Enhancing Firewall Policy in ACI using FMC Endpoint Update 1.3 App

Defining and maintaining a firewall policy can quickly become a challenge in a fluid software-defined data center. Luckily, some good orchestration between controllers can get us further along.

Figure 1: FMC Endpoint Update App listed on dcappcenter.cisco.com

The FMC (Firepower Management Center) Endpoint Update App, version 1.3 as posted on dcappcenter, helps us define a better firewall policy by providing up-to-date FMC Network Objects based on ACI Tenant EPGs and their Endpoints. Once configured for the desired pairs of Tenants and managers to update, the App uses APIs and orchestration to periodically learn APIC EPG information and then update these objects on FMC. Note that a firewall policy (Access Control Policy or ACP) that has changed because of an object update must still be deployed to the firewall (Firepower Threat Defense or FTD); only when the deploy completes does the updated firewall policy take effect.

Parameters

In Figure 2, you can find all parameters required to set up Endpoint updates.

Figure 2: App GUI under APIC Apps tab shows parameters to configure

The App allows you to reuse one FMC for multiple Tenants and to define the FMC domain used for each Tenant's updates. You can also enable the App to automatically deploy the new policy once the FMC objects have been updated.

Objects

FMC Network Object names, as shown in Figure 3, include the following items:

  1. Site prefix – SITE1 is a configurable item in the App, i.e., each ACI site can have a different prefix.
  2. Tenant name – SEC-GORANS-899053 in this case.
  3. Application Profile name – APROF
  4. EPG name – APP, WEB or DB

Figure 3: FMC Network Objects created based on ACI EPGs and discovered Endpoints

The Site Prefix is useful to uniquely identify each ACI site and its objects in FMC. This separation of objects allows a single FMC to deploy a common policy to firewalls at multiple ACI sites. Consider a VM being migrated between two data centers: FMC updates and deploys a policy that carries the same controls on the firewalls in the new data center.

Timing

As we place a firewall in the traffic path between EPGs, we need to consider how quickly an updated firewall policy takes effect. For example, consider the firewall policy in Figure 4, which allows the source WEB EPG to communicate with the destination APP EPG. As we spin up a new VM in the WEB EPG, how long does it take until it can communicate with the APP EPG VMs?

Figure 4: FMC policy rule that uses EPG Network Objects

There are 3 steps to take into account here:

  1. Periodic update by Endpoint App – every 30 seconds (or longer as configured by administrator) App checks for discrepancy in objects between APIC and FMC
  2. App performs an update to objects in FMC using APIs – usually a quick set of actions
  3. App asks FMC to deploy the new policy to FTD(s) – this task commonly takes a couple of minutes or longer, depending on the size and nature of the policy

These 3 steps can easily take a couple of minutes before the firewall allows the new WEB VM to communicate with the APP EPG.
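The naming scheme from the Objects section and the discrepancy check in step 1 above are small enough to illustrate together. The script below is an added example, not the Endpoint Update App's own code: it builds object names from the four items the article lists, groups APIC endpoints into the object contents FMC should hold, and reports only the objects whose FMC content differs, so an unchanged environment produces no object update and no policy deploy. The APIC endpoint records and the FMC object snapshot are constructed in-line so the script runs offline (the real App reads them over the APIC and FMC REST APIs), and the "-" separator between name items is an assumption; Figure 3 shows the actual format.

```python
"""Reconcile FMC Network Objects against ACI EPG endpoints (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Set

# Constructed sample of APIC endpoint records, reduced to the fields this
# example needs. The real API payload is richer (assumption).
APIC_ENDPOINTS = [
    {"tenant": "SEC-GORANS-899053", "app": "APROF", "epg": "WEB", "ip": "10.1.1.11"},
    {"tenant": "SEC-GORANS-899053", "app": "APROF", "epg": "WEB", "ip": "10.1.1.12"},
    {"tenant": "SEC-GORANS-899053", "app": "APROF", "epg": "APP", "ip": "10.1.2.21"},
    {"tenant": "SEC-GORANS-899053", "app": "APROF", "epg": "DB", "ip": "10.1.3.31"},
    # An endpoint with no learned IP yet (MAC only); it must be skipped.
    {"tenant": "SEC-GORANS-899053", "app": "APROF", "epg": "DB", "ip": ""},
]

# Constructed snapshot of the FMC Network Objects from the previous cycle:
# WEB lacks the new 10.1.1.12 VM, APP still lists a VM that has gone away.
FMC_OBJECTS = {
    "SITE1-SEC-GORANS-899053-APROF-WEB": {"10.1.1.11"},
    "SITE1-SEC-GORANS-899053-APROF-APP": {"10.1.2.21", "10.1.2.22"},
    "SITE1-SEC-GORANS-899053-APROF-DB": {"10.1.3.31"},
}


def object_name(site_prefix: str, tenant: str, app_profile: str, epg: str) -> str:
    """Build the FMC object name from site prefix, Tenant, Application
    Profile and EPG. The '-' separator is an assumption of this example."""
    return f"{site_prefix}-{tenant}-{app_profile}-{epg}"


def desired_objects(site_prefix: str, endpoints: Iterable[dict]) -> Dict[str, Set[str]]:
    """Group APIC endpoints into the object -> IP set that FMC should hold."""
    desired: Dict[str, Set[str]] = {}
    for ep in endpoints:
        if not ep["ip"]:
            continue  # nothing to place in a Network Object yet
        ip_address(ep["ip"])  # raises ValueError on a malformed address
        name = object_name(site_prefix, ep["tenant"], ep["app"], ep["epg"])
        desired.setdefault(name, set()).add(ep["ip"])
    return desired


@dataclass
class Change:
    object_name: str
    add: Set[str]     # IPs APIC knows that FMC does not yet hold
    remove: Set[str]  # IPs FMC holds that APIC no longer reports


def reconcile(desired: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[Change]:
    """Step 1 of the timing list: find objects whose FMC content differs
    from what APIC reports. Objects with no difference are left alone."""
    changes: List[Change] = []
    for name in sorted(set(desired) | set(current)):
        want = desired.get(name, set())
        have = current.get(name, set())
        if want != have:
            changes.append(Change(name, want - have, have - want))
    return changes


def needs_deploy(changes: List[Change]) -> bool:
    """Step 3 (policy deploy to FTD) is only worth asking for when step 2
    actually changed an object."""
    return bool(changes)


if __name__ == "__main__":
    plan = reconcile(desired_objects("SITE1", APIC_ENDPOINTS), FMC_OBJECTS)
    for c in plan:
        print(f"{c.object_name}: +{sorted(c.add)} -{sorted(c.remove)}")
    print("deploy required:", needs_deploy(plan))
```

Run as-is, the script reports one IP to add to the WEB object and one to remove from the APP object, leaves the DB object untouched, and flags that a deploy is required. Keeping the diff per object is what lets a 30-second polling cycle stay cheap: FMC is only touched when the data center actually changed.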

Here you can watch a video of how to set up this App for updates and apply the resulting policy to FTD: https://vimeo.com/519010777/3681482133

Future Improvements

If you have had a chance to review the new FMC 7.0 configuration guide, you will notice a new object type called Dynamic Objects.

From the FMC 7.0 config guide:

Figure 5: FMC 7.0 config guide description of the new feature: Dynamic Objects

This is very exciting! Once the next version of the App supports Dynamic Objects, the policy deploy to FTD (step 3 in our timing calculation) is no longer needed, which significantly shortens the time it takes for the firewall to apply an updated policy to EPGs. I look forward to testing the new App and writing an article on it when it is posted on dcappcenter.
