Login

Managing Secure Firewall ASA with Security Cloud Control

Introduction
- About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
- About Firewall in Security Cloud Control
- Managing Secure Firewall ASA with Security Cloud Control
- The Firewall Dashboard
Get Started
- About Security Cloud Control Licenses
  - Cloud-Delivered Firewall Management Center and Threat Defense Licenses
- Security Cloud Control Platform Maintenance Schedule
- Cloud-delivered Firewall Management Center Maintenance Schedule
- Manage Objects
  - Object Types
  - Shared Objects
  - Object Overrides
  - Unassociated Objects
  - Compare Objects
  - Filters
    - Object Filters
      - Configure Object Filters
      - When to Exclude a Device from Filter Criteria
  - Unignore Objects
  - Deleting Objects
    - Delete a Single Object
    - Delete a Group of Unused Objects
  - Network Objects
    - Create or Edit ASA Network Objects and Network Groups
      - Create an ASA Network Object
      - Create an ASA Network Group
      - Edit an ASA Network Object
      - Edit an ASA Network Group
      - Add Additional Values to a Shared Network Group in Security Cloud Control
      - Edit Additional Values in a Shared Network Group in Security Cloud Control
      - Deleting Network Objects and Groups in Security Cloud Control
  - Trustpoint Objects
    - Adding an Identity Certificate Object Using PKCS12
    - Creating a Self-Signed Identity Certificate Object
    - Adding an Identity Certificate Object for Certificate Signing Request (CSR)
    - Adding a Trusted CA Certificate Object
    - Self-Signed and CSR Certificate Generation Based on Certificate Contents
  - RA VPN Objects
  - Service Objects
    - Create and Edit ASA Service Objects
      - Create an ASA Service Group
      - Edit an ASA Service Object or Service Group
  - ASA Time Range Objects
    - Create an ASA Time Range Object
    - Edit an ASA Time Range Object
- Network Address Translation
- Order of Processing NAT Rules
- Network Address Translation Wizard
  - Create a NAT Rule by using the NAT Wizard
- Common Use Cases for NAT
  - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
  - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
  - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
    - NAT Incoming FTP Traffic to an FTP Server
    - NAT Incoming HTTP Traffic to an HTTP Server
    - NAT Incoming SMTP Traffic to an SMTP Server
  - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
    - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
  - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
    - Create a Twice NAT Rule
Manage Tenants and Users
- Manage a Security Cloud Control Tenant
  - Configure User Preferences
    - General Preferences
      - Change the Security Cloud Control Web Interface Appearance
    - User Notification Preferences
    - View Security Cloud Control Notifications
  - Tenant Settings
    - Enable Change Request Tracking
    - Prevent Cisco Support from Viewing your Tenant
    - Enable the Option to Auto-accept Device Changes
    - Default Conflict Detection Interval
    - Enable the Option to Schedule Automatic Deployments
    - Web Analytics
    - Share Event Data with Cisco Talos
    - Configure a Default Recurring Backup Schedule
    - Tenant ID
    - Tenant Name
    - Security Cloud Control Platform Navigator
  - Organization Notification Settings
    - Enable Email Subscribers
      - Add an Email Subscription
      - Edit Email Subscriptions
      - Delete an Email Subscription
    - Enable Service Integrations for Security Cloud Control Notifications
      - Incoming Webhooks for Webex Teams
      - Incoming Webhooks for Slack
      - Incoming Webhooks for a Custom Integration
  - Logging Settings
  - Integrate Your SAML Single Sign-On with Security Cloud Control
  - Renew SSO Certificate
  - My Tokens
  - API Tokens
    - API Token Format and Claims
    - Manage API-only Users for Firewall in Security Cloud Control
    - Token Management
      - Generate an API Token
      - Renew an API Token
      - Revoke an API Token
  - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
    - Login Workflow
    - Implications of this Architecture
      - Customers Who Use Cisco Security Cloud Sign On
      - Customers Who Have Their Own Identity Provider
      - Cisco Managed Service Providers
      - Related Topics
  - Manage Multi-Tenant Portal
    - Add a Tenant to a Multi-Tenant Portal
    - Delete a Tenant from a Multi-Tenant Portal
    - Manage-Tenant Portal Settings
      - Settings
      - Switch Tenant
  - The Cisco Success Network
- Manage Users in Security Cloud Control
  - Manage Super Admins on Your Tenant
  - View the User Records Associated with your Tenant
- Active Directory Groups in User Management
  - Prerequisites for Adding an Active Directory Group to Security Cloud Control
  - Add an Active Directory Group for User Management
  - Edit an Active Directory Group for User Management
  - Delete an Active Directory Group for User Management
- Create a New Security Cloud Control User
  - Create a Cisco Security Cloud Sign On Account for the New User
    - About Logging in to Security Cloud Control
    - Before You Log In
    - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
  - Create a User Record with Your Security Cloud Control Username
  - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
- User Roles in Security Cloud Control
  - Read-only Role
  - Edit-Only Role
  - Deploy-Only Role
  - VPN Sessions Manager Role
  - Admin Role
  - Super Admin Role
  - Change The Record of the User Role
- Add a User Account to Security Cloud Control
  - Create a User Record
  - Create API Only Users
- Edit a User Record for a User Role
  - Edit a User Role
- Delete a User Record for a User Role
  - Delete a User Record
Onboard Devices and Services
- Secure Device Connector
  - Connect Security Cloud Control to your Managed Devices
  - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
  - Deploy a Secure Device Connector On Your VM
  - Bootstrap a Secure Device Connector on the Deployed Host
  - Deploy a Secure Device Connector to vSphere Using Terraform
  - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
  - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
  - Change the IP Address of a Secure Device Connector
  - Remove a Secure Device Connector
  - Move an ASA from one SDC to Another
  - Rename a Secure Device Connector
  - Specify a Default Secure Device Connector
  - Update your Secure Device Connector
  - Using Multiple SDCs on a Single Security Cloud Control Tenant
  - Security Cloud Control Devices that Use the Same SDC
  - Open Source and Third-Party License in SDC
- Supported Devices, Software, and Hardware
  - ASA Support Specifics
  - Cloud Device Support Specifics
- Onboard ASA Devices
  - Onboard ASA Device to Security Cloud Control
  - Onboard a High Availability Pair of ASA Devices to Security Cloud Control
  - Onboard an ASA in Multi-Context Mode to Security Cloud Control
  - Onboard Multiple ASAs to Security Cloud Control
    - Pause and Resume Onboarding Multiple ASAs
  - Create and Import an ASA Model to Security Cloud Control
    - Import ASA Configuration
  - Import Configuration for Offline Device Management
  - Prerequisites for ASA and ASDM Upgrade in Security Cloud Control
  - Upgrade Bulk ASA and ASDM in Security Cloud Control
    - Upgrade Multiple ASAs with Images from your own Repository
  - Upgrade ASA and ASDM Images on a Single ASA
  - Upgrade ASA and ASDM Images in a High Availability Pair
    - Workflow
    - Upgrade ASA and ASDM Images in a High Availability Pair
  - Upgrade an ASA or ASDM Using Your Own Image
Manage Onboarded Device Settings
- Changing a Device's IP Address in Security Cloud Control
- Changing a Device's Name in Security Cloud Control
- Export a List of Devices and Services
- Export Device Configuration
- External Links for Devices
  - Create an External Link from your Device
  - Create an External Link to ASDM
  - Create an External Link for Multiple Devices
  - Edit or Delete External Links
  - Edit or Delete External Links for Multiple Devices
- Bulk Reconnect Devices to Security Cloud Control
- Moving Devices Between Tenants
- Device Certificate Expiry Detection
- Write a Device Note
- Delete a Device from Security Cloud Control
- Manage Security Devices
- About Security Devices Page
- Security Cloud Control Labels and Filtering
  - Applying Labels to Devices and Objects
  - Filters
- Use Security Cloud Control Search Functionality
  - Page Level Search
  - Global Search
    - Initiate Full Indexing
    - Perform a Global Search
Configuring ASA Devices
- Update ASA Connection Credentials in Security Cloud Control
  - Move an ASA from one SDC to Another
- ASA Interface Configuration
  - Configure an ASA Physical Interface
    - Configure IPv4 Addressing for ASA Physical Interface
    - Configure IPv6 Addressing for ASA Physical Interface
    - Configure Advanced ASA Physical Interface Options
    - Enable the ASA Physical Interface
  - Add an ASA VLAN Subinterface
    - Configure ASA VLAN Subinterfaces
    - Configure IPv4 Addressing for ASA Subinterface
    - Configure IPv6 Addressing for ASA Subinterface
    - Configure Advanced ASA Subinterface Options
    - Enable the Subinterface
    - Remove ASA Subinterface
  - About ASA EtherChannel Interfaces
    - Configure ASA EtherChannel
      - Edit ASA EtherChannel
      - Remove ASA EtherChannel Interface
- ASA System Settings Policy in Security Cloud Control
  - Create an ASA Shared System Settings Policy
    - Configure Basic DNS Settings
    - Configure HTTP Settings
    - Set the Date and Time Using an NTP Server
    - Configure SSH Access
    - Configure System Logging
    - Enable Sysopt Settings
    - Assign a Policy from the Shared System Settings Page
  - Configure or Modify Device Specific System Settings
    - Assign a Policy from Device-Specific Settings Page
  - Auto Assignment of ASA Devices to a Shared System Settings Policy
  - Filter ASA Shared System Settings Policy
  - Disassociate Devices from Shared System Settings Policy
  - Delete Shared Settings Policy
- ASA Routing in Security Cloud Control
  - About ASA Static Route
    - Configure ASA Static Route
    - Edit ASA Static Route
    - Delete a Static Route
- Manage Security Policies in Security Cloud Control
- Manage ASA Network Security Policy
  - About ASA Access Control Lists and Access Groups
  - Create an ASA Access List
  - Add a Rule to an ASA Access List
    - About System Log Activity
    - Deactivate Rules in an Access Control List
    - About Security Group Tags in ASA Policies
  - Assign Interfaces to ASA Access Control List
  - Create an ASA Global Access List
  - Improvements to the ASA Shared Policy Model
  - Share an ASA Access Control List with Multiple ASA Devices
  - Copy an ASA Access Control List to Another ASA
  - Copy a Rule Within or Across ASA Access Lists and Devices
  - Unshare a Shared ASA Access Control List
  - View ASA Access Policies Listing Page
  - Global Search of ASA Access Lists
  - Rename an ASA Access Control List
  - Delete a Rule from an ASA Access Control List
  - Delete an ASA Access Control List
- Compare ASA Network Policies
- Hit Rates
  - View Hit Rates of ASA Policies
- Search and Filter ASA Network Rules in the Access List
- Shadowed Rules
  - Find Network Policies with Shadowed Rules
  - Resolve Issues with Shadowed Rules
- Network Address Translation
- Order of Processing NAT Rules
- Network Address Translation Wizard
  - Create a NAT Rule by using the NAT Wizard
- Common Use Cases for NAT
  - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
  - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
  - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
    - NAT Incoming FTP Traffic to an FTP Server
    - NAT Incoming HTTP Traffic to an HTTP Server
    - NAT Incoming SMTP Traffic to an SMTP Server
  - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
    - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
  - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
    - Create a Twice NAT Rule
- API Tokens
- Manage ASA Certificates
  - Install ASA Certificates
  - Install an Identity Certificate Using PKCS12
  - Install a Certificate Using Self-Signed Enrollment
  - Manage a Certificate Signing Request (CSR)
    - Generate a CSR Request
    - Install a Signed Identity Certificate Issued by a Certificate Authority
  - Install a Trusted CA Certificate in ASA
  - Export an Identity Certificate
  - Edit an Installed Certificate
  - Delete an Existing Certificate from ASA
- ASA File Management
  - Upload File to a Single ASA Device
  - Upload File to Multiple ASA Devices
  - Remove Files from ASA
- Managing ASAs with Pre-existing High Availability Configuration
  - Configuration Changes Made to ASAs in Active-Active Failover Mode
- Manage ASA Configuration Files
  - View a Device's Configuration File
- Configure DNS on ASA
  - Procedure
- Security Cloud Control Command Line Interface
  - Using the Command Line Interface
  - Entering Commands in the Command Line Interface
  - Work with Command History
- Bulk Command Line Interface
  - Bulk CLI Interface
  - Send Commands in Bulk
  - Work with Bulk Command History
  - Work with Bulk Command Filters
    - By Response Filter
    - By Device Filter
- Command Line Interface Macros
  - Create a CLI Macro from a New Command
  - Create a CLI Macro from CLI History or from an Existing CLI Macro
  - Run a CLI Macro
  - Edit a CLI Macro
  - Delete a CLI Macro
- Configure ASA Using Security Cloud Control CLI
- Compare ASA Configurations Using Security Cloud Control
- ASA Bulk CLI Use Cases
  - Show all users in the running configuration of an ASA and then delete one of the users
  - Find all SNMP configurations on selected ASAs
- ASA Command Line Interface Documentation
- Export Security Cloud Control CLI Command Results
  - Export CLI Command Results
  - Export the Results of CLI Macros
  - Export the CLI Command History
  - Export the CLI Macro List
- Restore an ASA Configuration
  - Restore an ASA Configuration
  - Troubleshooting
- Manage Cisco IOS Device Configuration Files
  - View a Device's Configuration File
  - Edit a Complete Device Configuration File
    - Procedure
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Read Configuration Changes from an ASA to Security Cloud Control
    - Read Configuration Changes on ASA
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Configuration Changes from Security Cloud Control to ASA
    - About Deploying Configuration Changes
    - Deploy Configuration Changes Made Using the Security Cloud Control GUI
    - Schedule Automatic Deployments
    - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
    - Deploy Configuration Changes by Editing the Device Configuration
    - Deploy Configuration Changes for a Shared Object on Multiple Devices
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Managing Virtual Private Network in Security Cloud Control
- Introduction to Site-to-Site Virtual Private Network
  - Site-to-Site VPN Concepts
    - About Global IKE Policies
      - Managing IKEv1 Policies
      - Create an IKEv1 Policy
      - Managing IKEv2 Policies
      - Create an IKEv2 Policy
    - About IPsec Proposals
      - Managing an IKEv1 IPsec Proposal Object
        
        Create an IKEv1 IPsec Proposal Object
      - Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
    - Encryption and Hash Algorithms Used in VPN
  - Site-to-Site VPN Configuration for FDM-Managed
    - Create a Site-To-Site VPN Tunnel Between FDM-managed Devices
    - Configure Networking for Protected Traffic Between the Site-To-Site Peers
    - Edit an Existing Security Cloud Control Site-To-Site VPN
      - Delete a Security Cloud Control Site-To-Site VPN Tunnel
    - Exempt Site-to-Site VPN Traffic from NAT
    - Configure Static and Default Routes for FDM-Managed Devices
  - Site-to-Site VPN Configuration for Cloud-delivered Firewall Management Center-managed Threat Defense
    - Create a Site-to-Site VPN Tunnel Between Cloud-delivered Firewall Management Center-managed Threat Defense Devices
    - Create a Site-to-Site VPN Tunnel Between Cloud-delivered Firewall Management Center-Managed Threat Defense and Multicloud Defense
    - Create a Site-to-Site VPN Between Cloud-delivered Firewall Management Center-managed Threat Defense and Secure Firewall ASA
  - Site-to-Site VPN Configuration for Secure Firewall ASA
    - Create a Site-to-Site VPN Tunnel Between Secure Firewall ASA
    - Create a Site-to-Site VPN Between ASA and Multicloud Defense Gateway
    - Exempt Site-to-Site VPN Traffic from NAT
  - Monitor ASA Site-to-Site Virtual Private Networks
    - Check Site-to-Site VPN Tunnel Connectivity
    - Site-To-Site VPN Dashboard
    - Identify VPN Issues
      - Find VPN Tunnels with Missing Peers
      - Find VPN Peers with Encryption Key Issues
      - Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
      - Find Issues in Tunnel Configuration
      - Resolve Tunnel Configuration Issues
    - Search and Filter Site-to-Site VPN Tunnels
    - Onboard an Unmanaged Site-to-Site VPN Peer
    - View IKE Object Details of Site-To-Site VPN Tunnels
    - View Last Successful Site-to-Site VPN Tunnel Establishment Date
    - View Site-to-Site VPN Tunnel Information
      - Site-to-Site VPN Global View
      - Site-to-Site VPN Tunnels Pane
  - Delete a Security Cloud Control Site-To-Site VPN Tunnel
- Introduction to Remote Access Virtual Private Network
  - Configure Remote Access Virtual Private Network for ASA
    - End-to-End Remote Access VPN Configuration Process for ASA
      - Configure Identity Sources for ASA
        
        Determining the Directory Base DN
        
        RADIUS Servers and Groups
        
        Create an ASA Active Directory Realm Object
        
        Edit an ASA Active Directory Realm Object
        
        Create an ASA RADIUS Server Object or Group
        
        Create an ASA RADIUS Server Object
        
        Create an ASA RADIUS Server Group
        
        Edit an ASA Radius Server Object or Group
      - Create ASA Remote Access VPN Group Policies
        
        ASA Remote Access VPN Group Policy Attributes
      - Create ASA Remote Access VPN Configuration
        
        Modify ASA Remote Access VPN Configuration
      - Configure ASA Remote Access VPN Connection Profile
        
        Configure AAA for a Connection Profile
      - Manage AnyConnect Software Packages on ASA Devices
        
        Upload an AnyConnect Package from Security Cloud Control Repository
        
        Upload an AnyConnect Package to ASA from Server
        
        Upload new AnyConnect Packages to ASA
        
        Upload AnyConnect Packages using File Management Wizard
        
        Replace an AnyConnect Package
        
        Delete an AnyConnect Package
    - Manage and Deploy Pre-existing ASA Remote Access VPN Configuration
      - Device Settings
      - Connection Profile
      - Primary Identity Source
      - AAA Server Groups
      - RADIUS Server Group
      - RADIUS Server
      - Group Policy
    - Create IP Address Pool
    - Remote Access VPN Certificate-Based Authentication
    - Exempt Remote Access VPN Traffic from NAT
    - Install the AnyConnect Client Software on ASA
    - Modify ASA Remote Access VPN Configuration
    - Modify ASA Connection Profile
    - Upload RA VPN AnyConnect Client Profile
    - Verify ASA Remote Access VPN Configuration
    - View ASA Remote Access VPN Configuration Details
Manage Device Configuration
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Read Configuration Changes from an ASA to Security Cloud Control
    - Read Configuration Changes on ASA
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Configuration Changes from Security Cloud Control to ASA
    - About Deploying Configuration Changes
    - Deploy Configuration Changes Made Using the Security Cloud Control GUI
    - Schedule Automatic Deployments
    - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
    - Deploy Configuration Changes by Editing the Device Configuration
    - Deploy Configuration Changes for a Shared Object on Multiple Devices
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Monitoring and Reporting Change Logs, Workflows, and Jobs
- Manage Change Logs in Security Cloud Control
- Change Log Entries after Deploying to an ASA
- Change Log Entries After Reading Changes from an ASA
- View Change Log Differences
- Export the Change Log
  - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
- Change Request Management
  - Enable Change Request Management
  - Create a Change Request
  - Associate a Change Request with a Change Log Event
  - Search for Change Log Events with Change Requests
  - Search for a Change Request
  - Filter Change Requests
  - Clear the Change Request Toolbar
  - Clear a Change Request Associated with a Change Log Event
  - Delete a Change Request
  - Disable Change Request Management
  - Change Request Management Use Cases
- Monitor Jobs in Security Cloud Control
  - Reinitiate a Bulk Action
  - Cancel a Bulk Action
- Monitor Workflows in Security Cloud Control
Cisco Security Analytics and Logging
- About Security Analytics and Logging (SaaS) in Security Cloud Control
- Event Types in Security Cloud Control
- About Security Analytics and Logging (SAL SaaS) for the ASA
- Implementing Secure Logging Analytics (SaaS) for ASA Devices
- Send ASA Syslog Events to the Cisco Cloud using a Security Cloud Control Macro
  - Creating an ASA Security Analytics and Logging (SaaS) Macro
- Send ASA Syslog Events to the Cisco Cloud Using the Command Line Interface
  - Security Cloud Control Command Line Interface for ASA
  - Forward ASA Syslog Events to the Secure Event Connector
  - Send ASA Syslog Events to the Cisco Cloud Using CLI
  - Create a Custom Event List
  - Include the Device ID in Non-EMBLEM Format Syslog Messages
- NetFlow Secure Event Logging (NSEL) for ASA Devices
  - Configuring NSEL for ASA Devices by Using a Security Cloud Control Macro
    - Open the Configuring NSEL Macro
    - Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC
    - Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC
    - Define a Policy-Map for NSEL Events
    - Disable Redundant Syslog Messages
    - Review and Send the Macro
  - Delete NetFlow Secure Event Logging (NSEL) Configuration from an ASA
    - Open the DELETE-NSEL Macro
    - Enter the Values in the Macro to Complete the No Commands
  - Determine the Name of an ASA Global Policy
  - Troubleshooting NSEL Data Flows
    - Verify that NSEL Events are Being Sent to the SEC
    - Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC
    - Verify that NetFlow Packets are Being Received by the Cisco Cloud
    - Check for Live NSEL Events
    - Check for Historical NSEL Events
- Parsed ASA Syslog Events
- About Secure Event Connectors
- Installing Secure Event Connectors
  - Install a Secure Event Connector on an SDC Virtual Machine
  - Installing an SEC Using a Security Cloud Control Image
    - Install a Security Cloud Control Connector, to Support a Secure Event Connector, Using a Security Cloud Control VM Image
    - Install the Secure Event Connector on the Security Cloud Control Connector VM
  - Deploy Secure Event Connector on Ubuntu Virtual Machine
  - Install an SEC Using Your VM Image
    - Install a Security Cloud Control Connector to Support an SEC Using Your VM Image
    - Additional Configuration for SDCs and Security Cloud Control Connectors Installed on a VM You Created
    - Install the Secure Event Connector on your Security Cloud Control Connector Virtual Machine
  - Install a Secure Event Connector on an AWS VPC Using a Terraform Module
- Remove the Secure Event Connector
  - Remove an SEC from Security Cloud Control
  - Remove a Secure Event Connector from the Secure Device Connector VM
- Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
- Provision a Cisco Secure Cloud Analytics Portal
- Review Sensor Health and Security Cloud Control Integration Status in Secure Cloud Analytics
- Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting
- Viewing Cisco Secure Cloud Analytics Alerts from Security Cloud Control
  - Inviting Users to Join Your Secure Cloud Analytics Portal
  - Cross-Launching from Security Cloud Control to Secure Cloud Analytics
- Cisco Secure Cloud Analytics and Dynamic Entity Modeling
- Working with Alerts Based on Firewall Events
  - Triage open alerts
  - Snooze alerts for later analysis
  - Update the alert for further investigation
  - Review the alert and start your investigation
  - Examine the entity and users
  - Remediate issues using Secure Cloud Analytics
  - Update and close the alert
- Modifying Alert Priorities
- Viewing Live Events
  - Play/Pause Live Events
- View Historical Events
- Customize the Events View
- Show and Hide Columns on the Event Logging Page
- Change the Time Zone for the Event Timestamps
- Customizable Event Filters
- Searching for and Filtering Events in the Event Logging Page
  - Filter Live or Historical Events
  - Filter Only NetFlow Events
  - Filter for ASA or FDM-Managed Device Syslog Events but not ASA NetFlow Events
  - Combine Filter Elements
  - Search Historical Events in the Background
    - Search for Events in the Events Logging Page
    - Schedule a Background Search in the Event Viewer
    - Download a Background Search
- Event Attributes in Security Analytics and Logging
  - EventGroup and EventGroupDefinition Attributes for Some Syslog Messages
  - EventName Attributes for Syslog Events
  - Time Attributes in a Syslog Event
- Security Analytics and Logging license and Data Storage Plans
  - View Security Analytics and Logging License Information
  - Extend Event Storage Duration and Increase Event Storage Capacity
  - View Security Analytics and Logging Alerts
  - View Security Analytics and Logging Storage Usage and Event Ingest Rate
- Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
Securely Connecting Customers to the Cisco Secure Internet Gateway (SIG)
- Managing Umbrella with Firewall in Security Cloud Control
- Onboarding an Umbrella Organization
  - Onboarding an Umbrella Organization
    - Umbrella License Requirements
    - Generate an API Key and Secret
    - Umbrella Organization ID
    - Onboarding an Umbrella Orgnization
    - Reconnect an Umbrella Organization to Security Cloud Control
    - Cross-launch to the Umbrella dashboard
    - Delete a Device from Security Cloud Control
- Configure an Umbrella Organization
  - Read Umbrella Tunnel Configuration
  - Cross-launch to the Umbrella Tunnels Page
  - Configure a SASE Tunnel for Umbrella
  - Edit a SASE Tunnel
  - Delete a SASE Tunnel from Umbrella
Integrating Security Cloud Control with Cisco Security Cloud Sign On
- Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Terraform
- About Terraform
Troubleshooting
- Troubleshoot an Secure Firewall ASA Device
  - ASA Fails to Reconnect to Security Cloud Control After Reboot
  - Cannot onboard ASA due to certificate error
    - Determine the OpenSSL Cipher Suite Used by your ASA
    - Cipher Suites Supported by Security Cloud Control 's Secure Device Connector
    - Updating your ASA's Cipher Suite
  - Troubleshoot ASA using CLI commands
  - Troubleshoot ASA Remote Access VPN
  - ASA Real-time Logging
    - View ASA Real-time Logs
  - ASA Packet Tracer
    - Troubleshoot an ASA Device Security Policy
    - Troubleshoot an Access Rule
    - Troubleshoot a NAT Rule
    - Troubleshoot a Twice NAT Rule
    - Analyze Packet Tracer Results
  - Cisco ASA Advisory cisco-sa-20180129-asa1
  - Confirming ASA Running Configuration Size
  - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
    - Updating a Security Cloud Control -Standard SDC Host
    - Updating a Custom SDC Host
    - Bug Tracking
  - Large ASA Running Configuration Files
- Troubleshoot a Secure Device Connector
  - SDC is Unreachable
  - SDC Status not Active on Security Cloud Control After Deployment
  - Changed IP Address of the SDC is not Reflected in Security Cloud Control
  - Troubleshoot Device Connectivity with the SDC
  - Intermittent or No Connectivity with SDC
  - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
    - Updating a Security Cloud Control -Standard SDC Host
    - Updating a Custom SDC Host
    - Bug Tracking
  - Invalid System Time
  - SDC version is lower than 202311****
  - Certificate or Connection errors with AWS servers
- Troubleshoot a Secure Event Connector
  - Troubleshoot SEC Onboarding Failures
  - Troubleshoot Secure Event Connector Registration Failure
  - Troubleshooting Network Problems Using Security and Analytics Logging Events
  - Troubleshooting NSEL Data Flows
  - Event Logging Troubleshooting Log Files
  - SEC Status is Inactive in Security Cloud Control
  - The SEC is online, but there are no events in Security Cloud Control Event Logging Page
  - Remove an SEC from Your Host
  - Use Health Check to Learn the State of your Secure Event Connector
- Troubleshoot Security Cloud Control
  - Troubleshooting Access and Certificates
    - Troubleshoot User Access with Security Cloud Control
    - Resolve New Fingerprint Detected State
    - Troubleshooting Network Problems Using Security and Analytics Logging Events
    - Troubleshooting SSL Decryption Issues
  - Troubleshooting Login Failures after Migration
  - Troubleshooting Objects
    - Resolve Duplicate Object Issues
    - Resolve Unused Object Issues
      - Resolve an Unused Object Issue
      - Remove Unused Objects in Bulk
    - Resolve Inconsistent Object Issues
    - Resolve Object Issues in Bulk
- Device Connectivity States
  - Troubleshoot Insufficient Licenses
  - Troubleshoot Invalid Credentials
  - Troubleshoot New Certificate Issues
    - New Certificate Detected
  - Troubleshoot Onboarding Error
  - Resolve the Conflict Detected Status
  - Resolve the Not Synced Status
FAQ and Support
- Security Cloud Control
- FAQ About Onboarding Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
  - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
  - FAQs About On-Premises Secure Firewall Management Center
  - FAQs About Onboarding Meraki Devices to Security Cloud Control
  - FAQs About Onboarding SSH Devices to Security Cloud Control
  - FAQs About Onboarding IOS Devices to Security Cloud Control
- Device Types
- Security
- Troubleshooting
- Terminologies and Definitions used in Zero-Touch Provisioning
- Policy Optimization
- Connectivity
- About Data Interfaces
- How Security Cloud Control Processes Personal Information
- Contact Security Cloud Control Support
  - Export The Workflow
  - Open a Support Ticket with TAC
    - How Security Cloud Control Customers Open a Support Ticket with TAC
    - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
  - Security Cloud Control Service Status Page

Troubleshooting Troubleshoot an Secure Firewall ASA Device Cannot onboard ASA due to certificate error

Last updated: Jun 09, 2025

Cannot onboard ASA due to certificate error

Environment: ASA is configured with client-side certificate authentication.

Solution: Disable client-side certificate authentication.

Details: ASAs support credential-based authentication as well as client-side certificate authentication. Security Cloud Control cannot connect to ASAs that use client-side certificate authentication. Before onboarding your ASA to Security Cloud Control, make sure it does not have client-certificate authentication enabled by using this procedure:

Procedure

1	Open a terminal window and connect to the ASA using SSH.
2	Enter global configuration mode.
3	At the hostname (config)# prompt, enter this command: `no ssl certificate-authentication interface interface-name port 443` The interface name is the name of the interface Security Cloud Control connects to.

Previous topic ASA Fails to Reconnect to Security Cloud Control After Reboot Next topic Determine the OpenSSL Cipher Suite Used by your ASA