Section 2-1. User Interface


A Cisco firewall, like any other networking device, offers several ways for the administrative user to connect to and interact with the firewall. Users usually need to make changes to the firewall's security policies and configuration, monitor firewall activity, and troubleshoot traffic handling. All interaction with a firewall is based on a common user interface, which can be described as follows:

  • A Cisco firewall supports user access by these methods:

    - Command-line interface (CLI) by an asynchronous console connection

    - CLI by a Telnet session

    - CLI by Secure Shell (SSH) version 1.x or 2 (PIX 7.x only)

    - PIX Device Manager (PDM) through a web browser (PIX 7.x refers to the PDM as the Adaptive Security Device Manager [ASDM])

    - VPN/Security Management Solution (VMS) Firewall Management Center

  • A firewall also provides a user interface to the ROM monitor bootstrap code when the operating system is not running.

  • Users can execute commands from the user level or from the privileged level. The user level offers basic system information commands. The privileged level offers complete access to all firewall information, configuration editing, and debugging commands.

  • A help system offers command syntax and command choices at any user prompt.

  • A history of executed firewall commands can be kept. As well, command lines can be edited and reused.

  • The output from a command can be searched and filtered so that useful information can be found quickly.

NOTE

Only the CLI itself is covered in this section. The mechanisms to reach it (Telnet, SSH, and so on) are covered in Chapter 4, "Firewall Management," section 4-4, "Managing Administrative Sessions".


TIP

The Catalyst 6500 Firewall Services Module (FWSM) does not have an accessible console connection or other physical interface. However, you can still access an FWSM from the Catalyst 6500 native IOS CLI, as if you were connected to its console. Use the following Catalyst EXEC command to connect to the FWSM in chassis slot number slot:

 Switch# session slot slot processor 1 


User Interface Modes

The user interface of a Cisco firewall consists of several modes, each providing a different level of administrative capability and a different function. The user interface modes are as follows:

  • User EXEC mode

    Administrative users can connect to a firewall via the console port, Telnet session, or SSH session. By default, the initial access to a firewall places the user in user EXEC mode and offers a limited set of commands. When you connect to the firewall, a user-level password is required. A firewall designates user EXEC mode with a prompt of this form:

     Firewall> 

    NOTE

    User-level authentication and passwords are covered in Chapter 5, "Managing Firewall Users."


  • Privileged EXEC mode

    As soon as a user gains access to user EXEC mode, the enable command can be used to enter privileged EXEC or enable mode. Full access to all the executable commands is available. To leave privileged EXEC mode, use the disable, quit, or exit command. The syntax for entering privileged EXEC mode is as follows:

 Firewall> enable
 password: password
 Firewall#

    Notice that the pound, or number, sign (#) is used to designate privileged EXEC mode.

  • Configuration mode

    From privileged EXEC mode, you can enter configuration mode. From this mode, you can issue firewall commands to configure any feature that is available in the operating system. In PIX 6.x, all configuration is performed in one global configuration mode. PIX 7.x, however, offers a global configuration mode and many submodes, much like the Cisco IOS software. To leave configuration mode and return to EXEC mode, enter exit or press Ctrl-z. You can also use the exit command to exit a submode and return to global configuration mode.

    The syntax for entering global configuration mode is as follows:

 Firewall# configure terminal
 Firewall(config)#

User Interface Features

Within an administrative session, you can enter commands and get helpful information about entering commands. As well, you can filter the information that a firewall displays in a session as a result of a command. These mechanisms are discussed in the following sections.

Entering Commands

To enable a feature or parameter, enter the command and its options normally. To disable a command that is in effect, begin the command with no, followed by the command. You need to include enough options to identify the command uniquely, as it exists in the firewall session or configuration. For example, the following configuration commands enable and then disable the embedded HTTP server:

 Firewall(config)# http server enable
 Firewall(config)# no http server enable

You can see the configuration commands that are in effect by using one of the following commands:

 Platform   Command
 --------   -------
 FWSM 2.x   Firewall# write terminal
            or
            Firewall# show running-config
            or
            Firewall# show command
 PIX 6.x    Firewall# write terminal
            or
            Firewall# show running-config
            or
            Firewall# show command
 PIX 7.x    Firewall# write terminal
            or
            Firewall# show running-config [command]


Notice that PIX 7.x allows you to specify a command keyword in the show running-config command. If it is included, only the related configuration commands are shown, rather than the entire configuration. PIX 6.x allows a similar option with the show command syntax.

TIP

Some PIX 7.x configuration commands and their options are not shown if they use the default values. To see every configuration command that is enabled or active, even if it is a default, you can use the show running-config all [command] form of the command.


Commands and their options can be abbreviated with as few letters as possible without becoming ambiguous. For example, to enter configuration mode, the command configure terminal can be abbreviated as conf t.

PIX 7.x also offers a keyword completion function. If you enter a shortened or truncated keyword, you can press the Tab key to make the firewall complete the keyword for you. Keyword completion can be useful when you are entering keywords that are very long and hyphenated. For example, pressing the Tab key after entering show ru produces the completed command show running-config:

 Firewall# show ru[Tab]
 Firewall# show running-config

This works only if the truncated keyword is unambiguous; otherwise, the firewall can't decide which one of several similar keywords you want. If you press Tab and the keyword stays the same, you know you haven't entered enough characters to make it unambiguous.

You can edit a command line as you enter it by using the left and right arrow keys to move within the line. If you enter additional characters, the remainder of the line to the right is spaced over. You can use the Backspace and Delete keys to make corrections.

TIP

Sometimes the firewall might display an informational or error message while you are entering a command line. To see what you've entered so far, you can press Ctrl-l (lowercase L) to redisplay the line and continue editing.

For example, suppose an administrator is trying to enter the hostname configuration command to set the firewall's host name. Before he or she can enter the command, the firewall displays a logging message that interrupts the command line:

 pix-c# config t
 pix-c(config)# hostnNov 15 2004 00:34:08  single_vf : %PIX-7-111009:   User 'enable_15' executed cmd: show interface
 [user presses Ctrl-l here]
 pix-c(config)# hostn

Pressing Ctrl-l displays the line again without all the clutter.


Command Help

You can enter a question mark (?) after any keyword in a command line to get additional information from the firewall. Entering the question mark alone on a command line displays all available commands for that mode (configuration or EXEC).

You can also follow a command keyword with a question mark to get more information about the command syntax. Doing this in PIX 6.x displays the command syntax of all commands that use that keyword. For example, entering arp ? causes the firewall to show the syntax of the arp command, as well as the show arp and clear arp commands.

PIX 7.x offers context-based help, much like the Cisco IOS software. Entering a question mark after a keyword causes the firewall to list only the possible keywords or options. For example, entering show arp ? results in the following output:

 Firewall# show arp ?
   statistics  Show arp statistics
   |           Output modifiers
   <cr>
 Firewall# show arp

Here, show arp can be followed by statistics, a pipe symbol (|), or the Enter key (<cr>).

With PIX 7.x, you can also use the question mark with a partially completed command keyword if you don't know the exact spelling or form. The firewall displays all possible keywords that can be formed from the truncated word. For example, suppose you don't remember what commands can be used to configure access lists. Entering access? in configuration mode reveals the possibilities:

 Firewall(config)# access?
 access-group  access-list
 Firewall(config)# access

Notice that the truncated command keyword is displayed again, ready to be completed with more typing.
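The abbreviation, Tab-completion and partial-keyword help behaviour described above reduce to one rule: a prefix is accepted only when exactly one keyword starts with it. The following Python model, added here and not part of the book or of any Cisco software, applies that rule to a small constructed keyword set taken from the commands named on this page; the keyword sets and the two-level EXEC grammar are assumptions for illustration.

```python
# Constructed keyword sets limited to keywords this page mentions; a real
# firewall's command tree is far larger.
CONFIG_KEYWORDS = {"access-group", "access-list", "hostname", "http", "pager"}
# EXEC-mode keywords, each mapped to the keywords that may follow it.
EXEC_GRAMMAR = {
    "clear": {"arp"},
    "configure": {"terminal"},
    "disable": set(), "enable": set(), "exit": set(), "quit": set(),
    "show": {"arp", "history", "log", "running-config"},
    "write": {"terminal"},
}

def candidates(prefix: str, keywords: set[str]) -> list[str]:
    """What `prefix?` lists: every keyword the truncated word could start."""
    return sorted(k for k in keywords if k.startswith(prefix))

def complete(prefix: str, keywords: set[str]) -> str:
    """What Tab does: expand only an unambiguous prefix, else return it as is."""
    matches = candidates(prefix, keywords)
    return matches[0] if len(matches) == 1 else prefix

def shortest_abbreviation(keyword: str, keywords: set[str]) -> str:
    """Fewest leading letters that still identify `keyword` uniquely."""
    for n in range(1, len(keyword) + 1):
        if candidates(keyword[:n], keywords) == [keyword]:
            return keyword[:n]
    return keyword

def expand_line(line: str) -> str:
    """Expand each abbreviated keyword of an EXEC line ('conf t' becomes
    'configure terminal').  An ambiguous or unknown word is the firewall's
    'Invalid input' case and raises ValueError."""
    level = set(EXEC_GRAMMAR)
    words = []
    for word in line.split():
        matches = candidates(word, level)
        if len(matches) != 1:
            raise ValueError(f"ambiguous or unknown keyword: {word!r}")
        words.append(matches[0])
        level = EXEC_GRAMMAR.get(matches[0], set())  # keywords allowed next
    return " ".join(words)

def is_valid_line(line: str) -> bool:
    """True when every word of `line` resolves to exactly one keyword."""
    try:
        expand_line(line)
        return True
    except ValueError:
        return False
```

Because "clear" also starts with c, the shortest form of configure in this set is co, so conf t works while c t is rejected as ambiguous.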

If you enter a command but use the wrong syntax, you see the following error:

 Type help or '?' for a list of available commands 

PIX 7.x also displays a carat (^) symbol below the command line location to point out the error. For example, suppose a user forgets and enters the command config type rather than config term:

 Firewall# config type
                   ^
 ERROR: % Invalid input detected at '^' marker.
 Firewall#

The carat points to the keyword type, starting at the y, where the syntax error begins.

Command History

The firewall keeps a history of the last 19 commands that were issued in each interactive session. You can see the entire history list for your current session with the show history command.

You can use the command history to recall a previous command that you want to use again. This can save you time in entering repetitive commands while allowing you to make edits or changes after you recall them.

Each press of the up arrow key recalls the next older command from the history list, and each press of the down arrow key recalls the next more recent one. When commands are recalled from the history, they can be edited as if you had just entered them. You can use the left and right arrow keys to move within the command line and begin typing to insert new characters. You can also use the Delete key to delete characters.

NOTE

The arrow keys require the use of an American National Standards Institute (ANSI)-compatible terminal emulator (such as the VT100).


Searching and Filtering Command Output

A show command can generate a long output listing. If the listing contains more lines than the terminal session can display (set using the pager command, whose default is 24 lines), the listing is displayed a screenful at a time, with the following prompt at the bottom:

 <---More ---> 

To see the next screen, press the spacebar. To advance one line, press the Enter key. To exit to the command line, press the q key.

You can use a regular expression (reg-expression) to match against lines of output. Regular expressions are made up of patterns, either simple text strings (such as permit or route) or more complex matching patterns. Typically, regular expressions are ordinary text words that point to a location in the output of a show command. You can use the following command structure to perform a regular-expression search:

 Firewall# show command ... | {begin | include | exclude | grep [-v]} reg-expression

To search for a specific regular expression and start the output listing there, use the begin keyword. This can be useful if your firewall has a large configuration. Rather than using the spacebar to eventually find a certain configuration line, you can use begin to jump right to the desired line.

To display only the lines that include a regular expression, use the include (or grep) keyword. To display all lines that don't include a regular expression, use the exclude (or grep -v) keyword.

A more complex regular expression can be made up of patterns and operators. Table 2-1 lists and defines the characters that are used as operators.

Table 2-1. Regular-Expression Operators

 Character   Description
 ---------   -----------
 .           Matches a single character.
 *           Matches zero or more sequences of the preceding pattern.
 +           Matches one or more sequences of the preceding pattern.
 ?           Matches zero or one occurrence of the preceding pattern.
 ^           Matches at the beginning of the string.
 $           Matches at the end of the string.
 _           Matches a comma, braces, parentheses, the beginning or end of a string, or a space.
 [ ]         Defines a range of characters as a pattern.
 ( )         Groups characters as a pattern. If it is used around a pattern, the pattern can be recalled later in the expression using the backslash (\) and the pattern occurrence number.


For example, the following command can be used to display all the logging messages with message ID 302013 currently stored in the logging buffer:

 Firewall# show log | include 302013
 302013: Built outbound TCP connection 1788652405 for outside:69.25.38.107/80
   (69.25.38.107/80) to inside:10.1.198.156/1667 (207.246.96.46/52531)
 302013: Built outbound TCP connection 1788652406 for outside:218.5.80.219/21
   (218.5.80.219/21) to inside:10.1.100.61/3528 (207.246.96.46/52532)
 [output truncated]

Message 302013 records TCP connections built in either the inbound or outbound direction. To display only the inbound TCP connections recorded, the regular expression could be changed to include 302013, any number of other characters (.*), and the string inbound:

 Firewall# show log | include 302013.*inbound
 302013: Built inbound TCP connection 1788639636 for outside:216.117.177.135/54780
   (216.117.177.135/54780) to inside:10.1.3.16/25 (207.246.96.46/25)
 Firewall#

You might also use a regular expression to display command output that contains IP addresses within a range. For example, the following command filters the output to contain only IP addresses that begin with 10.10.5, 10.10.6, and 10.10.7:

 Firewall# show log | include 10.10.[5-7].* 
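The begin, include, exclude and grep [-v] modifiers and the operators of Table 2-1 can be reproduced offline, which is handy when a captured configuration or logging buffer has to be searched after the fact. The following Python model is an added example, not code from the book or from Cisco; the sample log is constructed in the format shown above (only message ID 302013 is taken from the text, the other two lines are made up in the same style), and the translation of the underscore operator is the one assumption about the dialect.

```python
import re

# Constructed sample of "show log" output in the format the text shows.
# Message 302013 is the ID discussed above; the other two lines are made up
# in the same style, and all addresses come from documentation ranges.
SAMPLE_LOG = """\
302013: Built outbound TCP connection 1788652405 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.10.5.12/1667 (203.0.113.9/52531)
302013: Built inbound TCP connection 1788639636 for outside:192.0.2.135/54780 (192.0.2.135/54780) to inside:10.10.3.16/25 (203.0.113.9/25)
302014: Teardown TCP connection 1788652405 for outside:198.51.100.7/80 to inside:10.10.5.12/1667 duration 0:00:02 bytes 1420 TCP FINs
302013: Built outbound TCP connection 1788652406 for outside:198.51.100.8/21 (198.51.100.8/21) to inside:10.10.7.61/3528 (203.0.113.9/52532)
106023: Deny tcp src outside:192.0.2.50/4444 dst inside:10.10.6.2/23 by access-group "outside_in"
"""

def to_python_regex(reg_expression: str) -> str:
    """Translate the firewall's regular-expression dialect to Python's.
    The only operator in Table 2-1 that Python lacks is the underscore,
    which matches a comma, brace, parenthesis, space, or the beginning
    or end of the string; the other operators carry over unchanged."""
    return reg_expression.replace("_", r"(?:[,{}()\s]|^|$)")

def filter_output(output: str, modifier: str, reg_expression: str) -> list[str]:
    """Apply `| {begin | include | exclude | grep [-v]} reg-expression`."""
    pattern = re.compile(to_python_regex(reg_expression))
    lines = output.splitlines()
    if modifier == "begin":
        # Start the listing at the first matching line and keep the rest.
        for i, line in enumerate(lines):
            if pattern.search(line):
                return lines[i:]
        return []
    if modifier in ("include", "grep"):
        return [line for line in lines if pattern.search(line)]
    if modifier in ("exclude", "grep -v"):
        return [line for line in lines if not pattern.search(line)]
    raise ValueError(f"unknown output modifier: {modifier!r}")

if __name__ == "__main__":
    # The second example from the text: only inbound 302013 messages.
    for line in filter_output(SAMPLE_LOG, "include", "302013.*inbound"):
        print(line)
```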

Terminal Screen Format

By default, all output from the firewall is displayed for a terminal session screen that is 80 characters wide by 24 lines long. To change the terminal screen width, you can use the following configuration command:

 Firewall(config)# terminal width characters 

Here, characters is a value from 40 to 511. You can also specify 0, meaning the full 511-character width.

To change the screen length (the number of lines displayed when paging through a large amount of output), you can use the following configuration command:

 Firewall(config)# pager [lines number] 

Here, number can be any positive value starting at 1. If you use only the pager keyword, the page length returns to its default of 24 lines.

You can also disable screen paging completely by using pager lines 0. This action might be useful if you are capturing a large configuration or logging message output with a terminal emulator. A more efficient practice would be to let all the output scroll by into the emulator's capture buffer; otherwise, you would have to use the spacebar to page through the output and then later remove all the <--- More ---> prompts that were captured too.

    Cisco ASA and PIX Firewall Handbook
    ISBN: 1587051583
    Year: 2003
    Authors: David Hucaby
