Early availability features

This topic describes features available as Early Availability (EA) and how to enable ASMS's Early Availability features.

ASMS's Early Availability features enable you to access new functionality and support earlier than general availability. Customers partaking of Early Availability often provide invaluable feedback on the design and implementation of these features. Early Availability features have shorter QA cycles than GA features, and therefore are disabled by default.

Warning: We recommend that you do not use Early Availability features in production. They should be enabled only in testing systems, and disabled in production systems.

Cisco Meraki devices in AFA

Important: We recommend that you enable this Early Availability feature only in a lab environment.

Support for Cisco Meraki is available as an early availability (EA) feature. ASMS supports Cisco Meraki devices in EA mode as follows:

  • Policy Visibility including the following policy types:

    • Group Policy: displayed in ASMS as Layer 3 firewall Group Policy [GroupPolicyName]

    • Layer 3 Outbound rules

    • Site-to-site outbound firewall

  • Report Generation
  • Topology including VPN tunnels
  • Change History
  • Risks Calculation
  • Map Visibility
  • Regulatory Compliance
  • Traffic Simulation Query
  • Monitor Cycle

The following sections describe how ASMS connects to Cisco Meraki devices:

Network connectivity

From AFA we communicate with Meraki via Rest API over HTTPS protocol.

Device permissions

ASMS requires the API key to communicate with the Meraki via the Cisco Meraki SaaS application. The API key is preset in AFA for the Admin. See Obtaining Cisco Meraki API Key

Adding a new configuration parameter

  1. In the AFA Administration area, navigate to the Options>Advanced Configuration tab.

  2. Click Add to add a new configuration parameter, and enter the following details:

    Name ALGOSEC_EA_CISCOMERAKI
    Value

    Enter one of the following:

    • yes = Enable Meraki device support

    • no = Disable Meraki device support (default)
  3. Click OK

Obtaining Cisco Meraki API Key

The API key is needed for configuring a Meraki Account. To connect to the Meraki cloud we have to iterate the API key.

To iterate the API key we must possess the Admin user in the Meraki, as AFA does.

Obtain or create your Meraki API key as follows:

  1. Browse to the Meraki dashboard: https://account.meraki.com/secure/login/dashboard_login
  2. Login using your credentials.
  3. From your Cisco Meraki Account, in the upper right corner of screen, click on My Profile. on the user name drop down menu.
  4. Scroll down to API access/ API keys section. One or two API keys may be listed.
  5. If more than one API key is displayed, revoke at least one. Only then the Generate new API key is displayed and enabled.

  6. Click the Generate new API button that is displayed.

  1. When the new API key dialog is displayed, do the following:

    Click the copy icon to the right of the API key

    store the API key on your computer

    Click the I have stored my new API key check box

    Click Done



Note: You will be using the API key as you add your Cisco Meraki to AFA.

Add Cisco Meraki

Now that you have the API key, you can continue with the procedure below that adds the Cisco Meraki to AFA.

Do the following:

  1. In AFA, Go to Administration
  2. Click the Devices Setup tab
  3. From New drop-down, select Devices
  4. Select Cisco Meraki.
    The Step 1 of 2 form is:

  5. In the fields provided enter:
    1. Display name
      The display name must not contain spaces.
    2. Authentication key

  6. Under Geographic Distribution, select the remote agent that should perform data collection for the device. To specify that the device is managed locally, select Central Manager.This field is relevant when a Geographic Distribution architecture is configured. For more details, see Configure a distributed architecture.

  7. Click Next
    Step 2 of 2 is displayed:

  8. Select the relevant organizations of the account from the organizations listed.

  9. Select the required options:

    Real-time change monitoring

    Select this option to enable real-time change monitoring. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for this device.
  10. Click Finish

Back to top

Arista devices in ASMS

This section describes the ASMS Early Availability support for Arista devices:

Supported features in Early Availability

ASMS supports Arista EOS devices as follows:

  • Geographic Distribution Remote Agent to manage Arista EOS devices

  • VRFs separation

  • Rules visibility

  • Report Generation

  • Topology

  • Change History

  • Risks Calculation

  • Map Visibility

  • Regulatory Compliance

  • Traffic Simulation Query

  • Monitor Cycle

The following functionality is not supported:

  • Integration with FireFlow

  • Changed by (Audit Logs collection)

  • IPT and unused rules (Traffic Logs collection)

Network connectivity

The following image shows an ASMS Central Manager or Remote Agent connected to an Arista device over HTTPS-REST.

Device permissions

To analyze Arista devices, ASMS connects to Arista EOS devices using the REST-based API, ensuring high performance and efficient data collection.

ASMS requires a user with Read permissions, and a HTTPS connection over port 443.

The user must also have permissions to run the following commands via API Explorer:

  • enable
  • show version
  • show interfaces
  • show ip interface
  • show ip route vrf ( all | <vrf-name> )
  • show ip access lists
  • show ip access-lists summary
  • show vrrp vrf all all

If the REST eAPI is not yet enabled, run the following using the Arista CLI:

Arista(config)#management api http-commands

Arista(config-mgmt-api-http-cmds)#no shut

Enable / Disable early availability support for Arista

This procedure describes how to enable or disable support for Arista devices in ASMS.

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Define the parameter value as follows:

    Name ALGOSEC_EA_ARISTA
    Value

    One of the following:

    • yes = Enable Arista device support
    • no = Disable Arista device support

For more details, see Advanced Configuration. Continue with Add an Arista device to AFA.

Add an Arista device to AFA

This procedure describes how to add an Arista EOS device to AFA.

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page

  2. In the vendor device selection page, click Arista > Arista EOS.

  3. Complete the following fields:

    Host

    Enter the host name of the Arista device.

    This is the name that will be displayed in the devices tree.
    User Name Enter the username to use when accessing the device.
    Password Enter the password to use when accessing the device.
    Enable Password Enter the enable password to use when accessing the device.

    Note: In the Geographic Distribution area, you must select Central Manager.

    Arista devices cannot be managed by Remote Agents.

  4. Click Next, and then select the managed devices you want to add to AFA.

  5. Select the following as needed:

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for this device.
  6. Click Finish. The new device is added to the device tree.

  7. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

    8. A success message appears to confirm that the device is added.

Back to top

Check Point R80 Layers support for TSQ and Risks

This section provides some general information about Check Point R80 Layers in GA and EA modes for ASMS A32.10: how to enable them, how to switch between them, and some other important information for working with your Check Point R80 devices and ASMS A32.10.

Important Notes:

  1. In ASMS A32.10, Check Point R80 EA mode is activated by setting the value of the parameter ALGOSEC_EA_CKP_LAYERS_TSQ_AND_RISKS to "true".
    You can switch between EA and GA modes. See Switching modes.

  2. EA mode of Check Point R80 Layers must not be used in a production environment.

  3. When upgrading from previous ASMS versions, any EA mode flags for CKP from former ASMS versions are no longer valid.

The following table explains Check Point R8x Layers Support features in GA and EA mode:

Mode Features
GA Mode

Provides the support of Inline Layers and second and beyond Ordered Layers for:

  • Policy visibility in Report and Policy tab, including search and export

  • Change detection

  • Policy Optimization, except for Covered rules

The following features in GA mode work only for the first Ordered Layer, ignoring parent rules and Inline Layers:

  • Traffic Simulation Queries

  • Risk Analysis

  • Policy Optimization – Covered rules
EA Mode

Enables the support of Inline Layers and second and beyond Ordered Layers for:

  • Traffic Simulation Queries

  • Risk Analysis

  • Policy Optimization – Covered rules

  • Relevant API responses include layer information

Relevant API responses include layer information.

The image below shows the GA mode policy tab, with groups of Ordered and Inline Layers under clearly marked header rows:

  • In GA Mode, if a user makes a request for a change that should be done inside an Inline Layer, FireFlow will recommend adding the rule after that Inline Layer.

  • If EA Mode is enabled, FireFlow validation will fail because the Traffic Simulation Query will identify that the change should have been done in the Inline Layer.

To enable Early Availability features for CKP 80 in ASMS A32.10:

  1. In the AFA Administration area, navigate to the Options > Advanced Configuration tab.

  2. Enter the following parameter with the value true

    Tip: If the parameter ALGOSEC_EA_CKP_LAYERS_TSQ_AND_RISKS is not in the list of parameters, click Add to add a new configuration parameter:

    Name ALGOSEC_EA_CKP_LAYERS_TSQ_AND_RISKS
    Value

    Enter one of the following:

    • true = Enable this configuration parameter, enable EA
    • false Disable this configuration parameter, disable EA

  3. Click OK.

Note: After entering or switching EA/GA mode, run analysis and Clear the cache before performing TSQ for the first time after the mode change. FireFlow tickets that have not yet been implemented may require re-planning.

You can switch from EA mode to GA mode and back again as needed.

Once you have added the ALGOSEC_EA_CKP_LAYERS_TSQ_AND_RISKS parameter to enable EA mode in A32.10 for the first time, you simply change the value to "false" for GA mode or "true" for EA mode. For example -

To leave EA mode and enter GA mode, canceling the availability of the EA features:

  1. In the toolbar, click your username.
    A drop-down menu appears.

  2. Select Administration.
    The Administration page, Options tab is displayed.

  3. Click the Advanced Configuration tab.

  4. Locate the parameter ALGOSEC_EA_CKP_LAYERS_TSQ_AND_RISKS and change its value to false.

  5. Click OK.

  6. After switching between EA and GA modes:

    • Run analysis and Clear the cache.
      This must be done before performing TSQ for the first time after the mode switch.

    • Re-plan open FireFlow tickets that have not yet been implemented.

    • Restart FireFlow

When required, clear the cache via the following command in the Algosec CLI Console:

rm -rf /data/cache/query

Note: Failure to run analysis and clear the cache after switching EA/GA modes may result in incorrect Traffic Simulation Query results.

CKP R7x families will keep working same as in A32.00.

Back to top

Enable ActiveChange for MSO-managed Cisco ACI tenants

ActiveChange for Cisco ACI tenants managed by a Cisco MSO (Multi-Site Orchestrator) is available as an early availability feature.

Note: By default, ActiveChange is supported for tenants managed by an APIC.

With this early availability feature enabled, you can add, modify and remove rules from the policy directly from FireFlow.

When Cisco ACI tenants are managed by an MSO, each APIC in turn can manage one or more tenants. Each tenant contains one schema, with one or more associated templates. Schemas and templates are configured in FireFlow in order to implement ActiveChange on the device.

To enable/disable ActiveChange for MSO-managed Cisco ACI in AFA

  1. In the AFA Administration area, navigate to the Options > Advanced Configuration tab.

  2. Click ADD to add a new configuration parameter, and enter the following details

    Name AlgoSec_EA_MSO_ActiveChange
    Value

    Enter one of the following:

    • true = Enable MSO-managed Cisco ACI tenants ActiveChange support
    • false (default) = Disable MSO-managed Cisco ACI tenants ActiveChange support

  3. Click OK

Note: After switching EA/GA mode, we recommend you restart your system.

Configure ActiveChange behavior for MSO-managed Cisco ACI tenants in FireFlow

In ACI MSO, there is no default value for the schema and template. In order to implement ActiveChange for the MSO-managed Cisco ACI tenants, user-defined schema and templates are required for each tenant.

Configuration Parameter Name Value
CiscoMsoActiveChangePolicyTargets

Defines policy targets (schema and templates) for each tenant.

Format: 

{ <Apic ID/Name> : {<tenant Name> : 
{ "schema":<Schema name>, "templates":[<template1>,<template2>...]}
}}

Limitation: In this Early Availability version, if you define more than one template for a schema, ActiveChange selects only the first template in the list (defined in the FireFlow parameter CiscoACIMSOActiveChangePolicyTargets, see below).

For example, Schema Payroll has templates Detroit, Baltimore and Abu Dhabi. Since changes are applied to the MSO and deployed on the first template defined in the schema, ActiveChange only selects Detroit.

Changes will be made only on the Filters and Contracts that are defined in the template that is configured in FireFlow.
CiscoMsoActiverChangeCommit

By default, FireFlow will apply changes on the MSO and deploy the changes to the relevant MSO-managed Cisco ACI APICs. If required, you can change this so changes will be applied only to the MSO and you can manually commit the changes to the APICs later.

The value assigned to this parameter determines whether or not ActiveChange deploys changes to APICs.

The possible values are:

  • deploy (default): Changes are applied on MSO and deployed to APICs.

  • commit: Changes are only applied on MSO .

To configure ActiveChange behavior for MSO-managed Cisco ACI tenants:

  1. Switch to FireFlow.

  2. Click the Advanced Configuration tab.

    The Advanced Configuration page is displayed.

  3. In FireFlow Configuration, Click ActiveChange and filter for CiscoACIMSOActiveChangePolicyTargets or just scroll to find it.

  4. Click on the edit icon next to the current value field. Define the schema and templates for one tenant.

    For example:

    Copy 
    {
      "10_20_30_40": {
        "10_20_30_40_ActiveChangeEA": {
          "schema": "Payroll",
          "templates": [
            "Detroit",
            "Baltimore",
            "Abu Dhabi"
          ]
        }
      }
    }
  5. Click Update below the current value field to update the value.

  6. Filter for CiscoMsoActiverChangeCommit or just scroll to find it.

    Assign a value to this parameter to determine whether or not ActiveChange deploys changes to APICs.

  7. Click Update below the current value field to update the value.

  8. Click Store Changes at the top of the page.
  9. Restart FireFlow.

Back to top