Verified Design: SSL Orchestrator with Cisco Firepower Virtual Edition-Part 1

Summary

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability and the protection of critical assets using Virtual Cisco Firepower. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator refer to this Dev/Central article series or the CloudDocs Deployment Guide here

This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process.

Cisco Firepower backup files can be downloaded from here from GitLab

Please forgive me for using SSL and TLS interchangeably in this article.

A video demo of this Dev/Central article is available HERE

This article is divided into the following high level sections:

Part1 (available here)

Firepower Virtual Machine configuration
Create a new Topology to perform testing
Monitor Firepower statistics – change the weight ratio – check Firepower stats again
Remove a single Firepower device from the Service

Part 2 (available here)

Perform maintenance on the Firepower device
Add the Firepower device to the new Topology
Test functionality with a single client
Add the Firepower device back to the original Topology
Test functionality again
Repeat to perform maintenance on the other Firepower device

Firepower Virtual Machine configuration

Adapter 1 is for Management

Adapter 2 is for the Diagnostic interface

Adapter 3 corresponds to Firepower interface 0/0

Adapter 4 corresponds to Firepower interface 0/1

The Firepower network settings should look like this

For a Layer 2 deployment like this use Ethernet0/0 and Ethernet0/1 to Create an Inline Set

Create an Inline Set (Layer 2 bridge). Click Add Inline Set. Give it a name, inlineset1 in this example. Move eth0< - >eth1 to the Selected Interface Pair. Click OK

Repeat these steps if configuring SSL Orchestrator deployed with High Availability

Configure ESX Networking

Create a Port Group for the following

Network connectivity to the North (connected to BIG-IP interfaces)

Network connectivity to the South (connected to BIG-IP interfaces)

Service Egress to Firepower1

Service Ingress from Firepower1

Service Egress to Firepower2

Service Ingress from Firepower2

Create a new Topology

A new Topology will be used to test the Service after maintenance is performed. This Topology can be re-used in the future

From the BIG-IP Configuration Utility click Add

Scroll to the bottom and click Next

Give it a name, Topology_Staging

Select L2 Inbound as the Topology then click Save & Next

Click Save & Next

Click Add. A new Service Chain is needed so we can remove Firepower1 from the Production Service and add it here

Give the Service Chain a name, Click Save

Note: The Service will be added to this Service Chain later

Click Save & Next

Click Add

Set Conditions to Client IP Subnet Match

Enter the Client IP and mask, 10.1.11.52/32. Click New

Set the SSL Proxy Action to Intercept

Set the Service Chain to the one created previously

Click OK

Note: This rule is so a single client computer (10.1.11.52) will match and can be used for testing. In the All Traffic default rule set the SSL Proxy Action to Bypass

Select Save & Next

Set the Source Address to 10.1.11.52/32. Set the Destination Address/Mask to 10.4.11.0/24. Set the port to 443

Select the VLAN for your Ingress Network and move it to Selected

Set the L7 Profile to Common/http

Click Save & Next

Select Save & Next

Click Deploy

Monitor Firepower statistics – change weight ratio – check Firepower statistics

Check the statistics on the Firepower device we will be performing maintenance on. It’s “Firepower1” in this example. Connect to the CLI via SSH. At the prompt enter ‘capture-traffic’. Select the correct ‘inlineset’ (2 in this example) and hit Enter for no tcpdump options: