Network Security Automation Lab: Ansible + AWX for Firewall & Infrastructure Automation

By on

 

LAB TOPOLOGY



This lab consists of four Cisco ASA firewalls deployed within the 192.168.145.0/24 subnet. Each firewall represents a different global region—North America, South America, EMEA, and APAC—allowing me to simulate a distributed enterprise network environment.

  • NA-FW1 – 192.168.145.190

  • SAM-FW1 – 192.168.145.191

  • EMEA-FW1 – 192.168.145.192

  • APAC-FW1 – 192.168.145.193









All Cisco ASA firewalls in this lab are configured with two object-groups—BlackList_Outbound and BlackList_Inbound—which are referenced in the ACLs to block traffic from known malicious IP addresses.

As part of this automation, I created a simple workflow that updates these object-groups by automatically adding newly identified malicious IPs. This ensures that all firewalls consistently enforce the latest security blocks without requiring manual configuration on each device.






I built an Ubuntu-based host to run and manage my AWX setup.



Before applying any configurations using Ansible and AWX, here are the existing contents of the object-groups:



Below is a sample playbook I created in Visual Studio Code. I will push this to my GitHub repository, then pull it into my AWX project, sync it, and create an inventory in AWX.


Verifying from my Github Repository:

Below is the setup of my Project in AWX side.








Below is the output from running the playbook. As shown in the debug messages, the automation successfully added the network-object host 1.1.1.2 entry to each firewall—eliminating the need to configure them one by one. The updated configuration for each firewall is shown below.




Building this lab showed how impactful automation can be when managing firewalls across different “regions” in a simulated enterprise environment. Instead of touching each device manually, Ansible and AWX handled everything for me clean, fast, and error-free. This is only the start of my network security automation journey, and I’m excited to dive deeper into more complex workflows in the next phases of this lab.

I plan to apply this simple automation to our daily tasks in the production environment. This lab allows me to test all the ideas I come up with, helping both me and my teammates save time through automation."































"Blending years of Network Engineering with a passion for Cybersecurity."

Comments

Post a Comment

Popular posts from this blog

Deploying Sysmon on Windows and Integrating with Elasticsearch SIEM

By on
Image
  First, let's install Sysmon on our Windows host by opening this link in a browser and downloading it: Sysmon - Sysinternals | Microsoft Learn . As of this writing, the latest version of Sysmon is 15.5 Once the download is complete, go ahead and unzip the file. Sysmon configurations or rules are available on GitHub, with a well-known repository being SwiftOnSecurity's Sysmon config: 🔗 https://github.com/SwiftOnSecurity/sysmon-config We will download this configuration for our setup. We can place the downloaded configuration file in the same directory as Sysmon, then open PowerShell and follow the steps below. We can use net start to start Sysmon64, and it will list all services that start afterward. To further verify, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational , where you should see the corresponding event IDs. And now let's ingest Sysmon and Windows Defender logs into elasticsearch. Click the Add integ...
Read more

Installing Suricata IDS/IPS and Triggering Rules with an Nmap Stealth Scan and XSS Attack on bWAPP Using Burp Suite

By on
Image
  We are enabling the IDS/IPS functionality on our OPNsense firewall to detect and alert on potential threats by analyzing incoming traffic against predefined rules. These rules act as "fingerprints" to identify known attacks and suspicious behaviors across the network. In this Lab, i will be using Suricata, a free and open-source cybersecurity tool that functions as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). Widely adopted by organizations worldwide, Suricata monitors networks for suspicious activity and detects cyber threats. Suricata's rules analyze network packets for specific characteristics, such as source and destination IP addresses, ports, protocol types, and even packet content, to identify potential threats. When traffic matches a rule, Suricata generates an alert, notifying administrators of potential security incidents. Based on my research, it is essential to disable offloading features before enabling the IDS/IPS capa...
Read more

Boss of the SOC v1 (2015) Website Defacement

By on
Image
  Question #1 Based on the first question, the task is to identify the IP address of an individual conducting  reconnaissance using a scanning technique. I began my investigation with the search parameter  index=botv1, as provided in the instructions, and incorporated imreallynotbatman.com as  specified in question number 1. After running the search parameters, I identified the dest_header field in the left-side panel.  Upon expanding it, I analyzed the details within and discovered references to the Acunetix  Web Vulnerability Scanner, indicating its use in the reconnaissance activity. To enhance visibility and identify the IP address scanning the web server, I created a table that  included the fields src_ip, dest_ip, and dest_header. I then filtered the results by searching  for the keyword 'scan' within the dest_header field and applied a dedup command to the src_ip  field to remove duplicate entries, effectively narrowing down the source...
Read more