Firewalls CLI or GUI?

atorvenatorven Posts: 319Registered Members
I'm just getting into firewalls (ASAs) and I wondered about those of you who manage your own firewalls, do you use the CLI or GUI? As I'm learning I'm finding that whilst GUIs allow you to easily set stuff up but they also present you with too many options, which to me as a beginner are confusing as "I would prefer to know what checking certain boxes does", the CLI on the other hand allows you to configure exactly what you want but you need to know specifically what you want to do before hand.

Comments

  • Master Of PuppetsMaster Of Puppets Posts: 1,210Registered Members
    Personally, I am a CLI guy. I'm not very fond of GUIs and I avoid to use them as much as I can. However, sometimes it is faster and easier to do something with the GUI. I think you can have the best of both worlds so just make sure to know both. Also, I have made an interesting observation that may apply only to my circumstances but here it goes - IT managers like GUIs. Some of them are not that technical and can't understand the CLI. Additionally, they like pretty graphics, pictures and graphic representations of the things on the network(this can be useful for us too). In the past few weeks I have been specifically required to make sure there are GUIs for the ASAs and some IPS sensors that I deployed(yay for me on getting hands-on for the upcoming IPS exam :D ).
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • DevilWAHDevilWAH Posts: 2,996Registered Members
    CLi has far more options in general than the GUI, infact some things you can only really do by getting under the hood.

    My first time setting up a CISCO firewall was a simple install and I did it completely from the CLI as I wanted to know exactly what he configuration looked like and how making changes on the GUI would affect it.

    However in large set ups, with multiply firewalls and 10,000 of rules, the GUI really comes in to its own, and for day to day operation and monitoring its really very good. My suggestion would be to start with a simple set up using the GUI and then go through the CLI config and make sure you understand what every line of code does. I think you will find in the real world being able to use both with confidence is a big advantage, dont think as one as better than the other. they both have there place in a live insulation.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • TrifidwTrifidw Posts: 281Registered Members
    I do it on what is faster. New firewall rules I usually have my previous entry in a notepad so just change the numbers around and paste it in. Changing existing rules I usually find easier in ASDM. NAT I find quicker in ASDM too.

    If someone asks me a question on existing rules I usually go for the GUI as it is easier to show them however just me then I usually load up yesterdays copy of the config and search through it with ctrl+f.
  • Corndork2Corndork2 Posts: 266Registered Members
    When working with the Cisco ASA's I prefer CLI. This is because the ASDM (GUI) will stack up commands, then apply them all at once. This is supposed to simplify the config push, which I believe it does. However I also think it blinds me to possible errors. I notice the errors in my config better when going line by line in the CLI. The GUI could try to apply 25 lines of configuration all at once, one of which is wrong, and I wouldnt notice it. Then I'd have to spend X hours finding my error.
    Brocade: BAIS, BACNS, BAEFS Cisco: CCENT, CCNA R&S CWNP: CWTS Juniper: JNCIA-JUNOS
    CompTIA: A+ (2009), Network+ (2009), A+ CE, Network+ CE, Security+ CE, CDIA+
    Mikrotik: MTCNA, MTCRE, MTCWE, MTCTCE VMware: VCA-DV Rackspace: CloudU
  • pertpert Posts: 250Registered Members
    There are definitely places the GUI is superior bar none, and that list is getting larger all the time. In the FW world I feel like GUIs are almost to the point where theyre just strictly better, not there yet, but will be soon. I know it's hip to be the CLI guy, but it's not about it being cool or hard to understand. It's about what's the most effective, and the GUI is winning in a lot of areas now.
  • emerald_octaneemerald_octane Posts: 613Registered Members
    Well CCNASec coursework demands that you have proficiency in either so I think there are pros and cons. I think for getting up to speed and learning the nuances of the ZBF of IOS (which is somewhat complex) the GUI is superior. Once you know what you're doing you can move towards CLI. If I had to do it over again, I would not rely on the GUI/CCP so much because it adds alot of extra stuff to the config.
  • colemiccolemic Posts: 1,559Registered Members
    I very much prefer the GUI as it is easier for me to see and understand what is going on and happening vs. command line... Honestly I really struggle with CLI because I am a visual learner, and it is difficult for me to understand what is going on with straight text. ASDM is a lifesaver for me, especially for rules and NAT.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • gorebrushgorebrush Posts: 2,741Registered Members
    Having had to deal with Checkpoint GUI's and hate them - I'd have to say CLI everytime.

    Personally the combo of ASA and CLI is my dream.
  • W StewartW Stewart Posts: 794Registered Members
    To use GUI you must enable HTTPS in the config of the device. (I vote no https enable). gui is cool but um, on a firewall? , just seems to make me laughicon_smile.gif when I thing about it.


    Well said.
    Being a sys admin sucks but I love it
  • inscom.brigadeinscom.brigade Posts: 400Registered Members
    To use GUI you must enable HTTPS in the config of the device. (I vote no https enable). gui is cool but um, on a firewall? , just seems to make me laugh:) when I thing about it.
  • docricedocrice Posts: 1,706Registered Members
    There may be times when a GUI is more intuitive (such as working with web portal bookmarks when dealing with ASA clientless SSL VPN configuration, or dealing with graphs on a dashboard), but generally CLI is faster, more straightforward, and to-the-point. However, if your typing speed is relatively slow or clunky, the CLI may impede you. Using a GUI also adds overhead to the connection which becomes increasingly more pronounced if you're working over a low-bandwidth or high-latency connection. This is where an SSH connection or console access wins out hands-down.

    I agree about enabling web services on a firewall, even if it's just the management port. Not a good idea at all to have an additional point of exposure and potential compromise vector on a security-centric device of all things. Additionally, it then essentially makes it in-scope for any web application vulnerability scan. Having the firewall provide a web-based UI also potentially means additional code running in memory which introduces complexity and higher likelihood of security issues requiring patching or code upgrades.

    Some firewalls seem made to cater to GUI-centric management more than CLI. Fortinet, Check Point, Sourcefire, Palo Alto Networks, to name a few. ASA's ASDM is a rather abysmal GUI, but it has its uses. The ASDM also has a feature that you can turn on where if you apply changes done through a GUI, it presents a list of raw commands that will be applied before it's committed so you can see what it's doing on the backend.

    I'm going to generalize here though - most people I've seen who prefer GUI tend to be the less-savvy admins. Doing rules, NATs, object definitions, etc. tend to be much more swift via CLI if you understand the ASA. I know Cisco likes to push the GUI in their training and certification emphasis, but in real life I rarely fire up the web browser or other Java-based applet to manage an appliance. It's too cumbersome and there's always that slight lag which annoys the hell out of me.

    I've seen the ASDM apply unnecessary "default template" configs (IPSec-related, for example) into the config that I didn't want to begin with as a result of using a wizard. It completely clutters things sometimes, and it got to the point where my boss declared that everyone in the team must use the CLI as a priority except in certain cases. An unnecessarily-long, cluttered configuration makes things difficult to parse and raises the potential of eventual mistakes.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • DevilWAHDevilWAH Posts: 2,996Registered Members
    How many firewalls are people managing with the cli? One/two or 200/300? When dealing with a few 100 where changes to allow access usually meant changes across mutiply devices the GUI for planning changes was great, implementing was still a scripted task due to the large volume.

    As for the security having https running, this should not be an issue, management access should be restricted weather it is to the cli or GUI. No outhorised devices/users should not be able to what device is running as a firewall, much less what services it has running on it. 90% of security breaches are caused by basic misconfiguration, not weaknesses in the underlying system.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • docricedocrice Posts: 1,706Registered Members
    I would actually argue the other way. I've seen bugs where ACLs didn't have the intended effect and Cisco software tends to have its share of code defects. In addition, at least for ASDM, one needs to have the appropriate version of JRE installed on their management host which increases the risk profile. Until somewhat recent versions, ASDM didn't run well on Java 7.

    For Cisco GUIs, one recent development that looks nice (which I haven't played with yet) is Prime. I don't know if it does centralized management of all ASAs, but that would be a welcome change.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • DevilWAHDevilWAH Posts: 2,996Registered Members
    I have to say I have only used a single ASA and like you say the issues with java are a pain in the neck as are the bugs you find. I do like how you can use it to show you the code it will apply which can be great for learning the cli.

    When dealing with multiply firewall I was using checkpoint. Never worked in a place running more than a couple of Cisco firewalls. That why I was intrested if people who like the cli work with small or very large deployments.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • docricedocrice Posts: 1,706Registered Members
    I think this is why Check Point seems to have a better reputation when it comes to firewalls in general. You would think Cisco would have good a centralized management solution for their firewalls in this day and age. On the other hand, often firewalls are handled by the same team who manage the networks in general, and for Cisco shops this becomes a relatively natural transition.

    That said, I don't consider Cisco much of a security company (except their recent acquisition of Sourcefire).
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • TrifidwTrifidw Posts: 281Registered Members
    docrice wrote: »
    For Cisco GUIs, one recent development that looks nice (which I haven't played with yet) is Prime.

    IMO it is a prime example of why Cisco and GUIs don't go together, at least for the moment. Overly complicated and slows down configuration (especially for adhoc changes) nothing is where you expect it to be and makes life so much more difficult for the network admin. And it was going so well when they changes ACS from version 4 to 5.

    Oh don't get me started on Prime web browser support, IE needs the chrome plug in which doesn't work. Chrome doesn't work and Firefox works but says it isn't supported and neither of them are allowed to be used in our place...
  • docricedocrice Posts: 1,706Registered Members
    That is unfortunate to hear. When I was evaluating McAfee's IPS some time ago, I ran into the same issue with browser support where IE was the only officially-supported browser. You would think in today's world these large vendors would be able to support the most common three browsers.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • TrifidwTrifidw Posts: 281Registered Members
    Version 2.1 should be a big change from what I've read so I'll hold full judgement until then. Hopefully they will have designed the web front end to be accessed by a web browser.
  • DevilWAHDevilWAH Posts: 2,996Registered Members
    i like prime, i still do most development on the cli, but to create templates and push changes to multiply devices i find its great. I agree the web interface leaves some thing to be desired, especially the speed. and is not cheap, but I use it daily and it defiantly saves time. I am hoping the promised updates will sort this out. its also not bad for general monitoring. I am just about to integrate it with ISE which i think might be intresting.

    I do think that for development and testing, generally networking or security like firewalls the CLI offeres a lot of advantages. but for day to day tasks, especially if you want to hand over some repetitive task to junior staff members. The GUI does offer some real advantages. If you know the CLI you can always navigate the GUI quite easily, not the same the other way round, knowing the GUI wont help at all on the CLI. So in answer to the original question GUI or CLI, if you really want to master firewalls CLI plain and simple, if you just want to do basic management and monitoring then you can do a lot just with the GUI and it is a lot nicer learning curve.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • msteinhilbermsteinhilber Posts: 1,479Registered Members
    Strictly CLI on all of our Cisco and Juniper equipment. After complete disappointment after disappointment in the web GUI's on both platforms, I've stopped even bothering to give the GUI a look over as things move forward. To me, mastery of the CLI really does seem to directly translate into a much better understanding of not just what the particular device is doing but the protocol/feature you're working with at the time as well. Web-based GUI's to me always seemed to be quite slow and clunky so I've largely given up on them all together.
  • Params7Params7 Posts: 254Registered Members
    I barely get to touch firewalls (level 1 support) but I've seen my supervisors deploy firewalls with CLI. None of them even have a ccna, yet they like the CLI more than GUI. I've only used the GUI to schedule restarts after-hours.
  • networker050184networker050184 Posts: 11,961Moderators mod
    CLI for Cisco because I'm already completely comfortable with it. I've done some work on other brands like Palo Alto that was all GUI though.
    An expert is a man who has made all the mistakes which can be made.
  • TheNewITGuyTheNewITGuy Posts: 169Registered Members
    totally depends on what im doing. ASA 8.2 and under i do all in CLI for everything, 8.3+ i tend to revert more to ASDM since I am not as comfortable with the changes.
  • eteneten Posts: 67Registered Members ■■□□□□□□□□
    ASA: Previous job was 100% CLI; focus was on firewall (ACL + NAT) and some site to site tunnels. Current job mostly uses ASDM and the focus is only VPN (client, clientless, site to site, legacy vpn client).
  • PurpleITPurpleIT Posts: 327Registered Members
    I am a big fan of the ASDM on the ASAs, but a lot of that is because as a visual learner I can assess the output much faster that way. When it comes to issuing commands I can use the CLI, but I have to admit I have become lazy and tend to do it via the GUI. I think it is safe to say that short of troubleshooting scenarios, I NEED the CLI less than 1% of the time.

    To be totally honest, I think a lot of the CLI vs GUI thing is due to false machismo. As one guy I worked with put it, "They have a perfectly good GUI, why wouldn't I use it?"*

    * This applies only to Cisco ASAs - for routers and switches the CLI is the way to go. CCP may be OK for one or two things, but I generally find the product bloated and slow.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • SteveO86SteveO86 Posts: 1,423Registered Members
    As you would expect I prefer CLI. It's cleaner, quicker, and easier. Especially when performing the initial configuration or working with NAT or ACLs.

    However, working with larger deployments I've learned to accept GUI's. Just so much easier once figure out all the issues with the GUI's.

    Plus certain configuration such as SSL VPNs (AnyConnect or Clientless) tend be a little easier using the GUI.

    If you get to mess with the recent CX-modules those are primarily GUI based. If not completely.

    When working with GUI's or CLI always check the 'delta' changes icon_smile.gif
    (And in some cases if you work with the CSM the entire config)
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • DevilWAHDevilWAH Posts: 2,996Registered Members
    ok atorven, so we clear up that question for you :)

    I am sure there are as many GUI guys who understand security far better than many experienced CLI guys, as the other way round. If understand the theory behind it all, then you just "know" when to turn to the GUI and when to dive in to the CLI.

    But you will never get a answer we all agree on :)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • atorvenatorven Posts: 319Registered Members
    Thanks for the input guys.
Sign In or Register to comment.