Radware DefensePro Service Chain for ASA Quick Start Guide
1. About Radware DefensePro Service Chaining for ASA
Licensing Requirements for the Radware DefensePro Service Chain
APSolute Vision Manager Version Requirements
2. Deploy and Configure Radware vDP in a Service Chain
Configure a Management Interface and Data Interfaces
Deploy a Standalone ASA with a Radware DefensePro Service Chain
Deploy an ASA Cluster with a Radware DefensePro Service Chain
The Cisco FXOS chassis can support multiple services (for example, an ASA firewall, and a third-party DDoS application) on a single blade. These applications can be linked together to form a Service Chain. In Firepower eXtensible Operating System (FXOS) 1.1.4 and later on the Firepower 4120, 4140, 4150, and 9300 security appliances, the third-party Radware DefensePro virtual platform can be installed to run in front of the ASA firewall. Radware DefensePro is a KVM-based virtual platform that provides distributed denial-of-service (DDoS) detection and mitigation capabilities on the FXOS chassis. When Service Chaining is enabled on your FXOS chassis, ingress traffic from the network must first pass through the DefensePro virtual platform before reaching the ASA firewall.
You can deploy Radware DefensePro with the ASA in the following modes:
Note: Service Chaining is not supported in an inter-chassis cluster or Active/Active failover configuration. However, the Radware DefensePro (vDP) application can be deployed in a standalone configuration in an inter-chassis cluster scenario. The DefensePro application can run as separate instances on up to three security modules.
Licensing for the Radware Virtual DefensePro application on the Firepower 4100 and 9300 series devices is handled through the Radware APSolute Vision Manager. Go to the Cisco Commerce Workspace (CCW) to order a throughput license for your device. After submitting this request, you will receive a login and link to the Radware Portal, where you can then request a license.
For more information and documentation on Radware's APSolute Vision Manager and throughput licensing requirements, see the documentation on Radware's site (https://portals.radware.com/Customer/Home/Downloads/Management-Monitoring/?Product=APSolute-Vision). Note that you must be registered with Radware to access this portal.
Prior to deploying Radware vDP on your Firepower security appliance, you must ensure that your Chassis Manager is set to use an NTP Server, with the etc/UTC Time Zone.
1. In the Firepower Chassis Manager, choose Platform Settings to open the NTP area in the Platform Settings page.
2. Choose etc/UTC in the Time Zone drop-down list.
3. Under Set Time Source, select Use NTP Server:
4. Enter the IP address or hostname of the NTP server you want to use in the NTP Server field.
For more information about setting the date and time in your Firepower chassis, see the "Setting the Date and Time" topic in the Cisco FXOS CLI Configuration Guide or Cisco FXOS Firepower Chassis Manager Configuration Guide (http://www.cisco.com/go/firepower9300-config).
Radware APSolute Vision is the main management interface for vDP. In order for the APSolute Vision manager to support the full functionality offered by service chain integration, you must be on APSolute Vision version R3.40 or later.
Note: HTTPS management of Radware DefensePro requires APSolute Vision Manager. To manage Radware DefensePro locally without APSolute Vision Manager, you must use the FXOS CLI.
You can deploy the Radware DefensePro service chain on a standalone ASA or a cluster of ASAs using the Firepower Chassis Manager. For full CLI procedures, see the FXOS CLI Configuration Guide.
Download the vDP image from Cisco.com and then upload that image to the FXOS chassis.
Configure a Management-type interface on the supervisor that you can include in the deployment configuration for the ASA and vDP decorator. You must also configure at least one Data-type interface.
1. In the Firepower Chassis Manager, choose Interfaces to open the Interfaces page.
b. For the Port Channel ID, enter a value between 1 and 47.
d. For the Type, choose Management or Data. You can only include one management interface per logical device. Do not choose Cluster.
e. Add member interfaces as desired.
a. Click the Edit icon in the interface row to open the Edit Interface dialog box.
c. For the Type, click Management or Data. You can only include one management interface per logical device.
1. Choose Logical Devices to open the Logical Devices page.
2. Click Add Device to open the Add Device dialog box.
3. For the Device Name, provide a name for the logical device.
4. For the Template, choose asa.
5. For the Image Version, choose the ASA software version.
6. For the Device Mode, click the Standalone radio button.
7. Click OK. You see the Provisioning - device name window.
8. Expand the Data Ports area, and click each interface that you want to assign to the ASA.
9. Click the device icon in the center of the screen. The ASA Configuration dialog box appears.
10. Configure the deployment options as prompted.
11. Click OK to close the ASA Configuration dialog box.
12. In the Decorators area, select vDP. The Radware: Virtual DefensePro - Configuration dialog box appears. Configure the following fields under the General Information tab.
13. If you have more than one vDP version uploaded to the FXOS chassis, select the version you want to use in the Version drop-down.
14. If you have a resource configurable Radware DefensePro application, a list of supported resource profiles appears under the Resource Profile drop-down. Select the resource profile you want to assign to the device. If you do not select a resource profile, the default setting is used.
15. Under the Management Interface drop-down, choose the management interface you created earlier in this procedure.
16. Select the Address Type to be used: IPv4 only.
17. Configure the following fields, depending on your Address Type selection from the previous step.
a. In the Management IP field, configure a local IP address.
c. Enter a Network Gateway address.
18. Click the check box next to each data port that you want to assign to the vDP decorator. For each data port you select, all ingress traffic will first go through the vDP decorator before reaching the ASA. All egress traffic will be sent through the ASA first, and then sent to vDP.
The FXOS Chassis deploys the logical device and vDP decorator by downloading the specified software versions and pushing the bootstrap configuration and management interface settings to the specified security module.
21. Set a password for the DefensePro application. Note that the application does not come online until you set a password. For more information, see the Radware DefensePro DDoS Mitigation User Guide on cisco.com.
Note: When you deploy a cluster on the Firepower 9300, the system automatically creates port-channel 48 for security module-to-module communications. To use it as the Cluster Control Link for the ASA cluster, you must configure the cluster on the default port-channel 48 with no member interfaces.
Note: Service Chaining is not supported in an inter-chassis cluster or Active/Active failover configuration. However, the Radware DefensePro (vDP) application can be deployed in a standalone configuration in an inter-chassis cluster scenario.
1. Choose Logical Devices to open the Logical Devices page.
2. Click Add Device to open the Add Device dialog box.
3. For the Device Name, provide a name for the logical device.
4. For the Template, choose asa.
5. For the Image Version, choose the ASA software version.
6. For the Device Mode, click the Cluster radio button.
7. Click the Create New Cluster radio button.
8. Click OK. You see the Provisioning - device name window.
9. Expand the Data Ports area, and click each interface that you want to assign to the ASA.
10. Click the device icon in the center of the screen. The ASA Configuration dialog box appears.
11. Configure the deployment options as prompted.
12. Click OK to close the ASA Configuration dialog box.
Note: In the Management IP Pool field, configure a pool of local IP addresses, one of which will be assigned to each cluster unit for the interface, by entering the starting and ending addresses separated by a hyphen. Include at least as many addresses as there are units in the cluster. If you plan to expand the cluster, include additional addresses. The Virtual IP address (known as the Main cluster IP address) that belongs to the current primary unit is not part of this pool; be sure to reserve an IP address on the same network for the virtual IP address.
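The pool rules in the note above are easy to get wrong when sizing a cluster by hand, so here is an added validator (example code, not from the Cisco guide) that checks a "start-end" pool against the unit count and the reserved virtual IP. The management subnet prefix length and the sample addresses are assumptions; the guide does not specify them.

```python
"""Validate an ASA cluster Management IP Pool as described in the note above.

Rules checked (from the note):
  * the pool is entered as "start-end" and stays within one network
  * the pool holds at least as many addresses as there are cluster units
    (plus any spare addresses reserved for future expansion)
  * the virtual (Main cluster) IP address is NOT inside the pool
  * the virtual IP address is on the same network as the pool
"""
import ipaddress


def validate_mgmt_pool(pool, virtual_ip, units, prefix_len=24, spare=0):
    """Return a list of problems; an empty list means the pool is acceptable.

    pool        -- "start-end" string exactly as typed in the Management IP Pool field
    virtual_ip  -- the Main cluster IP address reserved outside the pool
    units       -- number of security modules in the cluster
    prefix_len  -- management subnet prefix length (assumption, not in the guide)
    spare       -- extra addresses to keep for cluster expansion
    """
    problems = []
    try:
        start_s, end_s = pool.split("-")
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
    except ValueError:
        return ["pool must be 'start-end' with two IPv4 addresses"]
    if end < start:
        return ["pool end address precedes start address"]
    # Same-network check: derive the subnet from the start address.
    network = ipaddress.ip_network(f"{start}/{prefix_len}", strict=False)
    if end not in network:
        problems.append(f"pool crosses the {network} boundary")
    size = int(end) - int(start) + 1
    if size < units + spare:
        problems.append(f"pool has {size} addresses, need {units + spare}")
    vip = ipaddress.IPv4Address(virtual_ip)
    if start <= vip <= end:
        problems.append(f"virtual IP {vip} must not be inside the pool")
    if vip not in network:
        problems.append(f"virtual IP {vip} is not on {network}")
    return problems


if __name__ == "__main__":
    # Constructed sample: three units, pool of three, virtual IP outside the pool.
    print(validate_mgmt_pool("10.1.1.10-10.1.1.12", "10.1.1.20", 3))
```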
13. In the Decorators area, select vDP. The Radware: Virtual DefensePro - Configuration dialog box appears. Configure the following fields under the General Information tab.
14. If you have more than one vDP version uploaded to the FXOS chassis, select the vDP version you want to use in the Version drop-down.
15. If you have a resource configurable Radware DefensePro application, a list of supported resource profiles appears under the Resource Profile drop-down. Select the resource profile you want to assign to the device. If you do not select a resource profile, the default setting is used.
16. Under the Management Interface drop-down, choose a management interface.
17. Click the check box next to each data port that you want to assign to the vDP decorator. For each data port you select, all ingress traffic will first go through the vDP decorator before reaching the ASA. All egress traffic will be sent through the ASA first, and then sent to vDP.
18. Click the Interface Information tab.
19. Select the Address Type to be used: IPv4 only.
20. Configure the following fields for each Security Module. The fields displayed depend on your Address Type selection from the previous step.
a. In the Management IP field, configure a local IP address.
c. Enter a Network Gateway address.
The FXOS Chassis deploys the logical device and vDP decorator by downloading the specified software versions and pushing the bootstrap configuration and management interface settings to the specified security module(s).
23. Set a password for the DefensePro application. Note that the application does not come online until you set a password. For more information, see the Radware DefensePro DDoS Mitigation User Guide on cisco.com.
After installing the vDP application instances on the ASA cluster, you must then verify whether the DefensePro instances are configured in a cluster.
1. Choose Logical Devices to open the Logical Devices page.
2. Scroll through the list of configured logical devices to the entries for vDP. Verify their Attributes listed in the Management IP column.
- If the CLUSTER-ROLE element displays as unknown for the DefensePro instances, you must enter the DefensePro application and configure the master IP address to complete the creation of the vDP cluster. To do this, follow the procedure detailed in Cluster the vDP Application Instances, below.
- If the CLUSTER-ROLE element displays as primary or secondary for the DefensePro instances, the applications are online and formed in a cluster.
After you install vDP instances on the ASA cluster, you must enter the vDP CLI to cluster the vDP instances. Note that if you have set up your vDP service chain in a standalone configuration, you do not need to perform these steps.
2. Connect to the vDP application instance.
3. Use the given username and password (radware/radware) to log into the DefensePro application instance.
4. Show the cluster IP assigned to the vDP instance by the FXOS platform.
5. Set the Master IP to this assigned IP.
7. Exit the vDP application and return to the FXOS CLI.
8. Connect to the next vDP application instance.
9. Set the master IP to the cluster IP you found and assigned in steps 4 and 5 of this procedure.
11. Exit the vDP application and return to the FXOS CLI.
12. Repeat steps 8-11 on the third vDP application instance (if applicable). Once you have configured the master IP for all three vDP instances, the first instance is assigned primary and the other two are assigned secondary cluster-roles in the cluster.
13. Verify that the cluster is configured.
14. Exit the vDP application console and return to the FXOS module CLI.
In order for APSolute Vision to manage the Virtual DefensePro application deployed on the FXOS chassis, you must enable the vDP web interface.
1. From the FXOS CLI, connect to the vDP application instance.
2. Use the given username and password (radware/radware) to log into the DefensePro application instance.
4. Exit the vDP application console and return to the FXOS module CLI.
The Radware APSolute Vision Manager interfaces communicate with the Radware vDP application over various UDP/TCP ports. In order for the vDP application to communicate with the APSolute Vision Manager, you must ensure that these ports are accessible and not blocked by your firewall. For more information on which specific ports to open, see the following tables in the APSolute Vision User Guide: