Configure Settings on VAs
Configure other settings on your Cisco Secure Access Virtual Appliances (VAs).
Table of Contents
- Prerequisites
- Configure Rate Limiting
- Configure NTP Servers
- Configure Secure Access Resolvers
- Configure DNSSEC Support
- Configure Logging to Remote Syslog Server
- Configure Dual-NIC Support on the VA
- Configure Anycast
- Configure Load Balancing
- Configure Identity Association Timeouts
- Configure API Key Credentials for Authentication
Prerequisites
- For more information, see Prerequisites for Virtual Appliances.
Configure Rate Limiting
You can set rate limits of DNS queries on a VA for a single IP address. Use rate limits to prevent any single endpoint from attempting to flood the VA with DNS queries and causing a Denial-of-Service on the VA.
Enable Rate Limits on a VA
Enable rate limits on the Virtual Appliance. Rate-limiting is off by default.
- pps—The number of packets accepted for each second from an individual IP. Supported values are 10 to 100,000.
- burst—The packet burst rate.
config va per-ip-rate-limit enable <pps> <burst>
Disable Rate Limiting
Disable rate limits on the Virtual Appliance.
config va per-ip-rate-limit disable
Check Status and Packet Drops
Check status and packet drops on the Virtual Appliance.
config va show
Configure NTP Servers
By default, VAs use Ubuntu NTP servers (ntp.ubuntu.com) as their time servers. You can configure your VAs to use other NTP servers.
Add NTP Servers to the VA
config ntp add <serverIP1> <serverIP2>
Remove NTP Servers
config ntp remove <serverIP1> <serverIP2>
View the VA's Current NTP Servers
config ntp show
Configure Secure Access Resolvers
By default, the VA is configured to use the Cisco Secure Access DNS resolvers. For more information, see [Secure Access DNS Resolvers](doc:network-requirements-for-secure-access#secure-access-dns-resolvers.
You can change the Secure Access resolvers used by the VA.
Use IPv4 Secure Access DNS Resolvers
config va resolvers global
Use Alternate Secure Access DNS Resolvers
Use this option if your ISP blocks traffic to the Secure Access DNS resolvers.
config va resolvers alternate
Use the IPv6 Secure Access DNS Resolvers
config va resolvers global-v6
Use the US-only IPv4 Secure Access DNS Resolvers
config va resolvers US
Use the US-only IPv6 Secure Access DNS Resolvers
config va resolvers US-v6
Note: If you configure the IPv6 Secure Access DNS resolvers, then the VA only sends DNS queries over IPv6. HTTPS traffic to other endpoints is sent over IPv4.
Configure DNSSEC Support
Secure Access supports DNSSEC by performing validation on queries sent from Secure Access DNS resolvers to upstream authorities.
If your endpoints are making DNS queries with the DNSSEC OK (DO) bit to the VA, the default behavior of the VA is to turn off this bit before forwarding the query to Secure Access or the local DNS server.
Configure VA to Preserve the DO Bit
Configure the VA to preserve the DO bit when forwarding the DNS query to Secure Access or the local DNS server.
Note: Preserves any DNSSEC Security Resource Records in the DNS response to the endpoint.
config va dnssec enable
Turn Off the DO Bit
config va dnssec disable
Command | Description | Notes |
---|---|---|
config va dnssec enable | Configure the VA to preserve the DO bit when forwarding the DNS query to Secure Access and/or the local DNS server. | Preserves any DNSSEC Security Resource Records in the DNS response to the endpoint. |
config va dnssec disable | Disable the above configuration. |
Configure Logging to Remote Syslog Server
Virtual Appliances can forward logs to a remote syslog server. If configured, Secure Access forwards logs related to internal DNS queries, logs on upgrades and reboots of the VA, and admin audit.
Configure the Destination of the Remote Syslog Server
config logexport destination <server-ip-address:port> <protocol>
Supported Values for <protocol>
:
- TCP, UDP, or TLS.
- If no value is specified, TCP is the default.
- If the protocol value is TCP or UDP and a port is not specified, 514 is assigned as the default port.
- If the protocol value is TLS and a port is not specified, 6514 is taken as the default port.
- IPv6 addresses are not supported as destination IPs for this command.
Example:config logexport destination <10.26.02.82:514> udp
To forward the logs over a TLS-encrypted session, first create the certificates for the client (VA) and server (remote syslog server). The certificates can be self-signed or signed by a Root certificate authority (CA).
Add the key and certificate to the VA using the following commands:
config logexport key <copy the contents from keyForClientCert.pem file>
config logexport cert <copy the contents from ClientCert.pem file>
config logexport ca \<copy the contents from selfsignedCA.pem|chainCertCA.pem file>
Note: The CA configured in the last command should be the CA used to sign the server certificate.
Configure Log Export Internal DNS
All internal DNS queries sent to the internal DNS server are logged at the syslog server. Logs include the date and time, the internal domain being queried and the private IP, hostname and username of the source endpoint that made the query.
Note: If AD integration is not configured for the VA, the hostname and username of the source endpoint are not available.
config logexport enable internaldns
Format for internal DNS queries:
- Date
- Time
- Hostname (forwarder)
- VA Label:
- InternalDNS
- Internal IP of source
- User AD identity of source (if a user identity is mapped to this IP else "NULL")
- Host AD identity of source (if a host identity is mapped to this IP else "NULL")
- Internal Domain being queried
Configure Log Export Enable Health
Reboots and upgrades of the VA are logged at the syslog server.
config logexport enable health
Format for VA boot:
- Date
- Time
- Hostname ("forwarder")
- VA Label:
- Health
- VA started
Format for VA upgrade:
- Date
- Time
- Hostname (forwarder)
- VA Label: Health
- VA downloaded version <x.y.z> or VA upgraded to version <x.y.z>
Configure Log Export Enable Admin
Admin audit log (logins by admin users and config commands run on the VA) are logged at the syslog server.
config logexport enable admin
Format for User Login to VA:
- Date
- Time
- Hostname (forwarder)
- VA Label: Audit-Auth
- SSH login from as <vmadmin/vmuser> succeeded/failed or "Console login as <vmadmin/vmuser> succeeded/failed
Format for Configuration change:
- Date
- Time
- Hostname (forwarder)
- VA Label:"AuditLog-Config" "Command executed
Configure Log Export Enable All
Enables logging of internal DNS, health, and admin logs at the syslog server.
config logexport enable all
Configure Log Export Status
Run this command to check the status of the log forwarding:
config logexport status
Turn Off Logging
Run this command to turn off logging:
config logexport disable <feature>
Note: You can set the feature
option to internaldns
, health
, audit
or all
.
Example:
config logexport disable all
Configure Dual-NIC Support on the VA
NIC Terminology
Throughout this section, the terms NIC, network interface, and network adapter are used interchangeably.
Virtual Appliances support a dual-NIC configuration. This dual-NIC configuration is intended to enable the DMZ deployment of a VA for traffic segregation with one network interface. The network interface is used for outbound communication and the other network interface is used for internal communication.
Dual-NIC support has only been qualified on VAs running on Hyper-V and VMware. There is no change to existing behavior if the VA is deployed with a single NIC. Configuring more than two NICs on the VA is not supported.
Note: When using the dual-NIC configuration, Secure Access does not support the configure of IPv6 addresses for network adapters.
Configure an Existing VA to Support Dual-NIC
- Open your existing VA in your preferred hypervisor’s console or SSH to the VA.
- Run the command to show the configuration of the VA.
Ensure that the IP configured here is the IP that will be used for internal communication. This is the IP that your endpoints will use for DNS resolution.
Note: Before adding a secondary network adapter, save the MAC address of the existing network adapter before adding a secondary network adapter.config va show
- Shut down the VA and add a second network adapter using your hypervisor console.
This is the network adapter you will be using for your outbound communication. This should be of the same driver type as your primary network adapter.
Note: Some platforms may not permit the addition of a second network adapter after the VA has been created. - Turn the VA on, enter the Configuration mode from the console or through SSH, and run the command
config va show
. This command returns the name of the second adapter.
Note: Adding a second adapter when the VA is powered on may result in the adapter not being detected or the corruption of the existing configuration. The VA needs to be compulsorily shut down before adding the second adapter. - For the secondary adapter, assign the IP, netmask, and gateway parameters to be used for outbound (Internet) communication. Enter:
config va interface <*interface name*> <*ip address*> <*netmask*> <*gateway*>
.
Verify against the MAC address of the respective adapters to ensure that the IP addresses are not misconfigured.
Note: You cannot direct DNS requests to the IP configured on the secondary adapter because incoming DNS traffic will be blocked on this IP. - Once you have saved changes, enable traffic segregation.
Static routes are configured for the IP on the secondary adapter to all Secure Access destinations required for the proper functioning of the VA. Configuring additional static routes is currently not supported.
Enter:
config va dmz enable
Deploy a New VA to Support Dual-NIC DMZ Mode
You can deploy a new VA with dual-NIC support. The configuration steps are similar to configuring an upgraded VA. You can add the secondary adapter to the VM using the hypervisor console, before powering on the VM. Both adapters should be of the same driver type.
- Enter configuration mode on the VA and retrieve the name of both adapters.
Run:config va show
- Configure the primary adapter and then the secondary adapter.
Ensure that the primary adapter is configured with the IP that you wish to use for internal communication and that the secondary adapter is configured with the IP to be used for internet-bound communication.
Run:config va interface <interface name> <ip address> <netmask> <gateway>
- Once both adapters are configured, enable traffic segregation.
Run:config va dmz enable
Configure Anycast
Secure Access Virtual Appliances enable the use of Anycast DNS addressing within an enterprise.
The advantage of using Anycast is that all your endpoints can use the same DNS IP address irrespective of the Site where they belong. Configuring an Anycast IP address on the VA adds resiliency for DNS resolution.
The VA currently supports enabling Anycast using the BGP protocol. This requires support for BGP on the VA’s neighboring router, or any router that is reachable from the VA within 255 hops.
You can configure up to 4 routers running BGP as BGP peers for the VA.
Two VAs in different branches can also be configured with the same Anycast IP address, ensuring resiliency across branches. However, if AD integration is required, these VAs must be in the same Secure Access Site, since the AD Connector propagates IP-AD user mappings only to VAs in its Secure Access site.
Secure Access supports the configuration of IPv4 addresses as an Anycast address on the VA.
Configure Anycast over BGP on the VA
- Enter the Configuration Mode on the VA.
- Enable Anycast support on the VA. Enter config anycast bgp <options>
Command returns an ASN for the VA.
Options are:- enable <anycast_ip> <bgp_info>—Enable the anycast mode
- <anycast_ip>—Anycast IP address
- <bgp_info>—ASN:IPAddress:Hop count of the BGP router to publish. If a hop count is not specified, a default value of 255 is assumed, therefore, the router can be up to 255 hops away.
- add <ASN:Router IP:Hop count>—Use this command to specify an additional router as a BGP peer for the VA. A maximum of 4 peers can be configured.
- delete —Use this command to remove a BGP peer for the VA.
- stats—Show statistics around the Anycast configuration
- summary—Show summarized list of all BGP peers for this VA
- disable—Disable anycast mode
- status—Show status of anycast
- test—test Anycast connectivity
- help—Display this usage information
- enable <anycast_ip> <bgp_info>—Enable the anycast mode
- Validate status. Enter config anycast bgp status
- On the router, add the VA’s ASN from step 2 as the neighbor of the router.
Example:
In the following configuration, the VA needs to be configured with Anycast IP 192.168.1.22, the BGP router’s ASN is 7105, and IP address is 10.1.0.1.
Configure Load Balancing
You can configure your Virtual Appliances behind a load balancer that meets the following requirements:
- The load balancer is able to inject the source IP address of the client making the query in the EDNS Client Subnet (ECS) field of the DNS request sent to the VA.
- The DNS response from the Virtual Appliance routes through the load balancer. Thus, the response to the client comes from the address of the load balancer.
This feature has specifically been qualified with the F5 BIGIP-LTM 16.1.1 version, where the F5 can inject the endpoint source IP in DNS requests that it forwards to VAs in the load balancing pool. Refer to F5 documentation on ECS injection in DNS requests when forwarding these requests to a DNS server pool.
By default, the VA does not accept DNS requests with the ECS option from any endpoint. To allow the VA to accept DNS requests with the ECS option from load balancers, the load balancer IP has to be added to the VA configuration using the following commands:
Add a Load Balancer
config loadbalancer add <server-ip/prefix>
Remove a Load Balancer
config loadbalancer remove <server-ip/prefix>
Note: You can add a maximum of 8 load balancers to a VA. Also, add or remove a single load balancer at a time.
Configure Identity Association Timeouts
Use the config admap
command to configure association timeouts for a given IP address. You can also view or clear the AD mapping. You can only clear the mappings of an individual IP address.
Example commands:
config admap view <ip address>
config admap clear <ip address>
config admap set-user-timeout 28800
# This command sets the host timeout for 8 hours
config admap set-host-timeout 28800
# This command sets the host timeout for 8 hours
config admap show-timeout
Configure API Key Credentials for Authentication
Once you delete the Secure Access API key credentials that you created for authentication of your Virtual Appliances, the VAs have 90 days to use the existing API client key and secret. After 90 days, your VAs can not sync with Secure Access.
Note: Unless you have unusual circumstances, we do not recommend that you delete your Secure Access API key credentials.
Configure the Client ID and Client Secret
- Create a new set of API client credentials in Secure Access. For more information, see Configure Authentication for Virtual Appliances.
- With your generated Secure Access API client key and secret, run the
config authcred set
command:
config authcred set "<client_id>:<client_secret>"
Configure Virtual Appliances > Configuration Settings on VAs > Local DNS Forwarding
Updated about 2 months ago