Radware DefensePro Service Chain for Firepower Threat Defense Quick Start Guide
1. About Radware DefensePro Service Chaining for Firepower Threat Defense
Licensing Requirements for the Radware DefensePro Service Chain
APSolute Vision Manager Version Requirements
2. Deploy and Configure Radware vDP in a Service Chain
Configure a Management Interface and Data Interfaces
Deploy a Standalone Firepower Threat Defense Logical Device with a Radware DefensePro Service Chain
Deploy a Firepower Threat Defense Cluster with a Radware DefensePro Service Chain
First Published: December 20, 2016
Last Updated: June 14, 2018
The Cisco FXOS chassis can support multiple services (for example, a Firepower Threat Defense firewall and a third-party DDoS application) on a single blade. These applications can be linked together to form a Service Chain. In Firepower eXtensible Operating System (FXOS) 2.1.1 and later on the Firepower 4120, 4140, 4150, and 9300 security appliances, the third-party Radware DefensePro virtual platform can be installed to run in front of ASA or Firepower Threat Defense. Radware DefensePro is a KVM-based virtual platform that provides distributed denial-of-service (DDoS) detection and mitigation capabilities on the FXOS chassis. When Service Chaining is enabled on your FXOS chassis, ingress traffic from the network must first pass through the DefensePro virtual platform before reaching Firepower Threat Defense.
You can deploy Radware DefensePro with Firepower Threat Defense in the following modes:
Note: Service Chaining is not supported in an inter-chassis cluster configuration. However, the Radware DefensePro (vDP) application can be deployed in a standalone configuration in an inter-chassis cluster scenario. The DefensePro application can run as separate instances on up to three security modules.
Licensing for the Radware Virtual DefensePro application on Firepower 4100 and Firepower 9300 series security appliances is handled through the Radware APSolute Vision Manager. Go to the Cisco Commerce Workspace (CCW) to order a throughput license for your device. After submitting this request, you will receive a login and link to the Radware Portal, where you can then request a license.
For more information and documentation on Radware’s APSolute Vision Manager and throughput licensing requirements, see the documentation on Radware’s site (https://portals.radware.com/Customer/Home/Downloads/Management-Monitoring/?Product=APSolute-Vision). Note that you must be registered with Radware to access this portal.
Prior to deploying Radware vDP on your Firepower security appliance, you must ensure that your Chassis Manager is set to use an NTP Server, with the etc/UTC Time Zone.
1. In the Firepower Chassis Manager, choose Platform Settings to open the NTP area in the Platform Settings page.
2. Choose etc/UTC in the Time Zone drop-down list.
3. Under Set Time Source, select Use NTP Server:
4. Enter the IP address or hostname of the NTP server you want to use in the NTP Server field.
For more information about setting the date and time in your Firepower chassis, see the “Setting the Date and Time” topic in the Cisco FXOS CLI Configuration Guide or Cisco FXOS Firepower Chassis Manager Configuration Guide (http://www.cisco.com/go/firepower9300-config).
Radware APSolute Vision is the main management interface for vDP. In order for the APSolute Vision manager to support the full functionality offered by vDP and Firepower Threat Defense service chain integration, you must be on APSolute Vision version R3.40 or later.
Note: HTTPS management of Radware DefensePro requires APSolute Vision Manager. To manage Radware DefensePro locally without APSolute Vision Manager, you must use the FXOS CLI.
Configure a Management-type interface on the supervisor that you can include in the deployment configuration for the Firepower Threat Defense logical device and vDP decorator. You must also configure at least one Data-type interface.
1. In the Firepower Chassis Manager, choose Interfaces to open the Interfaces page.
b. For the Port Channel ID, enter a value between 1 and 47.
d. For the Type, choose Management or Data. You can only include one management interface per logical device. Do not choose Cluster.
e. Add member interfaces as desired.
a. Click the Edit icon in the interface row to open the Edit Interface dialog box.
c. For the Type, click Management or Data. You can only include one management interface per logical device.
The following procedure shows how to install the Radware DefensePro image, and configure it in a Service Chain in front of a Firepower Threat Defense standalone logical device.
Note: If you are installing Radware DefensePro on Firepower Threat Defense on a Firepower 4110 or 4120 device, you must deploy the decorator at the same time as the logical device. You cannot install the decorator after the logical device is already configured on the device. For more information, see Create a Standalone Threat Defense Logical Device in the Cisco FXOS Firepower Chassis Manager Configuration Guide.
1. Create a standalone Threat Defense logical device (see Create a Standalone Threat Defense Logical Device in the Cisco FXOS Firepower Chassis Manager Configuration Guide).
2. In the FXOS CLI, enter security services mode:
3. Install the Radware vDP image on the same slot that the Firepower Threat Defense is installed on:
5. Verify the installation and provisioning of vDP on the security module:
6. (Optional) Show the available supported resource profiles:
7. (Optional) Set the resource profile, using one of the available profiles from the previous step:
b. Enter the DefensePro application instance:
c. Enable the application instance:
8. After the vDP application is in an Online state, access the logical device:
9. Enter the Firepower Threat Defense logical device:
10. Assign the management interface to vDP. You can use the same physical interface as for the logical device, or you can use a separate interface.
11. Configure the external management for vDP:
b. Configure management IP address:
e. Exit management IP configuration scope:
f. Exit management bootstrap configuration scope:
12. Create external port link:
14. Add the third-party application to the logical device:
15. Verify whether the third-party application is set for the interface:
17. Set a password for the DefensePro application. Note that the application does not come online until you set a password. For more information, see the Radware DefensePro DDoS Mitigation User Guide on cisco.com.
The following procedure shows how to install the Radware DefensePro image, and configure it in a Service Chain in front of a Firepower Threat Defense intra-chassis cluster.
Note: Service Chaining is not supported in an inter-chassis cluster configuration. However, the Radware DefensePro (vDP) application can be deployed in a standalone configuration in an inter-chassis cluster scenario.
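The prerequisites this guide states are scattered across several sections (the etc/UTC time zone and NTP server, the 1 to 47 port-channel ID range, one Management interface and at least one Data interface per logical device with no Cluster-type interface, deploying the decorator together with the logical device on the 4110/4120, no Service Chaining in an inter-chassis cluster, and a DefensePro password before the application comes online). The following added example, which is not Cisco's or Radware's code, collects them into a preflight check over a planned deployment so that every violation is reported before anything is configured on the chassis. The plan data structure, the interface names, and the NTP hostname are assumptions constructed for this example.

```python
"""Preflight check for a planned Radware vDP service-chain deployment.

Added example (not Cisco's or Radware's code). The Plan/Interface layout is an
assumption made for this example; the rules encoded are the ones the guide states.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str
    type: str                              # "Management", "Data" or "Cluster"
    port_channel_id: Optional[int] = None  # None for a plain physical port


@dataclass
class Plan:
    platform: str                        # "4110", "4120", "4140", "4150" or "9300"
    time_zone: str
    ntp_server: Optional[str]
    interfaces: List[Interface]
    cluster_mode: str                    # "none", "intra-chassis" or "inter-chassis"
    service_chain: bool                  # vDP decorator placed in front of Threat Defense
    decorator_with_logical_device: bool  # decorator deployed in the same step as the logical device
    defensepro_password_set: bool


def preflight(plan: Plan) -> List[str]:
    """Return every violation of the guide's stated prerequisites (empty list means OK)."""
    problems: List[str] = []

    # Chassis Manager must use an NTP server with the etc/UTC time zone.
    if plan.time_zone != "etc/UTC":
        problems.append(f"time zone is {plan.time_zone!r}; it must be 'etc/UTC'")
    if not plan.ntp_server:
        problems.append("no NTP server configured (Set Time Source -> Use NTP Server)")

    # Port-channel IDs are limited to 1..47.
    for itf in plan.interfaces:
        if itf.port_channel_id is not None and not 1 <= itf.port_channel_id <= 47:
            problems.append(f"{itf.name}: port-channel ID {itf.port_channel_id} is outside 1-47")

    # Exactly one Management interface, at least one Data interface, never Cluster.
    types = [itf.type for itf in plan.interfaces]
    if types.count("Management") != 1:
        problems.append(f"expected exactly one Management interface, found {types.count('Management')}")
    if types.count("Data") < 1:
        problems.append("at least one Data interface is required")
    for itf in plan.interfaces:
        if itf.type == "Cluster":
            problems.append(f"{itf.name}: a Cluster-type interface cannot be used in the service chain")

    # On the 4110/4120 the decorator must be deployed together with the logical device.
    if plan.service_chain and plan.platform in {"4110", "4120"} and not plan.decorator_with_logical_device:
        problems.append("on the 4110/4120 the vDP decorator must be deployed at the same time as the logical device")

    # Service Chaining is not supported in an inter-chassis cluster.
    if plan.service_chain and plan.cluster_mode == "inter-chassis":
        problems.append("Service Chaining is not supported in an inter-chassis cluster; deploy vDP standalone instead")

    # DefensePro does not come online until a password is set.
    if not plan.defensepro_password_set:
        problems.append("DefensePro password not set; the application will not come online")

    return problems


def good_plan() -> Plan:
    """Constructed sample plan that satisfies every rule."""
    return Plan(
        platform="9300", time_zone="etc/UTC", ntp_server="ntp.example.internal",  # hostname is constructed
        interfaces=[Interface("Port-channel1", "Management", 1), Interface("Ethernet1/1", "Data")],
        cluster_mode="intra-chassis", service_chain=True,
        decorator_with_logical_device=True, defensepro_password_set=True,
    )


def bad_plan() -> Plan:
    """Constructed sample plan that breaks every rule at least once (9 findings)."""
    return Plan(
        platform="4120", time_zone="America/New_York", ntp_server=None,
        interfaces=[
            Interface("Port-channel48", "Management", 48),  # ID outside 1-47
            Interface("Port-channel2", "Management", 2),    # second Management interface
            Interface("Ethernet1/9", "Cluster"),            # Cluster type, and no Data interface at all
        ],
        cluster_mode="inter-chassis", service_chain=True,
        decorator_with_logical_device=False, defensepro_password_set=False,
    )


if __name__ == "__main__":
    for plan in (good_plan(), bad_plan()):
        print(f"{plan.platform}: " + ("; ".join(preflight(plan)) or "OK"))
```

Run it against your own plan before starting the FXOS CLI procedure; each finding names the section of this guide whose requirement it comes from, so the fix is a matter of changing the corresponding Chassis Manager or CLI setting.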
1. Configure Firepower Threat Defense cluster (see Configure Firepower Threat Defense Clustering in the Cisco FXOS Firepower Chassis Manager Configuration Guide).
2. Decorate external (client-facing) port with Radware DefensePro:
3. Assign the external management port for Firepower Threat Defense:
4. Assign the external management port for DefensePro:
5. (Optional) Show the available supported resource profiles:
6. (Optional) Set the resource profile, using one of the available profiles from the previous step:
b. Enter the DefensePro application instance:
c. Enable the application instance:
7. Configure cluster port channel:
8. Configure management bootstrap for all three DefensePro instances:
9. Exit management bootstrap configuration scope:
10. On the master blade, set the management IP and enable clustering:
12. Set a password for the DefensePro application. Note that the application does not come online until you set a password. For more information, see the Radware DefensePro DDoS Mitigation User Guide on cisco.com.
13. After completing this procedure, you must verify whether the DefensePro instances are configured in a cluster. To do so, scope the DefensePro instance and show the application attributes to verify which DefensePro instance is primary, and which one is secondary:
If the DefensePro application is online but not yet formed in a cluster, the CLI displays:
If the system displays this "unknown" value, you must enter the DefensePro application and configure the master IP address to create the vDP cluster.
If the DefensePro application is online and formed in a cluster, the CLI displays:
In order for APSolute Vision to manage the Virtual DefensePro application deployed on the FXOS chassis, you must enable the vDP web interface.
1. From the FXOS CLI, connect to the vDP application instance.
2. Use the given username and password (radware/radware) to log into the DefensePro application instance.
4. Exit the vDP application console and return to the FXOS module CLI.
The Radware APSolute Vision Manager interfaces communicate with the Radware vDP application with various UDP/TCP ports. In order for the vDP application to communicate with the APSolute Vision Manager, you must ensure that these ports are accessible and not blocked by your firewall. For more information on which specific ports to open, see the following tables in the APSolute Vision User Guide: