Cisco Firepower Threat Defense Quick Start Guide for APIC Integration, 1.0.2 PDF

36 Pages·2017·3.2 MB·English

Cisco Firepower Threat Defense Quick Start Guide for APIC Integration, 1.0.2
First Published: 2017-09-26
Last Modified: 2017-11-17

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2017 Cisco Systems, Inc. All rights reserved.

CHAPTER 1
Introduction
• Overview, page 1
• Prerequisites, page 3
• Related Documentation, page 5

Overview

The Cisco Application Policy Infrastructure Controller (APIC) is a single point of control for centralized functions on the Cisco Application Centric Infrastructure (ACI). The APIC can automate the insertion of services such as a Cisco Firepower Threat Defense (FTD) northbound between applications, also called endpoint groups (EPGs). The APIC uses northbound Application Programming Interfaces (APIs) for configuring the network and services. You use these APIs to create, delete, and modify a configuration using managed objects.

To configure and monitor service devices, the APIC requires a device package. A device package manages a class of service device and provides the APIC with information about the device so that the APIC knows what the device can do. By using a device package, you can insert and configure network service functions on a service device such as an FTD appliance.

The FTD Fabric Insertion (FI) Device Package is based on a hybrid model (Service Manager, in ACI terminology) where the responsibility of the full-device configuration is shared between security and network administrators:

• Security administrator. Uses the FMC to pre-define a security policy for the new service graph, leaving Security Zone criteria unset. The new policy rule(s) defines appropriate access (allowed protocols) and an advanced set of protections such as NGIPS and malware policy, URL filtering, Threat Grid, and more.
• Network administrator. Uses the APIC to orchestrate a service graph, insert an FTD device into the ACI fabric, and attach directed traffic to this pre-defined security policy. Inside the APIC's L4-L7 Device Parameters or Function profile, the network administrator sets parameters defined in this guide, including matching a pre-defined FMC Access Control Policy and Rule(s).

When the APIC matches the name of the Access Control Policy Rule in the FMC, it simply inserts newly created security zones into the rule(s). If a rule is not found, the APIC creates a new rule by that name, attaches security zones to it, and sets the Action to Deny. This forces the security administrator to update the new Rule(s) criteria and appropriate set of protections before traffic can be allowed for a given service graph.

This document describes how to integrate FTD with the ACI and configure the APIC to utilize capabilities of the FTD:

• Enable the REST API in the Firepower Management Center (FMC)
• Download the FTD for ACI device package software from CCO
• Import the FTD for ACI device package into the APIC
• Register the FTD appliance
• Define a network service graph that utilizes the FTD appliance

Note: The screenshots of the examples used in this document show a pre-existing tenant named SampleTenant. When following the steps in this guide and using provided templates, use the actual name of your tenant.

Service Function Insertion

When a service function is inserted in the service graph between applications, traffic from these applications is classified by the APIC and identified using a tag in the overlay network. Service functions use the tag to apply policies to the traffic. For the FTD integration with the APIC, the service function forwards traffic using either routed, transparent, or inline firewall operation.

Available APIC Products

The initial software release contains the Cisco FTD Device Package Fabric Insertion software for ACI.

Prerequisites

• FMC version 6.2.2 is required, as it includes REST API support for FTD.
• FTD version 6.2.2 is required.
• APIC version 2.3(1f) is required, as its Device Manager is used to register a device. The FTD device package uses the Device Manager to allow the network portion of the FMC configuration to be instantiated by the APIC.
• Ensure that the FTD appliance you are trying to insert and configure as a network service is bootstrapped with a base configuration and registered with the FMC. For example, check the Device Management page in the FMC for the FTD:
• To avoid REST API token generation race conditions, create an FMC administrator dedicated for use on the ACI. For example:
• To avoid both deployment failure and a gap in time between the servers, configure the APIC and FMC to use the same Network Time Protocol (NTP) server. With FTD on the Firepower 41xx and 93xx Series appliance, the Chassis Manager must also be configured.
  ◦ In the APIC, navigate to Fabric > Fabric Policies > Pod Policies > Policies > Date and Time. Use the Create Date and Time Policy Wizard to configure the same NTP server:
  ◦ In the FMC, navigate to System > Configuration > Time Synchronization and configure the same NTP server:
  ◦ In the Chassis Manager of the Firepower 41xx and 93xx series appliance, navigate to Platform Settings > NTP > Time Synchronization and add the same NTP server:

Note: If you try to create a configuration that is not supported on your current FMC or FTD version, an error similar to the following may appear on the APIC: "Major script error: Configuration error: …. ERROR: % Invalid input detected at '^' marker."
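The rule-matching behaviour described in the Overview (zones attached to a matching pre-defined rule, otherwise a new rule created with Action set to Deny), as an added Python model; this is not Cisco's device package code, and the policy, rule and zone names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified model of the FMC objects the guide refers to.
@dataclass
class AccessRule:
    name: str
    action: str                       # "ALLOW" or "DENY"
    source_zones: set = field(default_factory=set)
    dest_zones: set = field(default_factory=set)
    created_by_apic: bool = False

@dataclass
class AccessControlPolicy:
    name: str
    rules: dict = field(default_factory=dict)   # rule name -> AccessRule

def attach_service_graph_zones(policy, rule_name, src_zone, dst_zone):
    """Attach the security zones created for a service graph to the named rule.

    If the rule pre-defined by the security administrator exists, only its
    zone criteria change; its action and protections are left untouched.
    If it does not exist, a rule of that name is created with Action = DENY,
    so traffic stays blocked until the security administrator reviews it.
    """
    rule = policy.rules.get(rule_name)
    if rule is None:
        rule = AccessRule(name=rule_name, action="DENY", created_by_apic=True)
        policy.rules[rule_name] = rule
    rule.source_zones.add(src_zone)
    rule.dest_zones.add(dst_zone)
    return rule

def rules_needing_review(policy):
    """Placeholder rules the APIC created; each still denies all traffic."""
    return sorted(r.name for r in policy.rules.values()
                  if r.created_by_apic and r.action == "DENY")

def sample_policy():
    """Constructed sample: one pre-defined ALLOW rule with zones left unset."""
    policy = AccessControlPolicy(name="ACI-Sample-ACP")
    policy.rules["Web-to-App"] = AccessRule(name="Web-to-App", action="ALLOW")
    return policy

if __name__ == "__main__":
    acp = sample_policy()
    attach_service_graph_zones(acp, "Web-to-App", "Web-ext", "Web-int")  # matched
    attach_service_graph_zones(acp, "DB-to-App", "DB-ext", "DB-int")     # not found
    print(rules_needing_review(acp))   # ['DB-to-App']
```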
Related Documentation

• Cisco Application Centric Infrastructure Fundamentals
• Cisco APIC Layer 4 to Layer 7 Services Deployment Guide
• Cisco Firepower Threat Defense NGFW
• Cisco Firepower Management Center

CHAPTER 2
Install
• Validate that the FMC REST API is Enabled, page 7
• Import the Device Package, page 8

Validate that the FMC REST API is Enabled

The APIC uses a REST API to connect with Firepower devices. By default, the REST API is enabled. Before the APIC can set up and manage any Firepower device, ensure that the FMC REST API is enabled by completing the following steps:

Before You Begin
The FMC must be running version 6.2.0 or newer.

Note: The REST API is already packaged with the FMC software; there is no license required.

Step 1 Sign in to the FMC using your administrator credentials.
Step 2 Navigate to System > Configuration > REST API Preferences.
Step 3 If the Enable REST API check box is not already selected, check the box and click Save.

What to Do Next
Once the REST API is enabled, the FMC is ready to support the FTD for ACI device package. Create an account other than admin to use with the APIC.

Import the Device Package

The APIC requires a device package in order to configure and monitor a service device. Import the FTD for ACI device package into the APIC so that the APIC knows you have an FTD appliance and what the FTD appliance can do.

Step 1 Download the device package from http://www.cisco.com/go/software and save it onto your local drive.
Note: The device package is downloaded as a .zip file. Do not unzip the file.
Step 2 Sign in to the APIC as the provider administrator.
Step 3 On the menu bar, click L4-L7 Services.
Step 4 On the submenu bar, click Packages.
Step 5 In the navigation pane, click L4-L7 Service Device Types.
Step 6 Select Actions > Import Device Package.
Step 7 In the File Name field, specify the device package that you downloaded in Step 1, and click Submit.
