Cisco Secure Dynamic Attribute Connector (CSDAC) is an interface that imports attribute maps from dynamic environments such as Azure, AWS, VMware vCenter and NSX-T and reliably provides these dynamic feeds to FMC to enforce access policy without requiring a policy deployment. This document describes the CSDAC components and demonstrates how to integrate it with FMC and VMware. This document does not list the CSDAC installation steps; refer to the Cisco and Ansible documentation as follows for installation steps and guidelines:
Network constructs such as IP addresses are not reliable in virtual, cloud and container environments due to the dynamic nature of the workloads and the inevitability of IP address overlap. Customers require policy rules to be defined based on non-network constructs such as VM name or security group, so that firewall policy persists even when the IP address or VLAN changes.
Also, managing policy objects in large enterprise and service provider network environments involves a lot of administrative overhead. This task is more cumbersome if you have objects enforcing access policy from multiple dynamic environments such as VMware and cloud providers (AWS, Azure). CSDAC solves this problem by providing a programmatic interface to integrate with external dynamic environment providers and keep up to date with their changes. It also provides the ability to filter the labels using the AND (match-all) and OR (match-any) logical operators, to construct different mappings for that dynamic object from the device manager.
Connector: AWS, Azure, VMware vCenter or NSX
The CSDAC tool supports a single ‘admin’ user to access the tool. By default, the password is ‘admin’; it should be changed at first login.
After you log in, click on the ‘Connectors’ tab and add an ‘AWS’, ‘vCenter’ or ‘Azure’ connector by clicking on the ‘+’ button.
Enter the provider credentials and certificate to get the tag attributes of the instances.
Add the vCenter web server certificate.
Similarly, click on the ‘Adapters’ tab and add an ‘FMC’ adapter by clicking on the ‘+’ button.
Enter the credentials of primary FMC (and secondary FMC in case of High Availability) to receive the filtered attribute mappings.
Add FMC certificate.
The filtered attributes are sent as dynamic objects to FMC (using the dynamic objects REST API).
1. Connectors get the attributes from the AWS, Azure and vCenter cloud servers.
2. The Attribute Filter is used to streamline the attributes using an “AND” or “OR” Boolean expression.
3. Adapters are then used to send these streamlined attributes and their IP mappings to FMC as dynamic objects.
4. FMC sends the mappings in real time to FTD (without a deploy, for an existing policy with dynamic objects).
FMC Policy Configuration with Dynamic Objects
Once CSDAC is connected with FMC and starts sending object feed, FMC policy rules can be configured with dynamic objects.
Once a policy with dynamic objects is deployed, all subsequent changes to the dynamic objects (adding or removing IP addresses) are pushed to the FTD without any policy push.
Use Case: Blocking IP address using dynamic object without a policy push
As mentioned in this document, once a policy with dynamic objects in an access rule is deployed, subsequent feed updates within the dynamic object do not need a policy push each time there is a change. This enables another useful use case: a dynamic object can be used within an access rule and deployed beforehand to block traffic based on either source or destination. Later, if one or more IP addresses need to be blocked, this can be achieved simply by changing the dynamic attribute filter on CSDAC, which updates the dynamic object on FMC via the REST API, and FMC updates the object used within the access policy without a policy push. This can be helpful to 3rd-party vendors like Tufin and AlgoSec, whose Security Policy Management frameworks rely on the FMC/FTD API for policy deployments.
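The following added example (not Cisco's CSDAC code) models the pipeline from the numbered steps above and the use case just described: a connector returns a tagged workload inventory, an attribute filter with a match-all (AND) or match-any (OR) operator selects workloads, the selected IPs become the dynamic object's mappings, and the difference between two polls is the incremental add/remove update that reaches FMC without a policy push. The inventory records, tag names and IP addresses are constructed sample data, and the request-body shape produced by `build_mapping_update` is an illustrative assumption, not the documented FMC dynamic object mappings API schema.

```python
"""Attribute filter and dynamic-object mapping delta, modelled on the CSDAC
pipeline (connector -> filter -> adapter -> FMC). Added example; the data
and the update body shape are constructed/assumed, not Cisco's own code."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample inventory, shaped like what a vCenter or AWS connector
# might hand to the filter stage: workload name, tag map, current IPs.
INVENTORY_POLL_1 = [
    {"name": "web-01",  "tags": {"env": "prod", "role": "web"}, "ips": ["10.1.1.10"]},
    {"name": "web-02",  "tags": {"env": "prod", "role": "web"}, "ips": ["10.1.1.11"]},
    {"name": "db-01",   "tags": {"env": "prod", "role": "db"},  "ips": ["10.1.2.10"]},
    {"name": "web-dev", "tags": {"env": "dev",  "role": "web"}, "ips": ["10.9.1.10"]},
]

# Second poll (constructed): web-02 was re-addressed, web-03 was added, and an
# operator tagged web-dev with quarantine=true to have it blocked.
INVENTORY_POLL_2 = [
    {"name": "web-01",  "tags": {"env": "prod", "role": "web"}, "ips": ["10.1.1.10"]},
    {"name": "web-02",  "tags": {"env": "prod", "role": "web"}, "ips": ["10.1.1.12"]},
    {"name": "web-03",  "tags": {"env": "prod", "role": "web"}, "ips": ["10.1.1.13"]},
    {"name": "db-01",   "tags": {"env": "prod", "role": "db"},  "ips": ["10.1.2.10"]},
    {"name": "web-dev", "tags": {"env": "dev",  "role": "web", "quarantine": "true"},
     "ips": ["10.9.1.10"]},
]


@dataclass(frozen=True)
class DynamicAttributeFilter:
    """One CSDAC-style filter: a dynamic object name, a Boolean operator
    ('match-all' = AND, 'match-any' = OR) and the label key/values to test."""
    object_name: str
    operator: str
    labels: Dict[str, str]

    def __post_init__(self) -> None:
        if self.operator not in ("match-all", "match-any"):
            raise ValueError(f"unknown operator {self.operator!r}")
        # An empty label set would make match-all select every workload
        # (all() of nothing is True); refuse it rather than over-match.
        if not self.labels:
            raise ValueError("filter needs at least one label")

    def matches(self, tags: Dict[str, str]) -> bool:
        checks = [tags.get(key) == value for key, value in self.labels.items()]
        return all(checks) if self.operator == "match-all" else any(checks)


def resolve_mappings(flt: DynamicAttributeFilter, inventory: List[dict]) -> Set[str]:
    """Return the IP set that the dynamic object maps to for this inventory."""
    return {ip for wl in inventory if flt.matches(wl["tags"]) for ip in wl["ips"]}


def mapping_delta(old: Set[str], new: Set[str]) -> Dict[str, List[str]]:
    """Incremental change between two polls: only these IPs need to be sent."""
    return {"add": sorted(new - old), "remove": sorted(old - new)}


def build_mapping_update(object_name: str, delta: Dict[str, List[str]]) -> dict:
    """Assumed (illustrative) add/remove body for a dynamic object mapping
    update; check the FMC REST API reference for the real schema."""
    return {
        "add": [{"dynamicObject": {"name": object_name}, "mappings": delta["add"]}],
        "remove": [{"dynamicObject": {"name": object_name}, "mappings": delta["remove"]}],
    }


def poll_cycle(flt: DynamicAttributeFilter, previous: List[dict], current: List[dict]) -> dict:
    """One adapter cycle: resolve both polls, diff them, build the update."""
    return build_mapping_update(
        flt.object_name,
        mapping_delta(resolve_mappings(flt, previous), resolve_mappings(flt, current)),
    )


if __name__ == "__main__":
    prod_web = DynamicAttributeFilter("prod-web", "match-all", {"env": "prod", "role": "web"})
    print("prod-web now maps to:", sorted(resolve_mappings(prod_web, INVENTORY_POLL_2)))
    print("prod-web update:", poll_cycle(prod_web, INVENTORY_POLL_1, INVENTORY_POLL_2))
    # Block use case: the deployed rule references 'quarantine'; tagging a
    # workload is enough to add its IP, no policy push involved.
    quarantine = DynamicAttributeFilter("quarantine", "match-any", {"quarantine": "true"})
    print("quarantine update:", poll_cycle(quarantine, INVENTORY_POLL_1, INVENTORY_POLL_2))
```

Running the script shows that re-addressing web-02 produces one removal and one addition for `prod-web`, and that tagging web-dev adds its IP to the `quarantine` object that the pre-deployed block rule references; the adapter only has to send those deltas.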
Note: FMC can also block an IP address or a list of IP addresses by the following two methods, neither of which requires a policy push:
Connection > Analysis, right-click and select "Add IP to Block-list"; a subnet cannot be added using this method.
FMC also allows you to add an object group or a feed list of IP addresses and URLs, but the list has to be updated and uploaded manually in FMC; there is no API to update that list.