Cisco Firepower Threat Defense Quick Start Guide for APIC Integration, 1.0.2
First Published: 2017-09-26
Last Modified: 2017-11-17

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2017 Cisco Systems, Inc. All rights reserved.

CHAPTER 1
Introduction

• Overview
• Prerequisites
• Related Documentation

Overview

The Cisco Application Policy Infrastructure Controller (APIC) is a single point of control for centralized functions on the Cisco Application Centric Infrastructure (ACI). The APIC can automate the insertion of services such as a Cisco Firepower Threat Defense (FTD) northbound between applications, also called endpoint groups (EPGs). The APIC uses northbound Application Programming Interfaces (APIs) for configuring the network and services. You use these APIs to create, delete, and modify a configuration using managed objects.

To configure and monitor service devices, the APIC requires a device package. A device package manages a class of service device and provides the APIC with information about the device so that the APIC knows what the device can do. By using a device package, you can insert and configure network service functions on a service device such as an FTD appliance.

The FTD Fabric Insertion (FI) Device Package is based on a hybrid model (Service Manager, in ACI terminology) where the responsibility of the full-device configuration is shared between security and network administrators:

• Security administrator. Uses the FMC to pre-define a security policy for the new service graph, leaving Security Zone criteria unset. The new policy rule(s) defines appropriate access (allowed protocols) and an advanced set of protections such as NGIPS and malware policy, URL filtering, Threat Grid, and more.
• Network administrator. Uses the APIC to orchestrate a service graph, insert an FTD device into the ACI fabric, and attach directed traffic to this pre-defined security policy. Inside the APIC's L4-L7 Device Parameters or Function profile, the network administrator sets parameters defined in this guide, including matching a pre-defined FMC Access Control Policy and Rule(s).

When the APIC matches the name of the Access Control Policy Rule in the FMC, it simply inserts newly created security zones into the rule(s). If a rule is not found, the APIC creates a new rule by that name, attaches security zones to it, and sets the Action to Deny. This forces the security administrator to update the new Rule(s) criteria and appropriate set of protections before traffic can be allowed for a given service graph.

This document describes how to integrate FTD with the ACI and configure the APIC to utilize capabilities of the FTD:

• Enable the REST API in the Firepower Management Center (FMC)
• Download the FTD for ACI device package software from CCO
• Import the FTD for ACI device package into the APIC
• Register the FTD appliance
• Define a network service graph that utilizes the FTD appliance

Note
The screenshots of the examples used in this document show a pre-existing tenant named SampleTenant. When following the steps in this guide and using provided templates, use the actual name of your tenant.

Service Function Insertion

When a service function is inserted in the service graph between applications, traffic from these applications is classified by the APIC and identified using a tag in the overlay network. Service functions use the tag to apply policies to the traffic. For the FTD integration with the APIC, the service function forwards traffic using either routed, transparent, or inline firewall operation.

Available APIC Products

The initial software release contains the Cisco FTD Device Package Fabric Insertion software for ACI.

Prerequisites

• FMC version 6.2.2 is required, as it includes REST API support for FTD.
• FTD version 6.2.2 is required.
• APIC version 2.3(1f) is required, as its Device Manager is used to register a device. The FTD device package uses the Device Manager to allow the network portion of the FMC configuration to be instantiated by the APIC.
• Ensure that the FTD appliance you are trying to insert and configure as a network service is bootstrapped with a base configuration and registered with the FMC. For example, check the Device Management page in the FMC for the FTD:
• To avoid REST API token generation race conditions, create an FMC administrator dedicated for use on the ACI. For example:
• To avoid both deployment failure and a gap in time between the servers, configure the APIC and FMC to use the same Network Time Protocol (NTP) server. With FTD on the Firepower 41xx and 93xx Series appliance, the Chassis Manager must also be configured.
  ◦ In the APIC, navigate to Fabric > Fabric Policies > Pod Policies > Policies > Date and Time. Use the Create Date and Time Policy Wizard to configure the same NTP server:
  ◦ In the FMC, navigate to System > Configuration > Time Synchronization and configure the same NTP server:
  ◦ In the Chassis Manager of the Firepower 41xx and 93xx series appliance, navigate to Platform Settings > NTP > Time Synchronization and add the same NTP server:

Note
If you try to create a configuration that is not supported on your current FMC or FTD version, an error similar to the following may appear on the APIC: "Major script error: Configuration error: …. ERROR: % Invalid input detected at '^' marker."

Related Documentation

• Cisco Application Centric Infrastructure Fundamentals
• Cisco APIC Layer 4 to Layer 7 Services Deployment Guide
• Cisco Firepower Threat Defense NGFW
• Cisco Firepower Management Center

CHAPTER 2
Install

• Validate that the FMC REST API is Enabled
• Import the Device Package

Validate that the FMC REST API is Enabled

The APIC uses a REST API to connect with Firepower devices. By default, the REST API is enabled. Before the APIC can set up and manage any Firepower device, ensure that the FMC REST API is enabled by completing the following steps:

Before You Begin
The FMC must be running version 6.2.0 or newer.

Note
The REST API is already packaged with the FMC software; there is no license required.

Step 1 Sign in to the FMC using your administrator credentials.
Step 2 Navigate to System > Configuration > REST API Preferences.
Step 3 If the Enable REST API check box is not already selected, check the box and click Save.

What to Do Next
Once the REST API is enabled, the FMC is ready to support the FTD for ACI device package. Create an account other than admin to use with the APIC.

Import the Device Package

The APIC requires a device package in order to configure and monitor a service device. Import the FTD for ACI device package into the APIC so that the APIC knows you have an FTD appliance and what the FTD appliance can do.

Step 1 Download the device package from http://www.cisco.com/go/software and save it onto your local drive.
Note
The device package is downloaded as a .zip file. Do not unzip the file.
Step 2 Sign in to the APIC as the provider administrator.
Step 3 On the menu bar, click L4-L7 Services.
Step 4 On the submenu bar, click Packages.
Step 5 In the navigation pane, click L4-L7 Service Device Types.
Step 6 Select Actions > Import Device Package.
Step 7 In the File Name field, specify the device package that you downloaded in Step 1, and click Submit.
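The Install chapter's REST API check and the Overview's rule-matching behaviour (a rule name that the APIC cannot find in the FMC is created with its Action set to Deny) can both be turned into a pre-flight script run before the service graph is pushed. The Python below is an added example and is not Cisco's code or part of this guide. The FMC REST API paths it calls (the generatetoken endpoint, the accesspolicies and accessrules listings), the X-auth-access-token and DOMAIN_UUID response headers, and the JSON field names (items, name, sourceZones, destinationZones) are my assumptions about the FMC 6.2 API and should be checked against your FMC's API Explorer; the policy and rule names, the token and the sample responses are constructed for the example, so the offline part runs without an FMC.

```python
"""Pre-flight checks before APIC service-graph insertion (added example, not Cisco's code)."""
import base64
import json
import ssl
import urllib.request

# FMC REST API paths as I assume them; verify against your FMC's API Explorer.
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
POLICIES_PATH = "/api/fmc_config/v1/domain/{domain}/policy/accesspolicies?limit=1000"
RULES_PATH = ("/api/fmc_config/v1/domain/{domain}/policy/accesspolicies/"
              "{policy_id}/accessrules?expanded=true&limit=1000")


def parse_token_headers(headers):
    """Pull the session token and domain UUID out of a generatetoken response.

    No X-auth-access-token means the REST API is disabled, the credentials are
    wrong, or the account is not an FMC user; in every case the APIC will not be
    able to manage the FTD, so stop here rather than continue.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("x-auth-access-token")
    if not token:
        raise RuntimeError("no X-auth-access-token: REST API disabled or bad credentials")
    return {"token": token, "domain_uuid": lowered.get("domain_uuid")}


def find_by_name(listing, name):
    """Return the entry with the given name from an FMC list response, or None."""
    return next((i for i in listing.get("items", []) if i.get("name") == name), None)


def classify_rule(rules_listing, rule_name):
    """Predict how the APIC will treat the rule named in the L4-L7 function profile.

    "missing"      : no such rule, so the APIC creates it with Action = Deny and
                     the security administrator must fix it before traffic flows
    "zones-preset" : rule exists but already carries security zones, which the
                     guide asks the security administrator to leave unset
    "ready"        : rule exists with zone criteria unset, as the guide requires
    """
    rule = find_by_name(rules_listing, rule_name)
    if rule is None:
        return "missing"
    if rule.get("sourceZones") or rule.get("destinationZones"):
        return "zones-preset"
    return "ready"


def _request(host, path, method="GET", headers=None, cafile=None):
    """HTTPS call to the FMC with certificate verification left on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}{path}", method=method, headers=headers or {})
    with urllib.request.urlopen(req, context=ctx) as resp:
        body = resp.read()
        return dict(resp.headers.items()), (json.loads(body) if body else {})


def get_token(host, user, password, cafile=None):
    """Request a session token with HTTP Basic auth (assumed generatetoken behaviour)."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers, _ = _request(host, TOKEN_PATH, "POST", {"Authorization": f"Basic {creds}"}, cafile)
    return parse_token_headers(headers)


def preflight(host, user, password, policy_name, rule_name, cafile=None):
    """Live check: token first (proves the REST API is enabled), then the rule lookup."""
    session = get_token(host, user, password, cafile)
    auth = {"X-auth-access-token": session["token"]}
    domain = session["domain_uuid"]
    _, policies = _request(host, POLICIES_PATH.format(domain=domain), headers=auth, cafile=cafile)
    policy = find_by_name(policies, policy_name)
    if policy is None:
        return "policy-missing"
    path = RULES_PATH.format(domain=domain, policy_id=policy["id"])
    _, rules = _request(host, path, headers=auth, cafile=cafile)
    return classify_rule(rules, rule_name)


# Constructed sample responses, shaped like the FMC replies I assume above.
SAMPLE_TOKEN_HEADERS = {"X-auth-access-token": "constructed-token",
                        "DOMAIN_UUID": "00000000-0000-0000-0000-000000000001"}
SAMPLE_RULES = {"items": [
    {"name": "Web-to-DB", "type": "AccessRule", "action": "ALLOW"},
    {"name": "Legacy", "type": "AccessRule", "action": "ALLOW",
     "sourceZones": {"objects": [{"name": "inside", "type": "SecurityZone"}]}},
]}


def demo():
    """Run the offline checks against the constructed samples."""
    session = parse_token_headers(SAMPLE_TOKEN_HEADERS)
    return {
        "domain": session["domain_uuid"],
        "Web-to-DB": classify_rule(SAMPLE_RULES, "Web-to-DB"),
        "Legacy": classify_rule(SAMPLE_RULES, "Legacy"),
        "Not-Yet-Created": classify_rule(SAMPLE_RULES, "Not-Yet-Created"),
    }


if __name__ == "__main__":
    print(demo())
```

Run preflight() with the dedicated FMC account the Prerequisites ask you to create, not the admin account; a "missing" result tells the network administrator that the security administrator has not yet pre-defined the rule, which is exactly the situation in which the APIC would insert a Deny rule and block the service graph's traffic.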