Foundation and Supplemental Topics
CiscoWorks Management Center for Firewalls Overview
The CiscoWorks Management Center for Firewalls (Firewall MC) enables you to manage the configuration of multiple PIX Firewall devices deployed throughout your network. Firewall MC is a web-based application that provides centralized management for devices on your network and accelerates the deployment of firewalls to protect your network. Some features of Firewall MC are as follows:
To obtain maximum functionality from Firewall MC, you need to understand the following items:
Key Concepts
To use Firewall MC effectively to manage and configure the PIX Firewalls on your network, you need to understand certain key concepts. These concepts fall into the following three categories:
Configuration Hierarchy
All devices managed by Firewall MC are grouped in a hierarchical structure beneath a global group. By placing managed devices in different groups and subgroups, you can simplify your configuration and management tasks because each group can include devices with similar attributes, such as similar access rules and configuration settings. Each device managed by Firewall MC can be a member of only one specific group. A group is composed of one or more of the following items:
Devices inherit properties either from a specific group or individually from a specific device. Inheritance of properties allows your configuration changes to apply to multiple managed devices using less administrative effort.
Configuration Elements
Through Firewall MC, you can configure various characteristics of the managed firewalls deployed throughout your network. These characteristics fall into the following four major categories:
Device settings control specific configuration parameters on your PIX Firewalls, such as interface and routing properties. Access rules regulate network traffic and fall into the two categories shown in Table 14-2. Translation rules define the address translations that your firewalls will perform on network traffic. Building blocks associate names with specific objects, such as subnets, that you can then use when defining rules. All of the configuration elements are explained in detail later in this chapter.
Workflow Process
The workflow process divides configuration changes made using Firewall MC into the following three steps:
A collection of configuration changes made for a specific purpose is called an activity. After you submit an activity to be deployed, it is converted into a set of configuration files known as a job. Finally, the job is scheduled for deployment on the network. A different person can approve each of these steps. Activities and job management are explained in detail later in the chapter.
Supported Devices
Firewall MC Version 1.2.1 supports PIX Firewall Versions 6.0, 6.1, 6.2, and 6.3.x along with the Firewall Service Module (FWSM) Version 1.1.x.
Note: Not all PIX command-line interface (CLI) commands are configurable by using Firewall MC. For a complete list of Firewall MC-supported commands and devices, refer to http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products-device-support-tables-lis186
The following PIX hardware models are supported by Firewall MC Version 1.2.1:
Installation
Firewall MC requires CiscoWorks Common Services to run. Therefore, before you can install Firewall MC, you must install CiscoWorks Common Services (Version 2.2). Common Services provides services for the following:
For CiscoWorks to operate efficiently, your CiscoWorks server and client computers must meet certain hardware requirements.
Server Requirements
When installing Firewall MC, you need to understand the hardware and software requirements for the different components. To support all of the functionality provided by Firewall MC and the underlying CiscoWorks foundation, your CiscoWorks server must meet the following minimum requirements:
Note: Requirements for the CiscoWorks server are frequently updated. For the latest server requirements, refer to the documentation on the Cisco website.
Client Requirements
Although the Firewall MC runs on a server, access to Firewall MC is by a browser running on a client system. Client systems also must meet certain minimum requirements to ensure successful system operation. Your client systems should meet the following minimum requirements:
Along with these requirements, your clients must be running one of the following operating systems:
One final requirement is that your client systems must use one of the following web browsers:
Note: Requirements for the CiscoWorks clients are frequently updated. For the latest client requirements, refer to the documentation on the Cisco website.
PIX Bootstrap Commands
When you initially configure your PIX Firewall, you run the setup command to configure many of the basic components of the operational configuration. The setup command prompts you for the following items:
Besides this information, you must also configure the firewall to allow modification from a browser connection and specify which hosts or network is allowed to initiate these Hypertext Transfer Protocol (HTTP) connections. Complete the following steps to enable the Firewall MC server to update the configuration on your firewall:
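As an added example (not from the book or from Cisco's own documentation), the following PIX 6.x CLI fragment performs the bootstrap step the text describes: it enables the firewall's management server and restricts who may open browser connections to it. The CiscoWorks server address 10.10.20.10 is the one used in the login example later in this chapter; the interface name, the management subnet and the prompt are assumed, and lines beginning with "!" are commentary.

```text
! Assumed: the setup command has already named the inside interface and
! assigned its address, and the CiscoWorks server sits behind that interface
pixfirewall(config)# http server enable
! Permit only the CiscoWorks/Firewall MC server (10.10.20.10, /32) to connect;
! any host not listed here is refused before it can change the configuration
pixfirewall(config)# http 10.10.20.10 255.255.255.255 inside
! Alternative when several management stations share a subnet (assumed 10.10.20.0/24):
! pixfirewall(config)# http 10.10.20.0 255.255.255.0 inside
! Confirm the server state and the permitted hosts, then save so the setting
! survives a reload
pixfirewall(config)# show http
pixfirewall(config)# write memory
```

Keep the permitted host list as narrow as possible: a /32 for the Firewall MC server is the setting to aim for, with a subnet only when a broader set of stations genuinely needs access.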
CiscoWorks
CiscoWorks is the heart of the Cisco family of comprehensive network management tools that allow you to access and manage the advanced capabilities of the Cisco AVVID (Architecture for Voice, Video and Integrated Data) easily. It provides the foundation upon which Firewall MC (and other management center applications such as the AUS) is built. Therefore, before you can access the Firewall MC application, you must first log in to CiscoWorks. To use Firewall MC, you need to understand the following CiscoWorks functionality:
Login Process
To access the applications supported by CiscoWorks, such as Firewall MC and AUS, you must first log in to the CiscoWorks server desktop. The CiscoWorks server desktop is the interface used for CiscoWorks network management applications, such as Firewall MC. To log in to CiscoWorks, you connect to the CiscoWorks desktop using a web browser. By default, the CiscoWorks web server listens on port 1741. So, if your CiscoWorks desktop is on a machine named CW.cisco.com through your Domain Name System (DNS) with an IP address of 10.10.20.10, you could connect to it by entering either of the following Universal Resource Locators (URLs):
Note: You can also enable CiscoWorks to use HTTP over SSL (HTTPS) instead of HTTP. When you install some management centers (such as the Management Center for Cisco Security Agents), they enable HTTPS on CiscoWorks automatically. When HTTPS is enabled, you need to connect to port 1742.
At the initial CiscoWorks window, log in to CiscoWorks by entering a valid username and password (see Figure 14-1).
Figure 14-1. CiscoWorks Login Window
User Authorization Roles
CiscoWorks enables you to define different roles for different users. A role can enable a user to perform specific operations when using CiscoWorks and any of the applications that are built upon CiscoWorks (such as Firewall MC). CiscoWorks supports five different user roles that are relevant to Firewall MC operations (see Table 14-3).
Adding Users
As part of your Firewall MC configuration, you must configure accounts for the various users that need to access Firewall MC. The CiscoWorks Add User window enables you to create new accounts that have access to the CiscoWorks applications. To create a new account in CiscoWorks, perform the following steps:
Firewall MC Interface
Although the Firewall MC user interface is graphical and easy to use, it is helpful to understand how the interface is structured. The Firewall MC user interface is composed of the following major sections (see Figure 14-3):
Figure 14-3. Firewall MC User Interface
Configuration Tabs
The configuration tasks are broken down into the following five major categories:
Note: When you enable workflow, the Deployment tab changes to Workflow.
To access any of the categories, click the tab labeled with the appropriate name. The tabs are located across the top of the Firewall MC display.
Options Bar
After clicking one of the major configuration tabs, the options for that selection are displayed in a list located in the window just below the configuration tabs. Figure 14-3 shows a window in which the Configuration tab has been selected. The options associated with the Configuration tab are as follows:
Click an option to display the information in the content area or a menu of available choices (known as the TOC) on the left side of the Firewall MC interface.
Table of Contents
The table of contents (TOC) is a menu of choices that is displayed on the left side of the Firewall MC interface. It presents a list of suboptions you can select based on the option chosen. As shown in Figure 14-3, for instance, the Configuration > Device Settings option has the following selections:
Path Bar
The path bar provides a visual road map indicating where you are with respect to the Firewall MC interface. It is located above the TOC and below the options bar, and it begins with the text "You Are Here." Figure 14-3 shows a situation in which the value of the path bar is Configuration > Device Settings > Interfaces. This indicates that you performed the following steps to reach the current window:
Instructions Box
Some pages provide you with an Instructions box on the right side of the Firewall MC display. When displayed, this box provides you with a brief overview of the page that you have selected. The Instructions box provides less information than the Help option on the tools bar.
Content Area
The content area displays the information associated with the option that you selected (when no TOC selections are available) or the selection in the TOC that you click.
Scope Bar
The Scope bar displays the object or objects that you have selected using the Object Selector. Figure 14-3 shows a situation in which you have selected the firewall named PIX515A from the Perimeter firewall group, which is part of the Global group. When you perform configuration changes, the Scope bar indicates which devices will receive updated configuration information.
Object Selector
When making configuration changes using Firewall MC, you need to specify to which device or devices you want to apply changes. By clicking the Object Selector, you can select individual firewalls or firewall groups (see Figure 14-4). Any changes that you specify are then applied to that firewall or firewall group. The Scope bar indicates the device or group that you currently have selected.
Figure 14-4. Object Selector
Tools Bar
Located in the upper-right portion of the Firewall MC interface is the Tools bar. The Tools bar has the following options: Click Close to log out of the current Firewall MC user session. Select Help to open another browser window that displays detailed context-sensitive help information on using Firewall MC. Finally, click About to display information about the version of Firewall MC that you are using.
Activity Bar
The activity bar displays activities and Actions icons that vary depending on the information that you are changing. The activity bar is shown only when you are operating in either the Devices or Configuration tabs of the Firewall MC.
The Actions icons that can be shown are as follows:
Note: Some of the activity options are not available unless you enable workflow. Workflow is explained later in the chapter.
Basic User Task Flow
Firewall MC provides you with a flexible graphical user environment in which to manage and configure the firewall devices deployed throughout the network. When you first begin to use Firewall MC, however, you might become confused as to where to start. Therefore, it is helpful to understand the basic user task flow involved in using Firewall MC. The following steps illustrate the basic task flow:
Note: The approval process for configuration changes is disabled by default. If you enable this process (see the "Workflow Setup" section later in the chapter), before you can deploy your changes you will have to follow the approval process for those changes.
Each step is explained in detail in the following sections. Each section is broken down based on the five configuration tabs available in the Firewall MC interface:
Device Management
When using the Firewall MC, all managed devices are members of a group named Global. You also can group your firewalls into subgroups that share similar properties (such as configuration settings or geographic location). Grouping similar devices facilitates management of those devices. You can also import existing configurations into Firewall MC. These activities are accessed through the Devices configuration tab. The tasks in this section include the following:
Managing Groups
Select Devices > Managing Groups to add new groups to the system, modify existing groups, and delete existing groups (see Figure 14-5). When defining group names, it is helpful to use descriptive names that clearly identify the different groups. For example, you may identify your groups based on geographic region or department within the company.
Figure 14-5. Managing Groups
Importing Devices
After defining your device groups, you can then import devices into those groups using the Devices > Import Devices option. When importing devices, you perform the following four basic steps:
You have several options when importing devices into Firewall MC (see Figure 14-6). Table 14-5 explains the various import options that are available.
Figure 14-6. Select Import Type
Figure 14-7. Firewall Contact Information
After specifying all of the characteristics for the device being imported, you will see an Import Status window (see Figure 14-8). This window displays the progress of the actual import process, and it automatically updates itself every 60 seconds. You can also force the window to update by clicking the Refresh button.
Figure 14-8. Import Status Window
Managing Devices
Sometimes you need to remove devices or move them from one group to another. To perform these types of device operations, select Devices > Managing Devices. The Managing Devices window enables you to move a device from one group to another and remove existing devices (see Figure 14-9).
Figure 14-9. Managing Devices
Configuration Tasks
The majority of the tasks that you perform in Firewall MC involve configuration tasks. Configuration settings control individual features of a firewall device. When defining these settings, you can apply them either to a specific firewall or to all of the firewalls in a group by selecting a group instead of an individual firewall. The scope of the changes that you make depends on the object that you select using the Object Selector before making the configuration changes (see the section entitled "Object Selector" earlier in this chapter). These tasks can be broken down into the following categories, each of which is discussed in detail in this section:
Configuring Device Settings
Through the Firewall MC, you can configure many device-specific properties on your managed firewalls. Following are the majority of the device settings that you can configure through Firewall MC:
One common task is changing the properties of the interfaces on the firewalls managed by the Firewall MC software. If you configure a firewall using Setup, it configures only the inside interface. Before you can define the access or translation rules, you must configure the rest of the interfaces on the firewall.
Defining Access Rules
Access rules, which control the traffic that flows through your firewall, are used to define your network security policy. Each access rule is a member of an ordered list of rules that Firewall MC stores in a table. Rules are processed from first to last. A firewall uses the first matching rule to determine whether the traffic is permitted or denied. You can configure the following three types of access rules (see Figure 14-10):
Figure 14-10. Access Rules
Defining Translation Rules
Translation rules enable you to configure and view the address translations that you are using on the network. You can configure the following types of translation rules using Firewall MC:
Note: Firewall MC supports both Network Address Translation (NAT) and Port Address Translation (PAT).
Static translation rules permanently map an internal IP address to a publicly accessible global IP address. These rules assign a host on a higher-security-level interface to a global IP address on a lower-security interface. This enables the hosts from the lower-security zone to communicate with the host from the higher-security zone. Figure 14-11 shows a static translation rule that assigns the local address of a protected host (10.10.10.20/32 on the inside interface) to a global address (192.168.10.20/32 on the outside) that is accessible by external systems.
Figure 14-11. Static Translation Rules
Figure 14-12. Dynamic Translation Rules
Creating Building Blocks
Building blocks enable you to optimize your configuration. Building blocks define groups of objects such as hosts, protocols, or services. You can then issue a command that affects every item in the group by specifying the name of the group. Basically, you can use the names of the building blocks in place of corresponding data values when configuring device settings or defining rules. You can configure the following types of building blocks, each of which is described within this section:
Network Objects
Network objects enable you to group a range of network addresses specified by an IP address and a network mask. These network objects can then be used in access rules and translation rules. In Figure 14-13, the network object named DMZ is associated with the Class C network 172.16.10.0/24.
Figure 14-13. Network Objects
Figure 14-14. Creating a Static Translation Rule
Figure 14-15. Selecting Network Objects
Service Definitions
Service definitions enable you to define objects that associate IP protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) source and destination ports, and Internet Control Message Protocol (ICMP) message types with a specific name (see Figure 14-16). These service definitions are then used in firewall device protocol groups, service groups, and ICMP-type groups, respectively.
Figure 14-16. Service Definitions
Figure 14-17. Selecting Services
Service Groups
Service groups enable you to define objects that associate a name with a group of service definitions (see Figure 14-18). For instance, you can create a service group that permits both HTTPS and Secure Shell (SSH) traffic.
Figure 14-18. Service Groups
AAA Server Groups
AAA server groups enable you to define separate groups of Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) servers that are used for different types of traffic. Traffic will attempt to authenticate with the first server in the AAA server group. If this server is inaccessible, the next server in the group is tried.
Note: You can define 14 AAA server groups, each containing 14 distinct AAA servers, supporting a total of 196 AAA servers.
Address Translation Pools
Address translation pools enable you to associate a name with a group of addresses that will be used to create dynamic address translations for outbound traffic.
When defining an address translation pool, you need to specify the parameters shown in Table 14-6.
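The access rules, static and dynamic translation rules, building blocks and address translation pool described in the preceding sections all end up as PIX CLI commands when Firewall MC deploys a configuration. The following fragment is an added example (not code from the book, from Firewall MC, or from Cisco's documentation) showing what one such generated configuration looks like for PIX 6.2 or later; it reuses the addresses from Figures 14-11 and 14-13 and assumes an interface named dmz, an outbound pool of 192.168.10.100-192.168.10.200, and the object-group names shown. Lines beginning with "!" are commentary.

```text
! Building blocks: a network object for the DMZ (Figure 14-13) and a
! service group bundling HTTPS and SSH, as in the service group example
object-group network DMZ
  network-object 172.16.10.0 255.255.255.0
object-group service MGMT-SERVICES tcp
  port-object eq https
  port-object eq ssh
! Static translation (Figure 14-11): the protected host 10.10.10.20 on the
! inside is reachable from the outside as the global address 192.168.10.20
static (inside,outside) 192.168.10.20 10.10.10.20 netmask 255.255.255.255 0 0
! Identity translation so DMZ hosts keep their own addresses toward the outside
static (dmz,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0 0 0
! Dynamic translation: remaining inside hosts draw from the address
! translation pool (assumed range) for outbound connections
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 192.168.10.100-192.168.10.200 netmask 255.255.255.0
! Access rules are an ordered list evaluated first to last; the first match
! decides, and anything not matched is denied. The narrow permits therefore
! precede the explicit deny, and reordering them would change the policy.
access-list outside_in permit tcp any host 192.168.10.20 object-group MGMT-SERVICES
access-list outside_in permit tcp any object-group DMZ eq www
access-list outside_in deny ip any any
! Bind the ordered list to inbound traffic on the outside interface
access-group outside_in in interface outside
```

Rules on the outside interface refer to global (translated) addresses, which is why the permit for the protected host names 192.168.10.20 rather than 10.10.10.20; the Configuration Differences report described later in the chapter is the place to confirm that the running configuration still matches this deployed policy.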
Figure 14-19. Defining an Address Translation Pool
Generating and Viewing Configuration Information
Selecting Configuration > View Config > Generate Config allows you to generate the configuration for a specific device. The Scope bar indicates for which device the configuration will be generated. Once the configuration is generated, you can then view the information in the content area (see Figure 14-20).
Figure 14-20. Viewing Generated Configuration
MC Settings
Selecting Configuration > MC Settings allows you to control how Firewall MC operates when it discovers commands configured outside of Firewall MC or unsupported and error commands imported into Firewall MC. It also identifies the directories in which imported and deployed configurations will be placed. When configuring the MC settings, you have the following options:
Note: When configuring the AUS, you use the Deployment option to redirect configuration updates to the AUS instead of sending them directly to the managed device.
Deployment Tasks
After you make changes to the configuration for a managed device, you must deploy those changes on the actual firewalls on your network. You have the following two options when you select the Deployment configuration tab:
Note: These are the options available when workflow is not enabled. If workflow is enabled, refer to the "Workflow Setup" section later in the chapter for the options that are available.
Deploy Saved Changes
Select Deployment > Deploy Saved Changes to cause the Firewall MC to generate the updated configuration files for the device or devices specified by the Scope bar. The Generate Summary window initially shows the deployment options as unavailable until the generation process is complete. Once the generation process is finished, you can deploy the changes to your managed firewalls (see Figure 14-21) using the following options:
Figure 14-21. Generate Summary Window
Figure 14-22. Deployment Status Summary Window
Click the View Config link to display the deployed configuration for the managed firewall (see Figure 14-23), or click the View Transcript link to display a window that shows a transcript of all configuration commands that were executed and their success status (see Figure 14-24).
Figure 14-23. Viewing the Config Window
Figure 14-24. Viewing the Deploy Transcript Window
Summary Report
Select Deployment > Status Summary to display the history of the deployment changes that you have made to your managed firewalls (see Figure 14-25).
Figure 14-25. Status Summary Window
Reports
In the Reports tab, you can view the following three reports:
Activity Report
The Activity Report, as the name implies, displays information about the activities or configuration changes that have occurred on the Firewall MC (see Figure 14-26). For each activity, the report provides the following two pieces of information:
Figure 14-26. Activity Report
Configuration Differences Report
The Configuration Differences report enables you to determine if the running configuration on a managed firewall matches the latest configuration that you deployed to it. You can also use this report to determine which managed firewalls have an updated configuration waiting to be deployed. You can generate reports based on the following two options:
Initially, you select the device or group on which you want to check for configuration differences. This displays a window indicating the firewalls that have configuration differences. To view the actual differences, click the View Configuration Differences link next to a specific device. This displays a window outlining the actual configuration differences (see Figure 14-27).
Figure 14-27. Configuration Differences Report
Device Setting Report
The Device Setting Report enables you to view the device settings for a device or device group. Each setting also indicates how the setting was derived. Each setting is determined based on one of the following categories:
You have the following two options when generating this report:
The Show inheritance only option displays a list of all of the device settings, indicating how the setting was derived (see Figure 14-28). The Show inheritance and values option includes the actual values for the settings in addition to how the settings were derived (see Figure 14-29).
Figure 14-28. Show Inheritance Only Device Setting Report
Figure 14-29. Show Inheritance and Values Device Setting Report
Administration Tasks
The administration tasks fall into the following categories:
Workflow Setup
The Firewall MC software enables you to configure firewalls as well as groups of firewalls. By default, when you make changes, they are propagated to your firewalls as soon as you save and deploy the changes. If you enable workflow (by selecting Admin > Workflow Setup), however, there is a distinct process that you must follow to deploy your changes to the appropriate firewalls. This process allows you to track changes down to the individual user that performed the changes. The workflow process establishes the following three distinct steps in the configuration process:
A separate person can be in charge of each step, thus dividing the responsibility for updating the configuration on the managed firewalls. When using workflow, policy changes (known as activities and jobs) regulate the deployment of configuration files. You can require formal approval for activities, jobs, or both. The Firewall MC interface also changes. The Deployment configuration tab is replaced with a Workflow configuration tab (see Figure 14-30).
Figure 14-30. Firewall MC Interface with Workflow Enabled
Note: The various activity options are unavailable unless they are valid for the activity selected. For instance, you cannot approve an activity that has not been submitted.
Creating a job to deploy configuration changes (from specified activities) involves the following steps:
You regulate and manage jobs using the following options:
Note: The various job options are unavailable unless they are valid for the activity selected. For instance, you cannot approve a job that has not been submitted.
Maintenance
Depending on how frequently you perform configuration updates, you may want to remove old activity and job records periodically. Select Admin > Maintenance to configure how often activity and job records are automatically purged from the database (see Figure 14-31). For both activities and jobs, you can specify how old an entry must be before it is automatically removed from the database (the default is 30 days).
Figure 14-31. Maintenance Window
Support
When debugging your system, you may need to obtain some important operational information about your system. Select Admin > Support to run a program specifically designed to collect information to assist in troubleshooting the operation of your Firewall MC system.
CiscoWorks Auto Update Server
Maintaining current images on your managed devices can be a time-consuming task. The AUS is a tool that you can use to upgrade device configuration files and maintain current software images on your managed firewalls. The main advantage of AUS is that it can manage devices that obtain their addresses through Dynamic Host Configuration Protocol (DHCP). Remotely managed PIX Firewalls are often dynamically addressed, which means they cannot be managed by traditional network management servers.
The managed devices use an auto update feature to initiate a management connection periodically to the AUS. The device provides AUS with its current state and device information. The AUS then responds to the device by providing a list of versions of the software images and configuration files that the device should be running. The device compares the file versions with the versions it is running. If there are differences, the device downloads the new versions from the URLs provided by the AUS.
Once the device is up-to-date with the new file versions, it sends AUS its state and device information again.
Some of the major features provided by AUS (Version 1.0) include the following:
AUS Version 1.1 adds new functionality, including the following major features:
Supported Devices
AUS supports PIX Firewalls running Versions 6.0 and later. In addition, AUS supports the following PIX hardware platforms:
Installation
CiscoWorks Common Services (Version 2.2) is required for AUS. The requirements for the CiscoWorks server are described in the "CiscoWorks Management Center for Firewalls Overview" section earlier in this chapter. Once you have the CiscoWorks server built, the installation of AUS is easy and involves the following steps:
Note: AUS operates in unison with the Firewall MC to update the configuration files on firewalls running in auto update mode. AUS and the Firewall MC, however, do not have to be collocated on the same machine. Because of their different roles and responsibilities, these systems are typically installed on separate machines with Firewall MC located in your network operations center (NOC) and the AUS deployed on a demilitarized zone (DMZ) network.
Communication Settings
To configure and use AUS effectively, you need to understand the AUS communication architecture. The following steps describe the interaction between the PIX Firewall, Firewall MC, and AUS (see Figure 14-32).
Figure 14-32. AUS Communication Flow
AUS Activation
To enable your managed firewalls to communicate with the AUS, you need to perform certain configuration changes using Firewall MC. The sequence of the changes is as follows:
Auto Update Server and PIX Firewall Communications
After you configure the PIX Firewall to accept HTTP connections from the AUS, you need to configure the AUS communications parameters on the PIX Firewall by completing the following steps:
PIX Firewall Unique Identification Parameters
When the PIX Firewall communicates with the AUS, the PIX Firewall must uniquely identify itself to the AUS. This unique identification enables the AUS to search its database of current assignments to locate entries that pertain to the specific PIX Firewall that is communicating with it. To configure the PIX Firewall unique identity parameters, complete the following steps:
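The two preceding sections set the AUS communications parameters and the unique identity through Firewall MC; what Firewall MC ultimately deploys to the PIX are the auto-update commands. The following PIX 6.2+ CLI fragment is an added example (not from the book, from Firewall MC, or from Cisco's documentation) of those settings. The AUS address 10.10.30.5, the credentials, the HTTPS port, the servlet path and the polling values are all assumptions; lines beginning with "!" are commentary.

```text
! AUS contact information: the URL carries the account the PIX uses to
! authenticate to the AUS (placeholders), the AUS address and port, and the
! path of the auto-update service on that server (assumed). HTTPS keeps the
! credentials and the downloaded configuration off the wire in clear text.
auto-update server https://aususer:auspassword@10.10.30.5:443/autoupdate/AutoUpdateServlet
! Unique identity the PIX presents so the AUS can find its assignments;
! the hostname is used here (other identifiers are selectable), so it must
! match the device ID recorded for this firewall in Firewall MC and AUS
auto-update device-id hostname
! Poll the AUS every 720 minutes; on failure retry twice, 5 minutes apart.
! The PIX initiates every exchange, which is what lets a DHCP-addressed
! firewall be managed at all.
auto-update poll-period 720 2 5
! Confirm the settings and the time of the last successful contact
show auto-update
! Save so the device keeps polling after a reload
write memory
```

If the device ID here does not match the identity on the AUS side, the PIX will poll successfully but never find an assignment; the Device Summary table on the AUS (described later in this chapter) shows the last contact time and is the quickest check that the two agree.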
Auto Update Server Contact Information
Next you need to specify the contact information for the AUS. The Firewall MC will use this information to communicate with the AUS. To configure the AUS contact information, complete the following steps:
PIX Firewall Configuration Deployment
Finally, you need to configure the Firewall MC to send configuration updates to the AUS instead of the actual device. To specify this configuration change, complete the following steps:
Note: Before changing the deployment parameters, you need to verify that you have deployed the initial AUS configuration information to the managed firewall. Once you change the deployment options, the device will not receive any more updates from the Firewall MC (because the updates are then sent to the AUS). If the managed firewall does not have the AUS settings, it will be unable to obtain any configuration updates.
Auto Update Server Interface
Besides configuring the communication between the AUS, Firewall MC, and your managed firewalls, you also need to understand the AUS interface to use it efficiently. The interface is divided into the following sections (see Figure 14-37):
Figure 14-37. AUS User Interface
Path Bar
The path bar provides a visual road map indicating where you are with respect to the AUS interface. It is located below the options bar and begins with the text "You Are Here." Figure 14-37 shows a situation in which the value of the path bar is Assignments > Assign Images to a Device. This indicates that you performed the following steps to reach the current window:
Options Bar
After clicking one of the major configuration tabs, the options for that selection are displayed in a list that is located on the screen just below the configuration tabs. Figure 14-37 shows a window in which the user clicked the Assignments tab. The options associated with the Assignments tab are as follows:
Configuration Tabs
The configuration tasks are broken down into the following five major categories:
To access one of the categories, click the tab labeled with the appropriate name. The tabs are located across the top of the AUS display.
Tools Bar
Located at the upper-right portion of the AUS interface is the tools bar. From the tools bar, you can access the following items:
Click Logout to end the current AUS user session. Click Help to open another browser window that displays detailed, context-sensitive help for using AUS. Finally, click About to display information about the version of AUS that you are using.
Instructions Box
Some pages provide an Instructions box on the right side of the AUS display. When displayed, this box gives a brief overview of the page that you have selected; it provides less information than the Help option on the tools bar.
Content Area
The content area is the portion of the window in which you perform application tasks.
Configuring Devices
Click the Devices tab to display the Device Summary table (see Figure 14-38). The table lists all of the PIX Firewalls being managed by the AUS and provides information such as the device ID, platform family, and the last time that the PIX Firewall contacted the AUS (see Table 14-7). To sort the table by a specific column, click the column name. You can also filter the information displayed by using the drop-down menus for Family, Type, or Device Status. Another way to limit the number of entries displayed is to search for specific devices by entering a text search string.
Figure 14-38. Device Summary Table
Configuring Images
The AUS enables you to manage the following items for your managed firewalls: PIX Firewall software images, PDM images, and PIX Firewall configuration files.
In the Images configuration tab, you can add or delete both PIX Firewall software images and PDM images (see Figure 14-39). PIX Firewall configuration files cannot be added through this tab; they reach the AUS only when they are deployed from Firewall MC. Table 14-8 describes the fields in the Software Images table.
Figure 14-39. Software Images Table
Configuring Assignments
When a new image becomes available, you can perform the following steps:
Click the Assignments tab to assign image files to specific managed firewalls. You have two options when assigning images to your managed firewalls: Assign Images to a Device and Assign an Image to Devices.
Assign Images to a Device
The Assign Images to a Device option displays the images assigned to your managed devices in a table sorted by device ID (see Figure 14-40). Besides viewing the currently assigned images, you can assign a different image to a specific device, selected by its device ID.
Figure 14-40. Device Assignment Summary Table
Assign an Image to Devices
The Assign an Image to Devices option displays the images assigned to your managed devices in a table sorted by image name (see Figure 14-41). You can also assign a specific image listed in the table to one or more managed devices.
Figure 14-41. Image Assignment Summary Table
Reports
The Reports tab enables you to view the reports supported by AUS. The AUS supports two types of reports: the System Info Report and the Event Report.
System Info Report
The System Info Report displays general system information about the AUS along with statistics for the last 24 hours (see Figure 14-42). The information provided by the System Info Report includes the following:
Figure 14-42. System Info Report
Event Report
The Event Report displays information about the devices that have contacted the AUS (see Figure 14-43). Each entry in the report represents an event and the result of that event. Events can also be notifications from the managed firewalls indicating errors, such as problems with a downloaded configuration file. Some of the events that you may observe are shown in Table 14-9.
Figure 14-43. Event Report
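The Device Summary table records when each firewall last contacted the AUS, and the Event Report records whether each download succeeded or failed. Read together, they answer the question raised by the note under PIX Firewall Configuration Deployment: once Firewall MC hands deployment over to the AUS, is every managed firewall actually polling and applying what it receives? The Python script below, added here as an illustration and not part of this chapter or of the AUS product, runs those two checks over constructed records. The record layouts, field names, event names, poll-period values, and sample rows are all assumptions made up for the example; this page does not describe any export format for AUS tables, and the event names are not those of Table 14-9.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DeviceRecord:
    """One row modelled on the Device Summary table (assumed field names)."""
    device_id: str
    family: str                       # platform family, e.g. "PIX"
    poll_period: timedelta            # assumed: the poll interval configured on the firewall
    last_contact: Optional[datetime]  # None if the device has never contacted the AUS


@dataclass(frozen=True)
class EventRecord:
    """One row modelled on the Event Report (assumed field names)."""
    timestamp: datetime
    device_id: str
    event: str      # what happened, e.g. an image or configuration download
    result: str     # "SUCCESS" or "FAILURE"
    detail: str     # free text accompanying an error notification


# Constructed sample data; the IDs, times and messages are made up.
NOW = datetime(2004, 3, 1, 12, 0)

DEVICES = [
    DeviceRecord("pix-dmz-01", "PIX", timedelta(hours=12), NOW - timedelta(hours=3)),
    DeviceRecord("pix-branch-07", "PIX", timedelta(hours=12), NOW - timedelta(days=3)),
    # Deployment was switched to AUS before the AUS settings reached this device,
    # so it has never polled: the failure mode the note above warns about.
    DeviceRecord("pix-lab-02", "PIX", timedelta(hours=1), None),
]

EVENTS = [
    EventRecord(NOW - timedelta(hours=5), "pix-dmz-01", "CONTACT", "SUCCESS", ""),
    EventRecord(NOW - timedelta(hours=3), "pix-dmz-01", "CONFIG_DOWNLOAD", "SUCCESS", ""),
    EventRecord(NOW - timedelta(days=3, hours=1), "pix-branch-07", "CONFIG_DOWNLOAD", "FAILURE",
                "configuration file rejected by device"),
    EventRecord(NOW - timedelta(days=3), "pix-branch-07", "IMAGE_DOWNLOAD", "FAILURE",
                "image file not found on server"),
]


def stale_devices(devices: List[DeviceRecord], now: datetime,
                  missed_polls: int = 2) -> List[Tuple[str, Optional[timedelta]]]:
    """Return (device_id, overdue) for every device that has missed more than
    missed_polls consecutive polls, or that has never contacted the AUS (overdue None)."""
    stale = []
    for d in devices:
        if d.last_contact is None:
            stale.append((d.device_id, None))
            continue
        overdue = (now - d.last_contact) - missed_polls * d.poll_period
        if overdue > timedelta(0):
            stale.append((d.device_id, overdue))
    return stale


def failures_by_device(events: List[EventRecord]) -> Dict[str, List[str]]:
    """Collect FAILURE results per device, oldest first, as 'EVENT: detail' strings."""
    failures: Dict[str, List[str]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.result == "FAILURE":
            failures[e.device_id].append(f"{e.event}: {e.detail}")
    return dict(failures)


def aus_health_report(devices, events, now, missed_polls=2):
    """Combine both checks into one summary keyed by device ID, so a device that
    is silent and whose last contact ended in a failed download stands out."""
    stale = dict(stale_devices(devices, now, missed_polls))
    failures = failures_by_device(events)
    return {
        d.device_id: {
            "stale": d.device_id in stale,
            "overdue": stale.get(d.device_id),
            "failures": failures.get(d.device_id, []),
        }
        for d in devices
    }


if __name__ == "__main__":
    for device_id, status in aus_health_report(DEVICES, EVENTS, NOW).items():
        flag = "STALE" if status["stale"] else "ok"
        print(f"{device_id:14} {flag:5} overdue={status['overdue']} failures={len(status['failures'])}")
```

Run stand-alone, the script prints one line per device. The `missed_polls` threshold is a deliberate choice, not anything the AUS enforces: one late poll is normal when a device uses its retry settings, so the check only raises a device that is more than two full poll periods behind, while a device with no contact at all is always reported because it can never receive a configuration from the AUS.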
Administrative Tasks
The Administrative tab enables you to change the following characteristics of the AUS: the NAT settings and the database password.
The NAT Settings option enables you to configure the actual address of the AUS server along with a NAT address. This option is used when the AUS server is separated from the managed devices by a NAT device. The Database Password Change option lets you change the password that is used to authenticate access to the AUS database.