This document describes how to deploy and integrate CSDAC for Dynamic Microsoft 365 objects on On-prem FMC with Ansible on Ubuntu 20.04.
Cisco recommends that you know these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The Cisco Secure Dynamic Attributes Connector (CSDAC) collects data such as networks and IP addresses from cloud providers and sends it to the Cisco Secure Firewall Management Center, where it can be used in Access Control Policy rules.
The Cisco Secure Dynamic Attributes Connector can use service tags and categories from various cloud service platforms such as AWS, GitHub, Google Cloud, Azure, Azure Service Tags, Microsoft Office 365, and vCenter.
Network constructs such as IP addresses are not reliable in virtual, cloud, and container environments because of the dynamic nature of the workloads and the inevitability of IP address overlap. Sometimes, policy rules must be defined on non-network constructs such as Virtual Machine (VM) name or Security Group, so that firewall policies remain persistent even when the IP address or VLAN changes. Those tags and attributes can be collected with dynamic attributes connector Docker containers running on Ubuntu, CentOS, or Red Hat Enterprise Linux virtual machines. To install CSDAC on CentOS or Red Hat, refer to the official documentation guide.
The dynamic attributes connector on the Ubuntu host is installed with an Ansible Collection. The Cisco Secure Dynamic Attributes Connector supports two types of adapters.
This article focuses on deploying the Cisco Secure Dynamic Attributes Connector on an Ubuntu host for the Microsoft Office 365 cloud service with an on-prem Secure Firewall Management Center.
This section is divided into the following subsections:
This section discusses how to install prerequisite software on Ubuntu.
Step 1: Validate Docker is not installed.
root@tac:/home/tac# docker --version
Command 'docker' not found.
Warning: If Docker is installed, consult Docker documentation to uninstall it.
Step 2: Update Ubuntu repositories.
root@tac:/home/tac# sudo apt -y update && sudo apt -y upgrade
Hit:1 http://security-ubuntu-site/ubuntu focal-security InRelease
Hit:2 http://ubuntu-repository-web-site/ubuntu focal InRelease
Hit:3 http://ubuntu-repository-web-site/ubuntu focal-updates InRelease
Hit:4 http://ubuntu-repository-web-site/ubuntu focal-backports InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
334 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
....
Step 3: Confirm the Python version.
root@tac:/home/tac# /usr/bin/python3 --version
Python 3.8.10
Warning: If the Python version is earlier than 3.6, you must install version 3.6 or later.
Step 4: Install the common libraries.
root@tac:/home/tac# sudo apt -y install software-properties-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Step 5: Install Ansible.
root@tac:/home/tac# sudo apt-add-repository -y -u ppa:ansible/ansible && sudo apt -y install ansible
Hit:1 http://security-ubuntu-site/ubuntu focal-security InRelease
Get:2 http://personal-package-archive-site/ansible/ansible/ubuntu focal InRelease [18.0 kB]
Hit:3 http://ubuntu-repository-web-site/ubuntu focal InRelease
Hit:4 http://ubuntu-repository-web-site/ubuntu focal-updates InRelease
Hit:5 http://ubuntu-repository-web-site/ubuntu focal-backports InRelease
Get:6 http://personal-package-archive-site/ansible/ansible/ubuntu focal/main amd64 Packages [1 132 B]
Get:7 http://personal-package-archive-site/ansible/ansible/ubuntu focal/main i386 Packages [1 132 B]
Get:8 http://personal-package-archive-site/ansible/ansible/ubuntu focal/main Translation-en [756 B]
Fetched 21.1 kB in 3s (7 526 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Step 6: Verify the Ansible version.
root@tac:/home/tac# ansible --version
ansible [core 2.12.10]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
jinja version = 2.10.1
libyaml = True
Note: It is normal for Ansible to reference Python 2.x. The connector still uses Python 3.6.
Step 7: Get Dynamic Attributes Connector software with Ansible.
root@tac:/home/tac# ansible-galaxy collection install cisco.csdac
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy-ansible-site/download/cisco-csdac-2.2.1.tar.gz to /root/.ansible/tmp/ansible-local-52406urwp91ou/tmpqabv89vb/cisco-csdac-2.2.1-fr29zaq5
Downloading https://galaxy-ansible-site/download/community-crypto-2.15.1.tar.gz to /root/.ansible/tmp/ansible-local-52406urwp91ou/tmpqabv89vb/community-crypto-2.15.1-dkc897hb
Installing 'cisco.csdac:2.2.1' to '/root/.ansible/collections/ansible_collections/cisco/csdac'
cisco.csdac:2.2.1 was installed successfully
Installing 'community.crypto:2.15.1' to '/root/.ansible/collections/ansible_collections/community/crypto'
Downloading https://galaxy-ansible-site/download/community-general-7.4.0.tar.gz to /root/.ansible/tmp/ansible-local-52406urwp91ou/tmpqabv89vb/community-general-7.4.0-cr9imbx3
community.crypto:2.15.1 was installed successfully
Installing 'community.general:7.4.0' to '/root/.ansible/collections/ansible_collections/community/general'
community.general:7.4.0 was installed successfully
Step 8: Move to the csdac directory.
root@tac:/home/tac# cd ~/.ansible/collections/ansible_collections/cisco/csdac/
Step 9: Install the muster service.
root@tac:~/.ansible/collections/ansible_collections/cisco/csdac# ansible-playbook default_playbook.yml --ask-become-pass
BECOME password:
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
[WARNING]: running playbook inside collection cisco.csdac
PLAY [localhost] ***************************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [cisco.csdac.csdac : Define Python Interpreter] ***************************
ok: [localhost]
...
TASK [cisco.csdac.csdac : verify that core services are started] ***************
ok: [localhost]
TASK [cisco.csdac.csdac : verify that core services are started] ***************
ok: [localhost]
TASK [cisco.csdac.csdac : verify that core services are started] ***************
ok: [localhost]
TASK [cisco.csdac.csdac : verify that core services are started] ***************
ok: [localhost]
TASK [cisco.csdac.csdac : Post task] *******************************************
ok: [localhost] => {}
MSG:
Please login in to https://172.16.1.53 to configure csdac application
PLAY RECAP *********************************************************************
localhost : ok=72 changed=8 unreachable=0 failed=0 skipped=35 rescued=0 ignored=0
Warning: If the installation fails with 'Permission denied with Docker daemon socket', consider Cisco bug ID CSCwh58312 or contact Cisco TAC.
Step 10: Log in to the connector using the CSDAC IP address using HTTPS protocol.
Note: Initial login is username 'admin', password 'admin'. The system asks for a password change after the first successful login.
Step 1: Log in to the dynamic attributes connector.
Step 2: Click 'Connectors'.
Step 3: Add an Office 365 connector: click on the Add icon (+), then 'Office 365'.
Step 4: Configure the connector with Name, Base API URL, Instance Name, and Enable or Disable optional IPs.
Consider the following:
Step 5: Click 'Test' and make sure the test succeeds before saving the connector config.
Step 6: Save and make sure the status is 'OK'.
Step 1: Log in to the dynamic attributes connector.
Step 2: Click 'Adapters'.
Step 3: Add a new adapter: click on the Add icon (+), then 'on-prem Firewall Management Center'.
Step 4: Configure the adapter with Name, IP address, Port, and User/Password.
Warning: Create a new FMC user in the UI dedicated to the adapter connection. Using an existing user could cause unexpected logouts in the CSDAC or On-Prem Firewall Management Center UI.
Note: The user must have the 'Administrator', 'Access Admin', or 'Network Admin' role. Use the On-Prem Firewall Management Center FQDN in the IP address field.
Step 5: Open the On-Prem Secure Firewall Management Center UI.
Step 6: Download the HTTPS PEM (chain) certificate from the browser: click the HTTPS padlock shown in the browser, then Secure Connection, More Information, View Certificate, PEM (chain).
This downloads a .pem file containing the certificate chain.
Note: The steps to collect the On-Prem Secure Firewall Management Center HTTPS certificate apply to the Firefox browser. Look for similar steps if another browser is used.
Step 7: Open Dynamic Attributes Connector and click on 'Get certificate' and 'Browse from file...'.
Step 8: Upload the .pem certificate and click 'TEST' to ensure the test succeeds.
Warning: Make sure the DNS servers configured on the Ubuntu machine can resolve the On-Prem Firewall Management Center FQDN; otherwise, the test can fail.
Step 9: Save and make sure the status is 'OK'.
Note: Dynamic Attributes filters cannot be created for Office 365.
Step 10: Start creating Access Control Policy rules with Dynamic Office 365 attributes in the On-Prem Firewall Management Center UI.
Verify container status on Ubuntu for Core services, Connectors, and Adapters.
root@tac://# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
44f71f675ff1 public.ecr.aws/e6e4t5f5/muster_fmc_adapter:2.2.0-latest "./docker-entrypoint…" 12 hours ago Up 12 hours 50070/tcp muster-adapter-fmc.2.muster
88826cf0742f public.ecr.aws/e6e4t5f5/muster_o365_connector:2.2.0-latest "./docker-entrypoint…" 13 hours ago Up 13 hours 50070/tcp muster-connector-o365.3.muster
4c2c73d351e2 public.ecr.aws/e6e4t5f5/muster_envoy:2.2.0-latest "/docker-entrypoint.…" 2 days ago Up 2 days 0.0.0.0:443->8443/tcp muster-envoy
67f3afae2165 public.ecr.aws/e6e4t5f5/muster_ui:2.2.0-latest "/docker-entrypoint.…" 2 days ago Up 2 days 8080/tcp muster-ui
722a764c54e9 public.ecr.aws/e6e4t5f5/muster_ui_backend:2.2.0-latest "./docker-entrypoint…" 2 days ago Up 2 days 50031/tcp muster-ui-backend
038654545f30 public.ecr.aws/e6e4t5f5/muster_bee:2.2.0-latest "/bin/sh -c /app/bee" 2 days ago Up 2 days 50050/tcp, 50443/tcp muster-bee
90cfd7e3a28b public.ecr.aws/e6e4t5f5/muster_etcd:2.2.0-latest "etcd" 2 days ago Up 2 days 2379-2380/tcp muster-etcd
Verify Connector status from CSDAC UI.
Verify Adapter status from CSDAC UI.
Verify Office 365 Dynamic Attributes on Firewall Management Center.
Create or Edit an Access Control Policy Rule, click on 'Dynamic Attributes', click on 'Available Attributes', and select 'Dynamic Objects'.
Note: If Office 365 Dynamic Objects are not listed, something could be wrong with the integration. Check the troubleshoot section or contact Cisco TAC.
If the Secure Dynamic Attributes Connector installation with Ansible fails, collect 'csdac.log', located in the '~/.ansible/collections/ansible_collections/cisco/csdac/logs/' directory.
root@tac://# cd ~/.ansible/collections/ansible_collections/cisco/csdac/logs/
root@tac:~/.ansible/collections/ansible_collections/cisco/csdac/logs# ls -lth
total 276K
-rw-r--r-- 1 root root 272K sep 14 15:37 csdac.log
Installation failure logs are found in this file. Open it with the 'cat' or 'less' Linux commands and explore the failure logs, or contact Cisco TAC and provide this file.
Sometimes, the Ansible installation fails because of 'permission denied' errors. Explore the csdac.log file and look for 'permission denied' logs.
TASK [cisco.csdac.csdac : print result of csdac command line start command (stderr)] ***
ok: [localhost] => {
"muster_cli_start_result.stderr_lines": [
"permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/volumes/create\": dial unix /var/run/docker.sock: connect: permission denied",
"permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/volumes/create\": dial unix /var/run/docker.sock: connect: permission denied",
"permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/volumes/create\": dial unix /var/run/docker.sock: connect: permission denied",
"permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/networks/create\": dial unix /var/run/docker.sock: connect: permission denied",
"docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create\": dial unix /var/run/docker.sock: connect: permission denied.",
"See 'docker run --help'.",
"docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create\": dial unix /var/run/docker.sock: connect: permission denied."
If similar logs are found, consider Cisco bug ID CSCwh58312 or contact Cisco TAC for assistance.
If 'docker ps -a' shows that containers are down, or containers must be restarted because of issues, restart them with the 'docker restart container-id' command.
Example: restart the Office 365 connector with container ID '88826cf0742f'.
root@tac://# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
44f71f675ff1 public.ecr.aws/e6e4t5f5/muster_fmc_adapter:2.2.0-latest "./docker-entrypoint…" 12 hours ago Up 12 hours 50070/tcp muster-adapter-fmc.2.muster
88826cf0742f public.ecr.aws/e6e4t5f5/muster_o365_connector:2.2.0-latest "./docker-entrypoint…" 13 hours ago Up 13 hours 50070/tcp muster-connector-o365.3.muster
root@tac://# docker restart 88826cf0742f
root@tac://# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
44f71f675ff1 public.ecr.aws/e6e4t5f5/muster_fmc_adapter:2.2.0-latest "./docker-entrypoint…" 12 hours ago Up 12 hours 50070/tcp muster-adapter-fmc.2.muster
88826cf0742f public.ecr.aws/e6e4t5f5/muster_o365_connector:2.2.0-latest "./docker-entrypoint…" 13 hours ago Up 2 seconds 50070/tcp muster-connector-o365.3.muster
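The container check and restart described in the Verify and Troubleshoot sections can be scripted. This is an added example, not Cisco's code; it assumes the 'muster' container names shown by 'docker ps -a' on this page and uses the 'docker ps --format' Go-template columns (.ID, .Names, .Status) to avoid parsing the space-padded default output.

```shell
#!/bin/sh
# Added example: list CSDAC (muster) containers that are not running and
# restart them. Assumes the container names shown on this page.

# Constructed sample in the shape of:
#   docker ps -a --format '{{.ID}}\t{{.Names}}\t{{.Status}}'
# The "Exited" status for the Office 365 connector is constructed.
sample_ps() {
    printf '%s\t%s\t%s\n' \
        44f71f675ff1 muster-adapter-fmc.2.muster    'Up 12 hours' \
        88826cf0742f muster-connector-o365.3.muster 'Exited (1) 5 minutes ago' \
        4c2c73d351e2 muster-envoy                   'Up 2 days'
}

# Read ID<TAB>NAME<TAB>STATUS lines on stdin; print "ID NAME" for every
# muster container whose STATUS does not start with "Up".
down_muster_containers() {
    awk -F'\t' '$2 ~ /^muster/ && $3 !~ /^Up/ { print $1, $2 }'
}

# Live run: restart each container reported by down_muster_containers.
# Containers that are healthy ("Up ...") are left untouched.
restart_down_containers() {
    docker ps -a --format '{{.ID}}\t{{.Names}}\t{{.Status}}' |
        down_muster_containers |
        while read -r id name; do
            echo "restarting $name ($id)"
            docker restart "$id"
        done
}
```

Run 'sample_ps | down_muster_containers' to see the check on the constructed sample; 'restart_down_containers' needs a live Docker host.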
Verify the connection with CSDAC and validate that the objects are created on the Secure Firewall Management Center.
> expert
sudoadmin@firepower:~$ sudo su -
Password:
root@firepower:/Volume/home/admin# cat /var/opt/CSCOpx/MDC/log/operation/usmsharedsvcs.log
17-Sep-2023 17:24:58.046,[INFO],(DefenseCenterServiceImpl.java:1462)
com.cisco.nm.vms.api.dc.DefenseCenterServiceImpl, ajp-nio-127.0.0.1-9009-exec-2
** REST Request [ CSM ]
** ID : ff3e6259-2417-48cc-8e5e-a41d0bd04b39
** URL: POST /audit
{
"version":"7.2.5",
"requestId":"ff3e6259-2417-48cc-8e5e-a41d0bd04b39",
"data":{
"userName":"TAC",
"subsystem":"API",
"message":"POST https://FMC-FQDN/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f
/object/bulkdynamicobjects Created (201) - The request has been fulfilled and resulted in a new resource being created",
"sourceIP":"172.16.1.53",
"domainUuid":"e276abec-e0f2-11e3-8169-6d9ed49b625f",
"time":"1694971497660"},"deleteList":[]
}
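To check the FMC side without reading the whole audit log by hand, the bulkdynamicobjects POST entries in usmsharedsvcs.log can be reduced to source IP and HTTP status code. This is an added example, not Cisco's code; it assumes the entry layout shown above (the "message" and "sourceIP" fields of one request appear on consecutive lines, with the status code either on the message line or on the line that follows it) and uses a constructed sample with a DOMAIN-UUID placeholder and a constructed 401 entry.

```shell
#!/bin/sh
# Added example: summarise CSDAC bulkdynamicobjects requests recorded in
# /var/opt/CSCOpx/MDC/log/operation/usmsharedsvcs.log on the FMC.

# Constructed sample in the shape of the log shown on this page.
# The second (401) entry is constructed to show a failed push.
sample_log() {
    cat <<'EOF'
17-Sep-2023 17:24:58.046,[INFO],(DefenseCenterServiceImpl.java:1462)
** URL: POST /audit
{
"data":{
"userName":"TAC",
"message":"POST https://FMC-FQDN/api/fmc_config/v1/domain/DOMAIN-UUID/object/bulkdynamicobjects Created (201) - The request has been fulfilled and resulted in a new resource being created",
"sourceIP":"172.16.1.53",
"time":"1694971497660"},"deleteList":[]
}
17-Sep-2023 17:30:01.000,[INFO],(DefenseCenterServiceImpl.java:1462)
{
"data":{
"userName":"TAC",
"message":"POST https://FMC-FQDN/api/fmc_config/v1/domain/DOMAIN-UUID/object/bulkdynamicobjects
 Unauthorized (401) - constructed failure entry",
"sourceIP":"172.16.1.53",
"time":"1694971801000"}
}
EOF
}

# Print "sourceIP status" for every bulkdynamicobjects request on stdin.
bulk_dynamic_object_posts() {
    awk '
        /bulkdynamicobjects/ {
            code = ""
            if (match($0, /\([0-9][0-9][0-9]\)/))
                code = substr($0, RSTART + 1, RLENGTH - 2)
            want = 1; next
        }
        want && code == "" && match($0, /\([0-9][0-9][0-9]\)/) {
            code = substr($0, RSTART + 1, RLENGTH - 2)
        }
        want && /"sourceIP"/ {
            split($0, f, "\"")
            print f[4], code
            want = 0
        }'
}

# Keep only requests that did not return 201 Created.
failed_bulk_posts() {
    bulk_dynamic_object_posts | awk '$2 != 201'
}
```

On the FMC, pipe the real log into the functions: 'cat /var/opt/CSCOpx/MDC/log/operation/usmsharedsvcs.log | failed_bulk_posts'; an empty result means every CSDAC push was accepted.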
Additional documents related to Cisco Secure Dynamic Attributes (CSDAC) can be found here:
About the Cisco Dynamic Attributes Connector
Install and Upgrade the Cisco Secure Dynamic Attributes Connector
Configure the Cisco Dynamic Attributes Connector
Use Dynamic Objects in Access Control Policies
Troubleshoot the Dynamic Attributes Connector
CSDAC 2.2 Installation failed "Permission denied with Docker daemon socket" in Ubuntu 20.04.
Cisco bug ID CSCwh58312.
Revision | Publish Date | Comments
---|---|---
1.0 | 04-Oct-2023 | Initial Release