CiscoWorks Auto Update Server

Maintaining current images on your managed devices can be a time-consuming task. The AUS is a tool that you can use to upgrade device configuration files and maintain current software images on your managed firewalls. The main advantage of AUS is that it can manage devices that obtain their addresses through Dynamic Host Configuration Protocol (DHCP). Remotely managed PIX Firewalls are often dynamically addressed, which means they cannot be managed by traditional network management servers.

The managed devices use an auto update feature to initiate a management connection periodically to the AUS. The device provides AUS with its current state and device information. The AUS then responds to the device by providing a list of versions of the software images and configuration files that the device should be running. The device compares the file versions with the versions it is running. If there are differences, the device downloads the new versions from the URLs provided by the AUS. Once the device is up to date with the new file versions, it sends AUS its state and device information again.

Some of the major features provided by AUS (Version 1.0) include the following:

  • Web-based interface for maintaining multiple PIX Firewalls

  • Support for PIX Firewall Version 6.0 and later (Version 6.2 and later for AUS Version 1.1)

  • Support for dynamically addressed PIX Firewalls

  • Support for up to 1000 PIX Firewalls

AUS Version 1.1 adds new functionality, including the following major features:

  • Installation on Solaris

  • Additional report formats

  • Support for configuration files

Supported Devices

AUS supports PIX Firewalls running Versions 6.0 and later. In addition, AUS supports the following PIX hardware platforms:

  • PIX 501

  • PIX 506/506E

  • PIX 515/515E

  • PIX 525

  • PIX 535

Installation

CiscoWorks Common Services (Version 2.2) is required for AUS. The requirements for the CiscoWorks server are described in the “CiscoWorks Management Center for Firewalls Overview” section earlier in this chapter. Once you have the CiscoWorks server built, the installation of AUS is easy and involves the following steps:

  1. Insert the AUS CD into the CD drive on the CiscoWorks server. If autorun is enabled, the installation process starts automatically. If not, you must locate the setup.exe file and run it. Once the installation process starts, the Welcome window is displayed.

  2. Click Next. The software license window is displayed.

  3. If you agree to the software license agreement, click Yes. (If you click No, the installation process will stop.) The system requirements window is displayed.

  4. Click Next. The Verification window is displayed.

  5. Click Next. A popup window is displayed that asks if you want to change the AUS database password. Click Yes to change the password.

  6. Click Finish. The AUS installation is now complete.

NOTE

AUS operates in unison with the Firewall MC to update the configuration files on firewalls running in auto update mode. AUS and the Firewall MC, however, do not have to be collocated on the same machine. Because of their different roles and responsibilities, these systems are typically installed on separate machines with Firewall MC located in your network operations center (NOC) and the AUS deployed on a demilitarized zone (DMZ) network.

Communication Settings

To configure and use AUS effectively, you need to understand the AUS communication architecture. The following steps describe the interaction between the PIX Firewall, Firewall MC, and AUS (see Figure 14-32).

  1. The Firewall MC deploys a configuration file to the AUS.

  2. At a configured polling interval, the managed PIX Firewall contacts the AUS to determine if there are any pending updates.

  3. The AUS sends a list of image files and/or configuration files that the PIX Firewall should be running.

  4. The PIX Firewall checks its configuration and image against the information provided by the AUS. If the PIX Firewall is not using the most current files, it requests the updated files from the AUS.

  5. The needed files are downloaded to the PIX Firewall.

Figure 14-32 AUS Communication Flow
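The five-step exchange above, simulated end to end as an added example. This is not Cisco's code and not the real AUS wire protocol (which carries XML over HTTPS); the message fields, device ID, file names, versions, URL scheme and checksums here are all constructed. The event names the simulated device reports are the ones listed later in the Event Report table, and the corrupt-download case shows why a DOWNLOAD-SUCCESS entry does not by itself mean the file was installed:

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# ----- Constructed AUS side ---------------------------------------------------
# Files the (hypothetical) AUS holds, keyed by file name. Contents are made up.
AUS_FILES: Dict[str, bytes] = {
    "pix631.bin": b"constructed PIX Firewall image 6.3(1)",
    "pdm301.bin": b"constructed PDM image 3.0(1)",
    "pix-branch-01.cfg": b"hostname pix-branch-01\n! constructed config, revision 12\n",
}

# Current assignments per device ID: file type -> (file name, version).
AUS_ASSIGNMENTS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "pix-branch-01": {
        "pix": ("pix631.bin", "6.3(1)"),
        "pdm": ("pdm301.bin", "3.0(1)"),
        "config": ("pix-branch-01.cfg", "rev12"),
    },
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def aus_list_files(device_id: str) -> List[dict]:
    """Step 3: answer a poll with the files the device should be running."""
    assigned = AUS_ASSIGNMENTS.get(device_id, {})
    return [
        {
            "type": ftype,
            "name": name,
            "version": version,
            "url": f"https://aus.example.invalid/autoupdate/{name}",  # constructed
            "checksum": sha256(AUS_FILES[name]),
        }
        for ftype, (name, version) in assigned.items()
    ]


def aus_fetch(url: str) -> bytes:
    """Step 5: serve a file by the URL handed out in the file list."""
    return AUS_FILES[url.rsplit("/", 1)[1]]


# ----- Device side -------------------------------------------------------------
def pending_updates(running: Dict[str, str], wanted: List[dict]) -> List[dict]:
    """Step 4: keep only the files whose version differs from what is running."""
    return [f for f in wanted if running.get(f["type"]) != f["version"]]


def device_poll(
    device_id: str,
    running: Dict[str, str],
    list_files: Callable[[str], List[dict]] = aus_list_files,
    fetch: Callable[[str], bytes] = aus_fetch,
) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """One auto update cycle (steps 2 to 5). Returns the device's new running
    versions and the events it would report, named as in the AUS Event Report."""
    running = dict(running)
    events: List[Tuple[str, str]] = []
    try:
        wanted = list_files(device_id)
    except Exception as exc:  # connectivity or credential problem
        return running, [("CONNECT-FAILURE", str(exc))]
    events.append(("CONNECT-SUCCESS", device_id))
    for f in pending_updates(running, wanted):
        try:
            data = fetch(f["url"])
        except Exception:
            events.append(("DOWNLOAD-FAILURE", f["name"]))
            continue
        # DOWNLOAD-SUCCESS only says the bytes arrived, not that they were installed.
        events.append(("DOWNLOAD-SUCCESS", f["name"]))
        # Verify before installing: a mismatch is the "invalid checksum for
        # downloaded image" case under GENERAL-DEVICE-ERROR, and the running
        # version is left untouched.
        if sha256(data) != f["checksum"]:
            events.append(("GENERAL-DEVICE-ERROR", f"invalid checksum for {f['name']}"))
            continue
        running[f["type"]] = f["version"]
    return running, events


# Constructed starting state: PIX image and config are behind, PDM is current.
START = {"pix": "6.2(2)", "pdm": "3.0(1)", "config": "rev11"}


def demo_clean() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    return device_poll("pix-branch-01", START)


def demo_corrupt() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    # A transport that corrupts every download, to exercise the checksum check.
    return device_poll("pix-branch-01", START, fetch=lambda url: b"truncated")


if __name__ == "__main__":
    for label, (state, events) in (("clean", demo_clean()), ("corrupt", demo_corrupt())):
        print(label, state)
        for event in events:
            print("  ", *event)
```

Run it and compare the two runs: in the clean run only the two out-of-date files are fetched and the PDM image (already current) is skipped; in the corrupt run every download is reported as DOWNLOAD-SUCCESS followed by GENERAL-DEVICE-ERROR and the device keeps its old versions, which is the pattern to look for in the Event Report when a device never seems to come up to date.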

AUS Activation

To enable your managed firewalls to communicate with the AUS, you need to perform certain configuration changes using Firewall MC. The sequence of the changes is as follows:

  1. From the PIX console, enable the firewall to accept HTTP connections from the AUS.

  2. From Firewall MC, configure the following items:

    • AUS and PIX Firewall communications

    • PIX Firewall unique identification parameters

    • AUS contact information

  3. Deploy the updated configuration to the managed firewall.

  4. From Firewall MC, modify the PIX Firewall Configuration Deployment options so that configuration updates are sent to the AUS server instead of the device.

Auto Update Server and PIX Firewall Communications

After you configure the PIX Firewall to accept HTTP connections from the AUS, you need to configure the AUS communications parameters on the PIX Firewall by completing the following steps:

  1. Log in to CiscoWorks, and launch Firewall MC.

  2. Choose Configuration > Device Settings to access the device configuration settings.

  3. If workflow is enabled, you need to select an existing activity or create a new activity from the activity bar.

  4. Use the Object Selector to select a specific group or device.

  5. Select Auto Update Server > Device AUS Settings from the TOC. The Device AUS Settings window is displayed (see Figure 14-33).

Figure 14-33 Device AUS Settings Window

  6. Check the Enable Auto Update Server check box.

  7. Enter the unique ID (username) the PIX Firewall will use to contact the AUS in the Username field.

  8. Enter the password for the username specified.

  9. Confirm the password by entering it in the Confirm Password field.

  10. Enter the number of minutes in the Poll Period field (the default is 720 minutes). This parameter specifies the time that the PIX Firewall will wait between connections to the AUS to check for updates.

  11. Enter the number of times that the PIX Firewall will try to contact the AUS (if the initial attempt fails) in the Poll Retry Count field (the default is 0).

  12. Enter the number of minutes between poll retries in the Poll Retry Period field (the default is 5 minutes).

  13. If you want the PIX Firewall to deactivate itself if an update is not received in a specified number of minutes, check the Deactivate Device if no update for check box and specify the number of minutes.

  14. Click Apply.

PIX Firewall Unique Identification Parameters

When the PIX Firewall communicates with the AUS, the PIX Firewall must uniquely identify itself to the AUS. This unique identification enables the AUS to search its database of current assignments to locate entries that pertain to the specific PIX Firewall that is communicating with it. To configure the PIX Firewall unique identity parameters, complete the following steps:

  1. Log in to CiscoWorks, and launch Firewall MC.

  2. Choose Configuration > Device Settings to access the device configuration settings.

  3. If workflow is enabled, you need to select an existing activity or create a new activity from the activity bar.

  4. Use the Object Selector to select a specific group or device.

  5. Select Auto Update Server > Unique Identity from the TOC. The Device Unique Identity window is displayed (see Figure 14-34).

Figure 14-34 Device Unique Identity Window

  6. Choose the unique identifier by selecting the radio button next to one of the following items:

    • Hostname

    • IP Address

    • MAC Address

    • Hardware Serial Number

    • User-Defined String

  7. Click Apply.

Auto Update Server Contact Information

Next you need to specify the contact information for the AUS. The Firewall MC will use this information to communicate with the AUS. To configure the AUS contact information, complete the following steps:

  1. Log in to CiscoWorks, and launch Firewall MC.

  2. Choose Configuration > Device Settings to access the device configuration settings.

  3. If workflow is enabled, you need to select an existing activity or create a new activity from the activity bar.

  4. Use the Object Selector to select a specific group or device.

  5. Select Auto Update Server > Server and Contact Information from the TOC. The Server and Contact Information window is displayed (see Figure 14-35).

Figure 14-35 AUS Server and Contact Information Window

  6. Enter the directory path where the updates are stored on the AUS (the default path is Autoupdate/AutoUpdateServlet).

  7. Enter the IP address of the AUS server.

  8. Enter the port (default 443).

  9. In the Username field, enter the CiscoWorks username that Firewall MC will use to communicate with the AUS.

  10. In the Password field, enter the password for the username specified.

  11. In the Confirm Password field, confirm the password by entering it again.

  12. Click Apply.

PIX Firewall Configuration Deployment

Finally, you need to configure the Firewall MC to send configuration updates to the AUS instead of the actual device. To specify this configuration change, complete the following steps:

  1. Log in to CiscoWorks, and launch Firewall MC.

  2. Choose Configuration > MC Settings to access the Firewall MC configuration settings.

  3. If workflow is enabled, you need to select an existing activity or create a new activity from the activity bar.

  4. Use the Object Selector to select a specific group or device.

  5. Select Deployment from the TOC. The Deployment window is displayed (see Figure 14-36).

Figure 14-36 Deployment Window

  6. Select the Auto Update Server radio button.

  7. Click Apply.

NOTE

Before changing the deployment parameters, you need to verify that you have deployed the initial AUS configuration information to the managed firewall. Once you change the deployment options, the device will not receive any more updates from the Firewall MC (because the updates are then sent to the AUS). If the managed firewall does not have the AUS settings, it will be unable to obtain any configuration updates.

Auto Update Server Interface

Besides configuring the communication between the AUS, Firewall MC, and your managed firewalls, you also need to understand the AUS interface to use it efficiently. The interface is divided into the following sections (see Figure 14-37):

  • Path bar

  • Options bar

  • Configuration tabs

  • Tools bar

  • Instructions box

  • Content area

NOTE

You access the AUS by first logging in to CiscoWorks (refer to the “CiscoWorks” section earlier in the chapter). After logging in to CiscoWorks, you launch the AUS by clicking the AUS option in the VPN/Security Management Solution drawer.

Figure 14-37 AUS User Interface

Path Bar

The path bar provides a visual road map indicating where you are with respect to the AUS interface. It is located below the options bar and begins with the text “You Are Here.”

Figure 14-37 shows a situation in which the value of the path bar is Assignments > Assign Images to a Device. This indicates that you performed the following steps to reach the current window:

  1. You clicked the Assignments tab.

  2. You clicked the Assign Images to a Device option.

Options Bar

After clicking one of the major configuration tabs, the options for that selection are displayed in a list that is located on the screen just below the configuration tabs. Figure 14-37 shows a window in which the user clicked the Assignments tab. The options associated with the Assignments tab are as follows:

  • Assign Images to a Device

  • Assign an Image to Devices

Configuration Tabs

The configuration tasks are broken down into the following five major categories:

  • Devices—Displays summary information about devices

  • Images—Provides information about PIX Firewall software images, PDM images, and configuration files and allows you to add and delete PIX Firewall software images and PDM images

  • Assignments—Allows you to view and change device-to-image assignments and image-to-device assignments

  • Reports—Displays reports

  • Admin—Enables you to perform administrative tasks, such as configuring NAT settings and changing your database password

To access one of the categories, click the tab labeled with the appropriate name. The tabs are located across the top of the AUS display.

Tools Bar

Located at the upper-right portion of the AUS interface is the tools bar. From the tools bar, you can access the following items:

  • Logout

  • Help

  • About

Click Logout to log out of the current AUS user session. Click Help to open another browser window that displays detailed context-sensitive help information for using AUS. Finally, click the About option to display information about the version of AUS that you are using.

Instructions Box

Some pages provide you with an Instructions box on the right side of the AUS display. When displayed, this box provides you with a brief overview of the page that you have selected. The Instructions box provides less information than that provided through the Help option on the tools bar.

Content Area

The content area is the portion of the window in which you perform application tasks.

Configuring Devices

Click the Devices tab to display the Device Summary table (see Figure 14-38). The table shows all of the PIX Firewalls being managed by the AUS. The table provides information such as the device ID, platform family, and the last time that the PIX Firewall contacted the AUS (see Table 14-7). To sort the table by a specific column, click the name of a column. You can also filter the information displayed by using the drop-down menus for Family, Type, or Device Status. Another option for limiting the number of entries displayed is to search for specific devices by entering a textual search string.

Table 14-7 Device Summary Table Parameters

  • Device ID—Displays the name the firewall uses to identify itself to the AUS.

  • Family—Series to which the firewall belongs (such as PIX)

  • Type—The type of device within the device family (such as PIX 515)

  • Up to Date—Indicates whether the device is running the latest files

  • Last Contact—Indicates the last time that the firewall contacted the AUS

Figure 14-38 Device Summary Table

Configuring Images

The AUS enables you to manage the following items for your managed firewalls:

  • PIX Firewall images

  • PDM images

  • PIX Firewall configuration files

In the Images configuration tab, you can add or delete both PIX Firewall software images and PDM images (see Figure 14-39). PIX Firewall configuration files can be added to AUS only by deploying them from Firewall MC. Table 14-8 describes the fields in the Software Images table.

Table 14-8 Software Images Table Parameters

  • Image Name—Name of the image that is stored in AUS

  • Type—Type of image (either PIX image, PDM image, or configuration file)

  • Version—Version of the image

  • Create Timestamp—Time the image was added to AUS

  • No. of References—Number of devices that have been assigned to the image

Figure 14-39 Software Images Table

Configuring Assignments

When a new image becomes available, you can perform the following steps:

  1. Download the image file.

  2. Add the image to AUS.

  3. Assign the image to one or more devices.

Click the Assignments tab to assign image files to specific managed firewalls. You have the following two options when assigning images to your managed firewalls:

  • Assign Images to a Device

  • Assign an Image to Devices

Assign Images to a Device

The Assign Images to a Device option enables you to view the images assigned to your managed devices based on a table that is sorted by the device ID (see Figure 14-40). Besides viewing the currently assigned images, you can also assign a different image to a specific device based on its device ID.

Figure 14-40 Device Assignment Summary Table

Assign an Image to Devices

The Assign an Image to Devices option enables you to view the images assigned to your managed devices based on a table that is sorted by the image name (see Figure 14-41). You also can assign a specific image listed in the table to one or more managed devices.

Figure 14-41 Image Assignment Summary Table

Reports

The Reports tab enables you to view the different reports supported by AUS. The AUS supports the following two types of reports:

  • System Info Report

  • Event Report

System Info Report

The System Info Report displays general system information about the AUS along with the statistics for the last 24 hours (see Figure 14-42). The information provided by the System Info Report includes the following:

  • AUS URL

  • Number of devices managed

  • Number of files that the AUS contains

  • Number of assignments

  • Most downloaded configuration file (in the last 24 hours)

  • Number of unique configuration files downloaded (in the last 24 hours)

  • Number of successful configuration file downloads (in the last 24 hours)

  • Number of failed configuration file downloads (in the last 24 hours)

  • Number of successful auto updates (in the last 24 hours)

  • Number of failed auto updates (in the last 24 hours)

  • Device that contacted the server most (in the last 24 hours)

  • Number of bytes downloaded (in the last 24 hours)

  • Number of new assignments (in the last 24 hours)

Figure 14-42 System Info Report

Event Report

The Event Report displays information about the devices that have contacted the AUS (see Figure 14-43). Each entry in the report represents an event and the result of the event. These events can also be notifications from the managed firewalls indicating errors (such as problems with a downloaded configuration file). Some of the events that you may observe are shown in Table 14-9.

Figure 14-43 Event Report

Table 14-9 Event Types

  • CONNECT-SUCCESS—A managed firewall contacted the AUS successfully.

  • CONNECT-FAILURE—A problem occurred during an auto update attempt. Some possible causes include the following:

    • Error while parsing XML information

    • Invalid login credentials

    • Connectivity problems

  • DEVICE-CONFIG-ERROR—The managed firewall reported to the AUS that errors occurred while loading the downloaded configuration file.

  • GENERAL-DEVICE-ERROR—The managed firewall reported a nonconfiguration file error to AUS. Some possible causes include the following:

    • Problems connecting to the AUS servlet

    • Invalid checksum for the downloaded image

  • DOWNLOAD-SUCCESS—The file was successfully sent to the managed firewall (this does not necessarily indicate that the image file was successfully installed).

  • DOWNLOAD-FAILURE—An error occurred while the image or configuration was being downloaded. Possible causes include the following:

    • Connectivity problems

    • Invalid credentials

  • AUS-IMMEDIATE-SUCCESS—The AUS successfully contacted and updated the managed device.

  • AUS-IMMEDIATE-FAILURE—An error occurred while updating a managed device. Possible causes include the following:

    • The server does not have connectivity to the device (NAT problems)

    • The login credentials are incorrect

  • SYSTEM-ERROR—An internal error occurred.
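As an added example (not Cisco's code, and not the AUS report engine), the following Python turns Event Report rows into the 24-hour counters that the System Info Report lists, and additionally flags the devices that reported any failure so they can be checked. The row layout, device names, timestamps, the ".cfg" naming convention for configuration files, and the rule that an auto update counts as failed when the contact failed or the device reported an error afterwards are all assumptions made for the example:

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# One Event Report row: (timestamp, device ID, event type, detail, bytes transferred).
Event = Tuple[str, str, str, str, int]

# Constructed sample rows (not real AUS output). File names ending in .cfg are
# configuration files; anything else is a PIX or PDM image.
SAMPLE_EVENTS: List[Event] = [
    ("2003-05-01 06:00", "pix-branch-01", "DOWNLOAD-SUCCESS", "pix-branch-01.cfg", 1024),
    ("2003-05-01 14:00", "pix-branch-01", "CONNECT-SUCCESS", "", 0),
    ("2003-05-01 14:00", "pix-branch-01", "DOWNLOAD-SUCCESS", "pix-branch-01.cfg", 2048),
    ("2003-05-01 20:00", "pix-branch-02", "CONNECT-SUCCESS", "", 0),
    ("2003-05-01 20:00", "pix-branch-02", "DOWNLOAD-SUCCESS", "pix631.bin", 1500000),
    ("2003-05-01 20:01", "pix-branch-02", "GENERAL-DEVICE-ERROR", "invalid checksum for downloaded image", 0),
    ("2003-05-02 02:00", "pix-branch-01", "CONNECT-SUCCESS", "", 0),
    ("2003-05-02 02:00", "pix-branch-01", "DOWNLOAD-SUCCESS", "pix-branch-01.cfg", 2048),
    ("2003-05-02 08:00", "pix-branch-03", "CONNECT-FAILURE", "invalid login credentials", 0),
    ("2003-05-02 08:05", "pix-branch-03", "CONNECT-FAILURE", "invalid login credentials", 0),
    ("2003-05-02 10:00", "pix-branch-02", "CONNECT-SUCCESS", "", 0),
    ("2003-05-02 10:00", "pix-branch-02", "DOWNLOAD-FAILURE", "pix-branch-02.cfg", 0),
    ("2003-05-02 11:00", "pix-branch-01", "CONNECT-SUCCESS", "", 0),
]
NOW = datetime(2003, 5, 2, 12, 0)  # constructed "current time" for the 24-hour window

CONTACT_EVENTS = {"CONNECT-SUCCESS", "CONNECT-FAILURE"}
# Assumption: an auto update is "failed" when the contact failed or the device
# reported an error afterwards; a bare DOWNLOAD-FAILURE only feeds the download
# counters.
FAILED_UPDATE_EVENTS = {"CONNECT-FAILURE", "DEVICE-CONFIG-ERROR", "GENERAL-DEVICE-ERROR"}
ALL_FAILURE_EVENTS = FAILED_UPDATE_EVENTS | {"DOWNLOAD-FAILURE", "AUS-IMMEDIATE-FAILURE", "SYSTEM-ERROR"}


def is_config_file(name: str) -> bool:
    return name.endswith(".cfg")


def summarize(events: List[Event], now: datetime, window: timedelta = timedelta(hours=24)) -> dict:
    """Compute System Info Report style counters over the rows inside the window."""
    cutoff = now - window
    recent = [e for e in events if datetime.strptime(e[0], "%Y-%m-%d %H:%M") >= cutoff]
    contacts: Counter = Counter()          # device ID -> number of contacts
    config_downloads: Counter = Counter()  # config file name -> successful downloads
    failing: Set[str] = set()
    stats = {
        "successful_config_downloads": 0,
        "failed_config_downloads": 0,
        "successful_auto_updates": 0,
        "failed_auto_updates": 0,
        "bytes_downloaded": 0,
    }
    for _ts, device, event, detail, nbytes in recent:
        if event in CONTACT_EVENTS:
            contacts[device] += 1
        if event == "CONNECT-SUCCESS":
            stats["successful_auto_updates"] += 1
        elif event in FAILED_UPDATE_EVENTS:
            stats["failed_auto_updates"] += 1
        if event == "DOWNLOAD-SUCCESS":
            stats["bytes_downloaded"] += nbytes
            if is_config_file(detail):
                stats["successful_config_downloads"] += 1
                config_downloads[detail] += 1
        elif event == "DOWNLOAD-FAILURE" and is_config_file(detail):
            stats["failed_config_downloads"] += 1
        if event in ALL_FAILURE_EVENTS:
            failing.add(device)
    stats["unique_config_files_downloaded"] = len(config_downloads)
    stats["most_downloaded_config"] = config_downloads.most_common(1)[0][0] if config_downloads else None
    stats["most_active_device"] = contacts.most_common(1)[0][0] if contacts else None
    stats["devices_with_failures"] = sorted(failing)
    return stats


def report() -> dict:
    return summarize(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The first sample row falls outside the 24-hour window and is ignored, which is why the config download count is 2 rather than 3; widening the window (the `window` argument) brings it back. The `devices_with_failures` list is the one extra worth watching: a device that repeatedly shows CONNECT-FAILURE with invalid credentials is either misconfigured in Firewall MC or someone is polling the AUS with the wrong account.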


Administrative Tasks

The Administrative tab enables you to change the following characteristics of the AUS:

  • NAT settings

  • Database password change

The NAT Settings option enables you to configure the actual address of the AUS server along with a NAT address. This option is used when the AUS server is separated from the managed devices by a NAT device.

The Database Password Change option lets you change the password that is used to authenticate access to the AUS database.

Foundation Summary

The “Foundation Summary” provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

CiscoWorks Management Center for Firewalls (Firewall MC) enables you to manage multiple firewalls across your network. The Firewall MC software operates on top of CiscoWorks Common Services (Version 2.2), which provides basic functionality such as user authentication. Some of the features of Firewall MC include the following:

  • Web-based interface for configuring and managing multiple firewalls

  • Configuration hierarchy and user interface to facilitate configuration of firewall settings

  • Support for PIX Firewall Version 6.0 and later

  • Ability to import configurations from existing firewalls

  • Ability to support dynamically addressed PIX Firewalls

  • Support for up to 1000 PIX Firewalls

  • SSL protocol support for client communications to CiscoWorks

  • Support for workflow and audit trails

Firewall MC supports the following firewall platforms:

  • PIX 501

  • PIX 506/506E

  • PIX 515/515E

  • PIX 525

  • PIX 535

  • FWSM

To manage firewalls using Firewall MC, you must configure the firewall to allow HTTP access from the Firewall MC. The Firewall MC interface is divided into the following major configuration tabs:

  • Devices—Enables you to import device configurations and define device groups to be managed by the system

  • Configuration—Enables you to change the operational configuration of the devices managed by the system

  • Deployment—Enables you to generate configuration files, manage firewall configuration files, and submit or manage new jobs

  • Reports—Enables you to generate reports, view scheduled reports, and view reports

  • Admin—Enables you to configure system settings

The basic user task flow for using Firewall MC involves the following steps:

  1. Create device groups.

  2. Import/create devices.

  3. Configure building blocks.

  4. Configure device settings.

  5. Configure access and translation rules.

  6. Generate and view the configuration.

  7. Deploy the configuration.

You must define the firewalls that Firewall MC will manage. Device management falls into the following categories:

  • Managing groups

  • Importing devices

  • Managing devices

After importing the device to be managed, you must perform various configuration tasks. Configuration tasks using the Firewall MC fall into the following topics:

  • Configuring device settings

  • Defining access rules

  • Defining translation rules

  • Creating building blocks

  • Generating and viewing configuration information

Some of the device settings that you can configure through Firewall MC include the following:

  • PIX operating system version

  • Interfaces

  • Failover

  • Routing

  • PIX Firewall administration

  • Logging

  • Servers and services

  • Advanced security

  • Firewall MC controls

Configuring Access and Translation Rules

Access rules define your network security policy by controlling the flow of network traffic through your firewalls. The three types of access rules are as follows:

  • Firewall rules

  • AAA rules

  • Web filter rules

Translation rules define the translation of private IP addresses to public IP addresses and fall into the following three categories:

  • Static translation rules

  • Dynamic translation rules

  • Translation exception rules (NAT 0 ACL)

To optimize your configuration, you can define building blocks that can then be used when defining other items (such as access and translation rules). You can configure the following types of building blocks:

  • Network objects

  • Service definitions

  • Service groups

  • AAA server groups

  • Address translation pools

Firewall MC supports the following types of reports:

  • Activity Report

  • Configuration Differences report

  • Device Setting Report

After making configuration changes, you need to deploy those changes to your managed firewalls. By default these changes are deployed to your managed firewalls as soon as you save your configuration changes. If you enable workflow, however, then updating configurations involves the following three steps:

  1. Define configuration changes.

  2. Approve configuration changes.

  3. Deploy configuration changes.

Using workflow, configuration changes become activities, and deployments of those activities become jobs. You can require approval for activities, jobs, or both.

The AUS enables you to maintain current images efficiently on your managed firewalls. Like Firewall MC, the AUS runs on top of CiscoWorks Common Services. AUS supports the following types of images:

  • PIX Firewall software images

  • PDM software images

  • PIX configuration files

Some of the major features provided by AUS (Version 1.0) include the following:

  • Web-based interface for maintaining multiple PIX Firewalls

  • Support for PIX Firewall operating system 6.0 and later

  • Support for dynamically addressed PIX Firewalls

  • Support for up to 1000 PIX Firewalls

AUS Version 1.1 added new functionality including the following major features:

  • Installation on Solaris

  • Additional report formats

  • Support for configuration files

PIX Firewall software images and PDM software images can be directly added to the AUS. PIX configuration files must be deployed from Firewall MC to be added to the AUS.

The configuration tasks in the AUS (Version 1.0) are broken down into the following five major categories:

  • Devices—Displays summary information about devices

  • Images—Provides information about PIX Firewall software images, PDM images, and configuration files and allows you to add and delete PIX Firewall software images and PDM images

  • Assignments—Allows you to view and change device-to-image assignments and image-to-device assignments

  • Reports—Displays reports

  • Admin—Enables you to perform administrative tasks, such as configuring NAT settings and changing your database password

Q&A

As mentioned in the Introduction, the questions in this book are more difficult than what you should experience on the exam. The questions are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.

The answers to these questions can be found in Appendix A.

  1. Which software performs user authentication for Firewall MC and AUS?

  2. Which type of building block enables you to associate multiple protocols with a single name?

  3. What types of translation rules can you configure in Firewall MC?

  4. What types of access rules does Firewall MC enable you to configure?

  5. What types of images does AUS support?

  6. Which images can you not add directly through the AUS interface?

  7. Which type of translation rule defines a permanent mapping between private IP addresses and public IP addresses?

  8. What is an address translation pool?

  9. What is a network object?

  10. What are three of the device settings that you can configure through Firewall MC?

  11. What type of building block do you need to define to create a dynamic translation rule?

  12. What is workflow?

  13. Can AUS be used to manage firewalls that use dynamic addresses assigned by DHCP?

  14. What building blocks can you configure with Firewall MC, and how are they used?

  15. What three reports does Firewall MC support?

  16. Name the three possible methods from which each device setting in a managed configuration can be derived.

  17. What are the four steps used to import a device into Firewall MC?

  18. What are the steps required to add images to AUS?
