The Best Damn Cisco Internetworking Book Period, part 9 (ppsx)



892 Chapter 8 • Cisco PIX Firewall

Configure ethernet2 as follows.

    PIX1(config)# nameif ethernet2 state security25
    PIX1(config)# interface ethernet2 100full
    PIX1(config)# ip address state 172.16.1.1 255.255.255.0
    PIX1(config)# failover ip address state 172.16.1.2
    PIX2(config)# nameif ethernet2 state security25
    PIX2(config)# interface ethernet2 100full

Only a single command is required to make this the stateful failover interface:

    PIX1(config)# failover link state

Monitoring Failover

The primary method of monitoring failover activity is the show failover command. This command relays everything you want to know about failover.

    PIX1# show failover
    Failover On
    Cable status: Normal
    Reconnect timeout 0:00:00
    Poll frequency 3 seconds
            This host: Primary - Active
                    Active time: 400 (sec)
                    Interface state (172.16.1.1): Normal
                    Interface outside (10.5.1.1): Normal
                    Interface inside (192.168.1.1): Normal
            Other host: Secondary - Standby
                    Active time: 0 (sec)
                    Interface state (172.16.1.2): Normal
                    Interface outside (10.5.1.2): Normal
                    Interface inside (192.168.1.2): Normal

    Stateful Failover Logical Update Statistics
            Link : intf3
            Stateful Obj    xmit       xerr       rcv        rerr
            General         3          0          3          0
            sys cmd         3          0          3          0
            up time         0          0          0          0
            xlate           0          0          0          0
            tcp conn        0          0          0          0
            udp conn        0          0          0          0
            ARP tbl         0          0          0          0
            RIP Tbl         0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       1       3
            Xmit Q:         0       1       3

Some of the output of this command merits further explanation.

Status of the failover cable:
■ Normal The primary and secondary firewalls are connected properly.
■ My Side Not Connected The failover cable is not connected to the firewall on which the command was typed.
■ Other Side is not Connected The failover cable is not connected to the other firewall.
■ Other Side Powered Off The failover cable is connected, but the other firewall is powered off.

Interface status:
■ Normal The interface is functioning properly.
■ Link Down The line protocol on the interface is down.
■ Failed The interface has failed.
■ Shut Down The interface was administratively shut down.
■ Unknown The interface was not configured with an IP address, and the status has not yet been determined.
■ Waiting The monitoring of this interface on the other firewall has not yet started.

Stateful failover (logical unit status):
■ General The sum of all objects.
■ sys cmd Logical system update commands, such as login.
■ up time Uptime information that is passed from the active to the standby unit.
■ xlate The translation table.
■ tcp conn TCP connection information.
■ udp conn Dynamic UDP connection information.
■ ARP tbl Dynamic ARP table information.
■ RIP Tbl Dynamic routing table information.

For each of these stateful objects, the following statistics are available:
■ xmit The number of packets transmitted to the other firewall.
■ xerr The number of errors that occurred while transmitting to the other firewall.
■ rcv The number of received packets.
■ rerr The number of errors that occurred while receiving packets from the other firewall.

The PIX firewall provides debug commands for monitoring failover operation (for example, debug failover <option>). Here, option can be any of the keywords listed in Table 8.8.

Table 8.8 Failover Debug Options

Keyword   Description
cable     Failover cable status.
fail      Failover internal exception.
fmsg      Failover message.
get       IP network packet received.
ifc       Network interface status trace.
open      Failover device open.
put       IP network packet transmitted.
rx        Failover cable receive.
rxdmp     Cable recv message dump (serial console only).
rxip      IP network failover packet received.
tx        Failover cable transmit.
txdmp     Cable xmit message dump (serial console only).
txip      IP network failover packet transmit.
verify    Failover message verify.
switch    Failover switching status.
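The following is an added example, not code from the book: a small Python health check over the show failover output above and over the show failover lan detail counters shown later in this section. It treats a cable status other than Normal as an alert only when LAN-based failover is not active (the LAN-based listing later in the chapter reports "My side not connected" as its normal state), flags interface states other than Normal, transmit or receive errors on stateful objects, a Primary unit sitting in Standby (failback is manual, as the Failing Back section explains), and non-zero bad_signature, bad_authen and similar counters on the LAN command link. The sample inputs are trimmed copies of the chapter's own listings; the function names and alert wording are my own.

```python
import re

# Constructed sample: a trimmed copy of the chapter's `show failover` listing.
SHOW_FAILOVER = """\
Failover On
Cable status: Normal
        This host: Primary - Active
                Interface state (172.16.1.1): Normal
                Interface outside (10.5.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby
                Interface state (172.16.1.2): Normal
                Interface outside (10.5.1.2): Normal
                Interface inside (192.168.1.2): Normal

Stateful Failover Logical Update Statistics
        Stateful Obj    xmit       xerr       rcv        rerr
        General         3          0          3          0
        sys cmd         3          0          3          0
"""

# Constructed sample: a trimmed copy of the chapter's `show failover lan detail` listing.
LAN_DETAIL = """\
LAN-based Failover is Active
        My interface status is Normal
        Peer interface status is Normal
        Total cmd msgs sent: 111, rcvd: 107, dropped: 0, retrans: 0, send_err: 0
        bad_signature: 2, bad_authen: 0, bad_hdr: 0, bad_osversion: 0, bad_length: 0
        Number of blk allocation failure: 0, cmd failure: 0, Flapping: 0
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+) - (\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([\d.]+\): (.+?)\s*$")
STAT_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
COUNTER_RE = re.compile(r"\b(bad_signature|bad_authen|bad_hdr|bad_osversion|bad_length|dropped|send_err|Flapping)\s*:\s*(\d+)")


def parse_show_failover(text):
    """Reduce `show failover` text to the fields an alert rule needs."""
    out = {"enabled": None, "cable": None, "lan_based": False, "hosts": {}, "stateful_errors": {}}
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Failover On"):
            out["enabled"] = True
        elif s.startswith("Failover Off"):
            out["enabled"] = False
        elif s.lower().startswith("cable status:"):
            out["cable"] = s.split(":", 1)[1].strip()
        elif s.startswith("LAN-based Failover is Active"):
            out["lan_based"] = True
        m = HOST_RE.match(line)
        if m:  # "This host" / "Other host" header; the Interface lines that follow belong to it
            current = m.group(1)
            out["hosts"][current] = {"unit": m.group(2), "role": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            out["hosts"][current]["interfaces"][m.group(1)] = m.group(2)
            continue
        m = STAT_RE.match(line)
        if m:  # stateful object row; keep only rows showing transmit or receive errors
            xerr, rerr = int(m.group(3)), int(m.group(5))
            if xerr or rerr:
                out["stateful_errors"][m.group(1).strip()] = {"xerr": xerr, "rerr": rerr}
    return out


def failover_alerts(parsed):
    """Conditions worth paging on, derived from the statuses the chapter explains."""
    alerts = []
    if parsed["enabled"] is False:
        alerts.append("failover is Off")
    # The serial cable status only matters when the serial cable is the failover link.
    if parsed["cable"] and parsed["cable"] != "Normal" and not parsed["lan_based"]:
        alerts.append("cable status: " + parsed["cable"])
    for who, host in parsed["hosts"].items():
        # Failback is manual: a Primary sitting in Standby needs an operator.
        if host["unit"] == "Primary" and host["role"] == "Standby":
            alerts.append("primary is Standby (failback is manual)")
        for name, status in host["interfaces"].items():
            if status != "Normal":
                alerts.append("%s host interface %s: %s" % (who, name, status))
    for obj, e in parsed["stateful_errors"].items():
        alerts.append("stateful object %s errors xmit=%d rcv=%d" % (obj, e["xerr"], e["rerr"]))
    return alerts


def lan_detail_alerts(text):
    """Counters in `show failover lan detail` that point at a bad key or an unhealthy command link."""
    alerts = []
    for m in re.finditer(r"^\s*(My|Peer) interface status is (\w+)", text, re.M):
        if m.group(2) != "Normal":
            alerts.append("%s interface status: %s" % (m.group(1), m.group(2)))
    for name, value in COUNTER_RE.findall(text):
        if int(value) > 0:  # bad_signature > 0: the failover lan key differs or a message was altered
            alerts.append("%s: %s" % (name, value))
    return alerts
```

Run against the chapter's own listing, failover_alerts returns an empty list, while lan_detail_alerts reports the bad_signature: 2 that the detail output shows; a poller that runs these two functions over the command output on a schedule turns the manual check the chapter describes into an alert.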
LAN-Based Failover

PIX software v6.2 introduced support for LAN-based failover, which uses an Ethernet link to monitor the failover status and exchange failover information. LAN-based failover overcomes the distance limitation (6 feet) of the serial failover cable. This Ethernet link must be a dedicated LAN interface. This link can also be used for stateful failover by configuring it to exchange state information. A hub or switch can be used, but not a crossover Ethernet cable. LAN-based failover does not detect power loss on the other firewall, a serious failing of this method.

Configuring and Enabling Failover

The example in Figure 8.17 is used to configure LAN-based failover. If a failover serial cable is connected to either of the two firewalls, it should be disconnected at this point. Connect all the network cables as shown in the diagram, beginning with the secondary firewall powered off.

Here is what the configuration would look like in this example. Ethernet2 is named lanlink.

    PIX1(config)# nameif ethernet2 lanlink security25
    PIX1(config)# interface ethernet0 100full
    PIX1(config)# interface ethernet1 100full
    PIX1(config)# interface ethernet2 100full
    PIX1(config)# ip address inside 192.168.1.1 255.255.255.0
    PIX1(config)# ip address outside 10.5.1.1 255.255.255.0
    PIX1(config)# ip address lanlink 172.16.1.1 255.255.255.0

1. First, failover is enabled on the primary unit with the failover configuration command.
2. Next, the failover IP addresses are configured using the failover ip address command:
    PIX1(config)# failover ip address inside 192.168.1.2
    PIX1(config)# failover ip address outside 10.5.1.2
    PIX1(config)# failover ip address lanlink 172.16.1.2
3. The primary firewall is designated for LAN-based failover with the failover lan unit primary configuration command.
[Figure 8.17 A LAN-Based Failover Example: Internal Network, PIX1 and PIX2 with interfaces e0, e1 and e2, Internet (diagram not reproduced)]

4. The interface that will be used as the failover interface is specified on both the primary and secondary with the command failover lan interface <if_name>.
5. In this example, the failover lan interface lanlink configuration command is entered on the primary firewall.
6. For better security (though not required for failover), a manual pre-shared key should be used to encrypt and authenticate the contents of failover messages. This is accomplished with the failover lan key <secret_key> command.
7. In this case, the failover lan key cisco command is entered on the primary firewall and the key is set to cisco.
8. To enable LAN-based failover on the primary firewall, enter the following commands:
    PIX1(config)# failover lan enable
    PIX1(config)# failover
9. At this point, the secondary firewall can be powered on (after disconnecting the LAN-based failover interface). Enter the following commands:
    PIX2(config)# interface ethernet2 100full
    PIX2(config)# nameif ethernet2 lanlink security25
    PIX2(config)# ip address lanlink 172.16.1.1 255.255.255.0
    PIX2(config)# failover ip address lanlink 172.16.1.2
    PIX2(config)# failover lan unit secondary
    PIX2(config)# failover lan interface lanlink
    PIX2(config)# failover lan key cisco
    PIX2(config)# failover lan enable
    PIX2(config)# failover
10. At this point, LAN-based failover is fully configured. Now the LAN-based failover interface can be reconnected. The following messages should appear on the secondary PIX firewall:
    LAN-based Failover: trying to contact peer...
    LAN-based Failover: Send hello msg and start failover monitoring
11. On the primary PIX firewall, the following messages should appear:
    LAN-based Failover: Peer is UP
    Sync Started
    Sync Completed
12. If all connections are working and the configurations were typed in correctly, the show failover command will show that failover is operational.

    PIX1# show failover
    Failover On
    Cable status: My side not connected
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
            This host: Primary - Active
                    Active time: 400 (sec)
                    Interface state (172.16.2.1): Normal
                    Interface outside (10.5.1.1): Normal
                    Interface inside (192.168.1.1): Normal
            Other host: Secondary - Standby
                    Active time: 0 (sec)
                    Interface state (172.16.2.2): Normal
                    Interface outside (10.5.1.2): Normal
                    Interface inside (192.168.1.2): Normal
    LAN-based Failover is Active
            interface lanlink (172.16.1.1): Normal, peer (172.16.1.2): Normal

NOTE
The failover MAC address command is not available when using LAN-based failover.

The interface ethernet3 could be configured for exchanging state information (see Figure 8.18) and configured for stateful failover, though in the real world, this would "waste" an interface.
    PIX1(config)# interface ethernet3 100full
    PIX1(config)# nameif ethernet3 state security20
    PIX1(config)# ip address state 172.16.2.1 255.255.255.0
    PIX1(config)# failover ip address state 172.16.2.2
    PIX1(config)# failover link state
    PIX2(config)# interface ethernet3 100full
    PIX2(config)# nameif ethernet3 state security20

[Figure 8.18 A LAN-Based Stateful Failover Example: Internal Network, PIX1 and PIX2 with interfaces e0, e1, e2 and e3, Internet (diagram not reproduced)]

Monitoring Failover

The failover status can be viewed using the show failover command adjusted slightly to get a quick status of LAN-based failover:

    PIX1# show failover lan
    LAN-based Failover is Active
            interface fail (10.20.1.1): Normal, peer (10.20.1.2): Normal

To view LAN-based failover details, use the show failover lan detail command:

    PIX1# show failover lan detail
    LAN-based Failover is Active
            This PIX is Primary
            Command Interface is lanlink
            My Command Interface IP is 172.16.2.1
            Peer Command Interface IP is 172.16.2.2
            My interface status is Normal
            Peer interface status is Normal
            Peer interface down time is 0x0
            Total cmd msgs sent: 111, rcvd: 107, dropped: 0, retrans: 0, send_err: 0
            Total secure msgs sent: 0, rcvd: 0
            bad_signature: 2, bad_authen: 0, bad_hdr: 0, bad_osversion: 0, bad_length: 0
            Total failed retx lck cnt: 0
            Total/Cur/Max of 87:0:1 msgs on retransQ, 87 ack msgs
            Cur/Max of 0:21 msgs on txq
            Cur/Max of 0:1 msgs on rxq
            Number of blk allocation failure: 0, cmd failure: 0, Flapping: 0
            Current cmd window: 1, Slow cmd Ifc cnt: 0
            Cmd Link down: 0, down and up: 0, Window Limit: 141
            Number of fmsg allocation failure: 0, duplicate msgs: 0
            Cmd Response Time History stat:
                    < 100ms: 84
                    100 - 250ms: 0
                    250 - 500ms: 0
                    500 - 750ms: 0
                    750 - 1000ms: 0
                    1000 - 2000ms: 0
                    2000 - 4000ms: 0
                    > 4000ms: 0
            Cmd Response Retry History stat:
                    Retry 0 = 87, 1 = 0, 2 = 0, 3 = 0, 4 = 0
            Failover enable state is 0x1
            Failover state is 0x7d
            Failover peer state is 0x58
            Failover switching state is 0x0
            Failover config syncing is not in progress
            Failover poll cnt is 0
            Failover Fmsg cnt is 0
            Failover OS version is 6.2(2)
            failover interface 0, tst_mystat = 0x0, tst_peerstat = 0x0
                    zcnt = 0, hcnt = 1, my_rcnt = 10186, peer_rcnt = 23408
                    myflag = 0x1, peer_flag=0x0, dchp = 0x80791f90
                    act_ip: 10.5.1.171, stn_ip:10.5.1.2
                    act_mac: 00d0.b7b2.97ee, stb_mac: 0090.273a.1240
            failover interface 1, tst_mystat = 0x0, tst_peerstat = 0x0
                    zcnt = 0, hcnt = 1, my_rcnt = 26191, peer_rcnt = 39296
                    myflag = 0x1, peer_flag=0x0, dchp = 0x80791ff0
                    act_ip: 192.168.1.1, stn_ip:192.168.1.2
                    act_mac: 00d0.b783.9a79, stb_mac: 0090.273a.1288
            failover interface 3, tst_mystat = 0x0, tst_peerstat = 0x2
                    zcnt = 0, hcnt = 0, my_rcnt = 539, peer_rcnt = 404
                    myflag = 0x0, peer_flag=0x0, dchp = 0x80791e10
                    act_ip: 172.16.1.1, stn_ip:172.16.1.2
                    act_mac: 00a0.c9ef.cfa0, stb_mac: 00a0.c9ef.cfa0
                    LAN-based Failover command link

Four debug commands are available (with the debug failover <option> command) when using LAN-based failover. See Table 8.9 for details.

Table 8.9 LAN-Based Failover Debug Options

Option    Description
lanrx     LAN-based failover receive.
lanretx   LAN-based failover retransmit.
lantx     LAN-based failover transmit.
lancmd    LAN-based failover main thread.

Failing Back

Once failover has occurred and the primary firewall is running in standby mode and the secondary firewall is running as the active, a failback does not automatically occur. When the primary firewall is restored and the failed condition has been fixed, it does not automatically become the active firewall (unless the secondary firewall fails). The primary firewall can be forced to become active by either:
■ Using the failover active command on the primary firewall.
■ Using the no failover active command on the secondary firewall.

After using one of these commands, the primary firewall becomes active. If stateful failover is enabled, no sessions will be dropped. Otherwise, connections will be dropped and applications will have to re-establish sessions through the firewall.

Disabling Failover

To disable failover, use the no failover command. To verify that failover has been disabled, use the show failover command:

    PIX1# show failover
    Failover Off
    Cable Status: My side not connected
    Reconnect timeout: 0:00:00

If disabling failover permanently, it is highly recommended that you clean up the configuration by removing the other failover commands. It would be best to erase the configuration completely from the secondary firewall.

Configuring Logging

System management is an important part of configuring and maintaining a firewall. Logging is invaluable for measuring system performance, identifying potential network bottlenecks, and detecting potential security violations. There are two ways to log information: local and remote. Local logging is of limited value since it can only be used during a session on the PIX. Remote logging stores the messages and uses scripts to examine them in detail, manipulate the data, and generate detailed reports.

Logging can be performed at several levels of detail. Level 3 (error) is the default for the PIX. Level 7 (debug) is the most verbose and is recommended only when troubleshooting the PIX. In normal network operations, Cisco recommends using Level 4 (warning) or Level 3 (error). Normal logging (Level 3) records alerts (such as a failover link going down), error conditions (such as an ICMP being blocked), and informational messages (such as a memory allocation error).
Higher levels can record connection setup and teardown, as well as the amount of traffic transferred in each session. This functionality can be useful if an administrator is trying to gather statistics on how much traffic is being exchanged per protocol or per session. It is possible to view logging messages in real time, either through a Telnet or SSH session or on the console port.

Local Logging

The three types of local logging are buffered, console, and terminal. Logging is disabled by default. To enable it and start logging to all output locations such as the buffer, console, terminal, or syslog server:

    PIX1(config)# [no] logging on

To disable logging, use the no form of the command.

Buffered Logging

Buffered logging sends all messages to an internal buffer (up to 100 messages). To enable buffered logging, use the logging buffered <level> command. The command show logging displays the logging configuration as well as buffered messages.

    PIX1# show logging
    Syslog logging: enabled
        Facility: 20
        Timestamp logging: disabled
        Standby logging: disabled
        Console logging: level debugging, 37 messages logged
        Monitor logging: disabled
        Buffer logging: level debugging, 9 messages logged

[...]

    1.3.6.1.2.1.1.1.0
    1.3.6.1.2.1.1.3.0
    1.3.6.1.4.1.9.9.48.1.1.1.5.1
    1.3.6.1.4.1.9.9.48.1.1.1.6.1
    1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.7
    1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6
    1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.7
    CPU utilization (5 second)   1.3.6.1.4.1.9.9.109.1.1.1.1.3.1
    CPU utilization (1 minute)   1.3.6.1.4.1.9.9.109.1.1.1.1.4.1
    CPU utilization (5 minute)   1.3.6.1.4.1.9.9.109.1.1.1.1.5.1

Configuring Traps

SNMP traps are triggered by an event such as an interface going down. The SNMP traps are sent on UDP port [...]
[...] which lets the Cisco PIX firewall synchronize to the other server. Use the command:

    ntp server key source [prefer]

ip_address specifies the IP address of the server to which you want the PIX to authenticate. The key is the number of the shared key used when you configured the trusted-key command. The interface is the interface that will send the NTP packets to the server. The optional [...]

[...] authentication prevents unauthorized or manipulative clock resets by using trusted keys between the NTP server and the client. The 32-character authentication key must match on the PIX and the server.

1. NTP authentication is disabled by default on the PIX. It can be enabled by using the ntp authenticate command.
2. Define the authentication key with the ntp authentication-key md5 command. The [...] MD5. The number parameter is a value from 1 to 4294967295 that uniquely identifies the key. The value parameter is an arbitrary string of 32 characters, including all printable characters and spaces.
3. Define the trusted key that will be sent in the NTP packets with the command ntp trusted-key. The key_number parameter must be a number from 1 to 4294967295.
4. The last step is to configure the [...]

[...] characteristic of the certificate, a "fingerprint," from the CA's administrator (or by other means). A fingerprint is a hash of the certificate's content, and if the calculated hash and received hash match, the certificate is original. The command used on the PIX for requesting the CA's certificate is ca authenticate [...]

[...] the write memory command. To verify the SSH configuration, use the show ssh command in Enable mode. Now you can SSH to the firewall with the client of your choice. The default username for a Cisco PIX SSH connection that is not using AAA for authentication is pix. The passphrase is the password that is used for Telnet. Once the username and passphrase are authenticated, the SSH session will start. This authentication [...]

[...] the same commands but with inbound and outbound interchanged:

    PIX2(config)# crypto map pix2map 10 set session-key outbound esp 300 cipher 1234455667788909 authenticator 123445566778890acdefacd91234455667788909
    PIX2(config)# crypto map pix2map 10 set session-key inbound esp 400 cipher 9887766554344556 authenticator [...]

[...]
    31e1be5a bb2ddc46 2841b63b f92cb3f9 8de7cb01 d7ea4057 7bb44b4c a64a9cf0
    efaacd42 e291e4ea 67efbf6c 90348b75 320d7fd3 c573037a ddb2dde8 00df782c
    39020301 0001

Generated keys are stored in flash memory. The public key can be viewed by issuing the show ca mypubkey rsa key command. The private key cannot be viewed [...]

[...] follow these steps:

1. Configure the SNMP community with the snmp-server community Il0v3CiSCo configuration command.
2. Configure the SNMP host that will receive the traps. The syntax is similar to configuring a host for polling, except the trap keyword is used instead of poll:
    snmp-server host inside 192.168.50.8 [...]

[...] CA certificates must be stored in flash memory using the ca save all command or they will be lost after a reboot. The write memory command does not save certificates.

Enrolling with the CA

The firewall requests a new certificate from the CA, to which the CA replies by signing the public key certificate it received from the firewall. [...]

Posted: 13/08/2014, 12:21
