Login

Cisco Multicloud Defense User Guide

Multicloud Defense User Guide
- About Multicloud Defense
  - About Multicloud Defense
    - Multicloud Defense Naming Conventions
    - Supported Regions
    - Recommended Versions of Multicloud Defense Components
      - Third Party Product Support and Versioning
    - Multicloud Defense in Cisco Security Cloud Control
  - Multicloud Defense Components
  - Multicloud Defense Controller Dashboard
    - My Profile Information
  - Multicloud Defense 90-Day Free Trial
Setup with the Multicloud Defense Wizard
- Setup with the Multicloud Defense Wizard
  - Connect Cloud Account
    - Connect An AWS Account
    - Connect Azure Account
    - Connect Google Cloud Platform Account
    - Connect to an OCI Account
      - Prepare Your OCI Account
      - Connect Oracle Account
  - Enable Traffic Visibility
    - Enable Traffic for an AWS Account
    - Enable Traffic for an Azure Account
    - Enable Traffic for a GCP Project
  - Secure Your Account
    - Centralized Model: Add a VPC or VNet
    - Distributed Model
      - Azure Distributed Model: Create a Gateway
Account Onboarding
- AWS
  - AWS Overview
  - Connect AWS Account to Multicloud Defense Controller from the Multicloud Defense Dashboard
    - CloudFormation Outputs
    - Roles Created by Multicloud Defense
      - MCDControllerRole
      - MCDGatewayRole
      - MCDInventoryRole
      - InventoryMonitorRule
- Azure
  - Prepare Your Azure Account
    - Register Application in Microsoft Entra ID
    - Create a custom role to assign to the Application
    - Connect an Azure Subscription to the Multicloud Defense Controller from the Multicloud Defense Dashboard
    - Accept Marketplace Terms
  - Connect an Azure Subscription to the Multicloud Defense Controller from the Multicloud Defense Dashboard
    - VNet Route Tables for your Azure Subscription
    - Roles Created by Multicloud Defense
      - Azure IAM Roles
  - Post-Onboarding Procedures
    - Azure VNet Setup
      - Subnets
      - Security Groups
      - Launch ARM Template
- GCP
  - GCP Overview
    - Overview of Creating a GCP Controller Service Account
    - Create a GCP Firewall Service Account
  - Connect a GCP Project to the Multicloud Defense Controller from the Multicloud Defense Dashboard
    - Roles Created by Multicloud Defense
      - GCP IAM Roles
- OCI
  - Prepare Your OCI Account
  - Connect the Oracle OCI Tenant to the Multicloud Defense Controller from the Multicloud Defense Dashboard
- Remove a Cloud Service Provider From Multicloud Defense
  - Delete a GCP Project From Multicloud Defense
  - Delete an AWS Account From Multicloud Defense
  - Delete an Azure Account From Multicloud Defense
  - Delete an OCI Account From Multicloud Defense
Secure Your AI Assets with AI Defense
- AI Defense
  - AI Defense Integration with Multicloud Defense
Discovery
- Asset and Inventory Discovery
  - Discovery Summary
  - Inventory
    - Applications
    - Discovered Assets
    - Enable Asset Discovery and Inventory
  - Security Insights
    - Types of Security Insights
      - Security Groups
      - Application Security Groups
      - Network ACL
      - Subnets
      - Route Tables
      - Network Interfaces
      - VPCs\VNets
      - Applications
      - Load Balancers
      - Instances
      - Tags
      - Certificates
      - Topology
      - Insights
  - Rules and Findings
    - Rules and Findings
    - Pre-Defined Rules
    - Custom Rules
    - Findings
Multicloud Defense Gateway
- The Multicloud Defense Gateway and Service VPCs or VNets
  - Supported Gateway Use Cases
    - Secure Firewall Threat Defense Virtual
    - Multicloud Defense Egress Gateways
    - Multicloud Defense Ingress Gateways
    - Multicloud Defense East-West Gateways
    - Multicloud Defense Distributed Gateways
    - Gateways Deployed in Centralized / Hub Mode
    - Advanced Gateway Configuration: Use Your Own Load Balancer
  - Configure Service VPCs and Service VNets
    - Create a Service VPC or VNet
    - Secure Spoke VPC or VNet
      - Manage the Service VPC/VNet
      - Export a Spoke VPC or VNet
      - Delete a Spoke VPC or Vnet
  - Configure Your Gateway
    - Before You Begin
      - Resources Created by Multicloud Defense
    - Add a Multicloud Defense Gateway
    - Create an FTDv Gateway
    - Edit a Multicloud Defense Gateway
    - Upgrade the Multicloud Defense Gateway
    - Upgrade Your Threat Defense Virtual Device
    - Abort a Multicloud Defense Gateway
    - Enable a Multicloud Defense Gateway
    - Disable a Multicloud Defense Gateway
    - Export a Multicloud Defense Gateway
    - Delete a Multicloud Defense Gateway
    - Protect Multiple Servers with Ingress Gateways
- Site-to-Site VPN Tunnel Connection
  - Prerequisites and Limitations for Site-to-Site VPN Tunnels
  - Enable VPN Within the Gateway
  - Create a Site-to-Site VPN Connection
  - Edit a Site-to-Site VPN Tunnel
  - Clone a Site-2-Site VPN Tunnel Connection
  - Delete a VPN Tunnel Connection
- Bring Your Own VPC into Multicloud Defense
  - Bring Your Own VPC
  - Guidelines to Configure Bring Your Own VPC
  - Bring Your Own VPC Into Multicloud Defense
  - Deploy the Multicloud Defense Gateway
  - Protect Egress Forwarding Proxy for Subnets
  - Troubleshooting For Bring Your Own VPC
- Configure a Virtual Network Connection for Azure Virtual WAN
  - Overview of Virtual WAN
  - Guidelines for Virtual WAN Connections to Azure vHub
  - Create Service VPC with Virtual WAN Attachment
  - Modify Service VPC with Virtual WAN Attachment
Security Policies
- Policy Objects
  - Objects Overview
  - How to Tag Object Resources
  - Add a Tagged Object to a Policy
  - Address Objects
    - Address Objects
      - Src/Dest
        
        Dynamic Cloud Constructs
        
        Geo IP
        
        Group
        
        Source or Destination Address Object Parameters
      - Reverse Proxy Target Address Object
        
        Reverse Proxy Target Address Object Parameters
      - System Objects
    - Create a Source/Destination Address Object
    - Create a Reverse Proxy Target Address Object
    - Edit Address Objects
    - Clone Address Objects
    - Delete Address Object
    - View Details
  - FQDN Objects
    - FQDN Match Object
      - Standalone vs. Group
      - Create Standalone FQDN Match Object
      - Create Group FQDN Match Object
      - Associate the Object
      - Block an FQDN Match Object
  - Service Objects
    - Reverse Proxy Service Object (Ingress)
    - Forward Proxy Service Object (Egress / East-West)
    - Forwarding Service Object (Egress / East-West)
- Rules and Rule Sets
  - Policy Management
    - Policy Rule Set Gateway and Management
  - Rules
  - Rule Sets and Rule Set Groups
    - Create Policy Rule Set
    - Create a Rule in a Rule Set
      - Add or Edit a Forwarding Rule in a Rule Set
      - Add or Edit a Reverse Proxy Rule in a Rule Set
      - Add or Edit a Forward Proxy Rule in a Rule Set
      - Disable, Edit, Clone, or Delete Rules in a Rule Set
    - Create a Policy Rule Set Group
- Objects
  - About the Multicloud Defense Connector
  - Import Objects From Security Cloud Control
- Address Objects
  - Address Objects
    - Src/Dest
      - Dynamic Cloud Constructs
      - Geo IP
      - Group
      - Source or Destination Address Object Parameters
    - Reverse Proxy Target Address Object
      - Reverse Proxy Target Address Object Parameters
    - System Objects
  - Create a Source/Destination Address Object
  - Create a Reverse Proxy Target Address Object
  - Edit Address Objects
  - Clone Address Objects
  - Delete Address Object
  - View Details
- FQDN Objects
  - FQDN Match Object
    - Standalone vs. Group
    - Create Standalone FQDN Match Object
    - Create Group FQDN Match Object
    - Associate the Object
    - Block an FQDN Match Object
- Service Objects
  - Reverse Proxy Service Object (Ingress)
  - Forward Proxy Service Object (Egress / East-West)
  - Forwarding Service Object (Egress / East-West)
- Certificates and Keys
  - Certificates and Keys
    - Import Certificate
    - AWS - KMS
    - AWS - Secrets Manager
    - Azure Key Vault
    - GCP - Secret Manager
  - Server Certificate Validation
    - Server Certificate Validation in the TLS Decryption Profile
    - Server Certificate Validation in the FQDN Service Object
    - Certificate for Custom Root CA
- Certificate and Keys Tech Notes
  - Generate a Self-Signed Root CA
  - Generate a Certificate Signed by your Self-Signed Root CA
  - Generate an Intermediate CA Signed by Your Root CA
  - App Certificate signed using the Intermediate CA
  - Install Root CA as Trusted CA on the Hosts
Traffic Discovery and Visiblilty
- Types of Traffic
  - Enable DNS Logs
    - AWS: Enable DNS Logs
    - GCP: Enable DNS Logs
    - Azure: DNS Logs
  - Enable VPC Flow Logs
    - AWS: Enable VPC Flow Logs
    - GCP: Enable VPC Flow Logs
    - Azure: Enable NSG Flow Logs
Profiles for Security and Gateway
- Security Profiles
  - Decryption Profile
    - Create a Decryption Profile
  - Network Intrusion (IDS/IPS) Profile
    - Create an IPS/IDS Profile
  - Data Loss Prevention (DLP) Profile
    - Create a Data Loss Prevention Profile
  - Anti-Malware Profile
    - Create an Anti-Malware Profile
  - Web Application Firewall (WAF) Profile
    - Create WAF Profile
      - Event Filtering
  - Layer 7 DOS
    - Create L7 DoS Profile
  - URL (Uniform Resource Locator) Filter Profile
    - Create the URL Filtering Profile
  - Fully Qualified Domain Name Filter Profile
    - Create a Standalone FQDN Filter Profile
    - Create a Group FQDN Filter Profile
  - Malicious IP Profile
    - Create a Malicious IP Profile
    - IP Reputation
  - (Preview Only) Identity Profile
    - Create an Identity Profile
  - (Preview Only) User Profile
    - Create a User Profile
  - AI Guardrails Profile
    - Create an AI Guardrails Profile
- Gateway Profiles
  - Packet Capture Profile
    - Create a Packet Capture Profile
  - Log Forwarding Profile
    - Create a Standalone Log Forwarding Profile
    - Create a Log Forwarding Group
  - Gateway Metrics Forwarding Profile
    - Create a Standalone Metrics Forwarding Profile
    - Create a Group Metrics Forwarding Profile
  - (Preview Only) Network Packet Broker Profile
    - Create Network Packet Broker Profile
  - Network Time Protocol Profile
    - Create a Profile
  - IPSec Profile
    - Create an IPSec Profile
  - BGP Profile
    - Create a BGP Profile
- Profile Actions
  - View a Profile Details
  - Edit a Standalone Metrics Forwarding Profile
  - Edit a Group Profile
  - Add a Gateway Association to a Profile
  - Remove a Gateway Association
  - Delete a Profile
- FQDN and URL Filtering Categories
  - FQDN / URL Filtering Categories
  - Malicious Categories
  - Full List of Categories
  - Associating a Filtering Profile with a Policy Ruleset Rule
  - Cisco Talos Intelligence URL / IP Lookup Tool
Investigate and Analysis
- Flow Analytics
  - Flow Analytics - Traffic Summary
  - Flow Analytics - All Events
    - Event Logs
  - Firewall Events
  - Network Threats
  - Web Attacks
  - URL Filtering
  - FQDN Filtering
  - HTTPS Logs
  - VPN Logs
  - EndUser Logs
  - HTTP2 Logs
  - AI Guardrails Logs
- Network Analytics
  - Stats
    - Total Bandwidth
    - CPU Usage
    - Memory Usage
    - Connection Rate
    - HTTP Request Rate
- System Status
  - Audit Logs
    - Search Filter
  - System Logs
    - Search Filter
Threat Research
- Threat Research
  - Network Intrusion
  - Web Protection
  - Malicious Sources
Cloud Visibility Reports
- Cloud Visibility Reports
  - Generate a Discovery Report
  - Generate a Threat And Cloud Analytics Report
Alerting and Log Forwarding
- Alerting Overview
  - Alert Services Overview
- Alert Destinations / SIEMs
  - Datadog
    - Create an Alert Profile Service
    - Create an Alert Rule
  - Microsoft Sentinel
    - Create an Alert Profile Service
    - Create an Alert Rule
  - PagerDuty
    - Create an Alert Profile Service
    - Create an Alert Rule
  - ServiceNow
    - Create an Alert Rule
    - Create an Alert Profile Service
  - Slack
    - Create a Slack Alert Rule
    - Create an Alert Profile Service
  - Microsoft Teams
    - Create a Microsoft Teams Alert Profile Service
    - Create a Microsoft Teams Service Rule
  - Webex
    - Create an Alert Profile Service
    - Create an Alert Rule
  - Splunk
    - Create a Splunk Profile Service
    - Create a Splunk Rule
- Log Forwarding Overview
  - Security Events and Traffic Logs
    - Create a Standalone Event or Traffic Log Profile
    - Edit a Standalone Event or Traffic Log Profile
    - Create a Group Event or Traffic Log Profile
    - Edit a Group Event or Traffic Log Profile
    - View an Event or Traffic Log Forwarding Profile
    - Delete an Event or Traffic Log Profile
  - Discovery Logs
    - Create a Standalone Discovery Log Profile
    - Edit a Standalone Discovery Log Profile
    - Create a Group Discovery Log Profile
    - Edit a Group Discovery Log Profile
    - View a Discovery Log Profile Details
    - Add a Discovery Log Profile with a Cloud Account
    - Remove a Discovery Log Profile from a Cloud Account
    - Delete a Discovery Log Profile
  - Gateway Metrics Forwarding Profile
    - Create a Standalone Metrics Forwarding Profile
    - Edit a Standalone Metrics Forwarding Profile
    - Create a Group Metrics Forwarding Profile
    - Edit a Group Profile
    - Delete a Metrics Forwarding Profile
  - Add an Event, Traffic Log Forwarding Profile, or Metrics Forward Profile to a Gateway
  - Remove an Event, Traffic Log Forwarding Profile, or Metrics Forward Profile from a Gateway
- Log Forwarding Destinations / SIEMs
  - AWS S3 Bucket
  - Datadog
  - GCP Logging
  - Microsoft Sentinel
  - Splunk
  - Sumo Logic
  - Syslogs
  - Webhook
Administration
- Management
  - Management
    - API Keys
      - Create an API Key in Multicloud Defense
      - Delete an API Key from Multicloud Defense
    - Account Level Settings
      - Application Tags
        
        Create an Application Tag
        
        Edit an Application Tag
        
        Delete an Application Tag
      - Custom Tags
        
        Create a Custom Tag
        
        Edit a Custom Tag
        
        Delete a Custom Tag
    - System
    - Metering
  - Alert Profiles
    - Services
      - Create a Service
      - Edit a Service
      - Clone a Service
      - Export a Service
      - Delete a Service
    - Alerts
      - Create an Alert
      - Edit an Alert
      - Clone an Alert
      - Export an Alert
      - Delete an Alert
Manage Your Multicloud Defense Account
- Manage Your Multicloud Defense Account
  - Account (Multicloud Defense Tenant)
  - User Roles in Security Cloud Control
    - Roles in Multicloud Defense
- Cloud Accounts
  - Cloud Accounts
    - Add Account
    - Manage Inventory
    - Edit a Cloud Account
    - Update Log Profile for a Cloud Account
    - Export a Cloud Account
    - Delete a Cloud Account
  - Inventory
Certificates and Awards
Troubleshoot Your Account
- Troubleshoot Connecting Your Account
  - Manually Onboard an Account
    - Manually Onboard a GCP Project
      - GCP Overview
      - Service Accounts
        
        Create Multicloud Defense Controller Service Account Using GCP Cloud Console
        
        Create a Multicloud Defense Firewall Service Account Using the GCP Cloud Console
      - Enable API
        
        Enable API-Using the GCP Cloud Console
      - VPC Setup
        
        VPC and Subnets
        
        Sample VPC and Subnets using CLI
        
        Network Tags (for GCP Gateways)
      - Gateway Creation
    - Manually Onboard an Azure Subscription
      - (Optional) User-assigned Managed Identity for Key Vault and Blob Storage access
      - Register Application in Microsoft Entra ID
      - Create a custom role to assign to the Application
        
        Required Values For Multicloud Defense Controller Onboarding
      - Accept Marketplace Terms
  - Graceful Termination of Connections
  - Terraform Onboarding Scripts for Cloud Accounts
    - About Terraform
    - Terraform Repository
    - Exporting Configuration as Terraform Block

Software Multicloud Defense

Activity Onboard

Security Policies Policy Objects FQDN Objects FQDN Match Object Block an FQDN Match Object

Last updated: Jul 03, 2025

Block an FQDN Match Object

After you define an FQDN object, you can perform actions such as block the FQDN object in a ruleset. Blocking of an FQDN match object is applicable for egress traffic (Forwarding or Forward Proxy service objects). To block an FQDN match object, you will need match the object in a reference rule.

Version 24.08 supports 6-tuple matching with FQDN. This means if you opt to have the first matching rule configured to block a FQDN match, two events are logged instead of one: the first event logged for the L4 Firewall is "Allow" and the second event logged for the FQDN object match is "Deny".

Procedure

1	In the Security Cloud Control platform menu, choose Products > Multicloud Defense .
2	Navigate to Manage > Security Policies > Rule Sets.
3	Perform the steps outlined in Add or Edit a Forward Proxy Rule in a Rule Set.
4	In the Action dropdown list, select Deny Log. This action will automatically drop the connection and deny the request.
5	Click Save after completion of the outlined steps.

Previous topic Associate the Object Next topic Service Objects