06-20-2021 06:49 AM
Apologies for the lengthy question here.
I'm in the process of migrating ASA with some PBR policy to FTD.
Current setup:
ASA has the following rules in the extended access list specified in the PBR policy:
Line 1: Source: PBR_source IPs; Destination: Office 365 object group; Service: http/https; Action: Deny
Line 2: Source: PBR_source IPs; Destination: any; Service: http/https; Action: Permit
So the above ACEs are basically performing routing decisions: Line 1 excludes the Office 365 traffic from PBR so it takes the default route, and the rest of the traffic takes its specified route as per the route map.
I want to achieve the same function in FTD leveraging the office 365 dynamic object that the app detector provides.
So the requirement is to use the dynamic Office 365 object in the extended access list in FMC to exclude Office 365 traffic, which can be configured in FlexConfig.
Question: Can the Office 365 dynamic object be used as a network object group to configure in an extended ACL in FMC?
I'm aware that there are scripts you can use to import Office 365 URLs/IPs with the FMC API/MS API.
Is this the only way?
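As an added illustration of the "script" route mentioned above (this is example code, not from the original poster, Cisco, or Microsoft): it parses a constructed sample in the shape of the Microsoft 365 endpoint web service JSON, keeps the required IPv4 ranges, and renders the ASA object-group plus the two-ACE PBR ACL from the question. The source subnet, object-group names and ACL name are assumed placeholders; the JSON field names (`required`, `ips`, `serviceArea`) follow the published endpoint service format.

```python
import ipaddress
import json

# Constructed sample shaped like the Microsoft 365 endpoint web service
# response (endpoints.office.com). The addresses are documentation ranges,
# not real Microsoft 365 prefixes.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["203.0.113.0/24", "2001:db8:10::/48"], "tcpPorts": "443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Allow", "required": True,
     "ips": ["198.51.100.0/25"], "tcpPorts": "80,443"},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "ips": ["192.0.2.0/24"], "tcpPorts": "443"},
])


def required_ipv4_networks(endpoints_json: str) -> list[str]:
    """Return sorted, de-duplicated IPv4 CIDRs for endpoints marked required."""
    nets = set()
    for entry in json.loads(endpoints_json):
        if not entry.get("required"):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:          # ASA network-object lines below are IPv4
                nets.add(net)
    return [str(n) for n in sorted(nets)]


def render_pbr_acl(cidrs, pbr_source="10.10.0.0 255.255.0.0",
                   group="O365_NET", acl="PBR_ACL") -> list[str]:
    """Render ASA config: the O365 object-group, a tcp service group for
    http/https, then the two ACEs from the question. Line 1 denies O365 so
    that traffic is left to the default route; Line 2 matches the rest so
    the route-map steers it. Names and the source subnet are placeholders."""
    lines = [f"object-group network {group}"]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        lines.append(f" network-object {net.network_address} {net.netmask}")
    lines += ["object-group service WEB_PORTS tcp",
              " port-object eq www",
              " port-object eq https",
              f"access-list {acl} extended deny tcp {pbr_source} "
              f"object-group {group} object-group WEB_PORTS",
              f"access-list {acl} extended permit tcp {pbr_source} any "
              "object-group WEB_PORTS"]
    return lines


if __name__ == "__main__":
    print("\n".join(render_pbr_acl(required_ipv4_networks(SAMPLE_ENDPOINTS))))
```

Because the Microsoft list changes, the generated object-group has to be regenerated and re-pushed whenever the endpoint service publishes a new version; that maintenance burden is what the dynamic-object approach discussed below removes.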
06-20-2021 07:40 AM
There is a new feature in 7.0 called dynamic objects which, when combined with the Cisco Secure Dynamic Attributes Connector, should allow you to do this.
I have been meaning to try it out in the lab but haven't had a chance yet.
https://www.youtube.com/watch?v=TghSLH0FJUs
06-21-2021 10:54 AM
Thanks Marvin, interesting! Please let me know if you try this.
06-22-2021 01:58 AM - edited 06-22-2021 01:58 AM
The Dynamic Attributes Connector might soon support Office 365, so it might be worth it to wait for 1.1.
06-24-2021 05:53 AM
Right @rschlayer - that was mentioned in the video Veronika posted on Youtube.
https://www.youtube.com/watch?v=TghSLH0FJUs&t=3s
As of now the CSDAC only supports tenant-based Azure, AWS and vCenter connectors:
03-27-2022 01:01 PM
https://galaxy.ansible.com/cisco/csdac (CSDAC 1.1 supports additional connectors (Office 365 and Azure Service Tags) and is compatible with FMC 7.0 and 7.1.)
Found this video https://youtu.be/-fon72TFw0I to be very illustrative as well!
07-06-2021 02:09 AM
I found a SecureX orchestration that is supposed to work with FMC 7.0 to do exactly this. I've not tried it personally yet but here's a link to it: