Search

Enable the Intelligent Proxy

Custom URL blocking is accomplished through the intelligent proxy, which is designed to complement DNS-layer security. It is not intended for full URL inspection and the filtering of all web traffic. It, therefore, does not allow you to add URLs belonging to high-volume domains. Custom URL blocking is accomplished through the intelligent proxy, which is designed to complement DNS-layer security. It is not intended for full URL inspection and the filtering of all web traffic. It, therefore, does not allow you to add URLs belonging to high-volume domains.

• Nov 06, 2025
• Product Secure Access

Top Destinations report

View requests that the identity made to destinations. View all destination requests or specific requests that pose a security risk. Click View All Destinations to display the Top Destinations report. View requests that the identity made to destinations. View all destination requests or specific requests that pose a security risk. Click View All Destinations to display the Top Destinations report.

• Nov 06, 2025
• Product Secure Access

Top Categories report

View the categories associated with destination requests made by the identity. View all the categories, categories by content, or categories that pose a security risk based on the destination requests. Click View All Categories to display the Top Categories report. View the categories associated with destination requests made by the identity. View all the categories, categories by content, or categories that pose a security risk based on the destination requests. Click View All Categories to display the Top Categories report.

• Nov 06, 2025
• Product Secure Access

Managing Cisco Secure Firewall Threat Defense with Cloud-Delivered Firewall Management Center

The Cloud-Delivered Firewall Management Center is a software-as-a-service (SaaS) product that manages Secure Firewall Threat Defense devices and is delivered via Security Cloud Control. The Cloud-Delivered Firewall Management Center offers many of the same functions as an on-premises Secure Firewall Management Center.The Cloud-Delivered Firewall Management Center has the same appearance and behavior as an on-premises Secure Firewall Management Center and uses the same FMC API. As a SaaS product, the Security Cloud Control operations team is responsible for deploying and maintaining Cloud-Delivered Firewall Management Center software. As new features are introduced, the Security Cloud Control operations team updates your Security Cloud Control tenant's Cloud-Delivered Firewall Management Center for you.A migration wizard is available to help you migrate your Secure Firewall Threat Defense devices from your on-premises Secure Firewall Management Center to the Cloud-Delivered Firewall Management Center. The devices must have Threat Defense software Version 7.0.3 or a later 7.0.x release, or Version 7.2 or later installed to be migrated. Threat Defense 7.1 releases are not supported.Onboarding Secure Firewall Threat Defense devices is carried out in Security Cloud Control using familiar processes such as onboarding a device with its serial number or using a CLI command that includes a registration key. Once the device is onboarded, it is visible both in Security Cloud Control and in the Cloud-Delivered Firewall Management Center, however, you configure the device in the Cloud-Delivered Firewall Management Center. In Security Cloud Control, you can view device-specific information such as version, configuration status, connectivity, health status, and node status. When you click on the health status from Security Cloud Control, you are taken to the respective device's health monitoring page in the Cloud-Delivered Firewall Management Center user interface.Security Cloud Control provides high availability support for the threat defense devices that it manages through the data interface. This feature is supported for devices running software version 7.2 or later.You can analyze syslog events generated by your onboarded threat defense devices using Security Analytics and Logging (SaaS) or Security Analytics and Logging (On-Premises). The SaaS version stores events in the cloud and you view the events in Security Cloud Control. The on-premises version stores events in an on-premises Secure Network Analytics appliance and analysis is done in the on-premises Secure Firewall Management Center. In both cases, just as with an on-premises FMC today, you can still send logs to a log collector of your choice directly from the sensors. The license for Cloud-Delivered Firewall Management Center is a per-device-managed license and there is no license required for the Cloud-Delivered Firewall Management Center itself. Existing Secure Firewall Threat Defense devices re-use their existing smart licenses and new Secure Firewall Threat Defense devices provision new smart licenses for each feature implemented on the FTD. Existing customers can continue to use Security Cloud Control for managing other device types like, the Secure Firewall ASA, Meraki, Cisco IOS devices, Umbrella, and AWS virtual private clouds. If you use Security Cloud Control to manage a Secure Firewall Threat Defense device configured for local management with Firepower Device Manager, you can continue to manage them with Security Cloud Control as well.To learn how to have a Cloud-Delivered Firewall Management Center provisioned on your tenant, see Enable Cloud-delivered Firewall Management Center on Your Security Cloud Control Tenant. Learn more about the Firewall Management Center features we support in Cloud-Delivered Firewall Management Center

• Sep 22, 2025
• Product Secure Firewall Threat Defense
• Version 7.6

UEFI Secure Boot Environment for Resource Connector Images

The Secure Access Resource Connector images for AWS support UEFI Secure Boot, which provides a trusted boot environment for the connector instance.Requirements for the UEFI Secure Boot EnvironmentIf you choose an AWS instance type that is not recommended by Cisco Secure Access, we can not guarantee that your Resource Connector instance can boot in AWS. Review the AWS documentation to verify whether your instance type supports UEFI Secure Boot.You can deploy Resource Connector images with UEFI Secure Boot on these architectures:Intel x86_64AMD64We recommend that you redeploy your Resource Connector instances with the UEFI Secure Boot environment.

• Nov 24, 2025
• Product Secure Access

Allow Outbound Network Access to Secure Access

The Cisco AD Connector server requires outbound access to certain URLs. If you use a transparent HTTP web proxy, ensure that the following URLs on port 80/443 are excluded from the proxy, and not subject to authentication:443 (TCP) to devices.api.secureaccessfed.cisco to sync the AD Users and Groups.Access to additional URLs on port 80/443 (TCP) for Windows to perform Certificate Revocation List and Code-Signing checks. For a complete list of ports, see AD Connector Communication Flow and Troubleshooting.

• Nov 24, 2025

Configure a Connector Server

You must configure a server that is a member of the AD domain with the following environment:Windows Server 2012, 2012 R2, 2016, 2019 or 2022 with the latest service packs and 100MB free hard disk drive space..NET Framework 4.5 or newer.If a local anti-virus application is running, allow the CiscoAuditClient.exe and CiscoAuditService.exe processes.You may deploy the Cisco AD Connector directly on the domain controller. In this case, the domain controller must meet all prerequisites. Only one Cisco AD Connector is required to provision users and groups from an AD domain. For redundancy, add an optional second connector.

• Nov 24, 2025

Prerequisites

Full Admin user role. For more information, see Manage Accounts.Configure a Connector Server.Allow Outbound Network Access to Secure Access.Create the Connector Account. Full Admin user role. For more information, see Manage Accounts.Configure a Connector Server.Allow Outbound Network Access to Secure Access.Create the Connector Account. Full Admin user role. For more information, see Manage Accounts.

• Nov 24, 2025

Create the Connector Account

When you deploy the Cisco AD Connector, you must create a new user account in the AD domain. This account must have these attributes:Set the account name (sAMAccountName) to Cisco_Connector. You can sign in with a custom username that has the required permissions.Select Password never expires.Passwords must not include backslashes, quotations (single or double), greater-than or less-than chevron brackets ( ), or colons.Assign Read and Replicating Directory Changes permissions.Alternately, you can make the Cisco AD Connector account a member of the built-in Enterprise Read-only Domain Controllers group, which automatically assigns these permissions. The Cisco AD Connector does an initial synchronization of the AD structure to Secure Access. After the sync, it detects changes to the AD structure and communicates these changes only. The detection of the changes requires the Replicating Directory Changes permission. The Cisco AD Connector can not function without this permission. The Replicating Directory Changes permission is different from the Replicating Directory Changes All permission, which enables retrieval of password hashes. The Cisco AD Connector does not read password hashes and thus does not require the Replicating Directory Changes All permission.

• Nov 24, 2025

SSH Key Generation

To troubleshoot a resource connector, Secure Access requires an SSH key pair. Use the SSH key pair to log in to your resource connector instance. The username is acadmin.(Recommended) Generate an SSH key pair using a standard tool such as ssh-keygen. When you configure the resource connector, add your public key.Supported SSH public key types are ssh-rsa and ssh-ed25519.For keys of type ssh-rsa, we recommend the key length of 2048 bits or 4096 bits.Save your SSH key in your location environment.You can not set up the SSH login after you deploy the connector.

• Dec 01, 2025
• Product Secure Access