Login

Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Security Cloud Control

Managing Cisco Secure Firewall Threat Defense with Cloud-Delivered Firewall Management Center
- Configure Cloud-Delivered Firewall Management Center-Managed Secure Firewall Threat Defense
  - Enable Cloud-Delivered Firewall Management Center on Your Security Cloud Control Tenant
  - Hardware and Software Support
  - Security Cloud Control Platform Maintenance Schedule
- Manage Multicloud Defense-Onboarded Secure Firewall Threat Defense Virtual Devices
  - Overview of Multicloud Defense-Onboarded Firewall Threat Defense Virtual Devices
  - Onboard and Configure a Secure Firewall Threat Defense Virtual Device in Multicloud Defense
- Cisco AI Assistant User Guide
  - Onboard with Cisco AI Assistant
  - Prompt Guide for Cisco AI Assistant
  - Online Help Documentation
  - Policy Insights
  - Policy Analyzer and Optimizer
  - Automate Policy Rule Creation
  - Contact Support
  - Notifications Center
  - Cisco AI Assistant Frequently Asked Questions (FAQ)
Onboard Devices to Cloud-Delivered Firewall Management Center
- Onboard a Secure Firewall Threat Defense to the Cloud-Delivered Firewall Management Center
  - Onboarding Overview
  - Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center
  - Onboard a Device with a CLI Registration Key
  - Onboard a Firewall Threat Defense Device to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Onboard a Firewall Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
  - Onboard Firewall Threat Defense Devices using Device Templates to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Deploy a Threat Defense Device with AWS
  - Deploy a Firewall Threat Defense Device in Azure
    - Onboard an Azure VNet Environment
    - Deploy a Firewall Threat Defense Virtual in Azure
  - Deploy a Firewall Threat Defense Device to Google Cloud Platform
    - Create VPC Networks for GCP
    - Deploy a Firewall Threat Defense Device on Google Cloud Platform
  - Onboard a Secure Firewall Threat Defense Cluster
  - Onboard a Chassis
  - Delete Devices from Cloud-Delivered Firewall Management Center
  - Troubleshooting
    - Troubleshoot Cloud-Delivered Firewall Management Center Connectivity with TCP
    - Troubleshoot Firewall Threat Defense Device Connectivity
    - Troubleshoot Device Connectivity Loss After Cloud-delivered Firewall Management Center Update
    - Troubleshoot Onboarding a Device to the Cloud-Delivered Firewall Management Center Using the CLI Registration Key
      - Error: Device Remains in Pending Setup State After Onboarding
    - Troubleshoot Onboarding a Device to Cloud-Delivered Firewall Management Center Using the Serial Number
      - Device is Offline or Unreachable
      - Error: Serial Number Already Claimed
      - Error: Claim Error
      - Error: Failed to Claim
      - Error: Provisional Error
- Device Management
  - Log Into the Command-Line Interface on the Device
  - Manage Devices
    - About the Device Management Page
    - Add a Device Group
    - Register With a New Management Center
    - Shut Down or Restart the Device
    - Download the Managed Device List
    - Migrate Firewall Threat Defense Devices
      - Supported Devices for Migration
      - License for Migration
      - Prerequisites for Migration
      - What Configurations Does the Wizard Migrate?
      - Guidelines and Limitations for Migration
      - Migrate a Secure Firewall Threat Defense
      - Best Practices for Threat Defense Device Migration
  - Hot Swap an SSD on the Secure Firewall 3100/4200
  - Disable the USB Port
    - Disable the USB Port on a Device
    - Disable the USB Port in Multi-Instance Mode
- Device Management Using Device Templates
  - About Device Management using Device Templates
    - Variables and Network Object Overrides
    - Model Mapping
  - Requirements and Prerequisites for Device Management using Device Templates
  - Licenses for Device Management using Device Templates
  - Guidelines and Limitations for Device Management using Device Templates
  - Template Management
  - Add a Device Template
    - Create a New Device Template
    - Generate a New Device Template from an Existing Device
    - Import a Device Template
  - Configure Device Settings in the Template
    - Add a Physical Interface
    - Add a Logical Interface
    - Edit an Interface
    - Configure Other Device Settings
    - Configure Template Settings
      - Edit General Settings
      - Edit Licenses
      - Edit Applied Policies
      - Edit Advanced Settings
      - Edit Deployment Settings
      - Configure Template Parameters
        
        Supported Variables
        
        Add a Variable
        
        Supported Network Object Overrides
        
        Add a Network Object Override
      - Add Model Mapping
        
        Invalid Model Mappings
  - Configure Site-to-Site VPN Connections in a Device Template
    - Configure an SD-WAN VPN Connection
    - Configure a Route-Based Site-to-Site VPN Connection
    - Configure a Policy-Based Site-to-Site VPN Connection
    - Add a Device to an SD-WAN Topology in a Dual ISP Deployment
  - Apply Templates to Existing Devices
    - Apply a Template
    - Reapply a Template
  - Validation of Template Configuration Before and After Application of Template on Device
  - Monitoring Device Templates
    - View Associated Devices
    - Generate a Template Apply Report
  - Delete Device Template
  - Configure a Template for Firewall Threat Defense Devices Managed Using the Data Interface
  - Templates and High Availablity
  - Audit Logs
  - Troubleshooting Device Templates
  - History for Device Management using Device Templates
- Device Settings
  - Edit General Settings
    - Copy a Configuration to Another Device
    - Export and Import the Device Configuration
  - Edit License Settings
  - View System Information
  - View the Inspection Engine
  - Edit Health Settings
    - Out-of-Band Configuration Detection
      - Guidelines for Out-of-Band Configuration
      - Access Recovery-Config Mode in the Diagnostic CLI
      - Acknowledge the Out-of-Band Configuration
  - Edit Management Settings
    - Update the Hostname or IP Address in the Firewall Management Center
    - Change Both Firewall Management Center and Threat Defense IP Addresses
    - Change the Manager Access Interface from Management to Data
    - Change the Manager Access Interface from Data to Management
    - Configure a Redundant Manager Access Data Interface
    - Modify Firewall Threat Defense Management Interfaces at the CLI
    - Modify the Firewall Threat Defense Data Interface Used for Management at the CLI
    - Change the Firewall Management Center IP Address
    - Manually Roll Back the Configuration if the Firewall Management Center Loses Connectivity
    - Troubleshoot Management Connectivity on a Data Interface
    - Troubleshoot Management Connectivity on a Data Interface in a High Availability Pair
  - View Inventory Details
  - Edit Applied Policies
  - Edit Advanced Settings
    - Configure Automatic Application Bypass
    - Configure Object Group Search
    - Configure Interface Object Optimization
  - Edit Deployment Settings
  - Edit Cluster Health Monitor Settings
  - History for Device Settings
- Change Management
  - About Change Management
    - How to Configure Devices in the Change Management Workflow
    - Creating Separate Approver and Configuration Roles
    - Policies and Objects that Support Change Management
  - Requirements and Prerequisites for Change Management
  - Guidelines and Limitations for Change Management
  - Enabling or Disabling Change Management
  - Managing Tickets
    - Creating Change Management Tickets
    - Opening a Ticket for Configuration Changes
    - Previewing a Ticket
    - Submitting a Ticket
    - Discarding a Ticket
    - Approving or Rejecting a Ticket
    - Taking Over or Reassigning Tickets
  - History for Change Management
- Users for Devices
  - About Users
    - Internal and External Users
    - CLI Access
    - CLI User Roles
  - Requirements and Prerequisites for User Accounts for Devices
  - Guidelines and Limitations for User Accounts for Devices
  - Add an Internal User at the CLI
  - Troubleshooting LDAP Authentication Connections
- Configuration Deployment
  - About Configuration Deployment
    - Configuration Changes that Require Deployment
    - Deployment Preview
    - Selective Policy Deployment
    - System Username
    - Auto-Enabling of Application Detectors
    - Asset Rediscovery with Network Discovery Policy Changes
    - Snort Restart Scenarios
      - Restart Warnings for Devices
      - Inspect Traffic During Policy Apply
      - Snort Restart Traffic Behavior
      - Configurations that Restart the Snort Process When Deployed or Activated
      - Changes that Immediately Restart the Snort Process
  - Requirements and Prerequisites for Policy Management
  - Best Practices for Deploying Configuration Changes
  - Deploy the Configuration
    - Deploy Configuration Changes
    - Redeploy Existing Configurations to a Device
  - Manage Deployments
    - View Deployment Status
    - View Deployment History
    - Download Policy Changes Report for Multiple Devices
    - Compare Policies
    - Generate Current Policy Reports
  - History for Configuration Deployment
System Settings
- System Configuration
  - Requirements and Prerequisites for the System Configuration
  - Manage the Secure Firewall Management Center System Configuration
  - Access Control Preferences
  - Change Reconciliation
    - Configuring Change Reconciliation
    - Change Reconciliation Options
  - Email Notification
  - Intrusion Policy Preferences
    - Set Intrusion Policy Preferences
  - Manager Remote Access
  - Network Analysis Policy Preferences
- Users for the Firewall Management Center
  - About Users
    - Internal and External Users
    - User Roles
  - Troubleshooting LDAP Authentication Connections
  - Configure User Preferences
    - Change the Web Interface Appearance
    - Setting Your Default Time Zone
    - Configure How-To Settings
- Updates
  - Content Updates
  - Guidelines and Limitations for Content Updates
  - Update the Vulnerability Database (VDB)
    - Schedule VDB Updates
    - Manually Update the VDB
  - Update the Geolocation Database (GeoDB)
    - Schedule GeoDB Updates
    - Manually Update the GeoDB
  - Update Intrusion Rules
    - Schedule Intrusion Rule Updates
    - Manually Update Intrusion Rules
    - Import Local Intrusion Rules
      - Best Practices for Importing Local Intrusion Rules
    - View Intrusion Rule Update Logs
      - Intrusion Rule Update Log Details
- Licenses
  - About Licenses
    - Smart Software Manager and Accounts
    - How Licensing Works for the Management Center and Devices
    - Periodic Communication with the Smart Software Manager
    - Cloud-Delivered Firewall Management Center and Threat Defense Licenses
    - Out-of-Compliance State
    - Unregistered State
    - End-User License Agreement
    - License Types and Restrictions
      - Essentials Licenses
      - Malware Defense Licenses
      - IPS Licenses
      - Carrier License
      - URL Filtering Licenses
      - Secure Client Licenses
      - Licensing for Export-Controlled Functionality
      - Firewall Threat Defense Virtual Licenses
        
        Firewall Threat Defense Virtual Performance Tier Licensing Guidelines and Limitations
      - License PIDs
  - Requirements and Prerequisites for Licensing
    - Requirements and Prerequisites for Licensing for High Availability, Clustering, and Multi-Instance
      - Licensing for Device High-Availability
      - Licensing for Device Clusters
  - Create a Cisco Account
  - Create a Smart Account and Add Licenses
  - Configure Smart Licensing
    - Register the Firewall Management Center for Smart Licensing
      - Register the Firewall Management Center with the Smart Software Manager
    - Assign Licenses to Devices
      - Assign Licenses to a Single Device
      - Assign Licenses to Multiple Managed Devices
    - Manage Smart Licensing
      - Deregister the Firewall Management Center
      - Monitoring Smart License Status
      - Monitoring Smart Licenses
      - Troubleshooting Smart Licensing
  - Configure Legacy Firewall Management Center PAK-Based Licenses
  - Additional Information about Licensing
- Security Certifications Compliance
  - Security Certifications Compliance Modes
  - Security Certifications Compliance Characteristics
  - Security Certifications Compliance Recommendations
    - Appliance Hardening
    - Protecting Your Network
Optimize Firewall Performance with AIOps
- Introduction to AIOps Insights
  - About AIOps Insights
    - AIOps Licensing Requirements
    - Prerequisites to Use AIOps
  - View Summary Insights
  - Implement Best Practices and Recommendations
  - Assess and Improve Feature Adoption
  - Enable or Disable Insight Preferences and Configure Threshold Settings
    - Enable AIOps Insights
    - Traffic and Capacity Insights
    - Best Practices and Recommendations Insights
    - Feature Adoption Insights
    - Health and Operations Insights
  - Frequently Asked Questions About AIOps
  - Additional Resources
  - Troubleshooting for the Secure Firewall Threat Defense using Cloud-Delivered Firewall Management Center
Health and Monitoring
- Health
  - Requirements and Prerequisites for Health Monitoring
  - About Health Monitoring
    - Health Modules
    - Configuring Health Monitoring
  - Health Policies
    - Default Health Policy
    - Creating Health Policies
    - Apply a Health Policy
    - Edit a Health Policy
    - Set a Default Health Policy
    - Delete a Health Policy
    - Send Vendor-Neutral Telemetry Streams Using OpenConfig
      - Generate Certificates and Private Keys
      - Configure OpenConfig Streaming Telemetry
      - Troubleshoot OpenConfig Streaming Telemetry
  - Device Exclusion in Health Monitoring
    - Excluding Appliances from Health Monitoring
    - Excluding Health Policy Modules
      - Expired Health Monitor Exclusions
  - Health Monitor Alerts
    - Health Monitor Alert Information
    - Creating Health Monitor Alerts
    - Editing Health Monitor Alerts
    - Deleting Health Monitor Alerts
  - About the Health Monitor
    - Using Firewall Management Center Health Monitor
      - Running All Modules for an Appliance
      - Running a Specific Health Module
      - Generating Health Module Alert Graphs
      - Hardware Statistics on Management Center
    - Device Health Monitors
      - Viewing System Details and Troubleshooting
      - Viewing the Device Health Monitor
        
        Correlating Device Metrics
    - Cluster Health Monitor
      - Viewing the Cluster Health Monitor
    - Health Monitor Status Categories
  - Health Event Views
    - Viewing Health Events
    - Viewing the Health Events Table
    - The Health Events Table
  - About System Auditing
    - Audit Records
      - Audit Log Workflow Fields
      - The Audit Events Table View
- Troubleshooting
  - Best Practices for Troubleshooting
  - System Messages
    - Message Types
    - Message Management
  - View Basic System Information
    - View Appliance Information
  - Manage System Messages
    - View Deployment Messages
    - View Upgrade Messages
    - View Health Messages
    - View Task Messages
    - Manage Task Messages
  - Memory Usage Thresholds for Health Monitor Alerts
  - Disk Usage and Drain of Events Health Monitor Alerts
  - Clear Disk Space
  - Health Monitor Reports for Troubleshooting
    - Generate Troubleshooting Files for Specific System Functions
    - Download Advanced Troubleshooting Files
  - Enhanced Troubleshooting Experience Using Cisco RADKit Integration
    - Enroll RADKit Service
    - Manage RADKit Service Authorization
    - Enable Sudo Access for Devices
    - Download Session Logs
  - General Troubleshooting
  - Connection-Based Troubleshooting
    - Troubleshoot a Connection
  - Advanced Troubleshooting for the Secure Firewall Threat Defense Device
    - Packet Capture Overview
      - Use the Capture Trace
    - Packet Tracer Overview
      - Use the Packet Tracer
    - CPU Profiler Overview
      - Use the CPU Profiler
    - Rule Profiler Overview
      - Use the Rule Profiler
    - Use the Firewall Threat Defense Diagnostic CLI from the Web Interface
  - Feature-Specific Troubleshooting
Tools
- Backup/Restore
  - About Backup and Restore
  - Requirements for Backup and Restore
  - Guidelines and Limitations for Backup and Restore
  - Best Practices for Backup and Restore
  - Back Up Managed Devices
    - Back Up a Firewall Threat Defense Device from Cloud-delivered Firewall Management Center
  - Restore Security Cloud Control -Managed Devices
    - Restore a Firewall Threat Defense Device
    - Restore Firewall Threat Defense from Backup: Firewall Threat Defense Virtual
- Scheduling
  - About Task Scheduling
  - Requirements and Prerequisites for Task Scheduling
  - Configuring a Recurring Task
    - Scheduled Backups
      - Schedule Remote Device Backups
    - Automating Policy Deployment
    - Automating Intrusion Policy Deployment
    - Software Upgrade Automation
      - Automating Software Downloads
      - Automating Software Pushes
      - Automating Software Installs
    - Vulnerability Database Update Automation
      - Automating VDB Update Downloads
      - Automating VDB Update Installs
    - Automating URL Filtering Updates Using a Scheduled Task
  - Scheduled Task Review
    - Task List Details
    - Viewing Scheduled Tasks on the Calendar
    - Editing Scheduled Tasks
    - Deleting Scheduled Tasks
- Import/Export
  - About Configuration Import/Export
    - Configurations that Support Import/Export
    - Special Considerations for Configuration Import/Export
  - Requirements and Prerequisites for Configuration Import/Export
  - Exporting Configurations
  - Importing Configurations
    - Import Conflict Resolution
Reporting and Alerting
- External Alerting with Alert Responses
  - Secure Firewall Management Center Alert Responses
    - Configurations Supporting Alert Responses
  - Requirements and Prerequisites for Alert Responses
  - Creating an SNMP Alert Response
  - Creating a Syslog Alert Response
    - Syslog Alert Facilities
    - Syslog Severity Levels
  - Creating an Email Alert Response
  - Create a Webhook Alert Response
- External Alerting for Intrusion Events
  - About External Alerting for Intrusion Events
  - License Requirements for External Alerting for Intrusion Events
  - Requirements and Prerequisites for External Alerting for Intrusion Events
  - Configuring SNMP Alerting for Intrusion Events
    - Intrusion SNMP Alert Options
  - Configuring Syslog Alerting for Intrusion Events
    - Facilities and Severities for Intrusion Syslog Alerts
  - Configuring Email Alerting for Intrusion Events
    - Intrusion Email Alert Options
Event and Asset Analysis Tools
- Unified Events
  - About the Unified Events
  - Working with Unified Events
  - Set a Time Range in Unified Events
  - Filters in Unified Events
  - Save a Search in Unified Events
  - Load a Saved Search in Unified Events
  - Save a Column Set
  - Load a Saved Column Set
  - Unified Events Column Descriptions
- Lookups
  - Introduction to Lookups
  - Performing Whois Lookups
- Event Investigation Using Web-Based Resources
  - Event Investigation Using Web-Based Resources
    - About Managing Contextual Cross-Launch Resources
    - Requirements for Custom Contextual Cross-Launch Resources
    - Add Contextual Cross-Launch Resources
    - Investigate Events Using Contextual Cross-Launch
Events and Assets
- Security Analytics and Logging (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
  - About Security Analytics and Logging
  - Comparison of SAL Remote Event Storage and Monitoring Options
  - About SAL (OnPrem)
    - Licensing for SAL (OnPrem)
  - Manage SAL (OnPrem) for Security Cloud Control -Managed Firewall Threat Defense Devices
  - Configure SAL (OnPrem) Integration
    - Configure a Secure Network Analytics Manager
    - Configure a Secure Network Analytics Data Store
  - About SAL (SaaS)
    - Licensing for SAL (SaaS)
- Connection Logging
  - About Connection Logging
    - Connections That Are Always Logged
    - Other Connections You Can Log
    - How Rules and Policy Actions Affect Logging
      - Logging for Fastpathed Connections
      - Logging for Monitored Connections
      - Logging for Trusted Connections
      - Logging for Blocked Connections
      - Logging for Allowed Connections
    - Beginning vs End-of-Connection Logging
  - Limitations of Connection Logging
  - Best Practices for Connection Logging
  - Requirements and Prerequisites for Connection Logging
  - Configure Connection Logging
    - Logging Connections with Tunnel and Prefilter Rules
    - Logging Decryptable Connections with TLS/SSLDecryption Rules
    - Logging Connections with Security Intelligence
    - Logging Connections with Access Control Rules
    - Logging Connections with a Policy Default Action
    - Limiting Logging of Long URLs
Device Operations
- Transparent or Routed Firewall Mode
  - About the Firewall Mode
    - About Routed Firewall Mode
    - About Transparent Firewall Mode
      - Using the Transparent Firewall in Your Network
      - Passing Traffic For Routed-Mode Features
    - About Bridge Groups
      - Bridge Virtual Interface (BVI)
      - Bridge Groups in Transparent Firewall Mode
      - Bridge Groups in Routed Firewall Mode
      - Allowing Layer 3 Traffic
      - Allowed MAC Addresses
      - BPDU Handling
      - MAC Address vs. Route Lookups
      - Unsupported Features for Bridge Groups in Transparent Mode
      - Unsupported Features for Bridge Groups in Routed Mode
  - Default Settings
  - Guidelines for Firewall Mode
  - Set the Firewall Mode
- Logical Devices on the Firepower 4100/9300
  - About Interfaces
    - Chassis Management Interface
    - Interface Types
    - FXOS Interfaces vs. Application Interfaces
    - Shared Interface Scalability
      - Shared Interface Best Practices
      - Shared Interface Usage Examples
      - Viewing Shared Interface Resources
    - Inline Set Link State Propagation for the Firewall Threat Defense
  - About Logical Devices
    - Standalone and Clustered Logical Devices
    - Logical Device Application Instances: Container and Native
      - Container Instance Interfaces
      - How the Chassis Classifies Packets
      - Classification Examples
      - Cascading Container Instances
      - Typical Multi-Instance Deployment
      - Automatic MAC Addresses for Container Instance Interfaces
      - Container Instance Resource Management
      - Performance Scaling Factor for Multi-Instance Capability
      - Container Instances and High Availability
      - Container Instances and Clustering
  - Licenses for Container Instances
  - Requirements and Prerequisites for Logical Devices
    - Requirements and Prerequisites for Hardware and Software Combinations
    - Requirements and Prerequisites for Container Instances
    - Requirements and Prerequisites for High Availability
    - Requirements and Prerequisites for Clustering
  - Guidelines and Limitations for Logical Devices
    - Guidelines and Limitations for Interfaces
    - General Guidelines and Limitations
  - Configure Interfaces
    - Enable or Disable an Interface
    - Configure a Physical Interface
    - Add an EtherChannel (Port Channel)
    - Add a VLAN Subinterface for Container Instances
  - Configure Logical Devices
    - Add a Resource Profile for Container Instances
    - Add a Standalone Firewall Threat Defense
    - Add a Standalone Threat Defense for the Cisco Security Cloud Control
    - Add a High Availability Pair
    - Change an Interface on a Firewall Threat Defense Logical Device
    - Connect to the Console of the Application
- Multi-Instance Mode for the Secure Firewall 3100/4200
  - About Multi-Instance Mode
    - Multi-Instance Mode vs. Appliance Mode
    - Chassis Management Interface
    - Instance Interfaces
      - Interface Types
      - Chassis Interfaces vs. Instance Interfaces
      - Shared Interface Scalability
      - Shared Interface Best Practices
    - How the Chassis Classifies Packets
    - Classification Examples
    - Cascading Instances
    - Typical Multi-Instance Deployment
    - Automatic MAC Addresses for Instance Interfaces
    - Performance Scaling Factor for Multi-Instance Mode
    - Instances and High Availability
  - Licenses for Instances
  - Requirements and Prerequisites for Instances
  - Guidelines and Limitations for Instances
  - Configure Instances
    - Convert a Device to Multi-Instance Mode
    - Enable Multi-Instance Mode
    - Add a Multi-Instance Chassis to the Management Center
    - Configure Chassis Interfaces
      - Configure a Physical Interface
      - Configure an EtherChannel
      - Configure a Subinterface
    - Add an Instance
    - Customize the System Configuration
      - Configure SNMP
      - Import or Export the Chassis Configuration
    - Configure Chassis Platform Settings
      - Create a Chassis Platform Settings Policy
      - Configure DNS
      - Configure SSH and SSH Access List
      - Configure Syslog
      - Configure Time Synchronization
      - Configure Time Zones
    - Manage Multi-Instance Mode
      - Onboard the Multi-Instance Chassis Using the CLI
      - Change Interfaces Assigned to an Instance
      - Change Chassis Management Settings at the FXOS CLI
  - Monitoring Multi-Instance Mode
    - Monitoring Multi-Instance Setup
    - Monitoring Instance Interfaces
  - History for Multi-Instance Mode
- High Availability
  - About Secure Firewall Threat Defense High Availability
    - High Availability Support on Firewall Threat Defense Devices in a Remote Branch Office Deployment
    - High Availability System Requirements
      - Hardware Requirements
      - Software Requirements
      - License Requirements for Firewall Threat Defense Devices in a High Availability Pair
    - Failover and Stateful Failover Links
      - Failover Link
        
        Failover Link Data
        
        Interface for the Failover Link
        
        Connecting the Failover Link
      - Stateful Failover Link
        
        Shared with the Failover Link
        
        Dedicated Interface for the Stateful Failover Link
      - Avoiding Interrupted Failover and Data Links
    - MAC Addresses and IP Addresses in High Availability
    - Stateful Failover
      - Supported Features
      - Unsupported Features
    - Bridge Group Requirements for High Availability
    - Failover Health Monitoring
      - Unit Health Monitoring
      - Heartbeat Module Redundancy
      - Interface Monitoring
        
        Interface Tests
        
        Interface Status
    - Failover Triggers and Detection Timing
    - About Active/Standby Failover
      - Primary/Secondary Roles and Active/Standby Status
      - Active Unit Determination at Startup
      - Failover Events
  - Config-Sync Optimization
  - Requirements and Prerequisites for High Availability
  - Guidelines for High Availability
  - Add a High Availability Pair
  - Configure Optional High Availability Parameters
    - Configure Standby IP Addresses and Interface Monitoring
    - Edit High Availability Failover Criteria
    - Configure Virtual MAC Addresses
  - Manage High Availability
    - Switch the Active Peer in the Firewall Threat Defense High Availability Pair
    - Refresh Node Status for a Single Firewall Threat Defense High Availability Pair
    - Suspend and Resume High Availability
    - Replace a Unit in Firewall Threat Defense High Availability Pair
      - Replace a Primary Firewall Threat Defense HA Unit with no Backup
      - Replace a Secondary Firewall Threat Defense HA Unit with no Backup
    - Break a High Availability Pair
    - Remove a High Availability Pair
  - Monitoring High Availability
    - View Failover History
    - View Stateful Failover Statistics
  - Troubleshooting High Availability Break in a Remote Branch Deployment
    - How to Break a High Availability Pair in Active-Active State
    - How to Break a High Availability Pair when Active or Standby Unit has Lost Connectivity
    - How to a Break High Availability Pair when the Secondary Device is in a Failed or Disabled State
  - History for High Availability
- Clustering for the Secure Firewall 3100/4200
  - About Clustering for the Secure Firewall 3100/4200
    - How the Cluster Fits into Your Network
    - Control and Data Node Roles
    - Cluster Interfaces
    - Cluster Control Link
    - Configuration Replication
    - Management Network
  - Licenses for Clustering
  - Requirements and Prerequisites for Clustering
  - Guidelines for Clustering
  - Configure Clustering
    - About Cluster Interfaces
      - Cluster Control Link
        
        Cluster Control Link Traffic Overview
        
        Cluster Control Link Interfaces and Network
        
        Size the Cluster Control Link
        
        Cluster Control Link Redundancy
        
        Cluster Control Link Reliability
      - Spanned EtherChannels (Recommended)
        
        Spanned EtherChannel Benefits
        
        Guidelines for Maximum Throughput
        
        Load Balancing
        
        EtherChannel Redundancy
        
        Connecting to a Redundant Switch System
      - Individual Interfaces (Routed Firewall Mode Only)
        
        Policy-Based Routing
        
        Equal-Cost Multi-Path Routing
        
        Cisco Intelligent Traffic Director (Routed Firewall Mode Only)
    - Cable and Add Devices to the Firewall Management Center
    - Create a Cluster
    - Configure Interfaces
      - Configure Spanned EtherChannels
      - Configure Individual Interfaces
    - Configure Interfaces
    - Configure Cluster Health Monitor Settings
  - Manage Cluster Nodes
    - Add a New Cluster Node
    - Break a Node
    - Break the Cluster
    - Disable Clustering
    - Rejoin the Cluster
    - Change the Control Node
    - Edit the Cluster Configuration
    - Reconcile Cluster Nodes
    - Unregister the Cluster or Nodes and Register to a New Firewall Management Center
  - Monitoring the Cluster
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Troubleshooting the Cluster
    - Perform a Ping on the Cluster Control Link
  - Examples for Clustering
    - Firewall on a Stick
    - Traffic Segregation
  - Reference for Clustering
    - Firewall Threat Defense Features and Clustering
      - Unsupported Features with Clustering
      - Centralized Features for Clustering
      - Connection Settings and Clustering
      - FTP and Clustering
      - Multicast Routing in Individual Interface Mode
      - Multicast Routing in Individual Interface Mode
      - NAT and Clustering
      - Dynamic Routing
      - Dynamic Routing in Individual Interface Mode
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - Cisco TrustSec and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Node Election
    - High Availability Within the Cluster
      - Node Health Monitoring
      - Interface Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for Clustering
- Clustering for Threat Defense Virtual in a Private Cloud
  - About Threat Defense Virtual Clustering in the Private Cloud
    - How the Cluster Fits into Your Network
    - Control and Data Node Roles
    - Individual Interfaces
      - Policy-Based Routing
      - Equal-Cost Multi-Path Routing
    - Cluster Control Link
      - Cluster Control Link Traffic Overview
    - Configuration Replication
    - Management Network
  - Licenses for Threat Defense Virtual Clustering
  - Requirements and Prerequisites for Threat Defense Virtual Clustering
  - Guidelines for Threat Defense Virtual Clustering
  - Configure Threat Defense Virtual Clustering
    - Add Nodes to the Management Center
    - Create a Cluster
    - Configure Interfaces
    - Configure Cluster Health Monitor Settings
  - Manage Cluster Nodes
    - Add a New Cluster Node
    - Break a Node
    - Break the Cluster
    - Disable Clustering
    - Rejoin the Cluster
    - Change the Control Node
    - Edit the Cluster Configuration
    - Reconcile Cluster Nodes
    - Delete the Cluster or Nodes from the Management Center
  - Monitoring the Cluster
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Reference for Clustering
    - Threat Defense Features and Clustering
      - Unsupported Features and Clustering
      - Centralized Features for Clustering
      - Connection Settings and Clustering
      - Dynamic Routing and Clustering
      - FTP and Clustering
      - NAT and Clustering
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - Cisco Trustsec and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Node Election
    - High Availability within the Cluster
      - Node Health Monitoring
      - Interface Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for Threat Defense Virtual Clustering in a Private Cloud
- Clustering for Threat Defense Virtual in a Public Cloud
  - About Threat Defense Virtual Clustering in the Public Cloud
    - How the Cluster Fits into Your Network
    - Individual Interfaces
    - Control and Data Node Roles
    - Cluster Control Link
      - Cluster Control Link Traffic Overview
    - Configuration Replication
    - Management Network
  - Licenses for Threat Defense Virtual Clustering
  - Requirements and Prerequisites for Threat Defense Virtual Clustering
  - Guidelines for Threat Defense Virtual Clustering
  - Deploy the Cluster in AWS
    - AWS Gateway Load Balancer and Geneve Single-Arm Proxy
    - Sample Topology
    - AWS Gateway Load Balancer and Geneve Dual-Arm Proxy
    - End-to-End Process for Deploying Threat Defense Virtual Cluster on AWS
    - Templates
    - Deploy the Stack in AWS Using a CloudFormation Template
      - Management Center NAT Configuration for Dual-Arm Deployment
    - Deploy the Cluster in AWS Manually
      - Create the Day0 Configuration for AWS
        
        Create the Day0 Configuration With a Fixed Configuration for AWS
      - Deploy Cluster Nodes
  - Deploy the Cluster in Azure
    - Sample Topology for GWLB-based Cluster Deployment
    - Azure Gateway Load Balancer and Paired Proxy
    - End-to-End Process for Deploying Threat Defense Virtual Cluster in Azure with GWLB
    - Templates
    - Prerequisites
    - Deploy Cluster on Azure with GWLB Using an Azure Resource Manager Template
    - Sample Topology for NLB-based Cluster Deployment
    - End-to-End Process for Deploying Threat Defense Virtual Cluster in Azure with NLB
    - Templates
    - Prerequisites
    - Deploy Cluster on Azure with NLB Using an Azure Resource Manager Template
    - Deploy the Cluster in Azure Manually
      - Create the Day0 Configuration for Azure
        
        Create the Day0 Configuration With a Fixed Configuration for Azure
        
        Create the Day0 Configuration With a Customized Configuration for Azure
      - Deploy Cluster Nodes Manually - GWLB-based Deployment
    - Deploy Cluster Nodes Manually - NLB-based Deployment
    - Troubleshooting Cluster Deployment in Azure
  - Deploy the Cluster in GCP
    - Sample Topology
    - End-to-End Process for Deploying Threat Defense Virtual Cluster in GCP
    - Templates
    - Deploy the Instance Group in GCP Using an Instance Template
    - Deploy the Cluster in GCP Manually
      - Create the Day0 Configuration for GCP
        
        Create the Day0 Configuration With a Fixed Configuration for GCP
        
        Create the Day0 Configuration With a Customized Configuration for GCP
      - Deploy Cluster Nodes Manually
    - Allow Health Checks for GCP Network Load Balancers
  - Add the Cluster to the Management Center (Manual Deployment)
  - Configure Cluster Health Monitor Settings
  - Manage Cluster Nodes
    - Disable Clustering
    - Rejoin the Cluster
    - Reconcile Cluster Nodes
    - Unregister the Cluster or Nodes and Register to a New Firewall Management Center
  - Monitoring the Cluster
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Upgrading the Cluster
  - Reference for Clustering
    - Threat Defense Features and Clustering
      - Unsupported Features and Clustering
      - Centralized Features for Clustering
      - Cisco Trustsec and Clustering
      - Connection Settings and Clustering
      - Dynamic Routing and Clustering
      - FTP and Clustering
      - NAT and Clustering
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Node Election
    - High Availability within the Cluster
      - Node Health Monitoring
      - Interface Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for Threat Defense Virtual Clustering in the Public Cloud
- Clustering for the Firepower 4100/9300
  - About Clustering on the Firepower 4100/9300 Chassis
    - Bootstrap Configuration
    - Cluster Members
    - Cluster Control Link
      - Size the Cluster Control Link
      - Cluster Control Link Redundancy
      - Cluster Control Link Reliability for Inter-Chassis Clustering
      - Cluster Control Link Network
    - Management Network
    - Management Interface
    - Cluster Interfaces
      - Spanned EtherChannels
    - Configuration Replication
  - Licenses for Clustering
  - Requirements and Prerequisites for Clustering
  - Clustering Guidelines and Limitations
  - Configure Clustering
    - FXOS: Add a Firewall Threat Defense Cluster
      - Create a Firewall Threat Defense Cluster
      - Add More Cluster Nodes
    - Firewall Management Center : Add a Cluster
    - Firewall Management Center : Configure Cluster, Data Interfaces
    - Firewall Management Center : Configure Cluster Health Monitor Settings
  - FXOS: Remove a Cluster Node
  - Firewall Management Center : Manage Cluster Members
    - Add a New Cluster Member
    - Replace a Cluster Member
    - Deactivate a Member
    - Rejoin the Cluster
    - Unregister a Data Node
    - Change the Control Unit
    - Reconcile Cluster Members
  - Firewall Management Center : Monitoring the Cluster
    - Cluster Health Monitor Dashboard
      - Viewing Cluster Health
      - Cluster Metrics
  - Examples for Clustering
    - Firewall on a Stick
    - Traffic Segregation
  - Reference for Clustering
    - Firewall Threat Defense Features and Clustering
      - Unsupported Features with Clustering
      - Centralized Features for Clustering
      - Connection Settings
      - Dynamic Routing and Clustering
      - FTP and Clustering
      - Multicast Routing and Clustering
      - NAT and Clustering
      - SIP Inspection and Clustering
      - SNMP and Clustering
      - Syslog and Clustering
      - TLS/SSL Connections and Clustering
      - Cisco TrustSec and Clustering
      - VPN and Clustering
    - Performance Scaling Factor
    - Control Unit Election
    - High Availability Within the Cluster
      - Chassis-Application Monitoring
      - Unit Health Monitoring
      - Interface Monitoring
      - Decorator Application Monitoring
      - Status After Failure
      - Rejoining the Cluster
      - Data Path Connection State Replication
    - How the Cluster Manages Connections
      - Connection Roles
      - New Connection Ownership
      - Sample Data Flow for TCP
      - Sample Data Flow for ICMP and UDP
  - History for Clustering
Interfaces and Device Settings
- Interface Overview
  - Management Interface
    - Management Interface
    - Diagnostic Interface
  - Interface Mode and Types
  - Security Zones and Interface Groups
  - Auto-MDI/MDIX Feature
  - Redundant Interfaces (Deprecated)
  - Default Settings for Interfaces
  - Create Security Zone and Interface Group Objects
  - Enable the Physical Interface and Configure Ethernet Settings
  - Configure EtherChannel Interfaces
    - About EtherChannels
      - About EtherChannels
        
        Channel Group Interfaces
        
        Connecting to an EtherChannel on Another Device
        
        Link Aggregation Control Protocol
        
        Load Balancing
        
        EtherChannel MAC Address
    - Guidelines for EtherChannels
    - Configure an EtherChannel
  - Sync Interface Changes with the Firewall Management Center
  - Manage the Network Module for the Secure Firewall 3100/4200
    - Configure Breakout Ports
    - Add a Network Module
    - Hot Swap the Network Module
    - Replace the Network Module with a Different Type
    - Remove the Network Module
  - Merge the Management and Diagnostic Interfaces
    - Unmerge the Management Interface
  - History for Interfaces
- Regular Firewall Interfaces
  - Requirements and Prerequisites for Regular Firewall Interfaces
  - Configure Firepower 1010 and Secure Firewall 1210/1220 Switch Ports
    - About Switch Ports
      - Understanding Switch Ports and Interfaces
      - Auto-MDI/MDIX Feature
    - Guidelines and Limitations for Switch Ports
    - Configure Switch Ports and Power Over Ethernet
      - Enable or Disable Switch Port Mode
      - Configure a VLAN Interface
      - Configure Switch Ports as Access Ports
      - Configure Switch Ports as Trunk Ports
      - Configure Power Over Ethernet
  - Configure Loopback Interfaces
    - About Loopback Interfaces
    - Guidelines and Limitations for Loopback Interfaces
    - Configure a Loopback Interface
    - Rate-Limit Traffic to the Loopback Interface
  - Configure VLAN Subinterfaces and 802.1Q Trunking
    - Guidelines and Limitations for VLAN Subinterfaces
    - Maximum Number of VLAN Subinterfaces by Device Model
    - Add a Subinterface
  - Configure VXLAN Interfaces
    - About VXLAN Interfaces
      - Encapsulation
      - VXLAN Tunnel Endpoint
      - VTEP Source Interface
      - VNI Interfaces
      - VXLAN Packet Processing
      - Peer VTEPs
      - VXLAN Use Cases
        
        VXLAN Bridge or Gateway Overview
        
        VXLAN Bridge
        
        VXLAN Gateway (Routed Mode)
        
        Router Between VXLAN Domains
        
        Geneve Single-Arm Proxy
        
        Azure Gateway Load Balancer and Paired Proxy
    - Requirements and Prerequisites for VXLAN Interfaces
    - Guidelines for VXLAN Interfaces
    - Configure VXLAN or Geneve Interfaces
      - Configure VXLAN Interfaces
        
        Configure the VTEP Source Interface
        
        Configure the VNI Interface
      - Configure Geneve Interfaces
        
        Configure the VTEP Source Interface
        
        Configure the VNI
    - Allow Gateway Load Balancer Health Checks
  - Configure Routed and Transparent Mode Interfaces
    - About Routed and Transparent Mode Interfaces
      - Dual IP Stack (IPv4 and IPv6)
      - 31-Bit Subnet Mask
        
        31-Bit Subnet and Clustering
        
        31-Bit Subnet and Failover
        
        31-Bit Subnet and Management
        
        31-Bit Subnet Unsupported Features
    - Guidelines and Limitations for Routed and Transparent Mode Interfaces
    - Configure Routed Mode Interfaces
    - Configure Bridge Group Interfaces
      - Configure General Bridge Group Member Interface Parameters
      - Configure the Bridge Virtual Interface (BVI)
    - Configure IPv6 Addressing
      - About IPv6
        
        IPv6 Addressing
        
        Modified EUI-64 Interface IDs
      - Configure the IPv6 Prefix Delegation Client
        
        About IPv6 Prefix Delegation
        
        IPv6 Prefix Delegation /64 Subnet Example
        
        IPv6 Prefix Delegation /62 Subnet Example
        
        Enable the IPv6 Prefix Delegation Client
      - Configure a Global IPv6 Address
      - Configure IPv6 Neighbor Discovery
  - Configure Advanced Interface Settings
    - About Advanced Interface Configuration
      - About MAC Addresses
        
        Default MAC Addresses
      - About the MTU
        
        Path MTU Discovery
        
        Default MTU
        
        MTU and Fragmentation
        
        MTU and Jumbo Frames
      - About the TCP MSS
        
        Default TCP MSS
        
        Suggested Maximum TCP MSS Setting
      - ARP Inspection for Bridge Group Traffic
      - MAC Address Table
    - Default Settings
    - Guidelines for ARP Inspection and the MAC Address Table
    - Configure the MTU
    - Configure the MAC Address
    - Add a Static ARP Entry
    - Add a Static MAC Address and Disable MAC Learning for a Bridge Group
    - Set Security Configuration Parameters
  - History for Regular Firewall Interfaces
- Inline Sets and Passive Interfaces
  - About IPS Interfaces
    - Inline Sets
      - Multiple Inline Pairs and Asynchronous Routing
    - Passive Interfaces
    - About Hardware Bypass for Inline Sets
      - Hardware Bypass Triggers
      - Hardware Bypass Switchover
      - Snort Fail Open vs. Hardware Bypass
      - Hardware Bypass Status
  - Requirements and Prerequisites for Inline Sets
  - Guidelines for Inline Sets and Passive Interfaces
  - Configure a Passive Interface
  - Configure an Inline Set
- DHCP and DDNS
  - About DHCP and DDNS Services
    - About the DHCPv4 Server
      - DHCP Options
    - About the DHCPv6 Stateless Server
    - About the DHCP Relay Agent
  - Requirements and Prerequisites for DHCP and DDNS
  - Guidelines for DHCP and DDNS Services
  - Configure the DHCPv4 Server
  - Configure the DHCPv6 Stateless Server
    - Create the DHCP IPv6 Pool
    - Enable the DHCPv6 Stateless Server
  - Configure the DHCP Relay Agent
  - Configure Dynamic DNS
  - History for DHCP and DDNS
- SNMP for the Firepower 1000
  - About SNMP for the Firepower 1000
  - Enabling SNMP and Configuring SNMP Properties for Firepower 1000
  - Creating an SNMP Trap for Firepower 1000
  - Creating an SNMP User for Firepower 1000
- Quality of Service
  - Introduction to QoS
  - About QoS Policies
  - Requirements and Prerequisites for QoS
  - Rate Limiting with QoS Policies
    - Creating a QoS Policy
    - Setting Target Devices for a QoS Policy
    - Configuring QoS Rules
      - QoS Rule Components
    - QoS Rule Conditions
      - Interface Rule Conditions
      - Network Rule Conditions
      - User Rule Conditions
      - Application Rule Conditions
      - Port Rule Conditions
        
        Port, Protocol, and ICMP Code Rule Conditions
      - URL Rule Conditions
      - Custom SGT Rule Conditions
      - ISE SGT vs Custom SGT Rule Conditions
      - Autotransition from Custom SGTs to ISE SGTs
- Platform Settings
  - Introduction to Platform Settings
  - Requirements and Prerequisites for Platform Settings Policies
  - Manage Platform Settings Policies
  - ARP Inspection
  - Banner
  - DNS
  - External Authentication
  - Enable Virtual-Router-Aware Interface for External Authentication of Platform
  - Fragment Settings
  - HTTP Access
  - ICMP Access
  - NetFlow
    - Add Collector in NetFlow
    - Add Traffic Class to NetFlow
  - SSH Access
  - SMTP Server
  - SNMP
    - About SNMP
      - SNMP Terminology
      - MIBs and Traps
      - Supported Tables and Objects in MIBs
    - Add SNMPv3 Users
    - Add SNMP Hosts
    - Configure SNMP Traps
  - SSL
    - About SSL Settings
  - Syslog
    - About Syslog
    - Severity Levels
    - Syslog Message Filtering
    - Syslog Message Classes
    - Guidelines for Logging
    - Configure Syslog Logging for Firewall Threat Defense Devices
      - Firewall Threat Defense Platform Settings That Apply to Security Event Syslog Messages
      - Enable Logging and Configure Basic Settings
      - Enable Logging Destinations
      - Send Syslog Messages to an E-mail Address
      - Create a Custom Event List
      - Limit the Rate of Syslog Message Generation
      - Configure Syslog Settings
      - Configure a Syslog Server
  - Timeouts
  - Time Synchronization
  - Time Zone
  - UCAPL/CC Compliance
  - Performance Profile
- Network Address Translation
  - Why Use NAT?
  - NAT Basics
    - NAT Terminology
    - NAT Types
    - NAT in Routed and Transparent Mode
      - NAT in Routed Mode
      - NAT in Transparent Mode or Within a Bridge Group
    - Auto NAT and Manual NAT
      - Auto NAT
      - Manual NAT
      - Comparing Auto NAT and Manual NAT
    - NAT Rule Order
    - NAT Interfaces
    - NAT Exemption
    - Configuring Routing for NAT
      - Addresses on the Same Network as the Mapped Interface
      - Addresses on a Unique Network
      - The Same Address as the Real Address (Identity NAT)
  - Requirements and Prerequisites for NAT Policies
  - Guidelines for NAT
    - Firewall Mode Guidelines for NAT
    - IPv6 NAT Guidelines
    - IPv6 NAT Best Practices
    - NAT Support for Inspected Protocols
    - FQDN Destination Guidelines
    - Additional Guidelines for NAT
  - Manage NAT Policies
    - Creating NAT Policies
    - Configuring NAT Policy Targets
  - Configure NAT for Threat Defense
    - Customizing NAT Rules for Multiple Devices
    - Searching and Filtering the NAT Rule Table
    - Enabling, Disabling, or Deleting Multiple Rules
    - Dynamic NAT
      - About Dynamic NAT
      - Dynamic NAT Disadvantages and Advantages
      - Configure Dynamic Auto NAT
      - Configure Dynamic Manual NAT
    - Dynamic PAT
      - About Dynamic PAT
      - Dynamic PAT Disadvantages and Advantages
      - PAT Pool Object Guidelines
      - Configure Dynamic Auto PAT
      - Configure Dynamic Manual PAT
      - Configure PAT with Port Block Allocation
    - Static NAT
      - About Static NAT
        
        Static NAT with Port Translation
        
        One-to-Many Static NAT
        
        Other Mapping Scenarios (Not Recommended)
      - Configure Static Auto NAT
      - Configure Static Manual NAT
    - Identity NAT
      - Configure Identity Auto NAT
      - Configure Identity Manual NAT
    - NAT Rule Properties for Firewall Threat Defense
      - Interface Objects NAT Properties
      - Translation Properties for Auto NAT
      - Translation Properties for Manual NAT
      - PAT Pool NAT Properties
      - Advanced NAT Properties
  - Translating IPv6 Networks
    - NAT64/46: Translating IPv6 Addresses to IPv4
      - NAT64/46 Example: Inside IPv6 Network with Outside IPv4 Internet
      - NAT64/46 Example: Inside IPv6 Network with Outside IPv4 Internet and DNS Translation
    - NAT66: Translating IPv6 Addresses to Different IPv6 Addresses
      - NAT66 Example, Static Translation between Networks
      - NAT66 Example, Simple IPv6 Interface PAT
  - Monitoring NAT
  - Examples for NAT
    - Providing Access to an Inside Web Server (Static Auto NAT)
    - Dynamic Auto NAT for Inside Hosts and Static NAT for an Outside Web Server
    - Inside Load Balancer with Multiple Mapped Addresses (Static Auto NAT, One-to-Many)
    - Single Address for FTP, HTTP, and SMTP (Static Auto NAT-with-Port-Translation)
    - Different Translation Depending on the Destination (Dynamic Manual PAT)
    - Different Translation Depending on the Destination Address and Port (Dynamic Manual PAT)
    - NAT and Site-to-Site VPN
    - Rewriting DNS Queries and Responses Using NAT
      - DNS64 Reply Modification
      - DNS Reply Modification, DNS Server on Outside
      - DNS Reply Modification, DNS Server on Host Network
- Alarms for the Cisco ISA 3000
  - About Alarms
    - Alarm Input Interfaces
    - Alarm Output Interface
    - Syslog Alarms
    - SNMP Alarms
  - Defaults for Alarms
  - Requirements and Prerequisites for Alarms
  - Configure the Alarms for the ISA 3000
    - Configure Alarm Input Contacts
    - Configure Power Supply Alarms
    - Configure Temperature Alarms
  - Monitoring Alarms
    - Monitoring Alarm Status
    - Monitoring Syslog Messages for Alarms
    - Turning Off the External Alarm
Routing
- Static and Default Routes
  - About Static and Default Routes
    - Default Route
    - Static Routes
    - Route to null0 Interface to Drop Unwanted Traffic
    - Route Priorities
    - Transparent Firewall Mode and Bridge Group Routes
    - Static Route Tracking
  - Requirements and Prerequisites for Static Routes
  - Guidelines for Static and Default Routes
  - Add a Static Route
  - Reference for Routing
    - Path Determination
    - Supported Route Types
      - Static Versus Dynamic
      - Single-Path Versus Multipath
      - Flat Versus Hierarchical
      - Link-State Versus Distance Vector
    - Supported Internet Protocols for Routing
    - Routing Table
      - How the Routing Table Is Populated
        
        Administrative Distances for Routes
        
        Backup Dynamic and Floating Static Routes
      - How Forwarding Decisions Are Made
      - Dynamic Routing and High Availability
      - Dynamic Routing in Clustering
      - Dynamic Routing in Individual Interface Mode
    - Routing Table for Management Traffic
    - Equal-Cost Multi-Path (ECMP) Routing
    - About Route Maps
      - Permit and Deny Clauses
      - Match and Set Clause Values
- Virtual Routers
  - About Virtual Routers and Virtual Routing and Forwarding (VRF)
    - About Virtual Routers and Dynamic VTI
      - How to Configure a Virtual Router with Dynamic VTI
    - Applications of Virtual Routers
    - Global and User-Defined Virtual Routers
    - Configuring Policies to be Virtual-Router-Aware
    - Interconnecting Virtual Routers
    - Overlapping IP Addresses
    - Configuring SNMP on User-Defined Virtual Routers
  - Maximum Number of Virtual Routers By Device Model
  - Requirements and Prerequisites for Virtual Routers
  - Guidelines and Limitations for Virtual Routers
  - Modifications to the Firewall Management Center Web Interface - Routing Page
  - Manage Virtual Routers
  - Create a Virtual Router
    - Configure a Virtual Router
    - Modify a Virtual Router
    - Remove Virtual Routers
  - Monitoring Virtual Routers
  - Configuration Examples for Virtual Routers
    - How to Route to a Distant Server through Virtual Routers
    - How to Provide Internet Access with Overlapping Address Spaces
    - How to Allow RA VPN Access to Internal Networks in Virtual Routing
    - How to Secure Traffic from Networks in Multiple Virtual Routers over a Site-to-Site VPN
    - How to Secure Traffic from Networks with Multiple Virtual Routers over a Site-to-Site VPN with Dynamic VTI
    - How to Route Traffic between Two Overlapping Network Host in Virtual Routing
    - How to Manage Overlapping Segments in Routed Firewall Mode with BVI Interfaces
    - How to Configure User Authentication with Overlapping Networks
    - How to Interconnect Virtual Routers using BGP
- ECMP
  - About ECMP
  - Guidelines and Limitations for ECMP
  - Manage ECMP Page
  - Create an ECMP Zone
  - Configure an Equal Cost Static Route
  - Modify an ECMP Zone
  - Remove an ECMP Zone
  - Configuration Example for ECMP
- Bidirectional Forwarding Detection Routing
  - About BFD Routing
  - Guidelines for BFD Routing
  - Configure BFD
    - Configure BFD Policies
      - Configure Single-Hop BFD Policies
      - Configure Multi-Hop BFD Policies
  - History for BFD Routing
- OSPF
  - OSPF
    - About OSPF
    - OSPF Support for Fast Hello Packets
      - Prerequisites for OSPF Support for Fast Hello Packets
      - OSPF Hello Interval and Dead Interval
      - OSPF Fast Hello Packets
      - Benefits of OSPF Fast Hello Packets
    - Implementation Differences Between OSPFv2 and OSPFv3
  - Requirements and Prerequisites for OSPF
  - Guidelines for OSPF
  - Configure OSPFv2
    - Configure OSPF Areas, Ranges, and Virtual Links
    - Configure OSPF Redistribution
    - Configure OSPF Inter-Area Filtering
    - Configure OSPF Filter Rules
    - Configure OSPF Summary Addresses
    - Configure OSPF Interfaces and Neighbors
    - Configure OSPF Advanced Properties
  - Configure OSPFv3
    - Configure OSPFv3 Areas, Route Summaries, and Virtual Links
    - Configure OSPFv3 Redistribution
    - Configure OSPFv3 Summary Prefixes
    - Configure OSPFv3 Interfaces, Authentication, and Neighbors
    - Configure OSPFv3 Advanced Properties
  - History for OSPF
- EIGRP
  - About EIGRP Routing
  - Requirements and Prerequisites for EIGRP
  - Guidelines and Limitations of EIGRP Routing
  - Configure EIGRP
    - Configure EIGRP Settings
    - Configure EIGRP Neighbors Settings
    - Configure EIGRP Filter Rules Settings
    - Configure EIGRP Redistribution Settings
    - Configure EIGRP Summary Address Settings
    - Configure EIGRP Interfaces Settings
    - Configure EIGRP Advanced Settings
- BGP
  - About BGP
    - Routing Table Changes
    - When to Use BGP
    - BGP Path Selection
      - BGP Multipath
  - Requirements and Prerequisites for BGP
  - Guidelines for BGP
  - Configure BGP
    - Configure BGP Basic Settings
    - Configure BGP General Settings
    - Configure BGP Neighbor Settings
    - Configure BGP Aggregate Address Settings
    - Configure BGPv4 Filtering Settings
    - Configure BGP Network Settings
    - Configure BGP Redistribution Settings
    - Configure BGP Route Injection Settings
    - Configure BGP Route Import/Export Settings
- RIP
  - About RIP
    - Routing Update Process
    - RIP Routing Metric
    - RIP Stability Features
    - RIP Timers
  - Requirements and Prerequisites for RIP
  - Guidelines for RIP
  - Configure RIP
- Multicast
  - About Multicast Routing
    - IGMP Protocol
    - Stub Multicast Routing
    - PIM Multicast Routing
    - PIM Source Specific Multicast Support
    - Multicast Bidirectional PIM
    - PIM Bootstrap Router (BSR)
      - PIM Bootstrap Router (BSR) Terminology
    - Multicast Group Concept
      - Multicast Addresses
    - Clustering
  - Requirements and Prerequisites for Multicast Routing
  - Guidelines for Multicast Routing
  - Configure IGMP Features
    - Enable Multicast Routing
    - Configure IGMP Protocol
    - Configure IGMP Access Groups
    - Configure IGMP Static Groups
    - Configure IGMP Join Groups
  - Configure PIM Features
    - Configure PIM Protocol
    - Configure PIM Neighbor Filters
    - Configure PIM Bidirectional Neighbor Filters
    - Configure PIM Rendezvous Points
    - Configure PIM Route Trees
    - Configure PIM Request Filters
    - Configure the Secure Firewall Threat Defense Device as a Candidate Bootstrap Router
  - Configure Multicast Routes
  - Configure Multicast Boundary Filters
- Policy Based Routing
  - About Policy Based Routing
  - Guidelines and Limitations for Policy Based Routing
  - Path Monitoring
    - Configure Path Monitoring Settings
  - Configure Policy-Based Routing Policy
    - Add Path Monitoring Dashboard
  - Configuration Example for Policy Based Routing
  - Configuration Example for PBR with Path Monitoring
Objects and Certificates
- Object Management
  - Introduction to Objects
  - The Object Manager
    - Importing Objects
    - Editing Objects
    - Viewing Objects and Their Usage
    - Filtering Objects or Object Groups
    - Object Groups
      - Grouping Reusable Objects
    - Object Overrides
      - Managing Object Overrides
      - Allowing Object Overrides
      - Adding Object Overrides
      - Editing Object Overrides
  - AAA Server
    - Add a RADIUS Server Group
      - RADIUS Server Group Options
      - RADIUS Server Options
      - RADIUS Server-Enabled Message Authenticator Compatibility Matrix
    - Add a Single Sign-on Server
  - Access List
    - Configure Extended ACL Objects
    - Configure a Service Access Object
    - Configure Standard ACL Objects
  - Address Pools
  - Application Filters
  - AS Path
  - BFD Template
  - Cipher Suite List
    - Creating Cipher Suite Lists
  - Community List
    - Extended Community
  - DHCP IPv6 Pool
  - Distinguished Name
    - Creating Distinguished Name Objects
  - DNS Server Group
    - Creating DNS Server Group Objects
  - External Attributes
    - Dynamic Objects
      - Create Dynamic Objects with Cloud-Delivered Firewall Management Center
      - Create Dynamic Objects with Cloud-Delivered Firewall Management Center and On-Premises Cisco Secure Dynamic Attributes Connector
      - Work With Dynamic Objects
      - Dynamic Object Mappings
      - About API-Created Dynamic Objects
        
        Add or Edit an API-Created Dynamic Object
    - Security Group Tag
      - Creating Security Group Tag Objects
  - File List
    - Source Files for File Lists
    - Adding Individual SHA-256 Values to File Lists
    - Uploading Individual Files to File Lists
    - Uploading Source Files to File Lists
    - Editing SHA-256 Values in File Lists
    - Downloading Source Files from File Lists
  - FlexConfig
  - Geolocation
    - Creating Geolocation Objects
  - Interface
  - Key Chain
    - Creating Key Chain Objects
  - Network
    - Network Wildcard Mask
    - Creating Network Objects
    - Importing Network Objects
    - Editing and Deleting Network Objects and Groups
  - PKI
    - Internal Certificate Authority Objects
      - CA Certificate and Private Key Import
      - Importing a CA Certificate and Private Key
      - Generating a New CA Certificate and Private Key
      - New Signed Certificates
      - Creating an Unsigned CA Certificate and CSR
      - Uploading a Signed Certificate Issued in Response to a CSR
      - CA Certificate and Private Key Downloads
      - Downloading a CA Certificate and Private Key
    - Trusted Certificate Authority Objects
      - Trusted CA Object
      - Adding a Trusted CA Object
      - Certificate Revocation Lists in Trusted CA Objects
      - Adding a Certificate Revocation List to a Trusted CA Object
    - External Certificate Objects
      - Adding External Certificate Objects
    - Internal Certificate Objects
      - Adding Internal Certificate Objects
    - Certificate Enrollment Objects
      - Adding Certificate Enrollment Objects
      - Add Certificate Enrollment
      - Certificate Enrollment Object EST Options
      - Certificate Enrollment Object SCEP Options
      - Certificate Enrollment Object Certificate Parameters
      - Certificate Enrollment Object Key Options
        
        PKI Enrollment of Certificates with Weak-Crypto
      - Certificate Enrollment Object Revocation Options
  - Policy List
  - Port
    - Creating Port Objects
    - Importing Port Objects
  - Prefix List
    - Configure IPv6 Prefix List
    - Configure IPv4 Prefix List
  - Route Map
  - Security Intelligence
    - How to Modify Security Intelligence Objects
    - Global and Domain Security Intelligence Lists
      - Security Intelligence Lists and Multitenancy
      - Delete Entries from Global Security Intelligence Lists
    - List and Feed Updates for Security Intelligence
      - Changing the Update Frequency for Security Intelligence Feeds
    - Custom Security Intelligence Lists and Feeds
      - Custom Lists and Feeds: Requirements
      - URL Lists and Feeds: URL Syntax and Matching Criteria
      - Custom Security Intelligence Feeds
        
        Creating Security Intelligence Feeds
        
        Manually Updating Security Intelligence Feeds
      - Custom Security Intelligence Lists
        
        Uploading New Security Intelligence Lists to the Secure Firewall Management Center
        
        Updating Security Intelligence Lists
  - Sinkhole
    - Creating Sinkhole Objects
  - SLA Monitor
  - Time Range
    - Creating Time Range Objects
  - Time Zone
  - Tunnel Zone
  - URL
    - Creating URL Objects
  - Variable Set
    - Variable Sets in Intrusion Policies
    - Variables
      - Predefined Default Variables
      - Network Variables
      - Port Variables
      - Advanced Variables
      - Variable Reset
      - Adding Variables to Sets
        
        Example: Adding User-Defined Variables to Default Sets
        
        Example: Adding User-Defined Variables to Custom Sets
    - Nesting Variables
    - Managing Variable Sets
      - Creating Variable Sets
    - Managing Variables
      - Adding Variables
      - Editing Variables
  - VLAN Tag
    - Creating VLAN Tag Objects
  - VPN
    - Certificate Map Objects
    - Secure Client Custom Attributes Objects
      - Add Secure Client Custom Attributes Objects
      - Add Custom Attributes to a Group Policy
    - Firewall Threat Defense Group Policy Objects
      - Configure Group Policy Objects
      - Group Policy General Options
      - Group Policy Secure Client Options
      - Group Policy Advanced Options
    - Firewall Threat Defense IPsec Proposals
      - Configure IKEv1 IPsec Proposal Objects
      - Configure IKEv2 IPsec Proposal Objects
    - Firewall Threat Defense IKE Policies
      - Configure IKEv1 Policy Objects
      - Configure IKEv2 Policy Objects
    - Secure Client Customization
    - File Objects
- Certificates
  - Requirements and Prerequisites for Certificates
  - Secure Firewall Threat Defense VPN Certificate Guidelines and Limitations
  - Managing Firewall Threat Defense Certificates
    - Automatically Update CA Bundles
  - Installing a Certificate Using Self-Signed Enrollment
  - Installing a Certificate using EST Enrollment
  - Installing a Certificate Using SCEP Enrollment
  - Installing a Certificate Using Manual Enrollment
  - Installing a Certificate Using a PKCS12 File
  - Troubleshooting Firewall Threat Defense Certificates
  - History for Certificates
SD-WAN
- SD-WAN Capabilities
  - Overview of SD-WAN Capabilities
  - Using SD-WAN Wizard for Secure Branch Network Deployment
    - Guidelines and Limitations for Using SD-WAN Wizard
    - Prerequisites for Using the SD-WAN Wizard
    - Configure an SD-WAN Topology Using the SD-WAN Wizard
      - Add a Dynamic Virtual Tunnel Interface for a Hub
    - Sample Configurations for Dual ISP Deployment Using SD-WAN Wizard
      - Dual ISP Deployment: Two Hubs and Four Spokes in the Same Region
      - Dual ISP Deployment: Two Hubs and Four Spokes in Different Regions
    - Verify Tunnel Statuses of an SD-WAN Topology
VPN
- VPN Overview
  - VPN Types
  - VPN Basics
    - Internet Key Exchange (IKE)
    - IPsec
  - VPN Packet Flow
  - IPsec Flow Offload
  - VPN Licensing
  - How Secure Should a VPN Connection Be?
    - Complying with Security Certification Requirements
    - Deciding Which Encryption Algorithm to Use
    - Deciding Which Hash Algorithms to Use
    - Deciding Which Diffie-Hellman Modulus Group to Use
    - Deciding Which Authentication Method to Use
      - Pre-shared Keys
      - PKI Infrastructure and Digital Certificates
  - Removed or Deprecated Hash Algorithms, Encryption Algorithms, and Diffie-Hellman Modulus Groups
  - VPN Topology Options
    - Point-to-Point VPN Topology
    - Hub and Spoke VPN Topology
    - Full Mesh VPN Topology
    - Implicit Topologies
- Site-to-Site VPNs
  - About Site-to-Site VPN
    - Secure Firewall Threat Defense Site-to-site VPN Guidelines and Limitations
  - Types of Site-to-Site VPN Topologies
  - Requirements and Prerequisites for Site-to-Site VPN
  - Manage Site-to-Site VPNs
  - Configure a Policy-based Site-to-Site VPN
    - Firewall Threat Defense VPN Endpoint Options
    - Firewall Threat Defense VPN IKE Options
    - Firewall Threat Defense VPN IPsec Options
    - Firewall Threat Defense Advanced Site-to-site VPN Deployment Options
      - Firewall Threat Defense VPN Advanced IKE Options
      - Firewall Threat Defense VPN Advanced IPsec Options
      - Firewall Threat Defense Advanced Site-to-site VPN Tunnel Options
  - About Virtual Tunnel Interfaces
    - Static VTI
    - Dynamic VTI
  - Guidelines and Limitations for Virtual Tunnel Interfaces
  - Add a VTI Interface
  - Create a Route-based Site-to-Site VPN
    - Configure Endpoints for a Point to Point Topology
      - Advanced Configurations for a Point to Point Topology in a Route-based VPN
    - Configure Endpoints for a Hub and Spoke Topology
      - Advanced Configurations for Hub and Spokes in a Route-based VPN
    - Configure Multiple Hubs in a Route-based VPN
      - Configure Routing for Multiple Hubs in a Route-based VPN
      - Verify the Multiple Hubs Configuration in a Route-based VPN
  - Route Traffic Through a Backup VTI Tunnel
  - Configure Dynamic VTI for a Route-based Site-to-Site VPN
  - How to Configure a Virtual Router with Dynamic VTI
  - Configure Routing and AC Policies for VTI
  - View Virtual Tunnel Information
  - Deploy a SASE Tunnel on Umbrella
  - Guidelines and Limitations for Configuring SASE Tunnels on Umbrella
  - How to Deploy a SASE Tunnel on Umbrella
    - Prerequisites for Configuring Umbrella SASE Tunnels
    - Map Management Center Umbrella Parameters and Cisco Umbrella API Keys
    - Configure a SASE Tunnel for Umbrella
      - View SASE Tunnel Status
  - Monitoring the Site-to-Site VPNs
  - History for Site-to-Site VPN
- Remote Access VPN
  - Remote Access VPN Overview
    - Remote Access VPN Features
    - Secure Client Components
    - Remote Access VPN Authentication
      - Understanding Policy Enforcement of Permissions and Attributes
      - Understanding AAA Server Connectivity
  - License Requirements for Remote Access VPN
  - Requirements and Prerequisites for Remote Access VPN
  - Guidelines and Limitations for Remote Access VPNs
  - Configuring a New Remote Access VPN Connection
    - Prerequisites for Configuring Remote Access VPN
    - Create a New Remote Access VPN Policy
    - Update the Access Control Policy on the Secure Firewall Threat Defense Device
    - (Optional) Configure NAT Exemption
    - Configure DNS
    - Add Secure Client Profile XML File
    - (Optional) Configure Split Tunneling
    - (Optional) Configure Dynamic Split Tunneling
      - Verify Dynamic Split Tunneling Configuration
    - Verify the Configuration
  - Create a Copy of an Existing Remote Access VPN Policy
  - Set Target Devices for a Remote Access VPN Policy
  - Associate Local Realm with Remote Access VPN Policy
  - Additional Remote Access VPN Configurations
    - Configure Connection Profile Settings
      - Configure IP Addresses for VPN Clients
      - Configure AAA Settings for Remote Access VPN
        
        RADIUS Server Attributes for Secure Firewall Threat Defense
      - Create or Update Aliases for a Connection Profile
    - Configure Access Interfaces for Remote Access VPN
    - Configure Advanced Options for Remote Access VPN
      - Cisco Secure Client Image
        
        Adding a Secure Client Image to the Secure Firewall Management Center
        
        Update Secure Client Image for Remote Access VPN Clients
        
        Add a Cisco Secure Client External Browser Package to the Secure Firewall Management Center
      - Remote Access VPN Address Assignment Policy
      - Configure Certificate Maps
      - Configuring Group Policies
      - Configuring LDAP Attribute Mapping
      - Configuring VPN Load Balancing
        
        Configure Group Settings for VPN Load Balancing
        
        Configure Additional Settings for Load Balancing
        
        Configure Settings for Participating Devices
      - Configuring IPsec Settings for Remote Access VPNs
        
        Configure Remote Access VPN Crypto Maps
        
        IKE Policies in Remote Access VPNs
        
        Configuring Remote Access VPN IKE Policies
        
        Configure Remote Access VPN IPsec/IKEv2 Parameters
      - Customize Cisco Secure Client
        
        Guidelines and Limitations for Secure Client Customizations
        
        Customize and Localize Secure Client GUI Text and Messages
        
        How to Customize Secure Client GUI Text and Messages
        
        Customize Secure Client Icons and Images
        
        How to Customize Secure Client Images and Icons
        
        Deploy Scripts on Endpoint Devices Using Secure Client
        
        How to Add Customized Scripts for Secure Client
        
        Deploy Custom Applications Using Cisco Secure Client APIs
        
        How to Deploy Custom Applications Using Cisco Secure Client API
        
        Customize the Secure Client Installer
        
        Localize the Client Installer
        
        How to Customize or Localize the Client Installer
        
        Verify Secure Client Customizations
    - Configure Secure Client Management VPN Tunnel
      - Requirements and Prerequisites for Secure Client Management VPN Tunnel
      - Limitations of Secure Client Management VPN Tunnel
      - Configuring Secure Client Management VPN Tunnel on Firewall Threat Defense
    - Multiple Certificate Authentication
      - Guidelines and Limitations of Multiple Certificate Authentication
      - Configuring Multiple Certificate Authentication
    - Manage VPN Access of Remote Users Based on Geolocation
      - Workflow to Manage VPN Access of Remote Users Based on Geolocation
      - Guidelines and Limitations for Managing Remote Access VPN Users Based on Geolocation
      - Monitor and Troubleshoot Service Access Policies
  - Customizing Remote Access VPN AAA Settings
    - Authenticate VPN Users via Client Certificates
    - Configure VPN User Authentication via Client Certificate and AAA Server
    - Manage Password Changes over VPN Sessions
    - Send Accounting Records to the RADIUS Server
    - Delegating Group Policy Selection to Authorization Server
      - Override the Selection of Group Policy or Other Attributes by the Authorization Server
      - Deny VPN Access to a User Group
      - Restrict Connection Profile Selection for a User Group
      - Update the Secure Client Profile for Remote Access VPN Clients
    - RADIUS Dynamic Authorization
      - Configuring RADIUS Dynamic Authorization
    - Two-Factor Authentication
      - Configuring RSA Two-Factor Authentication
      - Configuring Duo Two-Factor Authentication
    - Secondary Authentication
      - Configure Remote Access VPN Secondary Authentication
    - Single Sign-On Authentication with SAML 2.0
      - Guidelines and Limitations for SAML 2.0
      - Configuring a SAML Single Sign-On Authentication
      - Configuring SAML Authorization
        
        Configure SAML Authorization
  - Advanced Secure Client Configurations
    - Configure Secure Client Modules on a Firewall Threat Defense
      - Types of Secure Client Modules
      - Prerequisites for Configuring Secure Client Modules
      - Guidelines for Configuring Secure Client Modules
      - Install Secure Client Modules using a Firewall Threat Defense
      - Configure a Remote Access VPN Group Policy with Secure Client Modules
      - Verify Secure Client Modules Configuration
    - Configure Application-Based (Per App VPN) Remote Access VPN on Mobile Devices
      - Prerequisites and Licensing for Configuring Per App VPN Tunnels
      - Determine the Application IDs for Mobile Applications
      - Configure Application-Based VPN Tunnels
      - Verify Per App Configuration
  - Remote Access VPN Examples
    - How to Limit Secure Client Bandwidth Per User
    - How to Use VPN Identity for User-Id Based Access Control Rules
    - Configure Firewall Threat Defense Multiple Certificate Authentication
- Dynamic Access Policies
  - About Secure Firewall Threat Defense Dynamic Access Policy
    - Hierarchy of Policy Enforcement of Permissions and Attributes in Firewall Threat Defense
  - Prerequisites for Dynamic Access Policy
  - Guidelines and Limitations for Dynamic Access Policies
  - Associate Dynamic Access Policy with Remote Access VPN
  - History for Dynamic Access Policy
- VPN Monitoring and Troubleshooting in Security Cloud Control
  - Site-to-Site VPN Summary Page
  - Monitor Remote Access VPN Sessions
  - SD-WAN Summary Dashboard
    - Prerequisites for Using SD-WAN Summary Dashboard
    - Monitor WAN Devices and Interfaces Using the SD-WAN Summary Dashboard
    - Monitor Application Performance Metrics of WAN Interfaces Using the SD-WAN Summary Dashboard
  - System Messages
  - Debug Commands
    - debug aaa
    - debug crypto
      - debug crypto ca
      - debug crypto ikev1
      - debug crypto ikev2
      - debug crypto ipsec
    - debug ldap
    - debug ssl
    - debug webvpn
Access Control
- Access Control Overview
  - Introduction to Access Control
  - Introduction to Rules
    - Filtering Rules by Device
    - Rule and Other Policy Warnings
  - Access Control Policy Default Action
  - Deep Inspection Using File and Intrusion Policies
    - Access Control Traffic Handling with Intrusion and File Policies
    - File and Intrusion Inspection Order
  - Access Control Policy Inheritance
  - Best Practices for Application Control
    - Recommendations for Application Control
    - Best Practices for Configuring Application Control
    - Application Characteristics
    - Application-Specific Notes and Limitations
  - Best Practices for Access Control Rules
    - General Best Practices for Access Control
    - Best Practices for Ordering Rules
      - Rule Preemption
      - Rule Actions and Rule Order
      - Application Rule Order
      - URL Rule Order
    - Best Practices for Simplifying and Focusing Rules
    - Maximum Number of Access Control Rules and Intrusion Policies
- Access Control Policies
  - Access Control Policy Components
  - System-Created Access Control Policies
  - Requirements and Prerequisites for Access Control Policies
  - Managing Access Control Policies
    - Creating a Basic Access Control Policy
    - Editing an Access Control Policy
    - Locking an Access Control Policy
    - Managing Access Control Policy Inheritance
      - Choosing a Base Access Control Policy
      - Inheriting Access Control Policy Settings from the Base Policy
      - Locking Settings in Descendant Access Control Policies
      - Requiring an Access Control Policy in a Domain
    - Assigning Devices to an Access Control Policy
    - Logging Settings for Access Control Policies
    - Access Control Policy Advanced Settings
      - Associating Other Policies with Access Control
    - Identifying and Fixing Anomalies with Policy Analyzer & Optimizer
    - Viewing Rule Hit Counts
    - Analyzing Rule Conflicts and Warnings
    - Searching for Rules
  - History for Access Control Policies
- Access Control Rules
  - Introduction to Access Control Rules
    - Access Control Rule Management
    - Access Control Rule Components
    - Access Control Rule Order
    - Access Control Rule Actions
      - Access Control Rule Monitor Action
      - Access Control Rule Trust Action
      - Access Control Rule Blocking Actions
      - Access Control Rule Interactive Blocking Actions
      - Access Control Rule Allow Action
  - Requirements and Prerequisites for Access Control Rules
  - Guidelines and Limitations for Access Control Rules
  - Managing Access Control Rules
    - Adding an Access Control Rule Category
    - Create and Edit Access Control Rules
      - Access Control Rule Conditions
        
        Security/Tunnel Zone Rule Conditions
        
        Network Rule Conditions
        
        Original Client in Network Conditions (Filtering Proxied Traffic)
        
        VLAN Tags Rule Conditions
        
        User Rule Conditions
        
        Application Rule Conditions
        
        Configuring Application Conditions and Filters
        
        Port, Protocol, and ICMP Code Rule Conditions
        
        URL Rule Conditions
        
        Dynamic Attributes Rule Conditions
        
        About API-Created Dynamic Objects
        
        Configure Dynamic Attributes Conditions
        
        Time and Day Rule Conditions
    - Enabling and Disabling Access Control Rules
    - Copying Access Control Rules from One Access Control Policy to Another
    - Moving Access Control Rules to a Prefilter Policy
    - Positioning an Access Control Rule
    - Adding Comments to an Access Control Rule
  - Examples for Access Control Rules
    - How to Control Access Using Security Zones
    - How to Control Application Usage
    - How to Block Threats
- Cisco Secure Dynamic Attributes Connector
  - About the Cisco Secure Dynamic Attributes Connector
    - How It Works
  - About the Dashboard
    - Dashboard of an Unconfigured System
    - Dashboard of a Configured System
    - Add, Edit, or Delete Connectors
    - Add, Edit, or Delete Dynamic Attributes Filters
  - Create a Connector
    - Amazon Web Services Connector—About User Permissions and Imported Data
      - Create an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an AWS Connector
    - Amazon Web Services Security Groups Connector—About User Permissions and Imported Data
      - Create an AWS Security Groups Connector
    - Create an AWS Service Tags Connector
    - Azure Connector—About User Permissions and Imported Data
      - Create an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an Azure Connector
    - Create an Azure Service Tags Connector
    - Create a Multicloud Defense Connector
    - Create a Cisco Cyber Vision Connector
    - Create a Generic Text Connector
    - Create a GitHub Connector
    - Google Cloud Connector—About User Permissions and Imported Data
      - Create a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create a Google Cloud Connector
    - Create an Office 365 Connector
    - Create a Webex Connector
    - Create a Zoom Connector
  - Create an Adapter
    - How to Create an On-Prem Firewall Management Center Adapter
    - How to Create a Cloud-Delivered Firewall Management Center Adapter
  - Create Dynamic Attributes Filters
    - Dynamic Attribute Filter Examples
  - Use Dynamic Objects in Access Control Policies
    - About Dynamic Objects in Access Control Rules
    - Dynamic Attributes Rule Conditions
    - Create Access Control Rules Using Dynamic Attributes Filters
  - Troubleshoot the Cisco Secure Dynamic Attributes Connector
    - Troubleshoot Error Messages
    - Get Your Tenant ID
- URL Filtering
  - URL Filtering Overview
    - About URL Filtering with Category and Reputation
      - URL Category and Reputation Descriptions
      - URL Filtering Data from the Cisco Cloud
  - Best Practices for URL Filtering
    - Filtering HTTPS Traffic
    - Use Categories in URL Filtering
  - License Requirements for URL Filtering
  - Requirements and Prerequisites for URL Filtering
  - How to Configure URL Filtering with Category and Reputation
    - Enable URL Filtering Using Category and Reputation
      - URL Filtering Options
    - Configuring URL Conditions
      - Rules with URL Conditions
      - URL Rule Order
    - DNS Filtering: Identify URL Reputation and Category During DNS Lookup
      - Enable DNS Filtering to Identify URLs During Domain Lookup
      - DNS Filtering Limitations
      - DNS Filtering and Events
  - Manual URL Filtering
    - Manual URL Filtering Options
    - Supplement or Selectively Override Category and Reputation-Based URL Filtering
  - Configure HTTP Response Pages
    - Limitations to HTTP Response Pages
    - Requirements and Prerequisites for HTTP Response Pages
    - Choosing HTTP Response Pages
    - Configure Interactive Blocking with HTTP Response Pages
      - Configuring Interactive Blocking
      - Setting the User Bypass Timeout for a Blocked Website
  - Configure URL Filtering Health Monitors
  - Dispute URL Category and Reputation
  - If the URL Category Set Changes, Take Action
    - URL Category and Reputation Changes: Effect on Events
  - Troubleshoot URL Filtering
- Security Intelligence
  - About Security Intelligence
  - Best Practices for Security Intelligence
  - License Requirements for Security Intelligence
  - Requirements and Prerequisites for Security Intelligence
  - Security Intelligence Sources
  - Configure Security Intelligence
    - Security Intelligence Options
    - Security Intelligence Categories
    - Block List Icons
    - Configuration Example: Security Intelligence Blocking
  - Security Intelligence Monitoring
  - Override Security Intelligence Blocking
  - Troubleshooting Security Intelligence
    - Security Intelligence Categories Are Missing from the Available Options List
- DNS Policies
  - DNS Policy Overview
  - Cisco Umbrella DNS Policies
  - DNS Policy Components
  - License Requirements for DNS Policies
  - Requirements and Prerequisites for DNS Policies
  - Managing DNS and Umbrella DNS Policies
    - Creating Basic DNS Policies
    - Editing DNS Policies
  - DNS Rules
    - Creating and Editing DNS Rules
    - DNS Rule Management
      - Enabling and Disabling DNS Rules
    - DNS Rule Order Evaluation
    - DNS Rule Actions
    - DNS Rule Conditions
      - Security Zone Rule Conditions
      - Network Rule Conditions
      - VLAN Tags Rule Conditions
      - DNS Policy Rule Conditions
  - How to Create DNS Rules
    - Controlling Traffic Based on DNS and Security Zone
    - Controlling Traffic Based on DNS and Network
    - Controlling Traffic Based on DNS and VLAN
    - Controlling Traffic Based on DNS List or Feed
  - DNS Policy Deploy
  - Cisco Umbrella DNS Policies
    - How to Redirect DNS Requests to Cisco Umbrella
    - Prerequisites for Configuring the Umbrella DNS Connector
    - Configure Cisco Umbrella Connection Settings
    - Create an Umbrella DNS Policy
    - Edit Umbrella DNS Policies and Rules
    - Associate the Umbrella DNS Policy with an Access Control Policy
- Prefiltering and Prefilter Policies
  - About Prefiltering
    - About Prefilter Policies
    - Tunnel vs Prefilter Rules
    - Prefiltering vs Access Control
    - Passthrough Tunnels and Access Control
  - Best Practices for Fastpath Prefiltering
  - Best Practices for Encapsulated Traffic Handling
  - Requirements and Prerequisites for Prefilter Policies
  - Configure Prefiltering
    - Tunnel and Prefilter Rule Components
    - Prefilter Rule Conditions
      - Interface Rule Conditions
      - Network Rule Conditions
      - VLAN Tags Rule Conditions
      - Port Rule Conditions for Prefilter Rules
      - Time and Day Rule Conditions
    - Tunnel Rule Conditions
      - Encapsulation Rule Conditions
  - Tunnel Zones and Prefiltering
    - Using Tunnel Zones
    - Creating Tunnel Zones
  - Moving Prefilter Rules to an Access Control Policy
  - Prefilter Policy Hit Counts
  - Large Flow Offloads
    - Flow Offload Limitations
- Service Policies
  - About Threat Defense Service Policies
    - How Service Policies Relate to FlexConfig and Other Features
    - What Are Connection Settings?
  - Requirements and Prerequisites for Service Policies
  - Guidelines and Limitations for Service Policies
  - Configure Threat Defense Service Policies
    - Configure a Service Policy Rule
    - Bypass TCP State Checks for Asymetrical Routing (TCP State Bypass)
      - The Asymetrical Routing Problem
      - Guidelines and Limitations for TCP State Bypass
      - Configure TCP State Bypass
    - Disable TCP Sequence Randomization
  - Examples for Service Policy Rules
    - Protect Servers from a SYN Flood DoS Attack (TCP Intercept)
    - Make the Firewall Threat Defense Device Appear on Traceroutes
  - Monitoring Service Policies
- Elephant Flow Detection
  - About Elephant Flow Detection and Remediation
  - Elephant Flow Upgrade from Intelligent Application Bypass
  - Configure Elephant Flow
- Intelligent Application Bypass
  - Introduction to IAB
  - IAB Options
  - Requirements and Prerequisites for Intelligent Application Bypass
  - Configuring Intelligent Application Bypass
  - IAB Logging and Analysis
- Content Restriction
  - About Content Restriction
  - Requirements and Prerequisites for Content Restriction
  - Guidelines and Limitations for Content Restriction
  - Using Access Control Rules to Enforce Content Restriction
    - Safe Search Options for Access Control Rules
  - Using a DNS Sinkhole to Enforce Content Restriction
- Zero Trust Access
  - About Clientless and Universal Zero Trust Network Access
  - Zero Trust Access
    - How Threat Defense Works with Zero Trust Access
    - Why Use Zero Trust Access?
    - Components of a Zero Trust Access Configuration
    - Zero Trust Access Workflow
    - Limitations for Zero Trust Access
    - Prerequisites for Zero Trust Application Policy
    - Manage Zero Trust Application Policies
    - Create a Zero Trust Application Policy
    - Create an Application Group
    - Create an Application
    - Set Targeted Devices for Zero Trust Access Policy
    - Edit a Zero Trust Application Policy
    - Monitor Zero Trust Sessions
  - Overview of Universal Zero Trust Network Access
    - How Threat Defense Works with Universal ZTNA
    - Prerequisites for Universal Zero Trust Network Access
    - Limitations of Universal Zero Trust Network Access
    - Enable Cloud-Delivered Firewall Management Center in Security Cloud Control
    - Configure Security Devices
    - Configure Network Connections
  - History for Zero Trust Access
Intrusion Detection and Prevention
- An Overview of Network Analysis and Intrusion Policies
  - About Network Analysis and Intrusion Policies
  - Snort Inspection Engine
  - Snort 3
  - Feature Limitations of Snort 3 for Firewall Management Center -Managed Firewall Threat Defense
  - How Policies Examine Traffic For Intrusions
    - Decoding, Normalizing, and Preprocessing: Network Analysis Policies
    - Access Control Rules: Intrusion Policy Selection
    - Intrusion Inspection: Intrusion Policies, Rules, and Variable Sets
    - Intrusion Event Generation
  - System-Provided and Custom Network Analysis and Intrusion Policies
    - System-Provided Network Analysis and Intrusion Policies
    - Benefits of Custom Network Analysis and Intrusion Policies
      - Benefits of Custom Network Analysis Policies
      - Benefits of Custom Intrusion Policies
    - Limitations of Custom Policies
  - Prerequisites for Network Analysis and Intrusion Policies
- Migrate from Snort 2 to Snort 3
  - Snort 3 Inspection Engine
  - Prerequisites for Network Analysis and Intrusion Policies
  - How to Migrate from Snort 2 to Snort 3
    - Prerequisites for Migrating from Snort 2 to Snort 3
    - Enable Snort 3 on an Individual Device
    - Enable Snort 3 on Multiple Devices
    - Convert Snort 2 Custom IPS Rules to Snort 3
      - Convert all Snort 2 Custom Rules across all Intrusion Policies to Snort 3
      - Convert Snort 2 Custom Rules of a Single Intrusion Policy to Snort 3
  - View Snort 2 and Snort 3 Base Policy Mapping
  - Synchronize Snort 2 Rules with Snort 3
  - Deploy Configuration Changes
  - Generate Secure Firewall Recommendations in Snort 3: Upgrade Scenarios
- Get Started with Snort 3 Intrusion Policies
  - Overview of Intrusion Policies
  - Prerequisites for Network Analysis and Intrusion Policies
  - Create a Custom Snort 3 Intrusion Policy
  - Edit Snort 3 Intrusion Policies
    - Rule Group Reporting
    - Rule Action Logging
  - Change the Base Policy of an Intrusion Policy
  - Manage Intrusion Policies
  - Access Control Rule Configuration to Perform Intrusion Prevention
    - Access Control Rule Configuration and Intrusion Policies
    - Configure an Access Control Rule to Perform Intrusion Prevention
  - Deploy Configuration Changes
- Tune Intrusion Policies Using Rules
  - Overview of Tuning Intrusion Rules
  - Intrusion Rule Types
  - Prerequisites for Network Analysis and Intrusion Policies
  - Custom Rules in Snort 3
  - View Snort 3 Intrusion Rules in an Intrusion Policy
  - Intrusion Rule Action
    - Intrusion Rule Action Options
    - Set Intrusion Rule Action
  - Intrusion Event Notification Filters in an Intrusion Policy
    - Intrusion Event Thresholds
      - Set Intrusion Event Thresholds
      - Set Threshold for an Intrusion Rule in Snort 3
      - View and Delete Intrusion Event Thresholds
    - Intrusion Policy Suppression Configuration
      - Intrusion Policy Suppression Types
      - Set Suppression for an Intrusion Rule in Snort 3
      - View and Delete Suppression Conditions
  - Add Intrusion Rule Comments
  - Snort 2 Custom Rules Conversion to Snort 3
    - Convert all Snort 2 Custom Rules across all Intrusion Policies to Snort 3
    - Convert Snort 2 Custom Rules of a Single Intrusion Policy to Snort 3
  - Add Custom Rules to Rule Groups
  - Add Rule Groups with Custom Rules to an Intrusion Policy
  - Manage Custom Rules in Snort 3
  - Delete Custom Rules
  - Delete Rule Groups
  - Intrusion Rule State Options
    - Setting Intrusion Rule States
- Tailor Intrusion Protection for Your Network Assets
  - Snort 3 Rule Changes in LSP Updates
  - Overview of Secure Firewall Recommended Rules
  - Prerequisites for Network Analysis and Intrusion Policies
  - Generate New Secure Firewall Recommendations in Snort 3
- Custom Intrusion Rules
  - Custom Intrusion Rules Overview
  - License Requirements for the Intrusion Rule Editor
  - Requirements and Prerequisites for the Intrusion Rule Editor
  - Rule Anatomy
    - The Intrusion Rule Header
      - Intrusion Rule Header Action
      - Intrusion Rule Header Protocol
      - Intrusion Rule Header Direction
      - Intrusion Rule Header Source and Destination IP Addresses
        
        IP Address Syntax in Intrusion Rules
      - Intrusion Rule Header Source and Destination Ports
        
        Port Syntax in Intrusion Rules
    - Intrusion Event Details
      - Adding a Custom Classification
      - Defining an Event Priority
      - Defining an Event Reference
  - Custom Rule Creation
    - Writing New Rules
    - Modifying Existing Rules
    - Adding Comments to Intrusion Rules
    - Deleting Custom Rules
  - Searching for Rules
    - Search Criteria for Intrusion Rules
  - Rule Filtering on the Intrusion Rules Editor Page
    - Filtering Guidelines
    - Keyword Filtering
    - Character String Filtering
    - Combination Keyword and Character String Filtering
    - Filtering Rules
  - Keywords and Arguments in Intrusion Rules
    - The content and protected_content Keywords
      - Basic content and protected_content Keyword Arguments
      - content and protected_content Keyword Search Locations
        
        Permitted Combinations: content Search Location Arguments
        
        Permitted Combinations: protected_content Search Location Arguments
        
        content and protected_content Search Location Arguments
      - Overview: HTTP content and protected_content Keyword Arguments
        
        HTTP content and protected_content Keyword Arguments
      - Overview: content Keyword Fast Pattern Matcher
        
        content Keyword Fast Pattern Matcher Arguments
    - The replace Keyword
    - The byte_jump Keyword
    - The byte_test Keyword
    - The byte_extract Keyword
    - The byte_math Keyword
    - Overview: The pcre Keyword
      - pcre Syntax
      - pcre Modifier Options
      - pcre Example Keyword Values
    - The metadata Keyword
      - Service Metadata
      - Metadata Search Guidelines
    - IP Header Values
    - ICMP Header Values
    - TCP Header Values and Stream Size
    - The stream_reassembly Keyword
    - SSL Keywords
    - The appid Keyword
    - Application Layer Protocol Values
      - The RPC Keyword
      - The ASN.1 Keyword
      - The urilen Keyword
      - DCE/RPC Keywords
        
        dce_iface
        
        The dce_opnum Keyword
        
        The dce_stub_data Keyword
      - SIP Keywords
        
        The sip_header Keyword
        
        The sip_body Keyword
        
        The sip_method Keyword
        
        The sip_stat_code Keyword
      - GTP Keywords
        
        The gtp_version Keyword
        
        The gtp_type Keyword
        
        The gtp_info Keyword
    - SCADA Keywords
      - Modbus Keywords
      - DNP3 Keywords
      - CIP and ENIP Keywords
      - S7Commplus Keywords
    - Packet Characteristics
    - Active Response Keywords
      - The resp Keyword
      - The react Keyword
    - The detection_filter Keyword
    - The tag Keyword
    - The flowbits Keyword
      - flowbits Keyword Options
      - Guidelines for Using the flowbits Keyword
      - flowbits Keyword Examples
        
        flowbits Keyword Example: A Configuration Using state_name
        
        flowbits Keyword Example: A Configuration Resulting in False Positive Events
        
        flowbits Keyword Example: A Configuration for Preventing False Positive Events
    - The http_encode Keyword
      - http_encode Keyword Syntax
      - http_encode Keyword example: Using Two http_endcode Keywords to Search for Two Encodings
    - Overview: The file_type and file_group Keywords
      - The file_type and file_group Keywords
    - The file_data Keyword
    - The pkt_data Keyword
    - The base64_decode and base64_data Keywords
- Intrusion Prevention Performance Tuning
  - About Intrusion Prevention Performance Tuning
  - License Requirements for Intrusion Prevention Performance Tuning
  - Requirements and Prerequisites for Intrusion Prevention Performance Tuning
  - Limiting Pattern Matching for Intrusions
  - Regular Expression Limits Overrides for Intrusion Rules
  - Overriding Regular Expression Limits for Intrusion Rules
  - Per Packet Intrusion Event Generation Limits
  - Limiting Intrusion Events Generated Per Packet
  - Packet and Intrusion Rule Latency Threshold Configuration
    - Latency-Based Performance Settings
    - Packet Latency Thresholding
      - Packet Latency Thresholding Notes
      - Enabling Packet Latency Thresholding
      - Configuring Packet Latency Thresholding
    - Rule Latency Thresholding
      - Rule Latency Thresholding Notes
      - Configuring Rule Latency Thresholding
  - Intrusion Performance Statistic Logging Configuration
  - Configuring Intrusion Performance Statistic Logging
- Get Started with Snort 3 Network Analysis Policies
  - Overview of Network Analysis Policies
  - Manage Network Analysis Policies
  - Snort 3 Definitions and Terminologies for Network Analysis Policy
  - Prerequisites for Network Analysis and Intrusion Policies
  - Custom Network Analysis Policy Creation for Snort 3
    - Common Industrial Protocol Safety
    - Detect and Block Safety Segments in CIP Packets
    - Network Analysis Policy Mapping
    - View Network Analysis Policy Mapping
    - Create a Network Analysis Policy
    - Modify the Network Analysis Policy
    - Search for an Inspector on the Network Analysis Policy Page
    - Copy the Inspector Configuration
    - Customize the Network Analysis Policy
    - Make Inline Edit for an Inspector to Override Configuration
    - Revert Unsaved Changes during Inline Edits
    - View the List of Inspectors with Overrides
    - Revert Overridden Configuration to Default Configuration
    - Validate Snort 3 Policies
    - Examples of Custom Network Analysis Policy Configuration
  - Network Analysis Policy Settings and Cached Changes
- Encrypted Visibility Engine
  - Overview of Encrypted Visibility Engine
  - How EVE Works
  - Indications of Compromise Events
  - QUIC Fingerprinting in EVE
  - Configure EVE
    - View Encrypted Visibility Engine Events
    - View EVE Dashboard
- Elephant Flow Detection
  - About Elephant Flow Detection and Remediation
  - Elephant Flow Upgrade from Intelligent Application Bypass
  - Configure Elephant Flow
- Use Case - Migrate from Snort 2 to Snort 3 In Secure Firewall Management Center
  - Migrate from Snort 2 to Snort 3
  - Benefits of Migrating to Snort 3
  - Sample Business Scenario
  - Best Practices for Migrating from Snort 2 to Snort 3
  - Prerequisites
  - End-to-End Migration Workflow
  - Enable Snort 3 on Threat Defense
  - Convert Snort 2 Rules of a Single Intrusion Policy to Snort 3
  - Deploy Configuration Changes
- Use Case - Generate Snort 3 Recommendations In Secure Firewall Management Center
  - Snort 3 Rule Recommendations
  - Benefits
  - Sample Business Scenario
  - Best Practices
  - Prerequisites
  - Generate Snort 3 Recommendations
  - Deploy Configuration Changes
- Use Case - Block Traffic Based on the EVE Threat Confidence Score
  - About Encrypted Visibility Engine
  - Benefits
  - Sample Business Scenario
  - Prerequisites
  - High-Level Workflow
  - Configure Block Thresholds in EVE
    - View EVE Events
  - Additional References
- Use Case - Configure Elephant Flow Detection Outcomes
  - About Elephant Flows
  - Benefits of Elephant Flow Detection and Remediation
  - Elephant Flow Workflow
  - Sample Business Scenario
  - Prerequisites
  - Configure Elephant Flow Parameters
    - View Events for Elephant Flows
  - Configure Elephant Flow Remediation Exemption
    - View Events for Elephant Flow Remediation Exemption
  - Additional References
- Mitigate Threats Using MITRE Framework in Snort 3 Intrusion Policies
  - About MITRE ATT&CK Framework
  - Benefits of MITRE Framework
  - Sample Business Scenario for MITRE Network
  - Prerequisites for MITRE Framework
  - View and Edit Your Snort 3 Intrusion Policy
  - View Intrusion Events
  - Additional References
Network Malware Protection and File Policies
- Network Malware Protection and File Policies
  - About Network Malware Protection and File Policies
    - File Policies
  - Requirements and Prerequisites for File Policies
  - License Requirements for File and Malware Policies
  - Best Practices for File Policies and Malware Detection
    - File Rule Best Practices
    - File Detection Best Practices
    - File Blocking Best Practices
    - File Policy Best Practices
  - How to Configure Malware Protection
    - Plan and Prepare for Malware Protection
    - Configure File Policies
    - Add File Policies to Your Access Control Configuration
      - Configuring an Access Control Rule to Perform Malware Protection
    - Set Up Maintenance and Monitoring of Malware Protection
  - Cloud Connections for Malware Protection
    - AMP Cloud Connection Configurations
      - Change AMP Options
    - Dynamic Analysis Connections
      - Requirements for Dynamic Analysis
      - Viewing the Default Dynamic Analysis Connection
      - Enabling Access to Dynamic Analysis Results in the Public Cloud
      - Maintain Your System: File Types Eligible for Dynamic Analysis
  - File Policies and File Rules
    - Create or Edit a File Policy
      - Advanced and Archive File Inspection Options
        
        Archive Files
        
        Override File Disposition Using Custom Lists
        
        Centralized File Lists from Secure Endpoint
    - Managing File Policies
    - File Rules
      - File Rule Components
      - File Rule Actions
        
        Malware Protection Options (in File Rule Actions)
        
        Comparison of Malware Protection Options
        
        Spero Analysis
        
        AMP Cloud Lookup
        
        Local Malware Analysis
        
        Cached Disposition Longevity
        
        Dynamic Analysis
        
        Which Files Are Eligible for Dynamic Analysis?
        
        Dynamic Analysis and Capacity Handling
        
        Captured Files and File Storage
        
        Malware Storage Pack
        
        Block All Files by Type
        
        File Rule Actions: Evaluation Order
      - Creating File Rules
    - Access Control Rule Logging for Malware Protection
  - Retrospective Disposition Changes
  - File and Malware Inspection Performance and Storage Options
  - Tuning File and Malware Inspection Performance and Storage
  - (Optional) Malware Protection with Secure Endpoint
    - Comparison of Malware Protection: Firepower vs. Secure Endpoint
    - About Integrating Firepower with Secure Endpoint
      - Benefits of Integrating Firepower and Secure Endpoint
      - Secure Endpoint and AMP Private Cloud
      - Integrate Firepower and Secure Endpoint
  - History for Network Malware Protection and File Policies
Policy Tools
- Analyzing, Detecting, and Fixing Policy Anomalies Using Policy Analyzer and Optimizer
  - About Policy Analyzer and Optimizer
    - Analysis, Remediation, and Reporting
  - Prerequisites to Use Policy Analyzer and Optimizer
  - Policy Analyzer and Optimizer Licensing Requirements
  - Enable Policy Analyzer and Optimizer for Cloud-Delivered Firewall Management Center
  - Enable Policy Analyzer and Optimizer for Security Cloud Control -managed On-Premises Firewall Management Center
  - Policy Analysis
    - Analyze Cloud-Delivered Firewall Management Center Policies
    - Analyze On-Premises Firewall Management Center Policies
  - Policy Reporting
    - Policy Analysis Summary
    - Duplicate Rules
    - Overlapping Objects
    - Expired Rules
    - Mergeable Rules
    - Policy Insights
  - Policy Remediation
    - Apply Policy Remediation
    - What Does the Policy Remediation Report Contain?
  - Troubleshooting Policy Analyzer and Optimizer
    - Policy Analyzer and Optimizer Does Not Analyze Policies
    - Policy Analyzer and Optimizer Does Not Fetch Policies
  - Frequently Asked Questions About Policy Analyzer and Optimizer
Encrypted Traffic Handling
- Traffic Decryption Overview
  - Traffic Decryption Explained
  - TLS/SSL Handshake Processing
    - ClientHello Message Handling
    - ServerHello and Server Certificate Message Handling
  - Decryption Rule and Policy Basics
    - The Case for Decryption
    - When to Decrypt Traffic, When Not to Decrypt
      - Decrypt and Resign (Outgoing Traffic)
      - Known Key Decryption (Incoming Traffic)
    - Other Decryption Rule Actions
    - Decryption Rule Components
    - Decryption Rule Order Evaluation
      - Multi-Rule Example
  - How to Configure Decryption Policies and Rules
  - History for Decryption Policy
- Decryption Policies
  - About Decryption Policies
  - Requirements and Prerequisites for Decryption Policies
  - Create a Decryption Policy
    - Create a Create a Decryption Policy with Outbound Connection Protection
    - Create a Create a Decryption Policy with Inbound Connection Protection
    - Decryption Policy Exclusions
    - Generate an Internal CA for Outbound Protection
    - Upload an Internal CA for Outbound Protection
    - Upload an Internal Certificate for Inbound Protection
    - Create a Create a Decryption Policy with Other Rule Actions
  - Decryption Policy Default Actions
  - Default Handling Options for Undecryptable Traffic
    - Set Default Handling for Undecryptable Traffic
  - Decryption Policy Advanced Options
    - TLS 1.3 Decryption Best Practices
- Decryption Rules
  - Decryption Rules Overview
  - Requirements and Prerequisites for Decryption Rules
  - Decryption Rule Guidelines and Limitations
    - Guidelines for Using TLS/SSL Decryption
    - Decryption Rule Unsupported Features
    - TLS/SSL Do Not Decrypt Guidelines
    - TLS/SSL Decrypt - Resign Guidelines
    - TLS/SSL Decrypt - Known Key Guidelines
    - TLS/SSL Block Guidelines
    - TLS/SSL Certificate Pinning Guidelines
    - TLS/SSL Heartbeat Guidelines
    - TLS/SSL Anonymous Cipher Suite Limitation
    - TLS/SSL Normalizer Guidelines
    - Other Decryption Rule Guidelines
  - Decryption Rule Traffic Handling
    - Encrypted Traffic Inspection Configuration
    - Decryption Rule Order Evaluation
  - Decryption Rule Conditions
    - Security Zone Rule Conditions
    - Network Rule Conditions
    - VLAN Tags Rule Conditions
    - User Rule Conditions
    - Application Rule Conditions
    - Port Rule Conditions
    - Category Rule Conditions
    - Server Certificate-Based Decryption Rule Conditions
      - Certificate Decryption Rule Conditions
      - Distinguished Name (DN) Rule Conditions
      - Trusting External Certificate Authorities
      - Certificate Status Decryption Rule Conditions
      - Cipher Suite Decryption Rule Conditions
      - Encryption Protocol Version Decryption Rule Conditions
  - Decryption Rule Actions
    - Decryption Rule Monitor Action
    - Decryption Rule Do Not Decrypt Action
    - Decryption Rule Blocking Actions
    - Decryption Rule Decrypt Actions
  - Troubleshoot Decryption Rules
    - About TLS/SSL Oversubscription
      - Troubleshoot TLS/SSL Oversubscription
    - About TLS Heartbeat
      - Troubleshoot TLS Heartbeat
    - About TLS/SSL Pinning
      - Troubleshoot TLS/SSL Pinning
      - Troubleshoot Unknown or Bad Certificates or Certificate Authorities
    - Verify TLS/SSL Cipher Suites
- Decryption Rules and Policy Example
  - Decryption Rule Examples
  - Run the Decryption Policy Wizard
    - Decryption Policy Exclusions
  - First Manual Do Not Decrypt Rule: Specific Traffic
  - Next Manual Rule : Decrypt Specific Test Traffic
  - Last Manual Decryption Rules : Block or Monitor Certificates and Protocol Versions
    - Example: Decryption Rule to Monitor or Block Certificate Status
    - Example: Decryption Rule to Monitor or Block Protocol Versions
    - Optional Example: Manual Decryption Rule to Monitor or Block Certificate Distinguished Name
  - Associate the Decryption Policy with an Access Control Policy and Advanced Settings
  - Traffic to Prefilter
  - Decryption Rule Settings
User Identity
- User Identity Overview
  - About User Identity
    - Identity Terminology
    - About User Identity Sources
    - Best Practices for User Identity
    - Identity Deployments
    - How to Set Up an Identity Policy
    - The User Activity Database
    - The Users Database
  - Identity Realm Limit
  - Cloud-Delivered Firewall Management Center Host and User Limits
    - Cloud-Delivered Firewall Management Center Host Limit
    - Cloud-Delivered Firewall Management Center User Limit
  - User Limits for Microsoft Azure Active Directory Realms
- Realms
  - License Requirements for Realms
  - Requirements and Prerequisites for Realms
  - Create a Proxy Sequence
  - Create a Microsoft Azure AD (SAML) Realm
    - How to Create a Microsoft Azure AD Realm for Passive Authentication
      - About Entra ID and Cisco ISE with Resource Owned Password Credentials
      - About Entra ID and Cisco ISE with TEAP/EAP-TLS
      - How to Configure ISE for Microsoft Azure AD (SAML)Microsoft Azure AD
      - Configure Microsoft Entra ID for Passive Authentication
      - Configure Entra ID Basic Settings
      - Get Required Information For Your Microsoft Azure AD Realm
      - Create a Microsoft Azure AD (SAML) Realm for Passive Authentication
        
        Microsoft Azure AD (SAML) Realm: SAML Details
        
        Microsoft Azure AD (SAML) Realm: Azure AD Details
        
        Microsoft Azure AD (SAML) Realm: User Session Timeout
    - How to Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal)
      - Configure Entra ID Basic Settings
      - Configure a Single Sign-On (SSO) App in Entra ID
      - Create a Decryption Rule with Decrypt - Resign Action
      - Get Required Information For Your Microsoft Azure AD Realm (Active Authentication Only)
      - Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal)
        
        Microsoft Azure AD (SAML) Realm: SAML Details
        
        Microsoft Azure AD (SAML) Realm: SAML Service Provider (SP) Metadata
        
        Microsoft Azure AD (SAML) Realm: SAML Identity Provider (IdP) Metadata
        
        Microsoft Azure AD (SAML) Realm: Azure AD Details
        
        Microsoft Azure AD (SAML) Realm: User Session Timeout
  - Create an LDAP Realm or an Active Directory Realm and Realm Directory
    - About Realms and Realm Sequences
      - Realms and Trusted Domains
      - Supported Servers for Realms
      - Supported Server Object Class and Attribute Names
    - Prerequisites for Kerberos Authentication
    - Realm Fields
    - Realm Directory and Synchronize fields
    - Connect Securely to Active Directory or LDAP
      - Find the Active Directory Server's Name
      - Export the Active Directory Server's Root Certificate
    - Synchronize Users and Groups
  - Create a Realm Sequence
  - Configure the Firewall Management Center for Cross-Domain-Trust: The Setup
    - Configure the Cisco Security Cloud Control for Cross-Domain-Trust Step 1: Configure Realms and Directories
    - Configure the Cisco Security Cloud Control for Cross-Domain-Trust Step 2: Synchronize Users and Groups
    - Configure the Cisco Security Cloud Control for Cross-Domain-Trust Step 3: Resolve Issues
  - Manage a Realm
  - Compare Realms
  - Troubleshoot Realms and User Downloads
    - Troubleshoot Cross-Domain Trust
  - History for Realms
- User Control with the Passive Identity Agent
  - The Passive Identity Agent Identity Source
  - Deploy the Passive Identity Agent
    - Simple Passive Identity Agent Deployment
    - Single Passive Identity Agent Monitoring Multiple Domain Controllers
    - Multiple Passive Identity Agents Monitoring Multiple Domain Controllers
    - Passive Identity Agent Primary/Secondary Agent Deployments
  - How to Create a Passive Identity Agent Identity Source
  - Configure the Passive Identity Agent
    - Create a Microsoft Active Directory Realm
    - Create a Passive Identity Agent Identity Source
      - Create a Standalone Passive Identity Agent Identity Source
      - Create a Primary or Secondary Passive Identity Agent Identity Source
      - About Passive Identity Agent Roles
    - Troubleshoot the Passive Identity Agent
    - Get an API Token for the Passive Identity Agent
    - About Passive Identity Agent Installation
      - Prerequisites to Installing the Passive Identity Agent
      - Install the Passive Identity Agent Software
    - Uninstall the Passive Identity Agent Software
    - Upgrade the Passive Identity Agent Software
  - Monitor the Passive Identity Agent
  - Manage the Passive Identity Agent
    - Edit Passive Identity Agents
    - Delete a Standalone Passive Identity Agent
    - Delete Primary and Secondary Passive Identity Agents
  - Troubleshoot the Passive Identity Agent
  - Security Requirements for the Passive Identity Agent
  - Internet Access Requirements for the Passive Identity Agent
  - History for the Passive Identity Agent
- User Control with ISE/ISE-PIC
  - The ISE/ISE-PIC Identity Source
    - Source and Destination Security Group Tag (SGT) Matching
  - License Requirements for ISE/ISE-PIC
  - Requirements and Prerequisites for ISE/ISE-PIC
  - ISE/ISE-PIC Guidelines and Limitations
  - How to Configure ISE/ISE-PIC for User Control
    - How to Configure ISE/ISE-PIC Without a Realm
    - How to Configure ISE/ISE-PIC for User Control Using a Realm
  - Configure ISE/ISE-PIC
    - Configure Security Groups and SXP Publishing in ISE
    - Export Certificates from the ISE/ISE-PIC Server for Use in the Firewall Management Center
      - Export a System Certificate
      - Generate a Self-Signed Certificate
      - Import ISE/ISE-PIC Certificates
  - Configure ISE for User Control
    - ISE/ISE-PIC Configuration Fields
  - Ways to Configure the Cisco Identity Services Engine (Cisco ISE) Identity Source
    - About Cisco ISE Quick Configuration
      - Prerequisites for ISE Quick Configuration
      - Quick Configuration
      - Cisco Identity Services Engine (Cisco ISE) Quick Configuration Results
    - Cisco ISE Advanced Configuration
      - ISE/ISE-PIC Configuration Fields
  - Troubleshoot the ISE/ISE-PIC or Cisco TrustSec Issues
  - History for ISE/ISE-PIC
- User Control with Captive Portal
  - The Captive Portal Identity Source
    - About Hostname Redirect
  - License Requirements for Captive Portal
  - Requirements and Prerequisites for Captive Portal
  - Captive Portal Guidelines and Limitations
  - How to Configure the Captive Portal for User Control
    - Configure the Captive Portal Part 1: Create a Network Object
    - Configure the Captive Portal Part 2: Create an Identity Policy and Active Authentication Rule
      - Update a Custom Authentication Form
    - Configure the Captive Portal Part 3: Create a TCP Port Access Control Rule
    - Configure the Captive Portal Part 4: Create a User Access Control Rule
    - Captive Portal Example: Create a Decryption Policy with an Outbound Rule
    - Configure Captive Portal Part 6: Associate Identity and Decryption Policies with the Access Control Policy
    - Captive Portal Fields
    - Exclude Applications from Captive Portal
  - Troubleshoot the Captive Portal Identity Source
  - History for Captive Portal
- User Control with the pxGrid Cloud Identity Source
  - About the pxGrid Cloud Identity Source
    - Limitations of the pxGrid Cloud Identity Source
    - How the pxGrid Cloud Identity SourceWorks
  - How to Configure a pxGrid Cloud Identity Source
  - Enable pxGrid Cloud Service in Cisco ISE
  - Register Cisco ISE with the Catalyst Cloud Portal
  - Register the pxGrid Cloud Connection with Cisco ISE
  - Create and Subscribe to the Firewall Management Center Application
  - Create a pxGrid Cloud Identity Source
    - Create an App Instance
    - Create the Identity Source
    - Activate the App Instance
    - Verify It's Working
  - Configure the pxGrid Cloud Identity Source
  - About the Cisco Identity Controller Dashboard
  - Create Dynamic Attributes Filters Using the Cisco Identity Controller
  - Create Access Control Rules Using Dynamic Attributes Filters
  - History for the pxGrid Cloud Identity Source
- User Control with Remote Access VPN
  - The Remote Access VPN Identity Source
  - Configure RA VPN for User Control
  - Troubleshoot the Remote Access VPN Identity Source
    - Not Observing Correct Settings for VPN Statistics
- User Control with TS Agent
  - The Terminal Services (TS) Agent Identity Source
  - TS Agent Guidelines
  - User Control with TS Agent
  - Troubleshoot the TS Agent Identity Source
  - History for TS Agent
- User Identity Policies
  - About Identity Policies
  - License Requirements for Identity Policies
  - Requirements and Prerequisites for Identity Policies
  - Create an Identity Policy
    - Create an Identity Mapping Filter
  - Identity Rule Conditions
    - Security Zone Rule Conditions
    - Network Rule Conditions
      - Redirect to Host Name Network Rule Conditions
    - VLAN Tags Rule Conditions
    - Port Rule Conditions
      - Port, Protocol, and ICMP Code Rule Conditions
    - Realm & Settings Rule Conditions
  - Create an Identity Rule
    - Identity Rule Fields
  - Sample Identity Policies and Rules
    - Create an Identity Policy with a Passive Authentication Rule
    - Create a Sample Identity Policy with an Active Authentication Rule
      - Active Authentication Using a Realm
      - Active Authentication Using a Realm Sequence
  - Manage an Identity Policy
  - Manage an Identity Rule
  - Troubleshoot User Control
Network Discovery
- Network Discovery Overview
  - About Detection of Host, Application, and User Data
  - Host and Application Detection Fundamentals
    - Passive Detection of Operating System and Host Data
    - Active Detection of Operating System and Host Data
    - Current Identities for Applications and Operating Systems
    - Current User Identities
    - Application and Operating System Identity Conflicts
    - NetFlow Data
      - Requirements for Using NetFlow Data
      - Differences between NetFlow and Managed Device Data
- Host Identity Sources
  - Overview: Host Data Collection
  - Requirements and Prerequisites for Host Identity Sources
  - Determining Which Host Operating Systems the System Can Detect
  - Identifying Host Operating Systems
  - Custom Fingerprinting
    - Managing Fingerprints
      - Activating and Deactivating Fingerprints
      - Editing an Active Fingerprint
      - Editing an Inactive Fingerprint
      - Creating a Custom Fingerprint for Clients
      - Creating a Custom Fingerprint for Servers
  - Host Input Data
    - Requirements for Using Third-Party Data
    - Third-Party Product Mappings
      - Mapping Third-Party Products
      - Mapping Third-Party Product Fixes
    - Mapping Third-Party Vulnerabilities
    - Custom Product Mappings
      - Creating Custom Product Mappings
      - Editing Custom Product Mapping Lists
      - Activating and Deactivating Custom Product Mappings
- Application Detection
  - Overview: Application Detection
    - Application Detector Fundamentals
    - Identification of Application Protocols in the Web Interface
    - Implied Application Protocol Detection from Client Detection
    - Host Limits and Discovery Event Logging
    - Special Considerations for Application Detection
      - Application Detection in Snort 3
  - Requirements and Prerequisites for Application Detection
  - Custom Application Detectors
    - Custom Application Detector and User-Defined Application Fields
    - Configuring Custom Application Detectors
      - Create a User-Defined Application
      - Specifying Detection Patterns in Basic Detectors
      - Specifying Detection Criteria in Advanced Detectors
      - Specifying EVE Process Assignments
      - Testing a Custom Application Protocol Detector
  - Viewing or Downloading Detector Details
  - Sorting the Detector List
  - Filtering the Detector List
    - Filter Groups for the Detector List
  - Navigating to Other Detector Pages
  - Activating and Deactivating Detectors
  - Editing Custom Application Detectors
  - Deleting Detectors
- Network Discovery Policies
  - Overview: Network Discovery Policies
  - Requirements and Prerequisites for Network Discovery Policies
  - Network Discovery Customization
    - Configuring the Network Discovery Policy
  - Network Discovery Rules
    - Configuring Network Discovery Rules
      - Actions and Discovered Assets
      - Monitored Networks
        
        Restricting the Monitored Network
        
        Configuring Rules for NetFlow Data Discovery
        
        Creating Network Objects During Discovery Rule Configuration
      - Port Exclusions
        
        Excluding Ports in Network Discovery Rules
        
        Creating Port Objects During Discovery Rule Configuration
      - Zones in Network Discovery Rules
        
        Configuring Zones in Network Discovery Rules
      - The Traffic-Based Detection Identity Source
        
        Configuring Traffic-Based User Detection
  - Configuring Advanced Network Discovery Options
    - Network Discovery General Settings
      - Configuring Network Discovery General Settings
    - Network Discovery Identity Conflict Settings
      - Configuring Network Discovery Identity Conflict Resolution
    - Network Discovery Vulnerability Impact Assessment Options
      - Enabling Network Discovery Vulnerability Impact Assessment
    - Indications of Compromise
      - Enabling Indications of Compromise Rules
    - Adding NetFlow Exporters to a Network Discovery Policy
    - Network Discovery Data Storage Settings
      - Configuring Network Discovery Data Storage
    - Configuring Network Discovery Event Logging
    - Adding Network Discovery OS and Server Identity Sources
  - Troubleshooting Your Network Discovery Strategy
FlexConfig Policies
- FlexConfig Policies
  - FlexConfig Policy Overview
    - Recommended Usage for FlexConfig Policies
    - CLI Commands in FlexConfig Objects
      - Determine the ASA Software Version and Current CLI Configuration
      - Prohibited CLI Commands
    - Template Scripts
    - FlexConfig Variables
      - How to Process Variables
        
        Single Value Variables
        
        Multiple Value Variables, All Values Are the Same Type
        
        Multiple Value Variables, Values Are Different Types
        
        Multiple Value Variables that Resolve to a Table of Values
      - How to See What a Variable Will Return for a Device
      - FlexConfig Policy Object Variables
      - FlexConfig System Variables
    - Predefined FlexConfig Objects
    - Predefined Text Objects
  - Requirements and Prerequisites for FlexConfig Policies
  - Guidelines and Limitations for FlexConfig
  - Customizing Device Configuration with FlexConfig Policies
    - Configure FlexConfig Objects
      - Add a Policy Object Variable to a FlexConfig Object
      - Configure Secret Keys
    - Configure FlexConfig Text Objects
    - Configure the FlexConfig Policy
    - Set Target Devices for a FlexConfig Policy
    - Preview the FlexConfig Policy
    - Verify the Deployed Configuration
    - Remove Features Configured Using FlexConfig
    - Convert from FlexConfig to Managed Feature
  - Examples for FlexConfig
    - How to Configure Precision Time Protocol (ISA 3000)
    - How to Configure Automatic Hardware Bypass for Power Failure (ISA 3000)
  - Migrating FlexConfig Policies
Advanced Network Analysis and Preprocessing
- Advanced Access Control Settings for Network Analysis and Intrusion Policies
  - About Advanced Access Control Settings for Network Analysis and Intrusion Policies
  - Requirements and Prerequisites for Advanced Access Control Settings for Network Analysis and Intrusion Policies
  - Inspection of Packets That Pass Before Traffic Is Identified
    - Best Practices for Handling Packets That Pass Before Traffic Identification
    - Specify a Policy to Handle Packets That Pass Before Traffic Identification
  - Advanced Settings for Network Analysis Policies
    - Setting the Default Network Analysis Policy
    - Network Analysis Rules
      - Network Analysis Policy Rule Conditions
        
        Security Zone Rule Conditions
        
        Network Rule Conditions
        
        VLAN Tags Rule Conditions
      - Configuring Network Analysis Rules
      - Managing Network Analysis Rules
- Get Started with Snort 3 Network Analysis Policies
  - Overview of Network Analysis Policies
  - Manage Network Analysis Policies
  - Snort 3 Definitions and Terminologies for Network Analysis Policy
  - Prerequisites for Network Analysis and Intrusion Policies
  - Custom Network Analysis Policy Creation for Snort 3
    - Common Industrial Protocol Safety
    - Detect and Block Safety Segments in CIP Packets
    - Network Analysis Policy Mapping
    - View Network Analysis Policy Mapping
    - Create a Network Analysis Policy
    - Modify the Network Analysis Policy
    - Search for an Inspector on the Network Analysis Policy Page
    - Copy the Inspector Configuration
    - Customize the Network Analysis Policy
    - Make Inline Edit for an Inspector to Override Configuration
    - Revert Unsaved Changes during Inline Edits
    - View the List of Inspectors with Overrides
    - Revert Overridden Configuration to Default Configuration
    - Validate Snort 3 Policies
    - Examples of Custom Network Analysis Policy Configuration
  - Network Analysis Policy Settings and Cached Changes
  - Custom Rules in Snort 3
  - Overview of Encrypted Visibility Engine
  - How EVE Works
  - Indications of Compromise Events
  - QUIC Fingerprinting in EVE
  - Configure EVE
    - View Encrypted Visibility Engine Events
    - View EVE Dashboard
  - About Elephant Flow Detection and Remediation
  - Elephant Flow Upgrade from Intelligent Application Bypass
  - Configure Elephant Flow
- Application Layer Preprocessors
  - Introduction to Application Layer Preprocessors
  - License Requirements for Application Layer Preprocessors
  - Requirements and Prerequisites for Application Layer Preprocessors
  - The DCE/RPC Preprocessor
    - Connectionless and Connection-Oriented DCE/RPC Traffic
    - DCE/RPC Target-Based Policies
      - RPC over HTTP Transport
    - DCE/RPC Global Options
    - DCE/RPC Target-Based Policy Options
    - Traffic-Associated DCE/RPC Rules
    - Configuring the DCE/RPC Preprocessor
  - The DNS Preprocessor
    - DNS Preprocessor Options
    - Configuring the DNS Preprocessor
  - The FTP/Telnet Decoder
    - Global FTP and Telnet Options
    - Telnet Options
    - Server-Level FTP Options
      - FTP Command Validation Statements
    - Client-Level FTP Options
    - Configuring the FTP/Telnet Decoder
  - The HTTP Inspect Preprocessor
    - Global HTTP Normalization Options
    - Server-Level HTTP Normalization Options
      - Server-Level HTTP Normalization Encoding Options
    - Configuring the HTTP Inspect Preprocessor
    - Additional HTTP Inspect Preprocessor Rules
  - The Sun RPC Preprocessor
    - Sun RPC Preprocessor Options
    - Configuring the Sun RPC Preprocessor
  - The SIP Preprocessor
    - SIP Preprocessor Options
    - Configuring the SIP Preprocessor
    - Additional SIP Preprocessor Rules
  - The GTP Preprocessor
    - GTP Preprocessor Rules
    - Configuring the GTP Preprocessor
  - The IMAP Preprocessor
    - IMAP Preprocessor Options
    - Configuring the IMAP Preprocessor
    - Additional IMAP Preprocessor Rules
  - The POP Preprocessor
    - POP Preprocessor Options
    - Configuring the POP Preprocessor
    - Additional POP Preprocessor Rules
  - The SMTP Preprocessor
    - SMTP Preprocessor Options
    - Configuring SMTP Decoding
  - The SSH Preprocessor
    - SSH Preprocessor Options
    - Configuring the SSH Preprocessor
  - The SSL Preprocessor
    - How SSL Preprocessing Works
    - SSL Preprocessor Options
    - Configuring the SSL Preprocessor
    - SSL Preprocessor Rules
- SCADA Preprocessors
  - Introduction to SCADA Preprocessors
  - License Requirements for SCADA Preprocessors
  - Requirements and Prerequisites for SCADA Preprocessors
  - The Modbus Preprocessor
    - Modbus Preprocessor Ports Option
    - Configuring the Modbus Preprocessor
    - Modbus Preprocessor Rules
  - The DNP3 Preprocessor
    - DNP3 Preprocessor Options
    - Configuring the DNP3 Preprocessor
    - DNP3 Preprocessor Rules
  - The CIP Preprocessor
    - CIP Preprocessor Options
    - CIP Events
    - CIP Preprocessor Rules
    - Guidelines for Configuring the CIP Preprocessor
    - Configuring the CIP Preprocessor
  - The S7Commplus Preprocessor
    - Configuring the S7Commplus Preprocessor
- Transport and Network Layer Preprocessors
  - Introduction to Transport and Network Layer Preprocessors
  - License Requirements for Transport and Network Layer Preprocessors
  - Requirements and Prerequisites for Transport and Network Layer Preprocessors
  - Advanced Transport/Network Preprocessor Settings
    - Ignored VLAN Headers
    - Active Responses in Intrusion Drop Rules
    - Advanced Transport/Network Preprocessor Options
    - Configuring Advanced Transport/Network Preprocessor Settings
  - Checksum Verification
    - Checksum Verification Options
    - Verifying Checksums
  - The Inline Normalization Preprocessor
    - Inline Normalization Options
    - Configuring Inline Normalization
  - The IP Defragmentation Preprocessor
    - IP Fragmentation Exploits
    - Target-Based Defragmentation Policies
    - IP Defragmentation Options
    - Configuring IP Defragmentation
  - The Packet Decoder
    - Packet Decoder Options
    - Configuring Packet Decoding
  - TCP Stream Preprocessing
    - State-Related TCP Exploits
    - Target-Based TCP Policies
    - TCP Stream Reassembly
    - TCP Stream Preprocessing Options
    - Configuring TCP Stream Preprocessing
  - UDP Stream Preprocessing
    - UDP Stream Preprocessing Options
    - Configuring UDP Stream Preprocessing
- Specific Threat Detection
  - Introduction to Specific Threat Detection
  - License Requirements for Specific Threat Detection
  - Requirements and Prerequisites for Specific Threat Detection
  - Back Orifice Detection
    - Back Orifice Detection Preprocessor
    - Detecting Back Orifice
  - Portscan Detection
    - Portscan Types, Protocols, and Filtered Sensitivity Levels
    - Portscan Event Generation
    - Portscan Event Packet View
    - Configuring Portscan Detection
  - Rate-Based Attack Prevention
    - Rate-Based Attack Prevention Examples
      - detection_filter Keyword Example
      - Dynamic Rule State Thresholding or Suppression Example
      - Policy-Wide Rate-Based Detection and Thresholding or Suppression Example
      - Rate-Based Detection with Multiple Filtering Methods Example
    - Rate-Based Attack Prevention Options and Configuration
      - Rate-Based Attack Prevention, Detection Filtering, and Thresholding or Suppression
    - Configuring Rate-Based Attack Prevention
- Adaptive Profiles
  - About Adaptive Profiles
  - License Requirements for Adaptive Profiles
  - Requirements and Prerequisites for Adaptive Profiles
  - Adaptive Profile Updates
  - Adaptive Profile Updates and Cisco Recommended Rules
  - Adaptive Profile Options
  - Configuring Adaptive Profiles
Advanced Network Analysis in Snort 3
- Get Started with Snort 3 Network Analysis Policies
  - Overview of Network Analysis Policies
  - Manage Network Analysis Policies
  - Snort 3 Definitions and Terminologies for Network Analysis Policy
  - Prerequisites for Network Analysis and Intrusion Policies
  - Custom Network Analysis Policy Creation for Snort 3
    - Common Industrial Protocol Safety
    - Detect and Block Safety Segments in CIP Packets
    - Network Analysis Policy Mapping
    - View Network Analysis Policy Mapping
    - Create a Network Analysis Policy
    - Modify the Network Analysis Policy
    - Search for an Inspector on the Network Analysis Policy Page
    - Copy the Inspector Configuration
    - Customize the Network Analysis Policy
    - Make Inline Edit for an Inspector to Override Configuration
    - Revert Unsaved Changes during Inline Edits
    - View the List of Inspectors with Overrides
    - Revert Overridden Configuration to Default Configuration
    - Validate Snort 3 Policies
    - Examples of Custom Network Analysis Policy Configuration
  - Network Analysis Policy Settings and Cached Changes
Reference
- FAQ and Support
  - Security Cloud Control Platform Maintenance Schedule
  - Navigate from Security Cloud Control to Cloud-Delivered Firewall Management Center
  - What does the default action "Analyze all tunnel traffic" for prefiltering mean?
  - How Security Cloud Control Processes Personal Information
  - Can I restore a backup from a different device?
  - Does deploying a new prefilter policy immediately affect ongoing sessions?
  - How do I keep my security databases and feeds up to date?
  - What version of Secure Firewall Threat Defense can I manage with Cloud-Delivered Firewall Management Center?
  - How do I exclude specific traffic (Webex, Zoom, etc) from the remote access VPN?
  - How do I prevent users from accessing undesirable external network resources, such as inappropriate websites?
  - Security Feed Questions
    - How do I update intrusion rules (SRU/LSP)?
    - How do I update my Cisco vulnerability database (VDB)?
    - How do I update my Geolocation database?
    - How do I update Security Intelligence feeds?
    - How do I update URL reputations?
  - How do I setup Rate-Based Attack Prevention on the FTD using Snort 2?
  - Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
  - About Data Interfaces
  - End-of-Support for management of the Secure Firewall Threat Defense Version 7.0.x managed by Cloud-Delivered Firewall Management Center
- Secure Firewall Management Center Command Line Reference
  - About the Secure Firewall Management Center CLI
    - Firewall Management Center CLI Modes
  - Secure Firewall Management Center CLI Management Commands
    - exit
    - expert
    - ? (question mark)
  - Secure Firewall Management Center CLI Show Commands
    - version
  - Secure Firewall Management Center CLI Configuration Commands
    - password
  - Secure Firewall Management Center CLI System Commands
    - generate-troubleshoot
    - lockdown
    - reboot
    - restart
    - shutdown
- Security, Internet Access, and Communication Ports
  - Communication Ports
  - Internet Resources Accessed
  - Cloud Services

Intrusion Detection and Prevention Mitigate Threats Using MITRE Framework in Snort 3 Intrusion Policies View Intrusion Events

Last updated: Aug 18, 2025

View Intrusion Events

You can view the MITRE ATT&CK techniques and rule groups in the intrusion events on the Classic Event Viewer and Unified Event Viewer pages. Talos provides mappings from Snort rules (GID:SID) to MITRE ATT&CK techniques and rule groups. These mappings are installed as part of the Lightweight Security Package (LSP).

Procedure

1	Click Analysis and select Events under Intrusions.
2	Click the Table View of Events tab.
3	Under MITRE ATT&CK, you can see the techniques for an intrusion event. Click 1 Technique to view the MITRE ATT&CK techniques. In this example, Exploit Public-Facing Application is the technique.
4	Click Close.
5	Click Analysis and select Unified Events.
6	If not enabled, click the column selector icon to enable the MITRE ATT&CK and Rule Group columns.
7	In this example, the intrusion event is triggered by an event that is mapped to one rule group. Click 1 Group under the Rule Group column.
8	You can view Protocol, which is the parent rule group, and the DNS rule group under it. Choose Protocol > DNS to search for all the intrusion events that have at least one rule group that is . The search results are displayed.

Previous topic View and Edit Your Snort 3 Intrusion Policy Next topic Additional References