How It Works

Network constructs such as IP address are not reliable in virtual, cloud and container environments due to the dynamic nature of the workloads and the inevitability of IP address overlap. Customers require policy rules to be defined based on non-network constructs such as VM name or security group, so that firewall policy is persistent even when the IP address or VLAN changes.

The following figure shows how the system functions at a high level.

"The Cisco Secure Dynamic Attributes Connector queries cloud services such as VMware vCenter and provides information such as VLANs, networks, and tags to the secure management center to use as selection criteria in access control rules. This way, you don't have to constantly update network objects when IP address information (for example) in your cloud systems change"

  1. Connectors contain the tags and containers to query.

    For example, typically these tags define dynamically allocated network and IP addresses for which you cannot create access control rules. Persisted feeds from the connectors are stored on the dynamic attributes connector for fast access.

  2. Tag information is persisted on the dynamic attributes connector where you create dynamic attribute filters that define which information is important to use in access control rules.

    For example, if AWS defines networks for the Accounting and Finance Departments virtual machines, you can create a dynamic attributes filter that specifies only the Finance network.

  3. The adapter defined by the dynamic attributes connector receives those dynamic attributes filters as dynamic objects and enables you to use them in access control rules.

    You can create the following types of adapters:

    • On-Prem Firewall Management Center for an on-premises device.

      This type of device might be managed by Cisco Defense Orchestrator (CDO) or it might be a standalone.

    • Cloud-delivered Firewall Management Center for devices managed by CDO.