PIX Firewall version 6.3 introduced support for message-of-the-day (MOTD), EXEC, and
login banners, similar to the feature included in Cisco IOS Software. Banner size is limited
only by available system memory or Flash memory.
You can create a message as a warning for unauthorized use of the firewall. In some
jurisdictions, civil and/or criminal prosecution of crackers who break into your system are
made easier if you have incorporated a warning banner that informs unauthorized users that
their attempts to access the system are in fact unauthorized. In other jurisdictions, you may
be forbidden to monitor the activities of even unauthorized users unless you have taken steps
to notify them of your intent to do so. One way of providing this notification is to put the
information into a banner message configured with the Security Appliance banner command.
Legal notification requirements are complex and vary in each jurisdiction and situation. Even
within jurisdictions, legal opinions vary, and this issue should be discussed with your own
legal counsel. In cooperation with counsel, you should consider which of the following
information should be put into your banner:
■ A notice that the system can be logged in to or used only by specifically authorized
personnel, and perhaps information about who may authorize use
■ A notice that any unauthorized use of the system is unlawful and may be subject to civil
and/or criminal penalties
■ A notice that any use of the system may be logged or monitored without further notice
and that the resulting logs may be used as evidence in court
■ Specific notices required by specific local laws
From a security, rather than a legal, point of view, your login banner usually should not
contain any specific information about your router, its name, its model, what software it is
running, or who owns it; such information may be abused by crackers.
The banner messages can be displayed when a user enters privileged EXEC mode, upon line
activation, on an incoming connection to a virtual terminal, or as a MOTD. To create a
banner message, use the following command:
banner {exec | login | motd} text
Table 6-15 describes the parameters of the banner command.
Table 6-15 banner Command Parameters
Parameter Description
exec Configures the system to display a banner before displaying the enable prompt.
Login Configures the system to display a banner before the password login prompt
when accessing the firewall using Telnet.
motd Configures the system to display a MOTD banner.
text Specifies the line of message text to be displayed in the firewall command-line
interface. Subsequent text entries are added to the end of an existing banner
unless the banner is cleared first. The tokens $(domain) and $(hostname) are
replaced with the host name and domain name of the firewall.
Spaces are allowed, but tabs cannot be entered using the CLI. You can dynamically add the
host name or domain name of the Security Appliance by including $(hostname) and
$(domain) in the string. Example 6-10 shows a sample configuration using the banner
command.
To replace a banner, use the no banner command before adding the new lines. The no banner
{exec | login | motd} command removes all the lines for the banner option specified. The no
banner command removes all the lines for the banner option specified and does not
selectively delete text strings. The clear banner command removes all the banners.