

Firewall Builder for PIX v2.1.6  migration notes




1. The new version of fwbuilder generates access lists with different
   names. If you use the "safety net" install mode, you will run into
   an error when the code generated by fwbuilder tries to clear an
   access list that does not exist yet. Other installation modes are
   not susceptible to this problem because they use the "clear
   access-list" command, which clears all ACLs regardless of their
   names. "Safety net" install, on the other hand, clears individual
   access lists by their specific names. As a result, the old access
   lists remain in PIX memory because they are never cleared. A similar
   problem occurs when the generated script tries to clear object
   groups: the object groups are still referenced by the old access
   lists, and PIX rejects the removal command with the following error:

Removing object-group (common.id44CA300F.srv.tcp.0) not allowed; object-group (common.id44CA300F.srv.tcp.0), being used in access-list/conduit, would become empty 

   To clear the old access lists and object groups, load the new policy
   for the first time using the "basic" installation method instead of
   the "Safety net" install. You need to do this only once, right after
   you upgrade fwbuilder and generate the firewall configuration for the
   first time. After that you can switch back to the "Safety net"
   install method.

   This problem occurs whenever you upgrade fwbuilder, regardless of
   whether you upgrade your PIX to 7.0 at the same time or not.




2. Since PIX 7.0 supports outbound ACLs, the algorithm used to
   generate ACLs and assign them to interfaces has changed. This
   change only affects firewall objects configured with platform
   "pix", version "7.0" and platform "fwsm", version "2.3". Other
   versions are not affected; for them the compiler generates ACLs as
   before.

   Here is how it works for the new versions of PIX and FWSM:

a) If interface is 'all' and direction is 'both', the compiler uses the
   network zones of the interfaces to find the right ones. It tries to
   optimize and generally be smart about it. For example, if a rule has
   an object in source whose address belongs to the network zone of
   interface 'inside' and another object in destination whose address
   matches the network zone of interface 'dmz', the compiler generates
   two rules: one in the inbound ACL of interface 'inside' and another
   in the outbound ACL of interface 'dmz'. Obviously, the results of
   this algorithm depend on how accurately the network zones of the
   firewall's interfaces are configured.


b) If interface or direction or both are specified, the compiler ignores
   network zones and executes exactly what the administrator configured
   in the rule. If the interface element is 'all' and direction is
   inbound or outbound, it creates a rule for each interface with the
   specified direction. If an interface is specified, it attaches the
   rule to this interface with the direction as specified. In other
   words, if direction is set to 'both', the compiler generates rules
   for both the inbound and outbound ACLs; if direction is nailed to in
   or out, the compiler only generates rules in the corresponding ACL.


   To simplify migration, Firewall Builder provides an option (a
   checkbox in the firewall settings dialog) that controls whether the
   compiler generates outbound ACLs for PIX 7.0. By default this
   option is OFF, which makes the compiler behave just as if the
   firewall object were configured with version 6.3, that is, it does
   not generate outbound access lists but tries to emulate them. The
   direction set in policy rules in the GUI is largely ignored and the
   compiler tries to guess the right interface by matching objects in
   source and destination against the network zones of the
   interfaces. This provides backward compatibility: if you just set
   the version of the firewall object to 7.0, and your policy written
   and compiled for v6.3 used to work, the new one is going to work too.

   This compiler behavior is deprecated; it will be supported in the
   current and future versions of fwbuilder only for compatibility
   with older versions of the PIX firewall. We encourage users to
   upgrade to PIX 7.0 and turn generation of outbound ACLs on.

   Be careful when you turn generation of outbound ACLs on. If your
   policy written for PIX 6.3 has any rules with direction "Outbound",
   things may break because the compiler will actually generate rules
   in the outbound access lists. As soon as at least one rule is placed
   in the outbound ACL of an interface, the "catch all" rule added at
   the bottom of that ACL blocks every connection that is not
   explicitly permitted. Even if a connection is permitted by an
   inbound ACL on the ingress interface, it also needs to be permitted
   by an outbound ACL on the egress interface. Either rely on the
   fwbuilder compiler to add such rules for you by using interface
   'All' and direction 'Both' in your rules, or inspect your policy
   and add rules manually with direction 'Outbound' to permit packets
   going in that direction.
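   The following is an added example, not code from Firewall Builder or
   from these notes. It models in Python the two assignment cases a) and
   b) described above for PIX 7.0 and then evaluates sample connections
   the way PIX does (inbound ACL on the ingress interface, then outbound
   ACL on the egress interface, each non-empty ACL ending in a catch-all
   deny). The interface names, network zones, rule objects and the
   simplified address matching are all constructed for the example; an
   interface that has no ACL at all is treated as permitting, which is a
   simplification of the real security-level behaviour. The LEGACY_POLICY
   case shows the failure mode warned about above: one explicit
   'Outbound' rule on dmz makes every other connection leaving dmz hit the
   catch-all deny, even though the inbound ACL on inside permits it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    """A PIX interface and its network zone (one or more CIDR strings).
    Constructed data model for this example, not fwbuilder's own."""
    name: str
    zone: list

    def covers(self, net):
        """True if the rule object 'net' (CIDR) lies entirely inside the zone."""
        n = ip_network(net)
        return any(n.subnet_of(ip_network(z)) for z in self.zone)

    def contains(self, addr):
        """True if a single address belongs to this interface's zone."""
        return any(ip_address(addr) in ip_network(z) for z in self.zone)


@dataclass
class Rule:
    src: str                  # CIDR of the source object
    dst: str                  # CIDR of the destination object
    action: str               # 'permit' or 'deny'
    interface: str = 'all'    # 'all' or an interface name
    direction: str = 'both'   # 'in', 'out' or 'both'


def compile_policy(rules, interfaces):
    """Assign each rule to (interface, direction) ACLs following cases a) and b)."""
    acls = {(i.name, d): [] for i in interfaces for d in ('in', 'out')}
    for r in rules:
        if r.interface == 'all' and r.direction == 'both':
            # case a): pick interfaces from network zones; the source object
            # selects an inbound ACL, the destination object an outbound ACL
            for i in interfaces:
                if i.covers(r.src):
                    acls[(i.name, 'in')].append(r)
                if i.covers(r.dst):
                    acls[(i.name, 'out')].append(r)
        else:
            # case b): zones are ignored; do exactly what the rule says
            names = [i.name for i in interfaces] if r.interface == 'all' else [r.interface]
            dirs = ('in', 'out') if r.direction == 'both' else (r.direction,)
            for n in names:
                for d in dirs:
                    acls[(n, d)].append(r)
    return acls


def acl_verdict(entries, src_ip, dst_ip):
    """First match wins; a non-empty ACL ends in an implicit catch-all deny.
    An interface with no ACL at all is treated as permitting (assumption)."""
    if not entries:
        return True
    for r in entries:
        if ip_address(src_ip) in ip_network(r.src) and ip_address(dst_ip) in ip_network(r.dst):
            return r.action == 'permit'
    return False


def permitted(acls, interfaces, src_ip, dst_ip):
    """A connection must pass the inbound ACL of its ingress interface
    and the outbound ACL of its egress interface."""
    ingress = next(i for i in interfaces if i.contains(src_ip))
    egress = next(i for i in interfaces if i.contains(dst_ip))
    return (acl_verdict(acls[(ingress.name, 'in')], src_ip, dst_ip)
            and acl_verdict(acls[(egress.name, 'out')], src_ip, dst_ip))


# Constructed sample firewall: three interfaces with non-overlapping zones.
INTERFACES = [
    Interface('inside', ['10.1.0.0/16']),
    Interface('dmz', ['192.168.10.0/24']),
    Interface('outside', ['203.0.113.0/24']),
]

# Policy written the recommended way: interface 'all', direction 'both'.
ZONE_POLICY = [Rule('10.1.0.0/16', '192.168.10.0/24', 'permit')]

# Policy carried over from a 6.3 design with one explicit 'Outbound' rule on
# dmz: once that outbound ACL exists, everything else leaving dmz is blocked.
LEGACY_POLICY = [
    Rule('10.1.0.0/16', '192.168.10.0/24', 'permit', interface='inside', direction='in'),
    Rule('10.1.0.0/16', '203.0.113.0/24', 'permit', interface='inside', direction='in'),
    Rule('10.1.0.0/16', '192.168.10.10/32', 'permit', interface='dmz', direction='out'),
]


def check(policy, src_ip, dst_ip):
    """Compile the policy for the sample firewall and evaluate one connection."""
    return permitted(compile_policy(policy, INTERFACES), INTERFACES, src_ip, dst_ip)


if __name__ == '__main__':
    print(check(ZONE_POLICY, '10.1.2.3', '192.168.10.5'))     # True
    print(check(LEGACY_POLICY, '10.1.2.3', '192.168.10.10'))  # True
    print(check(LEGACY_POLICY, '10.1.2.3', '192.168.10.5'))   # False: dmz outbound catch-all
    print(check(LEGACY_POLICY, '10.1.2.3', '203.0.113.7'))    # True: outside has no outbound ACL
```

   Running the script shows that with ZONE_POLICY the compiler puts the
   single rule into both the inbound ACL of 'inside' and the outbound ACL
   of 'dmz', so the connection passes both checks, while with
   LEGACY_POLICY only the host named in the explicit 'Outbound' rule is
   reachable through dmz.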




3. There may be conflicts between the 'inspect' commands that PIX
   automatically creates from the 'fixup' commands in the old
   configuration during the upgrade to 7.0 and the 'inspect' commands
   generated by fwbuilder 2.1. Clear the autogenerated policy maps and
   inspection classes before loading the new configuration for the
   first time.

   This problem only occurs if you upgrade both fwbuilder to 2.1 and
   PIX to 7.0.



4. You see a lot of '^H' characters in the installation log, like this:

pix515(config)# access-list outside_acl_in deny ip host 10.3.14.206 any log 5^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H$deny ip host 10.3.14.206 any log 5^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^Haccess-list outside_acl_in deny ip host 10.3.14.206 any log $^H^H^H^H

   This is just formatting done by PIX when it echoes the command
   being entered at the CLI. PIX scrolls the input line as the user
   types, to keep the part being typed visible when the width of the
   terminal does not allow a long command line to fit as a whole. To
   turn this off, add the following command to the "Prolog" section of
   the generated configuration using the "Prolog/Epilog" tab of the
   firewall settings dialog:

terminal width 511




