Cisco Security

Login

Cisco Secure Access Help

Cisco Secure Access Help
- Welcome to Cisco Secure Access
  - Sign into Secure Access with Security Cloud Sign On
  - Find Your Organization ID
  - Determine Your Current Package
  - View Cloud Security Service Status
    - Secure Access Services Overview
    - Scheduled Maintenance
    - Service Status History
  - Contact Cisco Secure Access Support
  - Onboarding Resources
- Secure Access Single Sign-On Authentication
  - Configure Single Sign-On Authentication
  - Troubleshoot Single Sign On Authentication
- Get Started
  - Begin Secure Access Onboarding Workflow
  - Step 1 – Configure Network Connections
    - Task 1 – Add Network Connections
    - Task 2 – Provision Users and Groups
    - Task 3 – Configure Integrations with SAML Identity Providers
    - What's Next
  - Step 2 – Configure Access to Resources
    - Task 1 – Set Up Private Resources
    - Task 2 – Configure Rule Defaults and Global Settings
    - Task 3 – Add a Policy Rule
    - What's Next
  - Step 3 - Configure End User Connectivity
    - Task 1 – Configure Zero Trust
    - Task 2 – Configure Virtual Private Networks
    - Task 3 – Configure Internet Security
    - Configure Endpoints and Networks
  - Step 4 – Configure Endpoints and Network Sources
    - Add Networks to Secure Access
    - Set Up the Cisco Secure Client
    - Add IPS Profiles
    - Configure Rule Profiles
  - Secure Access Overview Dashboard
    - Get Started Workflow
    - Experience Insights
    - Connectivity
    - Data Transfer
    - Security
      - Security Activity
      - Top Security Categories
    - Users and Groups
    - Private Resources
  - Hybrid Private Access Workflow
    - Procedure
- Quickstarts
  - Prerequisites
  - Quickstart – Cisco Secure Client with Zero Trust Access
    - Procedure
  - Quickstart – Cisco Secure Client with Virtual Private Network
    - Procedure
  - Quickstart – Cisco Secure Client with Internet Security
    - Procedure
  - Quickstart – Browser with SAML Authentication
    - Procedure
  - Quickstart – Bring Your Own Device with Zero Trust
    - Procedure
- Limitations and Range Limits
  - Destinations for Client-Based Zero Trust Traffic
  - Domain Names
  - File Inspection and File Analysis
  - Internet Protocol Versions
  - Other Components
  - Reports
  - Resource Connectors and Resource Connector Groups
  - Service Connections
  - Users and Groups
- Network Requirements for Secure Access
  - Secure Access DNS Resolvers
    - Best Practices
    - Cisco Secure Client
    - Cisco Secure Client and External DNS Resolution
  - Secure Access Encrypted DNS Queries
  - Secure Access DNS, Web, and Block Pages
  - Secure Access DNS and Web – Client Configuration Services
  - Secure Access DNS and Web – Client Sync Services
  - Secure Access DNS and Web – Client Certificate Revocation Services
  - Cisco Secure Client and Captive Portal Detection
  - Cisco Secure Client and Device Hostnames
  - Transport Layer Security Protocol Requirements
    - TLS 1.2 Support in Windows
    - TLS 1.2 Support in macOS
  - Secure Access Secure Web Gateway Services
    - Egress IP Addresses for the Secure Web Gateway
    - Ingress IP Addresses for the Secure Web Gateway
  - Secure Access Encrypted Web Requests
  - Secure Access Realtime DLP Secure ICAP
  - Secure Access SaaS Tenants
    - Microsoft 365
  - Secure Access SAML Gateway Services
    - Active Directory Federation Service SAML Identity Provider
  - Secure Access SAML Identity Provider Domains
    - Azure AD SAML Identity Provider
  - Secure Access SAML Gateway Client Certificate Revocation Services
  - Secure Access VPN Services
  - Secure Access VPN Client Certificate Revocation Services
  - Secure Access Zero Trust Client-Based Enrollment Services
  - Secure Access Zero Trust Client-Based Proxy Services
    - Known Network Restrictions for Zero Trust Clients
  - Secure Access Zero Trust Client-Based Proxy – Client Certificate Revocation Services
  - Secure Access Zero Trust Proxy Services – Unmanaged Devices
  - Secure Access Zero Trust Services and Connector Groups
- Secure Access NAT as a Service
  - Web Traffic and NATaaS
  - Non-Web Traffic and NATaaS
  - Best Practices
  - Reserved IP
    - Network Requirements
    - Best Practices
    - Deployment of the Reserved IP
    - Known Limitations
    - Reporting and Reserved IP
    - Calculate Your Maximum Sessions
    - Troubleshooting
  - Reserved IP Supplemental Terms
- Manage Network Connections
  - IPsec Network Tunnels
  - Resource Connector Groups
  - Comparison of Network Connection Methods
  - If a Private Resource is Served by Both a Tunnel Group and a Connector Group
  - Comparison of Network Connection Methods
    - Resource Connectors (Deployed in Connector Groups)
    - Network Tunnels (Deployed in Network Tunnel Groups)
- Manage Network Tunnel Groups
  - IPsec Network Tunnels
    - Supported IPsec Parameters
  - Add a Network Tunnel Group
  - Delete a Network Tunnel Group
  - Edit a Network Tunnel Group
  - View Network Tunnel Group Details
- Network Tunnel Configuration
  - Establish a Tunnel
  - Routing Options and Guidelines
    - Static Routing
    - Dynamic Routing with BGP
    - Equal-Cost-Multi-Path (ECMP) Support
  - Configure Tunnels with Cisco Catalyst SD-WAN
  - Configure Tunnels with Cisco ISR
  - Configure Tunnels with Cisco Adaptive Security Appliance
    - Prerequisites
      - Licensing and Hardware
      - Network Access
    - Configure Tunnels in Secure Access
    - Configure ASA
    - Test and Verify
  - Configure Tunnels with Cisco Secure Firewall
    - Configure Secure Firewall Policy-based VPN
      - Configure Tunnels in Secure Access
      - Add Network Object
      - Add Traffic Selector ACL
      - Configure Site-to-Site VPN
      - Configure NAT Policy
      - Configure Access Policy
    - Configure Secure Firewall VTI, PBR, and Per Tunnel Identity
      - Configure Tunnels in Secure Access
      - Configure Site-to-Site VPN
      - Configure Policy-based Routing
      - Configure Access Policy
    - Troubleshooting
      - Enable Logging for Debugging
  - Configure Tunnels with Meraki MX
    - Prerequisites
    - Caveats and Considerations
    - Supported Use Cases and Requirements
      - Remote Access VPN and ZTA
      - Branch-to-Branch through Secure Access
      - Secure Internet Access with Non-Meraki VPN
    - Step 1: Add a Network Tunnel Group in Secure Access
    - Step 2: Configure a Tunnel in Meraki MX
    - Verification and Troubleshooting
    - Optional Configurations
  - Configure Tunnels with NEC IX2000 Series Router
    - Prerequisites
    - Configure Tunnels in Secure Access
    - Configure the NEC IX router
    - Test the NEC IX router Deployment
    - Other Resources
      - Supported IPsec Parameters
      - NEC IX router
  - Site-to-Site VPN tunnels with Microsoft Azure
    - Configure Azure S2S Tunnels with Static Routing
    - Configure Azure S2S Tunnels with Dynamic Routing with BGP
  - Configure a Site-to-Site VPN tunnel with Amazon Web Services
- Manage Resource Connectors and Connector Groups
  - Requirements and Prerequisites for Resource Connectors and Connector Groups
    - Guidelines for Connector Groups
    - Requirements and Guidelines for Connectors
    - Connectivity Requirements
    - Capacity Requirements
  - Allow Resource Connector Traffic to Secure Access
    - Region-Specific Destinations
    - Destinations For All Regions
  - Add Resource Connector Groups
    - Prerequisites
    - Guidelines for Configuring Domains and DNS Servers on Connectors Groups
    - Procedure
      - Configure Connector Group Name and Region
      - Estimate the Volume of Traffic to Your Resource Connectors
      - (Optional) Add Domains and DNS Servers for the Connector Group
    - What's Next
  - Add Connectors to a Connector Group
    - Step 1 – Deploy Secure Access Resource Connectors
    - Step 2 – Confirm Connectors
    - Step 3 – Assign Private Resources to Connector Group
  - Obtain the Connector Image
    - Requirements
    - Get the Connector Image for AWS
    - Get the Connector Image for Microsoft Azure
    - Download the Connector Image for VMware
    - Get the Connector Image for Docker
  - Provisioning Keys for Resource Connectors
  - Copy the Provisioning Key for a Connector Group
  - Deploy a Connector in VMware
    - Prerequisites
      - Add a Connector Group
      - Obtain the Connector Image
      - Disk Encryption
      - SSH Key Generation
    - UEFI Secure Boot Environment for Resource Connector Images
    - Procedure
    - Step 1 – Extract the Connector Image for VMware Tar File
    - Step 2 – Verify the Integrity of the Image
      - Validate the Signature
      - Verify the Checksum of the Signing Key
    - Step 3 – Deploy the OVF Template
    - Step 4 – Power on Connector Instances
    - Step 5 – Confirm Connectors
  - Deploy a Connector in AWS
    - Prerequisites
    - Get Connector Images on the AWS Marketplace
    - UEFI Secure Boot Environment for Resource Connector Images
    - Procedure
      - Step 1 – Launch an Amazon Machine Image for the Connector Instance
      - Step 2 – Configure the Connector
      - Step 3 – Launch the Connector Instance
  - Deploy a Connector in Azure
    - Prerequisites
    - UEFI Secure Boot Environment for Resource Connector Images
    - Deployment Requirements
    - Procedure
      - Step 1 – Get Connector Images on Microsoft Azure Marketplace
      - Step 2 – Configure the Resource Connector Virtual Machine
      - Step 3 – Connect to the Resource Connector Instance
  - Deploy a Connector in Docker
    - Set Up the Resource Connector and Container
    - Launch the Resource Connector in the Docker Container
    - Troubleshoot Container Deployments
      - Setup Failures
      - Check the Container's Status
      - Get the Version of the Docker Container Image
      - Stop the Container
      - Restart the Container
      - Delete the Container
      - Run Diagnostic and Techsupport Scripts
  - Determine the Number of Connectors Needed in a Connector Group
    - Procedure
  - Assign Private Resources to a Connector Group
    - Guidelines for Assigning a Private Resource to a Connector Group
    - Procedure
  - View a Connector Group's Connectors and Assigned Resources
    - Procedure
  - Edit a Resource Connector Group
    - Guidelines for Configuring Domains and DNS Servers on Connectors Groups
    - Procedure
      - Edit the Name of the Connector Group
      - Add Domains and DNS Servers for the Connector Group
      - Remove All Configured DNS Servers and Domains
      - Edit Configured Domains and DNS Servers for the Connector Group
  - Disable, Revoke, or Delete Resource Connectors and Groups
    - Disable, Revoke, or Delete a Connector
    - Disable or Delete a Resource Connector Group
  - Maintain and Monitor Resource Connectors and Connector Groups
    - Monitor Connector Group Status
    - View Connector Groups in Secure Access
    - View Connectors in Secure Access
    - Monitor Connector Status
    - View a Connector's Status
    - Enable a Connector in Secure Access
    - Increase Connector Group Capacity
    - Check Connector CPU Load
  - Troubleshoot Resource Connectors and Connector Groups
    - Throughput Capacity is Less Than Expected
    - Users Cannot Connect to Private Resources
    - Connector Software Auto-Upgrades
    - Connector Operating System (OS) Version has Security Vulnerabilities
    - Connector is Expired
    - Stop a Connector
    - Unable to Revoke or Delete a Connector
    - Unable to Sync
    - Connector-Related Status Graphs are not Current
    - (Container Only) Connector Troubleshooting Tools
    - (VM Only) Connector Diagnostics (CLI)
      - Run the Diagnostic Command on the Resource Connector
      - Supported Standard Linux Troubleshooting Commands
    - Diagnostic Codes
- Secure Access Regions
- Manage Users, Groups, and Endpoint Devices
  - View Users Provisioned in Secure Access
    - View User Details
  - View Group and Organizational Unit Details
    - Group Details
    - Organizational Unit Details
  - View Details for Endpoint Devices
    - View a Configured AD Device
  - Unenroll Devices for Client-Based Zero Trust Access
    - Reenroll the User Device on the Secure Client
  - Disconnect Remote Access VPN Sessions
- Manage User Directories and Device Management
  - Configure User Directory Integrations
    - View Directories
  - Manage Cloud Identity Providers
    - Add a Cloud Identity Provider
    - Edit an Identity Provider Integration
    - Delete an Identity Provider Integration
  - Import Users and Groups from CSV File
    - CSV File Format
    - CSV File Fields
    - View Provisioned Users and Groups in Secure Access
  - Manage API Keys for Provisioning Identities
    - Guidelines
    - Add the API Key for Managing Identities
    - Refresh the API Key for Managing Identities
    - Delete API Keys
    - View Details About Provisioned API Keys
    - View Details for Identities Provisioned with the API
    - View Endpoint Devices
  - Manage Active Directory Integration
    - Download the Active Directory Components
    - Edit the Active Directory Connector Auto-Upgrades
    - Edit Authentication Properties for the AD Integration
    - View Active Directory Components
    - Manage Sites for AD Components
    - Delete Active Directory Integration
  - Manage Google Workspace Account
  - Manage Imported Users and Groups
    - Upload a New CSV File with Users and Groups
    - Delete an Imported CSV File
- Manage Advanced Configuration Settings
  - Set Up Authentication Preferences for Identity Providers
  - Set Up IP Surrogates for SSO User Authentication
  - Set Up API Authentication
  - Manage IP Surrogates for User Authentication
    - How HTTPS Inspection Works
    - Enable IP Surrogates for User Authentication
    - Add Internal Networks for Bypass
    - Delete Internal Networks for Bypass
- Configure Identity Providers
  - Provision Users and Groups from Duo
    - Limits and Best Practices
    - Supported Features
    - Add the Duo IdP directory to Secure Access
    - View Provisioned Users and Groups in Secure Access
    - Refresh SCIM Token
    - Attribute Mapping (Mandatory)
  - Provision Users and Groups from Okta
    - Configure the Cisco User Management Connector App in Okta
      - Add the Cisco User Management Connector App in Okta
      - Add the Secure Access SCIM Token and URL in the App
      - Configure User Options in the App
    - (Optional) Add an objectGUID Attribute and Create the User Profile Mapping
      - Add the objectGUID Attribute
      - Create the User Profile Mappings
    - Customize the authName Attribute
    - Map the Custom authName Attribute to a User Profile
    - Assign Users or Groups in the App
    - Push Users or Groups from the App to Secure Access
    - View Logs in the App
  - Provision Users and Groups from Microsoft Entra ID
    - Configure Provisioning in Microsoft Entra ID
    - Configure Guest Users
- Provision Users, Groups, and Endpoint Devices from Active Directory
  - Prerequisites for AD Connectors
  - Connect Multiple Active Directory Domains
  - Manage AD Components
    - Add AD Components in Secure Access
      - Verify Auditing of Logon Events on Domain Controllers
      - Download the Windows Configuration Script for Domain Controllers
      - Run the Windows Configuration Script for the Domain Controllers
      - Add a Domain Controller in Secure Access
      - Add a Domain in Secure Access
    - Manage Sites for AD Components
      - Edit a Site
    - View AD Components in Secure Access
    - Delete AD Components
      - Delete an AD Component
      - Remove All AD Components
  - Manage AD Connectors
    - Configure Authentication for AD Connectors and VAs
      - How to Set Up Your API Credentials
        
        Step 1 – Create the Key Admin API Key Credentials
        
        Step 2 – Add the Key Admin API Key Credentials
      - Refresh Client API Key and Secret
      - Reset Client API Key
    - Configure Updates on AD Connectors
    - Connect Active Directory to Secure Access
      - Step 1 – Download the Active Directory Connector
      - Step 2 - Install the Active Directory Connector
    - (Optional) Specify AD Groups in Selective Sync File
      - Rename Selective Sync File After Upgrading to AD Connector v1.14.4
      - Create AD Groups in a Selective Sync File
    - Deploy LDIF Files for AD Connector
      - Step 1 – Download the Active Directory Connector
      - Step 2 – Install the Cisco AD Connector
      - Step 3 – Deploy the LDIF Source Files
      - Troubleshooting
    - Change the Connector Account Password
    - AD Connector Communication Flow and Troubleshooting
      - Communication Flow
      - Troubleshooting
  - Edit AD Authentication Properties
    - Best Practices: Configuring the AD Authentication Properties
  - AD Integration with Virtual Appliances
    - Network Diagram for VA Deployments
    - How to Set Up AD Components with VAs
    - Prerequisites for AD Connectors and VAs
    - Prepare Your AD Environment
      - About the AD Connector and Logon Events
      - Prerequisites
        
        Additional Prerequisites for the Windows Event Log Collector
      - Integrate AD with Domain Controllers
        
        Support for Multiple AD Domains and AD Forests
        
        Verify Auditing of Logon Events on Domain Controllers
        
        Download the Windows Configuration Script for Domain Controllers
        
        Run the Windows Configuration Script for the Domain Controllers
        
        Add a Domain Controller in Secure Access
        
        View the Registered AD Components in Secure Access
      - Integrate AD with a Centralized Windows Event Log Collector
        
        Step 1 – Add the Windows Event Log Collector in Secure Access
        
        Step 2 – Add the AD Domains in Secure Access
    - Connect Active Directory to VAs
      - How to Configure the Setup of the AD Connector
      - (Optional) Specify AD Groups in Selective Sync File
        
        Rename Selective Sync File After Upgrading to AD Connector v1.14.4
        
        Create AD Groups in a Selective Sync File
      - Step 1 – Add the Windows Event Log Collector in Secure Access
      - Step 2 – Download the Active Directory Connector
      - Step 3 - Install the Active Directory Connector
      - Change Connector Account Password
      - Configure Updates to AD Connectors
    - Multiple AD Domains with Secure Access Sites
      - Active Directory Sites and Secure Access Sites
      - Use Secure Access Sites
- Manage User Authentication Profiles
  - Requirements for Configuring SSO Authentication Profiles
  - About the Default Provisioning Profile
  - Add SSO Authentication Profiles
  - View SSO Authentication Profiles
  - About Single Sign-On for Users
    - Sign-On for Provisioned Users
      - Scenario
      - Sample Sign-On Window
    - Sign-On for Non-Provisioned Users
      - Scenario
      - Sample Sign-On Window
  - Edit an SSO Authentication Profile
    - (OIDC Only) Get Metadata for OIDC Configuration URL
    - Edit SAML User Authentication Profile
    - Edit OIDC User Authentication Profile
  - Delete SSO Authentication Profile
    - Delete SAML User Authentication Profile
    - Delete OIDC User Authentication Profile
- Configure Integrations with OIDC Identity Providers
  - About Using OpenID Connect with Secure Access
  - Use Cases – SSO Authentication
  - Configure Duo for OpenID Connect
    - Configure Duo SSO authentication through OIDC in Secure Access
    - View Provisioned Users and Groups in Secure Access
  - Configure Okta for OpenID Connect
    - Verify the UPN and preferred_username Mapping
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Configure the Identity Provider's OIDC Metadata
      - Step 3a – Add the Secure Access Redirect URI in Okta
      - Step 3b – Configure the Core Grants in Okta
      - Step 3c – Get the Okta OIDC Client ID and Secret
      - Step 3d – Get the Okta OIDC Configuration URL
    - Step 4 – Add the OIDC Metadata in Secure Access
  - Configure Microsoft Entra ID for OpenID Connect
    - Step 1 – Choose an Authentication Method
    - Step 2 – Add an Identity Provider
    - Step 3 – Configure the Identity Provider's OIDC Metadata
      - Step 3a – Add the Secure Access Redirect URI in Entra ID
      - Step 3b – Get the Client ID and Secret for Entra ID OIDC
      - Step 3c – Get the Tenant ID for Entra ID OIDC
    - Step 4 – Add the OIDC Metadata in Secure Access
- Configure Integrations with SAML Identity Providers
  - Use Cases – SSO Authentication
  - Prerequisites for SAML Authentication
  - Configure Microsoft Entra ID for SAML
    - Step 1 – Add SSO Authentication Profile in Secure Access
    - Step 2 – Add SAML Identity Provider in Secure Access
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add Secure Access Service Provider Metadata to Entra ID
      - Step 3c – Add the Entra ID SAML Metadata to Secure Access
  - Configure Okta for SAML
    - Step 1 – Add SSO Authentication Profile in Secure Access
    - Step 2 – Add Okta SAML Identity Provider in Secure Access
    - Step 3 – Download the Secure Access Service Provider Files
    - Step 4 – Configure Okta with the Secure Access SAML Metadata
    - Step 5 – Get Metadata from Okta App Integration
    - Step 6 – Add Okta Metadata in Secure Access
  - Configure AD FS for SAML
    - Step 1 – Add SSO Authentication Profile in Secure Access
    - Step 2 – Add AD FS Identity Provider in Secure Access
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add the Secure Access Service Provider Metadata to AD FS
      - Step 3c – Add the SAML IdP Metadata to Secure Access
  - Configure Duo Security for SAML
    - Step 1 – Add SSO Authentication Profile in Secure Access
    - Step 2 – Add Duo Identity Provider in Secure Access
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add Secure Access Service Provider Metadata to Duo Security
      - Step 3c – Add the Duo Security SAML Metadata to Secure Access
  - Configure Ping Identity for SAML
    - Step 1 – Add SSO Authentication Profile in Secure Access
    - Step 2 – Add Ping Identity Provider in Secure Access
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add the Identity Provider's SAML Metadata
      - Step 3c – Add the Ping Identity SAML Metadata to Secure Access
  - Configure OpenAM for SAML
    - Step 1 – Add SSO Authentication Profile in Secure Access
    - Step 2 – Add OpenAM Identity Provider in Secure Access
    - Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
      - Step 3a – Download the Secure Access Service Provider files
      - Step 3b – Add Secure Access Service Provider Metadata to OpenAM
      - Step 3c – Add the OpenAM Metadata to Secure Access
  - SAML Certificate Renewal Options
  - Test SAML Identity Provider Integration
- Manage End-User Connectivity
  - DNS Servers
  - Traffic Steering for Cisco Secure Client Connections
  - Virtual Private Networks Settings and Profiles
  - Internet Security
- FQDNs for Network Connections
  - About Fully Qualified Domain Names (FQDNs)
  - Global FQDN
  - Regional FQDNs
  - VPN Headend FQDN
- Manage DNS and DDNS Servers
  - Manage DNS Servers
    - Add a DNS Server
    - View DNS Servers
    - Edit a DNS Server
    - Delete a DNS Server
  - Map DNS Servers to Regions
    - Prerequisites
    - Procedure
  - Manage DDNS Servers
    - Prerequisites
    - About Configuring DDNS Servers
    - Add a DDNS Server Group
    - View DDNS Servers
    - Edit a DDNS Server
  - Map DDNS Servers to Regions
    - Prerequisites and Guidelines
    - Procedure
- Manage Virtual Private Networks
  - Manage AAA Servers
  - How to Manage Remote Access VPNs in Secure Access
  - Manage Regions and IP Pools
    - Prerequisites
    - Procedure
      - Add a Region Configuration
  - Add an IP Pool
    - Prerequisites
    - Procedure
      - Add an IP Pool
      - Add a RADIUS Group (optional)
  - Assign and Modify IP Pools
    - Prerequisites
    - Procedure
      - Assign an IP Pool
      - Modify IP Pools
      - Modify IP Pool Assignment
  - Manage RADIUS Servers and Groups
  - RADIUS and AAA Guidelines
    - Groups
    - RADIUS Protocol Support
  - Manage VPN Profiles
  - Add VPN Profiles
    - Prerequisites
    - Step 1 – General Settings
    - Step 2 – Authentication, Authorization, and Accounting
      - SAML
      - Authenticate with CA certificates
      - SAML Configuration
      - SAML Metadata XML Configuration
      - Manual Configuration
      - RADIUS
      - Certificate
    - Step 3 – Traffic Steering (Split Tunnel)
      - Step 3a – Traffic Steering (Split Tunnel)
      - Step 3b – Proxy and DNS Steering Settings
    - Step 4 – Cisco Secure Client Configuration
  - Add a RADIUS Group
    - Prerequisites
    - Procedure
  - Import ASA Device Configuration Files for Remote Access VPN
    - Prerequisites for Importing ASA Configuration Files for Remote Access VPN
    - Import an ASA Configuration to Secure Access Remote Access VPN Profile
  - Manage VPN Settings
    - Restrict manual host entries
  - Manage Machine Tunnels
    - Add a Machine Tunnel
      - Step 2 – Authentication for Machine Certificate
      - Step 3 – Traffic Steering (Split Tunnel)
      - Step 4 – Cisco Secure Client Configuration
    - Machine Tunnel - What to do Next
    - Authenticate Device Identity with Active Directory
      - Configure Active Directory Endpoint Device Management
    - Migrate AD User for Machine Tunnel to Identity Endpoint
  - Manage Application-Based Remote Access VPN (Per App VPN)
    - Benefits
  - Manage Custom Attributes
    - About Cisco Secure Client on Mobile Devices
      - Guidelines and Limitations for Secure Client AnyConnect on Android
      - Guidelines and Limitations for Secure Client AnyConnect on Apple iOS
    - Define Custom Attributes
      - Prerequisites
      - Supported Platforms
      - Limitations
      - Define Per App VPN Custom Attributes
        
        Step 1 - Determine the Application IDs for Mobile Applications
        
        Step 2 - Create a Base64 Encoded String for Each Mobile Application
        
        Step 3 - Create a Custom Attribute Object
      - Define Bypass Virtual Subnets Custom Attributes
        
        Procedure
      - Edit Cisco Secure Client Settings
        
        Procedure
  - Manage Secure Client Scripts
    - Guidelines and Limitations
    - Prerequisites
    - Enable Secure Client Scripts
    - Upload Secure Client Scripts
- Manage Client-Based Zero Trust Access in Secure Access
  - What is ZTA and How Does it Compare to VPN?
  - Zero Trust Access Use Cases
  - Block HTTPS Pages with Zero Trust Access
  - Zero Trust Access with Captive Portal Detection
  - Zero Trust Access Logs
  - Zero Trust Access Requirements and Limitations
  - Post Zero Trust Access Enrollment Action Items
- Manage Traffic Steering in the Default Zero Trust Access Profile
  - Procedure
- Traffic Steering for Zero Trust Access Client-Based Connections
  - Best Practices
  - Limits: Zero Trust Traffic Steering Rules
    - Windows or macOS
    - iOS
    - Android: Samsung, Chrome and Generic
  - Prerequisites
  - Procedure
  - View Zero Trust Traffic Rules
  - Manage Zero Trust Access Profiles
  - Edit a Zero Trust Traffic Rule
  - Delete a Zero Trust Traffic Rule
  - Using Wildcards to Configure Traffic Steering for Private Destinations
    - Exception
    - Prerequisites
    - Procedure
  - Addresses That Never Use Zero Trust Access
    - IPv6
    - IPv4
  - Zero Trust Access to Internet Destinations
    - Solution Overview
  - Manage Threat Defense Devices for Universal Zero Trust Network Access
    - View Threat Defense devices configured for Universal Zero Trust Network Access
      - Procedure
    - Associate Private Resources with Threat Defense Devices
      - Associate Private Resources with Firewall Threat Defense
    - Assign a Trusted Network to Threat Defense devices
      - Procedure
- Manage Internet Security
  - Set Up Internet Security on User Devices
    - Prerequisites
      - Visibility of User Identities in Policy Rules
    - Procedure
      - Download the OrgInfo.json File
      - Copy the PAC File URL
  - Manage Internet Security Bypass
    - About Internet Security Bypass
    - Set Up Internet Security Bypass
    - Add Destinations for Internet Security Bypass
      - Prerequisites
      - Procedure
        
        Steer Traffic to Secure Access or Bypass Domains
      - View Destinations for Internet Security Bypass
    - Edit Destination for Internet Security Bypass
      - Prerequisites
      - Procedure
    - Delete Destination for Internet Security Bypass
      - Prerequisites
      - Procedure
  - Configure Cisco Secure Client Settings
    - Procedure
    - Configure Security Settings
      - Configure DNS and Web Security
    - Configure Advanced Security Settings
      - Use Active Directory for Access Policy
      - Third Party VPN Compatibility
      - DNS Protection
      - Alternate Resolver IPs
      - DNS Backoff Settings
      - Secure Web Gateway Backoff Settings
- Manage PAC Files
  - Requirements for Downloading PAC Files to User Devices
    - Supported Versions of the Secure Client for PAC Files
  - About Using the Secure Client with PAC Files
  - Managing PAC File Deployments
  - Deploy the Secure Access PAC File for Windows
    - Prerequisites
      - Supported Versions of the Secure Client for PAC Files
    - Copy URL for Default PAC File or Custom PAC File
      - Copy URL for the the Secure Access PAC File
      - Copy URL for Custom PAC File
    - Procedure
      - Deploy the Secure Access PAC File URL for Chrome and Edge Browsers
      - Deploy the Secure Access PAC File URL for Firefox
  - Deploy the Secure Access PAC File for macOS
    - Prerequisites
      - Supported Versions of the Secure Client for PAC Files
    - Copy URL for Default PAC File or Custom PAC File
      - Copy URL for Secure Access PAC File
      - Copy URL for Custom PAC File
    - Procedure
      - Deploy the Secure Access PAC File URL to Chrome
      - Deploy the Secure Access PAC File URL to Firefox
      - Deploy the Secure Access PAC File URL to Safari
  - Customize the Secure Access PAC File
    - Prerequisites
    - Procedure
      - Copy the Secure Access PAC File
      - Download the Secure Access PAC File
      - Edit the PAC File
  - Upload Custom PAC Files to Secure Access
    - Prerequisites
    - Requirements for Uploading Custom PAC Files in Secure Access
    - Procedure
      - Uploading Custom PAC File and Error Conditions
    - Manage Uploaded Custom PAC Files
      - View Custom PAC Files in Secure Access
      - Copy URL for Custom PAC File
      - Replace Custom PAC File
      - Rename Custom PAC File
- Manage Proxy Chaining
  - Network Requirements
  - Forwarded-For (XFF) Configuration
    - On-Premises XFF Header Configuration (No Plug-In)
      - Guidelines
    - Browser Plugin XFF Header Configuration (No Proxy Chaining)
- Manage Registered Networks
  - Add Network Resources
    - Prerequisites
      - Dynamic IP Address—IPv4 Only
    - Procedure
      - Step 1 – Select the Network
      - Step 2 – Configure the Network Resource
      - Step 3 – Change the DNS Settings on Your Relevant Network Device
      - Step 4 – Apply a Policy Rule to the Network Resource
      - Step 5 – Test Your Network
  - Point Your DNS to Cisco Secure Access
    - Cisco Secure Access DNS Resolvers – IP addresses
    - Cisco Secure Access DNS Resolvers – Anycast IP Addresses
    - Prerequisites
    - Procedure
      - Step 1 – Identify Where Your Public DNS Server Addresses are Configured
      - Step 2 – Log Into the Server or Router Where DNS is Configured
      - Step 3 – Change Your DNS Server Addresses
        
        Primary and Secondary Servers
      - Step 4 – Test Your New DNS Settings
  - Clear Your DNS Cache
    - Prerequisites
    - Clear Your DNS Cache on Computers and Servers
      - Windows 7 and Earlier
      - Windows 8 and Newer
      - OS X 10.4 TIGER
      - OS X 10.5 and 10.6 LEOPARD
      - OS X 10.7 and 10.8 Lion
      - OS X 10.9 and 10.10
      - Linux
      - Ubuntu Linux
    - Clear Your DNS Cache on Browsers
      - Internet Explorer 8 and Newer – Windows
      - Mozilla Firefox – Windows
      - Apple Safari – macOS
      - Apple Safari – macOS
      - Google Chrome – Windows
      - Google Chrome – macOS
  - Update a Network Resource
    - Prerequisites
    - Edit the Registered Network Resource Name
    - Update the Registered Network Resource
  - Delete a Network Resource
    - Prerequisites
    - Procedure
- Manage Internal Networks
  - Add Internal Network Resources
    - Prerequisites
      - Add Resources to Associate with Internal Networks
    - Procedure
  - Update an Internal Network Resource
    - Prerequisites
    - Procedure
  - Delete an Internal Network Resource
    - Prerequisites
    - Procedure
- Manage Sites
  - How to Add and Associate Sites in Secure Access
- Manage Internet and SaaS Resources
- Manage Destination Lists
  - Add a Destination List
  - Upload Destinations From a File
  - Edit a Destination List
  - Download Destinations to a CSV File
  - Control Access to Custom URLs
    - Block a URL
      - URL Normalization
      - URL Normalization for Destination Lists
      - Troubleshooting Unblocked URLs
      - Reporting for Blocked URLs
    - Examples
  - Control Access to Domains
  - Troubleshoot Destination Lists
- Manage Application Lists
  - Add an Application List
    - Prerequisites
    - Procedure
    - What's Next
  - Application Categories
    - Category Descriptions
  - Delete an Application List
    - Prerequisites
    - Procedure
- Manage Content Category Lists
  - Available Content Categories
  - Add a Content Category List
    - Prerequisites
    - Procedure
  - Request a Category for an Uncategorized Destination
    - Prerequisites
    - Procedure
  - Dispute a Content Category
    - Prerequisites
    - Procedure
  - View Content Categories in Reports
    - Prerequisites
    - View Content Categories in Activity Search Report
    - View Content Categories in Top Threats Report
    - View Content Categories in Total Requests Report
    - View Content Categories in Activity Volume Report
    - View Content Categories in Top Destinations Report
    - View Content Categories in Top Categories Report
- Manage Tenant Control Profiles
  - Control Cloud Access to Microsoft 365
    - Prerequisites
    - Procedure
  - Control Cloud Access to Google G Suite
    - Prerequisites
    - Limitations
    - Procedure
  - Control Cloud Access to Slack
    - Prerequisites
    - Procedure
  - Control Cloud Access to Dropbox
    - Prerequisites
    - Procedure
  - Control Cloud Access to YouTube
    - Prerequisites
    - Procedure
  - Use Tenant Controls in Access Rules
  - Review Tenant Controls Through Reports
    - Prerequisites
    - Procedure
- Manage Network Devices
  - Prerequisites
  - How to Add a Network Device in Secure Access
  - Procedure
    - View the Network Devices in Secure Access
    - Edit a Network Device
    - Remove a Network Device
- Manage Roaming Devices
  - View Internet Security Settings for Roaming Devices
    - Prerequisites
    - Procedure
      - Host Information
      - Secure Web Gateway
      - Security Information – IPv4
      - Security Information – IPv6
  - Edit Internet Security Settings for Roaming Devices
    - Prerequisites
    - Procedure
      - Edit the Auto-Delete Interval for Roaming Devices
      - Disable the Internet Security Settings
      - Enable the Internet Security Settings
      - Remove the Internet Security Override on Roaming Devices
  - Delete a Roaming Device
    - Prerequisites
    - Procedure
- Manage Private Resources
  - Step 1 – Configure Private Resources
    - Optional Configuration for Private Resources
  - Step 2 — Set Up Network Connections, VPN Profiles, and Certificates
  - Step 3 — Add Private Resources in Policy Rules
  - Step 4 — Set Up the Cisco Secure Client and Distribute URLs
  - Add a Private Resource
    - Prerequisites
    - Define a Private Resource
    - Private Resource Address
    - Endpoint Connection Methods
      - Zero-Trust Connections
      - VPN Connections
    - Resource Connector Groups
    - Decryption
    - View Access Rules Associated with a Private Resource
    - What's Next
  - Discover Private Resources
  - Test Private Resource Reachability
  - Add a Private Resource Group
    - Prerequisites
    - Procedure
  - Private Resource Configuration Examples
- Manage Connections to Private Destinations
  - Using Private Resources for SaaS Internet Destinations
  - Comparison of Zero Trust Access and VPN
    - Zero Trust Access security benefits
    - Zero Trust Access end user benefits
  - Timeout Intervals for Zero Trust Access Sessions
    - About Zero Trust Access Sessions
    - ZTA Connections to Private Resources
    - ZTA Connections to Private Resources with IPS or File Malware Scanning
    - ZTA Connections to Internet Destinations
  - Comparison of Client-Based and Browser-Based Zero Trust Access Connections
    - About Client-Based Connections
    - About Browser-Based Connections
  - Requirements for Zero Trust Access
  - Configure Client-Based Zero Trust Access for Private Destinations
  - Configure Browser-Based Zero Trust Access to Private Resources
  - Network Authentication for Zero Trust Access
  - Connection Scenarios for Private Destinations
  - Manage Branch Connections
    - Endpoint Connection Methods
    - Branch Networks in Private Access Rules
      - Users and Groups Connections to Private Resources
      - Sources for Branch Network Connections
      - Destinations for Branch Network Connections
      - Source Connections to Destinations
    - Add an IPS Profile on Private Access Rules
    - Log Connections From Branch Networks to Private Resources
  - Allow SSH and RDP Access to Private Resources
    - Browser-Based Zero Trust Access
      - Configuration overview: Browser-based zero trust access using SSH or RDP
      - Notes for browser-based SSH and RDP access
      - Supported options for SSH access
    - Client-Based Zero Trust Access
  - Application Portal for Zero Trust Access Browser-Based User Access
    - What Users Experience
    - Requirements for Users and User Endpoint Devices
    - Application Portal Prerequisites
    - Configure an Application Portal for Zero Trust Access Browser-Based User Access
    - (Optional) Modify Settings
- Manage Schedules
  - Add a Schedule
  - View and Manage Schedules
    - View Schedules in Secure Access
    - Edit a Schedule
    - Delete a Schedule
- Get Started with Network and Service Objects
  - About Network and Service Objects and Groups
  - Benefits of Adding and Using Network and Service Objects
  - General Limits for Objects
  - General Limits for Groups
  - Get Started with Network and Service Objects
    - Network Objects and Network Object Groups
    - Service Objects and Service Object Groups
  - Quickstart: Network and Service Objects
    - Prerequisites
    - Procedure
  - Access Rules with Network and Service Objects
    - About Network or Service Objects in Access Rules
      - Internet or Private Access Rules
    - Using Network Objects for Sources in Access Rules
    - Using Network and Service Objects for Destinations in Access Rules
  - Combine Destinations with Boolean Logic
    - How Destinations are Combined on Access Rules
      - Logical AND Operator with Network and Service Objects
      - Supported Combinations of Destinations with Logical AND Operator
  - Manage Network Objects and Groups
    - Get Started with Network Objects
      - About Network Objects
      - Add a Network Object
      - Import a CSV File with Network Objects
      - Manage a Network Object
    - Get Started with Network Object Groups
      - Add Network Object Groups
      - Manage a Network Object Group
    - View Network Objects and Groups
    - Add a Network Object
      - Guidelines: Add Network Objects in Secure Access
      - Network Object Prerequisites
      - Add a Network Object
    - Add a Network Object Group
      - Guidelines: Add Network Object Groups in Secure Access
      - Prerequisites
      - Procedure
    - Import CSV File of Network Objects
      - Guidelines: Import Network Objects in Secure Access
      - Prerequisites
      - Procedure
      - Examples of Valid CSV Files
        
        CSV File with Network Object of FQDN Type
        
        CSV File with Network Object of Host Type
        
        CSV File with Network Object of Network Type
        
        CSV File with Network Object of Range Type
    - Manage a Network Object
      - Prerequisites
      - Procedure
        
        Edit a Network Object
        
        Duplicate a Network Object
        
        Delete a Network Object
    - Manage a Network Object Group
      - Prerequisites
      - Procedure
      - View Objects, Groups and Values in a Network Object Group
      - Edit a Network Object Group
      - Duplicate a Network Object Group
      - Delete a Network Object Group
    - View Network Objects and Groups
      - Prerequisites
      - Procedure
  - Manage Service Objects and Groups
    - Get Started with Service Objects
      - About Service Objects
      - Add a Service Object
      - Import CSV File with Service Objects
      - Manage a Service Object
    - Get Started with Service Object Groups
      - Add Service Object Groups
      - Manage a Service Object Group
    - View Service Objects and Groups
    - Add a Service Object
      - Prerequisites
      - Guidelines: Add Service Objects in Secure Access
      - Procedure
    - Add a Service Object Group
      - Guidelines: Add Service Object Groups in Secure Access
      - Prerequisites
      - Procedure
    - Import CSV File of Service Objects
      - Guidelines: Import Service Objects in Secure Access
      - Prerequisites
      - Procedure
      - Examples of Valid CSV Files
        
        CSV File with Service Object and UDP Protocol
        
        CSV File with Service Object and TCP Protocol
        
        CSV File with Service Object and ICMP Protocol
        
        CSV File with Service Object and Any Protocols and Port Range
    - Manage a Service Object
      - Prerequisites
      - Procedure
        
        Edit a Service Object
        
        Duplicate a Service Object
        
        Delete a Service Object
    - Manage a Service Object Group
      - Prerequisites
      - Procedure
      - View Objects, Groups and Values in a Service Object Group
      - Edit a Service Object Group
      - Duplicate a Service Object Group
      - Delete a Service Object Group
    - View Service Objects and Groups
      - Prerequisites
      - Procedure
- Manage the Access Policy
  - Private and Internet Access Rules in Your Policy
  - Default Access Rules in Your Policy
  - Rule Defaults and Global Settings
  - About the Access Policy
    - Best Practices
    - Rule Data
  - Show Additional Data on Your Access Rules
    - Prerequisites
    - Procedure
  - Edit the Order of the Rules in Your Access Policy
  - Rule Defaults: Default Settings for Access Rules
    - Zero Trust Access: Endpoint Posture Profiles
    - Zero Trust Access: User Authentication Interval
      - User Authentication Default Interval Settings
    - Intrusion Prevention (IPS)
    - Security Profile
    - Tenant Control Profile
  - Manage Global Settings for Access Rules
    - Prerequisites
    - Procedure
    - Display User Input Field on Warn Pages
      - About the Warn Page User Input Field
    - Microsoft 365 Compatibility
      - Tenant Controls
      - Limitations
    - Decryption
    - Disable Decryption for Specific Sources
    - Decryption Logging
    - Certificate Pinning
  - Edit Rule Defaults and Global Settings
    - Prerequisites
    - Procedure
  - Edit or View the Default Access Rules
    - Default Internet Access Rule
    - Default Private Access Rule
    - View or Edit Default Access Rules
  - Using Wildcard Masks on Access Rules
    - Wildcard Masks in Composite Sources or Destinations
    - Guidelines
    - Examples of Wildcard Masks
- Get Started With Internet Access Rules
  - Control Egress IP Address for Select SaaS Internet Destinations
  - Components for Internet Access Rules
    - Sources
    - Destinations
    - Security Controls
      - Intrusion Prevention (IPS)
        
        Set Up Certificates for Decrypting Internet Traffic
        
        Configure Intrusion Prevention (IPS) Profiles
        
        Configure the Do Not Decrypt List for IPS
      - Security Profile
        
        Configure Threat Category Settings
        
        Configure SSO Authentication
        
        Set Up Certificates for Decrypting Internet Traffic
        
        Configure Do Not Decrypt Lists
        
        (Optional) Configure Custom End-User Block and Warn Notifications
        
        Configure Security Profiles for Internet Access
      - Tenant Controls
  - Default Settings for Internet Access Rules
  - Add an Internet Access Rule
    - Prerequisites
    - Procedure
    - Access Criteria
      - Disable or Enable the Rule
      - Logging settings
      - Summary
      - Rule Name
      - Rule Order
      - Rule Action
      - Pre-Configured Sources
      - AND Operator With Pre-Configured Sources
      - Composite Sources
      - Pre-Configured Destinations
      - Composite Destinations
      - App Risk Profiles
      - Advanced Application Controls
    - Security Control Options
      - Intrusion Prevention (IPS)
      - Security Profile
      - Tenant Control Profile
      - Schedule Enablement Time and Date
      - Advanced Security Controls
    - Next Steps
  - About Configuring Sources in Internet Access Rules
    - Source Components for Internet Access Rules
    - Composite Sources for Internet Access Rules
    - Combining Multiple Sources in a Rule with Boolean Logic
  - About Configuring Destinations in Internet Access Rules
    - Number of Destinations in a Rule
    - Guidelines: Adding Destinations on Internet Access Rules
    - Pre-Configured Destinations on an Internet Rule
    - About Configuring Threat Categories on Internet Access Rules
    - Application Lists and Application Categories on an Internet Rule
    - Application Protocols on an Internet Rule
      - How Application Protocols Combine with Composite Destinations
    - Network and Service Objects on Internet Access Rules
    - Composite Destinations for Internet Access Rules
      - Limitations of Composite Destinations
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Ports
      - Protocols
      - Adding Composite Destinations
      - Combining Destination Components as a Single Destination
    - Combining Multiple Destinations in a Rule (Boolean Logic)
  - Ensure Rule Matching for Encrypted Internet Traffic
  - Block Internet Access to Geographic Locations
  - Advanced Application Controls
    - Applications with Advanced Controls
      - Cloud Storage
      - Collaboration
      - Content Management
      - Media
      - Office Productivity
      - P2P
      - Social Networking
    - Prerequisites
    - Procedure
    - Troubleshooting
  - Global Settings for Internet Access Rules
  - About Isolated Destinations
    - Secure Access Package Support for RBI and Isolation Rules
    - Verifying Isolation
    - Limitations of Isolation
    - Isolate Downgrade
      - Filter Isolate Rules
      - Duplicate a Downgraded Isolate Rule
  - Troubleshoot Internet Access Rules
    - General troubleshooting tips
    - Problems while creating the rule
      - The Next button is unavailable
    - Problems after creating a rule
      - Internet traffic is unexpectedly blocked
      - Internet traffic is unexpectedly allowed
      - Internet Access rule is not matching traffic as expected
- Get Started With Private Access Rules
  - Components for Private Access Rules
    - Sources
    - Destinations
      - Private Resources
      - Private Resource Groups
      - Network Objects
      - Network Object Groups
      - Service Objects
      - Service Object Groups
    - Endpoint Posture Profiles (for Endpoint Requirements)
    - Security Controls
      - Intrusion Prevention (IPS)
      - Security Profile, for File Inspection and File Type Controls
  - Default Settings for Private Access Rules
  - Add a Private Access Rule
    - Prerequisites
    - Set Up the Private Access Rule
      - Enable the Rule and Edit Your Logging Settings
      - Add a Rule Name
      - Choose a Rule Order
    - Step 1 — Specify Access Options
      - Rule Action
      - Pre-Configured Sources
      - Composite Sources
      - Pre-Configured Destinations
      - Composite Destinations
      - Endpoint Requirements
      - User Authentication Requirements
    - Step 2 — Configure Security Control Options
      - Intrusion Prevention (IPS)
      - Security Profile
    - Summary
  - About Configuring Sources in Private Access Rules
    - Source Components for Private Access Rules
    - Composite Sources for Private Access Rules
      - Limitations of Composite Sources
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Adding Composite Sources
      - Combining IPs, CIDRs, or Wildcard Masks on a Source
    - Combining Multiple Sources in a Rule (Boolean logic)
  - About Configuring Destinations in Private Access Rules
    - Destination Components for Private Access Rules
    - Network and Service Objects on Private Access Rules
    - Composite Destinations for Private Access Rules
      - IP Addresses, CIDR Blocks, and Wildcard Masks
      - Ports
      - Protocols
      - Adding Composite Destinations
      - Combining Destination Components as a Single Destination
    - Combining Multiple Destinations in a Rule (Boolean Logic)
  - About ZTA Private Access Enforcement
    - Most Specific Match Enforcement Mode
    - Multi-App Match Enforcement Mode
      - Examples
        
        Scenario 1: Multiple matching IP/CIDR destinations in different resources
        
        Scenario 2: Multiple matching FQDN destinations in different resources
        
        Scenario 3: Multiple matching rules by source and destination – rule ordering priority in effect
        
        Scenario 4: Tie-breaker scenarios for multiple valid resource destinations in matched rule
    - Multi-App with Resolved IP Match Enforcement Mode
      - Examples
        
        Scenario 1: FQDN resource-based rule at higher priority than IP resource-based rule
        
        Scenario 2: IP resource-based rule at higher priority than FQDN resource-based rule
        
        Scenario 3: Tie-breaker scenario for FQDN-IP overlap within the same rule
  - About Endpoint Requirements in Access Rules
  - Allowing Traffic from Users and Devices on the Network
  - Global Settings for Private Access Rules
  - Troubleshoot Private Access Rules
    - General Troubleshooting Tips
    - Problems While Creating a Rule
      - Next button is not available
    - Problems After Creating a Rule
      - Traffic is unexpectedly blocked
      - Traffic is unexpectedly allowed
      - Rule does not match traffic as expected
- Get Started with the Cisco Assistant
  - Prerequisites
  - Procedure
  - Cisco Assistant Navigation
  - What's Next
  - Add Rules with the Cisco Assistant
  - Enter a Natural Language Prompt to Generate Policy Rules
  - Cisco Assistant Rule Examples
  - Contextual Conversations
  - Find Documented Answers with the Cisco Assistant
    - Best Practices for Prompts
    - Contextual Conversations
  - Troubleshoot with the Cisco Assistant
  - Messages Generated by the Cisco Assistant
    - Examples of Cisco Assistant Responses to Prompts
- Manage Endpoint Security
  - About Endpoint Posture
  - About Posture Profiles
  - Endpoint Posture Assessment
  - Endpoint Attributes
    - Supported Operating Systems
      - Zero Trust Connections
      - VPN Connections
    - Firewall Conditions
    - Endpoint Security Agents
    - System Password Enforcement
    - Disk Encryption
    - Supported Browsers
    - Windows Registry Conditions
    - Windows Domain Join
    - File Conditions
    - Process Conditions
    - Certificate Conditions
      - Prerequisites
      - About Certificate Conditions
- Manage Zero Trust Access Posture Profiles
  - Zero Trust Access Posture Attributes
  - Add a Client-Based Zero Trust Access Posture Profile
    - Prerequisites
    - Procedure
  - Add a Browser-Based Zero Trust Access Posture Profile
    - Prerequisites
    - Procedure
- Manage VPN Connection Posture Profiles
  - VPN Posture Attributes
  - Add a VPN Connection Posture Profile
    - Prerequisites
    - Procedure
- Manage IPS Profiles
  - How IPS Works
    - Hit Counts
    - Cisco-Provided IPS Signature Lists
  - Decryption is Required for Effective Intrusion Prevention
  - Exceptions for Traffic That Should Not be Decrypted
  - IPS is Used in Both Types of Access Rules
  - Add a Custom IPS Signature List
    - Prerequisites
    - Procedure
    - Reset a Signature's Action
- Manage Security Profiles
  - Security Profiles for Internet Access
    - Functionality Included in a Security Profile for Internet Access
    - Decryption
    - SSO Authentication
      - Requirements for Enabling OIDC Authentication
      - Requirements for Enabling SAML Authentication
      - Requirements for Disabling SAML Authentication
    - Security and Acceptable Use Controls
    - End-User Notifications
    - Get Started: Security Profiles for Internet Access
  - Add a Security Profile for Internet Access
    - Prerequisites
    - Procedure
    - Add a Security Profile
    - Enable or Disable Decryption
    - SSO Authentication
    - Security and Acceptable Use Controls
      - Threat Categories
      - File Inspection
      - File Type Blocking
      - SafeSearch
      - AI Supply Chain Blocking
    - Configure End-User Notifications
    - View Security Profiles
    - Configure Additional Security Options
    - Add a Security Profile on Internet Access Rules
    - Edit a Security Profile
    - Delete a Security Profile
  - Enable SafeSearch
    - Enable SafeSearch
    - Confirm That SafeSearch is Working
      - Google
      - YouTube
      - Yahoo
      - Bing
  - Security Profiles for Private Access
  - Add a Security Profile for Private Access
    - Prerequisites
    - Procedure
    - Next steps
- Manage App Risk Profiles
  - App Risk Profile Attributes
  - Add an App Risk Profile
    - Prerequisites
    - Procedure
- Manage Threat Categories
  - Default Threat Category List
  - Reporting on Threat Category Access Attempts
  - Threat Category Descriptions
  - Add a Threat Category List
    - Prerequisites
    - Procedure
  - Dispute a Threat Categorization
    - Prerequisites
    - Procedure
- Manage File Inspection and File Analysis
  - Overview of Configuring File Inspection and Analysis
  - File Inspection Details
    - Cisco Advanced Malware Protection (AMP)
    - Antivirus Scanner
  - Cisco Secure Malware Analytics (formerly Threat Grid) Details
    - Supported Files and File Limitations
    - Secure Malware Analytics Sandbox
  - Enable File Inspection
    - Prerequisites
    - Procedure
  - Enable File Analysis by Cisco Secure Malware Analytics
    - Prerequisites
    - Procedure
  - Test File Inspection for Internet Access
    - Prerequisites
    - Procedure
      - Block Page Diagnostic Information
  - Monitor File Inspection and Analysis Activity
    - Monitor and Review File Inspection and Analytics
    - Monitor and Review Secure Malware Analytics
      - Monitor File Submission Limits
  - Troubleshoot File Inspection and Analysis
- Manage File Type Controls
  - Enable File Type Controls
    - About File Type Controls for Internet Access
    - About File Type Controls for Private Access
    - Prerequisites
    - Procedure
    - Enable File Type Blocking for Internet Access
    - Enable File Type Blocking for Private Access
  - File Types to Block
  - Review File Type Controls Through Reports
    - Prerequisites
    - Procedure
- Manage Notification Pages
  - View Notification Pages Displayed to End Users
  - Display Custom Notification Pages to End Users
  - About Warn Pages for Internet Access Traffic
  - Warn Page: Click Link and Continue to Destination
  - Warn Page: Enter Key Word and Continue to Destination
  - Preview Notification Pages
    - Prerequisites
    - Procedure
  - Create Custom Block and Warn Pages
    - Prerequisites
    - Create Custom Block and Warn Pages
    - Link a Custom Notification Page Appearance to a Security Profile
    - Next Steps
  - Allow Users to Contact an Administrator
    - Prerequisites
    - Procedure
  - Block Page IP Addresses
    - IP Addresses for Secure Access Block Pages
    - Domains for Secure Access Block Pages
- Manage Traffic Decryption
  - Internet Access Features That Require Decryption
  - Internet Traffic That Should Not Be Decrypted
  - Decryption in Private Access Rules
  - Decryption Settings
  - Decryption Requires Certificates
  - Decryption Logging
  - Troubleshooting Decryption
  - Important Information About Do Not Decrypt Lists
    - Do Not Decrypt List for IPS
    - Do Not Decrypt Lists for Security Profiles for Internet Access
    - Differences Between IPS and Features in Security Profiles
    - The System-Provided Do Not Decrypt List
    - Limitation: Do Not Decrypt Based on Content Category
  - Add a Do Not Decrypt List for Security Profiles for Internet Access
    - Prerequisites
    - Procedure
- Manage Certificates
  - Certificate Installation Methods
  - Certificates for Internet Decryption
    - Certificates for Displaying Notifications
    - Certificates for Decrypting Internet Traffic
      - Option 1: Distribute Self-Signed Certificates to End-User Devices
      - Option 2: Use a Signed Certificate for Decrypting Internet Traffic
  - Install the Cisco Secure Access Root Certificate
    - Prerequisites
      - Download the Cisco Secure Access Root Certificate
    - Automatically Install the Cisco Secure Access Root Certificate (For an Active Directory Network)
      - Install the Cisco Secure Access Root Certificate with Group Policy Using the Microsoft Management Console (MMC)
      - Install the Cisco Secure Access Root Certificate with Group Policy Using the Group Policy Management Console (GPMC)
    - Install the Cisco Secure Access Root Certificate in Firefox Using Group Policy
    - Install the Cisco Secure Access Root Certificate on Chromebooks Using the Google Admin Console
    - Manually Install the Cisco Secure Access Root Certificate (Single Computer)
      - Install the Cisco Secure Access Root Certificate in Edge or Chrome on Windows
      - Install the Cisco Secure Access Root Certificate in Firefox on Windows
      - Install the Cisco Secure Access Root Certificate in All Browsers on Mac OS X
      - Install the Cisco Secure Access Root Certificate on Mac OS X Through the Command Line
      - Install the Cisco Secure Access Root Certificate in Chromium or Chrome on Linux
  - Add Customer CA Signed Root Certificate
    - Prerequisites
      - Certificate Requirements
    - Install Root Certificate in Browsers
    - Procedure
  - View the Cisco Trusted Root Store
    - Prerequisites
      - Download the Cisco Trusted Union Root Bundle
    - Extract the Certificates
      - Step 1: Extract the Signing Certificate
      - Step 2: Extract Certificate Bundle as Message
      - Step 3: Extract PEM-Formatted Certificates From Bundle
      - Step 4: Generate Individual Certificate Files
        
        Linux
        
        macOS
    - View an Individual Certificate File
  - Manage Certificates for Private Resource Decryption
    - Prerequisites
      - Install a Certificate Authority Certificate on a Private Resource
    - Procedure
      - View Notifications About Expired Private Resource Certificates
      - Upload Private Resource Certificates
        
        Option 1: Upload or enter a certificate-key pair directly to the private resource
        
        Option 2: Upload a certificate and key to the Certificates page
  - Certificates for Private Resource Decryption
  - Certificates for SAML Authentication
  - Manage SAML Certificates for Service Providers
    - Prerequisites
    - Procedure
      - View Notifications About Expired Service Provider Certificates
      - Download Web Security and Zero Trust Service Provider Certificates
      - Download Virtual Private Network Service Provider Certificates
  - Manage SAML VPN Service Provider Certificate Rotation
    - Prerequisites
    - Procedure
      - View Notifications About Expired Service Provider Certificates
      - Activate a New VPN Service Provider Certificate
  - Manage SAML Certificates for Identity Providers
    - Prerequisites
    - Procedure
      - View Notifications About Expired Identity Provider Certificates
      - Manage Web Security and Zero Trust Identity Provider Certificates
      - Manage Virtual Private Network Identity Provider Certificates
  - VPN Certificates for User and Device Authentication
  - Manage CA Certificates for VPN Connections and Zero Trust Access Enrollment
    - Prerequisites
      - Install an Identity Certificate on User Devices
    - Procedures
    - View Notifications About Expired CA Certificates for Client Authentication
    - Upload Certificate Authority (CA) Certificates for client authentication
    - View Uploaded CA Certificates
    - Manage Certificate Revocation Settings
    - View CA Certificate Details
    - Change the Purpose of an Uploaded CA Certificate
    - Delete a Client Authentication CA Certificate
    - Expired Certificates
- Manage the Data Loss Prevention Policy
  - Add a Real Time Rule to the Data Loss Prevention Policy
    - Prerequisites
    - Procedure
  - Understand Exclusions in a Real Time Rule
  - Supported Applications
  - Add a SaaS API Rule to the Data Loss Prevention Policy
  - Add an AI Guardrails Rule to the Data Loss Prevention Policy
    - Prerequisites
    - Procedure
  - Discovery Scan
    - Prerequisites
    - Initiate a Discovery Scan
    - Cancel a Discovery Scan
  - Edit a Data Loss Prevention Rule
  - Delete a Data Loss Prevention Rule
    - Prerequisite
    - Procedure
  - Enable or Disable a Data Loss Prevention Rule
    - Prerequisites
    - Disable a Rule
    - Enable a Rule
  - Supported File and Form Types
  - Best Practices for the Data Loss Protection Policy
- Manage Data Classifications
  - Create a Data Classification
    - Built-In Identifiers
    - Machine Learning Identifiers
    - Custom Identifiers
    - Exact Data Match Identifiers
    - Indexed Document Match Identifiers
    - Prerequisites
    - Procedure
  - Copy and Customize a Built-In Data Classification
    - PII Data Classification
    - PCI Data Classification
    - GDPR Data Classification
    - HIPAA Data Classification
    - Prerequisites
    - Procedure
  - Delete or Edit a Classification
    - Prerequisites
    - Delete a Classification
    - Edit a Classification
  - Create an Exact Data Match Identifier
    - Prerequisites
    - Procedure
  - Index Data for an EDM
    - Prerequisites
    - Run the DLP Indexer to Create an EDM Identifier
    - Update the Indexed Data Set Periodically
    - Troubleshooting
  - Exact Data Match Field Types
    - Supported EDM Types
  - Create an Indexed Document Match Identifier
    - Prerequisites
    - Limitations
    - Create an Indexed Document Match Identifier
    - Monitor the Indexed Data Set and Re-Index as Needed
    - Troubleshooting
  - Built-In Data Classifications
- Built-in Data Identifiers
  - Tolerances
  - Copy and Customize a Data Identifier
    - Prerequisites
    - Procedure
  - Create a Custom Identifier
    - Prerequisites
    - Procedure
  - Custom Regular Expression Patterns
    - Limitations
      - General
      - Regex Syntax
      - Regex Breadth
      - Word Boundary
  - Individual Data Identifiers
    - Drug Name
    - Health Condition
    - ICD-10 Code
    - US Person Name
- Manage AI Guardrails Data Classifications
  - Create an AI Guardrails Data Classification
    - Prerequisites
    - Procedure
  - Copy and Customize a Built-In AI Guardrails Data Classification
    - Security Guardrail
    - Safety Guardrail
    - Privacy Guardrail
    - Prerequisites
    - Procedure
  - Delete or Edit an AI Guardrails Data Classification
    - Prerequisites
    - Delete an AI Guardrails Data Classification
    - Edit an AI Guardrails Data Classification
- Manage Secure ICAP
  - Prerequisites
  - Secure ICAP Integration
  - Modify an ICAP Server Connection
  - Disconnect from an ICAP Server
- Requirements for Salesforce Tenants for Cloud Malware and SaaS API DLP
  - Salesforce sObjects Supported for SaaS API DLP
  - Install or Update Node.js
  - Install the Salesforce CLI
  - Deploy the Salesforce Quarantine Package to your Salesforce Tenant
  - Log In to Your Salesforce Org
  - Set Permissions in Salesforce
- Manage SaaS API Data Loss Prevention
  - Enable SaaS API Data Loss Prevention for AWS Tenants
    - Prerequisites
    - Limitation
    - Enable CloudTrail Event Logging for S3 Buckets and Objects
    - Obtain Your AWS Account ID
    - Authorize an AWS Tenant
    - Create an AWS Stack
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Azure Tenants
    - Prerequisites
    - Limitation
    - Authorize an Azure Tenant
    - Run an Azure PowerShell Script to Obtain Account Information
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Box Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Dropbox Tenants
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Google Drive Tenants
    - Validation
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Microsoft 365 Tenants
    - Prerequisites
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Salesforce Tenants
  - Enable SaaS API Data Loss Prevention for ServiceNow Tenants
    - Prerequisites
    - Limitation
    - Find the Instance Name for your ServiceNow admin Account
    - Assign the oauth_user role to the ServiceNow admin Account
    - Add an OAuth Client to Your ServiceNow Deployment
    - Authorize a Tenant
    - Revoke Authorization
    - View the Cisco Quarantine Table in Service Now
  - Enable SaaS API Data Loss Prevention for Slack Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Revoke Authorization
  - Enable SaaS API Data Loss Prevention for Webex Teams
    - Authorize a Tenant
    - Revoke Authorization
- Manage Cloud Malware Protection
  - Cloud Access Security Broker Protection for Google Drive and Microsoft 365
  - Enable Cloud Malware Protection
    - Prerequisites
    - Procedure
  - Revoke Authorization for a Platform
    - Prerequisites
    - Procedure
  - Enable Cloud Malware Protection for AWS Tenants
    - Prerequisites
    - Limitation
    - Enable CloudTrail Event Logging for S3 Buckets and Objects
    - Obtain Your AWS Account ID
    - Authorize an AWS Tenant
    - Create an AWS Stack
    - Revoke Authorization
  - Enable Cloud Malware Protection for Azure Tenants
    - Prerequisites
    - Limitation
    - Authorize an Azure Tenant
    - Run an Azure PowerShell Script to Obtain Account Information
    - Revoke Authorization
  - Enable Cloud Malware Protection for Box Tenants
    - Prerequisites
    - Limitations
    - Verify Box Application Settings
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Dropbox Tenants
    - Authorize a Tenant
    - Revoke Authorization
  - Enable Cloud Access Security Broker Features for Google Drive
    - Prerequisites
    - Limitation
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Access Security Broker Protection for Microsoft 365 Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Salesforce Tenants
    - Edit a Salesforce Cloud Malware Tenant
  - Enable Cloud Malware Protection for ServiceNow Tenants
    - Prerequisites
    - Limitation
    - Find the Instance Name for your ServiceNow admin Account
    - Assign the oauth_user role to the ServiceNow admin Account
    - Add an OAuth Client to Your ServiceNow Deployment
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
    - View the Cisco Quarantine Table in Service Now
  - Enable Cloud Malware Protection for Slack Tenants
    - Prerequisites
    - Limitations
    - Authorize a Tenant
    - Edit a Tenant
    - Revoke Authorization
  - Enable Cloud Malware Protection for Webex Teams
    - Authorize a Tenant
    - Revoke Authorization
- Manage Logging
  - Enable Logging
  - Enable Logging to Your Own S3 Bucket
    - Procedure to Enable Logging to Your Own S3 Bucket
    - S3 Bucket Data Path
    - Download Files From the S3 Bucket Locally
  - Enable Logging to a Cisco-Managed S3 Bucket
    - Best Practices for Rotating an S3 Bucket Key
      - About the Notifications for the IAM Key
    - Prerequisites
    - Procedure
    - Configure a Cisco-Managed S3 Bucket
    - Rotate Keys on a Cisco-Managed S3 Bucket
    - Get the S3 Bucket Data Path
      - Sample S3 Bucket Data Path
    - Verify Your Access to an S3 Bucket
      - Download Files From the S3 Bucket Locally
        
        Sample Command
        
        Best Practices: Download Files From the S3 Bucket
  - Change the Location of Event Data Logs
    - Implications When You Change Data Warehouse Locations
    - Log Retention
    - Prerequisites
    - Procedure
  - Stop Logging
    - Prerequisites
    - Procedure
  - Delete Logs
    - Prerequisites
    - Procedure
  - Log Formats and Versioning
    - Log File Name Formats
      - Find Your Log Schema Version
        
        View Your Log Schema Version and Last Sync Time
      - Include Headers
      - Log File Fields
      - Estimate the Size of a Log
      - Estimate the Size of an Exported Report
    - Reports and CSV Formats
      - Activity Search Report
        
        Zero Trust Access Activity Search Fields
      - Top Categories Report
      - Top Destinations Report
      - Top Resources Report
    - Admin Audit Log Formats
    - Cloud Firewall Log Formats
    - Data Loss Prevention (DLP) Log Formats
    - DNS Log Formats
    - File Events Log Formats
    - IPS Log Formats
    - Remote Access VPN Log Formats
    - Web Log Formats
    - Zero Trust Access Log Formats
    - Zero Trust Access Flow Log Formats
    - Zero Trust Access Enrollment Log Formats
- Manage API Keys
  - Add Secure Access API Keys
    - Prerequisites
    - Add API Key
    - Refresh API Key
    - Update API Key
    - Delete API Key
  - Add KeyAdmin API Keys
    - Use Cases
    - Prerequisites
    - Add KeyAdmin API Key
    - Refresh KeyAdmin API Key
    - Update KeyAdmin API Key
    - Delete KeyAdmin API Key
- Manage Accounts
  - Add a New Account
    - Prerequisites
    - Procedure
  - Edit Account Settings
    - Prerequisites
    - Procedure
  - Delete an Account
    - Prerequisites
    - Procedure
  - Hide Sources with De-identification
    - Prerequisites
    - Source Types
    - Enable De-identification
    - Disable De-identification
    - Limitations
DNS Forwarders
- Get Started with Virtual Appliances
  - Supported Deployments
  - How Secure Access Virtual Appliances Work
  - Virtual Appliances and Granular Identity Information
    - Without Virtual Appliances
    - With Virtual Appliances
  - Active Directory Integration
  - Configure Granular Rules
  - Prerequisites for Virtual Appliances
    - Endpoint Software
    - Virtual Appliance Requirements
    - Networking Requirements
      - Allow Connections to Various Domains and Services
      - Network Time Protocol Servers
      - Intrusion Protection Systems (IPS) and Deep Packet Inspection (DPI)
      - Network Address Translation (NAT)
    - Encrypting Traffic with DNSCrypt
  - Virtual Appliance Deployment Guidelines
    - Deploy Virtual Appliances in Pairs
    - Multiple DNS Egresses
    - Single DNS Egress
    - Double NAT
  - Virtual Appliance Sizing Guide
    - High-Traffic Sites and Virtual Appliances
    - AD Connector Sizing Guidelines
    - Deployment Considerations
      - Overall Latency
      - Number of Secure Access Sites
      - Number of Users for a VA
- Manage VAs in Secure Access
  - Configure Authentication for Virtual Appliances
    - How to Set Up Your API Credentials
    - Procedure
      - Step 1 – Create the Key Admin API Key Credentials
      - Step 2 – Add the Key Admin API Key Credentials
    - Refresh Client API Key and Secret
    - Reset Client API Key
  - Manage DNS Forwarders
    - Procedure
      - View the DNS Forwarders
      - Sync the Configuration Settings to Deployed VAs
      - Edit a Site
      - Upgrade a Virtual Appliance
      - Reset Password
      - Delete a Virtual Appliance
  - Manage Site for Virtual Appliance
    - Procedure
      - Add a Site
      - Select a Site
      - Rename a Site
      - Delete a Site
  - Configure Updates for Virtual Appliances
    - How Secure Access Updates Your Virtual Appliance
    - Procedure
      - Configure Automatic Updates of Virtual Appliances
      - Manually Configure Update of a Virtual Appliance
      - Postpone Updates to Virtual Appliances
- Deploy Virtual Appliances
  - Guidelines
  - Deploy the Secure Access Virtual Appliances
  - Deploy VAs in Hyper-V for Windows 2012 or Higher
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Download and Extract the Hyper-V Installer
      - Step 2 – Import the Virtual Appliance
      - Step 3 – Copy and Rename Image Files
      - Step 4 – Select Network Adapter
      - Step 5 – Select Hard Drive
      - Step 6 – Power on the Virtual Machine
      - Step 7 – Repeat for the Second Virtual Appliance
  - Deploy VAs in VMware
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Download OVF Template
      - Step 2 – Deploy OVF Template
      - Step 3 – Deploy a Second Virtual Appliance
      - Step 4 – Power on the Virtual Machines
  - Deploy VAs in Microsoft Azure
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Before You Begin
    - Procedure
      - Step 1 – Prepare the Virtual Appliance Image on Azure
      - Step 2 – Launch the Virtual Appliance on Azure
  - Deploy VAs in Amazon Web Services
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Prepare the Virtual Appliance Amazon Machine Image
      - Step 2 – Launch the Virtual Appliance on Amazon Web Services
  - Deploy VAs in Google Cloud Platform
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Prepare the Virtual Appliance Instance Template on GCP
      - Step 2 – Launch the Virtual Appliance on Google Cloud Platform
  - Deploy VAs in KVM
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Step 1 – Create the qcow2 files for KVM
      - Step 2 – Launch the Virtual Appliance on KVM
  - Deploy VAs in Nutanix
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
  - Deploy VAs in Alibaba Cloud
    - Prerequisites
      - Configure Authentication for the Virtual Appliances
    - Procedure
      - Download and Extract the Hyper-V Installer
      - Alibaba Cloud Setup
      - Procedural Overview
      - Create an Alibaba Virtual Private Cloud (VPC)
      - Create a Bucket for the Secure Access VAs
      - Configure a ZIP Package Decompression Rule
      - Upload the Secure Access VHD Images to the OSS Bucket
    - Create a Custom Image
    - Deploy the Secure Access VAs from the Imported Custom Image
      - What's Next
    - First-time Login to Secure Access VA
      - Related Topics
        
        Dual-NIC Support on the VA
      - IP Addressing
        
        General Guidelines
        
        Support for IPv6 Addressing
      - Anycast Configuration Support
      - DNS Performance on Alibaba ECS Instances
      - Extensions on Alibaba ECS Instances
- Configure Virtual Appliances
  - Prerequisites
  - Enter Configuration Mode on a VA Deployed on VMware, Hyper-V, or KVM
  - Enter Configuration Mode on a VA Deployed in Azure, AWS, or Google Cloud Platform
  - Configure the VA Through Configuration Mode
  - Configure a Second VA
  - Configure Settings on VAs
    - Prerequisites
    - Configure Rate Limiting
      - Enable Rate Limits on a VA
      - Disable Rate Limiting
      - Check Status and Packet Drops
    - Configure NTP Servers
      - Add NTP Servers to the VA
      - Remove NTP Servers
      - View the VA's Current NTP Servers
    - Configure Secure Access Resolvers
      - Use the IPv4 Secure Access DNS Resolvers
      - Use the Alternate Secure Access DNS Resolvers
      - Use the IPv6 Secure Access DNS Resolvers
      - Use the US-Only IPv4 Secure Access DNS Resolvers
      - Use the US-Only IPv6 Secure Access DNS Resolvers
      - Use the Saudi Arabia-Only IPv4 Secure Access DNS Resolvers
      - Use the Saudi Arabia-Only IPv6 Secure Access DNS Resolvers
    - Configure DNSSEC Support
      - Configure VA to Preserve the DO Bit
      - Turn Off the DO Bit
    - Configure Logging to Remote Syslog Server
      - Configure the Destination of the Remote Syslog Server
      - Configure Log Export Internal DNS
      - Configure Log Export Enable Health
      - Configure Log Export Enable Admin
      - Configure Log Export Enable All
      - Configure Log Export Status
      - Turn Off Logging
    - Configure Dual-NIC Support on the VA
      - Configure an Existing VA to Support Dual-NIC
      - Deploy a New VA to Support Dual-NIC DMZ Mode
    - Configure Anycast
      - Configure Anycast over BGP on the VA
      - Configure Load Balancing
        
        Add a Load Balancer
        
        Remove a Load Balancer
      - Configure Identity Association Timeouts
      - Configure API Key Credentials for Authentication
        
        Configure the Client ID and Client Secret
- Local DNS Forwarding
  - Manage Domains in the VA
    - Which domains should be added?
    - (Optional) Add A and PTR Records for the VAs
  - Configure Local DNS Servers on the VA
    - Examples
- Test Virtual Appliance Deployments
  - Prerequisites
  - Resolve Public and Local DNS Queries
    - Test with Endpoints
    - Transition Production Traffic
- SNMP Monitoring for Virtual Appliances
  - Enable SNMP Monitoring
    - SNMPv2.x
    - SNMPv3
    - Privacy Password
    - Configure SNMP in Secure Access Virtual Appliance
    - SNMP Command Syntax
  - About SNMP Monitoring
  - Standard OIDs Supported by the Virtual Appliance
  - Extended OIDs Supported by the Virtual Appliance
- Troubleshoot Virtual Appliances
  - Prerequisites
  - Reset a Virtual Appliance's Password
  - Use Configuration Mode to Troubleshoot
  - Troubleshoot Intermittent DNS Resolution Failures on a VA Deployed on Azure
  - Troubleshoot DNS Resolution in Configuration Mode
  - Troubleshoot DNS Resolution Failures Behind a Firewall
Experience Insights
- About Experience Insights
- Onboard Experience Insights
- Cisco AI Assistant for Experience Insights
  - How to Use the Cisco AI Assistant in Experience Insights
  - Prompt examples
  - Contextual Conversations
- ThousandEyes Account Management in Experience Insights
  - Edit Default Test Target
  - Register ThousandEyes Agents
- Experience Insights Overview
  - Endpoint List
- Wi-Fi Descriptions
- View SaaS Application Performance
- View User Dashboard
  - Procedure
- About Endpoint Agent Tests
  - Manage endpoint tests in Secure Access
    - Endpoint license usage
    - Endpoint tests
    - Default Endpoint tests
  - Manage endpoint agents and tests in ThousandEyes
  - Limitations
  - Estimate Peak Traffic to Custom Targets for Default Endpoint Tests
    - Calculate Estimated Peak Throughput of Test Traffic
    - Mitigation Strategies
    - Recovery Options
  - Create HTTP Server Tests
    - Procedure
  - Create Network Tests
    - Procedure
  - View HTTP Server Test Results
    - Procedure
      - View HTTP Test Results for a Specific Endpoint
  - View Network Test Results
Reports
- Monitor Secure Access with Reports
  - Available Reports
  - Export Report Data to CSV
    - Procedure
  - Bookmark and Share Reports
    - Procedure
  - Report Search Window and Retention
    - Report Search Window
    - Report Retention
  - Report Scheduling
  - Schedule a Report
    - Procedure
      - Check Your Spam Folder
      - Unsubscribe From a Report
  - Update a Scheduled Report
    - Procedure
- Remote Access Log Report
  - View the Remote Access Log Report
    - View Event Details
  - View Zero Trust Access Events in the Remote Access Log
    - View Zero Trust Access Enrollment Logging Event Details
- Activity Search Report
  - View and Customize the Activity Search Report
    - View the Activity Search Report
    - Customize the Activity Search Report
    - Save Activity Search Report columns and filters for future use
    - Customize and Manage Saved Searches
  - View Firewall Events in Activity Search Report
    - Filter the Report by Firewall Requests
  - View Web Events in Activity Search Report
    - Filter the Report by Web Requests
  - View Zero Trust Events in Activity Search Report
    - Procedure
      - Event Details
      - Access Details
      - Block Details
      - Endpoint Details
  - View AI Semantic Inspection Events in Activity Search Report
    - Filter the Report by Semantic Inspection for MCP Servers
  - View Activity Search Report Actions
    - See Full Details
    - Filter Views
  - Schedule an Activity Search Report
  - Use Search and Advanced Search
    - Search
    - Wildcards
      - Domains
      - URLs
      - File Names
    - Advanced Search
    - Inline Column Filtering
- Security Activity Report
  - View Activity and Details by Filters
    - Procedure
  - View Activity and Details by Event Type or Security Category
    - Procedure
      - Group Security Categories
  - View an Event's Details
    - Procedure
  - Search for Security Activity
    - Prerequisites
    - Procedure
      - Advanced Search
- Total Requests Report
  - View Trends in the Total Requests Report
- Activity Volume Report
  - View Requests by Volume of Activity
  - View Activity Volume by Threat Categories
    - Prevent
    - Contain
  - View Activity Volume by Policy Traffic
  - View Trends
- App Discovery Report
  - View the App Discovery Report
    - View the App Discovery Report
  - View the Highest Risk Apps
    - Procedure
  - Review Apps in the Apps Grid
    - Procedure
    - Configure Columns to Display
    - Change the Label of an App
  - View App Details
    - Procedure
  - Change App Details
    - Change the Risk Score for an App
    - Change the Label of an App
  - Control Apps
    - Procedure
    - Control Application Lists
  - Control Advanced Apps
    - Procedure
  - View Traffic Data Through SWG Service
    - View Traffic
    - View Traffic in the Apps Grid
    - View Traffic in the App Details
- Top Destinations Report
  - View the Top Destinations Report
  - View Further Details
  - Destination Details
    - View the Destination Details
    - View the Request Traffic
      - View Requests by Blocked or Allowed
      - View Requests Through Global Traffic %
    - View the Access and Policy Details
    - View Recent Activity
    - View the Most Visited URL Paths
- Top Categories Report
  - View the Top Categories Report
  - Top Categories Quick View
  - View Category in Other Reports
  - Category Details
    - View a Category's Details Overview
    - View a Category's Traffic
      - View the Activity Breakdown
      - View the Traffic Bandwidth
    - View a Category's Identities
    - View the Category's Top Domains
- Third-Party Apps Report
  - View the Third-Party Apps Report
  - Search the Third-Party Apps Report
  - Export the Third-Party Apps Report
  - View App Details
    - Procedure
- Cloud Malware Report
  - View the Cloud Malware Report
  - Use the Cloud Malware Report
    - View Detailed Information About a File
    - Quarantine a Malicious File
    - Restore a Quarantined File
    - Delete a Malicious File
    - Dismiss an Item from the Report
    - Export a Cloud Malware Report
- Data Loss Prevention Report
  - View Events
    - View Event Details
    - Delete File
    - Quarantine File
    - Restore File from Quarantine
    - Use Advanced Search
  - Discovery
    - View a Discovery Scan
- Admin Audit Log Report
  - Generate Admin Audit Log Report
  - Export Admin Audit Log Report to an S3 Bucket
    - Procedure
- AI Supply Chain Report
- AI Semantic Inspection Report
  - View the AI Semantic Inspection Report
- Network Connectivity Log
- Monitor Secure Access with Alert Rules
  - Monitor Alerts from Secure Access
  - Manage Alert Rules
  - Add and Edit Alert Rules for Tunnel Connectivity
  - Add and Edit Alert Rules for API Anomalies
  - Add and Edit User Access Alerts
  - Investigate Alerts
- Events Report
  - Key Features of Events Report
  - View Events Report
  - Event Type Specific Details
  - Filtering and Search Options
  - Known Limitations
    - Data Retrieval Limit (10,000 Offset)
    - Understanding Data Availability (Missing Fields)
    - Protocol-Specific Correlation Behaviors
    - Current Feature Gaps (vs. Activity Search)
    - Known Issues and Ongoing Enhancements
Cisco Secure Client
- Cisco Secure Client Overview
- Get Started and Manage Client-based Zero Trust Access from Mobile Devices
  - Set up the Zero Trust Access App for iOS Devices
    - Guidelines and Limitations
    - Configure Settings in Cisco Secure Access
    - Install the App
    - Have End Users Enroll in Zero Trust Access
    - Notes for administrators
  - Set up the Zero Trust Access App for Android Devices
    - Configure Cisco Secure Access
    - Install the App
    - Notes for administrators
  - Set up the Zero Trust Access App for Android on Samsung Devices
    - Configure Cisco Secure Access
    - Install the App
    - (Optional) Set up the Android device for Zero Trust Access using MDM
      - Add the app to MDM
      - Set up the App on the Samsung Device
    - Enroll the Device in Zero Trust Access
    - Notes for administrators
  - Monitor and Troubleshoot the Zero Trust Access App from Mobile Devices
    - Troubleshoot iOS Devices
    - Troubleshoot Samsung Devices Running Android OS
    - Troubleshoot access issues
- Get Started with Cisco Secure Client on Windows and macOS Devices
  - Windows and macOS Prerequisites
  - Download and Install Cisco Secure Client
    - Step 1 - Navigate to the Download Cisco Secure Client window
    - Step 2 - Download Cisco Secure Client
      - Download the latest version of Secure Client from Secure Access
      - Download the cloud-managed version of Secure Client
      - Download a previous version of Secure Client from Cisco Secure Central
    - Step 3 - Download configuration files
    - Step 4 - Install Secure Client
    - ThousandEyes Endpoint Agent Module
  - Download the OrgInfo.json File
    - Procedure
  - Manual Installation of Cisco Secure Client (Windows and macOS)
  - Mass Deployment Overview
    - Customization Options
  - Mass Deployment (Windows)
  - Customize Windows Installation of Cisco Secure Client
    - Procedure
      - Deploy the Cisco Secure Client VPN Module
      - Deploy the Cisco Secure Client Umbrella Roaming Security Module
      - (Optional) Deploy Cisco Secure Client DART
      - Hide Cisco Secure Client Modules from Add/Remove Programs List
    - Optional OrgInfo.json Parameter Configurations
  - Mass Deployment (macOS)
  - Customize macOS Installation of Cisco Secure Client
    - Step 1 – Make the .dmg Package Writeable
    - Step 2 – Generate the Module Installation Configuration File
    - Step 3 – Copy OrgInfo.json to Cisco Secure Client Installation Directory
    - Step 4 – (Optional) Hide the VPN Module
    - Step 5 – Customize the Cisco Secure Client Installation Modules
    - Sample Customization
    - Step 6 – Set Up the Correct Extension Permission Settings
    - Step 7 – Install Secure Client with Selected Modules
  - VPN Headend Deployment
  - Secure Firewall Management Center and Secure Firewall Threat Defense
    - Prerequisites to provision the Umbrella Module
    - Procedure to enable Secure Client Umbrella Module in Management Center and Threat Defense
    - (OPTIONAL) VPN Local Authentication (Management Center 7.0 or later required)
  - Meraki Systems Manager (SM) Deployment
  - Migration from Seucre Access Roaming Client
  - Install the Root Certificate for All Browsers
    - Inspect and Decrypt HTTPS Traffic
    - Render Block and Warn Pages
  - Cloud Management
    - Deploying Cisco Secure Client
    - Profiles
    - Uploading the Orginfo.json profile
    - Create a Deployment
    - Post Deployment
      - Additional Reference
  - Additional References
  - Remote Monitoring and Management Deployment Tutorials
  - Manage Device Deployment
    - Prerequisites for Device Deployment Management
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
- Manage Zero Trust Access using Cisco Secure Client
  - 1. Install Cisco Secure Client
  - 2. Enroll in Zero Trust Access
  - Requirements for Secure Client with Zero Trust Access
  - Choose Zero Trust Access Enrollment Methods for Your Organization
    - Procedure
  - Enroll Devices in Zero Trust Access Using Certificates
    - Prerequisites
    - Step 1 - Enable certificate-based enrollment for your organization
    - Step 2 - Upload or choose a CA certificate
    - Step 3 - Download the enrollment configuration file
    - Step 4 - Install the enrollment configuration file on user devices
    - Step 5 - Enrollment occurs
    - Switch from SAML-based enrollment to Certificate-based enrollment
  - Enroll Devices in Zero Trust Access Using SSO Authentication
    - Prerequisites
    - Recommended: Use MFA Authentication and Biometric Identity
    - Procedure
  - Troubleshoot Client-Based Zero Trust Access
    - Pre-Enrollment Errors
    - Enrollment Errors
    - Post-Enrollment Errors
    - Requests to Reauthenticate
  - Unenroll a Device from Zero Trust Access
    - Unenroll from the user endpoint device (for enrollments using SSO Authentication only)
- Manage Virtual Private Networks on Cisco Secure Client
  - Prerequisites
  - Download the Virtual Private Network XML Profile
    - Prerequisites
    - Procedure
      - Step 1 – Download the Cisco Secure Client VPN Profile
      - Step 2 – Copy the VPN Profile to the Target Directory
  - CA Certificates for VPN Connections
- Manage Internet Security on Cisco Secure Client
  - Umbrella Roaming Security Module Requirements
    - System Requirements
    - Network Requirements
    - Transport Layer Security Protocol
    - Network Access
    - Roaming Security DNS Requirements
    - Internal Domains
  - Domain Management
    - Internal Domains List
    - DNS Suffixes
    - Operational Flow
    - Advanced Topics
  - Interpret Internet Security Diagnostics
    - Procedure
      - Generate the Diagnostic Report from the Cisco Secure Client
      - Generate the Diagnostic Report on the Command Line
  - DNS Protection Status
    - View DNS Protection Status
  - SWG Protection Status
    - Procedure
Managed iOS
- Cisco Security Connector: Secure Access Setup Guide
  - Requirements
    - Optionally
  - Getting Started
  - Quick Start
    - 1. Install the Cisco Security Connector App
    - 2. Add an Organization Administrator's Email Address
    - 3. Register Your iOS Device Through Your MDM to Secure Access
    - Unregister a Mobile Device
  - Manage Device Deployment
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
- Meraki Registration
  - Anonymization
  - Procedure
    - Verify Push of Profile Config
    - Anonymize Your Device
    - Verify Secure Access on Your Device
  - Verify Secure Access with Meraki
    - Procedure
      - Verify Local Operation on the iOS Device
      - Verify Secure Access
      - Verify Clarity
      - Upgrade the Cisco Security Connector
      - Uninstall the Cisco Security Connector
  - Meraki Documentation
- Register an iOS Device Through Apple Configurator 2
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your Device
- IBM MaaS360 Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Intune Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Jamf Registration
  - Prerequisites
  - Procedure
    - Alternate Configuration
    - Anonymization
    - Verify Secure Access on Your iOS Device
- MobileIron Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS device
  - MobileIron Configuration
    - MobileIron Procedure
    - MobileIron Cloud Configuration
    - MobileIron On-Prem Configuration
- MobiConnect Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Workspace ONE Registration
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify Secure Access on Your iOS Device
- Register an iOS Device Through a Generic MDM System
  - Anonymization
  - Prerequisites
  - Procedure
    - Verify That Your Device is Protected by Secure Access
- Apply an Access Policy to Your Mobile Device
  - Prerequisites
  - Procedure
- Anonymize Devices
  - Prerequisites
  - Procedure
- Export Device Data to CSV
  - Procedure
- Troubleshooting
  - Prerequisites
  - Generate Diagnostics and Email the Secure Access Reports
  - Generate Diagnostics and Share the Secure Access Reports
- Push the Cisco Root Certificate to Managed Devices
  - Prerequisites
  - Procedure
- Configure Cellular and Wifi Domains
  - Prerequisites
  - Procedure
- Configuring DNS Suffix Allow List
  - Prerequisites
  - Procedure
Managed Android
- Secure Access Module for Cisco Secure Client (Android OS)
  - Device Security
  - Prerequisites
  - Known Issues
- Deploy the Android Client
  - Android Configuration Download
    - Procedure
      - Fail Close/Open Scenario
  - Manage Device Deployment
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
  - Cisco Meraki MDM
    - Add App to Cisco Meraki
    - Add Configuration for App
    - Push the App to Devices
    - Push the Cisco Root Certificate
  - MobileIron MDM
    - Configure the App
    - Push the App
    - Push User Identities
    - Push the Cisco Root Certificate
  - VMware Workspace ONE
    - Create Always On VPN Profile
    - Add and Publish the Cisco Secure Client Application
  - Microsoft Intune MDM
    - Publish the Cisco Secure Client - AnyConnect App to Managed Android Devices
    - Configure Secure Access
    - Push User Identities
    - Push the Cisco Root Certificate
  - Samsung Knox MDM
    - Enroll Android Devices
    - Push the App
    - Set Managed Configuration
    - Create Profile in Knox Manage
    - Push User Identities
    - Push the Cisco Root Certificate
  - Push the Cisco Root Certificate to Devices
    - Procedure
- Manage Identities
  - Cisco Meraki Systems Manager
  - Microsoft Intune
  - Samsung Knox
  - VMWare WorkspaceOne
  - Access User Identities on the Secure Access Dashboard
- Export Device Data to CSV
  - Procedure
- Troubleshooting
  - First Launch of App
  - Is this a VPN to Secure Access?
  - An Internal Site Isn't Loading
  - Configuration Issues
  - Check for VPN Connection and Policy
  - Check Block Page
  - Get the Android ID
  - Fail Close/Open Scenario
  - Check Device Registration
  - Missing CA Certificate
  - Org ID on Policy Page is 0
  - App Installation is Blocked
  - Offboarding Users
  - Known Issues
- Frequently Asked Questions
Unmanaged Mobile Device Protection
- Unmanaged Mobile Device Protection
- Administrator Actions
  - Procedure
- End-user Actions
  - Android
    - Registration and Activation
  - iOS
    - Registration and Activation
Integrations
- Manage Third-Party Integrations
  - Chrome Enterprise Browser
    - Procedure
  - Microsoft Intune Third-Party Integration
    - Configure the Microsoft Intune Third-Party Integration
  - Jamf Pro Third-Party Integration
    - Configure the Jamf Pro Third-Party Integration
- Integrate ISE (Identity Services Engine) with Secure Access
  - Solution Overview
  - Components and Prerequisites
  - Solution Workflow
  - Connect Cisco ISE and Cisco pxGrid Cloud
    - Cisco pxGrid Cloud Terminology
    - Cisco pxGrid Cloud and Cisco ISE Integration Workflows
  - Enable Cisco Security Cloud Exchange
  - Integrate Cisco ISE with Secure Access
  - Verify and Monitor Context Sharing
    - Verify Context Sharing in Secure Access
    - Activity Search in Secure Access
- Integrate Catalyst SD-WAN with Secure Access
  - Solution Overview
  - Components and Prerequisites
  - Solution Workflow
    - Related Information
  - Configure Context Sharing Between Catalyst SD-WAN and Secure Access
    - Generate API Key Pair for Context Sharing
    - Create Cisco Secure Access Credentials
    - Add Secure Service Edge (SSE) Policy Group
    - Enable Context Sharing
  - Verify and Monitor Context Sharing
    - Verify Context Sharing in Secure Access
    - Monitor Context Sharing in SD-WAN Manager
    - Monitor Secure Access Tunnels using the CLI
    - Activity Search in Secure Access
- Integrate Cisco Identity Intelligence with Secure Access
  - Configure a New Cisco Identity Intelligence Tenant with Secure Access
  - Configure an Existing Cisco Identity Intelligence Tenant with Secure Access
  - After Integrating Cisco Identity Intelligence
Cisco Security for Chromebook Client
- About Cisco Security for Chromebooks
  - Key benefits
- Prerequisites for Cisco Security for Chromebooks Client
- Limitations for Cisco Security for Chromebooks
- Integrate the Google Workspace Identity Service
  - Limitations
  - Procedure
- Deploy the Cisco Security for Chromebooks Client
  - About DNS-Layer Protection
  - About SWG-Layer Protection
  - High-Level Steps for Deploying Cisco Security for Chromebook Client
  - Step 1
  - Step 2
  - Bypass Internal Domains from DNS-over-HTTPS (DoH)
    - Procedure
      - Verification
  - Enable Reporting for Private IP Address of Chromebook Device
    - Procedure
  - Verify Cisco Security for Chromebooks Client Deployment
    - Procedure
  - Export Device Data to CSV
    - Procedure
  - Manage Device Deployment
    - Add and Activate Deployment Key
    - Manage Deployment Key Compromise
    - Delete a Deployment Key
    - Reverting to Using Legacy Deployment Implementation
    - Backward Compatibility
  - Troubleshoot Cisco Security for Chromebooks Client Deployment
- View Protection Status of Chromebook Devices
  - Procedure
- Add Policies to a Chromebook Device
  - Procedure
- Cisco Security for Chromebooks Client FAQ
- Google Workspace Identity Service FAQ

Cisco Secure Access Help Get Started With Private Access Rules Troubleshoot Private Access Rules Problems After Creating a Rule Traffic is unexpectedly allowed

Last updated: Nov 17, 2025

Previous topic Traffic is unexpectedly blocked Next topic Rule does not match traffic as expected