Add Cisco devices

Relevant for: AFA Administrators

This topic describes how to add Cisco devices to AFA and perform related configurations.

Add a CSM-managed Cisco device

This procedure describes how to add a Cisco device managed by a Cisco CSM. You must add each Cisco device or security context that is managed by a Cisco CSM separately, even if they are managed by the same CSM.

Note: To perform this procedure, you must have a Cisco API license for the CSM device.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Cisco > Point > Firewall via CSM (CSM 4.3 or above).

  3. Complete the fields as needed, and then click Finish.

    The new device is added to the device tree.

  4. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Back to top

Cisco IOS routers in AFA

The following sections describe how Cisco IOS routers are added to AFA:

Network connectivity

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Cisco IOS router.

Device permissions

ASMS requires the following for the user used to access your Cisco IOS routers:

Add a Cisco IOS router

This procedure describes how to add a Cisco IOS router to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Cisco > IOS Router.
  3. Complete the fields as needed.

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  5. Click Finish. The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added. The new device appears in the device tree, including any VRF devices as unique nodes.

Back to top

Cisco Nexus routers in AFA

The following sections describe how ASMS connects to Cisco Nexus routers:

Network connection

The following diagram shows the connection between an ASMS Central Manager or Remote Agent and a Cisco Nexus router over SSH.

Device permissions

To analyze Cisco Nexus router devices, ASMS requires the ability to run the following commands on the Nexus device:

  • show version
  • show interface
  • show ip interface
  • show ip access-list
  • show running-config
  • show vdc membership (For Nexus 7000 and above)
  • show vrf interface | xml
  • show vrf all interface
  • show ip route
  • show ip route vrf all
  • show vrf all
  • show bgp vpn4 unicast labels

For Nexus versions 7000 and above, ASMS must also have permissions to view all VDCs.

Add a Cisco Nexus router to AFA

This procedure describes how to add a Cisco Nexus router to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Cisco > Nexus Router.

  3. Complete the fields as needed.

  4. Click Finish. The new device is added to the device tree.
  5. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Back to top

Cisco ASA firewalls in AFA

The following sections describe how ASMS connects to Cisco ASA firewalls:

Note: All references in the ASMSDocumentation to Cisco ASA devices also refer to legacy PIX and FWSM devices. To add a new PIX or FWSM device to AFA, select ASA options.

Network connection

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Cisco ASA device:

Device permissions

ASMS requires the following permissions to connect to your Cisco ASA devices:

Add a Cisco ASA firewall

This procedure describes how to add a Cisco ASA firewall to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  2. In the vendor and device selection page, select Cisco > ASA.
  3. Complete the fields as needed.

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  5. Click Finish. The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added. Any configured contexts on the ASA device are also imported.

Back to top

Cisco Application Centric Infrastructure (ACI) devices in AFA

The following sections describe how ASMS connects to Cisco ACI devices:

Network connectivity

The following diagrams show an ASMS Central Manager or Remote Agent connecting to a Cisco ACI APIC and fabric.

Device permissions

ASMS requires the following permissions to access Cisco ACI devices:

MSO visibility in the device tree

EPG identification and supported contract scopes

Add a Cisco (ACI) to AFA

This procedure describes how to connect Cisco ACI devices to AFA. AFA always connects to Cisco ACI devices via REST.

Note:
(1) If defined Cisco ACI user has the following minimum privileges, they can perform all ASMS functionality:

  • tenant-connectivity

  • tenant-epg

  • tenant-ext-connectivity

  • tenant-security

(2) To identify service graph data in queries and change requests, you must specifically configure AFA to recognize that data. For details, see Configure support for Cisco service graphs.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Cisco > Application Centric Infrastructure (ACI).

  3. Populate the fields as follows:

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  5. Click Finish. The new device is added to the device tree.

    • ACI devices appear in the device tree in a two-tier hierarchy, including both APICs and tenants.
    • EPGs are shown with the following syntax: <application_profile>/<EPG_name>. For more details, see EPG identification and supported contract scopes.
    • Any VRFs on the map are shown with the following syntax: <Tenant_name>/<VRF_name>
    • vzAny objects are shown with the following syntax: <VRF_name>/vzAny. AFA updates the contents of these objects upon change monitoring and analysis.
    • When an APIC is managed to an MSO, see MSO visibility in the device tree.
  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added. The ACI and each ACI tenant is displayed in the device tree.

Back to top

Cisco Firepower devices in AFA

The following sections describe how ASMS connects to Cisco Firepower devices:

Note: AFA automatically identifies Cisco Firepower devices in service-chaining mode if the device has only a single interface.

If your device has multiple interfaces and service-chaining mode is not identified automatically, configure this for your device manually. For more details, see Configure one-armed mode manually.

Note: For logging engines:

AlgoSec supports Unified Syslog (SNORT) engine events for Cisco Firepower.

Network connectivity

The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Cisco Firepower device:

Device permissions

ASMS requires the following device permissions to connect to Cisco Firepower devices:

Add a Cisco Firepower

This procedure describes how to add a Cisco Firepower device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Cisco > Firepower.

  3. Complete the following fields as needed.

  1. Click Next to continue on to the FirePower - Step 2/2 page. This page lists the FTDs that are managed by the Firepower FMC.

    For example:

  2. To exclude an FTD, clear its check box in the table.

  3. Click to configure details for the selected FTDs.

    In the Direct Access Configuration, define the Host, User Name, and Password, and Baseline Profile for each FTD.

    Tip: To disable Baseline Compliance Report generation for this device, select None.

    For more details, see Customize baseline configuration profiles.

    For example:

    Click Test Connectivity to test the connections to the FTDs defined, and then click OK.

    Note: You must specify the credentials for each FTD in order for AFA to collect routing data it needs to accurately analyze the device.

  4. Select the following as needed:

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for this device.

  5. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree, and click OK.

  6. Click Finish.

    The new device is added to the device tree.

  7. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the device is added.

Back to top

Configure one-armed mode manually

AFA automatically identifies Cisco Firepower devices in one-armed mode, when the device has a single interface. If your device has multiple interfaces and one-armed mode is not identified automatically, configure this for your device manually.

Do the following:

  1. On the AFA machine, access your device configuration meta file as follows:

    /home/afa/.fa/firewalls/<device_name>/fwa.meta

    where <device_name> is the name of the device listed. If you device is listed multiple times, enter the longer name.

  2. On a new line, enter:

    is_steering_device=yes

  3. Run an analysis on the device to update the device data in AFA.

Back to top