ACI Endpoint Update app 2.1 – Enhancing FTD and ASA policies

Introduction

Version 2.1 of the ACI Endpoint Update app now supports updates to both FMC and ASA. This article continues the topic of the earlier version 1.3 article, found here:

All versions of this app are available on dcappcenter.cisco.com

The Endpoint Update app helps define and maintain a dynamic firewall policy in a fluid software-defined data center. It adds API orchestration between controllers/firewalls (APIC to FMC or ASA) to keep EPG policy objects up-to-date.

The new app now supports the following new features:

  • FMC Dynamic objects can be updated on their own or in parallel with Network objects
  • ASA support is added to the app with updates to EPG-based object-groups
  • A new GUI that is cleaner and more flexible for applying changes to individual devices or to a group of devices
  • Ability to enable/disable learning on a per-device basis
  • Select from a list of tenants to perform updates to FMC or ASA (as opposed to entering Tenant names)
  • Per-device connectivity test to help the user determine if FMC or ASA is reachable

Target Devices

In the screenshot below, you can find an FMC entry that is being updated and an ASA entry that has connectivity issues (indicated in orange).


To find out more, review the Audit Log tab, which shows that connectivity to the ASA is not working. In this case, no ASDM image is enabled on this ASA, and HTTP is not allowed from the APIC subnet.

Applying the asdm and http commands on the ASA turns this entry green.

asav-pbr-1(config)# asdm image flash:asdm-7141-48.bin
asav-pbr-1(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.14(1)
SSP Operating System Version 2.8(1.105)
Device Manager Version 7.14(1)
...(snip)
asav-pbr-1(config)# sh run http
http server enable
http 198.18.128.0 255.255.192.0 management
asav-pbr-1(config)# http 0 0 management
asav-pbr-1(config)#


When configuring FMC, make sure to create a new user with admin privileges. This prevents the app from logging out an existing admin user from the GUI.

Now, let's review how these two devices are configured and their resulting EPG objects.

Device Setup

FMC and ASA devices can be added using the GUI (Add Device option) or imported via JSON (Import Device List). Below is an example of the JSON for the two devices shown above. Password fields are not exported and must be updated before the device import; alternatively, import first and then edit each device to set its password.

{
    "interval": "20",
    "site_prefix": "APIC",
    "ip_1": "198.19.193.71:44330",
    "user_1": "apiuser",
    "password_1": "<hidden>",
    "tenant_1": "sec-gorans-928658",
    "type_1": "FMC",
    "networkgroup_1": true,
    "deploy_1": true,
    "status_1": "enabled|reachable|Connectivity is OK",
    "domain_1": "GLOBAL",
    "ip_2": "198.19.193.71:44342",
    "user_2": "aciadmin",
    "password_2": "<hidden>",
    "tenant_2": "sec-gorans-928658",
    "type_2": "ASA",
    "networkgroup_2": null,
    "deploy_2": null,
    "status_2": "enabled|reachable|Connectivity is OK",
    "domain_2": null
}
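To show how the flat "field_N" layout above maps onto devices, here is an added example (my own code, not part of the app) that parses an exported device list and lists what must be fixed before import, such as the "<hidden>" passwords. The sample export is constructed from the values in the article; the checks it performs are my assumptions about a sensible pre-import review, not app behaviour.

```python
import json
import re

# Constructed sample in the app's flattened "field_N" export layout (values taken
# from the article); passwords are exported as "<hidden>" and must be set before import.
SAMPLE_EXPORT = """{
    "interval": "20", "site_prefix": "APIC",
    "ip_1": "198.19.193.71:44330", "user_1": "apiuser", "password_1": "<hidden>",
    "tenant_1": "sec-gorans-928658", "type_1": "FMC", "networkgroup_1": true,
    "deploy_1": true, "status_1": "enabled|reachable|Connectivity is OK", "domain_1": "GLOBAL",
    "ip_2": "198.19.193.71:44342", "user_2": "aciadmin", "password_2": "<hidden>",
    "tenant_2": "sec-gorans-928658", "type_2": "ASA", "networkgroup_2": null,
    "deploy_2": null, "status_2": "enabled|reachable|Connectivity is OK", "domain_2": null
}"""

INDEXED_KEY = re.compile(r"^(?P<field>[a-z]+)_(?P<idx>\d+)$")

def parse_device_list(text):
    """Split the flat export into (global settings, [device dict, ...]),
    grouping every "<field>_<N>" key under device N."""
    settings, devices = {}, {}
    for key, value in json.loads(text).items():
        m = INDEXED_KEY.match(key)
        if m:
            devices.setdefault(int(m["idx"]), {})[m["field"]] = value
        else:
            settings[key] = value
    return settings, [devices[i] for i in sorted(devices)]

def import_problems(settings, devices):
    """Reasons the list is not ready to import (assumed checks): placeholder
    passwords, an FMC entry without a domain, a non-numeric interval, a duplicate target."""
    problems = []
    if not str(settings.get("interval", "")).isdigit():
        problems.append("interval must be numeric")
    seen = set()
    for n, dev in enumerate(devices, 1):
        if dev.get("password") in (None, "", "<hidden>"):
            problems.append(f"device {n} ({dev.get('ip')}): set the password before import")
        if dev.get("type") == "FMC" and not dev.get("domain"):
            problems.append(f"device {n}: FMC entry needs a domain")
        if dev.get("ip") in seen:
            problems.append(f"device {n}: duplicate target {dev.get('ip')}")
        seen.add(dev.get("ip"))
    return problems
```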

Device EP learning can be enabled or disabled on an individual basis. You may want to disable learning during device maintenance or similar periods of configuration changes. This is especially true for the FMC policy deploy (Automatic Deploy) option, where an administrator can uncheck this option for their FMC to prevent deployment of unfinished configurations during a maintenance window. Once the maintenance window is complete, you can enable learning on the FMC target device again from inside the app.

When you disable learning, you have the option to remove the objects the app has created. This helps with demos and testing of the app with FMC and ASA. Before this can succeed, those objects must be removed from the policies.


FMC setup accepts an IP or IP:port, the latter for the case where the APIC connection goes through a proxy device to reach the FMC or the ASA. You also select the configured APIC Tenant whose EPGs you want updated, and provide FMC credentials and domain. Objects can be stored in a particular domain if the FMC has its FTDs split across domains.


Note that FMC has two checkboxes. The Network Groups checkbox tells the app to configure Network Groups in addition to Dynamic Groups.

If you recall from the previous 1.3 app article, Dynamic Groups allow FMC to apply object changes without a policy deploy. In other words, if we use Dynamic Groups in the FMC ACP (access control policy), any changes the app makes to those objects apply immediately, with no need to deploy a policy.

If we use Network Objects in the FMC ACP instead, we can tell the app to deploy the policy automatically with the additional checkbox.

An ASA, much like any other device, can be added, or selected and edited.

As you can see, the ASA configuration is simpler than the FMC one.

Policy Objects

In the 2.1 app version, FMC allows two sets of objects to be updated. Network Objects require a policy deploy and can be found under Objects -> Network. In my case, I left the Site prefix at its default value of "APIC". My tenant name is "sec-gorans-928658" and the application profile name is "aprof". The last item in the object name is the EPG name.


Dynamic Objects are located under Objects -> External Attributes -> Dynamic Object. IP members are not shown in the FMC GUI; you must download the file to review which IP members each object contains. These objects are updated strictly via the FMC API.


Here is an example dynamic object downloaded directly from the FMC GUI.


ASA objects are defined as object-groups, which can be used in an ASA access-list to define the firewall policy.

asav-pbr-1# show run object-group
object-group network APIC#sec-gorans-928658#aProf#db
 network-object host 10.2.0.103
object-group network APIC#sec-gorans-928658#aProf#web
 network-object host 10.1.0.101
object-group network APIC#sec-gorans-928658#aProf#quarantine-app
 network-object host 10.1.71.102
object-group network APIC#sec-gorans-928658#aProf#app
asav-pbr-1#

Notice that the app EPG object-group is empty on the ASA, while the FMC app object shows the localhost address. This is because the app EPG has no IP endpoints. Because FMC requires that a Network Object not be empty (it must have one or more entries), the app defines a localhost IP when this object type would otherwise be empty.

On the ASA, an empty object-group definition is allowed; however, an empty object-group is not allowed in an access-list unless forward reference is enabled.

asav-pbr-1(config)#
asav-pbr-1(config)# access-list web-to-app permit ip object-group  APIC#sec-gorans-928658#aProf#web object-g APIC#sec-gorans-928658#aProf#app
ERROR: specified object group <APIC#sec-gorans-928658#aProf#app> is empty
asav-pbr-1(config)#
asav-pbr-1(config)# forward-reference enable
asav-pbr-1(config)# access-list web-to-app permit ip object-group  APIC#sec-gorans-928658#aProf#web object-g APIC#sec-gorans-928658#aProf#app
asav-pbr-1(config)#
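As an added example (my own code, not the app's), the following models the object handling described above: the shared naming convention, the localhost placeholder FMC gets for an empty EPG, the empty object-group the ASA accepts, and the forward-reference requirement when an ACL references an empty group. The EPG membership is constructed from the article's objects, and 127.0.0.1 is my assumption for the "localhost" value.

```python
# Constructed EPG membership as the app would learn it from APIC, following the
# article's objects; the "app" EPG has no endpoints, the case each firewall handles
# differently. The localhost value 127.0.0.1 is assumed from the article's "localhost".
SITE_PREFIX, TENANT, APROF = "APIC", "sec-gorans-928658", "aProf"
EPG_ENDPOINTS = {
    "web": ["10.1.0.101"],
    "db": ["10.2.0.103"],
    "quarantine-app": ["10.1.71.102"],
    "app": [],
}
FMC_EMPTY_PLACEHOLDER = "127.0.0.1"

def object_name(epg, prefix=SITE_PREFIX, tenant=TENANT, aprof=APROF):
    """Name shared by the FMC object and ASA object-group: prefix#tenant#appprofile#EPG."""
    return f"{prefix}#{tenant}#{aprof}#{epg}"

def fmc_network_members(epg):
    """FMC Network Objects cannot be empty, so an empty EPG yields the placeholder."""
    return list(EPG_ENDPOINTS[epg]) or [FMC_EMPTY_PLACEHOLDER]

def asa_object_group_config(epgs):
    """ASA allows an empty object-group, so members are emitted exactly as learned."""
    lines = []
    for epg in epgs:
        lines.append(f"object-group network {object_name(epg)}")
        lines.extend(f" network-object host {ip}" for ip in EPG_ENDPOINTS[epg])
    return "\n".join(lines)

def asa_acl_config(acl, src_epg, dst_epg):
    """ACL line referencing the two groups. The ASA rejects a reference to an empty
    group unless forward-reference is enabled, so enable it when either is empty."""
    lines = []
    if not EPG_ENDPOINTS[src_epg] or not EPG_ENDPOINTS[dst_epg]:
        lines.append("forward-reference enable")
    lines.append(f"access-list {acl} permit ip object-group {object_name(src_epg)} "
                 f"object-group {object_name(dst_epg)}")
    return "\n".join(lines)
```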

Enhanced Firewall Policy

Finally, we can define the policy based on EPG objects defined and updated by the ACI app.

FMC has two options:

  1. Using Dynamic Objects allows FMC to skip the policy deploy; the policy is applied immediately after the object update. Under rule add/edit, these are found on the Dynamic Attribute tab, listed under Dynamic Attributes.


Forcing a change in app EPG membership will not require redeploying the policy from FMC to FTD. This is the preferred object type to use in FMC because, again, updated objects have the new policy enforced immediately (no time delay as with Network Objects).

  2. Using Network Objects requires FMC to redeploy the policy to FTD because we changed objects used in the rules. These objects can easily be reviewed in the GUI. Under rule add/edit, these are found on the Networks tab.


An ASA access-list can easily use EPG object-groups, and those changes apply to the ACL immediately.

asav-pbr-1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list web-to-app; 1 elements; name hash: 0x2ac0218a
access-list web-to-app line 1 extended permit ip object-group APIC#sec-gorans-928658#aProf#web object-group APIC#sec-gorans-928658#aProf#app (hitcnt=0) 0xdafe979c
  access-list web-to-app line 1 extended permit ip host 10.1.0.101 host 10.1.71.102 (hitcnt=0) 0xe73db589
asav-pbr-1(config)#

ACI Multi-site Considerations

In ACI Multi-site deployments, you will have a set of Tenants that stretch EPGs between sites. These EPGs have the same name in both sites, while an endpoint inside them can be learned (exist) in only one site's EPG at a time. If an endpoint moves from Site-1 to Site-2, in due time the respective APICs update their EPG membership to reflect the endpoint's departure from one site EPG and arrival in the other.

When multiple fabrics or sites are deployed with their own APIC clusters, the Endpoint Update app needs to be installed at each site, and each must define the FMC with its own admin user. A unique user per site APIC cluster ensures that each app can update the FMC simultaneously. With multiple fabrics, it is desirable to use a single FMC to apply the same policy to the FTD units inspecting the stretched EPG traffic at each fabric.

To avoid an overlap between the objects of multiple fabric apps, the Site prefix option is used to create unique objects for EPGs that are stretched between ACI sites. This setting is found under the app's General Settings.


Let's consider Site-1 and Site-2 ACI fabrics, each with an install of the ACI Endpoint Update app on its APIC controller. We designate each site with a prefix in the corresponding app, and each app then creates and updates its own unique objects in the same FMC.

Below is the equivalent FMC rule you would define with ACI Multi-site stretched EPGs. To allow the app EPG to communicate with the db EPG, we must include the objects defined by each site's (fabric's) app.


FTDs applying policy to stretched EPG communication then work properly. EPGs that are not stretched are unique in FMC (only one site object exists) and are added to the policy rule as for a single site.

Lastly, we should consider the Update interval in the General Settings of each site's app. Since the duration of each update depends heavily on the number of EPGs and their endpoints, it is recommended that the admin review the FMC Audit log. After determining how long the app takes to complete an update in the current setup, set and adjust the interval appropriately (2 or 3 times the average update duration). Multiple apps updating the same FMC is not an issue as long as each app has a unique set of credentials and Site Prefix.
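To make the multi-site reasoning concrete, here is an added example (my own code, not the app's) that, given each site's learned EPGs, lists the per-site objects a rule must include, tells stretched EPGs from local ones, checks the unique-prefix and unique-user requirements, and derives an update interval from measured update durations. The two-site data, the prefixes S1/S2 and the user names are constructed assumptions, not values from the article.

```python
# Constructed two-fabric view: each site runs its own app instance with its own
# Site prefix and FMC user (the prefixes S1/S2 and user names are assumed, not from
# the article), and each only learns the endpoints present in its own fabric.
TENANT, APROF = "sec-gorans-928658", "aProf"
SITES = {
    "Site-1": {"prefix": "S1", "fmc_user": "aciapp-s1",
               "epgs": {"app": ["10.1.71.102"], "db": ["10.2.0.103"], "mgmt": ["10.9.0.5"]}},
    "Site-2": {"prefix": "S2", "fmc_user": "aciapp-s2",
               "epgs": {"app": ["10.1.71.150"], "db": []}},   # db is stretched but empty here
}

def object_name(prefix, epg, tenant=TENANT, aprof=APROF):
    return f"{prefix}#{tenant}#{aprof}#{epg}"

def rule_objects(epg, sites=SITES):
    """All FMC objects to put in a rule for this EPG: one per site that defines it,
    so a stretched EPG contributes both sites' objects and a local EPG just one."""
    return [object_name(s["prefix"], epg) for s in sites.values() if epg in s["epgs"]]

def is_stretched(epg, sites=SITES):
    return len(rule_objects(epg, sites)) > 1

def multisite_problems(sites=SITES):
    """Conditions the article requires for several apps to share one FMC:
    a unique Site prefix and a unique FMC user per site app."""
    problems = []
    prefixes = [s["prefix"] for s in sites.values()]
    users = [s["fmc_user"] for s in sites.values()]
    if len(set(prefixes)) != len(prefixes):
        problems.append("duplicate Site prefix: objects of different fabrics would collide")
    if len(set(users)) != len(users):
        problems.append("shared FMC user: site apps cannot update the FMC simultaneously")
    return problems

def suggested_interval(update_durations, factor=3):
    """Update interval from measured update durations (read from the FMC audit log):
    2 to 3 times the observed average, per the article's guidance."""
    return factor * sum(update_durations) / len(update_durations)
```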

Additional Information

  • ACI Endpoint Update app 2.1 on dcappcenter includes a video that walks through the app
  • Cisco dcloud has a lab that includes this scenario (Enhance FMC policy). This lab can be scheduled and shared with a customer by their Cisco account team.
  • Here are more videos related to ACI L4-L7 integration and this dcloud lab guide:
  1. Video-1 Review of Terminals used in HOLSEC-3002 – https://vimeo.com/519008533/ec5c23cb3a
  2. Video-2 Using Postman to register FTD VMs to FMC – HOLSEC-3002 – https://vimeo.com/519008594/386414de19
  3. Video-3 Use Postman to build FTD HA pair – HOLSEC-3002 – https://vimeo.com/519008653/29c931ee8c
  4. Video-4 Configure FTD NICS and VRFs for service graphs using Postman – HOLSEC-3002 – https://vimeo.com/519008684/af5e484bff
  5. Video-5 Review how Service Graph FTD NICs and VRFs are configured in FMC GUI – HOLSEC-3002 – https://vimeo.com/519008815/4f409c4ecc
  6. Video-6 Using Postman collection, configure ACI PBR Service Graphs for 3 contracts – HOLSEC-3004 – https://vimeo.com/519008868/5cd44e5a51
  7. Video-7 Using APIC GUI apply graph wizard, create PBR graph – HOLSEC-3002 – https://vimeo.com/519010563/0df753eeae
  8. Video-8 Using FMC, configure file policy and add it to ACP – HOLSEC-3002 – https://vimeo.com/519010610/51b142f94a
  9. Video-9 Configure RTC for APIC in FMC – HOLSEC-3002 – https://vimeo.com/519010667/3f20a43950
  10. Video-10 Test quarantine of a VM with RTC for APIC – HOLSEC-3002 – https://vimeo.com/519010716/951c1a12a7
  11. Video-11 Setup FMC app in APIC to update EPG objects in your Tenant FMC – HOLSEC-3002 – https://vimeo.com/519010777/3681482133
  12. Video-12 Using Postman, clean up previous contracts and service graphs before starting vzAny scenario – HOLSEC-3002 – https://vimeo.com/519011454/ca5a28c912
  13. Video-13 Build vzAny-to-vzAny contract with PBR service graph using Postman – HOLSEC-3002 – https://vimeo.com/519011494/0e68831277
  14. Video-14 Using APIC GUI, review how to build vzAny-to-vzAny contract with PBR service graph – HOLSEC-3002 – https://vimeo.com/519011550/a3484ce007
  15. Video-15 Using Postman, clean up vzAny contract and PBR service graph – HOLSEC-3002 – https://vimeo.com/519011604/217e563dba
  16. Video-16 Review how to clean up vzAny contract and PBR service graph in APIC GUI – HOLSEC-3002 – https://vimeo.com/519011654/2b6e5b480d
  17. Video-17 Using Postman, configure symmetric PBR with stand-alone ASAv firewalls in vzAny-to-vzAny contract – HOLSEC-3002 – https://vimeo.com/519011711/92b6c77d8f

One thought on “ACI Endpoint Update app 2.1 – Enhancing FTD and ASA policies”

  1. Great article. What happens if the APIC fails or during an upgrade? Do the endpoints get lost in FMC, or does this cause any other issue?

    Regards
