LTRSEC-3001 Deep Dive Lab on Cisco Firepower NGFW and ASA Integration in ACI

Goran Saradzic – Security TME Manager
Minako Higuchi – ACI TME

Lab Guide can be downloaded at http://cs.co/acisec-lab-guide

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Programmatic Approach with Security

Stand up defenses at the same time as applications.

• APIC Security Device Packages: Cisco Security Device Packages automate security policy updates through tighter integration between security appliances and APIC.
• Dynamic EPG updates to Rules/ACLs.
• Cisco FMC Remediation Package for APIC: embrace dynamic workload quarantine with programmable policy enforcement.

Agenda

• Introduction
• Work through Lab 1 together
• Run Labs 2-7 on your own (ASAv, NGIPSv, FTDv)

Cisco Firepower NGFW and ASA Integration in ACI, Lab Exercises:

1. Connect and run scripts to build out your Tenant with security services
2. Change FTDv service graph to unmanaged mode on app-to-db contract
3. Change FTDv to EPG-attached NGFW service with no Contract
4. Apply malware protection to FTDv service graph on app-to-db contract
5. Run Rapid Threat Containment with APIC Firepower remediation package
6. Enable Dynamic update to EPG feature on out-to-web contract
7. Study the mechanics and benefits of the ASA PBR service graph
Physical Gear – Two Fabrics

Fabric 1: pod1 to pod20, APIC 10.10.35.10, vCenter 10.10.35.120
Fabric 2: pod21 to pod40, APIC 10.10.35.11, vCenter 10.10.35.125

Diagram (hardware per fabric): Nexus9336PQ spine, Nexus9396PX leafs, 4x ASA5525 (ASA+SFR), 2x FirePOWER7010, 2x UCS C220 M4L, vCenter; 40G, 10G and 4x1G links.

Automation and Orchestration

• Orchestrate Cisco ASA and FTD in ACI Fabric
• React to detected threats in an automated fashion: FMC Remediation Module for ACI

ASA Device Package: ASAv (ASAv10, ASAv30, ASAv50); FPR9300 and FPR4100/2100 running the ASA app; ASA5585-X (EoS); ASA5500-X (divert to SFR)
FTD Device Package: virtual FTD (NGFWv); FPR9300, FPR4100, FPR2100 running the FTD app; managed through Firepower Management Console (FMC)

Cisco ASA and FTD Device Packages for ACI

Cisco NGFW (FTD image):
• APIC configures via FMC, via the FTD Device Package: interfaces, IP addresses, VLANs, inline IPS pairs, security zones
• Security team configures via FMC: Access & Threat Policies (URL filter, NGIPS, AMP, etc.), adding the Security Zone to predefined rules under Access & Threat Policies

ASA with FirePOWER Services:
• APIC configures on ASA via the ASA Device Package (APIC added/validated config): interfaces, VLANs, IPs, static or dynamic routes, ACLs, inspections, HA, special features
• ASA embedded FirePOWER Services threat policies: security team configures via FMC; this config is added manually via FMC, outside of APIC control/visibility

Nexus9k Leafs/Spines: shadow EPG VLANs, L3outs. APIC configures tenant networking and service graph parameters in the ACI fabric.
FTD Device Package for ACI – Hybrid Device Manager (posted on Cisco.com)

Threat Defense Policies, Firepower NGFW 6.2 code:
• APIC configures in FMC (Device Manager): interfaces and VLANs; Routed, Transparent FW, NGIPS; create Security Zone; create/update Policy & Rule
• Security team updates FMC: Network Access Policy; NGIPS, File, Geo-location; other items beyond APIC cfg (Access Control, URL filtering, Geolocation features, etc.)
• APIC configures via FMC on NGFW(v), via the FTD Device Package: interfaces, VLANs, BVIs, inline pairs (cross-connects)
• Nexus9k Leafs/Spines: shadow EPG VLANs, L3outs. APIC configures the service graph in the ACI fabric.

Reference: Cisco Security Devices in ACI Fabric

Columns: Cisco L4-7 Device; Supported Platforms; Device Package; Device Version; L4-7 Insertion Mode; HA Mode.

• FTD on physical appliance (FPR9300, FPR4100, FPR2100, ASA5500-X) and FTDv virtual (VMware, KVM): FTD_FI DP 1.0.2 (released); FMC/FTD 6.2.2, APIC 2.2.2e; Go-To (Routed, no L3out), Go-Through (L2FW, inline IPS); HA (L3FW, L2FW, IPS) or Fail-to-Wire (IPS only)
• ASA physical appliance (FPR9300, FPR4100, ASA5585-X, ASA5500-X): DP 1.2.8; 8.4+, 9.6+ (ASA app); Go-To (Routed, L3out supported), Go-Through (L2FW), PBR works with Routed; ASA Active/Standby Failover, ASA Clustering (Active/Active)
• ASAv virtual (ASAv5, v10, v30 on VMware, Hyper-V, KVM with SR-IOV used as a physical domain): DP 1.2.7; 9.4+ (SMART); Go-To (Routed); ASAv Active/Standby Failover
• FirePOWER physical appliance (FP71x0, FP71x5, FP70x0, FP8100, FP8300): unmanaged, DP in the plans; Go-Through (inline IPS); Fail-to-Wire for IPS
• Firepower NGIPSv (VMware): unmanaged, DP in the plans; Go-Through (inline IPS); HA mode N/A
Reference: Cisco Security Device Insertion into ACI

APIC Managed Service Graph

• ASA 1.2.8 Device Package (ASA app, ASAv): GoTo (L3FW), GoThrough (L2FW); ACL, DPI, Netflow, Syslogs, TrustSec; L3out Dynamic Routing (BGP/OSPF); NAT4/6, Dynamic Update EPG ACL; Global Service-Policy; Active/Standby Failover; Divert to embedded Firepower.
• Firepower NGFW (FTD) 1.0.2 Device Manager Package (FTD app, NGFWv): GoTo (L3FW), GoThrough (L2FW and Inline NGIPS). APIC orchestrates data plane interfaces, creates Security Zones, and attaches to a pre-defined FMC policy; FMC controls policy on the FTD app, including AMP, URL filter, Sandbox, etc.

APIC Unmanaged Service Graph

• Run any ASA or Fire(power) platform, code, and features.
• APIC orchestrates the service graph on Nexus leaf switches.
• Security devices (ASA, FirePOWER, or Firepower NGFW (FTD)) are managed using CLI, REST-API, or purpose-built management tools (ASDM, CSM, FMC), and we now match settings on the unmanaged service graph (plug into configured ports, and match interface static/dynamic VLANs).
• Partial orchestration: APIC controls networking and policy on fabric leaf switches but not on the L4-L7 devices.
Cisco Security Device Integration in LTRSEC-3001

APIC Managed Service Graph
• ASA 1.2 Device Package: Exercise 1 – ASA5525-X, 2x Go-To Service Graphs (PBR Failover and L3out Cluster); Exercise 6 – ASA5525-X Dynamic update on Web/App; Exercise 7 – PBR study of PBR contracts/graph
• FTD 1.0.2 Device Manager Package: Exercise 1 – FTD 6.2.2 Go-To Service Graph, Access Control Policy on FMC; Exercises 4 and 5 – FMC add malware block policy, then add APIC remediation instance and quarantine

APIC Unmanaged Service Graph (run any ASA, FTD, or Fire(power) platform, code, and features)
• Exercise 2 – FTD 6.2.2 Unmanaged Service Graph

APIC EPG-attached Services (run any ASA, FTD, or Fire(power) platform, code, and features)
• Exercise 3 – FTD 6.2.2 and EPG-attached NGFW

Access Your Pod with RDP Session

Prep POD access and instructions:
• Open an RDP session (the proctor provides RDP access and credentials)
• Open your instructions PDF: http://cs.co/acisec-lab-guide
• Remember your POD number

Exercises in Detailed Lab Diagrams

Exercise 1: Application Profile before and after orchestration (rebuild-mypod.bash, plus later exercises). Contracts: out-to-web (ASA), web-to-app (ASA), app-to-db (FTD).

APIC/vCenter Login (pod# / cisco), CL18 Barcelona
pod1 to pod20: APIC 10.10.35.10, vCenter 10.10.35.120
pod21 to pod40: APIC 10.10.35.11, vCenter 10.10.35.125

ASA and Firepower NGFW in ACI (lab topology diagram)
• ASA5525 Dynamic EPG PBR: GoTo L3FW, Routed L3FW Context, One-Arm Mode
• ASA5525 Cluster: Routed L3FW Context, Dynamic Routing to vPC, GoTo Non-PBR
• External VRF: vrf(pod#)net
Click the Jumpbox icon to see the RDP menu.
Login info is shown under the RDP icon in the Topology tab of the labops portal.

Lab topology (from the diagram):
• Outside Network: Outside host 10.70.0.101; ASAv5 outside 10.70.0.1
• External VRF: L3out1 10.40.0.1 (ASA Failover 10.40.0.10), L3out2 10.60.0.1 (ASAv5 10.60.0.10), L3out3 10.50.0.1 (ASA Cluster 10.50.0.10)
• Internal VRF – pod(pod#)net: FTDv 10.1.0.1 and 10.2.0.1; BD3 pbr-bd with ASA context 10.3.0.1 and SVI 10.3.0.2
• FMC: https://10.0.0.30, login (aciadmin / cisco)
• out-to-web contract: Source 10.70.0.101, Destination 10.1.0.101
• NGFWv (FTDv) Routed Mode, GoTo Non-PBR; SVI/Subnet 10.1.0.2/24
• Web host IP 10.1.0.101/16, Web EPG, BD1 (web)
• web-to-app: Src 10.1.0.101, Dst 10.1.p#.102
• App host IP 10.1.pod#.102/16, App EPG, BD1 (web)
• app-to-db: Src 10.1.0.102, Dst 10.2.#.103
• DB host IP 10.2.0.103, DB EPG, BD2 (db)

Let’s Do Exercise 1 Together…

• Open Chrome and log into your APIC (pod# / cisco)
• Click Tenants and find your pod# Tenant
• Open another tab in Chrome and log into your FMC: https://10.0.0.30 (aciadmin / cisco)
• Go to System -> Licenses -> Smart Licenses
• Click on Evaluation (enable the 90-day eval)
• Open Superputty via the menu or desktop shortcut
• Go to the bottom-left api-client tab and run ./ftd-reg.pl
• This will register two FTDv instances on VMware with your FMCv
• Now we wait for FTDv to show up in FMC
Choose to use FTDv in HA or Standalone

• Standalone FTDv: takes about 1 min to deploy configuration from FMC
• FTDv HA pair: takes about 3 min to deploy configuration from FMC; building the HA pair will take about 5 min
• FTDv HA build details:
  • Go to Step 13 of Exercise 1 for details, or follow along
  • Gi0/0 is configured for the HA link and LAN
  • Use Primary IP 10.10.1.1 and Secondary IP 10.10.1.2
• Now we wait for FTDv to show up in FMC

Let’s Do Exercise 1 Together… (continued)

• In the APIC Tenant assigned to you, open L4-L7 Services
• Expand folder L4-L7 Devices
• Expand folder Function Profiles
• Expand L4-L7 Service Graphs
• In Superputty api-client run your Python scripts:
  cd demo/
  ./rebuild-mypod.bash
• Now press Enter at each step to run each Python script
• Watch your APIC folders reflect your script changes

Exercise 1 Firepower NGFWv HA in ACI

Step 1: Orchestrate FTDv config to secure App to DB communication. Diagram: python scripts on the api-client, FMC, FTDv HA pair between the External VRF and the Internal Tenant VRF, app-to-db Contract between App host (App EPG) and DB host (DB EPG).

FTDv Managed Service Graph – vNIC Pairs

• vNIC pairs app/db on VLAN 100, VLAN 200, VLAN 304, VLAN 305
• FTD Device Package in ACI: GoTo (Routed L3FW), GoThrough (Transparent L2FW, Inline NGIPS)
• FMC manages FTDv Policy
• APIC uses FMC APIs to define interfaces, VLANs, IPs, BVIs, inline pairs, etc.
• APIC tells vCenter to connect the graph vNICs: vNIC2 to the consumer SG portgroup, vNIC3 to the provider SG portgroup (FTDv on VMware)
• FMC Security Zones are defined by APIC and inserted in ACP rules, which the security admin can configure to carry the appropriate traffic controls and inspections (i.e. AMP)

Exercise 1 ASA HA Context in ACI

Step 2: Orchestrate ASA config to secure Web to App communication. Diagram: python scripts on the api-client, ASA Context on the HA pair between the Internal Tenant VRF and the External VRF, web-to-app Contract between Web host (Web EPG) and App host (App EPG).

Managed APIC 2.0 PBR Service Graph to a Single Interface L3FW ASA

• ASA Context 10.3.0.1, default or static route to the SVI; custom MAC 5585.4100.9300
• N9k SVIs: BD_pbr 10.3.0.2
• The fabric directs traffic in and out of the same interface, using the managed ASA. Must enable this ASA feature: same-security intra-interface.
• We can script a custom MAC on ASA(v) and set that MAC on the PBR redirect.
• The PBR Service Graph redirects traffic between two EPGs within the same Bridge Domain (subnet). Select the type of traffic to redirect, versus which protocols not to redirect.
• One-arm graph: http and ssh (file copy) between EPG Web and EPG App in BD1. Protected Servers DHCP: 10.1.0.100 – 10.1.0.140.

Exercise 1 ASA Cluster Context in ACI

Step 3: Orchestrate ASA config and OSPF peers to secure campus to Web communication. Diagram: python scripts on the api-client, ASA Context on a Cluster between the Internal Tenant VRF and the External VRF, out-to-web Contract between Outside host (Campus Network) and Web host (Web EPG).
Contract out-to-web and ASA GoTo Service Graph

Diagram: ASA5525 Cluster, Routed L3FW Context, Dynamic Routing to vPC, GoTo Non-PBR. External VRF vrf(pod#)net with L3out1 10.40.0.1 (ASA Failover 10.40.0.10), L3out2 10.60.0.1 (ASAv5 10.60.0.10), L3out3 10.50.0.1 (ASA Cluster 10.50.0.10); ASAv5 outside 10.70.0.1, Outside host 10.70.0.101 on the Outside Network. Internal VRF – pod(pod#)net with SVI/Subnet 10.1.0.2/16, Web host IP 10.1.0.101/16 (Web EPG) and App host IP 10.1.pod#.102/16 (App EPG) in BD1 (web). out-to-web contract: Source 10.70.0.101, Destination 10.1.0.101.

Exercise 2 Contract app-to-db: FTDv GoTo Unmanaged Service Graph

NGFWv (FTDv) in Routed Mode, GoTo Non-PBR, in Internal VRF – pod(pod#)net; FTDv interfaces 10.1.0.1 and 10.2.0.1; SVI/Subnet 10.1.0.2/24. Python scripts on the api-client; FMC Service Manager, hybrid model. APIC will create service graph port-groups and assign them to Network Adapter 3 & 4. Hosts: Web host IP 10.1.0.101/16 (Web EPG) and App host IP 10.1.pod#.102/16 (App EPG) in BD1 (web); DB host IP 10.2.0.103 (DB EPG) in BD2 (db). app-to-db: Src 10.1.0.102, Dst 10.2.0.103.

Exercise 3 No Contract FTDv Routed EPG-attached Integration

NGFWv (FTDv) in Routed Mode with EPG-attached vNICs, in Internal VRF – pod(pod#)net; FTDv interfaces 10.1.0.1 and 10.2.0.1; SVI/Subnet 10.1.0.2/24. Python scripts on the api-client; FMC Service Manager. Network Adapter 5 & 6 are already statically assigned to the App and DB EPGs. Hosts and the app-to-db flow are the same as in Exercise 2.
Exercise 5 FMC to APIC Rapid Threat Containment (FMC Remediation Module for APIC)

Step 1: An infected end point (App1 in the App EPG) launches an attack, and NGFW(v), FirePOWER Services in ASA, or a FirePOWER appliance blocks the attack.
Step 2: An event is generated to FMC about the attack blocked from the infected host.
Step 3: The attack event is configured to trigger the remediation module for APIC, which quarantines the infected host using the APIC NB API.
Step 4: APIC quarantines the infected App1 workload into an isolated uSeg EPG.

See demo on http://cs.co/rtc-with-apic

Exercise 6 Attachment Notification on Service Graph Terminals

    P2-ASA5525-1/pod37# show object-group
    object-group network __$EPG$_pod37-wan-out-out-l3out3
     network-object 10.70.0.0 255.255.255.0
    object-group network __$EPG$_pod37-aprof-app
     network-object host 10.1.37.102
    object-group network __$EPG$_pod37-aprof-web
     network-object host 10.1.0.101

Diagram: outside 10.70.0.1, Outside host 10.70.0.101 on the Outside Network; SVI/Subnet 10.1.0.2/24; Web host IP 10.1.0.101/16 (Web EPG) and App host IP 10.1.37.102/16 (App EPG) in BD1 (web). out-to-web contract: Source 10.70.0.101, Destination 10.1.0.101.

Exercise 7 Study Mechanics and Benefits of PBR Service Graph

Diagram: ASA Context 10.3.0.1, default or static route to the SVI, custom MAC 5585.4100.9300; N9k SVIs BD_pbr 10.3.0.2; one-arm graph between EPG Web and EPG App in BD1 with http/ssh and icmp flows; Protected Servers DHCP: 10.1.0.100 – 10.1.0.140.
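As an added example (not from the lab guide or Cisco's scripts), the Python below parses "show object-group" output like the Exercise 6 listing above and checks that both endpoints of the out-to-web contract (10.70.0.101 to 10.1.0.101) fall inside an APIC-pushed __$EPG$_ group, which is what the Dynamic update to EPG feature is supposed to keep true as endpoints attach. The sample text and the function names are constructed here.

```python
import ipaddress
import re

# Constructed sample, modelled on the Exercise 6 "show object-group" output.
# The prompt line is included to show that non-matching lines are ignored.
SAMPLE_SHOW_OBJECT_GROUP = """\
P2-ASA5525-1/pod37# show object-group
object-group network __$EPG$_pod37-wan-out-out-l3out3
 network-object 10.70.0.0 255.255.255.0
object-group network __$EPG$_pod37-aprof-app
 network-object host 10.1.37.102
object-group network __$EPG$_pod37-aprof-web
 network-object host 10.1.0.101
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
GROUP_RE = re.compile(r"^object-group network (\S+)\s*$")
MEMBER_RE = re.compile(rf"^\s*network-object (?:host ({IPV4})|({IPV4}) ({IPV4}))\s*$")


def parse_object_groups(text):
    """Map group name -> list of ip_network from ASA 'show object-group' output.

    Handles the two member forms in the lab output: 'network-object host A.B.C.D'
    and 'network-object NETWORK MASK'. Prompts and other lines are ignored.
    """
    groups = {}
    current = None
    for line in text.splitlines():
        header = GROUP_RE.match(line)
        if header:
            current = header.group(1)
            groups.setdefault(current, [])
            continue
        member = MEMBER_RE.match(line)
        if member and current is not None:
            host, net, mask = member.groups()
            if host:
                groups[current].append(ipaddress.ip_network(host + "/32"))
            else:
                # ipaddress accepts dotted-decimal masks: "10.70.0.0/255.255.255.0"
                groups[current].append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return groups


def epg_groups_containing(groups, ip):
    """Names of APIC-pushed groups (prefix __$EPG$_) whose members contain ip."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in groups.items()
                  if name.startswith("__$EPG$_") and any(addr in n for n in nets))


def contract_endpoints_covered(groups, src, dst):
    """True only when both contract endpoints are inside some dynamic EPG group.

    False means the ASA's EPG object-groups do not (yet) list that endpoint, so a
    rule written against the EPG group would not match its traffic.
    """
    return bool(epg_groups_containing(groups, src)) and bool(epg_groups_containing(groups, dst))


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_SHOW_OBJECT_GROUP)
    for name, nets in g.items():
        print(name, [str(n) for n in nets])
    print(contract_endpoints_covered(g, "10.70.0.101", "10.1.0.101"))
```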
Thank you

Additional Resources

• List of ACI White Papers: https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-listing.html
• Service Graph design: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html
• ASAv PBR Service Graph: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/secure-data-center-solution/guide-c07-739765.html
• PBR Service Graph Designs: https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html
• Cisco Advanced Security in ACI Playlist: https://www.youtube.com/playlist?list=PLvnemMVdgW1s77HuPk04VWwP47Y8EvlQl
• GitHub python scripting for automation of ASA and FTD service graph with ACI: https://github.com/cisco-security

FTD 1.0.2 FI Device Package Posted

ASA PO & FI Device Package

FMC Remediation Module for ACI on Cisco.com