Add Cisco devices

Relevant for: AFA Administrators

This topic describes how to add Cisco devices to AFA and perform related configurations.

Add a CSM-managed Cisco device

This procedure describes how to add a Cisco device managed by a Cisco CSM. You must add each Cisco device or security context that is managed by a Cisco CSM separately, even if they are managed by the same CSM.

Note: To perform this procedure, you must have a Cisco API license for the CSM device.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Cisco > Point > Firewall via CSM (CSM 4.3 or above).

  3. Complete the fields as needed, and then click Finish.

    The new device is added to the device tree.

  4. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added.

Cisco Application Centric Infrastructure (ACI) devices in AFA

The following sections describe how ASMS connects to Cisco ACI devices:

Network connectivity

The following diagrams show an ASMS Central Manager or Remote Agent connecting to a Cisco ACI APIC and fabric.

Device permissions

ASMS requires the following permissions to access Cisco ACI devices:

MSO/NDO visibility in the device tree

EPG / ESG identification and supported contract scopes

Add a Cisco (ACI) to AFA

This procedure describes how to connect Cisco ACI devices to AFA. AFA always connects to Cisco ACI devices via REST.

Note:

  • ASMS requires minimal, read-only access permissions to access Cisco ACI devices and collect data.

    The user defined on the ACI APIC controller must have the following read-only privileges:

    • tenant-connectivity

    • tenant-epg

    • tenant-ext-connectivity

    • tenant-security

    • tenant-qos

    • nw-svc-policy

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Cisco > Application Centric Infrastructure (ACI).

  3. Populate the fields as follows:

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  5. Click Finish. The new device is added to the device tree.

    • ACI devices appear in the device tree in a two-tier hierarchy, including both APICs and tenants.
    • EPGs/ESGs are shown with the following syntax: <application_profile>/<EPG_name> or <application_profile>/<ESG_name>. For more details, see EPG / ESG identification and supported contract scopes.
    • Any VRFs on the map are shown with the following syntax: <Tenant_name>/<VRF_name>
    • vzAny objects are shown with the following syntax: <VRF_name>/vzAny. AFA updates the contents of these objects upon change monitoring and analysis.
    • When an APIC is managed to an MSO, see MSO/NDO visibility in the device tree.
  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added. The ACI and each ACI tenant is displayed in the device tree.

Cisco ASA firewalls in AFA

The following sections describe how ASMS connects to Cisco ASA firewalls:

Note: All references in the ASMS Documentation to Cisco ASA devices also refer to legacy PIX and FWSM devices. To add a new PIX or FWSM device to AFA, select ASA options.

See also: VALIDATE_USER_ROUTING_URT parameter which applies only to Cisco PIX.

Network connection

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Cisco ASA device:

Device permissions

ASMS requires the following permissions to connect to your Cisco ASA devices:

Add a Cisco ASA firewall

This procedure describes how to add a Cisco ASA firewall to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Cisco > ASA.
  3. Complete the fields as needed.

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  5. Click Finish. The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added. Any configured contexts on the ASA device are also imported.

Cisco Firepower devices in AFA

The following sections describe how ASMS connects to Cisco Firepower devices:

Note: AFA automatically identifies Cisco Firepower devices in service-chaining mode if the device has only a single interface.

If your device has multiple interfaces and service-chaining mode is not identified automatically, configure this for your device manually. For more details, see Configure one-armed mode manually.

Note:

For logging engines: AlgoSec supports Unified Syslog (SNORT) engine events for Cisco Firepower.

Network connectivity

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Cisco Firepower device:

Device permissions

ASMS requires the following device permissions to connect to Cisco Firepower devices:

Add a Cisco Firepower

This procedure describes how to add a Cisco Firepower device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Cisco > Firepower.

  3. Complete the following fields as needed.

  1. Click Next to continue on to the FirePower - Step 2/2 page. This page lists the FTDs that are managed by the Firepower FMC. For example:

  2. To exclude an FTD, clear its check box in the table.

  3. Click to configure details for the selected FTDs.

    In the Direct Access Configuration, define the Host, User Name, and Password, and Baseline Profile for each FTD.

    Tip: To disable Baseline Compliance Report generation for this device, select None.

    For more details, see Customize baseline configuration profiles.

    For example:

    Click Test Connectivity to test the connections to the FTDs defined, and then click OK.

    Note: You must specify the credentials for each FTD in order for AFA to collect routing data it needs to accurately analyze the device.

  4. Select the following as needed:

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for this device.

  5. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  6. Click Finish.

    The new device is added to the device tree.

  7. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added.

Cisco IOS routers in AFA

The following sections describe how Cisco IOS routers are added to AFA:

Network connectivity

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Cisco IOS router.

Device permissions

ASMS requires the following for the user used to access your Cisco IOS routers:

Add a Cisco IOS router

This procedure describes how to add a Cisco IOS router to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Cisco > IOS Router.
  3. Complete the fields as needed.

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  5. Click Finish. The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added. The new device appears in the device tree, including any VRF devices as unique nodes.

Cisco ISE devices in AFA

The following sections describe how ASMS connects to CISCO ISE devices:

Network connectivity

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Cisco ISE device.

Device permissions

ASMS connects to Cisco ISE devices via the Admin Node, using the ERS API.

To do so, ASMS requires an Administrator user with Read/Write permissions and the ERS-Operator group assignment.

Additionally, ASMS requires:

  • A REST connection over port 9060
  • Cisco ISE TrustSec SXP feature enabled for the device

Add a Cisco ISE device to AFA

This procedure describes how to add a Cisco ISE device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Cisco > CISCO ISE.
  3. Complete the fields as needed.

  4. Click Finish. The new device is added to the device tree.

  5. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added.

Cisco Meraki devices in AFA

ASMS supports Cisco Meraki devices as follows:

  • Policy Visibility including the following policy types:

    • Group Policy: displayed in ASMS as Layer 3 firewall Group Policy [GroupPolicyName]

    • Layer 3 Outbound rules

    • Site-to-site outbound firewall

  • Report Generation
  • Topology including VPN tunnels
  • Change History
  • Risks Calculation
  • Map Visibility
  • Regulatory Compliance
  • Traffic Simulation Query
  • Monitor Cycle

The following sections describe how ASMS connects to Cisco Meraki devices:

Network connectivity

From AFA we communicate with Meraki via Rest API over HTTPS protocol.

Device permissions

ASMS requires an API key to communicate with the Meraki via the Cisco Meraki SaaS application. See Add Cisco devices.

Obtaining Cisco Meraki API Key

An API key is required to add a Meraki device to ASMS.

Create your Meraki API key, as follows:

  1. Navigate to the Meraki dashboard at this address: https://account.meraki.com/secure/login/dashboard_login
  2. Login using your Meraki account credentials.
  3. From your Cisco Meraki Account, in the upper right corner of screen, click My Profile from the user name drop down menu.

  4. Scroll to the API access/ API keys section. Click the Generate new APIKey button.

    Tip: If the maximum two API keys already exist, revoke one so you can create a new one.

  5. When the new API key dialog is displayed, do the following:

    1. Click the copy icon to the right of the API key

    2. Store the API key on your computer

    3. Click the I have stored my new API key check box

    4. Click Done

      Warning: Be careful with the API Key. Treat it like you would any other password.

  6. In the Meraki Dashboard, click Organization > Setting to open the Organization Settings.

  7. Under Dashboard API Access, select the Enable access to the Cisco Meraki Dashboard API checkbox.

  8. Click Save Changes.

Add Cisco Meraki

Now that you have the API key, add the Cisco Meraki to AFA.

Do the following:

  1. In AFA, go to Administration
  2. Click the Devices Setup tab
  3. From New drop-down, select Devices
  4. Select Cisco Meraki.
    The Step 1 of 2 form appears:


  5. Enter:
    1. Display name: The display name must not contain spaces.
    2. Authentication key The API Key you have just generated.
  6. When using Geographic Distribution architecture: Under Geographic Distribution, select the remote agent that should perform data collection for the device. To specify that the device is managed locally, select Central Manager. For more details, see Configure a distributed architecture.

  7. Click Next. Step 2 of 2 appears:

    Tip: If you know which organizations you want to onboard, you can save the time needed to calculate which organizations will be greyed out as unavailable in the Available Organizations list. Do this by disabling the following config property before onboarding (located in file: /data/algosec-ms/config/ms-devicemanager-prod.properties):

    devicedriver.cisco.meraki.definition.checkOrganizationsAvailability=false

    This will enable checkboxes for all organizations regardless of their availability.

    By default, organizations that are not available are greyed out and are not selectable.

  8. Select the relevant organizations of the account from the organization names listed.

    Why can't I select an organization?

    Organizations are greyed out (unavailable) when:

    • API access is disabled for this organization: To make API requests for this organization, you must first enable API access.

    • License expired: Meraki API services are available for licensed Meraki devices only. Contact Meraki support to renew your licenses.

    • Invalid API key: The API KEY used does not have required permissions to manage the organization.

    Why can't I see an organization after on-boarding?

    After onboarding, an organization will not appear if:

    • It has no configured networks.

    • Networks in Passthrough L2 bridge mode are being skipped. To turn on network detection, see (Optional) Enable Passthrough L2 bridge mode.

    • Network has neither VLANs nor devices with configured interfaces.

    • Network does not have supported devices (only Meraki MX is supported by default).

    For more details, see the log: /data/algosec-ms/logs/ms-devicemanager.log.

  9. Select the options as required:

    Real-time change monitoring

    Select this option to enable real-time change monitoring. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions to use this device in FireFlow and AppViz.

  10. Click Finish

Reduce API Calls

When not using network clients for group policies, the number of API calls can be reduced by setting the devicedriver.cisco.meraki.datacollection.skipNetworkClients configuration parameter.

Name devicedriver.cisco.meraki.datacollection.skipNetworkClients
Value

One of the following:

  • true: Fetching Meraki network clients information is skipped.
  • false (default): Allowing full data collection.

Cisco Nexus routers in AFA

The following sections describe how ASMS connects to Cisco Nexus routers:

Network connection

The following diagram shows the connection between an ASMS Central Manager or Remote Agent and a Cisco Nexus router over SSH.

Device permissions

To analyze Cisco Nexus router devices, ASMS requires the ability to run the following commands on the Nexus device:

  • show version
  • show interface
  • show ip interface
  • show ip access-list
  • show running-config
  • show vdc membership (For Nexus 7000 and above)
  • show vrf interface | xml
  • show vrf all interface
  • show ip route
  • show ip route vrf all
  • show vrf all
  • show bgp vpnv4 unicast labels

For Nexus versions 7000 and above, ASMS must also have permissions to view all VDCs.

Add a Cisco Nexus router to AFA

This procedure describes how to add a Cisco Nexus router to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Cisco > Nexus Router.

  3. Complete the fields as needed.

  4. Click Finish. The new device is added to the device tree.
  5. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added.

Configure one-armed mode manually

AFA automatically identifies Cisco Firepower devices in one-armed mode, when the device has a single interface. If your device has multiple interfaces and one-armed mode is not identified automatically, configure this for your device manually.

Do the following:

  1. On the AFA machine, access your device configuration meta file as follows:

    /home/afa/.fa/firewalls/<device_name>/fwa.meta

    where <device_name> is the name of the device listed. If you device is listed multiple times, enter the longer name.

  2. On a new line, enter:

    is_steering_device=yes

  3. Run an analysis on the device to update the device data in AFA.