879 Views | 2 Helpful | 3 Replies

Questions around Dynamic Attributes Connector - FMC integrated

atsukane (Level 3)

Hi All,

A few question around Cisco Secure Dynamic Attributes Connector (CSDAC).

On a test FMC (v7.4.1), I've enabled the CSDAC integration and added built-in connectors for WebEx, O365 and Zoom, and confirmed FMC is receiving feeds and the corresponding Dynamic Objects are created.

It looks to be pretty useful for Exchange Online and Teams (the dynamic object for Teams is called "o365_Worldwide_Skype"). I haven't tested the Azure or AWS connectors as I have not obtained the API keys from the relevant teams, but from what I've seen on YouTube etc. it looks pretty cool, as we can just use the tags on AWS EC2 instances.

I'm now testing the Generic Text connector and my questions are about 1) the feed format and 2) certificates.

On the Cisco Secure YouTube channel, the Feodo Tracker's C&C blocklist is used as an example, and a text file is used instead of JSON. Does this mean JSON isn't supported?

I'm using the Zscaler hub IP addresses for our test, from here: https://config.zscaler.com/zscloud.net/hubs

When I add the URL for the recommended addresses in JSON format (https://config.zscaler.com/api/zscloud.net/hubs/cidr/json/recommended) and hit the Test button, it completes successfully; however, it does not add any dynamic object(s).

Then comes my second question, around the certificate. In the tutorial video, just hitting the Fetch button makes the CSDAC fetch the cert automatically; however, on my box I just get the error below as soon as I hit the Fetch button: "Unknown error: module 'lib' has no attribute 'd2i_PKCS7_bio'"

So, I've exported the certificate from the above URL and imported it, but if I hit the Test button, the connection test fails.

Can anyone confirm 1) whether JSON is supported or not?

And 2) suggest troubleshooting steps for the certificate issue that I'm facing?

Many thanks,

3 Replies

atsukane (Level 3), accepted solution

OK, so I figured out the certificate issue: I had to use Firefox and download the PEM chain; then the connection test completes successfully. (Export from Edge and Chrome didn't work for me.)

However, JSON format appears not to be supported, as no dynamic object was added for the Zscaler hub IPs via the new Generic Text connector.

adrian_iovita (Level 1)

You can set up a basic HTTP server on Linux or Windows and use a script to generate a txt file with all the Zscaler IPs.

Here is a basic PowerShell script that you can schedule to run every week. 

$url = "https://config.zscaler.com/api/private.zscaler.com/zpa/json"

##### Enable TLS1.2 #####
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Set to $true only if you have problems with certificate trust (e.g. a
# self-signed certificate or an inspecting proxy). It disables certificate
# validation for the whole PowerShell session, so leave it $false otherwise
# and ignore the certcheck section below.
$IgnoreCertCheck = $false
#################

if ($IgnoreCertCheck) {
    Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
}

# Fetch the feed, then parse the response body (not the response object itself).
# -UseBasicParsing avoids the Internet Explorer engine dependency on Windows PowerShell 5.1.
$response   = Invoke-WebRequest -Uri $url -UseBasicParsing
$jsonobject = $response.Content | ConvertFrom-Json

# One entry per line, ASCII, ready to be served by the HTTP server as a text feed.
$jsonobject.IPs | Out-File -Encoding ASCII -FilePath C:\IPs.txt

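For the Linux side of the set-up adrian_iovita describes (a small script feeding a plain-text list to a web server), here is an added Python example, not from the thread or from Cisco or Zscaler, that converts a JSON prefix list into the one-CIDR-per-line text that the Generic Text connector accepts, and refuses entries a firewall dynamic object should never receive (malformed values, host bits set, or prefixes broad enough to match everything). The sample JSON is constructed; its "hubPrefixes" key and the prefix-length floors are assumptions, not taken from the page.

```python
import ipaddress
import json

# Constructed sample shaped like the Zscaler recommended-hubs JSON; the
# "hubPrefixes" key is an assumption about that feed, not taken from the page.
SAMPLE_JSON = json.dumps({
    "hubPrefixes": [
        "165.225.0.0/17",
        "147.161.128.0/17",
        "165.225.0.0/17",      # duplicate: emitted once
        "2a03:ee80::/32",
        "10.0.0.1/8",          # host bits set: rejected, not silently fixed
        "0.0.0.0/0",           # broader than policy allows: rejected
        "not-a-prefix",        # garbage: rejected
    ]
})

# Floor on prefix length per address family (assumed local policy): a feed
# entry broader than this would turn a dynamic object into "everything".
MIN_PREFIXLEN = {4: 8, 6: 19}


def json_feed_to_text(raw_json, key="hubPrefixes"):
    """Turn a JSON prefix list into the one-CIDR-per-line text form the
    Generic Text connector reads. Returns (lines, rejected)."""
    entries = json.loads(raw_json).get(key, [])
    kept, rejected = set(), []
    for item in entries:
        try:
            net = ipaddress.ip_network(item, strict=True)  # host bits -> error
        except ValueError:
            rejected.append((item, "not a valid CIDR"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((item, "broader than /%d" % MIN_PREFIXLEN[net.version]))
            continue
        kept.add(net)
    lines = [str(n) for n in sorted(kept, key=lambda n: (n.version, n))]
    return lines, rejected


def write_feed(path, lines):
    """Write the text feed (ASCII, one entry per line) for the HTTP server."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    lines, rejected = json_feed_to_text(SAMPLE_JSON)
    write_feed("zscaler_hubs.txt", lines)
    print("\n".join(lines), "\nrejected:", rejected)
```

Point the Generic Text connector at the URL the web server exposes for zscaler_hubs.txt, and log the rejected list so a feed change that starts shipping bad entries is noticed rather than silently dropped.
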
Thanks, that's very helpful. 

I'll try that out when I get round to it. 
