Create the Secure Firewall connector in Secure Workload to establish communication with the Secure Firewall Management Center.

1. From the navigation pane, choose Manage > Workloads > Connectors.

2. Under Firewall, click Cisco Secure Firewall.

3. To configure the Secure Firewall connector, click Configure your new connector here.

4. In the New Connection page, enter the credentials and other connection settings as follows:

   Fields	Description
   Connector Name	Enter a unique name for the FMC connector.
   Description	Enter a description.
   Username and Password	Enter the credentials that are used to communicate with the FMC.
   CA Certificate	To use secure authentication, enter the CA Certificate that Secure Workload uses to authenticate this FMC, or you can Disable SSL where the network is trusted and Secure Workload does not validate the certificate. You can obtain the CA certificate from FMC using the Object Management workflow.
   Server IP/FQDN* and Port	Enter the Server IP address and Port Number for the associated FMC. The hostname must be a fully qualified domain name or an IP address of FMC.
   Does your network require HTTP Proxy to reach FMC	If yes, enter the Proxy URL in the format <proxy.host> : <proxy.port>
   Secure Connector	Enable if a Secure Connector is used to tunnel connections from Secure Workload to FMC. Note   Ensure that you deploy a Secure Connector before enabling this option.

5. Click Create.

   

Secure Workload enforced segmentation policies are converted into Access Control Policies, utilizing IP address sets derived from scopes, inventory filters, and clusters. These sets are transformed into dynamic objects within the Secure Firewall Management Center.

Converted segmentation policies from Secure Workload are added to the FMC as rules in the respective sections of the access control policy. The Absolute policies are added in the Mandatory rules section and the Default policies are added in the Default rules section.

Add the following types of access control rules:

• Rules with prefix: Workload_golden_:

  These rules, called golden rules, ensure that Secure Workload can communicate with any Secure Workload agents that are installed on workloads behind the Secure Firewalls.

• Rules with prefix: Workload_:

  These are the rules that are converted from segmentation policies in application workspaces for which enforcement is enabled.

• Rules with prefix: Workload_ca_:

  These are the converted catch-all rules for each enforced application workspace. From Secure Workload version, you can use the catch-all rules of Secure Workload only if you have selected the Use Secure Workload Catch-All option while configuring the FMC connector.

• Dynamic objects are created with the prefix: WorkloadObj_

Note

If you delete or modify these rules in FMC, your changes will be overwritten the next time Secure Workload pushes updates to the FMC. If you create more access control rules in the FMC that are independent of this integration, and you configure the integration to merge rather than overwrite existing rules, this integration does not change your independent rules, as long as they are not named using one of the prefixes described above.

Add ACP Mapping

1. In the Segmentation tab, click + Add to map an Access Policy.

2. In the Add ACP Mapping window, choose an Access Policy from the drop-down list and map it to a Scope. You can map an Access Policy to only one Scope.

3. Check the Use Secure Workload Catch All check-box to enable catch-all rules from Secure Workload. The catch-all Secure Workload rules are listed after all other rules (Secure Workload rules and rules created directly in FMC, if any) in the Default section of Access Control Policies. If you decide to disable catch-all rules from Secure Workload, deselect this option to use the Default Action of the Secure Firewall Management Center Access Control Policy.

4. Select an option in the Enforcement Mode.

   • Merge: Secure Workload policy rules are added along with the existing rules created by users. You can configure the priority as explained in the next step.

   • Override: The existing rules created by users are replaced by Secure Workload policy rules.

   Note	The priority drop-down list is available only when Merge is selected as the Enforcement Mode.

5. In the Absolute and Default Policies drop-down menus, choose the required option to set the priority for Secure Workload policies to be higher or lower to the pre-existing rules in the respective section of the Access Control Policy in FMC.

   • Choosing Insert above existing Mandatory rules makes Secure Workload policies take higher priority over Mandatory rules.

   • Choosing Insert below existing Mandatory rules makes Secure Workload policies take lower priority over Mandatory rules.

   For example, from the Absolute Policies drop-down list, if you choose Insert above existing Mandatory rules, the Secure Workload rules are configured at the beginning of the Mandatory section followed by any pre-existing access control rules in the FMC. When a new rule is created, the rule order of the Access Control Policy is updated based on the selected priority for policies in Secure Workload.

6. Click Submit.

Edit ACP Mapping

To edit the Access Control Policy mapping

1. From the navigation pane, choose Defend > Segmentation and click on the policy you want to edit.

2. Under Action, click the pencil icon to edit.

3. Update the details and click Submit.

4. Click Save to save all edits.

Virtual Patching, also known as External Patching and Just-in-time Patching, is a security technique that is used to protect applications and computer systems from known vulnerabilities. Virtual Patching, originally used by the Intrusion Prevention System (IPS), implements temporary fixes or workarounds to address vulnerabilities until a permanent patch can be developed and applied.

For example, organisations following the Software Development Life Cycle, take time to detect, fix, and develop a new version of the application. The system can be protected by introducing a firewall and adding the IPS rules, until the newer version of the application is rolled out. Secure Workload publishes the CVEs to the firewall to consider while creating the IPS policies.

1. In the Create a Virtual Patching Rule window, enter a Rule Name and Description.

2. Select an Existing Filter from the drop-down list. You can select an existing scope or subscope to select the hosts to consider for Virtual Patching.

   • By default, the Use Filter as Host Query check box is checked. You can proceed by just entering the CVE query; without creating a new Virtual Patching filter. The Host Query includes the contents of the filter chosen.

     

   • Uncheck the Use Filter as Host Query check box to enter both the Host and CVE query. This creates a new Virtual Patching filter.

     

3. Enter a Host and CVE query. Click the + icon to add more queries.

   Note	Hover over the info icon to view the supported query formats. By default, a Virtual Patching filter is created based on the entered query combination.

4. Click Next. In the Summary window, lists of matching Workloads and CVEs are displayed. Workloads and CVEs are matched dynamically based on the query.

5. Click Create.

6. Added virtual patching rules are displayed under Rules. Enter attributes and click Filter to narrow down the search results.

7. Workloads with Published CVEs are displayed on the right.

   • Enter attributes and click Filter to narrow down the search results.

   • Click the column headers to sort the entries.

   • In the Exported column, click CVEs List to view a list of all published CVEs of a workload.

   • Click the hamburger menu to view the Audit Log of a workload. Logs for the last 48 hours are stored and displayed.

The Event Log tab lists the important events or transactions between Secure Workload and FMC.

1. Enter attributes to filter the events based on Capability, Event Level, Namespace, and Message.

   Note	Color codes for the Event level are Information (blue), Warning (orange), and Error (red).

2. Click the column headers to sort the entries.

3. Click the three dot menu icon to download the details in JSON and/or CSV format.

4. Click Refresh to reset all filters.

Create the Secure Firewall connector in Secure Workload to establish communication with the Secure Firewall Management Center.

1. From the navigation pane, choose Manage > Workloads > Connectors.

2. Under Firewall, click Cisco Secure Firewall.

3. To configure the Secure Firewall connector, click Configure your new connector here.

4. In the New Connection page, enter the credentials and other connection settings as follows:

   Fields	Description
   Connector Name	Enter a unique name for the FMC connector.
   Description	Enter a description.
   Username and Password	Enter the credentials that are used to communicate with the FMC.
   CA Certificate	To use secure authentication, enter the CA Certificate that Secure Workload uses to authenticate this FMC, or you can Disable SSL where the network is trusted and Secure Workload does not validate the certificate. You can obtain the CA certificate from FMC using the Object Management workflow.
   Server IP/FQDN* and Port	Enter the Server IP address and Port Number for the associated FMC. The hostname must be a fully qualified domain name or an IP address of FMC.
   Does your network require HTTP Proxy to reach FMC	If yes, enter the Proxy URL in the format <proxy.host> : <proxy.port>
   Secure Connector	Enable if a Secure Connector is used to tunnel connections from Secure Workload to FMC. Note   Ensure that you deploy a Secure Connector before enabling this option.

5. Click Create.

   

Secure Workload enforced segmentation policies are converted into Access Control Policies, utilizing IP address sets derived from scopes, inventory filters, and clusters. These sets are transformed into dynamic objects within the Secure Firewall Management Center.

Converted segmentation policies from Secure Workload are added to the FMC as rules in the respective sections of the access control policy. The Absolute policies are added in the Mandatory rules section and the Default policies are added in the Default rules section.

Add the following types of access control rules:

• Rules with prefix: Workload_golden_:

  These rules, called golden rules, ensure that Secure Workload can communicate with any Secure Workload agents that are installed on workloads behind the Secure Firewalls.

• Rules with prefix: Workload_:

  These are the rules that are converted from segmentation policies in application workspaces for which enforcement is enabled.

• Rules with prefix: Workload_ca_:

  These are the converted catch-all rules for each enforced application workspace. From Secure Workload version, you can use the catch-all rules of Secure Workload only if you have selected the Use Secure Workload Catch-All option while configuring the FMC connector.

• Dynamic objects are created with the prefix: WorkloadObj_

Note

If you delete or modify these rules in FMC, your changes will be overwritten the next time Secure Workload pushes updates to the FMC. If you create more access control rules in the FMC that are independent of this integration, and you configure the integration to merge rather than overwrite existing rules, this integration does not change your independent rules, as long as they are not named using one of the prefixes described above.

Add ACP Mapping

1. In the Segmentation tab, click + Add to map an Access Policy.

2. In the Add ACP Mapping window, choose an Access Policy from the drop-down list and map it to a Scope. You can map an Access Policy to only one Scope.

3. Check the Use Secure Workload Catch All check box to enable catch-all rules from Secure Workload. The catch-all Secure Workload rules are listed after all other rules (Secure Workload rules and rules created directly in FMC, if any) in the Default section of Access Control Policies. If you decide to disable catch-all rules from Secure Workload, deselect this option to use the Default Action of the Secure Firewall Management Center Access Control Policy.

4. Select an option in the Enforcement Mode.

   • Merge: Secure Workload policy rules are added along with the existing rules created by users. You can configure the priority as explained in the next step.

   • Override: The existing rules created by users are replaced by Secure Workload policy rules.

   Note	The priority drop-down list is available only when Merge is selected as the Enforcement Mode.

5. In the Absolute and Default Policies drop-down menus, choose the required option to set the priority for Secure Workload policies to be higher or lower to the pre-existing rules in the respective section of the Access Control Policy in FMC.

   • Choosing Insert above existing Mandatory rules makes Secure Workload policies take higher priority over Mandatory rules.

   • Choosing Insert below existing Mandatory rules makes Secure Workload policies take lower priority over Mandatory rules.

   For example, from the Absolute Policies drop-down list, if you choose Insert above existing Mandatory rules, the Secure Workload rules are configured at the beginning of the Mandatory section followed by any pre-existing access control rules in the FMC. When a new rule is created, the rule order of the Access Control Policy is updated based on the selected priority for policies in Secure Workload.

6. Click Submit.

Edit ACP Mapping

Edit the Access Control Policy Mapping:

1. From the navigation menu, choose Defend > Segmentation and click on the policy you want to edit.

2. Under Action, click the pencil icon to edit.

3. Update the details and click Submit.

4. Click Save to save all edits.

Virtual Patching, also known as External Patching and Just-in-time Patching, is a security technique that is used to protect applications and computer systems from known vulnerabilities. Virtual Patching, originally used by the Intrusion Prevention System (IPS), implements temporary fixes or workarounds to address vulnerabilities until a permanent patch can be developed and applied.

For example, organisations following the Software Development Life Cycle, take time to detect, fix, and develop a new version of the application. The system can be protected by introducing a firewall and adding the IPS rules, until the newer version of the application is rolled out. Secure Workload publishes the CVEs to the firewall to consider while creating the IPS policies.

1. In the Create a Virtual Patching Rule window, enter a Rule Name and Description.

2. Select an Existing Filter from the drop-down list. You can select an existing scope or subscope to select the hosts to consider for Virtual Patching.

   • By default, the Use Filter as Host Query check box is checked. You can proceed by just entering the CVE query; without creating a new Virtual Patching filter. The Host Query includes the contents of the filter chosen.

     

   • Uncheck the Use Filter as Host Query check box to enter both the Host and CVE query. This creates a new Virtual Patching filter.

     

3. Enter a Host and CVE query. Click the + icon to add more queries.

   Note	Hover over the info icon to view the supported query formats. By default, a Virtual Patching filter is created based on the entered query combination.

4. Click Next. In the Summary window, lists of matching Workloads and CVEs are displayed. Workloads and CVEs are matched dynamically based on the query.

5. Click Create.

6. Added virtual patching rules are displayed under Rules. Enter attributes and click Filter to narrow down the search results.

7. Workloads with Published CVEs are displayed on the right.

   • Enter attributes and click Filter to narrow down the search results.

   • Click the column headers to sort the entries.

   • In the Exported column, click CVEs List to view a list of all published CVEs of a workload.

   • Click the hamburger menu to view the Audit Log of a workload. Logs for the last 48 hours are stored and displayed.

The Event Log tab lists the important events or transactions between Secure Workload and FMC.

1. Enter attributes to filter the events based on Capability, Event Level, Namespace, and Message.

   Note	Color codes for the Event level are Information (blue), Warning (orange), and Error (red).

2. Click the column headers to sort the entries.

3. Click the three dot menu icon to download the details in JSON and/or CSV format.

4. Click Refresh to reset all filters.