Create a Zero Trust Application Policy

This task configures a Zero Trust Application Policy.

Before you begin

Ensure that you complete all the prerequisites listed in Prerequisites for Zero Trust Application Policy.

Procedure


Step 1

Choose Policies > Zero Trust Application.

Step 2

Click Add Policy.

Step 3

In the General section, enter the policy name in the Name field. The description field is optional.

Step 4

Enter a domain name in the Domain Name field.

Ensure that the domain name is added to the DNS. The domain name resolves to the Firewall Threat Defense gateway interface from where the application is accessed. The domain name is used to generate the ACS URL for all private applications in an Application Group.

If you select an ACME certificate as the policy's identity certificate in the next step, the domain name must match the common name (CN) of the ACME certificate.

Note

When you change the domain name, the SAML Service Provider (SP) metadata gets updated. You must reconfigure the following settings:

  • IdP with the new SAML SP metadata

  • DNS server with new domain name

When a deployment takes place after the domain name change, all the applications are removed and re-added, which interrupts application access.

Step 5

Choose an existing certificate from the Identity Certificate drop-down list.

Click the Add (add icon) icon to configure a certificate enrollment object. For more information, see Adding Certificate Enrollment Objects.

You can choose an ACME certificate for authenticating the Firewall Threat Defense device as a SAML SP for a Zero Trust Application policy. ACME certificates automate the lifecycle management of SSL and TLS certificates, including their auto-renewal.

Step 6

Choose a security zone from the Security Zones drop-down list.

Click the Add (add icon) icon to add a new security zone.

To add security zones, see Create Security Zone and Interface Group Objects.

Step 7

In the Global Port Pool section, a default port range is displayed. Modify it if required. Port values range from 1024 to 65535. A unique port from this pool is assigned to each private application.

Note

This port range should avoid any conflicts with the existing NAT range.

Step 8

(Optional) In the Security Controls section, you can add an Intrusion or Malware and File policy:

  • Intrusion Policy—Choose a default policy from the drop-down list or click the Add (add icon) icon to create a new custom intrusion policy. For more information, see the Creating a Custom Snort 3 Intrusion Policy topic in the latest version of the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

  • Variable Set—Choose a default variable set from the drop-down list or click the Add (add icon) icon to create a new variable set. For more information, see Creating Variable Sets.

    Note

    To use variable sets, you must have the Secure Firewall Threat Defense IPS license for your managed devices.

  • Malware and File Policy—Choose an existing policy from the drop-down list. Click the Add (add icon) icon to create a new malware and file policy. For more information, see Managing File Policies.

Step 9

Click Save to save the policy.
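As an added pre-deployment check that is not part of this guide or of the management center, the following Python validates the inputs gathered in Steps 4, 5 and 7 against the constraints stated above: the domain name must match the identity certificate CN, the Global Port Pool must lie within 1024 to 65535 and must not overlap existing NAT port ranges, and the pool must hold a unique port for every private application. The ZtaPolicyInput fields, the NAT ranges and the sample values are constructed assumptions.

```python
from dataclasses import dataclass, field

PORT_POOL_MIN, PORT_POOL_MAX = 1024, 65535  # limits stated in Step 7


@dataclass
class ZtaPolicyInput:
    """Constructed container for the values entered in the policy wizard."""
    name: str
    domain_name: str                 # Step 4: Domain Name field
    cert_cn: str                     # Step 5: CN of the identity certificate
    port_pool: tuple                 # Step 7: (first, last) of the Global Port Pool
    nat_ranges: list = field(default_factory=list)  # existing NAT PAT ranges (assumed known)
    app_count: int = 0               # private applications this policy will serve


def cn_matches(cert_cn, domain_name):
    """Exact, case-insensitive match, ignoring a trailing dot on either name."""
    return cert_cn.lower().rstrip(".") == domain_name.lower().rstrip(".")


def ranges_overlap(a, b):
    """True when two inclusive (first, last) port ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def validate_policy(p):
    """Return a list of problems; an empty list means the inputs satisfy the constraints."""
    problems = []
    if not cn_matches(p.cert_cn, p.domain_name):
        problems.append(f"domain {p.domain_name} does not match certificate CN {p.cert_cn}")
    lo, hi = p.port_pool
    if not (PORT_POOL_MIN <= lo <= hi <= PORT_POOL_MAX):
        problems.append(f"port pool {lo}-{hi} is outside {PORT_POOL_MIN}-{PORT_POOL_MAX}")
    for nat in p.nat_ranges:
        if ranges_overlap(p.port_pool, nat):
            problems.append(f"port pool {lo}-{hi} overlaps NAT range {nat[0]}-{nat[1]}")
    pool_size = hi - lo + 1
    if pool_size < p.app_count:
        problems.append(f"pool holds {pool_size} ports but {p.app_count} applications need unique ports")
    return problems


if __name__ == "__main__":
    # Constructed sample: a pool that stays clear of an assumed NAT PAT range.
    sample = ZtaPolicyInput("zta-policy", "apps.example.com", "apps.example.com",
                            (20000, 22000), nat_ranges=[(30000, 40000)], app_count=5)
    for problem in validate_policy(sample) or ["policy inputs look consistent"]:
        print(problem)
```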


What to do next

  1. Create an Application Group. See Create an Application Group.

  2. Create an Application. See Create an Application.

  3. Associate a Zero Trust Application Policy with a device. See Set Targeted Devices for Zero Trust Access Policy.

  4. Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.