Automated backups of a standalone Cisco ASA

In 2019, I’m still staggered that an archive feature available in Cisco IOS isn’t available in Cisco ASA code.

That being said, it’s possible to craft some code to take the edge off managing Cisco ASA devices that may not normally receive frequent administrative attention.

Embedded Event Manager is your friend in this case. A generic use case for EEM can be found here.

In this case though, I want a backup that’s written to an SFTP server infrequently. I would prefer a weekly backup, but in the case of the EEM absolute timer parameters, the only choice is the hh:mm:ss format, so daily it is.

PBUKFW01(config)# event manager applet daily-backup-sftp01
PBUKFW01(config-applet)# event timer absolute time 23:50:00
PBUKFW01(config-applet)# action 0 cli command "copy /noconfirm running-config scp://username:password@;int=inside"
PBUKFW01(config-applet)# output none

The file on the remote server is overwritten on each run, but you’ll always have a copy of the most recent running configuration off the ASA in case that ASA goes bad.
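Because the applet overwrites the same file each night, only the newest configuration survives on the server. The following is an added example, not code from the original post: a server-side retention script that assumes the applet lands the file at a fixed path (the PBUKFW01.cfg path and the sample config lines are constructed), keeps a dated copy only when the content changes, and returns the diff so configuration drift is visible.

```python
import difflib
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path
from typing import List, Optional, Tuple


def archive_config(incoming: Path, archive_dir: Path, when: datetime) -> Tuple[Optional[Path], List[str]]:
    """Keep a dated copy of `incoming` only when it differs from the newest archived copy.

    Returns (archived_path, unified_diff_lines); archived_path is None when the
    content is unchanged, so an identical daily push costs nothing.
    """
    # 0700: the backup is the full running-config, applet command line included.
    archive_dir.mkdir(parents=True, exist_ok=True, mode=0o700)
    new_bytes = incoming.read_bytes()
    # Timestamped names sort lexically, so the last match is the newest copy.
    previous = sorted(archive_dir.glob(f"{incoming.stem}-*.cfg"))
    diff: List[str] = []
    if previous:
        old_bytes = previous[-1].read_bytes()
        if hashlib.sha256(old_bytes).digest() == hashlib.sha256(new_bytes).digest():
            return None, diff
        diff = list(difflib.unified_diff(
            old_bytes.decode(errors="replace").splitlines(),
            new_bytes.decode(errors="replace").splitlines(),
            fromfile=previous[-1].name, tofile=incoming.name, lineterm=""))
    dest = archive_dir / f"{incoming.stem}-{when:%Y%m%d-%H%M%S}.cfg"
    dest.write_bytes(new_bytes)
    return dest, diff


def demo() -> dict:
    """Exercise three nightly runs against constructed sample config text."""
    root = Path(tempfile.mkdtemp())
    incoming, archive = root / "PBUKFW01.cfg", root / "archive"
    day1 = "hostname PBUKFW01\naccess-list outside_in extended permit tcp any host 192.0.2.10 eq 443\n"
    day2 = day1 + "access-list outside_in extended permit tcp any host 192.0.2.10 eq 22\n"
    incoming.write_text(day1)
    first, _ = archive_config(incoming, archive, datetime(2019, 1, 1, 23, 50))
    repeat, _ = archive_config(incoming, archive, datetime(2019, 1, 2, 23, 50))
    incoming.write_text(day2)
    third, diff = archive_config(incoming, archive, datetime(2019, 1, 3, 23, 50))
    added = [line for line in diff if line.startswith("+") and not line.startswith("+++")]
    return {"first": first.name, "repeat_skipped": repeat is None,
            "third": third.name, "added": added}
```

Run archive_config from a cron job shortly after the applet's 23:50 push, pointing at the file the SCP copy lands on.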

Hope this helps.
Take care.


Microsoft Azure Integration and Security exam AZ-101 – Resources Part 4 – Secure Identities

Secure identities (25-30%)

Implement Multi-Factor Authentication (MFA)

May include but not limited to:

Enable MFA for an Azure tenant;

Configure user accounts for MFA;

Configure fraud alerts;

MS Docs state that Fraud Alerts are only specific to the on-premises MFA Server at the time of writing. I’m not 100% clear on this though, so treat with caution.

Configure bypass options;

One-time-bypass is specific to the on-premises MFA server at the time of writing.

Configure trusted IPs;

Configure verification methods;

Manage role-based access control (RBAC);

Duplication! See below.

Implement RBAC policies;

Duplication! See below.

Assign RBAC Roles;

Duplication! See below.

Create a custom role;

Duplication! See below.

Configure access to Azure resources by assigning roles;

Duplication! See below.

Configure management access to Azure

Duplication! See below.

Manage role-based access control (RBAC)

May include but not limited to:

Create a custom role;

When you create a custom role, it appears in the Azure portal with an orange resource icon.

Configure access to Azure resources by assigning roles;

Configure management access to Azure;

Troubleshoot RBAC;

Implement RBAC policies;

I don’t think this is the correct resource.

Assign RBAC roles

Duplicate! See above.

Implement Azure Active Directory (AD) Privileged Identity Management (PIM)

May include but not limited to:

Activate a PIM role;

Configure just-in-time access, permanent access, PIM management access, and time-bound access;

Create a Delegated Approver account;

Enable PIM;

Process pending approval requests;

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 3 – Implement Advanced Virtual Networking

Implement Advanced Virtual Networking 30-35%

John Savill has a fantastic course on designing an Azure Networking Strategy here. I hold John in high regard and would recommend any of his courses.

Implement application load balancing

Regarding the Application Load Balancer and Load Balancer, I find it useful to draw parallels between these features and the HAProxy project.

HAProxy can operate on TCP and HTTP flows. Its HTTP mode parallels the Azure Application Gateway, and its TCP mode the Azure Load Balancer. There isn’t feature parity, but for the sake of discussion, these are the progressions from HAProxy to the Azure services.

May include but not limited to:
Configure application gateway and load balancing rules;

Implement front end IP configurations;

Manage application load balancing;

Implement Azure load balancer

May include but not limited to:
Configure internal load balancer, load balancing rules, and public load balancer;

Internal Load Balancer;

Public Load Balancer;

Manage Azure load balancing;

Monitor and manage networking

Tim Warner’s course on Pluralsight helps plenty with this subject.

May include but not limited to:
Monitor on-premises connectivity;

Use network resource monitoring and Network Watcher;

Manage external networking and virtual network connectivity;

Integrate on premises network with Azure virtual network

May include but not limited to:
Create and configure Azure VPN Gateway;

From a real-world perspective, I’ve operated an Azure Virtual Network Gateway on the “VpnGw1” SKU to an on-premises Cisco ASA running the latest ASA code. My experience wasn’t that pleasant, in that we lost VPN connectivity a few times, and that forced my hand into considering a Network Virtual Appliance (NVA). We now run a Cisco ASAv10 in Azure with a better track record. The VPN on the Azure side has remained stable, with our on-premises ASAs now causing us more trouble than the ASAv in Azure.

Create and configure site to site VPN;

Configure Express Route;

Whilst I understand that there are organisations that need Express Route because of scale or some other largesse, my steer, if you need access to Azure Virtual Networks, would be to use VPN constructs wherever possible.

Verify on premises connectivity;

My belief is that both these objectives assume you’re using Azure Virtual Network Gateway or Express Route to connect your on-premises network to Azure.

Manage on-premise connectivity with Azure

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 2 – Implement and manage application services

Implement and manage application services (20-25%)

Configure serverless computing

My background as an IT professional is in infrastructure. With that in mind, the intention in this post is to help others with a similar background evolve their understanding of the PaaS or Serverless computing services in Azure.

I’ll start with a comparison of Azure Functions and Logic Apps from

“A popular comparison states that Azure Functions is code being triggered by an event, whereas Logic Apps is a workflow triggered by an event. This is reflected in the developer experience. Azure Functions are completely written in code, which currently supports JavaScript, C#, F#, Node.js, Python, PHP, batch, bash and PowerShell. In Logic Apps, workflows are created with an easy-to-use visual designer, combined with a simple workflow definition language in the code view. Each developer has of course his/her personal preference. Logic Apps is much simpler to use, but this can sometimes cause limitations in complex scenarios. Azure Functions gives a lot more flexibility and responsibility to the developer.”

Azure Logic Apps took its inspiration from the on-premises tool “BizTalk Server”. Up until this point of my career, I’ve never known what BizTalk Server was intended for. Logic Apps operates in a similar iPaaS (Integration Platform as a Service) market space as Dell Boomi and Mulesoft. How well the Microsoft serverless applications perform compared to others, I can’t judge. All said, Logic Apps is Microsoft’s offering in the iPaaS market.

If Logic Apps, as described above, abstracts the code away from Function Apps by using a visual designer, Microsoft Flow takes that one step further and provides Software as a Service on top of Logic Apps. Flow operates in a similar product space to IFTTT, but with the ability to leverage Microsoft’s On-Premises Data Gateway.

Bringing it back to the exam subject matter, to allow your Azure Serverless applications to communicate with each other and pass data around, you can make use of the Azure messaging services: Azure Event Grid, Service Bus, and Event Hubs.

Here’s Sahil Malik’s Pluralsight course on Serverless Computing in Azure

May include but not limited to:

Manage a Logic App resource;

Stephen Thomas’ courses on Logic Apps could be really helpful.

Logic Apps are defined in JSON using the Workflow definition language.

Maybe use this Logic App as a demo to get you warmed up on what the hell a Logic App is!

Then you have both a VS Code and Visual Studio guide for managing the Logic App.

Manage Azure Function App settings;

There’s only one mention of Function Apps in these objectives, but do not underestimate the requirement for understanding them.

Function Apps are created from the Azure Portal, by choosing “Create a Resource” and choosing “Serverless Function App”. You can’t visit the Function App blade and add a Function App from the blade, strangely.

An App Service Plan will get created in the region you choose, as either a consumption model plan or an App Service Plan, with no free options available.

The guiding factor in these App Service Plans is the ACU, or Azure Compute Units. You should choose the plan with sufficient compute units and features to achieve your outcome. For the exam objectives, the consumption model is appropriate.

To move data in and out of your Function App using FTP or FTPS, from the Function App blade, navigate through:

Platform Features | Deployment Center | FTP | Dashboard

You are then presented with your FTPS endpoint, app credentials and user credentials for moving content to/from the Function App using FTPS.

Manage Event Grid;

An overview of the Azure messaging services (Event Grid, Service Bus and Event Hub) is here.

Manage Service Bus;

Manage App Service plans

Here’s Neil Morrisey’s great course on Managing Azure App Service plans.

May include but not limited to:

Configure application for scaling;

Enable monitoring and diagnostics;

Configure App Service plans;

Manage App services

Again, Neil Morrisey has a great course, this time on Managing App Services.

May include but not limited to:

Assign SSL certificates;

Configure application settings;

Configure deployment slots;

Configure Azure content delivery network (CDN) integration;

Manage App Service protection;

Manage roles for an App service;

Create and manage App Service environment

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 1 – Evaluate and perform server migration to Azure

After a friend on Reddit posted the recent Ignite video for the AZ-100 exam, I went looking for the AZ-101. As before, it would be a good idea to start here and hear from the horse’s mouth before starting on your journey.

Also, please consider this guide from Skylines Academy for your PowerShell skills to bolster your competency on Azure and for the AZ-10x exams.

Evaluate and perform server migration to Azure (15-20%)

Evaluate migration scenarios by using Azure Migrate

Azure Migrate is focused on analyzing workloads for migration into Azure and is currently constrained to VMware vSphere analysis. Azure Site Recovery Deployment Planner is used for other workloads.

May include but not limited to:
Discover and assess environment;

Identify workloads that can and cannot be deployed;

Identify ports to open;

Identify changes to network;

This is tough to interpret, and the only text that works for me is the work that you might do in the migration stage around changes to the VMs’ network interfaces. Otherwise, the previous link about opening ports should suffice.

Identify if target environment is supported;

This is really difficult to interpret, but my assumption is that this page best fits.

Setup domain accounts and credentials

Migrate servers to Azure

Recovery Services Vaults provide many data services for protection and recovery.

May include but not limited to:
Migrate by using Azure Site Recovery (ASR);

Migrate using P2V;

Configure storage;

Create a backup vault;

Prepare source and target environments;

Backup and restore data;

Deploy Azure Site Recovery (ASR) agent;

Prepare virtual network

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 5 – Manage Identities

Part 5 of 5, linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam: content that matches the objectives.

Manage identities (15-20%)

Manage Azure Active Directory (AD)

May include but not limited to:
Add custom domains;

configure Azure AD Identity Protection, Azure AD Join, and Enterprise State Roaming;

configure self-service password reset;

implement conditional access policies;

manage multiple directories;

perform an access review

Manage Azure AD objects (users, groups, and devices)

May include but not limited to:
Create users and groups;

manage user and group properties;

# Dump the user object, including any directory extension attributes, as JSON
(Get-AzureADUser -ObjectId $UserId).ToJson()
# Set a directory extension value; the extension name is prefixed with the ID of the application that registered it
Set-AzureADUserExtension -ObjectId $UserId -ExtensionName "extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty" -ExtensionValue "MyNewValue"

manage device settings;

perform bulk user updates

Implement and manage hybrid identities

May include but not limited to:
Install and configure Azure AD Connect;

configure federation and single sign-on;

Single Sign On

manage Azure AD Connect;

manage password sync and writeback

Password Sync

Password Writeback

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 4 – Configure and Manage Virtual Networks

Part 4 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

There’s an addition I’d like to make for this objective, and that is service endpoints.

It seems important to grasp this concept if your posture is one of using Azure services without exposing them to the Public Internet.

The new Azure Firewall, which deserves a post in its own right, is also in preview as of August 2018.

As is the Azure VirtualWAN, or SD-WAN to everyone else in the world.

Configure and manage virtual networks (20-25%): content which matches the objectives for virtual networks.

Create connectivity between virtual networks

May include but not limited to:
Create and configure VNET peering;

create and configure VNET to VNET;

verify virtual network connectivity;

create virtual network gateway

Implement and manage virtual networking

May include but not limited to:
Configure private and public IP addresses, network routes, network interface, subnets, and virtual network

Configure name resolution

May include but not limited to:
Configure Azure DNS;

configure custom DNS settings;

configure DNS zones

Create and configure a Network Security Group (NSG)

May include but not limited to:
Create security rules;

associate NSG to a subnet or network interface;

identify required ports;

evaluate effective security rules