Cisco Firepower Logic Apps connector and playbook templates
Overview
The Cisco Firepower Management Center (formerly FireSIGHT Management Center) is the administrative nerve center for select Cisco security products running on a number of different platforms. It provides complete and unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
This integration allows you to automate the response to Azure Sentinel incidents that contain IPs or URLs. It contains the basic connector component, with which you can create your own playbooks that interact with Cisco Firepower. It also contains 3 playbook templates ready for quick use: 2 directly modify the Cisco Firepower configuration and 1 allows direct response on Cisco Firepower from Microsoft Teams.
Prerequisites
Authentication
In Cisco Firepower, create a user and give it the appropriate user role in the domain in which you want the playbooks to modify network group objects.
Options to establish a connection with Cisco Firepower
The connector needs to be able to reach the Cisco Firepower REST API. A few options are:
- Over the internet
- Using Logic Apps gateway
- Secure tunnel between your network and Azure
Over the internet
You can make the Cisco Firepower REST API available on the internet. You can use IP filtering to restrict access. To find the IP addresses that need access, go to your Logic App instance and open its properties. The field 'Connector outgoing IP addresses' lists the IP addresses Azure uses when your Logic App calls the connector. Logic Apps also needs to be able to validate the SSL certificate used by the REST API.
Using Logic Apps gateway
On a server in your network, install the on-premises data gateway; see Install on-premises data gateway for Azure Logic Apps. The server on which the data gateway is installed needs to be able to reach the Cisco Firepower REST API. The SSL certificate used by the Cisco Firepower REST API, including its certificate chain, must also be validatable on that server. When deploying the Cisco Firepower connector, choose the option via on-premises data gateway. When using the connector you will be asked to select the data gateway you want to use.
Secure tunnel between your network and Azure
Create an Azure Virtual Network and connect it to your on-premises network using Azure VPN; for information see Overview of partner VPN device configurations. When creating the Logic App, make sure to select the option 'Associate with integration service environment'. When the Logic App is created you can connect it to the Azure Virtual Network. See Connect to Azure virtual networks from Azure Logic Apps by using an integration service environment (ISE) and Access to Azure Virtual Network resources from Azure Logic Apps by using integration service environments (ISEs) for documentation.
Deployment instructions
1. Deploy the custom connector
The custom connector should be deployed in the Resource Group where the playbooks that will include it are located. There are two options for the custom connector: one that does not connect via the on-premises data gateway and one that does.
Connector not via on-premises data gateway
- Deploy the Custom Connector by clicking the "Deploy to Azure" button. This will take you to the wizard for deploying an ARM Template.
- Fill in the required parameters:
  - Connector name: the name of the custom connector (e.g. Cisco Firepower connector)
  - Service Endpoint: the URL of the Cisco Firepower REST API
Connector via on-premises data gateway
- Deploy the Custom Connector by clicking the "Deploy to Azure" button. This will take you to the wizard for deploying an ARM Template.
- Fill in the required parameters:
  - Connector name: the name of the custom connector (e.g. Cisco Firepower connector)
  - Service Endpoint: the URL of the Cisco Firepower REST API
2. Deploy the required playbook template (or create your own playbook from scratch)
This integration offers 3 playbook templates that block IPs in 3 different ways. Each one has its own documentation and quick deployment button:
- Cisco Firepower - Add FQDN to a Network Group object
- Cisco Firepower - Add IP Addresses to a Network Group object
- Cisco Firepower - Add IP Addresses to a Network Group object with Teams
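As an added example that is not part of this integration's connector or playbooks: the core of what the "Add IP Addresses to a Network Group object" templates do to the object, written as a pure Python function that merges incident IPs into a network group's list of literals, with the checks a playbook author would want before writing the object back (malformed indicators, duplicates, and internal ranges that would block your own traffic). The JSON layout (`literals` entries with `type` and `value`), the `Host`/`Network` type names, the object id and the sample addresses are assumptions or constructed values; reading and writing the object through the REST API is left out.

```python
import ipaddress
from copy import deepcopy

# Constructed sample of a Firepower network group object as the playbook would
# receive it from the REST API (the "literals" layout is an assumption here).
SAMPLE_GROUP = {
    "type": "NetworkGroup",
    "name": "Sentinel-Blocklist",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder object id
    "literals": [{"type": "Host", "value": "203.0.113.10"}],
}

# Ranges a blocklist fed from incidents should never contain (assumed policy).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def add_ips_to_group(group, candidates):
    """Return (updated group, skipped) with valid, new IPs appended as literals.

    Each candidate is parsed as an address or CIDR; entries that are malformed,
    overlap an internal range, or are already present are reported in `skipped`
    as (candidate, reason) instead of being added. The input object is not
    modified, so the caller can diff before and after.
    """
    updated = deepcopy(group)
    literals = updated.setdefault("literals", [])
    present = {lit["value"] for lit in literals}
    skipped = []
    for raw in candidates:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            skipped.append((raw, "not an IP address or CIDR"))
            continue
        if any(net.overlaps(r) for r in INTERNAL_RANGES if r.version == net.version):
            skipped.append((raw, "overlaps an internal range"))
            continue
        # A single host is stored as "Host", a prefix as "Network" (assumed type names).
        if net.num_addresses == 1:
            value, kind = str(net.network_address), "Host"
        else:
            value, kind = str(net), "Network"
        if value in present:
            skipped.append((raw, "already in group"))
            continue
        literals.append({"type": kind, "value": value})
        present.add(value)
    return updated, skipped
```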