Verified Design: SSL Orchestrator with Cisco Firepower Virtual Edition-Part 2

Summary

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability and the protection of critical assets using Virtual Cisco Firepower.  This is Part 2 of tis article. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process.

Configuration files of Cisco Firepower can be downloaded from here from GitLab. 

Please forgive me for using SSL and TLS interchangeably in this article.

A video demo of this Dev/Central article is available HERE 

This article is divided into the following high level sections:

Part1 (available here)

  • Firepower Virtual Machine configuration
  • Create a new Topology to perform testing
  • Monitor Firepower statistics – change the weight ratio – check Firepower stats again
  • Remove a single Firepower device from the Service

Part 2 (available here)

  • Perform maintenance on the Firepower device
  • Add the Firepower device to the new Topology
  • Test functionality with a single client
  • Add the Firepower device back to the original Topology
  • Test functionality again
  • Repeat to perform maintenance on the other Firepower device

Perform maintenance on the Firepower device

At this point Fireower1 has been removed from the Production_Topology and is no longer handling production traffic.  Firepower2 is now handling all of the production traffic.

We can now perform a variety of maintenance tasks on Firepower1 without disrupting production traffic.  When done with the task(s) we can then safely test/verify the health of Firepower1 prior to moving it back into production.

Some examples of maintenance tasks:

  • Perform a software upgrade to a newer version.
  • Make policy changes and verify they work as expected.
  • Physically move the device.
  • Replace a hard drive, fan, and/or power supply.

Add the Firepower device to the new Topology

This will allow us to test its functionality with a single client computer, prior to moving it back to production.

From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging.

Click the pencil icon

Click Add Service

Double click Cisco Firepower Threat Defense Inline Layer 2

Give it a name or leave the default. Click Add

Set the FROM and TO VLANS to the following, click Done

Click Save

Click Service Chain

Click the Staging_Chain

Move the CSCO Service from Available to Selected, click Save

Click OK

Click Deploy

Click OK

Test functionality

We created a policy with source IP = 10.1.11.52 to use the new Firepower Service that we just performed maintenance on. Go to that computer and verify that everything is still working as expected. As you can see this is the test client with IP 10.1.11.52. The page still loads for one of the web servers

You can view the Certificate to see that it is not the same as the Production Certificate

Add the Firepower device to the original Topology

From the SSL Orchestrator GUI select Service Chains

Select the Staging_Chain

Select ssloS_CSCO and click the left arrow to remove it from Selected

Click Deploy

Click OK

Click OK

From the SSL Orchestrator Guided Configuration select Services

Select the CSCO Service, click Delete

Click OK

Click the ssloS_Firepower Service

Click the Pencil icon

Click Add

Set the Ratio to 65535. Set the From and To VLAN the following, click Done.

Click Save & Next

Click OK

Click Deploy

Click OK

Test functionality again

Make sure Firepower1 is working properly by viewing the Statistics

This Firepower device is actively processing connections.

Repeat these steps to perform maintenance on the other Firepower device (not covered in this guide)

  • Remove a single Firepower device from the Service
  • Perform maintenance on the Firepower device
  • Add the Firepower device to the new Topology
  • Test functionality with a single client
  • Add Firepower device back to the original Topology
  • Test functionality again
Updated Nov 14, 2022
Version 2.0
No CommentsBe the first to comment