Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

CWVMS 2.2 and PIX MC

I have installed CWVMS 2.2 and I made the upgrade for PIX MC from 1.1.3 to 1.2. The Import process report no errors and warnings, Generate and Deploy was O.K , but in Configuration it’s not the Pix configuration.

What is the idea ? To introduce in the PIX MC the configuration for PIX and export to PIX , or vice-versa ?

What is the advantage from PDM which is free ?




Re: CWVMS 2.2 and PIX MC

PDM is generally used in small environments to configure a few firewalls. When the environment to be managed gets larger customers often find that they need a central configuration management tool that defines multiple security policies across different groups of firewalls. In addition larger environments often have more strict change audit procedures and needs for granular access control.

Firewall MC provides a device grouping hierarchy that allows for inheritance of settings from the global group to sub-groups down to the device level. Mandatory settings cannot be changed at lower levels, default settings can be over ridden at lower levels. The optional Workflow feature allows the change process to be controlled such that there are different users that can change settings, approve changes, deploy changes, and approve deployments. If your do not require a rigid change-audit procedure, this feature can be disabled.

Finally with Cisco Secure ACS integration very granular role based access control as well as network virtualization allows users to have specific privileges based on their user role over only the subset of devices which they need to manage.

Focusing on the changes made by Firewall MC after import and re-deployment. Changes to the original configuration are made to enable the policy based configuration across multiple devices. There are also optimization features that will try to improve the configuration. After the first generation and deployment, only the configuration deltas will be pushed out. As a best practice, if this is a new installation, bootstrapping the firewall, and then importing into VMS is recommended. After it has been imported into VMS, use VMS to make and push out all configuration changes. While PDM and the CLI are useful in small production and lab environments, they don't easily lend themselves to a centralized policy based management approach.

Hope this helps.

Community Member

Re: CWVMS 2.2 and PIX MC

Not sure what you mean by "Configuration it’s not the Pix configuration".

Importing a device into Firewall MC and then generating a config may change the representation because of translation considerations. The Firewall MC config should be functionally equivalent.

Community Member

Re: CWVMS 2.2 and PIX MC

The PIX configuration from Firewall MC is not the same with real PIX configuration , even after Import process.

CreatePlease to create content