Login

Cisco Security Cloud Control for Firewall Management Configuration Guide

Introduction
- Overview of Security Cloud Control Firewall Management
  - About Cisco Security Cloud Control
  - Products Managed by Cisco Security Cloud Control
  - An Introduction to Security Cloud Control Firewall Management
  - Cloud-delivered Firewall Management Center in Firewall Manager
  - Maintenance Plan for Security Cloud
    - Firewall Manager Platform Maintenance Schedule
    - Cloud-Delivered Firewall Management Center Maintenance Schedule
  - The Firewall Dashboard
Get Started
- Cisco AI Assistant User Guide
  - Onboard with Cisco AI Assistant
  - Prompt Guide for Cisco AI Assistant
  - Online Help Documentation
  - Policy Insights
  - Policy Analyzer and Optimizer
  - Automate Policy Rule Creation
  - Contact Support
  - Notifications Center
  - Cisco AI Assistant Frequently Asked Questions (FAQ)
- Manage Tenants and Users
  - Manage a Firewall Manager Tenant
    - Configure User Preferences
      - General Preferences
        
        Change the Firewall Manager Web Interface Appearance
      - User Notification Preferences
      - View Firewall Manager Notifications
    - Tenant Settings
      - Enable Change Request Tracking
      - Prevent Cisco Support from Viewing your Tenant
      - Enable the Option to Auto-accept Device Changes
      - Default Conflict Detection Interval
      - Enable the Option to Schedule Automatic Deployments
      - Web Analytics
      - Share Event Data with Cisco Talos
      - Configure a Default Recurring Backup Schedule
      - Tenant ID
      - Tenant Name
      - Firewall Manager Platform Navigator
    - Organization Notification Settings
      - Enable Email Subscribers
        
        Add an Email Subscription
        
        Edit Email Subscriptions
        
        Delete an Email Subscription
      - Enable Service Integrations for Firewall Manager Notifications
        
        Incoming Webhooks for Webex Teams
        
        Incoming Webhooks for Microsoft Teams
        
        Incoming Webhooks for Slack
        
        Incoming Webhooks for a Custom Integration
    - Logging Settings
    - Integrate Your SAML Single Sign-On with Security Cloud Control
    - Renew SSO Certificate
    - My Tokens
    - API Tokens
      - API Token Format and Claims
      - Manage API-only Users for Security Cloud Control Firewall Management
      - Token Management
        
        Generate an API Token
        
        Refresh an API Token
        
        Revoke an API Token
    - Relationship Between the Identity Provider Accounts and Firewall Manager User Records
      - Login Workflow
      - Implications of this Architecture
        
        Customers Who Use Cisco Security Cloud Sign On
        
        Customers Who Have Their Own Identity Provider
        
        Cisco Managed Service Providers
        
        Related Topics
    - MSSP Portal
      - Security Devices Details
      - Add a Tenant to the MSSP Portal
      - Delete a Tenant from the MSSP Portal
      - Manage MSSP Portal Settings
        
        Settings
        
        Switch Tenant
    - The Cisco Success Network
  - Manage Users in Firewall Manager
    - Manage Super Admins on Your Tenant
    - View the API User Records Associated with your Tenant
  - Active Directory Groups in User Management
    - Prerequisites for Adding an Active Directory Group to Firewall Manager
    - Add an Active Directory Group for User Management
    - Edit an Active Directory Group for User Management
    - Delete an Active Directory Group for User Management
  - Create a New Firewall Manager User
    - Create a Cisco Security Cloud Sign On Account for the New User
      - About Logging in to Firewall Manager
      - Before You Log In
      - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
    - Create a User Record with Your Firewall Manager Username
    - The New User Opens Firewall Manager from the Cisco Secure Sign-On Dashboard
  - User Roles in Firewall Manager
    - Read-only Role
    - Edit-Only Role
    - Deploy-Only Role
    - VPN Sessions Manager Role
    - Admin Role
    - Super Admin Role
    - Change The Record of the User Role
  - Add a User Account to Firewall Manager
    - Create a User Record
    - Create API Only Users
  - Edit a User Record for a User Role
    - Edit a User Role
  - Delete a User Record for a User Role
    - Delete a User Record
- Integrating Firewall Manager with Cisco Security Cloud Sign On
  - Merge Your Firewall Manager and Cisco XDR Tenant Accounts
Manage Security Devices
- Onboard Devices and Services
  - Secure Device Connector
    - Connect Firewall Manager to your Managed Devices
    - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
    - Deploy a Secure Device Connector On Your VM
    - Bootstrap a Secure Device Connector on the Deployed Host
    - Deploy a Secure Device Connector to vSphere Using Terraform
    - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
    - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
    - Change the IP Address of a Secure Device Connector
    - Remove a Secure Device Connector
    - Rename a Secure Device Connector
    - Specify a Default Secure Device Connector
    - Update your Secure Device Connector
    - Using Multiple SDCs on a Single Firewall Manager Tenant
    - Firewall Manager Devices that Use the Same SDC
  - Supported Devices, Software, and Hardware
    - ASA Support Specifics
    - Cloud Device Support Specifics
    - Switching and Routing Support Specifics
- Onboard a Firewall Threat Defense Device
  - Onboarding Overview
  - Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center
  - Onboard a Device with a CLI Registration Key
  - Onboard a Firewall Threat Defense Device to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Onboard a Firewall Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
  - Onboard Firewall Threat Defense Devices using Device Templates to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Deploy a Threat Defense Device with AWS
  - Deploy a Firewall Threat Defense Device in Azure
    - Onboard an Azure VNet Environment
    - Deploy a Firewall Threat Defense Virtual in Azure
  - Deploy a Firewall Threat Defense Device to Google Cloud Platform
    - Create VPC Networks for GCP
    - Deploy a Firewall Threat Defense Device on Google Cloud Platform
  - Onboard a Secure Firewall Threat Defense Cluster
  - Onboard a Chassis
  - Delete Devices from Cloud-Delivered Firewall Management Center
  - Troubleshooting
    - Troubleshoot Cloud-Delivered Firewall Management Center Connectivity with TCP
    - Troubleshoot Firewall Threat Defense Device Connectivity
    - Troubleshoot Device Connectivity Loss After Cloud-delivered Firewall Management Center Update
    - Troubleshoot Onboarding a Device to the Cloud-Delivered Firewall Management Center Using the CLI Registration Key
      - Error: Device Remains in Pending Setup State After Onboarding
    - Troubleshoot Onboarding a Device to Cloud-Delivered Firewall Management Center Using the Serial Number
      - Device is Offline or Unreachable
      - Error: Serial Number Already Claimed
      - Error: Claim Error
      - Error: Failed to Claim
      - Error: Provisional Error
  - Onboard a Firewall Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
- Onboard ASA Devices
  - Onboard ASA Devices
    - Onboard ASA Device to Firewall Manager
    - Onboard a High Availability Pair of ASA Devices to Firewall Manager
    - Onboard an ASA in Multi-Context Mode to Firewall Manager
    - Onboard Multiple ASAs to Firewall Manager
      - Pause and Resume Onboarding Multiple ASAs
    - Create and Import an ASA Model to Firewall Manager
      - Import ASA Configuration
- Onboard an On-Premises Firewall Management Center
  - Supported Devices, Software, and Hardware
    - ASA Support Specifics
    - Cloud Device Support Specifics
    - Switching and Routing Support Specifics
  - Onboard an On-Premises Firewall Management Center
    - Onboard an On-Premises Management Center to Firewall Manager
      - Auto-Onboard an On-Premises Management Center Integrated with Cisco Security Cloud
        
        Integrate On-Premises Management Center With Cisco Security Cloud
        
        Disable Auto-Onboarding of an On-Premises Management Center
      - Onboard an On-Premises Firewall Management Center to Firewall Manager with Credentials
      - Redirect Firewall Manager to an On-Premises Firewall Management Center
    - Remove an On-Premises Firewall Management Center from Firewall Manager
- Onboard a Catalyst SD-WAN Manager to Firewall Manager
  - Minimum Software Requirements
  - Onboard a Catalyst SD-WAN Manager to Security Cloud Control Firewall Management
  - Remove Catalyst SD-WAN Manager from Security Cloud Control Firewall Management
  - Alignment of RBAC Models of Security Cloud Control Firewall Management and Catalyst SD-WAN Manager
  - How Security Cloud Control Firewall Management Manages Catalyst SD-WAN NGFW Capabilities
- Onboard Firewall Manager Integrations
  - Onboard Firewall Manager Integrations
    - Onboard an SSH Device
      - Onboard an SSH Device
      - Delete a Device from Security Cloud Control
    - Onboard a Cisco IOS Device
      - Onboard a Cisco IOS Device
        
        Create and Import an ASR or ISR Model
        
        Download ASR or ISR Configuration
        
        Import ASR or ISR Configuration
      - Delete a Device from Security Cloud Control
      - Import Configuration for Offline Device Management
      - Delete a Device from Security Cloud Control
- Onboard Meraki MX Devices
  - Onboard Meraki MX Devices
    - Onboard Meraki MX to Firewall Manager
      - Generate and Retrieve Meraki API Key
      - Onboard an MX Device to Firewall Manager
    - Onboard Meraki Templates to Firewall Manager
      - Generate and Retrieve Meraki API Key
      - Onboard an Meraki Template to Firewall Manager
    - Update Meraki MX Connection Credentials
    - Delete a Device from Security Cloud Control
- Onboarding an Umbrella Organization
  - Onboarding an Umbrella Organization
    - Umbrella License Requirements
    - Generate an API Key and Secret
    - Umbrella Organization ID
    - Onboarding an Umbrella Orgnization
    - Reconnect an Umbrella Organization to Firewall Manager
    - Cross-launch to the Umbrella dashboard
    - Delete a Device from Security Cloud Control
- Onboard an AWS VPC
  - Onboard an AWS VPC
  - Supported Devices, Software, and Hardware
- Manage Onboarded Device Settings
  - Changing a Device's IP Address in Firewall Manager
  - Changing a Device's Name in Firewall Manager
  - Export a List of Devices and Services
  - Export Device Configuration
  - External Links for Devices
    - Create an External Link from your Device
    - Create an External Link to ASDMFDM
    - Create an External Link for Multiple Devices
    - Edit or Delete External Links
    - Edit or Delete External Links for Multiple Devices
  - Bulk Reconnect Devices to Firewall Manager
  - Moving Devices Between Tenants
  - Device Certificate Expiry Detection
  - Update Meraki MX Connection Credentials
  - Write a Device Note
  - Delete a Device from Security Cloud Control
  - Manage Security Devices
  - Security Devices Overview
  - Firewall Manager Labels and Filtering
    - Apply Labels to Devices and Objects
    - Labels and Tags in AWS VPC
    - Filters
  - Use Firewall Manager Search Functionality
    - Page Level Search
    - Global Search
      - Initiate Full Indexing
      - Perform a Global Search
- Manage CLI Templates
  - CLI Templates
  - Create a CLI Template
  - Edit a CLI Template
  - Export a CLI Template
  - Delete a CLI Template
- Upgrade Devices and Services
  - FDM Software Upgrade Paths
    - Other Upgrade Limitations
    - 4100 and 9300 Series Devices
  - FDM-Managed Device Upgrade Prerequisites
  - Upgrade a Single FDM-Managed Device
    - Upgrade A Single FDM-Managed Device with Images from Firewall Manager 's Repository
    - Upgrade a Single FDM-Managed Device with Images from your own Repository
    - Monitor the Upgrade Process
  - Bulk FDM-Managed Devices Upgrade
    - Upgrade Bulk FDM-Managed Devices with Images from Firewall Manager 's Repository
    - Upgrade Bulk FDM-Managed Devices with Images from your own Repository
    - Monitor the Bulk Upgrade Process
  - Upgrade an FDM-Managed High Availability Pair
    - Upgrade an FDM-Managed HA Pair with Images from Security Cloud Control's Repository
    - Upgrade an FDM-Managed HA Pair with Images from your own Repository
    - Monitor the Upgrade Process
  - Upgrade to Snort 3.0
    - Upgrade the Device and the Intrusion Prevention Engine Simultaneously
    - Upgrade the Intrusion Prevention Engine
    - Monitor the Upgrade Process
  - Revert From Snort 3.0 for FDM-Managed Device
    - Revert From Snort 3.0
  - Schedule a Security Database Update
    - Edit a Scheduled Security Database Update
  - Prerequisites for ASA and ASDM Upgrade in Firewall Manager
  - Upgrade Bulk ASA and ASDM in Firewall Manager
    - Upgrade Multiple ASAs with Images from your own Repository
  - Upgrade ASA and ASDM Images on a Single ASA
  - Upgrade ASA and ASDM Images in a High Availability Pair
    - Workflow
    - Upgrade ASA and ASDM Images in a High Availability Pair
  - Upgrade an ASA or ASDM Using Your Own Image
Migrate Devices
- Migrate Threat Defense to Cloud-delivered Firewall Management Center
  - About Migrating Firewall Threat Defense to Cloud-delivered Firewall Management Center
  - Supported On-Premises Firewall Management Center and Firewall Threat Defense Software for Migration
  - Licensing
  - Supported Features
  - Unsupported Features
  - Migration Guidelines and Limitations for VPN Configuration
  - Managing Threat Defense Events and Analytics
  - Before You Begin Migration
  - Migrate Firewall Threat Defense to Cloud-Delivered Firewall Management Center
  - View a Firewall Threat Defense Migration Job
    - Proceed Migration Process
    - Commit Migration Changes Manually to Cloud-delivered Firewall Management Center
    - Revert the Firewall Threat Defense Management to On-Premises Firewall Management Center
    - View Migrated Devices
    - Generate a Firewall Threat Defense Migration Report
    - Delete a Migration Job
  - Enable Notification Settings
  - Troubleshoot Firewall Threat Defense Migration to Cloud-Delivered Firewall Management Center
    - Verify Firewall Threat Defense Connectivity with Cloud-delivered Firewall Management Center
- Migrate Firewalls with the Migration Tool in Firewall Manager
  - Is This Guide for You?
  - Get Started with the Firewall Migration Tool in Firewall Manager
    - Supported Configurations
    - Licenses
    - Initialize a New Migration Instance
    - Delete a Migration Instance
    - Using the Demo Mode in the Secure Firewall Migration Tool
  - Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Firewall Manager
  - Migrating Microsoft Azure Native Firewall with the Firewall Migration Tool in Firewall Manager
  - Migrate FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Firewall Manager
  - Migrate Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Firewall Manager
  - Migrating Check Point Firewall to Multicloud Defense with the Firewall Migration Tool in Firewall Manager
  - Migrate Fortinet Firewall with the Firewall Migration Tool in Firewall Manager
  - Migrating Fortinet Firewall to Multicloud Defense with the Firewall Migration Tool in Firewall Manager
  - Migrate Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Firewall Manager
  - Migrate Secure Firewall ASA to Multicloud Defense with the Firewall Migration Tool in Security Cloud Control Firewall Management
  - Migrate Palo Alto Networks Firewall to Multicloud Defense with the Firewall Migration Tool in Security Cloud Control Firewall Management
  - Related Documentation
Configure Devices And Services
- Configure Cloud-Delivered Firewall Management Center-Managed Secure Firewall Threat Defense
  - Firewall Manager Integrations Page
  - Navigate to the Cloud-Delivered Firewall Management Center in your Firewall Manager Tenant
  - Enable Cloud-Delivered Firewall Management Center on Your Firewall Manager Tenant
- Configure Secure Firewall ASA Devices
  - Managing Secure Firewall ASA with Firewall Manager
  - Update ASA Connection Credentials in Firewall Manager
    - Move an ASA from one SDC to Another
  - ASA Interface Configuration
    - Configure an ASA Physical Interface
      - Configure IPv4 Addressing for ASA Physical Interface
      - Configure IPv6 Addressing for ASA Physical Interface
      - Configure Advanced ASA Physical Interface Options
      - Enable the ASA Physical Interface
    - Add an ASA VLAN Subinterface
      - Configure ASA VLAN Subinterfaces
      - Configure IPv4 Addressing for ASA Subinterface
      - Configure IPv6 Addressing for ASA Subinterface
      - Configure Advanced ASA Subinterface Options
      - Enable the Subinterface
      - Remove ASA Subinterface
    - About ASA EtherChannel Interfaces
      - Configure ASA EtherChannel
        
        Edit ASA EtherChannel
        
        Remove ASA EtherChannel Interface
  - ASA System Settings Policy in Firewall Manager
    - Create an ASA Shared System Settings Policy
      - Configure Basic DNS Settings
      - Configure HTTP Settings
      - Set the Date and Time Using an NTP Server
      - Configure SSH Access
      - Configure System Logging
      - Enable Sysopt Settings
      - Assign a Policy from the Shared System Settings Page
    - Configure or Modify Device Specific System Settings
      - Assign a Policy from Device-Specific Settings Page
    - Auto Assignment of ASA Devices to a Shared System Settings Policy
    - Filter ASA Shared System Settings Policy
    - Disassociate Devices from Shared System Settings Policy
    - Delete Shared Settings Policy
  - ASA Routing in Firewall Manager
    - About ASA Static Route
      - Configure ASA Static Route
      - Edit ASA Static Route
      - Delete a Static Route
  - Manage Security Policies in Firewall Manager
  - Manage ASA Network Security Policy
    - About ASA Access Control Lists and Access Groups
    - Create an ASA Access List
    - Add a Rule to an ASA Access List
      - About System Log Activity
      - Deactivate Rules in an Access Control List
      - About Security Group Tags in ASA Policies
    - Assign Interfaces to ASA Access Control List
    - Create an ASA Global Access List
    - Improvements to the ASA Shared Policy Model
    - Share an ASA Access Control List with Multiple ASA Devices
    - Copy an ASA Access Control List to Another ASA
    - Copy a Rule Within or Across ASA Access Lists and Devices
    - Unshare a Shared ASA Access Control List
    - View ASA Access Policies Listing Page
    - Global Search of ASA Access Lists
    - Rename an ASA Access Control List
    - Delete a Rule from an ASA Access Control List
    - Delete an ASA Access Control List
  - Compare ASA Network Policies
  - Hit Rates
    - View Hit Rates of ASA Policies
  - Search and Filter ASA Network Rules in the Access List
  - Shadowed Rules
    - Find Network Policies with Shadowed Rules
    - Resolve Issues with Shadowed Rules
  - Network Address Translation
  - Order of Processing NAT Rules
  - Network Address Translation Wizard
    - Create a NAT Rule by using the NAT Wizard
  - Common Use Cases for NAT
    - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
    - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
    - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
      - NAT Incoming FTP Traffic to an FTP Server
      - NAT Incoming HTTP Traffic to an HTTP Server
      - NAT Incoming SMTP Traffic to an SMTP Server
    - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
      - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
    - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
      - Create a Twice NAT Rule
  - API Tokens
  - Manage ASA Certificates
    - Install ASA Certificates
    - Install an Identity Certificate Using PKCS12
    - Install a Certificate Using Self-Signed Enrollment
    - Manage a Certificate Signing Request (CSR)
      - Generate a CSR Request
      - Install a Signed Identity Certificate Issued by a Certificate Authority
    - Install a Trusted CA Certificate in ASA
    - Export an Identity Certificate
    - Edit an Installed Certificate
    - Delete an Existing Certificate from ASA
  - ASA File Management
    - Upload File to a Single ASA Device
    - Upload File to Multiple ASA Devices
    - Remove Files from ASA
  - Managing ASAs with Pre-existing High Availability Configuration
    - Configuration Changes Made to ASAs in Active-Active Failover Mode
  - Manage ASA Configuration Files
    - View a Device's Configuration File
  - Configure DNS on ASA
    - Procedure
  - Firewall Manager Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Compare ASA Configurations Using Firewall Manager
  - ASA Bulk CLI Use Cases
    - Show all users in the running configuration of an ASA and then delete one of the users
    - Find all SNMP configurations on selected ASAs
  - ASA Command Line Interface Documentation
  - Command Line Interface Documentation
  - Restore an ASA Configuration
    - Restore an ASA Configuration
    - Troubleshooting
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
    - Edit a Complete Device Configuration File
      - Procedure
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Firewall Manager
      - Read Configuration Changes on ASA
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Firewall Manager to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Firewall Manager GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Firewall Manager 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Firewall Manager and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
- Configure On-Premises Firewall Management Center-Managed Secure Firewall Threat Defense Devices
  - Managing On-Premises Firewall Management Center with Firewall Manager
  - View Onboarded On-Premises Management Center
  - Discover and Manage On-Prem Firewall Management Center Network Objects
  - Manage Device Configuration
  - Read All Device Configurations
  - Preview and Deploy On-Premises Firewall Management Center Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Discard On-Premises Firewall Management Center Configuration Changes
  - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Firewall Manager and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
  - Remove an On-Premises Firewall Management Center from Firewall Manager
- Configure Catalyst SD-WAN Manager
  - An Introduction to Catalyst SD-WAN Devices
  - Supported Operations on Catalyst SD-WAN Devices
  - View Configuration of Catalyst SD-WAN Devices
  - Cross-Launch Policy Groups on Catalyst SD-WAN
  - An Introduction to Catalyst SD-WAN Security Objects and Security Profiles
  - Create new Catalyst SD-WAN Security Objects and Security Profiles
    - SDWAN Application List
    - SDWAN Data Prefixes
    - SDWAN FQDN
    - SDWAN Geolocation
    - SDWAN Identity
    - SDWAN Port Object
    - SDWAN Protocol Object
    - SDWAN Security Group Tag
    - SDWAN Signatures
    - SDWAN URL Allow List
    - SDWAN URL Block List
    - SDWAN Zone
    - SDWAN Advanced Inspection Profile Policy
    - SDWAN Advanced Malware Protection Policy
    - SDWAN Intrusion Prevention Policy
    - SDWAN TLS/SSL Decryption Policy
    - SDWAN TLS/SSL Profile Policy
    - SDWAN URL Filtering Policy
  - Modify Catalyst SD-WAN Security Objects and Security Profiles
  - Delete Catalyst SD-WAN Security Objects
  - Filter Catalyst SD-WAN Security Objects
  - An Introduction to Catalyst SD-WAN NGFW Security Policies
  - Manage Existing Catalyst SD-WAN NGFW Security Policies
  - Create Catalyst SD-WAN Security Policies
  - Associate a Policy Group to Catalyst SD-WAN NGFW Policy
  - Deploy Policy Group from Catalyst SD-WAN Manager
- Configure Cisco Umbrella Tunnel Configuration
  - Read Umbrella Tunnel Configuration
  - Cross-launch to the Umbrella Tunnels Page
  - Configure a SASE Tunnel for Umbrella
  - Edit a SASE Tunnel
  - Delete a SASE Tunnel from Umbrella
- Configure Amazon Web Services Virtual Private Cloud
  - Managing AWS with Security Cloud Control Firewall Management
  - Update AWS VPC Connection Credentials
  - Monitor AWS VPC Tunnels using AWS Transit Gateway
  - Search and Filter Site-to-Site VPN Tunnels
  - View a history of changes made to the AWS VPC tunnels
  - Manage Security Policies in Firewall Manager
    - AWS VPC Policy
      - AWS VPCs and Security Groups in Firewall Manager
      - AWS VPC Security Groups Rules
      - Create a Security Group Rule
      - Edit a Security Group Rule
      - Delete a Security Group Rule
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Firewall Manager
      - Read Configuration Changes on ASA
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Firewall Manager to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Firewall Manager GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Firewall Manager 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Firewall Manager and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
- Configure Cisco Meraki
  - Managing Meraki with Security Cloud Control Firewall Management
  - How Does Firewall Manager Communicate With Meraki
  - Meraki Access Control Policy
  - Meraki Templates
- Configure Cisco IOS
  - Managing IOS Devices with Firewall Manager
  - Firewall Manager Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Compare ASA Configurations Using Firewall Manager
  - ASA Bulk CLI Use Cases
    - Show all users in the running configuration of an ASA and then delete one of the users
    - Find all SNMP configurations on selected ASAs
  - ASA Command Line Interface Documentation
  - Command Line Interface Documentation
  - Restore an ASA Configuration
    - Restore an ASA Configuration
    - Troubleshooting
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
    - Edit a Complete Device Configuration File
      - Procedure
  - Firewall Manager Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
  - Manage Device Configuration
  - Read All Device Configurations
  - Read Changes from Firewalls
  - Preview and Deploy Configuration Changes for All Devices
  - Bulk Deploy Device Configurations
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Configure SSH Devices
  - Managing SSH Devices with Security Cloud Control Firewall Management
- Manage Objects
  - Manage Objects
    - Object Types
    - Shared Objects
    - Object Overrides
    - Unassociated Objects
    - Compare Objects
    - Filters
      - Object Filters
        
        Configure Object Filters
        
        When to Exclude a Device from Filter Criteria
    - Deleting Objects
      - Delete a Single Object
      - Delete a Group of Unused Objects
    - Create IP Address Pool
    - Network Objects
      - Create or Edit ASA Network Objects and Network Groups
        
        Create an ASA Network Object
        
        Create an ASA Network Group
        
        Edit an ASA Network Object
        
        Edit an ASA Network Group
        
        Add Additional Values to a Shared Network Group in Firewall Manager
        
        Edit Additional Values in a Shared Network Group in Firewall Manager
        
        Deleting Network Objects and Groups in Firewall Manager
      - Create or Edit a Firepower Network Object or Network Groups
        
        Create a Firepower Network Object
        
        Create a Firepower Network Group
        
        Edit a Firepower Network Object
        
        Edit a Firepower Network Group
        
        Add an Object Override
        
        Edit Object Overrides
        
        Add Additional Values to a Shared Network Group
        
        Edit Additional Values in a Shared Network Group
        
        Deleting Network Objects and Groups in Firewall Manager
      - Discover and Manage On-Prem Firewall Management Center Network Objects
      - Objects Associated with Meraki Devices
      - Create a Local Meraki Network Object
      - Create or Edit a Meraki Network Object or Network Group
        
        Create a Meraki Network Object
        
        Create a Meraki Network Group
        
        Edit a Firepower Network Object or Network Group
        
        Deleting Network Objects and Groups in Firewall Manager
    - URL Objects
      - Create or Edit an FDM-Managed URL Object
      - Create a Firepower URL Group
        
        Edit a Firepower URL Object or URL Group
    - Application Filter Objects
      - Create and Edit a Firepower Application Filter Object
        
        Create a Firepower Application Filter Object
        
        Edit a Firepower Application Filter Object
    - Geolocation Objects
      - Create and Edit a Firepower Geolocation Filter Object
        
        Edit a Geolocation Object
    - DNS Group Objects
      - Create a DNS Group Object
      - Edit a DNS Group Object
      - Delete a DNS Group Object
    - Certificate Objects
      - About Certificates
      - Certificate Types Used by Feature
      - Configuring Certificates
      - Uploading Internal and Internal CA Certificates
        
        Procedure
      - Uploading Trusted CA Certificates
        
        Procedure
      - Generating Self-Signed Internal and Internal CA Certificates
        
        Procedure
    - Trustpoint Objects
      - Adding an Identity Certificate Object Using PKCS12
      - Create a Self-Signed Identity Certificate Object
      - Add an Identity Certificate Object for Certificate Signing Request (CSR)
      - Add a Trusted CA Certificate Object
      - Self-Signed and CSR Certificate Generation Based on Certificate Contents
    - About IPsec Proposals
      - Managing an IKEv1 IPsec Proposal Object
        
        Create or Edit an IKEv1 IPsec Proposal Object
      - Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
    - About Global IKE Policies
      - Managing IKEv1 Policies
        
        Create or Edit an IKEv1 Policy
      - Managing IKEv2 Policies
        
        Create or Edit an IKEv2 Policy
    - RA VPN Objects
      - Configure Identity Sources for ASA
        
        Determining the Directory Base DN
        
        RADIUS Servers and Groups
        
        Create an ASA Active Directory Realm Object
        
        Edit an ASA Active Directory Realm Object
        
        Create an ASA RADIUS Server Object or Group
        
        Create an ASA RADIUS Server Object
        
        Create an ASA RADIUS Server Group
        
        Edit an ASA Radius Server Object or Group
      - Create ASA Remote Access VPN Group Policies
        
        ASA Remote Access VPN Group Policy Attributes
      - Create New RA VPN Group Policies
        
        RA VPN Group Policy Attributes
    - AWS Security Groups and Cloud Security Group Objects
      - Sharing Objects Between AWS and other Managed Devices
    - Service Objects
      - Create and Edit ASA Service Objects
        
        Create an ASA Service Group
        
        Edit an ASA Service Object or Service Group
      - Create and Edit Firepower Service Objects
        
        Create a Firepower Service Group
        
        Edit a Firepower Service Object or Service Group
      - Create or Edit a Meraki Service Object
        
        Create a Service Object
        
        Create a Service Group
        
        Edit a Service Object or a Service Group
    - Security Group Tag Group
      - Security Group Tags
      - Create an SGT Group
      - Edit an SGT Group
      - Add an SGT Group to an Access Control Rule
    - ASA Time Range Objects
      - Create an ASA Time Range Object
      - Edit an ASA Time Range Object
- Cisco Secure Dynamic Attributes Connector
  - About the Cisco Secure Dynamic Attributes Connector
    - How It Works
  - About the Dashboard
    - Dashboard of an Unconfigured System
    - Dashboard of a Configured System
    - Add, Edit, or Delete Connectors
    - Add, Edit, or Delete Dynamic Attributes Filters
    - Add, Edit, or Delete Adapters
  - Create a Connector
    - Amazon Web Services Connector—About User Permissions and Imported Data
      - Create an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an AWS Connector
    - Amazon Web Services Security Groups Connector—About User Permissions and Imported Data
      - Create an AWS Security Groups Connector
    - Create an AWS Service Tags Connector
    - Azure Connector—About User Permissions and Imported Data
      - Create an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an Azure Connector
    - Create an Azure Service Tags Connector
    - Create a Multicloud Defense Connector
    - Create a Cisco Cyber Vision Connector
    - Create a Generic Text Connector
      - Manually Get a Certificate Authority (CA) Chain
    - Create a GitHub Connector
    - Google Cloud Connector—About User Permissions and Imported Data
      - Create a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create a Google Cloud Connector
    - Create an Office 365 Connector
    - Create a Webex Connector
    - Create a Zoom Connector
  - Create an Adapter
    - How to Create an On-Prem Firewall Management Center Adapter
    - How to Create a Cloud-Delivered Firewall Management Center Adapter
  - Create Dynamic Attributes Filters
    - Dynamic Attribute Filter Examples
  - Use Dynamic Objects in Access Control Policies
    - About Dynamic Objects in Access Control Rules
    - Dynamic Attributes Rule Conditions
    - Create Access Control Rules Using Dynamic Attributes Filters
  - Troubleshoot the Cisco Secure Dynamic Attributes Connector
    - Troubleshoot Error Messages
    - Get Your Tenant ID
Establish Secure Connections
- Virtual Private Network Management
  - Configure Virtual Private Network Management
    - Introduction to Site-to-Site Virtual Private Network
      - Site-to-Site VPN Concepts
        
        About Global IKE Policies
        
        Managing IKEv1 Policies
        
        Create an IKEv1 Policy
        
        Managing IKEv2 Policies
        
        Create an IKEv2 Policy
        
        About IPsec Proposals
        
        Managing an IKEv1 IPsec Proposal Object
        
        Create an IKEv1 IPsec Proposal Object
        
        Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
        
        Encryption and Hash Algorithms Used in VPN
      - Site-to-Site VPN Configuration for FDM-Managed
        
        Create a Site-To-Site VPN Tunnel Between FDM-managed Devices
        
        Configure Networking for Protected Traffic Between the Site-To-Site Peers
        
        Edit an Existing Firewall Manager Site-To-Site VPN
        
        Delete a Firewall Manager Site-To-Site VPN Tunnel
        
        Exempt Site-to-Site VPN Traffic from NAT
      - Site-to-Site VPN Configuration for Cloud-Delivered Firewall Management Center-managed Firewall Threat Defense
        
        Create a Site-to-Site VPN Tunnel Between Cloud-Delivered Firewall Management Center-managed Firewall Threat Defense Devices
        
        Create a Site-to-Site VPN Tunnel Between Cloud-delivered Firewall Management Center-Managed Firewall Threat Defense and Multicloud Defense
        
        Create a Site-to-Site VPN Between Cloud-Delivered Firewall Management Center-managed Firewall Threat Defense and Secure Firewall ASA
      - Site-to-Site VPN Configuration for Secure Firewall ASA
        
        Create a Site-to-Site VPN Tunnel Between Secure Firewall ASA
        
        Create a Site-to-Site VPN Between ASA and Multicloud Defense Gateway
        
        Exempt Site-to-Site VPN Traffic from NAT
      - Monitor ASA Site-to-Site Virtual Private Networks
        
        Check Site-to-Site VPN Tunnel Connectivity
        
        Site-To-Site VPN Dashboard
        
        Identify VPN Issues
        
        Find VPN Tunnels with Missing Peers
        
        Find VPN Peers with Encryption Key Issues
        
        Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
        
        Find Issues in Tunnel Configuration
        
        Resolve Tunnel Configuration Issues
        
        Search and Filter Site-to-Site VPN Tunnels
        
        Onboard an Unmanaged Site-to-Site VPN Peer
        
        Viewing AWS Site-to-Site VPN Tunnels
        
        View IKE Object Details of Site-To-Site VPN Tunnels
        
        View Last Successful Site-to-Site VPN Tunnel Establishment Date
        
        View Site-to-Site VPN Tunnel Information
        
        Site-to-Site VPN Global View
        
        Site-to-Site VPN Tunnels Pane
      - Delete a Firewall Manager Site-To-Site VPN Tunnel
    - Introduction to Remote Access Virtual Private Network
      - Introduction to Remote Access Virtual Private Network
        
        Configure Remote Access Virtual Private Network for ASA
        
        End-to-End Remote Access VPN Configuration Process for ASA
        
        Create ASA Remote Access VPN Configuration
        
        Modify ASA Remote Access VPN Configuration
        
        Configure ASA Remote Access VPN Connection Profile
        
        Configure AAA for a Connection Profile
        
        Manage AnyConnect Software Packages on ASA Devices
        
        Upload an AnyConnect Package from Firewall Manager Repository
        
        Upload an AnyConnect Package to ASA from Server
        
        Upload new AnyConnect Packages to ASA
        
        Upload AnyConnect Packages using File Management Wizard
        
        Replace an AnyConnect Package
        
        Delete an AnyConnect Package
        
        Manage and Deploy Pre-existing ASA Remote Access VPN Configuration
        
        Device Settings
        
        Connection Profile
        
        Primary Identity Source
        
        AAA Server Groups
        
        RADIUS Server Group
        
        RADIUS Server
        
        Group Policy
        
        Remote Access VPN Certificate-Based Authentication
        
        Exempt Remote Access VPN Traffic from NAT
        
        Install the AnyConnect Client Software on ASA
        
        Modify ASA Remote Access VPN Configuration
        
        Modify ASA Connection Profile
        
        Upload RA VPN AnyConnect Client Profile
        
        Verify ASA Remote Access VPN Configuration
        
        View ASA Remote Access VPN Configuration Details
- Configuring Firewall for Universal Zero Trust Network Access
  - Overview of Universal Zero Trust Network Access
  - Onboard Applications in Security Cloud Control
  - Enable Cloud-Delivered Firewall Management Center in Security Cloud Control
  - Configure Security Devices
Manage Device Configuration
- Manage Device Configuration
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Firewall Manager
      - Read Configuration Changes on ASA
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Firewall Manager to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Firewall Manager GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Firewall Manager 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Firewall Manager and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
Monitor and Analyze
- Events in Security Cloud Control
  - About Security Analytics and Logging (SaaS) in Firewall Manager
  - Event Types in Firewall Manager
  - Security Analytics and Logging license and Data Storage Plans
    - View Security Analytics and Logging License Information
    - Extend Event Storage Duration and Increase Event Storage Capacity
    - View Security Analytics and Logging Alerts
    - View Security Analytics and Logging Storage Usage and Event Ingest Rate
  - Troubleshooting Network Problems Using Security and Analytics Logging Events
  - Deprovisioning Cisco Security Analytics and Logging (SaaS)
- Secure Event Connectors
  - About Secure Event Connectors
  - Installing Secure Event Connectors
    - Install a Secure Event Connector on an SDC Virtual Machine
    - Installing an SEC Using a Firewall Manager Image
      - Install a Firewall Manager Connector, to Support a Secure Event Connector, Using a Firewall Manager VM Image
      - Install the Secure Event Connector on the Firewall Manager Connector VM
    - Deploy Secure Event Connector on Ubuntu Virtual Machine
    - Install an SEC Using Your VM Image
      - Install a Firewall Manager Connector to Support an SEC Using Your VM Image
      - Additional Configuration for SDCs and Firewall Manager Connectors Installed on a VM You Created
      - Install the Secure Event Connector on your Firewall Manager Connector Virtual Machine
    - Install a Secure Event Connector on an AWS VPC Using a Terraform Module
  - Remove the Secure Event Connector
    - Remove an SEC from Firewall Manager
    - Remove a Secure Event Connector from the Secure Device Connector VM
  - Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
- Secure Logging Analytics (SaaS) for ASA Devices
  - About Security Analytics and Logging (SAL SaaS) for the ASA
  - Implementing Secure Logging Analytics (SaaS) for ASA Devices
  - Send ASA Syslog Events to the Cisco Cloud using a Firewall Manager Macro
    - Creating an ASA Security Analytics and Logging (SaaS) Macro
  - Send ASA Syslog Events to the Cisco Cloud Using the Command Line Interface
    - Firewall Manager Command Line Interface for ASA
    - Forward ASA Syslog Events to the Secure Event Connector
    - Send ASA Syslog Events to the Cisco Cloud Using CLI
    - Create a Custom Event List
    - Include the Device ID in Non-EMBLEM Format Syslog Messages
  - NetFlow Secure Event Logging (NSEL) for ASA Devices
    - Configuring NSEL for ASA Devices by Using a Firewall Manager Macro
      - Open the Configuring NSEL Macro
      - Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC
      - Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC
      - Define a Policy-Map for NSEL Events
      - Disable Redundant Syslog Messages
      - Review and Send the Macro
    - Delete NetFlow Secure Event Logging (NSEL) Configuration from an ASA
      - Open the DELETE-NSEL Macro
      - Enter the Values in the Macro to Complete the No Commands
    - Determine the Name of an ASA Global Policy
    - Troubleshooting NSEL Data Flows
      - Verify that NSEL Events are Being Sent to the SEC
      - Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC
      - Verify that NetFlow Packets are Being Received by the Cisco Cloud
      - Check for Live NSEL Events
      - Check for Historical NSEL Events
  - Parsed ASA Syslog Events
- Security Analytics and Logging (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
  - Implementing SAL (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
  - Requirements, Guideline, and Limitations for the SAL (SaaS) Integration
  - Send Cloud-Delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog
  - Send Cloud-Delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection
  - Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection
- Security Analytics and Logging (SaaS) for Catalyst SD-WAN Devices
  - About Security Analytics and Logging (SaaS) in Firewall Manager
  - Event Types in Firewall Manager
  - Security Analytics and Logging license and Data Storage Plans
    - View Security Analytics and Logging License Information
    - Extend Event Storage Duration and Increase Event Storage Capacity
    - View Security Analytics and Logging Alerts
    - View Security Analytics and Logging Storage Usage and Event Ingest Rate
  - Troubleshooting Network Problems Using Security and Analytics Logging Events
  - Deprovisioning Cisco Security Analytics and Logging (SaaS)
  - About Security Analytics and Logging for Catalyst SD-WAN
  - How Catalyst SD-WAN Router Share Events with Security Cloud Control Firewall Management
  - Prerequisites
  - View Catalyst SD-WAN Events in Security Cloud Control Firewall Management
- View Events in Firewall Manager
  - Viewing Live Events
    - Play/Pause Live Events
  - View Historical Events
  - Customize the Events View
    - Correlate Firewall Threat Defense Event Fields and Column Names
  - Show and Hide Columns on the Event Logging Page
  - Change the Time Zone for the Event Timestamps
  - Customizable Event Filters
  - Search and Filter Events Using the Event Logging Page
    - Filter Live or Historical Events
    - Filter Only NetFlow Events
    - Filter for ASA or FDM-Managed Device Syslog Events but not ASA NetFlow Events
    - Combine Filter Elements
    - Search Events Using the Events Logging Page
      - Use Sample Filters to Search Events
      - Search Historical Events in the Background
        
        Schedule to Generate a Search Report in the Background
        
        Download a Search Report
  - Event Attributes in Security Analytics and Logging
    - EventGroup and EventGroupDefinition Attributes for Some Syslog Messages
    - EventName Attributes for Syslog Events
    - Time Attributes in a Syslog Event
- Use Cisco Secure Cloud Analytics Portal
  - Provision a Cisco Secure Cloud Analytics Portal
  - Review Sensor Health and Firewall Manager Integration Status in Secure Cloud Analytics
  - Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting
  - Viewing Cisco Secure Cloud Analytics Alerts from Firewall Manager
    - Inviting Users to Join Your Secure Cloud Analytics Portal
    - Cross-Launching from Firewall Manager to Secure Cloud Analytics
  - Cisco Secure Cloud Analytics and Dynamic Entity Modeling
  - Working with Alerts Based on Firewall Events
    - Triage open alerts
    - Snooze alerts for later analysis
    - Update the alert for further investigation
    - Review the alert and start your investigation
    - Examine the entity and users
    - Remediate issues using Secure Cloud Analytics
    - Update and close the alert
  - Modifying Alert Priorities
- Monitor Remote Access Virtual Private Network Sessions from Secure Firewall ASA and Firewall Threat Defense
  - Monitor Remote Access Virtual Private Network Sessions
    - Monitor Live AnyConnect Remote Access VPN Sessions
      - View Live Remote Access VPN Data
    - Monitor Historical AnyConnect Remote Access VPN Sessions
      - View Historical Remote Access VPN Data
    - Search and Filter Remote Access VPN Sessions
    - Customize the Remote Access VPN Monitoring View
    - Export Remote Access VPN Sessions to a CSV File
    - Remote Access VPN Dashboard
    - Disconnect Remote Access VPN Sessions of an ASA User
      - Disconnect all Active RA VPN Sessions of a User
    - Disconnect Remote Access VPN Sessions on FDM-Managed Device
    - Disconnect Remote Access VPN Sessions on FTD
- FTD Dashboard
  - About the FTD Dashboard
  - View the FTD Dashboard
  - FTD Dashboard Widgets
    - Top Intrusion Rules Widget
    - Top Intrusion Attackers Widget
    - Top Intrusion Targets Widget
    - Top Malware Signatures Widget
    - Top Malware Senders Widget
    - Top Malware Receivers Widget
    - Malware Events by Disposition Widget
    - Network Activity Widget
    - Event Activity Widget
    - Access Control Actions Widget
    - Top Access Control Policies Widget
    - Top Access Control Rules Widget
    - Top Devices Widget
    - Top Users Widget
    - Top Users by Blocked Connections Widget
    - Top Devices with Health Alerts Widget
    - Top Loaded Devices Widget
    - Top Web Applications Widget
    - Top Client Applications Widget
    - Top Blocked Web Applications Widget
  - Modify Time Settings for the FTD Dashboard
- Monitor and Report Change Logs, Workflows, and Jobs
  - Monitor and Report Change Logs, Workflows, and Jobs
  - Manage Change Logs in Firewall Manager
  - Change Log Entries after Deploying to an ASA
  - Change Log Entries After Reading Changes from an ASA
  - View Change Log Differences
  - Change Request Management
    - Enable Change Request Management
    - Create a Change Request
    - Associate a Change Request with a Change Log Event
    - Search for Change Log Events with Change Requests
    - Search for a Change Request
    - Filter Change Requests
    - Clear the Change Request Toolbar
    - Clear a Change Request Associated with a Change Log Event
    - Delete a Change Request
    - Disable Change Request Management
    - Change Request Management Use Cases
  - Export the Change Log
    - Differences Between Change Log Capacity in Firewall Manager and Size of an Exported Change Log
  - Monitor Jobs in Firewall Manager
    - Reinitiate a Bulk Action
    - Cancel a Bulk Action
  - Monitor Workflows in Firewall Manager
Optimize Network Security and Efficiency with AI
- Introduction to AIOps Insights
  - About AIOps Insights
    - AIOps Licensing Requirements
    - Prerequisites to Use AIOps
  - View the Summary Insights
  - Implement Best Practices and Recommendations
  - Assess and Improve Feature Adoption
  - Enable or Disable Insight Preferences and Configure Threshold Settings
    - Enable AIOps Insights
    - Traffic and Capacity Insights
    - Best Practices and Recommendations Insights
    - Feature Adoption Insights
    - Health and Operations Insights
  - Frequently Asked Questions About AIOps
  - Additional Resources
  - Troubleshooting for the Secure Firewall Threat Defense using Cloud-Delivered Firewall Management Center
- Analyzing, Detecting, and Fixing Policy Anomalies Using Policy Analyzer and Optimizer
  - About Policy Analyzer and Optimizer
    - Analysis, Remediation, and Reporting
  - Prerequisites to Use Policy Analyzer and Optimizer
  - Policy Analyzer and Optimizer Licensing Requirements
  - Enable Policy Analyzer and Optimizer for Cloud-Delivered Firewall Management Center
  - Enable Policy Analyzer and Optimizer for Firewall Manager -managed On-Premises Firewall Management Center
  - Policy Analysis
    - Analyze Cloud-Delivered Firewall Management Center Policies
    - Analyze On-Premises Firewall Management Center Policies
  - Policy Reporting
    - Policy Analysis Summary
    - Duplicate Rules
    - Overlapping Objects
    - Expired Rules
    - Mergeable Rules
    - Policy Insights
  - Policy Remediation
    - Apply Policy Remediation
    - What Does the Policy Remediation Report Contain?
  - Troubleshooting Policy Analyzer and Optimizer
    - Policy Analyzer and Optimizer Does Not Analyze Policies
    - Policy Analyzer and Optimizer Does Not Fetch Policies
  - Frequently Asked Questions About Policy Analyzer and Optimizer
Troubleshoot
- Troubleshooting
  - Troubleshoot an Secure Firewall ASA Device
    - ASA Fails to Reconnect to Firewall Manager After Reboot
    - Cannot onboard ASA due to certificate error
      - Determine the OpenSSL Cipher Suite Used by your ASA
      - Cipher Suites Supported by Firewall Manager 's Secure Device Connector
      - Updating your ASA's Cipher Suite
    - Troubleshoot ASA using CLI commands
    - Troubleshoot ASA Remote Access VPN
    - ASA Real-time Logging
      - View ASA Real-time Logs
    - ASA Packet Tracer
      - Troubleshoot an ASA Device Security Policy
      - Troubleshoot an Access Rule
      - Troubleshoot a NAT Rule
      - Troubleshoot a Twice NAT Rule
      - Analyze Packet Tracer Results
    - Cisco ASA Advisory cisco-sa-20180129-asa1
    - Confirming ASA Running Configuration Size
    - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
      - Updating a Firewall Manager -Standard SDC Host
      - Updating a Custom SDC Host
      - Bug Tracking
    - Large ASA Running Configuration Files
  - Troubleshoot a Secure Device Connector
    - SDC is Unreachable
    - SDC Status not Active on Firewall Manager After Deployment
    - Changed IP Address of the SDC is not Reflected in Firewall Manager
    - Troubleshoot Device Connectivity with the SDC
    - Intermittent or No Connectivity with SDC
    - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
      - Updating a Firewall Manager -Standard SDC Host
      - Updating a Custom SDC Host
      - Bug Tracking
    - Invalid System Time
    - SDC version is lower than 202311****
    - Certificate or Connection errors with AWS servers
  - Troubleshoot a Secure Event Connector
    - Troubleshoot SEC Onboarding Failures
    - Troubleshoot Secure Event Connector Registration Failure
    - Troubleshooting NSEL Data Flows
    - Event Logging Troubleshooting Log Files
    - SEC Status is Inactive in Firewall Manager
    - The SEC is online, but there are no events in Firewall Manager Event Logging Page
    - Remove an SEC from Your Host
    - Use Health Check to Learn the State of your Secure Event Connector
  - Troubleshoot Firewall Manager
    - Troubleshooting Access and Certificates
      - Troubleshoot User Access with Firewall Manager
      - Resolve New Fingerprint Detected State
      - Troubleshooting SSL Decryption Issues
    - Troubleshooting Objects
      - Resolve Duplicate Object Issues
      - Resolving Inconsistent or Unused Security Zone Objects
      - Resolve Unused Object Issues
        
        Resolve an Unused Object Issue
        
        Remove Unused Objects in Bulk
      - Resolve Inconsistent Object Issues
      - Resolve Object Issues in Bulk
      - Unignore Objects
  - Device Connectivity States
    - Troubleshoot Device Unregistered
    - Troubleshoot Insufficient Licenses
    - Troubleshoot Invalid Credentials
    - Troubleshoot New Certificate Issues
      - New Certificate Detected
    - Troubleshoot Onboarding Error
    - Resolve the Conflict Detected Status
    - Resolve the Not Synced Status
- FAQ and Support
  - Firewall Manager
  - FAQ About Onboarding Devices to Firewall Manager
    - FAQs About Onboarding Secure Firewall ASA to Firewall Manager
    - FAQs About Onboarding FDM-Managed Devices to Firewall Manager
    - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-Delivered Firewall Management Center
    - FAQs About On-Premises Secure Firewall Management Center
    - FAQs About Onboarding Meraki Devices to Firewall Manager
    - FAQs About Onboarding SSH Devices to Firewall Manager
    - FAQs About Onboarding IOS Devices to Firewall Manager
  - Device Types
  - Security
  - End-of-Support for management of the Secure Firewall Threat Defense Version 7.0.x managed by Cloud-Delivered Firewall Management Center
  - Troubleshooting
  - Terminologies and Definitions used in Zero-Touch Provisioning
  - Policy Optimization
  - Connectivity
  - Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
  - About Data Interfaces
  - How Firewall Manager Processes Personal Information
  - Contact Firewall Manager Support
    - Export The Workflow
    - Open a Support Ticket with TAC
      - How Firewall Manager Customers Open a Support Ticket with TAC
      - How Firewall Manager Trial Customers Open a Support Ticket with TAC
    - Firewall Manager Service Status Page
Appendix
- Security and Internet Access
  - Internet Access Requirements
- Terraform
  - About Terraform
- Open Source and 3rd Party License Attribution
  - Open Source and Third-Party License in SDC

Configure Devices And Services Configure Catalyst SD-WAN Manager Create Catalyst SD-WAN Security Policies

Last updated: Aug 27, 2025

Create Catalyst SD-WAN Security Policies

Before you begin

Ensure that these devices are deployed and managed using a configurations group. For more information about creating configuration groups, see Configuration Groups and Feature Profiles.

Procedure

1

In the Security Cloud Control platform menu, choose Products > Firewall.

2

In the left pane, click Manage > Policies > WAN Branch Edge.

3

On the Catalyst SD-WAN NGFW Policies page, click Add NGFW Policy.

This launches the Create NGFW policy workflow.

4

On the Security Policy Name tab, enter Policy Name and Description, and under Device Solution, select the sdwan radio button and click Next.

5

On the Select the optional Configuration Group to associate with the security policy page, choose the configuration group to associate with the NGFW policy and click Next.

6

On the Create Sub-Policies tab, click +Add Sub-Policy to add sub-policies for a security policy.

Field

Description

VPN / Interface

Specify the VPN or the interface.

Source Zone

Choose the zone that is the source of the data packets. The options are:

Corporate_Users_zone
Local_Internet_for_Guests_zone
No_zone
Payment_Processing_Network_zone
Physical_Security_Devices_zone
Self
Untrusted

To create a new Source Zone, click + Create New. Enter the Name and select the VPN. Note that multiple VPNs can be selected within a Source Zone.

Destination Zone

Select the zone/s to which data traffic is sent. The options are:

Corporate_Users_zone
Local_Internet_for_Guests_zone
No_zone
Payment_Processing_Network_zone
Physical_Security_Devices_zone
Self
Untrusted

To create a new Destination Zone, click + Create New. Enter the Name and select the VPN. Note that multiple VPNs can be selected within a Source Zone.

7

Click Additional Settings to configure additional settings for a security policy. Refer to the steps used in the procedure, Configure NGFW Additional Settings. Click Save.

8

Click on the ellipsis (...) at the top left corner of the existing sub-policy to Edit, Delete, or Copy it.

9

To add a rule to a sub-policy, navigate to the sub-policy and click + Add Rule.

Field	Description
Rule Name	The name of the rule.
Sequence	Specify the sequence.
Match	Choose the desired match conditions from the Add Conditions drop-down list. The options are: Source Geo Location IPv4 Prefix Port Destination FQDN Geo Location IPv4 Prefix Port Protocol Applications When ISE is enabled, then SGT option is available in the Source and Destination. Identity User or User group is only supported for Source.
Action	Choose the desired action conditions. The options are: Pass Drop Inspect Log Events: Unified Logging for Inspect Action.

10

To modify an existing rule, click the pencil icon to Edit, Disable, Delete, Clone rule, Add rule on top, or Add rule below.

Previous topic Manage Existing Catalyst SD-WAN NGFW Security Policies Next topic Associate a Policy Group to Catalyst SD-WAN NGFW Policy