Hey all, I just recently got my hands on 4 new PIX firewalls and I am having some issues with them that may be shortcomings of the PIX or of me, but I wanted to throw them out there and see if anyone has any comments:
1. Is there a way in the PIX to comment (with !) your access-list or conduit lines to tell what the rule is doing? Now don't get me wrong, you can look at the rule and it's pretty straightforward, but I would like to comment them much like you can do in IOS. The only way that I have found to do this is by taking every external or internal IP address that we have and are denying or allowing and giving it a name. But this also has its shortcomings because of the 16-character limit.

2. What is with the access-list rules and importing? I don't get it. Why do they need to append instead of replace? I am going to assume that the access-list is read from the top down (just like in IOS), so if I export my config, change around the order, then try to paste it, it *does not take*. The workaround I found for this nifty problem is exporting the access-list to UltraEdit, putting a "no" statement in front of all of the statements, clearing them, then making the change and importing them. How do people in a large PIX environment, with a multitude of rules and a dynamic environment, manage this? Or the PIXes themselves for that matter, as an aside.

3. Tell me if I'm smoking crack here, but the default stance of the PIX is bass-ackwards when it comes to internal hosts going to the outside. I mean, look: when I put out the firewall and config my INBOUND lists, why do I want everyone in the company to be able to NetBIOS across the firewall (outbound)?! I have worked with one other firewall (CyberGuard) and their stance, IMHO, is the best: DENY ALL, permit what I say to permit. It's a firewall, not a router (in the security sense, people; I know what it REALLY is, but relating to Cisco).

4. Little things too... like why no command completion? I know that this is a Cisco-acquired device, but you would think that they would make it easy to configure from the command line, especially with the influx of making it more IOS-like. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small, lightweight, "streamlined" device that is going to protect your network, but you should not do any whiz-bang stuff with it... but then again Cisco markets to everyone and is competing with the whiz-bang firewall vendors like Checkpoint. I mean, come on, GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much appreciated. What I'm really looking for here is some guidance from people with large PIX deployments as to how they manage day to day and deploy new ones. I know this is a long post, but coming from CyberGuard and going to PIX there seem to be some major deficiencies as far as functionality and manageability. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47393&t=47393
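The "negate, clear, re-enter" workaround in point 2 is easy to get wrong by hand once a list has more than a handful of entries, and the reason it is needed at all is the top-down first-match evaluation the poster assumes. The script below is an added example, not code from the original post or from the GroupStudy list: it parses an access-list out of a pasted config, emits the "no" lines plus the re-ordered rules for that workaround, and simulates first-match evaluation so you can see that appending a new deny after existing permits never fires. It handles only a subset of PIX access-list syntax (permit/deny, a protocol, any/host/network-mask addresses and an optional "eq PORT"); the sample config, the TEST-NET addresses and every function name are constructed for illustration.

```python
"""Added example (not from the original post): generate PIX CLI lines for the
'negate, clear, re-enter' workaround, and simulate top-down first-match
evaluation to show why appending instead of replacing changes the policy.
Only this subset of access-list syntax is handled:
  access-list NAME {permit|deny} PROTO SRC DST [eq PORT]
  SRC/DST: any | host A.B.C.D | A.B.C.D MASK
All function names and the sample config below are constructed.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(.*\S)\s*$")

# Constructed sample of what a pasted config might contain (TEST-NET addresses).
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any
access-list inside_out permit tcp any any eq 80
"""


def parse_acl(config_text: str, acl_name: str) -> List[str]:
    """Return the rule bodies of one access-list, in the order they appear."""
    rules = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            rules.append(" ".join(m.group(2).split()))  # normalise spacing
    return rules


def plan_replacement(acl_name: str, current: List[str],
                     desired: List[str]) -> Tuple[List[str], List[str]]:
    """Build the CLI lines for the workaround: one 'no' line per existing rule,
    then every desired rule in its intended order (the PIX appends, so the
    list must be empty before the new order is pasted)."""
    removals = [f"no access-list {acl_name} {r}" for r in current]
    additions = [f"access-list {acl_name} {r}" for r in desired]
    return removals, additions


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec starting at tokens[i]; return (network, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(rule: str):
    """Split 'permit tcp any host 192.0.2.10 eq 80' into its fields."""
    t = rule.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    port: Optional[int] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return action, proto, src, dst, port


def first_match(rules: List[str], proto: str, src_ip: str, dst_ip: str,
                dst_port: int) -> str:
    """Evaluate a flow top-down; the first matching rule wins, implicit deny last."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        action, rproto, rsrc, rdst, rport = parse_rule(rule)
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"  # nothing matched: implicit deny at the end of the list


if __name__ == "__main__":
    current = parse_acl(SAMPLE_CONFIG, "outside_in")
    # Desired policy: block one source before the web permits.
    desired = ["deny ip host 198.51.100.7 any"] + current
    removals, additions = plan_replacement("outside_in", current, desired)
    print("\n".join(removals + additions))
    # Pasting only the new line appends it after the permits, so it never fires:
    print(first_match(current + desired[:1], "tcp", "198.51.100.7", "192.0.2.10", 80))  # permit
    print(first_match(desired, "tcp", "198.51.100.7", "192.0.2.10", 80))  # deny
```

Run it against a saved copy of the config rather than the live box, diff the generated "no" lines against what the firewall actually holds before pasting, and keep the generated file with the change ticket so the rule order that was intended is on record.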