Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
546
Views
0
Helpful
6
Replies

Best practice to document the Pix Firewall Configuration.

aporcaro01
Level 1
Level 1

‎01-12-2006 05:11 AM - edited ‎02-21-2020 12:38 AM

Hi there!!

I'd like to know what's the best practice to document the pix firewall configuration. Nowadays I'm using the Excel to do it, but I don't know if this is the best way.

Which are you guys using to document your firewall configuratin???..

My best regards,

Adriano Porcaro

Cisco CCNA

0 Helpful
6 Replies 6

stomasko
Level 4
Level 4

‎01-12-2006 06:11 AM

Personally I cut and paste my config's into a text file. Not only do I have it for reference if needed but I can quickly paste it back in if the firewall crashes and loses config or needs replaced. Also helps to make changes easier as you can edit the text file and paste in the new config.

Steve

0 Helpful

itchampnz
Level 1
Level 1
In response to stomasko

‎01-13-2006 12:06 PM

Kiwi cattools www.kiwisyslog.com

This rocks. I use it daily for 302 devices, backs them all up in just minutes to flat text files and creates nice reports. Free version is limited to device numbers, but licenses are cheap......

0 Helpful

tim.metzinger
Level 1
Level 1

‎01-13-2006 01:22 PM

I cut and paste it into an Excel file, one column is the config (one cell per line), and then I put a column next to it for comments - very useful for remembering just what certain access-lists refer to, or which customers are served by which object-group.

And it's easy to do version control that way, as well as being able to cut and paste it right back to a terminal emulator if I need to fix something.

Tim Metzinger

Nortel Government Solutions (yes I manage Cisco gear)

0 Helpful

fernandess
Level 1
Level 1

‎01-19-2006 01:20 PM

copy run tftp

I've run into problems when cutting & pasting large configs. This way, nothing gets lost in translation.

0 Helpful

ben.chaltraw
Level 1
Level 1

‎01-19-2006 06:59 PM

One of my staff came up with a great idea of placing the interfaces on a circle, which is a good visual of interfaces or trust relationships. So you can see who can talk to who as you move from the most trusted to least trusted. 0-9, because you might not catch that you have some DMZ's that can talk to each other that you didn't intend to. For example because a more trusted interface is allowed to talk to an less trusted interface, an inside web server could establish a connection to a DMZ server you didn't want possible.

Example:

Interface 0 can talk to 1-9, and interface 2 can talk to 3-9 but not interface 1 or 0, follow the circle around and you can visulaize the flow.

Hope this helps.

Ben

0 Helpful

srue
Level 7
Level 7
In response to ben.chaltraw

‎01-20-2006 07:02 AM

if you copy a config straight from a terminal window, you only get hashed out passwords w/ PIX. If you using the copy command, you get the actual password.

I wrote a script that every nite goes out to all cisco devices, and saves the configs to NVRAM and writes them across the network via tftp. I also just noticed PIX OS 7.0 supports copy tftp start finally.. woohoo!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card