I'll double-check on your questions, but my initial responses are below:

At 09:49 AM 9/18/2001 +1000, you wrote:
> -----Original Message-----
> From: Bill McGee [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 7:51 AM
> To: safieradam; Ben Nagy; 'Michael Janke'; [EMAIL PROTECTED]
> Subject: Re: More PIX vs. Firewall-1. Comments welcome.
>
>
> BTW, The Cisco Secure Policy Manager will allow you to manage up to 500 PIX
> firewalls from a single GUI management interface, as well as VPNs, IDS, and
> more. Not sure why people keep harping on the one-at-a-time management
> issue for the PIX, as we've had this covered for some time now.

Probably because it's not well known that CSPM can do this? Tell me more.

Can you track config differences between all firewalls?

Yes.

Can you roll out an ACL policy that will automatically guess the right values
($INSIDE_NETWORK, $OUTSIDE_NAT_MAPPING_1 etc) and apply on all firewalls?

Most of this is set up as part of individual or group policies, so "guessing" is not something I think it does. You mentioned in another message to me that <snip> "I'm sure that you understand what I mean with the ACL "guessing" stuff - I think that one should be able to say "SMTP yes, HTTP, yes, FTP no etc etc" and apply that policy to every firewall at once." <snip> The answer to that is yes, it can do these things.


Can you access everything that is configurable from the CLI (sysopt stuff,
particularly)?

Yes. There is a CLI screen which allows you to review and edit each line of CLI commands generated by the policy tool.

Will it do change control on a proactive basis (Firewall 52 has changed
config! Reset to archived config?)

Yes.


Note that I'm not asking these questions in comparison to any commercial
software I've seen, they're just some things that I think a tool like this
should be able to do.

Understood.


> At 06:03 PM 9/17/2001 -0400, safieradam wrote:
> >Ben makes good points about centralized management.

Strictly speaking, the only point I was making is that I didn't _know_ if
the rumours about a tool like CSPM were true. Oh, and that centralised
management was going to be important for a network that size.

The latest release of CSPM is pretty sophisticated. Take a look at it. While I can't go into detail, the roadmap for CSPM, as well as other multi-device management tools scheduled for release within the next quarter or so, will put the management issue to bed once and for all, IMO.

-bill


Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

______________________________________________________________________________________
Bill McGee, CCNA                                [EMAIL PROTECTED]
VPN and Security BU                             Phone: 408.859.7942
Channels Manager and Evangelist         Pager: 800.365.4578 (or [EMAIL PROTECTED])
Cisco Systems, Inc.                             FAX: 408.527.5173

Make your Cisco network "SAFE"          The power to end extreme poverty is now online...
http://www.cisco.com/go/safe/           www.netaid.org
______________________________________________________________________________________
