KevinGallaugher
F5 Employee

Summary

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability and the protection of critical assets using Virtual Cisco Firepower. It is assumed that SSL Orchestrator is already deployed and basic network connectivity is working.

If you need help setting up SSL Orchestrator, refer to this Dev/Central article series or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator to simplify Change Management processes and procedures and to shorten the duration of the entire process.

Cisco Firepower backup files can be downloaded from GitLab here.

Please forgive me for using SSL and TLS interchangeably in this article.

A video demo of this Dev/Central article is available HERE.

This article is divided into the following high level sections:

Part 1 (available here)

  • Firepower Virtual Machine configuration
  • Create a new Topology to perform testing
  • Monitor Firepower statistics – change the weight ratio – check Firepower stats again
  • Remove a single Firepower device from the Service

Part 2 (available here)

  • Perform maintenance on the Firepower device
  • Add the Firepower device to the new Topology
  • Test functionality with a single client
  • Add the Firepower device back to the original Topology
  • Test functionality again
  • Repeat to perform maintenance on the other Firepower device

Firepower Virtual Machine configuration

Adapter 1 is for Management

Adapter 2 is for the Diagnostic interface

Adapter 3 corresponds to Firepower interface 0/0

Adapter 4 corresponds to Firepower interface 0/1

Configure the Firepower network settings to match that adapter mapping.

For a Layer 2 deployment like this, use Ethernet0/0 and Ethernet0/1 to create an Inline Set (a Layer 2 bridge). Click Add Inline Set, give it a name (inlineset1 in this example), move the eth0<->eth1 pair to Selected Interface Pair and click OK.

Repeat these steps if SSL Orchestrator is deployed with High Availability.

Configure ESX Networking

Create a Port Group for each of the following:

  • Network connectivity to the North (connected to BIG-IP interfaces)
  • Network connectivity to the South (connected to BIG-IP interfaces)
  • Service Egress to Firepower1
  • Service Ingress from Firepower1
  • Service Egress to Firepower2
  • Service Ingress from Firepower2

Create a new Topology

A new Topology will be used to test the Service after maintenance is performed. This Topology can be re-used in the future.

From the BIG-IP Configuration Utility, click Add.

Scroll to the bottom and click Next.

Give it a name, Topology_Staging.

Select L2 Inbound as the Topology, then click Save & Next.

Click Save & Next on each of the next two pages.

Click Add. A new Service Chain is needed so Firepower1 can be removed from the Production Service and added here.

Give the Service Chain a name and click Save.

Note: The Service will be added to this Service Chain later.

Click Save & Next.

Click Add to create a new rule.

Set Conditions to Client IP Subnet Match.

Enter the Client IP and mask, 10.1.11.52/32, then click New.

Set the SSL Proxy Action to Intercept.

Set the Service Chain to the one created previously.

Click OK.

Note: This rule ensures that only a single client computer (10.1.11.52) matches and can be used for testing. In the All Traffic default rule, set the SSL Proxy Action to Bypass. That Bypass applies only to traffic reaching this staging Topology, which the Source Address, Destination Address and port settings below limit to the test client, so production traffic is unaffected.

Select Save & Next.

Set the Source Address to 10.1.11.52/32. Set the Destination Address/Mask to 10.4.11.0/24. Set the port to 443.

Select the VLAN for your Ingress Network and move it to Selected.

Set the L7 Profile to Common/http.

Click Save & Next.

Select Save & Next.

Click Deploy.

Monitor Firepower statistics – change weight ratio – check Firepower statistics

Check the statistics on the Firepower device that will undergo maintenance, "Firepower1" in this example. Connect to its CLI via SSH. At the prompt enter 'capture-traffic', select the correct 'inlineset' (2 in this example) and press Enter to run with no tcpdump options. The capture shows client traffic passing through the inline set, which confirms this Firepower device is actively processing connections.

Change the Weight Ratio

Back in the SSL Orchestrator Configuration Utility, click Services, then the Service name.

Click the pencil icon.

Click the pencil icon for Firepower2.

Set the ratio to 65535 and click Done.

Click Save & Next.

Click OK.

Click Deploy.

Click OK.

Check Firepower Statistics

With the Weight Ratio change, new connections are sent almost entirely to Firepower2, so once the flows already established on Firepower1 have completed, the capture should show no active client connections.

Note: Any connections that remain in the capture are the health checks from SSL Orchestrator to the inline Service.
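Before deleting Firepower1 from the Service it is worth confirming the drain from the BIG-IP side as well, since capture-traffic only shows what the Firepower interface sees. The script below is an added example, not part of the original article or of SSL Orchestrator itself: it reads the output of `tmsh show ltm pool <pool> members` and reports whether the pool member that represents Firepower1 still carries connections. The pool name ssloS_Firepower and the member address 198.19.64.30:0 are placeholders (list the real ones with `tmsh list ltm pool` on your BIG-IP), and the sample output embedded in the script is constructed so that it runs anywhere tmsh is absent. It is deliberately read-only: SSL Orchestrator manages these objects and re-applies its own configuration on deploy, which is why the ratio change above is made in the SSL Orchestrator UI rather than with tmsh.

```shell
#!/bin/sh
# Added example, not from the original article or SSL Orchestrator itself:
# read-only check that an inline service pool member has drained before it
# is removed from the Service.
#
# Assumptions (placeholders, not taken from the page): the pool SSL Orchestrator
# built for the Firepower service is ssloS_Firepower and the member that
# represents Firepower1 is 198.19.64.30:0. Confirm both with
# "tmsh list ltm pool" on the BIG-IP before relying on the result.
set -u

POOL=${POOL:-ssloS_Firepower}
FIREPOWER1=${FIREPOWER1:-198.19.64.30:0}

# Constructed sample in the layout of "tmsh show ltm pool <pool> members":
# Firepower2 (198.19.64.31) carries the traffic after the ratio change and
# Firepower1 (198.19.64.30) is down to zero current connections.
SAMPLE_STATS='
Ltm::Pool: ssloS_Firepower
Traffic                             ServerSide
  Current Connections                     37
  -------------------------------------------------------------
  | Ltm::Pool Member: 198.19.64.30:0
  -------------------------------------------------------------
  | Status
  |   Availability : available
  |   State        : enabled
  | Traffic                             ServerSide
  |   Current Connections                      0
  |   Total Connections                      1562
  -------------------------------------------------------------
  | Ltm::Pool Member: 198.19.64.31:0
  -------------------------------------------------------------
  | Status
  |   Availability : available
  |   State        : enabled
  | Traffic                             ServerSide
  |   Current Connections                     37
  |   Total Connections                      4410
'

# pool_stats: live tmsh output on a BIG-IP, the constructed sample elsewhere.
pool_stats() {
  if command -v tmsh >/dev/null 2>&1; then
    tmsh show ltm pool "$POOL" members
  else
    printf '%s\n' "$SAMPLE_STATS"
  fi
}

# current_conns MEMBER: print MEMBER's Current Connections from stats on stdin.
# The pool-level "Current Connections" line precedes any member and is skipped
# because no member name has been seen yet. Exit 1 if MEMBER is not listed.
current_conns() {
  awk -v member="$1" '
    /Ltm::Pool Member:/                    { cur = $NF }
    /Current Connections/ && cur == member { print $NF; found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# member_drained MEMBER: 0 when MEMBER has no current connections,
# 1 when it still carries flows, 2 when it is not in the pool at all.
member_drained() {
  n=$(current_conns "$1") || return 2
  [ "$n" -eq 0 ]
}

# wait_for_drain MEMBER [TRIES]: poll every 5 seconds until MEMBER has drained.
# Safe to run repeatedly; it never modifies the SSL Orchestrator-managed objects.
wait_for_drain() {
  member=$1; tries=${2:-12}; i=1
  while [ "$i" -le "$tries" ]; do
    rc=0
    pool_stats | member_drained "$member" || rc=$?
    case $rc in
      0) echo "$member has no active connections; safe to remove from the Service"; return 0 ;;
      2) echo "$member is not a member of $POOL; check the placeholder names" >&2; return 2 ;;
    esac
    echo "$member still has $(pool_stats | current_conns "$member") connections, waiting..."
    sleep 5
    i=$((i + 1))
  done
  echo "timed out waiting for $member to drain; do not remove it yet" >&2
  return 1
}

wait_for_drain "$FIREPOWER1"
```

Run it on the BIG-IP (or export POOL and FIREPOWER1 first) after the ratio change and before the Delete step below; a non-zero exit means Firepower1 still has live flows or the placeholder names do not match your deployment.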

Remove a single Firepower device from the Service

From the SSL Orchestrator Configuration Utility, click Services, then the Service name.

Click the pencil icon.

Delete Firepower1.

Click Save & Next.

Click OK.

Click Deploy.

Click OK.

Proceed to Part 2

Version history
Last update: 14-Nov-2022 14:32