Managing Cisco Secure Firewall Threat Defense with Cloud-delivered Firewall Management Center
Managing Cisco Secure Firewall Threat Defense Devices with Cloud-delivered Firewall Management Center
What's New for Cloud-delivered Firewall Management Center
Welcome to Security Cloud Control
November 8, 2024
August 23, 2024
June 6, 2024
May 30, 2024
April 2, 2024
February 13, 2024
November 30, 2023
October 19, 2023
August 3, 2023
July 20, 2023
June 8, 2023
May 25, 2023
March 9, 2023
February 16, 2023
January 18, 2023
December 13, 2022
October 20, 2022
June 9, 2022
Enable Cloud-delivered Firewall Management Center on Your Security Cloud Control Tenant
Hardware and Software Support
Security Cloud Control Platform Maintenance Schedule
Cisco AI Assistant User Guide
Onboard with Cisco AI Assistant
Prompt Guide for Cisco AI Assistant
Online Help Documentation
Policy Insights
Policy Analyzer and Optimizer
Automate Policy Rule Creation
Contact Support
Notifications Center
Cisco AI Assistant Frequently Asked Questions (FAQ)
Onboard Devices to Cloud-delivered Firewall Management Center
Onboard an FTD to the Cloud-delivered Firewall Management Center
Onboarding Overview
Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center
Onboard a Device with a CLI Registration Key
Onboard a Threat Defense Device to Cloud-delivered Firewall Management Center using Zero-Touch Provisioning
Onboard a Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
Onboard Threat Defense Devices using Device Templates to Cloud-delivered Firewall Management Center using Zero-Touch Provisioning
Deploy a Threat Defense Device with AWS
Deploy a Threat Defense Device in Azure
Onboard an Azure VNet Environment
Deploy a Threat Defense Virtual in Azure
Deploy a Threat Defense Device to Google Cloud Platform
Create VPC Networks for GCP
Deploy a Threat Defense Device on Google Cloud Platform
Onboard a Secure Firewall Threat Defense Cluster
Onboard a Chassis
Delete Devices from Cloud-delivered Firewall Management Center
About Device Interfaces
Management Interfaces
About Data Interfaces
Network Routes on Device Management Interfaces
Log Into the Command Line Interface on the Device
Troubleshooting
Troubleshoot Cloud-delivered Firewall Management Center Connectivity with TCP
Troubleshoot Threat Defense Device Connectivity
Troubleshoot Device Connectivity Loss After Cloud-delivered Firewall Management Center Update
Troubleshoot Onboarding a Device to the Cloud-delivered Firewall Management Center Using the CLI Registration Key
Error: Device Remains in Pending Setup State After Onboarding
Troubleshoot Onboarding a Device to Cloud-delivered Firewall Management Center Using the Serial Number
Device is Offline or Unreachable
Error: Serial Number Already Claimed
Error: Claim Error
Error: Failed to Claim
Error: Provisional Error
Device Management
Log Into the Command Line Interface on the Device
Manage Devices
Add a Device Group
Register With a New Management Center
Shut Down or Restart the Device
Download the Managed Device List
Migrate the Configuration to a New Model
Supported Devices for Migration
License for Migration
Prerequisites for Migration
What Configurations Does the Wizard Migrate?
Limitations for Migration
Migrate the Secure Firewall Threat Defense
Best Practices for Migration
Hot Swap an SSD on the Secure Firewall 3100/4200
Disable the USB Port
Disable the USB Port on a Device
Disable the USB Port in Multi-Instance Mode
Device Management Using Device Templates
About Device Management using Device Templates
Variables and Network Object Overrides
Model Mapping
Requirements and Prerequisites for Device Management using Device Templates
Licenses for Device Management using Device Templates
Guidelines and Limitations for Device Management using Device Templates
Template Management
Add a Device Template
Create a New Device Template
Generate a New Device Template from an Existing Device
Import a Device Template
Configure a Device Template
Add a Physical Interface
Add a Logical Interface
Edit an Interface
Configure Other Device Settings
Configure Template Settings
Edit General Settings
Edit Licenses
Edit Applied Policies
Edit Advanced Settings
Edit Deployment Settings
Configure Template Parameters
Supported Variables
Add a Variable
Supported Network Object Overrides
Add a Network Object Override
Add Model Mapping
Invalid Model Mappings
Configure Site-to-Site VPN Connections in a Device Template
Configure an SD-WAN VPN Connection
Configure a Route-Based Site-to-Site VPN Connection
Configure a Policy-Based Site-to-Site VPN Connection
Add a Device to an SD-WAN Topology in a Dual ISP Deployment
Apply Templates to Existing Devices
Apply a Template
Reapply a Template
Validation of Template Configuration Before and After Application of Template on Device
Monitoring Device Templates
View Associated Devices
Generate a Template Apply Report
Delete Device Template
Configure a Template for Threat Defense Devices Managed Using the Data Interface
Device Template Operations on Threat Defense High Availability Devices
Audit Logs
Device Templates in Domains
Troubleshooting Device Templates
History for Device Management using Device Templates
Device Settings
Edit General Settings
Copy a Configuration to Another Device
Export and Import the Device Configuration
Edit License Settings
View System Information
View the Inspection Engine
View Health Information
Edit Management Settings
Update the Hostname or IP Address in the Management Center
Change Both Management Center and Threat Defense IP Addresses
Change the Manager Access Interface from Management to Data
Change the Manager Access Interface from Data to Management
Change the Manager Access Interface from Management to Data in a High Availability Pair
Change the Manager Access Interface from Data to Management in a High Availability Pair
Configure a Redundant Manager Access Data Interface
Modify Threat Defense Management Interfaces at the CLI
Modify the Threat Defense Data Interface Used for Management at the CLI
Edit the Management Center IP Address/Hostname on the Device
Manually Roll Back the Configuration if the Management Center Loses Connectivity
Troubleshoot Management Connectivity on a Data Interface
Troubleshoot Management Connectivity on a Data Interface in a High Availability Pair
View Inventory Details
Edit Applied Policies
Edit Advanced Settings
Configure Automatic Application Bypass
Configure Object Group Search
Configure Interface Object Optimization
Edit Deployment Settings
Edit Cluster Health Monitor Settings
History for Device Settings
Change Management
About Change Management
How to Configure Devices in the Change Management Workflow
Creating Separate Approver and Configuration Roles
Policies and Objects that Support Change Management
Requirements and Prerequisites for Change Management
Guidelines and Limitations for Change Management
Enabling or Disabling Change Management
Managing Tickets
Creating Change Management Tickets
Opening a Ticket for Configuration Changes
Previewing a Ticket
Submitting a Ticket
Discarding a Ticket
Approving or Rejecting a Ticket
Taking Over or Reassigning Tickets
History for Change Management
Users for Devices
About Users
Internal and External Users
CLI Access
CLI User Roles
Requirements and Prerequisites for User Accounts for Devices
Guidelines and Limitations for User Accounts for Devices
Add an Internal User at the CLI
Troubleshooting LDAP Authentication Connections
Configuration Deployment
About Configuration Deployment
Configuration Changes that Require Deployment
Deployment Preview
Selective Policy Deployment
System Username
Auto-Enabling of Application Detectors
Asset Rediscovery with Network Discovery Policy Changes
Snort Restart Scenarios
Restart Warnings for Devices
Inspect Traffic During Policy Apply
Snort Restart Traffic Behavior
Configurations that Restart the Snort Process When Deployed or Activated
Changes that Immediately Restart the Snort Process
Requirements and Prerequisites for Policy Management
Best Practices for Deploying Configuration Changes
Deploy the Configuration
Deploy Configuration Changes
Redeploy Existing Configurations to a Device
Manage Deployments
View Deployment Status
View Deployment History
Download Policy Changes Report for Multiple Devices
Compare Policies
Generate Current Policy Reports
History for Configuration Deployment
System Settings
System Configuration
Requirements and Prerequisites for the System Configuration
Manage the Secure Firewall Management Center System Configuration
Access Control Preferences
Change Reconciliation
Configuring Change Reconciliation
Change Reconciliation Options
Change Management
Email Notification
Intrusion Policy Preferences
Set Intrusion Policy Preferences
Manager Remote Access
Network Analysis Policy Preferences
Users for the Management Center
About Users
Internal and External Users
User Roles
Create a User Record with Your Security Cloud Control Username
Troubleshooting LDAP Authentication Connections
Updates
About System Updates
Guidelines and Limitations for System Updates
Update the Vulnerability Database (VDB)
Schedule VDB Updates
Manually Update the VDB
Update the Geolocation Database (GeoDB)
Schedule GeoDB Updates
Manually Update the GeoDB
Update Intrusion Rules
Schedule Intrusion Rule Updates
Manually Update Intrusion Rules
Import Local Intrusion Rules
Best Practices for Importing Local Intrusion Rules
View Intrusion Rule Update Logs
Intrusion Rule Update Log Details
Licenses
About Licenses
Smart Software Manager and Accounts
How Licensing Works for the Management Center and Devices
Periodic Communication with the Smart Software Manager
Evaluation Mode
Out-of-Compliance State
Unregistered State
End-User License Agreement
License Types and Restrictions
Essentials Licenses
Malware Defense Licenses
IPS Licenses
Carrier License
URL Filtering Licenses
Secure Client Licenses
Licensing for Export-Controlled Functionality
Threat Defense Virtual Licenses
Threat Defense Virtual Performance Tier Licensing Guidelines and Limitations
License PIDs
Requirements and Prerequisites for Licensing
Requirements and Prerequisites for Licensing for High Availability, Clustering, and Multi-Instance
Licensing for Device High-Availability
Licensing for Device Clusters
Create a Cisco Account
Create a Smart Account and Add Licenses
Configure Smart Licensing
Register the Management Center for Smart Licensing
Register the Management Center with the Smart Software Manager
Assign Licenses to Devices
Assign Licenses to a Single Device
Assign Licenses to Multiple Managed Devices
Manage Smart Licensing
Deregister the Management Center
Monitoring Smart License Status
Monitoring Smart Licenses
Troubleshooting Smart Licensing
Configure Legacy Management Center PAK-Based Licenses
Additional Information about Licensing
Security Certifications Compliance
Security Certifications Compliance Modes
Security Certifications Compliance Characteristics
Security Certifications Compliance Recommendations
Appliance Hardening
Protecting Your Network
Optimize Firewall Performance with AIOps
Introduction to AIOps Insights
About AIOps Insights
AIOps Licensing Requirements
Prerequisites to Use AIOps
Enable AIOps Insights
View Summary Insights
Assess and Improve Feature Adoption
Configure Settings for AIOps
Enable Traffic and Capacity Insights
Enable Feature Adoption Insights
Enable Health and Operations Insights
Frequently Asked Questions About AIOps
Additional Resources
Health and Monitoring
Health
Requirements and Prerequisites for Health Monitoring
About Health Monitoring
Health Modules
Configuring Health Monitoring
Health Policies
Default Health Policy
Creating Health Policies
Apply a Health Policy
Edit a Health Policy
Set a Default Health Policy
Delete a Health Policy
Send Vendor-Neutral Telemetry Streams Using OpenConfig
Generate Certificates and Private Keys
Configure OpenConfig Streaming Telemetry
Troubleshoot OpenConfig Streaming Telemetry
Device Exclusion in Health Monitoring
Excluding Appliances from Health Monitoring
Excluding Health Policy Modules
Expired Health Monitor Exclusions
Health Monitor Alerts
Health Monitor Alert Information
Creating Health Monitor Alerts
Editing Health Monitor Alerts
Deleting Health Monitor Alerts
About the Health Monitor
Using Management Center Health Monitor
Running All Modules for an Appliance
Running a Specific Health Module
Generating Health Module Alert Graphs
Hardware Statistics on Management Center
Device Health Monitors
Viewing System Details and Troubleshooting
Viewing the Device Health Monitor
Correlating Device Metrics
Cluster Health Monitor
Viewing the Cluster Health Monitor
Health Monitor Status Categories
Health Event Views
Viewing Health Events
Viewing the Health Events Table
The Health Events Table
About System Auditing
Audit Records
Audit Log Workflow Fields
The Audit Events Table View
Troubleshooting
Best Practices for Troubleshooting
System Messages
Message Types
Message Management
View Basic System Information
View Appliance Information
Manage System Messages
View Deployment Messages
View Upgrade Messages
View Health Messages
View Task Messages
Manage Task Messages
Memory Usage Thresholds for Health Monitor Alerts
Disk Usage and Drain of Events Health Monitor Alerts
Health Monitor Reports for Troubleshooting
Generate Troubleshooting Files for Specific System Functions
Download Advanced Troubleshooting Files
General Troubleshooting
Connection-Based Troubleshooting
Troubleshoot a Connection
Advanced Troubleshooting for the Secure Firewall Threat Defense Device
Packet Capture Overview
Use the Capture Trace
Packet Tracer Overview
Use the Packet Tracer
CPU Profiler Overview
Use the CPU Profiler
Rule Profiler Overview
Use the Rule Profiler
How to use the Threat Defense Diagnostic CLI from the Web Interface
Feature-Specific Troubleshooting
Tools
Backup/Restore
About Backup and Restore
Requirements for Backup and Restore
Guidelines and Limitations for Backup and Restore
Best Practices for Backup and Restore
Back Up Managed Devices
Back Up a Threat Defense Device from Cloud-delivered Firewall Management Center
Restore Security Cloud Control-Managed Devices
Restore a Threat Defense Device
Restore Threat Defense from Backup: Threat Defense Virtual
Scheduling
About Task Scheduling
Requirements and Prerequisites for Task Scheduling
Configuring a Recurring Task
Scheduled Backups
Schedule Remote Device Backups
Automating Policy Deployment
Software Upgrade Automation
Automating Software Downloads
Automating Software Pushes
Automating Software Installs
Vulnerability Database Update Automation
Automating VDB Update Downloads
Automating VDB Update Installs
Automating URL Filtering Updates Using a Scheduled Task
Scheduled Task Review
Task List Details
Viewing Scheduled Tasks on the Calendar
Editing Scheduled Tasks
Deleting Scheduled Tasks
Import/Export
About Configuration Import/Export
Configurations that Support Import/Export
Special Considerations for Configuration Import/Export
Requirements and Prerequisites for Configuration Import/Export
Exporting Configurations
Importing Configurations
Import Conflict Resolution
Reporting and Alerting
External Alerting with Alert Responses
Secure Firewall Management Center Alert Responses
Configurations Supporting Alert Responses
Requirements and Prerequisites for Alert Responses
Creating an SNMP Alert Response
Creating a Syslog Alert Response
Syslog Alert Facilities
Syslog Severity Levels
Creating an Email Alert Response
External Alerting for Intrusion Events
About External Alerting for Intrusion Events
License Requirements for External Alerting for Intrusion Events
Requirements and Prerequisites for External Alerting for Intrusion Events
Configuring SNMP Alerting for Intrusion Events
Intrusion SNMP Alert Options
Configuring Syslog Alerting for Intrusion Events
Facilities and Severities for Intrusion Syslog Alerts
Configuring Email Alerting for Intrusion Events
Intrusion Email Alert Options
Events and Assets
Cisco Security Analytics and Logging
About Security Analytics and Logging
Comparison of SAL Remote Event Storage and Monitoring Options
About SAL (OnPrem)
Licensing for SAL (OnPrem)
Manage SAL (OnPrem) for Security Cloud Control-Managed Threat Defense Devices
Configure SAL (OnPrem) Integration
Configure a Secure Network Analytics Manager
Configure a Secure Network Analytics Data Store
About SAL (SaaS)
Licensing for SAL (SaaS)
Connection Logging
About Connection Logging
Connections That Are Always Logged
Other Connections You Can Log
How Rules and Policy Actions Affect Logging
Logging for Fastpathed Connections
Logging for Monitored Connections
Logging for Trusted Connections
Logging for Blocked Connections
Logging for Allowed Connections
Beginning vs End-of-Connection Logging
Limitations of Connection Logging
Best Practices for Connection Logging
Requirements and Prerequisites for Connection Logging
Configure Connection Logging
Logging Connections with Tunnel and Prefilter Rules
Logging Decryptable Connections with TLS/SSL Decryption Rules
Logging Connections with Security Intelligence
Logging Connections with Access Control Rules
Logging Connections with a Policy Default Action
Limiting Logging of Long URLs
Device Operations
Transparent or Routed Firewall Mode
About the Firewall Mode
About Routed Firewall Mode
About Transparent Firewall Mode
Using the Transparent Firewall in Your Network
Passing Traffic For Routed-Mode Features
About Bridge Groups
Bridge Virtual Interface (BVI)
Bridge Groups in Transparent Firewall Mode
Bridge Groups in Routed Firewall Mode
Allowing Layer 3 Traffic
Allowed MAC Addresses
BPDU Handling
MAC Address vs. Route Lookups
Unsupported Features for Bridge Groups in Transparent Mode
Unsupported Features for Bridge Groups in Routed Mode
Default Settings
Guidelines for Firewall Mode
Set the Firewall Mode
Logical Devices on the Firepower 4100/9300
About Interfaces
Chassis Management Interface
Interface Types
FXOS Interfaces vs. Application Interfaces
Shared Interface Scalability
Shared Interface Best Practices
Shared Interface Usage Examples
Viewing Shared Interface Resources
Inline Set Link State Propagation for the Threat Defense
About Logical Devices
Standalone and Clustered Logical Devices
Logical Device Application Instances: Container and Native
Container Instance Interfaces
How the Chassis Classifies Packets
Classification Examples
Cascading Container Instances
Typical Multi-Instance Deployment
Automatic MAC Addresses for Container Instance Interfaces
Container Instance Resource Management
Performance Scaling Factor for Multi-Instance Capability
Container Instances and High Availability
Container Instances and Clustering
Licenses for Container Instances
Requirements and Prerequisites for Logical Devices
Requirements and Prerequisites for Hardware and Software Combinations
Requirements and Prerequisites for Container Instances
Requirements and Prerequisites for High Availability
Requirements and Prerequisites for Clustering
Guidelines and Limitations for Logical Devices
Guidelines and Limitations for Interfaces
General Guidelines and Limitations
Configure Interfaces
Enable or Disable an Interface
Configure a Physical Interface
Add an EtherChannel (Port Channel)
Add a VLAN Subinterface for Container Instances
Configure Logical Devices
Add a Resource Profile for Container Instances
Add a Standalone Threat Defense
Add a Standalone Threat Defense for the Cisco Security Cloud Control
Add a High Availability Pair
Change an Interface on a Threat Defense Logical Device
Connect to the Console of the Application
Multi-Instance Mode for the Secure Firewall 3100
About Multi-Instance Mode
Multi-Instance Mode vs. Appliance Mode
Chassis Management Interface
Instance Interfaces
Interface Types
Chassis Interfaces vs. Instance Interfaces
Shared Interface Scalability
Shared Interface Best Practices
How the Chassis Classifies Packets
Classification Examples
Cascading Instances
Typical Multi-Instance Deployment
Automatic MAC Addresses for Instance Interfaces
Performance Scaling Factor for Multi-Instance Mode
Instances and High Availability
Licenses for Instances
Requirements and Prerequisites for Instances
Guidelines and Limitations for Instances
Configure Instances
Onboard the Multi-Instance Chassis
Configure Chassis Interfaces
Configure a Physical Interface
Configure an EtherChannel
Configure a Subinterface
Add an Instance
Customize the System Configuration
Configure SNMP
Import or Export the Chassis Configuration
Configure Chassis Platform Settings
Create a Chassis Platform Settings Policy
Configure DNS
Configure SSH and SSH Access List
Configure Syslog
Configure Time Synchronization
Configure Time Zones
Manage Multi-Instance Mode
Change Interfaces Assigned to an Instance
Change Chassis Management Settings at the FXOS CLI
Monitoring Multi-Instance Mode
Monitoring Multi-Instance Setup
Monitoring Instance Interfaces
History for Multi-Instance Mode
High Availability
About Secure Firewall Threat Defense High Availability
High Availability Support on Threat Defense Devices in a Remote Branch Office Deployment
High Availability System Requirements
Hardware Requirements
Software Requirements
License Requirements for Threat Defense Devices in a High Availability Pair
Failover and Stateful Failover Links
Failover Link
Failover Link Data
Interface for the Failover Link
Connecting the Failover Link
Stateful Failover Link
Shared with the Failover Link
Dedicated Interface for the Stateful Failover Link
Avoiding Interrupted Failover and Data Links
MAC Addresses and IP Addresses in High Availability
Stateful Failover
Supported Features
Unsupported Features
Bridge Group Requirements for High Availability
Failover Health Monitoring
Unit Health Monitoring
Heartbeat Module Redundancy
Interface Monitoring
Interface Tests
Interface Status
Failover Triggers and Detection Timing
About Active/Standby Failover
Primary/Secondary Roles and Active/Standby Status
Active Unit Determination at Startup
Failover Events
Config-Sync Optimization
Requirements and Prerequisites for High Availability
Guidelines for High Availability
Add a High Availability Pair
Configure Optional High Availability Parameters
Configure Standby IP Addresses and Interface Monitoring
Edit High Availability Failover Criteria
Configure Virtual MAC Addresses
Manage High Availability
Switch the Active Peer in the Threat Defense High Availability Pair
Refresh Node Status for a Single Threat Defense High Availability Pair
Suspend and Resume High Availability
Replace a Unit in Threat Defense High Availability Pair
Replace a Primary Threat Defense HA Unit with no Backup
Replace a Secondary Threat Defense HA Unit with no Backup
Break a High Availability Pair
Remove a High Availability Pair
Monitoring High Availability
View Failover History
View Stateful Failover Statistics
Troubleshooting High Availability Break in a Remote Branch Deployment
How to Break a High Availability Pair in Active-Active State
How to Break a High Availability Pair when Active or Standby Unit has Lost Connectivity
How to Break a High Availability Pair when the Secondary Device is in a Failed or Disabled State
History for High Availability
Clustering for the Secure Firewall 3100/4200
About Clustering for the Secure Firewall 3100/4200
How the Cluster Fits into Your Network
Control and Data Node Roles
Cluster Interfaces
Cluster Control Link
Configuration Replication
Management Network
Licenses for Clustering
Requirements and Prerequisites for Clustering
Guidelines for Clustering
Configure Clustering
About Cluster Interfaces
Cluster Control Link
Cluster Control Link Traffic Overview
Cluster Control Link Interfaces and Network
Size the Cluster Control Link
Cluster Control Link Redundancy
Cluster Control Link Reliability
Spanned EtherChannels (Recommended)
Spanned EtherChannel Benefits
Guidelines for Maximum Throughput
Load Balancing
EtherChannel Redundancy
Connecting to a Redundant Switch System
Individual Interfaces (Routed Firewall Mode Only)
Policy-Based Routing
Equal-Cost Multi-Path Routing
Cisco Intelligent Traffic Director (Routed Firewall Mode Only)
Cable and Add Devices to the Management Center
Create a Cluster
Configure Interfaces
Configure Spanned EtherChannels
Configure Individual Interfaces
Configure Interfaces
Configure Cluster Health Monitor Settings
Manage Cluster Nodes
Add a New Cluster Node
Break a Node
Break the Cluster
Disable Clustering
Rejoin the Cluster
Change the Control Node
Edit the Cluster Configuration
Reconcile Cluster Nodes
Unregister the Cluster or Nodes and Register to a New Management Center
Monitoring the Cluster
Cluster Health Monitor Dashboard
Viewing Cluster Health
Cluster Metrics
Troubleshooting the Cluster
Perform a Ping on the Cluster Control Link
Examples for Clustering
Firewall on a Stick
Traffic Segregation
Reference for Clustering
Threat Defense Features and Clustering
Unsupported Features with Clustering
Centralized Features for Clustering
Connection Settings and Clustering
FTP and Clustering
Multicast Routing in Individual Interface Mode
NAT and Clustering
Dynamic Routing
Dynamic Routing in Individual Interface Mode
SIP Inspection and Clustering
SNMP and Clustering
Syslog and Clustering
Cisco TrustSec and Clustering
VPN and Clustering
Performance Scaling Factor
Control Node Election
High Availability Within the Cluster
Node Health Monitoring
Interface Monitoring
Status After Failure
Rejoining the Cluster
Data Path Connection State Replication
How the Cluster Manages Connections
Connection Roles
New Connection Ownership
Sample Data Flow for TCP
Sample Data Flow for ICMP and UDP
History for Clustering
Clustering for Threat Defense Virtual in a Private Cloud
About Threat Defense Virtual Clustering in the Private Cloud
How the Cluster Fits into Your Network
Control and Data Node Roles
Individual Interfaces
Policy-Based Routing
Equal-Cost Multi-Path Routing
Cluster Control Link
Cluster Control Link Traffic Overview
Configuration Replication
Management Network
Licenses for Threat Defense Virtual Clustering
Requirements and Prerequisites for Threat Defense Virtual Clustering
Guidelines for Threat Defense Virtual Clustering
Configure Threat Defense Virtual Clustering
Add Devices to the Management Center
Create a Cluster
Configure Interfaces
Configure Cluster Health Monitor Settings
Manage Cluster Nodes
Add a New Cluster Node
Break a Node
Break the Cluster
Disable Clustering
Rejoin the Cluster
Change the Control Node
Edit the Cluster Configuration
Reconcile Cluster Nodes
Delete the Cluster or Nodes from the Management Center
Monitoring the Cluster
Cluster Health Monitor Dashboard
Viewing Cluster Health
Cluster Metrics
Reference for Clustering
Threat Defense Features and Clustering
Unsupported Features and Clustering
Centralized Features for Clustering
Connection Settings and Clustering
Dynamic Routing and Clustering
FTP and Clustering
NAT and Clustering
SIP Inspection and Clustering
SNMP and Clustering
Syslog and Clustering
Cisco TrustSec and Clustering
VPN and Clustering
Performance Scaling Factor
Control Node Election
High Availability within the Cluster
Node Health Monitoring
Interface Monitoring
Status After Failure
Rejoining the Cluster
Data Path Connection State Replication
How the Cluster Manages Connections
Connection Roles
New Connection Ownership
Sample Data Flow for TCP
Sample Data Flow for ICMP and UDP
History for Threat Defense Virtual Clustering in a Private Cloud
Clustering for Threat Defense Virtual in a Public Cloud
About Threat Defense Virtual Clustering in the Public Cloud
How the Cluster Fits into Your Network
Individual Interfaces
Control and Data Node Roles
Cluster Control Link
Cluster Control Link Traffic Overview
Configuration Replication
Management Network
Licenses for Threat Defense Virtual Clustering
Requirements and Prerequisites for Threat Defense Virtual Clustering
Guidelines for Threat Defense Virtual Clustering
Deploy the Cluster in AWS
AWS Gateway Load Balancer and Geneve Single-Arm Proxy
Sample Topology
End-to-End Process for Deploying Threat Defense Virtual Cluster on AWS
Templates
Deploy the Stack in AWS Using a CloudFormation Template
Deploy the Cluster in AWS Manually
Create the Day0 Configuration for AWS
Create the Day0 Configuration With a Fixed Configuration for AWS
Deploy Cluster Nodes
Deploy the Cluster in Azure
Sample Topology for GWLB-based Cluster Deployment
Azure Gateway Load Balancer and Paired Proxy
End-to-End Process for Deploying Threat Defense Virtual Cluster in Azure with GWLB
Templates
Prerequisites
Deploy Cluster on Azure with GWLB Using an Azure Resource Manager Template
Sample Topology for NLB-based Cluster Deployment
End-to-End Process for Deploying Threat Defense Virtual Cluster in Azure with NLB
Templates
Prerequisites
Deploy Cluster on Azure with NLB Using an Azure Resource Manager Template
Deploy the Cluster in Azure Manually
Create the Day0 Configuration for Azure
Create the Day0 Configuration With a Fixed Configuration for Azure
Create the Day0 Configuration With a Customized Configuration for Azure
Deploy Cluster Nodes Manually - GWLB-based Deployment
Deploy Cluster Nodes Manually - NLB-based Deployment
Troubleshooting Cluster Deployment in Azure
Deploy the Cluster in GCP
Sample Topology
End-to-End Process for Deploying Threat Defense Virtual Cluster in GCP
Templates
Deploy the Instance Group in GCP Using an Instance Template
Deploy the Cluster in GCP Manually
Create the Day0 Configuration for GCP
Create the Day0 Configuration With a Fixed Configuration for GCP
Create the Day0 Configuration With a Customized Configuration for GCP
Deploy Cluster Nodes Manually
Allow Health Checks for GCP Network Load Balancers
Add the Cluster to the Management Center (Manual Deployment)
Configure Cluster Health Monitor Settings
Manage Cluster Nodes
Disable Clustering
Rejoin the Cluster
Reconcile Cluster Nodes
Unregister the Cluster or Nodes and Register to a New Management Center
Monitoring the Cluster
Cluster Health Monitor Dashboard
Viewing Cluster Health
Cluster Metrics
Upgrading the Cluster
Reference for Clustering
Threat Defense Features and Clustering
Unsupported Features and Clustering
Centralized Features for Clustering
Cisco TrustSec and Clustering
Connection Settings and Clustering
Dynamic Routing and Clustering
FTP and Clustering
NAT and Clustering
SIP Inspection and Clustering
SNMP and Clustering
Syslog and Clustering
VPN and Clustering
Performance Scaling Factor
Control Node Election
High Availability within the Cluster
Node Health Monitoring
Interface Monitoring
Status After Failure
Rejoining the Cluster
Data Path Connection State Replication
How the Cluster Manages Connections
Connection Roles
New Connection Ownership
Sample Data Flow for TCP
Sample Data Flow for ICMP and UDP
History for Threat Defense Virtual Clustering in the Public Cloud
Clustering for the Firepower 4100/9300
About Clustering on the Firepower 4100/9300 Chassis
Bootstrap Configuration
Cluster Members
Cluster Control Link
Size the Cluster Control Link
Cluster Control Link Redundancy
Cluster Control Link Reliability for Inter-Chassis Clustering
Cluster Control Link Network
Management Network
Management Interface
Cluster Interfaces
Spanned EtherChannels
Configuration Replication
Licenses for Clustering
Requirements and Prerequisites for Clustering
Clustering Guidelines and Limitations
Configure Clustering
FXOS: Add a Threat Defense Cluster
Create a Threat Defense Cluster
Add More Cluster Nodes
Management Center: Add a Cluster
Management Center: Configure Cluster, Data Interfaces
Management Center: Configure Cluster Health Monitor Settings
FXOS: Remove a Cluster Node
Management Center: Manage Cluster Members
Add a New Cluster Member
Replace a Cluster Member
Deactivate a Member
Rejoin the Cluster
Unregister a Data Node
Change the Control Unit
Reconcile Cluster Members
Management Center: Monitoring the Cluster
Cluster Health Monitor Dashboard
Viewing Cluster Health
Cluster Metrics
Examples for Clustering
Firewall on a Stick
Traffic Segregation
Reference for Clustering
Threat Defense Features and Clustering
Unsupported Features with Clustering
Centralized Features for Clustering
Connection Settings
Dynamic Routing and Clustering
FTP and Clustering
Multicast Routing and Clustering
NAT and Clustering
SIP Inspection and Clustering
SNMP and Clustering
Syslog and Clustering
TLS/SSL Connections and Clustering
Cisco TrustSec and Clustering
VPN and Clustering
Performance Scaling Factor
Control Unit Election
High Availability Within the Cluster
Chassis-Application Monitoring
Unit Health Monitoring
Interface Monitoring
Decorator Application Monitoring
Status After Failure
Rejoining the Cluster
Data Path Connection State Replication
How the Cluster Manages Connections
Connection Roles
New Connection Ownership
Sample Data Flow for TCP
Sample Data Flow for ICMP and UDP
History for Clustering
Interfaces and Device Settings
Interface Overview
Management Interface
Management Interface
Diagnostic Interface
Interface Mode and Types
Security Zones and Interface Groups
Auto-MDI/MDIX Feature
Default Settings for Interfaces
Create Security Zone and Interface Group Objects
Enable the Physical Interface and Configure Ethernet Settings
Configure EtherChannel Interfaces
About EtherChannels
About EtherChannels
Channel Group Interfaces
Connecting to an EtherChannel on Another Device
Link Aggregation Control Protocol
Load Balancing
EtherChannel MAC Address
Guidelines for EtherChannels
Configure an EtherChannel
Sync Interface Changes with the Management Center
Manage the Network Module for the Secure Firewall 3100/4200
Configure Breakout Ports
Add a Network Module
Hot Swap the Network Module
Replace the Network Module with a Different Type
Remove the Network Module
Merge the Management and Diagnostic Interfaces
Unmerge the Management Interface
History for Interfaces
Regular Firewall Interfaces
Requirements and Prerequisites for Regular Firewall Interfaces
Configure Firepower 1010 and Secure Firewall 1210/1220 Switch Ports
About Firepower 1010 and Secure Firewall 1210/1220 Switch Ports
Understanding Switch Ports and Interfaces
Auto-MDI/MDIX Feature
Guidelines and Limitations for Switch Ports
Configure Switch Ports and Power Over Ethernet
Enable or Disable Switch Port Mode
Configure a VLAN Interface
Configure Switch Ports as Access Ports
Configure Switch Ports as Trunk Ports
Configure Power Over Ethernet
Configure Loopback Interfaces
About Loopback Interfaces
Guidelines and Limitations for Loopback Interfaces
Configure a Loopback Interface
Rate-Limit Traffic to the Loopback Interface
Configure VLAN Subinterfaces and 802.1Q Trunking
Guidelines and Limitations for VLAN Subinterfaces
Maximum Number of VLAN Subinterfaces by Device Model
Add a Subinterface
Configure VXLAN Interfaces
About VXLAN Interfaces
Encapsulation
VXLAN Tunnel Endpoint
VTEP Source Interface
VNI Interfaces
VXLAN Packet Processing
Peer VTEPs
VXLAN Use Cases
VXLAN Bridge or Gateway Overview
VXLAN Bridge
VXLAN Gateway (Routed Mode)
Router Between VXLAN Domains
Geneve Single-Arm Proxy
Azure Gateway Load Balancer and Paired Proxy
Requirements and Prerequisites for VXLAN Interfaces
Guidelines for VXLAN Interfaces
Configure VXLAN or Geneve Interfaces
Configure VXLAN Interfaces
Configure the VTEP Source Interface
Configure the VNI Interface
Configure Geneve Interfaces
Configure the VTEP Source Interface
Configure the VNI
Allow Gateway Load Balancer Health Checks
Configure Routed and Transparent Mode Interfaces
About Routed and Transparent Mode Interfaces
Dual IP Stack (IPv4 and IPv6)
31-Bit Subnet Mask
31-Bit Subnet and Clustering
31-Bit Subnet and Failover
31-Bit Subnet and Management
31-Bit Subnet Unsupported Features
Guidelines and Limitations for Routed and Transparent Mode Interfaces
Configure Routed Mode Interfaces
Configure Bridge Group Interfaces
Configure General Bridge Group Member Interface Parameters
Configure the Bridge Virtual Interface (BVI)
Configure IPv6 Addressing
About IPv6
IPv6 Addressing
Modified EUI-64 Interface IDs
Configure the IPv6 Prefix Delegation Client
About IPv6 Prefix Delegation
IPv6 Prefix Delegation /64 Subnet Example
IPv6 Prefix Delegation /62 Subnet Example
Enable the IPv6 Prefix Delegation Client
Configure a Global IPv6 Address
Configure IPv6 Neighbor Discovery
Configure Advanced Interface Settings
About Advanced Interface Configuration
About MAC Addresses
Default MAC Addresses
About the MTU
Path MTU Discovery
Default MTU
MTU and Fragmentation
MTU and Jumbo Frames
About the TCP MSS
Default TCP MSS
Suggested Maximum TCP MSS Setting
ARP Inspection for Bridge Group Traffic
MAC Address Table
Default Settings
Guidelines for ARP Inspection and the MAC Address Table
Configure the MTU
Configure the MAC Address
Add a Static ARP Entry
Add a Static MAC Address and Disable MAC Learning for a Bridge Group
Set Security Configuration Parameters
History for Regular Firewall Interfaces for Secure Firewall Threat Defense
Inline Sets and Passive Interfaces
About IPS Interfaces
IPS Interface Types
About Hardware Bypass for Inline Sets
Hardware Bypass Triggers
Hardware Bypass Switchover
Snort Fail Open vs. Hardware Bypass
Hardware Bypass Status
Requirements and Prerequisites for Inline Sets
Guidelines for Inline Sets and Passive Interfaces
Configure a Passive Interface
Configure an Inline Set
DHCP and DDNS
About DHCP and DDNS Services
About the DHCPv4 Server
DHCP Options
About the DHCPv6 Stateless Server
About the DHCP Relay Agent
Requirements and Prerequisites for DHCP and DDNS
Guidelines for DHCP and DDNS Services
Configure the DHCPv4 Server
Configure the DHCPv6 Stateless Server
Create the DHCP IPv6 Pool
Enable the DHCPv6 Stateless Server
Configure the DHCP Relay Agent
Configure Dynamic DNS
History for DHCP and DDNS
SNMP for the Firepower 1000
About SNMP for the Firepower 1000
Enabling SNMP and Configuring SNMP Properties for Firepower 1000
Creating an SNMP Trap for Firepower 1000
Creating an SNMP User for Firepower 1000
Quality of Service
Introduction to QoS
About QoS Policies
Requirements and Prerequisites for QoS
Rate Limiting with QoS Policies
Creating a QoS Policy
Setting Target Devices for a QoS Policy
Configuring QoS Rules
QoS Rule Components
QoS Rule Conditions
Interface Rule Conditions
Network Rule Conditions
User Rule Conditions
Application Rule Conditions
Port Rule Conditions
Port, Protocol, and ICMP Code Rule Conditions
URL Rule Conditions
Custom SGT Rule Conditions
ISE SGT vs Custom SGT Rule Conditions
Autotransition from Custom SGTs to ISE SGTs
Platform Settings
Introduction to Platform Settings
Requirements and Prerequisites for Platform Settings Policies
Manage Platform Settings Policies
ARP Inspection
Banner
DNS
External Authentication
Enable Virtual-Router-Aware Interface for External Authentication of Platform
Fragment Settings
HTTP Access
ICMP Access
NetFlow
Add Collector in NetFlow
Add Traffic Class to NetFlow
SSH Access
SMTP Server
SNMP
About SNMP
SNMP Terminology
MIBs and Traps
Supported Tables and Objects in MIBs
Add SNMPv3 Users
Add SNMP Hosts
Configure SNMP Traps
Configure SSL Settings
About SSL Settings
Syslog
About Syslog
Severity Levels
Syslog Message Filtering
Syslog Message Classes
Guidelines for Logging
Configure Syslog Logging for Threat Defense Devices
Threat Defense Platform Settings That Apply to Security Event Syslog Messages
Enable Logging and Configure Basic Settings
Enable Logging Destinations
Send Syslog Messages to an E-mail Address
Create a Custom Event List
Limit the Rate of Syslog Message Generation
Configure Syslog Settings
Configure a Syslog Server
Timeouts
Time Synchronization
Time Zone
UCAPL/CC Compliance
Performance Profile
Network Address Translation
Why Use NAT?
NAT Basics
NAT Terminology
NAT Types
NAT in Routed and Transparent Mode
NAT in Routed Mode
NAT in Transparent Mode or Within a Bridge Group
Auto NAT and Manual NAT
Auto NAT
Manual NAT
Comparing Auto NAT and Manual NAT
NAT Rule Order
NAT Interfaces
NAT Exemption
Configuring Routing for NAT
Addresses on the Same Network as the Mapped Interface
Addresses on a Unique Network
The Same Address as the Real Address (Identity NAT)
Requirements and Prerequisites for NAT Policies
Guidelines for NAT
Firewall Mode Guidelines for NAT
IPv6 NAT Guidelines
IPv6 NAT Best Practices
NAT Support for Inspected Protocols
FQDN Destination Guidelines
Additional Guidelines for NAT
Manage NAT Policies
Creating NAT Policies
Configuring NAT Policy Targets
Configure NAT for Threat Defense
Customizing NAT Rules for Multiple Devices
Searching and Filtering the NAT Rule Table
Enabling, Disabling, or Deleting Multiple Rules
Dynamic NAT
About Dynamic NAT
Dynamic NAT Disadvantages and Advantages
Configure Dynamic Auto NAT
Configure Dynamic Manual NAT
Dynamic PAT
About Dynamic PAT
Dynamic PAT Disadvantages and Advantages
PAT Pool Object Guidelines
Configure Dynamic Auto PAT
Configure Dynamic Manual PAT
Configure PAT with Port Block Allocation
Static NAT
About Static NAT
Static NAT with Port Translation
One-to-Many Static NAT
Other Mapping Scenarios (Not Recommended)
Configure Static Auto NAT
Configure Static Manual NAT
Identity NAT
Configure Identity Auto NAT
Configure Identity Manual NAT
NAT Rule Properties for Threat Defense
Interface Objects NAT Properties
Translation Properties for Auto NAT
Translation Properties for Manual NAT
PAT Pool NAT Properties
Advanced NAT Properties
Translating IPv6 Networks
NAT64/46: Translating IPv6 Addresses to IPv4
NAT64/46 Example: Inside IPv6 Network with Outside IPv4 Internet
NAT64/46 Example: Inside IPv6 Network with Outside IPv4 Internet and DNS Translation
NAT66: Translating IPv6 Addresses to Different IPv6 Addresses
NAT66 Example, Static Translation between Networks
NAT66 Example, Simple IPv6 Interface PAT
Monitoring NAT
Examples for NAT
Providing Access to an Inside Web Server (Static Auto NAT)
Dynamic Auto NAT for Inside Hosts and Static NAT for an Outside Web Server
Inside Load Balancer with Multiple Mapped Addresses (Static Auto NAT, One-to-Many)
Single Address for FTP, HTTP, and SMTP (Static Auto NAT-with-Port-Translation)
Different Translation Depending on the Destination (Dynamic Manual PAT)
Different Translation Depending on the Destination Address and Port (Dynamic Manual PAT)
NAT and Site-to-Site VPN
Rewriting DNS Queries and Responses Using NAT
DNS64 Reply Modification
DNS Reply Modification, DNS Server on Outside
DNS Reply Modification, DNS Server on Host Network
Alarms for the Cisco ISA 3000
About Alarms
Alarm Input Interfaces
Alarm Output Interface
Syslog Alarms
SNMP Alarms
Defaults for Alarms
Requirements and Prerequisites for Alarms
Configure the Alarms for the ISA 3000
Configure Alarm Input Contacts
Configure Power Supply Alarms
Configure Temperature Alarms
Monitoring Alarms
Monitoring Alarm Status
Monitoring Syslog Messages for Alarms
Turning Off the External Alarm
Routing
Static and Default Routes
About Static and Default Routes
Default Route
Static Routes
Route to null0 Interface to Drop Unwanted Traffic
Route Priorities
Transparent Firewall Mode and Bridge Group Routes
Static Route Tracking
Requirements and Prerequisites for Static Routes
Guidelines for Static and Default Routes
Add a Static Route
Reference for Routing
Path Determination
Supported Route Types
Static Versus Dynamic
Single-Path Versus Multipath
Flat Versus Hierarchical
Link-State Versus Distance Vector
Supported Internet Protocols for Routing
Routing Table
How the Routing Table Is Populated
Administrative Distances for Routes
Backup Dynamic and Floating Static Routes
How Forwarding Decisions Are Made
Dynamic Routing and High Availability
Dynamic Routing in Clustering
Dynamic Routing in Individual Interface Mode
Routing Table for Management Traffic
Equal-Cost Multi-Path (ECMP) Routing
About Route Maps
Permit and Deny Clauses
Match and Set Clause Values
Virtual Routers
About Virtual Routers and Virtual Routing and Forwarding (VRF)
About Virtual Routers and Dynamic VTI
How to Configure a Virtual Router with Dynamic VTI
Applications of Virtual Routers
Global and User-Defined Virtual Routers
Configuring Policies to be Virtual-Router-Aware
Interconnecting Virtual Routers
Overlapping IP Addresses
Configuring SNMP on User-Defined Virtual Routers
Maximum Number of Virtual Routers By Device Model
Requirements and Prerequisites for Virtual Routers
Guidelines and Limitations for Virtual Routers
Modifications to the Management Center Web Interface - Routing Page
Manage Virtual Routers
Create a Virtual Router
Configure a Virtual Router
Modify a Virtual Router
Remove Virtual Routers
Monitoring Virtual Routers
Configuration Examples for Virtual Routers
How to Route to a Distant Server through Virtual Routers
How to Provide Internet Access with Overlapping Address Spaces
How to Allow RA VPN Access to Internal Networks in Virtual Routing
How to Secure Traffic from Networks in Multiple Virtual Routers over a Site-to-Site VPN
How to Secure Traffic from Networks with Multiple Virtual Routers over a Site-to-Site VPN with Dynamic VTI
How to Route Traffic between Two Overlapping Network Host in Virtual Routing
How to Manage Overlapping Segments in Routed Firewall Mode with BVI Interfaces
How to Configure User Authentication with Overlapping Networks
How to Interconnect Virtual Routers using BGP
ECMP
About ECMP
Guidelines and Limitations for ECMP
Manage ECMP Page
Create an ECMP Zone
Configure an Equal Cost Static Route
Modify an ECMP Zone
Remove an ECMP Zone
Configuration Example for ECMP
Bidirectional Forwarding Detection Routing
About BFD Routing
Guidelines for BFD Routing
Configure BFD
Configure BFD Policies
Configure Single-Hop BFD Policies
Configure Multi-Hop BFD Policies
History for BFD Routing
OSPF
OSPF
About OSPF
OSPF Support for Fast Hello Packets
Prerequisites for OSPF Support for Fast Hello Packets
OSPF Hello Interval and Dead Interval
OSPF Fast Hello Packets
Benefits of OSPF Fast Hello Packets
Implementation Differences Between OSPFv2 and OSPFv3
Requirements and Prerequisites for OSPF
Guidelines for OSPF
Configure OSPFv2
Configure OSPF Areas, Ranges, and Virtual Links
Configure OSPF Redistribution
Configure OSPF Inter-Area Filtering
Configure OSPF Filter Rules
Configure OSPF Summary Addresses
Configure OSPF Interfaces and Neighbors
Configure OSPF Advanced Properties
Configure OSPFv3
Configure OSPFv3 Areas, Route Summaries, and Virtual Links
Configure OSPFv3 Redistribution
Configure OSPFv3 Summary Prefixes
Configure OSPFv3 Interfaces, Authentication, and Neighbors
Configure OSPFv3 Advanced Properties
History for OSPF
EIGRP
About EIGRP Routing
Requirements and Prerequisites for EIGRP
Guidelines and Limitations of EIGRP Routing
Configure EIGRP
Configure EIGRP Settings
Configure EIGRP Neighbors Settings
Configure EIGRP Filter Rules Settings
Configure EIGRP Redistribution Settings
Configure EIGRP Summary Address Settings
Configure EIGRP Interfaces Settings
Configure EIGRP Advanced Settings
BGP
About BGP
Routing Table Changes
When to Use BGP
BGP Path Selection
BGP Multipath
Requirements and Prerequisites for BGP
Guidelines for BGP
Configure BGP
Configure BGP Basic Settings
Configure BGP General Settings
Configure BGP Neighbor Settings
Configure BGP Aggregate Address Settings
Configure BGPv4 Filtering Settings
Configure BGP Network Settings
Configure BGP Redistribution Settings
Configure BGP Route Injection Settings
Configure BGP Route Import/Export Settings
RIP
About RIP
Routing Update Process
RIP Routing Metric
RIP Stability Features
RIP Timers
Requirements and Prerequisites for RIP
Guidelines for RIP
Configure RIP
Multicast
About Multicast Routing
IGMP Protocol
Stub Multicast Routing
PIM Multicast Routing
PIM Source Specific Multicast Support
Multicast Bidirectional PIM
PIM Bootstrap Router (BSR)
PIM Bootstrap Router (BSR) Terminology
Multicast Group Concept
Multicast Addresses
Clustering
Requirements and Prerequisites for Multicast Routing
Guidelines for Multicast Routing
Configure IGMP Features
Enable Multicast Routing
Configure IGMP Protocol
Configure IGMP Access Groups
Configure IGMP Static Groups
Configure IGMP Join Groups
Configure PIM Features
Configure PIM Protocol
Configure PIM Neighbor Filters
Configure PIM Bidirectional Neighbor Filters
Configure PIM Rendezvous Points
Configure PIM Route Trees
Configure PIM Request Filters
Configure the Secure Firewall Threat Defense Device as a Candidate Bootstrap Router
Configure Multicast Routes
Configure Multicast Boundary Filters
Policy Based Routing
About Policy Based Routing
Guidelines and Limitations for Policy Based Routing
Path Monitoring
Configure Path Monitoring Settings
Configure Policy-Based Routing Policy
Add Path Monitoring Dashboard
Configuration Example for Policy Based Routing
Configuration Example for PBR with Path Monitoring
Objects and Certificates
Object Management
Introduction to Objects
The Object Manager
Importing Objects
Editing Objects
Viewing Objects and Their Usage
Filtering Objects or Object Groups
Object Groups
Grouping Reusable Objects
Object Overrides
Managing Object Overrides
Allowing Object Overrides
Adding Object Overrides
Editing Object Overrides
AAA Server
Add a RADIUS Server Group
RADIUS Server Group Options
RADIUS Server Options
Add a Single Sign-on Server
Access List
Configure Extended ACL Objects
Configure Standard ACL Objects
Address Pools
Application Filters
AS Path
BFD Template
Cipher Suite List
Creating Cipher Suite Lists
Community List
Extended Community
DHCP IPv6 Pool
Distinguished Name
Creating Distinguished Name Objects
DNS Server Group
Creating DNS Server Group Objects
External Attributes
Dynamic Objects
Create Dynamic Objects with Cloud-delivered Firewall Management Center
Create Dynamic Objects with Cloud-delivered Firewall Management Center and On-Premises Cisco Secure Dynamic Attributes Connector
Work With Dynamic Objects
Dynamic Object Mappings
About API-Created Dynamic Objects
Add or Edit an API-Created Dynamic Object
Security Group Tag
Creating Security Group Tag Objects
File List
Source Files for File Lists
Adding Individual SHA-256 Values to File Lists
Uploading Individual Files to File Lists
Uploading Source Files to File Lists
Editing SHA-256 Values in File Lists
Downloading Source Files from File Lists
FlexConfig
Geolocation
Creating Geolocation Objects
Interface
Key Chain
Creating Key Chain Objects
Network
Network Wildcard Mask
Creating Network Objects
Importing Network Objects
Editing and Deleting Network Objects and Groups
PKI
Internal Certificate Authority Objects
CA Certificate and Private Key Import
Importing a CA Certificate and Private Key
Generating a New CA Certificate and Private Key
New Signed Certificates
Creating an Unsigned CA Certificate and CSR
Uploading a Signed Certificate Issued in Response to a CSR
CA Certificate and Private Key Downloads
Downloading a CA Certificate and Private Key
Trusted Certificate Authority Objects
Trusted CA Object
Adding a Trusted CA Object
Certificate Revocation Lists in Trusted CA Objects
Adding a Certificate Revocation List to a Trusted CA Object
External Certificate Objects
Adding External Certificate Objects
Internal Certificate Objects
Adding Internal Certificate Objects
Certificate Enrollment Objects
Adding Certificate Enrollment Objects
Add Certificate Enrollment
Certificate Enrollment Object EST Options
Certificate Enrollment Object SCEP Options
Certificate Enrollment Object Certificate Parameters
Certificate Enrollment Object Key Options
PKI Enrollment of Certificates with Weak-Crypto
Certificate Enrollment Object Revocation Options
Policy List
Port
Creating Port Objects
Importing Port Objects
Prefix List
Configure IPv6 Prefix List
Configure IPv4 Prefix List
Route Map
Security Intelligence
How to Modify Security Intelligence Objects
Global and Domain Security Intelligence Lists
Security Intelligence Lists and Multitenancy
Delete Entries from Global Security Intelligence Lists
List and Feed Updates for Security Intelligence
Changing the Update Frequency for Security Intelligence Feeds
Custom Security Intelligence Lists and Feeds
Custom Lists and Feeds: Requirements
URL Lists and Feeds: URL Syntax and Matching Criteria
Custom Security Intelligence Feeds
Creating Security Intelligence Feeds
Manually Updating Security Intelligence Feeds
Custom Security Intelligence Lists
Uploading New Security Intelligence Lists to the Secure Firewall Management Center
Updating Security Intelligence Lists
Sinkhole
Creating Sinkhole Objects
SLA Monitor
Time Range
Creating Time Range Objects
Time Zone
Tunnel Zone
URL
Creating URL Objects
Variable Set
Variable Sets in Intrusion Policies
Variables
Predefined Default Variables
Network Variables
Port Variables
Advanced Variables
Variable Reset
Adding Variables to Sets
Example: Adding User-Defined Variables to Default Sets
Example: Adding User-Defined Variables to Custom Sets
Nesting Variables
Managing Variable Sets
Creating Variable Sets
Managing Variables
Adding Variables
Editing Variables
VLAN Tag
Creating VLAN Tag Objects
VPN
Certificate Map Objects
Secure Client Custom Attributes Objects
Add Secure Client Custom Attributes Objects
Add Custom Attributes to a Group Policy
Threat Defense Group Policy Objects
Configure Group Policy Objects
Group Policy General Options
Group Policy Secure Client Options
Group Policy Advanced Options
Threat Defense IPsec Proposals
Configure IKEv1 IPsec Proposal Objects
Configure IKEv2 IPsec Proposal Objects
Threat Defense IKE Policies
Configure IKEv1 Policy Objects
Configure IKEv2 Policy Objects
Secure Client Customization
File Objects
Certificates
Requirements and Prerequisites for Certificates
Secure Firewall Threat Defense VPN Certificate Guidelines and Limitations
Managing Threat Defense Certificates
Automatically Update CA Bundles
Installing a Certificate Using Self-Signed Enrollment
Installing a Certificate using EST Enrollment
Installing a Certificate Using SCEP Enrollment
Installing a Certificate Using Manual Enrollment
Installing a Certificate Using a PKCS12 File
Troubleshooting Threat Defense Certificates
History for Certificates
SD-WAN
SD-WAN Capabilities
Overview of SD-WAN Capabilities
Using SD-WAN Wizard for Secure Branch Network Deployment
Guidelines and Limitations for Using SD-WAN Wizard
Prerequisites for Using the SD-WAN Wizard
Configure an SD-WAN Topology Using the SD-WAN Wizard
Add a Dynamic Virtual Tunnel Interface for a Hub
Sample Configurations for Dual ISP Deployment Using SD-WAN Wizard
Dual ISP Deployment: Two Hubs and Four Spokes in the Same Region
Dual ISP Deployment: Two Hubs and Four Spokes in Different Regions
Verify Tunnel Statuses of an SD-WAN Topology
VPN
VPN Overview
VPN Types
VPN Basics
Internet Key Exchange (IKE)
IPsec
VPN Packet Flow
IPsec Flow Offload
VPN Licensing
How Secure Should a VPN Connection Be?
Complying with Security Certification Requirements
Deciding Which Encryption Algorithm to Use
Deciding Which Hash Algorithms to Use
Deciding Which Diffie-Hellman Modulus Group to Use
Deciding Which Authentication Method to Use
Pre-shared Keys
PKI Infrastructure and Digital Certificates
Removed or Deprecated Hash Algorithms, Encryption Algorithms, and Diffie-Hellman Modulus Groups
VPN Topology Options
Point-to-Point VPN Topology
Hub and Spoke VPN Topology
Full Mesh VPN Topology
Implicit Topologies
Site-to-Site VPNs
About Site-to-Site VPN
Secure Firewall Threat Defense Site-to-site VPN Guidelines and Limitations
Types of Site-to-Site VPN Topologies
Requirements and Prerequisites for Site-to-Site VPN
Manage Site-to-Site VPNs
Configure a Policy-based Site-to-Site VPN
Threat Defense VPN Endpoint Options
Threat Defense VPN IKE Options
Threat Defense VPN IPsec Options
Threat Defense Advanced Site-to-site VPN Deployment Options
Threat Defense VPN Advanced IKE Options
Threat Defense VPN Advanced IPsec Options
Threat Defense Advanced Site-to-site VPN Tunnel Options
About Virtual Tunnel Interfaces
Static VTI
Dynamic VTI
Guidelines and Limitations for Virtual Tunnel Interfaces
Add a VTI Interface
Create a Route-based Site-to-Site VPN
Configure Endpoints for a Point to Point Topology
Advanced Configurations for a Point to Point Topology in a Route-based VPN
Configure Endpoints for a Hub and Spoke Topology
Advanced Configurations for Hub and Spokes in a Route-based VPN
Configure Multiple Hubs in a Route-based VPN
Configure Routing for Multiple Hubs in a Route-based VPN
Verify the Multiple Hubs Configuration in a Route-based VPN
Route Traffic Through a Backup VTI Tunnel
Configure Dynamic VTI for a Route-based Site-to-Site VPN
How to Configure a Virtual Router with Dynamic VTI
Configure Routing and AC Policies for VTI
Deploy a SASE Tunnel on Umbrella
Guidelines and Limitations for Configuring SASE Tunnels on Umbrella
How to Deploy a SASE Tunnel on Umbrella
Prerequisites for Configuring Umbrella SASE Tunnels
Map Management Center Umbrella Parameters and Cisco Umbrella API Keys
Configure a SASE Tunnel for Umbrella
View SASE Tunnel Status
Monitoring the Site-to-Site VPNs
History for Site-to-Site VPN
Remote Access VPN
Remote Access VPN Overview
FTD Remote Access VPN Features
AnyConnect Components
Remote Access VPN Authentication
Understanding Policy Enforcement of Permissions and Attributes
Understanding AAA Server Connectivity
License Requirements for Remote Access VPN
Requirements and Prerequisites for Remote Access VPN
Remote Access VPN Guidelines and Limitations
Configuring a New Remote Access VPN Connection
Prerequisites for Configuring Remote Access VPN
Create a New Remote Access VPN Policy
Update the Access Control Policy on the Secure Firewall Threat Defense Device
(Optional) Configure NAT Exemption
Configure DNS
Add Secure Client Profile XML File
(Optional) Configure Split Tunneling
(Optional) Configure Dynamic Split Tunneling
Verify Dynamic Split Tunneling Configuration
Verify the Configuration
Create a Copy of an Existing Remote Access VPN Policy
Set Target Devices for a Remote Access VPN Policy
Associate Local Realm with Remote Access VPN Policy
Additional Remote Access VPN Configurations
Configure Connection Profile Settings
Configure IP Addresses for VPN Clients
Configure AAA Settings for Remote Access VPN
RADIUS Server Attributes for Secure Firewall Threat Defense
Create or Update Aliases for a Connection Profile
Configure Access Interfaces for Remote Access VPN
Configure Advanced Options for Remote Access VPN
Cisco Secure Client Image
Adding a Secure Client Image to the Secure Firewall Management Center
Update Secure Client Image for Remote Access VPN Clients
Add a Cisco Secure Client External Browser Package to the Secure Firewall Management Center
Remote Access VPN Address Assignment Policy
Configure Certificate to Connection Profile Mapping
Configure Group Policies
Configuring LDAP Attribute Mapping
Configuring VPN Load Balancing
Configure Group Settings for VPN Load Balancing
Configure Additional Settings for Load Balancing
Configure Settings for Participating Devices
Configure IPsec Settings
Configure Remote Access VPN Crypto Maps
IKE Policies in Remote Access VPNs
Configuring Remote Access VPN IKE Policies
Configure Remote Access IKE/IPsec Settings
Customize Cisco Secure Client
Guidelines and Limitations for Secure Client Customizations
Customize and Localize Secure Client GUI Text and Messages
How to Customize Secure Client GUI Text and Messages
Customize Secure Client Icons and Images
How to Customize Secure Client Images and Icons
Deploy Scripts on Endpoint Devices Using Secure Client
How to Add Customized Scripts for Secure Client
Deploy Custom Applications Using Cisco Secure Client APIs
How to Deploy Custom Applications Using Cisco Secure Client API
Customize the Secure Client Installer
Localize the Client Installer
How to Customize or Localize the Client Installer
Verify Secure Client Customizations
Configure Secure Client Management VPN Tunnel
Requirements and Prerequisites for Secure Client Management VPN Tunnel
Limitations of Secure Client Management VPN Tunnel
Configuring Secure Client Management VPN Tunnel on Threat Defense
Multiple Certificate Authentication
Guidelines and Limitations of Multiple Certificate Authentication
Configuring Multiple Certificate Authentication
Customizing Remote Access VPN AAA Settings
Authenticate VPN Users via Client Certificates
Configure VPN User Authentication via Client Certificate and AAA Server
Manage Password Changes over VPN Sessions
Send Accounting Records to the RADIUS Server
Delegating Group Policy Selection to Authorization Server
Override the Selection of Group Policy or Other Attributes by the Authorization Server
Deny VPN Access to a User Group
Restrict Connection Profile Selection for a User Group
Update the Secure Client Profile for Remote Access VPN Clients
RADIUS Dynamic Authorization
Configuring RADIUS Dynamic Authorization
Two-Factor Authentication
Configuring RSA Two-Factor Authentication
Configuring Duo Two-Factor Authentication
Secondary Authentication
Configure Remote Access VPN Secondary Authentication
Single Sign-On Authentication with SAML 2.0
Guidelines and Limitations for SAML 2.0
Configuring a SAML Single Sign-On Authentication
Configuring SAML Authorization
Configure SAML Authorization
Advanced Secure Client Configurations
Configure Secure Client Modules on a Threat Defense
Types of Secure Client Modules
Prerequisites for Configuring Secure Client Modules
Guidelines for Configuring Secure Client Modules
Install Secure Client Modules using a Threat Defense
Configure a Remote Access VPN Group Policy with Secure Client Modules
Verify Secure Client Modules Configuration
Configure Application-Based (Per App VPN) Remote Access VPN on Mobile Devices
Prerequisites and Licensing for Configuring Per App VPN Tunnels
Determine the Application IDs for Mobile Applications
Configure Application-Based VPN Tunnels
Verify Per App Configuration
Remote Access VPN Examples
How to Limit Secure Client Bandwidth Per User
How to Use VPN Identity for User-Id Based Access Control Rules
Configure Threat Defense Multiple Certificate Authentication
Dynamic Access Policies
About Secure Firewall Threat Defense Dynamic Access Policy
Hierarchy of Policy Enforcement of Permissions and Attributes in Threat Defense
Prerequisites for Dynamic Access Policy
Guidelines and Limitations for Dynamic Access Policies
Configure a Dynamic Access Policy (DAP)
Create a Dynamic Access Policy
Create a Dynamic Access Policy Record
Configure AAA Criteria Settings for DAP
Configure Endpoint Attribute Selection Criteria in DAP
Add an Anti-Malware Endpoint Attribute to a DAP
Add a Device Endpoint Attribute to a DAP
Add Secure Client Endpoint Attributes to a DAP
Add NAC Endpoint Attributes to a DAP
Add an Application Attribute to a DAP
Add a Personal Firewall Endpoint Attribute to a DAP
Add an Operating System Endpoint Attribute to a DAP
Add a Process Endpoint Attribute to a DAP
Add a Registry Endpoint Attribute to a DAP
Add a File Endpoint Attribute to a DAP
Add Certificate Authentication Attributes to a DAP
Configure Advanced Settings for DAP
Associate Dynamic Access Policy with Remote Access VPN
History for Dynamic Access Policy
VPN Monitoring and Troubleshooting in Security Cloud Control
VPN Summary Dashboard
Monitor Remote Access VPN Sessions
SD-WAN Summary Dashboard
Prerequisites for Using SD-WAN Summary Dashboard
Monitor WAN Devices and Interfaces Using the SD-WAN Summary Dashboard
Monitor Application Performance Metrics of WAN Interfaces Using the SD-WAN Summary Dashboard
System Messages
Debug Commands
debug aaa
debug crypto
debug crypto ca
debug crypto ikev1
debug crypto ikev2
debug crypto ipsec
debug ldap
debug ssl
debug webvpn
Access Control
Access Control Overview
Introduction to Access Control
Introduction to Rules
Filtering Rules by Device
Rule and Other Policy Warnings
Access Control Policy Default Action
Deep Inspection Using File and Intrusion Policies
Access Control Traffic Handling with Intrusion and File Policies
File and Intrusion Inspection Order
Access Control Policy Inheritance
Best Practices for Application Control
Recommendations for Application Control
Best Practices for Configuring Application Control
Application Characteristics
Application-Specific Notes and Limitations
Best Practices for Access Control Rules
General Best Practices for Access Control
Best Practices for Ordering Rules
Rule Preemption
Rule Actions and Rule Order
Application Rule Order
URL Rule Order
Best Practices for Simplifying and Focusing Rules
Maximum Number of Access Control Rules and Intrusion Policies
Access Control Policies
Access Control Policy Components
System-Created Access Control Policies
Requirements and Prerequisites for Access Control Policies
Managing Access Control Policies
Creating a Basic Access Control Policy
Editing an Access Control Policy
Locking an Access Control Policy
Managing Access Control Policy Inheritance
Choosing a Base Access Control Policy
Inheriting Access Control Policy Settings from the Base Policy
Locking Settings in Descendant Access Control Policies
Requiring an Access Control Policy in a Domain
Setting Target Devices for an Access Control Policy
Logging Settings for Access Control Policies
Access Control Policy Advanced Settings
Associating Other Policies with Access Control
Viewing Rule Hit Counts
Analyzing Rule Conflicts and Warnings
Searching for Rules
History for Access Control Policies
Access Control Rules
Introduction to Access Control Rules
Access Control Rule Management
Access Control Rule Components
Access Control Rule Order
Access Control Rule Actions
Access Control Rule Monitor Action
Access Control Rule Trust Action
Access Control Rule Blocking Actions
Access Control Rule Interactive Blocking Actions
Access Control Rule Allow Action
Requirements and Prerequisites for Access Control Rules
Guidelines and Limitations for Access Control Rules
Managing Access Control Rules
Adding an Access Control Rule Category
Create and Edit Access Control Rules
Access Control Rule Conditions
Security/Tunnel Zone Rule Conditions
Network Rule Conditions
Original Client in Network Conditions (Filtering Proxied Traffic)
VLAN Tags Rule Conditions
User Rule Conditions
Application Rule Conditions
Configuring Application Conditions and Filters
Port, Protocol, and ICMP Code Rule Conditions
URL Rule Conditions
Dynamic Attributes Rule Conditions
About API-Created Dynamic Objects
Configure Dynamic Attributes Conditions
Time and Day Rule Conditions
Enabling and Disabling Access Control Rules
Copying Access Control Rules from One Access Control Policy to Another
Moving Access Control Rules to a Prefilter Policy
Positioning an Access Control Rule
Adding Comments to an Access Control Rule
Examples for Access Control Rules
How to Control Access Using Security Zones
How to Control Application Usage
How to Block Threats
How to Block QUIC Traffic
Cisco Secure Dynamic Attributes Connector
About the Cisco Secure Dynamic Attributes Connector
How It Works
Enable the Cisco Secure Dynamic Attributes Connector
About the Dashboard
Dashboard of an Unconfigured System
Dashboard of a Configured System
Add, Edit, or Delete Connectors
Add, Edit, or Delete Dynamic Attributes Filters
Create a Connector
Amazon Web Services Connector—About User Permissions and Imported Data
Create an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Create an AWS Connector
Azure Connector—About User Permissions and Imported Data
Create an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Create an Azure Connector
Create an Azure Service Tags Connector
Create a Multicloud Defense Connector
Create a Generic Text Connector
Create a GitHub Connector
Google Cloud Connector—About User Permissions and Imported Data
Create a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Create a Google Cloud Connector
Create an Office 365 Connector
Create a Webex Connector
Create a Zoom Connector
Create an Adapter
How to Create an On-Prem Firewall Management Center Adapter
How to Create a Cloud-delivered Firewall Management Center Adapter
Create Dynamic Attributes Filters
Dynamic Attribute Filter Examples
Disable the Cisco Secure Dynamic Attributes Connector
Use Dynamic Objects in Access Control Policies
About Dynamic Objects in Access Control Rules
Create Access Control Rules Using Dynamic Attributes Filters
Troubleshoot the Dynamic Attributes Connector
Troubleshoot Error Messages
Get Your Tenant ID
URL Filtering
URL Filtering Overview
About URL Filtering with Category and Reputation
URL Category and Reputation Descriptions
URL Filtering Data from the Cisco Cloud
Best Practices for URL Filtering
Filtering HTTPS Traffic
Use Categories in URL Filtering
License Requirements for URL Filtering
Requirements and Prerequisites for URL Filtering
How to Configure URL Filtering with Category and Reputation
Enable URL Filtering Using Category and Reputation
URL Filtering Options
Configuring URL Conditions
Rules with URL Conditions
URL Rule Order
DNS Filtering: Identify URL Reputation and Category During DNS Lookup
Enable DNS Filtering to Identify URLs During Domain Lookup
DNS Filtering Limitations
DNS Filtering and Events
Manual URL Filtering
Manual URL Filtering Options
Supplement or Selectively Override Category and Reputation-Based URL Filtering
Configure HTTP Response Pages
Limitations to HTTP Response Pages
Requirements and Prerequisites for HTTP Response Pages
Choosing HTTP Response Pages
Configure Interactive Blocking with HTTP Response Pages
Configuring Interactive Blocking
Setting the User Bypass Timeout for a Blocked Website
Configure URL Filtering Health Monitors
Dispute URL Category and Reputation
If the URL Category Set Changes, Take Action
URL Category and Reputation Changes: Effect on Events
Troubleshoot URL Filtering
Security Intelligence
About Security Intelligence
Best Practices for Security Intelligence
License Requirements for Security Intelligence
Requirements and Prerequisites for Security Intelligence
Security Intelligence Sources
Configure Security Intelligence
Security Intelligence Options
Security Intelligence Categories
Block List Icons
Configuration Example: Security Intelligence Blocking
Security Intelligence Monitoring
Override Security Intelligence Blocking
Troubleshooting Security Intelligence
Security Intelligence Categories Are Missing from the Available Options List
DNS Policies
DNS Policy Overview
Cisco Umbrella DNS Policies
DNS Policy Components
License Requirements for DNS Policies
Requirements and Prerequisites for DNS Policies
Managing DNS and Umbrella DNS Policies
Creating Basic DNS Policies
Editing DNS Policies
DNS Rules
Creating and Editing DNS Rules
DNS Rule Management
Enabling and Disabling DNS Rules
DNS Rule Order Evaluation
DNS Rule Actions
DNS Rule Conditions
Security Zone Rule Conditions
Network Rule Conditions
VLAN Tags Rule Conditions
DNS Rule Conditions
How to Create DNS Rules
Controlling Traffic Based on DNS and Security Zone
Controlling Traffic Based on DNS and Network
Controlling Traffic Based on DNS and VLAN
Controlling Traffic Based on DNS List or Feed
DNS Policy Deploy
Cisco Umbrella DNS Policies
How to Redirect DNS Requests to Cisco Umbrella
Prerequisites for Configuring the Umbrella DNS Connector
Configure Cisco Umbrella Connection Settings
Create an Umbrella DNS Policy
Edit Umbrella DNS Policies and Rules
Associate the Umbrella DNS Policy with an Access Control Policy
Prefiltering and Prefilter Policies
About Prefiltering
About Prefilter Policies
Tunnel vs Prefilter Rules
Prefiltering vs Access Control
Passthrough Tunnels and Access Control
Best Practices for Fastpath Prefiltering
Best Practices for Encapsulated Traffic Handling
Requirements and Prerequisites for Prefilter Policies
Configure Prefiltering
Tunnel and Prefilter Rule Components
Prefilter Rule Conditions
Interface Rule Conditions
Network Rule Conditions
VLAN Tags Rule Conditions
Port Rule Conditions for Prefilter Rules
Time and Day Rule Conditions
Tunnel Rule Conditions
Encapsulation Rule Conditions
Tunnel Zones and Prefiltering
Using Tunnel Zones
Creating Tunnel Zones
Moving Prefilter Rules to an Access Control Policy
Prefilter Policy Hit Counts
Large Flow Offloads
Flow Offload Limitations
Service Policies
About Threat Defense Service Policies
How Service Policies Relate to FlexConfig and Other Features
What Are Connection Settings?
Requirements and Prerequisites for Service Policies
Guidelines and Limitations for Service Policies
Configure Threat Defense Service Policies
Configure a Service Policy Rule
Bypass TCP State Checks for Asymmetrical Routing (TCP State Bypass)
The Asymmetrical Routing Problem
Guidelines and Limitations for TCP State Bypass
Configure TCP State Bypass
Disable TCP Sequence Randomization
Examples for Service Policy Rules
Protect Servers from a SYN Flood DoS Attack (TCP Intercept)
Make the Threat Defense Device Appear on Traceroutes
Monitoring Service Policies
Intelligent Application Bypass
Introduction to IAB
IAB Options
Requirements and Prerequisites for Intelligent Application Bypass
Configuring Intelligent Application Bypass
IAB Logging and Analysis
Content Restriction
About Content Restriction
Requirements and Prerequisites for Content Restriction
Guidelines and Limitations for Content Restriction
Using Access Control Rules to Enforce Content Restriction
Safe Search Options for Access Control Rules
Using a DNS Sinkhole to Enforce Content Restriction
Zero Trust Access
About Zero Trust Access
How Threat Defense Works with Zero Trust Access
Why Use Zero Trust Access?
Components of a Zero Trust Access Configuration
Zero Trust Access Workflow
Limitations for Zero Trust Access
Prerequisites for Zero Trust Application Policy
Manage Zero Trust Application Policies
Create a Zero Trust Application Policy
Create an Application Group
Create an Application
Set Targeted Devices for Zero Trust Access Policy
Edit a Zero Trust Application Policy
Monitor Zero Trust Sessions
History for Zero Trust Access
Intrusion Detection and Prevention
Network Analysis and Intrusion Policies Overview
Network Analysis and Intrusion Policy Basics
How Policies Examine Traffic For Intrusions
Decoding, Normalizing, and Preprocessing: Network Analysis Policies
Access Control Rules: Intrusion Policy Selection
Intrusion Inspection: Intrusion Policies, Rules, and Variable Sets
Intrusion Event Generation
System-Provided and Custom Network Analysis and Intrusion Policies
System-Provided Network Analysis and Intrusion Policies
Benefits of Custom Network Analysis and Intrusion Policies
Benefits of Custom Network Analysis Policies
Benefits of Custom Intrusion Policies
Limitations of Custom Policies
License Requirements for Network Analysis and Intrusion Policies
Requirements and Prerequisites for Network Analysis and Intrusion Policies
The Navigation Panel: Network Analysis and Intrusion Policies
Conflicts and Changes: Network Analysis and Intrusion Policies
Exiting a Network Analysis or Intrusion Policy
Getting Started with Intrusion Policies
Intrusion Policy Basics
License Requirements for Intrusion Policies
Requirements and Prerequisites for Intrusion Policies
Managing Intrusion Policies
Custom Intrusion Policy Creation
Creating a Custom Snort 2 Intrusion Policy
Editing Snort 2 Intrusion Policies
Intrusion Policy Changes
Access Control Rule Configuration to Perform Intrusion Prevention
Access Control Rule Configuration and Intrusion Policies
Configuring an Access Control Rule to Perform Intrusion Prevention
Drop Behavior in an Inline Deployment
Setting Drop Behavior in an Inline Deployment
Drop Behavior in a Dual System Deployment
Intrusion Policy Advanced Settings
Optimizing Performance for Intrusion Detection and Prevention
Tuning Intrusion Policies Using Rules
Intrusion Rule Tuning Basics
Intrusion Rule Types
License Requirements for Intrusion Rules
Requirements and Prerequisites for Intrusion Rules
Viewing Intrusion Rules in an Intrusion Policy
Intrusion Rules Page Columns
Intrusion Rule Details
Viewing Intrusion Rule Details
Setting a Threshold for an Intrusion Rule
Setting Suppression for an Intrusion Rule
Setting a Dynamic Rule State from the Rule Details Page
Setting an SNMP Alert for an Intrusion Rule
Adding a Comment to an Intrusion Rule
Intrusion Rule Filters in an Intrusion Policy
Intrusion Rule Filters Notes
Intrusion Policy Rule Filters Construction Guidelines
Intrusion Rule Configuration Filters
Intrusion Rule Content Filters
Intrusion Rule Categories
Intrusion Rule Filter Components
Intrusion Rule Filter Usage
Setting a Rule Filter in an Intrusion Policy
Intrusion Rule States
Intrusion Rule State Options
Setting Intrusion Rule States
Intrusion Event Notification Filters in an Intrusion Policy
Intrusion Event Thresholds
Intrusion Event Thresholds Configuration
Adding and Modifying Intrusion Event Thresholds
Viewing and Deleting Intrusion Event Thresholds
Intrusion Policy Suppression Configuration
Intrusion Policy Suppression Types
Suppressing Intrusion Events for a Specific Rule
Viewing and Deleting Suppression Conditions
Dynamic Intrusion Rule States
Dynamic Intrusion Rule State Configuration
Setting a Dynamic Rule State from the Rules Page
Adding Intrusion Rule Comments
Custom Intrusion Rules
Custom Intrusion Rules Overview
License Requirements for the Intrusion Rule Editor
Requirements and Prerequisites for the Intrusion Rule Editor
Rule Anatomy
The Intrusion Rule Header
Intrusion Rule Header Action
Intrusion Rule Header Protocol
Intrusion Rule Header Direction
Intrusion Rule Header Source and Destination IP Addresses
IP Address Syntax in Intrusion Rules
Intrusion Rule Header Source and Destination Ports
Port Syntax in Intrusion Rules
Intrusion Event Details
Adding a Custom Classification
Defining an Event Priority
Defining an Event Reference
Custom Rule Creation
Writing New Rules
Modifying Existing Rules
Adding Comments to Intrusion Rules
Deleting Custom Rules
Searching for Rules
Search Criteria for Intrusion Rules
Rule Filtering on the Intrusion Rules Editor Page
Filtering Guidelines
Keyword Filtering
Character String Filtering
Combination Keyword and Character String Filtering
Filtering Rules
Keywords and Arguments in Intrusion Rules
The content and protected_content Keywords
Basic content and protected_content Keyword Arguments
content and protected_content Keyword Search Locations
Permitted Combinations: content Search Location Arguments
Permitted Combinations: protected_content Search Location Arguments
content and protected_content Search Location Arguments
Overview: HTTP content and protected_content Keyword Arguments
HTTP content and protected_content Keyword Arguments
Overview: content Keyword Fast Pattern Matcher
content Keyword Fast Pattern Matcher Arguments
The replace Keyword
The byte_jump Keyword
The byte_test Keyword
The byte_extract Keyword
The byte_math Keyword
Overview: The pcre Keyword
pcre Syntax
pcre Modifier Options
pcre Example Keyword Values
The metadata Keyword
Service Metadata
Metadata Search Guidelines
IP Header Values
ICMP Header Values
TCP Header Values and Stream Size
The stream_reassembly Keyword
SSL Keywords
The appid Keyword
Application Layer Protocol Values
The RPC Keyword
The ASN.1 Keyword
The urilen Keyword
DCE/RPC Keywords
dce_iface
The dce_opnum Keyword
The dce_stub_data Keyword
SIP Keywords
The sip_header Keyword
The sip_body Keyword
The sip_method Keyword
The sip_stat_code Keyword
GTP Keywords
The gtp_version Keyword
The gtp_type Keyword
The gtp_info Keyword
SCADA Keywords
Modbus Keywords
DNP3 Keywords
CIP and ENIP Keywords
S7Commplus Keywords
Packet Characteristics
Active Response Keywords
The resp Keyword
The react Keyword
The detection_filter Keyword
The tag Keyword
The flowbits Keyword
flowbits Keyword Options
Guidelines for Using the flowbits Keyword
flowbits Keyword Examples
flowbits Keyword Example: A Configuration Using state_name
flowbits Keyword Example: A Configuration Resulting in False Positive Events
flowbits Keyword Example: A Configuration for Preventing False Positive Events
The http_encode Keyword
http_encode Keyword Syntax
http_encode Keyword Example: Using Two http_encode Keywords to Search for Two Encodings
Overview: The file_type and file_group Keywords
The file_type and file_group Keywords
The file_data Keyword
The pkt_data Keyword
The base64_decode and base64_data Keywords
Layers in Intrusion and Network Analysis Policies
Layer Basics
License Requirements for Network Analysis and Intrusion Policy Layers
Requirements and Prerequisites for Network Analysis and Intrusion Policy Layers
The Layer Stack
The Base Layer
System-Provided Base Policies
Custom Base Policies
The Effect of Rule Updates on Base Policies
Changing the Base Policy
The Cisco Recommendations Layer
Layer Management
Shared Layers
Managing Layers
Navigating Layers
Intrusion Rules in Layers
Configuring Intrusion Rules in Layers
Removing Rule Settings from Multiple Layers
Accepting Rule Changes from a Custom Base Policy
Preprocessors and Advanced Settings in Layers
Configuring Preprocessors and Advanced Settings in Layers
Tailoring Intrusion Protection to Your Network Assets
About Cisco Recommended Rules
Default Settings for Cisco Recommendations
Advanced Settings for Cisco Recommendations
Generating and Applying Cisco Recommendations
Script Detection
Sensitive Data Detection
Sensitive Data Detection Basics
Global Sensitive Data Detection Options
Individual Sensitive Data Type Options
System-Provided Sensitive Data Types
License Requirements for Sensitive Data Detection
Requirements and Prerequisites for Sensitive Data Detection
Configuring Sensitive Data Detection
Monitored Application Protocols and Sensitive Data
Special Case: Sensitive Data Detection in FTP Traffic
Custom Sensitive Data Types
Data Patterns in Custom Sensitive Data Types
Configuring Custom Sensitive Data Types
Editing Custom Sensitive Data Types
Global Limit for Intrusion Event Logging
Global Rule Thresholding Basics
Global Rule Thresholding Options
License Requirements for Global Thresholds
Requirements and Prerequisites for Global Thresholds
Configuring Global Thresholds
Disabling the Global Threshold
Intrusion Prevention Performance Tuning
About Intrusion Prevention Performance Tuning
License Requirements for Intrusion Prevention Performance Tuning
Requirements and Prerequisites for Intrusion Prevention Performance Tuning
Limiting Pattern Matching for Intrusions
Regular Expression Limits Overrides for Intrusion Rules
Overriding Regular Expression Limits for Intrusion Rules
Per Packet Intrusion Event Generation Limits
Limiting Intrusion Events Generated Per Packet
Packet and Intrusion Rule Latency Threshold Configuration
Latency-Based Performance Settings
Packet Latency Thresholding
Packet Latency Thresholding Notes
Enabling Packet Latency Thresholding
Configuring Packet Latency Thresholding
Rule Latency Thresholding
Rule Latency Thresholding Notes
Configuring Rule Latency Thresholding
Intrusion Performance Statistic Logging Configuration
Configuring Intrusion Performance Statistic Logging
Network Malware Protection and File Policies
Network Malware Protection and File Policies
About Network Malware Protection and File Policies
File Policies
Requirements and Prerequisites for File Policies
License Requirements for File and Malware Policies
Best Practices for File Policies and Malware Detection
File Rule Best Practices
File Detection Best Practices
File Blocking Best Practices
File Policy Best Practices
How to Configure Malware Protection
Plan and Prepare for Malware Protection
Configure File Policies
Add File Policies to Your Access Control Configuration
Configuring an Access Control Rule to Perform Malware Protection
Set Up Maintenance and Monitoring of Malware Protection
Cloud Connections for Malware Protection
AMP Cloud Connection Configurations
Requirements and Best Practices for AMP Cloud Connections
Change AMP Options
Dynamic Analysis Connections
Requirements for Dynamic Analysis
Viewing the Default Dynamic Analysis Connection
Enabling Access to Dynamic Analysis Results in the Public Cloud
Maintain Your System: Update File Types Eligible for Dynamic Analysis
File Policies and File Rules
Create or Edit a File Policy
Advanced and Archive File Inspection Options
Archive Files
Override File Disposition Using Custom Lists
Centralized File Lists from AMP for Endpoints
Managing File Policies
File Rules
File Rule Components
File Rule Actions
Malware Protection Options (in File Rule Actions)
Comparison of Malware Protection Options
Spero Analysis
AMP Cloud Lookup
Local Malware Analysis
Cached Disposition Longevity
Dynamic Analysis
Which Files Are Eligible for Dynamic Analysis?
Dynamic Analysis and Capacity Handling
Captured Files and File Storage
Malware Storage Pack
Block All Files by Type
File Rule Actions: Evaluation Order
Creating File Rules
Access Control Rule Logging for Malware Protection
Retrospective Disposition Changes
File and Malware Inspection Performance and Storage Options
Tuning File and Malware Inspection Performance and Storage
(Optional) Malware Protection with AMP for Endpoints
Comparison of Malware Protection: Firepower vs. AMP for Endpoints
About Integrating Firepower with AMP for Endpoints
Benefits of Integrating Firepower and AMP for Endpoints
AMP for Endpoints and AMP Private Cloud
Integrate Firepower and Secure Endpoint
History for Network Malware Protection and File Policies
Policy Tools
Analyzing, Detecting, and Fixing Policy Anomalies Using Policy Analyzer and Optimizer
About Policy Analyzer and Optimizer
Analysis, Remediation, and Reporting
Prerequisites to Use Policy Analyzer and Optimizer
Policy Analyzer and Optimizer Licensing Requirements
Enable Policy Analyzer and Optimizer for Cloud-delivered Firewall Management Center
Enable Policy Analyzer and Optimizer for Security Cloud Control-managed On-Premises Firewall Management Center
Policy Analysis
Analyze Cloud-delivered Firewall Management Center Policies
Analyze On-Premises Firewall Management Center Policies
Policy Reporting
Policy Analysis Summary
Duplicate Rules
Overlapping Objects
Expired Rules
Mergeable Rules
Policy Insights
Policy Remediation
Apply Policy Remediation
What Does the Policy Remediation Report Contain?
Troubleshooting Policy Analyzer and Optimizer
Policy Analyzer and Optimizer Does Not Analyze Policies
Policy Analyzer and Optimizer Does Not Fetch Policies
Frequently Asked Questions About Policy Analyzer and Optimizer
Encrypted Traffic Handling
Traffic Decryption Overview
Traffic Decryption Explained
TLS/SSL Handshake Processing
ClientHello Message Handling
ServerHello and Server Certificate Message Handling
Decryption Rule and Policy Basics
The Case for Decryption
When to Decrypt Traffic, When Not to Decrypt
Decrypt and Resign (Outgoing Traffic)
Known Key Decryption (Incoming Traffic)
Other Decryption Rule Actions
Decryption Rule Components
Decryption Rule Order Evaluation
Multi-Rule Example
How to Configure Decryption Policies and Rules
How to Configure Decryption Policies and Rules
History for Decryption Policy
Decryption Policies
About Decryption Policies
Requirements and Prerequisites for Decryption Policies
Create a Decryption Policy
Create a Decryption Policy with Outbound Connection Protection
Create a Decryption Policy with Inbound Connection Protection
Decryption Policy Exclusions
Generate an Internal CA for Outbound Protection
Upload an Internal CA for Outbound Protection
Upload an Internal Certificate for Inbound Protection
Create a Decryption Policy with Other Rule Actions
Decryption Policy Default Actions
Default Handling Options for Undecryptable Traffic
Set Default Handling for Undecryptable Traffic
Decryption Policy Advanced Options
TLS 1.3 Decryption Best Practices
Decryption Rules
Decryption Rules Overview
Requirements and Prerequisites for Decryption Rules
Decryption Rule Guidelines and Limitations
Guidelines for Using TLS/SSL Decryption
Decryption Rule Unsupported Features
TLS/SSL Do Not Decrypt Guidelines
TLS/SSL Decrypt - Resign Guidelines
TLS/SSL Decrypt - Known Key Guidelines
TLS/SSL Block Guidelines
TLS/SSL Certificate Pinning Guidelines
TLS/SSL Heartbeat Guidelines
TLS/SSL Anonymous Cipher Suite Limitation
TLS/SSL Normalizer Guidelines
Other Decryption Rule Guidelines
Decryption Rule Traffic Handling
Encrypted Traffic Inspection Configuration
Decryption Rule Order Evaluation
Decryption Rule Conditions
Security Zone Rule Conditions
Network Rule Conditions
VLAN Tags Rule Conditions
User Rule Conditions
Application Rule Conditions
Port Rule Conditions
Category Rule Conditions
Server Certificate-Based Decryption Rule Conditions
Certificate Decryption Rule Conditions
Distinguished Name (DN) Rule Conditions
Trusting External Certificate Authorities
Certificate Status Decryption Rule Conditions
Cipher Suite Decryption Rule Conditions
Encryption Protocol Version Decryption Rule Conditions
Decryption Rule Actions
Decryption Rule Monitor Action
Decryption Rule Do Not Decrypt Action
Decryption Rule Blocking Actions
Decryption Rule Decrypt Actions
Troubleshoot Decryption Rules
About TLS/SSL Oversubscription
Troubleshoot TLS/SSL Oversubscription
About TLS Heartbeat
Troubleshoot TLS Heartbeat
About TLS/SSL Pinning
Troubleshoot TLS/SSL Pinning
Troubleshoot Unknown or Bad Certificates or Certificate Authorities
Verify TLS/SSL Cipher Suites
Decryption Rules and Policy Example
Decryption Rule Examples
Run the Decryption Policy Wizard
Decryption Policy Exclusions
First Manual Do Not Decrypt Rule: Specific Traffic
Next Manual Rule: Decrypt Specific Test Traffic
Last Manual Decryption Rules: Block or Monitor Certificates and Protocol Versions
Example: Decryption Rule to Monitor or Block Certificate Status
Example: Decryption Rule to Monitor or Block Protocol Versions
Optional Example: Manual Decryption Rule to Monitor or Block Certificate Distinguished Name
Associate the Decryption Policy with an Access Control Policy and Advanced Settings
Traffic to Prefilter
Decryption Rule Settings
User Identity
User Identity Overview
About User Identity
Identity Terminology
About User Identity Sources
Best Practices for User Identity
Identity Deployments
How to Set Up an Identity Policy
The User Activity Database
The Users Database
Cloud-delivered Firewall Management Center Host and User Limits
Cloud-delivered Firewall Management Center Host Limit
Cloud-delivered Firewall Management Center User Limit
User Limits for Microsoft Azure Active Directory Realms
Realms
About Realms and Realm Sequences
Realms and Trusted Domains
Supported Servers for Realms
Supported Server Object Class and Attribute Names
License Requirements for Realms
Requirements and Prerequisites for Realms
Create a Proxy Sequence
Create a Microsoft Azure AD (SAML) Realm
How to Create a Microsoft Azure AD Realm for Passive Authentication
About Azure AD and Cisco ISE with Resource Owned Password Credentials
About Azure AD and Cisco ISE with TEAP/EAP-TLS
How to Configure ISE for Microsoft Azure AD (SAML)
Configure Microsoft Azure Active Directory for Passive Authentication
Configure Azure AD Basic Settings
Get Required Information For Your Microsoft Azure AD Realm
Create a Microsoft Azure AD (SAML) Realm for Passive Authentication
Microsoft Azure AD (SAML) Realm: SAML Details
Microsoft Azure AD (SAML) Realm: Azure AD Details
Microsoft Azure AD (SAML) Realm: User Session Timeout
How to Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal)
Configure Azure AD Basic Settings
Configure a Single Sign-On (SSO) App in Azure AD
Create a Decryption Rule with Decrypt - Resign Action
Get Required Information For Your Microsoft Azure AD Realm (Active Authentication Only)
Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal)
Microsoft Azure AD (SAML) Realm: SAML Details
Microsoft Azure AD (SAML) Realm: SAML Service Provider (SP) Metadata
Microsoft Azure AD (SAML) Realm: SAML Identity Provider (IdP) Metadata
Microsoft Azure AD (SAML) Realm: Azure AD Details
Microsoft Azure AD (SAML) Realm: User Session Timeout
Create an LDAP Realm or an Active Directory Realm and Realm Directory
Prerequisites for Kerberos Authentication
Realm Fields
Realm Directory and Synchronize Fields
Connect Securely to Active Directory
Find the Active Directory Server's Name
Export the Active Directory Server's Root Certificate
Synchronize Users and Groups
Create a Realm Sequence
Configure the Management Center for Cross-Domain-Trust: The Setup
Configure the Secure Firewall Management Center for Cross-Domain-Trust Step 1: Configure Realms and Directories
Configure the Management Center for Cross-Domain-Trust Step 2: Synchronize Users and Groups
Configure the Management Center for Cross-Domain-Trust Step 3: Resolve Issues
Manage a Realm
Compare Realms
Troubleshoot Realms and User Downloads
Troubleshoot Cross-Domain Trust
History for Realms
User Control with the Passive Identity Agent
The Passive Identity Agent Identity Source
Deploy the Passive Identity Agent
Simple Passive Identity Agent Deployment
Single Passive Identity Agent Monitoring Multiple Domain Controllers
Multiple Passive Identity Agents Monitoring Multiple Domain Controllers
Passive Identity Agent Primary/Secondary Agent Deployments
How to Create a Passive Identity Agent Identity Source
Configure the Passive Identity Agent
Create a Microsoft Active Directory Realm
Create a Passive Identity Agent Identity Source
Create a Standalone Passive Identity Agent Identity Source
Create a Primary or Secondary Passive Identity Agent Identity Source
About Passive Identity Agent Roles
Create a Cisco Security Cloud Control User for the Passive Identity Agent
Troubleshoot the Passive Identity Agent
Get an API Token for the Passive Identity Agent
Install the Passive Identity Agent Software
Uninstall the Passive Identity Agent Software
Monitor the Passive Identity Agent
Manage the Passive Identity Agent
Edit Passive Identity Agents
Delete a Standalone Passive Identity Agent
Delete Primary and Secondary Passive Identity Agents
Troubleshoot the Passive Identity Agent
Security Requirements for the Passive Identity Agent
Internet Access Requirements for the Passive Identity Agent
History for the Passive Identity Agent
User Control with ISE/ISE-PIC
The ISE/ISE-PIC Identity Source
Source and Destination Security Group Tag (SGT) Matching
License Requirements for ISE/ISE-PIC
Requirements and Prerequisites for ISE/ISE-PIC
ISE/ISE-PIC Guidelines and Limitations
How to Configure ISE/ISE-PIC for User Control
How to Configure ISE/ISE-PIC Without a Realm
How to Configure ISE/ISE-PIC for User Control Using a Realm
Configure ISE/ISE-PIC
Configure Security Groups and SXP Publishing in ISE
Export Certificates from the ISE/ISE-PIC Server for Use in the Management Center
Export a System Certificate
Generate a Self-Signed Certificate
Import ISE/ISE-PIC Certificates
Configure ISE for User Control
ISE/ISE-PIC Configuration Fields
Ways to Configure the Cisco Identity Services Engine (Cisco ISE) Identity Source
About Cisco ISE Quick Configuration
Prerequisites for ISE Quick Configuration
Quick Configuration
ISE Quick Configuration Results
Cisco ISE Advanced Configuration
ISE/ISE-PIC Configuration Fields
Troubleshoot the ISE/ISE-PIC or Cisco TrustSec Issues
History for ISE/ISE-PIC
User Control with Captive Portal
The Captive Portal Identity Source
About Hostname Redirect
License Requirements for Captive Portal
Requirements and Prerequisites for Captive Portal
Captive Portal Guidelines and Limitations
How to Configure the Captive Portal for User Control
Configure the Captive Portal Part 1: Create a Network Object
Configure the Captive Portal Part 2: Create an Identity Policy and Active Authentication Rule
Update a Custom Authentication Form
Configure the Captive Portal Part 3: Create a TCP Port Access Control Rule
Configure the Captive Portal Part 4: Create a User Access Control Rule
Captive Portal Example: Create a Decryption Policy with an Outbound Rule
Configure Captive Portal Part 6: Associate Identity and Decryption Policies with the Access Control Policy
Captive Portal Fields
Exclude Applications from Captive Portal
Troubleshoot the Captive Portal Identity Source
History for Captive Portal
User Control with the pxGrid Cloud Identity Source
About the pxGrid Cloud Identity Source
Limitations of the pxGrid Cloud Identity Source
How the pxGrid Cloud Identity Source Works
How to Configure a pxGrid Cloud Identity Source
Enable pxGrid Cloud Service in Cisco ISE
Register Cisco ISE with the Cisco DNA Portal
Register the pxGrid Cloud Connection with Cisco ISE
Create and Subscribe to the Firewall Management Center Application
Create a pxGrid Cloud Identity Source
Create an App Instance
Create the Identity Source
Activate the App Instance
Verify It's Working
Create Dynamic Attributes Filters for the pxGrid Cloud Identity Source
Create Access Control Rules Using Dynamic Attributes Filters
History for the pxGrid Cloud Identity Source
User Control with Remote Access VPN
The Remote Access VPN Identity Source
Configure RA VPN for User Control
Troubleshoot the Remote Access VPN Identity Source
Not Observing Correct Settings for VPN Statistics
User Control with TS Agent
The Terminal Services (TS) Agent Identity Source
TS Agent Guidelines
User Control with TS Agent
Troubleshoot the TS Agent Identity Source
History for TS Agent
User Identity Policies
About Identity Policies
License Requirements for Identity Policies
Requirements and Prerequisites for Identity Policies
Create an Identity Policy
Create an Identity Mapping Filter
Identity Rule Conditions
Security Zone Rule Conditions
Network Rule Conditions
Redirect to Host Name Network Rule Conditions
VLAN Tags Rule Conditions
Port Rule Conditions
Port, Protocol, and ICMP Code Rule Conditions
Realm & Settings Rule Conditions
Create an Identity Rule
Identity Rule Fields
Sample Identity Policies and Rules
Create an Identity Policy with a Passive Authentication Rule
Create a Sample Identity Policy with an Active Authentication Rule
Active Authentication Using a Realm
Active Authentication Using a Realm Sequence
Manage an Identity Policy
Manage an Identity Rule
Troubleshoot User Control
Network Discovery
Network Discovery Overview
About Detection of Host, Application, and User Data
Host and Application Detection Fundamentals
Passive Detection of Operating System and Host Data
Active Detection of Operating System and Host Data
Current Identities for Applications and Operating Systems
Current User Identities
Application and Operating System Identity Conflicts
NetFlow Data
Requirements for Using NetFlow Data
Differences between NetFlow and Managed Device Data
Host Identity Sources
Overview: Host Data Collection
Requirements and Prerequisites for Host Identity Sources
Determining Which Host Operating Systems the System Can Detect
Identifying Host Operating Systems
Custom Fingerprinting
Managing Fingerprints
Activating and Deactivating Fingerprints
Editing an Active Fingerprint
Editing an Inactive Fingerprint
Creating a Custom Fingerprint for Clients
Creating a Custom Fingerprint for Servers
Host Input Data
Requirements for Using Third-Party Data
Third-Party Product Mappings
Mapping Third-Party Products
Mapping Third-Party Product Fixes
Mapping Third-Party Vulnerabilities
Custom Product Mappings
Creating Custom Product Mappings
Editing Custom Product Mapping Lists
Activating and Deactivating Custom Product Mappings
Application Detection
Overview: Application Detection
Application Detector Fundamentals
Identification of Application Protocols in the Web Interface
Implied Application Protocol Detection from Client Detection
Host Limits and Discovery Event Logging
Special Considerations for Application Detection
Application Detection in Snort 2 and Snort 3
Requirements and Prerequisites for Application Detection
Custom Application Detectors
Custom Application Detector and User-Defined Application Fields
Configuring Custom Application Detectors
Creating a User-Defined Application
Specifying Detection Patterns in Basic Detectors
Specifying Detection Criteria in Advanced Detectors
Specifying EVE Process Assignments
Testing a Custom Application Protocol Detector
Viewing or Downloading Detector Details
Sorting the Detector List
Filtering the Detector List
Filter Groups for the Detector List
Navigating to Other Detector Pages
Activating and Deactivating Detectors
Editing Custom Application Detectors
Deleting Detectors
Network Discovery Policies
Overview: Network Discovery Policies
Requirements and Prerequisites for Network Discovery Policies
Network Discovery Customization
Configuring the Network Discovery Policy
Network Discovery Rules
Configuring Network Discovery Rules
Actions and Discovered Assets
Monitored Networks
Restricting the Monitored Network
Configuring Rules for NetFlow Data Discovery
Creating Network Objects During Discovery Rule Configuration
Port Exclusions
Excluding Ports in Network Discovery Rules
Creating Port Objects During Discovery Rule Configuration
Zones in Network Discovery Rules
Configuring Zones in Network Discovery Rules
The Traffic-Based Detection Identity Source
Configuring Traffic-Based User Detection
Configuring Advanced Network Discovery Options
Network Discovery General Settings
Configuring Network Discovery General Settings
Network Discovery Identity Conflict Settings
Configuring Network Discovery Identity Conflict Resolution
Network Discovery Vulnerability Impact Assessment Options
Enabling Network Discovery Vulnerability Impact Assessment
Indications of Compromise
Enabling Indications of Compromise Rules
Adding NetFlow Exporters to a Network Discovery Policy
Network Discovery Data Storage Settings
Configuring Network Discovery Data Storage
Configuring Network Discovery Event Logging
Adding Network Discovery OS and Server Identity Sources
Troubleshooting Your Network Discovery Strategy
FlexConfig Policies
FlexConfig Policies
FlexConfig Policy Overview
Recommended Usage for FlexConfig Policies
CLI Commands in FlexConfig Objects
Determine the ASA Software Version and Current CLI Configuration
Prohibited CLI Commands
Template Scripts
FlexConfig Variables
How to Process Variables
Single Value Variables
Multiple Value Variables, All Values Are the Same Type
Multiple Value Variables, Values Are Different Types
Multiple Value Variables that Resolve to a Table of Values
How to See What a Variable Will Return for a Device
FlexConfig Policy Object Variables
FlexConfig System Variables
Predefined FlexConfig Objects
Predefined Text Objects
Requirements and Prerequisites for FlexConfig Policies
Guidelines and Limitations for FlexConfig
Customizing Device Configuration with FlexConfig Policies
Configure FlexConfig Objects
Add a Policy Object Variable to a FlexConfig Object
Configure Secret Keys
Configure FlexConfig Text Objects
Configure the FlexConfig Policy
Set Target Devices for a FlexConfig Policy
Preview the FlexConfig Policy
Verify the Deployed Configuration
Remove Features Configured Using FlexConfig
Convert from FlexConfig to Managed Feature
Examples for FlexConfig
How to Configure Precision Time Protocol (ISA 3000)
How to Configure Automatic Hardware Bypass for Power Failure (ISA 3000)
Migrating FlexConfig Policies
Advanced Network Analysis and Preprocessing
Advanced Access Control Settings for Network Analysis and Intrusion Policies
About Advanced Access Control Settings for Network Analysis and Intrusion Policies
Requirements and Prerequisites for Advanced Access Control Settings for Network Analysis and Intrusion Policies
Inspection of Packets That Pass Before Traffic Is Identified
Best Practices for Handling Packets That Pass Before Traffic Identification
Specify a Policy to Handle Packets That Pass Before Traffic Identification
Advanced Settings for Network Analysis Policies
Setting the Default Network Analysis Policy
Network Analysis Rules
Network Analysis Policy Rule Conditions
Security Zone Rule Conditions
Network Rule Conditions
VLAN Tags Rule Conditions
Configuring Network Analysis Rules
Managing Network Analysis Rules
Get Started with Snort 3 Network Analysis Policies
Overview of Network Analysis Policies
Manage Network Analysis Policies
Snort 3 Definitions and Terminologies for Network Analysis Policy
Prerequisites for Network Analysis and Intrusion Policies
Custom Network Analysis Policy Creation for Snort 3
Common Industrial Protocol Safety
Detect and Block Safety Segments in CIP Packets
Network Analysis Policy Mapping
View Network Analysis Policy Mapping
Create a Network Analysis Policy
Modify the Network Analysis Policy
Search for an Inspector on the Network Analysis Policy Page
Copy the Inspector Configuration
Customize the Network Analysis Policy
Make Inline Edit for an Inspector to Override Configuration
Revert Unsaved Changes during Inline Edits
View the List of Inspectors with Overrides
Revert Overridden Configuration to Default Configuration
Validate Snort 3 Policies
Examples of Custom Network Analysis Policy Configuration
Network Analysis Policy Settings and Cached Changes
Custom Rules in Snort 3
Overview of Encrypted Visibility Engine
How EVE Works
Indications of Compromise Events
QUIC Fingerprinting in EVE
Configure EVE
View EVE Events
View EVE Dashboard
About Elephant Flow Detection and Remediation
Elephant Flow Upgrade from Intelligent Application Bypass
Configure Elephant Flow
Application Layer Preprocessors
Introduction to Application Layer Preprocessors
License Requirements for Application Layer Preprocessors
Requirements and Prerequisites for Application Layer Preprocessors
The DCE/RPC Preprocessor
Connectionless and Connection-Oriented DCE/RPC Traffic
DCE/RPC Target-Based Policies
RPC over HTTP Transport
DCE/RPC Global Options
DCE/RPC Target-Based Policy Options
Traffic-Associated DCE/RPC Rules
Configuring the DCE/RPC Preprocessor
The DNS Preprocessor
DNS Preprocessor Options
Configuring the DNS Preprocessor
The FTP/Telnet Decoder
Global FTP and Telnet Options
Telnet Options
Server-Level FTP Options
FTP Command Validation Statements
Client-Level FTP Options
Configuring the FTP/Telnet Decoder
The HTTP Inspect Preprocessor
Global HTTP Normalization Options
Server-Level HTTP Normalization Options
Server-Level HTTP Normalization Encoding Options
Configuring The HTTP Inspect Preprocessor
Additional HTTP Inspect Preprocessor Rules
The Sun RPC Preprocessor
Sun RPC Preprocessor Options
Configuring the Sun RPC Preprocessor
The SIP Preprocessor
SIP Preprocessor Options
Configuring the SIP Preprocessor
Additional SIP Preprocessor Rules
The GTP Preprocessor
GTP Preprocessor Rules
Configuring the GTP Preprocessor
The IMAP Preprocessor
IMAP Preprocessor Options
Configuring the IMAP Preprocessor
Additional IMAP Preprocessor Rules
The POP Preprocessor
POP Preprocessor Options
Configuring the POP Preprocessor
Additional POP Preprocessor Rules
The SMTP Preprocessor
SMTP Preprocessor Options
Configuring SMTP Decoding
The SSH Preprocessor
SSH Preprocessor Options
Configuring the SSH Preprocessor
The SSL Preprocessor
How SSL Preprocessing Works
SSL Preprocessor Options
Configuring the SSL Preprocessor
SSL Preprocessor Rules
SCADA Preprocessors
Introduction to SCADA Preprocessors
License Requirements for SCADA Preprocessors
Requirements and Prerequisites for SCADA Preprocessors
The Modbus Preprocessor
Modbus Preprocessor Ports Option
Configuring the Modbus Preprocessor
Modbus Preprocessor Rules
The DNP3 Preprocessor
DNP3 Preprocessor Options
Configuring the DNP3 Preprocessor
DNP3 Preprocessor Rules
The CIP Preprocessor
CIP Preprocessor Options
CIP Events
CIP Preprocessor Rules
Guidelines for Configuring the CIP Preprocessor
Configuring the CIP Preprocessor
The S7Commplus Preprocessor
Configuring the S7Commplus Preprocessor
Transport and Network Layer Preprocessors
Introduction to Transport and Network Layer Preprocessors
License Requirements for Transport and Network Layer Preprocessors
Requirements and Prerequisites for Transport and Network Layer Preprocessors
Advanced Transport/Network Preprocessor Settings
Ignored VLAN Headers
Active Responses in Intrusion Drop Rules
Advanced Transport/Network Preprocessor Options
Configuring Advanced Transport/Network Preprocessor Settings
Checksum Verification
Checksum Verification Options
Verifying Checksums
The Inline Normalization Preprocessor
Inline Normalization Options
Configuring Inline Normalization
The IP Defragmentation Preprocessor
IP Fragmentation Exploits
Target-Based Defragmentation Policies
IP Defragmentation Options
Configuring IP Defragmentation
The Packet Decoder
Packet Decoder Options
Configuring Packet Decoding
TCP Stream Preprocessing
State-Related TCP Exploits
Target-Based TCP Policies
TCP Stream Reassembly
TCP Stream Preprocessing Options
Configuring TCP Stream Preprocessing
UDP Stream Preprocessing
UDP Stream Preprocessing Options
Configuring UDP Stream Preprocessing
Specific Threat Detection
Introduction to Specific Threat Detection
License Requirements for Specific Threat Detection
Requirements and Prerequisites for Specific Threat Detection
Back Orifice Detection
Back Orifice Detection Preprocessor
Detecting Back Orifice
Portscan Detection
Portscan Types, Protocols, and Filtered Sensitivity Levels
Portscan Event Generation
Portscan Event Packet View
Configuring Portscan Detection
Rate-Based Attack Prevention
Rate-Based Attack Prevention Examples
detection_filter Keyword Example
Dynamic Rule State Thresholding or Suppression Example
Policy-Wide Rate-Based Detection and Thresholding or Suppression Example
Rate-Based Detection with Multiple Filtering Methods Example
Rate-Based Attack Prevention Options and Configuration
Rate-Based Attack Prevention, Detection Filtering, and Thresholding or Suppression
Configuring Rate-Based Attack Prevention
Adaptive Profiles
About Adaptive Profiles
License Requirements for Adaptive Profiles
Requirements and Prerequisites for Adaptive Profiles
Adaptive Profile Updates
Adaptive Profile Updates and Cisco Recommended Rules
Adaptive Profile Options
Configuring Adaptive Profiles
Reference
FAQ and Support
Security Cloud Control Platform Maintenance Schedule
Navigate from Security Cloud Control to Cloud-delivered Firewall Management Center
What does the default action "Analyze all tunnel traffic" for prefiltering mean?
How Security Cloud Control Processes Personal Information
Can I restore a backup from a different device?
Does deploying a new prefilter policy immediately affect ongoing sessions?
How do I keep my security databases and feeds up to date?
What version of Secure Firewall Threat Defense can I manage with cloud-delivered Firewall Management Center?
How do I exclude specific traffic (Webex, Zoom, etc.) from the remote access VPN?
How do I prevent users from accessing undesirable external network resources, such as inappropriate websites?
Security Feed Questions
How do I update intrusion rules (SRU/LSP)?
How do I update my Cisco vulnerability database (VDB)?
How do I update my Geolocation database?
How do I update Security Intelligence feeds?
How do I update URL reputations?
How do I set up Rate-Based Attack Prevention on the FTD using Snort 2?
Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
Secure Firewall Management Center Command Line Reference
About the Secure Firewall Management Center CLI
Management Center CLI Modes
Secure Firewall Management Center CLI Management Commands
exit
expert
? (question mark)
Secure Firewall Management Center CLI Show Commands
version
Secure Firewall Management Center CLI Configuration Commands
password
Secure Firewall Management Center CLI System Commands
generate-troubleshoot
lockdown
reboot
restart
shutdown
Security, Internet Access, and Communication Ports
Security Requirements
Cisco Clouds
Internet Access Requirements
Communication Port Requirements
Optimize Firewall Performance with AIOps
Optimize Firewall Performance with AIOps
Introduction to AIOps Insights