
What Is PDM?

PIX Device Manager is a graphical user interface (GUI) that manages a single Cisco PIX Firewall. PDM uses certificates
and HTTPS (HTTP over SSL) to securely access, configure, and monitor a PIX Firewall from your PC.

There have been various Cisco GUI tools for easy configuration of various devices. Sometimes these have been a bit
limited or clunky, or clearly intended as getting-started tools for folks new to Cisco. I've got to say I was favorably
impressed with PDM. No, it doesn't manage more than one PIX. But it sure looks like the configuration tools in PDM give
you nice visibility into how it is configured, and the monitoring tools provide a very nice way to keep tabs on what the PIX
is doing at any given time. For multi-PIX sites, the CLI or the PIX Management Center in CiscoWorks may still be the way
to go. But even there PDM may be useful as a graphical alternative to show commands.

PIX Device Manager (PDM) consists of a signed Java applet bundled with the PIX operating system software. You access
PDM via HTTPS from a Java-capable web browser on a PC or other desktop computer. No PC installation is needed. PDM
started appearing with PIX OS 6.0 and 6.1 (PDM version 1.x); PIX OS 6.2 came with PDM version 2.x, and PDM version 3.x
comes with PIX OS 6.3. You can also install PDM separately, if you need to, by copying the PDM image to flash.
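As an added illustration (not part of the original article, and not Cisco's documentation), here is the PIX 6.x CLI sequence that puts the PDM image in flash and enables HTTPS access to it, restricted to a management subnet. The TFTP server address, image file name and subnet are placeholders.

```cisco
! Copy the PDM image from a TFTP server into flash (file name is a placeholder)
copy tftp://192.0.2.50/pdm-3xx.bin flash:pdm

! Generate the RSA key the PIX uses for its HTTPS (SSL) server certificate, and save it
ca generate rsa key 1024
ca save all

! Enable the embedded HTTPS server that serves the PDM applet
http server enable

! Least privilege: only the management subnet on the inside interface may reach PDM;
! no "http" line for the outside interface means PDM is unreachable from there
http 10.1.1.0 255.255.255.0 inside

! Verify: which hosts may reach PDM, and which PDM version is installed
show http
show version
```

The `show http` output should list only the management subnet; any broader entry (for example a 0.0.0.0 0.0.0.0 line on the outside interface) is worth removing.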

Paraphrasing parts of the well-written Overview part of the Installation Guide, PDM has the following components:

• PDM Startup Wizard — Creates a basic configuration to get you started.
• VPN Wizard — Creates a basic VPN configuration, easily setting up remote access VPN or site-to-site VPN.
• Configuration GUI — Uses forms to configure most aspects of the PIX.
• Monitoring and Reporting Tools — View real-time and historical data, summaries of network activity, resource
utilization, and event logs.
• Graphical Tools — Creates graphical summary reports showing real-time usage, security events, and network
activity, including performance and trend analysis. Data from each graph can be displayed in increments you select
(10 second snapshot, last 10 minutes, last 60 minutes, last 12 hours, last 5 days) and refreshed at user-defined
intervals. You can view multiple graphs simultaneously to do side-by-side analysis. Types of graphs available include:

o System graphs: Detailed status information on the PIX Firewall, including blocks used and free, current
memory utilization, and CPU utilization.
o Connection graphs: Real-time session and performance data about connections, address translations,
authentication, authorization, and accounting (AAA) transactions, URL filtering requests, etc.
o Intrusion Detection System (IDS) graphs: Various graphs displaying potentially malicious activity, including
IDS signature-based displays of activity such as IP attacks, Internet Control Message Protocol (ICMP)
requests, and Portmap requests.
o Interface graphs: Real-time monitoring of your bandwidth usage by interface, including incoming and
outgoing packet rates, counts, and errors, as well as bit, byte, and collision counts.
• Syslog Viewer — View specific syslog message types by choosing a logging level.

I hope that sounds interesting. There is one caveat, the usual one for GUI tools for Cisco devices: pick your configuration
tool and stick to it. PDM does track CLI configuration changes. But if you use PIX Management Center or CiscoSecure
Policy Manager, they think they're in charge, and they may well overwrite any configuration done via PDM.
The Cisco web pages for PDM can be found at
http://www.cisco.com/en/US/partner/products/sw/netmgtsw/ps2032/index.html. A PDF form of the online help is linked
there as the User Guide. Poking around in that document is another way to familiarize yourself with PDM. However, since
that document is the online help for PDM, it shows no screen captures, so you may want to read it with a downloaded copy
of my full screen captures document open alongside.

PDM Orientation Tour

I decided to skip the splash screen. It's pretty, but not very informative!

Our tour starts with the real part of PDM, the functional user interface. When you first launch PDM, it comes up showing
the Home screen. (Note that the Home icon is selected.) The tools row shows the other main sub-areas of PDM, namely
Configuration and Monitoring.

As you can see, the PDM GUI is fairly self-explanatory. Home is a dashboard showing, at a high level, what the PIX is
doing.

The PDM menus also have some functionality not visible in the GUI. The File menu allows you to load a changed running
configuration from the PIX. You can also show the running config in a window, or save it to flash or to a TFTP server. Rules
and Search we'll see a bit more of in a moment. The Tools menu allows CLI entry of commands, and also ping. And you can
set up service groups (groups of TCP/UDP ports for use in access lists and other rules). The Wizards menu launches the
Startup and VPN Wizards. There are screenshots of a couple of the screens from these Wizards later in this article.

Let's continue the tour by taking a look at the main Configuration screen, shown in the figure below.

You've probably noticed that the Rules and Search menus are no longer grayed out. They're used to build up rules for
access lists and so on. The various major categories of things you can configure here are represented by the tabs at the top:
Access Rules, Translation (NAT) Rules, VPN, Hosts/Networks, and System Properties (other system configuration).
Hosts/Networks is where you name hosts or networks, or groups of them, for use in high-level access list rules.

The above capture shows the Access Rules tab in PDM. The radio buttons are in effect a submenu, allowing selection of
access list rules, AAA rules, or filter rules. (Filter rules filter outbound HTTP, FTP, etc.)

The next stop in our high-level tour is the Monitoring part of PDM, shown in the next screen capture. At the left you'll see
categories of things, some of which have been expanded. You select a category and then the variables you can graph show
up in the middle field of the screen. In the screen capture an interface was selected, so the middle part shows the
performance and troubleshooting variables that can be graphed. You select the variables of interest, click on "Add >>",
name the graph, click "Graph It!", and your graph appears. It updates itself as new data comes in.

Far be it from me to disappoint you. The resulting graph is shown in the next screen capture. The format is reminiscent of
the now-discontinued QDM, which was a tool I really liked for working with Quality of Service (QoS). I imagine the Java
graphing widgets got re-used by the programmers.

I captured the pull-down, so you can see the various time intervals that can be graphed.

The last major component in PDM is the Wizards. The following shows the Wizards menu and a screen early in the VPN
Wizard's sequence of screens.

And here's a screen from the Startup Wizard:

PDM in More Depth

Now that you've had a chance to get your bearings, let's look at some of the features in PDM in a little more depth. The
following capture shows the Rules menu, used for editing access lists and similar rules. You get a similar menu by right-
clicking on an entry in the access list.

When you add or edit a rule, the following form allows you to specify what you want. Notice that you can enter IP
addresses and masks (shown), or you can use a hostname or a group of hosts / networks, by selecting the appropriate radio
button and then picking from a list. (It's generally simpler to create the named hosts and networks and service groups in
advance.)

Note the Apply button. When you've built up a configuration, you can Apply it to the running configuration. A status dialog
box provides feedback as the PIX is configured.

If you realize you could use a service group that you didn't create in advance, you can click on the Manage Service Groups
button. It brings up the following form:

The idea is to add ports to the list on the right, and then give the list a name. (The list shown is rather random.) I like putting
"tcp" or "udp" in the name, creating service groups named things like "ecommerce1-tcp" for the ports allowed to access the
ecommerce1 server(s).
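For readers who want to see what a service group built this way corresponds to on the CLI, here is an added example (my own construction, not from the article) of the PIX 6.x commands behind an "ecommerce1-tcp" group and an access rule that uses it. The server addresses, interface names and access list name are made up for illustration.

```cisco
! Service group: only the TCP ports the ecommerce1 web tier actually serves
object-group service ecommerce1-tcp tcp
  description TCP ports permitted to the ecommerce1 server(s)
  port-object eq www
  port-object eq https

! Named host group, so the rule reads in terms of the server rather than a bare address
! (192.0.2.10 is a documentation address used here as a sample public address)
object-group network ecommerce1-hosts
  network-object host 192.0.2.10

! Static translation so the public address maps to the inside server (sample addresses)
static (inside,outside) 192.0.2.10 10.1.2.10 netmask 255.255.255.255

! Access rule: permit just those ports to just those hosts; everything else inbound is
! denied and logged so unexpected traffic shows up in the syslog viewer
access-list outside_in permit tcp any object-group ecommerce1-hosts object-group ecommerce1-tcp
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Verify what PDM (or the CLI) actually produced, including per-line hit counts
show object-group
show access-list outside_in
```

The hit counts in `show access-list` are a quick check that the permit line is matching real traffic and that the final deny is catching anything the group does not cover.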

Since IPSec VPN configuration has a reputation, let's take a look at the screen capture for the VPN tab in PDM:

You select what you want to configure on the left, and what's currently configured shows up on the right side. You can then
add, delete, or edit the rules. This appears somewhat helpful, in that it at least prompts for what you need, and constrains
your choices. If you're starting from scratch, IPSec can be somewhat overwhelming! Having said that, it still helps to know
your way around IPSec and the commands for configuring it. The GUI here will do the work for you, and it's helpful to a
degree, but I'd certainly hesitate to call it an intuitive user interface!

The last Configuration tab is System Properties, shown below. On the left are the various Categories of things you can
configure through this tab. I've selected the Interfaces item. On the right, it shows the status and configuration of the PIX
interfaces. If I want to make a change, I click on a row (interface), then click Edit, and I can fill in a form to configure the
interface.

To wrap things up, here's the File menu, showing some of the managerial functions for doing things with your
configuration.

That concludes our quick screen capture survey of PDM.