Clustering: Public Cloud

Login

Cisco Security Cloud Control: Secure Firewall Threat Defense Management

Cisco Security Cloud Control Management: Cloud-Delivered Firewall Management Centerfor Government
- Configure Cloud-Delivered Firewall Management Center-Managed Secure Firewall Threat Defense
  - Introduction to Cloud-Delivered Firewall Management Center
  - Navigate to the Cloud-Delivered Firewall Management Center in your Security Cloud Control Tenant
  - Determine Cloud-Delivered Firewall Management Center Version in Security Cloud Control
  - Enable Cloud-Delivered Firewall Management Center on Your Security Cloud Control Tenant
  - Hardware and Software Support
  - Security Cloud Control Firewall Management platform maintenance schedule
  - Licensing
  - Integrate On-Premises Firewall Management Center With Cisco Security Cloud
  - Security Cloud Control Firewall Management Integrations Page
- Manage Multicloud Defense-Onboarded Secure Firewall Threat Defense Virtual Devices
  - Overview of Multicloud Defense-Onboarded Firewall Threat Defense Virtual Devices
  - Onboard and Configure a Secure Firewall Threat Defense Virtual Device in Multicloud Defense
- Cisco AI Assistant User Guide
  - Onboard with Cisco AI Assistant
  - Prompt Guide for Cisco AI Assistant
  - Online Help Documentation
  - Policy Insights
  - Policy Analyzer and Optimizer
  - Automate Policy Rule Creation
  - Contact Support
  - Notifications Center
  - Cisco AI Assistant Frequently Asked Questions (FAQ)
Onboard Devices to Cloud-Delivered Firewall Management Center
- Onboard a Secure Firewall Threat Defense to the Cloud-Delivered Firewall Management Center
  - Onboarding Overview
  - Maximum Firewall Threat Defense Devices Supported in Cloud-Delivered Firewall Management Center
  - Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center
  - Onboard a Device with a CLI Registration Key
  - Onboard a Firewall Threat Defense Device to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Onboard a Firewall Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
  - Onboard Firewall Threat Defense Devices using Device Templates to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Onboard a Secure Firewall Threat Defense Cluster
  - Onboard a Chassis
  - Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
  - Delete Devices from Cloud-Delivered Firewall Management Center
  - Troubleshooting
    - Troubleshoot Cloud-Delivered Firewall Management Center Connectivity with TCP
    - Troubleshoot Firewall Threat Defense Device Connectivity
    - Troubleshoot Device Connectivity Loss After Cloud-Delivered Firewall Management Center Update
    - Troubleshoot Onboarding a Device to the Cloud-Delivered Firewall Management Center Using the CLI Registration Key
      - Error: Device Remains in Pending Setup State After Onboarding
    - Troubleshoot Onboarding a Device to Cloud-Delivered Firewall Management Center Using the Serial Number
      - Device is Offline or Unreachable
      - Error: Serial Number Already Claimed
      - Error: Claim Error
      - Error: Failed to Claim
      - Error: Provisional Error
- Migrate On-Premises Firewall Management Center Managed Secure Firewall Threat Defense to Cloud-Delivered Firewall Management Center
  - Overview of Firewall Threat Defense to Cloud-Delivered Firewall Management Center migration
    - How Firewall Threat Defense Migration to Cloud-Delivered Firewall Management Center Works
    - About 14-day evaluation period
    - How Firewall Threat Defense licenses are handled during migration to Cloud-Delivered Firewall Management Center
  - End-to-End Workflow for Migrating Firewall Threat Defense to Cloud-Delivered Firewall Management Center
  - Event and Analytics Management options during Firewall Threat Defense migration
  - Supported features
  - Unsupported features
  - User Identity Migration Guidelines and Limitations for Firewall Threat Defense Devices
  - Migration guidelines and limitations for VPN configuration
  - Supported On-Premises Firewall Management Center and Firewall Threat Defense software versions for migration
  - Prerequisites for Migrating Firewall Threat Defense to Cloud-Delivered Firewall Management Center
  - Migrate Firewall Threat Defense to Cloud-Delivered Firewall Management Center
  - View a Firewall Threat Defense Migration Job
    - Proceed Migration Process
    - Commit Migration Changes Manually to Cloud-Delivered Firewall Management Center
    - Revert the Firewall Threat Defense Management to On-Premises Firewall Management Center
    - View Migrated Devices
    - Generate a Firewall Threat Defense Migration Report
    - Delete a Migration Job
  - Enable Notification Settings
  - Verify Firewall Threat Defense Connectivity with Cloud-Delivered Firewall Management Center
  - Use the Troubleshoot Feature for Failed Migrations
    - Resolving Firewall Threat Defense Migration to Cloud-Delivered Firewall Management Center Issues
- Device Registration
  - Log Into the Command-Line Interface on the Device
  - Manage device registration
    - About the Device Management Page
    - Add a Device Group
    - Device Management page enhancements
      - Use the enhanced Filters in Device Management page
      - Add a device group
      - Move devices to another group
      - Download the managed device List
    - Register With a New Management Center
    - Shut Down or Restart the Device
    - Download the Managed Device List
    - Migrate Firewall Threat Defense Devices
      - Supported Devices for Migration
      - License for Migration
      - Prerequisites for Migration
      - What Configurations Does the Wizard Migrate?
      - Guidelines and Limitations for Migration
      - Migrate a Secure Firewall Threat Defense
      - Best Practices for Threat Defense Device Migration
    - Use the Security Cloud Control Command Line Interface Tool
- Device Registration Using Device Templates
  - About device registration using device templates
    - Variables and Network Object Overrides
    - Model Mapping
    - Templates and High Availablity
    - Validation of Template Configuration Before and After Application of Template on Device
  - Prerequisites for device registration using device templates
  - Licenses for device registration using device templates
  - Guidelines for device registration using device templates
  - Configure Device Templates
    - Add a Device Template
      - Create a New Device Template
      - Generate a New Device Template from an Existing Device
      - Import a Device Template
    - Configure Device Settings in the Template
      - Add a Physical Interface
      - Add a Logical Interface
      - Edit an Interface
      - Configure Other Device Settings
    - Configure Template Settings
      - Edit General Settings
      - Edit Licenses
      - Edit Applied Policies
      - Edit Advanced Settings
      - Edit Deployment Settings
      - Configure Template Parameters
        
        Supported Variables
        
        Add a Variable
        
        Supported Network Object Overrides
        
        Add a Network Object Override
      - Add Model Mapping
        
        Invalid Model Mappings
    - Configure Site-to-Site VPN Connections in a Device Template
      - Configure an SD-WAN VPN Connection
      - Configure a Route-Based Site-to-Site VPN Connection
      - Configure a Policy-Based Site-to-Site VPN Connection
      - Add a Device to an SD-WAN Topology in a Dual ISP Deployment
    - Configure a Template for Firewall Threat Defense Devices Managed Using the Data Interface
  - Use Templates with Devices
    - Apply Templates to Existing Devices
      - Apply a Template
      - Reapply a Template
  - Monitoring Device Templates
    - View Associated Devices
    - Generate a Template Apply Report
    - Audit Logs
  - Troubleshooting Device Templates
  - History for Device Management using Device Templates
- Transparent or Routed Firewall Mode
  - About the Firewall Mode
    - About Routed Firewall Mode
    - About Transparent Firewall Mode
      - Using the Transparent Firewall in Your Network
      - Passing Traffic For Routed-Mode Features
    - About Bridge Groups
      - Bridge Virtual Interface (BVI)
      - Bridge Groups in Transparent Firewall Mode
      - Bridge Groups in Routed Firewall Mode
      - Allowing Layer 3 Traffic
      - Allowed MAC Addresses
      - BPDU Handling
      - MAC Address vs. Route Lookups
      - Unsupported Features for Bridge Groups in Transparent Mode
      - Unsupported Features for Bridge Groups in Routed Mode
  - Default Settings
  - Guidelines for Firewall Mode
  - Set the Firewall Mode
- Change Management
  - About change management
    - How to configure devices in the change management workflow
    - Creating separate approver and configuration roles
    - Policies and objects that support change management
  - Requirements and prerequisites for change management
  - Guidelines and limitations for change management
  - Enabling or disabling change management
  - Managing tickets
    - Creating change management tickets
    - Opening a ticket for configuration changes
    - Previewing a ticket
    - Submitting a ticket
    - Discarding a ticket
    - Approving or rejecting a ticket
    - Taking over or reassigning tickets
- CLI Users
  - About CLI users
    - Internal and External Users
    - CLI Access
    - CLI User Roles
  - Guidelines for CLI users
  - Add an Internal User at the CLI
  - Troubleshooting LDAP Authentication Connections
- Configuration Deployment
  - About Configuration Deployment
    - Configuration Changes that Require Deployment
    - Deployment Preview
    - Selective Policy Deployment
    - System Username
    - Auto-Enabling of Application Detectors
    - Asset Rediscovery with Network Discovery Policy Changes
    - Snort Restart Scenarios
      - Restart Warnings for Devices
      - Inspect Traffic During Policy Apply
      - Snort Restart Traffic Behavior
      - Configurations that Restart the Snort Process When Deployed or Activated
      - Changes that Immediately Restart the Snort Process
  - Requirements and Prerequisites for Policy Management
  - Best Practices for Deploying Configuration Changes
  - Deploy the Configuration
    - Deploy Configuration Changes
    - Redeploy Existing Configurations to a Device
  - Manage Deployments
    - View Deployment Status
    - View Deployment History
    - Roll Back a Deployment
      - Perform a Rollback
      - View the Deployment Rollback Transcript
    - Download Policy Changes Report for Multiple Devices
    - Compare Policies
    - Generate Current Policy Reports
System Settings
- System Configuration
  - Requirements and Prerequisites for the System Configuration
  - Manage the Secure Firewall Management Center System Configuration
  - Access Control Preferences
  - Audit Log
    - Stream Audit Logs to Syslog
    - Stream Audit Logs to an HTTP Server
  - Audit Log Certificate
    - Securely Stream Audit Logs
    - Obtain a Signed Audit Log Client Certificate for the Firewall Management Center
    - Import an Audit Log Client Certificate into the Firewall Management Center
    - Require Valid Audit Log Server Certificates
    - View the Audit Log Client Certificate on the Firewall Management Center
  - Change Reconciliation
    - Configuring Change Reconciliation
    - Change Reconciliation Options
  - Email Notification
  - Intrusion Policy Preferences
    - Set Intrusion Policy Preferences
  - Network Analysis Policy Preferences
- Users
  - About CLI users
    - Internal and External Users
    - User Roles
  - Troubleshooting LDAP Authentication Connections
  - Configure User Preferences
    - Change the Web Interface Appearance
    - Setting Your Default Time Zone
    - Configure How-To Settings
- Updates
  - Product Upgrades
  - Content Updates
  - Guidelines and Limitations for Content Updates
  - Update the Vulnerability Database (VDB)
    - Schedule VDB Updates
    - Manually Update the VDB
  - Update the Geolocation Database (GeoDB)
    - Schedule GeoDB Updates
    - Manually Update the GeoDB
  - Update Intrusion Rules
    - Schedule Intrusion Rule Updates
    - Manually Update Intrusion Rules
    - Import Local Intrusion Rules
      - Best Practices for Importing Local Intrusion Rules
    - View Intrusion Rule Update Logs
      - Intrusion Rule Update Log Details
- Licenses
  - About Licenses
    - Smart Software Manager and Accounts
    - How Licensing Works for the Management Center and Devices
    - Periodic Communication with the Smart Software Manager
    - Cloud-Delivered Firewall Management Center licensing and registration
    - Out-of-Compliance State
    - Unregistered State
    - End-User License Agreement
    - License Types and Restrictions
      - Essentials Licenses
      - Malware Defense Licenses
      - IPS Licenses
      - Carrier License
      - URL Filtering Licenses
      - Secure Client Licenses
      - Licensing for Export-Controlled Functionality
      - Firewall Threat Defense Virtual Licenses
        
        Firewall Threat Defense Virtual Performance Tier Licensing Guidelines and Limitations
      - License PIDs
  - Requirements and Prerequisites for Licensing
    - Requirements and Prerequisites for Licensing for High Availability, Clustering, and Multi-Instance
      - Licensing for Device High-Availability
      - Licensing for Device Clusters
  - Create a Cisco Account
  - Create a Smart Account and Add Licenses
  - Configure Smart Licensing
    - Register the Firewall Management Center for Smart Licensing
      - Register the Firewall Management Center with the Smart Software Manager
    - Assign Licenses to Devices
      - Assign Licenses to a Single Device
      - Assign Licenses to Multiple Managed Devices
    - Manage Smart Licensing
      - Deregister the Firewall Management Center
      - Monitoring Smart License Status
      - Monitoring Smart Licenses
      - Troubleshooting Smart Licensing
  - Configure Legacy Firewall Management Center PAK-Based Licenses
  - Additional Information about Licensing
- Security Certifications Compliance
  - Security Certifications Compliance Modes
  - Security Certifications Compliance Characteristics
  - Security Certifications Compliance Recommendations
    - Appliance Hardening
    - Protecting Your Network
Optimize Firewall Performance with AIOps
- Introduction to AIOps Insights
  - About AIOps Insights
    - AIOps Licensing Requirements
    - Prerequisites to Use AIOps
  - View AIOps Dashboard
  - View AIOps Insights
  - Detect Application Outages
  - Implement Best Practices and Recommendations
  - Assess and Improve Feature Adoption
  - Manage Software Upgrades
  - Manage Insight Preferences
    - Enable AIOps Insights
    - Disable AIOps Insights
    - Best Practices and Recommendations Insights
    - Feature Adoption Insights
    - Application Insights
    - Operational Insights
  - Frequently Asked Questions About AIOps
  - Additional Resources
Health and Monitoring
- Health
  - Requirements and Prerequisites for Health Monitoring
  - About Health Monitoring
    - Health Modules
    - Configuring Health Monitoring
  - Health Policies
    - Default Health Policy
    - Creating Health Policies
    - Apply a Health Policy
    - Edit a Health Policy
    - Set a Default Health Policy
    - Delete a Health Policy
    - Send Vendor-Neutral Telemetry Streams Using OpenConfig
      - Generate Certificates and Private Keys
      - Configure OpenConfig Streaming Telemetry
      - Troubleshoot OpenConfig Streaming Telemetry
  - Device Exclusion in Health Monitoring
    - Excluding Appliances from Health Monitoring
    - Excluding Health Policy Modules
      - Expired Health Monitor Exclusions
  - Health Monitor Alerts
    - Health Monitor Alert Information
    - Health Alerts for Firewall Threat Defense 200 Series Device
    - Creating Health Monitor Alerts
    - Editing Health Monitor Alerts
    - Deleting Health Monitor Alerts
  - About the Health Monitor
    - Device Health Monitors
      - Viewing System Details and Troubleshooting
      - Viewing the Device Health Monitor
        
        Correlating Device Metrics
    - Cluster Health Monitor
      - Viewing the Cluster Health Monitor
    - Health Monitor Status Categories
  - Health Event Views
    - Viewing Health Events
    - Viewing the Health Events Table
    - The Health Events Table
  - System Auditing
    - Audit Records
      - Audit Log Workflow Fields
      - The Audit Events Table View
- Troubleshooting
  - Guidelines and Best Practices for Troubleshooting
  - System Messages
    - Message Types
    - Message Management
  - View Basic System Information
    - View Appliance Information
  - Manage System Messages
    - View Deployment Messages
    - View Upgrade Messages
    - View Health Messages
    - View Task Messages
    - Manage Task Messages
  - Memory Usage Thresholds for Health Monitor Alerts
  - Disk Usage and Drain of Events Health Monitor Alerts
  - Reduce size of MariaDB undo logs
  - Clear disk space
  - Health Monitor Reports for Troubleshooting
    - Generate Troubleshooting Files for Specific System Functions
    - Download Advanced Troubleshooting Files
  - Enhanced Troubleshooting Experience Using Cisco RADKit Integration
    - Guidelines and Limitations for RADKit Integration
    - Enroll RADKit Service
    - Manage RADKit Service Authorization
    - Enable Sudo Access for Devices
    - Download Session Logs
  - General Troubleshooting
  - Connection-Based Troubleshooting
    - Troubleshoot a Connection
  - Advanced Troubleshooting for the Secure Firewall Threat Defense Device
    - Packet Capture Overview
      - Use the Capture Trace
    - Packet tracer tool
      - Use the Packet Tracer
    - CPU Profiler Overview
      - Use the CPU Profiler
    - Rule Profiler Overview
      - Use the Rule Profiler
    - Use the Firewall Threat Defense Diagnostic CLI from the Web Interface
  - Feature-Specific Troubleshooting
Tools
- Backup/Restore
  - About Backup and Restore
  - Requirements for Backup and Restore
  - Guidelines and Limitations for Backup and Restore
  - Best Practices for Backup and Restore
  - Back Up Managed Devices
    - Back Up a Firewall Threat Defense Device from Cloud-Delivered Firewall Management Center
  - Restore Security Cloud Control-Managed Devices
    - Restore a Firewall Threat Defense Device
    - Restore Firewall Threat Defense from Backup: Firewall Threat Defense Virtual
- Scheduling
  - About Task Scheduling
  - Requirements and Prerequisites for Task Scheduling
  - Configuring a Recurring Task
    - Scheduled Backups
      - Schedule Remote Device Backups
    - Automating Policy Deployment
    - Automating Intrusion Policy Deployment
    - Software Upgrade Automation
      - Automating Software Downloads
      - Automating Software Pushes
      - Automating Software Installs
    - Vulnerability Database Update Automation
      - Automating VDB Update Downloads
      - Automating VDB Update Installs
    - Automating URL Filtering Updates Using a Scheduled Task
  - Scheduled Task Review
    - Task List Details
    - Viewing Scheduled Tasks on the Calendar
    - Editing Scheduled Tasks
    - Deleting Scheduled Tasks
  - History for Scheduled Tasks
- Import/Export
  - About Import/Export
    - Exceptions to Export Behavior
    - Importing Objects and Object Groups
    - Conflict Resolution for Duplicate Configurations
  - Requirements and Prerequisites for Import/Export
  - Guidelines for Import/Export
  - Export Configurations
  - Import Configurations
Reporting and Alerting
- External Alerting with Alert Responses
  - Configuring External alerts with alert responses
    - External alert types
  - Prerequisites for external alerting with alert responses
  - Guidelines for notifying external systems with alert responses
  - Alert responses
    - Create an SNMP alert response
    - Syslog alert responses
      - Syslog alert facilities
      - Syslog severity levels
      - Create a syslog alert response
    - Create an email alert response
    - Create a webhook alert response
  - External alerts
    - Configure impact flag alerts
    - Configure discovery event alerts
    - Configure Malware defense alerts
  - Troubleshoot external alerts and alert response configuration
- External Alerting for Intrusion Events
  - About External Alerting for Intrusion Events
  - License Requirements for External Alerting for Intrusion Events
  - Requirements and Prerequisites for External Alerting for Intrusion Events
  - Configuring SNMP Alerting for Intrusion Events
    - Intrusion SNMP Alert Options
  - Configuring Syslog Alerting for Intrusion Events
    - Facilities and Severities for Intrusion Syslog Alerts
  - Configuring Email Alerting for Intrusion Events
    - Intrusion Email Alert Options
Event and Asset Analysis Tools
- Unified Events
  - About the Unified Events
  - Working with Unified Events
  - Set a Time Range in Unified Events
  - Filters in Unified Events
  - Save a Search in Unified Events
  - Load a Saved Search in Unified Events
  - Save a Column Set
  - Load a Saved Column Set
  - Unified Events Column Descriptions
- Lookups
  - Introduction to Lookups
  - Performing Whois Lookups
- Send Events Directly to Cisco Splunk
  - Splunk Integration: Send Events Directly from Management Center
  - Guidelines and Limitations for Splunk Integration
  - Configure Splunk in Secure Firewall Management Center
    - Configure Splunk Server
    - Select Event Types
    - Select Devices and Interfaces
    - Configure Firewall Certificates
    - Summary
  - Configure Secure Firewall App in Splunk
- Event Investigation Using Web-Based Resources
  - Event Investigation Using Web-Based Resources
    - About Managing Contextual Cross-Launch Resources
    - Requirements for Custom Contextual Cross-Launch Resources
    - Add Contextual Cross-Launch Resources
    - Investigate Events Using Contextual Cross-Launch
Events and Assets
- Monitor Cloud-Delivered Firewall Management Center-Managed Threat Defense Device Events
  - About Security Analytics and Logging
  - Comparison of SAL Remote Event Storage and Monitoring Options
  - About SAL (OnPrem)
    - Licensing for SAL (OnPrem)
  - Manage SAL (OnPrem) for Security Cloud Control-Managed Firewall Threat Defense Devices
  - Configure SAL (OnPrem) Integration
    - Configure a Secure Network Analytics Manager
    - Configure a Secure Network Analytics Data Store
  - About Security Analytics and Logging(SaaS) for Firewall Threat Defense
    - Licensing for SAL (SaaS)
  - Configure the SAL (SaaS) Integration
    - Requirements and Guidelines
    - Send Cloud-Delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog
    - Send Cloud-Delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection
    - Enable Individual Threat Defense Devices to Send Events to SAL (SaaS) Using a Direct Connection
    - View and Work with Events in Security Cloud Control
      - View AI Defense Events in Security Cloud Control
- FTD Dashboard
  - About the FTD Dashboard
  - View the FTD Dashboard
  - FTD Dashboard Widgets
    - Top Intrusion Rules Widget
    - Top Intrusion Attackers Widget
    - Top Intrusion Targets Widget
    - Top Malware Signatures Widget
    - Top Malware Senders Widget
    - Top Malware Receivers Widget
    - Malware Events by Disposition Widget
    - Network Activity Widget
    - Event Activity Widget
    - Access Control Actions Widget
    - Top Access Control Policies Widget
    - Top Access Control Rules Widget
    - Top Devices Widget
    - Top Users Widget
    - Top Users by Blocked Connections Widget
    - Top Devices with Health Alerts Widget
    - Top Loaded Devices Widget
    - Top Web Applications Widget
    - Top Client Applications Widget
    - Top Blocked Web Applications Widget
  - Modify Time Settings for the FTD Dashboard
- Connection Logging
  - About Connection Logging
    - Connections That Are Always Logged
    - Other Connections You Can Log
    - How Rules and Policy Actions Affect Logging
      - Logging for Fastpathed Connections
      - Logging for Monitored Connections
      - Logging for Trusted Connections
      - Logging for Blocked Connections
      - Logging for Allowed Connections
    - Beginning vs End-of-Connection Logging
  - Limitations of Connection Logging
  - Best Practices for Connection Logging
  - Requirements and Prerequisites for Connection Logging
  - Configure Connection Logging
    - Logging Connections with Tunnel and Prefilter Rules
    - Logging Decryptable Connections with TLS/SSLDecryption Rules
    - Logging Connections with Security Intelligence
    - Logging Connections with Access Control Rules
    - Logging Connections with a Policy Default Action
    - Limiting Logging of Long URLs
  - Application-Aware and Protocol-Aware Syslogs
    - Guidelines and Limitations for Advanced Logging
    - Enable Advanced Logging
    - Configure Protocols for Advanced Logging
    - Monitor and Troubleshoot Advanced Logging
- Advanced Logging Syslog Fields
  - Common Fields
  - CONN Protocol Fields
  - DNS Protocol Fields
  - FTP Fields
  - HTTP Fields
  - Notice Protocol Fields
  - Weird Protocol Fields
High Availability and Scalability
- Multi-Instance Mode
  - About Multi-Instance Mode
    - Multi-Instance Mode vs. Appliance Mode
    - Chassis Management Interface
    - Instance Interfaces
      - Interface Types
      - Chassis Interfaces vs. Instance Interfaces
      - Shared Interface Scalability
      - Shared Interface Best Practices
    - How the Chassis Classifies Packets
    - Classification Examples
    - Cascading Instances
    - Typical Multi-Instance Deployment
    - Automatic MAC Addresses for Instance Interfaces
    - Performance Scaling Factor for Multi-Instance Mode
    - Instances and High Availability
  - Licenses for Instances
  - Requirements and Prerequisites for Instances
  - Guidelines and Limitations for Instances
  - Configure Instances
    - Convert a Device to Multi-Instance Mode
    - Configure Chassis Interfaces
      - Configure a Physical Interface
      - Configure an EtherChannel
      - Configure a Subinterface
    - Add an Instance
    - Customize the System Configuration
      - Configure SNMP
      - Import or Export the Chassis Configuration
    - Configure Chassis Platform Settings
      - Create a Chassis Platform Settings Policy
      - Configure DNS
      - Configure SSH and SSH Access List
      - Configure Syslog
      - Configure Time Synchronization
      - Configure Time Zones
    - Manage Multi-Instance Mode
      - Onboard the Multi-Instance Chassis Using the CLI
      - Change Interfaces Assigned to an Instance
      - Change Chassis Management Settings at the FXOS CLI
  - Monitoring Multi-Instance Mode
    - Monitoring Multi-Instance Setup
    - Monitoring Instance Interfaces
- Logical Devices on the Firepower 4100/9300
  - About Interfaces
    - Chassis Management Interface
    - Interface Types
    - FXOS Interfaces vs. Application Interfaces
    - Shared Interface Scalability
      - Shared Interface Best Practices
      - Shared Interface Usage Examples
      - Viewing Shared Interface Resources
    - Inline Set Link State Propagation for the Firewall Threat Defense
  - About Logical Devices
    - Standalone and Clustered Logical Devices
    - Logical Device Application Instances: Container and Native
      - Container Instance Interfaces
      - How the Chassis Classifies Packets
      - Classification Examples
      - Cascading Container Instances
      - Typical Multi-Instance Deployment
      - Automatic MAC Addresses for Container Instance Interfaces
      - Container Instance Resource Management
      - Performance Scaling Factor for Multi-Instance Capability
      - Container Instances and High Availability
      - Container Instances and Clustering
  - Licenses for Container Instances
  - Requirements and Prerequisites for Logical Devices
    - Requirements and Prerequisites for Hardware and Software Combinations
    - Requirements and Prerequisites for Container Instances
    - Requirements and Prerequisites for High Availability
    - Requirements and Prerequisites for Clustering
  - Guidelines and Limitations for Logical Devices
    - Guidelines and Limitations for Interfaces
    - General Guidelines and Limitations
  - Configure Interfaces
    - Enable or Disable an Interface
    - Configure a Physical Interface
    - Add an EtherChannel (Port Channel)
    - Add a VLAN Subinterface for Container Instances
  - Configure Logical Devices
    - Add a Resource Profile for Container Instances
    - Add a Standalone Firewall Threat Defense
    - Add a Standalone Threat Defense for the Security Cloud Control
    - Add a High Availability Pair
    - Change an Interface on a Firewall Threat Defense Logical Device
    - Connect to the Console of the Application
- High Availability for Devices
  - About Secure Firewall Threat Defense High Availability
    - High Availability Support on Firewall Threat Defense Devices in a Remote Branch Office Deployment
    - High availability System Requirements
      - Hardware Requirements
      - Software Requirements
      - License Requirements for Firewall Threat Defense Devices in a High Availability Pair
    - Failover and Stateful Failover Links
      - Failover Link
        
        Failover Link Data
        
        Interface for the Failover Link
        
        Connecting the Failover Link
      - Stateful Failover Link
        
        Shared with the Failover Link
        
        Dedicated Interface for the Stateful Failover Link
      - Avoiding Interrupted Failover and Data Links
    - MAC Addresses and IP Addresses in High availability
    - Stateful Failover
      - Supported Features
      - Unsupported Features
    - Bridge Group Requirements for High Availability
    - Failover Health Monitoring
      - Unit Health Monitoring
      - Heartbeat Module Redundancy
      - Interface Monitoring
        
        Interface Tests
        
        Interface Status
    - Failover Triggers and Detection Timing
    - About Active/Standby Failover
      - Primary/Secondary Roles and Active/Standby Status
      - Active Unit Determination at Startup
      - Failover Events
  - Config-Sync Optimization
  - Requirements and Prerequisites for High Availability
  - Guidelines for High availability
  - Add a High Availability Pair
  - Configure Optional High Availability Parameters
    - Configure Standby IP Addresses and Interface Monitoring
    - Edit High Availability Failover Criteria
    - Configure Virtual MAC Addresses
  - Manage High availability
    - Switch the Active Peer in the Firewall Threat Defense High Availability Pair
    - Refresh Node Status for a Single Firewall Threat Defense High Availability Pair
    - Suspend and Resume High Availability
    - Replace a Unit in Firewall Threat Defense High Availability Pair
      - Replace a Primary Firewall Threat Defense HA Unit with no Backup
      - Replace a Secondary Firewall Threat Defense HA Unit with no Backup
    - Break a High Availability Pair
    - Remove a High Availability Pair
  - Monitoring High availability
    - View Failover History
    - View Stateful Failover Statistics
  - Troubleshooting High Availability Break in a Remote Branch Deployment
    - How to Break a High Availability Pair in Active-Active State
    - How to Break a High Availability Pair when Active or Standby Unit has Lost Connectivity
    - How to a Break High Availability Pair when the Secondary Device is in a Failed or Disabled State
  - History for High Availability
- Clustering: Secure Firewall 3100/4200
  - About Clustering for the Secure Firewall 3100/4200
    - How the Cluster Fits into Your Network
    - Control and Data Node Roles
    - Cluster Interfaces
    - Cluster Control Link
    - Configuration Replication
    - Management Network
  - Licenses for clustering
  - Requirements and Prerequisites for Clustering
  - Guidelines for Clustering
  - Configure Clustering
    - About Cluster Interfaces
      - Cluster Control Link
        
        Cluster Control Link Traffic Overview
        
        Cluster Control Link Interfaces and Network
        
        Size the Cluster Control Link
        
        Cluster Control Link Redundancy
        
        Cluster Control Link Reliability
      - Spanned EtherChannels (Recommended)
        
        Spanned EtherChannel Benefits
        
        Guidelines for Maximum Throughput
        
        Load Balancing
        
        EtherChannel Redundancy
        
        Connecting to a Redundant Switch System
      - Individual Interfaces (Routed Firewall Mode Only)
        
        Policy-Based Routing
        
        Equal-Cost Multi-Path Routing
        
        Cisco Intelligent Traffic Director (Routed Firewall Mode Only)
    - Cable and Add Devices to the Firewall Management Center
    - Create a Cluster
    - Configure Interfaces
      - Configure Spanned EtherChannels
      - Configure Individual Interfaces
    - Configure Interfaces
    - Configure Cluster Health Monitor Settings
    - Configure Distributed Site-to-Site VPN
      - About Distributed Site-to-Site VPN
        
        Distributed VPN Connection Roles
        
        Distributed VPN Session Characteristics
        
        Distributed VPN Handling of Cluster Events
        
        IPsec IKEv2 Modifications
        
        CMPv2
      - Licensing for Distributed Site-to-Site VPN
      - Prerequisites for Distributed Site-to-Site VPN
      - Guidelines for Distributed Site-to-Site VPN
      - Enable Distributed Site-to-Site VPN
      - Redistribute Distributed S2S VPN Sessions
  - Manage Cluster Nodes
    - Add a New Cluster Node
    - Break a Node
    - Break the Cluster
    - Disable Clustering
    - Rejoin the Cluster
    - Change the Control Node
    - Edit the Cluster Configuration
    - Reconcile Cluster Nodes
    - Unregister the Cluster or Nodes and Register to a New Firewall Management Center
  - Monitoring the Cluster
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Troubleshooting the Cluster
    - Perform a Ping on the Cluster Control Link
  - Examples for Clustering
    - Firewall on a Stick
    - Traffic Segregation
  - Reference for Clustering
    - Firewall Threat Defense Features and Clustering
      - Unsupported Features with Clustering
      - Centralized Features for Clustering
      - Connection Settings and Clustering
      - FTP and Clustering
      - Multicast Routing in Individual Interface Mode
      - Multicast Routing in Individual Interface Mode
      - NAT and Clustering
      - Dynamic Routing
      - Dynamic Routing in Individual Interface Mode
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - Cisco TrustSec and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Node Election
    - High Availability Within the Cluster
      - Node Health Monitoring
      - Interface Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for Clustering
- Clustering: Private Cloud
  - About clustering: private cloud
    - How the Cluster Fits into Your Network
    - Control and Data Node Roles
    - Individual Interfaces
      - Policy-Based Routing
      - Equal-Cost Multi-Path Routing
    - Cluster Control Link
      - Cluster Control Link Traffic Overview
    - Configuration Replication
    - Management Network
  - Licenses for clustering: private cloud
  - Prerequisites for clustering: private cloud
  - Guidelines for clustering: private cloud
  - Configure clustering: private cloud
    - Add Nodes to the Management Center
    - Create a Cluster
    - Configure Interfaces
    - Configure Cluster Health Monitor Settings
  - Manage cluster nodes
    - Add a New Cluster Node
    - Break a Node
    - Break the Cluster
    - Disable Clustering
    - Rejoin the Cluster
    - Change the Control Node
    - Edit the Cluster Configuration
    - Reconcile Cluster Nodes
    - Delete the Cluster or Nodes from the Management Center
  - Monitoring clustering: private cloud
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Reference for clustering: private cloud
    - Threat Defense Features and Clustering
      - Unsupported Features and Clustering
      - Centralized Features for Clustering
      - Connection Settings and Clustering
      - Dynamic Routing and Clustering
      - FTP and Clustering
      - NAT and Clustering
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - Cisco Trustsec and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Node Election
    - High Availability within the Cluster
      - Node Health Monitoring
      - Interface Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for clustering: private cloud
- Clustering: Public Cloud
  - About Threat Defense Virtual Clustering in the Public Cloud
    - How the Cluster Fits into Your Network
    - Individual Interfaces
    - Control and Data Node Roles
    - Cluster Control Link
      - Cluster Control Link Traffic Overview
    - Configuration Replication
    - Management Network
  - Licenses for Threat Defense Virtual Clustering
  - Requirements and Prerequisites for Threat Defense Virtual Clustering
  - Guidelines for Threat Defense Virtual Clustering
  - Deploy the Cluster in AWS
    - AWS Gateway Load Balancer and Geneve Single-Arm Proxy
    - Sample Topology
    - End-to-End Process for Deploying Threat Defense Virtual Cluster on AWS
    - Templates
    - Deploy the Stack in AWS Using a CloudFormation Template
    - Deploy the Cluster in AWS Manually
      - Create the Day0 Configuration for AWS
        
        Create the Day0 Configuration With a Fixed Configuration for AWS
      - Deploy Cluster Nodes
  - Deploy the Cluster in Azure
    - Sample Topology for GWLB-based Cluster Deployment
    - Azure Gateway Load Balancer and Paired Proxy
    - End-to-End Process for Deploying Threat Defense Virtual Cluster in Azure with GWLB
    - Templates
    - Prerequisites
    - Deploy Cluster on Azure with GWLB Using an Azure Resource Manager Template
    - Sample Topology for NLB-based Cluster Deployment
    - End-to-End Process for Deploying Threat Defense Virtual Cluster in Azure with NLB
    - Templates
    - Prerequisites
    - Deploy Cluster on Azure with NLB Using an Azure Resource Manager Template
    - Deploy the Cluster in Azure Manually
      - Create the Day0 Configuration for Azure
        
        Create the Day0 Configuration With a Fixed Configuration for Azure
        
        Create the Day0 Configuration With a Customized Configuration for Azure
      - Deploy Cluster Nodes Manually - GWLB-based Deployment
      - Deploy Cluster Nodes Manually - NLB-based Deployment
    - Troubleshooting Cluster Deployment in Azure
  - Deploy the Cluster in GCP
    - Sample Topology of GCP Clustering Autoscale Solution
    - End-to-End Process for Deploying Threat Defense Virtual Cluster in GCP
    - Templates
    - Deploy the Instance Group in GCP Using an Instance Template
    - Deploy the Cluster in GCP Manually
      - Create the Day0 Configuration for GCP
        
        Create the Day0 Configuration With a Fixed Configuration for GCP
        
        Create the Day0 Configuration With a Customized Configuration for GCP
      - Deploy Cluster Nodes Manually
    - Allow Health Checks for GCP Network Load Balancers
  - Add the Cluster to the Management Center (Manual Deployment)
  - Configure Cluster Health Monitor Settings
  - Manage Cluster Nodes
    - Disable Clustering
    - Rejoin the Cluster
    - Reconcile Cluster Nodes
    - Unregister the Cluster or Nodes and Register to a New Firewall Management Center
  - Monitoring the Cluster
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Upgrading the Cluster
  - Reference for Clustering
    - Threat Defense Features and Clustering
      - Unsupported Features and Clustering
      - Centralized Features for Clustering
      - Cisco Trustsec and Clustering
      - Connection Settings and Clustering
      - Dynamic Routing and Clustering
      - FTP and Clustering
      - NAT and Clustering
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Node Election
    - High Availability within the Cluster
      - Node Health Monitoring
      - Interface Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for Threat Defense Virtual Clustering in the Public Cloud
- Clustering: Firepower 4100/9300
  - About Clustering on the Firepower 4100/9300 Chassis
    - Bootstrap Configuration
    - Cluster Members
    - Cluster Control Link
      - Size the Cluster Control Link
      - Cluster Control Link Redundancy
      - Cluster Control Link Reliability for Inter-Chassis Clustering
      - Cluster Control Link Network
    - Management Network
    - Management Interface
    - Cluster Interfaces
      - Spanned EtherChannels
    - Configuration Replication
  - Licenses for Clustering
  - Requirements and Prerequisites for Clustering
  - Clustering Guidelines and Limitations
  - Configure Clustering
    - FXOS: Add a Firewall Threat Defense Cluster
      - Create a Firewall Threat Defense Cluster
      - Add More Cluster Nodes
    - Firewall Management Center: Add a Cluster
    - Firewall Management Center: Configure Cluster, Data Interfaces
    - Firewall Management Center: Configure Cluster Health Monitor Settings
  - FXOS: Remove a Cluster Node
  - Firewall Management Center: Manage Cluster Members
    - Add a New Cluster Member
    - Replace a Cluster Member
    - Deactivate a Member
    - Rejoin the Cluster
    - Unregister a Data Node
    - Change the Control Unit
    - Reconcile Cluster Members
  - Firewall Management Center: Monitoring the Cluster
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Examples for Clustering
    - Firewall on a Stick
    - Traffic Segregation
  - Reference for Clustering
    - Firewall Threat Defense Features and Clustering
      - Unsupported Features with Clustering
      - Centralized Features for Clustering
      - Connection Settings
      - Dynamic Routing and Clustering
      - FTP and Clustering
      - Multicast Routing and Clustering
      - NAT and Clustering
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - TLS/SSL Connections and Clustering
      - Cisco TrustSec and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Unit Election
    - High Availability Within the Cluster
      - Chassis-Application Monitoring
      - Unit Health Monitoring
      - Interface Monitoring
      - Decorator Application Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for Clustering
Interfaces and Device Settings
- Interface Overview
  - Management Interface
    - Management Interface
    - Diagnostic Interface
  - Interface Mode and Types
  - Security Zones and Interface Groups
  - Auto-MDI/MDIX Feature
  - Redundant Interfaces (Deprecated)
  - Default Settings for Interfaces
  - Create Security Zone and Interface Group Objects
  - Enable the Physical Interface and Configure Ethernet Settings
  - Configure EtherChannel Interfaces
    - About EtherChannels
      - About EtherChannels
        
        Channel Group Interfaces
        
        Connecting to an EtherChannel on Another Device
        
        Link Aggregation Control Protocol
        
        Load Balancing
        
        EtherChannel MAC Address
    - Guidelines for EtherChannels
    - Configure an EtherChannel
  - Sync Interface Changes with the Firewall Management Center
  - Manage the Network Module for the Secure Firewall 3100/4200
    - Configure Breakout Ports
    - Add a Network Module
    - Hot Swap the Network Module
    - Replace the Network Module with a Different Type
    - Remove the Network Module
  - Merge the Management and Diagnostic Interfaces
    - Unmerge the Management Interface
  - History for Interfaces
- Regular Firewall Interfaces
  - Requirements and Prerequisites for Regular Firewall Interfaces
  - Configure switch ports
    - About switch ports
      - Understanding switch ports and interfaces
      - Auto-MDI/MDIX feature
    - Prerequisites for switch ports
    - Guidelines for switch ports
    - Configure switch ports and Power Over Ethernet
      - Enable or disable switch port mode
      - Configure a VLAN interface
      - Configure switch ports as access ports
      - Configure switch ports as trunk ports
      - Configure Power Over Ethernet
  - Configure Loopback Interfaces
    - About Loopback Interfaces
    - Guidelines and Limitations for Loopback Interfaces
    - Configure a Loopback Interface
    - Rate-Limit Traffic to the Loopback Interface
  - Configure VLAN subinterfaces and 802.1Q trunking
    - Guidelines for VLAN subinterfaces
    - Maximum number of VLAN subinterfaces by device model
    - Add a Subinterface
  - Configure VXLAN Interfaces
    - About VXLAN Interfaces
      - Encapsulation
      - VXLAN Tunnel Endpoint
      - VTEP Source Interface
      - VNI Interfaces
      - VXLAN Packet Processing
      - Peer VTEPs
      - VXLAN Use Cases
        
        VXLAN Bridge or Gateway Overview
        
        VXLAN Bridge
        
        VXLAN Gateway (Routed Mode)
        
        Router Between VXLAN Domains
        
        Geneve Single-Arm Proxy
        
        Azure Gateway Load Balancer and Paired Proxy
    - Requirements and Prerequisites for VXLAN Interfaces
    - Guidelines for VXLAN Interfaces
    - Configure VXLAN or Geneve Interfaces
      - Configure VXLAN Interfaces
        
        Configure the VTEP Source Interface
        
        Configure the VNI Interface
      - Configure Geneve Interfaces
        
        Configure the VTEP Source Interface
        
        Configure the VNI
    - Allow Gateway Load Balancer Health Checks
  - Configure Routed and Transparent Mode Interfaces
    - About Routed and Transparent Mode Interfaces
      - Dual IP Stack (IPv4 and IPv6)
      - 31-Bit Subnet Mask
        
        31-Bit Subnet and Clustering
        
        31-Bit Subnet and Failover
        
        31-Bit Subnet and Management
        
        31-Bit Subnet Unsupported Features
    - Guidelines and Limitations for Routed and Transparent Mode Interfaces
    - Configure Routed Mode Interfaces
    - Configure Bridge Group Interfaces
      - Configure General Bridge Group Member Interface Parameters
      - Configure the Bridge Virtual Interface (BVI)
    - Configure IPv6 Addressing
      - About IPv6
        
        IPv6 Addressing
        
        Modified EUI-64 Interface IDs
      - Configure the IPv6 Prefix Delegation Client
        
        About IPv6 Prefix Delegation
        
        IPv6 Prefix Delegation /64 Subnet Example
        
        IPv6 Prefix Delegation /62 Subnet Example
        
        Enable the IPv6 Prefix Delegation Client
      - Configure a Global IPv6 Address
      - Configure IPv6 Neighbor Discovery
  - Configure Advanced Interface Settings
    - About Advanced Interface Configuration
      - About MAC Addresses
        
        Default MAC Addresses
      - About the MTU
        
        Path MTU Discovery
        
        Default MTU
        
        MTU and Fragmentation
        
        MTU and Jumbo Frames
      - About the TCP MSS
        
        Default TCP MSS
        
        Suggested Maximum TCP MSS Setting
      - ARP Inspection for Bridge Group Traffic
      - MAC Address Table
    - Default Settings
    - Guidelines for ARP Inspection and the MAC Address Table
    - Configure the MTU
    - Configure the MAC Address
    - Add a Static ARP Entry
    - Add a Static MAC Address and Disable MAC Learning for a Bridge Group
    - Set Security Configuration Parameters
  - History for Regular Firewall Interfaces
- Inline Sets and Passive Interfaces
  - About IPS Interfaces
    - Inline Sets
      - Multiple Inline Pairs and Asynchronous Routing
    - Passive Interfaces
    - About Hardware Bypass for Inline Sets
      - Hardware Bypass Triggers
      - Hardware Bypass Switchover
      - Snort Fail Open vs. Hardware Bypass
      - Hardware Bypass Status
  - Requirements and Prerequisites for Inline Sets
  - Guidelines for Inline Sets and Passive Interfaces
  - Configure a Passive Interface
  - Configure an Inline Set
- Device Settings
  - Edit General Settings
    - Copy a Configuration to Another Device
    - Export and Import the Device Configuration
  - Edit License Settings
  - View System information
    - View Device Inventory
  - View the Inspection Engine
  - Edit Health Settings
    - Out-of-Band Configuration Detection
      - Guidelines for Out-of-Band Configuration
      - Access Recovery-Config Mode in the Diagnostic CLI
      - Acknowledge the Out-of-Band Configuration
  - Edit Management Settings
    - Configure a Redundant Manager Access Data Interface
    - Change Manager Access Interface Settings
      - Change the Device IP Address
        
        Set the Device IP Address
        
        Modify Firewall Threat Defense Management Interfaces at the CLI
        
        Modify the Firewall Threat Defense Data Interface Used for Management at the CLI
        
        Modify the Firewall Threat Defense Data Interface Used for Management in the GUI
        
        Update the Hostname or IP Address in the Firewall Management Center
      - Change the Firewall Management Center IP Address
      - Change Both Firewall Management Center and Threat Defense IP Addresses
      - Change the Manager Access Interface
        
        Change the Manager Access Interface from Management to Data
        
        Change the Manager Access Interface from Data to Management
    - Troubleshooting the Management Connection
      - Manually Roll Back the Configuration if the Firewall Management Center Loses Connectivity
      - Troubleshoot Management Connectivity on a Data Interface
      - Troubleshoot Management Connectivity on a Data Interface in a High Availability Pair
  - View Inventory Details
  - Edit Applied Policies
  - Edit Advanced Settings
    - Configure Automatic Application Bypass
    - Configure Object Group Search
    - Configure Interface Object Optimization
  - Edit Deployment Settings
  - Edit Cluster Health Monitor Settings
  - Hot swap an SSD
  - Disable the USB port
    - Disable the USB port on a device
    - Disable the USB port in multi-instance mode
  - Configure SNMP for FXOS
    - Enable SNMP for FXOS
    - Create an SNMP Trap for FXOS
    - Create an SNMP user for FXOS
  - Configure alarms for the ISA 3000
    - About alarms
      - Alarm input interfaces
      - Alarm output interface
      - Syslog alarms
      - SNMP Alarms
    - Defaults for alarms
    - Prerequisites for alarms
    - Configure alarms for the ISA 3000
      - Configure alarm input contacts
      - Configure power supply alarms
      - Configure temperature alarms
      - Turn off the external alarm
    - Monitoring alarms
      - Monitoring alarm status
      - Monitoring syslog messages for alarms
  - History for Device Settings
- DHCP and DDNS
  - About DHCP and DDNS Services
    - About the DHCPv4 Server
      - DHCP Options
    - About the DHCPv6 Stateless Server
    - About the DHCP Relay Agent
  - Requirements and Prerequisites for DHCP and DDNS
  - Guidelines for DHCP and DDNS Services
  - Configure the DHCPv4 Server
  - Configure the DHCPv6 Stateless Server
    - Create the DHCP IPv6 Pool
    - Enable the DHCPv6 Stateless Server
  - Configure the DHCP Relay Agent
  - Configure Dynamic DNS
  - History for DHCP and DDNS
- Platform Settings
  - Introduction to Platform Settings
  - Requirements and Prerequisites for Platform Settings Policies
  - Manage Platform Settings Policies
  - ARP Inspection
  - Banner
  - DNS
  - External Authentication
  - Enable Virtual-Router-Aware Interface for External Authentication of Platform
  - Fragment Settings
  - HTTP Access
  - ICMP Access
  - NetFlow
    - Add Collector in NetFlow
    - Add Traffic Class to NetFlow
  - SSH Access
  - SMTP Server
  - SNMP
    - About SNMP
      - SNMP Terminology
      - MIBs and Traps
      - Supported Tables and Objects in MIBs
    - Add SNMPv3 Users
    - Add SNMP Hosts
    - Configure SNMP Traps
  - SSL
    - About SSL Settings
  - Syslog
    - About Syslog
    - Severity Levels
    - Syslog Message Filtering
    - Syslog Message Classes
    - Guidelines for Logging
    - Configure Syslog Logging for Firewall Threat Defense Devices
      - Firewall Threat Defense Platform Settings That Apply to Security Event Syslog Messages
      - Enable Logging and Configure Basic Settings
      - Enable Logging Destinations
      - Send Syslog Messages to an E-mail Address
      - Create a Custom Event List
      - Limit the Rate of Syslog Message Generation
      - Configure Syslog Settings
      - Configure a Syslog Server
  - Timeouts
  - Time Synchronization
  - Time Zone
  - UCAPL/CC Compliance
  - Performance Profile
- FlexConfig policies
  - FlexConfig policy overview
    - Recommended usage for FlexConfig policies
    - CLI commands in FlexConfig objects
      - Determine the ASA software version and current CLI configuration
      - Prohibited CLI commands
    - Template scripts
    - FlexConfig variables
      - How to process variables
        
        Single value variables
        
        Multiple value variables, all values are the same type
        
        Multiple value variables, values are different types
        
        Multiple value variables that resolve to a table of values
      - How to see what a variable will return for a device
      - FlexConfig policy object variables
      - FlexConfig system variables
    - Predefined FlexConfig objects
    - Predefined text objects
  - Requirements and prerequisites for FlexConfig policies
  - Guidelines and limitations for FlexConfig
  - Customizing device configuration with FlexConfig policies
    - Configure FlexConfig objects
      - Add a policy object variable to a FlexConfig object
      - Configure secret keys
    - Configure FlexConfig text objects
    - Configure the FlexConfig policy
    - Set target devices for a FlexConfig policy
    - Preview the FlexConfig policy
    - Verify the deployed configuration
    - Remove features configured using FlexConfig
    - Convert from FlexConfig to managed feature
  - Examples for FlexConfig
    - How to configure Precision Time Protocol (ISA 3000)
    - How to configure automatic hardware bypass for power failure (ISA 3000)
  - Migrating FlexConfig policies
Routing
- Static and Default Routes
  - About Static and Default Routes
    - Default Route
    - Static Routes
    - Route to null0 Interface to Drop Unwanted Traffic
    - Route Priorities
    - Transparent Firewall Mode and Bridge Group Routes
    - Static Route Tracking
  - Requirements and Prerequisites for Static Routes
  - Guidelines for Static and Default Routes
  - Add a Static Route
  - Reference for Routing
    - Path Determination
    - Supported Route Types
      - Static Versus Dynamic
      - Single-Path Versus Multipath
      - Flat Versus Hierarchical
      - Link-State Versus Distance Vector
    - Supported Internet Protocols for Routing
    - Routing Table
      - How the Routing Table Is Populated
        
        Administrative Distances for Routes
        
        Backup Dynamic and Floating Static Routes
      - How Forwarding Decisions Are Made
      - Dynamic Routing and High availability
      - Dynamic Routing in Clustering
      - Dynamic Routing in Individual Interface Mode
    - Routing Table for Management Traffic
    - Equal-Cost Multi-Path (ECMP) Routing
    - Routing GRE Traffic
    - About Route Maps
      - Permit and Deny Clauses
      - Match and Set Clause Values
- Virtual Routers
  - About Virtual Routers and Virtual Routing and Forwarding (VRF)
    - About Virtual Routers and Dynamic VTI
      - How to Configure a Virtual Router with Dynamic VTI
    - Applications of Virtual Routers
    - Global and User-Defined Virtual Routers
    - Configuring Policies to be Virtual-Router-Aware
    - Interconnecting Virtual Routers
    - Overlapping IP Addresses
    - Configuring SNMP on User-Defined Virtual Routers
  - Maximum Number of Virtual Routers By Device Model
  - Requirements and Prerequisites for Virtual Routers
  - Guidelines and Limitations for Virtual Routers
  - Modifications to the Firewall Management Center Web Interface - Routing Page
  - Manage Virtual Routers
  - Create a Virtual Router
    - Configure a Virtual Router
    - Modify a Virtual Router
    - Remove Virtual Routers
  - Monitoring Virtual Routers
  - Configuration Examples for Virtual Routers
    - How to Route to a Distant Server through Virtual Routers
    - How to Provide Internet Access with Overlapping Address Spaces
    - How to Allow RA VPN Access to Internal Networks in Virtual Routing
    - How to Secure Traffic from Networks in Multiple Virtual Routers over a Site-to-Site VPN
    - How to Secure Traffic from Networks with Multiple Virtual Routers over a Site-to-Site VPN with Dynamic VTI
    - How to Route Traffic between Two Overlapping Network Host in Virtual Routing
    - How to Manage Overlapping Segments in Routed Firewall Mode with BVI Interfaces
    - How to Configure User Authentication with Overlapping Networks
    - How to Interconnect Virtual Routers using BGP
- ECMP
  - About ECMP
  - Guidelines and Limitations for ECMP
  - Manage ECMP Page
  - Create an ECMP Zone
  - Configure an Equal Cost Static Route
  - Modify an ECMP Zone
  - Remove an ECMP Zone
  - Configuration Example for ECMP
- Bidirectional Forwarding Detection Routing
  - About BFD Routing
  - Guidelines for BFD Routing
  - Configure BFD
    - Configure BFD Policies
      - Configure Single-Hop BFD Policies
      - Configure Multi-Hop BFD Policies
  - History for BFD Routing
- OSPF
  - OSPF
    - About OSPF
    - OSPF Support for Fast Hello Packets
      - Prerequisites for OSPF Support for Fast Hello Packets
      - OSPF Hello Interval and Dead Interval
      - OSPF Fast Hello Packets
      - Benefits of OSPF Fast Hello Packets
    - Implementation Differences Between OSPFv2 and OSPFv3
  - Requirements and Prerequisites for OSPF
  - Guidelines for OSPF
  - Configure OSPFv2
    - Configure OSPF Areas, Ranges, and Virtual Links
    - Configure OSPF Redistribution
    - Configure OSPF Inter-Area Filtering
    - Configure OSPF Filter Rules
    - Configure OSPF Summary Addresses
    - Configure OSPF Interfaces and Neighbors
    - Configure OSPF Advanced Properties
  - Configure OSPFv3
    - Configure OSPFv3 Areas, Route Summaries, and Virtual Links
    - Configure OSPFv3 Redistribution
    - Configure OSPFv3 Summary Prefixes
    - Configure OSPFv3 Interfaces, Authentication, and Neighbors
    - Configure OSPFv3 Advanced Properties
  - History for OSPF
- EIGRP
  - About EIGRP Routing
  - Requirements and Prerequisites for EIGRP
  - Guidelines and Limitations of EIGRP Routing
  - Configure EIGRP
    - Configure EIGRP Settings
    - Configure EIGRP Neighbors Settings
    - Configure EIGRP Filter Rules Settings
    - Configure EIGRP Redistribution Settings
    - Configure EIGRP Summary Address Settings
    - Configure EIGRP Interfaces Settings
    - Configure EIGRP Advanced Settings
- BGP
  - About BGP
    - Routing Table Changes
    - When to Use BGP
    - BGP Path Selection
      - BGP Multipath
  - Requirements and Prerequisites for BGP
  - Guidelines for BGP
  - Configure BGP
    - Configure BGP Basic Settings
    - Configure BGP General Settings
    - Configure BGP Neighbor Settings
    - Configure BGP Aggregate Address Settings
    - Configure BGPv4 Filtering Settings
    - Configure BGP Network Settings
    - Configure BGP Redistribution Settings
    - Configure BGP Route Injection Settings
    - Configure BGP Route Import/Export Settings
- RIP
  - About RIP
    - Routing Update Process
    - RIP Routing Metric
    - RIP Stability Features
    - RIP Timers
  - Requirements and Prerequisites for RIP
  - Guidelines for RIP
  - Configure RIP
- Multicast
  - About Multicast Routing
    - IGMP Protocol
    - Stub Multicast Routing
    - PIM Multicast Routing
    - PIM Source Specific Multicast Support
    - Multicast Bidirectional PIM
    - PIM Bootstrap Router (BSR)
      - PIM Bootstrap Router (BSR) Terminology
    - Multicast Group Concept
      - Multicast Addresses
    - Clustering
  - Requirements and Prerequisites for Multicast Routing
  - Guidelines for Multicast Routing
  - Configure IGMP Features
    - Enable Multicast Routing
    - Configure IGMP Protocol
    - Configure IGMP Access Groups
    - Configure IGMP Static Groups
    - Configure IGMP Join Groups
  - Configure PIM Features
    - Configure PIM Protocol
    - Configure PIM Neighbor Filters
    - Configure PIM Bidirectional Neighbor Filters
    - Configure PIM Rendezvous Points
    - Configure PIM Route Trees
    - Configure PIM Request Filters
    - Configure the Secure Firewall Threat Defense Device as a Candidate Bootstrap Router
  - Configure Multicast Routes
  - Configure Multicast Boundary Filters
- Policy Based Routing
  - About policy based routing
  - Licenses for policy based routing
  - Guidelines for policy based routing
  - Determining best path route using path monitoring metrics
    - Configure path monitoring settings
    - Add path monitoring dashboard
  - Configure policy-based routing policy
  - Configuration example for policy based routing
  - Configuration example for PBR with path monitoring
  - Useful CLIs for monitoring PBR
  - Troubleshooting PBR
Network Policies
- Network Address Translation
  - Why use NAT?
  - NAT basics
    - NAT terminology
    - NAT types
    - NAT in routed and transparent mode
      - NAT in routed mode
      - NAT in transparent mode or within a bridge group
    - Auto NAT and Manual NAT
      - Auto NAT
      - Manual NAT
      - Comparing Auto NAT and Manual NAT
    - NAT rule order
    - NAT interfaces
    - NAT exemption
    - Configuring routing for NAT
      - Addresses on the same network as the mapped interface
      - Addresses on a unique network
      - The same address as the real address (identity NAT)
  - Requirements and prerequisites for NAT policies
  - Guidelines for NAT
    - Firewall mode guidelines for NAT
    - IPv6 NAT guidelines
    - IPv6 NAT best practices
    - NAT support for inspected protocols
    - FQDN destination guidelines
    - Additional guidelines for NAT
  - Manage NAT policies
    - Creating NAT policies
    - Configuring NAT policy targets
  - Configure NAT for Threat Defense
    - Customizing NAT rules for multiple devices
    - Searching and filtering the NAT rule table
    - Enabling, disabling, or deleting multiple rules
    - Dynamic NAT
      - About dynamic NAT
      - Dynamic NAT disadvantages and advantages
      - Configure dynamic auto NAT
      - Configure dynamic manual NAT
    - Dynamic PAT
      - About dynamic PAT
      - Dynamic PAT disadvantages and advantages
      - PAT pool object guidelines
      - Configure dynamic auto PAT
      - Configure dynamic manual PAT
      - Configure PAT with port block allocation
    - Static NAT
      - About static NAT
        
        Static NAT with port translation
        
        One-to-many static NAT
        
        Other mapping scenarios (not recommended)
      - Configure static auto NAT
      - Configure static manual NAT
    - Identity NAT
      - Configure identity auto NAT
      - Configure identity manual NAT
    - NAT rule properties for Firewall Threat Defense
      - Interface objects NAT properties
      - Translation properties for auto NAT
      - Translation properties for manual NAT
      - PAT pool NAT properties
      - Advanced NAT properties
  - Translating IPv6 networks
    - NAT64/46: translating IPv6 addresses to IPv4
      - NAT64/46 example: inside IPv6 network with outside IPv4 internet
      - NAT64/46 example: inside IPv6 network with outside IPv4 internet and DNS translation
    - NAT66: translating IPv6 addresses to different IPv6 addresses
      - NAT66 example, static translation between networks
      - NAT66 example, simple IPv6 interface PAT
  - Monitoring NAT
  - Examples for NAT
    - Providing access to an inside web server (static auto NAT)
    - Dynamic auto NAT for inside hosts and static NAT for an outside web server
    - Inside load balancer with multiple mapped addresses (static auto NAT, one-to-many)
    - Single address for FTP, HTTP, and SMTP (static auto NAT with port translation)
    - Different translation depending on the destination (dynamic manual PAT)
    - Different Translation Depending on the Destination Address and Port (Dynamic Manual PAT)
    - NAT and site-to-site VPN
    - Rewriting DNS queries and responses using NAT
      - DNS64 reply modification
      - DNS reply modification, DNS server on outside
      - DNS reply modification, DNS server on host network
- Quality of Service
  - Introduction to QoS
  - About QoS Policies
  - Requirements and Prerequisites for QoS
  - Guidelines and limitations for QoS policies
  - Rate Limiting with QoS Policies
    - Creating a QoS Policy
    - Setting Target Devices for a QoS Policy
    - Filtering QoS rules by device
    - Configuring QoS Rules
      - QoS Rule Components
    - QoS Rule Conditions
      - Interface Rule Conditions
      - Network rule conditions
      - User rule conditions
      - Application rule conditions
      - Port rule conditions
        
        Port, protocol, and ICMP code rule conditions
      - URL rule conditions
      - Custom SGT Rule Conditions
      - ISE SGT vs Custom SGT Rule Conditions
      - Autotransition from Custom SGTs to ISE SGTs
Secure Connections
- Secure Connections Overview
  - VPN Types
  - VPN Basics
    - Internet Key Exchange (IKE)
    - IPsec
  - VPN Packet Flow
  - IPsec Flow Offload
  - VPN Licensing
  - How Secure Should a VPN Connection Be?
    - Complying with Security Certification Requirements
    - Deciding Which Encryption Algorithm to Use
    - Deciding Which Hash Algorithms to Use
    - Deciding Which Diffie-Hellman Modulus Group to Use
    - Deciding Which Authentication Method to Use
      - Pre-shared Keys
      - PKI Infrastructure and Digital Certificates
  - Removed or Deprecated Hash Algorithms, Encryption Algorithms, and Diffie-Hellman Modulus Groups
  - VPN Topology Options
    - Point-to-Point VPN Topology
    - Hub and Spoke VPN Topology
    - Full Mesh VPN Topology
    - Implicit Topologies
  - VPN Troubleshooting
    - VPN Health Events
      - Viewing VPN Health Events
    - System Messages
    - Debug Commands
      - debug aaa
      - debug crypto
        
        debug crypto ca
        
        debug crypto ikev1
        
        debug crypto ikev2
        
        debug crypto ipsec
      - debug ldap
      - debug ssl
      - debug webvpn
- Site-to-Site VPN
  - About Site-to-Site VPN
    - Secure Firewall Threat Defense Site-to-site VPN Guidelines and Limitations
  - Types of Site-to-Site VPN Topologies
  - License Requirements for Site-to-Site VPN
  - Requirements and Prerequisites for Site-to-Site VPN
  - Manage Site-to-Site VPNs
  - Configure a Policy-based Site-to-Site VPN
    - Firewall Threat Defense VPN Endpoint Options
    - Firewall Threat Defense VPN IKE Options
    - Firewall Threat Defense VPN IPsec Options
    - Firewall Threat Defense Advanced Site-to-site VPN Deployment Options
      - Firewall Threat Defense VPN Advanced IKE Options
      - Firewall Threat Defense VPN Advanced IPsec Options
      - Firewall Threat Defense Advanced Site-to-site VPN Tunnel Options
  - Configure Virtual Tunnel Interfaces
    - About Virtual Tunnel Interfaces
      - Static VTI
      - Dynamic VTI
    - Guidelines and Limitations for Virtual Tunnel Interfaces
    - Add a VTI Interface
    - Create a Route-based Site-to-Site VPN
      - Configure Endpoints for a Point to Point Topology
        
        Advanced Configurations for a Point to Point Topology in a Route-based VPN
      - Configure Endpoints for a Hub and Spoke Topology
        
        Advanced Configurations for Hub and Spokes in a Route-based VPN
      - Configure Multiple Hubs in a Route-based VPN
        
        Configure Routing for Multiple Hubs in a Route-based VPN
        
        Verify the Multiple Hubs Configuration in a Route-based VPN
    - Route Traffic Through a Backup VTI Tunnel
    - Configure Dynamic VTI for a Route-based Site-to-Site VPN
    - How to Configure a Virtual Router with Dynamic VTI
    - Configure Routing and AC Policies for VTI
    - View Virtual Tunnel Information
  - Deploy a SASE Tunnel on Umbrella
    - Guidelines and Limitations for Configuring SASE Tunnels on Umbrella
    - How to Deploy a SASE Tunnel on Umbrella
      - Prerequisites for Configuring Umbrella SASE Tunnels
      - Map Management Center Umbrella Parameters and Cisco Umbrella API Keys
      - Configure a SASE Tunnel for Umbrella
        
        View SASE Tunnel Status
  - Secure traffic using Cisco Secure Access and Firewall Threat Defense devices
    - License for setting up an automatic tunnel between Secure Access and Firewall Threat Defense devices
    - Prerequisites for setting up an automatic tunnel between Secure Access and Firewall Threat Defense devices
    - Guidelines for setting up an automatic tunnel between Secure Access with Firewall Threat Defense devices
    - Configure an automatic tunnel between Secure Access and Firewall Threat Defense devices using SASE wizard
    - Validate Secure Access integration with Firewall Threat Defense devices
  - Monitoring Site-to-Site Topologies
    - Monitor Site-to-Site VPNs using Site-to-Site VPN Summary Page
    - Monitor Site-to-Site VPNs Using Site-to-Site VPN Dashboard
    - Site to Site VPN Connection Event Monitoring
      - View Site to Site VPN Connection Events
- SD-WAN
  - SD-WAN Capabilities
  - Using SD-WAN Wizard for Secure Branch Network Deployment
    - Guidelines and Limitations for Using SD-WAN Wizard
    - License Requirements for Configuring an SD-WAN Topology
    - Prerequisites for Using the SD-WAN Wizard
    - Configure an SD-WAN Topology Using the SD-WAN Wizard
      - Add a Dynamic Virtual Tunnel Interface for a Hub
    - Sample Configurations for Dual ISP Deployment Using SD-WAN Wizard
      - Dual ISP Deployment: Two Hubs and Four Spokes in the Same Region
      - Dual ISP Deployment: Two Hubs and Four Spokes in Different Regions
    - Verify Tunnel Statuses of an SD-WAN Topology
  - Monitoring SD-WAN Topologies
    - SD-WAN Summary Dashboard
      - Prerequisites for Using SD-WAN Summary Dashboard
      - Monitor WAN Devices and Interfaces Using the SD-WAN Summary Dashboard
      - Monitor Application Performance Metrics of WAN Interfaces Using the SD-WAN Summary Dashboard
- Remote Access VPN
  - Remote Access VPN Overview
    - Remote Access VPN Features
    - Secure Client Components
    - Remote Access VPN Authentication
      - Understanding Policy Enforcement of Permissions and Attributes
      - Understanding AAA Server Connectivity
  - License Requirements for Remote Access VPN
  - Requirements and Prerequisites for Remote Access VPN
  - Guidelines and Limitations for Remote Access VPNs
  - Configuring a New Remote Access VPN Connection
    - Prerequisites for Configuring Remote Access VPN
    - Create a New Remote Access VPN Policy
    - Update the Access Control Policy on the Secure Firewall Threat Defense Device
    - (Optional) Configure NAT Exemption
    - Configure DNS
    - Add Secure Client Profile XML File
    - (Optional) Configure Split Tunneling
    - (Optional) Configure Dynamic Split Tunneling
      - Verify Dynamic Split Tunneling Configuration
    - Verify the Configuration
  - Create a Copy of an Existing Remote Access VPN Policy
  - Set Target Devices for a Remote Access VPN Policy
  - Associate Local Realm with Remote Access VPN Policy
  - Additional Remote Access VPN Configurations
    - Configure Connection Profile Settings
      - Configure IP Addresses for VPN Clients
      - Configure AAA Settings for Remote Access VPN
        
        RADIUS Server Attributes for Secure Firewall Threat Defense
      - Create or Update Aliases for a Connection Profile
    - Configure Access Interfaces for Remote Access VPN
    - Configure Advanced Options for Remote Access VPN
      - Cisco Secure Client Image
        
        Adding a Secure Client Image to the Secure Firewall Management Center
        
        Update Secure Client Image for Remote Access VPN Clients
        
        Add a Cisco Secure Client External Browser Package to the Secure Firewall Management Center
      - Remote Access VPN Address Assignment Policy
      - Configure Certificate Maps
      - Configuring Group Policies
      - Configuring LDAP Attribute Mapping
      - Configuring VPN Load Balancing
        
        Configure Group Settings for VPN Load Balancing
        
        Configure Additional Settings for Load Balancing
        
        Configure Settings for Participating Devices
      - Configuring IPsec Settings for Remote Access VPNs
        
        Configure Remote Access VPN Crypto Maps
        
        IKE Policies in Remote Access VPNs
        
        Configuring Remote Access VPN IKE Policies
        
        Configure Remote Access VPN IPsec/IKEv2 Parameters
      - Customize Cisco Secure Client
        
        Guidelines and Limitations for Secure Client Customizations
        
        Customize and Localize Secure Client GUI Text and Messages
        
        How to Customize Secure Client GUI Text and Messages
        
        Customize Secure Client Icons and Images
        
        How to Customize Secure Client Images and Icons
        
        Deploy Scripts on Endpoint Devices Using Secure Client
        
        How to Add Customized Scripts for Secure Client
        
        Deploy Custom Applications Using Cisco Secure Client APIs
        
        How to Deploy Custom Applications Using Cisco Secure Client API
        
        Customize the Secure Client Installer
        
        Localize the Client Installer
        
        How to Customize or Localize the Client Installer
        
        Verify Secure Client Customizations
    - Configure Secure Client Management VPN Tunnel
      - Requirements and Prerequisites for Secure Client Management VPN Tunnel
      - Limitations of Secure Client Management VPN Tunnel
      - Configuring Secure Client Management VPN Tunnel on Firewall Threat Defense
    - Multiple Certificate Authentication
      - Guidelines and Limitations of Multiple Certificate Authentication
      - Configuring Multiple Certificate Authentication
    - Manage VPN Access of Remote Users Based on Geolocation
      - Workflow to Manage VPN Access of Remote Users Based on Geolocation
      - Guidelines and Limitations for Managing Remote Access VPN Users Based on Geolocation
      - Monitor and Troubleshoot Service Access Policies
  - Customizing Remote Access VPN AAA Settings
    - Authenticate VPN Users via Client Certificates
    - Configure VPN User Authentication via Client Certificate and AAA Server
    - Manage Password Changes over VPN Sessions
    - Send Accounting Records to the RADIUS Server
    - Delegating Group Policy Selection to Authorization Server
      - Override the Selection of Group Policy or Other Attributes by the Authorization Server
      - Deny VPN Access to a User Group
      - Restrict Connection Profile Selection for a User Group
      - Update the Secure Client Profile for Remote Access VPN Clients
    - RADIUS Dynamic Authorization
      - Configuring RADIUS Dynamic Authorization
    - Two-Factor Authentication
      - Configuring RSA Two-Factor Authentication
      - Configuring Duo Two-Factor Authentication
    - Secondary Authentication
      - Configure Remote Access VPN Secondary Authentication
    - Single Sign-On Authentication with SAML 2.0
      - Guidelines and Limitations for SAML 2.0
      - Configuring a SAML Single Sign-On Authentication
      - Configuring SAML Authorization
        
        Configure SAML Authorization
  - Advanced Secure Client Configurations
    - Configure Secure Client Modules on a Firewall Threat Defense
      - Types of Secure Client Modules
      - Prerequisites for Configuring Secure Client Modules
      - Guidelines for Configuring Secure Client Modules
      - Install Secure Client Modules using a Firewall Threat Defense
      - Configure a Remote Access VPN Group Policy with Secure Client Modules
      - Verify Secure Client Modules Configuration
    - Configure Application-Based (Per App VPN) Remote Access VPN on Mobile Devices
      - Prerequisites and Licensing for Configuring Per App VPN Tunnels
      - Determine the Application IDs for Mobile Applications
      - Configure Application-Based VPN Tunnels
      - Verify Per App Configuration
  - Remote Access VPN Examples
    - How to Limit Secure Client Bandwidth Per User
    - How to Use VPN Identity for User-Id Based Access Control Rules
    - Configure Firewall Threat Defense Multiple Certificate Authentication
  - Monitor Remote Access VPNs
    - Remote Access VPN Dashboard
    - VPN Session and User Information
      - Viewing Remote Access VPN Active Sessions
      - Viewing Remote Access VPN User Activity
- Dynamic Access Policies
  - About Secure Firewall Threat Defense Dynamic Access Policy
    - Hierarchy of Policy Enforcement of Permissions and Attributes in Firewall Threat Defense
  - Prerequisites for Dynamic Access Policy
  - Guidelines and Limitations for Dynamic Access Policies
  - Associate Dynamic Access Policy with Remote Access VPN
- VPN Monitoring and Troubleshooting in Security Cloud Control
  - Monitor Site-to-Site VPNs using Site-to-Site VPN Summary Page
  - Monitor Remote Access VPN Sessions
  - SD-WAN Summary Dashboard
    - Prerequisites for Using SD-WAN Summary Dashboard
    - Monitor WAN Devices and Interfaces Using the SD-WAN Summary Dashboard
    - Monitor Application Performance Metrics of WAN Interfaces Using the SD-WAN Summary Dashboard
Zero Trust Network Access
- Zero Trust Network Access
  - About Clientless and Universal Zero Trust Network Access
  - Zero Trust Access
    - How Threat Defense Works with Zero Trust Access
    - Why use Zero Trust Network Access?
    - Components of a Clientless Zero Trust Network Access Configuration
    - Clientless Zero Trust Network Access Workflow
    - Limitations for Clientless Zero Trust Network Access
    - Prerequisites for Zero Trust Application Policy
    - Manage Zero Trust Application Policies
    - Create a Zero Trust Application Policy
    - Create an Application Group
    - Create an Application
    - Set Targeted Devices for Zero Trust Access Policy
    - Edit a Zero Trust Application Policy
    - Monitor Zero Trust Sessions
  - Universal Zero Trust Network Access
    - How Threat Defense Works with Universal ZTNA
    - Prerequisites for Universal Zero Trust Network Access
    - Limitations of Universal Zero Trust Network Access
    - Enable Cloud-Delivered Firewall Management Center in Security Cloud Control
    - Configure Security Devices
Access Control Policy Basics
- Access Control Policies
  - About access control policies
    - Access control policy components
    - Access control policy default action
    - Access control policy inheritance
    - Rule and other policy warnings
  - Requirements and prerequisites for access control policies
  - Managing access control policies
    - Creating a basic access control policy
    - Editing an access control policy
    - Locking an access control policy
    - Concurrent editing and merging changes
    - Setting the access control default action
    - Managing access control policy inheritance
      - Choosing a base access control policy
      - Locking settings in descendant access control policies
      - Inheriting access control policy settings from the base policy
      - Requiring an access control policy in a domain
    - Assigning devices to an access control policy
    - Logging settings for access control policies
    - Associating other policies with access control
    - Identifying and fixing anomalies with Policy Analyzer & Optimizer
    - Viewing rule hit counts
    - Analyzing rule conflicts and warnings
    - Searching for rules
  - History for access control policies
- Security Intelligence
  - About Security Intelligence
  - Best Practices for Security Intelligence
  - License Requirements for Security Intelligence
  - Requirements and Prerequisites for Security Intelligence
  - Security Intelligence Sources
  - Configure Security Intelligence
    - Security Intelligence Options
    - Security Intelligence Categories
    - Block List Icons
    - Configuration Example: Security Intelligence Blocking
  - Security Intelligence Monitoring
  - Override Security Intelligence Blocking
  - Troubleshooting Security Intelligence
    - Security Intelligence Categories Are Missing from the Available Options List
- Access Control Rules
  - About access control rules
    - Access control rule management
    - Access control rule components
    - Access Control Rule Order
    - Access control rule actions
      - Access control rule monitor action
      - Access control rule trust action
      - Access control rule blocking actions
      - Access control rule interactive blocking actions
      - Access control rule allow action
    - Deep inspection using file and intrusion policies
      - File and intrusion inspection order
      - Access control traffic handling with intrusion and file policies
  - Requirements and prerequisites for access control rules
  - Guidelines and limitations for access control rules
  - Best practices for application control
    - Recommendations for application control
    - Choosing between application matching and port matching
    - Application-specific notes and limitations
  - Best practices for access control rules
    - General best practices for access control
    - Best practices for ordering rules
      - Application rule order
      - Rule preemption
      - Rule actions and rule order
    - Best practices for simplifying and focusing rules
    - Maximum number of access control rules and intrusion policies
  - Managing access control rules
    - Adding an access control rule category
    - Introduction to real-time Policy Analyzer and Optimizer
      - How real-time Policy Analyzer and Optimizer works
      - Prerequisites for using real-time Policy Analyzer and Optimizer
      - Limitations of real-time Policy Analyzer and Optimizer
      - Manage rule anomalies
    - Create and edit access control rules
      - Access control rule conditions
        
        Security/tunnel zone rule conditions
        
        Network rule conditions
        
        Original client in network conditions (filtering proxied traffic)
        
        VLAN tags rule conditions
        
        User rule conditions
        
        Application rule conditions
        
        Configuring application conditions and filters
        
        Port, protocol, and ICMP code rule conditions
        
        URL rule conditions
        
        Dynamic attributes rule conditions
        
        Time and Day Rule Conditions
    - Enabling and disabling access control rules
    - Copying access control rules from one access control policy to another
    - Moving access control rules to a prefilter policy
    - Positioning an access control rule
    - Adding comments to an access control rule
  - Examples for Access Control Rules
    - How to control access using security zones
    - How to control application usage
    - How to block threats
- URL Filtering Rules
  - URL Filtering Overview
    - About URL Filtering with Category and Reputation
      - URL Category and Reputation Descriptions
      - URL Filtering Data from the Cisco Cloud
  - Best Practices for URL Filtering
    - Filtering HTTPS Traffic
    - Use Categories in URL Filtering
    - QUIC Fingerprinting
  - License Requirements for URL Filtering
  - Requirements and Prerequisites for URL Filtering
  - How to Configure URL Filtering with Category and Reputation
    - Enable URL Filtering Using Category and Reputation
      - URL Filtering Options
    - Configuring URL Conditions
      - Rules with URL Conditions
      - URL Rule Order
    - DNS Filtering: Identify URL Reputation and Category During DNS Lookup
      - Enable DNS Filtering to Identify URLs During Domain Lookup
      - DNS Filtering Limitations
      - DNS Filtering and Events
  - Manual URL Filtering
    - Manual URL Filtering Options
    - Supplement or Selectively Override Category and Reputation-Based URL Filtering
  - Configure HTTP Response Pages
    - Limitations to HTTP Response Pages
    - Requirements and Prerequisites for HTTP Response Pages
    - Choosing HTTP Response Pages
    - Configure Interactive Blocking with HTTP Response Pages
      - Configuring Interactive Blocking
      - Setting the User Bypass Timeout for a Blocked Website
  - Configure URL Filtering Health Monitors
  - Dispute URL Category and Reputation
  - If the URL Category Set Changes, Take Action
    - URL Category and Reputation Changes: Effect on Events
  - Troubleshoot URL Filtering
Decryption Policies and Encrypted Visibility for Access Control
- Traffic Decryption Overview
  - Traffic decryption explained
  - TLS/SSL handshake processing
    - ClientHello message handling
    - ServerHello and server certificate message handling
  - Decryption rule and policy basics
    - The case for decryption
    - When to decrypt traffic, when not to decrypt
      - Which type of decryption policy is right for me?
      - Decrypt and re-sign (outgoing traffic)
      - Incoming traffic decryption
      - Known Key decryption (incoming traffic)
    - Other decryption rule actions
    - Decryption rule components
    - Rule-based decryption rule order evaluation
      - Multi-rule example
  - TLS crypto acceleration
    - TLS crypto acceleration guidelines and limitations
    - View the status of TLS crypto acceleration
  - History for decryption policy
- Standard Decryption Policies
  - About standard decryption policies
    - Which type of decryption policy is right for me?
    - Standard decryption policy deployment issues to versions earlier than 10.0.0
  - Create a new standard decryption policy
    - Create a standard decryption policy with inbound protection
      - Security zones
        
        Add security zones (inbound decryption)
      - Internal server details (inbound decryption)
        
        Add internal servers
    - Create a standard decryption policy with outbound protection
      - Security zones
        
        Add security zones (outbound decryption)
      - Decrypt networks and users
        
        Add networks and users
      - Internal certificate authority
        
        Add an internal CA for outbound protection
        
        Generate an internal CA for outbound protection
        
        Upload an internal CA for outbound protection
      - Bypass traffic when decrypting
        
        Bypass sources and destinations
        
        Add bypass sources and destinations
        
        Bypass users
        
        Add bypass users
        
        Bypass applications
        
        Add bypass applications
        
        Bypass URL categories and reputations
        
        Add bypass URL categories and reputations
        
        Intelligent decryption bypass
      - Block connections
        
        Add block connections
  - Standard decryption policy advanced options
    - Add trusted CA certificates
  - Decryption policy actions
    - Convert a standard decryption policy to a rule-based decryption policy
    - Copy a decryption policy
    - Generate a decryption policy report
- Rule-Based Decryption Policies
  - About rule-based decryption policies
    - Which type of decryption policy is right for me?
  - Create a rule-based decryption policy
    - Create a rule-based decryption policy with outbound connection protection
    - Create a rule-based decryption policy with inbound connection protection
    - Rule-based decryption policy block connections
    - Rule-based decryption policy exclusions
    - Generate an internal CA for outbound protection
    - Upload an internal CA for outbound protection
    - Upload an internal certificate for inbound protection
    - Install an internal CA on client machines
    - Create a rule-based decryption policy with other rule actions
  - default actions
  - Default handling options for undecryptable traffic
    - Set default handling for undecryptable traffic
  - advanced options
    - TLS 1.3 decryption best practices
- Rule-Based Decryption Rules
  - About rule-based decryption
  - Requirements and prerequisites for Decryption Rules rule-based decryption rules
  - Decryption Rules rule-based decryption rules guidelines and limitations
    - Guidelines for using TLS/SSL decryption
    - Decryption Rules rule-based decryption rules unsupported features
    - TLS/SSL Do Not Decrypt guidelines
    - TLS/SSL incoming traffic decryption guidelines
    - TLS/SSL Decrypt - Resign guidelines
    - TLS/SSL Block guidelines
    - TLS/SSL certificate pinning guidelines
    - TLS/SSL heartbeat guidelines
    - TLS/SSL anonymous cipher suite limitation
    - TLS/SSL normalizer guidelines
    - Other Rule-based decryption rule guidelines
  - Rule-based decryption rule traffic handling
    - Encrypted traffic inspection configuration
    - Rule-based decryption rule order evaluation
  - Rule-based decryption rule conditions
    - Security zone rule conditions
    - Network rule conditions
    - VLAN tags rule conditions
    - User rule conditions
    - Application rule conditions
    - Port rule conditions
    - Category rule conditions
    - Server certificate-based rule conditions
      - Certificate rule conditions
      - Distinguished Name (DN) rule conditions
      - Trusting external certificate authorities
      - Certificate Status Decryption rule conditions
      - Cipher suite rule conditions
      - Encryption protocol version rule conditions
  - Rule-based decryption rule actions
    - Decryption rule monitor action
    - Decryption rule Do Not Decrypt action
    - Decryption rule blocking actions
    - Decryption rule decrypt actions
      - Incoming traffic decryption actions
        
        Replace an internal certificate (Decrypt - Replace Cert only)
      - Decrypt - Resign rule action
      - Select internal certificate objects
  - Monitor TLS/SSL hardware acceleration
    - Informational counters
    - Alert counters
    - Error counters
    - Fatal counters
  - Troubleshoot Decryption Rules rule-based decryption rules
    - About TLS/SSL oversubscription
      - Troubleshoot TLS/SSL oversubscription
    - About TLS heartbeat
      - Troubleshoot TLS heartbeat
    - About TLS/SSL pinning
      - Troubleshoot TLS/SSL pinning
      - Troubleshoot unknown or bad certificates or certificate authorities
    - Verify TLS/SSL cipher suites
  - Troubleshooting using crypto archives
- Encrypted Visibility Engine
  - Overview of Encrypted Visibility Engine
  - How EVE Works
  - Indications of Compromise Events
  - QUIC Fingerprinting in EVE
  - Configure EVE
    - View Encrypted Visibility Engine Events
  - Configure EVE Exception Rules
    - Add Exception Rule from Unified Events
    - Upgrade EVE Exception Rules
  - Examples for EVE
    - About Encrypted Visibility Engine
    - Benefits
    - Sample Business Scenario
    - Prerequisites
    - High-Level Workflow
    - Configure Block Thresholds in EVE
      - View EVE Events
    - Additional References
Identity Policies for Access Control
- Identity Overview
  - About user identity
    - Identity terminology
    - About user identity sources
    - Best practices for user identity
    - Identity deployments
    - How to set up an identity policy
    - The user activity database
    - The users database
  - Identity realm limit
  - Cloud-Delivered Firewall Management Center Host and User Limits
    - Cloud-Delivered Firewall Management Center host limit
    - Cloud-Delivered Firewall Management Center user limit
  - User limits for Microsoft Azure Active Directory realms
- Realms
  - License requirements for fealms
  - Requirements and prerequisites for realms
  - Create a proxy sequence
  - Create a Microsoft Azure AD (SAML) realm
    - How to create a Microsoft Azure AD realm for passive authentication
      - About Entra ID and Cisco ISE with resource owned password credentials
      - About Entra ID and Cisco ISE with TEAP/EAP-TLS
      - How to Configure Cisco ISE for Microsoft Azure AD (SAML)Microsoft Azure AD
      - Configure Microsoft Entra ID for passive authentication
      - Configure Entra ID basic settings
      - Get required information For Your Microsoft Azure AD realm
      - Create a Microsoft Azure AD (SAML) realm for passive authentication
        
        Microsoft Azure AD (SAML) realm: SAML details
        
        Microsoft Azure AD (SAML) realm: Azure AD details
        
        Microsoft Azure AD (SAML) realm: User session timeout
    - How to Create a Microsoft Azure AD (SAML) realm for active authentication (captive portal)
      - Configure Entra ID basic settings
      - Configure a single sign-on (SSO) app in Entra ID
      - Create a decryption rule with Decrypt - Resign action
      - Get required information for your Microsoft Azure AD realm (active authentication only)
      - Create a Microsoft Azure AD (SAML) realm for active authentication (captive portal)
        
        Microsoft Azure AD (SAML) realm: SAML details
        
        Microsoft Azure AD (SAML) realm: SAML service provider (SP) metadata
        
        Microsoft Azure AD (SAML) Realm: SAML identity provider (IdP) metadata
        
        Microsoft Azure AD (SAML) realm: Azure AD details
        
        Microsoft Azure AD (SAML) realm: User session timeout
  - Create a Microsoft Azure AD Realm
    - About Entra ID and Cisco ISE with resource owned password credentials
    - About Entra ID and Cisco ISE with TEAP/EAP-TLS
    - How to create a Microsoft Azure AD realm for passive authentication
      - Configure Microsoft Entra ID for passive authentication
      - How to Configure Cisco ISE for Microsoft Azure AD (SAML)Microsoft Azure AD
      - Get required information For Your Microsoft Azure AD realm
      - Create an Azure AD Realm
      - Azure AD User Session Timeout
  - Create an LDAP realm or an Active Directory realm and realm directory
    - About realms and realm sequences
      - Realms and trusted domains
      - Supported servers for realms
      - Supported server object class and attribute names
    - Prerequisites for Kerberos authentication
    - Realm fields
    - Realm directory and synchronize fields
    - Connect securely to Active Directory or LDAP
      - Find the Active Directory server's name
      - Export the Active Directory server's root certificate
    - Synchronize users and groups
  - Create a realm sequence
  - Configure the Firewall Management Center for cross-domain trust: The setup
    - Configure the Security Cloud Control for cross-domain-trust step 1: Configure realms and directories
    - Configure the Security Cloud Control for cross-domain trust Step 2: Synchronize users and groups
    - Configure the Security Cloud Control for cross-domain trust step 3: Resolve issues
  - Manage a realm
  - Compare realms
  - Troubleshoot realms and user downloads
    - Troubleshoot cross-domain trust
  - History for realms
- Identity Source: Captive Portal
  - The captive portal identity source
    - About hostname redirect
  - License requirements for captive portal
  - Requirements and prerequisites for captive portal
  - Captive portal guidelines and limitations
  - How to configure the captive portal for user control
    - Create a network object
    - Create an identity policy and active authentication rule
      - Update a custom authentication form
    - Create a TCP port access control rule
    - Create a user access control rule
    - Create a decryption policy with an outbound rule
    - Associate Identity and decryption policies with the access control policy
    - Captive portal fields
    - Exclude applications from captive portal
  - Troubleshoot the captive portal identity source
  - History for captive portal
- Identity Source: ISE/ISE-PIC
  - The ISE/ISE-PIC identity source
    - Source and destination Security Group Tag (SGT) matching
  - License requirements for ISE/ISE-PIC
  - Requirements and prerequisites for ISE/ISE-PIC
  - ISE/ISE-PIC guidelines and limitations
  - How to configure ISE/ISE-PIC for user control
    - How to configure ISE/ISE-PIC without a realm
    - How to configure ISE/ISE-PIC for user control using a realm
  - Configure ISE/ISE-PIC
    - Configure security groups and SXP publishing in ISE
    - Export certificates from the ISE/ISE-PIC server for use in the Secure Firewall Management Center
      - Export a system certificate
      - Generate a self-signed certificate
      - Import ISE/ISE-PIC certificates
  - Configure ISE for user control
    - ISE/ISE-PIC configuration fields
  - Ways to configure the Cisco Identity Services Engine (Cisco ISE) identity source
    - About Cisco ISE quick configuration
      - Prerequisites for Cisco ISE quick configuration
      - Quick configuration
      - Cisco Identity Services Engine (Cisco ISE) quick configuration results
    - Cisco ISE advanced configuration
      - ISE/ISE-PIC configuration fields
  - Troubleshoot Cisco ISE/ISE-PIC or Cisco TrustSec issues
  - History for ISE/ISE-PIC
- Identity Source: Passive Identity Agent
  - The passive identity agent identity source
  - Deploy the passive identity agent
    - Simple passive identity agent deployment
    - Single passive identity agent monitoring multiple domain controllers
    - Multiple passive identity agents monitoring multiple domain controllers
    - Passive identity agent primary/secondary agent deployments
  - How to create a passive identity agent identity source
  - Configure the passive identity agent
    - Enable the dynamic attributes connector
    - Create a Microsoft Active Directory realm
    - Create a passive identity agent identity source
      - Create a standalone passive identity agent identity source
      - Create a primary or secondary passive identity agent identity source
      - About passive identity agent roles
    - Get an API token for the passive identity agent
    - About passive identity agent installation
      - Prerequisites to installing the passive identity agent
        
        Passive identity agent system requirements
        
        Enable the Windows Event Viewer to log Kerberos authentication attempts
        
        Add the Active Directory user to groups
      - Install the Passive Identity Agent Software
        
        Add Log On to the Passive Identity Agent Service
    - Uninstall the passive identity agent software
    - Upgrade the passive identity agent software
  - Monitor the passive identity agent
  - Manage the passive identity agent
    - Edit passive identity agents
    - Delete a standalone passive identity agent
    - Delete primary and secondary passive identity agents
  - Troubleshoot the passive identity agent
  - Security requirements for the passive identity agent
  - Internet access requirements for the passive identity agent
  - History for the passive identity agent
- Identity Source: pxGrid Cloud Identity (ISE 3.3 and Earlier)
  - About the pxGrid Cloud identity source
    - Limitations of the pxGrid Cloud identity source
    - How the pxGrid Cloud identity source works
  - How to configure a pxGrid Cloud identity source
    - How to configure a pxGrid Cloud identity source (Cisco ISE 3.3 or earlier)
  - Enable the pxGrid Cloud service in Cisco ISE
  - Register Cisco ISE with the Catalyst Cloud Portal
  - Register the pxGrid Cloud connection with Cisco ISE
  - Create a pxGrid Cloud identity source
    - Create an app instance
    - Create the identity source
    - Activate the app instance
    - Activate the pxGrid Cloud identity source
    - Test the pxGrid Cloud identity source
  - Create dynamic attributes filters
  - Create access control rules or DNS rules using dynamic attributes filters
  - Troubleshoot the pxGrid Cloud identity source
    - Primary device cannot be processed
  - Deactivate and delete the pxGrid Cloud identity source
    - Deactivate the pxGrid Cloud app instance
    - Delete the pxGrid Cloud identity source
  - Troubleshoot the ISE Subscription
- Identity Source: pxGrid Cloud Identity (ISE 3.4 and Later)
  - About the pxGrid Cloud identity source
    - Limitations of the pxGrid Cloud identity source
    - How the pxGrid Cloud identity source works
  - How to configure a pxGrid Cloud identity source
    - How to configure a pxGrid Cloud identity source (Cisco ISE 3.4 or later)
  - Enable the pxGrid Cloud service in Cisco ISE
    - Verify Cisco ISE registration in the Catalyst Cloud Portal
  - Create an app instance
  - Create the identity source
  - Activate the app instance
  - Activate the pxGrid Cloud identity source
  - Test the pxGrid Cloud identity source
  - Troubleshoot the pxGrid Cloud identity source
    - Primary device cannot be processed
  - Create dynamic attributes filters
  - Create access control rules or DNS rules using dynamic attributes filters
  - Deactivate and delete the pxGrid Cloud identity source
    - Deactivate the pxGrid Cloud app instance
    - Delete the pxGrid Cloud identity source
- Identity Source: Remote Access VPN
  - The Remote Access VPN Identity Source
  - Configure RA VPN for User Control
  - Troubleshoot the Remote Access VPN Identity Source
    - Not Observing Correct Settings for VPN Statistics
- Identity Source: TS Agent
  - The Terminal Services (TS) Agent identity source
  - TS Agent guidelines
  - Identity Source: TS Agent
  - Troubleshoot the TS Agent identity source
  - History for TS Agent
- Identity Policies
  - About identity policies
  - License requirements for identity policies
  - Requirements and prerequisites for identity policies
  - Create an identity policy
    - Create an identity mapping filter
  - Identity rule conditions
    - Security zone rule conditions
    - Network rule conditions
      - Redirect to host name network rule conditions
    - VLAN tags rule conditions
    - Port rule conditions
      - Port, protocol, and ICMP code rule conditions
    - Realm & settings rule conditions
  - Create an identity rule
    - Identity rule fields
  - Sample identity policies and rules
    - Create an identity policy with a passive authentication rule
    - Create a Sample Identity Policy with an Active Authentication Rule
      - Active authentication using a realm
      - Active Authentication Using a Realm Sequence
  - Manage an identity policy
  - Manage an identity rule
  - Troubleshoot user control
Advanced Policies and Settings for Access Control
- Prefilter Policies
  - About prefilter policies
    - The default prefilter policy
    - Prefilter policy rule order
    - Tunnel vs prefilter rules
    - How the system processes plain-text tunnels
    - Using tunnel zones to apply access control at the tunnel level
    - Large flow offloads
      - Flow offload limitations
    - Prefilter vs access control policy
  - Requirements and prerequisites for prefilter olicies
  - Guidelines and limitations for the prefilter policy
  - Guidelines and limitations for encapsulated traffic handling
  - Best practices for fastpath prefiltering
  - Configure prefilter policies
    - Configuring the default action
    - Configuring prefilter rules
      - VLAN tags rule conditions
      - Port rule conditions for prefilter rules
    - Configuring tunnel rules
    - Creating tunnel zones
    - Moving prefilter rules to an access control policy
  - Examples of the prefilter policy
    - How to rezone tunnels for customized inspection
    - How to offload large flows
- DNS Policies for Security Intelligence
  - DNS Policy Overview
  - Cisco Umbrella DNS Policies
  - DNS Policy Components
  - License Requirements for DNS Policies
  - Requirements and Prerequisites for DNS Policies
  - Managing DNS and Umbrella DNS Policies
    - Creating Basic DNS Policies
    - Editing DNS Policies
  - DNS Rules
    - Creating and Editing DNS Rules
    - DNS Rule Management
      - Enabling and Disabling DNS Rules
    - DNS Rule Order Evaluation
    - DNS Rule Actions
    - DNS Rule Conditions
      - Security zone rule conditions
      - Network rule conditions
      - VLAN tags rule conditions
      - DNS Policy Rule Conditions
      - Dynamic Attributes Rule Conditions
  - How to Create DNS Rules
    - Controlling Traffic Based on DNS and Security Zone
    - Controlling Traffic Based on DNS and Network
    - Controlling Traffic Based on DNS and VLAN
    - Controlling Traffic Based on DNS List or Feed
    - Controlling Traffic Based on Security Group Tag or Dynamic Attributes
    - Using a DNS sinkhole to enforce content restriction
  - DNS Policy Deploy
  - Cisco Umbrella DNS Policies
    - How to Redirect DNS Requests to Cisco Umbrella
    - Prerequisites for Configuring the Umbrella DNS Connector
    - Configure Cisco Umbrella Connection Settings
    - Create an Umbrella DNS Policy
    - Edit Umbrella DNS Policies and Rules
    - Associate the Umbrella DNS Policy with an Access Control Policy
- File Policies for Network Malware Protection
  - About Network Malware Protection and File Policies
    - File Policies
  - Requirements and Prerequisites for File Policies
  - License Requirements for File and Malware Policies
  - Best Practices for File Policies and Malware Detection
    - File Rule Best Practices
    - File Detection Best Practices
    - File Blocking Best Practices
    - File Policy Best Practices
  - How to Configure Malware Protection
    - Plan and Prepare for Malware Protection
    - Configure File Policies
    - Add File Policies to Your Access Control Configuration
      - Configuring an Access Control Rule to Perform Malware Protection
    - Set Up Maintenance and Monitoring of Malware Protection
  - Cloud Connections for Malware Protection
    - AMP Cloud Connection Configurations
      - Change AMP Options
    - Dynamic Analysis Connections
      - Requirements for Dynamic Analysis
      - Viewing the Default Dynamic Analysis Connection
      - Enabling Access to Dynamic Analysis Results in the Public Cloud
      - Maintain Your System: File Types Eligible for Dynamic Analysis
  - File Policies and File Rules
    - Create or Edit a File Policy
      - Advanced and Archive File Inspection Options
        
        Archive Files
        
        Override File Disposition Using Custom Lists
        
        Centralized File Lists from Secure Endpoint
    - Managing File Policies
    - File Rules
      - File Rule Components
      - File Rule Actions
        
        Malware Protection Options (in File Rule Actions)
        
        Comparison of Malware Protection Options
        
        Spero Analysis
        
        AMP Cloud Lookup
        
        Local Malware Analysis
        
        Cached Disposition Longevity
        
        Dynamic Analysis
        
        Which Files Are Eligible for Dynamic Analysis?
        
        Dynamic Analysis and Capacity Handling
        
        Captured Files and File Storage
        
        Malware Storage Pack
        
        Block All Files by Type
        
        File Rule Actions: Evaluation Order
      - Creating File Rules
    - Access Control Rule Logging for Malware Protection
  - Retrospective Disposition Changes
  - File and Malware Inspection Performance and Storage Options
  - Tuning File and Malware Inspection Performance and Storage
  - (Optional) Malware Protection with Secure Endpoint
    - Comparison of Malware Protection: Firepower vs. Secure Endpoint
    - About Integrating Firepower with Secure Endpoint
      - Benefits of Integrating Firepower and Secure Endpoint
      - Secure Endpoint and AMP Private Cloud
      - Integrate Firepower and Secure Endpoint
- Dynamic Attributes Connector
  - About the Dynamic Attributes Connector
    - How It Works
  - About the dashboard
    - Dashboard of an unconfigured system
    - Dashboard of a configured system
    - Add, edit, or delete connectors
    - Add, edit, or delete dynamic attributes filters
  - Create a connector
    - Amazon Web Services connector—About user permissions and imported data
      - Create an AWS user with minimal permissions for the dynamic attributes connector
      - Create an AWS connector
    - Amazon Web Services Security Groups connector—About user permissions
      - Create an AWS Security Groups connector
    - Create an AWS service tags connector
    - Azure connector—About user permissions and imported data
      - Create an Azure user with minimal permissions for the dynamic attributes connector
      - Create an Azure connector
    - Create an Azure Service Tags connector
    - Create a Multicloud Defense connector
    - Create a Cisco Cyber Vision connector
    - Create a generic text connector
      - Manually get a certificate authority (CA) chain
    - Create a GitHub connector
    - Google Cloud connector—About user permissions and imported data
      - Create a Google Cloud user with minimal permissions for the dynamic attributes connector
      - Create a Google Cloud connector
    - Create an Office 365 connector
    - Tenable connector
      - About the Tenable connector
      - Get the Tenable API key and secret
      - Create a Tenable connector
      - About Tenable dynamic objects in IDS, IPS, and access control policies
    - Create a Webex connector
    - Create a Zoom Connector
  - Create an adapter
    - How to create an On-Premises Firewall Management Center adapter
    - How to create a Cloud-Delivered Firewall Management Center adapter
  - Create dynamic attributes filters
    - Dynamic attribute filter examples
  - Dynamic firewall
    - About the dynamic firewall
    - How to configure the dynamic firewall
      - Get required information for Identity Intelligence
      - Create an identity source and realm for the dynamic firewall
      - Create a dynamic firewall instance
      - Associate an identity source with Identity Intelligence
      - Configure Identity Intelligence
      - View system-defined filters
      - View system-defined access control rules
      - Edit the user exclusion list
      - View and edit the system-created access control policy
    - Create dynamic attributes filters
  - Use Dynamic Objects in Access Control Policies
    - About dynamic objects in access control rules
    - Create dynamic attributes filters
    - Dynamic attributes rule conditions
    - Create access control rules or DNS rules using dynamic attributes filters
    - Use dynamic objects in DNS policies
  - Troubleshoot the Dynamic Attributes Connector
    - Troubleshoot error messages
    - Get Your Tenant ID
- Advanced Settings for Access Control
  - Requirements and prerequisites for advanced settings
  - Configuring advanced settings for the access control policy
    - General settings
    - TLS server identity discovery
    - Intelligent application bypass
      - Configuring intelligent application bypass
      - IAB logging and analysis
    - Transport/network layer preprocessor settings
    - Detection enhancement settings
      - Adaptive profile updates
      - Adaptive profile updates and recommended rules
    - Performance settings
    - Latency-Based Performance Settings
- Service Policies
  - About Threat Defense service policies
    - How service policies relate to FlexConfig and other features
    - What are connection settings?
  - Requirements and prerequisites for service policies
  - Guidelines and limitations for service policies
  - Configure Threat Defense service policies
    - Configure a service policy rule
    - Bypass TCP state checks for asymetrical routing (TCP state bypass)
      - The asymetrical routing problem
      - Guidelines and limitations for TCP state bypass
      - Configure TCP state bypass
    - Disable TCP sequence randomization
  - Monitoring service policies
  - Examples for service policy rules
    - Protect servers from a SYN flood DoS attack (TCP intercept)
    - Make the Firewall Threat Defense device appear on traceroutes
- Threat Detection
  - Portscan detection and prevention
    - Pre-defined sensitivity levels for portscan detection
    - Detection in the low sensitivity level
  - Requirements and prerequisites for threat detection
  - Guidelines and limitations for threat detection
  - Best practices for portscan prevention
  - Configure portscan detection and prevention
  - Monitoring threat detection
    - Viewing portscan alerts
    - Monitoring portscan on the firewall
    - Unblocking a host
- Elephant Flow Detection
  - About Elephant Flow Detection and Remediation
  - Elephant Flow Upgrade from Intelligent Application Bypass
  - Configure elephant flow detection
  - Examples for Elephant Flow Detection
    - About Elephant Flows
    - Benefits of Elephant Flow Detection and Remediation
    - Elephant Flow Workflow
    - Sample Business Scenario
    - Prerequisites
    - Configure Elephant Flow Parameters
      - View Events for Elephant Flows
    - Configure Elephant Flow Remediation Exemption
      - View Events for Elephant Flow Remediation Exemption
    - Additional References
- Policy Analyzer and Optimizer
  - About Policy Analyzer and Optimizer
    - Analysis, Remediation, and Reporting
  - Prerequisites to Use Policy Analyzer and Optimizer
  - Policy Analyzer and Optimizer Licensing Requirements
  - Enable Policy Analyzer and Optimizer for Cloud-Delivered Firewall Management Center
  - Enable Policy Analyzer and Optimizer for Security Cloud Control-managed On-Premises Firewall Management Center
  - Policy Analysis
    - Analyze Cloud-Delivered Firewall Management Center Policies
    - Analyze On-Premises Firewall Management Center Policies
  - Policy Reporting
    - Policy analysis summary
    - Duplicate Rules
    - Overlapping Objects
    - Expired Rules
    - Mergeable Rules
    - Policy insights
  - Policy Remediation
    - Apply Policy Remediation
    - What Does the Policy Remediation Report Contain?
  - Troubleshooting Policy Analyzer and Optimizer
    - Policy Analyzer and Optimizer Does Not Analyze Policies
    - Policy Analyzer and Optimizer Does Not Fetch Policies
  - Frequently Asked Questions About Policy Analyzer and Optimizer
Custom Intrusion Policies for Access Control
- Intrusion Prevention
  - About Intrusion Prevention
  - Snort Inspection Engine
  - About Snort 3
  - Guidelines and Limitations for Network Analysis and Intrusion Policies
  - How Policies Examine Traffic For Intrusions
    - Decoding, Normalizing, and Preprocessing: Network Analysis Policies
    - Access Control Rules: Intrusion Policy Selection
    - Intrusion Inspection: Intrusion Policies, Rules, and Variable Sets
    - Intrusion Event Generation
  - System-Provided and Custom Network Analysis and Intrusion Policies
    - System-Provided Network Analysis and Intrusion Policies
    - Benefits of Custom Network Analysis and Intrusion Policies
      - Benefits of Custom Network Analysis Policies
      - Benefits of Custom Intrusion Policies
    - Limitations of Custom Policies
  - Prerequisites for Network Analysis and Intrusion Policies
- Migrate from Snort 2 to Snort 3
  - Snort 3 Inspection Engine
  - Snort 2 versus Snort 3
  - Prerequisites for Network Analysis and Intrusion Policies
  - How to Migrate from Snort 2 to Snort 3
    - Prerequisites for Migrating from Snort 2 to Snort 3
    - Enable Snort 3 on an Individual Device
    - Enable Snort 3 on Multiple Devices
    - Convert Snort 2 Custom IPS Rules to Snort 3
      - Convert all Snort 2 Custom Rules across all Intrusion Policies to Snort 3
      - Convert Snort 2 Custom Rules of a Single Intrusion Policy to Snort 3
  - View Snort 2 and Snort 3 Base Policy Mapping
  - Synchronize Snort 2 Rules with Snort 3
  - Deploy Configuration Changes
  - Examples for Migration
    - Migrate from Snort 2 to Snort 3
    - Benefits of Migrating to Snort 3
    - Sample Business Scenario
    - Best Practices for Migrating from Snort 2 to Snort 3
    - Prerequisites
    - End-to-End Migration Workflow
    - Enable Snort 3 on Threat Defense
    - Convert Snort 2 Rules of a Single Intrusion Policy to Snort 3
    - Deploy Configuration Changes
- Intrusion Policies
  - Overview of Intrusion Policies
  - Prerequisites for Network Analysis and Intrusion Policies
  - Create a Custom Snort 3 Intrusion Policy
  - Edit Snort 3 Intrusion Policies
    - Rule Group Reporting
    - Rule Action Logging
  - Change the Base Policy of an Intrusion Policy
  - View Snort 2 and Snort 3 Base Policy Mapping
  - Synchronize Snort 2 Rules with Snort 3
  - Manage Intrusion Policies
  - Access Control Rule Configuration to Perform Intrusion Prevention
    - Access Control Rule Configuration and Intrusion Policies
    - Configure an Access Control Rule to Perform Intrusion Prevention
  - Tune Intrusion Policies Using Rules
    - Overview of Tuning Intrusion Rules
    - Intrusion Rule Types
    - Prerequisites for Network Analysis and Intrusion Policies
    - Custom Rules in Snort 3
    - View Snort 3 Intrusion Rules in an Intrusion Policy
    - Intrusion Rule Action
      - Intrusion Rule Action Options
      - Set Intrusion Rule Action
    - Intrusion Event Notification Filters in an Intrusion Policy
      - Intrusion Event Thresholds
        
        Set Intrusion Event Thresholds
        
        Set Threshold for an Intrusion Rule in Snort 3
        
        View and Delete Intrusion Event Thresholds
      - Intrusion Policy Suppression Configuration
        
        Intrusion Policy Suppression Types
        
        Set Suppression for an Intrusion Rule in Snort 3
        
        View and Delete Suppression Conditions
    - Add Intrusion Rule Comments
    - Snort 2 Custom Rules Conversion to Snort 3
      - Convert all Snort 2 Custom Rules across all Intrusion Policies to Snort 3
      - Convert Snort 2 Custom Rules of a Single Intrusion Policy to Snort 3
    - Add Custom Rules to Rule Groups
    - Add Rule Groups with Custom Rules to an Intrusion Policy
    - Manage Custom Rules in Snort 3
    - Delete Custom Rules
    - Delete Rule Groups
  - Recommended Rules
    - Snort 3 Rule Changes in LSP Updates
    - Overview of Secure Firewall Recommended Rules
    - Prerequisites for Network Analysis and Intrusion Policies
    - Generate New Secure Firewall Recommendations in Snort 3
  - Mitigate Threats Using MITRE Framework in Snort 3 Intrusion Policies
    - About MITRE ATT&CK Framework
    - Benefits of MITRE Framework
    - Sample Business Scenario for MITRE Network
    - Prerequisites for MITRE Framework
    - View and Edit Your Snort 3 Intrusion Policy
    - View Intrusion Events
    - Additional References
- Intrusion Prevention Performance Tuning
  - About Intrusion Prevention Performance Tuning
  - License Requirements for Intrusion Prevention Performance Tuning
  - Requirements and Prerequisites for Intrusion Prevention Performance Tuning
  - Limiting Pattern Matching for Intrusions
  - Regular Expression Limits Overrides for Intrusion Rules
  - Overriding Regular Expression Limits for Intrusion Rules
  - Per Packet Intrusion Event Generation Limits
  - Limiting Intrusion Events Generated Per Packet
  - Packet and Intrusion Rule Latency Threshold Configuration
    - Latency-Based Performance Settings
    - Packet Latency Thresholding
      - Packet Latency Thresholding Notes
      - Enabling Packet Latency Thresholding
      - Configuring Packet Latency Thresholding
    - Rule Latency Thresholding
      - Rule Latency Thresholding Notes
      - Configuring Rule Latency Thresholding
  - Intrusion Performance Statistic Logging Configuration
  - Configuring Intrusion Performance Statistic Logging
- Network Analysis Policies
  - Overview of Network Analysis Policies
  - Manage Network Analysis Policies
  - Snort 3 Definitions and Terminologies for Network Analysis Policy
  - Prerequisites for Network Analysis and Intrusion Policies
  - Custom Network Analysis Policy Creation for Snort 3
    - Common Industrial Protocol Safety
    - Detect and Block Safety Segments in CIP Packets
    - Network Analysis Policy Mapping
    - View Network Analysis Policy Mapping
    - Create a Network Analysis Policy
    - Modify the Network Analysis Policy
    - Search for an Inspector on the Network Analysis Policy Page
    - Copy the Inspector Configuration
    - Customize the Network Analysis Policy
    - Make Inline Edit for an Inspector to Override Configuration
    - Revert Unsaved Changes during Inline Edits
    - View the List of Inspectors with Overrides
    - Revert Overridden Configuration to Default Configuration
    - Validate Snort 3 Policies
    - Examples of Custom Network Analysis Policy Configuration
  - Network Analysis Policy Settings and Cached Changes
  - Generate Snort 3 Recommendations
    - Snort 3 Rule Recommendations
    - Benefits
    - Sample Business Scenario
    - Best Practices
    - Prerequisites
    - Generate Snort 3 Recommendations
- Advanced Access Control Settings for Network Analysis and Intrusion Policies
  - About Advanced Access Control Settings for Network Analysis and Intrusion Policies
  - Requirements and Prerequisites for Advanced Access Control Settings for Network Analysis and Intrusion Policies
  - Inspection of Packets That Pass Before Traffic Is Identified
    - Best Practices for Handling Packets That Pass Before Traffic Identification
    - Specify a Policy to Handle Packets That Pass Before Traffic Identification
  - Advanced Settings for Network Analysis Policies
    - Setting the Default Network Analysis Policy
    - Network Analysis Rules
      - Network Analysis Policy Rule Conditions
        
        Security zone rule conditions
        
        Network rule conditions
        
        VLAN tags rule conditions
      - Configuring Network Analysis Rules
      - Managing Network Analysis Rules
Network Discovery
- Network Discovery Overview
  - About Detection of Host, Application, and User Data
  - Host and Application Detection Fundamentals
    - Passive Detection of Operating System and Host Data
    - Active Detection of Operating System and Host Data
    - Current Identities for Applications and Operating Systems
    - Current User Identities
    - Application and Operating System Identity Conflicts
    - NetFlow Data
      - Requirements for Using NetFlow Data
      - Differences between NetFlow and Managed Device Data
- Host Identity Sources
  - Overview: Host Data Collection
  - Requirements and Prerequisites for Host Identity Sources
  - Determining Which Host Operating Systems the System Can Detect
  - Identifying Host Operating Systems
  - Custom Fingerprinting
    - Managing Fingerprints
      - Activating and Deactivating Fingerprints
      - Editing an Active Fingerprint
      - Editing an Inactive Fingerprint
      - Creating a Custom Fingerprint for Clients
      - Creating a Custom Fingerprint for Servers
  - Host Input Data
    - Requirements for Using Third-Party Data
    - Third-Party Product Mappings
      - Mapping Third-Party Products
      - Mapping Third-Party Product Fixes
    - Mapping Third-Party Vulnerabilities
    - Custom Product Mappings
      - Creating Custom Product Mappings
      - Editing Custom Product Mapping Lists
      - Activating and Deactivating Custom Product Mappings
- Application Detection
  - Overview: Application Detection
    - Application Detector Fundamentals
    - Identification of Application Protocols in the Web Interface
    - Implied Application Protocol Detection from Client Detection
    - Host Limits and Discovery Event Logging
    - Special Considerations for Application Detection
      - Application Detection in Snort 3
  - Requirements and Prerequisites for Application Detection
  - Custom Application Detectors
    - Custom Application Detector and User-Defined Application Fields
    - Configuring Custom Application Detectors
      - Create a User-Defined Application
      - Specifying Detection Patterns in Basic Detectors
      - Specifying Detection Criteria in Advanced Detectors
      - Specifying EVE Process Assignments
      - Testing a Custom Application Protocol Detector
  - Viewing or Downloading Detector Details
  - Sorting the Detector List
  - Filtering the Detector List
    - Filter Groups for the Detector List
  - Navigating to Other Detector Pages
  - Activating and Deactivating Detectors
  - Editing Custom Application Detectors
  - Deleting Detectors
- Network Discovery Policies
  - Overview: Network Discovery Policies
  - Requirements and Prerequisites for Network Discovery Policies
  - Network Discovery Customization
    - Configuring the Network Discovery Policy
  - Network Discovery Rules
    - Configuring Network Discovery Rules
      - Actions and Discovered Assets
      - Monitored Networks
        
        Restricting the Monitored Network
        
        Configuring Rules for NetFlow Data Discovery
        
        Creating Network Objects During Discovery Rule Configuration
      - Port Exclusions
        
        Excluding Ports in Network Discovery Rules
        
        Creating Port Objects During Discovery Rule Configuration
      - Zones in Network Discovery Rules
        
        Configuring Zones in Network Discovery Rules
      - The Traffic-Based Detection Identity Source
        
        Configuring Traffic-Based User Detection
  - Configuring Advanced Network Discovery Options
    - Network Discovery General Settings
      - Configuring Network Discovery General Settings
    - Network Discovery Identity Conflict Settings
      - Configuring Network Discovery Identity Conflict Resolution
    - Network Discovery Vulnerability Impact Assessment Options
      - Enabling Network Discovery Vulnerability Impact Assessment
    - Indications of Compromise
      - Enabling Indications of Compromise Rules
    - Adding NetFlow Exporters to a Network Discovery Policy
    - Network Discovery Data Storage Settings
      - Configuring Network Discovery Data Storage
    - Configuring Network Discovery Event Logging
    - Adding Network Discovery OS and Server Identity Sources
  - Troubleshooting Your Network Discovery Strategy
Objects and Certificates
- Object Management
  - Introduction to Objects
  - The Object Manager
    - Importing Objects
    - Editing Objects
    - Viewing Objects and Their Usage
    - Filtering Objects or Object Groups
    - Object Groups
      - Grouping Reusable Objects
    - Object Overrides
      - Managing Object Overrides
      - Allowing Object Overrides
      - Adding Object Overrides
      - Editing Object Overrides
  - AAA Server
    - Add a RADIUS Server Group
      - RADIUS Server Group Options
      - RADIUS Server Options
      - RADIUS Server-Enabled Message Authenticator Compatibility Matrix
    - Add a Single Sign-on Server
  - Access List
    - Configure Extended ACL Objects
    - Configure a Service Access Object
    - Configure Standard ACL Objects
  - Address Pools
  - Application filters
  - AS Path
  - BFD Template
  - Cipher Suite List
    - Creating Cipher Suite Lists
  - Community List
    - Extended Community
  - DHCP IPv6 Pool
  - Distinguished Name
    - Creating Distinguished Name Objects
  - DNS Server Group
    - Creating DNS Server Group Objects
  - External Attributes
    - Dynamic Objects
      - Create Dynamic Objects with Cloud-Delivered Firewall Management Center
      - Create Dynamic Objects with Cloud-Delivered Firewall Management Center and On-Premises Dynamic Attributes Connector
      - Work With Dynamic Objects
      - Dynamic Object Mappings
      - About API-Created Dynamic Objects
        
        Add or Edit an API-Created Dynamic Object
    - Security Group Tag
      - Creating Security Group Tag Objects
  - File List
    - Source Files for File Lists
    - Adding Individual SHA-256 Values to File Lists
    - Uploading Individual Files to File Lists
    - Uploading Source Files to File Lists
    - Editing SHA-256 Values in File Lists
    - Downloading Source Files from File Lists
  - FlexConfig
  - Geolocation
    - Creating Geolocation Objects
  - Interface
  - Key Chain
    - Creating Key Chain Objects
  - Network
    - Network Wildcard Mask
    - Creating Network Objects
    - Importing Network Objects
    - Editing and Deleting Network Objects and Groups
  - PKI
    - Internal Certificate Authority Objects
      - CA Certificate and Private Key Import
      - Importing a CA Certificate and Private Key
      - Generating a New CA Certificate and Private Key
      - New Signed Certificates
      - Creating an Unsigned CA Certificate and CSR
      - Uploading a Signed Certificate Issued in Response to a CSR
      - CA Certificate and Private Key Downloads
      - Downloading a CA Certificate and Private Key
    - Trusted Certificate Authority Objects
      - Trusted CA Object
      - Adding a Trusted CA Object
      - Certificate Revocation Lists in Trusted CA Objects
      - Adding a Certificate Revocation List to a Trusted CA Object
    - External Certificate Objects
      - Adding External Certificate Objects
    - Internal Certificate Objects
      - Adding Internal Certificate Objects
    - Certificate Enrollment Objects
      - Adding Certificate Enrollment Objects
      - Add Certificate Enrollment
      - Certificate Enrollment Object EST Options
      - Certificate Enrollment Object SCEP Options
      - Certificate Enrollment Object ACME Options
        
        Prerequisites for Using ACME Certificates
        
        Limitations for Using ACME Certificates
      - Certificate Enrollment Object Certificate Parameters
      - Certificate Enrollment Object Key Options
        
        PKI Enrollment of Certificates with Weak-Crypto
      - Certificate Enrollment Object Revocation Options
  - Policy List
  - Port
    - Creating Port Objects
    - Importing Port Objects
  - Prefix List
    - Configure IPv6 Prefix List
    - Configure IPv4 Prefix List
  - Route Map
  - Security Intelligence
    - How to Modify Security Intelligence Objects
    - Global and Domain Security Intelligence Lists
      - Security Intelligence Lists and Multitenancy
      - Delete Entries from Global Security Intelligence Lists
    - List and Feed Updates for Security Intelligence
      - Changing the Update Frequency for Security Intelligence Feeds
    - Custom Security Intelligence Lists and Feeds
      - Custom Lists and Feeds: Requirements
      - URL Lists and Feeds: URL Syntax and Matching Criteria
      - Custom Security Intelligence Feeds
        
        Creating Security Intelligence Feeds
        
        Manually Updating Security Intelligence Feeds
      - Custom Security Intelligence Lists
        
        Uploading New Security Intelligence Lists to the Secure Firewall Management Center
        
        Updating Security Intelligence Lists
  - Sinkhole
    - Creating Sinkhole Objects
  - SLA Monitor
  - Time Range
    - Creating Time Range Objects
  - Time Zone
  - Tunnel Zone
  - URL
    - Creating URL Objects
  - Variable Set
    - Variable Sets in Intrusion Policies
    - Variables
      - Predefined Default Variables
      - Network Variables
      - Port Variables
      - Advanced Variables
      - Variable Reset
      - Adding Variables to Sets
        
        Example: Adding User-Defined Variables to Default Sets
        
        Example: Adding User-Defined Variables to Custom Sets
    - Nesting Variables
    - Managing Variable Sets
      - Creating Variable Sets
    - Managing Variables
      - Adding Variables
      - Editing Variables
  - VLAN Tag
    - Creating VLAN Tag Objects
  - VPN
    - Certificate Map Objects
    - Secure Client Custom Attributes Objects
      - Add Secure Client Custom Attributes Objects
      - Add Custom Attributes to a Group Policy
    - Firewall Threat Defense Group Policy Objects
      - Configure Group Policy Objects
      - Group Policy General Options
      - Group Policy Secure Client Options
      - Group Policy Advanced Options
    - Firewall Threat Defense IPsec Proposals
      - Configure IKEv1 IPsec Proposal Objects
      - Configure IKEv2 IPsec Proposal Objects
    - IKE Policies
      - Configure IKEv1 Policy Objects
      - Configure IKEv2 Policy Objects
    - Secure Client Customization
    - File Objects
- Certificates
  - Requirements and Prerequisites for Certificates
  - Secure Firewall Threat Defense VPN Certificate Guidelines and Limitations
  - Managing Firewall Threat Defense Certificates
    - Automatically Update CA Bundles
  - Installing a Certificate Using Self-Signed Enrollment
  - Installing a Certificate using EST Enrollment
  - Installing a Certificate Using SCEP Enrollment
  - Installing a Certificate Using Manual Enrollment
  - Installing a Certificate Using a PKCS12 File
  - Installing a Certificate Using ACME Enrollment
  - Troubleshooting Firewall Threat Defense Certificates
Reference
- FAQ and Support
  - Security Cloud Control Firewall Management platform maintenance schedule
  - Navigate from Security Cloud Control to Cloud-Delivered Firewall Management Center
  - What does the default action "Analyze all tunnel traffic" for prefiltering mean?
  - How Security Cloud Control Processes Personal Information
  - Can I restore a backup from a different device?
  - Does deploying a new prefilter policy immediately affect ongoing sessions?
  - How do I keep my security databases and feeds up to date?
  - What version of Secure Firewall Threat Defense can I manage with Cloud-Delivered Firewall Management Center?
  - How do I exclude specific traffic (Webex, Zoom, etc) from the remote access VPN?
  - How do I prevent users from accessing undesirable external network resources, such as inappropriate websites?
  - Security Feed Questions
    - How do I update intrusion rules (SRU/LSP)?
    - How do I update my Cisco vulnerability database (VDB)?
    - How do I update my Geolocation database?
    - How do I update Security Intelligence feeds?
    - How do I update URL reputations?
  - How do I setup Rate-Based Attack Prevention on the FTD using Snort 2?
  - Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
  - About Data Interfaces
  - End-of-Support for management of Secure Firewall Threat Defense devices, Version 7.0.x, managed by Cloud-Delivered Firewall Management Center
- Secure Firewall Management Center Command Line Reference
  - About the Secure Firewall Management Center CLI
    - Firewall Management Center CLI Modes
  - Secure Firewall Management Center CLI Management Commands
    - exit
    - expert
    - ? (question mark)
  - Secure Firewall Management Center CLI Show Commands
    - version
  - Secure Firewall Management Center CLI Configuration Commands
    - password
  - Secure Firewall Management Center CLI System Commands
    - generate-troubleshoot
    - lockdown
    - reboot
    - restart
    - show max-logins
    - configure max-logins
    - shutdown
- Security, Internet Access, and Communication Ports
  - Communication Ports for Managed Devices
  - Internet resources accessed by managed devices

High Availability and Scalability Clustering: Public Cloud

Last updated: Mar 23, 2026

Previous topic History for clustering: private cloud Next topic About Threat Defense Virtual Clustering in the Public Cloud