Not all policies can be static when connecting to a network using a remote access VPN. A static policy might not work for everyone because a user’s location might require stricter access, the user’s device may have an operating system that is not supported by IT or allowed on the network, or the device may be lacking certain security software. With a dynamic access policy (DAP), the administrator can take these important factors into consideration and have better control over the kind of access that a user should have, based on criteria other than just a username and password.
Cisco Secure Firewall Management Center (formerly Firepower Management Center) started supporting DAP configuration in version 7.0. The DAP allows the administrator to configure a remote access VPN authorization that automatically adapts to a changing environment that might need different policies applied to users, depending on certain criteria set by the administrator. This configuration ability has become more important with more users working from home.
The DAP is not enabled by default; because of this, other policies might apply. For example, on a remote access VPN policy, Secure Firewall Management Center can assign four possible policy enforcements, but only one can be used. They are:
When a remote access VPN user connects to a firewall whose policy was deployed from Firewall Management Center, the firewall evaluates the policy enforcements from top to bottom and applies the first one that matches. By default, no DAP, user attributes, or group policy attributes are enabled on Firewall Management Center for deployment to the firewall, so only the group policy attributes associated with a connection profile are applied to a VPN session. The connection profile's default group policy, DfltGrpPolicy, gives the VPN user unrestricted access to the network. A DAP can address this problem.
Note: Although HostScan is now called Secure Firewall Posture, the latest Firewall Management Center user interface still refers to this feature by its previous name.
On Secure Firewall Management Center, navigate to Devices > Dynamic Access Policy.
Click the Create Dynamic Access Policy button to create a new DAP.
From the window, give the DAP a name, and select a Secure Firewall Posture (HostScan) package to use. If there is no package already uploaded to Firewall Management Center, then click the Create New link.
Click the Add Secure Client File button to add a new file.
From the window, give the Secure Client file a name. In the File Name field, choose the Secure Firewall Posture file that you want to use, and in the File Type field, choose HostScan Package. Click Save.
From the Create Dynamic Access Policy window, select the new HostScan package that was created and uploaded to Firewall Management Center, and click Save.
Click the Create DAP Record button, which will allow you to create DAP rules that will affect the remote access VPN users.
When creating a DAP record, there are four menu options available: General, AAA Criteria, Endpoint Criteria, and Advanced. In this tutorial, we will be working only on the first three and not Advanced.
The General menu is used to name your DAP record, select an action, and choose a result—user pop-up message, access control list (ACL), or Secure Client custom attributes—if the record matches, based on the criteria that is selected by the administrator.
The record has three possible actions: Continue, Terminate, or Quarantine.
Continue (default): This action applies access policy attributes to the session—ACL, user pop-up message, or Secure Client custom attributes.
Quarantine: With the Quarantine action, you can restrict a particular remote access client device that already has an established VPN tunnel. This is done using Endpoint Criteria, which allows the administrator to set posture conditions that the remote access VPN client device must meet during the posture assessment performed by Secure Client. If the client does not meet the posture conditions in Endpoint Criteria, Cisco Secure Firewall Threat Defense restricts access, using ACLs to limit the user to only the remediation servers that can bring the client back into compliance. The client might be out of compliance because a required hotfix is not installed on the user's Microsoft Windows 10 OS, or because a required security application is missing. After the fix is applied, the user can reconnect, which invokes a new posture assessment. If this assessment passes, the user connects. This action requires a Cisco Secure Client release that supports this feature.
Terminate: If a remote access VPN client device matches a DAP record with a Terminate action, the session will be disconnected. The only result that you can send the user is a pop-up message.
Note: If the DAP record matches, you can apply a user pop-up message that the remote access VPN user gets, an ACL to limit access, and Secure Client custom attributes. You can apply all three results or only one, depending on the security policy that the administrator wants to apply to the user or users. Remember, the Terminate action only supports sending a user pop-up message.
In order to apply an ACL, if not already created on Firewall Management Center, click the Create New link.
This action will bring up the Extended ACL window. To create a new ACL, click the Add Extended Access List button.
Name the ACL, and click Add to add a new entry.
In the Action drop-down menu, select Allow. From the Network tab, add the subnet objects to the destination section.
From the Port tab, add the ports that are needed to be accessed on the subnet objects that were selected. Click Add.
A new entry is now added. More can be added later if required.
From the General menu, select the ACL that was created.
The AAA Criteria menu is used to select the criteria that a user might get from a Cisco VPN configuration or LDAP, RADIUS, or Security Assertion Markup Language (SAML) server.
From the Cisco VPN Criteria field, select the + button, and click Group Policy.
From the Group Policy menu, select the group policy that the DAP record will match.
As you can see, we have selected a group policy. The Op. column shows =, which means that the operator is set to equal. It can also be set to not equal.
The Endpoint Criteria menu is used to select the criteria that the Secure Firewall Posture (HostScan) service running on Secure Client will look for on the host computer that is connecting with a remote access VPN.
From the Operating System field, click the + button to add a new OS to match.
From the Operating System drop-down menu, select the OS to match for the DAP record, and click Save.
From the Personal Firewall field, click the + button to add a new firewall to match.
From the Personal Firewall menu, choose the Installed check box, and choose Enabled in the Firewall Protection field. In the Vendor drop-down field, select Microsoft Corporation, and in the Product Description field, select Windows Firewall. Click Save.
Notice that we have configured two endpoint criteria to match.
Notice that we now have one DAP record. From here, we will create another record by clicking the Create DAP Record button.
As you can see below, we are following the same steps as before to create a new DAP record, but this time we are adding a new group of users to which we want to apply restrictions.
This DAP will be applied to another set of users, and it will also have a user pop-up message and ACL.
The group policy has now been added for AAA Criteria.
We are now looking for anti-malware software to be installed and a personal firewall for Endpoint Criteria.
Now we have two DAP records.
The two DAP records created so far use the Continue action. However, what if we have a remote access VPN session that does not meet the policy and needs to be remediated? In this case, the reason for remediation is that the posture assessment did not find an installed hotfix for a Windows 10 security issue.
For this DAP record, we will be using the Quarantine action. We will display a user pop-up message and create an ACL that gives the user access to two servers to install the hotfix. To start, click the Create New link.
From the Extended ACL window, click the Add Extended Access List button.
Give the ACL a name, and click Add.
In the Action field, choose Allow, and from the Network tab, select the two servers that the user needs access to apply the hotfix.
From the Port tab, select the ports that will allow the user to download the hotfix files, and click Add.
Once the ACL is created, select it in the ACL drop-down.
AAA Criteria will look for two possible group policies to match this DAP record.
From the Endpoint Criteria tab, match a Windows 10 host and check that the hotfix is not installed.
Note: In the Type column, for Hot Fix, we are using not equal. This means the DAP record matches when the posture assessment returned by Secure Firewall Posture (HostScan) did not find the hotfix.
We now have three DAP records, but there is a default record at the bottom. This should be set to Terminate. By default, it is set to Continue. To change the action, click the Continue button.
Choose Terminate in the Action field, and write a user pop-up message.
The DAP is now ready to be applied to the remote access policy.
On Secure Firewall Management Center, navigate to Devices > Remote Access.
Click the pencil icon next to the remote access policy to which you want to apply the DAP.
In the upper right-hand corner, click the None link next to Dynamic Access Policy.
From the menu, select the DAP, and click OK.
In the top right-hand corner, click Save to apply the changes to Firewall Management Center.
Click the Deploy button to deploy the change to Firewall Threat Defense.
After applying the DAP, on Firewall Threat Defense, issue the show running-config dynamic-access-policy-record command to verify that the DAP was applied.
> show running-config dynamic-access-policy-record
dynamic-access-policy-record Not_Using_Windows_10_Hotfix
user-message "Sorry, you have been place into quarantine, you will only have access
to remediation servers SRV-1, and SRV-2 to patch your system with Hotfix.
Once your system is remediated, please re-login."
network-acl SRV1-SRV2_Servers_DAP_ACL
action quarantine
priority 10
dynamic-access-policy-record DfltAccessPolicy
user-message "You don not meet the policy. Your session has been terminated."
action terminate
dynamic-access-policy-record Sales_Policy
user-message "Welcome to the Sales Policy."
network-acl Sales_DAP_ACL
priority 10
dynamic-access-policy-record HR_Policy
user-message "Welcome to the HR Policy."
network-acl HR_DAP_ACL
priority 10
On the Firewall Threat Defense flash, you will see dap.xml, which contains the DAP that was deployed to Threat Defense.
> show flash:
--#-- --length-- -----date/time------ path
75 5192 Feb 09 2024 16:17:16 asa-cmd-server.log
110 4096 Jan 11 2024 22:44:28 log
118 354777 Jan 11 2024 22:39:28 log/asa-appagent.log
119 29877 Feb 09 2024 16:18:02 log/lina_monitor.log
120 43 Feb 09 2024 16:17:26 log/stdout_offload_app.log
121 76798 Feb 09 2024 16:17:40 log/asa_snmp.log
122 0 Jan 11 2024 22:44:28 log/fover_cd.log
123 9536 Feb 09 2024 16:20:40 log/asa-appagent-hb.log
124 0 Jan 11 2024 22:44:28 log/asa-msglyr.log
125 39 Feb 09 2024 16:17:28 snortpacketinfo.conf
126 4024 Feb 09 2024 16:17:58 dpdk.log
175 4096 Oct 14 2021 23:00:06 coredumpinfo
177 59 Oct 14 2021 23:00:06 coredumpinfo/coredump.cfg
178 0 Feb 09 2024 16:49:50 hitcnt_del_ruleid_list
179 4096 Jan 01 1980 00:00:00 FSCK0000.REC
180 28672 Jan 01 1980 00:00:00 FSCK0001.REC
181 4096 Jan 01 1980 00:00:00 FSCK0002.REC
182 6527 Jan 11 2024 22:19:18 backup-config.cfg
183 6416 Jan 11 2024 22:19:18 modified-config.cfg
184 4096 Jun 02 2022 23:40:32 packet-tracer
185 4096 Feb 09 2024 16:50:16 csm
187 116793174 Feb 06 2024 21:07:58 csm/cisco-secure-client-win-5.1.1.42-webdeploy-k9.pkg
192 122163108 Feb 09 2024 16:48:28 csm/secure-firewall-posture-5.1.1.42-k9.pkg
193 4754 Feb 09 2024 16:48:26 dap.xml < --- DAP XML
194 4096 Feb 09 2024 16:50:36 sdesktop
201 1356 Feb 09 2024 16:50:36 sdesktop/data.xml
8571076608 bytes total (8328040448 bytes free)
To view the contents of dap.xml, use the more command in the Firewall Threat Defense diagnostic-cli mode.
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ftd-0> ena
Password:
ftd-0#
ftd-0#
ftd-0# more flash
ftd-0# more flash:/dap.xml
<?xml version="1.0" encoding="UTF-8"?>
<dapRecordList>
<dapRecord>
<dapName>
<value>Sales_Policy</value>
</dapName>
<dapViewsRelation>
<value>and</value>
</dapViewsRelation>
<dapBasicView>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<attr>
<name>aaa.cisco.grouppolicy</name>
<operation>EQ</operation>
<value>Sales_Users</value>
<type>GroupPolicy</type>
</attr>
</dapSelection>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<dapSubSelection>
<dapPolicy>
<value>match-all</value>
</dapPolicy>
<attr>
<name>endpoint.os.version</name>
<operation>EQ</operation>
<value>Windows 10</value>
</attr>
</dapSubSelection>
</dapSelection>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<dapSubSelection>
<dapPolicy>
<value>match-all</value>
</dapPolicy>
<attr>
<name>endpoint.pfw["283"].enabled</name>
<operation>EQ</operation>
<value>ok</value>
</attr>
<attr>
<name>endpoint.pfw["283"].description</name>
<operation>EQ</operation>
<value>Windows Firewall</value>
<displayValue>Windows Firewall</displayValue>
</attr>
</dapSubSelection>
</dapSelection>
</dapBasicView>
</dapRecord>
<dapRecord>
<dapName>
<value>HR_Policy</value>
</dapName>
<dapViewsRelation>
<value>and</value>
</dapViewsRelation>
<dapBasicView>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<attr>
<name>aaa.cisco.grouppolicy</name>
<operation>EQ</operation>
<value>HR_Users</value>
<type>GroupPolicy</type>
</attr>
</dapSelection>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<dapSubSelection>
<dapPolicy>
<value>match-all</value>
</dapPolicy>
<attr>
<name>endpoint.am["100221"].activescan</name>
<operation>EQ</operation>
<value>ok</value>
</attr>
<attr>
<name>endpoint.am["100221"].description</name>
<operation>EQ</operation>
<value>Webroot SecureAnywhere (Mac)</value>
<displayValue>Webroot SecureAnywhere (Mac)</displayValue>
</attr>
</dapSubSelection>
</dapSelection>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<dapSubSelection>
<dapPolicy>
<value>match-all</value>
</dapPolicy>
<attr>
<name>endpoint.pfw["283"].enabled</name>
<operation>EQ</operation>
<value>ok</value>
</attr>
<attr>
<name>endpoint.pfw["283"].description</name>
<operation>EQ</operation>
<value>Windows Firewall</value>
<displayValue>Windows Firewall</displayValue>
</attr>
</dapSubSelection>
</dapSelection>
</dapBasicView>
</dapRecord>
<dapRecord>
<dapName>
<value>Not_Using_Windows_10_Hotfix</value>
</dapName>
<dapViewsRelation>
<value>and</value>
</dapViewsRelation>
<dapBasicView>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<attr>
<name>aaa.cisco.grouppolicy</name>
<operation>EQ</operation>
<value>HR_Users</value>
<type>GroupPolicy</type>
</attr>
<attr>
<name>aaa.cisco.grouppolicy</name>
<operation>EQ</operation>
<value>Sales_Users</value>
<type>GroupPolicy</type>
</attr>
</dapSelection>
<dapSelection>
<dapPolicy>
<value>match-any</value>
</dapPolicy>
<dapSubSelection>
<dapPolicy>
<value>match-all</value>
</dapPolicy>
<attr>
<name>endpoint.os.version</name>
<operation>EQ</operation>
<value>Windows 10</value>
</attr>
<attr>
<name>endpoint.os.hotfix["KB4495590"]</name>
<operation>NE</operation>
<value>true</value>
<type>caseless</type>
</attr>
</dapSubSelection>
</dapSelection>
</dapBasicView>
</dapRecord>
</dapRecordList>
Note: The dap.xml file contains the DAP selection attributes that were generated from Firewall Management Center.
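As an added illustration (not part of the original article and not Cisco's code), the following Python script models how the dap.xml records above are structured and matched: a record matches when every dapSelection under its dapBasicView matches; a match-any selection matches if any of its attr elements or dapSubSelection elements does; a match-all sub-selection needs all of its attr elements; EQ compares values (case-insensitively when the type is caseless), and NE also holds when the posture scan reported no such attribute at all, which is how the "hotfix not found" record fires. The matching rules, the condensed dap.xml excerpt, the session attribute dictionaries, and the parse_trace helper (which reads the name = "value"; lines of the debug dap trace output) are all assumptions constructed here; the real firewall's evaluation, including how several matching records are combined, is not reproduced.

```python
# Added example (not from the article or Cisco): a toy evaluator for the dap.xml
# record layout shown above. The matching rules are a simplified model (assumption).
import xml.etree.ElementTree as ET

# Constructed excerpt of dap.xml in the same element layout as the file on flash,
# condensed to two of the three records; the element nesting is unchanged.
DAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dapRecordList>
 <dapRecord><dapName><value>Sales_Policy</value></dapName><dapBasicView>
  <dapSelection><dapPolicy><value>match-any</value></dapPolicy>
   <attr><name>aaa.cisco.grouppolicy</name><operation>EQ</operation><value>Sales_Users</value></attr>
  </dapSelection>
  <dapSelection><dapPolicy><value>match-any</value></dapPolicy>
   <dapSubSelection><dapPolicy><value>match-all</value></dapPolicy>
    <attr><name>endpoint.os.version</name><operation>EQ</operation><value>Windows 10</value></attr>
   </dapSubSelection></dapSelection>
  <dapSelection><dapPolicy><value>match-any</value></dapPolicy>
   <dapSubSelection><dapPolicy><value>match-all</value></dapPolicy>
    <attr><name>endpoint.pfw["283"].enabled</name><operation>EQ</operation><value>ok</value></attr>
    <attr><name>endpoint.pfw["283"].description</name><operation>EQ</operation><value>Windows Firewall</value></attr>
   </dapSubSelection></dapSelection>
 </dapBasicView></dapRecord>
 <dapRecord><dapName><value>Not_Using_Windows_10_Hotfix</value></dapName><dapBasicView>
  <dapSelection><dapPolicy><value>match-any</value></dapPolicy>
   <attr><name>aaa.cisco.grouppolicy</name><operation>EQ</operation><value>HR_Users</value></attr>
   <attr><name>aaa.cisco.grouppolicy</name><operation>EQ</operation><value>Sales_Users</value></attr>
  </dapSelection>
  <dapSelection><dapPolicy><value>match-any</value></dapPolicy>
   <dapSubSelection><dapPolicy><value>match-all</value></dapPolicy>
    <attr><name>endpoint.os.version</name><operation>EQ</operation><value>Windows 10</value></attr>
    <attr><name>endpoint.os.hotfix["KB4495590"]</name><operation>NE</operation><value>true</value><type>caseless</type></attr>
   </dapSubSelection></dapSelection>
 </dapBasicView></dapRecord>
</dapRecordList>
"""


def _attr_matches(attr, session):
    """One <attr>: an attribute the posture scan never reported counts as "", so EQ fails and NE succeeds."""
    name, op = attr.findtext("name"), attr.findtext("operation")
    want, got = attr.findtext("value", default=""), session.get(name, "")
    if attr.findtext("type") == "caseless":
        want, got = want.lower(), got.lower()
    if op == "EQ":
        return got == want
    if op == "NE":
        return got != want
    raise ValueError(f"unsupported operation {op!r}")


def _selection_matches(sel, session):
    """<dapSelection>/<dapSubSelection>: combine child attrs and sub-selections per the element's dapPolicy."""
    policy = sel.findtext("dapPolicy/value", default="match-all")
    results = [_attr_matches(a, session) for a in sel.findall("attr")]
    results += [_selection_matches(s, session) for s in sel.findall("dapSubSelection")]
    if not results:
        return True
    return any(results) if policy == "match-any" else all(results)


def matching_records(dap_xml, session):
    """Names of the records whose dapSelection elements all match (they are ANDed)."""
    root = ET.fromstring(dap_xml.encode("utf-8"))
    return [rec.findtext("dapName/value") for rec in root.findall("dapRecord")
            if all(_selection_matches(s, session)
                   for s in rec.findall("dapBasicView/dapSelection"))]


def parse_trace(trace):
    """Turn the name = "value"; lines of a debug dap trace into a session dict (constructed format)."""
    session = {}
    for line in trace.splitlines():
        line = line.strip()
        if " = " in line and line.endswith(";"):
            name, _, value = line.partition(" = ")
            session[name.strip()] = value[:-1].strip().strip('"')
    return session


def decide(session):
    """Matched record names, or the default record when none matches (assumption about the default record)."""
    return matching_records(DAP_XML, session) or ["DfltAccessPolicy"]


# Constructed session attributes, modelled on the debug dap trace output format.
TRACE_UNPATCHED_HR = """DAP_TRACE[5]: Username: ad1, DAP_add_AC:
endpoint.anyconnect.clientversion = "4.10.06079";
aaa.cisco.grouppolicy = "HR_Users";
endpoint.os.version = "Windows 10";
endpoint.pfw["283"].enabled = "ok";
endpoint.pfw["283"].description = "Windows Firewall";
"""
# Same host, but in Sales_Users and with the hotfix present; "TRUE" exercises the caseless type.
PATCHED_SALES = {**parse_trace(TRACE_UNPATCHED_HR),
                 "aaa.cisco.grouppolicy": "Sales_Users",
                 'endpoint.os.hotfix["KB4495590"]': "TRUE"}
MAC_CONTRACTOR = {"aaa.cisco.grouppolicy": "Contractors", "endpoint.os.version": "Mac OS X"}

if __name__ == "__main__":
    for label, s in [("unpatched HR", parse_trace(TRACE_UNPATCHED_HR)),
                     ("patched Sales", PATCHED_SALES), ("mac contractor", MAC_CONTRACTOR)]:
        print(f"{label}: {decide(s)}")
```

Running the script shows the unpatched HR host matching only Not_Using_Windows_10_Hotfix (the quarantine record), the patched Sales host matching only Sales_Policy, and the macOS contractor falling through to the default record. An unpatched Sales host would match both Sales_Policy and the quarantine record; this toy simply lists both, whereas the firewall itself decides how multiple matching records are combined.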
The Firewall Threat Defense CLI also provides DAP debugs for trace and error outputs. The trace shows endpoint or AAA criteria that the DAP scan is seeing—for example, which applications we are detecting and which versions. This can be useful to make sure that we are matching what we are intending on the DAP record.
> debug dap trace 255
debug dap trace enabled at level 255
> debug dap error
debug dap errors enabled at level 1
DAP_TRACE: DAP_open: New DAP Request: 9
DAP_TRACE[5]: Username: ad1, DAP_add_AC:
endpoint.anyconnect.clientversion = "4.10.06079";
endpoint.anyconnect.platform = "mac-intel";
endpoint.anyconnect.devicetype = "MacBookPro17,1";
endpoint.anyconnect.platformversion = "13.1.0";