Managing a Cisco PIX with PDM

Enterprise Networks & Servers, Mar 2004 by Welcher, Peter J

This month we're going to take a quick look at the new Cisco graphical interface for PIX configuration, also useful for access list and IPSec VPN configuration and monitoring. This is a graphical article, with some screen captures to give you a feel for what this application for the PIX looks like. My intent is to make more people aware of PDM and what it can do. Due to space limitations, there's no way this article can fully cover the whole PDM graphical interface. I've got a lot more screen captures than will fit into the available space. In fact, I was hoping to also cover the router configuration utility, SDM, but that'll have to wait for another article.

The full sets of screen captures are available in Adobe PDF form online, at the following locations:

www.netcraftsmen.net/welcher/papers/pdm-3.0-cap.pdf

www.netcraftsmen.net/welcher/papers/sdm-1.1-cap.pdf

I hope these are useful to those who are curious about these tools, but don't have time or equipment to take a quick look. I'd like to have annotated the screen captures, but that's really the role of somebody who is documenting them in detail. It's probably a good thing more images don't fit. After all, we wouldn't want this article to become the high-tech version of "boring slides from my summer vacation."

What Is PDM?

PIX Device Manager is a graphical user interface (GUI) that manages a single Cisco PIX Firewall. PDM uses certificates and HTTPS (HTTP over SSL) to securely access, configure, and monitor a PIX Firewall from your PC.

I sometimes come at things from a large-shop perspective, where the command line (CLI) rules, because of the need to manage many devices. There have been various Cisco GUI tools for easy configuration of various devices. Sometimes these have been a bit limited or clunky, or clearly intended as getting-started tools for folks new to Cisco. I've got to say I was favorably impressed with PDM. No, it doesn't manage more than one PIX. But it sure looks like the configuration tools in PDM give you nice visibility into how it is configured, and the monitoring tools provide a very nice way to keep tabs on what the PIX is doing at any given time. For multi-PIX sites, the CLI or the PIX Management Center in CiscoWorks may still be the way to go. But even there PDM may be useful as a graphical alternative to show commands.

PIX Device Manager (PDM) consists of a signed Java applet bundled with the PIX operating system software. You access PDM via HTTPS from a Java-capable web browser on a PC or other desktop computer. No PC installation is needed. PDM started appearing with PIX OS 6.0 and 6.1 (PDM version 1.x), PIX OS 6.2 came with PDM version 2.x, and version 3.x comes with PIX OS 6.3. You can also separately install PDM if you need to by copying it to flash.

Paraphrasing parts of the well-written Overview part of the Installation Guide, PDM has the following components.

* PDM Startup Wizard - Creates a basic configuration to get you started.

* VPN Wizard - Creates a basic VPN configuration, easily setting up remote access VPN or site-to-site VPN.

* Configuration GUI - Uses forms to configure most aspects of the PIX.

* Monitoring and Reporting Tools - View real-time and historical data, summaries of network activity, resource utilization, and event logs.

* Graphical Tools - Creates graphical summary reports showing real-time usage, security events, and network activity, including performance and trend analysis. Data from each graph can be displayed in increments you select (10 second snapshot, last 10 minutes, last 60 minutes, last 12 hours, last 5 days) and refreshed at user-defined intervals. You can view multiple graphs simultaneously to do side-by-side analysis.

Types of graphs available include the following.

System graphs: Detailed status information on the PIX Firewall, including blocks used and free, current memory utilization, and CPU utilization.

Connection graphs: Real-time session and performance data about connections, address translations, authentication, authorization, and accounting (AAA) transactions, URL filtering requests, etc.

Intrusion Detection System (IDS): Various graphs that display potentially malicious activity, including IDS-based signature information on activity such as IP attacks, Internet Control Message Protocol (ICMP) requests, and Portmap requests.

Interface graphs: Real-time monitoring of your bandwidth usage by interface, including incoming and outgoing packet rates, counts, and errors, as well as bit, byte, and collision counts.

* Syslog Viewer - View specific syslog message types by choosing a logging level.

I hope that sounds interesting. There is one caveat, the usual one for GUI tools for Cisco devices. Pick your configuration tool and stick to it. PDM does track CLI configuration changes. But if you use PIX Management Center or CiscoSecure Policy Manager, they think they're in charge, and they may well overwrite any configuration done via PDM.

The Cisco Web pages for PDM can be found at www.cisco.com/en/US/partner/products/sw/netmgtsw/ps2032/index.html. A PDF form of the online help is linked there as the User Guide. Poking around in that document is another way to familiarize yourself with PDM. However, since that document is the online help for PDM, it shows no screen captures, so you may want to read it with a downloaded copy of my full screen captures document open alongside.


 

Content provided in partnership with ProQuest