Driver Support Document

Cisco firewalls, PIX series (OBSOLETE, PLEASE REDISCOVER)

SYSOID Mapping

SYSOID                 MODEL                   OS VERSION
1.3.6.1.4.1.9.1.417    ciscoPIXFirewall501     5.x, 6.x
1.3.6.1.4.1.9.1.389    ciscoPIXFirewall506     5.x, 6.x
1.3.6.1.4.1.9.1.390    ciscoPIXFirewall515     5.x, 6.x
1.3.6.1.4.1.9.1.391    ciscoPIXFirewall520     5.x, 6.x
1.3.6.1.4.1.9.1.392    ciscoPIXFirewall525     5.x, 6.x
1.3.6.1.4.1.9.1.393    ciscoPIXFirewall535     5.x, 6.x
1.3.6.1.4.1.9.1.450    ciscoPIXFirewall506E    5.x, 6.x
1.3.6.1.4.1.9.1.451    ciscoPIXFirewall515E    5.x, 6.x
1.3.6.1.4.1.9.1.227    ciscoPIXFirewall        5.x, 6.x

Driver Features Support Grid

(X signifies feature support)
Access methods covered by the grid: CLI, SNMP, TFTP, CLI+TFTP, SNMP+TFTP, FTP, CLI+FTP, SNMP+FTP, CLI+SFTP, SCP, CLI+SCP, SNMP+SCP, HTTP/HTTPS. Only the methods marked X are listed for each feature.

SUPPORTED  DRIVER FEATURE                                 ACCESS METHODS
           Driver Discovery
X          General Access                                 CLI, CLI+TFTP
           (CLI protocols: telnet, ssh1, ssh2, console)

Configuration
X          Retrieve Running Configuration                 CLI, CLI+TFTP
           (release notes)
X          Retrieve Startup Configuration                 CLI
           Retrieve Binary Configuration
X          Device information parsing
X          Enhanced Layer2 Basic IP information parsing
X          Configuration Deployment to Running            CLI+TFTP
           Configuration Deployment to Startup
           Binary Configuration Deployment

Diagnostics
X          Routing Table                                  CLI
           OSPF Neighbors
X          Interfaces                                     CLI
           Modules and Inventory
           Flash Storage Space
           File System
X          Uptime                                         SNMP
X          ICMP Test                                      CLI
X          Topology Parsing                               CLI
           Duplex Parsing
           Enhanced VLAN Parsing

Features
X          Software Center                                CLI+TFTP
           Software Image Synchronization
X          Password Management                            CLI
           (release notes)
           (Can modify: limited username, limited password, full password, read-only community strings)
X          Syslog Configuration and Change Detection      CLI
           (release notes, Syslog patterns)
X          Custom Scripts and Diagnostics                 CLI
           (Bulk deploy available)
X          ACL Parsing
X          ACL Provisioning                               CLI
           VLAN Provisioning
X          Configlet Parsing
           QoS Parsing
           VRF Parsing
           Context Management

Retrieve Running Configuration

Release Notes

Catalyst 3550: Cannot take snapshots using SNMP

Changes to ISAKMP keys may not be detected, because some versions of PIX firewalls mask the keys in the startup configuration but not in the running configuration.

May need to change the TFTP interface access setting

To retrieve (or deploy) a PIX device configuration using TFTP, you may need to specify the TFTP interface to use on the device. If the device self-selects the wrong interface for the TFTP settings, you can override the TFTP interface access setting in the device's password rules in the system. Note that you must either set up a device-specific password rule or define a password rule that applies specifically to PIX devices that are exhibiting this problem.

To change a device password rule:

  1. Edit the device and select "Use device-specific password information" or create or edit a device password rule applying to the appropriate device(s).
  2. Click "Show Device Access Settings".
  3. Choose "PIX TFTP interface" from one of the drop-down menus for "Name".
  4. Enter the desired interface (e.g. "outside") for the "Value" of this setting.
  5. Ensure all other authentication information is correct, and then save the device or password rule.

Double-check deployed configurations

The PIX occasionally has difficulty merging new configuration commands with the existing configuration. Because of this, we recommend that you double-check PIX configurations after you deploy them from the system.

First, take a snapshot of the configuration. Then check whether your changes were actually deployed to the running configuration as expected. Sometimes the system reports the deployment as failed, but still applies changes to the running configuration.
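
One way to script the check described above, as an added example that is not part of the original driver documentation: it classifies each deployed command against a configuration snapshot taken after the deployment. The sample lines are constructed, and the asterisk masking of key values, the exact-line matching of "no" commands, and the function names are assumptions of this example.

```python
import re

# Constructed PIX 6.x-style sample data (not from a real device).
DEPLOYED = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 443
no logging host inside 10.1.1.5
logging host inside 10.1.1.9
isakmp key ExampleKey1 address 198.51.100.7 netmask 255.255.255.255
"""
SNAPSHOT = """\
: Saved
access-list outside_in permit tcp any host 192.0.2.10 eq 443
logging host inside 10.1.1.5
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
: end
"""
MASK = re.compile(r"\*+")  # assumption: masked values appear as a run of asterisks

def config_lines(text):
    """Whitespace-normalized command lines; skips blanks and ':' comment lines."""
    lines = (" ".join(l.split()) for l in text.splitlines())
    return [l for l in lines if l and not l.startswith(":")]

def masked_match(intended, running):
    """True if running equals intended except for tokens shown as asterisks."""
    a, b = intended.split(), running.split()
    if len(a) != len(b) or not any(MASK.fullmatch(t) for t in b):
        return False
    return all(x == y or MASK.fullmatch(y) for x, y in zip(a, b))

def verify(deployed, snapshot):
    """Classify each deployed command against the post-deploy snapshot."""
    running = config_lines(snapshot)
    report = {"applied": [], "missing": [], "not_removed": [], "unverifiable": []}
    for cmd in config_lines(deployed):
        masked = next((r for r in running if masked_match(cmd, r)), None)
        if cmd.startswith("no "):
            key = "not_removed" if cmd[3:] in running else "applied"
            report[key].append(cmd)
        elif cmd in running:
            report["applied"].append(cmd)
        elif masked:
            report["unverifiable"].append(masked)  # masked form only, never the secret
        else:
            report["missing"].append(cmd)
    return report

if __name__ == "__main__":
    for status, cmds in verify(DEPLOYED, SNAPSHOT).items():
        for c in cmds:
            print(f"{status:13} {c}")
```

Commands reported as unverifiable matched a snapshot line in every token except a masked value, so a key change there has to be confirmed on the device itself.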

Syslog Configuration and Change Detection

Release Notes

No support for real-time change detection via AAA

The PIX does not support accounting sessions. Therefore, the system cannot provide real-time change detection through AAA.

Syslog interface must be defined

Cisco firewalls require you to specify the interface used to relay syslog messages. Set the custom access variable "SyslogInterface" to the correct interface so that Syslog tasks operate correctly.

Password Management

Release Notes

SNMP Updater cannot modify SNMP hosts

The SNMP community string updater can update, modify, or remove SNMP community strings. It cannot add, modify, or remove SNMP host entries that might be needed for desired SNMP functionality.

Changing limited password

The Limited Access Password field in the Deploy Passwords task only changes the telnet console access password, using the passwd command on the device.

Syslog Triggering