Deep Dive Lab on Cisco Firepower NGFW and ASA Integration in ACI

Goran Saradzic – Security TME Manager
Minako Higuchi – ACI TME

LTRSEC-3001

Lab Guide can be downloaded at http://cs.co/acisec-lab-guide


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space


cs.co/ciscolivebot#LTRSEC-3001


Programmatic Approach with Security

• Stand up defenses at the same time as applications – APIC Security Device Packages (Cisco Security Device Packages).

• Automate security policy updates with tighter integration between security appliances and APIC – Dynamic EPG updates to Rules/ACLs.

• Embrace a dynamic workload quarantine with programmable policy enforcement – Cisco FMC Remediation Package for APIC.


Agenda

• Introduction

• Work through Lab 1 together

• Run Labs 2-7 on your own

[Diagram: SECURITY – ASAv, NGIPSv, FTDv]


Cisco Firepower NGFW and ASA Integration in ACI

Lab Exercises:

1. Connect and run scripts to build out your Tenant with security services

2. Change FTDv service graph to unmanaged mode on app-to-db contract

3. Change FTDv to EPG-attached NGFW Service with no Contract

4. Apply malware protection to FTDv service graph on app-to-db contract

5. Run Rapid Threat Containment with APIC Firepower remediation package

6. Enable Dynamic update to EPG feature on out-to-web contract

7. Study the mechanics and benefits of the ASA PBR service graph


Physical Gear – Two Fabrics

[Diagram: Nexus9336PQ spine with 40G links to two Nexus9396PX leaves; 4x ASA5525 (ASA+SFR) and 2x FirePOWER7010 attached over 4x1G links; 2x UCS C220 M4L attached over 10G links; vCenter]

Fabric 1: pod1 to pod20 – APIC: 10.10.35.10, vCenter: 10.10.35.120

Fabric 2: pod21 to pod40 – APIC: 10.10.35.11, vCenter: 10.10.35.125


Orchestrate Cisco ASA and FTD in ACI Fabric

[Diagram, grouped by integration point:]

• ASA Device Package: ASA5585-X (EoS), ASA5500-X (divert to SFR), ASAv10 / ASAv30 / ASAv50, and FPR9300 / FPR4100 / FPR2100 running the ASA app.

• FTD Device Package: FPR9300, FPR4100, FPR2100 running the FTD app; NGFWv (virtual FTD).

• Firepower Management Console (FMC): automation and orchestration.

• FMC Remediation Module for ACI: react to detected threats in an automated fashion.


Cisco ASA and FTD Device Packages for ACI

Nexus9k Leafs/Spines – Shadow EPG VLANs, L3outs. APIC configures tenant networking and service graph parameters in the ACI fabric.

Cisco NGFW (FTD image):

• APIC configures via FMC (via FTD Device Package): interfaces, IP addresses, VLANs, inline IPS pairs, security zones.

• Security team configures via FMC: access & threat policies (URL filter, NGIPS, AMP, etc.).

ASA with FirePOWER Services:

• APIC configures on ASA (via ASA Device Package): interfaces, VLANs, IPs, static or dynamic routes; ACLs, inspections, HA, special features.

• Security team configures via FMC: ASA embedded FirePOWER Services – threat policies.

Legend: APIC added/validated config, versus config added manually via FMC outside of APIC control/visibility (e.g. adding a security zone to pre-defined rules under access & threat policies).


FTD Device Package for ACI

Nexus9k Leafs/Spines – Shadow EPG VLANs, L3outs. APIC configures the service graph in the ACI fabric.

• APIC configures via FMC on NGFW(v) (via FTD Device Package; hybrid – Device Manager): interfaces, VLANs, BVIs, inline pairs (cross-connects).

• Security team configures via FMC: threat defense policies – access control, URL filtering, geolocation features, etc.

Firepower NGFW 6.2 code posted on Cisco.com.

APIC configures in FMC:

• Interfaces and VLANs

• Routed, Transparent FW, NGIPS

• Create Security Zone

• Create/Update Policy & Rule

Security team updates FMC:

• Network Access Policy

• NGIPS, File, Geo-location

• Other items beyond APIC cfg


Cisco Security Devices in ACI Fabric (Reference)

Cisco L4-7 Device | Supported Platforms | Device Package | Device Version | L4-7 Insertion Mode | HA Mode
FTD on physical appliance | FPR9300, FPR4100, FPR2100, ASA5500-X | FTD_FI DP 1.0.2 (FTD DP 1.0.2 released!!!) | FMC/FTD 6.2.2, APIC 2.2.2e | Go-To (Routed, no L3out), Go-Through (L2FW, inline IPS) | HA (L3FW, L2FW, IPS) or Fail-to-Wire (IPS only)
FTDv virtual | VMware, KVM | FTD DP 1.0.2 released | | |
ASA physical appliance | FPR9300, FPR4100, ASA5585-X, ASA5500-X | DP 1.2.8 | 8.4+, 9.6+ (ASA app) | Go-To (Routed, L3out supported), Go-Through (L2FW) | ASA Active/Standby Failover, ASA Clustering (Active/Active)
ASAv virtual | ASAv5, v10, v30 on VMware, Hyper-V; KVM SR-IOV use as Phys.Dom | DP 1.2.7 | 9.4+ (SMART) | | ASAv Active/Standby Failover
FirePOWER physical appliance | FP71x0, FP71x5, FP70x0, FP8100, FP8300 | Unmanaged (DP in the plans) | | Go-To (Routed), Go-Through (inline IPS); PBR works with Routed | Fail-to-Wire for IPS
Firepower NGIPSv | VMware | N/A | | Go-Through (inline IPS) |


Cisco Security Device Insertion into ACI (Reference)

APIC Managed Service Graph

• ASA 1.2.8 Device Package: GoTo (L3FW), GoThrough (L2FW); ACL, DPI, Netflow, Syslogs, TrustSec; L3out dynamic routing (BGP/OSPF); NAT4/6, dynamic update EPG ACL; global service-policy; Active/Standby failover; divert to embedded Firepower.

• Firepower NGFW (FTD) 1.0.2 Device Manager Package: GoTo (L3FW), GoThrough (L2FW and inline NGIPS). APIC orchestrates data plane interfaces, creates security zones, and attaches to a pre-defined FMC policy. FMC controls policy on the FTD app, including AMP, URL filter, Sandbox, etc.

APIC Unmanaged Service Graph

• APIC orchestrates the service graph on Nexus leaf switches. Security devices (ASA, FirePOWER, or Firepower NGFW (FTD)) are managed using CLI, REST-API, or purpose-built management tools (ASDM, CSM, FMC), and we now match settings on the unmanaged service graph (plug into configured ports, and match interface static/dynamic VLANs).

• Run any ASA or Fire(power) platform, code, and features.

• Partial orchestration: APIC controls networking and policy on fabric leaf switches but not on the L4-L7 devices.

[Diagram labels: NGFWv, ASAv, ASA app, FTD app]


Cisco Security Device Integration in LTRSEC-3001

APIC Managed Service Graph

• ASA 1.2 Device Package: Exercise 1 – ASA5525-X, 2x Go-To service graphs (PBR failover & L3out cluster). Exercise 6 – ASA5525-X, dynamic update on Web/App. Exercise 7 – PBR, study PBR contracts/graph.

• FTD 1.0.2 Device Manager Package: Exercise 1 – FTD 6.2.2 Go-To service graph, access control policy on FMC. Exercises 4, 5 – FMC, add malware block policy, then add APIC remediation instance & quarantine.

APIC Unmanaged Service Graph

• Exercise 2 – FTD 6.2.2 unmanaged service graph. Run any ASA, FTD, or Fire(power) platform, code, and features.

APIC EPG-attached Services

• Exercise 3 – FTD 6.2.2 and EPG-attached NGFW. Run any ASA, FTD, or Fire(power) platform, code, and features.

Lab Guide can be downloaded at http://cs.co/acisec-lab-guide


Access Your Pod with RDP Session


POD Access and Instructions

Prep: the proctor provides RDP access and credentials.

Open the RDP session.

Remember your POD number.

Open your instructions PDF: http://cs.co/acisec-lab-guide


Exercises in Detailed Lab Diagrams


Application Profile Before and After Orchestration (Exercise 1)

rebuild-mypod.bash + later exercises

Contracts: out-to-web (ASA), web-to-app (ASA), app-to-db (FTD)


ASA and Firepower NGFW in ACI (CL18 Barcelona)

[Topology diagram: outside network in external VRF vrf(pod#)net; internal VRF pod(pod#)net with Web EPG, App EPG and DB EPG; Web host 10.1.0.101/16, App host 10.1.pod#.102/16, DB host 10.2.0.103, outside host 10.70.0.101 (10.70.0.1); BD1 (web) with SVI/subnet 10.1.0.2/24 and 10.1.0.1, BD2 (db) 10.2.0.1, BD3, pbr-bd 10.3.0.1 / 10.3.0.2; L3out1, L3out2, L3out3 with addresses 10.40.0.1 / 10.40.0.10, 10.50.0.1 / 10.50.0.10, 10.60.0.1 / 10.60.0.10; ASAv5 outside; ASA5525 cluster – routed L3FW context, dynamic routing to vPC, GoTo non-PBR; ASA5525 dynamic EPG – PBR GoTo L3FW, routed L3FW context, one-arm mode, ASA failover; NGFWv (FTDv) – routed mode, GoTo non-PBR]

Contracts: out-to-web (source 10.70.0.101, destination 10.1.0.101); web-to-app (src 10.1.0.101, dst 10.1.p#.102); app-to-db (src 10.1.0.102, dst 10.2.#.103)

Click the Jumpbox icon to see the RDP menu. Login info is shown under the RDP icon in the Topology tab of the labops portal.

FMC: https://10.0.0.30 (login: aciadmin / cisco)

pod1 to pod20: APIC: 10.10.35.10, vCenter: 10.10.35.120

pod21 to pod40: APIC: 10.10.35.11, vCenter: 10.10.35.125

APIC/vCenter Login: (pod# / cisco)


Let’s Do Exercise 1 Together…

• Open Chrome and log into your APIC (pod# / cisco)

• Click Tenants and find your pod# Tenant

• Open another tab in Chrome and log into your FMC
  • https://10.0.0.30 (aciadmin / cisco)
  • Go to System -> Licenses -> Smart Licenses
  • Click on Evaluation (enable 90-day eval)

• Open Superputty via menu or desktop shortcut
  • Go to the bottom-left api-client tab and run ./ftd-reg.pl
  • This will register two FTDv instances on VMware with your FMCv

• Now we wait for FTDv to show up in FMC


Choose to use FTDv in HA or Standalone

• Standalone FTDv
  • Takes about 1 min to deploy configuration from FMC

• FTDv HA pair
  • Takes about 3 min to deploy configuration from FMC
  • Building the HA pair will take about 5 min

• FTDv HA Build Details
  • Go to Step 13 of Exercise 1 for details or follow me along
  • Gi0/0 is configured for the HA link and lan
  • Use Primary IP 10.10.1.1 and Secondary IP 10.10.1.2

• Now we wait for FTDv to show up in FMC


Let’s Do Exercise 1 Together… (continued)

• In the APIC Tenant assigned to you, open L4-L7 Services
  • Expand folder L4-L7 Devices
  • Expand folder Function Profiles
  • Expand L4-L7 Service Graphs

• In Superputty api-client run your python script
  • cd demo/
  • ./rebuild-mypod.bash
  • Now press Enter at each step to run each python script

• Watch your APIC folders reflect your script changes


Firepower NGFWv HA in ACI (Exercise 1, Step 1)

Orchestrate FTDv config to secure App-to-DB communication.

[Diagram: external VRF and internal tenant VRF; App EPG (App host) and DB EPG (DB host) joined by the app-to-db contract; FTDv HA pair managed by FMC; api-client runs the python scripts]


FTD Device Package in ACI

• GoTo (Routed L3FW); GoThrough (Transparent L2FW, inline NGIPS)

• FMC manages FTDv policy

• APIC uses FMC APIs to define interfaces, VLANs, IPs, BVIs, inline pairs, etc.

• APIC tells vCenter to connect the graph vNICs

FTDv Managed Service Graph – vNIC Pairs

[Diagram: FTDv on VMware with vNIC2 and vNIC3 connected through vCenter to the consumer SG port group (app side) and the provider SG port group (db side); VLANs 100, 200, 304 and 305 shown on the port groups]

FMC security zones are defined by APIC and inserted in ACP rules, which the security admin can configure to carry the appropriate traffic controls and inspections (e.g. AMP).


ASA HA Context in ACI (Exercise 1, Step 2)

Orchestrate ASA config to secure Web-to-App communication.

[Diagram: external VRF and internal tenant VRF; Web EPG (Web host) and App EPG (App host) joined by the web-to-app contract; ASA context on an HA pair; api-client runs the python scripts]


PBR Service Graph to a Single Interface L3FW ASA (One-arm Graph, Managed; APIC 2.0)

[Diagram: protected servers in EPG Web and EPG App on BD1 (DHCP: 10.1.0.100 – 10.1.0.140); N9k SVIs; BD_pbr with SVI 10.3.0.2; ASA context interface 10.3.0.1 with a default or static route to the SVI and custom MAC 5585.4100.9300; redirected traffic: http, ssh (file copy)]

The fabric directs traffic in and out of the same ASA interface, using a managed ASA. This requires enabling the ASA same-security intra-interface feature (same-security-traffic permit intra-interface).

We can script a custom MAC on the ASA(v) and set that MAC on the PBR redirect.

A PBR service graph redirects traffic between two EPGs within the same bridge domain (subnet). Select the type of traffic to redirect, versus which protocols not to redirect.


ASA Cluster Context in ACI (Exercise 1, Step 3)

Orchestrate ASA config and OSPF peers to secure campus-to-Web communication.

[Diagram: campus network and outside host in the external VRF; Web EPG (Web host) in the internal tenant VRF; out-to-web contract; ASA context on a cluster; api-client runs the python scripts]


Contract out-to-web and ASA GoTo Service Graph

[Diagram: outside network in external VRF vrf(pod#)net; internal VRF pod(pod#)net with Web EPG (Web host 10.1.0.101/16) and App EPG (App host 10.1.pod#.102/16); outside host 10.70.0.101, 10.70.0.1; BD1 (web) SVI/subnet 10.1.0.2/16; L3out1, L3out2, L3out3 with addresses 10.40.0.1 / 10.40.0.10, 10.50.0.1 / 10.50.0.10, 10.60.0.1 / 10.60.0.10; ASAv5 outside; ASA5525 cluster – routed L3FW context, dynamic routing to vPC, GoTo non-PBR]

out-to-web contract: source 10.70.0.101, destination 10.1.0.101


Contract app-to-db: FTDv GoTo Unmanaged Service Graph (Exercise 2)

[Diagram: internal VRF pod(pod#)net with Web EPG (Web host 10.1.0.101/16), App EPG (App host 10.1.pod#.102/16) and DB EPG (DB host 10.2.0.103); BD1 (web) SVI/subnet 10.1.0.2/24, 10.1.0.1; BD2 (db) 10.2.0.1; NGFWv (FTDv) in routed mode, GoTo non-PBR; FMC as service manager (hybrid model); api-client runs the python scripts]

app-to-db contract: src 10.1.0.102, dst 10.2.0.103

APIC will create the service graph port-groups and assign them to Network Adapter 3 & 4.


No Contract: FTDv Routed EPG-attached Integration (Exercise 3)

[Diagram: internal VRF pod(pod#)net with Web EPG (Web host 10.1.0.101/16), App EPG (App host 10.1.pod#.102/16) and DB EPG (DB host 10.2.0.103); BD1 (web) SVI/subnet 10.1.0.2/24, 10.1.0.1; BD2 (db) 10.2.0.1; NGFWv (FTDv) in routed mode with EPG-attached vNICs; FMC as service manager; api-client runs the python scripts]

app-to-db traffic: src 10.1.0.102, dst 10.2.0.103

Network Adapter 5 & 6 are already statically assigned to the App and DB EPGs.


FMC to APIC Rapid Threat Containment – FMC Remediation Module for APIC (Exercise 5)

[Diagram: ACI fabric with App EPG (infected App1, App2) and DB EPG; FMC; steps 1-4 as numbered below]

Step 1: An infected endpoint launches an attack, which NGFW(v), FirePOWER Services in ASA, or a FirePOWER appliance blocks.

Step 2: An event about the attack blocked from the infected host is generated to FMC.

Step 3: The attack event is configured to trigger the remediation module for APIC, which quarantines the infected host using the APIC northbound (NB) API.

Step 4: APIC quarantines the infected App1 workload into an isolated uSeg EPG.

See demo on http://cs.co/rtc-with-apic


Attachment Notification on Service Graph Terminals (Exercise 6)

P2-ASA5525-1/pod37# show object-group
object-group network __$EPG$_pod37-wan-out-out-l3out3
network-object 10.70.0.0 255.255.255.0
object-group network __$EPG$_pod37-aprof-app
network-object host 10.1.37.102
object-group network __$EPG$_pod37-aprof-web
network-object host 10.1.0.101

[Diagram: outside network, Web EPG and App EPG; outside host 10.70.0.101 (10.70.0.1); Web host 10.1.0.101/16; App host 10.1.37.102/16; BD1 (web) SVI/subnet 10.1.0.2/24]

out-to-web contract: source 10.70.0.101, destination 10.1.0.101
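As an added example (not part of the lab or of Cisco's scripts), a Python check that parses output of this shape and compares the APIC-pushed EPG object-groups on the ASA against the endpoints the fabric should have reported, so a stale host that left its EPG but is still permitted by the dynamic ACL shows up as a finding. The sample output is constructed from the slide, and the __$EPG$_<tenant>-<epg> group naming is assumed from it.

```python
import ipaddress
import re

# Constructed sample, modelled on the "show object-group" output on the slide
# (pod37). APIC pushes one network object-group per EPG attached to a service
# graph terminal, named with the __$EPG$_<tenant>-<epg> convention seen there
# (assumed from the slide; verify against your own ASA).
SAMPLE_OUTPUT = """\
P2-ASA5525-1/pod37# show object-group
object-group network __$EPG$_pod37-wan-out-out-l3out3
 network-object 10.70.0.0 255.255.255.0
object-group network __$EPG$_pod37-aprof-app
 network-object host 10.1.37.102
object-group network __$EPG$_pod37-aprof-web
 network-object host 10.1.0.101
"""

EPG_GROUP_PREFIX = "__$EPG$_"
GROUP_RE = re.compile(r"^object-group network (\S+)\s*$")
MEMBER_RE = re.compile(r"^\s*network-object (?:host (\S+)|(\S+) (\S+))\s*$")


def parse_object_groups(text):
    """Map each APIC-pushed EPG object-group to the set of ip_network members.

    Non-EPG groups are ignored; 'network-object object <name>' and
    'group-object' references are skipped because they carry no addresses."""
    groups = {}
    current = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            name = m.group(1)
            current = name if name.startswith(EPG_GROUP_PREFIX) else None
            if current is not None:
                groups.setdefault(current, set())
            continue
        m = MEMBER_RE.match(line)
        if not m or current is None:
            continue
        host, net, mask = m.groups()
        if host:
            groups[current].add(ipaddress.ip_network(host))
        elif net != "object":
            # Subnet + dotted mask becomes CIDR, so it compares equal to
            # the expected "10.70.0.0/24" form.
            groups[current].add(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return groups


def epg_name(group):
    """'__$EPG$_pod37-aprof-web' -> 'aprof-web' (drops the prefix and pod tenant)."""
    short = group[len(EPG_GROUP_PREFIX):]
    return short.split("-", 1)[1] if "-" in short else short


def audit_epg_groups(text, expected):
    """Diff the ASA's EPG object-groups against the endpoints APIC should have
    reported, e.g. expected = {"aprof-web": {"10.1.0.101"}, ...}.

    Returns findings; every entry is empty when the ASA matches APIC. A
    non-empty 'stale_members' means an endpoint that left its EPG is still
    permitted by the dynamically updated ACL."""
    actual = {epg_name(g): m for g, m in parse_object_groups(text).items()}
    want = {epg: {ipaddress.ip_network(x) for x in nets}
            for epg, nets in expected.items()}
    findings = {
        "missing_groups": want.keys() - actual.keys(),
        "unexpected_groups": actual.keys() - want.keys(),
        "missing_members": {}, "stale_members": {},
    }
    for epg in want.keys() & actual.keys():
        if want[epg] - actual[epg]:
            findings["missing_members"][epg] = want[epg] - actual[epg]
        if actual[epg] - want[epg]:
            findings["stale_members"][epg] = actual[epg] - want[epg]
    return findings


def is_clean(findings):
    """True when no finding category has content."""
    return not any(findings.values())


if __name__ == "__main__":
    expected = {"wan-out-out-l3out3": {"10.70.0.0/24"},
                "aprof-app": {"10.1.37.102"}, "aprof-web": {"10.1.0.101"}}
    print(audit_epg_groups(SAMPLE_OUTPUT, expected))
```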


Study Mechanics and Benefits of PBR Service Graph (Exercise 7)

[Diagram: one-arm graph; protected servers in EPG Web and EPG App on BD1 (DHCP: 10.1.0.100 – 10.1.0.140); N9k SVIs; BD_pbr with SVI 10.3.0.2; ASA context interface 10.3.0.1 with a default or static route to the SVI and custom MAC 5585.4100.9300; traffic labels: http/ssh, icmp]


Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.


Continue Your Education

• Demos in the WoS – Visit Security Booths

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you


Additional Resources

List of ACI White Papers - https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-listing.html

Service Graph design - https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html

ASAv PBR Service Graph - https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/secure-data-center-solution/guide-c07-739765.html

PBR Service Graph Designs - https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

Cisco Advanced Security in ACI Playlist - https://www.youtube.com/playlist?list=PLvnemMVdgW1s77HuPk04VWwP47Y8EvlQl

GitHub python scripting for automation of ASA and FTD service graph with ACI - https://github.com/cisco-security


FTD 1.0.2 FI Device Package Posted


ASA PO & FI Device Package


FMC Remediation Module for ACI on Cisco.com
