Login

Managing On-Prem FMC with Security Cloud Control

Introduction
- About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
- About Firewall in Security Cloud Control
- Managing On-Premises Firewall Management Center with Security Cloud Control
- The Firewall Dashboard
Get Started
- Create a Security Cloud Control Tenant
- Create a Security Cloud Control Tenant
- Browsers Supported in Security Cloud Control
- Login Requirements for Security Cloud Control
  - Initial Login to Your New Security Cloud Control Tenant
  - Signing in to Security Cloud Control in Different Regions
  - Troubleshooting Login Failures
- Migrate to Cisco Security Cloud Sign On Identity Provider
  - Troubleshooting Login Failures after Migration
- Launch a Security Cloud Control Tenant
- Security Cloud Control Services Page
- About Security Cloud Control Licenses
  - Cloud-Delivered Firewall Management Center and Threat Defense Licenses
- Security Cloud Control Platform Maintenance Schedule
- Cloud-delivered Firewall Management Center Maintenance Schedule
- Manage Objects
  - Object Types
  - Shared Objects
  - Object Overrides
  - Unassociated Objects
  - Compare Objects
  - Filters
    - Object Filters
      - Configure Object Filters
      - When to Exclude a Device from Filter Criteria
  - Unignore Objects
  - Deleting Objects
    - Delete a Single Object
    - Delete a Group of Unused Objects
  - Network Objects
    - Create or Edit ASA Network Objects and Network Groups
      - Create an ASA Network Object
      - Create an ASA Network Group
      - Edit an ASA Network Object
      - Edit an ASA Network Group
      - Add Additional Values to a Shared Network Group in Security Cloud Control
      - Edit Additional Values in a Shared Network Group in Security Cloud Control
      - Deleting Network Objects and Groups in Security Cloud Control
    - Create or Edit a Firepower Network Object or Network Groups
      - Create a Firepower Network Object
      - Create a Firepower Network Group
      - Edit a Firepower Network Object
      - Edit a Firepower Network Group
      - Add an Object Override
      - Edit Object Overrides
      - Add Additional Values to a Shared Network Group
      - Edit Additional Values in a Shared Network Group
      - Deleting Network Objects and Groups in Security Cloud Control
    - Discover and Manage On-Prem Firewall Management Center Network Objects
  - Service Objects
- Network Address Translation
- Order of Processing NAT Rules
- Network Address Translation Wizard
  - Create a NAT Rule by using the NAT Wizard
- Common Use Cases for NAT
  - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
  - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
  - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
    - NAT Incoming FTP Traffic to an FTP Server
    - NAT Incoming HTTP Traffic to an HTTP Server
    - NAT Incoming SMTP Traffic to an SMTP Server
  - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
    - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
  - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
    - Create a Twice NAT Rule
Manage Tenants and Users
- Manage a Security Cloud Control Tenant
  - Configure User Preferences
    - General Preferences
      - Change the Security Cloud Control Web Interface Appearance
    - User Notification Preferences
    - View Security Cloud Control Notifications
  - Tenant Settings
    - Enable Change Request Tracking
    - Prevent Cisco Support from Viewing your Tenant
    - Enable the Option to Auto-accept Device Changes
    - Default Conflict Detection Interval
    - Web Analytics
    - Share Event Data with Cisco Talos
    - Tenant ID
    - Tenant Name
    - Security Cloud Control Platform Navigator
  - Organization Notification Settings
    - Enable Email Subscribers
      - Add an Email Subscription
      - Edit Email Subscriptions
      - Delete an Email Subscription
    - Enable Service Integrations for Security Cloud Control Notifications
      - Incoming Webhooks for Webex Teams
      - Incoming Webhooks for Slack
      - Incoming Webhooks for a Custom Integration
  - Logging Settings
  - Integrate Your SAML Single Sign-On with Security Cloud Control
  - Renew SSO Certificate
  - My Tokens
  - API Tokens
    - API Token Format and Claims
    - Manage API-only Users for Firewall in Security Cloud Control
    - Token Management
      - Generate an API Token
      - Renew an API Token
      - Revoke an API Token
  - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
    - Login Workflow
    - Implications of this Architecture
      - Customers Who Use Cisco Security Cloud Sign On
      - Customers Who Have Their Own Identity Provider
      - Cisco Managed Service Providers
      - Related Topics
  - Manage Multi-Tenant Portal
    - Add a Tenant to a Multi-Tenant Portal
    - Delete a Tenant from a Multi-Tenant Portal
    - Manage-Tenant Portal Settings
      - Settings
      - Switch Tenant
  - The Cisco Success Network
- Manage Users in Security Cloud Control
  - Manage Super Admins on Your Tenant
  - View the User Records Associated with your Tenant
- Active Directory Groups in User Management
  - Prerequisites for Adding an Active Directory Group to Security Cloud Control
  - Add an Active Directory Group for User Management
  - Edit an Active Directory Group for User Management
  - Delete an Active Directory Group for User Management
- Create a New Security Cloud Control User
  - Create a Cisco Security Cloud Sign On Account for the New User
    - About Logging in to Security Cloud Control
    - Before You Log In
    - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
  - Create a User Record with Your Security Cloud Control Username
  - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
- User Roles in Security Cloud Control
  - Read-only Role
  - Edit-Only Role
  - Deploy-Only Role
  - VPN Sessions Manager Role
  - Admin Role
  - Super Admin Role
  - Change The Record of the User Role
- Add a User Account to Security Cloud Control
  - Create a User Record
  - Create API Only Users
- Edit a User Record for a User Role
  - Edit a User Role
- Delete a User Record for a User Role
  - Delete a User Record
Connect Your Device
- Secure Device Connector
  - Connect Security Cloud Control to your Managed Devices
  - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
  - Deploy a Secure Device Connector On Your VM
  - Bootstrap a Secure Device Connector on the Deployed Host
  - Deploy a Secure Device Connector to vSphere Using Terraform
  - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
  - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
  - Change the IP Address of a Secure Device Connector
  - Remove a Secure Device Connector
  - Move an ASA from one SDC to Another
  - Rename a Secure Device Connector
  - Update your Secure Device Connector
  - Using Multiple SDCs on a Single Security Cloud Control Tenant
  - Security Cloud Control Devices that Use the Same SDC
  - Open Source and Third-Party License in SDC
Onboard Devices and Services
- Supported Devices, Software, and Hardware
- Onboard an On-Premises Firewall Management Center
  - Onboard an On-Premises Management Center to Security Cloud Control
    - Auto-Onboard an On-Premises Management Center Integrated with Cisco Security Cloud
      - Integrate On-Premises Management Center With Cisco Security Cloud
      - Disable Auto-Onboarding of an On-Premises Management Center
    - Onboard an On-Premises Firewall Management Center to Security Cloud Control with Credentials
    - Redirect Security Cloud Control to an On-Premises Firewall Management Center
  - Remove an On-Premises Firewall Management Center from Security Cloud Control
Manage Onboarded Device Settings
- Changing a Device's IP Address in Security Cloud Control
- Changing a Device's Name in Security Cloud Control
- Export a List of Devices and Services
- Export Device Configuration
- External Links for Devices
  - Create an External Link from your Device
  - Create an External Link to
  - Create an External Link for Multiple Devices
  - Edit or Delete External Links
  - Edit or Delete External Links for Multiple Devices
- Bulk Reconnect Devices to Security Cloud Control
- Moving Devices Between Tenants
- Device Certificate Expiry Detection
- Write a Device Note
- Delete a Device from Security Cloud Control
- Manage Security Devices
- About Security Devices Page
- Security Cloud Control Labels and Filtering
  - Applying Labels to Devices and Objects
  - Filters
- Use Security Cloud Control Search Functionality
  - Page Level Search
  - Global Search
    - Initiate Full Indexing
    - Perform a Global Search
Configuring On-Premises Firewall Management Center Devices
- View Onboarded On-Premises Management Center
- Discover and Manage On-Prem Firewall Management Center Network Objects
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Bulk Deploy Device Configurations
  - Preview and Deploy On-Premises Firewall Management Center Configurations
  - Discard Configuration Changes
  - Discard On-Premises Firewall Management Center Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
    - Enable Conflict Detection for an On-Premises Management Center
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Analyzing, Detecting, and Fixing Policy Anomalies Using Policy Analyzer and Optimizer
- About Policy Analyzer and Optimizer
  - Analysis, Remediation, and Reporting
- Prerequisites to Use Policy Analyzer and Optimizer
- Policy Analyzer and Optimizer Licensing Requirements
- Enable Policy Analyzer and Optimizer for Cloud-delivered Firewall Management Center
- Enable Policy Analyzer and Optimizer for Security Cloud Control -managed On-Premises Firewall Management Center
- Policy Analysis
  - Analyze Cloud-delivered Firewall Management Center Policies
  - Analyze On-Premises Firewall Management Center Policies
- Policy Reporting
  - Policy Analysis Summary
  - Duplicate Rules
  - Overlapping Objects
  - Expired Rules
  - Mergeable Rules
  - Policy Insights
- Policy Remediation
  - Apply Policy Remediation
  - What Does the Policy Remediation Report Contain?
- Troubleshooting Policy Analyzer and Optimizer
  - Policy Analyzer and Optimizer Does Not Analyze Policies
  - Policy Analyzer and Optimizer Does Not Fetch Policies
- Frequently Asked Questions About Policy Analyzer and Optimizer
Manage Device Configuration
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Bulk Deploy Device Configurations
  - Preview and Deploy On-Premises Firewall Management Center Configurations
  - Discard Configuration Changes
  - Discard On-Premises Firewall Management Center Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
    - Enable Conflict Detection for an On-Premises Management Center
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Monitoring and Reporting Change Logs, Workflows, and Jobs
- Manage Change Logs in Security Cloud Control
- View Change Log Differences
- Export the Change Log
  - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
- Change Request Management
  - Enable Change Request Management
  - Create a Change Request
  - Associate a Change Request with a Change Log Event
  - Search for Change Log Events with Change Requests
  - Search for a Change Request
  - Filter Change Requests
  - Clear the Change Request Toolbar
  - Clear a Change Request Associated with a Change Log Event
  - Delete a Change Request
  - Disable Change Request Management
  - Change Request Management Use Cases
- Monitor Workflows in Security Cloud Control
Integrating Security Cloud Control with Cisco Security Cloud Sign On
- Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Terraform
- About Terraform
Troubleshooting
- Troubleshoot a Secure Device Connector
  - SDC is Unreachable
  - SDC Status not Active on Security Cloud Control After Deployment
  - Changed IP Address of the SDC is not Reflected in Security Cloud Control
  - Troubleshoot Device Connectivity with the SDC
  - Intermittent or No Connectivity with SDC
  - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
    - Updating a Security Cloud Control -Standard SDC Host
    - Updating a Custom SDC Host
    - Bug Tracking
  - Invalid System Time
  - SDC version is lower than 202311****
  - Certificate or Connection errors with AWS servers
- Troubleshoot Security Cloud Control
  - Troubleshooting Access and Certificates
    - Resolve New Fingerprint Detected State
    - Troubleshooting Network Problems Using Security and Analytics Logging Events
    - Troubleshooting SSL Decryption Issues
  - Troubleshooting Login Failures after Migration
  - Troubleshooting Objects
    - Resolve Duplicate Object Issues
    - Resolve Unused Object Issues
      - Resolve an Unused Object Issue
      - Remove Unused Objects in Bulk
    - Resolve Inconsistent Object Issues
    - Resolve Object Issues in Bulk
- Device Connectivity States
  - Troubleshoot Insufficient Licenses
  - Troubleshoot Invalid Credentials
  - Troubleshoot New Certificate Issues
    - New Certificate Detected
  - Troubleshoot Onboarding Error
  - Resolve the Conflict Detected Status
  - Resolve the Not Synced Status
FAQ and Support
- Security Cloud Control
- FAQ About Onboarding Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
  - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
  - FAQs About On-Premises Secure Firewall Management Center
  - FAQs About Onboarding Meraki Devices to Security Cloud Control
  - FAQs About Onboarding SSH Devices to Security Cloud Control
  - FAQs About Onboarding IOS Devices to Security Cloud Control
- Device Types
- Security
- Troubleshooting
- Terminologies and Definitions used in Zero-Touch Provisioning
- Policy Optimization
- Connectivity
- About Data Interfaces
- How Security Cloud Control Processes Personal Information
- Contact Security Cloud Control Support
  - Export The Workflow
  - Open a Support Ticket with TAC
    - How Security Cloud Control Customers Open a Support Ticket with TAC
    - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
  - Security Cloud Control Service Status Page

Platform Secure Firewall Management Center Virtual

Activity On-Premises Deployment

Manage Tenants and Users User Roles in Security Cloud Control Edit-Only Role

Last updated: Jun 09, 2025

Edit-Only Role

Users with the Edit-Only role can do the following:

Edit and save device configurations, including but not limited to objects, policies, rulesets, interfaces, VPN, etc.
Allow configuration changes that are made through the Read Configuration action.
Utilize the Change Request Management action.

Edit-Only users cannot do the following:

Deploy changes to a device or to multiple devices.
Discard staged changes or changes that are detected through OOB.
Upload AnyConnect Packages, or configure these settings.
Schedule or manually start image upgrades for devices.
Schedule or manually start a security database upgrade.
Manually switch between Snort 2 and Snort 3 versions.
Create a template.
Change the existing OOB Change settings.
Edit System Management settings.
Onboard devices.
Delete devices.
Delete VPN sessions or user sessions.
Create Security Cloud Control user records.
Change user role.

Previous topic Read-only Role Next topic Deploy-Only Role