About the Cisco Secure Dynamic Attributes Connector
The Cisco Secure Dynamic Attributes Connector enables you to use service tags and categories from various cloud service platforms in Secure Firewall Management Center (management center) access control rules.
Supported connectors
We currently support:
|
CSDAC version/platform |
A.W.S. |
Git- Hub |
Google Cloud |
Azure |
Azure Service Tags |
Microsoft Office 365 |
VMware vCenter |
|---|---|---|---|---|---|---|---|
|
Version 1.1 (on-premises) |
Yes |
No |
No |
Yes |
Yes |
Yes |
Yes |
|
Version 2.0 (on-premises) |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
Cloud-delivered (Cisco Defense Orchestrator) |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
More information about connectors:
-
Amazon Web Services (AWS)
For more information, see a resource like Tagging AWS resources on the Amazon documentation site.
-
GitHub
-
Google Cloud
For more information, see Setting Up Your Environment in the Google Cloud documentation.
-
Microsoft Azure
For more information, see this page on the Azure documentation site.
-
Microsoft Azure service tags
For more information, see a resource like Virtual network service tags on Microsoft TechNet.
-
Office 365
For more information, see Office 365 URLs and IP address ranges on docs.microsoft.com.
-
VMware categories and tags managed by vCenter and NSX-T
For more information, see a resource like vSphere Tags and Attributes in the VMware documentation site.
How it works
Network constructs such as IP address are not reliable in virtual, cloud and container environments due to the dynamic nature of the workloads and the inevitability of IP address overlap. Customers require policy rules to be defined based on non-network constructs such as VM name or security group, so that firewall policy is persistent even when the IP address or VLAN changes.
You can collect these tags and attributes using dynamic attributes connector Docker containers running on an Ubuntu, CentOS, or Red Hat Enterprise Linux virtual machine. Install the dynamic attributes connector on the Ubuntu host using an Ansible collection.
The following figure shows how the system functions at a high level.
-
Connectors contain the tags and containers to query.
For example, typically these tags define dynamically allocated network and IP addresses for which you cannot create access control rules. Persisted feeds from the connectors are stored on the dynamic attributes connector for fast access.
-
Tag information is persisted on the dynamic attributes connector where you create dynamic attribute filters that define which information is important to use in access control rules.
For example, if AWS defines networks for the Accounting and Finance Departments virtual machines, you can create a dynamic attributes filter that specifies only the Finance network.
-
The adapter defined by the dynamic attributes connector receives those dynamic attributes filters as dynamic objects and enables you to use them in access control rules.
You can create the following types of adapters:
-
On-Prem Firewall Management Center for an on-premises Management Center device.
This type of Management Center device might be managed by Cisco Defense Orchestrator (CDO) or it might be a standalone.
-
Cloud-Delivered Firewall Management Center for devices managed by CDO.
-
Feedback