Configure Settings on VAs

Configure other settings on your Cisco Secure Access Virtual Appliances (VAs).

Configure Rate Limiting

You can set rate limits of DNS queries on a VA for a single IP address. Use rate limits to prevent any single endpoint from attempting to flood the VA with DNS queries and causing a Denial-of-Service on the VA.

Enable Rate Limits on a VA

Enable rate limits on the Virtual Appliance. Rate-limiting is off by default.

config va per-ip-rate-limit enable <pps> <burst>

  • pps—The number of packets accepted per second from an individual IP. Supported values are 10 to 100,000.
  • burst—The packet burst rate.

Disable Rate Limiting

Disable rate limits on the Virtual Appliance.

config va per-ip-rate-limit disable

Check Status and Packet Drops

Check status and packet drops on the Virtual Appliance.

config va show

Configure NTP Servers

By default, VAs use Ubuntu NTP servers (ntp.ubuntu.com) as their time servers. You can configure your VAs to use other NTP servers.

Add NTP Servers to the VA

config ntp add <serverIP1> <serverIP2>

Remove NTP Servers

config ntp remove <serverIP1> <serverIP2>

View the VA's Current NTP Servers

config ntp show

Configure Secure Access Resolvers

By default, the VA is configured to use the Cisco Secure Access DNS resolvers. For more information, see [Secure Access DNS Resolvers](doc:network-requirements-for-secure-access#secure-access-dns-resolvers).

You can change the Secure Access resolvers used by the VA.

Use IPv4 Secure Access DNS Resolvers

config va resolvers global

Use Alternate Secure Access DNS Resolvers

Use this option if your ISP blocks traffic to the Secure Access DNS resolvers.

config va resolvers alternate

Use the IPv6 Secure Access DNS Resolvers

config va resolvers global-v6

Use the US-only IPv4 Secure Access DNS Resolvers

config va resolvers US

Use the US-only IPv6 Secure Access DNS Resolvers

config va resolvers US-v6

Note: If you configure the IPv6 Secure Access DNS resolvers, then the VA only sends DNS queries over IPv6. HTTPS traffic to other endpoints is sent over IPv4.

Configure DNSSEC Support

Secure Access supports DNSSEC by performing validation on queries sent from Secure Access DNS resolvers to upstream authorities.

If your endpoints are making DNS queries with the DNSSEC OK (DO) bit to the VA, the default behavior of the VA is to turn off this bit before forwarding the query to Secure Access or the local DNS server.

Configure VA to Preserve the DO Bit

Configure the VA to preserve the DO bit when forwarding the DNS query to Secure Access or the local DNS server.

Note: Preserves any DNSSEC Security Resource Records in the DNS response to the endpoint.

config va dnssec enable

Turn Off the DO Bit

config va dnssec disable

Command summary:

  • config va dnssec enable—Configure the VA to preserve the DO bit when forwarding the DNS query to Secure Access and/or the local DNS server. Preserves any DNSSEC Security Resource Records in the DNS response to the endpoint.
  • config va dnssec disable—Disable the above configuration.

Configure Logging to Remote Syslog Server

Virtual Appliances can forward logs to a remote syslog server. If configured, Secure Access forwards logs related to internal DNS queries, logs on upgrades and reboots of the VA, and admin audit.

Configure the Destination of the Remote Syslog Server

config logexport destination <server-ip-address:port> <protocol>

Supported Values for <protocol>:

  • TCP, UDP, or TLS.
  • If no value is specified, TCP is the default.
  • If the protocol value is TCP or UDP and a port is not specified, 514 is assigned as the default port.
  • If the protocol value is TLS and a port is not specified, 6514 is taken as the default port.
  • IPv6 addresses are not supported as destination IPs for this command.

Example:

config logexport destination 10.26.02.82:514 udp

To forward the logs over a TLS-encrypted session, first create the certificates for the client (VA) and server (remote syslog server). The certificates can be self-signed or signed by a Root certificate authority (CA).

Add the key and certificate to the VA using the following commands:

config logexport key <copy the contents from keyForClientCert.pem file>
config logexport cert <copy the contents from ClientCert.pem file>
config logexport ca <copy the contents from selfsignedCA.pem|chainCertCA.pem file>

Note: The CA configured in the last command should be the CA used to sign the server certificate.

Configure Log Export Internal DNS

All internal DNS queries sent to the internal DNS server are logged at the syslog server. Logs include the date and time, the internal domain being queried and the private IP, hostname and username of the source endpoint that made the query.

Note: If AD integration is not configured for the VA, the hostname and username of the source endpoint are not available.

config logexport enable internaldns

Format for internal DNS queries:

  • Date
  • Time
  • Hostname (forwarder)
  • VA Label:
    • InternalDNS
  • Internal IP of source
  • User AD identity of source (if a user identity is mapped to this IP else "NULL")
  • Host AD identity of source (if a host identity is mapped to this IP else "NULL")
  • Internal Domain being queried

Configure Log Export Enable Health

Reboots and upgrades of the VA are logged at the syslog server.

config logexport enable health

Format for VA boot:

  • Date
  • Time
  • Hostname (forwarder)
  • VA Label:
    • Health
    • VA started

Format for VA upgrade:

  • Date
  • Time
  • Hostname (forwarder)
  • VA Label: Health
  • VA downloaded version <x.y.z> or VA upgraded to version <x.y.z>

Configure Log Export Enable Admin

Admin audit log (logins by admin users and config commands run on the VA) are logged at the syslog server.

config logexport enable admin

Format for User Login to VA:

  • Date
  • Time
  • Hostname (forwarder)
  • VA Label: Audit-Auth
    • "SSH login from as <vmadmin/vmuser> succeeded/failed" or "Console login as <vmadmin/vmuser> succeeded/failed"

Format for Configuration change:

  • Date
  • Time
  • Hostname (forwarder)
  • VA Label: AuditLog-Config
    • Command executed
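The three record formats above are given only as field orders. The following added example (not part of the Cisco documentation) parses constructed sample lines that follow those field orders with single-space separators, which is an assumption about the actual line layout, and pulls out what an analyst would check first on the syslog server: repeated failed admin logins, internal queries with no AD identity, and configuration changes.

```python
import re
from collections import Counter

# Constructed sample records following the field order the page lists for each label.
# The single-space layout is an assumption; adjust parse_line() to the real separator.
SAMPLE_LOGS = """\
2024-05-01 09:14:02 forwarder InternalDNS 10.10.4.25 alice WS-ALICE intranet.example.test
2024-05-01 09:14:09 forwarder InternalDNS 10.10.4.77 NULL NULL hr-portal.example.test
2024-05-01 09:15:00 forwarder Health VA started
2024-05-01 09:16:30 forwarder Audit-Auth SSH login as vmadmin failed
2024-05-01 09:16:41 forwarder Audit-Auth SSH login as vmadmin failed
2024-05-01 09:16:55 forwarder Audit-Auth Console login as vmadmin succeeded
2024-05-01 09:20:12 forwarder AuditLog-Config Command executed config va dmz enable
"""

AUTH_RE = re.compile(r"^(SSH|Console) login .*as (\S+) (succeeded|failed)$")

def parse_line(line: str) -> dict:
    """Split one record into the common fields plus a label-specific payload."""
    date, time, host, label, rest = line.split(" ", 4)
    event = {"date": date, "time": time, "host": host, "label": label}
    if label == "InternalDNS":
        src, user, ad_host, domain = rest.split(" ", 3)
        event.update(src_ip=src, user=None if user == "NULL" else user,
                     ad_host=None if ad_host == "NULL" else ad_host, domain=domain)
    elif label == "Audit-Auth":
        m = AUTH_RE.match(rest)
        event.update(method=m.group(1), account=m.group(2), result=m.group(3))
    else:                                    # Health and AuditLog-Config carry free text
        event["message"] = rest
    return event

def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def failed_logins_by_account(events: list) -> Counter:
    """Failed admin logins per account; a burst here is worth an alert."""
    return Counter(e["account"] for e in events
                   if e["label"] == "Audit-Auth" and e["result"] == "failed")

def unattributed_queries(events: list) -> list:
    """Internal DNS queries with no AD user or host mapping (no AD integration, or an unknown device)."""
    return [e["src_ip"] for e in events
            if e["label"] == "InternalDNS" and e["user"] is None and e["ad_host"] is None]

def config_changes(events: list) -> list:
    """Every configuration command recorded by the admin audit log."""
    return [e["message"] for e in events if e["label"] == "AuditLog-Config"]
```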

Configure Log Export Enable All

Enables logging of internal DNS, health, and admin logs at the syslog server.

config logexport enable all

Configure Log Export Status

Run this command to check the status of the log forwarding:

config logexport status

Turn Off Logging

Run this command to turn off logging:

config logexport disable <feature>

Note: You can set the feature option to internaldns, health, audit or all.

Example:

config logexport disable all

Configure Dual-NIC Support on the VA

NIC Terminology

Throughout this section, the terms NIC, network interface, and network adapter are used interchangeably.

Virtual Appliances support a dual-NIC configuration. This configuration is intended to enable DMZ deployment of a VA with traffic segregation: one network interface is used for outbound communication and the other network interface is used for internal communication.

Dual-NIC support has only been qualified on VAs running on Hyper-V and VMware. There is no change to existing behavior if the VA is deployed with a single NIC. Configuring more than two NICs on the VA is not supported.

Note: When using the dual-NIC configuration, Secure Access does not support the configuration of IPv6 addresses for network adapters.

Configure an Existing VA to Support Dual-NIC

  1. Open your existing VA in your preferred hypervisor's console or SSH to the VA.
  2. Run the command to show the configuration of the VA:
    config va show
    Ensure that the IP configured here is the IP that will be used for internal communication. This is the IP that your endpoints will use for DNS resolution.
    Note: Save the MAC address of the existing network adapter before adding a secondary network adapter.
  3. Shut down the VA and add a second network adapter using your hypervisor console.
    This is the network adapter you will use for outbound communication. It should be of the same driver type as your primary network adapter.
    Note: Some platforms may not permit the addition of a second network adapter after the VA has been created.
  4. Turn the VA on, enter Configuration mode from the console or through SSH, and run config va show. This command returns the name of the second adapter.
    Note: Adding a second adapter while the VA is powered on may result in the adapter not being detected or in corruption of the existing configuration. The VA must be shut down before the second adapter is added.
  5. For the secondary adapter, assign the IP, netmask, and gateway parameters to be used for outbound (Internet) communication. Enter:
    config va interface <interface name> <ip address> <netmask> <gateway>
    Verify against the MAC address of the respective adapters to ensure that the IP addresses are not misconfigured.
    Note: You cannot direct DNS requests to the IP configured on the secondary adapter because incoming DNS traffic is blocked on this IP.
  6. Once you have saved changes, enable traffic segregation.
    Static routes are configured for the IP on the secondary adapter to all Secure Access destinations required for the proper functioning of the VA. Configuring additional static routes is currently not supported.
    Enter:
    config va dmz enable

Deploy a New VA to Support Dual-NIC DMZ Mode

You can deploy a new VA with dual-NIC support. The configuration steps are similar to configuring an upgraded VA. You can add the secondary adapter to the VM using the hypervisor console, before powering on the VM. Both adapters should be of the same driver type.

  1. Enter configuration mode on the VA and retrieve the name of both adapters.
    Run:
    config va show
  2. Configure the primary adapter and then the secondary adapter.
    Ensure that the primary adapter is configured with the IP that you wish to use for internal communication and that the secondary adapter is configured with the IP to be used for internet-bound communication.
    Run:
    config va interface <interface name> <ip address> <netmask> <gateway>
  3. Once both adapters are configured, enable traffic segregation.
    Run:
    config va dmz enable

Configure Anycast

Secure Access Virtual Appliances enable the use of Anycast DNS addressing within an enterprise.

The advantage of using Anycast is that all your endpoints can use the same DNS IP address irrespective of the Site where they belong. Configuring an Anycast IP address on the VA adds resiliency for DNS resolution.

The VA currently supports enabling Anycast using the BGP protocol. This requires support for BGP on the VA’s neighboring router, or any router that is reachable from the VA within 255 hops.

You can configure up to 4 routers running BGP as BGP peers for the VA.

Two VAs in different branches can also be configured with the same Anycast IP address, ensuring resiliency across branches. However, if AD integration is required, these VAs must be in the same Secure Access Site, since the AD Connector propagates IP-AD user mappings only to VAs in its Secure Access site.

Secure Access supports the configuration of IPv4 addresses as an Anycast address on the VA.

Configure Anycast over BGP on the VA

  1. Enter the Configuration Mode on the VA.
  2. Enable Anycast support on the VA. Enter config anycast bgp <options>
    Command returns an ASN for the VA.
    Options are:
    • enable <anycast_ip> <bgp_info>—Enable the anycast mode
      • <anycast_ip>—Anycast IP address
      • <bgp_info>—ASN:IPAddress:Hop count of the BGP router to publish. If a hop count is not specified, a default value of 255 is assumed, therefore, the router can be up to 255 hops away.
    • add <ASN:Router IP:Hop count>—Use this command to specify an additional router as a BGP peer for the VA. A maximum of 4 peers can be configured.
    • delete—Use this command to remove a BGP peer for the VA.
    • stats—Show statistics around the Anycast configuration
    • summary—Show summarized list of all BGP peers for this VA
    • disable—Disable anycast mode
    • status—Show status of anycast
    • test—test Anycast connectivity
    • help—Display this usage information
  3. Validate status. Enter config anycast bgp status
  4. On the router, add the VA’s ASN from step 2 as the neighbor of the router.

Example:
In the following configuration, the VA needs to be configured with Anycast IP 192.168.1.22, the BGP router’s ASN is 7105, and IP address is 10.1.0.1.

Configure Load Balancing

You can configure your Virtual Appliances behind a load balancer that meets the following requirements:

  • The load balancer is able to inject the source IP address of the client making the query in the EDNS Client Subnet (ECS) field of the DNS request sent to the VA.
  • The DNS response from the Virtual Appliance routes through the load balancer. Thus, the response to the client comes from the address of the load balancer.

This feature has specifically been qualified with the F5 BIGIP-LTM 16.1.1 version, where the F5 can inject the endpoint source IP in DNS requests that it forwards to VAs in the load balancing pool. Refer to F5 documentation on ECS injection in DNS requests when forwarding these requests to a DNS server pool.

By default, the VA does not accept DNS requests with the ECS option from any endpoint. To allow the VA to accept DNS requests with the ECS option from load balancers, the load balancer IP has to be added to the VA configuration using the following commands:

Add a Load Balancer

config loadbalancer add <server-ip/prefix>

Remove a Load Balancer

config loadbalancer remove <server-ip/prefix>

Note: You can add a maximum of 8 load balancers to a VA. Also, add or remove a single load balancer at a time.
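As an added example that is not part of the Cisco documentation, the following Python builds a DNS query carrying the EDNS Client Subnet option (RFC 7871, option code 8), extracts the subnet, and applies the same rule the VA enforces: ECS is honoured only when the sender is inside a configured load balancer prefix, and an ECS-bearing query from any other endpoint is rejected. The packet is constructed here and the screening function is a model of the rule, not the VA's own code.

```python
import ipaddress
import struct

def build_query(name: str, client_ip=None, prefix_len=24) -> bytes:
    """Constructed DNS query; with client_ip set it carries an EDNS Client Subnet (ECS) option."""
    arcount = 0 if client_ip is None else 1
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    packet = header + qname + struct.pack(">HH", 1, 1)          # QTYPE A, QCLASS IN
    if client_ip is None:
        return packet
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2                       # RFC 7871 address families
    addr_bytes = net.network_address.packed[: (prefix_len + 7) // 8]
    ecs = struct.pack(">HBB", family, prefix_len, 0) + addr_bytes  # scope prefix is 0 in queries
    rdata = struct.pack(">HH", 8, len(ecs)) + ecs               # option code 8 = ECS
    opt_rr = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, len(rdata)) + rdata
    return packet + opt_rr

def extract_ecs(packet: bytes):
    """Return the client subnet from the ECS option, or None if the query carries none."""
    qdcount, arcount = struct.unpack(">HH", packet[4:6] + packet[10:12])
    pos = 12
    for _ in range(qdcount):                 # skip each question (queries use no name compression)
        while packet[pos] != 0:
            pos += packet[pos] + 1
        pos += 5                             # root label + QTYPE + QCLASS
    for _ in range(arcount):                 # additional RRs in a query: OPT RR with the root name
        rtype, _, _, rdlen = struct.unpack(">HHIH", packet[pos + 1:pos + 11])
        pos += 11
        end = pos + rdlen
        while rtype == 41 and pos + 4 <= end:
            code, olen = struct.unpack(">HH", packet[pos:pos + 4])
            if code == 8:
                family, src_len, _ = struct.unpack(">HBB", packet[pos + 4:pos + 8])
                raw = packet[pos + 8:pos + 4 + olen].ljust(4 if family == 1 else 16, b"\x00")
                return ipaddress.ip_network(f"{ipaddress.ip_address(raw)}/{src_len}", strict=False)
            pos += 4 + olen
        pos = end
    return None

def screen_query(packet: bytes, sender_ip: str, load_balancers: list):
    """Model of the VA rule: ECS is honoured only from configured load balancer prefixes."""
    sender = ipaddress.ip_address(sender_ip)
    subnet = extract_ecs(packet)
    if subnet is None:
        return ("accept", sender)             # plain query: the sender is the client
    if any(sender in ipaddress.ip_network(p) for p in load_balancers):
        return ("accept", subnet)             # trusted LB: policy and logs use the real client subnet
    return ("reject", None)                   # an untrusted sender must not assert another client's identity
```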

Configure Identity Association Timeouts

Use the config admap command to configure association timeouts for a given IP address. You can also view or clear the AD mapping. You can only clear the mappings of an individual IP address.

Example commands:

config admap view <ip address>
config admap clear <ip address>
config admap set-user-timeout 28800
# This command sets the user timeout to 8 hours (28800 seconds)
config admap set-host-timeout 28800
# This command sets the host timeout to 8 hours (28800 seconds)
config admap show-timeout

Configure API Key Credentials for Authentication

Once you delete the Secure Access API key credentials that you created for authentication of your Virtual Appliances, the VAs have 90 days to use the existing API client key and secret. After 90 days, your VAs cannot sync with Secure Access.

Note: Unless you have unusual circumstances, we do not recommend that you delete your Secure Access API key credentials.

Configure the Client ID and Client Secret

  1. Create a new set of API client credentials in Secure Access. For more information, see Configure Authentication for Virtual Appliances.
  2. With your generated Secure Access API client key and secret, run the config authcred set command:
config authcred set "<client_id>:<client_secret>"
