Login

Cisco Secure Access Help

Cisco Secure Access Help
- Welcome to Cisco Secure Access
  - Sign into Secure Access with Security Cloud Sign On
    - Prerequisites
    - Procedure
  - Find Your Organization ID
    - Prerequisites
    - Procedure
  - Determine Your Current Package
    - Prerequisites
    - Procedure
  - View Cloud Security Service Status
    - Secure Access Services Overview
      - Regional Service Status
    - Scheduled Maintenance
    - Service Status History
      - No Incidents Reported
      - Past Incidents
  - Contact Cisco Secure Access Support
- Secure Access Single Sign-On Authentication
  - Configure Single Sign-On Authentication
    - Prerequisites
      - Add Your Organization's Identity Provider in Security Cloud Sign On
      - Add Administrators to Secure Access
    - Procedure
  - Troubleshoot Single Sign On Authentication
- Get Started
  - Begin Secure Access Onboarding Workflow
  - Step 1 – Configure Network Connections
    - Prerequisites
    - Task 1 – Add Network Connections
      - Add Network Tunnel Groups
      - Add Resource Connectors and Connector Groups
    - Task 2 – Provision Users and Groups
    - Task 3 – Configure Integrations with SAML Identity Providers
    - What's Next
  - Step 2 – Configure Access to Resources
    - Prerequisites
    - Task 1 – Set Up Private Resources
    - Task 2 – Configure Rule Defaults and Global Settings
      - Manage Rule Defaults
      - Manage Global Settings
    - Task 3 – Add a Policy Rule
    - What's Next
  - Step 3 - Configure End User Connectivity
    - Prerequisites
    - Task 1 – Configure Zero Trust
    - Task 2 – Configure Virtual Private Networks
    - Task 3 – Configure Internet Security
    - Configure Endpoints and Networks
  - Step 4 – Configure Endpoints and Network Sources
    - Prerequisites
    - Add Networks to Secure Access
    - Set Up the Cisco Secure Client
    - Add IPS Profiles
    - Configure Rule Profiles
  - Secure Access Overview Dashboard
    - Prerequisites
    - Get Started Workflow
    - Experience Insights
    - Connectivity
    - Data Transfer
    - Security
      - Security Activity
      - Top Security Categories
    - Users and Groups
    - Private Resources
- Quickstarts
  - Prerequisites
  - Quickstart – Cisco Secure Client with Zero Trust Access
    - Prerequisites
    - Procedure
    - Test Your Connectivity
  - Quickstart – Cisco Secure Client with Virtual Private Network
    - Prerequisites
    - Procedure
    - Test Your Connectivity
  - Quickstart – Cisco Secure Client with Internet Security
    - Prerequisites
    - Procedure
    - Test Your Connectivity
  - Quickstart – Browser with SAML Authentication
    - Prerequisites
    - Procedure
    - Test Your Connectivity
  - Quickstart – Bring Your Own Device with Zero Trust
    - Prerequisites
    - Procedure
    - Test Your Connectivity
- Limitations and Range Limits
  - Access Policy
  - Cisco Secure Client
  - Data Retention
  - Destinations for Client-Based Zero Trust Traffic
  - Domain Names
  - File Inspection and File Analysis
  - Internet Protocol Versions
  - Other Components
  - Reports
  - Resource Connectors and Resource Connector Groups
  - Service Connections
  - Users and Groups
    - Cloud Identity Providers
    - Users and Private Applications
- Network Requirements for Secure Access
  - Secure Access DNS Resolvers
    - Best Practices
    - Cisco Secure Client
    - Cisco Secure Client and External DNS Resolution
  - Secure Access Encrypted DNS Queries
  - Secure Access DNS, Web, and Block Pages
  - Secure Access DNS and Web – Client Configuration Services
    - Windows Only
  - Secure Access DNS and Web – Client Sync Services
  - Secure Access DNS and Web – Client Certificate Revocation Services
  - Cisco Secure Client and Captive Portal Detection
  - Cisco Secure Client and Device Hostnames
  - Transport Layer Security Protocol Requirements
    - TLS 1.2 Support in Windows
    - TLS 1.2 Support in macOS
  - Secure Access Secure Web Gateway Services
    - Egress IP Addresses for the Secure Web Gateway
    - Ingress IP Addresses for the Secure Web Gateway
  - Secure Access Encrypted Web Requests
  - Secure Access Realtime DLP Secure ICAP
  - Secure Access SaaS Tenants
    - Microsoft 365
  - Secure Access SAML Gateway Services
    - Active Directory Federation Service SAML Identity Provider
  - Secure Access SAML Identity Provider Domains
    - Azure AD SAML Identity Provider
  - Secure Access SAML Gateway Client Certificate Revocation Services
  - Secure Access VPN Services
  - Secure Access VPN Client Certificate Revocation Services
  - Secure Access Zero Trust Client-Based Enrollment Services
  - Secure Access Zero Trust Client-Based Proxy Services
    - Known Network Restrictions for Zero Trust Clients
  - Secure Access Zero Trust Client-Based Proxy – Client Certificate Revocation Services
  - Secure Access Zero Trust Proxy Services – Unmanaged Devices
  - Secure Access Zero Trust Services and Connector Groups
- Secure Access NAT as a Service
  - Web Traffic and NATaaS
    - IPv4 Shared Ranges
    - IPv6 Shared Ranges
  - Non-Web Traffic and NATaaS
  - Best Practices
  - Reserved IP
    - Network Requirements
    - Best Practices
    - Deployment of the Reserved IP
    - Known Limitations
      - IPv6
      - Remote Browser Isolation
      - Reserved IP Surrender
      - Port Exhaustion
    - Reporting and Reserved IP
    - Calculate Your Maximum Sessions
      - Example
    - Troubleshooting
  - Reserved IP Supplemental Terms
    - Cisco Secure Access Reserved IP Supplemental Terms
      - Effective January 31, 2024
        
        1. Scope of Use of Reserved IP
        
        2. Third Party Notifications
        
        3. Ownership; Right to Reclaim
        
        4. Right to Modify or Discontinue
        
        5. Compliance with Policies and Assistance
- Manage Network Connections
  - IPsec Network Tunnels
  - Resource Connector Groups
  - Comparison of Network Connection Methods
  - If a Private Resource is Served by Both a Tunnel Group and a Connector Group
  - Comparison of Network Connection Methods
    - Resource Connectors (Deployed in Connector Groups)
    - Network Tunnels (Deployed in Network Tunnel Groups)
- Manage Network Tunnel Groups
  - Failover for Branch Connections in Secure Access Data Centers
    - Primary Traffic Failover to Secondary
    - Recommendations
  - Device Compatibility and Network Tunnels
    - IPsec Tunnel Requirements
    - Supported Devices for Setting Up IPsec Tunnels
  - Add a Network Tunnel Group
    - About Network Tunnel Groups
    - Procedure
      - Step 1 - General Settings
      - Step 2 - Tunnel ID and Passphrase
      - Step 3 - Routing
      - Step 4 - Data for Tunnel Setup
    - What to do Next
  - Delete a Network Tunnel Group
    - Procedure
  - Edit a Network Tunnel Group
    - Procedure
  - View Network Tunnel Group Details
    - Procedure
  - Supported IPsec Parameters
- Network Tunnel Configuration
  - Establish a Tunnel
    - Maximum Transmission Unit (MTU) Size
    - Tunnel Size
    - Carrier-Grade NAT (CGNAT) Requirement
    - Client Reachable Prefixes
    - Throughput and Multiple Tunnels
  - Routing Options and Guidelines
    - Static Routing
    - Dynamic Routing with BGP
      - BGP Guidelines and Best Practices for Secure Access
      - Secure Access BGP Configuration
      - Key Considerations for Dynamic Routing
      - Tunnel Redundancy and High Availability
      - View BGP Routes
      - Important Restrictions
  - Configure Tunnels with Cisco Catalyst SD-WAN
    - Prerequisites
    - Step 1: Add a Network Tunnel Group in Secure Access
    - Step 2: Configure Cisco Catalyst SD-WAN Templates
      - Define the Feature Template
      - Add the IPsec Interface Template
    - Configure Static Routes
    - Verify Tunnel Status
  - Configure Tunnels with Cisco ISR
    - Prerequisites
      - Licensing and Hardware
      - Network Access
    - Configure Tunnels in Secure Access
    - Configure ISR (G2, 4K) or CSR
    - Test Your Configuration
      - Check Tunnel Status
      - Manually Trigger the Tunnel
      - Verify Tunnel Status
  - Configure Tunnels with Cisco Adaptive Security Appliance
    - Prerequisites
      - Licensing and Hardware
      - Network Access
    - Configure Tunnels in Secure Access
    - Configure ASA
    - Test and Verify
  - Configure Tunnels with Cisco Secure Firewall
    - Configure Secure Firewall Policy-based VPN
      - Configure Tunnels in Secure Access
      - Add Network Object
      - Add Traffic Selector ACL
      - Configure Site-to-Site VPN
      - Configure NAT Policy
      - Configure Access Policy
    - Configure Secure Firewall VTI, PBR, and Per Tunnel Identity
      - Configure Tunnels in Secure Access
      - Configure Site-to-Site VPN
      - Configure Policy-based Routing
      - Configure Access Policy
    - Troubleshooting
      - Enable Logging for Debugging
  - Configure Tunnels with Meraki MX
    - Prerequisites
    - Caveats and Considerations
    - Supported Use Cases and Requirements
      - Remote Access VPN and ZTA
      - Branch-to-Branch through Secure Access
      - Secure Internet Access with Non-Meraki VPN
    - Step 1: Add a Network Tunnel Group in Secure Access
    - Step 2: Configure a Tunnel in Meraki MX
    - Verification and Troubleshooting
    - Optional Configurations
  - Configure Tunnels with NEC IX2000 Series Router
    - Prerequisites
    - Configure Tunnels in Secure Access
    - Configure the NEC IX router
    - Test the NEC IX router Deployment
    - Other Resources
      - Supported IPsec Parameters
      - NEC IX router
  - Configure a Site-to-Site VPN tunnel with Microsoft Azure
    - Overview
    - Prerequisites
    - Configure S2S Tunnels with Static Routing
      - Step 1: Create a VPN Gateway in Microsoft Azure
      - Step 2: Create a network tunnel group in Secure Access
      - Step 3: Create two local network gateways in Azure with S2S connections
      - Step 4: Create a static route table in Azure
      - Step 5: Verify tunnel status in Secure Access
    - Configure S2S Tunnels with Dynamic Routing with BGP
      - Step 1: Create a VPN Gateway in Microsoft Azure
      - Step 2: Create a network tunnel group in Secure Access
      - Step 3: Create two local network gateways in Azure with S2S connections
      - Step 4: Verify tunnel status in Azure and Secure Access
    - What to do next
- Manage Resource Connectors and Connector Groups
  - Overview: Setting Up Resource Connectors and Connector Groups
  - Requirements and Prerequisites for Resource Connectors and Connector Groups
    - Guidelines for Connector Groups
      - Connector Group Region
      - Redundancy Across Connector Groups
    - Requirements and Guidelines for Connectors
    - Connectivity Requirements
    - Capacity Requirements
  - Allow Resource Connector Traffic to Secure Access
    - Region-Specific Destinations
    - Destinations For All Regions
  - Add Resource Connector Groups
    - Prerequisites
    - Guidelines for Configuring Domains and DNS Servers on Connectors Groups
      - About Resource Connectors and DNS resolution of Internal Domains
    - Procedure
      - Configure Connector Group Name and Region
      - Estimate the Volume of Traffic to Your Resource Connectors
      - (Optional) Add Domains and DNS Servers for the Connector Group
    - What's Next
  - Add Connectors to a Connector Group
    - Prerequisites
    - Procedure
      - Step 1 – Deploy Secure Access Resource Connectors
      - Step 2 – Confirm Connectors
      - Step 3 – Assign Private Resources to Connector Group
  - Obtain the Connector Image
    - Requirements
    - Get the Connector Image for AWS
    - Get the Connector Image for Microsoft Azure
    - Download the Connector Image for VMware
    - Get the Connector Image for Docker
  - Provisioning Keys for Resource Connectors
    - Important Information about Provisioning Keys
    - Prerequisites
    - Procedure
      - Copy the Provisioning Key for a Connector Group
  - Deploy a Connector in VMware
    - Prerequisites
      - Add a Connector Group
      - Obtain the Connector Image
      - Disk Encryption
      - SSH Key Generation
    - UEFI Secure Boot Environment for Resource Connector Images
      - Requirements for the UEFI Secure Boot Environment
    - Procedure
    - Step 1 – Extract the Connector Image for VMware Tar File
    - Step 2 – Verify the Integrity of the Image
      - Validate the Signature
      - Verify the Checksum of the Signing Key
    - Step 3 – Deploy the OVF Template
    - Step 4 – Power on Connector Instances
    - Step 5 – Confirm Connectors
  - Deploy a Connector in AWS
    - Prerequisites
    - Get Connector Images on the AWS Marketplace
    - UEFI Secure Boot Environment for Resource Connector Images
      - Requirements for the UEFI Secure Boot Environment
    - Procedure
      - Step 1 – Launch an Amazon Machine Image for the Connector Instance
      - Step 2 – Configure the Connector
      - Step 3 – Launch the Connector Instance
  - Deploy a Connector in Azure
    - Prerequisites
    - UEFI Secure Boot Environment for Resource Connector Images
    - Deployment Requirements
    - Procedure
      - Step 1 – Get Connector Images on Microsoft Azure Marketplace
      - Step 2 – Configure the Resource Connector Virtual Machine
      - Step 3 – Connect to the Resource Connector Instance
  - Deploy a Connector in Docker
    - Prerequisites
    - Deployment Guidelines
      - Host or VM Requirements
      - Supported Host OS
    - Procedure
      - Set Up the Resource Connector and Container
      - Launch the Resource Connector in the Docker Container
    - View the Deployed Resource Connectors in Secure Access
    - Troubleshoot Container Deployments
      - Setup Failures
        
        Rate Limit with Docker Pull
        
        Connectivity Issues
      - Check the Container's Status
      - Get the Version of the Docker Container Image
      - Stop the Container
      - Restart the Container
      - Delete the Container
      - About the Diagnostic and Techsupport Scripts
      - Run Diagnostic and Techsupport Scripts
  - Determine the Number of Connectors Needed in a Connector Group
    - Prerequisites
    - Procedure
  - Assign Private Resources to a Connector Group
    - Guidelines for Assigning a Private Resource to a Connector Group
    - Prerequisites
    - Procedure
  - View a Connector Group's Connectors and Assigned Resources
    - Prerequisites
    - Procedure
  - Edit a Resource Connector Group
    - Prerequisites
    - Guidelines for Configuring Domains and DNS Servers on Connectors Groups
    - Procedure
      - Edit the Name of the Connector Group
      - Add Domains and DNS Servers for the Connector Group
      - Remove All Configured DNS Servers and Domains
      - Edit Configured Domains and DNS Servers for the Connector Group
  - Disable, Revoke, or Delete Resource Connectors and Groups
    - About Disabling a Resource Connector
    - About Revoking a Resource Connector
    - About Deleting a Resource Connector
    - Disable, Revoke, or Delete a Connector
    - Disable or Delete a Resource Connector Group
  - Maintain and Monitor Resource Connectors and Connector Groups
    - Resource Connector Software Updates
      - Troubleshooting Connector Software Updates
    - Connector Platform Operating System (OS) Updates
    - Monitor Connector and Connector Group Status
      - Check Connector Group Status on the Overview Page
      - Check Connector Group Status on the Connector Groups Page
      - Check Connector Status
    - Increase Connector Group Capacity
    - Check Connector CPU Load
  - Troubleshoot Resource Connectors and Connector Groups
    - General Troubleshooting
    - About Resource Connector Issues
    - Throughput Capacity is Less Than Expected
    - Users Cannot Connect to Private Resources
    - Connector Software Auto-Upgrade Fails
    - Connector Operating System (OS) Version has Security Vulnerabilities
      - Manage Access Control and Vulnerabilities for Containers
    - Connector is Expired
      - Check the Status of Your Connector
      - (VMware Only) View Connector Diagnostic Information
      - Check for an Expired Connector in Secure Access
      - Clean Up an Expired Connector
      - Delete the Connector Container
    - Stop a Connector
      - Stop the Connector Container
    - Unable to Revoke or Delete a Connector
    - Unable to Sync
    - Connector-Related Status Graphs are not Current
    - (Container Only) Connector Troubleshooting Tools
      - Supported Linux Commands
      - Run Diagnostic or Techsupport Scripts
      - Troubleshoot Container Deployments
    - (VM Only) Connector Diagnostics (CLI)
      - Supported Commands
      - Run the Diagnostic Command
    - Diagnostic Codes
      - Diagnostic Codes for Connector Update Issues
      - Diagnostic Codes for Other Connector Issues
      - Supported Standard Linux Troubleshooting Commands
- Secure Access Regions
- Manage Users, Groups, and Endpoint Devices
  - Get Started with User Configuration Management
    - Step 1 – Manage User Directories
    - Step 2 – Manage User Authentication Profiles
  - Get Started with Endpoint Device Management
  - View Provisioned Users and Groups
  - Manage Remote Access VPN and Zero Trust Device Connections
  - View User Details
    - Prerequisites
    - Procedure
    - View Users Provisioned in Secure Access
    - View User Details
      - General
      - Devices and Connectivity
      - Groups and Events
      - Associated Rules
  - View Group and Organizational Unit Details
    - Prerequisites
    - Procedure
    - Group Details
      - General Group Details
    - Organizational Unit Details
  - View Endpoint Device Details
    - Prerequisites
    - Procedure
    - View Details for Endpoint Devices
    - View a Configured AD Device
      - General
      - Associated Rules
  - Unenroll Devices for Client-Based Zero Trust Access
    - Reenroll the User Device on the Secure Client
    - Prerequisites
    - Procedure
  - Disconnect Remote Access VPN Sessions
    - Prerequisites
    - Procedure
- Manage User Directories and Device Management
  - About Configuring Multiple Cloud Provisioning IdPs
  - Configure User Directory Integrations
  - Manage User Directory Integrations
  - Configure Active Directory Endpoint Device Management
  - Configure User Directory Integrations
    - Prerequisites
    - Procedure
    - View Directories
    - Next Steps
  - Manage Cloud Identity Providers
    - Add a Cloud Identity Provider
      - Prerequisites
      - Requirements
      - Procedure
      - View an Integrated Cloud Provider
      - What's Next
    - Edit an Identity Provider Integration
      - Prerequisites
      - Procedure
    - Delete an Identity Provider Integration
      - Prerequisites
      - Procedure
  - Import Users and Groups from CSV File
    - Prerequisites
    - CSV File Format
    - CSV File Fields
    - Procedure
    - View Provisioned Users and Groups in Secure Access
  - Manage Active Directory Integration
    - Prerequisites
    - Procedure
      - Download the Active Directory Components
      - Edit the Active Directory Connector Auto-Upgrades
      - Edit Authentication Properties for the AD Integration
      - View Active Directory Components
      - Manage Sites for AD Components
      - Delete Active Directory Integration
  - Manage Google Workspace Account
    - Prerequisites
    - Procedure
  - Manage Imported Users and Groups
    - Prerequisites
    - Procedure
      - Upload a New CSV File with Users and Groups
      - Delete an Imported CSV File
- Manage Advanced Configuration Settings
  - Prerequisites
  - Procedure
    - Set Up Authentication Preferences for Identity Providers
    - Set Up IP Surrogates for SSO User Authentication
    - Set Up API Authentication
  - Manage IP Surrogates for User Authentication
    - Prerequisites
    - How HTTPS Inspection Works
    - Procedure
      - Enable IP Surrogates for User Authentication
      - Add Internal Networks for Bypass
    - Delete Internal Networks for Bypass
- Configure Identity Providers
  - Prerequisites
  - Procedure
  - Provision Users and Groups from Okta
    - Prerequisites
    - Limits and Best Practices
    - Supported Features
    - Configure the Cisco User Management Connector App in Okta
      - Step 1 – Add the Cisco User Management Connector App in Okta
      - Step 2 – Add the Secure Access SCIM Token and URL in the App
      - Step 3 – Configure User Options in the App
      - Step 4 – (Optional) Add a New Attribute
    - (Optional) Add an objectGUID Attribute and Create the User Profile Mapping
      - Add the objectGUID Attribute
      - Create the User Profile Mappings
      - Step 5 – (Optional) Provision Custom Attribute to Authenticate Users
    - (Optional) Provision authName Attribute to Authenticate Users
      - Prerequisites
      - Customize the authName Attribute
      - Map the Custom authName Attribute to a User Profile
      - (Optional) Force-Sync Existing Users
      - Step 6 – Assign Users or Groups in the App
      - Step 7 – Push Users or Groups from the App to Secure Access
      - Step 8 – View Logs in the App
    - View Provisioned Users and Groups in Secure Access
    - Refresh SCIM Token
  - Provision Users and Groups from Microsoft Entra ID
    - Prerequisites
    - Limitations
    - Procedure
      - Configure Provisioning in Microsoft Entra ID
      - Supported Attributes for Users
      - Supported Attributes for Groups
    - Configure Guest Users
    - View Provisioned Users and Groups in Secure Access
    - Refresh SCIM Token
- Provision Users, Groups, and Endpoint Devices from Active Directory
  - Next Steps
  - Prerequisites for AD Connectors
    - Connector Server
    - Outbound Network Access to Secure Access
    - Connector Account
  - Connect Multiple Active Directory Domains
  - Manage AD Components
    - Add AD Components in Secure Access
      - Prerequisites
        
        Support for Multiple AD Domains and AD Forests
      - Procedure
        
        Verify Auditing of Logon Events on Domain Controllers
        
        Download the Windows Configuration Script for Domain Controllers
        
        Run the Windows Configuration Script for the Domain Controllers
        
        Add a Domain Controller in Secure Access
        
        Add a Domain in Secure Access
    - Manage Sites for AD Components
      - Prerequisites
      - Procedure
        
        Edit a Site
    - View AD Components in Secure Access
      - Prerequisites
      - Procedure
        
        View AD Components in Secure Access
    - Delete AD Components
      - Prerequisites
      - Procedure
        
        Delete an AD Component
        
        Remove All AD Components
  - Manage AD Connectors
    - How to Connect Active Directory to Secure Access
    - Configure Authentication for AD Connectors and VAs
      - How to Set Up Your API Credentials
      - Prerequisites
      - Procedure
        
        Step 1 – Create the Key Admin API Key Credentials
        
        Step 2 – Add the Key Admin API Key Credentials
      - Refresh Client API Key and Secret
      - Reset Client API Key
    - Configure Updates on AD Connectors
      - Prerequisites
      - Procedure
    - Connect Active Directory to Secure Access
      - Prerequisites
      - Procedure
        
        Step 1 – Download the Active Directory Connector
        
        Step 2 - Install the Active Directory Connector
      - (Optional) Specify AD Groups in Selective Sync File
        
        Rename Selective Sync File After Upgrading to AD Connector v1.14.4
        
        Create AD Groups in a Selective Sync File
        
        Supported Organizational Units
        
        Unsupported Organizational Units
        
        Sample File Entries
        
        Total Number of Groups Selected for Synchronization
    - Deploy LDIF Files for AD Connector
      - Best Practices for LDIF Source Deployments
      - Requirements
      - Known Limitations
      - Prerequisites
      - Procedure
        
        Step 1 – Download the Active Directory Connector
        
        Step 2 – Install the Cisco AD Connector
        
        Step 3 – Deploy the LDIF Source Files
      - Troubleshooting
        
        Scenario 1
        
        Scenario 2
        
        Scenario 3
        
        Scenario 4
        
        Analyze Logs
    - Change the Connector Account Password
      - Prerequisites
      - Procedure
    - AD Connector Communication Flow and Troubleshooting
      - Communication Flow
      - Troubleshooting
        
        Network Requirements
        
        Restart the Active Directory Connector
  - Edit AD Authentication Properties
    - Best Practices: Configuring the AD Authentication Properties
    - Prerequisites
    - Procedure
  - AD Integration with Virtual Appliances
    - Network Diagram for VA Deployments
    - How to Set Up AD Components with VAs
    - Prerequisites for AD Connectors and VAs
      - Connector Server
        
        Guidelines for AD Deployments with Secure Access Virtual Appliances
      - Outbound Network Access to Secure Access
      - Connector Account
        
        Guidelines for AD Deployments with Secure Access Virtual Appliances
    - Prepare Your AD Environment
      - About the AD Connector and Logon Events
      - Prerequisites
        
        Additional Prerequisites for the Windows Event Log Collector
      - Procedure
      - Integrate AD with Domain Controllers
        
        Support for Multiple AD Domains and AD Forests
        
        Verify Auditing of Logon Events on Domain Controllers
        
        Download the Windows Configuration Script for Domain Controllers
        
        Run the Windows Configuration Script for the Domain Controllers
        
        Add a Domain Controller in Secure Access
        
        View the Registered AD Components in Secure Access
      - Integrate AD with a Centralized Windows Event Log Collector
        
        Step 1 – Add the Windows Event Log Collector in Secure Access
        
        Step 2 – Add the AD Domains in Secure Access
    - Connect Active Directory to VAs
      - How to Configure the Setup of the AD Connector
      - Prerequisites
      - (Optional) Specify AD Groups in Selective Sync File
        
        Rename Selective Sync File After Upgrading to AD Connector v1.14.4
        
        Create AD Groups in a Selective Sync File
        
        Supported Organizational Units
        
        Unsupported Organizational Units
        
        Sample File Entries
        
        Total Number of Groups Selected for Synchronization
      - Procedure
        
        Step 1 – Set Up Domain Controllers
        
        Step 2 – Download the Active Directory Connector
        
        Step 3 - Install the Active Directory Connector
        
        Step 4 – View the Installed AD Components in Secure Access
      - Change Connector Account Password
      - Configure Updates to AD Connectors
    - Multiple AD Domains with Secure Access Sites
      - Prerequisites
      - Active Directory Sites and Secure Access Sites
        
        Active Directory Sites and Services
        
        Secure Access Sites
        
        When to Use Secure Access Sites
        
        Caveats
      - Use Secure Access Sites
        
        Active Directory Only
- Manage User Authentication Profiles
  - Add User Authentication Profiles
  - About Single Sign-On
  - View User Authentication Profiles
  - Edit a User Authentication Profile
  - Delete a User Authentication Profile
  - Add SSO Authentication Profiles
    - Requirements for Configuring SSO Authentication Profiles
    - About the Default Provisioning Profile
    - Prerequisites
    - Procedure
    - View SSO Authentication Profiles
  - About Single Sign-On for Users
    - Sign-On for Provisioned Users
      - Scenario
      - Sample Sign-On Window
    - Sign-On for Non-Provisioned Users
      - Scenario
      - Sample Sign-On Window
  - Edit an SSO Authentication Profile
    - Prerequisites
      - (OIDC Only) Get Metadata for OIDC Configuration URL
    - Procedure
      - Edit SAML User Authentication Profile
      - Edit OIDC User Authentication Profile
  - Delete SSO Authentication Profile
    - Prerequisites
    - Procedure
      - Delete SAML User Authentication Profile
      - Delete OIDC User Authentication Profile
- Configure Integrations with OIDC Identity Providers
  - About Using OpenID Connect with Secure Access
  - Use Cases – SSO Authentication
    - Secure Internet Access—Networks and Network Tunnels
    - Zero Trust Access with the Cisco Secure Client
    - Zero Trust Access with an Unmanaged Device
  - Configure Identity Providers for OIDC Authentication
    - Secure Access Redirect URI
  - Configure Okta for OpenID Connect
    - Prerequisites
    - Verify the UPN and preferred_username Mapping
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Configure the Identity Provider's OIDC Metadata
      - Step 3a – Add the Secure Access Redirect URI in Okta
      - Step 3b – Configure the Core Grants in Okta
      - Step 3c – Get the Okta OIDC Client ID and Secret
      - Step 3d – Get the Okta OIDC Configuration URL
    - Step 4 – Add the OIDC Metadata in Secure Access
  - Configure Microsoft Entra ID for OpenID Connect
    - Prerequisites
      - Bypass Domains from SSL Decryption
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Configure the Identity Provider's OIDC Metadata
      - Step 3a – Add the Secure Access Redirect URI in Entra ID
      - Step 3b – Get the Client ID and Secret for Entra ID OIDC
      - Step 3c – Get the Tenant ID for Entra ID OIDC
    - Step 4 – Add the OIDC Metadata in Secure Access
- Configure Integrations with SAML Identity Providers
  - Use Cases
    - Secure Internet Access—Networks and Network Tunnels
    - Zero Trust Access with the Cisco Secure Client
    - Zero Trust Access with an Unmanaged Device
  - Configure Identity Providers for SAML Authentication
  - Prerequisites for SAML Authentication
    - Secure Access Service Provider Metadata
    - Requirements
      - Enable SAML and Decryption in the Security Profile
      - Encrypted SAML Assertions
  - Configure Microsoft Entra ID for SAML
    - Prerequisites
      - Bypass Domains from SSL Decryption
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add Secure Access Service Provider Metadata to Entra ID
      - Step 3c – Add the Azure SAML Metadata to Secure Access
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure Okta for SAML
    - Prerequisites
    - Procedure
    - Step 1 – Add SSO Authentication Profile in Secure Access
    - Step 2 – Select Okta SAML Identity Provider in Secure Access
    - Step 3 – Download the Secure Access SP Metadata and Certificates
    - Step 4 – Configure the Okta App Integration
    - Step 5 – Add Okta Metadata in Secure Access
    - Configure Okta with the Secure Access SAML Metadata
    - Get Metadata from Okta App Integration
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure AD FS for SAML
    - Prerequisites
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add the Secure Access Service Provider Metadata to AD FS
      - Step 3c – Add the AD FS SAML Metadata to Secure Access
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure Duo Security for SAML
    - Prerequisites
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add Secure Access Service Provider Metadata to Duo Security
      - Step 3c – Add the Duo Security SAML Metadata to Secure Access
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure Ping Identity for SAML
    - Prerequisites
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add the Identity Provider's SAML Metadata
      - Step 3c – Add the Ping Identity SAML Metadata to Secure Access
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - Configure OpenAM for SAML
    - Prerequisites
    - Procedure
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add Secure Access Service Provider Metadata to OpenAM
      - Step 3c – Add the OpenAM Metadata to Secure Access
    - Test the Identity Provider Integration
    - View the SAML Certificates in Secure Access
  - SAML Certificate Renewal Options
    - Known Limitations
    - Automatic Configuration Through the Fixed Metadata URL
      - Prerequisites
    - Manual Import of the Secure Access SAML Certificate
  - Test SAML Identity Provider Integration
    - Prerequisites
    - Procedure
- Manage End-User Connectivity
  - DNS Servers
  - Traffic Steering for Cisco Secure Client Connections
  - Virtual Private Networks Settings and Profiles
  - Internet Security
- FQDNs for Network Connections
  - About Fully Qualified Domain Names (FQDNs)
  - Secure Access Global FQDN
  - Secure Access Regional FQDNs
  - Secure Access VPN Headend FQDN
- Manage DNS and DDNS Servers
  - Manage DNS Servers
    - Add a DNS Server
    - View DNS Servers
    - Edit a DNS Server
    - Delete a DNS Server
  - Map DNS Servers to Regions
    - Prerequisites
    - Procedure
  - Manage DDNS Servers
    - Prerequisites
    - About Configuring DDNS Servers
    - Add a DDNS Server Group
    - View DDNS Servers
    - Edit a DDNS Server
  - Map DDNS Servers to Regions
    - Prerequisites and Guidelines
    - Procedure
- Manage Virtual Private Networks
  - How to Manage Remote Access VPNs in Secure Access
  - Manage Regions and IP Pools
    - Prerequisites
    - Procedure
      - Add a Region Configuration
  - Add an IP Pool
    - Prerequisites
    - Procedure
      - Add an IP Pool
      - Add a RADIUS Group (optional)
  - Assign and Modify IP Pools
    - Prerequisites
    - Procedure
      - Assign an IP Pool
      - Modify IP Pools
      - Modify IP Pool Assignment
  - Manage RADIUS Servers and Groups
  - RADIUS and AAA Guidelines
    - Groups
    - SAML Support
  - Manage VPN Profiles
  - Add VPN Profiles
    - Prerequisites
    - Step 1 – General Settings
    - Step 2 – Authentication, Authorization, and Accounting
      - SAML
      - Authenticate with CA certificates
      - SAML Configuration
      - SAML Metadata XML Configuration
      - Manual Configuration
      - RADIUS
      - Certificate
    - Step 3 – Traffic Steering (Split Tunnel)
      - Step 3a – Traffic Steering (Split Tunnel)
      - Step 3b – Proxy and DNS Steering Settings
    - Step 4 – Cisco Secure Client Configuration
  - Add a RADIUS Group
    - Prerequisites
    - Procedure
  - Manage VPN Settings
    - Restrict manual host entries
  - Manage Machine Tunnels
    - About the VPN Machine Tunnel
    - Limitations
    - Prerequisites
    - Procedure
      - Step 1 – General Settings
      - Step 2 – Authentication for Machine Certificate
      - Step 3 – Traffic Steering (Split Tunnel)
      - Step 4 – Cisco Secure Client Configuration
    - Machine Tunnel - What to do Next
    - Authenticate Device Identity with Active Directory
      - Prerequisites
      - Procedure
        
        Step 1: Configure Active Directory Endpoint Device Management
        
        Download the Active Directory Components
        
        Edit the Active Directory Connector Auto-Upgrades
        
        View Active Directory Components
        
        Manage Sites for AD Components
        
        Delete Active Directory Integration
        
        Step 2: Authenticate Active Directory Devices
        
        Step 3: Use Active Directory Devices as Sources in Access Rules
      - View Endpoint Device Details in Secure Access
    - Provision a Machine Tunnel User
      - Prerequisites
      - Procedure
      - View Provisioned Users and Groups in Secure Access
  - Manage Application-Based Remote Access VPN (Per App VPN)
    - Benefits
  - Manage Custom Attributes
    - About Per APP VPN
    - About Bypass Virtual Subnets
    - About Cisco Secure Client on Mobile Devices
      - Guidelines and Limitations for Secure Client AnyConnect on Android
      - Guidelines and Limitations for Secure Client AnyConnect on Apple iOS
    - Define Custom Attributes
      - Prerequisites
      - Supported Platforms
      - Limitations
      - Define Per App VPN Custom Attributes
        
        Step 1 - Determine the Application IDs for Mobile Applications
        
        Step 2 - Create a Base64 Encoded String for Each Mobile Application
        
        Step 3 - Create a Custom Attribute Object
      - Define Bypass Virtual Subnets Custom Attributes
        
        Procedure
      - Edit Cisco Secure Client Settings
        
        Procedure
  - Manage Secure Client Scripts
    - Guidelines and Limitations
    - Prerequisites
    - Enable Secure Client Scripts
    - Upload Secure Client Scripts
- Traffic Steering for Zero Trust Access Client-Based Connections
  - Best Practices
  - Limits: Zero Trust Traffic Steering Rules
    - Windows or macOS
    - iOS
    - Android: Samsung, Chrome and Generic
  - Prerequisites
  - Procedure
  - View Zero Trust Traffic Rules
  - Add a Zero Trust Traffic Rule
  - Edit a Zero Trust Traffic Rule
  - Delete a Zero Trust Traffic Rule
  - Using Wildcards to Configure Traffic Steering for Private Destinations
    - Exception
    - Prerequisites
    - Procedure
  - Traffic Steering for ZTA Connections to Internet and SaaS Destinations
    - Procedure
  - Addresses That Never Use Zero Trust Access
    - IPv6
    - IPv4
  - Zero Trust Access to Internet Destinations
    - Solution Overview
  - Trusted Networks for Zero Trust Access Connections
    - Prerequisites
    - Procedure
- Manage Internet Security
  - Download Cisco Secure Client or Copy Secure Access PAC File URL
  - Add Bypass Domains and Set Up Internet Security
  - Next Steps
  - Set Up Internet Security on User Devices
    - Prerequisites
      - Visibility of User Identities in Policy Rules
    - Procedure
      - Download the OrgInfo.json File
      - Copy the PAC File URL
  - Manage Internet Security Bypass
    - About Internet Security Bypass
    - Set Up Internet Security Bypass
    - Add Destinations for Internet Security Bypass
      - Prerequisites
      - Procedure
        
        Steer Traffic to Secure Access or Bypass Domains
      - View Destinations for Internet Security Bypass
    - Edit Destination for Internet Security Bypass
      - Prerequisites
      - Procedure
    - Delete Destination for Internet Security Bypass
      - Prerequisites
      - Procedure
  - Configure Cisco Secure Client Settings
    - Prerequisites
    - Procedure
    - Configure Security Settings
      - Configure DNS and Web Security
    - Configure Advanced Security Settings
      - Use Active Directory for Access Policy
      - Third Party VPN Compatibility
      - DNS Protection
      - DNS Backoff Settings
      - Secure Web Gateway Backoff Settings
- Manage PAC Files
  - Requirements for Downloading PAC Files to User Devices
    - Supported Versions of the Secure Client for PAC Files
  - About Using the Secure Client with PAC Files
  - Managing PAC File Deployments
  - Deploy the Secure Access PAC File for Windows
    - Prerequisites
      - Supported Versions of the Secure Client for PAC Files
    - Copy URL for Default PAC File or Custom PAC File
      - Copy URL for the the Secure Access PAC File
      - Copy URL for Custom PAC File
    - Procedure
      - Deploy the Secure Access PAC File URL for Chrome and Edge Browsers
      - Deploy the Secure Access PAC File URL for Firefox
  - Deploy the Secure Access PAC File for macOS
    - Prerequisites
      - Supported Versions of the Secure Client for PAC Files
    - Copy URL for Default PAC File or Custom PAC File
      - Copy URL for Secure Access PAC File
      - Copy URL for Custom PAC File
    - Procedure
      - Deploy the Secure Access PAC File URL to Chrome
      - Deploy the Secure Access PAC File URL to Firefox
      - Deploy the Secure Access PAC File URL to Safari
  - Customize the Secure Access PAC File
    - Prerequisites
    - Procedure
      - Copy the Secure Access PAC File
      - Download the Secure Access PAC File
      - Edit the PAC File
  - Upload Custom PAC Files to Secure Access
    - Prerequisites
    - Requirements for Uploading Custom PAC Files in Secure Access
    - Procedure
      - Uploading Custom PAC File and Error Conditions
    - Manage Uploaded Custom PAC Files
      - View Custom PAC Files in Secure Access
      - Copy URL for Custom PAC File
      - Replace Custom PAC File
      - Rename Custom PAC File
- Manage Proxy Chaining
  - Network Requirements
  - Forwarded-For (XFF) Configuration
    - On-Premises XFF Header Configuration (No Plug-In)
      - Guidelines
    - Browser Plugin XFF Header Configuration (No Proxy Chaining)
- Manage Registered Networks
  - Add Network Resources
    - Prerequisites
      - Dynamic IP Address—IPv4 Only
    - Procedure
      - Step 1 – Select the Network
      - Step 2 – Configure the Network Resource
      - Step 3 – Change the DNS Settings on Your Relevant Network Device
      - Step 4 – Apply a Policy Rule to the Network Resource
      - Step 5 – Test Your Network
  - Point Your DNS to Cisco Secure Access
    - Cisco Secure Access DNS Resolvers – IP addresses
    - Cisco Secure Access DNS Resolvers – Anycast IP Addresses
    - Prerequisites
    - Procedure
      - Step 1 – Identify Where Your Public DNS Server Addresses are Configured
      - Step 2 – Log Into the Server or Router Where DNS is Configured
      - Step 3 – Change Your DNS Server Addresses
        
        Primary and Secondary Servers
      - Step 4 – Test Your New DNS Settings
  - Clear Your DNS Cache
    - Prerequisites
    - Clear Your DNS Cache on Computers and Servers
      - Windows 7 and Earlier
      - Windows 8 and Newer
      - OS X 10.4 TIGER
      - OS X 10.5 and 10.6 LEOPARD
      - OS X 10.7 and 10.8 Lion
      - OS X 10.9 and 10.10
      - Linux
      - Ubuntu Linux
    - Clear Your DNS Cache on Browsers
      - Internet Explorer 8 and Newer – Windows
      - Mozilla Firefox – Windows
      - Apple Safari – macOS
      - Apple Safari – macOS
      - Google Chrome – Windows
      - Google Chrome – macOS
  - Update a Network Resource
    - Prerequisites
    - Edit the Registered Network Resource Name
    - Update the Registered Network Resource
  - Delete a Network Resource
    - Prerequisites
    - Procedure
- Manage Internal Networks
  - Add Resources to Associate with Internal Networks
  - Add Internal Network Resources
    - Prerequisites
      - Add Resources to Associate with Internal Networks
    - Procedure
  - Update an Internal Network Resource
    - Prerequisites
    - Procedure
  - Delete an Internal Network Resource
    - Prerequisites
    - Procedure
- Manage Sites
  - How to Add and Associate Sites in Secure Access
- Manage Destination Lists
  - Best Practices
  - How to Format Your Destination List
  - Add a Destination List
    - Prerequisites
    - Procedure
  - Upload Destinations From a File
    - Prerequisites
    - Procedure
  - Edit a Destination List
    - Prerequisites
    - Procedure
  - Download Destinations to a CSV File
    - Prerequisites
    - Procedure
  - Control Access to Custom URLs
    - Prerequisites
    - Block a URL
      - URL Normalization
      - URL Normalization for Destination Lists
      - Troubleshooting Unblocked URLs
      - Reporting for Blocked URLs
    - Examples
    - Troubleshooting
  - Wildcards in Destination Lists
    - Guidelines
    - Domains and Wildcards
      - Unsupported Domain Entries in Destination Lists
    - URLs and Right-Side Wildcarding
  - Troubleshoot Destination Lists
    - Destination Lists and Common Error Conditions
- Manage AAA Servers
- Manage Schedules
  - About Configuring Schedule Resources
  - Guidelines for Creating Schedules
  - Get Started with Schedules
  - Add a Schedule
    - Prerequisites
    - Procedure
  - View and Manage Schedules
    - Prerequisites
    - Procedure
    - View Schedules in Secure Access
    - Edit a Schedule
    - Delete a Schedule
- Manage Internet and SaaS Resources
- Manage Application Lists
  - Add an Application List
    - Prerequisites
    - Procedure
    - What's Next
  - Application Categories
    - Category Descriptions
  - Delete an Application List
    - Prerequisites
    - Procedure
- Manage Content Category Lists
  - Available Content Categories
  - Add a Content Category List
    - Prerequisites
    - Procedure
  - Request a Category for an Uncategorized Destination
    - Prerequisites
    - Procedure
  - Dispute a Content Category
    - Prerequisites
    - Procedure
  - View Content Categories in Reports
    - Prerequisites
    - View Content Categories in Activity Search Report
    - View Content Categories in Top Threats Report
    - View Content Categories in Total Requests Report
    - View Content Categories in Activity Volume Report
    - View Content Categories in Top Destinations Report
    - View Content Categories in Top Categories Report
- Manage Tenant Control Profiles
  - Add a Tenant Controls Profile
    - Prerequisites
    - Procedure
  - Control Cloud Access to Microsoft 365
    - Prerequisites
    - Procedure
  - Control Cloud Access to Google G Suite
    - Prerequisites
    - Limitations
    - Procedure
  - Control Cloud Access to Slack
    - Prerequisites
    - Procedure
  - Control Cloud Access to Dropbox
    - Prerequisites
    - Procedure
  - Control Cloud Access to YouTube
    - Prerequisites
    - Procedure
  - Use Tenant Controls in Access Rules
  - Review Tenant Controls Through Reports
    - Prerequisites
    - Procedure
- Manage Network Devices
  - Prerequisites
  - How to Add a Network Device in Secure Access
  - Procedure
    - View the Network Devices in Secure Access
    - Edit a Network Device
    - Remove a Network Device
- Manage Roaming Devices
  - View Internet Security Settings for Roaming Devices
    - Prerequisites
    - Procedure
      - Host Information
      - Secure Web Gateway
      - Security Information – IPv4
      - Security Information – IPv6
  - Edit Internet Security Settings for Roaming Devices
    - Prerequisites
    - Procedure
      - Edit the Auto-Delete Interval for Roaming Devices
      - Disable the Internet Security Settings
      - Enable the Internet Security Settings
      - Remove the Internet Security Override on Roaming Devices
  - Delete a Roaming Device
    - Prerequisites
    - Procedure
- Manage Private Resources
  - Step 1 – Configure Private Resources
    - Optional Configuration for Private Resources
  - Step 2 — Set Up Network Connections, VPN Profiles, and Certificates
  - Step 3 — Add Private Resources in Policy Rules
  - Step 4 — Set Up the Cisco Secure Client and Distribute URLs
  - Add a Private Resource
    - Prerequisites
    - Define a Private Resource
    - Communication with Secure Access Cloud
    - Endpoint Connection Methods
      - Zero-Trust Connections
      - VPN Connections
    - Resource Connector Groups
    - Decryption
    - View Access Rules Associated with a Private Resource
    - What's Next
  - Discover Private Resources
    - Procedure
      - Bulk actions
  - Test Private Resource Reachability
    - Prerequisites
    - Procedure
    - Test Results
  - Add a Private Resource Group
    - Prerequisites
    - Procedure
  - Private Resource Configuration Examples
    - Private Resource located in multiple locations
    - Catch-All Private Resource to Prevent Exposing Internal Networks
- Manage Connections to Private Destinations
  - Using Private Resources for SaaS Internet Destinations
  - Comparison of Zero Trust Access and VPN
    - Zero Trust Access security benefits
    - Zero Trust Access end user benefits
  - Timeout Intervals for Zero Trust Access Sessions
    - About Zero Trust Access Sessions
    - ZTA Connections to Private Resources
    - ZTA Connections to Private Resources with IPS or File Malware Scanning
    - ZTA Connections to Internet Destinations
  - Comparison of Client-Based and Browser-Based Zero Trust Access Connections
    - About Client-Based Connections
    - About Browser-Based Connections
  - Requirements for Zero Trust Access
    - Resource Requirements for Client-Based Zero Trust Access
    - Resource Requirements for Browser-Based Zero Trust Access
    - Network Requirements for Zero Trust Access
    - Client Requirements for Client-Based Zero Trust Access
  - Configure Client-Based Zero Trust Access for Private Destinations
  - Configure Browser-Based Zero Trust Access to Private Resources
  - Network Authentication for Zero Trust Access
  - Connection Scenarios for Private Destinations
  - Manage Branch Connections
    - Endpoint Connection Methods
    - Branch Networks in Private Access Rules
      - Users and Groups Connections to Private Resources
      - Sources for Branch Network Connections
      - Destinations for Branch Network Connections
      - Source Connections to Destinations
    - Add an IPS Profile on Private Access Rules
    - Log Connections From Branch Networks to Private Resources
  - Allow SSH and RDP Access to Private Resources
    - Browser-Based Zero Trust Access
      - Configuration overview: Browser-based zero trust access using SSH or RDP
      - Notes for browser-based SSH and RDP access
      - Supported options for SSH access
    - Client-Based Zero Trust Access
  - Application Portal for Zero Trust Access Browser-Based User Access
    - What Users Experience
    - Requirements for Users and User Endpoint Devices
    - Prerequisites
    - Procedure
    - (Optional) Modify Settings
- Get Started with Network and Service Objects
  - About Network and Service Objects and Groups
  - Benefits of Adding and Using Network and Service Objects
  - General Limits for Objects
  - General Limits for Groups
  - Get Started with Network and Service Objects
    - Network Objects and Network Object Groups
    - Service Objects and Service Object Groups
  - Quickstart: Network and Service Objects
    - Prerequisites
    - Procedure
  - Access Rules with Network and Service Objects
    - About Network or Service Objects in Access Rules
      - Internet or Private Access Rules
    - Using Network Objects for Sources in Access Rules
    - Using Network and Service Objects for Destinations in Access Rules
  - Combine Destinations with Boolean Logic
    - How Destinations are Combined on Access Rules
      - Logical AND Operator with Network and Service Objects
      - Supported Combinations of Destinations with Logical AND Operator
  - Manage Network Objects and Groups
    - Get Started with Network Objects
      - About Network Objects
      - Add a Network Object
      - Import a CSV File with Network Objects
      - Manage a Network Object
    - Get Started with Network Object Groups
      - Add Network Object Groups
      - Manage a Network Object Group
    - View Network Objects and Groups
    - Add a Network Object
      - Guidelines: Add Network Objects in Secure Access
      - Prerequisites
      - Procedure
    - Add a Network Object Group
      - Guidelines: Add Network Object Groups in Secure Access
      - Prerequisites
      - Procedure
    - Import CSV File of Network Objects
      - Guidelines: Import Network Objects in Secure Access
      - Prerequisites
      - Procedure
      - Examples of Valid CSV Files
        
        CSV File with Network Object of FQDN Type
        
        CSV File with Network Object of Host Type
        
        CSV File with Network Object of Network Type
        
        CSV File with Network Object of Range Type
    - Manage a Network Object
      - Prerequisites
      - Procedure
        
        Edit a Network Object
        
        Duplicate a Network Object
        
        Delete a Network Object
    - Manage a Network Object Group
      - Prerequisites
      - Procedure
      - View Objects, Groups and Values in a Network Object Group
      - Edit a Network Object Group
      - Duplicate a Network Object Group
      - Delete a Network Object Group
    - View Network Objects and Groups
      - Prerequisites
      - Procedure
  - Manage Service Objects and Groups
    - Get Started with Service Objects
      - About Service Objects
      - Add a Service Object
      - Import CSV File with Service Objects
      - Manage a Service Object
    - Get Started with Service Object Groups
      - Add Service Object Groups
      - Manage a Service Object Group
    - View Service Objects and Groups
    - Add a Service Object
      - Prerequisites
      - Guidelines: Add Service Objects in Secure Access
      - Procedure
    - Add a Service Object Group
      - Guidelines: Add Service Object Groups in Secure Access
      - Prerequisites
      - Procedure
    - Import CSV File of Service Objects
      - Guidelines: Import Service Objects in Secure Access
      - Prerequisites
      - Procedure
      - Examples of Valid CSV Files
        
        CSV File with Service Object and UDP Protocol
        
        CSV File with Service Object and TCP Protocol
        
        CSV File with Service Object and ICMP Protocol
        
        CSV File with Service Object and Any Protocols and Port Range
    - Manage a Service Object
      - Prerequisites
      - Procedure
        
        Edit a Service Object
        
        Duplicate a Service Object
        
        Delete a Service Object
    - Manage a Service Object Group
      - Prerequisites
      - Procedure
      - View Objects, Groups and Values in a Service Object Group
      - Edit a Service Object Group
      - Duplicate a Service Object Group
      - Delete a Service Object Group
    - View Service Objects and Groups
      - Prerequisites
      - Procedure
- Manage the Access Policy
  - Private and Internet Access Rules in Your Policy
  - Default Access Rules in Your Policy
  - Rule Defaults and Global Settings
  - About the Access Policy
    - Best Practices
    - Rule Data
  - Show Additional Data on Your Access Rules
    - Prerequisites
    - Procedure
  - Edit the Order of the Rules in Your Access Policy
  - Rule Defaults: Default Settings for Access Rules
    - Zero Trust Access: Endpoint Posture Profiles
    - Zero Trust Access: User Authentication Interval
      - User Authentication Default Interval Settings
    - Intrusion Prevention (IPS)
    - Security Profile
    - Tenant Control Profile
  - Manage Global Settings for Access Rules
    - Prerequisites
    - Procedure
    - Display User Input Field on Warn Pages
      - About the Warn Page User Input Field
    - Microsoft 365 Compatibility
      - Tenant Controls
      - Limitations
    - Decryption
    - Disable Decryption for Specific Sources
    - Decryption Logging
    - Certificate Pinning
  - Edit Rule Defaults and Global Settings
    - Prerequisites
    - Procedure
  - Edit or View the Default Access Rules
    - Default Internet Access Rule
    - Default Private Access Rule
    - View or Edit Default Access Rules
  - Using Wildcard Masks on Access Rules
    - Wildcard Masks in Composite Sources or Destinations
    - Guidelines
    - Examples of Wildcard Masks
- Get Started With Internet Access Rules
  - Control Egress IP Address for Select SaaS Internet Destinations
  - Components for Internet Access Rules
    - Sources
    - Destinations
      - Rule Enforcement with Destination Lists and Fully Qualified Domain Names
      - Reusable Destinations in Internet Access Rules
      - Additional Configuration Options
    - Security Controls
      - Intrusion Prevention (IPS)
        
        Set Up Certificates for Decrypting Internet Traffic
        
        Configure Intrusion Prevention (IPS) Profiles
        
        Configure the Do Not Decrypt List for IPS
      - Security Profile
        
        Configure Threat Category Settings
        
        Configure SSO Authentication
        
        Set Up Certificates for Decrypting Internet Traffic
        
        Configure Do Not Decrypt Lists
        
        (Optional) Configure Custom End-User Block and Warn Notifications
        
        Configure Security Profiles for Internet Access
      - Tenant Controls
  - Default Settings for Internet Access Rules
  - Add an Internet Access Rule
    - Prerequisites
    - Procedure
    - Access Options
      - Disable or Enable the Rule
      - Logging settings
      - Summary
      - Rule Name
      - Rule Order
      - Rule Action
      - Pre-Configured Sources
      - Composite Sources
      - Pre-Configured Destinations
      - Composite Destinations
      - App Risk Profiles
      - Advanced Application Controls
    - Security Control Options
      - Intrusion Prevention (IPS)
      - Security Profile
      - Tenant Control Profile
      - Schedule Enablement Time and Date
      - Advanced Security Controls
    - Next Steps
  - About Configuring Sources in Internet Access Rules
    - Source Components for Internet Access Rules
    - Composite Sources for Internet Access Rules
      - Limitations of Composite Sources in Internet Rules
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Adding Composite Sources
      - Combining IPs, CIDRs, or Wildcard Masks on a Source
    - Combining Multiple Sources in a Rule (Boolean logic)
  - About Configuring Destinations in Internet Access Rules
    - Number of Destinations in a Rule
    - Guidelines: Adding Destinations on Internet Access Rules
    - Pre-Configured Destinations on an Internet Rule
    - Application Lists and Application Categories on an Internet Rule
    - Application Protocols on an Internet Rule
      - How Application Protocols Combine with Composite Destinations
    - Network and Service Objects on Internet Access Rules
    - Composite Destinations for Internet Access Rules
      - Limitations of Composite Destinations
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Ports
      - Protocols
      - Adding Composite Destinations
      - Combining Destination Components as a Single Destination
    - Combining Multiple Destinations in a Rule (Boolean Logic)
  - Ensure Rule Matching for Encrypted Internet Traffic
  - Block Internet Access to Geographic Locations
  - Advanced Application Controls
    - Applications with Advanced Controls
      - Cloud Storage
      - Collaboration
      - Content Management
      - Media
      - Office Productivity
      - P2P
      - Social Networking
    - Prerequisites
    - Procedure
    - Troubleshooting
  - Global Settings for Internet Access Rules
  - About Isolated Destinations
    - Prerequisites
      - Secure Access Prerequisites
      - Browser Prerequisites
    - Secure Access Package Support for RBI and Isolation Rules
      - Isolate Any
      - Isolate Risky
    - Verifying Isolation
    - Limitations of Isolation
    - Isolate Downgrade
      - Expired or Downgraded Package Support for RBI
      - Isolate Rule Remediation
        
        Prerequisites
        
        Filter Isolate Rules
        
        Duplicate a Downgraded Isolate Rule
  - Troubleshoot Internet Access Rules
    - General troubleshooting tips
    - Problems while creating the rule
      - The Next button is unavailable
    - Problems after creating a rule
      - Internet traffic is unexpectedly blocked
      - Internet traffic is unexpectedly allowed
      - Internet Access rule is not matching traffic as expected
- Get Started With Private Access Rules
  - Components for Private Access Rules
    - Sources
    - Destinations
      - Private Resources
      - Private Resource Groups
      - Network Objects
      - Network Object Groups
      - Service Objects
      - Service Object Groups
    - Endpoint Posture Profiles (for Endpoint Requirements)
    - Security Controls
      - Intrusion Prevention (IPS)
      - Security Profile, for File Inspection and File Type Controls
  - Default Settings for Private Access Rules
  - Add a Private Access Rule
    - Prerequisites
    - Set Up the Private Access Rule
      - Enable the Rule and Edit Your Logging Settings
      - Add a Rule Name
      - Choose a Rule Order
    - Step 1 — Specify Access Options
      - Rule Action
      - Pre-Configured Sources
      - Composite Sources
      - Pre-Configured Destinations
      - Composite Destinations
      - Endpoint Requirements
      - User Authentication Requirements
    - Step 2 — Configure Security Control Options
      - Intrusion Prevention (IPS)
      - Security Profile
    - Summary
  - About Configuring Sources in Private Access Rules
    - Source Components for Private Access Rules
    - Composite Sources for Private Access Rules
      - Limitations of Composite Sources
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Adding Composite Sources
      - Combining IPs, CIDRs, or Wildcard Masks on a Source
    - Combining Multiple Sources in a Rule (Boolean logic)
  - About Configuring Destinations in Private Access Rules
    - Destination Components for Private Access Rules
    - Network and Service Objects on Private Access Rules
    - Composite Destinations for Private Access Rules
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Ports
      - Protocols
      - Adding Composite Destinations
      - Combining Destination Components as a Single Destination
    - Combining Multiple Destinations in a Rule (Boolean Logic)
  - About ZTA Private Access Enforcement
    - Most Specific Match Enforcement Mode
    - Multi-App Match Enforcement Mode
      - Examples
        
        Scenario 1: Multiple matching IP/CIDR destinations in different resources
        
        Scenario 2: Multiple matching FQDN destinations in different resources
        
        Scenario 3: Multiple matching rules by source and destination – rule ordering priority in effect
        
        Scenario 4: Tie-breaker scenarios for multiple valid resource destinations in matched rule
    - Multi-App with Resolved IP Match Enforcement Mode
      - Examples
        
        Scenario 1: FQDN resource-based rule at higher priority than IP resource-based rule
        
        Scenario 2: IP resource-based rule at higher priority than FQDN resource-based rule
        
        Scenario 3: Tie-breaker scenario for FQDN-IP overlap within the same rule
  - About Endpoint Requirements in Access Rules
  - Allowing Traffic from Users and Devices on the Network
  - Global Settings for Private Access Rules
  - Troubleshoot Private Access Rules
    - General Troubleshooting Tips
    - Problems While Creating a Rule
      - Next button is not available
    - Problems After Creating a Rule
      - Traffic is unexpectedly blocked
      - Traffic is unexpectedly allowed
      - Rule does not match traffic as expected
- Get Started with the Cisco Assistant
  - Prerequisites
  - Procedure
  - Cisco Assistant Navigation
  - What's Next
  - Add Rules with the Cisco Assistant
    - Use Cases
    - Capabilities of the Cisco Assistant
    - Limitations
    - Safeguards
    - Procedure
      - Enter a Natural Language Prompt to Generate Policy Rules
      - Invalid Prompts
    - Reporting
    - Contextual Conversations
    - Support
  - Cisco Assistant Rule Examples
    - Core Prompt Components
    - Key Words for Prompts
    - Private Access Rule Examples
      - Allow Action Rule
      - Block Action Rule
      - Include an AND Operator with Allow or Block Action Rule
      - Include a NOT Operator with Allow or Block Action Rule
    - Internet Access Rule Examples
      - Allow Action Rule
      - Block Action Rule
      - Warn Action Rule
      - Isolate Action Rule
      - Include an AND Operator with Allow or Block Action Rule
      - Include a NOT Operator with Allow or Block Action Rule
    - Additional Samples
  - Find Documented Answers with the Cisco Assistant
    - Best Practices for Prompts
    - Contextual Conversations
  - Troubleshoot with the Cisco Assistant
    - Procedure
      - Craft your prompt
      - Event analysis
    - Contextual Conversations
    - What's Next
  - Messages Generated by the Cisco Assistant
    - Examples of Cisco Assistant Responses to Prompts
- Manage Endpoint Security
  - About Endpoint Posture
  - About Posture Profiles
  - Endpoint Posture Assessment
  - Endpoint Attributes
    - Supported Operating Systems
      - Zero Trust Connections
      - VPN Connections
    - Firewall Conditions
    - Endpoint Security Agents
    - System Password Enforcement
    - Disk Encryption
    - Supported Browsers
    - Windows Registry Conditions
    - Windows Domain Join
    - File Conditions
    - Process Conditions
    - Certificate Conditions
      - Prerequisites
      - About Certificate Conditions
- Manage Zero Trust Access Posture Profiles
  - Zero Trust Access Posture Attributes
  - Add a Client-Based Zero Trust Access Posture Profile
    - Prerequisites
    - Procedure
  - Add a Browser-Based Zero Trust Access Posture Profile
    - Prerequisites
    - Procedure
- Manage VPN Connection Posture Profiles
  - VPN Posture Attributes
  - Add a VPN Connection Posture Profile
    - Prerequisites
    - Procedure
- Manage IPS Profiles
  - How IPS Works
    - Hit Counts
    - Cisco-Provided IPS Signature Lists
  - Decryption is Required for Effective Intrusion Prevention
  - Exceptions for Traffic That Should Not be Decrypted
  - IPS is Used in Both Types of Access Rules
  - Add a Custom IPS Signature List
    - Prerequisites
    - Procedure
    - Reset a Signature's Action
- Manage Security Profiles
  - Security Profiles for Internet Access
    - Functionality Included in a Security Profile for Internet Access
    - Decryption
    - SSO Authentication
      - Requirements for Enabling OIDC Authentication
      - Requirements for Enabling SAML Authentication
      - Requirements for Disabling SAML Authentication
    - Security and Acceptable Use Controls
    - End-User Notifications
    - Get Started: Security Profiles for Internet Access
  - Add a Security Profile for Internet Access
    - Prerequisites
    - Procedure
    - Add a Security Profile
    - Enable or Disable Decryption
    - SSO Authentication
    - Security and Acceptable Use Controls
      - Threat Categories
      - File Inspection
      - File Type Blocking
      - SafeSearch
      - AI Supply Chain Blocking
    - Configure End-User Notifications
    - View Security Profiles
    - Configure Additional Security Options
    - Add a Security Profile on Internet Access Rules
    - Edit a Security Profile
    - Delete a Security Profile
  - Enable SafeSearch
    - Enable SafeSearch
    - Confirm That SafeSearch is Working
      - Google
      - YouTube
      - Yahoo
      - Bing
  - Security Profiles for Private Access
  - Add a Security Profile for Private Access
    - Prerequisites
    - Procedure
    - Next steps
- Manage App Risk Profiles
  - App Risk Profile Attributes
  - Add an App Risk Profile
    - Prerequisites
    - Procedure
- Manage Threat Categories
  - Default Threat Category List
  - Reporting on Threat Category Access Attempts
  - Threat Category Descriptions
  - Add a Threat Category List
    - Prerequisites
    - Procedure
  - Dispute a Threat Categorization
    - Prerequisites
    - Procedure
- Manage File Inspection and File Analysis
  - Overview of Configuring File Inspection and Analysis
  - File Inspection Details
    - Cisco Advanced Malware Protection (AMP)
    - Antivirus Scanner
  - Cisco Secure Malware Analytics (formerly Threat Grid) Details
    - Supported Files and File Limitations
    - Secure Malware Analytics Sandbox
  - Enable File Inspection
    - Prerequisites
    - Procedure
  - Enable File Analysis by Cisco Secure Malware Analytics
    - Prerequisites
    - Procedure
  - Test File Inspection for Internet Access
    - Prerequisites
    - Procedure
      - Block Page Diagnostic Information
  - Monitor File Inspection and Analysis Activity
    - Monitor and Review File Inspection and Analytics
    - Monitor and Review Secure Malware Analytics
      - Monitor File Submission Limits
  - Troubleshoot File Inspection and Analysis
    - General Troubleshooting
- Manage File Type Controls
  - Enable File Type Controls
    - About File Type Controls for Internet Access
    - About File Type Controls for Private Access
    - Prerequisites
    - Procedure
    - Enable File Type Blocking for Internet Access
    - Enable File Type Blocking for Private Access
  - File Types to Block
  - Review File Type Controls Through Reports
    - Prerequisites
    - Procedure
- Manage Notification Pages
  - View Notification Pages Displayed to End Users
  - Display Custom Notification Pages to End Users
  - About Warn Pages for Internet Access Traffic
  - Warn Page: Click Link and Continue to Destination
  - Warn Page: Enter Key Word and Continue to Destination
  - Preview Notification Pages
    - Prerequisites
    - Procedure
  - Create Custom Block and Warn Pages
    - Prerequisites
    - Create Custom Block and Warn Pages
    - Link a Custom Notification Page Appearance to a Security Profile
    - Next Steps
  - Allow Users to Contact an Administrator
    - Prerequisites
    - Procedure
  - Block Page IP Addresses
    - IP Addresses for Secure Access Block Pages
    - Domains for Secure Access Block Pages
- Manage Traffic Decryption
  - Internet Access Features That Require Decryption
  - Internet Traffic That Should Not Be Decrypted
  - Decryption in Private Access Rules
  - Decryption Settings
  - Decryption Requires Certificates
  - Decryption Logging
  - Troubleshooting Decryption
  - Important Information About Do Not Decrypt Lists
    - Do Not Decrypt List for IPS
    - Do Not Decrypt Lists for Security Profiles for Internet Access
    - Differences Between IPS and Features in Security Profiles
    - The System-Provided Do Not Decrypt List
    - Limitation: Do Not Decrypt Based on Content Category
  - Add a Do Not Decrypt List for Security Profiles for Internet Access
    - Prerequisites
    - Procedure
- Manage Certificates
  - Certificate Installation Methods
  - Certificates for Internet Decryption
    - Certificates for Displaying Notifications
    - Certificates for Decrypting Internet Traffic
      - Option 1: Distribute Self-Signed Certificates to End-User Devices
      - Option 2: Use a Signed Certificate for Decrypting Internet Traffic
  - Install the Cisco Secure Access Root Certificate
    - Prerequisites
      - Download the Cisco Secure Access Root Certificate
    - Automatically Install the Cisco Secure Access Root Certificate (For an Active Directory Network)
      - Install the Cisco Secure Access Root Certificate with Group Policy Using the Microsoft Management Console (MMC)
      - Install the Cisco Secure Access Root Certificate with Group Policy Using the Group Policy Management Console (GPMC)
    - Install the Cisco Secure Access Root Certificate in Firefox Using Group Policy
    - Install the Cisco Secure Access Root Certificate on Chromebooks Using the Google Admin Console
    - Manually Install the Cisco Secure Access Root Certificate (Single Computer)
      - Install the Cisco Secure Access Root Certificate in Edge or Chrome on Windows
      - Install the Cisco Secure Access Root Certificate in Firefox on Windows
      - Install the Cisco Secure Access Root Certificate in All Browsers on Mac OS X
      - Install the Cisco Secure Access Root Certificate on Mac OS X Through the Command Line
      - Install the Cisco Secure Access Root Certificate in Chromium or Chrome on Linux
  - Add Customer CA Signed Root Certificate
    - Prerequisites
      - Certificate Requirements
    - Install Root Certificate in Browsers
    - Procedure
  - View the Cisco Trusted Root Store
    - Prerequisites
      - Download the Cisco Trusted Union Root Bundle
    - Extract the Certificates
      - Step 1: Extract the Signing Certificate
      - Step 2: Extract Certificate Bundle as Message
      - Step 3: Extract PEM-Formatted Certificates From Bundle
      - Step 4: Generate Individual Certificate Files
        
        Linux
        
        macOS
    - View an Individual Certificate File
  - Manage Certificates for Private Resource Decryption
    - Prerequisites
      - Install a Certificate Authority Certificate on a Private Resource
    - Procedure
      - View Notifications About Expired Private Resource Certificates
      - Upload Private Resource Certificates
        
        Option 1: Upload or enter a certificate-key pair directly to the private resource
        
        Option 2: Upload a certificate and key to the Certificates page
  - Certificates for Private Resource Decryption
  - Certificates for SAML Authentication
  - Manage SAML Certificates for Service Providers
    - Prerequisites
    - Procedure
      - View Notifications About Expired Service Provider Certificates
      - Download Web Security and Zero Trust Service Provider Certificates
      - Download Virtual Private Network Service Provider Certificates
  - Manage SAML VPN Service Provider Certificate Rotation
    - Prerequisites
    - Procedure
      - View Notifications About Expired Service Provider Certificates
      - Activate a New VPN Service Provider Certificate
  - Manage SAML Certificates for Identity Providers
    - Prerequisites
    - Procedure
      - View Notifications About Expired Identity Provider Certificates
      - Manage Web Security and Zero Trust Identity Provider Certificates
      - Manage Virtual Private Network Identity Provider Certificates
  - VPN Certificates for User and Device Authentication
  - Manage CA Certificates for VPN Connections and Zero Trust Access Enrollment
    - Prerequisites
      - Install an Identity Certificate on User Devices
    - Procedures
    - View Notifications About Expired CA Certificates for Client Authentication
    - Upload Certificate Authority (CA) Certificates for client authentication
    - View Uploaded CA Certificates
    - Manage Certificate Revocation Settings
    - View CA Certificate Details
    - Change the Purpose of an Uploaded CA Certificate
    - Delete a Client Authentication CA Certificate
    - Expired Certificates
- Manage the Data Loss Prevention Policy
  - Add a Real Time Rule to the Data Loss Prevention Policy
    - Prerequisites
    - Procedure
  - Understand Exclusions in a Real Time Rule
  - Supported Applications
  - Add an SaaS API Rule to the Data Loss Prevention Policy
  - Add an AI Guardrails Rule to the Data Loss Prevention Policy
    - Prerequisites
    - Procedure
  - Discovery Scan
    - Prerequisites
    - Initiate a Discovery Scan
    - Cancel a Discovery Scan
  - Edit a Data Loss Prevention Rule
  - Delete a Data Loss Prevention Rule
    - Prerequisite
    - Procedure
  - Enable or Disable a Data Loss Prevention Rule
    - Prerequisites
    - Disable a Rule
    - Enable a Rule
  - Supported File and Form Types
  - Best Practices for the Data Loss Protection Policy
- Manage Data Classifications
  - Create a Data Classification
    - Built-In Identifiers
    - Machine Learning Identifiers
    - Custom Identifiers
    - Exact Data Match Identifiers
    - Indexed Document Match Identifiers
    - Prerequisites
    - Procedure
  - Copy and Customize a Built-In Data Classification
    - PII Data Classification
    - PCI Data Classification
    - GDPR Data Classification
    - HIPAA Data Classification
    - Prerequisites
    - Procedure
  - Delete or Edit a Classification
    - Prerequisites
    - Delete a Classification
    - Edit a Classification
  - Create an Exact Data Match Identifier
    - Prerequisites
    - Procedure
  - Index Data for an EDM
    - Prerequisites
    - Run the DLP Indexer to Create an EDM Identifier
    - Update the Indexed Data Set Periodically
    - Troubleshooting
  - Exact Data Match Field Types
    - Supported EDM Types
  - Create an Indexed Document Match Identifier
    - Prerequisites
    - Limitations
    - Create an Indexed Document Match Identifier
    - Monitor the Indexed Data Set and Re-Index as Needed
    - Troubleshooting
  - Built-In Data Classifications
- Built-in Data Identifiers
  - Tolerances
  - Copy and Customize a Data Identifier
    - Prerequisites
    - Procedure
  - Create a Custom Identifier
    - Prerequisites
    - Procedure
  - Custom Regular Expression Patterns
    - Limitations
      - General
      - Regex Syntax
      - Regex Breadth
      - Word Boundary
  - Individual Data Identifiers
    - Drug Name
    - Health Condition
    - ICD-10 Code
    - US Person Name
- Manage AI Guardrails Data Classifications
  - Create an AI Guardrails Data Classification
    - Prerequisites
    - Procedure
  - Copy and Customize a Built-In AI Guardrails Data Classification
    - Security Guardrail
    - Safety Guardrail
    - Privacy Guardrail
    - Prerequisites
    - Procedure
  - Delete or Edit an AI Guardrails Data Classification
    - Prerequisites
    - Delete an AI Guardrails Data Classification
    - Edit an AI Guardrails Data Classification
- Manage Secure ICAP
  - Prerequisites
  - Secure ICAP Integration
  - Modify an ICAP Server Connection
  - Disconnect from an ICAP Server
- Manage SaaS API Data Loss Prevention
  - Enable SaaS API Data Loss Prevention for AWS Tenants
    - Prerequisites
    - Limitation
    - Enable CloudTrail Event Logging for S3 Buckets and Objects
    - Obtain Your AWS Account ID
    - Authorize an AWS Tenant
    - Create an AWS Stack
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Azure Tenants
    - Prerequisites
    - Limitation
    - Authorize an Azure Tenant
    - Run an Azure PowerShell Script to Obtain Account Information
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Box Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Dropbox Tenants
    - Prerequisites
    - Limitation
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Google Drive Tenants
    - Prerequisites
    - Validation
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Microsoft 365 Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for ServiceNow Tenants
    - Prerequisites
    - Limitation
    - Find the Instance Name for your ServiceNow admin Account
    - Assign the oauth_user role to the ServiceNow admin Account
    - Add an OAuth Client to Your ServiceNow Deployment
    - Authorize a Tenant
    - Revoke Authorization
    - View the Cisco Quarantine Table in Service Now
  - Enable SaaS API Data Loss Prevention for Slack Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Webex Teams
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
- Manage Cloud Malware Protection
  - Cloud Access Security Broker Protection for Google Drive and Microsoft 365
  - Enable Cloud Malware Protection
    - Prerequisites
    - Procedure
  - Revoke Authorization for a Platform
    - Prerequisites
    - Procedure
  - Enable Cloud Malware Protection for AWS Tenants
    - Prerequisites
    - Limitation
    - Enable CloudTrail Event Logging for S3 Buckets and Objects
    - Obtain Your AWS Account ID
    - Authorize a Tenant
    - Create an AWS Stack
    - Revoke Authorization
  - Enable Cloud Malware Protection for Azure Tenants
    - Prerequisites
    - Limitation
    - Authorize an Azure Tenant
    - Run an Azure PowerShell Script to Obtain Account Information
    - Revoke Authorization
  - Enable Cloud Malware Protection for Box Tenants
    - Prerequisites
    - Limitations
    - Verify Box Application Settings
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Dropbox Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Revoke Authorization
  - Enable Cloud Access Security Broker Features for Google Drive
    - Prerequisites
    - Limitation
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Access Security Broker Protection for Microsoft 365 Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for ServiceNow Tenants
    - Prerequisites
    - Limitation
    - Find the Instance Name for your ServiceNow admin Account
    - Assign the oauth_user role to the ServiceNow admin Account
    - Add an OAuth Client to Your ServiceNow Deployment
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
    - View the Cisco Quarantine Table in Service Now
  - Enable Cloud Malware Protection for Slack Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Webex Teams
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
- Manage Logging
  - Where are Logs Stored?
    - Logging to the Secure Access Data Warehouse
    - Logging to Amazon S3
    - Advantages and Disadvantages of Configuring a Cisco-Managed Bucket
  - Enable Logging
    - Prerequisites
    - Procedure
  - Enable Logging to Your Own S3 Bucket
    - Prerequisites
      - JSON Bucket Policy
    - Procedure
    - S3 Bucket Data Path
    - Download Files From the S3 Bucket Locally
      - Prerequisites
  - Enable Logging to a Cisco-Managed S3 Bucket
    - Best Practices for Rotating an S3 Bucket Key
      - About the Notifications for the IAM Key
    - Prerequisites
    - Procedure
    - Configure a Cisco-Managed S3 Bucket
    - Rotate Keys on a Cisco-Managed S3 Bucket
    - Get the S3 Bucket Data Path
      - Sample S3 Bucket Data Path
    - Verify Your Access to an S3 Bucket
      - Download Files From the S3 Bucket Locally
        
        Sample Command
        
        Best Practices: Download Files From the S3 Bucket
  - Change the Location of Event Data Logs
    - Implications When You Change Data Warehouse Locations
    - Log Retention
    - Prerequisites
    - Procedure
  - Stop Logging
    - Prerequisites
    - Procedure
  - Delete Logs
    - Prerequisites
    - Procedure
  - Log Formats and Versioning
    - Prerequisites
    - Log File Name Formats
      - Subfolders
      - Find Your Log Schema Version
        
        Log Schema Versions
        
        View Your Log Schema Version and Last Sync Time
      - Include Headers
      - Log File Fields
      - Estimate the Size of a Log
      - Estimate the Size of an Exported Report
    - Reports and CSV Formats
      - Activity Search Report
        
        Zero Trust Access Activity Search Fields
      - Top Categories Report
      - Top Destinations Report
      - Top Resources Report
    - Admin Audit Log Formats
      - Example
      - Order of Fields in Admin Audit Log
        
        Optional V12 Log Header Format
        
        V12 Log Format
    - Cloud Firewall Log Formats
      - Example
      - Order of Fields in the Cloud Firewall Log
        
        Optional V12 Log Header Format
        
        V12 Log Format
    - Data Loss Prevention (DLP) Log Formats
      - Example
      - Order of Fields in the DLP Log
        
        Optional V12 Log Header Format
        
        V12 Log Formats
    - DNS Log Formats
      - Examples
      - Order of Fields in the DNS Log
        
        Optional V12 Log Header Format
        
        V12 Log Formats
    - File Events Log Formats
      - Example
      - Order of Fields in the File Events Log
        
        Optional V12 Log Header Format
        
        V12 Log Format
    - IPS Log Formats
      - Example
      - Order of Fields in the IPS Log
        
        Optional V12 Log Header Format
        
        V12 Log Format
    - Remote Access VPN Log Formats
      - Examples
      - Order of Fields in the RAVPN Log
        
        Optional V12 Log Header Format
        
        V12 Log Format
    - Web Log Formats
      - Example
      - Order of Fields in the Web Log
        
        Optional V12 Log Header Format
        
        V12 Log Format
    - Zero Trust Access Log Formats
      - Example
      - Order of Fields in Zero Trust Access Logs
        
        Optional V12 Log Header Format
        
        V12 Log Format
    - Zero Trust Access Flow Log Formats
      - Example
      - Order of Fields in Zero Trust Access Flow Logs
        
        Optional V12 Log Header Format
        
        V12 Log Format
- Manage API Keys
  - Add Secure Access API Keys
    - Prerequisites
    - Add API Key
    - Refresh API Key
    - Update API Key
    - Delete API Key
  - Add KeyAdmin API Keys
    - Use Cases
    - Prerequisites
    - Add KeyAdmin API Key
    - Refresh KeyAdmin API Key
    - Update KeyAdmin API Key
    - Delete KeyAdmin API Key
- Manage Accounts
  - Add a New Account
    - Prerequisites
    - Procedure
  - Edit Account Settings
    - Prerequisites
    - Procedure
  - Delete an Account
    - Prerequisites
    - Procedure
  - Hide Sources with De-identification
    - Prerequisites
    - Source Types
    - Enable De-identification
    - Disable De-identification
    - Limitations
DNS Forwarders
- Get Started with Virtual Appliances
  - Supported Deployments
  - How Secure Access Virtual Appliances Work
  - Virtual Appliances and Granular Identity Information
    - Without Virtual Appliances
    - With Virtual Appliances
  - Active Directory Integration
  - Configure Granular Rules
  - Prerequisites for Virtual Appliances
    - Endpoint Software
    - Virtual Appliance Requirements
    - Networking Requirements
      - Allow Connections to Various Domains and Services
      - Network Time Protocol Servers
      - Intrusion Protection Systems (IPS) and Deep Packet Inspection (DPI)
      - Network Address Translation (NAT)
    - Encrypting Traffic with DNSCrypt
  - Virtual Appliance Deployment Guidelines
    - Deploy Virtual Appliances in Pairs
    - Multiple DNS Egresses
    - Single DNS Egress
    - Double NAT
  - Virtual Appliance Sizing Guide
    - High-Traffic Sites and Virtual Appliances
    - AD Connector Sizing Guidelines
    - Deployment Considerations
      - Overall Latency
      - Number of Secure Access Sites
      - Number of Users for a VA
- Manage VAs in Secure Access
  - Configure Authentication for Virtual Appliances
    - How to Set Up Your API Credentials
    - Procedure
      - Step 1 – Create the Key Admin API Key Credentials
      - Step 2 – Add the Key Admin API Key Credentials
    - Refresh Client API Key and Secret
    - Reset Client API Key
  - Manage DNS Forwarders
    - Procedure
      - View the DNS Forwarders
      - Sync the Configuration Settings to Deployed VAs
      - Edit a Site
      - Upgrade a Virtual Appliance
      - Reset Password
      - Delete a Virtual Appliance
  - Manage Site for Virtual Appliance
    - Procedure
      - Add a Site
      - Select a Site
      - Rename a Site
      - Delete a Site
  - Configure Updates for Virtual Appliances
    - How Secure Access Updates Your Virtual Appliance
    - Procedure
      - Configure Automatic Updates of Virtual Appliances
      - Manually Configure Update of a Virtual Appliance
      - Postpone Updates to Virtual Appliances
- Deploy Virtual Appliances
  - Guidelines
  - Deploy the Secure Access Virtual Appliances
  - Deploy VAs in Hyper-V for Windows 2012 or Higher
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Download and Extract the Hyper-V Installer
      - Step 2 – Import the Virtual Appliance
      - Step 3 – Copy and Rename Image Files
      - Step 4 – Select Network Adapter
      - Step 5 – Select Hard Drive
      - Step 6 – Power on the Virtual Machine
      - Step 7 – Repeat for the Second Virtual Appliance
  - Deploy VAs in VMware
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Download OVF Template
      - Step 2 – Deploy OVF Template
      - Step 3 – Deploy a Second Virtual Appliance
      - Step 4 – Power on the Virtual Machines
  - Deploy VAs in Microsoft Azure
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Before You Begin
    - Procedure
      - Step 1 – Prepare the Virtual Appliance Image on Azure
      - Step 2 – Launch the Virtual Appliance on Azure
  - Deploy VAs in Amazon Web Services
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Prepare the Virtual Appliance Amazon Machine Image
      - Step 2 – Launch the Virtual Appliance on Amazon Web Services
  - Deploy VAs in Google Cloud Platform
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Prepare the Virtual Appliance Instance Template on GCP
      - Step 2 – Launch the Virtual Appliance on Google Cloud Platform
  - Deploy VAs in KVM
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Create the qcow2 files for KVM
      - Step 2 – Launch the Virtual Appliance on KVM
  - Deploy VAs in Nutanix
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
  - Deploy VAs in Alibaba Cloud
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Download and Extract the Hyper-V Installer
      - Alibaba Cloud Setup
      - Procedural Overview
      - Create an Alibaba Virtual Private Cloud (VPC)
      - Create a Bucket for the Secure Access VAs
      - Configure a ZIP Package Decompression Rule
      - Upload the Secure Access VHD Images to the OSS Bucket
    - Create a Custom Image
    - Deploy the Secure Access VAs from the Imported Custom Image
      - What's Next
    - First-time Login to Secure Access VA
      - Related Topics
        
        Dual-NIC Support on the VA
      - IP Addressing
        
        General Guidelines
        
        Support for IPv6 Addressing
      - Anycast Configuration Support
      - DNS Performance on Alibaba ECS Instances
      - Extensions on Alibaba ECS Instances
- Configure Virtual Appliances
  - Prerequisites
  - Enter Configuration Mode on a VA Deployed on VMware, Hyper-V, or KVM
  - Enter Configuration Mode on a VA Deployed in Azure, AWS, or Google Cloud Platform
  - Configure the VA Through Configuration Mode
  - Configure a Second VA
  - Configure Settings on VAs
    - Prerequisites
    - Configure Rate Limiting
      - Enable Rate Limits on a VA
      - Disable Rate Limiting
      - Check Status and Packet Drops
    - Configure NTP Servers
      - Add NTP Servers to the VA
      - Remove NTP Servers
      - View the VA's Current NTP Servers
    - Configure Secure Access Resolvers
      - Use the IPv4 Secure Access DNS Resolvers
      - Use the Alternate Secure Access DNS Resolvers
      - Use the IPv6 Secure Access DNS Resolvers
      - Use the US-Only IPv4 Secure Access DNS Resolvers
      - Use the US-Only IPv6 Secure Access DNS Resolvers
      - Use the Saudi Arabia-Only IPv4 Secure Access DNS Resolvers
      - Use the Saudi Arabia-Only IPv6 Secure Access DNS Resolvers
    - Configure DNSSEC Support
      - Configure VA to Preserve the DO Bit
      - Turn Off the DO Bit
    - Configure Logging to Remote Syslog Server
      - Configure the Destination of the Remote Syslog Server
      - Configure Log Export Internal DNS
      - Configure Log Export Enable Health
      - Configure Log Export Enable Admin
      - Configure Log Export Enable All
      - Configure Log Export Status
      - Turn Off Logging
    - Configure Dual-NIC Support on the VA
      - Configure an Existing VA to Support Dual-NIC
      - Deploy a New VA to Support Dual-NIC DMZ Mode
    - Configure Anycast
      - Configure Anycast over BGP on the VA
      - Configure Load Balancing
        
        Add a Load Balancer
        
        Remove a Load Balancer
      - Configure Identity Association Timeouts
      - Configure API Key Credentials for Authentication
        
        Configure the Client ID and Client Secret
- Local DNS Forwarding
  - Manage Domains in the VA
    - Which domains should be added?
    - (Optional) Add A and PTR Records for the VAs
  - Configure Local DNS Servers on the VA
    - Examples
- Test Virtual Appliance Deployments
  - Prerequisites
  - Resolve Public and Local DNS Queries
    - Test with Endpoints
    - Transition Production Traffic
- SNMP Monitoring for Virtual Appliances
  - Enable SNMP Monitoring
    - SNMPv2.x
    - SNMPv3
    - Privacy Password
    - Configure SNMP in Secure Access Virtual Appliance
    - SNMP Command Syntax
  - About SNMP Monitoring
  - Standard OIDs Supported by the Virtual Appliance
  - Extended OIDs Supported by the Virtual Appliance
- Troubleshoot Virtual Appliances
  - Prerequisites
  - Reset a Virtual Appliance's Password
  - Use Configuration Mode to Troubleshoot
  - Troubleshoot Intermittent DNS Resolution Failures on a VA Deployed on Azure
  - Troubleshoot DNS Resolution in Configuration Mode
  - Troubleshoot DNS Resolution Failures Behind a Firewall
Experience Insights
- About Experience Insights
  - Key Terms
- Onboard Experience Insights
  - Prerequisites
  - Procedure
    - Step 1: ThousandEyes integration
    - Step 2: Default test target
    - Step 3: Unified collaboration application
    - Step 4: ThousandEyes agent
  - Result of Onboarding
- Cisco AI Assistant for Experience Insights
  - Procedure
  - Limitations
  - Prompt examples
  - Contextual Conversations
- Configure Experience Insights
  - Procedure
    - ThousandEyes Organization and Account Group
    - Update Collaboration Application
    - Edit Default Test Target
  - Update Location of ThousandEyes Tenant and Data Storage
  - Register ThousandEyes Agents
- View Endpoint Performance Map
  - Procedure
- View Summary of Endpoints
  - Endpoint Health Status
    - Endpoint thresholds
    - Network thresholds
- Wi-Fi Descriptions
- View Common SaaS Applications
  - Procedure
- View User Dashboard
  - Prerequisites
  - Procedure
    - User Details and Device Details
    - Endpoint health
    - Security Events
    - Segment Visualization
    - Collaboration Application Summary
- About Endpoint Agent Tests
  - Manage endpoint tests in Secure Access
    - Endpoint license usage
    - Endpoint tests
    - Default Endpoint tests
  - Manage endpoint agents and tests in ThousandEyes
  - Limitations
  - Estimate Peak Traffic to Custom Targets for Default Endpoint Tests
    - Calculate Estimated Peak Throughput of Test Traffic
    - Mitigation Strategies
    - Recovery Options
  - Create HTTP Server Tests
    - Prerequisites
      - Zero Trust Access prerequisites:
    - Procedure
  - Create Network Tests
    - Prerequisites
    - Procedure
  - View HTTP Server Test Results
    - Procedure
      - View HTTP Test Results for a Specific Endpoint
  - View Network Test Results
    - Procedure
      - View Network Test Results for a Specific Endpoint
Reports
- Monitor Secure Access with Reports
  - Available Reports
  - Export Report Data to CSV
    - Prerequisites
    - Procedure
  - Bookmark and Share Reports
    - Procedure
  - Report Search Window and Retention
    - Report Search Window
    - Report Retention
  - Report Scheduling
  - Schedule a Report
    - Procedure
      - Check Your Spam Folder
      - Unsubscribe From a Report
  - Update a Scheduled Report
    - Prerequisites
    - Procedure
- Remote Access Log Report
  - View the Remote Access Log Report
    - View the Remote Access Log Report
    - View Event Details
- Activity Search Report
  - View and Customize the Activity Search Report
    - View the Activity Search Report
    - Customize the Activity Search Report
    - Save Activity Search Report columns and filters for future use
  - View Firewall Events in Activity Search Report
    - Filter the Report by Firewall Requests
    - View Firewall Event Details
      - Firewall Event Details Fields
  - View Web Events in Activity Search Report
    - Filter the Report by Web Requests
    - View Web Event Details
      - Web Event Details Fields
  - View Zero Trust Events in Activity Search Report
    - Procedure
      - Event Details
      - Access Details
      - Block Details
      - Endpoint Details
  - View Activity Search Report Actions
    - See Full Details
    - Filter Views
  - Schedule an Activity Search Report
  - Use Search and Advanced Search
    - Prerequisites
    - Search
    - Wildcards
      - Domains
      - URLs
      - File Names
    - Advanced Search
- Security Activity Report
  - View Activity and Details by Filters
    - Procedure
  - View Activity and Details by Event Type or Security Category
    - Prerequisites
    - Procedure
      - Group Security Categories
  - View an Event's Details
    - Prerequisites
    - Procedure
  - Search for Security Activity
    - Prerequisites
    - Procedure
      - Advanced Search
- Total Requests Report
  - Prerequisites
  - View Trends in the Total Requests Report
- Activity Volume Report
  - Prerequisites
  - View Requests by Volume of Activity
  - View Activity Volume by Threat Categories
    - Prevent
    - Contain
  - View Activity Volume by Policy Traffic
  - View Trends
- App Discovery Report
  - View the App Discovery Report
    - Prerequisites
    - View the App Discovery Report
  - View the Highest Risk Apps
    - Prerequisites
    - Procedure
  - Review Apps in the Apps Grid
    - Prerequisites
    - Procedure
    - Configure Columns to Display
    - Change the Label of an App
  - View App Details
    - Prerequisites
    - Procedure
  - Change App Details
    - Prerequisites
    - Change the Risk Score for an App
    - Change the Label of an App
  - Control Apps
    - Prerequisites
    - Procedure
    - Control Application Lists
  - Control Advanced Apps
    - Prerequisites
    - Procedure
  - View Traffic Data Through SWG Service
    - Prerequisites
    - View Traffic
    - View Traffic in the Apps Grid
    - View Traffic in the App Details
- Top Destinations Report
  - Prerequisites
  - View the Top Destinations Report
  - View Further Details
  - Destination Details
    - Prerequisites
    - View the Destination Details
    - View the Request Traffic
      - View Requests by Blocked or Allowed
      - View Requests Through Global Traffic %
    - View the Access and Policy Details
    - View Recent Activity
    - View the Most Visited URL Paths
- Top Categories Report
  - Prerequisites
  - View the Top Categories Report
  - Top Categories Quick View
  - View Category in Other Reports
  - Category Details
    - Prerequisites
    - View a Category's Details Overview
    - View a Category's Traffic
      - View the Activity Breakdown
      - View the Traffic Bandwidth
    - View a Category's Identities
    - View the Category's Top Domains
- Third-Party Apps Report
  - Prerequisites
  - View the Third-Party Apps Report
  - Search the Third-Party Apps Report
  - Export the Third-Party Apps Report
  - View App Details
    - Prerequisites
    - Procedure
- Cloud Malware Report
  - Prerequisites
  - View the Cloud Malware Report
  - Use the Cloud Malware Report
    - Quarantine a Malicious File
    - Restore a Quarantined File
    - Delete a Malicious File
    - Dismiss an Item from the Report
    - Export a Cloud Malware Report
  - More Information
- Data Loss Prevention Report
  - Prerequisites
  - View Events
    - View Details
    - Delete File
    - Quarantine File
    - Restore File from Quarantine
    - Use Advanced Search
  - Discovery
    - Prerequisite
    - View a Discovery Scan
- Admin Audit Log Report
  - Prerequisites
  - Generate Admin Audit Log Report
  - Export Admin Audit Log Report to an S3 Bucket
    - Prerequisites
    - Procedure
- AI Supply Chain Report
  - Prerequisites
  - Procedure
  - More about Risk Categories Provided by Cisco Foundation AI
Cisco Secure Client
- Cisco Secure Client Overview
- Get Started and Manage Client-based Zero Trust Access from Mobile Devices
  - Set up the Zero Trust Access App for iOS Devices
    - Guidelines and Limitations
    - Configure Settings in Cisco Secure Access
    - Install the App
    - Have End Users Enroll in Zero Trust Access
    - Notes for administrators
  - Set up the Zero Trust Access App for Android Devices
    - Configure Cisco Secure Access
    - Install the App
    - Notes for administrators
  - Set up the Zero Trust Access App for Android on Samsung Devices
    - Requirements and Prerequisites
    - Configure Cisco Secure Access
    - Install the App
    - (Optional) Set up the Android device for Zero Trust Access using MDM
      - Add the app to MDM
      - Set up the App on the Samsung Device
    - Enroll the Device in Zero Trust Access
    - Notes for administrators
  - Monitor and Troubleshoot the Zero Trust Access App from Mobile Devices
    - Troubleshoot iOS Devices
    - Troubleshoot Samsung Devices Running Android OS
    - Troubleshoot access issues
- Get Started with Cisco Secure Client on Windows and macOS Devices
  - Prerequisites
    - Secure Access Requirements
    - System Requirements
    - Download the Cisco Secure Client Pre-Deployment Package
  - Download Cisco Secure Client
    - Step 1 - Navigate to the Download Cisco Secure Client window
    - Step 2 - Download Cisco Secure Client
      - Download the latest version of Secure Client from Secure Access
      - Download the cloud-managed version of Secure Client
      - Download a previous version of Secure Client from Cisco Secure Central
    - Step 3 - Download configuration files
    - Step 4 - Install Secure Client
      - ThousandEyes Endpoint Agent Module
  - Download the OrgInfo.json File
    - Prerequisites
    - Procedure
      - Step 1 – Download the OrgInfo.json File
      - Step 2 – Copy the OrgInfo.json File to the Target Directory
  - Manual Installation of Cisco Secure Client (Windows and macOS)
  - Mass Deployment Overview
    - Remote Installation
      - Profile Installation
      - Customization Options
  - Mass Deployment (Windows)
    - (Optional) Package Customization
      - Add Umbrella Profile
    - Automated Installation (Windows)
      - Install Cisco Secure Client
      - Install the Umbrella Profile
      - (Optional) Disable VPN Functionality (Post installation)
  - Customize Windows Installation of Cisco Secure Client
    - Procedure
      - Deploy the Cisco Secure Client VPN Module
      - Deploy the Cisco Secure Client Umbrella Roaming Security Module
      - (Optional) Deploy Cisco Secure Client DART
      - Hide Cisco Secure Client Modules from Add/Remove Programs List
    - Optional OrgInfo.json Parameter Configurations
  - Mass Deployment (macOS)
    - (Optional) Package Customization
      - Add Umbrella Profile
      - (Optional) Disable VPN Functionality
      - Save the .dmg image
    - Automated Installation (macOS)
      - Installation (Pre-Deployment Package)
      - Installation (Web Deployment Package)
      - Install Umbrella Profile
      - (Optional) Disable VPN Functionality (Post-Installation)
      - Allow Secure Client System Extensions
  - Customize macOS Installation of Cisco Secure Client
    - Procedure
      - Step 1 – Make the .dmg Package Writeable
        
        Step 2 – Generate the Module Installation Configuration File
        
        Step 3 – Copy OrgInfo.json to Cisco Secure Client Installation Directory
        
        Step 4 – (Optional) Hide the VPN Module
        
        Step 5 – Customize the Cisco Secure Client Installation Modules
        
        Sample Customization
        
        Step 6 – Set Up the Correct Extension Permission Settings
        
        Step 7 – Install Secure Client with Selected Modules
  - VPN Headend Deployment
  - Secure Firewall Management Center and Secure Firewall Threat Defense
    - Prerequisites to provision the Umbrella Module
    - Procedure to enable Secure Client Umbrella Module in Management Center and Threat Defense
    - (OPTIONAL) VPN Local Authentication (Management Center 7.0 or later required)
  - Meraki Systems Manager (SM) Deployment
  - Migration from Umbrella Roaming Client
  - Install the Root Certificate for All Browsers
    - Inspect and Decrypt HTTPS Traffic
    - Render Block and Warn Pages
  - Cloud Management
    - Overview
    - Deploying Cisco Secure Client
    - Profiles
    - Uploading the Orginfo.json profile
    - Create a Deployment
    - Post Deployment
      - Additional Reference
  - Additional References
  - Remote Monitoring and Management Deployment Tutorials
  - Manage Device Deployment
    - Prerequisites for Device Deployment Management
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
- Manage Zero Trust Access using Cisco Secure Client
  - 1. Install Cisco Secure Client
  - 2. Enroll in Zero Trust Access
  - Requirements for Secure Client with Zero Trust Access
  - Choose Zero Trust Access Enrollment Methods for Your Organization
    - Procedure
  - Enroll Devices in Zero Trust Access Using Certificates
    - Prerequisites
    - Step 1 - Enable certificate-based enrollment for your organization
    - Step 2 - Upload or choose a CA certificate
    - Step 3 - Download the enrollment configuration file
    - Step 4 - Install the enrollment configuration file on user devices
    - Step 5 - Enrollment occurs
    - Switch from SAML-based enrollment to Certificate-based enrollment
  - Enroll Devices in Zero Trust Access Using SSO Authentication
    - Prerequisites
    - Recommended: Use MFA Authentication and Biometric Identity
    - Procedure
  - Troubleshoot Client-Based Zero Trust Access
    - Pre-Enrollment Errors
    - Enrollment Errors
    - Post-Enrollment Errors
    - Requests to Reauthenticate
  - Unenroll a Device from Zero Trust Access
    - Immediately unenroll a device
    - Permanently unenroll a device
    - Unenroll from the user endpoint device (for enrollments using SSO Authentication only)
      - On Windows devices
      - On macOS devices
- Manage Virtual Private Networks on Cisco Secure Client
  - Prerequisites
  - Download the Virtual Private Network XML Profile
    - Prerequisites
    - Procedure
      - Step 1 – Download the Cisco Secure Client VPN Profile
      - Step 2 – Copy the VPN Profile to the Target Directory
  - CA Certificates for VPN Connections
- Manage Internet Security on Cisco Secure Client
  - Umbrella Roaming Security Module Requirements
    - System Requirements
    - Network Requirements
      - Secure Access DNS Block Pages
      - Secure Access and SAML Identity Provider Domains
    - Transport Layer Security Protocol
    - Network Access
      - Host Names
      - Secure Access DNS Resolvers
      - Encrypted DNS
      - External DNS Resolution
      - HTTP and HTTPS
      - Secure Access DNS – Client Configuration Services
      - Secure Access DNS – Client Sync Services
      - Secure Access DNS and Web – Client Certificate Revocation Services
    - Roaming Security DNS Requirements
    - Internal Domains
  - Domain Management
    - Internal Domains List
    - DNS Suffixes
    - Operational Flow
      - Configure Internal Domains
      - Cisco Secure Client and External Queries
      - Cisco Secure Client and Internal Queries
    - Advanced Topics
      - Unencrypted
      - DNS Suffixes (Continued)
  - Interpret Internet Security Diagnostics
    - Prerequisites
    - Procedure
      - Generate the Diagnostic Report from the Cisco Secure Client
      - Generate the Diagnostic Report on the Command Line
  - DNS Protection Status
    - Prerequisites
    - Procedure
    - DNS Protection Status Descriptions
  - SWG Protection Status
    - Prerequisites
    - Procedure
    - Secure Web Gateway Status Descriptions
Managed iOS
- Cisco Security Connector: Secure Access Setup Guide
  - Requirements
    - Optionally
  - Getting Started
  - Quick Start
    - Prerequisites
    - Procedure
      - 1. Install the Cisco Security Connector App
      - 2. Add an Organization Administrator's Email Address
      - 3. Register Your iOS Device Through Your MDM to Secure Access
      - Unregister a Mobile Device
  - Manage Device Deployment
    - Prerequisites for Device Deployment Management
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
- Meraki Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Push of Profile Config
    - Anonymize Your Device
    - Verify Secure Access on Your Device
  - Verify Secure Access with Meraki
    - Prerequisites
    - Procedure
      - Verify Local Operation on the iOS Device
      - Verify Secure Access
      - Verify Clarity
      - Upgrade the Cisco Security Connector
      - Uninstall the Cisco Security Connector
  - Meraki Documentation
- Register an iOS Device Through Apple Configurator 2
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your Device
- IBM MaaS360 Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Intune Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Jamf Registration
  - Prerequisites
  - Procedure
    - Alternate Configuration
    - Anonymization
    - Verify Secure Access on Your iOS Device
- MobileIron Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS device
  - MobileIron Configuration
    - MobileIron Procedure
    - MobileIron Cloud Configuration
    - MobileIron On-Prem Configuration
- MobiConnect Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Workspace ONE Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Register an iOS Device Through a Generic MDM System
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify That Your Device is Protected by Secure Access
- Apply an Access Policy to Your Mobile Device
  - Prerequisites
  - Procedure
- Anonymize Devices
  - Prerequisites
  - Procedure
- Export Device Data to CSV
  - Procedure
- Troubleshooting
  - Prerequisites
  - Generate Diagnostics and Email the Secure Access Reports
  - Generate Diagnostics and Share the Secure Access Reports
- Push the Cisco Root Certificate to Managed Devices
  - Prerequisites
  - Procedure
- Configure Cellular and Wifi Domains
  - Prerequisites
  - Procedure
- Configuring DNS Suffix Allow List
  - Prerequisites
  - Procedure
Managed Android
- Secure Access Module for Cisco Secure Client (Android OS)
  - Device Security
  - Prerequisites
  - Known Issues
- Deploy the Android Client
  - Android Configuration Download
    - Procedure
      - Fail Close/Open Scenario
  - Manage Device Deployment
    - Prerequisites for Device Deployment Management
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
  - Cisco Meraki MDM
    - Add App to Cisco Meraki
    - Add Configuration for App
    - Push the App to Devices
    - Push the Cisco Root Certificate
  - MobileIron MDM
    - Configure the App
    - Push the App
    - Push User Identities
    - Push the Cisco Root Certificate
  - VMware Workspace ONE
    - Prerequisites for Deployment
    - Procedure for Deployment
      - Create Always On VPN Profile
    - Add and Publish the Cisco Secure Client Application
  - Microsoft Intune MDM
    - Publish the Cisco Secure Client - AnyConnect App to Managed Android Devices
    - Configure Secure Access
    - Push User Identities
    - Push the Cisco Root Certificate
  - Samsung Knox MDM
    - Register with the Enterprise Mobile Manager (EMM)
    - Enroll Android Devices
    - Push the App
    - Set Managed Configuration
    - Create Profile in Knox Manage
    - Push User Identities
    - Push the Cisco Root Certificate
  - Push the Cisco Root Certificate to Devices
    - Prerequisites
    - Procedure
- Manage Identities
  - Cisco Meraki Systems Manager
  - Microsoft Intune
  - Samsung Knox
  - VMWare WorkspaceOne
  - Access User Identities on the Secure Access Dashboard
    - Configure Policy Based on User Identity
    - Monitor User Activity
- Export Device Data to CSV
  - Procedure
- Troubleshooting
  - First Launch of App
  - Is this a VPN to Secure Access?
  - An Internal Site Isn't Loading
  - Configuration Issues
  - Check for VPN Connection and Policy
  - Check Block Page
  - Get the Android ID
  - Fail Close/Open Scenario
  - Check Device Registration
  - Missing CA Certificate
  - Org ID on Policy Page is 0
  - App Installation is Blocked
  - Offboarding Users
  - Known Issues
- Frequently Asked Questions
Unmanaged Mobile Device Protection
- Unmanaged Mobile Device Protection
- Administrator Actions
  - Prerequisites
  - Procedure
- End-user Actions
  - Android
    - Prerequisites:
    - Deployment
    - Enrollment
    - Enrollment by QR code
    - Enrollment without Camera Access:
    - Registration and Activation
  - iOS
    - Prerequisites
    - Deployment
    - Enrollment via Link
    - Enrollment by QR code
    - Registration and Activation
Integrations
- Manage Third-Party Integrations
  - Integration Modules
  - Chrome Enterprise Browser
    - Overview
    - Prerequisites
    - Procedure
    - What to do Next
- Integrate ISE (Identity Services Engine) with Secure Access
  - Solution Overview
  - Components and Prerequisites
    - Components Used
    - Prerequisites
  - Solution Workflow
  - Connect Cisco ISE and Cisco pxGrid Cloud
    - About Cisco pxGrid Cloud
    - Cisco pxGrid Cloud Terminology
    - Cisco pxGrid Cloud and Cisco ISE Integration Workflows
  - Enable Cisco Security Cloud Exchange
  - Integrate Cisco ISE with Secure Access
  - Verify and Monitor Context Sharing
    - Verify Context Sharing in Secure Access
    - Activity Search in Secure Access
    - Related Information
- Integrate Catalyst SD-WAN with Secure Access
  - Solution Overview
  - Components and Prerequisites
    - Components Used
    - Prerequisites
  - Solution Workflow
    - Related Information
  - Configure Context Sharing Between Catalyst SD-WAN and Secure Access
    - Prerequisites
    - Generate API Key Pair for Context Sharing
    - Create Cisco Secure Access Credentials
    - Add Secure Service Edge (SSE) Policy Group
    - Enable Context Sharing
  - Verify and Monitor Context Sharing
    - Verify Context Sharing in Secure Access
    - Monitor Context Sharing in SD-WAN Manager
    - Monitor Secure Access Tunnels using the CLI
    - Activity Search in Secure Access
    - Related Information
Cisco Security for Chromebook Client
- About Cisco Security for Chromebooks
  - Key benefits
- Prerequisites for Cisco Security for Chromebooks Client
- Limitations for Cisco Security for Chromebooks
- Integrate the Google Workspace Identity Service
  - Limitations
  - Procedure
- Deploy the Cisco Security for Chromebooks Client
  - About DNS-Layer Protection
  - About SWG-Layer Protection
  - High-Level Steps for Deploying Cisco Security for Chromebook Client
  - Step 1
  - Step 2
  - Bypass Internal Domains from DNS-over-HTTPS (DoH)
    - Procedure
      - Verification
  - Enable Reporting for Private IP Address of Chromebook Device
    - Prerequisites
    - Procedure
  - Verify Cisco Security for Chromebooks Client Deployment
    - Procedure
  - Export Device Data to CSV
    - Procedure
  - Manage Device Deployment
    - Prerequisites for Device Deployment Management
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
  - Troubleshoot Cisco Security for Chromebooks Client Deployment
    - Procedure
- View Protection Status of Chromebook Devices
  - Procedure
- Add Policies to a Chromebook Device
  - Prerequisites
  - Procedure
- Cisco Security for Chromebooks Client FAQ
- Google Workspace Identity Service FAQ

Software Secure Access

Activity Manage

Cisco Secure Access Help Network Tunnel Configuration Establish a Tunnel Carrier-Grade NAT (CGNAT) Requirement

Last updated: Aug 07, 2025

Carrier-Grade NAT (CGNAT) Requirement

The Carrier-Grade NAT (CGNAT) configuration is necessary to ensure that network tunnels to Secure Access are functioning efficiently. CGNAT must be configured in the on-premises tunnel gateway to prevent connectivity issues, such as the inability to access private resources or inconsistent traffic routing, even when test connectivity results are successful. For example, Meraki MX devices may require CGNAT configuration to ensure efficient functioning.

However, this consideration is not limited to Meraki devices and is applicable to other supported network devices depending on the environment and requirements.

Ensure that the following subnets are reviewed for inclusion as part of the CGNAT configuration in your on-premises gateway:

CGNAT IP address range: 100.64.0.0/10
RA VPN and Management IP Pool subnets

Previous topic Tunnel Size Next topic Client Reachable Prefixes