Login

Managing FDM Devices with Security Cloud Control

Introduction
- About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
- About Firewall in Security Cloud Control
- Managing FDM-Managed Devices with Firewall in Security Cloud Control
- The Firewall Dashboard
Get Started
- Networking Requirements
  - Managing an FDM-Managed Device from the Inside Interface
    - Manage an FDM-Managed Device from the Inside Interface
  - Managing an FDM-Managed Device from the Outside Interface
    - Manage the FDM-Managed Device's Outside Interface
- Create a Security Cloud Control Tenant
- Browsers Supported in Security Cloud Control
- Login Requirements for Security Cloud Control
  - Initial Login to Your New Security Cloud Control Tenant
  - Signing in to Security Cloud Control in Different Regions
  - Troubleshooting Login Failures
- Migrate to Cisco Security Cloud Sign On Identity Provider
  - Troubleshooting Login Failures after Migration
- Launch a Security Cloud Control Tenant
- Security Cloud Control Services Page
- About Security Cloud Control Licenses
  - Cloud-Delivered Firewall Management Center and Threat Defense Licenses
- Security Cloud Control Platform Maintenance Schedule
- Cloud-delivered Firewall Management Center Maintenance Schedule
- Manage Objects
  - Object Types
  - Shared Objects
  - Object Overrides
  - Unassociated Objects
  - Compare Objects
  - Filters
    - Object Filters
      - Configure Object Filters
      - When to Exclude a Device from Filter Criteria
  - Unignore Objects
  - Deleting Objects
    - Delete a Single Object
    - Delete a Group of Unused Objects
  - Network Objects
    - Create or Edit a Firepower Network Object or Network Groups
      - Create a Firepower Network Object
      - Create a Firepower Network Group
      - Edit a Firepower Network Object
      - Edit a Firepower Network Group
      - Add an Object Override
      - Edit Object Overrides
      - Add Additional Values to a Shared Network Group
      - Edit Additional Values in a Shared Network Group
      - Deleting Network Objects and Groups in Security Cloud Control
  - URL Objects
    - Create or Edit an FDM-Managed URL Object
    - Create a Firepower URL Group
      - Edit a Firepower URL Object or URL Group
  - Application Filter Objects
    - Create and Edit a Firepower Application Filter Object
      - Create a Firepower Application Filter Object
      - Edit a Firepower Application Filter Object
  - Geolocation Objects
    - Create and Edit a Firepower Geolocation Filter Object
      - Edit a Geolocation Object
  - DNS Group Objects
    - Create a DNS Group Object
    - Edit a DNS Group Object
    - Delete a DNS Group Object
    - Add a DNS Group Object as an FDM-Managed DNS Server
  - Certificate Objects
    - About Certificates
    - Certificate Types Used by Feature
    - Configuring Certificates
    - Uploading Internal and Internal CA Certificates
      - Procedure
    - Uploading Trusted CA Certificates
      - Procedure
    - Generating Self-Signed Internal and Internal CA Certificates
      - Procedure
  - About IPsec Proposals
    - Managing an IKEv1 IPsec Proposal Object
      - Create or Edit an IKEv1 IPsec Proposal Object
    - Managing an IKEv2 IPsec Proposal Object
      - Create or Edit an IKEv2 IPsec Proposal Object
  - About Global IKE Policies
    - Managing IKEv1 Policies
      - Create or Edit an IKEv1 Policy
    - Managing IKEv2 Policies
      - Create or Edit an IKEv2 Policy
  - RA VPN Objects
  - Security Zone Object
    - Create or Edit a Firepower Security Zone Object
      - Create a Security Zone Object
      - Edit a Security Zone Object
  - Service Objects
    - Create and Edit Firepower Service Objects
      - Create a Firepower Service Group
      - Edit a Firepower Service Object or Service Group
  - Security Group Tag Group
    - Security Group Tags
    - Create an SGT Group
    - Edit an SGT Group
    - Add an SGT Group to an Access Control Rule
  - Syslog Server Objects
    - Create and Edit Syslog Server Objects
      - Edit Syslog Server Objects
    - Create a Syslog Server Object for Secure Logging Analytics (SaaS)
      - Procedure
- Network Address Translation
- Order of Processing NAT Rules
- Network Address Translation Wizard
  - Create a NAT Rule by using the NAT Wizard
- Common Use Cases for NAT
  - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
  - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
  - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
    - NAT Incoming FTP Traffic to an FTP Server
    - NAT Incoming HTTP Traffic to an HTTP Server
    - NAT Incoming SMTP Traffic to an SMTP Server
  - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
    - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
  - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
    - Create a Twice NAT Rule
Manage Tenants and Users
- Manage a Security Cloud Control Tenant
  - Configure User Preferences
    - General Preferences
      - Change the Security Cloud Control Web Interface Appearance
    - User Notification Preferences
    - View Security Cloud Control Notifications
  - Tenant Settings
    - Enable Change Request Tracking
    - Prevent Cisco Support from Viewing your Tenant
    - Enable the Option to Auto-accept Device Changes
    - Default Conflict Detection Interval
    - Enable the Option to Schedule Automatic Deployments
    - Web Analytics
    - Share Event Data with Cisco Talos
    - Configure a Default Recurring Backup Schedule
    - Tenant ID
    - Tenant Name
    - Security Cloud Control Platform Navigator
  - Organization Notification Settings
    - Enable Email Subscribers
      - Add an Email Subscription
      - Edit Email Subscriptions
      - Delete an Email Subscription
    - Enable Service Integrations for Security Cloud Control Notifications
      - Incoming Webhooks for Webex Teams
      - Incoming Webhooks for Slack
      - Incoming Webhooks for a Custom Integration
  - Logging Settings
  - Integrate Your SAML Single Sign-On with Security Cloud Control
  - Renew SSO Certificate
  - My Tokens
  - API Tokens
    - API Token Format and Claims
    - Manage API-only Users for Firewall in Security Cloud Control
    - Token Management
      - Generate an API Token
      - Renew an API Token
      - Revoke an API Token
  - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
    - Login Workflow
    - Implications of this Architecture
      - Customers Who Use Cisco Security Cloud Sign On
      - Customers Who Have Their Own Identity Provider
      - Cisco Managed Service Providers
      - Related Topics
  - Manage Multi-Tenant Portal
    - Add a Tenant to a Multi-Tenant Portal
    - Delete a Tenant from a Multi-Tenant Portal
    - Manage-Tenant Portal Settings
      - Settings
      - Switch Tenant
  - The Cisco Success Network
- Manage Users in Security Cloud Control
  - Manage Super Admins on Your Tenant
  - View the User Records Associated with your Tenant
- Active Directory Groups in User Management
  - Prerequisites for Adding an Active Directory Group to Security Cloud Control
  - Add an Active Directory Group for User Management
  - Edit an Active Directory Group for User Management
  - Delete an Active Directory Group for User Management
- Create a New Security Cloud Control User
  - Create a Cisco Security Cloud Sign On Account for the New User
    - About Logging in to Security Cloud Control
    - Before You Log In
    - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
  - Create a User Record with Your Security Cloud Control Username
  - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
- User Roles in Security Cloud Control
  - Read-only Role
  - Edit-Only Role
  - Deploy-Only Role
  - VPN Sessions Manager Role
  - Admin Role
  - Super Admin Role
  - Change The Record of the User Role
- Add a User Account to Security Cloud Control
  - Create a User Record
  - Create API Only Users
- Edit a User Record for a User Role
  - Edit a User Role
- Delete a User Record for a User Role
  - Delete a User Record
Onboard Devices and Services
- Secure Device Connector
  - Connect Security Cloud Control to your Managed Devices
  - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
  - Deploy a Secure Device Connector On Your VM
  - Bootstrap a Secure Device Connector on the Deployed Host
  - Deploy a Secure Device Connector to vSphere Using Terraform
  - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
  - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
  - Change the IP Address of a Secure Device Connector
  - Remove a Secure Device Connector
  - Move an ASA from one SDC to Another
  - Rename a Secure Device Connector
  - Update your Secure Device Connector
  - Using Multiple SDCs on a Single Security Cloud Control Tenant
  - Security Cloud Control Devices that Use the Same SDC
  - Open Source and Third-Party License in SDC
- Supported Devices, Software, and Hardware
  - Secure Firewall Threat Defense Device Support Specifics
- Onboard FDM-Managed Device
  - Managing an FDM-Managed Device from the Inside Interface
    - Manage an FDM-Managed Device from the Inside Interface
  - Managing an FDM-Managed Device from the Outside Interface
    - Manage the FDM-Managed Device's Outside Interface
  - Onboard an FDM-Managed Device to Security Cloud Control
    - Onboard an FDM-Managed Device Using Username, Password, and IP Address
    - Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
      - Unregister a Smart-licensed FDM-Managed Device
      - Procedure to Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
    - Onboard an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
      - Unregistering an FDM-Managed Device from Cisco Cloud Services
      - Procedure to Onboad an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
    - Onboard an FDM-Managed Device using the Device's Serial Number
      - Workflow and Prerequisites to Onboard the FDM-Managed Device Using Zero-Touch Provisioning
        
        Onboard a Secure Firewall Threat Defense Device With Zero-Touch Provisioning
      - Onboard a Configured FDM-Managed Device using the Device's Serial Number
    - Onboard an FDM-Managed High Availability Pair
      - Onboard an FDM-Managed High Availablity Pair with a Registration Key
        
        Onboard an FDM-Managed HA Pair Running Version 6.4 or Version 6.5
        
        Onboard an FDM-Managed HA Pair Running Threat Defense Version 6.6 or Version 6.7 and later
      - Onboard an FDM-Managed High Availability Pair
    - Onboard an FTD Cluster
      - Onboard a Clustered Secure Firewall Threat Defense Device
  - Applying or Updating a Smart License
    - Smart-License an FDM-Managed Device When Onboarding Using a Registration Key
    - Smart-License an FDM-Managed Device After Onboarding the Device Using a Registration Key or its Credentials
    - Updating an Existing Smart License of an FDM-Managed Device
    - Change the Smart License Applied to an FDM-Managed Device Onboarded Using a Registration Key
    - Change the Smart License Applied to an FDM-Managed Device Onboarded Using its Credentials
  - Security Cloud Control Support for DHCP Addressing of FDM-Managed Devices
  - FDM-Managed Device Licensing Types
    - Virtual FDM-Managed Device Tiered Licenses
    - Viewing Smart-Licenses for a Device
    - Enabling or Disabling Optional Licenses
    - Impact of Expired or Disabled Optional Licenses
  - Create and Import an Firewall Device Manager Model
    - Export FDM-Managed Device Configuration
    - Import FDM-Managed Device Configuration
  - Backing Up FDM-Managed Devices
    - Back up an FDM-Managed Device On-Demand
      - Procedure
    - Configure a Recurring Backup Schedule for a Single FDM-Managed Device
      - Procedure
    - Download the Device Backup
    - Edit a Backup
    - Delete a Backup
    - Managing Device Backup
    - Restore a Backup to an FDM-Managed Device
  - FDM Software Upgrade Paths
    - Other Upgrade Limitations
    - 4100 and 9300 Series Devices
  - FDM-Managed Device Upgrade Prerequisites
  - Upgrade a Single FDM-Managed Device
    - Upgrade A Single FDM-Managed Device with Images from Security Cloud Control 's Repository
    - Upgrade a Single FDM-Managed Device with Images from your own Repository
    - Monitor the Upgrade Process
  - Bulk FDM-Managed Devices Upgrade
    - Upgrade Bulk FDM-Managed Devices with Images from Security Cloud Control 's Repository
    - Upgrade Bulk FDM-Managed Devices with Images from your own Repository
    - Monitor the Bulk Upgrade Process
  - Upgrade an FDM-Managed High Availability Pair
    - Upgrade an FDM-Managed HA Pair with Images from Security Cloud Control's Repository
    - Upgrade an FDM-Managed HA Pair with Images from your own Repository
    - Monitor the Upgrade Process
  - Upgrade to Snort 3.0
    - Upgrade the Device and the Intrusion Prevention Engine Simultaneously
    - Upgrade the Intrusion Prevention Engine
    - Monitor the Upgrade Process
  - Revert From Snort 3.0 for FDM-Managed Device
    - Revert From Snort 3.0
  - Schedule a Security Database Update
    - Edit a Scheduled Security Database Update
  - Update FDM-Managed Device Security Databases
Manage Onboarded Device Settings
- Changing a Device's IP Address in Security Cloud Control
- Changing a Device's Name in Security Cloud Control
- Export a List of Devices and Services
- Export Device Configuration
- External Links for Devices
  - Create an External Link from your Device
  - Create an External Link to FDM
  - Create an External Link for Multiple Devices
  - Edit or Delete External Links
  - Edit or Delete External Links for Multiple Devices
- Bulk Reconnect Devices to Security Cloud Control
- Moving Devices Between Tenants
- Device Certificate Expiry Detection
- Write a Device Note
- Delete a Device from Security Cloud Control
- Manage Security Devices
- About Security Devices Page
- Security Cloud Control Labels and Filtering
  - Applying Labels to Devices and Objects
  - Filters
- Use Security Cloud Control Search Functionality
  - Page Level Search
  - Global Search
    - Initiate Full Indexing
    - Perform a Global Search
Configuring FDM-Managed Devices
- Interfaces
  - Guidelines and Limitations for Firepower Interface Configuration
    - Maximum Number of VLAN Members by Device Model
  - Firepower Data Interfaces
  - Management/Diagnostic Interface
  - Interface Settings
    - Use of Security Zones in Firepower Interface Settings
    - Assign an FDM-Managed Device Interface to a Security Zone
      - Assign a Firepower Interface to a Security Zone
    - Use of Auto-MDI/MDX in Firepower Interface Settings
    - Use of MAC Addresses in Firepower Interface Settings
    - Use of MTU Settings in Firepower Interface Settings
  - IPv6 Addressing for Firepower Interfaces
  - Configuring Firepower Interfaces
    - Configure a Physical Firepower Interface
      - Procedure
      - Configure IPv4 Addressing for the Physical Interface
      - Configure IPv6 Addressing for the Physical Interface
      - Enable the Physical Interface
    - Configure Firepower VLAN Subinterfaces and 802.1Q Trunking
      - Procedure
      - Configure IPv4 Addressing for the Subinterface
      - Configure IPv6 Addressing for the Subinterface
      - Enable the Physical Interface
    - Configure Advanced Firepower Interface Options
    - Configure a Bridge Group
      - Configure the Name of the Bridge Group Interface and Select the Bridge Group Members
      - Configure the IPv4 Address for the BVI
      - Configure the IPv6 Address for the BVI
      - Configure Advanced Interface Options
      - Bridge Group Compatibility in FDM-Managed Configurations
      - Delete a Bridge Group
    - Add an EtherChannel Interface for an FDM-Managed Device
      - Add an EtherChannel Interface
    - Edit Or Remove an EtherChannel Interface for FDM-Managed Device
      - Edit an EtherChannel
      - Remove an EtherChannel Interface
    - Add a Subinterface to an EtherChannel Interface
      - Add a Subinterface to an EtherChannel Interface
    - Edit or Remove a Subinterface from an EtherChannel
      - Edit a Subinterface
      - Remove a Subinterface from an EtherChannel
    - Add Interfaces to a Virtual FDM-Managed Device
    - Switch Port Mode Interfaces for an FDM-Managed Device
    - Configure an FDM-Managed Device VLAN
    - Configure an FDM-Managed Device VLAN for Switch Port Mode
      - Create a VLAN Interface for Switch Port Mode
      - Configure an Existing Physical Interface for Switch Port Mode
  - Viewing and Monitoring Firepower Interfaces
    - Monitoring Interfaces in the CLI
- Synchronizing Interfaces Added to a Firepower Device using FXOS
- Routing
  - About Static Routing and Default Routes
    - Default Route
    - Static Routes
  - The Routing Table and Route Selection
    - How the Routing Table is Populated
    - How Forwarding Decisions are Made
  - Configure Static and Default Routes for FDM-Managed Devices
    - Procedure
    - Static Route Example
  - Monitoring Routing
  - Static Route Network Diagram
  - About Virtual Routing and Forwarding
- Manage Objects
  - Manage Objects
    - Object Types
    - Shared Objects
    - Object Overrides
    - Unassociated Objects
    - Compare Objects
    - Filters
      - Object Filters
        
        Configure Object Filters
        
        When to Exclude a Device from Filter Criteria
    - Unignore Objects
    - Deleting Objects
      - Delete a Single Object
      - Delete a Group of Unused Objects
    - Network Objects
      - Create or Edit a Firepower Network Object or Network Groups
        
        Create a Firepower Network Object
        
        Create a Firepower Network Group
        
        Edit a Firepower Network Object
        
        Edit a Firepower Network Group
        
        Add an Object Override
        
        Edit Object Overrides
        
        Add Additional Values to a Shared Network Group
        
        Edit Additional Values in a Shared Network Group
        
        Deleting Network Objects and Groups in Security Cloud Control
    - URL Objects
      - Create or Edit an FDM-Managed URL Object
      - Create a Firepower URL Group
        
        Edit a Firepower URL Object or URL Group
    - Application Filter Objects
      - Create and Edit a Firepower Application Filter Object
        
        Create a Firepower Application Filter Object
        
        Edit a Firepower Application Filter Object
    - Geolocation Objects
      - Create and Edit a Firepower Geolocation Filter Object
        
        Edit a Geolocation Object
    - DNS Group Objects
      - Create a DNS Group Object
      - Edit a DNS Group Object
      - Delete a DNS Group Object
      - Add a DNS Group Object as an FDM-Managed DNS Server
    - Certificate Objects
      - About Certificates
      - Certificate Types Used by Feature
      - Configuring Certificates
      - Uploading Internal and Internal CA Certificates
        
        Procedure
      - Uploading Trusted CA Certificates
        
        Procedure
      - Generating Self-Signed Internal and Internal CA Certificates
        
        Procedure
    - About IPsec Proposals
      - Managing an IKEv1 IPsec Proposal Object
        
        Create or Edit an IKEv1 IPsec Proposal Object
      - Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
    - About Global IKE Policies
      - Managing IKEv1 Policies
        
        Create or Edit an IKEv1 Policy
      - Managing IKEv2 Policies
        
        Create or Edit an IKEv2 Policy
    - RA VPN Objects
    - Security Zone Object
      - Create or Edit a Firepower Security Zone Object
        
        Create a Security Zone Object
        
        Edit a Security Zone Object
    - Service Objects
      - Create and Edit Firepower Service Objects
        
        Create a Firepower Service Group
        
        Edit a Firepower Service Object or Service Group
    - Security Group Tag Group
      - Security Group Tags
      - Create an SGT Group
      - Edit an SGT Group
      - Add an SGT Group to an Access Control Rule
    - Syslog Server Objects
      - Create and Edit Syslog Server Objects
        
        Edit Syslog Server Objects
      - Create a Syslog Server Object for Secure Logging Analytics (SaaS)
        
        Procedure
- Manage Security Policies in Security Cloud Control
- FDM Policy Configuration
  - FDM-Managed Access Control Policy
    - Read an FDM-Managed Access Control Policy
    - Configure the FDM Access Control Policy
      - Create or Edit an FDM-Managed Access Control Policy
      - Configuring Access Policy Settings
        
        Procedure
      - About TLS Server Identity Discovery
    - Copy FDM-Managed Access Control Rules
      - Copy Rules within the Device
      - Copy Rules from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
    - Move FDM-Managed Access Control Rules
      - Move Rules within the Device
      - Move a Rule from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
    - Behavior of Objects when Pasting Rules to Another Device
    - Source and Destination Criteria in an FDM-Managed Access Control Rule
    - URL Conditions in an FDM-Managed Access Control Rule
      - Specifying a Reputation for a URL Category Used in a Rule
    - Intrusion Policy Settings in an FDM-Managed Access Control Rule
    - File Policy Settings in an FDM-Managed Access Control Rule
    - Logging Settings in an FDM-Managed Access Control Rule
      - Procedure
    - Security Group Tags
      - Create an SGT Group
      - Edit an SGT Group
      - Add an SGT Group to an Access Control Rule
    - Application Criteria in an FDM-Managed Access Control Rule
    - Intrusion, File, and Malware Inspection in FDM-Managed Access Control Policies
    - Custom IPS Policy in an FDM-Managed Access Control Rule
    - TLS Server Identity Discovery in Firepower Threat Defense
      - Enable the TLS Server Identity Discovery
  - Intrusion Prevention System
    - Threat Events
    - Custom Firepower Intrusion Prevention System Policy
      - Configure Firepower Custom IPS Policies
        
        Create a Custom IPS Policy
        
        Edit a Custom IPS Policy
        
        Edit Rule Groups in a Custom IPS Policy
        
        Delete a Custom IPS policy
  - Security Intelligence Policy
    - Configure the Firepower Security Intelligence Policy
      - Configure Firepower Security Intelligence Policy
    - Making Exceptions to the Firepower Security Intelligence Policy Blocked Lists
    - Security Intelligence Feeds for Firepower Security Intelligence Policies
  - FDM-Managed Device Identity Policy
    - How to Implement an Identity Policy
      - Procedure
    - Configure Identity Policies
      - Procedure
    - Configure Identity Policy Settings
      - Procedure
    - Configure the Identity Policy Default Action
      - Procedure
    - Configure Identity Rules
      - Procedure
  - SSL Decryption Policy
    - How to Implement and Maintain the SSL Decryption Policy
      - Procedure
    - About SSL Decryption
      - Why Implement SSL Decryption?
      - Actions You Can Apply to Encrypted Traffic
      - Automatically Generated SSL Decryption Rules
      - Handling Undecryptable Traffic
      - License Requirements for SSL Decryption Policies
      - Guidelines for SSL Decryption
    - Configure SSL Decryption Policies
      - Procedure
      - Enable the SSL Decryption Policy
        
        Procedure
      - Configure the Default SSL Decryption Action
        
        Procedure
      - Configure SSL Decryption Rules
        
        Procedure
      - Source/Destination Criteria for SSL Decryption Rules
      - URL Criteria for SSL Decryption Rules
      - User Criteria for SSL Decryption Rules
    - Configure Certificates for Known Key and Re-Sign Decryption
    - Downloading the CA Certificate for Decrypt Re-Sign Rules
      - Procedure
      - Warning
  - Rulesets
    - Configure Rulesets for a Device
      - Create or Edit a Ruleset
      - Deploy a Ruleset to Multiple FDM-Managed Devices or Templates
      - Add Devices to a Ruleset from the Ruleset page
      - Add Rulesets to a Device from the Device Policy page
    - Rulesets with FDM-Managed Templates
    - Create Rulesets from Existing Device Rules
    - Impact of Out-of-Band Changes on Rulesets
    - Impact of Discarding Staged Ruleset Changes
    - View Rules and Rulesets
      - View Rules from Device Policy Page
      - View Rulesets
      - Search Rulesets
      - View Jobs Associated with Rulesets
    - Change Log Entries after Creating Rulesets
    - Detach FDM-Managed Devices from a Selected Ruleset
    - Delete Rules and Rulesets
      - Delete Rules from a Ruleset
      - Delete a Ruleset
    - Remove a Ruleset From a Selected FDM-Managed Device
      - Delete a Ruleset From a Selected FDM-Managed Device
      - Disassociate a Ruleset From a Selected FDM-Managed Device
  - Adding Comments to Rules in Policies and Rulesets
    - Adding a Comment to a Rule
    - Editing Comments about Rules in Policies and Rulesets
      - Editing a comment on a rule in a policy
      - Editing a comment on a rule in a ruleset
  - Network Address Translation
  - Order of Processing NAT Rules
  - Network Address Translation Wizard
    - Create a NAT Rule by using the NAT Wizard
  - Common Use Cases for NAT
    - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
    - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
    - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
      - NAT Incoming FTP Traffic to an FTP Server
      - NAT Incoming HTTP Traffic to an HTTP Server
      - NAT Incoming SMTP Traffic to an SMTP Server
    - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
      - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
    - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
      - Create a Twice NAT Rule
- Templates
  - FDM-Managed Device Templates
  - Configure an FDM Template
    - Create an FDM Template
    - Edit an FDM-Managed Device Template
    - Delete an FDM Template
  - Apply an FDM Template
    - Apply Template to an FDM-Managed Device
    - Review Device and Networking Settings
    - Deploy Changes to the Device
- FDM-Managed High Availability
  - FDM-Managed High Availability Pair Requirements
  - Create an FDM-Managed High Availability Pair
    - Procedure
  - FDM-Managed Devices in High Availability Page
    - High Availability Management Page
    - Edit High Availability Failover Criteria
    - Break an FDM-Managed High Availability Pairing
      - Break High Availability
      - Break Out-of-Band High Availability
    - Force a Failover on an FDM-Managed High Availability Pair
    - FDM-Managed High Availability Failover History
    - Refresh the FDM-Managed High Availability Status
    - Failover and Stateful Link for FDM-Managed High Availability
- FDM-Managed Device Settings
  - Configure an FDM-Managed Device's System Settings
  - Configure Management Access
    - Create Rules for Management Interfaces
    - Create Rules for Data Interfaces
  - Configure Logging Settings
    - Message Severity Levels
  - Configure DHCP Servers
  - Configure DNS Server
  - Management Interface
  - Hostname
  - Configure NTP Server
  - Configure URL Filtering
  - Cloud Services
    - Connecting to the Cisco Success Network
    - Sending Events to the Cisco Cloud
  - Enabling or Disabling Web Analytics
- Security Cloud Control Command Line Interface
  - Using the Command Line Interface
  - Entering Commands in the Command Line Interface
  - Work with Command History
- Bulk Command Line Interface
  - Bulk CLI Interface
  - Send Commands in Bulk
  - Work with Bulk Command History
  - Work with Bulk Command Filters
    - By Response Filter
    - By Device Filter
- Command Line Interface Macros
  - Create a CLI Macro from a New Command
  - Create a CLI Macro from CLI History or from an Existing CLI Macro
  - Run a CLI Macro
  - Edit a CLI Macro
  - Delete a CLI Macro
- Command Line Interface Documentation
- Export Security Cloud Control CLI Command Results
  - Export CLI Command Results
  - Export the Results of CLI Macros
  - Export the CLI Command History
  - Export the CLI Macro List
- Security Cloud Control Public API
- Create a REST API Macro
  - Using the API Tool
  - How to Enter a Secure Firewall Threat Defense REST API Request
  - About FTD REST API Macros
    - Create a REST API Macro
      - Create a REST API Macro from a New Command
      - Create a REST API Macro from History or from an Existing REST API Macro
    - Run a REST API Macro
    - Edit a REST API Macro
    - Delete a REST API Macro
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Read Configuration Changes from FDM-Managed Device to Security Cloud Control
    - Discard Changes Procedure
    - If Reverting Pending Changes Fails
    - Review Conflict Procedure
    - Accept Without Review Procedure
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Configuration Changes from Security Cloud Control to FDM-Managed Device
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
  - Schedule a Security Database Update
    - Create a Scheduled Security Database Update
    - Edit a Scheduled Security Database Update
  - Update FDM-Managed Device Security Databases
    - Workflows
Manage Device Configuration
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Read Configuration Changes from FDM-Managed Device to Security Cloud Control
    - Discard Changes Procedure
    - If Reverting Pending Changes Fails
    - Review Conflict Procedure
    - Accept Without Review Procedure
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Configuration Changes from Security Cloud Control to FDM-Managed Device
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
  - Schedule a Security Database Update
    - Create a Scheduled Security Database Update
    - Edit a Scheduled Security Database Update
  - Update FDM-Managed Device Security Databases
    - Workflows
Monitoring and Reporting Change Logs, Workflows, and Jobs
- Manage Change Logs in Security Cloud Control
- Change Log Entries After Deploying to FDM-Managed Device
- Change Log Entries After Reading Changes from an FDM-Managed Device
- View Change Log Differences
- Export the Change Log
  - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
- Change Request Management
  - Enable Change Request Management
  - Create a Change Request
  - Associate a Change Request with a Change Log Event
  - Search for Change Log Events with Change Requests
  - Search for a Change Request
  - Filter Change Requests
  - Clear the Change Request Toolbar
  - Clear a Change Request Associated with a Change Log Event
  - Delete a Change Request
  - Disable Change Request Management
  - Change Request Management Use Cases
- FDM-Managed Device Executive Summary Report
  - Generating FDM-Managed Device Executive Summary Reports
- Monitor Jobs in Security Cloud Control
  - Reinitiate a Bulk Action
  - Cancel a Bulk Action
- Monitor Workflows in Security Cloud Control
Cisco Security Analytics and Logging
- About Security Analytics and Logging (SaaS) in Security Cloud Control
- Event Types in Security Cloud Control
- About Secure Analytics and Logging (SaaS) for FDM-Managed Devices
- Implementing Secure Logging Analytics (SaaS) for FDM-Managed Devices
- Send FDM Events to Security Cloud Control Events Logging
- Send FDM-Managed Events Directly to the Cisco Cloud
- Implementing SAL (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
- Requirements, Guideline, and Limitations for the SAL (SaaS) Integration
- Send Cloud-delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog
- Send Cloud-delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection
- Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection
- About Secure Event Connectors
- Installing Secure Event Connectors
  - Install a Secure Event Connector on an SDC Virtual Machine
  - Installing an SEC Using a Security Cloud Control Image
    - Install a Security Cloud Control Connector, to Support a Secure Event Connector, Using a Security Cloud Control VM Image
    - Install the Secure Event Connector on the Security Cloud Control Connector VM
  - Deploy Secure Event Connector on Ubuntu Virtual Machine
  - Install an SEC Using Your VM Image
    - Install a Security Cloud Control Connector to Support an SEC Using Your VM Image
    - Additional Configuration for SDCs and Security Cloud Control Connectors Installed on a VM You Created
    - Install the Secure Event Connector on your Security Cloud Control Connector Virtual Machine
  - Install a Secure Event Connector on an AWS VPC Using a Terraform Module
- Remove the Secure Event Connector
  - Remove an SEC from Security Cloud Control
  - Remove a Secure Event Connector from the Secure Device Connector VM
- Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
- Provision a Cisco Secure Cloud Analytics Portal
- Review Sensor Health and Security Cloud Control Integration Status in Secure Cloud Analytics
- Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting
- Viewing Cisco Secure Cloud Analytics Alerts from Security Cloud Control
  - Inviting Users to Join Your Secure Cloud Analytics Portal
  - Cross-Launching from Security Cloud Control to Secure Cloud Analytics
- Cisco Secure Cloud Analytics and Dynamic Entity Modeling
- Working with Alerts Based on Firewall Events
  - Triage open alerts
  - Snooze alerts for later analysis
  - Update the alert for further investigation
  - Review the alert and start your investigation
  - Examine the entity and users
  - Remediate issues using Secure Cloud Analytics
  - Update and close the alert
- Modifying Alert Priorities
- Viewing Live Events
  - Play/Pause Live Events
- View Historical Events
- Customize the Events View
  - Correlate Threat Defense Event Fields and Column Names
- Show and Hide Columns on the Event Logging Page
- Change the Time Zone for the Event Timestamps
- Customizable Event Filters
- Searching for and Filtering Events in the Event Logging Page
  - Filter Live or Historical Events
  - Filter for ASA or FDM-Managed Device Syslog Events but not ASA NetFlow Events
  - Combine Filter Elements
  - Search Historical Events in the Background
    - Search for Events in the Events Logging Page
    - Schedule a Background Search in the Event Viewer
    - Download a Background Search
- Event Attributes in Security Analytics and Logging
  - EventGroup and EventGroupDefinition Attributes for Some Syslog Messages
  - EventName Attributes for Syslog Events
  - Time Attributes in a Syslog Event
- Security Analytics and Logging license and Data Storage Plans
  - View Security Analytics and Logging License Information
  - Extend Event Storage Duration and Increase Event Storage Capacity
  - View Security Analytics and Logging Alerts
  - View Security Analytics and Logging Storage Usage and Event Ingest Rate
- Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
Integrating Security Cloud Control with Cisco Security Cloud Sign On
- Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Terraform
- About Terraform
Troubleshooting
- Troubleshoot FDM-Managed Devices
  - Troubleshoot the Executive Summary Report
  - Troubleshoot FDM-Managed Device Onboarding
  - Failed Because of Insufficient License
  - Troubleshoot Device Unregistered
  - Troubleshooting Device Registration Failure during Onboarding with a Registration Key
  - Troubleshooting SSL Decryption Issues
  - Troubleshoot FDM-Managed Device Onboarding Using Serial Number
    - Claim Error
    - Provisioning Error
  - Troubleshoot FDM-Managed HA Creation
- Troubleshoot a Secure Device Connector
  - SDC is Unreachable
  - SDC Status not Active on Security Cloud Control After Deployment
  - Changed IP Address of the SDC is not Reflected in Security Cloud Control
  - Troubleshoot Device Connectivity with the SDC
  - Intermittent or No Connectivity with SDC
  - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
    - Updating a Security Cloud Control -Standard SDC Host
    - Updating a Custom SDC Host
    - Bug Tracking
  - Invalid System Time
  - SDC version is lower than 202311****
  - Certificate or Connection errors with AWS servers
- Troubleshoot a Secure Event Connector
  - Troubleshoot SEC Onboarding Failures
  - Troubleshoot Secure Event Connector Registration Failure
  - Troubleshooting Network Problems Using Security and Analytics Logging Events
  - Troubleshooting NSEL Data Flows
  - Event Logging Troubleshooting Log Files
  - SEC Status is Inactive in Security Cloud Control
  - The SEC is online, but there are no events in Security Cloud Control Event Logging Page
  - Remove an SEC from Your Host
  - Use Health Check to Learn the State of your Secure Event Connector
- Troubleshoot Security Cloud Control
  - Troubleshooting Access and Certificates
    - Resolve New Fingerprint Detected State
    - Troubleshooting Network Problems Using Security and Analytics Logging Events
    - Troubleshooting SSL Decryption Issues
  - Troubleshooting Login Failures after Migration
  - Troubleshooting Objects
    - Resolve Duplicate Object Issues
    - Resolving Inconsistent or Unused Security Zone Objects
    - Resolve Unused Object Issues
      - Resolve an Unused Object Issue
      - Remove Unused Objects in Bulk
    - Resolve Inconsistent Object Issues
    - Resolve Object Issues in Bulk
- Device Connectivity States
  - Troubleshoot Device Unregistered
  - Troubleshoot Insufficient Licenses
  - Troubleshoot Invalid Credentials
  - Troubleshoot New Certificate Issues
    - New Certificate Detected
  - Troubleshoot Onboarding Error
  - Resolve the Conflict Detected Status
  - Resolve the Not Synced Status
  - Troubleshoot Unreachable Connection State
FAQ and Support
- Security Cloud Control
- FAQ About Onboarding Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
  - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
  - FAQs About On-Premises Secure Firewall Management Center
  - FAQs About Onboarding Meraki Devices to Security Cloud Control
  - FAQs About Onboarding SSH Devices to Security Cloud Control
  - FAQs About Onboarding IOS Devices to Security Cloud Control
- Device Types
- Security
- Troubleshooting
- Terminologies and Definitions used in Zero-Touch Provisioning
- Policy Optimization
- Connectivity
- Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
- About Data Interfaces
- How Security Cloud Control Processes Personal Information
- Contact Security Cloud Control Support
  - Export The Workflow
  - Open a Support Ticket with TAC
    - How Security Cloud Control Customers Open a Support Ticket with TAC
    - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
  - Security Cloud Control Service Status Page

Software Secure Firewall Threat Defense

Platform Secure Firewall Threat Defense Virtual

Activity Onboard

Cisco Security Analytics and Logging Working with Alerts Based on Firewall Events Triage open alerts

Last updated: Jun 09, 2025

Triage open alerts

Triage the open alerts, especially if more than one have yet to be investigated:

See Monitoring Secure Cloud Analytics Alerts Generated from FTD Events for more information on cross-launching from Security Cloud Control to Secure Cloud Analytics, and viewing alerts.

Ask the following questions:

Have you configured this alert type as high priority?
Did you set a high sensitivity for the affected subnet?
Is this unusual behavior from a new entity on your network?
What is the entity's normal role, and how does the behavior in this alert fit that role?
Is this an exceptional deviation from normal behavior for this entity?
If a user is involved, is this expected behavior from the user, or exceptional?
Is protected or sensitive data at risk of being compromised?
How severe is the impact to your network if this behavior is allowed to continue?
If there is communication with external entities, have these entities established connections with other entities on your network in the past?

If this is a high priority alert, consider quarantining the entity from the internet, or otherwise closing its connections, before continuing your investigation.

Previous topic Working with Alerts Based on Firewall Events Next topic Snooze alerts for later analysis