Automated backups of a standalone Cisco ASA

In 2019, I’m still staggered that the archive feature available in Cisco IOS isn’t available in Cisco ASA code.

That being said, it’s possible to script something that takes the edge off managing Cisco ASA devices which may not normally receive frequent administrative attention.

Embedded Event Manager is your friend in this case. A generic use case for EEM can be found here.

In this case though, I want a backup that’s written to an SFTP server infrequently. I would prefer a weekly backup, but in the case of the EEM absolute timer parameters, the only choice is the hh:mm:ss format, so daily it is.

 
PBUKFW01(config)# event manager applet daily-backup-sftp01
PBUKFW01(config-applet)# event timer absolute time 23:50:00
PBUKFW01(config-applet)# action 0 cli command "copy /noconfirm running-config scp://username:password@1.1.1.1/PBUKFW01/PBUKFW01_Daily.cfg;int=inside"
PBUKFW01(config-applet)# output none

The file on the remote server will be overwritten each time by the process, but you’ll have a config file with the most recent running configuration off the ASA in case that ASA goes bad.
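Because the applet overwrites the same file every night, a bad change made on Tuesday silently replaces Monday’s known-good copy. The following is an added example, not code from the original post: a script to run from cron on the receiving Linux SCP/SFTP host after the 23:50 copy, which keeps a dated copy only when the configuration actually changed and reports the changed lines. The upload path, archive directory, sample config contents and the 10.0.0.5 host are all constructed for the demo.

```python
"""Keep dated copies of the ASA config that the EEM applet overwrites nightly."""
from __future__ import annotations
import difflib
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path
from typing import Optional


def is_volatile(line: str) -> bool:
    # Header/trailer lines the ASA emits around a saved config (": Saved",
    # ": Written by ...", "Cryptochecksum:..."). They change on every copy
    # but carry no configuration meaning, so they are ignored for comparison.
    return line.startswith(": ") or line.startswith("Cryptochecksum:")


def config_lines(path: Path) -> list[str]:
    return [l for l in path.read_text(errors="replace").splitlines() if not is_volatile(l)]


def config_digest(path: Path) -> str:
    """SHA-256 over the non-volatile lines, so an unchanged config hashes the same."""
    return hashlib.sha256("\n".join(config_lines(path)).encode()).hexdigest()


def archived_copies(archive_dir: Path, prefix: str) -> list[Path]:
    # ISO dates in the file name sort chronologically.
    return sorted(archive_dir.glob(f"{prefix}_????-??-??.cfg"))


def archive_backup(upload: Path, archive_dir: Path, keep: int = 30,
                   today: Optional[date] = None) -> tuple[bool, list[str]]:
    """Copy `upload` into the archive if it differs from the newest archived copy.

    Returns (archived, changed_lines); changed_lines is the +/- body of a unified
    diff against the previous copy, which is what you want in a morning report.
    """
    archive_dir.mkdir(parents=True, exist_ok=True)
    prefix = upload.stem.split("_Daily")[0]          # PBUKFW01_Daily.cfg -> PBUKFW01
    copies = archived_copies(archive_dir, prefix)
    prev = copies[-1] if copies else None
    if prev is not None and config_digest(prev) == config_digest(upload):
        return False, []
    stamp = (today or date.today()).isoformat()
    dest = archive_dir / f"{prefix}_{stamp}.cfg"
    shutil.copy2(upload, dest)
    changed: list[str] = []
    if prev is not None:
        diff = difflib.unified_diff(config_lines(prev), config_lines(dest), n=0, lineterm="")
        changed = [l for l in diff
                   if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    # Prune to the newest `keep` copies so the archive does not grow forever.
    for old in archived_copies(archive_dir, prefix)[:-keep]:
        old.unlink()
    return True, changed


# Constructed sample config, trimmed to the parts that matter for the demo.
SAMPLE_CONFIG = """: Saved
: Written by enable_15 at 23:50:00.000 UTC Mon Jan 7 2019
ASA Version 9.8(4)
hostname PBUKFW01
access-list OUTSIDE_IN extended deny ip any any
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""


def demo() -> dict:
    """Simulate three nightly uploads against a temporary archive."""
    with tempfile.TemporaryDirectory() as tmp:
        upload, archive = Path(tmp) / "PBUKFW01_Daily.cfg", Path(tmp) / "archive"
        upload.write_text(SAMPLE_CONFIG)
        first, _ = archive_backup(upload, archive, today=date(2019, 1, 7))
        # Night two: only the volatile header changed, so nothing new is archived.
        upload.write_text(SAMPLE_CONFIG.replace("Mon Jan 7", "Tue Jan 8"))
        second, _ = archive_backup(upload, archive, today=date(2019, 1, 8))
        # Night three: a permit rule was added above the deny (constructed change).
        upload.write_text(SAMPLE_CONFIG.replace(
            "access-list OUTSIDE_IN",
            "access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443\n"
            "access-list OUTSIDE_IN", 1))
        third, changed = archive_backup(upload, archive, today=date(2019, 1, 9))
        return {"archived": (first, second, third), "changed": changed,
                "copies": [p.name for p in archived_copies(archive, "PBUKFW01")]}


if __name__ == "__main__":
    print(demo())
```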

Hope this helps.
Take care.
Paul


Microsoft Azure Integration and Security exam AZ-101 – Resources Part 4 – Secure Identities

Secure identities (25-30%)

Implement Multi-Factor Authentication (MFA)

May include but not limited to:

Enable MFA for an Azure tenant;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Configure user accounts for MFA;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Configure fraud alerts;

MS Docs state that Fraud Alerts are only specific to the on-premises MFA Server at the time of writing. I’m not 100% clear on this though, so treat with caution.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#fraud-alert

Configure bypass options;

One-time-bypass is specific to the on-premises MFA server at the time of writing.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass

Configure trusted IPs;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

Configure verification methods;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#selectable-verification-methods

Manage role-based access control (RBAC);

Duplication! See below.

Implement RBAC policies;

Duplication! See below.

Assign RBAC Roles;

Duplication! See below.

Create a custom role;

Duplication! See below.

Configure access to Azure resources by assigning roles;

Duplication! See below.

Configure management access to Azure

Duplication! See below.

Manage role-based access control (RBAC)

https://docs.microsoft.com/en-us/azure/role-based-access-control/

May include but not limited to:

Create a custom role;

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

When you create a custom role, it appears in the Azure portal with an orange resource icon.

Configure access to Azure resources by assigning roles;

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Configure management access to Azure;

https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

Troubleshoot RBAC;

https://docs.microsoft.com/en-us/azure/role-based-access-control/troubleshooting

Implement RBAC policies;

I don’t think this is the correct resource.

https://docs.microsoft.com/en-us/azure/governance/policy/overview

Assign RBAC roles

Duplicate! See above.

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Implement Azure Active Directory (AD) Privileged Identity Management (PIM)

May include but not limited to:

Activate a PIM role;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role

Configure just-in-time access, permanent access, PIM management access, and time-bound access;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim

Create a Delegated Approver account;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow

Enable PIM;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started

Process pending approval requests;

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 3 – Implement Advanced Virtual Networking

Implement Advanced Virtual Networking 30-35%

John Savill has a fantastic course on designing an Azure Networking Strategy here. I hold John in high regard and would recommend any of his courses.

Implement application load balancing

Regarding the Application Gateway and Load Balancer, I find it useful to draw parallels between these features and the HAProxy project.

HAProxy can get involved in TCP and HTTP flows. The HTTP mode draws parallels to the Azure Application Gateway, and the TCP mode to the Azure Load Balancer. There isn’t feature parity, but for the sake of discussion, these are the progressions from HAProxy to Azure services.

May include but not limited to:
Configure application gateway and load balancing rules;

https://azure.microsoft.com/en-gb/services/application-gateway/

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ilb-arm

Implement front end IP configurations;

https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-manage-web-traffic-powershell#create-an-application-gateway

Manage application load balancing;

https://docs.microsoft.com/en-gb/azure/application-gateway/quick-create-portal

Implement Azure load balancer

May include but not limited to:
Configure internal load balancer, load balancing rules, and public load balancer;

Internal Load Balancer;

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-basic-internal-portal

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-get-started-ilb-arm-ps

Public Load Balancer;

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-create-basic-load-balancer-portal

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal

Manage Azure load balancing;

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-manage-portal#remove-or-add-vms-from-the-backend-pool

Monitor and manage networking

Tim Warner’s course on Pluralsight helps plenty with this subject:

https://app.pluralsight.com/library/courses/azure-network-watcher-troubleshooting/table-of-contents

May include but not limited to:
Monitor on-premises connectivity;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

Use network resource monitoring and Network Watcher;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

Manage external networking and virtual network connectivity;

https://docs.microsoft.com/en-us/azure/network-watcher/view-relative-latencies

Integrate on premises network with Azure virtual network

May include but not limited to:
Create and configure Azure VPN Gateway;

From a real world perspective, I’ve operated an Azure Virtual Network Gateway on the “VpnGw1” SKU to an on-premises Cisco ASA running the latest ASA code. My experience wasn’t that pleasant in that we lost VPN connectivity a few times and that forced my hand into considering a Network Virtual Appliance (NVA). We now run a Cisco ASAv10 in Azure with a better track record. The VPN on the Azure side has remained stable with our on-premises ASAs causing us more trouble than the ASAv in Azure, now.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#VNetGateway

Create and configure site to site VPN;

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Configure Express Route;

Whilst I understand that there are organisations that need Express Route because of scale or some other largesse, my steer, if you need access to Azure Virtual Networks, would be to use VPN constructs wherever possible.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-circuit-portal-resource-manager

Verify on premises connectivity;

My belief is that both these objectives assume you’re using Azure Virtual Network Gateway or Express Route to connect your on-premises network to Azure.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-diagnose-on-premises-connectivity

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

https://docs.microsoft.com/en-us/azure/network-watcher/diagnose-communication-problem-between-networks

Manage on-premise connectivity with Azure

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 2 – Implement and manage application services

Implement and manage application services (20-25%)

Configure serverless computing

My background as an IT professional is in infrastructure. With that in mind, the intention in this post is to help others with a similar background evolve their understanding of the PaaS or Serverless computing services in Azure.

I’ll start with a comparison of Azure Functions and Logic Apps from codit.eu:

“A popular comparison states that Azure Functions is code being triggered by an event, whereas Logic Apps is a workflow triggered by an event. This is reflected in the developer experience. Azure Functions are completely written in code, with currently supports JavaScript, C#, F#, Node.js, Python, PHP, batch, bash and PowerShell. In Logic Apps, workflows are created with an easy-to-use visual designer, combined with a simple workflow definition language in the code view. Each developer has of course his/her personal preference. Logic Apps is much simpler to use, but this can sometimes cause limitations in complex scenarios. Azure Functions gives a lot more flexibility and responsibility to the developer.”

Azure Logic Apps took its inspiration from the on-premises tool “BizTalk Server”. Up until this point of my career, I’ve never known what BizTalk Server was intended for. Logic Apps operates in a similar iPaaS (Integration Platform as a Service) market space to Dell Boomi and MuleSoft. How well the Microsoft serverless applications perform compared to others, I can’t judge. All said, Logic Apps is Microsoft’s offering in the iPaaS market.

If Logic Apps, as described above by codit.eu, abstract the code away from Function Apps by using a visual designer, Microsoft Flow takes that one step further and provides Software as a Service on top of Logic Apps. Flow operates in a similar product space to IFTTT, but with the ability to leverage Microsoft’s On-Premises Data Gateway.

Bringing it back to the exam subject matter, to allow your Azure serverless applications to communicate with each other and pass data around, you can make use of the Azure messaging services: Azure Event Grid, Service Bus, and Event Hubs.

Here’s Sahil Malik’s Pluralsight course on Serverless Computing in Azure:

https://app.pluralsight.com/library/courses/microsoft-azure-serverless-computing-configuring/table-of-contents

May include but not limited to:

Manage a Logic App resource;

Stephen Thomas’ courses on Logic Apps could be really helpful:

https://app.pluralsight.com/library/courses/azure-logic-apps-getting-started/table-of-contents

https://app.pluralsight.com/library/courses/azure-logic-apps-fundamentals/description

Logic Apps are defined in JSON using the Workflow Definition Language.

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-workflow-definition-language

Maybe use this Logic App as a demo to get you warmed up on what the hell a Logic App is!

https://docs.microsoft.com/en-us/azure/logic-apps/tutorial-build-schedule-recurring-logic-app-workflow

Then you have both a VS Code and Visual Studio guide for managing the Logic App.

https://docs.microsoft.com/en-us/azure/logic-apps/quickstart-create-logic-apps-visual-studio-code

https://docs.microsoft.com/en-us/azure/logic-apps/manage-logic-apps-with-visual-studio

Manage Azure Function App settings;

https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings

There’s only one mention of Function Apps in these objectives, but do not underestimate the requirement for understanding them.

Function Apps are created from the Azure Portal, by choosing “Create a Resource” and choosing “Serverless Function App”. You can’t visit the Function App blade and add a Function App from the blade, strangely.

An App Service Plan will get created in the region you choose, as either a Consumption plan or an App Service Plan, with no free options available.

The guiding factor in these App Service Plans is the ACU or Azure Compute Units. You should choose the right plan for you with sufficient compute units and features to achieve your outcome. For exam objectives the consumption model is appropriate.

To move data in and out of your Function App using FTP or FTPS, from the Function App blade, navigate through:

Platform Features | Deployment Center | FTP | Dashboard

You are then presented with your FTPS endpoint, app credentials and user credentials for moving content to/from the Function App using FTPS.

Manage Event Grid;

An overview of the Azure messaging services (Event Grid, Service Bus and Event Hub) is here: https://docs.microsoft.com/en-us/azure/event-grid/overview

Manage Service Bus;

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview

Manage App Service plans

Here’s Neil Morrisey’s great course on Managing Azure App Service plans:

https://app.pluralsight.com/library/courses/microsoft-azure-app-service-plan-managing/table-of-contents

May include but not limited to:

Configure application for scaling;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-scale

Enable monitoring and diagnostics;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-enable-diagnostic-log

Configure App Service plans;

https://docs.microsoft.com/en-us/azure/app-service/azure-web-sites-web-hosting-plans-in-depth-overview

Manage App services

Again, Neil Morrisey has a great course, this time on Managing App Services:

https://app.pluralsight.com/library/courses/microsoft-azure-app-services-managing/table-of-contents

May include but not limited to:

Assign SSL certificates;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site

Configure application settings;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure

Configure deployment slots;

https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing

Configure Azure content delivery network (CDN) integration;

https://azure.microsoft.com/en-gb/blog/enabling-azure-cdn-from-azure-web-app-and-storage-portal-extension/

Manage App Service protection;

https://www.pluralsight.com/courses/microsoft-azure-app-service-protection-managing

https://docs.microsoft.com/en-us/azure/app-service/app-service-mobile-how-to-configure-active-directory-authentication

https://docs.microsoft.com/en-us/azure/app-service/web-sites-backup

Manage roles for an App service;

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

Create and manage App Service environment

https://docs.microsoft.com/en-us/azure/app-service/environment/intro

Microsoft Azure Integration and Security exam AZ-101 – Resources Part 1 – Evaluate and perform server migration to Azure

After a friend on Reddit posted the recent Ignite video for the AZ-100 exam, I went looking for the AZ-101. As before, it would be a good idea to start here and hear from the horse’s mouth before starting on your journey.

Also, please consider this guide from Skylines Academy for your PowerShell skills to bolster your competency on Azure and for the AZ-10x exams.

Evaluate and perform server migration to Azure (15-20%)

Evaluate migration scenarios by using Azure Migrate

Azure Migrate is focused on analysing workloads for migration into Azure and is currently constrained to VMware vSphere analysis. Azure Site Recovery Deployment Planner is used for other workloads.

May include but not limited to:
Discover and assess environment;

https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware

Identify workloads that can and cannot be deployed;

https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware#create-and-view-an-assessment

https://docs.microsoft.com/en-us/azure/migrate/concepts-assessment-calculation

https://docs.microsoft.com/en-gb/azure/migrate/troubleshooting-general#troubleshoot-readiness-issues

Identify ports to open;

https://docs.microsoft.com/en-us/azure/migrate/migrate-overview#what-are-the-port-requirements

Identify changes to network;

This is tough to interpret and the only text that works for me is the work that you might do in the migration stage around changes to the VMs network interfaces. Otherwise, the previous link about opening ports should suffice.
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-manage-network-interfaces-on-premises-to-azure#modify-network-interface-settings

Identify if target environment is supported;

This is really difficult to interpret, but my assumption is that this page best fits.
https://docs.microsoft.com/en-us/azure/migrate/how-to-modify-assessment

Setup domain accounts and credentials

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial-prepare-on-premises#prepare-an-account-for-mobility-service-installation

Migrate servers to Azure

Recovery Services Vaults provide many data services for protection and recovery.

May include but not limited to:
Migrate by using Azure Site Recovery (ASR);

https://docs.microsoft.com/en-us/azure/site-recovery/

Migrate using P2V;

https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

Configure storage;

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#create-a-storage-account

Create a backup vault;

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#create-a-recovery-services-vault

Prepare source and target environments;

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-set-up-source

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-set-up-target

Backup and restore data;

https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-windows-server-to-azure

https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-restore-files-windows-server

Deploy Azure Site Recovery (ASR) agent;

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-install-mobility-service

Prepare virtual network

https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure#set-up-an-azure-network

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 5 – Manage Identities

Part 5 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

SafariBooksOnline.com content that matches the objectives

https://www.safaribooksonline.com/videos/azure-active/0422018AZURE1F

Manage identities (15-20%)

Manage Azure Active Directory (AD)

May include but not limited to:
Add custom domains;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

configure Azure AD Identity Protection, Azure AD Join, and Enterprise State Roaming;

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-enable

configure self-service password reset;

https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

implement conditional access policies;

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-untrusted-networks

manage multiple directories;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-administer#how-can-i-add-and-manage-multiple-directories

perform an access review

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview

Manage Azure AD objects (users, groups, and devices)

May include but not limited to:
Create users and groups;

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

manage user and group properties;

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

# Dump the user object, including any directory extension attributes, as JSON
(Get-AzureADUser -ObjectId $UserId).ToJson()
# Set a directory extension attribute; the GUID in the name is the application ID the extension was registered under
Set-AzureADUserExtension -ObjectId $UserId -ExtensionName "extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty" -ExtensionValue "MyNewValue"

manage device settings;

https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings

perform bulk user updates

https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0

Implement and manage hybrid identities

May include but not limited to:
Install and configure Azure AD Connect;

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-express

configure federation and single sign-on;

Federation

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs

Single Sign On

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

manage Azure AD Connect;

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-whats-next

manage password sync and writeback

Password Sync

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-hash-synchronization#enable-password-hash-synchronization

Password Writeback

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

Microsoft Azure Infrastructure and Deployment exam AZ-100 – Resources Part 4 – Configure and Manage Virtual Networks

Part 4 of 5 linking to the most appropriate documentation for learning how to achieve the objectives set in the new Azure AZ-100 exam.

There’s an addition I’d like to make for this objective, and that is service endpoints.

https://docs.microsoft.com/en-gb/azure/virtual-network/virtual-network-service-endpoints-overview

It seems important to grasp this concept if your posture is one of using Azure services without exposing them to the Public Internet.

The new Azure Firewall, which deserves a post in its own right, is also in preview as of August 2018.

https://docs.microsoft.com/en-gb/azure/firewall/overview

As does the Azure VirtualWAN – or SD-WAN to everyone else in the world.

https://azure.microsoft.com/en-us/services/virtual-wan/

Configure and manage virtual networks (20-25%)

SafariBooksOnline.com content which matches the objectives for virtual networks.

https://www.safaribooksonline.com/videos/azure-networking/0422018AZURE1H

Create connectivity between virtual networks

May include but not limited to:
Create and configure VNET peering;

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

create and configure VNET to VNET;

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

verify virtual network connectivity;

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#troubleshoot

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-portal?toc=%2fazure%2fvirtual-network%2ftoc.json

create virtual network gateway

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Implement and manage virtual networking

May include but not limited to:
Configure private and public IP addresses, network routes, network interface, subnets, and virtual network

https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal

Configure name resolution

May include but not limited to:
Configure Azure DNS;

https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal

configure custom DNS settings;

https://docs.microsoft.com/en-us/azure/dns/dns-custom-domain

configure DNS zones

https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal

Create and configure a Network Security Group (NSG)

May include but not limited to:
Create security rules;

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules

associate NSG to a subnet or network interface;

Subnet
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet#change-subnet-settings
Interface
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#associate-or-dissociate-a-network-security-group

identify required ports;

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

evaluate effective security rules

https://docs.microsoft.com/en-us/azure/virtual-network/diagnose-network-traffic-filter-problem