(844) 773-7734 mk@mkss.us

Network Security Automation using Cisco Secure Firewall and Hashicorp’s Consul

More and more organizations today are moving towards dynamic infrastructure deployments in cloud environments or using microservices. In such environments, instances and services are created and decommissioned as per need and that can be very frequent. Keeping track of updates to such components in a  fast-changing environment is becoming a challenge for SecOps teams and an agile,  scalable, automated solution has become a vital requirement.

Let’s assume that an access rule configured on the Cisco Secure Firewall allows traffic from one service to another based on their IP addresses. It is effective as long as the setup does not change but if the destination node goes down or becomes inaccessible, another node will spin up in its place making the access rule ineffective. The access rule does not dynamically change on the firewall, It needs an administrator to log into the device and manually change the rule unless dynamic objects are configured on the Cisco Secure Firewall Management Center (FMC).


If dynamic objects are configured on the FMC, any changes to dynamic IP addresses can take place programmatically using the Cisco Secure Dynamic Attribute Connector(CSDAC) without the need to deploy this change to the firewall.

Alternatively, IP addresses in the dynamic objects on FMC can be automatically created, updated and deleted using Hashicorp’s Consul-Terraform-Sync solution. For customers who use the Consul infrastructure, this is the preferred solution.

Hashicorp’s Consul is a service mesh solution providing service discovery, configuration, and segmentation functionality across several environments. Its service discovery feature allows Consul agents to register services to a central registry called the Consul service catalog.

The Consul-Terraform-Sync service utilizes the Consul catalog as a data source that contains networking information about services and watches Consul state changes at the application layer (based on service health changes, new instances deployed, etc.) and forwards the data to a Consul-Terraform-Sync compatible Terraform module that is automatically triggered.

Terraform is used as the underlying automation tool and leverages the Terraform provider ecosystem to drive relevant changes to the network infrastructure. The terraform module used here is the dynamicobjects module based on FMC terraform provider.

cisco secure

Please refer to this link for getting started with Consul-terraform-sync.

When the Consul Terraform-Sync solution is used in conjunction with the dynamic object, the FMC is updated with the IP address mappings received by the dynamicobjects Terraform module. This in turn, updates the access rules on the FMC containing that object which ensures that the right access is always provided to the right services.

This partnership between Cisco and Hashicorp provides an agile solution for tracking dynamic changes in the cloud environment.  The Terraform module with the detailed usage and workflow can be found here.

Related resources:

Video: https://www.youtube.com/watch?v=uDjU2VaEMvM

Cisco Secure FMC Terraform Provider

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels