Hey we are back, this time I want to explore the section of the deployment of Umbrella, where we can configure a device to communicate and forward all traffic to Umbrella
We will concentrate on the section for Network Devices this time:
The main idea of this integration is that the devices will become an Identity, which you can use later to apply policy under any of your settings inside Umbrella
The ingredients:
- Firewall Management Center –> Currently running software version: 7.3.0
- Umbrella Subscription
Prerequisites
- Cisco Secure Firewall Management Center (FMC) running version 7.2 or above.
- FMC-managed Cisco Firepower Threat Defense (FTD) firewall running version 6.6 or above.
- FTD able to resolve and connect to api.opendns.com over port 443 for initial registration.
- FTD access over TCP and UDP on port 53 (DNS) to 208.67.220.220 and 208.67.222.222—the Cisco Umbrella public DNS resolvers.
- The Umbrella Digicert CA (registration server certificate) installed on the FTD devices. The certificate needs to be trusted for purposes of ‘SSL Server’ validation which is a non-default option in FMC.
- FMC Base license with ‘export-control’ functionality allowed.
- The FMC needs to be able to resolve management.api.umbrella.com for policy configuration
Things we will need from Umbrella
When you go to FMC –> Integration > Other Integrations > Cloud Services > Cisco Umbrella Connection – You will notice that there are a few requirements:
- Organization ID – You get this one from the url when you go to the Umbrella dashboard –> https://dashboard.umbrella.com/o/XXXXXXX/#/overview –> XXXXXXX will be your OrgID
- Network Device Key – Depending on your deployment, you may have to refresh the Key, copy the Key and the Secret ** You will be able to get this on the same place under Legacy API Keys
- Network Device Secret – This one gets generated once you refresh the Key
- Legacy Network Device Token: You get this one by going to Legacy Keys, look for Legacy Network Devices
After you finish hunting for all those keys and information, you will be ready to click the test button and it should be successful
Calling or defining Policies in FMC
This section may take a while, but your policies will make it to FMC, maybe after 5 minutes. How do we check this? In FMC, go to Policies –> DNS
For this example I created a DNS Umbrella Policy which I will be using to call my Policy in Umbrella, the next thing I will do is to create a New DNS Policy this time on Umbrella – I expect to see it show up in FMC after a few mins
Here is the example:
Be aware of the errors and correct them, I got this one when I was ready to save: Selected umbrella protection policy name contains space. Umbrella Protection Policy name cannot contains space. Create umbrella protection policy name without space in umbrella cloud and refresh.
How to add our DNS Policies to our Access Policy?
In this case you want to go to Policies –> Access Control
Select your policy and click Security Intelligence (Not very intuitive if you’re new here, but it will be there)
Select on the right your Umbrella Policy
At this point I decided that it was time to deploy my changes, now if everything is working properly I should be able to modify my Umbrella Policies
Next is to Deploy the Umbrella CA Certificate
This one is not very intuitive from the guides, yeah Umbrella Docs mentions it on the prerequisites, but no other guide shows you where and how to do it. Now the Umbrella docs tell you that you need the Umbrella Registration Certificate, which I found under the ASA Umbrella Connector Integration
Go to Objects –> Object Management
Under PKI go for Cert Enrollment
Add a new enrollment like in the next image – Make sure you select Manual for the Enrollment Type. The Umbrella certificate needs to be in .pem format – open it in a text editor and copy and past it, again, like in the image. *** Make sure you use the certificate from this guide –> ASA Umbrella Connector Integration
Once this is done, we are going to Devices –> Certificates
Click add and configure it like this for each of your FTD appliances
Troubleshooting
I recently had a quick issue that was driving me nuts, the FTD Devices were not showing up on my Network Devices (Umbrella Dashboard). Here are some of the things that I did
Went to my Platform Settings Policy and made sure the DNS was correctly configured and I had Umbrella on my trusted DNS Servers
The next step was the Umbrella Certificate – you need the Registration certificate not the Root CA – which I did not know because the documentation did not point to this one. So I started looking at the ASA Integration guide, and I found the PEM format of the Umbrella Registration Cert.
-----BEGIN CERTIFICATE-----
MIIE6jCCA9KgAwIBAgIQCjUI1VwpKwF9+K1lwA/35DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw
HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0yMDA5MjQwMDAwMDBaFw0zMDA5MjMy
MzU5NTlaME8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERp
Z2lDZXJ0IFRMUyBSU0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6aqXodgojl
EVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddng9/n00tnTCJRpt8OmRDt
V1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuWraKImxW8oHzf6VGo1bDtN+I2tIJLYrVJ
muzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGBAfr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkD
Ka77SU+kFbnO8lwZV21reacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBrjCCAaowHQYDVR0OBBYE
FLdrouqoqoSMeeq02g+YssWVdrn0MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgw
BgEB/wIBADB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xv
YmFsUm9vdENBLmNydDB7BgNVHR8EdDByMDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDAGA1UdIAQpMCcwBwYFZ4EMAQEwCAYGZ4EMAQIBMAgG
BmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEBAHert3onPa679n/gWlbJhKrKW3EX
3SJH/E6f7tDBpATho+vFScH90cnfjK+URSxGKqNjOSD5nkoklEHIqdninFQFBstcHL4AGw+oWv8Z
u2XHFq8hVt1hBcnpj5h232sb0HIMULkwKXq/YFkQZhM6LawVEWwtIwwCPgU7/uWhnOKK24fXSuhe
50gG66sSmvKvhMNbg0qZgYOrAKHKCjxMoiWJKiKnpPMzTFuMLhoClw+dj20tlQj7T9rxkTgl4Zxu
YRiHas6xuwAwapu3r9rxxZf+ingkquqTgLozZXq8oXfpf2kUCwA/d5KxTVtzhwoT0JzI8ks5T1KE
SaZMkE4f97Q=
-----END CERTIFICATE-----
Then I moved to Devices --> Certificates and enrolled the 2 new certs.
Last but not least, I regenerated my API Keys in Umbrella and got a good connection this time. I don't think I needed this specific piece, but at this point I needed to test everything
About the Author:
Andres Sarmiento, CCIE # 53520
With over 18 years of professional experience, Andres is a specialist in Unified Communications and Collaboration technologies, Enterprise Networks, and Network Security. He has consulted for numerous companies in South Florida, including Financial Institutions, on behalf of Cisco Systems. Andres has played a key role in several high-profile implementations, utilizing Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT Service Provider infrastructures.
Excellent document!!!!! Thank you!