Using Built-in Policy Installer in Firewall Builder - Page 3
Running built-in installer to copy generated firewall policy to the firewall machine and activate it there
Now that all preparations are complete, we can move on and actually try to install newly generated firewall policy. Select firewall object in the object tree in Firewall Builder GUI, click right mouse button and use menu item "Install". The program will recompile the policy and open installer dialog.
(This how installer options dialog looks like for iptables, pf, ipfilter and ipfw firewalls).
Here the program already entered user name fwadmin in the "User Name" field, but you can change it for one installation session if you wish. Next you need to enter the password for this user. This is the password of user fwadmin on the firewall machine. Address that will be used to comunicate with the firewall is also entered by the program automatically, it is taken from the firewall settings. You can change it for one installation session as well.
Other installer parameters do the following:
After all parameters are set and the password entered, hit "OK" to start installation.
If this is the first time your management machine is logging in to the firewall via ssh, it will find out that ssh host key of the firewall is unknown to it and will present you with a dialog:
Here is says that it does not know host key of the firewall "crash". This is nothing more than a copy of the warning message presented by the ssh client. You should verify the host key manually and if it matches, click "Yes". If you click "No" in the dialog, installation process will be interrupted.
Installer only recognizes ssh client warning message about unknown public host keys. If you rebuld your firewall machine, which means its host key changes, ssh will print different warning message which fwbuilder installer does not recognise. In this case you will see this message in the installer progress window, but installation process will get stuck. You need to use ssh client (ssh on Unix or putty.exe on Windows) to update host key before you can use fwbuilder policy installer with this firewall again.
After this, installer copies files to the firewall and runs policy script there. You can monitor its progress in the dialog as shown on the screenshot:
This is an example of successfull installation session. Installer records the status in the left hand side panel of the dialog. If you use installer to update several firewall machines in one session, their names and corresponding status of the installation session for each will be shown in the panel on the left. You can save installer log to a file using "Sabe log to file" button, this can be useful for documentation or troubleshooting.
Running built-in installer to copy generated firewall policy to Cisco router or ASA (PIX)
From the user's point of view the installer works the same when you manage Cisco router or ASA firewall, with only few minor differences. First of all, the first screen of the installer, where you enter the password, offers another input field for the enable password as well.
You should be able to use IPv6 address to communicate with the router.
Most of the options and parameters in this dialog are the same as those for Linux firewalls (see above). The following parameters work differently for Cisco devices:
Here is a screenshot of installation session to a Cisco router. Note the output at the very top of the log that shows how installer detected previously unknown RSA host key and accepted it after the user clicked "Yes" in the pop-up dialog (not shown on the screenshot). It then logged into the router; you can see the banner motd output from the router. After this, installer switched to enable mode, set terminal width and turned off terminal pagination using terminal length 0 command and finally switched to the configuration mode. It then started enterig generated configuration line by line.
The final part of the installation session looks like this:
This was a successfull installation session, with no errors. Installer finished entering configuration lines and issued exit command to exit configuration mode, then wr mem command to save configuration to memory and finally exit again to log out.