#1 Senior Member (joined Jul 2011, 311 posts)

Firewalls CLI or GUI?

I'm just getting into firewalls (ASAs) and I wondered about those of you who manage your own firewalls: do you use the CLI or GUI? As I'm learning I'm finding that whilst GUIs allow you to set stuff up easily, they also present you with too many options, which to me as a beginner are confusing, as I would prefer to know what checking certain boxes does. The CLI, on the other hand, allows you to configure exactly what you want, but you need to know specifically what you want to do beforehand.

#2 Master Of Puppets (Netzwerksicherheit; joined Jan 2013, location /dev/null, 1,175 posts; certifications: CCNA R&S, CCNA Security, CCNP R&S, CCNP Security)
Personally, I am a CLI guy. I'm not very fond of GUIs and I avoid using them as much as I can. However, sometimes it is faster and easier to do something with the GUI. I think you can have the best of both worlds, so just make sure to know both. Also, I have made an interesting observation that may apply only to my circumstances, but here it goes: IT managers like GUIs. Some of them are not that technical and can't understand the CLI. Additionally, they like pretty graphics, pictures and graphic representations of the things on the network (this can be useful for us too). In the past few weeks I have been specifically required to make sure there are GUIs for the ASAs and some IPS sensors that I deployed (yay for me on getting hands-on for the upcoming IPS exam).
    Last edited by Master Of Puppets; 12-24-2013 at 10:54 AM.

#3 DevilWAH (The Bringer of Light; joined Jan 2010, location UK, 2,968 posts; certifications: CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH, ROUTE, Zoology BSc)
The CLI has far more options in general than the GUI; in fact, some things you can only really do by getting under the hood.

My first time setting up a Cisco firewall was a simple install, and I did it completely from the CLI as I wanted to know exactly what the configuration looked like and how making changes on the GUI would affect it.

However, in large set-ups, with multiple firewalls and 10,000s of rules, the GUI really comes into its own, and for day-to-day operation and monitoring it's really very good. My suggestion would be to start with a simple set-up using the GUI and then go through the CLI config and make sure you understand what every line of code does. I think you will find in the real world that being able to use both with confidence is a big advantage; don't think of one as better than the other. They both have their place in a live installation.

#4 Senior Member (joined Jun 2008, location UK, 276 posts; certifications: A+ Technician, CCNA, CCNP)
I do it on what is faster. For new firewall rules I usually have my previous entry in Notepad, so I just change the numbers around and paste it in. Changing existing rules I usually find easier in ASDM. NAT I find quicker in ASDM too.

If someone asks me a question on existing rules I usually go for the GUI as it is easier to show them; however, if it's just me then I usually load up yesterday's copy of the config and search through it with Ctrl+F.

#5 Corndork2 (Operations Officer; joined Dec 2009, location Champaign, Illinois, 269 posts; certifications: A+, Network+, A+ CE, Network+ CE, Security+ CE, CDIA+, CWTS, CCENT, CCNA R&S, MTCNA, MTCRE, MTCWE, MTCTRE, BAIS, BACNS, BAEFS, JNCIA-JUNOS, VCA-DV)
When working with the Cisco ASAs I prefer the CLI. This is because ASDM (the GUI) will stack up commands, then apply them all at once. This is supposed to simplify the config push, which I believe it does. However, I also think it blinds me to possible errors. I notice the errors in my config better when going line by line in the CLI. The GUI could try to apply 25 lines of configuration all at once, one of which is wrong, and I wouldn't notice it. Then I'd have to spend X hours finding my error.

#6 Senior Member (joined Aug 2009, 250 posts; certifications: CCNP R/S, CCNA Wireless, BCNP, BCNE, SCP, A+, N+)
There are definitely places where the GUI is superior bar none, and that list is getting larger all the time. In the FW world I feel like GUIs are almost to the point where they're just strictly better; not there yet, but will be soon. I know it's hip to be the CLI guy, but it's not about it being cool or hard to understand. It's about what's the most effective, and the GUI is winning in a lot of areas now.

#7 Senior Member (joined Feb 2012, 604 posts)
Well, CCNA Sec coursework demands that you have proficiency in either, so I think there are pros and cons. I think for getting up to speed and learning the nuances of the ZBF of IOS (which is somewhat complex) the GUI is superior. Once you know what you're doing you can move towards the CLI. If I had to do it over again, I would not rely on the GUI/CCP so much because it adds a lot of extra stuff to the config.

#8 colemic (EC Council #1 fan; joined Apr 2010, location Tejas, Baby!, 1,535 posts; certifications: CISSP, CISA, GIAC 2700, MCSE:Security, CEH, CHFI, CCNA:Security, CCENT, Sec+, Net+, ITIL v3 Foundations)
    I very much prefer the GUI as it is easier for me to see and understand what is going on and happening vs. command line... Honestly I really struggle with CLI because I am a visual learner, and it is difficult for me to understand what is going on with straight text. ASDM is a lifesaver for me, especially for rules and NAT.

#9 gorebrush (joined Apr 2005, location UK, 2,729 posts; certifications: CCIE:R&S, CCNA:S, (MCSE, but 2003))
Having had to deal with Checkpoint GUIs and hated them, I'd have to say CLI every time.

    Personally the combo of ASA and CLI is my dream.

#10 W Stewart (Senior Member; joined Jun 2011, location Tampa, FL, 786 posts; certifications: Bachelor of Science IT - Security, CCNA Security, CCNA R&S, LPIC-1, A+ Net+ Sec+, Linux+ and others I don't feel are worth mentioning)
    Originally posted by inscom.brigade:
    To use the GUI you must enable HTTPS in the config of the device. (I vote no https enable.) GUI is cool but, um, on a firewall? It just seems to make me laugh when I think about it.

    Well said.
    Last edited by W Stewart; 12-29-2013 at 06:18 AM.

#11 inscom.brigade (I like soup; joined Jun 2012, 394 posts; certifications: A+, MCITP:eda, CCNA, CCNA security, CCNP)
To use the GUI you must enable HTTPS in the config of the device. (I vote no https enable.) GUI is cool but, um, on a firewall? It just seems to make me laugh when I think about it.

#12 docrice (Random Member; joined Apr 2010, location Bay Area, CA, 1,689 posts; certifications: GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA)
    There may be times when a GUI is more intuitive (such as working with web portal bookmarks when dealing with ASA clientless SSL VPN configuration, or dealing with graphs on a dashboard), but generally CLI is faster, more straightforward, and to-the-point. However, if your typing speed is relatively slow or clunky, the CLI may impede you. Using a GUI also adds overhead to the connection which becomes increasingly more pronounced if you're working over a low-bandwidth or high-latency connection. This is where an SSH connection or console access wins out hands-down.

    I agree about enabling web services on a firewall, even if it's just the management port. Not a good idea at all to have an additional point of exposure and potential compromise vector on a security-centric device of all things. Additionally, it then essentially makes it in-scope for any web application vulnerability scan. Having the firewall provide a web-based UI also potentially means additional code running in memory which introduces complexity and higher likelihood of security issues requiring patching or code upgrades.

Some firewalls seem made to cater to GUI-centric management more than CLI: Fortinet, Check Point, Sourcefire, Palo Alto Networks, to name a few. ASA's ASDM is a rather abysmal GUI, but it has its uses. ASDM also has a feature you can turn on where, if you apply changes made through the GUI, it presents a list of the raw commands that will be applied before they are committed, so you can see what it's doing on the back end.

    I'm going to generalize here though - most people I've seen who prefer GUI tend to be the less-savvy admins. Doing rules, NATs, object definitions, etc. tend to be much more swift via CLI if you understand the ASA. I know Cisco likes to push the GUI in their training and certification emphasis, but in real life I rarely fire up the web browser or other Java-based applet to manage an appliance. It's too cumbersome and there's always that slight lag which annoys the hell out of me.

    I've seen the ASDM apply unnecessary "default template" configs (IPSec-related, for example) into the config that I didn't want to begin with as a result of using a wizard. It completely clutters things sometimes, and it got to the point where my boss declared that everyone in the team must use the CLI as a priority except in certain cases. An unnecessarily-long, cluttered configuration makes things difficult to parse and raises the potential of eventual mistakes.

#13 DevilWAH (The Bringer of Light; joined Jan 2010, location UK, 2,968 posts; certifications: CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH, ROUTE, Zoology BSc)
How many firewalls are people managing with the CLI? One or two, or 200/300? When dealing with a few hundred, where changes to allow access usually meant changes across multiple devices, the GUI for planning changes was great; implementing was still a scripted task due to the large volume.

As for the security of having HTTPS running, this should not be an issue; management access should be restricted whether it is to the CLI or the GUI. No unauthorised devices/users should be able to tell what device is running as a firewall, much less what services it has running on it. 90% of security breaches are caused by basic misconfiguration, not weaknesses in the underlying system.
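The two posts above disagree on whether enabling HTTPS for ASDM is a risk or simply a matter of restricting management access. As an added example (not code from this thread or from Cisco), here is a small Python audit that reads an ASA-style running-config and flags the management-access lines that would make either of them nervous: Telnet enabled, `http`/`ssh` access permitted from any source, or from an interface that is assumed to be untrusted. The config excerpt is constructed, and the `outside` interface name and the /24 minimum source scope are assumptions.

```python
import ipaddress
import re

# Constructed sample of an ASA running-config excerpt (not a real device).
SAMPLE_CONFIG = """\
hostname fw-edge
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.5.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.5.0 255.255.255.0 inside
ssh version 2
aaa authentication http console LOCAL
"""

# ASA management-access lines look like: <http|ssh|telnet> <addr> <mask> <interface>
MGMT_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


def audit_mgmt_access(config, min_prefix_len=24, untrusted_ifaces=("outside",)):
    """Return a list of findings for overly broad or risky management access.

    min_prefix_len: source networks shorter than this (e.g. /0, /16) are flagged
    as too broad (assumed policy). untrusted_ifaces: interface names on which no
    management access should be permitted at all (assumed naming).
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            # Informational: the ASDM/HTTPS server itself is on; the per-line
            # scoping below decides whether that is actually exposed anywhere.
            findings.append("http server enable: HTTPS/ASDM management server is on")
            continue
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if proto == "telnet":
            findings.append(f"{line}: cleartext telnet management access")
        if iface in untrusted_ifaces:
            findings.append(f"{line}: {proto} management permitted on untrusted interface {iface}")
        if net.prefixlen < min_prefix_len:
            findings.append(f"{line}: source {net} is broader than /{min_prefix_len}")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(finding)
```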

#14 docrice (Random Member; joined Apr 2010, location Bay Area, CA, 1,689 posts; certifications: GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA)
    I would actually argue the other way. I've seen bugs where ACLs didn't have the intended effect and Cisco software tends to have its share of code defects. In addition, at least for ASDM, one needs to have the appropriate version of JRE installed on their management host which increases the risk profile. Until somewhat recent versions, ASDM didn't run well on Java 7.

    For Cisco GUIs, one recent development that looks nice (which I haven't played with yet) is Prime. I don't know if it does centralized management of all ASAs, but that would be a welcome change.

#15 DevilWAH (The Bringer of Light; joined Jan 2010, location UK, 2,968 posts; certifications: CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH, ROUTE, Zoology BSc)
I have to say I have only used a single ASA, and like you say, the issues with Java are a pain in the neck, as are the bugs you find. I do like how you can use it to show you the code it will apply, which can be great for learning the CLI.

When dealing with multiple firewalls I was using Check Point. I never worked in a place running more than a couple of Cisco firewalls. That's why I was interested in whether people who like the CLI work with small or very large deployments.

#16 docrice (Random Member; joined Apr 2010, location Bay Area, CA, 1,689 posts; certifications: GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA)
I think this is why Check Point seems to have a better reputation when it comes to firewalls in general. You would think Cisco would have a good centralized management solution for their firewalls in this day and age. On the other hand, firewalls are often handled by the same team who manage the networks in general, and for Cisco shops this becomes a relatively natural transition.

    That said, I don't consider Cisco much of a security company (except their recent acquisition of Sourcefire).

#17 Trifidw (Senior Member; joined Jun 2008, location UK, 276 posts; certifications: A+ Technician, CCNA, CCNP)
    Originally posted by docrice:
    For Cisco GUIs, one recent development that looks nice (which I haven't played with yet) is Prime.
    IMO it is a prime example of why Cisco and GUIs don't go together, at least for the moment. Overly complicated and slows down configuration (especially for ad hoc changes), nothing is where you expect it to be, and it makes life so much more difficult for the network admin. And it was going so well when they changed ACS from version 4 to 5.

Oh, don't get me started on Prime web browser support: IE needs the Chrome plug-in, which doesn't work; Chrome doesn't work; and Firefox works but says it isn't supported, and neither of them is allowed to be used in our place...
    Last edited by Trifidw; 12-28-2013 at 09:32 PM.

#18 docrice (Random Member; joined Apr 2010, location Bay Area, CA, 1,689 posts; certifications: GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA)
    That is unfortunate to hear. When I was evaluating McAfee's IPS some time ago, I ran into the same issue with browser support where IE was the only officially-supported browser. You would think in today's world these large vendors would be able to support the most common three browsers.

#19 Trifidw (Senior Member; joined Jun 2008, location UK, 276 posts; certifications: A+ Technician, CCNA, CCNP)
Version 2.1 should be a big change from what I've read, so I'll hold full judgement until then. Hopefully they will have designed the web front end to be accessed by a web browser.

#20 DevilWAH (The Bringer of Light; joined Jan 2010, location UK, 2,968 posts; certifications: CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH, ROUTE, Zoology BSc)
I like Prime. I still do most development on the CLI, but to create templates and push changes to multiple devices I find it's great. I agree the web interface leaves something to be desired, especially the speed, and it's not cheap, but I use it daily and it definitely saves time. I am hoping the promised updates will sort this out. It's also not bad for general monitoring. I am just about to integrate it with ISE, which I think might be interesting.

I do think that for development and testing, generally networking or security like firewalls, the CLI offers a lot of advantages. But for day-to-day tasks, especially if you want to hand over some repetitive task to junior staff members, the GUI does offer some real advantages. If you know the CLI you can always navigate the GUI quite easily; it's not the same the other way round, knowing the GUI won't help at all on the CLI. So in answer to the original question, GUI or CLI: if you really want to master firewalls, CLI, plain and simple; if you just want to do basic management and monitoring then you can do a lot just with the GUI, and it is a lot nicer learning curve.
    Last edited by DevilWAH; 12-28-2013 at 11:06 PM.

#21 Senior Member (joined Jan 2008, location Madison, WI, 1,455 posts)
Strictly CLI on all of our Cisco and Juniper equipment. After complete disappointment after disappointment in the web GUIs on both platforms, I've stopped even bothering to give the GUI a look over as things move forward. To me, mastery of the CLI really does seem to directly translate into a much better understanding of not just what the particular device is doing but the protocol/feature you're working with at the time as well. Web-based GUIs to me always seemed to be quite slow and clunky, so I've largely given up on them altogether.

#22 Params7 (Elite Member; joined May 2013, location New Jersey, 247 posts; certifications: CCNA)
I barely get to touch firewalls (level 1 support), but I've seen my supervisors deploy firewalls with the CLI. None of them even have a CCNA, yet they like the CLI more than the GUI. I've only used the GUI to schedule restarts after hours.

#23 networker050184 (Moderator, "Went to the dark side...."; joined Jul 2007, 11,789 posts; certifications: CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200)
    CLI for Cisco because I'm already completely comfortable with it. I've done some work on other brands like Palo Alto that was all GUI though.
    An expert is a man who has made all the mistakes which can be made.

#24 Senior Member (joined Jan 2013, 169 posts)
Totally depends on what I'm doing. ASA 8.2 and under I do all in CLI for everything; 8.3+ I tend to revert more to ASDM since I am not as comfortable with the changes.

#25 Member (joined Mar 2010, 67 posts)
    ASA: Previous job was 100% CLI; focus was on firewall (ACL + NAT) and some site to site tunnels. Current job mostly uses ASDM and the focus is only VPN (client, clientless, site to site, legacy vpn client).