Managing Cisco Secure Firewall Threat Defense with Cloud-Delivered Firewall Management Center
The Cloud-Delivered Firewall Management Center is a software-as-a-service (SaaS) product that manages Secure Firewall Threat Defense devices and is delivered via Security Cloud Control. The Cloud-Delivered Firewall Management Center offers many of the same functions as an on-premises Secure Firewall Management Center.
The Cloud-Delivered Firewall Management Center has the same appearance and behavior as an on-premises Secure Firewall Management Center and uses the same FMC API. Because it is a SaaS product, the Security Cloud Control operations team is responsible for deploying and maintaining Cloud-Delivered Firewall Management Center software. As new features are introduced, the Security Cloud Control operations team updates your Security Cloud Control tenant's Cloud-Delivered Firewall Management Center for you.
A migration wizard is available to help you migrate your Secure Firewall Threat Defense devices from your on-premises Secure Firewall Management Center to the Cloud-Delivered Firewall Management Center. The devices must have Threat Defense software Version 7.0.3 or a later 7.0.x release, or Version 7.2 or later installed to be migrated. Threat Defense 7.1 releases are not supported.
Onboarding Secure Firewall Threat Defense devices is carried out in Security Cloud Control using familiar processes such as onboarding a device with its serial number or using a CLI command that includes a registration key. Once the device is onboarded, it is visible both in Security Cloud Control and in the Cloud-Delivered Firewall Management Center; however, you configure the device in the Cloud-Delivered Firewall Management Center. In Security Cloud Control, you can view device-specific information such as version, configuration status, connectivity, health status, and node status. When you click on the health status from Security Cloud Control, you are taken to the respective device's health monitoring page in the Cloud-Delivered Firewall Management Center user interface.
Security Cloud Control provides high availability support for the threat defense devices that it manages through the data interface. This feature is supported for devices running software version 7.2 or later.
You can analyze syslog events generated by your onboarded threat defense devices using Security Analytics and Logging (SaaS) or Security Analytics and Logging (On-Premises). The SaaS version stores events in the cloud and you view the events in Security Cloud Control. The on-premises version stores events in an on-premises Secure Network Analytics appliance and analysis is done in the on-premises Secure Firewall Management Center. In both cases, just as with an on-premises FMC today, you can still send logs to a log collector of your choice directly from the sensors.
The license for Cloud-Delivered Firewall Management Center is a per-device-managed license and there is no license required for the Cloud-Delivered Firewall Management Center itself. Existing Secure Firewall Threat Defense devices re-use their existing smart licenses and new Secure Firewall Threat Defense devices provision new smart licenses for each feature implemented on the FTD.
Existing customers can continue to use Security Cloud Control for managing other device types such as the Secure Firewall ASA, Meraki, Cisco IOS devices, Umbrella, and AWS virtual private clouds. If you use Security Cloud Control to manage a Secure Firewall Threat Defense device configured for local management with Firepower Device Manager, you can continue to manage it with Security Cloud Control as well.
To learn how to have a Cloud-Delivered Firewall Management Center provisioned on your tenant, see Enable Cloud-delivered Firewall Management Center on Your Security Cloud Control Tenant.
Learn more about the Firewall Management Center features we support in Cloud-Delivered Firewall Management Center
- Sep 22, 2025
- Product Secure Firewall Threat Defense
- Version 7.6
UEFI Secure Boot Environment for Resource Connector Images
The Secure Access Resource Connector images for AWS support UEFI Secure Boot, which provides a trusted boot environment for the connector instance.
Requirements for the UEFI Secure Boot Environment
If you choose an AWS instance type that is not recommended by Cisco Secure Access, we cannot guarantee that your Resource Connector instance can boot in AWS. Review the AWS documentation to verify whether your instance type supports UEFI Secure Boot.
You can deploy Resource Connector images with UEFI Secure Boot on these architectures:
- Intel x86_64
- AMD64
We recommend that you redeploy your Resource Connector instances with the UEFI Secure Boot environment.
- Nov 24, 2025
- Product Secure Access
Allow Outbound Network Access to Secure Access
The Cisco AD Connector server requires outbound access to certain URLs. If you use a transparent HTTP web proxy, ensure that the following URLs on port 80/443 are excluded from the proxy, and not subject to authentication:
- 443 (TCP) to devices.api.secureaccessfed.cisco to sync the AD Users and Groups.
- Access to additional URLs on port 80/443 (TCP) for Windows to perform Certificate Revocation List and Code-Signing checks.
For a complete list of ports, see AD Connector Communication Flow and Troubleshooting.
- Nov 24, 2025
You must configure a server that is a member of the AD domain with the following environment:
- Windows Server 2012, 2012 R2, 2016, 2019 or 2022 with the latest service packs and 100MB free hard disk drive space.
- .NET Framework 4.5 or newer.
- If a local anti-virus application is running, allow the CiscoAuditClient.exe and CiscoAuditService.exe processes.
You may deploy the Cisco AD Connector directly on the domain controller. In this case, the domain controller must meet all prerequisites. Only one Cisco AD Connector is required to provision users and groups from an AD domain. For redundancy, add an optional second connector.
- Nov 24, 2025
Full Admin user role. For more information, see Manage Accounts.
Configure a Connector Server.
Allow Outbound Network Access to Secure Access.
Create the Connector Account.
- Nov 24, 2025
When you deploy the Cisco AD Connector, you must create a new user account in the AD domain. This account must have these attributes:
- Set the account name (sAMAccountName) to Cisco_Connector. You can sign in with a custom username that has the required permissions.
- Select Password never expires.
- Passwords must not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons.
- Assign Read and Replicating Directory Changes permissions.
Alternatively, you can make the Cisco AD Connector account a member of the built-in Enterprise Read-only Domain Controllers group, which automatically assigns these permissions.
The Cisco AD Connector does an initial synchronization of the AD structure to Secure Access. After the sync, it detects changes to the AD structure and communicates these changes only. The detection of the changes requires the Replicating Directory Changes permission. The Cisco AD Connector cannot function without this permission.
The Replicating Directory Changes permission is different from the Replicating Directory Changes All permission, which enables retrieval of password hashes. The Cisco AD Connector does not read password hashes and thus does not require the Replicating Directory Changes All permission.
- Nov 24, 2025
To troubleshoot a resource connector, Secure Access requires an SSH key pair. Use the SSH key pair to log in to your resource connector instance. The username is acadmin.
- (Recommended) Generate an SSH key pair using a standard tool such as ssh-keygen. When you configure the resource connector, add your public key.
- Supported SSH public key types are ssh-rsa and ssh-ed25519.
- For keys of type ssh-rsa, we recommend a key length of 2048 bits or 4096 bits.
- Save your SSH key in your local environment.
You cannot set up the SSH login after you deploy the connector.
- Dec 01, 2025
- Product Secure Access
Before you configure a network tunnel in a device, view the IPsec tunnel parameters supported by Umbrella. For more information, see Supported IPsec Parameters.
When you set up a network tunnel, configure the tunnel with an Umbrella head-end data center to connect the network tunnel to Umbrella. For more information, see Connect to Cisco Umbrella Through Tunnel.
Umbrella provides various instructions to set up a tunnel in a network device. For more information, see Network Tunnel Configuration.
- Dec 05, 2025
- Product Umbrella
Requirements for Downloading PAC Files to User Devices
To download the Umbrella PAC file or custom PAC files on a user device in the organization, the device must either connect to Umbrella on a Registered Network or Network Tunnel, or deploy the Cisco Secure Client with the Umbrella Roaming Security module on the user device.
- Dec 08, 2025
- Product Umbrella
When enabling the intelligent proxy, we highly recommend also selecting SSL Decryption, which broadens the scope of your protection. With SSL Decryption selected, you can also create a list of content categories to exclude from being sent to the intelligent proxy. The SSL Decryption feature allows the intelligent proxy to decrypt and inspect traffic that's sent over HTTPS.
Note: We do not recommend that you apply the same deployed identities in both your DNS policies with the intelligent proxy configured and Web policy rules with secure web gateway (SWG) controls enabled. Choose the type of policy, deployments, and configuration components that best match the identities and traffic in your organization.
- Dec 08, 2025
- Product Umbrella
Cisco Multicloud Defense White Paper
Abstract Applications and workloads are no longer limited to the data center. Today, organizations also deploy workloads and applications to public and private cloud environments, oftentimes more than one cloud, for greater agility, flexibility, and scale. As organizations continue to expand their m...
- https://secure.cisco.com/ciscosecure-multicloud-defense/docs/cisco-multicloud-defense-white-paper
Cisco Multicloud Defense Architecture Guide
Overview The Cisco Multicloud Defense Architecture Guide provides Reference Architecture diagrams of how the Cisco Multicloud Defense solution is deployed within each Cloud Provider and for each security use-case. These diagrams describe the architectural deployment scenarios available to address di...
- https://secure.cisco.com/ciscosecure-multicloud-defense/docs/cisco-multicloud-defense-architecture-guide
Cloud-delivered Firewall Management Center
Introduction to Cisco's latest offering for managing Cisco Secure Firewall.
- https://secure.cisco.com/secure-firewall/docs/cloud-delivered-firewall-management-center
Cisco Secure Firewall Snort 2 and Snort 3 Intrusion Policy Guidance
- https://secure.cisco.com/secure-firewall/docs/intrusion-policy-73
An introduction to the Cisco Secure Firewall solutions
- https://secure.cisco.com/secure-firewall/docs