PIX

Some PIX models: 501, 515, 535, 506E
Firewall Services Module (FWSM)
The PIX firewall does not run IOS.

Most PIX models come with only two interfaces, though some can be expanded with more. Every PIX interface must have a physical name, a logical name and a priority (security level). The priority is a value from 0 to 100. By default, an interface with a lower priority cannot send packets to an interface with a higher priority.

default physical names:
E0
E1
default logical names:
E0 -> outside
E1 -> inside
default priorities:
E0 -> 0
E1 -> 100


A DMZ (demilitarized zone) is a segment of your network that is reachable both from your inner network and from the internet (servers that must be accessible from the internet usually live here). The DMZ itself cannot reach your inner network, because the DMZ interface's priority is set lower than the inside interface's.
The DMZ priority can be set higher than the outside interface's priority. To make a server in the DMZ reachable from the outside you use NAT.
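As an added example (not configuration from the original post), here is a PIX 6.x configuration that ties the two points above together: three interfaces named with their security levels, inside hosts translated on the way out, and a DMZ web server published to the outside with static NAT plus an access list. All addresses, interface names and the access-list name are assumed; lines starting with `!` are explanatory comments.

```text
! physical name, logical name and security level for each interface
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

! inside (100) may initiate to dmz (50) and outside (0) once a
! translation exists: PAT inside hosts on the exit interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface

! dmz (50) -> inside (100) is refused by the security-level rule;
! nothing below permits it, so a compromised DMZ host cannot reach inside

! publish the DMZ web server (192.168.100.10, assumed) on an outside
! address, then permit only HTTP to it: outside (0) -> dmz (50) is a
! lower-to-higher flow and needs an explicit access list
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
```

The access list is applied inbound on the outside interface, so everything else arriving from the internet is still dropped; the static translation alone does not open the server, and the access list alone does nothing without a translation to the DMZ address.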

Failover: a pair of PIX units can work together to provide redundancy, much like HSRP. Each PIX in a failover pair must have exactly the same configuration. Changes you make on the active PIX are synchronized to the standby PIX, but changes made on the standby PIX are not synchronized back to the active PIX; you are not prevented from making changes on the standby, though.
A hardware PIX has a failover port for connecting the device to its failover peer.
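An added example (not from the original post) of a LAN-based failover pair on PIX 6.x, where a dedicated Ethernet interface replaces the serial failover cable. The commands are entered on the primary unit; the active unit then replicates the configuration to the standby. Interface name `lanfail`, all addresses and the shared key are assumed.

```text
! dedicated failover interface, named like any other interface
nameif ethernet3 lanfail security10
ip address lanfail 172.16.1.1 255.255.255.0

! standby address for every interface; the active unit owns the primary
! address, the standby owns these, and they swap on failover
failover ip address outside 203.0.113.2
failover ip address inside 10.1.1.2
failover ip address dmz 192.168.100.2
failover ip address lanfail 172.16.1.2

! hello interval in seconds (3-15)
failover poll 15

! this box is the primary; authenticate the failover link with a shared key
failover lan unit primary
failover lan interface lanfail
failover lan key SHARED-SECRET-PLACEHOLDER
failover lan enable
failover

! push the whole running configuration to the standby once, then
! check which unit is active and whether the peer is seen
write standby
show failover
```

The secondary unit only needs its own `nameif`/`ip address` for `lanfail`, `failover lan unit secondary`, the same `failover lan interface`, `failover lan key` and `failover lan enable`, and `failover`; everything else arrives by replication from the active unit, which is why edits belong on the active PIX and not on the standby.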

PIX also supports logging. When configuring logging you choose the destination of the log messages (the monitor, a syslog server) and the logging level (each level gives a different amount of detail).
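An added example (not from the original post) of PIX 6.x logging sent to several destinations, each with its own severity threshold. Severities run from 0 (emergencies) to 7 (debugging), and a threshold admits every message at or below that number. The syslog server address and the sample message are assumed.

```text
logging on
logging timestamp

! syslog server on the inside network (UDP 514 by default);
! send informational (6) and below, which includes connection build/teardown
logging host inside 10.1.1.50
logging trap informational

! local buffer keeps warnings (4) and below for "show logging"
logging buffered warnings

! telnet/SSH sessions get errors (3) and below; the console stays quiet
logging monitor errors
logging console emergencies

! syslog facility the server will file these under (local4)
logging facility 20
```

On a telnet or SSH session `terminal monitor` must be issued before `logging monitor` output appears, and `show logging` displays both the current settings and the buffered messages. A denied packet shows up at the syslog host as a line like this constructed sample, which is what a detection rule for blocked access to the DMZ would match on: `%PIX-4-106023: Deny tcp src outside:198.51.100.7/4000 dst dmz:192.168.100.10/22 by access-group "outside_in"`.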
