Security Certifications Compliance Recommendations

Cisco recommends that you observe the following best practices when using a system with security certifications compliance enabled:

  • To enable security certifications compliance in your deployment, enable it first on the Secure Firewall Management Center, then enable it in the same mode on all managed devices.

    Caution
    The Secure Firewall Management Center will not receive event data from a managed device unless both are operating in the same security certifications compliance mode.

  • For all users, enable password strength checking and set the minimum password length to the value required by the certifying agency.

  • If you are using Secure Firewall Management Centers in a high-availability configuration, configure them both to use the same security certifications compliance mode.

  • When you configure Secure Firewall Threat Defense on a Firepower 4100/9300 to operate in CC or UCAPL mode, you should also configure the Firepower 4100/9300 to operate in CC mode. For more information, see the Cisco Firepower 4100/9300 FXOS Chassis Manager Configuration Guide.

  • Do not configure the system to use any of the following features:

    • Email reports, alerts, or data pruning notifications.

    • Nmap Scan, Cisco IOS Null Route, Set Attribute Value, or ISE EPS remediations.

    • Third-party client access to the system database.

    • External notifications or alerts transmitted via email (SMTP), SNMP trap, or syslog.

    • Audit log messages transmitted to an HTTP server or to a syslog server without using SSL certificates to secure the channel between the appliance and the server.

  • Do not enable external authentication using LDAP or RADIUS in deployments using CC mode.

  • Do not enable CACs in deployments using CC mode.

  • Disable access to the Secure Firewall Management Center and managed devices via the Secure Firewall REST API in deployments using CC or UCAPL mode.

  • Enable CACs in deployments using UCAPL mode.

  • Do not configure SSO in deployments using CC mode.

  • Do not configure Secure Firewall Threat Defense devices into a high availability pair unless they are both using the same security certifications compliance mode.

Note

The system does not support CC or UCAPL mode for:

  • Secure Firewall Threat Defense devices in clusters

  • Secure Firewall Threat Defense container instances on the Firepower 4100/9300

  • Exporting event data to an external client using eStreamer
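As an added example (not from the Cisco guide), the following Python audit checks a constructed inventory of Management Centers and Threat Defense devices against the recommendations and the unsupported cases above. The record layout, the feature flag names and the mode strings "CC" / "UCAPL" / None are assumptions made for illustration, not Management Center data structures.

```python
"""Audit a constructed FMC/FTD inventory against the CC/UCAPL recommendations above."""

# Assumed feature flags that must be off in either mode, and those that must be off in CC mode.
FORBIDDEN_ANY = ("email_alerts", "rest_api", "db_client_access", "snmp_syslog_alerts", "estreamer_export")
FORBIDDEN_CC = ("ldap_or_radius", "cac", "sso")


def audit(fmcs, devices, features):
    """Return a list of findings; an empty list means no recommendation is violated."""
    findings = []
    modes = {f["mode"] for f in fmcs}
    if len(modes) != 1:  # HA Management Centers must share one compliance mode
        findings.append("FMC HA peers use different compliance modes: %s" % sorted(map(str, modes)))
    fmc_mode = fmcs[0]["mode"]
    if fmc_mode is None:
        return findings  # compliance not enabled on the FMC; nothing further applies
    by_name = {d["name"]: d for d in devices}
    for d in devices:
        if d["mode"] != fmc_mode:  # FMC receives no events from a device in another mode
            findings.append(f"{d['name']}: mode {d['mode']} differs from FMC ({fmc_mode}); FMC will not receive its events")
        peer = by_name.get(d.get("ha_peer"))
        if peer and peer["mode"] != d["mode"] and d["name"] < peer["name"]:  # report each pair once
            findings.append(f"{d['name']}: HA peer {peer['name']} is in a different compliance mode")
        if d.get("clustered"):
            findings.append(f"{d['name']}: CC/UCAPL is not supported for clustered devices")
        if d.get("container"):
            findings.append(f"{d['name']}: CC/UCAPL is not supported for container instances on 4100/9300")
    for feat in FORBIDDEN_ANY:
        if features.get(feat):
            findings.append(f"feature '{feat}' must be disabled in {fmc_mode} mode")
    if fmc_mode == "CC":
        for feat in FORBIDDEN_CC:
            if features.get(feat):
                findings.append(f"feature '{feat}' must be disabled in CC mode")
    elif fmc_mode == "UCAPL" and not features.get("cac"):
        findings.append("CAC authentication must be enabled in UCAPL mode")
    return findings


# Constructed sample inventory: one HA pair of FMCs, three devices, a few enabled features.
FMCS = [{"name": "fmc-a", "mode": "CC"}, {"name": "fmc-b", "mode": "CC"}]
DEVICES = [
    {"name": "ftd-1", "mode": "CC", "ha_peer": "ftd-2"},
    {"name": "ftd-2", "mode": "UCAPL", "ha_peer": "ftd-1"},
    {"name": "ftd-3", "mode": "CC", "clustered": True},
]
FEATURES = {"rest_api": True, "ldap_or_radius": True, "cac": False, "sso": False}

if __name__ == "__main__":
    for line in audit(FMCS, DEVICES, FEATURES):
        print("FINDING:", line)
```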