4-1 Using Security Contexts to Make Virtual Firewalls
4. Initiate multiple-context mode:
Firewall(config)# mode [noconfirm] multiple
In single-context mode, all the firewall's configuration commands are contained in the
startup configuration. Multiple-context mode changes this concept, because the initial startup configuration must contain commands that define the individual contexts. Each context has its own startup configuration file that configures features used only by that context.
If single-context mode already has some configuration when this command is used, an admin context is automatically created, and the appropriate commands are imported into it. Any interfaces that were configured and enabled are automatically mapped into the admin context, too. Otherwise, the admin context begins with no mapped interfaces.
The end result is that the firewall automatically generates the startup configuration for the system execution space, which is stored in a hidden flash file system. A startup configuration for the admin context is automatically generated and stored as the flash:/admin.cfg file. Initiating multiple-context mode triggers the display of several prompts for you to confirm each action before it is carried out. You can use the noconfirm keyword to force the firewall to initiate multiple-context mode without any confirmation prompts.
Note
After it is entered, the mode command does not appear in any firewall configuration. This is because it changes the firewall's behavior. The firewall still can remember which mode to use after booting up.
For example, a firewall running in single-context mode is configured to begin running in multiple-context mode. The mode multiple command produces the following output:
Firewall(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode to flash
Flash Firewall mode: multiple
[output omitted]
Creating context 'system'... Done. (0)
Creating context 'null'... Done. (257)
Creating context 'admin'... Done. (1)
INFO: Context admin was created with URL flash:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
*** Output from config line 32, " config-url flash:/admi..."
[output omitted]
Firewall# show mode
Running Firewall mode: multiple
Firewall#
Notice that several contexts are automatically created during this process: the system context is actually the system execution space, the null context serves as a placeholder for a system resource, and the admin context becomes the configuration for the administrative side of the firewall.
The number in parentheses after each context, such as (0), indicates the context number or index. The null context is always defined with the topmost index.
After you initiate multiple-context mode, the firewall also leaves hooks for a backout plan should you ever need to revert to single-context mode. The previous running configuration is automatically saved as the flash:/old_running.cfg file. If the mode single command is used in the future, the firewall attempts to use that file to re-create a single-context mode configuration. Therefore, you should consider leaving that file intact in the flash file system for future use.
Navigating Multiple Security Contexts
In multiple-context mode, it is possible to open an administrative session (console, Telnet, or Secure Shell [SSH]) to the firewall and then move around between security contexts. This allows you to configure and monitor any of the contexts as necessary without opening sessions to the individual virtual firewalls.
You can navigate between contexts only if you successfully connect and authenticate to the admin context or the system execution space first. At that point, you are considered an administrator of the physical firewall platform and any contexts that are configured.
If you connect to a user context first, the firewall limits your administrative session to only that context. This restricts the administrators of a user context from gaining access to any other context on the firewall. Each context is then independently managed from within that context.
Context Prompts
Moving between contexts can get confusing. During one administrative session, you might have to keep track of which physical firewall platform and which context (virtual firewall) you are connected to. Fortunately, the firewall gives you a landmark each time you move your session.
The firewall always updates its prompt to indicate which context you are currently accessing. The traditional prompt, Firewall#, represents the system context; Firewall represents the firewall's host name. Any other context is indicated by a prompt such as Firewall/context#, where context is the name of the context.
Tip
As you move into various contexts, keep in mind that each context has its own startup and running configuration. Therefore, the running configuration must be saved on each context independently.
Think of each context as an independent firewall. The admin context represents the firewall that is used by the platform administrators. The system execution space, although not a true context, provides the functions necessary to extend the physical firewall resources (interfaces, flash memory, context definitions, and so on) to any admin and user contexts.
Changing a Session to a Different Context
You can move your terminal session from one context to another, as long as you have the administrative rights to do so, by entering the following command:
Firewall# changeto {system | context name}
For example, suppose your firewall has the host name MyPix. It also has a system execution space (always created by default), an admin context, and a user context called CustomerA. You can use the following commands to navigate between contexts:
MyPix#
MyPix# changeto context admin
MyPix/admin#
MyPix/admin# changeto context CustomerA
MyPix/CustomerA#
MyPix/CustomerA# changeto system
MyPix#
Notice how the session prompt automatically changes to indicate the firewall and context name each time the session is moved. Keep in mind that the system execution space is always called system and not context system. Therefore, it does not really have a context name to be displayed in the prompt.
All contexts must be defined from a firewall's system execution space. Make sure you position your session in the system space with the following command before continuing:
Firewall# changeto system
The firewall also needs an admin context to be able to communicate beyond itself. The admin context is usually built automatically when the firewall is configured for multiple-context mode. Also, each time the firewall boots up, you should see console messages indicating that the admin context has been rebuilt.
To see a list of the contexts that have been configured, you can use the following command:
Firewall# show context
In the following example, only the admin context has been built:
Firewall# show context
Context Name      Interfaces      URL
*admin                            flash:/admin.cfg
Total active Security Contexts: 1
Firewall#
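As an added example (not code from the book), the following Python parser reads captured show context output into records and runs the sanity checks an administrator would want: the row count matches the reported total, exactly one context carries the admin asterisk, and no context is left without mapped interfaces. It assumes the column layout shown above, with an interface column that may wrap onto continuation lines; the sample output is constructed and reuses the CustomerA context named in the changeto example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Context:
    name: str
    is_admin: bool                  # leading '*' in the show context table
    interfaces: list = field(default_factory=list)
    url: str = ""                   # config-url, e.g. flash:/admin.cfg

PROMPT_RE = re.compile(r"^\S+#")                    # Firewall# or MyPix/admin#
URL_RE = re.compile(r"^\w+:/\S*$")                  # flash:/admin.cfg, disk0:/x.cfg
TOTAL_RE = re.compile(r"^Total active Security Contexts:\s*(\d+)")

def parse_show_context(text):
    contexts, total = [], None                      # returns (rows, reported total)
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Context Name") or PROMPT_RE.match(line):
            continue                                # blanks, header, prompt lines
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        tokens = line.split()
        if URL_RE.match(tokens[-1]):                # row: [*]name [iface,...] url
            name, ifaces = tokens[0], [t.rstrip(",") for t in tokens[1:-1]]
            contexts.append(Context(name.lstrip("*"), name.startswith("*"), ifaces, tokens[-1]))
        elif contexts:                              # wrapped interface column
            contexts[-1].interfaces.extend(t.rstrip(",") for t in tokens)
    return contexts, total

def audit(contexts, total):
    problems = []                                   # counts agree, one admin, no orphan
    if total is not None and total != len(contexts):
        problems.append(f"parsed {len(contexts)} rows but device reports {total}")
    admins = [c.name for c in contexts if c.is_admin]
    if len(admins) != 1:
        problems.append(f"expected exactly one admin context, found {admins}")
    problems += [f"context {c.name} has no mapped interfaces" for c in contexts if not c.interfaces]
    return problems

# Constructed sample modelled on the page's output; CustomerA is the user context named earlier.
SAMPLE = """\
MyPix# show context
Context Name      Interfaces              URL
*admin            GigabitEthernet0/0,     flash:/admin.cfg
                  GigabitEthernet0/1
 CustomerA        GigabitEthernet0/2      flash:/CustomerA.cfg
Total active Security Contexts: 2
"""
```

Run against the book's own single-admin output above, audit reports that the admin context has no mapped interfaces, which is exactly the state the text describes before interfaces are allocated.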
To configure a new context, follow these steps:
1.
Name the context:
Firewall(config)# context name
Every context must have a name that is unique on the physical firewall platform. This name is used in the context definition, in commands used to change sessions over to the context, in the user interface prompt, and in some forms of logging messages.
Tip
You must add an admin context to every firewall so that it can communicate with the outside world. Therefore, the first context you should create is the admin context.
By default, the admin context is named "admin" and is created by using the context admin command. If you decide to give it some other arbitrary name, you will identify it as the admin context in a later configuration step.
2.
(Optional) Label the context: