How Security Cloud Control Firewall Management Manages Catalyst SD-WAN NGFW Capabilities

When the Catalyst SD-WAN Manager is integrated with Security Cloud Control Firewall Management, the existing NGFW policies, security objects, and security profiles from the Catalyst SD-WAN Manager are automatically imported into the Firewall Manager. Users can modify these NGFW parameters or create new ones directly from Firewall Manager. All the changes made in Firewall Manager are synchronized and saved within the Catalyst SD-WAN Manager.

After the Catalyst SD-WAN Manager is onboarded to Firewall Manager, the management of policies, objects, and profiles can no longer be performed through the Catalyst SD-WAN Manager. Instead, these management tasks must be carried out exclusively from Firewall Manager.

A "Managed by Security Cloud Control (SCC)" banner will be displayed on the Catalyst SD-WAN Manager that is onboarded to Firewall Manager, indicating the integration. This message can be viewed in the Catalyst SD-WAN Manager by navigating to the relevant configuration sections:

  • For Security Objects and Profiles: Configuration > Policy Groups > Objects and Profiles > Security Objects

  • For NGFW Policies: Configuration > Policy Groups > NGFW

Restrictions for Firewall Manager and Catalyst SD-WAN Manager Integration

  • Cloud connectivity is essential

    Catalyst SD-WAN Manager can be deployed either on-premises or hosted in the Cisco cloud. To function properly, it must have cloud connectivity. Placing Catalyst SD-WAN Manager behind a NAT device is supported, with one restriction: port 443 (HTTPS) must be open so that cloud connectivity is possible.

  • Deboard Catalyst SD-WAN Manager to edit NGFW policies, objects, and profiles

    To make changes in the NGFW policies, objects, and profiles from the Catalyst SD-WAN Manager, you have to deboard it from the Firewall Manager.

  • Customized IPS profiles not supported

    Security profiles do not support IPS policies (Signature set objects) that are editable or customized.

  • Live logs unavailable with SAL

    Live logs cannot be viewed on Firewall Manager using Cisco Security Analytics and Logging. You can only view historical events.

  • Modify user role privileges for Firewall Manager users with caution

    Exercise caution when changing user role privileges on Catalyst SD-WAN Manager for users who are part of Firewall Manager. Modifying privileges for Firewall Manager-associated users can result in configuration failures.

  • On-Prem multitenant Catalyst SD-WAN Manager not supported

    On-premises multitenant deployments of Catalyst SD-WAN Manager are not supported in Firewall Manager for version 20.18.1. Only single-tenant Catalyst SD-WAN Manager deployments are compatible with Firewall Manager in this release.

  • Dark mode not supported

    It is recommended not to enable dark mode in Firewall Manager when Catalyst SD-WAN Manager is integrated.


Changes can be made to the NGFW policies, objects, and profiles from the Catalyst SD-WAN Manager after it has been deboarded from Firewall Manager.

Firewall Manager allows you to perform the following operations:

  • Create, modify, or delete NGFW policies, security objects, and security profiles.

  • Search security objects across devices using global search functionality.

  • Associate a policy group to a Catalyst SD-WAN NGFW policy.

Policy deployment to Secure Router devices

Changes made to the NGFW policies, security objects, and security profiles in Firewall Manager will automatically be saved to the Catalyst SD-WAN Manager. However, the updated configuration must be manually deployed to Secure Router devices using the Catalyst SD-WAN Manager. Note that changes cannot be directly pushed to devices from Firewall Manager.