Firewall Builder for PIX
Version 3.0.0

Summary of Features

Usage:

Like all Firewall Builder policy compilers, the policy compiler for PIX has the
following command line options:

    fwb_pix [-vV] [-d wdir] -f data_file.xml object_name

+------------------------------------------------------------------------+
| -f FILE | Specify the name of the data file to be processed.           |
|---------+--------------------------------------------------------------|
| -d wdir | Specify working directory. Compiler creates file with PIX    |
|         | configuration in this directory. If this parameter is        |
|         | missing, then PIX configuration will be placed in the        |
|         | current working directory.                                   |
|---------+--------------------------------------------------------------|
| -v      | Be verbose: compiler prints diagnostic messages while it     |
|         | works.                                                       |
|---------+--------------------------------------------------------------|
| -V      | Print version number and quit.                               |
+------------------------------------------------------------------------+

The compiler reads object definitions and the firewall description from the
data file specified with the '-f' option and generates the resulting Cisco PIX
configuration file. The configuration is written to a file whose name is the
name of the firewall object plus the extension '.fw'.

Normally you won't have to call the policy compiler on the command line,
because the Firewall Builder GUI does it automatically when you use the main
menu item 'Rules/Compile'. The GUI calls the compiler with options -f and -d
(if a working directory is specified in the GUI Options dialog). Option '-v'
can be added in the 'Compile/Install' tab of the firewall object dialog.

Network Zones

In order to be able to assign generated access lists to interfaces of the
firewall, the policy compiler needs information about the network topology.
This information is relayed to it through a special parameter on the
firewall's interface called Network Zone.
A Network Zone is a network object or a group of objects that reflects all
networks located 'behind' the given interface. In other words, it is assumed
that only packets with source addresses belonging to the Network Zone can enter
this interface. See the Users Guide for a more detailed explanation of this
concept.

Policy:

When a rule includes the services 'telnet' or 'ssh' and the destination is the
firewall itself or one of its interfaces, the compiler generates the commands
'telnet' or 'ssh'. When a rule includes any ICMP service and the destination is
the firewall or one of its interfaces, the compiler generates the command
'icmp'. In all other cases the compiler generates an 'access-list' and attaches
it to one or several interfaces.

The compiler can emulate outbound ACLs. We do not use the commands
'outbound/apply' since they are deprecated and Cisco recommends using access
lists.

The compiler supports address range objects; it expands them to the set of
individual addresses.

Since PIX does not support checking for IP options, rules that use IP Service
objects with any options cause the compiler to stop processing the policy and
print an error message. The same goes for checking TCP options and flags. There
is one exception though: for an IP object with the options 'all fragments' or
"'short' fragments" the compiler generates the command 'sysopt security
fragguard'.

Where possible, the compiler creates and uses object-groups. In this version
different object-groups may contain the same objects; this will be fixed in
future releases.

The policy compiler can perform a check for shadowing rules; this is controlled
by an option in the GUI.

NAT

The compiler supports global pools; for rules that use network or address range
objects in Translated Source, the compiler creates global pools with the
appropriate addresses.
Dynamic translation rules where Translated Source is the firewall or one of its
interfaces generate a global pool with the option 'interface'.

Dynamic translation rules that create a translation going from a lower security
level interface to one with a higher security level generate the command
'nat ... outside'.

The compiler generates 'nat 0' commands for rules that require no translation.

The NAT compiler can perform the following checks for rule consistency and
correctness:

  * check for duplicate 'nat' rules
  * check for overlapping global pools
  * check for overlapping 'static' rules
  * check for 'static' rules overlapping with global pools

'timeout' commands

The user can configure 'timeout' commands using the 'Advanced' dialog in the
Firewall tab of the firewall object dialog. Firewall Builder has information
about the default values of all parameters for 'timeout' commands for PIX v6.1
and 6.2. All configured timeout commands can be reset to their default values
with the button 'Set all to defaults'.

'fixup' commands

The user can configure 'fixup' commands using the 'Advanced' dialog in the
Firewall tab of the firewall object dialog. Firewall Builder has information
about the default values for all parameters for 'fixup' commands for PIX v6.1
and 6.2. All configured fixup commands can be reset to their default values
with the button 'Set all to defaults'.

'logging' commands

The policy compiler can generate 'logging' commands for syslog, internal buffer
and console logging. For syslog the user can specify the server name or
address, the syslog message queue size, facility and level. For internal buffer
and console logging the level can be specified. The user can also enable
logging timestamps for syslog logging. All logging parameters are located in
the 'Advanced' dialog in the Firewall tab of the firewall object dialog.

'ntp' commands

The policy compiler can generate commands to configure the NTP protocol. Up to
three NTP servers can be specified, one of which can be marked as preferred.
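The four NAT consistency checks listed above, modelled in Python as an added example; this is not Firewall Builder's code, the 'nat', 'global' and 'static' entries are constructed sample data, and the tuple layouts used to represent them are my own assumption.

```python
# Added example, not part of Firewall Builder: emulates the NAT consistency checks
# (duplicate nat, overlapping global pools, overlapping statics, statics vs global
# pools) over a constructed configuration. Entries are plain tuples, not PIX syntax.
from ipaddress import ip_address, ip_network, summarize_address_range
from itertools import combinations

def addr_set(spec):
    """Turn 'a.b.c.d/n' or 'a.b.c.d-w.x.y.z' (an address range object) into networks."""
    if "-" in spec:
        lo, hi = (ip_address(p) for p in spec.split("-"))
        return list(summarize_address_range(lo, hi))
    return [ip_network(spec)]

def overlaps(spec_a, spec_b):
    return any(x.overlaps(y) for x in addr_set(spec_a) for y in addr_set(spec_b))

# Constructed sample data (assumed layout): nat = (nat_id, interface, original source)
NAT = [(1, "inside", "10.1.0.0/16"), (1, "inside", "10.1.0.0/16"), (2, "dmz", "192.168.1.0/24")]
# global = (nat_id, interface, translated pool); pools 1 and 2 overlap on 16-20
GLOBAL = [(1, "outside", "203.0.113.10-203.0.113.20"), (2, "outside", "203.0.113.16-203.0.113.31")]
# static = (interface, mapped address, real address); two statics reuse 203.0.113.5
STATIC = [("outside", "203.0.113.5/32", "10.1.1.5/32"),
          ("outside", "203.0.113.18/32", "10.1.1.6/32"),
          ("outside", "203.0.113.5/32", "10.1.1.7/32")]

def check_duplicate_nat(nat):
    return sorted({n for n in nat if nat.count(n) > 1})

def check_overlapping_globals(glob):
    # only pools on the same interface can collide
    return [(a, b) for a, b in combinations(glob, 2) if a[1] == b[1] and overlaps(a[2], b[2])]

def check_overlapping_statics(statics):
    return [(a, b) for a, b in combinations(statics, 2) if a[0] == b[0] and overlaps(a[1], b[1])]

def check_globals_vs_statics(glob, statics):
    # a mapped static address inside a dynamic pool is ambiguous on the PIX
    return [(g, s) for g in glob for s in statics if g[1] == s[0] and overlaps(g[2], s[1])]

def run_all(nat=NAT, glob=GLOBAL, statics=STATIC):
    return {"duplicate_nat": check_duplicate_nat(nat),
            "overlapping_globals": check_overlapping_globals(glob),
            "overlapping_statics": check_overlapping_statics(statics),
            "globals_vs_statics": check_globals_vs_statics(glob, statics)}

if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits if hits else 'ok'}")
```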
'snmp' commands

The policy compiler can generate commands to configure the SNMP agent. SNMP
communities can be specified in the GUI. SNMP 'sysinfo' data, such as location
and contact, can also be defined in the GUI. Two SNMP servers can be
configured, each of them for polling, traps or both. The compiler can also
generate the command 'snmp-server enable traps' to send log messages as SNMP
trap notifications.

'sysopt' and 'floodguard' commands

The policy compiler can use the following 'sysopt' commands, which are
controlled by GUI elements in the 'Advanced' dialog in the Firewall tab of the
firewall object dialog:

  * sysopt connection tcpmss
  * sysopt connection timewait
  * sysopt security fragguard
  * sysopt nodnsalias inbound
  * sysopt nodnsalias outbound
  * sysopt route dnat

The compiler can also generate the command 'floodguard enable/disable'.

Options found in the "Firewall" tab of the firewall dialog and their meaning:

+------------------------------------------------------------------------+
| Version:       | PIX OS version, choices are 6.1 and 6.2               |
|----------------+-------------------------------------------------------|
| Prolog Script: | this is a list of any PIX configuration commands that |
|                | will be included on top of generated configuration    |
|                | file. No syntax or other checks are done on commands  |
|                | in this list.                                         |
|----------------+-------------------------------------------------------|
| Epilog Script: | this is a list of any PIX configuration commands that |
|                | will be appended at the end of generated              |
|                | configuration file. No syntax or other checks are     |
|                | done on commands in this list.                        |
+------------------------------------------------------------------------+

Policy Compiler Options:

+------------------------------------------------------------------------+
| Assume firewall  | For all rules where source or destination is 'any', |
| is part of Any   | compiler generates PIX commands as if there was one |
|                  | more rule with firewall objects in the same rule    |
|                  | element. In the case of PIX there is a difference   |
|                  | only if service in the rule uses objects            |
|                  | representing ssh, telnet and any icmp protocols, in |
|                  | which case it generates commands "ssh", "telnet" or |
|                  | "icmp" in addition to the regular access list       |
|                  | command.                                            |
|------------------+-----------------------------------------------------|
| Replace NAT'ed   | PIX inspects packets with access lists before it    |
| objects with     | performs address translation. Many other firewall   |
| their            | platforms do it the other way around. This option   |
| translations in  | turns on emulation of the firewall that does NAT    |
| policy rules     | first.                                              |
|------------------+-----------------------------------------------------|
| Emulate outbound | Normally PIX does not support outbound access       |
| ACLs             | lists. This option turns on emulation of outbound   |
|                  | ACLs.                                               |
|------------------+-----------------------------------------------------|
| Generate 'clear' | If this option is ON, compiler generates 'clear'    |
| commands         | commands to reset any pre-existing access lists,    |
|                  | object-group, nat, global, static, telnet, ssh and  |
|                  | other commands.                                     |
|------------------+-----------------------------------------------------|
| Optimize         | Simplifies nat rules if object in Original Source   |
| 'default nat'    | is the same as the Network zone of one of the       |
| rules            | interfaces. Network zone of the interfaces defines  |
|                  | all networks that are located "behind" this         |
|                  | interface. This means that packets entering the     |
|                  | interface may have source address only belonging to |
|                  | the Network zone of this interface. Since policy    |
|                  | compiler can correctly assign nat rule to the       |
|                  | interface using information about its Network Zone, |
|                  | explicit specification of the source address can be |
|                  | omitted.                                            |
|------------------+-----------------------------------------------------|
| Ignore empty     | Policy compiler can find and eliminate empty groups |
| groups in rules  | if they are used in the policy rules. If this       |
|                  | option is OFF, compiler treats empty groups as an   |
|                  | error and aborts compilation. If it is ON, then it  |
|                  | removes empty groups from rule elements. If rule    |
|                  | element becomes empty (that is, becomes 'any')      |
|                  | after the last empty group has been removed, then   |
|                  | the whole rule is ignored. This may be useful if    |
|                  | you need to control access to or from a flexible    |
|                  | group of hosts and do not want to make changes to   |
|                  | the firewall policy rules. In this case you can     |
|                  | create a group of hosts or networks and use it in   |
|                  | the rule. Any changes to the set of hosts that need |
|                  | control can now be made in the group, with the rule |
|                  | staying intact. If for some reason the group        |
|                  | becomes empty because all hosts have been removed,  |
|                  | compiler will ignore the rule instead of treating   |
|                  | empty group as 'any'.                               |
+------------------------------------------------------------------------+

Script formatting:

+------------------------------------------------------------------------+
| Comment the code | If this option is activated, compiler adds comments |
|                  | to the configuration file.                          |
|------------------+-----------------------------------------------------|
| Group similar    | If this option is activated, compiler groups        |
| commands         | similar commands next to each other, just like PIX  |
| together         | device does it in the output of "show config"       |
|                  | command. Otherwise commands are grouped logically:  |
|                  | first go all object-group commands, then all        |
|                  | access-lists, then all nat, global and static       |
|                  | commands. Commands access-list, nat, global and     |
|                  | static are grouped by the rules they were generated |
|                  | for, as they appear in the GUI. If one rule         |
|                  | requires several access-list commands assigned to   |
|                  | different interfaces, these commands are grouped    |
|                  | together. Command "show conf" groups access-list    |
|                  | commands by their interface.                        |
+------------------------------------------------------------------------+

Verification of Policy Rules:

+------------------------------------------------------------------------+
| Detect rule      | Shadowing happens because a rule is a superset of a |
| shadowing in the | subsequent rule and any packets potentially matched |
| policy           | by a subsequent rule have already been matched by a |
|                  | prior rule. If this option is activated, compiler   |
|                  | detects this situation and aborts compilation with  |
|                  | an error message.                                   |
+------------------------------------------------------------------------+

Verification of NAT rules:

+------------------------------------------------------------------------+
| Check for        | If this option is activated, compiler checks        |
| duplicate nat    | generated configuration for duplicate 'nat'         |
| rules            | commands.                                           |
|------------------+-----------------------------------------------------|
| Check for        | If this option is activated, compiler checks        |
| overlapping      | generated configuration for overlapping 'global'    |
| global pools     | address pools.                                      |
|------------------+-----------------------------------------------------|
| Check for        | If this option is activated, compiler checks        |
| overlapping      | generated configuration for 'static' commands that  |
| statics          | use overlapping address ranges.                     |
|------------------+-----------------------------------------------------|
| Check for        | If this option is activated, compiler checks        |
| overlapping      | generated configuration for 'global' and 'static'   |
| global pools and | commands using overlapping address ranges.          |
| statics          |                                                     |
+------------------------------------------------------------------------+

Caveats:

PIX does not support filtering by MAC address. Although the GUI provides an
entry field for the MAC address, it is ignored by the PIX policy compiler.

Static translation (DNAT) rules in fact create a bidirectional translation (not
only a translation from outside to inside, but also in the opposite direction
using the same addresses). This is caused by the behavior of the PIX command
'static' and can't be easily fixed.

The GUI option Logging is ignored because PIX can not turn logging on and off;
it always logs blocked packets.

There are no rule options available as of yet.

Unlike Linux/iptables and other firewall platforms, PIX inspects a packet
before it does NAT. Therefore policy rules that control access to NAT'ed hosts
should use objects representing the translated addresses instead of objects
representing the real hosts. Firewall Builder provides an emulation of the mode
where NAT happens before the policy (ACL) inspection. Use the checkbox "Replace
NAT'ed objects with their translations in policy rules" to turn on this
emulation. You can use objects representing the real servers in the policy
rules if this option is on.

Version 3.0 does not support IPSEC configuration.