Create a Zero Trust Application Policy

This task configures a Zero Trust Application Policy.

Before you begin

Ensure that you complete all the prerequisites listed in Prerequisites for Zero Trust Application Policy.

Procedure


Step 1

Choose Policies > Access Control > Zero Trust Application.

Step 2

Click Add Policy.

Step 3

In the General section, enter the policy name in the Name field. The description field is optional.

Step 4

Enter a domain name in the Domain Name field.

Ensure that the domain name has a DNS record that resolves to the IP address of the threat defense gateway interface through which the applications are accessed. The domain name is used to generate the SAML Assertion Consumer Service (ACS) URL for every private application in an Application Group, so the identity provider must be able to reach the gateway at that name.

Step 5

Choose an existing certificate from the Identity Certificate drop-down list.

Click the Add (add icon) icon to configure a certificate enrollment object. For more information, see Adding Certificate Enrollment Objects.

Step 6

Choose a security zone from the Security Zones drop-down list.

Click the Add (add icon) icon to add a new security zone.

To add security zones, see Create Security Zone and Interface Group Objects.

Step 7

In the Global Port Pool section, a default port range is displayed. Modify it if required. Port values range from 1024 to 65535. Each private application is assigned a unique port from this pool.

Note

Ensure that this port range does not overlap any port range already used by existing NAT rules on the device.
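Two of the inputs above are easy to get wrong and are only caught at deployment or, worse, when users try to connect: the domain name in Step 4 must resolve to the gateway interface, and the port pool in Step 7 must stay inside 1024 to 65535 and clear of NAT port ranges. The following helper, added here as an example and not part of the management center or its API, checks both before you save the policy. The resolver is injectable so the domain check can run offline against a constructed answer; the default performs a live lookup. All host names, addresses and port ranges below are constructed.

```python
"""Pre-save sanity checks for a Zero Trust Application Policy.

Hypothetical helper (not Cisco code). Checks two fields from the procedure:
  * Step 4: the policy domain name resolves to the IP address of the
    threat defense gateway interface the applications are reached on.
  * Step 7: the global port pool lies within 1024-65535 and does not
    overlap any port range already consumed by NAT rules.
"""
import socket
from typing import Callable, Iterable, List, Tuple

PortRange = Tuple[int, int]

POOL_MIN, POOL_MAX = 1024, 65535  # bounds stated in Step 7


def resolve_all(name: str) -> List[str]:
    """Return every address a name resolves to (live DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def check_domain(domain: str, gateway_ip: str,
                 resolver: Callable[[str], List[str]] = resolve_all) -> List[str]:
    """Return problems found with the Step 4 domain name (empty list = OK)."""
    try:
        addrs = resolver(domain)
    except (socket.gaierror, OSError) as exc:
        return [f"{domain} does not resolve: {exc}"]
    if not addrs:
        return [f"{domain} returned no addresses"]
    problems = []
    if gateway_ip not in addrs:
        problems.append(
            f"{domain} resolves to {addrs}, not the gateway interface {gateway_ip}")
    # Additional records pointing elsewhere send some users to a host that is
    # not the gateway and does not hold the Step 5 identity certificate.
    extra = [a for a in addrs if a != gateway_ip]
    if gateway_ip in addrs and extra:
        problems.append(f"{domain} also resolves to {extra}; remove stray records")
    return problems


def overlaps(a: PortRange, b: PortRange) -> bool:
    """True when two inclusive port ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_port_pool(pool: PortRange, nat_ranges: Iterable[PortRange]) -> List[str]:
    """Return problems found with the Step 7 global port pool (empty list = OK)."""
    lo, hi = pool
    problems = []
    if lo > hi:
        problems.append(f"pool start {lo} is greater than pool end {hi}")
    if lo < POOL_MIN or hi > POOL_MAX:
        problems.append(f"pool {lo}-{hi} is outside the allowed {POOL_MIN}-{POOL_MAX}")
    for nat in nat_ranges:
        if overlaps(pool, nat):
            problems.append(f"pool {lo}-{hi} overlaps NAT port range {nat[0]}-{nat[1]}")
    return problems


if __name__ == "__main__":
    # Constructed values standing in for the policy fields and for the
    # port ranges of NAT rules already configured on the target device.
    answers = {"apps.example.com": ["198.51.100.10"]}
    offline = lambda name: answers.get(name, [])
    print(check_domain("apps.example.com", "198.51.100.10", offline))
    print(check_port_pool((20000, 22000), [(30000, 31000)]))   # clean
    print(check_port_pool((20000, 22000), [(21000, 23000)]))   # overlap
```

Run it with the real gateway interface address and the port ranges from your device's NAT rules; an empty list from each check means the corresponding step is safe to save. Pass `resolve_all` (the default) to query DNS for real.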

Step 8

(Optional) In the Security Controls section, you can add an Intrusion or Malware and File policy:

  • Intrusion Policy—Choose a default policy from the drop-down list or click the Add (add icon) icon to create a new custom intrusion policy. For more information, see Creating a Custom Snort 3 Intrusion Policy topic in the latest version of the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

  • Variable Set—Choose a default variable set from the drop-down list or click the Add (add icon) icon to create a new variable set. For more information, see Creating Variable Sets.

    Note

    To use variable sets, you must have the Secure Firewall Threat Defense IPS license for your managed devices.

  • Malware and File Policy—Choose an existing policy from the drop-down list. Click the Add (add icon) icon to create a new malware and file policy. For more information, see Managing File Policies.

Step 9

Click Save to save the policy.


What to do next

  1. Create an Application Group. See Create an Application Group.

  2. Create an Application. See Create an Application.

  3. Associate a Zero Trust Application Policy with a device. See Set Targeted Devices for Zero Trust Access Policy.

  4. Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.