Creating a Policy Enforcer Connector for Public and Private Clouds
To access this page, select Administration > Policy Enforcer > Connectors.
Before You Begin
For Amazon Web Services (AWS) connector:
Create an access key for your AWS account. The access key ID and secret access key, not your Amazon console username and password, are the credentials the connector uses; create them under a dedicated IAM user rather than the root account. See Managing Access Keys for Your AWS Account.
Create a Virtual Private Cloud (VPC) in the required region. See Getting Started With Amazon VPC.
Launch a vSRX instance in the required VPC and tag it with the identifier AWS_SDSN_VSRX; only VPCs that contain a tagged vSRX instance are managed.
Create a security group in AWS; the threat prevention policy for the AWS connector applies it to hosts in the VPC that are found to be infected.
Deploy workloads in the required VPC and apply resource tags to them; the tags are later mapped to Security Director metadata for next generation firewall policies.
To configure threat remediation for a public or private cloud, install and register the threat remediation plug-in with Policy Enforcer by creating a connector as follows:
- Select Administration > Policy Enforcer > Connectors.
The Connectors page appears.
- Click the create icon (+).
The Create Connector page appears.
- Complete the configuration using the information in Table 1.
- Click OK.
Once configured, you select the connector name as an Enforcement Point in your Secure Fabric.
Table 1: Fields on the Create Connector Page for AWS and Contrail
Name: Enter a unique string that begins with an alphanumeric character and can include underscores; no spaces are allowed; 63 characters maximum.
Description: Enter a description; maximum length is 1024 characters. Make this description as useful as possible for all administrators.
Connector Type: Select Amazon Web Services or Contrail from the list to connect to your secure fabric and create policies for this network.
IP Address/URL: Enter the IP address (IPv4 or IPv6) or URL of AWS or Contrail. For AWS, this field is set to www.aws.amazon.com by default and cannot be edited; all VPCs are discovered through this endpoint.
Port: For the AWS connector, the port is set to 443 by default and cannot be edited. For the Contrail connector, enter port 8081.
Username: Enter the username of the server for the selected connector type. For AWS, enter the access key ID generated for your Amazon account. This is not your Amazon account username.
Password: Enter the password for the selected connector type. For AWS, enter the secret access key generated along with the access key ID. This is not your Amazon account password.
Connector Type: AWS
Virtual Private Clouds
Policy Enforcer discovers one or more virtual networks, called virtual private clouds (VPCs), under the AWS account. Only VPCs in which vSRX instances are deployed are managed. VPCs are region specific: select a region from the Region list to list its VPCs. By default, the VPCs for the first available region are listed.
Security Director suggests a default Secure Fabric site name for the VPC, in the <connector name>_<vpc name>_site format. Click the Secure Fabric site name to edit it. When you edit the name, you also see the other Secure Fabric sites that have no switches or connectors assigned to them, and you can assign those sites to the connector. If the edited site name already belongs to a site with a connector or switch assigned, an alert message is shown and the name reverts to its previous value.
You must enable Threat Remediation, Next Generation Firewall, or both. You cannot create a connector instance without enabling at least one option; if you navigate to the next page without doing so, an error message prompts you to enable one of them before proceeding.
You can get a detailed view of the VPC by hovering over the name and clicking the Detailed View icon. See Viewing VPC or Projects Details.
Note: You can perform search on VPCs. Search is not supported for the site names.
Connector Type: Contrail
Projects
Tenant project information discovered from the Contrail connector is listed.
Security Director suggests a default site name for the project, in the <connector name>_<project name>_site format. Click the site name to edit it. When you edit the name, you also see the other sites that have no switches or connectors assigned to them, and you can assign those sites to the connector. If the edited site name already belongs to a site with a connector or switch assigned, an alert message is shown and the name reverts to its previous value.
You must enable Threat Remediation, Next Generation Firewall, or both. You cannot create a connector instance without enabling at least one of the two options; if you navigate to the next page without doing so, an error message prompts you to enable one of them before proceeding.
You can get a detailed view of the project by hovering over the name and clicking the Detailed View icon. See Viewing VPC or Projects Details.
Note: You can perform search on Project names. Search is not supported for the site names.
Subnets
The subnet information for Contrail and AWS is determined from the respective systems. For AWS, subnets correspond to availability zones; for Contrail, subnets are virtual networks. If Threat Remediation is selected, you can create Policy Enforcement Groups for one or more of the subnets.
Both AWS and Contrail subnets are allocated within the tenant IP Address Management (IPAM) scheme.
Resource Tags
Lists the resource tag names and values discovered from the projects or VPCs. This information appears only if the Next Generation Firewall option is enabled.
For the AWS connector, the resource tag values are fetched from AWS for all endpoints and mapped to Security Director generated metadata names.
Based on the resource tag name, Security Director checks whether a metadata with the same name already exists. If it does, the resource tag is mapped to that metadata automatically. If there is no match, Security Director suggests a new metadata name for the tag, identical to the resource tag name; you can edit the suggested metadata name.
However, in the Generated MetaData Name column, you cannot use the following predefined metadata names:
If you enter one of these names, an error message prompts you to choose a different name.
Select the Map option to map the resource tag to the generated Security Director metadata when the connector instance is created. If Map is not selected for any tag, the connector instance is created for the project or VPC without resource tags. If a project has several resource tags, you can select Map for one or more of them; only the selected tags are mapped when the connector instance is created.
Mapping Contrail and AWS resource tags to Security Director metadata lets you define the source and destination rules of next generation firewall policies with metadata expressions. Policy Enforcer dynamically determines which VM instances in AWS or Contrail match each metadata expression and pushes their IP addresses as dynamic address groups to the enforcement points, that is, the tenant-specific vSRX firewall instances.
Configuration Value
In the Configuration Value column, provide any additional information required for this connector connection. For example, if the connector type is ForeScout CounterACT, you must provide the WebAPI username and password. For other connectors that require additional configuration parameters, the parameters are listed in this column.
After successful completion, the subnet you created is mapped to that connector instance.
For AWS, provide the following configuration parameters:
For Contrail, provide the following configuration parameters:
For AWS and Contrail connectors, the site association is achieved in the Connectors page itself.
When a connector is added to the site, Policy Enforcer discovers the vSRX instances associated with the connector and assigns them to the site. Hover over the connector name to view the corresponding vSRX and its IP address as a tooltip.
If the mode on the PE Setting page is SDSN with Sky ATP, you must create a Sky ATP realm and assign the sites associated with the VPC or Project to the realm. Otherwise, the vSRX instances in the VPC or Project do not download the dynamic address group objects, that is, the list of workloads in the VPC or Project that match a policy metadata expression.
Threat Remediation Workflow
Once you create an AWS or a Contrail connector with Threat Remediation option, a site is created in the Secure Fabric page.
Perform the following actions for threat remediation:
- Select Configure > Threat Prevention > Sky ATP Realms.
Add the Secure Fabric site associated with each successfully added VPC or Project to a Sky ATP realm, and enroll the vSRX devices in Sky ATP. Enroll devices by clicking Add Devices in the list view once the realm is created.
- Select Configure > Shared Objects > Policy Enforcement Groups.
Click the add icon to create a new policy enforcement group. The list shows all subnets in the VPC. Select the required subnets for the VPC and create the policy enforcement group, then associate it with the threat prevention policy.
- Select Configure > Threat Prevention > Policies.
Click the add icon to create a new threat prevention policy, including profiles for one or more threat types. The security group you selected during connector configuration is applied when a host in the corresponding VPC is found to be infected.
Next Generation Firewall Workflow
When you create an AWS or Contrail connector with the Next Generation Firewall option, Layer 7 firewall policy is enabled for that VPC or project. Perform the following actions to enable next generation firewall:
- Select Configure > Firewall Policy.
- Select the policy for which you want to define rules and click Add Rule.
The Create Rules page appears.
- In the General tab, enter the name and description of the rule.
- In the Source tab, click Select for the Address(es) field to select the source address.
The Source Address page appears.
In the Address Selection field, select the By Metadata Filter option.
In the Metadata Provider field, select PE as the provider from the list.
In the Metadata Filter field, all metadata names generated during connector configuration are listed. Use them to build the required metadata expression, for example Application = Web and Tier = App.
In the Matched Addresses field, the addresses matching the metadata expression are listed. These addresses are used as the source address. For every metadata expression, a unique dynamic address group (DAG) is created.
Click OK and complete the other parameters for the rule.
Publish and update the configuration immediately or schedule it later.
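The following is an added illustration, not Juniper Policy Enforcer or Security Director code, of the two mechanisms described above: the resource tag to metadata mapping rule (an existing metadata of the same name is reused, otherwise a new one named after the tag is suggested, and only tags selected with Map take part), and the resolution of a metadata expression such as Application = Web and Tier = App to the IP members of a dynamic address group. The Workload records, tag values, existing metadata names, the toy expression grammar and the PE_DAG_ naming scheme are all assumptions constructed for the example; they stand in for what EC2 DescribeInstances and Security Director would return and are not Juniper's formats.

```python
"""Illustration (not Juniper code): resource tags -> metadata names -> DAG members."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Workload:
    instance_id: str
    private_ip: str
    tags: dict  # AWS tag keys and values are case-sensitive


# Constructed sample: four workloads in one VPC. The fourth uses a lower-case
# tag key, which AWS treats as a different tag from "Application".
SAMPLE_WORKLOADS = [
    Workload("i-0001", "10.0.1.10", {"Application": "Web", "Tier": "App"}),
    Workload("i-0002", "10.0.1.11", {"Application": "Web", "Tier": "DB"}),
    Workload("i-0003", "10.0.2.12", {"Application": "Billing", "Tier": "App"}),
    Workload("i-0004", "10.0.2.13", {"application": "Web", "Tier": "App"}),
]

# Constructed: metadata names assumed to already exist in Security Director.
EXISTING_METADATA = {"Application"}


def collect_tag_keys(workloads):
    """Distinct resource tag keys across the discovered workloads."""
    return {key for w in workloads for key in w.tags}


def suggest_metadata_mapping(tag_keys, existing_metadata):
    """Apply the page's rule: reuse an existing metadata with the same name as
    the tag, otherwise suggest a new metadata named after the tag.
    Returns {tag_key: (suggested_metadata_name, "existing" | "new")}."""
    return {
        key: (key, "existing" if key in existing_metadata else "new")
        for key in sorted(tag_keys)
    }


_CLAUSE = re.compile(r"^\s*([\w.:/@-]+)\s*=\s*([\w.:/@-]+)\s*$")


def parse_expression(expr):
    """Parse 'Meta = Value and Meta = Value' into [(meta, value), ...].
    This toy grammar supports only '=' terms joined by 'and'."""
    terms = []
    for clause in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        match = _CLAUSE.match(clause)
        if not match:
            raise ValueError(f"unsupported clause: {clause!r}")
        terms.append((match.group(1), match.group(2)))
    return terms


def resolve_dag(expr, workloads, mapped_tags):
    """Sorted private IPs of workloads whose tags satisfy every term.
    mapped_tags is {tag_key: metadata_name} for the tags the administrator
    chose to Map; an expression naming unmapped metadata is rejected rather
    than silently matching nothing."""
    metadata_to_tag = {meta: tag for tag, meta in mapped_tags.items()}
    terms = parse_expression(expr)
    for meta, _ in terms:
        if meta not in metadata_to_tag:
            raise ValueError(f"metadata {meta!r} is not mapped from any resource tag")
    members = {
        w.private_ip
        for w in workloads
        if all(w.tags.get(metadata_to_tag[meta]) == value for meta, value in terms)
    }
    return sorted(members)


def dag_name(expr):
    """Hypothetical naming scheme (not Juniper's): one stable name per distinct
    expression, so the same terms in any order yield the same DAG."""
    canonical = ";".join(f"{k}={v}" for k, v in sorted(parse_expression(expr)))
    return "PE_DAG_" + hashlib.sha256(canonical.encode()).hexdigest()[:12]


if __name__ == "__main__":
    suggestion = suggest_metadata_mapping(collect_tag_keys(SAMPLE_WORKLOADS), EXISTING_METADATA)
    print("suggested mapping:", suggestion)
    # The administrator selects Map only for the capitalised keys.
    mapped = {tag: meta for tag, (meta, _) in suggestion.items() if tag in ("Application", "Tier")}
    expr = "Application = Web and Tier = App"
    print(dag_name(expr), "->", resolve_dag(expr, SAMPLE_WORKLOADS, mapped))
```

Running the block shows that i-0004 is excluded from the Application = Web and Tier = App group because its tag key is application rather than Application; tag keys must be applied consistently across workloads or the dynamic address group pushed to the vSRX will silently miss instances.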