Verified Design: SSL Orchestrator with Cisco Firepower Virtual Edition-Part 2

KevinGallaugher · ‎31-Oct-2022

Summary

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability and the protection of critical assets using Virtual Cisco Firepower. This is Part 2 of tis article. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process.

Configuration files of Cisco Firepower can be downloaded from here from GitLab.

Please forgive me for using SSL and TLS interchangeably in this article.

A video demo of this Dev/Central article is available HERE

This article is divided into the following high level sections:

Part1 (available here)

Firepower Virtual Machine configuration
Create a new Topology to perform testing
Monitor Firepower statistics – change the weight ratio – check Firepower stats again
Remove a single Firepower device from the Service

Part 2 (available here)

Perform maintenance on the Firepower device
Add the Firepower device to the new Topology
Test functionality with a single client
Add the Firepower device back to the original Topology
Test functionality again
Repeat to perform maintenance on the other Firepower device

Perform maintenance on the Firepower device

At this point Fireower1 has been removed from the Production_Topology and is no longer handling production traffic. Firepower2 is now handling all of the production traffic.

We can now perform a variety of maintenance tasks on Firepower1 without disrupting production traffic. When done with the task(s) we can then safely test/verify the health of Firepower1 prior to moving it back into production.

Some examples of maintenance tasks:

Perform a software upgrade to a newer version.
Make policy changes and verify they work as expected.
Physically move the device.
Replace a hard drive, fan, and/or power supply.

Add the Firepower device to the new Topology

This will allow us to test its functionality with a single client computer, prior to moving it back to production.

From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging.

Click the pencil icon

Click Add Service

Screen Shot 2021-01-15 at 1.43.30 PM.png

Double click Cisco Firepower Threat Defense Inline Layer 2

Screen Shot 2021-07-08 at 10.00.16 AM.png

Give it a name or leave the default. Click Add

Screen Shot 2021-07-08 at 10.01.31 AM.png

Set the FROM and TO VLANS to the following, click Done

Screen Shot 2021-07-08 at 10.05.07 AM.png

Click Save

Screen Shot 2021-01-15 at 1.51.32 PM.png

Click Service Chain

Screen Shot 2021-01-15 at 1.52.50 PM.png

Click the Staging_Chain

Screen Shot 2021-01-15 at 1.54.16 PM.png

Move the CSCO Service from Available to Selected, click Save

Screen Shot 2021-07-08 at 10.07.58 AM.png

Click OK

Screen Shot 2021-01-15 at 1.58.13 PM.png

Click Deploy

Screen Shot 2021-01-15 at 1.59.16 PM.png

Click OK

Screen Shot 2021-01-15 at 2.00.13 PM.png

Test functionality

We created a policy with source IP = 10.1.11.52 to use the new Firepower Service that we just performed maintenance on. Go to that computer and verify that everything is still working as expected. As you can see this is the test client with IP 10.1.11.52. The page still loads for one of the web servers

Screen Shot 2021-01-21 at 10.15.25 AM.png