a
category and then the variables you can graph show up in the middle
field of the screen. In the screen capture an interface was selected,
so the middle part shows the performance and troubleshooting variables
that can be graphed. You select the variables of interest, click on
"Add >>", name the graph, click "Graph It!", and your graph
appears. It updates itself as new data comes in.

Far be it from me to disappoint you. The resulting graph is
shown in the next screen capture. The format is reminiscent of the
now-discontinued QDM, which was a tool I really liked for working with
Quality of Service (QoS). I imagine the Java graphing widgets got
re-used by the programmers.

I captured the pull-down, so you can see the various time
intervals that can be graphed.
The last major component in PDM is the Wizards. The following
shows the Wizards menu and a screen early in the VPN Wizard's sequence
of screens.

And here's a screen from the Startup Wizard:

PDM In More Depth
Now that you've had a chance to get your bearings, let's look at some of the features in PDM in a little more depth. The following capture shows the Rules menu, used for editing access lists and similar rules. You get a similar menu by right-clicking on an entry in the access list.

When you add or edit a rule, the following form allows you to specify
what you want. Notice that you can enter IP addresses and masks
(shown), or you can use a hostname or a group of hosts / networks,
by selecting the appropriate radio button and then picking from a
list. (It's generally simpler to create the named hosts and networks
and service groups in advance).
Note the Apply button. When you've built up a configuration,
you can Apply it to the running configuration. A status dialog box
provides feedback as the PIX is configured.

If you realize you can use a service group that you didn't create in
advance, you can click on the Manage Service Groups button. It brings
up the following form:

The idea is to add ports to the list on the right, and then give them a
name. (The list shown is rather random). I like putting "tcp" or "udp"
in the name, creating service groups named things like "ecommerce1-tcp"
for the ports allowed to access the ecommerce1 server(s).
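As an added illustration of what the named host, service group and access rule built in the forms above look like once PDM has applied them to the PIX, here is the equivalent PIX 6.x CLI configuration. This is my own example, not a capture from PDM or from the article's lab; the server name, the 192.0.2.10 address and the port list are assumed, and the server is assumed to already be reachable at that address (a static translation, if needed, would come from the Translation Rules tab).

```text
! Enable the use of names in place of IP addresses, then name the host
! (Hosts/Networks tab). Address is a documentation-range placeholder.
names
name 192.0.2.10 ecommerce1

! Service group using the "-tcp" naming convention suggested above
! (Manage Service Groups form). Only the ports the public actually
! needs on this server go in here.
object-group service ecommerce1-tcp tcp
  port-object eq www
  port-object eq https

! Access rule (Access Rules tab): anyone on the outside may reach
! ecommerce1, but only on the grouped ports. An explicit logged deny
! makes the implicit deny visible in the Syslog Viewer and IDS/connection
! graphs, which is useful when checking that nothing else is exposed.
access-list outside_in permit tcp any host ecommerce1 object-group ecommerce1-tcp
access-list outside_in deny ip any any log

! Apply the list inbound on the outside interface
access-group outside_in in interface outside

! Checks after clicking Apply (or from Tools > Command Line):
!   show running-config   - confirm the rule appears as built above
!   show access-list      - per-entry hit counts show the rule is in use
```

Because PDM tracks CLI changes, an entry added this way shows up in the Access Rules table on the next refresh, which is the easiest way to confirm the GUI and the running configuration agree.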
Since IPSec VPN configuration has a reputation, let's take a
look at the screen capture for the VPN tab in PDM:

You select what you want to configure on the left, and what's currently
configured shows up on the right side. You can then add, delete, or
edit the rules. This appears somewhat helpful, in that it at least
prompts for what you need, and constrains your choices. If you're
starting from scratch, IPSec can be somewhat overwhelming! Having said
that, it still helps to know your way around IPSec and the commands for
configuring it. The GUI here will do the work for you, and it's helpful
to a degree, but I'd certainly hesitate to call it an intuitive user
interface!
The last Configuration tab is System Properties, shown below.
On the left are the various Categories of things you can configure
through this tab. I've selected the Interfaces item. On the right, it
shows the status and configuration of the PIX interfaces. If I want to
make a change, I click on a row (interface), then Edit, and I can fill
in a form to configure the interface.

To wrap things up, here's the File menu, showing some of the managerial
functions for doing things with your configuration.

That concludes our quick screen capture survey of PDM.
Summary
I hope you're as impressed with PDM as I was. SDM is a similar tool for
configuring IPSec and security aspects of routers. It's on an earlier
release, 1.1. The GUI has many of the same elements as PDM, but the
overall look and feel are a bit more web than Java applet. Next month's
article may be on SDM. If you're dying to see what it looks like,
follow the link at the beginning of this article to the posted screen
captures.
I'd like to thank Michelle Cormier and the Cisco office in
Columbia,
Maryland for allowing me to use their equipment for these screen
captures.
I have the feeling IP Telephony is going to start re-appearing
in these articles. I and some of our other folks have been immersed in
various IP
Telephony projects, so IPT has certainly been on my mind. We've been
involved in Call Manager, Unity
unified voice mail, Cisco call center deployments, on the Cisco side.
I've been involved in the network side of a large-scale (10,000 seat)
Nortel IP telephony deployment, focussing on QoS and Security to
support the IP telephony. One of our other folks has been helping
integrate an Avaya system with a Cisco switched network. We're glad to
be in the thick of this activity, and I think we should be able to pass
along some of what we've seen and learned.
If you have comments or suggestions for future articles, please do
email me (address below).
Dr. Peter J. Welcher (CCIE #1773, CCSI #94014, CCIP) is a
Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a
high-end consulting firm and Cisco Premier Partner dedicated to quality
consulting and knowledge transfer. NetCraftsmen has eight CCIE's, with
expertise including large network high-availability routing/switching
and design, VoIP, QoS, MPLS, IPSec VPN, wireless LAN and
bridging, network management, security, IP multicast, and other
areas. See
http://www.netcraftsmen.net for more information about
NetCraftsmen. Pete's links start at
http://www.netcraftsmen.net/welcher . New articles will be posted
under the Articles link. Questions, suggestions for articles, etc. can
be sent to pjw
<at> netcraftsmen <dot> net.
2/6/2004
Copyright (C) 2004 Peter J. Welcher