Orchestrated Infrastructure Security - Change at the Speed of Business - Cisco Firepower

Editor's Note: The F5 Beacon capabilities referenced in this article hosted on F5 Cloud Services are planning a migration to a new SaaS Platform - Check out the latest here

Introduction

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability, Central Management with BIG-IQ, Application Visibility with Beacon and the protection of critical assets using F5 Advanced WAF, Protocol Inspection (IPS) with AFM as well as leading Security Solutions like Cisco Firepower and WSA. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process.

Configuration files of Cisco Firepower can be downloaded from here from GitLab. 

Please forgive me for using SSL and TLS interchangeably in this article.

Click here for a demo video of this Dev/Central article

This article is divided into the following high level sections:

·     Create a new Topology to perform testing

·     Monitor Firepower statistics – change the weight ratio – check Firepower stats again

·     Remove a single Firepower device from the Service

·     Perform maintenance on the Firepower device

·     Add the Firepower device to the new Topology

·     Test functionality with a single client

·     Add the Firepower device back to the original Topology

·     Test functionality again

·     Repeat to perform maintenance on the other Firepower device

Create a new Topology to perform testing

A new Topology will be used to safely test the Service after maintenance is performed. The Topology should be similar to the one used for production traffic. This Topology can be re-used in the future.

From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration. Click Add under Topologies.

Scroll to the bottom of the next screen and click Next.

Give it a name, Topology_Staging in this example.

Select L2 Inbound as the Topology type then click Save & Next.

For the SSL Configurations you can leave the default settings. Click Save & Next at the bottom.

 

Click Save & Next at the bottom of the Services List.

Click the Add button under Services Chain List. A new Service Chain is needed so we can remove Firepower1 from the Production Service and add it here.

Give the Service Chain a name, Staging_Chain in this example. Click Save at the bottom.

Note: The Service will be added to this Service Chain later.

Click Save & Next.

Click the Add button on the right to add a new rule.

For Conditions select Client IP Subnet Match.

Enter the Client IP and mask, 10.1.11.52/32 in this example. Click New to add the IP/Subnet.

Set the SSL Proxy Action to Intercept.

Set the Service Chain to the one created previously.

Click OK.

 

Note: This rule is written so that a single client computer (10.1.11.52) will match and can be used for testing.

Select Save & Next at the bottom.

For the Interception Rule set the Source Address to 10.1.11.52/32. Set the Destination Address/Mask to 10.4.11.0/24. Set the port to 443.

Select the VLAN for your Ingress Network and move it to Selected.

Set the L7 Profile to Common/http.  

Click Save & Next.

For Log Settings, scroll to the bottom and select Save & Next.

 

Click Deploy.

Monitor Firepower statistics – change the weight ratio – check Firepower statistics again

Check the statistics on the Firepower device we will be performing maintenance on. It’s “Firepower1” in this example.

Connect to the CLI via SSH. At the prompt enter ‘capture-traffic’. Select the correct ‘inlineset’ (2 in this example) and hit Enter for no tcpdump options:

> capture-traffic

Please choose domain to capture traffic from:
  0 - management0
  1 - inlineset1 inline set
  2 - inlineset2 inline set

Selection? 2

Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options:

You should see an output similar to the following:

This Firepower device is actively processing connections.

 

Change the Weight Ratio

Back to the SSL Orchestrator Configuration Utility. Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_Firepower in this example.

Click the pencil icon to edit the Service.

Click the pencil icon to edit the Network Configuration for Firepower2

Set the ratio to 65535 and click Done.

Click Save & Next at the bottom.

 

Click OK if presented with the following warning.

 

Click Deploy.

Click OK when presented with the Success message.

Check Firepower Statistics Again

Check the statistics on “Firepower1” again.  With the Weight Ratio change there should be little to no active connections.

It should look like the following:

Note: The connections above represent the health checks from SSL Orchestrator to the inline Service.

 

Remove a single Firepower device from the Service

Back to the SSL Orchestrator Configuration Utility. Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_Firepower in this example.

 

Click the pencil icon to edit the Service.

Under Network Configuration, delete Firepower1.

Click Save & Next at the bottom.

Click OK if presented with the following warning.

Click Deploy.

 

Click OK when presented with the Success message.

 

 

Perform maintenance on the Firepower device

At this point Fireower1 has been removed from the Incoming_Security Topology and is no longer handling production traffic. Firepower2 is now handling all of the production traffic.

We can now perform a variety of maintenance tasks on Firepower1 without disrupting production traffic. When done with the task(s) we can then safely test/verify the health of Firepower1 prior to moving it back into production.

Some examples of maintenance tasks:

·     Perform a software upgrade to a newer version.

·     Make policy changes and verify they work as expected.

·     Physically move the device.

·     Replace a hard drive, fan, and/or power supply.

 

Add the Firepower device to the new Topology

This will allow us to test its functionality with a single client computer, prior to moving it back to production.

From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging.

 

Click the pencil icon on the right to edit the Service.

Click Add Service.

Select the Cisco Firepower Threat Defense Inline Layer 2 Service and click Add.

Give it a name or leave the default. Click Add under Network Configuration.

 

Set the FROM and TO VLANS to the following and click Done.

 

Click Save at the bottom.

Click the Service Chain icon.

Click the Staging_Chain.

Move the CSCO Service from Available to Selected and click Save.

Click OK.

Click Deploy.

 

Click OK.

 

Test functionality with a single client

We created a policy with source IP = 10.1.11.52 to use the new Firepower Service that we just performed maintenance on.

Go to that client computer and verify that everything is still working as expected.

As you can see this is the test client with IP 10.1.11.52. The page still loads for one of the web servers. 

You can view the Certificate and see that it is not the same as the Production Certificate.

  

 

Add the Firepower device back to the original Topology

From the SSL Orchestrator GUI select SSL Orchestrator > Configuration > Service Chains

Select the Staging_Chain.

Select ssloS_CSCO on the right and click the left arrow to remove it from Selected.

Click Deploy when done.

Click OK.

 

Click OK to the Success message.

 

From the SSL Orchestrator Guided Configuration select SSL Orchestrator > Configuration > Services.

 

Select the CSCO Service and click Delete.

Click OK to the Warning.

When that is done click the ssloS_Firepower Service.

Click the Pencil icon to edit the Service.

Under Network Configuration click Add.

Set the Ratio to the same value as Firepower2, 65535 in this example. Set the From and To VLAN the following and click Done.

Click Save & Next at the bottom.

 

Click OK.

 

Click Deploy.

Click OK.

 

 

Test functionality again

Make sure Firepower1 is working properly.

To ensure that everything is working as expected you can view the Statistics on Firepower1 again.

This Firepower device is actively processing connections.

 

Repeat these steps to perform maintenance on the other Firepower device (not covered in this guide)

·     Create a new Topology to perform testing

·     Monitor Firepower statistics – change the weight ratio – check Firepower stats again

·     Remove a single Firepower device from the Service

·     Perform maintenance on the Firepower device

·     Add the Firepower device to the new Topology

·     Test functionality with a single client

·     Add Firepower device back to the original Topology

·     Test functionality again

Updated Nov 02, 2022
Version 3.0
No CommentsBe the first to comment