Login

Cisco Security Cloud Control for Firewall Management Configuration Guide

Introduction
- Overview of Firewall in Security Cloud Control
  - About Cisco Security Cloud Control
  - Products Managed by Cisco Security Cloud Control
  - An Introduction to Firewall in Security Cloud Control
  - Cloud-delivered Firewall Management Center in Security Cloud Control
  - Maintenance Plan for Security Cloud
    - Security Cloud Control Platform Maintenance Schedule
    - Cloud-Delivered Firewall Management Center Maintenance Schedule
  - The Firewall Dashboard
Get Started
- Cisco AI Assistant User Guide
  - Onboard with Cisco AI Assistant
  - Prompt Guide for Cisco AI Assistant
  - Online Help Documentation
  - Policy Insights
  - Policy Analyzer and Optimizer
  - Automate Policy Rule Creation
  - Contact Support
  - Notifications Center
  - Cisco AI Assistant Frequently Asked Questions (FAQ)
- Manage Tenants and Users
  - Manage a Security Cloud Control Tenant
    - Configure User Preferences
      - General Preferences
        
        Change the Security Cloud Control Web Interface Appearance
      - User Notification Preferences
      - View Security Cloud Control Notifications
    - Tenant Settings
      - Enable Change Request Tracking
      - Prevent Cisco Support from Viewing your Tenant
      - Enable the Option to Auto-accept Device Changes
      - Default Conflict Detection Interval
      - Enable the Option to Schedule Automatic Deployments
      - Web Analytics
      - Share Event Data with Cisco Talos
      - Configure a Default Recurring Backup Schedule
      - Tenant ID
      - Tenant Name
      - Security Cloud Control Platform Navigator
    - Organization Notification Settings
      - Enable Email Subscribers
        
        Add an Email Subscription
        
        Edit Email Subscriptions
        
        Delete an Email Subscription
      - Enable Service Integrations for Security Cloud Control Notifications
        
        Incoming Webhooks for Webex Teams
        
        Incoming Webhooks for Slack
        
        Incoming Webhooks for a Custom Integration
    - Logging Settings
    - Integrate Your SAML Single Sign-On with Security Cloud Control
    - Renew SSO Certificate
    - My Tokens
    - API Tokens
      - API Token Format and Claims
      - Manage API-only Users for Firewall in Security Cloud Control
      - Token Management
        
        Generate an API Token
        
        Refresh an API Token
        
        Revoke an API Token
    - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
      - Login Workflow
      - Implications of this Architecture
        
        Customers Who Use Cisco Security Cloud Sign On
        
        Customers Who Have Their Own Identity Provider
        
        Cisco Managed Service Providers
        
        Related Topics
    - MSSP Portal
      - Security Devices Details
      - Add a Tenant to the MSSP Portal
      - Delete a Tenant from the MSSP Portal
      - Manage MSSP Portal Settings
        
        Settings
        
        Switch Tenant
    - The Cisco Success Network
  - Manage Users in Security Cloud Control
    - Manage Super Admins on Your Tenant
    - View the User Records Associated with your Tenant
  - Active Directory Groups in User Management
    - Prerequisites for Adding an Active Directory Group to Security Cloud Control
    - Add an Active Directory Group for User Management
    - Edit an Active Directory Group for User Management
    - Delete an Active Directory Group for User Management
  - Create a New Security Cloud Control User
    - Create a Cisco Security Cloud Sign On Account for the New User
      - About Logging in to Security Cloud Control
      - Before You Log In
      - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
    - Create a User Record with Your Security Cloud Control Username
    - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
  - User Roles in Security Cloud Control
    - Read-only Role
    - Edit-Only Role
    - Deploy-Only Role
    - VPN Sessions Manager Role
    - Admin Role
    - Super Admin Role
    - Change The Record of the User Role
  - Add a User Account to Security Cloud Control
    - Create a User Record
    - Create API Only Users
  - Edit a User Record for a User Role
    - Edit a User Role
  - Delete a User Record for a User Role
    - Delete a User Record
- Integrating Security Cloud Control with Cisco Security Cloud Sign On
  - Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Manage Security Devices
- Onboard Devices and Services
  - Secure Device Connector
    - Connect Security Cloud Control to your Managed Devices
    - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
    - Deploy a Secure Device Connector On Your VM
    - Bootstrap a Secure Device Connector on the Deployed Host
    - Deploy a Secure Device Connector to vSphere Using Terraform
    - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
    - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
    - Change the IP Address of a Secure Device Connector
    - Remove a Secure Device Connector
    - Rename a Secure Device Connector
    - Specify a Default Secure Device Connector
    - Update your Secure Device Connector
    - Using Multiple SDCs on a Single Security Cloud Control Tenant
    - Security Cloud Control Devices that Use the Same SDC
  - Supported Devices, Software, and Hardware
    - ASA Support Specifics
    - Cloud Device Support Specifics
    - Switching and Routing Support Specifics
- Onboard a Threat Defense Device
  - Onboarding Overview
  - Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center
  - Onboard a Device with a CLI Registration Key
  - Onboard a Threat Defense Device to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Onboard a Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
  - Onboard Threat Defense Devices using Device Templates to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Deploy a Threat Defense Device with AWS
  - Deploy a Threat Defense Device in Azure
    - Onboard an Azure VNet Environment
    - Deploy a Firewall Threat Defense Virtual in Azure
  - Deploy a Threat Defense Device to Google Cloud Platform
    - Create VPC Networks for GCP
    - Deploy a Threat Defense Device on Google Cloud Platform
  - Onboard a Secure Firewall Threat Defense Cluster
  - Onboard a Chassis
  - Delete Devices from Cloud-Delivered Firewall Management Center
  - Troubleshooting
    - Troubleshoot Cloud-Delivered Firewall Management Center Connectivity with TCP
    - Troubleshoot Threat Defense Device Connectivity
    - Troubleshoot Device Connectivity Loss After Cloud-delivered Firewall Management Center Update
    - Troubleshoot Onboarding a Device to the Cloud-Delivered Firewall Management Center Using the CLI Registration Key
      - Error: Device Remains in Pending Setup State After Onboarding
    - Troubleshoot Onboarding a Device to Cloud-Delivered Firewall Management Center Using the Serial Number
      - Device is Offline or Unreachable
      - Error: Serial Number Already Claimed
      - Error: Claim Error
      - Error: Failed to Claim
      - Error: Provisional Error
  - Onboard a Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
- Onboard ASA Devices
  - Onboard ASA Devices
    - Onboard ASA Device to Security Cloud Control
    - Onboard a High Availability Pair of ASA Devices to Security Cloud Control
    - Onboard an ASA in Multi-Context Mode to Security Cloud Control
    - Onboard Multiple ASAs to Security Cloud Control
      - Pause and Resume Onboarding Multiple ASAs
    - Create and Import an ASA Model to Security Cloud Control
      - Import ASA Configuration
- Onboard an On-Premises Firewall Management Center
  - Supported Devices, Software, and Hardware
    - ASA Support Specifics
    - Cloud Device Support Specifics
    - Switching and Routing Support Specifics
  - Onboard an On-Premises Firewall Management Center
    - Onboard an On-Premises Management Center to Security Cloud Control
      - Auto-Onboard an On-Premises Management Center Integrated with Cisco Security Cloud
        
        Integrate On-Premises Management Center With Cisco Security Cloud
        
        Disable Auto-Onboarding of an On-Premises Management Center
      - Onboard an On-Premises Firewall Management Center to Security Cloud Control with Credentials
      - Redirect Security Cloud Control to an On-Premises Firewall Management Center
    - Remove an On-Premises Firewall Management Center from Security Cloud Control
- Onboard Security Cloud Control Integrations
  - Onboard Security Cloud Control Integrations
    - Onboard an SSH Device
      - Onboard an SSH Device
      - Delete a Device from Security Cloud Control
    - Onboard a Cisco IOS Device
      - Onboard a Cisco IOS Device
        
        Create and Import an ASR or ISR Model
        
        Download ASR or ISR Configuration
        
        Import ASR or ISR Configuration
      - Delete a Device from Security Cloud Control
      - Import Configuration for Offline Device Management
      - Delete a Device from Security Cloud Control
- Onboard Meraki MX Devices
  - Onboard Meraki MX Devices
    - Onboard Meraki MX to Security Cloud Control
      - Generate and Retrieve Meraki API Key
      - Onboard an MX Device to Security Cloud Control
    - Onboard Meraki Templates to Security Cloud Control
      - Generate and Retrieve Meraki API Key
      - Onboard an Meraki Template to Security Cloud Control
    - Update Meraki MX Connection Credentials
    - Delete a Device from Security Cloud Control
- Onboarding an Umbrella Organization
  - Onboarding an Umbrella Organization
    - Umbrella License Requirements
    - Generate an API Key and Secret
    - Umbrella Organization ID
    - Onboarding an Umbrella Orgnization
    - Reconnect an Umbrella Organization to Security Cloud Control
    - Cross-launch to the Umbrella dashboard
    - Delete a Device from Security Cloud Control
- Onboard an AWS VPC
  - Onboard an AWS VPC
  - Supported Devices, Software, and Hardware
- Manage Onboarded Device Settings
  - Changing a Device's IP Address in Security Cloud Control
  - Changing a Device's Name in Security Cloud Control
  - Export a List of Devices and Services
  - Export Device Configuration
  - External Links for Devices
    - Create an External Link from your Device
    - Create an External Link to ASDMFDM
    - Create an External Link for Multiple Devices
    - Edit or Delete External Links
    - Edit or Delete External Links for Multiple Devices
  - Bulk Reconnect Devices to Security Cloud Control
  - Moving Devices Between Tenants
  - Device Certificate Expiry Detection
  - Update Meraki MX Connection Credentials
  - Write a Device Note
  - Delete a Device from Security Cloud Control
  - Manage Security Devices
  - Security Devices Overview
  - Security Cloud Control Labels and Filtering
    - Apply Labels to Devices and Objects
    - Labels and Tags in AWS VPC
    - Filters
  - Use Security Cloud Control Search Functionality
    - Page Level Search
    - Global Search
      - Initiate Full Indexing
      - Perform a Global Search
- Upgrade Devices and Services
  - FDM Software Upgrade Paths
    - Other Upgrade Limitations
    - 4100 and 9300 Series Devices
  - FDM-Managed Device Upgrade Prerequisites
  - Upgrade a Single FDM-Managed Device
    - Upgrade A Single FDM-Managed Device with Images from Security Cloud Control 's Repository
    - Upgrade a Single FDM-Managed Device with Images from your own Repository
    - Monitor the Upgrade Process
  - Bulk FDM-Managed Devices Upgrade
    - Upgrade Bulk FDM-Managed Devices with Images from Security Cloud Control 's Repository
    - Upgrade Bulk FDM-Managed Devices with Images from your own Repository
    - Monitor the Bulk Upgrade Process
  - Upgrade an FDM-Managed High Availability Pair
    - Upgrade an FDM-Managed HA Pair with Images from Security Cloud Control's Repository
    - Upgrade an FDM-Managed HA Pair with Images from your own Repository
    - Monitor the Upgrade Process
  - Upgrade to Snort 3.0
    - Upgrade the Device and the Intrusion Prevention Engine Simultaneously
    - Upgrade the Intrusion Prevention Engine
    - Monitor the Upgrade Process
  - Revert From Snort 3.0 for FDM-Managed Device
    - Revert From Snort 3.0
  - Schedule a Security Database Update
    - Edit a Scheduled Security Database Update
  - Prerequisites for ASA and ASDM Upgrade in Security Cloud Control
  - Upgrade Bulk ASA and ASDM in Security Cloud Control
    - Upgrade Multiple ASAs with Images from your own Repository
  - Upgrade ASA and ASDM Images on a Single ASA
  - Upgrade ASA and ASDM Images in a High Availability Pair
    - Workflow
    - Upgrade ASA and ASDM Images in a High Availability Pair
  - Upgrade an ASA or ASDM Using Your Own Image
Migrate Devices
- Migrate Threat Defense to Cloud-delivered Firewall Management Center
  - About Migrating Threat Defense to Cloud-delivered Firewall Management Center
  - Supported On-Premises Firewall Management Center and Threat Defense Software for Migration
  - Licensing
  - Supported Features
  - Unsupported Features
  - Migration Guidelines and Limitations for VPN Configuration
  - Managing Threat Defense Events and Analytics
  - Before You Begin Migration
  - Migrate Threat Defense to Cloud-Delivered Firewall Management Center
  - View a Threat Defense Migration Job
    - Proceed Migration Process
    - Commit Migration Changes Manually to Cloud-delivered Firewall Management Center
    - Revert the Threat Defense Management to On-Premises Firewall Management Center
    - View Migrated Devices
    - Generate a Threat Defense Migration Report
    - Delete a Migration Job
  - Enable Notification Settings
  - Troubleshoot Threat Defense Migration to Cloud-Delivered Firewall Management Center
    - Verify Threat Defense Connectivity with Cloud-delivered Firewall Management Center
- Migrate Firewalls with the Migration Tool in Security Cloud Control
  - Is This Guide for You?
  - Get Started with the Firewall Migration Tool in Security Cloud Control
    - Supported Configurations
    - Licenses
    - Initialize a New Migration Instance
    - Delete a Migration Instance
    - Using the Demo Mode in the Secure Firewall Migration Tool
  - Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrating Microsoft Azure Native Firewall with the Firewall Migration Tool in Security Cloud Control
  - Migrate FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrating Check Point Firewall to Multicloud Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Fortinet Firewall with the Firewall Migration Tool in Security Cloud Control
  - Migrating Fortinet Firewall to Multicloud Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Secure Firewall ASA to Multicloud Defense with the Firewall Migration Tool in Firewall in Security Cloud Control
  - Migrate Palo Alto Networks Firewall to Multicloud Defense with the Firewall Migration Tool in Firewall in Security Cloud Control
  - Related Documentation
Configure Devices And Services
- Configure Cloud-Delivered Firewall Management Center-Managed Secure Firewall Threat Defense
  - Security Cloud Control Services Page
  - Navigate to the Cloud-Delivered Firewall Management Center in your Security Cloud Control Tenant
  - Enable Cloud-Delivered Firewall Management Center on Your Security Cloud Control Tenant
- Configure Secure Firewall ASA Devices
  - Managing Secure Firewall ASA with Security Cloud Control
  - Update ASA Connection Credentials in Security Cloud Control
    - Move an ASA from one SDC to Another
  - ASA Interface Configuration
    - Configure an ASA Physical Interface
      - Configure IPv4 Addressing for ASA Physical Interface
      - Configure IPv6 Addressing for ASA Physical Interface
      - Configure Advanced ASA Physical Interface Options
      - Enable the ASA Physical Interface
    - Add an ASA VLAN Subinterface
      - Configure ASA VLAN Subinterfaces
      - Configure IPv4 Addressing for ASA Subinterface
      - Configure IPv6 Addressing for ASA Subinterface
      - Configure Advanced ASA Subinterface Options
      - Enable the Subinterface
      - Remove ASA Subinterface
    - About ASA EtherChannel Interfaces
      - Configure ASA EtherChannel
        
        Edit ASA EtherChannel
        
        Remove ASA EtherChannel Interface
  - ASA System Settings Policy in Security Cloud Control
    - Create an ASA Shared System Settings Policy
      - Configure Basic DNS Settings
      - Configure HTTP Settings
      - Set the Date and Time Using an NTP Server
      - Configure SSH Access
      - Configure System Logging
      - Enable Sysopt Settings
      - Assign a Policy from the Shared System Settings Page
    - Configure or Modify Device Specific System Settings
      - Assign a Policy from Device-Specific Settings Page
    - Auto Assignment of ASA Devices to a Shared System Settings Policy
    - Filter ASA Shared System Settings Policy
    - Disassociate Devices from Shared System Settings Policy
    - Delete Shared Settings Policy
  - ASA Routing in Security Cloud Control
    - About ASA Static Route
      - Configure ASA Static Route
      - Edit ASA Static Route
      - Delete a Static Route
  - Manage Security Policies in Security Cloud Control
  - Manage ASA Network Security Policy
    - About ASA Access Control Lists and Access Groups
    - Create an ASA Access List
    - Add a Rule to an ASA Access List
      - About System Log Activity
      - Deactivate Rules in an Access Control List
      - About Security Group Tags in ASA Policies
    - Assign Interfaces to ASA Access Control List
    - Create an ASA Global Access List
    - Improvements to the ASA Shared Policy Model
    - Share an ASA Access Control List with Multiple ASA Devices
    - Copy an ASA Access Control List to Another ASA
    - Copy a Rule Within or Across ASA Access Lists and Devices
    - Unshare a Shared ASA Access Control List
    - View ASA Access Policies Listing Page
    - Global Search of ASA Access Lists
    - Rename an ASA Access Control List
    - Delete a Rule from an ASA Access Control List
    - Delete an ASA Access Control List
  - Compare ASA Network Policies
  - Hit Rates
    - View Hit Rates of ASA Policies
  - Search and Filter ASA Network Rules in the Access List
  - Shadowed Rules
    - Find Network Policies with Shadowed Rules
    - Resolve Issues with Shadowed Rules
  - Network Address Translation
  - Order of Processing NAT Rules
  - Network Address Translation Wizard
    - Create a NAT Rule by using the NAT Wizard
  - Common Use Cases for NAT
    - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
    - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
    - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
      - NAT Incoming FTP Traffic to an FTP Server
      - NAT Incoming HTTP Traffic to an HTTP Server
      - NAT Incoming SMTP Traffic to an SMTP Server
    - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
      - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
    - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
      - Create a Twice NAT Rule
  - API Tokens
  - Manage ASA Certificates
    - Install ASA Certificates
    - Install an Identity Certificate Using PKCS12
    - Install a Certificate Using Self-Signed Enrollment
    - Manage a Certificate Signing Request (CSR)
      - Generate a CSR Request
      - Install a Signed Identity Certificate Issued by a Certificate Authority
    - Install a Trusted CA Certificate in ASA
    - Export an Identity Certificate
    - Edit an Installed Certificate
    - Delete an Existing Certificate from ASA
  - ASA File Management
    - Upload File to a Single ASA Device
    - Upload File to Multiple ASA Devices
    - Remove Files from ASA
  - Managing ASAs with Pre-existing High Availability Configuration
    - Configuration Changes Made to ASAs in Active-Active Failover Mode
  - Manage ASA Configuration Files
    - View a Device's Configuration File
  - Configure DNS on ASA
    - Procedure
  - Security Cloud Control Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Compare ASA Configurations Using Security Cloud Control
  - ASA Bulk CLI Use Cases
    - Show all users in the running configuration of an ASA and then delete one of the users
    - Find all SNMP configurations on selected ASAs
  - ASA Command Line Interface Documentation
  - Command Line Interface Documentation
  - Restore an ASA Configuration
    - Restore an ASA Configuration
    - Troubleshooting
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
    - Edit a Complete Device Configuration File
      - Procedure
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Security Cloud Control
      - Read Configuration Changes on ASA
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Security Cloud Control to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Security Cloud Control GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
- Configure On-Premises Firewall Management Center-Managed Secure Firewall Threat Defense Devices
  - Managing On-Premises Firewall Management Center with Security Cloud Control
  - View Onboarded On-Premises Management Center
  - Discover and Manage On-Prem Firewall Management Center Network Objects
  - Manage Device Configuration
  - Read All Device Configurations
  - Preview and Deploy On-Premises Firewall Management Center Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Discard On-Premises Firewall Management Center Configuration Changes
  - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
  - Remove an On-Premises Firewall Management Center from Security Cloud Control
- Configure Cisco Umbrella Tunnel Configuration
  - Read Umbrella Tunnel Configuration
  - Cross-launch to the Umbrella Tunnels Page
  - Configure a SASE Tunnel for Umbrella
  - Edit a SASE Tunnel
  - Delete a SASE Tunnel from Umbrella
- Configure Amazon Web Services Virtual Private Cloud
  - Managing AWS with Firewall in Security Cloud Control
  - Update AWS VPC Connection Credentials
  - Monitor AWS VPC Tunnels using AWS Transit Gateway
  - Search and Filter Site-to-Site VPN Tunnels
  - View a history of changes made to the AWS VPC tunnels
  - Manage Security Policies in Security Cloud Control
    - AWS VPC Policy
      - AWS VPCs and Security Groups in Security Cloud Control
      - AWS VPC Security Groups Rules
      - Create a Security Group Rule
      - Edit a Security Group Rule
      - Delete a Security Group Rule
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Security Cloud Control
      - Read Configuration Changes on ASA
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Security Cloud Control to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Security Cloud Control GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
- Configure Cisco Meraki
  - Managing Meraki with Firewall in Security Cloud Control
  - How Does Security Cloud Control Communicate With Meraki
  - Meraki Access Control Policy
  - Meraki Templates
- Configure Cisco IOS
  - Managing IOS Devices with Security Cloud Control
  - Security Cloud Control Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Compare ASA Configurations Using Security Cloud Control
  - ASA Bulk CLI Use Cases
    - Show all users in the running configuration of an ASA and then delete one of the users
    - Find all SNMP configurations on selected ASAs
  - ASA Command Line Interface Documentation
  - Command Line Interface Documentation
  - Restore an ASA Configuration
    - Restore an ASA Configuration
    - Troubleshooting
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
    - Edit a Complete Device Configuration File
      - Procedure
  - Security Cloud Control Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
  - Manage Device Configuration
  - Read All Device Configurations
  - Read Changes from Firewalls
  - Preview and Deploy Configuration Changes for All Devices
  - Bulk Deploy Device Configurations
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Configure SSH Devices
  - Managing SSH Devices with Firewall in Security Cloud Control
- Manage Objects
  - Manage Objects
    - Object Types
    - Shared Objects
    - Object Overrides
    - Unassociated Objects
    - Compare Objects
    - Filters
      - Object Filters
        
        Configure Object Filters
        
        When to Exclude a Device from Filter Criteria
    - Deleting Objects
      - Delete a Single Object
      - Delete a Group of Unused Objects
    - Create IP Address Pool
    - Network Objects
      - Create or Edit ASA Network Objects and Network Groups
        
        Create an ASA Network Object
        
        Create an ASA Network Group
        
        Edit an ASA Network Object
        
        Edit an ASA Network Group
        
        Add Additional Values to a Shared Network Group in Security Cloud Control
        
        Edit Additional Values in a Shared Network Group in Security Cloud Control
        
        Deleting Network Objects and Groups in Security Cloud Control
      - Create or Edit a Firepower Network Object or Network Groups
        
        Create a Firepower Network Object
        
        Create a Firepower Network Group
        
        Edit a Firepower Network Object
        
        Edit a Firepower Network Group
        
        Add an Object Override
        
        Edit Object Overrides
        
        Add Additional Values to a Shared Network Group
        
        Edit Additional Values in a Shared Network Group
        
        Deleting Network Objects and Groups in Security Cloud Control
      - Discover and Manage On-Prem Firewall Management Center Network Objects
      - Objects Associated with Meraki Devices
      - Create a Local Meraki Network Object
      - Create or Edit a Meraki Network Object or Network Group
        
        Create a Meraki Network Object
        
        Create a Meraki Network Group
        
        Edit a Firepower Network Object or Network Group
        
        Deleting Network Objects and Groups in Security Cloud Control
    - URL Objects
      - Create or Edit an FDM-Managed URL Object
      - Create a Firepower URL Group
        
        Edit a Firepower URL Object or URL Group
    - Application Filter Objects
      - Create and Edit a Firepower Application Filter Object
        
        Create a Firepower Application Filter Object
        
        Edit a Firepower Application Filter Object
    - Geolocation Objects
      - Create and Edit a Firepower Geolocation Filter Object
        
        Edit a Geolocation Object
    - DNS Group Objects
      - Create a DNS Group Object
      - Edit a DNS Group Object
      - Delete a DNS Group Object
    - Certificate Objects
      - About Certificates
      - Certificate Types Used by Feature
      - Configuring Certificates
      - Uploading Internal and Internal CA Certificates
        
        Procedure
      - Uploading Trusted CA Certificates
        
        Procedure
      - Generating Self-Signed Internal and Internal CA Certificates
        
        Procedure
    - Trustpoint Objects
      - Adding an Identity Certificate Object Using PKCS12
      - Create a Self-Signed Identity Certificate Object
      - Add an Identity Certificate Object for Certificate Signing Request (CSR)
      - Add a Trusted CA Certificate Object
      - Self-Signed and CSR Certificate Generation Based on Certificate Contents
    - About IPsec Proposals
      - Managing an IKEv1 IPsec Proposal Object
        
        Create or Edit an IKEv1 IPsec Proposal Object
      - Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
    - About Global IKE Policies
      - Managing IKEv1 Policies
        
        Create or Edit an IKEv1 Policy
      - Managing IKEv2 Policies
        
        Create or Edit an IKEv2 Policy
    - RA VPN Objects
      - Configure Identity Sources for ASA
        
        Determining the Directory Base DN
        
        RADIUS Servers and Groups
        
        Create an ASA Active Directory Realm Object
        
        Edit an ASA Active Directory Realm Object
        
        Create an ASA RADIUS Server Object or Group
        
        Create an ASA RADIUS Server Object
        
        Create an ASA RADIUS Server Group
        
        Edit an ASA Radius Server Object or Group
      - Create ASA Remote Access VPN Group Policies
        
        ASA Remote Access VPN Group Policy Attributes
      - Create New RA VPN Group Policies
        
        RA VPN Group Policy Attributes
    - AWS Security Groups and Cloud Security Group Objects
      - Sharing Objects Between AWS and other Managed Devices
    - Service Objects
      - Create and Edit ASA Service Objects
        
        Create an ASA Service Group
        
        Edit an ASA Service Object or Service Group
      - Create and Edit Firepower Service Objects
        
        Create a Firepower Service Group
        
        Edit a Firepower Service Object or Service Group
      - Create or Edit a Meraki Service Object
        
        Create a Service Object
        
        Create a Service Group
        
        Edit a Service Object or a Service Group
    - Security Group Tag Group
      - Security Group Tags
      - Create an SGT Group
      - Edit an SGT Group
      - Add an SGT Group to an Access Control Rule
    - ASA Time Range Objects
      - Create an ASA Time Range Object
      - Edit an ASA Time Range Object
- Cisco Secure Dynamic Attributes Connector
  - About the Cisco Secure Dynamic Attributes Connector
    - How It Works
  - About the Dashboard
    - Dashboard of an Unconfigured System
    - Dashboard of a Configured System
    - Add, Edit, or Delete Connectors
    - Add, Edit, or Delete Dynamic Attributes Filters
    - Add, Edit, or Delete Adapters
  - Create a Connector
    - Amazon Web Services Connector—About User Permissions and Imported Data
      - Create an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an AWS Connector
    - Amazon Web Services Security Groups Connector—About User Permissions and Imported Data
      - Create an AWS Security Groups Connector
    - Create an AWS Service Tags Connector
    - Azure Connector—About User Permissions and Imported Data
      - Create an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an Azure Connector
    - Create an Azure Service Tags Connector
    - Create a Multicloud Defense Connector
    - Create a Cisco Cyber Vision Connector
    - Create a Generic Text Connector
    - Create a GitHub Connector
    - Google Cloud Connector—About User Permissions and Imported Data
      - Create a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create a Google Cloud Connector
    - Create an Office 365 Connector
    - Create a Webex Connector
    - Create a Zoom Connector
  - Create an Adapter
    - How to Create an On-Prem Firewall Management Center Adapter
    - How to Create a Cloud-Delivered Firewall Management Center Adapter
  - Create Dynamic Attributes Filters
    - Dynamic Attribute Filter Examples
  - Use Dynamic Objects in Access Control Policies
    - About Dynamic Objects in Access Control Rules
    - Dynamic Attributes Rule Conditions
    - Create Access Control Rules Using Dynamic Attributes Filters
  - Troubleshoot the Cisco Secure Dynamic Attributes Connector
    - Troubleshoot Error Messages
    - Get Your Tenant ID
Establish Secure Connections
- Virtual Private Network Management
  - Configure Virtual Private Network Management
    - Introduction to Site-to-Site Virtual Private Network
      - Site-to-Site VPN Concepts
        
        About Global IKE Policies
        
        Managing IKEv1 Policies
        
        Create an IKEv1 Policy
        
        Managing IKEv2 Policies
        
        Create an IKEv2 Policy
        
        About IPsec Proposals
        
        Managing an IKEv1 IPsec Proposal Object
        
        Create an IKEv1 IPsec Proposal Object
        
        Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
        
        Encryption and Hash Algorithms Used in VPN
      - Site-to-Site VPN Configuration for FDM-Managed
        
        Create a Site-To-Site VPN Tunnel Between FDM-managed Devices
        
        Configure Networking for Protected Traffic Between the Site-To-Site Peers
        
        Edit an Existing Security Cloud Control Site-To-Site VPN
        
        Delete a Security Cloud Control Site-To-Site VPN Tunnel
        
        Exempt Site-to-Site VPN Traffic from NAT
      - Site-to-Site VPN Configuration for Cloud-Delivered Firewall Management Center-managed Threat Defense
        
        Create a Site-to-Site VPN Tunnel Between Cloud-Delivered Firewall Management Center-managed Threat Defense Devices
        
        Create a Site-to-Site VPN Tunnel Between Cloud-delivered Firewall Management Center-Managed Threat Defense and Multicloud Defense
        
        Create a Site-to-Site VPN Between Cloud-Delivered Firewall Management Center-managed Threat Defense and Secure Firewall ASA
      - Site-to-Site VPN Configuration for Secure Firewall ASA
        
        Create a Site-to-Site VPN Tunnel Between Secure Firewall ASA
        
        Create a Site-to-Site VPN Between ASA and Multicloud Defense Gateway
        
        Exempt Site-to-Site VPN Traffic from NAT
      - Monitor ASA Site-to-Site Virtual Private Networks
        
        Check Site-to-Site VPN Tunnel Connectivity
        
        Site-To-Site VPN Dashboard
        
        Identify VPN Issues
        
        Find VPN Tunnels with Missing Peers
        
        Find VPN Peers with Encryption Key Issues
        
        Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
        
        Find Issues in Tunnel Configuration
        
        Resolve Tunnel Configuration Issues
        
        Search and Filter Site-to-Site VPN Tunnels
        
        Onboard an Unmanaged Site-to-Site VPN Peer
        
        Viewing AWS Site-to-Site VPN Tunnels
        
        View IKE Object Details of Site-To-Site VPN Tunnels
        
        View Last Successful Site-to-Site VPN Tunnel Establishment Date
        
        View Site-to-Site VPN Tunnel Information
        
        Site-to-Site VPN Global View
        
        Site-to-Site VPN Tunnels Pane
      - Delete a Security Cloud Control Site-To-Site VPN Tunnel
    - Introduction to Remote Access Virtual Private Network
      - Introduction to Remote Access Virtual Private Network
        
        Configure Remote Access Virtual Private Network for ASA
        
        End-to-End Remote Access VPN Configuration Process for ASA
        
        Create ASA Remote Access VPN Configuration
        
        Modify ASA Remote Access VPN Configuration
        
        Configure ASA Remote Access VPN Connection Profile
        
        Configure AAA for a Connection Profile
        
        Manage AnyConnect Software Packages on ASA Devices
        
        Upload an AnyConnect Package from Security Cloud Control Repository
        
        Upload an AnyConnect Package to ASA from Server
        
        Upload new AnyConnect Packages to ASA
        
        Upload AnyConnect Packages using File Management Wizard
        
        Replace an AnyConnect Package
        
        Delete an AnyConnect Package
        
        Manage and Deploy Pre-existing ASA Remote Access VPN Configuration
        
        Device Settings
        
        Connection Profile
        
        Primary Identity Source
        
        AAA Server Groups
        
        RADIUS Server Group
        
        RADIUS Server
        
        Group Policy
        
        Remote Access VPN Certificate-Based Authentication
        
        Exempt Remote Access VPN Traffic from NAT
        
        Install the AnyConnect Client Software on ASA
        
        Modify ASA Remote Access VPN Configuration
        
        Modify ASA Connection Profile
        
        Upload RA VPN AnyConnect Client Profile
        
        Verify ASA Remote Access VPN Configuration
        
        View ASA Remote Access VPN Configuration Details
Manage Device Configuration
- Manage Device Configuration
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Security Cloud Control
      - Read Configuration Changes on ASA
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Security Cloud Control to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Security Cloud Control GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
Monitor and Analyze
- Events in Security Cloud Control
  - About Security Analytics and Logging (SaaS) in Security Cloud Control
  - Event Types in Security Cloud Control
  - Security Analytics and Logging license and Data Storage Plans
    - View Security Analytics and Logging License Information
    - Extend Event Storage Duration and Increase Event Storage Capacity
    - View Security Analytics and Logging Alerts
    - View Security Analytics and Logging Storage Usage and Event Ingest Rate
  - Troubleshooting Network Problems Using Security and Analytics Logging Events
  - Deprovisioning Cisco Security Analytics and Logging (SaaS)
- Secure Event Connectors
  - About Secure Event Connectors
  - Installing Secure Event Connectors
    - Install a Secure Event Connector on an SDC Virtual Machine
    - Installing an SEC Using a Security Cloud Control Image
      - Install a Security Cloud Control Connector, to Support a Secure Event Connector, Using a Security Cloud Control VM Image
      - Install the Secure Event Connector on the Security Cloud Control Connector VM
    - Deploy Secure Event Connector on Ubuntu Virtual Machine
    - Install an SEC Using Your VM Image
      - Install a Security Cloud Control Connector to Support an SEC Using Your VM Image
      - Additional Configuration for SDCs and Security Cloud Control Connectors Installed on a VM You Created
      - Install the Secure Event Connector on your Security Cloud Control Connector Virtual Machine
    - Install a Secure Event Connector on an AWS VPC Using a Terraform Module
  - Remove the Secure Event Connector
    - Remove an SEC from Security Cloud Control
    - Remove a Secure Event Connector from the Secure Device Connector VM
  - Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
- Secure Logging Analytics (SaaS) for ASA Devices
  - About Security Analytics and Logging (SAL SaaS) for the ASA
  - Implementing Secure Logging Analytics (SaaS) for ASA Devices
  - Send ASA Syslog Events to the Cisco Cloud using a Security Cloud Control Macro
    - Creating an ASA Security Analytics and Logging (SaaS) Macro
  - Send ASA Syslog Events to the Cisco Cloud Using the Command Line Interface
    - Security Cloud Control Command Line Interface for ASA
    - Forward ASA Syslog Events to the Secure Event Connector
    - Send ASA Syslog Events to the Cisco Cloud Using CLI
    - Create a Custom Event List
    - Include the Device ID in Non-EMBLEM Format Syslog Messages
  - NetFlow Secure Event Logging (NSEL) for ASA Devices
    - Configuring NSEL for ASA Devices by Using a Security Cloud Control Macro
      - Open the Configuring NSEL Macro
      - Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC
      - Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC
      - Define a Policy-Map for NSEL Events
      - Disable Redundant Syslog Messages
      - Review and Send the Macro
    - Delete NetFlow Secure Event Logging (NSEL) Configuration from an ASA
      - Open the DELETE-NSEL Macro
      - Enter the Values in the Macro to Complete the No Commands
    - Determine the Name of an ASA Global Policy
    - Troubleshooting NSEL Data Flows
      - Verify that NSEL Events are Being Sent to the SEC
      - Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC
      - Verify that NetFlow Packets are Being Received by the Cisco Cloud
      - Check for Live NSEL Events
      - Check for Historical NSEL Events
  - Parsed ASA Syslog Events
- Security Analytics and Logging (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
  - Implementing SAL (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
  - Requirements, Guideline, and Limitations for the SAL (SaaS) Integration
  - Send Cloud-Delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog
  - Send Cloud-Delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection
  - Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection
- View Events in Security Cloud Control
  - Viewing Live Events
    - Play/Pause Live Events
  - View Historical Events
  - Customize the Events View
    - Correlate Threat Defense Event Fields and Column Names
  - Show and Hide Columns on the Event Logging Page
  - Change the Time Zone for the Event Timestamps
  - Customizable Event Filters
  - Search and Filter Events Using the Event Logging Page
    - Filter Live or Historical Events
    - Filter Only NetFlow Events
    - Filter for ASA or FDM-Managed Device Syslog Events but not ASA NetFlow Events
    - Combine Filter Elements
    - Search Events Using the Events Logging Page
      - Use Sample Filters to Search Events
      - Search Historical Events in the Background
        
        Schedule to Generate a Search Report in the Background
        
        Download a Search Report
  - Event Attributes in Security Analytics and Logging
    - EventGroup and EventGroupDefinition Attributes for Some Syslog Messages
    - EventName Attributes for Syslog Events
    - Time Attributes in a Syslog Event
- Use Cisco Secure Cloud Analytics Portal
  - Provision a Cisco Secure Cloud Analytics Portal
  - Review Sensor Health and Security Cloud Control Integration Status in Secure Cloud Analytics
  - Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting
  - Viewing Cisco Secure Cloud Analytics Alerts from Security Cloud Control
    - Inviting Users to Join Your Secure Cloud Analytics Portal
    - Cross-Launching from Security Cloud Control to Secure Cloud Analytics
  - Cisco Secure Cloud Analytics and Dynamic Entity Modeling
  - Working with Alerts Based on Firewall Events
    - Triage open alerts
    - Snooze alerts for later analysis
    - Update the alert for further investigation
    - Review the alert and start your investigation
    - Examine the entity and users
    - Remediate issues using Secure Cloud Analytics
    - Update and close the alert
  - Modifying Alert Priorities
- Monitor Remote Access Virtual Private Network Sessions from Secure Firewall ASA and Threat Defense
  - Monitor Remote Access Virtual Private Network Sessions
    - Monitor Live AnyConnect Remote Access VPN Sessions
      - View Live Remote Access VPN Data
    - Monitor Historical AnyConnect Remote Access VPN Sessions
      - View Historical Remote Access VPN Data
    - Search and Filter Remote Access VPN Sessions
    - Customize the Remote Access VPN Monitoring View
    - Export Remote Access VPN Sessions to a CSV File
    - Remote Access VPN Dashboard
    - Disconnect Remote Access VPN Sessions of an ASA User
      - Disconnect all Active RA VPN Sessions of a User
    - Disconnect Remote Access VPN Sessions on FDM-Managed Device
    - Disconnect Remote Access VPN Sessions on FTD
- FTD Dashboard
  - About the FTD Dashboard
  - View the FTD Dashboard
  - FTD Dashboard Widgets
    - Top Intrusion Rules Widget
    - Top Intrusion Attackers Widget
    - Top Intrusion Targets Widget
    - Top Malware Signatures Widget
    - Top Malware Senders Widget
    - Top Malware Receivers Widget
    - Malware Events by Disposition Widget
    - Network Activity Widget
    - Event Activity Widget
    - Access Control Actions Widget
    - Top Access Control Policies Widget
    - Top Access Control Rules Widget
    - Top Devices Widget
    - Top Users Widget
    - Top Users by Blocked Connections Widget
    - Top Devices with Health Alerts Widget
    - Top Loaded Devices Widget
    - Top Web Applications Widget
    - Top Client Applications Widget
    - Top Blocked Web Applications Widget
  - Modify Time Settings for the FTD Dashboard
- Monitor and Report Change Logs, Workflows, and Jobs
  - Monitor and Report Change Logs, Workflows, and Jobs
  - Manage Change Logs in Security Cloud Control
  - Change Log Entries after Deploying to an ASA
  - Change Log Entries After Reading Changes from an ASA
  - View Change Log Differences
  - Change Request Management
    - Enable Change Request Management
    - Create a Change Request
    - Associate a Change Request with a Change Log Event
    - Search for Change Log Events with Change Requests
    - Search for a Change Request
    - Filter Change Requests
    - Clear the Change Request Toolbar
    - Clear a Change Request Associated with a Change Log Event
    - Delete a Change Request
    - Disable Change Request Management
    - Change Request Management Use Cases
  - Export the Change Log
    - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
  - Monitor Jobs in Security Cloud Control
    - Reinitiate a Bulk Action
    - Cancel a Bulk Action
  - Monitor Workflows in Security Cloud Control
Optimize Network Security and Efficiency with AI
- Introduction to AIOps Insights
  - About AIOps Insights
    - AIOps Licensing Requirements
    - Prerequisites to Use AIOps
  - View Summary Insights
  - Implement Best Practices and Recommendations
  - Assess and Improve Feature Adoption
  - Enable or Disable Insight Preferences and Configure Threshold Settings
    - Enable AIOps Insights
    - Traffic and Capacity Insights
    - Best Practices and Recommendations Insights
    - Feature Adoption Insights
    - Health and Operations Insights
  - Frequently Asked Questions About AIOps
  - Additional Resources
  - Troubleshooting for the Secure Firewall Threat Defense using Cloud-Delivered Firewall Management Center
- Analyzing, Detecting, and Fixing Policy Anomalies Using Policy Analyzer and Optimizer
  - About Policy Analyzer and Optimizer
    - Analysis, Remediation, and Reporting
  - Prerequisites to Use Policy Analyzer and Optimizer
  - Policy Analyzer and Optimizer Licensing Requirements
  - Enable Policy Analyzer and Optimizer for Cloud-Delivered Firewall Management Center
  - Enable Policy Analyzer and Optimizer for Security Cloud Control -managed On-Premises Firewall Management Center
  - Policy Analysis
    - Analyze Cloud-Delivered Firewall Management Center Policies
    - Analyze On-Premises Firewall Management Center Policies
  - Policy Reporting
    - Policy Analysis Summary
    - Duplicate Rules
    - Overlapping Objects
    - Expired Rules
    - Mergeable Rules
    - Policy Insights
  - Policy Remediation
    - Apply Policy Remediation
    - What Does the Policy Remediation Report Contain?
  - Troubleshooting Policy Analyzer and Optimizer
    - Policy Analyzer and Optimizer Does Not Analyze Policies
    - Policy Analyzer and Optimizer Does Not Fetch Policies
  - Frequently Asked Questions About Policy Analyzer and Optimizer
Troubleshoot
- Troubleshooting
  - Troubleshoot an Secure Firewall ASA Device
    - ASA Fails to Reconnect to Security Cloud Control After Reboot
    - Cannot onboard ASA due to certificate error
      - Determine the OpenSSL Cipher Suite Used by your ASA
      - Cipher Suites Supported by Security Cloud Control 's Secure Device Connector
      - Updating your ASA's Cipher Suite
    - Troubleshoot ASA using CLI commands
    - Troubleshoot ASA Remote Access VPN
    - ASA Real-time Logging
      - View ASA Real-time Logs
    - ASA Packet Tracer
      - Troubleshoot an ASA Device Security Policy
      - Troubleshoot an Access Rule
      - Troubleshoot a NAT Rule
      - Troubleshoot a Twice NAT Rule
      - Analyze Packet Tracer Results
    - Cisco ASA Advisory cisco-sa-20180129-asa1
    - Confirming ASA Running Configuration Size
    - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
      - Updating a Security Cloud Control -Standard SDC Host
      - Updating a Custom SDC Host
      - Bug Tracking
    - Large ASA Running Configuration Files
  - Troubleshoot a Secure Device Connector
    - SDC is Unreachable
    - SDC Status not Active on Security Cloud Control After Deployment
    - Changed IP Address of the SDC is not Reflected in Security Cloud Control
    - Troubleshoot Device Connectivity with the SDC
    - Intermittent or No Connectivity with SDC
    - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
      - Updating a Security Cloud Control -Standard SDC Host
      - Updating a Custom SDC Host
      - Bug Tracking
    - Invalid System Time
    - SDC version is lower than 202311****
    - Certificate or Connection errors with AWS servers
  - Troubleshoot a Secure Event Connector
    - Troubleshoot SEC Onboarding Failures
    - Troubleshoot Secure Event Connector Registration Failure
    - Troubleshooting NSEL Data Flows
    - Event Logging Troubleshooting Log Files
    - SEC Status is Inactive in Security Cloud Control
    - The SEC is online, but there are no events in Security Cloud Control Event Logging Page
    - Remove an SEC from Your Host
    - Use Health Check to Learn the State of your Secure Event Connector
  - Troubleshoot Security Cloud Control
    - Troubleshooting Access and Certificates
      - Troubleshoot User Access with Security Cloud Control
      - Resolve New Fingerprint Detected State
      - Troubleshooting SSL Decryption Issues
    - Troubleshooting Objects
      - Resolve Duplicate Object Issues
      - Resolving Inconsistent or Unused Security Zone Objects
      - Resolve Unused Object Issues
        
        Resolve an Unused Object Issue
        
        Remove Unused Objects in Bulk
      - Resolve Inconsistent Object Issues
      - Resolve Object Issues in Bulk
      - Unignore Objects
  - Device Connectivity States
    - Troubleshoot Device Unregistered
    - Troubleshoot Insufficient Licenses
    - Troubleshoot Invalid Credentials
    - Troubleshoot New Certificate Issues
      - New Certificate Detected
    - Troubleshoot Onboarding Error
    - Resolve the Conflict Detected Status
    - Resolve the Not Synced Status
- FAQ and Support
  - Security Cloud Control
  - FAQ About Onboarding Devices to Security Cloud Control
    - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
    - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
    - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-Delivered Firewall Management Center
    - FAQs About On-Premises Secure Firewall Management Center
    - FAQs About Onboarding Meraki Devices to Security Cloud Control
    - FAQs About Onboarding SSH Devices to Security Cloud Control
    - FAQs About Onboarding IOS Devices to Security Cloud Control
  - Device Types
  - Security
  - End-of-Support for management of the Secure Firewall Threat Defense Version 7.0.x managed by Cloud-Delivered Firewall Management Center
  - Troubleshooting
  - Terminologies and Definitions used in Zero-Touch Provisioning
  - Policy Optimization
  - Connectivity
  - Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
  - About Data Interfaces
  - How Security Cloud Control Processes Personal Information
  - Contact Security Cloud Control Support
    - Export The Workflow
    - Open a Support Ticket with TAC
      - How Security Cloud Control Customers Open a Support Ticket with TAC
      - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
    - Security Cloud Control Service Status Page
Appendix
- Security and Internet Access
  - Internet Access Requirements
- Terraform
  - About Terraform
- Open Source and 3rd Party License Attribution
  - Open Source and Third-Party License in SDC

Platform GCP

Activity Upgrade

Establish Secure Connections Virtual Private Network Management Configure Virtual Private Network Management Introduction to Site-to-Site Virtual Private Network Monitor ASA Site-to-Site Virtual Private Networks Check Site-to-Site VPN Tunnel Connectivity

Last updated: Aug 08, 2025

Check Site-to-Site VPN Tunnel Connectivity

Use the Check Connectivity button to trigger a real-time connectivity check against the tunnel to identify whether the tunnel is currently active or idle. Unless you click the on-demand connectivity check button, a check across all tunnels, available across all onboarded devices, occurs once an hour.

Security Cloud Control runs this connectivity check command on the ASAFTD to determine if a tunnel is active or idle:
```
show vpn-sessiondb l2l sort ipaddress
```
Model ASA device(s) tunnels will always show as Idle.

To check tunnel connectivity from the VPN page:

Procedure

1	In the Security Cloud Control platform menu, choose Products > Firewall.
2	In the left pane, choose Manage > Secure Connections > Network Connections > Site to Site VPN.
3	Search and filter the list of tunnels for your site-to-site VPN tunnel and select it.
4	In the Actions pane at the right, click Check Connectivity.

Previous topic Monitor ASA Site-to-Site Virtual Private Networks Next topic Site-To-Site VPN Dashboard