Cisco FWSM

From Wikipedia, the free encyclopedia

The Firewall Services Module (FWSM) is a firewall module integrated by Cisco into its Komodo blade on Catalyst 6500 Switches and 7600 Series Routers.

Installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Internet Router, the FWSM allows any VLAN on the switch to be passed through to the device to operate as a firewall port and integrates firewall security inside the network infrastructure.

The FWSM is based on Cisco PIX technology and uses the same Cisco PIX Operating System, a secure, real-time operating system. The Cisco FWSM enables organizations to manage multiple firewalls from the same management platform.

It reached end-of-support status as of September 26, 2007[1] and was replaced by the Cisco Catalyst 6500 Series 7600 Series ASA Services Module.[2]


The FWSM has five processors: two central CPUs (Pentium IV 1 GHz processor) and three network processors (IBM 4GS3 PowerNP). It is unknown if both of the Pentium CPUs are used for management.

The central CPUs are responsible for fixups and for traffic sourced from and destined to the FWSM itself (mainly management traffic). The central CPUs are also responsible for rule-base compilation. The rulebase is converted (compiled) into configuration for the Network Processors, so the majority of the traffic is handled in dedicated hardware.

The three Network Processors in the FWSM handle the majority of the traffic. Fast Path NP1 and NP2 handle the main traffic and each have three 1 Gigabit connections to the backplane. The third NP sits above NP1 and NP2 and is the session manager.[3]

As the rulebase is compiled into hardware, the FWSM has clear restrictions on the maximum number of Access Control Entries (ACE). The limitation is only reached with large and inefficient rulebases. The limit cannot be extended by memory upgrade as on PIX and ASA platforms.


The resource manager helps organizations limit the resources allocated to any security context at any time, thus ensuring that one security context does not interfere with another.

The transparent firewall feature configures the FWSM to act as a Layer 2 bridging firewall, resulting in minimal changes to network topology.[4]

FWSM Configuration

Configure Interfaces for FWSM—Before you can allow traffic through the FWSM, you need to configure an interface name and an IP address. You should also change the security level from the default, which is 0. If you name an interface inside and do not set the security level explicitly, the FWSM sets the security level to 100.

Note: Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between.

You can add any VLAN ID to the configuration, but only VLANs that are assigned to the FWSM by the switch (for example, 10, 15, 20 and 25) can pass traffic. Use the show vlan command to view all VLANs assigned to the FWSM.

  interface vlan 20
   nameif outside
   security-level 0
   ip address
  interface vlan 10 
   nameif inside
   security-level 100
   ip address
  interface vlan 15
   nameif dmz1
   security-level 60
   ip address
  interface vlan 25
   nameif dmz2
   security-level 50
   ip address
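
A small audit of interface stanzas like the ones above, added here as an example and not part of the original article or of Cisco's tooling: it flags interfaces that rely on an implicit security level, carry a bare ip address line, or use a VLAN the switch has not assigned to the FWSM. The sample configuration, its addresses, the assigned-VLAN set and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the page): documentation-range addresses;
# vlan 30 is deliberately missing from the switch-assigned set.
SAMPLE_CONFIG = """\
interface vlan 20
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface vlan 10
 nameif inside
 ip address 198.51.100.1 255.255.255.0
interface vlan 30
 nameif dmz3
 ip address
"""
ASSIGNED_VLANS = {10, 15, 20, 25}  # assumed to be taken from the switch

def parse_interfaces(text):
    """Map vlan id -> {'nameif', 'level', 'ip'} from interface stanzas."""
    interfaces, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        m = re.fullmatch(r"interface vlan\s*(\d+)", line, re.I)
        if m:
            cur = interfaces.setdefault(
                int(m.group(1)), {"nameif": None, "level": None, "ip": False})
        elif cur is None or not words:
            continue
        elif words[0] == "nameif" and len(words) > 1:
            cur["nameif"] = words[1]
        elif words[0] == "security-level" and len(words) > 1 and words[1].isdigit():
            cur["level"] = int(words[1])
        elif words[:2] == ["ip", "address"]:
            cur["ip"] = len(words) >= 3  # a bare "ip address" carries no address
    return interfaces

def audit(text, assigned_vlans):
    """Return (vlan, finding) tuples, ordered by VLAN id."""
    findings = []
    for vlan, i in sorted(parse_interfaces(text).items()):
        if vlan not in assigned_vlans:
            findings.append((vlan, "not assigned to FWSM by the switch"))
        if i["level"] is None:
            # Defaults as described above: 100 if named inside, otherwise 0.
            default = 100 if i["nameif"] == "inside" else 0
            findings.append((vlan, f"implicit security-level {default}"))
        elif not 0 <= i["level"] <= 100:
            findings.append((vlan, "security-level outside 0-100"))
        if not i["ip"]:
            findings.append((vlan, "ip address missing or incomplete"))
    return findings
```

Calling audit(SAMPLE_CONFIG, ASSIGNED_VLANS) reports the implicit level 100 on vlan 10 and three findings on vlan 30.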