Cisco Support Community
New Member

Best practice to document the Pix Firewall Configuration.

Hi there!!

I'd like to know what's the best practice to document the PIX firewall configuration. Nowadays I'm using Excel to do it, but I don't know if this is the best way.

Which are you guys using to document your firewall configuration???

My best regards,

Adriano Porcaro

Cisco CCNA

6 REPLIES
Silver

Re: Best practice to document the Pix Firewall Configuration.

Personally I cut and paste my configs into a text file. Not only do I have it for reference if needed, but I can quickly paste it back in if the firewall crashes and loses its config or needs replacing. It also helps to make changes easier, as you can edit the text file and paste in the new config.

Steve

New Member

Re: Best practice to document the Pix Firewall Configuration.

Kiwi cattools www.kiwisyslog.com

This rocks. I use it daily for 302 devices; it backs them all up in just minutes to flat text files and creates nice reports. The free version is limited in device numbers, but licenses are cheap.

New Member

Re: Best practice to document the Pix Firewall Configuration.

I cut and paste it into an Excel file, one column is the config (one cell per line), and then I put a column next to it for comments - very useful for remembering just what certain access-lists refer to, or which customers are served by which object-group.

And it's easy to do version control that way, as well as being able to cut and paste it right back to a terminal emulator if I need to fix something.

Tim Metzinger

Nortel Government Solutions (yes I manage Cisco gear)

New Member

Re: Best practice to document the Pix Firewall Configuration.

copy run tftp

I've run into problems when cutting & pasting large configs. This way, nothing gets lost in translation.

New Member

Re: Best practice to document the Pix Firewall Configuration.

One of my staff came up with a great idea of placing the interfaces on a circle, which is a good visual of interfaces or trust relationships. So you can see who can talk to whom as you move from the most trusted to least trusted, 0-9, because you might not catch that you have some DMZs that can talk to each other that you didn't intend to. For example, because a more trusted interface is allowed to talk to a less trusted interface, an inside web server could establish a connection to a DMZ server you didn't want possible.

Example:

Interface 0 can talk to 1-9, and interface 2 can talk to 3-9 but not interface 1 or 0; follow the circle around and you can visualize the flow.

Hope this helps.

Ben
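
The trust circle Ben describes can be generated straight from the config instead of drawn by hand. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.x-style `nameif ... securityN` lines from a constructed sample config, orders the interfaces from most to least trusted, computes which interface can initiate to which under the default rule (higher security level to lower, never equal or lower to higher), and flags the DMZ-to-DMZ paths that are easy to miss in a flat listing. The interface names and levels in the sample are made up.

```python
# Added example (not from the thread): derive the "who can initiate to whom"
# matrix that Ben's circle visualises, from PIX 6.x-style nameif lines.
# Default PIX behaviour assumed here: traffic may be initiated from a higher
# security level to a lower one; equal levels and lower-to-higher are denied
# unless an access-list or static explicitly permits them.
import re

# Constructed sample config fragment (not a real device's configuration).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 partner security50
nameif ethernet4 web-dmz security30
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$", re.M)

def parse_security_levels(config: str) -> dict:
    """Return {interface_name: security_level} from the nameif lines."""
    return {name: int(level) for name, level in NAMEIF_RE.findall(config)}

def default_initiation_matrix(levels: dict) -> dict:
    """Return {src: sorted dsts} that src may reach by default (higher -> lower)."""
    return {src: sorted(dst for dst, dl in levels.items() if dl < sl)
            for src, sl in levels.items()}

def trust_circle(levels: dict) -> list:
    """Interfaces ordered most trusted to least, as laid out on the circle."""
    return sorted(levels, key=lambda n: (-levels[n], n))

def dmz_to_dmz_paths(levels: dict) -> list:
    """(src, dst) pairs among the middle interfaces (neither level 0 nor 100)
    where src can initiate to dst by default: the DMZ-to-DMZ paths to review."""
    mids = {n: lvl for n, lvl in levels.items() if 0 < lvl < 100}
    matrix = default_initiation_matrix(mids)
    return sorted((s, d) for s, dsts in matrix.items() for d in dsts)

def render(levels: dict) -> str:
    """Human-readable documentation block for the config notes."""
    lines = ["Trust order (most -> least): " + " > ".join(trust_circle(levels))]
    for src, dsts in default_initiation_matrix(levels).items():
        lines.append(f"{src:10s} (sec {levels[src]:3d}) -> {', '.join(dsts) or '(nothing)'}")
    for s, d in dmz_to_dmz_paths(levels):
        lines.append(f"CHECK: {s} can initiate to {d} by default; intended?")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(parse_security_levels(SAMPLE_CONFIG)))
```

Paste the rendered block into the comments column next to the config; the CHECK lines are the DMZ-to-DMZ paths worth confirming against the access-lists.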

Gold

Re: Best practice to document the Pix Firewall Configuration.

If you copy a config straight from a terminal window, you only get hashed-out passwords w/ PIX. If you use the copy command, you get the actual password.

I wrote a script that every night goes out to all Cisco devices, saves the configs to NVRAM and writes them across the network via tftp. I also just noticed PIX OS 7.0 supports copy tftp start finally.. woohoo!!
