Cisco PIX
=== Software ===

The PIX runs a custom-written proprietary [[operating system]] originally called Finese (''Fast Internet Service Executive''), but {{as of|2014|lc=on}} the software is known simply as PIX OS. Though classified as a [[network layer firewall|network-layer firewall]] with [[stateful firewall|stateful inspection]], the PIX would more precisely be called a Layer 4, or transport-layer, firewall, because its access control is not restricted to network-layer routing but applies to socket-based connections (an IP address and a port; port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an [[Access Control List]] (ACL) or by a ''conduit''. Administrators can configure the PIX to perform many functions including [[network address translation]] (NAT) and [[port address translation]] (PAT), as well as serving as a [[virtual private network]] (VPN) endpoint appliance.

The PIX became the first commercially available firewall product to introduce protocol-specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Protocols for which specific fixup behaviors were developed include DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (reached through what is known as the ''outside'' interface) for each DNS request from a client on the protected (known as ''inside'') interface. "Inspect" has superseded "fixup" in later versions of PIX OS.

The Cisco PIX was also one of the first commercially available security appliances to incorporate [[IPSec]] VPN gateway functionality.

Administrators can manage the PIX via a [[command line interface]] (CLI) or via a [[graphical user interface]] (GUI). They can access the CLI from the serial console, telnet and [[Secure Shell|SSH]]. GUI administration originated with version 4.1, and it has been through several incarnations:<ref>{{cite web |url=http://www.cisco.com/warp/public/110/41.shtml#nine |title=FAQs for Cisco PFM |accessdate=2007-06-19}}</ref><ref>{{cite web |url=http://www.cisco.com/en/US/docs/security/pix/pix63/pdm30/installation/guide/pdm_ig.html |title=Documentation on Cisco PDM |accessdate=2007-06-19}}</ref><ref>{{cite web |url=http://www.cisco.com/en/US/products/ps6121/products_user_guide_book09186a00806aea58.html |title=Documentation on Cisco ASDM |accessdate=2007-06-19 |archiveurl=https://web.archive.org/web/20070616121501/http://www.cisco.com/en/US/products/ps6121/products_user_guide_book09186a00806aea58.html <!-- Bot retrieved archive --> |archivedate=2007-06-16}}</ref>
* PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client
* PIX Device Manager (PDM) for PIX OS version 6.x, which runs over [[https]] and requires [[Java (programming language)|Java]]
* Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.

Because Cisco acquired the PIX from Network Translation, the CLI originally did not align with the [[Cisco IOS]] syntax. Starting with version 7.0, the configuration became much more IOS-like.
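
The one-response-per-request DNS fixup policy described in this section can be modelled as follows. This is an added illustrative example, not PIX OS code; matching a reply on client address, client port, server address and DNS transaction ID, and the names <code>DnsGuard</code>, <code>Packet</code> and <code>demo</code>, are assumptions made here.

```python
import struct
from typing import NamedTuple

class Packet(NamedTuple):
    src: str        # source IP address
    sport: int      # source UDP port
    dst: str        # destination IP address
    dport: int      # destination UDP port
    payload: bytes  # UDP payload (the DNS message)

def dns_id_and_qr(payload):
    """Return (transaction ID, is_response) from the DNS header, or None if truncated."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means "response"

class DnsGuard:
    """Toy model of the policy: one inbound response per outbound request.
    Hypothetical design; timeouts and retransmissions are not modelled."""
    def __init__(self):
        self.pending = set()  # (client, client port, server, txid)

    def outbound(self, pkt):
        """Inside -> outside: record DNS queries, forward by default."""
        hdr = dns_id_and_qr(pkt.payload)
        if pkt.dport == 53 and hdr and not hdr[1]:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, hdr[0]))
        return True

    def inbound(self, pkt):
        """Outside -> inside: permit only the first reply to a pending query."""
        hdr = dns_id_and_qr(pkt.payload)
        if pkt.sport != 53 or not hdr or not hdr[1]:
            return False
        key = (pkt.dst, pkt.dport, pkt.src, hdr[0])
        if key in self.pending:
            self.pending.remove(key)  # the slot is consumed by this reply
            return True
        return False

def dns_header(txid, response):
    """Build a minimal 12-byte DNS header (constructed sample data)."""
    return struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, int(response), 0, 0)

def demo():
    guard = DnsGuard()
    client, server = "10.0.0.5", "198.51.100.53"  # constructed addresses
    guard.outbound(Packet(client, 40000, server, 53, dns_header(0x1A2B, False)))
    reply = Packet(server, 53, client, 40000, dns_header(0x1A2B, True))
    other = Packet("203.0.113.9", 53, client, 40000, dns_header(0x1A2B, True))
    # reply from a server that was never queried, genuine reply, duplicate reply
    return [guard.inbound(other), guard.inbound(reply), guard.inbound(reply)]
```
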