Configure the Dynamic Attributes Connector

Install the dynamic attributes connector and configure connectors, dynamic attributes filters, and adapters to provide Secure Firewall Management Center or the with dynamic network data that can be used in access control rules.

See the following topics for more information:

Create a connector

A connector is an interface with a cloud service. The connector retrieves network information from the cloud service so the network information can be used in policies on the Secure Firewall Management Center.

We support the following:

Table 1. Supported connectors by dynamic attributes connector (CSDAC) version and platform. All versions listed are on-premises deployments.

Connector               | 1.1 | 2.0 | 2.2 | 2.3 | 3.0 | 3.1
------------------------|-----|-----|-----|-----|-----|----
AWS                     | Yes | Yes | Yes | Yes | Yes | Yes
AWS security groups     | No  | No  | No  | No  | Yes | Yes
AWS service tags        | No  | No  | No  | No  | Yes | Yes
Azure                   | Yes | Yes | Yes | Yes | Yes | Yes
Azure Service Tags      | Yes | Yes | Yes | Yes | Yes | Yes
Cisco APIC              | No  | No  | No  | No  | No  | Yes
Cisco Cyber Vision      | No  | No  | No  | No  | Yes | Yes
Generic Text            | No  | No  | No  | No  | Yes | Yes
GitHub                  | No  | No  | Yes | Yes | Yes | Yes
Google Cloud            | No  | Yes | Yes | Yes | Yes | Yes
Microsoft Office 365    | Yes | Yes | Yes | Yes | Yes | Yes
vCenter                 | Yes | Yes | Yes | Yes | Yes | Yes
Webex                   | No  | No  | No  | Yes | Yes | Yes
Zoom                    | No  | No  | No  | Yes | Yes | Yes

Amazon Web Services connector—About user permissions and imported data

The dynamic attributes connector imports dynamic attributes from AWS to Secure Firewall Management Center for use in policies.

Dynamic attributes imported

We import the following dynamic attributes from AWS:

  • Tags, user-defined key-value pairs you can use to organize your AWS EC2 resources.

    For more information, see Tag your EC2 Resources in the AWS documentation.

  • IP addresses of virtual machines in AWS.

Minimum permissions required

The dynamic attributes connector requires a user at minimum with a policy that permits ec2:DescribeTags, ec2:DescribeVpcs, and ec2:DescribeInstances to be able to import dynamic attributes.

Create an AWS user with minimal permissions for the dynamic attributes connector

This task discusses how to set up a service account with minimum permissions to send dynamic attributes to Secure Firewall Management Center. For a list of these attributes, see Amazon Web Services connector—About user permissions and imported data.

Before you begin

You must already have set up your Amazon Web Services (AWS) account. For more information about doing that, see this article in the AWS documentation.

Procedure

Step 1

Log in to the AWS console as a user with the admin role.

Step 2

From the Dashboard, click Security, Identity & Compliance > IAM.

Step 3

Click Access Management > Users.

Step 4

Click Add Users.

Step 5

In the User Name field, enter a name to identify the user.

Step 6

Click Access Key - Programmatic Access.

Step 7

At the Set permissions page, click Next without granting the user access to anything. You can grant user access later.

Step 8

Add tags to the user if desired.

Step 9

Click Create User.

Step 10

Click Download .csv to download the user's access key ID and secret access key to your computer.

Note

This is the only opportunity you have to retrieve the secret access key. Keep the file where only the people configuring the connector can read it, delete it after you have entered the keys into the connector, and create a new access key (and deactivate the old one) if the file is ever exposed.

Step 11

Click Close.

Step 12

At the Identity and Access Management (IAM) page in the left column, click Access Management > Policies.

Step 13

Click Create Policy.

Step 14

On the Create Policy page, click JSON.

Create a JSON policy

Step 15

Enter the following policy in the field:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeTags",
				"ec2:DescribeInstances",
				"ec2:DescribeVpcs"
			],
			"Resource": "*"
		}
	]
}

Step 16

Click Next.

Step 17

Click Review.

Step 18

On the Review Policy page, enter the requested information and click Create Policy.

Step 19

On the Policies page, enter all or part of the policy name in the search field and press Enter.

Step 20

Click the policy you just created.

Step 21

Click Actions > Attach.

Step 22

If necessary, enter all or part of the user name in the search field and press Enter.

Step 23

Click Attach Policy.


What to do next

Create an AWS connector.
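Before attaching the policy, it is worth checking that what was pasted is actually the minimal policy and not something broader. The following is an added example, not code from the Cisco documentation: it audits an IAM policy document against the three read-only EC2 actions listed above. MINIMAL_POLICY is the policy from the procedure; BROAD_POLICY is a constructed over-privileged variant of the kind the check is meant to catch.

```python
"""Audit an IAM policy document for the dynamic attributes connector.

Added example; not code from the Cisco documentation. It checks that a
policy grants exactly the three read-only EC2 actions the page lists
and nothing broader. MINIMAL_POLICY is the policy from the procedure;
BROAD_POLICY is a constructed over-privileged variant.
"""
import json

# The only actions the connector needs (IAM action names are case-insensitive).
REQUIRED_ACTIONS = frozenset(
    a.lower() for a in ("ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeVpcs")
)

MINIMAL_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeVpcs"],
    "Resource": "*"
  }]
}"""

# Constructed: what a hurried operator might paste instead of the policy above.
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ListUsers"], "Resource": "*"}
  ]
}"""


def _as_list(value):
    """IAM accepts either a string or a list in Statement, Action and similar fields."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> list[str]:
    """Return findings; an empty list means the policy is least-privilege for this connector."""
    findings = []
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they never widen it
        if "NotAction" in stmt:
            findings.append("NotAction allows everything except the listed actions; "
                            "use an explicit Action list")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants far more than the "
                                "Describe calls the connector needs")
            elif action.lower() not in REQUIRED_ACTIONS:
                findings.append(f"action {action!r} is not needed by the connector")
            else:
                granted.add(action.lower())
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing required actions: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    print("minimal policy:", audit_policy(MINIMAL_POLICY) or "OK")
    for finding in audit_policy(BROAD_POLICY):
        print("broad policy:", finding)
```

The check does not complain about "Resource": "*", because the EC2 Describe* actions do not support resource-level permissions; the least privilege here comes entirely from the action list. If you want to tie the key to the connector host, an IAM Condition on aws:SourceIp restricting the key to the connector's egress address is a further narrowing the audit above does not require.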

Create an AWS connector

This task discusses how to configure a connector that sends data from AWS to the Secure Firewall Management Center for use in policies.

Before you begin

Create a user with at least the privileges discussed in Create an AWS user with minimal permissions for the dynamic attributes connector.

Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from AWS.

Region

(Required.) Enter your AWS region code.

Access Key

(Required.) Enter your access key.

Secret Key

(Required.) Enter your secret key.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Amazon Web Services Security Groups connector—About user permissions

The dynamic attributes connector imports dynamic attributes from AWS to Secure Firewall Management Center for use in policies.

Minimum permissions required

The dynamic attributes connector requires a user at minimum with a policy that permits ec2:DescribeTags, ec2:DescribeVpcs, and ec2:DescribeInstances to be able to import dynamic attributes.

To create the user and its access key, follow Create an AWS user with minimal permissions for the dynamic attributes connector; the same policy applies. Then create an AWS Security Groups connector.

Create an AWS Security Groups connector

This task discusses how to configure a connector that sends AWS security groups data to the Secure Firewall Management Center for use in policies.

Before you begin

Create an AWS user with at least the privileges discussed in Create an AWS user with minimal permissions for the dynamic attributes connector.

Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from AWS.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Region

(Required.) Enter your AWS region code.

AWS Access Key

(Required.) Enter your access key.

AWS Secret Key

(Required.) Enter your secret key.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Create an AWS service tags connector

This topic discusses how to create a connector that sends Amazon Web Services (AWS) service tag IP ranges to the Secure Firewall Management Center for use in policies.

For more information, see resources like the following on the AWS documentation site:

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

URL

(Required.) Do not change the URL unless advised to do so.

Step 5

Click Test and make sure Test connection succeeded is displayed before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Azure connector—About user permissions and imported data

The dynamic attributes connector imports dynamic attributes from Azure to Secure Firewall Management Center for use in policies.

Dynamic attributes imported

We import the following dynamic attributes from Azure:

  • Tags, key-value pairs associated with resources, resource groups, and subscriptions.

    For more information, see this page in the Microsoft documentation.

  • IP addresses of virtual machines in Azure.

Minimum permissions required

The dynamic attributes connector requires an identity (the app registration created in the next topic) with at least the Reader role on the subscription to be able to import dynamic attributes.

Create an Azure user with minimal permissions for the dynamic attributes connector

This task discusses how to set up a service account with minimum permissions to send dynamic attributes to Secure Firewall Management Center. For a list of these attributes, see Azure connector—About user permissions and imported data.

Before you begin

You must already have a Microsoft Azure account. To set one up, see this page on the Azure documentation site.

Procedure

Step 1

Log in to the Azure Portal as the owner of the subscription.

Step 2

Click Azure Active Directory.

Step 3

Find the instance of Azure Active Directory for the application you want to set up.

Step 4

Click Add > App registration.

Step 5

In the Name field, enter a name to identify this application.

Step 6

Enter other information on this page as required by your organization.

Step 7

Click Register.

Step 8

On the next page, write down or copy the Client ID (also referred to as application ID) and the tenant ID (also referred to as the directory ID).

A sample follows.

Make note of the application and tenant ID

Step 9

Next to Client Credentials, click Add a certificate or secret.

Step 10

Click New Client Secret.

Step 11

Enter the requested information (a description and an expiration period) and click Add. Record the expiration date: the connector's authentication fails once the secret expires, so you must create a new secret and update the connector before then.

Step 12

Copy the value of the Value field to the clipboard. This value, and not the Secret ID, is the client secret.

Copy the client secret to the clipboard now because you will not see it again

Step 13

Go back to the main Azure Portal page and click Subscriptions.

Step 14

Click the name of your subscription.

Step 15

Copy the subscription ID to the clipboard.

Copy the subscription ID to the clipboard

Step 16

Click Access Control (IAM).

Step 17

Click Add > Add role assignment.

Step 18

Click Reader and click Next.

Step 19

Click Select Members.

Step 20

On the right side of the page, click the name of the app you registered and click Select.

Associate the role with your app

Step 21

Click Review + Assign and follow the prompts to complete the action.


What to do next

See Create an Azure connector.

Create an Azure connector

This task discusses how to create a connector to send data from Azure to Secure Firewall Management Center for use in policies.

Before you begin
Create an Azure user with at least the privileges discussed in Create an Azure user with minimal permissions for the dynamic attributes connector.
Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from Azure.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Subscription Id

(Required.) Enter your Azure subscription ID.

Tenant Id

(Required.) Enter your tenant ID.

Client Id

(Required.) Enter your client ID.

Client Secret

(Required.) Enter your client secret.

Step 5

Click Test and make sure Test connection succeeded is displayed before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Create an Azure Service Tags connector

This topic discusses how to create a connector for Azure service tags to the Secure Firewall Management Center for use in policies. The IP addresses associated with these tags are updated every week by Microsoft.

For more information, see Virtual network service tags on Microsoft TechNet.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from Azure.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Subscription Id

(Required.) Enter your Azure subscription ID.

Tenant Id

(Required.) Enter your tenant ID.

Client Id

(Required.) Enter your client ID.

Client Secret

(Required.) Enter your client secret.

Step 5

Click Test and make sure Test connection succeeded is displayed before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Cisco APIC connector

The following topics discuss how to configure the Cisco APIC Integration with the Secure Firewall Management Center.

Requirements and prerequisites for

Following are requirements and prerequisites to use Cisco APIC to send dynamic objects to ASA:

  • Network communication: All of the following must be able to communicate with each other securely:

    • ASA 9.16 and later

    • Cisco APIC 4.2(7q) and later

    • Dynamic Attributes Connector virtual machine, version 3.1 and later

  • ASA requirements

    • License: Essentials

      For more information about licensing, see Smart Software Licensing.

    • FQDN: Supported

    • Multi-context: Supported

    • Multi-instance: Supported

    • High availability: Supported

    • Clustering: Supported

  • Permissions required:

    • ASA: privilege 15

    • Cisco APIC: at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain

More information

For more information about the , see About the integration with ASA.

System requirements for the integration with Cisco APIC

Your system must meet the following requirements:

  • Secure Firewall Management Center version: 10.0.0 and later.

    Essentials license or better required; high availability is supported.

  • Firewall Threat Defense version: 7.2 and later.

  • Cisco APIC version: 3.0(1k) or later.

  • If you use the ACI Endpoint Update App, it must be version 2.6.

Get required information for the integration

This section discusses:

  • Information required to configure the integration

  • Information used in dynamic object names

Cisco ACI Endpoint Update App site prefix and update interval

This information applies to you only if you're currently using the Cisco ACI Endpoint Update App; otherwise, you can skip it.

To find the Cisco ACI Endpoint Update App site prefix and update interval:

  1. Log in to Cisco APIC as a user with admin privileges.

    For more information, see APIC Roles and Privileges Matrix.

  2. Click Apps.

  3. Under ACI Endpoint Update app, click Open.

  4. Click Edit (edit icon).

  5. Write down the values of Update Interval (In seconds) and Site Prefix.

Required to configure the integration: Find a user with appropriate access

To find a user with at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain:

  1. Log in to Cisco APIC.

  2. Click Admin.

  3. In the left pane, click Users.

  4. In the right pane, double-click the name of a user.

  5. Scroll to Security Domains.

  6. For the relevant security domain, make sure the user has at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain, as the following figure shows.

    Verify the Cisco APIC user defined for the connector has at least the read-all role with readPriv access and the tenant-admin role with writePriv access for retrieving objects from tenants for the relevant security domain

Cisco APIC tenant name

The Cisco APIC tenant name is used in the names of dynamic objects created by this integration. To find it:

  1. Log in to Cisco APIC.

  2. Click Tenants.

  3. Write down the name of the tenant that contains objects to send to .

Cisco APIC application profile name

The Cisco APIC application profile name is used in the names of dynamic objects created by this integration. To find it:

  1. Log in to Cisco APIC.

  2. Click Tenants.

  3. Double-click the name of your tenant.

  4. Expand your tenant.

  5. Expand Application Profiles.

  6. Write down the name of the application profile that contains EPGs and ESGs to integrate with ASA.

EPG name

The Cisco APIC EPG name is used in the names of dynamic objects created by this integration. To find it:

  1. Log in to Cisco APIC.

  2. Click Tenants.

  3. Double-click the name of your tenant.

  4. Expand your tenant.

  5. Expand Application Profiles.

  6. Expand the name of the application profile.

  7. Expand Application EPGs.

  8. Write down the name of the EPG or ESG that has network object groups to send to ASA.

    The following figure shows an example.

    Shows how to locate application EPGs and endpoint security groups in the Cisco APIC console

Example

The following figure shows the values in Cisco APIC.

Sample Cisco APIC management console that shows where to find the tenant name, application profile names, and EPG names

Create a Cisco APIC connector

This topic discusses creating a Cisco APIC connector that gets network object groups from a configured endpoint group (EPG) on Cisco APIC.

Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 60 seconds.) Interval at which IP mappings are retrieved from Cisco APIC.

We recommend setting this to 15 seconds.

IP or Hostname

Enter the fully-qualified domain name or IP address of the Cisco APIC server from which to retrieve network object groups from EPGs and ESGs.

Do not enter a scheme (such as https://) and do not include a trailing slash.

Add another cluster IP

(Optional.) Enter the IP address of other servers in the Cisco APIC cluster.

Username

Enter the name of a Cisco APIC user with at least the read-all role with readPriv access and the tenant-admin role with writePriv access for the security domain.

Objects from all tenants the user has privileges to can be pushed to .

Password

Enter the user's password.

Server Certificate

(Recommended if using fully-qualified domain name.)

You have the following options:

  • Paste the certificate authority (CA) chain you got as discussed in .

  • Click Get Certificate > Fetch to automatically fetch the certificate or, if that is not possible, get the certificate manually as discussed in .

  • Click Get Certificate > Browse from file to upload a certificate chain you downloaded previously.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


What to do next

Create an ASA adapter

Manually get a certificate authority (CA) chain

In the event you cannot automatically fetch the certificate authority chain, use one of the following browser-specific procedures to get a certificate chain used to connect securely to vCenter, Firewall Management Center, Cisco APIC, or .

The certificate chain is the root certificate and all subordinate certificates.

You can optionally use one of these procedures to connect to the following:

  • vCenter or NSX

  • Firewall Management Center

  • Cisco APIC

Get a Certificate Chain—Mac (Chrome and Firefox)

Use this procedure to get a certificate chain using the Chrome and Firefox browsers on Mac OS.

  1. Open a Terminal window.

  2. Enter the following command.

    security verify-cert -P url[:port]

    where url is the URL (including scheme) to vCenter, Firewall Management Center, Cisco APIC, or . For example:

    security verify-cert -P https://myvcenter.example.com

    If you access vCenter, Firewall Management Center, Cisco APIC, or using NAT or PAT, you can add a port as follows:

    security verify-cert -P https://myvcenter.example.com:12345

  3. Save the entire certificate chain to a plaintext file.

    • Include all -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters.

    • Exclude any extraneous text (for example, the name of the certificate and any text contained in angle brackets (< and >), as well as the angle brackets themselves).

  4. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or .

Get a Certificate Chain—Windows Chrome

Use this procedure to get a certificate chain using the Chrome browser on Windows.

  1. Log in to vCenter, Firewall Management Center, Cisco APIC, or using Chrome.

  2. In the browser address bar, click the lock to the left of the host name.

  3. Click Certificate.

  4. Click the Certification Path tab.

  5. Click the top (that is, first) certificate in the chain.

  6. Click View Certificate.

  7. Click the Details tab.

  8. Click Copy to File.

  9. Follow the prompts to create a CER-formatted certificate file that includes the entire certificate chain.

    When you're prompted to choose an export file format, click Base 64-Encoded X.509 (.CER) as the following figure shows.

    In the Certificate Export Wizard, select Base 64 encoded X.509 and export the certificate

  10. Follow the prompts to complete the export.

  11. Open the certificate in a text editor.

  12. Repeat the process for all certificates in the chain.

    You must paste each certificate in the text editor in order, first to last.

  13. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or .

Get a Certificate Chain—Windows Firefox

Use the following procedure to get a certificate chain for the Firefox browser on either Windows or Mac OS.

  1. Log in to vCenter, Firewall Management Center, Cisco APIC, or . using Firefox.

  2. Click the lock to the left of the host name.

  3. Click the right arrow (Show connection details). The following figure shows an example.

    In Firefox, show the connection details to see the certificate being used to connect to the FMC

  4. Click More Information.

  5. Click View Certificate.

  6. If the resulting dialog box has tab pages, click the tab page corresponding to the top-level CA.

  7. Scroll to the Miscellaneous section.

  8. Click PEM (chain) in the Download row. The following figure shows an example.

    Get the PEM chain to configure the FMC adapter

  9. Save the file.

  10. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or ASA.
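Whichever of the procedures above you use, the end product is the same: a text file containing only the PEM certificate blocks, in order, with nothing else. The following is an added example, not code from the Cisco documentation, that performs that clean-up on pasted output and checks each block decodes. SAMPLE_DUMP is constructed to resemble annotated `security verify-cert -P` output; its certificate bodies are short placeholder base64 strings, not real certificates.

```python
"""Normalize a pasted certificate chain for the connector's Server Certificate field.

Added example; not code from the Cisco documentation. Keeps every
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- block, drops
everything else (certificate names, text in angle brackets, tool
chatter), and checks that each block is decodable base64 that starts
like a DER certificate. SAMPLE_DUMP is constructed; its bodies are
placeholder base64, not real certificates.
"""
import base64
import binascii
import re
import textwrap

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed: looks like a chain dump with the annotations the procedure says to remove.
SAMPLE_DUMP = """\
Certificate chain for https://apic.example.com
<leaf: CN=apic.example.com, serial 01>
-----BEGIN CERTIFICATE-----
MIIBCg==
-----END CERTIFICATE-----
<issuer: CN=Example Internal CA>
  -----BEGIN CERTIFICATE-----
  MIIB
  Cw==
  -----END CERTIFICATE-----
...certificate verification successful.
"""


def extract_pem_chain(text: str) -> list[bytes]:
    """Return the DER bytes of each certificate, in the order they appear in the text."""
    ders = []
    for body in _PEM_BLOCK.findall(text):
        b64 = "".join(body.split())  # drop line breaks and any indentation
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {len(ders) + 1}: bad base64 ({exc})")
        # Every DER-encoded X.509 certificate is an ASN.1 SEQUENCE, tag byte 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError(f"certificate {len(ders) + 1}: not a DER certificate")
        ders.append(der)
    if not ders:
        raise ValueError("no certificate blocks found")
    return ders


def normalize_chain(text: str) -> str:
    """Re-emit the chain as clean PEM: one block after another, 64-column base64 lines."""
    blocks = []
    for der in extract_pem_chain(text):
        body = base64.b64encode(der).decode("ascii")
        blocks.append("-----BEGIN CERTIFICATE-----\n"
                      + textwrap.fill(body, 64)
                      + "\n-----END CERTIFICATE-----")
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(normalize_chain(SAMPLE_DUMP), end="")
```

The function preserves the order of the blocks it finds, so paste them leaf first and root last as the procedures require; it does not parse the certificates and cannot reorder them for you. On any host with OpenSSL, `openssl s_client -connect host:443 -showcerts </dev/null` prints the chain the server presents and is a convenient input for this clean-up when a browser is not available.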

Create a Cisco Cyber Vision connector

This task discusses how to send data from Cisco Cyber Vision to the Secure Firewall Management Center.

Before you begin

Cisco Cyber Vision must be reachable from the machine on which the dynamic attributes connector is running. You must know its IP address, port, and API key.

To find the API key in the Cyber Vision management console, click Admin > API > Token, then click Show to display the token and to copy the token to the clipboard.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Cyber Vision Prefix

Enter an alphanumeric string that identifies dynamic objects from this Cyber Vision instance when they are sent to Secure Firewall Management Center. The prefix lets you tell apart objects that come from different Cyber Vision instances.

If you have only one Cyber Vision instance, you can enter any value, such as 1.

Pull Interval

(Default 60 seconds.) Interval at which data mappings are retrieved from Cyber Vision.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Host

(Required.) Enter the Cyber Vision fully qualified host name or IP address.

Port

(Required.) Enter the Cyber Vision listen port.

Token

(Required.) Enter the API token.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Create a generic text connector

This task discusses how to create an ad hoc list of IP addresses you maintain manually and retrieve at an interval you select (30 seconds by default). You can update the list of addresses anytime you want.

Before you begin

Create one or more text files containing IP addresses and put them on a web server that the dynamic attributes connector can reach. Entries can be single IP addresses or networks in CIDR notation. Each line of the file must contain exactly one entry and nothing else.

For example, you might have one list of IP addresses for an "allow list" in access control rules and another list for a "block list" in access control rules.

You can specify up to 10,000 IP addresses per text file.
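Because entries in these files end up directly in access control rules, a malformed line or a stray catch-all prefix is worth catching before the file is published rather than after the firewall picks it up. The following is an added example, not code from the Cisco documentation: a validator for the feed format described above (one entry per line, IP address or CIDR, at most 10,000 entries) that also flags duplicates and 0.0.0.0/0-style entries, which the page does not mention but which an allow or block list should never contain silently. SAMPLE_FEED is constructed from documentation address ranges.

```python
"""Validate a text feed before publishing it for the generic text connector.

Added example; not code from the Cisco documentation. Enforces the format
the page states (one entry per line, plain IP addresses or CIDR networks,
at most 10,000 entries per file) and additionally flags duplicates and
catch-all prefixes. SAMPLE_FEED is constructed.
"""
import ipaddress

MAX_ENTRIES = 10_000  # per-file limit stated in the documentation

# Constructed feed: four good entries followed by five mistakes.
SAMPLE_FEED = """\
198.51.100.7
203.0.113.0/24
2001:db8::/32
2001:db8::1
198.51.100.7 203.0.113.9
10.0.0.300
192.0.2.5/24
0.0.0.0/0
198.51.100.7
"""


def validate_feed(text: str) -> tuple[list[str], list[str]]:
    """Return (accepted lines, problems). Publish the file only if problems is empty."""
    accepted, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            problems.append(f"line {lineno}: empty line")
            continue
        if any(ch.isspace() for ch in line) or "," in line:
            problems.append(f"line {lineno}: more than one value on the line: {raw!r}")
            continue
        try:
            # strict=True rejects 192.0.2.5/24 (host bits set): such an entry is
            # ambiguous about whether the host or the whole network was intended.
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if net.prefixlen == 0:
            problems.append(f"line {lineno}: {line} matches every address and is almost "
                            "certainly not intended in an allow or block list")
            continue
        if net in seen:
            problems.append(f"line {lineno}: duplicate of an earlier entry: {line}")
            continue
        seen.add(net)
        accepted.append(line)
    if len(accepted) > MAX_ENTRIES:
        problems.append(f"{len(accepted)} entries exceed the {MAX_ENTRIES} per-file limit")
    return accepted, problems


if __name__ == "__main__":
    good, bad = validate_feed(SAMPLE_FEED)
    print(f"{len(good)} entries accepted")
    for problem in bad:
        print("problem:", problem)
```

Run it against each file before you publish it, and again whenever the file is edited; the connector will re-fetch the file at the next pull interval, so a bad edit reaches the firewall within seconds.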

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter the following information:

Item

Description

Name

Enter a name to identify the connector.

Description

(Optional.) Enter a description

Pull Interval

Change the frequency, in seconds, at which the dynamic attributes connector retrieves IP addresses from the text file. The default is 30 seconds.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

URLs

Enter a URL from which to retrieve IP addresses.

Add another URL

(Optional.) Click the link to add more URLs to an existing list.

Username

(Optional.) If the server on which the text file is located requires authentication, enter the user's name in this field.

The connector uses Basic authentication, which sends the user name and password in the clear unless the connection is over TLS. If you use authentication, use an https:// URL and, where needed, supply the server's certificate chain in the Certificate field.

Password

(Optional.) Enter the user's password.

Certificate

(Optional.) If a certificate chain is required for a secure connection to the web server, you have the following options:

  • Click Get Certificate > Fetch to automatically fetch the certificate or, if that is not possible, get the certificate manually as discussed in Manually get a certificate authority (CA) chain.

  • Click Get Certificate > Browse from file to upload a certificate chain you downloaded previously.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Create a GitHub connector

This section discusses how to create a GitHub connector that sends data to the Secure Firewall Management Center for use in policies. The IP address ranges are published and maintained by GitHub, so you do not have to create a dynamic attributes filter.

For more information, see About GitHub's IP addresses.

Note

Do not change the URL because doing so will fail to retrieve any IP addresses.


Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add (the add icon), then click the name of the connector.

  • Edit or delete a connector: click More (the more icon) at the end of the row, then click Edit or Delete.

Step 4

Enter a Name and an optional description.

Step 5

(Optional.) In the Pull Interval field, change the frequency, in seconds, at which the dynamic attributes connector retrieves IP addresses from GitHub. The default is 21,600 seconds (6 hours).

Step 6

Click Test and make sure the test succeeds before you save the connector.

Step 7

Click Save.

Step 8

Make sure Ok is displayed in the Status column.


Google Cloud connector—About user permissions and imported data

The dynamic attributes connector imports dynamic attributes from Google Cloud to Secure Firewall Management Center for use in policies.

Dynamic attributes imported

We import the following dynamic attributes from Google Cloud:

  • Labels, key-value pairs you can use to organize your Google Cloud resources.

    For more information, see Creating and Managing Labels in the Google Cloud documentation.

  • Network tags, key-value pairs associated with an organization, folder, or project.

    For more information, see Creating and Managing Tags in the Google Cloud documentation.

  • IP addresses of virtual machines in Google Cloud.

Minimum permissions required

The dynamic attributes connector requires a user at minimum with the Basic > Viewer permission to be able to import dynamic attributes.

Create a Google Cloud user with minimal permissions for the dynamic attributes connector

This task discusses how to set up a service account with minimum permissions to send dynamic attributes to Secure Firewall Management Center. For a list of these attributes, see Google Cloud connector—About user permissions and imported data.

Before you begin

You must already have set up your Google Cloud account. For more information about doing that, see Setting Up Your Environment in the Google Cloud documentation.

Procedure

Step 1

Log in to your Google Cloud account as a user with the owner role.

Step 2

Click IAM & Admin > Service Accounts > Create Service Account.

Step 3

Enter the following information:

  • Service account name: A name to identify this account; for example, CSDAC.

  • Service account ID: Should be populated with a unique value after you enter the service account name.

  • Service account description: Enter an optional description.

For more information about service accounts, see Understanding Service Accounts in the Google Cloud documentation.

Step 4

Click Create and Continue.

Step 5

Follow the prompts on your screen until the Grant users access to this service account section is displayed.

Step 6

Grant the user the Basic > Viewer role.

Step 7

Click Done.

A list of service accounts is displayed.

Step 8

Click More (more icon) at the end of the row of the service account you created.

Step 9

Click Manage Keys.

Step 10

Click Add Key > Create New Key.

Create a new key for your user

Step 11

Click JSON.

Step 12

Click Create.

The JSON key is downloaded to your computer.

Step 13

Keep the key handy when you configure the GCP connector.


What to do next

See Create a Google Cloud connector.

Create a Google Cloud connector

Before you begin

Have your Google Cloud JSON-formatted service account data ready; it's required to set up the connector.

Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add icon (add icon), then click the name of the connector.

  • Edit or delete a connector: Click More (more icon), then click Edit or Delete at the end of the row.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from Google Cloud.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

GCP region

(Required.) Enter the GCP region in which your Google Cloud is located. For more information, see Regions and Zones in the Google Cloud documentation.

Service account

Paste the JSON code for your Google Cloud service account.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Create an Office 365 connector

This task discusses how to create a connector for Office 365 tags to send data to the Secure Firewall Management Center for use in policies. The IP addresses associated with these tags are updated every week by Microsoft. You do not have to create a dynamic attributes filter to use the data.

For more information, see Office 365 URLs and IP address ranges on docs.microsoft.com.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add icon (add icon), then click the name of the connector.

  • Edit or delete a connector: Click More (more icon), then click Edit or Delete at the end of the row.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from Office 365.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Base API URL

(Required.) Enter the URL from which to retrieve Office 365 information, if it's different from the default. For more information, see Office 365 IP Address and URL web service on the Microsoft documentation site.

Instance name

(Required.) From the list, click an instance name. For more information, see Office 365 IP Address and URL web service on the Microsoft documentation site.

Disable optional IPs

(Required.) Enter true or false.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


vCenter connector—About user permissions and imported data

The Dynamic Attributes Connector imports dynamic attributes from vCenter to Secure Firewall Management Center for use in policies.

Dynamic attributes imported

We import the following dynamic attributes from vCenter:

  • Operating system

  • MAC address

  • IP addresses

  • NSX tags

Minimum permissions required

The Dynamic Attributes Connector requires a user at minimum with the Read Only permission to be able to import dynamic attributes.

Create a vCenter user with minimal permissions for the dynamic attributes connector

This task discusses how to set up a service account with minimum permissions to send dynamic attributes to Secure Firewall Management Center. For a list of these attributes, see vCenter connector—About user permissions and imported data.

Before you begin

You must already have set up your vCenter Server account. For more information about doing that, see About vCenter Server Installation and Setup in the vCenter documentation.

Procedure

Step 1

Log into vCenter as an administrator.

Step 2

Click Menu > Administration.

Step 3

In the left pane, click Single Sign On > Users and Groups.

Step 4

From the Domain list, click the name of a domain to add the user.

Step 5

Click Add User.

Step 6

Enter the requested information and click Add.

Step 7

In the left pane, click Access Control > Global Permissions.

Step 8

Click Add(add icon).

Step 9

From the User field, click the name of the vCenter domain in which you created the user.

Step 10

In the search field, enter part of the user's name.

Step 11

From the Role list, click Read-only.

Step 12

Select the Propagate to children check box.

When you create the role, make sure you propagate it to its children

Step 13

Click OK.


What to do next

See Create a vCenter connector.

Create a vCenter connector

This task discusses how to create a connector for VMware vCenter to send data to the Secure Firewall Management Center for use in policies.

Before you begin

If you use non-trusted certificates to communicate with vCenter, see Manually get a certificate authority (CA) chain.

Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add icon (add icon), then click the name of the connector.

  • Edit or delete a connector: Click More (more icon), then click Edit or Delete at the end of the row.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Enter an optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from vCenter.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Host

(Required.) Enter any of the following:

  • vCenter's fully qualified host name

  • vCenter's IP address

  • (Optional.) A port

Do not enter a scheme (such as https://) or trailing slash.

For example, myvcenter.example.com or 192.0.2.100:9090

User

(Required.) Enter the user name of a user with the Read-only role at minimum. User names are case-sensitive.

Password

(Required.) Enter the user's password.

NSX IP

If you use vCenter Network Security Visualization (NSX), enter its IP address.

NSX User

Enter the user name of an NSX user with the Auditor role at minimum.

NSX Type

Enter NSX-T.

NSX Password

Enter the NSX user's password.

vCenter Certificate

You have the following options:

  • Click Get Certificate > Fetch to automatically fetch the certificate or, if that is not possible, get the certificate manually as discussed in Manually get a certificate authority (CA) chain.

  • Click Get Certificate > Browse from file to upload a certificate chain you downloaded previously.

Following is an example of successfully fetching a certificate chain:

Sample of fetching a CA certificate for a vCenter connector

Expanding the certificate CA chain at the top of the dialog box displays the certificates similar to the following.

You can see the certificates in the chain if you expand the certificates

If it's not possible to fetch the certificate this way, you can get the certificate chain manually as discussed in Manually get a certificate authority (CA) chain.

Step 5

Click Test and make sure Test connection succeeded is displayed before you save the connector.

Step 6

Click Save.


Create a Webex connector

This section discusses how to create a Webex connector that sends data to the Secure Firewall Management Center for use in policies. The IP addresses associated with these tags are maintained by Webex. You do not have to create a dynamic attributes filter.

For more information, see Port Reference for Webex Calling.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add icon (add icon), then click the name of the connector.

  • Edit or delete a connector: Click More (more icon), then click Edit or Delete at the end of the row.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from Webex.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Provider Reserved IPs

(Required.) Slide to enabled to retrieve any reserved IP addresses.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Create a Zoom Connector

This section discusses how to create a Zoom connector that sends data to the Secure Firewall Management Center for use in policies. The IP addresses associated with these tags are maintained by Zoom. You do not have to create a dynamic attributes filter.

For more information, see Zoom network firewall or proxy server settings.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Connectors.

Step 3

Do any of the following:

  • Add a new connector: click Add icon (add icon), then click the name of the connector.

  • Edit or delete a connector: Click More (more icon), then click Edit or Delete at the end of the row.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a name to uniquely identify this connector.

Description

Optional description.

Pull Interval

(Default 30 seconds.) Interval at which IP mappings are retrieved from Zoom.

The minimum value for Pull Interval is 1 second. You can set the maximum to any value you want. We recommend against setting the minimum to a low value because it can generate a lot of traffic, and, when applicable, can result in your being billed for the traffic.

Provider Reserved IPs

(Required.) Slide to enabled to retrieve any reserved IP addresses.

Step 5

Click Test and make sure the test succeeds before you save the connector.

Step 6

Click Save.

Step 7

Make sure Ok is displayed in the Status column.


Create an adapter

An adapter is a secure connection to Secure Firewall Management Center to which you push network information from cloud objects for use in access control policies.

First, you can optionally fetch the certificate authority chain, which is required to connect securely to the Secure Firewall Management Center.

Fetching the certificate authority chain requires only the Secure Firewall Management Center host name; creating the adapter requires a user name, password, and other information.

Create an ASA adapter

This topic discusses how to create an ASA adapter that creates network object groups on ASA. These network object groups can be used in access rules.


Note


The ASA adapter creates only Cisco APIC network object groups. You cannot create dynamic objects on ASA from other cloud sources, such as Microsoft Office 365.


Before you begin

Create a Cisco APIC connector as discussed in Create a Cisco APIC connector.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Adapters.

Step 3

Do any of the following:

  • Add a new adapter: click Add icon (add icon), then click the name of the adapter.

  • Edit or delete an adapter: Click More (more icon), then click Edit or Delete at the end of the row.

Note

 

Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a unique name to identify this adapter.

Description

Optional description of the adapter.

Operative Status

From the list, click one of the following:

  • Running is the normal running state where the integration sends network object groups to ASA.

    In the Running state, the adapter's status is displayed as Ok on the dynamic attributes connector Adapters page.

  • Paused pauses sending network object groups, such as during an upgrade. You can pause and resume sending network object groups at any time; this option preserves the objects already pushed to ASA.

    To resume sending network object groups, edit this adapter again and click Running.

    In the Paused state, the adapter's status is displayed as Disabled on the dynamic attributes connector Adapters page.

  • Paused and Clear stops sending network object groups to ASA and clears any previously sent objects from ASA. After you do this you can delete the adapter if you wish.

    In the Paused and Clear state, the adapter's status is displayed as Disabled on the dynamic attributes connector Adapters page.

APIC Site Prefix

(Required.) Enter a name to use as the prefix for the objects created on ASA. We strongly recommend you use a unique name.

This value must match all of the following:

This value is not case-sensitive.

Tenants

(Required.) Specify the names of one or more Cisco APIC tenants the readPriv user has access to. Objects from only the tenants you specify will be pushed to ASA.

To specify more than one tenant, separate them with a comma character.

IP

(Required.) ASA IP address.

Port

(Required.) ASA TLS/SSL port (default is 443).

User

(Required.) Enter the name of an ASA user with privilege level 15.

Password

(Required.) Enter the user's password.

Security Context

(Optional.) Enter the name of the ASA security context. For more information, see Enabling Multiple Context Mode in the Cisco Security Appliance Command Line Configuration Guide.

Server Certificate

(Optional.) You have the following options:


Edit or delete an ASA adapter

This task discusses the supported way to either edit or delete an ASA adapter. Failure to follow this procedure might mean dynamic objects do not get updated on the ASA device.

Before you begin

Create an ASA adapter as discussed in Create an ASA adapter.


Note


Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.


Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Adapters.

Step 3

To change an adapter's configuration:

  1. Click More (more icon), then click Delete.

  2. Follow the prompts to complete the action.

  3. Create another ASA adapter as discussed in Create an ASA adapter.

Step 4

To delete an adapter:

  1. Click More (more icon), then click Delete.

  2. Follow the prompts to complete the action.

    Note

     

    Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

    Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

    Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.


Create a Secure Firewall Management Center user for the dynamic attributes connector

We recommend you create a dedicated Secure Firewall Management Center user for the dynamic attributes connector adapter. A dedicated user avoids issues such as unexpected logouts from the Secure Firewall Management Center, because the dynamic attributes connector periodically logs in using the REST API to update the Secure Firewall Management Center with new and updated dynamic objects.

The Secure Firewall Management Center user must have Access Admin privileges at least.

Procedure


Step 1

Log in to the Secure Firewall Management Center if you haven't already done so.

Step 2

Click System (system gear icon) > Users.

Step 3

Click Create User.

Step 4

Enter the information required to create the user.

Step 5

Under User Role Configuration, check any of the following default roles or a custom role with the same privilege level:

  • Administrator

  • Access Admin

  • Network Admin

The following figure shows an example.

Choose a role for the FMC adapter

You can also choose a custom role with sufficient privileges to allow REST actions or a different default role with sufficient privileges. For more information about default roles, see the User Roles section in the chapter on user accounts.

What to do next

Create an adapter

How to create an On-Prem Firewall Management Center adapter

This topic discusses how to create an adapter to push dynamic objects from the dynamic attributes connector to the Secure Firewall Management Center.


Note


Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.


Before you begin

See Create a Secure Firewall Management Center user for the dynamic attributes connector.

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Adapters.

Step 3

Do any of the following:

  • Add a new adapter: click Add icon (add icon), then click the name of the adapter.

  • Edit or delete an adapter: Click More (more icon), then click Edit or Delete at the end of the row.

Note

 

Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a unique name to identify this adapter.

Description

Optional description of the adapter.

Domain

Enter the Secure Firewall Management Center domain in which to create dynamic objects. Leave the field blank to create dynamic objects in the Global domain.

For example, Global/MySubdomain

IP

(Required.) Enter your Secure Firewall Management Center's host name or IP address.

The host name or IP you enter must exactly match the Common Name of the CA certificate used to securely connect to it.

Port

(Required.) Enter the TLS port used by your Secure Firewall Management Center.

User

(Required.) Enter the name of a Secure Firewall Management Center user with the Network Admin role at minimum.

Password

(Required.) Enter the user's password.

Secondary IP

(High availability only.) Enter the secondary Secure Firewall Management Center's host name or IP address.

The host name or IP you enter must exactly match the Common Name of the CA certificate used to securely connect to it.

Secondary Port

(High availability only.) Enter the TLS port used by your secondary Secure Firewall Management Center.

Secondary User

(High availability only.) Enter the name of a secondary Secure Firewall Management Center user with the Network Admin role at minimum.

Secondary Password

(High availability only.) Enter the user's password.

Server Certificate

You have the following options:

  • Click Get Certificate > Fetch to automatically fetch the certificate or, if that is not possible, get the certificate manually as discussed in Manually get a certificate authority (CA) chain.

  • Click Get Certificate > Browse from file to upload a certificate chain you downloaded previously.

Following is an example of successfully fetching a certificate chain:

Sample of fetching a CA certificate for a vCenter connector

Expanding the certificate CA chain at the top of the dialog box displays the certificates similar to the following.

You can see the certificates in the chain if you expand the certificates

If it's not possible to fetch the certificate this way, you can get the certificate chain manually as discussed in Manually get a certificate authority (CA) chain.

Step 5

Click Test and make sure the test succeeds before you save the adapter.

Step 6

Click Save.


Create a Cloud-Delivered Firewall Management Center adapter

This topic discusses how to create an adapter to push dynamic objects from the dynamic attributes connector to a managed management center on the Secure Firewall Management Center.

You can create the following adapters:

  • On-Prem Firewall Management Center for an on-premises Secure Firewall Management Center

  • Cloud-Delivered Firewall Management Center for devices managed by Security Cloud Control

Before you can create a Cloud-Delivered Firewall Management Center adapter, get the required information as discussed in Get your base URL and API token.

Get your base URL and API token

This task discusses how to get the URL and API token from Security Cloud Control that are required to create a Cloud-Delivered Firewall Management Center adapter.

Before you begin

You must be a Security Cloud Control Super Admin to complete the tasks discussed in this section.

Procedure

Step 1

Log in to Security Cloud Control as a user with the Super Admin role.

Step 2

In the upper right corner of the page, click Settings.

Step 3

Click General Settings.

Step 4

Next to API Token, click Refresh.

Step 5

Copy the API token to a text file for later use.

Step 6

Click the name of the management center to which to send dynamic attributes connector data.

Step 7

The value of Hostname, preceded by https://, is the base URL.

An example follows:

Your base URL for a management center managed by CDO is under Tools & Services > Firewall Management Center. Look for the value of Hostname.


What to do next

How to create a Cloud-Delivered Firewall Management Center adapter.

How to create a Cloud-Delivered Firewall Management Center adapter

This task discusses how to create a Cloud-Delivered Firewall Management Center adapter that sends data from the dynamic attributes connector to a device managed by Security Cloud Control.

Before you begin

You must get the management center base URL and API token from Security Cloud Control before you can complete this task. For more information, see Get your base URL and API token.

Procedure

Step 1

Log in to the dynamic attributes connector.

Step 2

Click Adapters.

Step 3

Do any of the following:

  • Add a new adapter: click Add icon (add icon), then click the name of the adapter.

  • Edit or delete an adapter: Click More (more icon), then click Edit or Delete at the end of the row.

Note

 

Deleting an adapter by itself does not delete dynamic objects created by the adapter. If you wish to delete those objects permanently, do so on the device associated with the adapter.

Before deleting the adapter, you can set its Operative Status to Paused and Clear. Doing this stops sending network object groups to ASA and clears any previously sent objects from ASA.

Editing an adapter does not push updated objects to the associated device. If you must change the adapter's settings, delete the adapter and add it again.

Step 4

Enter the following information.

Value

Description

Name

(Required.) Enter a unique name to identify this adapter.

Description

Optional description of the adapter.

Base Url

(Required.) Use the Base URL you found in Get your base URL and API token.

API Token

(Required.) Use the API token you found in Get your base URL and API token.

Step 5

Click Test and make sure the test succeeds before you save the adapter.

Step 6

Click Save.


What to do next

Create dynamic attributes filters.

Manually get a certificate authority (CA) chain

In the event you cannot automatically fetch the certificate authority chain, use one of the following browser-specific procedures to get a certificate chain used to connect securely to vCenter, Firewall Management Center, Cisco APIC, or .

The certificate chain is the root certificate and all subordinate certificates.

You can optionally use one of these procedures to connect to the following:

  • vCenter or NSX

  • Firewall Management Center

  • Cisco APIC

Get a Certificate Chain—Mac (Chrome and Firefox)

Use this procedure to get a certificate chain using the Chrome and Firefox browsers on Mac OS.

  1. Open a Terminal window.

  2. Enter the following command.

    security verify-cert -P url[:port]

    where url is the URL (including scheme) to vCenter Firewall Management Center, or Cisco APIC, or . For example:

    security verify-cert -P https://myvcenter.example.com

    If you access vCenter Firewall Management Center, or Cisco APIC, or using NAT or PAT, you can add a port as follows:

    security verify-cert -P https://myvcenter.example.com:12345

  3. Save the entire certificate chain to a plaintext file.

    • Include all -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters.

    • Exclude any extraneous text (for example, the name of the certificate and any text contained in angle brackets (< and >), as well as the angle brackets themselves).

  4. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or .

Get a Certificate Chain—Windows Chrome

Use this procedure to get a certificate chain using the Chrome browser on Windows.

  1. Log in to vCenter, Firewall Management Center, Cisco APIC, or using Chrome.

  2. In the browser address bar, click the lock to the left of the host name.

  3. Click Certificate.

  4. Click the Certification Path tab.

  5. Click the top (that is, first) certificate in the chain.

  6. Click View Certificate.

  7. Click the Details tab.

  8. Click Copy to File.

  9. Follow the prompts to create a CER-formatted certificate file that includes the entire certificate chain.

    When you're prompted to choose an export file format, click Base 64-Encoded X.509 (.CER) as the following figure shows.

    In the Certificate Export Wizard, select Base 64 encoded X.509 and export the certificate

  10. Follow the prompts to complete the export.

  11. Open the certificate in a text editor.

  12. Repeat the process for all certificates in the chain.

    You must paste each certificate in the text editor in order, first to last.

  13. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or .

Get a Certificate Chain—Windows Firefox

Use the following procedure to get a certificate chain for the Firefox browser on either Windows or Mac OS.

  1. Log in to vCenter, Firewall Management Center, Cisco APIC, or . using Firefox.

  2. Click the lock to the left of the host name.

  3. Click the right arrow (Show connection details). The following figure shows an example.

    In Firefox, show the connection details to see the certificate being used to connect to the FMC

  4. Click More Information.

  5. Click View Certificate.

  6. If the resulting dialog box has tab pages, click the tab page corresponding to the top-level CA.

  7. Scroll to the Miscellaneous section.

  8. Click PEM (chain) in the Download row. The following figure shows an example.

    Get the PEM chain to configure the FMC adapter

  9. Save the file.

  10. Repeat these tasks for vCenter, Firewall Management Center, Cisco APIC, or ASA.

Create dynamic attributes filters

Dynamic attributes filters that you define using the Dynamic Attributes Connector are exposed in the Secure Firewall Management Center as dynamic objects that can be used in access control policies. For example, restrict access to an AWS server for the Finance Department to only members of the Finance group defined in Microsoft Active Directory.


Note

You cannot create dynamic attributes filters for AWS, AWS service tags, AWS service groups, Azure, Azure Service Tags, Cisco Cyber Vision, Generic Text, GitHub, Google Cloud, Office 365, vCenter, Webex, or Zoom. These types of cloud objects provide their own IP addresses.

Before you begin

Create a connector

Procedure


Step 1

Log in to the dynamic attributes connector.

Step 2

Click Dynamic Attributes Filters.

Step 3

Do any of the following:

  • Add a new filter: click Add (add icon).

  • Edit or delete a filter: Click More (more icon), then click Edit or Delete at the end of the row.

Step 4

Enter the following information.

  • Name: Unique name to identify the dynamic filter (as a dynamic object) in a policy and in the Secure Firewall Management Center Object Manager (External Attributes > Dynamic Object).

  • Connector: From the list, click the name of a connector to use.

  • Query: Click Add (add icon).

Step 5

To add or edit a query, enter the following information.

  • Key: Click a key from the list. Keys are fetched from the connector.

  • Operation: Click one of the following:

    • Equals to exactly match the key to the value.

    • Contains to match the key to the value if any part of the value matches.

  • Values: Click either Any or All and click one or more values from the list. Click Add another value to add values to your query.

Step 6

Click Show Preview to display a list of networks or IP addresses returned by your query.

Step 7

When you're finished, click Save.

Step 8

(Optional.) Verify the dynamic object in the Secure Firewall Management Center.

  1. Log in to the Secure Firewall Management Center as a user with the Network Admin role at minimum.

  2. Click Objects > Object Management > External Attributes > Dynamic Object.

    The dynamic attribute query you created should be displayed as a dynamic object.


Dynamic attribute filter examples

This topic provides some examples of setting up dynamic attribute filters.

Examples: vCenter

The following example shows one criterion: a VLAN.

This sample shows a simple vCenter dynamic attributes filter that finds a VLAN

The following example shows three criteria that are joined with OR: the query matches any of three hosts.

Another sample vCenter dynamic attributes filter that finds any of three hosts; the query is joined by OR

Example: Azure

The following example shows one criterion: a server tagged as a Finance app.

Sample Azure dynamic attributes filter that finds the Finance app tag

Example: AWS

The following example shows one criterion: a tag named FinanceApp with a value of 1.

Sample Amazon Web Services dynamic attributes filter that finds a tag FinanceApp with a value of 1

Example: pxGrid Cloud

The following example shows one criterion: PostureStatus is NonCompliant.
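The Key / Operation / Values semantics of the query steps above, together with the OR-joined criteria of the vCenter examples, modelled in Python as an added example (not Cisco's code; the Host, Criterion and preview names and the sample inventory are this example's own constructions, and the OR combination of criteria is assumed from the vCenter example on this page):

```python
"""Model of a dynamic attributes filter query (added example, not Cisco code).

A Host is what a connector fetches: an IP plus tag keys mapped to one or more
values. A Criterion mirrors the Key / Operation / Values fields above; several
criteria are combined with OR, following the vCenter example on this page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Host:
    ip: str
    tags: Dict[str, Set[str]] = field(default_factory=dict)

@dataclass
class Criterion:
    key: str
    operation: str   # "Equals" (exact match) or "Contains" (substring match)
    mode: str        # "Any" or "All" of the listed values must be satisfied
    values: List[str]

def criterion_matches(crit: Criterion, host: Host) -> bool:
    """True when the host's values for crit.key satisfy the criterion."""
    if crit.operation not in ("Equals", "Contains") or crit.mode not in ("Any", "All"):
        raise ValueError(f"bad criterion {crit!r}")
    host_values = host.tags.get(crit.key, set())
    # One flag per requested value: did any of the host's tag values satisfy it?
    hits = [any((hv == w) if crit.operation == "Equals" else (w in hv) for hv in host_values)
            for w in crit.values]
    return any(hits) if crit.mode == "Any" else (bool(hits) and all(hits))

def preview(criteria: List[Criterion], hosts: List[Host]) -> List[str]:
    """Like Show Preview: sorted IPs of hosts matching at least one criterion."""
    return sorted(h.ip for h in hosts if any(criterion_matches(c, h) for c in criteria))

# Constructed sample inventory standing in for what a vCenter connector fetches.
SAMPLE_HOSTS = [
    Host("10.1.1.10", {"vlan": {"100"}, "app": {"FinanceApp"}}),
    Host("10.1.1.11", {"vlan": {"200"}, "app": {"FinanceApp", "Reporting"}}),
    Host("10.1.2.20", {"vlan": {"100"}, "app": {"HRPortal"}}),
]

if __name__ == "__main__":
    # VLAN 100, OR any host whose app tag contains "Finance" (criteria joined with OR)
    vlan100 = Criterion("vlan", "Equals", "Any", ["100"])
    finance = Criterion("app", "Contains", "Any", ["Finance"])
    print(preview([vlan100, finance], SAMPLE_HOSTS))
```

A host with no value for the queried key never matches, and an All query with an empty value list matches nothing, which is the behaviour to expect from a filter that has not been fully specified.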
