Cisco Secure Dynamic Attribute Connector

Using Dynamic Attributes in Cisco Secure Firewall Policies

Introduction

The Cisco Secure Dynamic Attributes Connector (CSDAC) is a feature of the Cisco Secure Firewall Management Center (FMC) that brings agility and intelligence into your security policy management.

**Figure 1:** Benefits of the Cisco Secure Dynamic Attribute Connector

Figure 1: Cisco Secure Dynamic Attribute Connector Benefits


CSDAC enables your firewall policy to adapt in real-time to the changes in public and private cloud workloads and business-critical SaaS applications. The Firewall Management Center and CSDAC integration simplify management through firewall policy automation by keeping the rules up-to-date without tedious manual updates and policy deployment. With CSDAC, you can centrally manage workload attribute feeds obtained from multiple public and private cloud environments, enabling firewalls to adapt to changes instantaneously to help accelerate Cisco Secure Firewall integration with your complex and dynamic environment. CSDAC provides a set of predefined connectors for importing IP prefixes of commonly used SaaS applications: Office365, GitHub, WebEx, and Zoom. You can also configure a Generic TXT connector to subscribe to IP prefix feeds in a flat text format. See the summary of supported CSDAC connectors in Figure 2.



**Figure 2:** - Cisco Secure Dynamic Attribute Connector - Supported Cloud and Public Feeds Connectors

Figure 2: - Cisco Secure Dynamic Attribute Connector - Supported Cloud and Public Feeds Connectors



CSDAC significantly improves network security with automatic endpoint attribute and contextual awareness propagation simultaneously, preventing the build-up of outdated firewall rules over time. With CSDAC the firewall policy becomes more dynamic, secure, and much easier to manage. As illustrated in Figure 3, the CSDAC discovers resources and IP addresses in the cloud and translates this information to dynamic network objects consumed by firewall deployment. The CSDAC keeps track of the changes on the cloud side and updates dynamic objects accordingly in near real time.


**Figure 1:** Cisco Secure Dynamic Attributes Connector

Figure 3: Cisco Secure Dynamic Attributes Connector


CSDAC in Action

CSDAC maps IP addresses of cloud resources to Dynamic Objects, which are then used in Access Control Policy rules. Changes in the cloud detected by CSDAC are cascaded in real-time to the FMC, and in turn, to the managed firewalls without any administrator action. CSDAC makes firewall policy dynamic, more secure, and easier to manage. Figure 4 illustrates step-by-step, how CSDAC dynamically updates firewall policy.


**Figure 2:** CSDAC Dynamic Object Update

Figure 4: CSDAC Dynamic Object Update


  1. The firewall protects a Workload and is configured with an Access Control Policy containing the dynamic object Workload_A representing cloud resources.
  2. CSDAC monitors changes to the workload constantly and detects when a new instance is spun up.
  3. CSDAC detects the workload change and evaluates the user-created attribute filters.
  4. Then CSDAC triggers a REST request to update the Workload_A dynamic attribute with the 10.0.0.5 IP address of the new server.
  5. The Firewall Management Center adds the new IP address to the dynamic object.
  6. Immediately after the Workload_A object change, the FMC pushes an update to all the managed firewalls using that object in deployed Access Control Policies. The dynamic object update happens automatically and does not require a policy deployment.
  7. The firewall updates the new IP address in Snort's identity memory and its policy to allow the new server access.

Architecture

Cisco Secure Dynamic Attributes Connector is a modular, containerized application comprised of three main components:

  • Connectors – a connector is a software interface that interacts with a public or private cloud provider to retrieve up-to-date network information, categories, and tags. CSDAC translates information provided by the connectors to Dynamic Objects used in firewall access control policies on the FMC. Architecturally the connectors are software plug-in modules installed in CSDAC, which allows the straightforward addition of new connectors in future releases.
  • Dynamic Attribute Filters – a set of conditions configured by an administrator, defining how cloud resources are mapped to Dynamic Objects. The filters are built with AND/OR boolean expressions matching attributes specific to the source Provider. For example, you can configure a Dynamic Object with VM IP addresses assigned with a particular tag in Azure or running in a specific VMWare port group.
  • Adapters – represent a secure connection to an FMC configured with Dynamic Objects by CSDAC and periodically updated with changes detected via configured cloud Connectors.

**Figure 3:** CSDAC Architecture

Figure 5: CSDAC Architecture


Dynamic objects are the cornerstone of the solution in the Firewall Management Center introduced in the Secure Firewall 7.0 release. Dynamic objects provide a new approach to building and keeping the access control policy up to date. The dynamic objects are a special flavor of network objects that can be configured and updated on-the-fly with the Firewall Management Center’s programmatic interface. With dynamic objects, the Access Control Policy is auto-updated in real-time without policy deployment.

If you want to learn more about dynamic objects watch the Cisco Secure Firewall 7.0 Release: Identity - Dynamic Objects video on the Cisco Secure Firewall YouTube channel:


Deployment Scenarios

Cisco Secure Dynamic Attribute Connector provides flexible deployment options depending on the nature of the firewall installation. You can use CSDAC in one of the three form factors:

  • Native (FMC integrated) - running as a container in Firewall Management Center.
  • Cloud-Delivered (CDO embedded) - Cisco Defence Orchestrator cloud-delivered application.
  • Standalone (on-prem) - an on-premises application running on a Linux server.

Firewall Management Center software release 7.4 and later highlights CSDAC deployment options when you navigate to Objects > External Attributes > Dynamic Objects as illustrated in (Figure 6). This quick-start page displays options, representing supported form factors, the required steps, and "how it works" pop-ups.

**Figure 6** -

Figure 6 - CSDAC Deployment Options Quick-Start Page


📘

FMC displays the quick-start page presented in Figure 6 only until the first dynamic object is configured.


Native (Integrated) with Firewall Management Center

The Firewall Management Center integrated form factor provides out-of-the-box CSDAC capabilities. The CSDAC runs as a native service within the management center and allows configuring between 10-30 connectors depending on the FMC model. You can access the CSDAC in the Integration tab as illustrated in Figure 7.

📘

The Dynamic Attributes Connector is disabled by default. Enabling CSDAC is a one time configuration.

**Figure 7** -

Figure 7 - CSDAC in Management Center User Interface

👍

CSDAC Internet connectivity

The Dynamic Attributes connector requires access to the internet to reach public cloud providers and download connector binaries. Remember to provide Firewall Management Center with either a direct or proxied Internet access.

The Dynamic Attributes Connector connects to your on-premises VMWare/NSX-T infrastructure and public providers using the management center's network interface (Figure 8).

**Figure 8** -

Figure 8 - Native (Integrated) Cisco Secure Dynamic Attributes Connector Deployment

The integrated Dynamic Attributes Connector runs as a containerized application on the Firewall Management Center. As the CSDAC shares resources with the hosting FMC, there are connector limits imposed depending on the management center.

Table 1 - Native (Integrated) CSDAC Connector Count
Management Center ModelMaximum Dynamic Attribute Connectors
FMC1600, FMCv10 connectors
FMC2600, FMCv30020 connectors
FMC460030 connector

🚧

Connector count is enforced

The maximum number of connectors is enforced by software, to ensure you stay within recommended limits. Once you configure the maximum number of connectors, the new connector button is grayed out and the management center displays a warning message.

📘

Additional memory requirements for FMCv/FMCv300

When running a virtual version of the management center (FMCv or FMCv300), remember to allocate an additional 1 GB of RAM memory for each 5 connectors configured.


You can check the status of CSDAC components running within the management center using CLI. Connect to the console of the FMC, enter expert mode, and change the directory to /usr/local/sf/csdac. Run muster-cli status command to display running core services and connector instances. In the example below you can see the list of Core Services and three connector instances in a healthy state.

Copyright 2004-2023, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Firepower Extensible Operating System (FX-OS) v2.14.0 (build 425)
Cisco Secure Firewall Management Center for VMware v7.4.0 (build 1888)

>expert
admin@fmc:~$ sudo su - root
root@fmc:~# cd /usr/local/sf/csdac/                
root@fmc:/usr/local/sf/csdac# ./muster-cli status

=============================================== CORE SERVICES ===============================================
          Name                        Command               State                   Ports                
---------------------------------------------------------------------------------------------------------
muster-bee                 /bin/sh -c /app/bee              Up      127.0.0.1:15050->50050/tcp, 50443/tcp
muster-envoy               /docker-entrypoint.sh runs ...   Up      127.0.0.1:6443->8443/tcp             
muster-local-fmc-adapter   ./docker-entrypoint.sh run ...   Up                                           
muster-ui-backend          ./docker-entrypoint.sh run ...   Up      50031/tcp                            
muster-user-analysis       ./docker-entrypoint.sh run ...   Up      50070/tcp                            

=========================== CONNECTORS AND ADAPTERS ===========================
              Name                            Command               State     Ports  
-------------------------------------------------------------------------------------
muster-connector-github.4.muster   ./docker-entrypoint.sh run ...   Up      50070/tcp
muster-connector-webex.3.muster    ./docker-entrypoint.sh run ...   Up      50070/tcp
muster-connector-zoom.3.muster     ./docker-entrypoint.sh run ...   Up      50070/tcp

👍

Native CSDAC Supports FMC High-Availability

The native Cisco Secure Dynamic Attributes Connector benefits from the high availability capabilities of the Firewall Management Center. When you deploy your management centers in high availability, a CSDAC standby instace runs on the secondary server, ready to pick up dynamic updates upon primary failure. You can run muster-cli status on the secondary FMC server to confirm the set of core services and connectors runs in the background.

Cloud-Delivered (CDO Embedded) CSDAC Deployment

The SaaS form factor provides the benefits of dynamic attribute updates without having to deploy and maintain a Linux server hosting the CSDAC application in your environment. The CSDAC application is available in Cisco Defense Orchestrator in the Tool & Services section.


**Figure 5:** Cloud-Delivered CSDAC Dashboard

Figure 9: Cloud-Delivered CSDAC Dashboard


The cloud-delivered CSDAC runs within Cisco Defence Orchestrator and can provide dynamic updates to both on-premises and cloud-delivered Firewall Management Center deployments. In the latter scenario, the communication between CSDAC and the cloud-delivered FMC is provided natively by the CDO's infrastructure as illustrated in Figure 10.


**Figure 6:** Cloud-Delivered CSDAC and Firewall Management Center

Figure 10: Cloud-Delivered CSDAC and Firewall Management Center Deployment


The communication between cloud-delivered CSDAC and the on-premises FMC, is established through a lightweight connector application, Secure Device Connector or SecureX as illustrated on Figure 11.


**Figure 8:** Cloud-Delivered CSDAC with On-Prem Firewall Management Center

Figure 11: Cloud-Delivered CSDAC with On-Prem Firewall Management Center Deployment


In order to use the cloud-delivered CSDAC with an on-premises firewall deployment, you need to add your Firewall Management Center to the Cisco Defence Orchestrator's (CDO) inventory. CDO supports two connection methods with on-premises Firewall Management Centers:

Figure 12 provides a screenshot of the initial step of the on-premises Firewall Management Center onboarding wizard in the Cisco Defense Orchestrator.


**Figure 7:** Adding On-Prem Firewall Management Center to CDO's Inventory

Figure 12: Adding On-Prem Firewall Management Center to CDO's Inventory


📘

Cloud-delivered CSDAC can support on-premises and cloud-delivered Firewall Management Center adapters at the same time.


The following video provides an overview of the cloud-delivered CSDAC along with a demo covering integration with both on-premises and cloud-delivered FMC.


Standalone (On-premises) CSDAC Deployment

The on-premises CSDAC application can be installed on the following Linux distributions:

  • Ubuntu 18.04 to 22.04.02
  • Red Hat Enterprise Linux (RHEL) 7 or 8
  • CentOS 7 Linux

The install and upgrade process is automated with Ansible Galaxy 2.9 or later and requires Python 3.6.x. The minimum requirements for the system are 4 CPUs, 8GB RAM, and 100 GB of available disk space.


👍

Best Practice

Depending on your deployment scale and the number of the connectors consider following sizing recommendation for the CSDAC host system:

Max. Connectors

Avg. Number of Filters per Connector

Number of Workloads

Recommended System Setup

50

5

20 000

4 CPUs; 8GB RAM; 100 GB disk

125

5

50 000

8 CPUs; 16GB RAM; 100 GB disk

The on-premises CSDAC is typically deployed in a Data Center in close network proximity to the Firewall Management Center as illustrated in Figure 13. Depending on the providers you want to monitor, ensure the CSDAC has network connectivity to the programmatic interfaces on the Internet or locally in your Data Center. Use the on-premises CSDAC to provide dynamic objects to on-premises and cloud-delivered Firewall Management Centers.


**Figure 5:** CSDAC On-Prem Deployment with On-Prem FMC

Figure 13: CSDAC On-Prem Deployment with On-Prem FMC Deployment


If you are integrating an on-premises CSDAC with a cloud-delivered FMC, ensure you allow outbound network access towards Cisco Defense Orchestrator on your firewalls (Figure 6). To find the your cloud-delivered Firewall Management Center's URL, open the CDO console and navigate to "Tools & Services > Firewall Management Center" and select the desired FMC instance.


**Figure 6:** CSDAC On-Prem Deployment with Cloud-Delivered FMC

Figure 14: CSDAC On-Prem Deployment with Cloud-Delivered FMC Deployment


The CSDAC Ansible collection and detailed installation instructions are available on the Ansible Galaxy space and in the video below.


Configuration

Connectors

The connectors are the modules that interface with the public and private cloud providers to retrieve information about workload resources over a secure connection. CSDAC supports the import of mappings from the following:


The new connectors are being added to CSDAC on a regular basis. Refer to Table 2 for the breakdown of supported connectors per CSDAC version and form factor.

Table 2 - CSDAC Connectors Support Matrix
CSDAC Version/PlatformAWSAWS Security GroupsAWS Service TagsAzureAzure Service TagsCisco Cyber VisionGCPGeneric TXTGitHubOffice365VMWareWebexZoom
Version 1.1 (on-premises)YES--YESYES----YESYES--
Version 2.0 (on-premises)YES--YESYES-YES-YESYESYES--
Version 2.2 (Standalone)YES--YESYES-YES-YESYESYES--
Version 2.3 (Standalone)YES--YESYES-YES-YESYESYESYESYES
Version 3.0 (Standalone)YESYESYESYESYESYESYESYESYESYESYESYESYES
Cloud-Delivered (CDO)YES--YESYES-YES-YESYES-*YESYES
Native FMC 7.4YES--YESYES-YESYESYESYESYESYESYES

* - in CDO deployments, you can use an on-premises CSDAC instance to provide VMWare sourced dynamic objects to your cloud-delivered Firewall Management Center as illustrated in **Figure 14**.


In Figure 15 below, you can see an example of a Google Cloud Platform Connector setup. The name uniquely identifies the connector instance and refers to the Dynamic Attribute Filters configuration to specify the provider for individual Dynamic Objects.


**Figure X** - Google Cloud Platform Connector

Figure 15: Google Cloud Platform Connector


The pull interval value determines the frequency at which the CSDAC reaches out to the provider for the latest list of resources. This timer directly influences how quickly your firewalls pick up changes to the Dynamic Objects used in enforcing policies. The lower the pull interval, the quicker the firewall policy gets updated.


🚧

Warning

Some providers impose limits on the number of API calls in a unit of time and may throttle CSDAC requests if the pull interval is set to a low value.


👍

Best Practice

When configuring the pull interval, ensure you find the right balance between the desired dynamic object update delay and the rate of requests supported by your providers. The CSDAC generates warnings messages when a provider throttles the requests. In such instances, gradually increase the pull interval timer to an acceptable value.


The attributes required to configure a connector are specific to the provider. Depending on the connector you are setting up, you may need a set the region where your services are deployed, as well as the API access credentials or username/password. Once you configure the required fields, you can run a connectivity test to confirm your setup is complete, and the CSDAC can reach the provider.


The Cisco Secure Dynamic Attributes Connector Configuration Guide gives a helping hand with provider-specific application account setup. In the documentation, you will find a set of step-by-step procedures for each provider supported by the CSDAC. The table below provides a list of quick links for your convenience.

Table 3 - Procedures for creating a CSDAC user with minimal permissions
ProviderProcedure for setting up an application account for CSDAC access
AWS and AWS Security Group ConnectorCreate an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
AWS Service TagsNo credentials required - CSDAC downloads IP ranges from a public Amazon URL.
Azure and Azure Service TagsCreate an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Cisco Cyber VisionConfigure an API key in the Cyber Vision management console
GCPCreate a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Generic TXTNo credentials required - CSDAC downloads IP addresses and rages from a custom HTTP/HTTPs feed.
GitHubNo credentials required - CSDAC downloads IP ranges of GitHub content, webhooks, and actions from a public GitHub's API URL.
Office365No credentials required - CSDAC downloads IP ranges of Skype for Business, Sharepoint, Exchange and Common Services from a public Microsoft's API URL.
VMWarevCenter Connector—About User Permissions and Imported Data
WebexNo credentials required - CSDAC downloads IP ranges of Webex Meetings&Messaging and Calling from a public Webex Service Prefix Feed
ZoomNo credentials required - CSDAC downloads IP ranges of Zoom components from public IP Ranges TXT Files

Once you set up a connector you can review the configuration details as well as the current status. The Connectors tab provides a list of all provider instances configured in your CSDAC as illustrated in Figure 16.


**Figure 9:** CSDAC Connectors Tab

Figure 16: CSDAC Connectors Tab


📘

Note

You can configure multiple connectors for each type AWS, Azure, GCP, and VMWare, should you have multiple public or private cloud instances of the same type.


Adapters

Adapters are secure connections to the Firewall Management Center that CSDAC uses to configure and update dynamic objects. When configuring the adapter on your on-premises CSDAC (see an example in Figure 17) you need to provide the IP address, username, and password, as well as, your FMC's trusted certificate chain.


**Figure 10:** Configuring an On-Prem Firewall Management Center Adapter

Figure 17: Configuring an On-Prem Firewall Management Center Adapter


🚧

It is strongly recommended to create a dedicated user on the FMC for the CSDAC REST API access.

📘

When running native CSDAC, adapter configuration is not available. The hosting Firewall Management Center is implicitly configured to injest dynamic objects configured in the on-board CSDAC.


Starting from the on-premises CSDAC release 2.0, you can configure an adapter connecting to the cloud-delivered FMC. The adapter setup requires a base URL and the API token, which are available in your Cisco Defense Orchestrator tenant. The step-by-step procedure is available in the CSDAC Configuration Guide in the Get Your Base URL and API Token section.

**Figure 14:** Configuring a Cloud-Delivered Firewall Management Center Adapter

Figure 18: Configuring a Cloud-Delivered Firewall Management Center Adapter


In the cloud-delivered CSDAC, you simply select the on-premises FMC from your inventory or the cloud-delivered FMC. You don't have to specify access credentials as the connection is already secured by the Cisco Defense Orchestrator management channel.


**Figure 11:** Configuring Cloud-Delivered Firewall Management Center Adapter

Figure 19: Configuring Cloud-Delivered Firewall Management Center Adapter


Dynamic Attributes Filters

The Dynamic Attribute Filters are conditions used to map public and private cloud resources to Dynamic Objects. Each filter contains:

  • The Dynamic Object name to be programmed on the Firewall Management Center
  • The source connector provides information about the workload
  • A query string defining the matching criteria for VMs and instances in which IP addresses will be dynamically added to the objects pushed to the firewalls

**Figure 12:** CSDAC Dynamic Attributes Filters Tab

Figure 20: CSDAC Dynamic Attributes Filters Tab


CSDAC pulls the list of resources using configured connectors with provider-specific meta-data. The information is made available to the administrator within the Dynamic Attribute Filter configuration in the form of Key/Value pairs. The Keys are the attributes associated with a VM or an instance running in a cloud, such as user-defined tags in AWS/Azure/GCP, network, power status, or VM name on vCenter.

In the sample condition depicted in Figure 21, the CSDAC provides a drop-down of available Keys that one can use for the vCenter connector.


**Figure 13:** Selecting Keys in a Condition

Figure 21: Selecting Keys in a Condition


After selecting a Key, CSDAC displays the available set of Values an administrator can use as the matching criteria. In Figure 22, after selecting "os" key, CSDAC provides the list of operating systems running in the VMware infrastructure.


**Figure 14:** Selecting Values in a Condition

Figure 22: Selecting Values in a Condition


You can use Equals and Contains operands, as well as, select multiple values with ANY/ALL matching logic.


**Figure 15:** Adding Multiple Values to a Condition

Figure 23: Adding Multiple Values to a Condition


CSDAC gives you the flexibility to configure a query with multiple conditions to match many Key/Value pairs at the same time.


**Figure 16:** Adding Multiple Conditions to a Query

Figure 24: Adding Multiple Conditions to a Query


Once your query is complete you can observe the list of IP addresses in the preview that match the conditions.


**Figure 17:** Dynamic Attribute Filter Preview

Figure 25: Dynamic Attribute Filter Preview


📘

Note

You cannot configure dynamic attributes filters for GitHub, Office 365, WebEx, Zoom, Azure Service Tags nor Generic TXT connectors. For these public feeds connectors, the CSDAC creates automatic filters, organizing IP prefixes into dynamic objects as per categories provided within the feeds.

Using CSDAC-Provided Objects in the Firewall Rules

CSDAC polls the cloud providers periodically for a list of available VMs/instances and their attributes. When a change in a workload is detected, CSDAC sends an update to the FMC. You can review the list of IP addresses assigned to dynamic objects in the Firewall Management Center in Objects > Object Management > External Attributes > Dynamic Object.


**Figure 18:** Viewing IP Addresses Mapped to a Dynamic Objects in Firewall Management Center

Figure 26: Viewing IP Addresses Mapped to a Dynamic Objects in Firewall Management Center


You can use Dynamic objects in the firewall rules in your Access Control Policy as both source and destination matching criteria.


**Figure 19:** Using Dynamic Objects in an Access Control Policy

Figure 27: Using Dynamic Objects in an Access Control Policy


The Firewall Management Center distributes the change to the managed firewalls seamlessly, without deploying the policy or performing a Snort reload. This way, the firewall policy remains up-to-date, without any action from the administrator and with no interruption to traffic. The updates to dynamic objects propagate to the firewall in near real time.


📚Additional Resources

Cisco Blogs:

Documentation and Configuration guides:

CSDAC videos on Cisco Secure Firewall YouTube channel:

Cisco Live! Security Sessions:


Title of the document The current suggested release is 7.4.2 Check out our new 7.6 Release Overview video.