Login

Cisco Security Cloud Control for Firewall Management Configuration Guide

Introduction
- Welcome to Firewall in Security Cloud Control
  - About Cisco Security Cloud Control
  - Products Managed by Cisco Security Cloud Control
  - About Firewall in Security Cloud Control
  - Cloud-delivered Firewall Management Center in Security Cloud Control
  - Maintenance Plan for Security Cloud
    - Security Cloud Control Platform Maintenance Schedule
    - Cloud-Delivered Firewall Management Center Maintenance Schedule
  - The Firewall Dashboard
Get Started
- Cisco AI Assistant User Guide
  - Onboard with Cisco AI Assistant
  - Prompt Guide for Cisco AI Assistant
  - Online Help Documentation
  - Policy Insights
  - Policy Analyzer and Optimizer
  - Automate Policy Rule Creation
  - Contact Support
  - Notifications Center
  - Cisco AI Assistant Frequently Asked Questions (FAQ)
- Manage Tenants and Users
  - Manage a Security Cloud Control Tenant
    - Configure User Preferences
      - General Preferences
        
        Change the Security Cloud Control Web Interface Appearance
      - User Notification Preferences
      - View Security Cloud Control Notifications
    - Tenant Settings
      - Enable Change Request Tracking
      - Prevent Cisco Support from Viewing your Tenant
      - Enable the Option to Auto-accept Device Changes
      - Default Conflict Detection Interval
      - Enable the Option to Schedule Automatic Deployments
      - Web Analytics
      - Share Event Data with Cisco Talos
      - Configure a Default Recurring Backup Schedule
      - Tenant ID
      - Tenant Name
      - Security Cloud Control Platform Navigator
    - Organization Notification Settings
      - Enable Email Subscribers
        
        Add an Email Subscription
        
        Edit Email Subscriptions
        
        Delete an Email Subscription
      - Enable Service Integrations for Security Cloud Control Notifications
        
        Incoming Webhooks for Webex Teams
        
        Incoming Webhooks for Slack
        
        Incoming Webhooks for a Custom Integration
    - Logging Settings
    - Integrate Your SAML Single Sign-On with Security Cloud Control
    - Renew SSO Certificate
    - My Tokens
    - API Tokens
      - API Token Format and Claims
      - Manage API-only Users for Firewall in Security Cloud Control
      - Token Management
        
        Generate an API Token
        
        Refresh an API Token
        
        Revoke an API Token
    - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
      - Login Workflow
      - Implications of this Architecture
        
        Customers Who Use Cisco Security Cloud Sign On
        
        Customers Who Have Their Own Identity Provider
        
        Cisco Managed Service Providers
        
        Related Topics
    - MSSP Portal
      - Security Devices Details
      - Add a Tenant to the MSSP Portal
      - Delete a Tenant from the MSSP Portal
      - Manage MSSP Portal Settings
        
        Settings
        
        Switch Tenant
    - The Cisco Success Network
  - Manage Users in Security Cloud Control
    - Manage Super Admins on Your Tenant
    - View the User Records Associated with your Tenant
  - Active Directory Groups in User Management
    - Prerequisites for Adding an Active Directory Group to Security Cloud Control
    - Add an Active Directory Group for User Management
    - Edit an Active Directory Group for User Management
    - Delete an Active Directory Group for User Management
  - Create a New Security Cloud Control User
    - Create a Cisco Security Cloud Sign On Account for the New User
      - About Logging in to Security Cloud Control
      - Before You Log In
      - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
    - Create a User Record with Your Security Cloud Control Username
    - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
  - User Roles in Security Cloud Control
    - Read-only Role
    - Edit-Only Role
    - Deploy-Only Role
    - VPN Sessions Manager Role
    - Admin Role
    - Super Admin Role
    - Change The Record of the User Role
  - Add a User Account to Security Cloud Control
    - Create a User Record
    - Create API Only Users
  - Edit a User Record for a User Role
    - Edit a User Role
  - Delete a User Record for a User Role
    - Delete a User Record
- Integrating Security Cloud Control with Cisco Security Cloud Sign On
  - Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Manage Security Devices
- Onboard Devices and Services
  - Secure Device Connector
    - Connect Security Cloud Control to your Managed Devices
    - Deploy a VM for Running the Secure Device Connector and Secure Event Connector
    - Deploy a Secure Device Connector On Your VM
    - Bootstrap a Secure Device Connector on the Deployed Host
    - Deploy a Secure Device Connector to vSphere Using Terraform
    - Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
    - Migrate an On-Premises Secure Device Connector and Secure Event Connector from a CentOS 7 Virtual Machine to an Ubuntu Virtual Machine
    - Change the IP Address of a Secure Device Connector
    - Remove a Secure Device Connector
    - Rename a Secure Device Connector
    - Specify a Default Secure Device Connector
    - Update your Secure Device Connector
    - Using Multiple SDCs on a Single Security Cloud Control Tenant
    - Security Cloud Control Devices that Use the Same SDC
  - Supported Devices, Software, and Hardware
    - ASA Support Specifics
    - Secure Firewall Threat Defense Device Support Specifics
    - Cloud Device Support Specifics
    - Switching and Routing Support Specifics
- Onboard a Threat Defense Device
  - Onboarding Overview
  - Prerequisites to Onboard a Device to Cloud-Delivered Firewall Management Center
  - Onboard a Device with a CLI Registration Key
  - Onboard a Threat Defense Device to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Onboard a Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
  - Onboard Threat Defense Devices using Device Templates to Cloud-Delivered Firewall Management Center using Zero-Touch Provisioning
  - Deploy a Threat Defense Device with AWS
  - Deploy a Threat Defense Device in Azure
    - Onboard an Azure VNet Environment
    - Deploy a Firewall Threat Defense Virtual in Azure
  - Deploy a Threat Defense Device to Google Cloud Platform
    - Create VPC Networks for GCP
    - Deploy a Threat Defense Device on Google Cloud Platform
  - Onboard a Secure Firewall Threat Defense Cluster
  - Onboard a Chassis
  - Delete Devices from Cloud-Delivered Firewall Management Center
  - Troubleshooting
    - Troubleshoot Cloud-Delivered Firewall Management Center Connectivity with TCP
    - Troubleshoot Threat Defense Device Connectivity
    - Troubleshoot Device Connectivity Loss After Cloud-delivered Firewall Management Center Update
    - Troubleshoot Onboarding a Device to the Cloud-Delivered Firewall Management Center Using the CLI Registration Key
      - Error: Device Remains in Pending Setup State After Onboarding
    - Troubleshoot Onboarding a Device to Cloud-Delivered Firewall Management Center Using the Serial Number
      - Device is Offline or Unreachable
      - Error: Serial Number Already Claimed
      - Error: Claim Error
      - Error: Failed to Claim
      - Error: Provisional Error
  - Onboard a Threat Defense Device to On-Prem Firewall Management Center using Zero-Touch Provisioning
- Onboard ASA Devices
  - Onboard ASA Devices
    - Onboard ASA Device to Security Cloud Control
    - Onboard a High Availability Pair of ASA Devices to Security Cloud Control
    - Onboard an ASA in Multi-Context Mode to Security Cloud Control
    - Onboard Multiple ASAs to Security Cloud Control
      - Pause and Resume Onboarding Multiple ASAs
    - Create and Import an ASA Model to Security Cloud Control
      - Import ASA Configuration
- Onboard an On-Premises Firewall Management Center
  - Supported Devices, Software, and Hardware
    - ASA Support Specifics
    - Secure Firewall Threat Defense Device Support Specifics
    - Cloud Device Support Specifics
    - Switching and Routing Support Specifics
  - Onboard an On-Premises Firewall Management Center
    - Onboard an On-Premises Management Center to Security Cloud Control
      - Auto-Onboard an On-Premises Management Center Integrated with Cisco Security Cloud
        
        Integrate On-Premises Management Center With Cisco Security Cloud
        
        Disable Auto-Onboarding of an On-Premises Management Center
      - Onboard an On-Premises Firewall Management Center to Security Cloud Control with Credentials
      - Redirect Security Cloud Control to an On-Premises Firewall Management Center
    - Remove an On-Premises Firewall Management Center from Security Cloud Control
- Onboard Security Cloud Control Integrations
  - Onboard Security Cloud Control Integrations
    - Onboard an SSH Device
      - Onboard an SSH Device
      - Delete a Device from Security Cloud Control
    - Onboard a Cisco IOS Device
      - Onboard a Cisco IOS Device
        
        Create and Import an ASR or ISR Model
        
        Download ASR or ISR Configuration
        
        Import ASR or ISR Configuration
      - Delete a Device from Security Cloud Control
      - Import Configuration for Offline Device Management
      - Delete a Device from Security Cloud Control
- Onboard Meraki MX Devices
  - Onboard Meraki MX Devices
    - Onboard Meraki MX to Security Cloud Control
      - Generate and Retrieve Meraki API Key
      - Onboard an MX Device to Security Cloud Control
    - Onboard Meraki Templates to Security Cloud Control
      - Generate and Retrieve Meraki API Key
      - Onboard an Meraki Template to Security Cloud Control
    - Update Meraki MX Connection Credentials
    - Delete a Device from Security Cloud Control
- Onboarding an Umbrella Organization
  - Onboarding an Umbrella Organization
    - Umbrella License Requirements
    - Generate an API Key and Secret
    - Umbrella Organization ID
    - Onboarding an Umbrella Orgnization
    - Reconnect an Umbrella Organization to Security Cloud Control
    - Cross-launch to the Umbrella dashboard
    - Delete a Device from Security Cloud Control
- Onboard an AWS VPC
  - Onboard an AWS VPC
  - Supported Devices, Software, and Hardware
- Onboard FDM-Managed Device
  - Onboard FDM-Managed Device
    - Managing an FDM-Managed Device from the Inside Interface
      - Manage an FDM-Managed Device from the Inside Interface
    - Managing an FDM-Managed Device from the Outside Interface
      - Manage the FDM-Managed Device's Outside Interface
    - Onboard an FDM-Managed Device to Security Cloud Control
      - Onboard an FDM-Managed Device Using Username, Password, and IP Address
      - Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
        
        Unregister a Smart-licensed FDM-Managed Device
        
        Procedure to Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
      - Onboard an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
        
        Unregistering an FDM-Managed Device from Cisco Cloud Services
        
        Procedure to Onboad an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
      - Onboard an FDM-Managed Device using the Device's Serial Number
        
        Workflow and Prerequisites to Onboard the FDM-Managed Device Using Zero-Touch Provisioning
        
        Onboard a Secure Firewall Threat Defense Device With Zero-Touch Provisioning
        
        Onboard a Configured FDM-Managed Device using the Device's Serial Number
      - Onboard an FDM-Managed High Availability Pair
        
        Onboard an FDM-Managed High Availablity Pair with a Registration Key
        
        Onboard an FDM-Managed HA Pair Running Version 6.4 or Version 6.5
        
        Onboard an FDM-Managed HA Pair Running Threat Defense Version 6.6 or Version 6.7 and later
        
        Onboard an FDM-Managed High Availability Pair
      - Onboard an FTD Cluster
        
        Onboard a Clustered Secure Firewall Threat Defense Device
    - Applying or Updating a Smart License
      - Smart-License an FDM-Managed Device When Onboarding Using a Registration Key
      - Smart-License an FDM-Managed Device After Onboarding the Device Using a Registration Key or its Credentials
      - Updating an Existing Smart License of an FDM-Managed Device
      - Change the Smart License Applied to an FDM-Managed Device Onboarded Using a Registration Key
      - Change the Smart License Applied to an FDM-Managed Device Onboarded Using its Credentials
    - Security Cloud Control Support for DHCP Addressing of FDM-Managed Devices
    - FDM-Managed Device Licensing Types
      - Virtual FDM-Managed Device Tiered Licenses
      - Viewing Smart-Licenses for a Device
      - Enabling or Disabling Optional Licenses
      - Impact of Expired or Disabled Optional Licenses
    - Create and Import an Firewall Device Manager Model
      - Export FDM-Managed Device Configuration
      - Import FDM-Managed Device Configuration
    - Backing Up FDM-Managed Devices
      - Back up an FDM-Managed Device On-Demand
        
        Procedure
      - Configure a Recurring Backup Schedule for a Single FDM-Managed Device
        
        Procedure
      - Download the Device Backup
      - Edit a Backup
      - Delete a Backup
      - Managing Device Backup
      - Restore a Backup to an FDM-Managed Device
    - Update FDM-Managed Device Security Databases
- Manage Onboarded Device Settings
  - Changing a Device's IP Address in Security Cloud Control
  - Changing a Device's Name in Security Cloud Control
  - Export a List of Devices and Services
  - Export Device Configuration
  - External Links for Devices
    - Create an External Link from your Device
    - Create an External Link to ASDMFDM
    - Create an External Link for Multiple Devices
    - Edit or Delete External Links
    - Edit or Delete External Links for Multiple Devices
  - Bulk Reconnect Devices to Security Cloud Control
  - Moving Devices Between Tenants
  - Device Certificate Expiry Detection
  - Update Meraki MX Connection Credentials
  - Write a Device Note
  - Delete a Device from Security Cloud Control
  - Manage Security Devices
  - Security Devices Overview
  - Security Cloud Control Labels and Filtering
    - Apply Labels to Devices and Objects
    - Labels and Tags in AWS VPC
    - Filters
  - Use Security Cloud Control Search Functionality
    - Page Level Search
    - Global Search
      - Initiate Full Indexing
      - Perform a Global Search
- Upgrade Devices and Services
  - FDM Software Upgrade Paths
    - Other Upgrade Limitations
    - 4100 and 9300 Series Devices
  - FDM-Managed Device Upgrade Prerequisites
  - Upgrade a Single FDM-Managed Device
    - Upgrade A Single FDM-Managed Device with Images from Security Cloud Control 's Repository
    - Upgrade a Single FDM-Managed Device with Images from your own Repository
    - Monitor the Upgrade Process
  - Bulk FDM-Managed Devices Upgrade
    - Upgrade Bulk FDM-Managed Devices with Images from Security Cloud Control 's Repository
    - Upgrade Bulk FDM-Managed Devices with Images from your own Repository
    - Monitor the Bulk Upgrade Process
  - Upgrade an FDM-Managed High Availability Pair
    - Upgrade an FDM-Managed HA Pair with Images from Security Cloud Control's Repository
    - Upgrade an FDM-Managed HA Pair with Images from your own Repository
    - Monitor the Upgrade Process
  - Upgrade to Snort 3.0
    - Upgrade the Device and the Intrusion Prevention Engine Simultaneously
    - Upgrade the Intrusion Prevention Engine
    - Monitor the Upgrade Process
  - Revert From Snort 3.0 for FDM-Managed Device
    - Revert From Snort 3.0
  - Schedule a Security Database Update
    - Edit a Scheduled Security Database Update
  - Prerequisites for ASA and ASDM Upgrade in Security Cloud Control
  - Upgrade Bulk ASA and ASDM in Security Cloud Control
    - Upgrade Multiple ASAs with Images from your own Repository
  - Upgrade ASA and ASDM Images on a Single ASA
  - Upgrade ASA and ASDM Images in a High Availability Pair
    - Workflow
    - Upgrade ASA and ASDM Images in a High Availability Pair
  - Upgrade an ASA or ASDM Using Your Own Image
Configure Devices And Services
- Configure Cloud-Delivered Firewall Management Center-Managed Secure Firewall Threat Defense
  - Security Cloud Control Services Page
  - Navigate to the Cloud-Delivered Firewall Management Center in your Security Cloud Control Tenant
  - Enable Cloud-Delivered Firewall Management Center on Your Security Cloud Control Tenant
- Configure Secure Firewall ASA Devices
  - Managing Secure Firewall ASA with Security Cloud Control
  - Update ASA Connection Credentials in Security Cloud Control
    - Move an ASA from one SDC to Another
  - ASA Interface Configuration
    - Configure an ASA Physical Interface
      - Configure IPv4 Addressing for ASA Physical Interface
      - Configure IPv6 Addressing for ASA Physical Interface
      - Configure Advanced ASA Physical Interface Options
      - Enable the ASA Physical Interface
    - Add an ASA VLAN Subinterface
      - Configure ASA VLAN Subinterfaces
      - Configure IPv4 Addressing for ASA Subinterface
      - Configure IPv6 Addressing for ASA Subinterface
      - Configure Advanced ASA Subinterface Options
      - Enable the Subinterface
      - Remove ASA Subinterface
    - About ASA EtherChannel Interfaces
      - Configure ASA EtherChannel
        
        Edit ASA EtherChannel
        
        Remove ASA EtherChannel Interface
  - ASA System Settings Policy in Security Cloud Control
    - Create an ASA Shared System Settings Policy
      - Configure Basic DNS Settings
      - Configure HTTP Settings
      - Set the Date and Time Using an NTP Server
      - Configure SSH Access
      - Configure System Logging
      - Enable Sysopt Settings
      - Assign a Policy from the Shared System Settings Page
    - Configure or Modify Device Specific System Settings
      - Assign a Policy from Device-Specific Settings Page
    - Auto Assignment of ASA Devices to a Shared System Settings Policy
    - Filter ASA Shared System Settings Policy
    - Disassociate Devices from Shared System Settings Policy
    - Delete Shared Settings Policy
  - ASA Routing in Security Cloud Control
    - About ASA Static Route
      - Configure ASA Static Route
      - Edit ASA Static Route
      - Delete a Static Route
  - Manage Security Policies in Security Cloud Control
  - Manage ASA Network Security Policy
    - About ASA Access Control Lists and Access Groups
    - Create an ASA Access List
    - Add a Rule to an ASA Access List
      - About System Log Activity
      - Deactivate Rules in an Access Control List
      - About Security Group Tags in ASA Policies
    - Assign Interfaces to ASA Access Control List
    - Create an ASA Global Access List
    - Improvements to the ASA Shared Policy Model
    - Share an ASA Access Control List with Multiple ASA Devices
    - Copy an ASA Access Control List to Another ASA
    - Copy a Rule Within or Across ASA Access Lists and Devices
    - Unshare a Shared ASA Access Control List
    - View ASA Access Policies Listing Page
    - Global Search of ASA Access Lists
    - Rename an ASA Access Control List
    - Delete a Rule from an ASA Access Control List
    - Delete an ASA Access Control List
  - Compare ASA Network Policies
  - Hit Rates
    - View Hit Rates of ASA Policies
  - Search and Filter ASA Network Rules in the Access List
  - Shadowed Rules
    - Find Network Policies with Shadowed Rules
    - Resolve Issues with Shadowed Rules
  - Network Address Translation
  - Order of Processing NAT Rules
  - Network Address Translation Wizard
    - Create a NAT Rule by using the NAT Wizard
  - Common Use Cases for NAT
    - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
    - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
    - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
      - NAT Incoming FTP Traffic to an FTP Server
      - NAT Incoming HTTP Traffic to an HTTP Server
      - NAT Incoming SMTP Traffic to an SMTP Server
    - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
      - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
    - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
      - Create a Twice NAT Rule
  - API Tokens
  - Manage ASA Certificates
    - Install ASA Certificates
    - Install an Identity Certificate Using PKCS12
    - Install a Certificate Using Self-Signed Enrollment
    - Manage a Certificate Signing Request (CSR)
      - Generate a CSR Request
      - Install a Signed Identity Certificate Issued by a Certificate Authority
    - Install a Trusted CA Certificate in ASA
    - Export an Identity Certificate
    - Edit an Installed Certificate
    - Delete an Existing Certificate from ASA
  - ASA File Management
    - Upload File to a Single ASA Device
    - Upload File to Multiple ASA Devices
    - Remove Files from ASA
  - Managing ASAs with Pre-existing High Availability Configuration
    - Configuration Changes Made to ASAs in Active-Active Failover Mode
  - Manage ASA Configuration Files
    - View a Device's Configuration File
  - Configure DNS on ASA
    - Procedure
  - Security Cloud Control Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Compare ASA Configurations Using Security Cloud Control
  - ASA Bulk CLI Use Cases
    - Show all users in the running configuration of an ASA and then delete one of the users
    - Find all SNMP configurations on selected ASAs
  - ASA Command Line Interface Documentation
  - Command Line Interface Documentation
  - Restore an ASA Configuration
    - Restore an ASA Configuration
    - Troubleshooting
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
    - Edit a Complete Device Configuration File
      - Procedure
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Security Cloud Control
      - Read Configuration Changes on ASA
    - Read Configuration Changes from FDM-Managed Device to Security Cloud Control
      - Discard Changes Procedure
      - If Reverting Pending Changes Fails
      - Review Conflict Procedure
      - Accept Without Review Procedure
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Security Cloud Control to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Security Cloud Control GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Configuration Changes from Security Cloud Control to FDM-Managed Device
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
- Configure On-Premises Firewall Management Center-Managed Secure Firewall Threat Defense Devices
  - Managing On-Premises Firewall Management Center with Security Cloud Control
  - View Onboarded On-Premises Management Center
  - Discover and Manage On-Prem Firewall Management Center Network Objects
  - Manage Device Configuration
  - Read All Device Configurations
  - Preview and Deploy On-Premises Firewall Management Center Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Discard On-Premises Firewall Management Center Configuration Changes
  - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
  - Remove an On-Premises Firewall Management Center from Security Cloud Control
- Configure Cisco Umbrella Tunnel Configuration
  - Read Umbrella Tunnel Configuration
  - Cross-launch to the Umbrella Tunnels Page
  - Configure a SASE Tunnel for Umbrella
  - Edit a SASE Tunnel
  - Delete a SASE Tunnel from Umbrella
- Configure Amazon Web Services Virtual Private Cloud
  - Managing AWS with Firewall in Security Cloud Control
  - Update AWS VPC Connection Credentials
  - Monitor AWS VPC Tunnels using AWS Transit Gateway
  - Search and Filter Site-to-Site VPN Tunnels
  - View a history of changes made to the AWS VPC tunnels
  - Manage Security Policies in Security Cloud Control
    - AWS VPC Policy
      - AWS VPCs and Security Groups in Security Cloud Control
      - AWS VPC Security Groups Rules
      - Create a Security Group Rule
      - Edit a Security Group Rule
      - Delete a Security Group Rule
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Security Cloud Control
      - Read Configuration Changes on ASA
    - Read Configuration Changes from FDM-Managed Device to Security Cloud Control
      - Discard Changes Procedure
      - If Reverting Pending Changes Fails
      - Review Conflict Procedure
      - Accept Without Review Procedure
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Security Cloud Control to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Security Cloud Control GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Configuration Changes from Security Cloud Control to FDM-Managed Device
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
- Configure Cisco Meraki
  - Managing Meraki with Firewall in Security Cloud Control
  - How Does Security Cloud Control Communicate With Meraki
  - Meraki Access Control Policy
  - Meraki Templates
- Configure Cisco IOS
  - Managing IOS Devices with Security Cloud Control
  - Security Cloud Control Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Compare ASA Configurations Using Security Cloud Control
  - ASA Bulk CLI Use Cases
    - Show all users in the running configuration of an ASA and then delete one of the users
    - Find all SNMP configurations on selected ASAs
  - ASA Command Line Interface Documentation
  - Command Line Interface Documentation
  - Restore an ASA Configuration
    - Restore an ASA Configuration
    - Troubleshooting
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
    - Edit a Complete Device Configuration File
      - Procedure
  - Security Cloud Control Command Line Interface
    - Using the Command Line Interface
    - Entering Commands in the Command Line Interface
    - Work with Command History
  - Bulk Command Line Interface
    - Bulk CLI Interface
    - Send Commands in Bulk
    - Work with Bulk Command History
    - Work with Bulk Command Filters
      - By Response Filter
      - By Device Filter
  - Command Line Interface Macros
    - Create a CLI Macro from a New Command
    - Create a CLI Macro from CLI History or from an Existing CLI Macro
    - Run a CLI Macro
    - Edit a CLI Macro
    - Delete a CLI Macro
  - Manage Cisco IOS Device Configuration Files
    - View a Device's Configuration File
  - Manage Device Configuration
  - Read All Device Configurations
  - Read Changes from Firewalls
  - Preview and Deploy Configuration Changes for All Devices
  - Bulk Deploy Device Configurations
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Configure SSH Devices
  - Managing SSH Devices with Firewall in Security Cloud Control
- Configure FDM-Managed Devices
  - Managing FDM-Managed Devices with Firewall in Security Cloud Control
  - Interfaces
    - Guidelines and Limitations for Firepower Interface Configuration
      - Maximum Number of VLAN Members by Device Model
    - Firepower Data Interfaces
    - Management/Diagnostic Interface
    - Interface Settings
      - Use of Security Zones in Firepower Interface Settings
      - Assign an FDM-Managed Device Interface to a Security Zone
        
        Assign a Firepower Interface to a Security Zone
      - Use of Auto-MDI/MDX in Firepower Interface Settings
      - Use of MAC Addresses in Firepower Interface Settings
      - Use of MTU Settings in Firepower Interface Settings
    - IPv6 Addressing for Firepower Interfaces
    - Configuring Firepower Interfaces
      - Configure a Physical Firepower Interface
        
        Procedure
        
        Configure IPv4 Addressing for the Physical Interface
        
        Configure IPv6 Addressing for the Physical Interface
        
        Enable the Physical Interface
      - Configure Firepower VLAN Subinterfaces and 802.1Q Trunking
        
        Procedure
        
        Configure IPv4 Addressing for the Subinterface
        
        Configure IPv6 Addressing for the Subinterface
        
        Enable the Physical Interface
      - Configure Advanced Firepower Interface Options
      - Configure a Bridge Group
        
        Configure the Name of the Bridge Group Interface and Select the Bridge Group Members
        
        Configure the IPv4 Address for the BVI
        
        Configure the IPv6 Address for the BVI
        
        Configure Advanced Interface Options
        
        Bridge Group Compatibility in FDM-Managed Configurations
        
        Delete a Bridge Group
      - Add an EtherChannel Interface for an FDM-Managed Device
        
        Add an EtherChannel Interface
      - Edit Or Remove an EtherChannel Interface for FDM-Managed Device
        
        Edit an EtherChannel
        
        Remove an EtherChannel Interface
      - Add a Subinterface to an EtherChannel Interface
        
        Add a Subinterface to an EtherChannel Interface
      - Edit or Remove a Subinterface from an EtherChannel
        
        Edit a Subinterface
        
        Remove a Subinterface from an EtherChannel
      - Add Interfaces to a Virtual FDM-Managed Device
      - Switch Port Mode Interfaces for an FDM-Managed Device
      - Configure an FDM-Managed Device VLAN
      - Configure an FDM-Managed Device VLAN for Switch Port Mode
        
        Create a VLAN Interface for Switch Port Mode
        
        Configure an Existing Physical Interface for Switch Port Mode
    - Viewing and Monitoring Firepower Interfaces
      - Monitoring Interfaces in the CLI
  - Synchronizing Interfaces Added to a Firepower Device using FXOS
  - Routing
    - About Static Routing and Default Routes
      - Default Route
      - Static Routes
    - The Routing Table and Route Selection
      - How the Routing Table is Populated
      - How Forwarding Decisions are Made
    - Configure Static and Default Routes for FDM-Managed Devices
      - Procedure
      - Static Route Example
    - Monitoring Routing
    - Static Route Network Diagram
    - About Virtual Routing and Forwarding
  - Manage Objects
    - Manage Objects
      - Object Types
      - Shared Objects
      - Object Overrides
      - Unassociated Objects
      - Compare Objects
      - Filters
        
        Object Filters
        
        Configure Object Filters
        
        When to Exclude a Device from Filter Criteria
      - Deleting Objects
        
        Delete a Single Object
        
        Delete a Group of Unused Objects
      - Create IP Address Pool
      - Network Objects
        
        Create or Edit ASA Network Objects and Network Groups
        
        Create an ASA Network Object
        
        Create an ASA Network Group
        
        Edit an ASA Network Object
        
        Edit an ASA Network Group
        
        Add Additional Values to a Shared Network Group in Security Cloud Control
        
        Edit Additional Values in a Shared Network Group in Security Cloud Control
        
        Deleting Network Objects and Groups in Security Cloud Control
        
        Create or Edit a Firepower Network Object or Network Groups
        
        Create a Firepower Network Object
        
        Create a Firepower Network Group
        
        Edit a Firepower Network Object
        
        Edit a Firepower Network Group
        
        Add an Object Override
        
        Edit Object Overrides
        
        Add Additional Values to a Shared Network Group
        
        Edit Additional Values in a Shared Network Group
        
        Deleting Network Objects and Groups in Security Cloud Control
        
        Discover and Manage On-Prem Firewall Management Center Network Objects
        
        Objects Associated with Meraki Devices
        
        Create a Local Meraki Network Object
        
        Create or Edit a Meraki Network Object or Network Group
        
        Create a Meraki Network Object
        
        Create a Meraki Network Group
        
        Edit a Firepower Network Object or Network Group
        
        Deleting Network Objects and Groups in Security Cloud Control
      - URL Objects
        
        Create or Edit an FDM-Managed URL Object
        
        Create a Firepower URL Group
        
        Edit a Firepower URL Object or URL Group
      - Application Filter Objects
        
        Create and Edit a Firepower Application Filter Object
        
        Create a Firepower Application Filter Object
        
        Edit a Firepower Application Filter Object
      - Geolocation Objects
        
        Create and Edit a Firepower Geolocation Filter Object
        
        Edit a Geolocation Object
      - DNS Group Objects
        
        Create a DNS Group Object
        
        Edit a DNS Group Object
        
        Delete a DNS Group Object
        
        Add a DNS Group Object as an FDM-Managed DNS Server
      - Certificate Objects
        
        About Certificates
        
        Certificate Types Used by Feature
        
        Configuring Certificates
        
        Uploading Internal and Internal CA Certificates
        
        Procedure
        
        Uploading Trusted CA Certificates
        
        Procedure
        
        Generating Self-Signed Internal and Internal CA Certificates
        
        Procedure
      - Trustpoint Objects
        
        Adding an Identity Certificate Object Using PKCS12
        
        Create a Self-Signed Identity Certificate Object
        
        Add an Identity Certificate Object for Certificate Signing Request (CSR)
        
        Add a Trusted CA Certificate Object
        
        Self-Signed and CSR Certificate Generation Based on Certificate Contents
      - About IPsec Proposals
        
        Managing an IKEv1 IPsec Proposal Object
        
        Create or Edit an IKEv1 IPsec Proposal Object
        
        Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
      - About Global IKE Policies
        
        Managing IKEv1 Policies
        
        Create or Edit an IKEv1 Policy
        
        Managing IKEv2 Policies
        
        Create or Edit an IKEv2 Policy
      - RA VPN Objects
        
        Configure Identity Sources for ASA
        
        Determining the Directory Base DN
        
        RADIUS Servers and Groups
        
        Create an ASA Active Directory Realm Object
        
        Edit an ASA Active Directory Realm Object
        
        Create an ASA RADIUS Server Object or Group
        
        Create an ASA RADIUS Server Object
        
        Create an ASA RADIUS Server Group
        
        Edit an ASA Radius Server Object or Group
        
        Create ASA Remote Access VPN Group Policies
        
        ASA Remote Access VPN Group Policy Attributes
        
        Configure Identity Sources for FDM-Managed Device
        
        Determining the Directory Base DN
        
        RADIUS Servers and Groups
        
        Create or Edit an Active Directory Realm Object
        
        Create an FTD Active Directory Realm Object
        
        Edit an FTD Active Directory Realm Object
        
        Create or Edit a RADIUS Server Object or Group
        
        Create a RADIUS Server Object
        
        Create a RADIUS Server Group
        
        Edit a Radius Server Object or Group
        
        Create New RA VPN Group Policies
        
        RA VPN Group Policy Attributes
      - AWS Security Groups and Cloud Security Group Objects
        
        Sharing Objects Between AWS and other Managed Devices
      - Security Zone Object
        
        Create or Edit a Firepower Security Zone Object
        
        Create a Security Zone Object
        
        Edit a Security Zone Object
      - Service Objects
        
        Create and Edit ASA Service Objects
        
        Create an ASA Service Group
        
        Edit an ASA Service Object or Service Group
        
        Create and Edit Firepower Service Objects
        
        Create a Firepower Service Group
        
        Edit a Firepower Service Object or Service Group
        
        Create or Edit a Meraki Service Object
        
        Create a Service Object
        
        Create a Service Group
        
        Edit a Service Object or a Service Group
      - Security Group Tag Group
        
        Security Group Tags
        
        Create an SGT Group
        
        Edit an SGT Group
        
        Add an SGT Group to an Access Control Rule
      - Syslog Server Objects
        
        Create and Edit Syslog Server Objects
        
        Edit Syslog Server Objects
        
        Create a Syslog Server Object for Secure Logging Analytics (SaaS)
        
        Procedure
      - ASA Time Range Objects
        
        Create an ASA Time Range Object
        
        Edit an ASA Time Range Object
  - Manage Security Policies in Security Cloud Control
  - FDM Policy Configuration
    - FDM-Managed Access Control Policy
      - Read an FDM-Managed Access Control Policy
      - Configure the FDM Access Control Policy
        
        Create or Edit an FDM-Managed Access Control Policy
        
        Configuring Access Policy Settings
        
        Procedure
        
        About TLS Server Identity Discovery
      - Copy FDM-Managed Access Control Rules
        
        Copy Rules within the Device
        
        Copy Rules from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
      - Move FDM-Managed Access Control Rules
        
        Move Rules within the Device
        
        Move a Rule from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
      - Behavior of Objects when Pasting Rules to Another Device
      - Source and Destination Criteria in an FDM-Managed Access Control Rule
      - URL Conditions in an FDM-Managed Access Control Rule
        
        Specifying a Reputation for a URL Category Used in a Rule
      - Intrusion Policy Settings in an FDM-Managed Access Control Rule
      - File Policy Settings in an FDM-Managed Access Control Rule
      - Logging Settings in an FDM-Managed Access Control Rule
        
        Procedure
      - Application Criteria in an FDM-Managed Access Control Rule
      - Intrusion, File, and Malware Inspection in FDM-Managed Access Control Policies
      - Custom IPS Policy in an FDM-Managed Access Control Rule
      - TLS Server Identity Discovery in Firepower Threat Defense
        
        Enable the TLS Server Identity Discovery
    - Intrusion Prevention System
      - Threat Events
      - Custom Firepower Intrusion Prevention System Policy
        
        Configure Firepower Custom IPS Policies
        
        Create a Custom IPS Policy
        
        Edit a Custom IPS Policy
        
        Edit Rule Groups in a Custom IPS Policy
        
        Delete a Custom IPS policy
    - Security Intelligence Policy
      - Configure the Firepower Security Intelligence Policy
        
        Configure Firepower Security Intelligence Policy
      - Making Exceptions to the Firepower Security Intelligence Policy Blocked Lists
      - Security Intelligence Feeds for Firepower Security Intelligence Policies
    - FDM-Managed Device Identity Policy
      - How to Implement an Identity Policy
        
        Procedure
      - Configure Identity Policies
        
        Procedure
      - Configure Identity Policy Settings
        
        Procedure
      - Configure the Identity Policy Default Action
        
        Procedure
      - Configure Identity Rules
        
        Procedure
    - SSL Decryption Policy
      - How to Implement and Maintain the SSL Decryption Policy
        
        Procedure
      - About SSL Decryption
        
        Why Implement SSL Decryption?
        
        Actions You Can Apply to Encrypted Traffic
        
        Automatically Generated SSL Decryption Rules
        
        Handling Undecryptable Traffic
        
        License Requirements for SSL Decryption Policies
        
        Guidelines for SSL Decryption
      - Configure SSL Decryption Policies
        
        Procedure
        
        Enable the SSL Decryption Policy
        
        Procedure
        
        Configure the Default SSL Decryption Action
        
        Procedure
        
        Configure SSL Decryption Rules
        
        Procedure
        
        Source/Destination Criteria for SSL Decryption Rules
        
        URL Criteria for SSL Decryption Rules
        
        User Criteria for SSL Decryption Rules
      - Configure Certificates for Known Key and Re-Sign Decryption
      - Downloading the CA Certificate for Decrypt Re-Sign Rules
        
        Procedure
        
        Warning
    - Rulesets
      - Configure Rulesets for a Device
        
        Create or Edit a Ruleset
        
        Deploy a Ruleset to Multiple FDM-Managed Devices or Templates
        
        Add Devices to a Ruleset from the Ruleset page
        
        Add Rulesets to a Device from the Device Policy page
      - Rulesets with FDM-Managed Templates
      - Create Rulesets from Existing Device Rules
      - Impact of Out-of-Band Changes on Rulesets
      - Impact of Discarding Staged Ruleset Changes
      - View Rules and Rulesets
        
        View Rules from Device Policy Page
        
        View Rulesets
        
        Search Rulesets
        
        View Jobs Associated with Rulesets
      - Change Log Entries after Creating Rulesets
      - Detach FDM-Managed Devices from a Selected Ruleset
      - Delete Rules and Rulesets
        
        Delete Rules from a Ruleset
        
        Delete a Ruleset
      - Remove a Ruleset From a Selected FDM-Managed Device
        
        Delete a Ruleset From a Selected FDM-Managed Device
        
        Disassociate a Ruleset From a Selected FDM-Managed Device
    - Adding Comments to Rules in Policies and Rulesets
      - Adding a Comment to a Rule
      - Editing Comments about Rules in Policies and Rulesets
        
        Editing a comment on a rule in a policy
        
        Editing a comment on a rule in a ruleset
    - Network Address Translation
    - Order of Processing NAT Rules
    - Network Address Translation Wizard
      - Create a NAT Rule by using the NAT Wizard
    - Common Use Cases for NAT
      - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
      - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
      - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
        
        NAT Incoming FTP Traffic to an FTP Server
        
        NAT Incoming HTTP Traffic to an HTTP Server
        
        NAT Incoming SMTP Traffic to an SMTP Server
      - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
        
        Translate a Pool of Inside Addresses to a Pool of Outside Addresses
      - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
        
        Create a Twice NAT Rule
  - Templates
    - FDM-Managed Device Templates
    - Configure an FDM Template
      - Create an FDM Template
      - Edit an FDM-Managed Device Template
      - Delete an FDM Template
    - Apply an FDM Template
      - Apply Template to an FDM-Managed Device
      - Review Device and Networking Settings
      - Deploy Changes to the Device
  - Backing Up FDM-Managed Devices
    - Back up an FDM-Managed Device On-Demand
      - Procedure
    - Configure a Recurring Backup Schedule for a Single FDM-Managed Device
      - Procedure
    - Download the Device Backup
    - Edit a Backup
    - Delete a Backup
    - Managing Device Backup
    - Restore a Backup to an FDM-Managed Device
  - FDM-Managed High Availability
    - FDM-Managed High Availability Pair Requirements
    - Create an FDM-Managed High Availability Pair
      - Procedure
    - FDM-Managed Devices in High Availability Page
      - High Availability Management Page
      - Edit High Availability Failover Criteria
      - Break an FDM-Managed High Availability Pairing
        
        Break High Availability
        
        Break Out-of-Band High Availability
      - Force a Failover on an FDM-Managed High Availability Pair
      - FDM-Managed High Availability Failover History
      - Refresh the FDM-Managed High Availability Status
      - Failover and Stateful Link for FDM-Managed High Availability
  - FDM-Managed Device Settings
    - Configure an FDM-Managed Device's System Settings
    - Configure Management Access
      - Create Rules for Management Interfaces
      - Create Rules for Data Interfaces
    - Configure Logging Settings
      - Message Severity Levels
    - Configure DHCP Servers
    - Configure DNS Server
    - Management Interface
    - Hostname
    - Configure NTP Server
    - Configure URL Filtering
    - Cloud Services
      - Connecting to the Cisco Success Network
      - Sending Events to the Cisco Cloud
    - Enabling or Disabling Web Analytics
  - Create a REST API Macro
    - Using the API Tool
    - How to Enter a Secure Firewall Threat Defense REST API Request
    - About FTD REST API Macros
      - Create a REST API Macro
        
        Create a REST API Macro from a New Command
        
        Create a REST API Macro from History or from an Existing REST API Macro
      - Run a REST API Macro
      - Edit a REST API Macro
      - Delete a REST API Macro
  - Update FDM-Managed Device Security Databases
- Cisco Secure Dynamic Attributes Connector
  - About the Cisco Secure Dynamic Attributes Connector
    - How It Works
  - About the Dashboard
    - Dashboard of an Unconfigured System
    - Dashboard of a Configured System
    - Add, Edit, or Delete Connectors
    - Add, Edit, or Delete Dynamic Attributes Filters
    - Add, Edit, or Delete Adapters
  - Create a Connector
    - Amazon Web Services Connector—About User Permissions and Imported Data
      - Create an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an AWS Connector
    - Amazon Web Services Security Groups Connector—About User Permissions and Imported Data
      - Create an AWS Security Groups Connector
    - Create an AWS Service Tags Connector
    - Azure Connector—About User Permissions and Imported Data
      - Create an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create an Azure Connector
    - Create an Azure Service Tags Connector
    - Create a Multicloud Defense Connector
    - Create a Cisco Cyber Vision Connector
    - Create a Generic Text Connector
    - Create a GitHub Connector
    - Google Cloud Connector—About User Permissions and Imported Data
      - Create a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
      - Create a Google Cloud Connector
    - Create an Office 365 Connector
    - Create a Webex Connector
    - Create a Zoom Connector
  - Create an Adapter
    - How to Create an On-Prem Firewall Management Center Adapter
    - How to Create a Cloud-Delivered Firewall Management Center Adapter
  - Create Dynamic Attributes Filters
    - Dynamic Attribute Filter Examples
  - Use Dynamic Objects in Access Control Policies
    - About Dynamic Objects in Access Control Rules
    - Dynamic Attributes Rule Conditions
    - Create Access Control Rules Using Dynamic Attributes Filters
  - Troubleshoot the Cisco Secure Dynamic Attributes Connector
    - Troubleshoot Error Messages
    - Get Your Tenant ID
Migrate Devices
- Migrate Threat Defense to Cloud-delivered Firewall Management Center
  - About Migrating Threat Defense to Cloud-delivered Firewall Management Center
  - Supported On-Premises Firewall Management Center and Threat Defense Software for Migration
  - Licensing
  - Supported Features
  - Unsupported Features
  - Migration Guidelines and Limitations for VPN Configuration
  - Managing Threat Defense Events and Analytics
  - Before You Begin Migration
  - Migrate Threat Defense to Cloud-Delivered Firewall Management Center
  - View a Threat Defense Migration Job
    - Proceed Migration Process
    - Commit Migration Changes Manually to Cloud-delivered Firewall Management Center
    - Revert the Threat Defense Management to On-Premises Firewall Management Center
    - View Migrated Devices
    - Generate a Threat Defense Migration Report
    - Delete a Migration Job
  - Enable Notification Settings
  - Troubleshoot Threat Defense Migration to Cloud-Delivered Firewall Management Center
    - Verify Threat Defense Connectivity with Cloud-delivered Firewall Management Center
- Migrate Firewalls with the Migration Tool in Security Cloud Control
  - Is This Guide for You?
  - Get Started with the Firewall Migration Tool in Security Cloud Control
    - Supported Configurations
    - Licenses
    - Initialize a New Migration Instance
    - Delete a Migration Instance
    - Using the Demo Mode in the Secure Firewall Migration Tool
  - Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrating Microsoft Azure Native Firewall with the Firewall Migration Tool in Security Cloud Control
  - Migrate FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrating Check Point Firewall to Multicloud Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Fortinet Firewall with the Firewall Migration Tool in Security Cloud Control
  - Migrating Fortinet Firewall to Multicloud Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Security Cloud Control
  - Migrate Secure Firewall ASA to Multicloud Defense with the Firewall Migration Tool in Firewall in Security Cloud Control
  - Migrate Palo Alto Networks Firewall to Multicloud Defense with the Firewall Migration Tool in Firewall in Security Cloud Control
  - Related Documentation
Establish Secure Connections
- Virtual Private Network Management
  - Configure Virtual Private Network Management
    - Introduction to Site-to-Site Virtual Private Network
      - Site-to-Site VPN Concepts
        
        About Global IKE Policies
        
        Managing IKEv1 Policies
        
        Create an IKEv1 Policy
        
        Managing IKEv2 Policies
        
        Create an IKEv2 Policy
        
        About IPsec Proposals
        
        Managing an IKEv1 IPsec Proposal Object
        
        Create an IKEv1 IPsec Proposal Object
        
        Managing an IKEv2 IPsec Proposal Object
        
        Create or Edit an IKEv2 IPsec Proposal Object
        
        Encryption and Hash Algorithms Used in VPN
      - Site-to-Site VPN Configuration for FDM-Managed
        
        Create a Site-To-Site VPN Tunnel Between FDM-managed Devices
        
        Configure Networking for Protected Traffic Between the Site-To-Site Peers
        
        Edit an Existing Security Cloud Control Site-To-Site VPN
        
        Delete a Security Cloud Control Site-To-Site VPN Tunnel
        
        Exempt Site-to-Site VPN Traffic from NAT
      - Site-to-Site VPN Configuration for Cloud-Delivered Firewall Management Center-managed Threat Defense
        
        Create a Site-to-Site VPN Tunnel Between Cloud-Delivered Firewall Management Center-managed Threat Defense Devices
        
        Create a Site-to-Site VPN Tunnel Between Cloud-delivered Firewall Management Center-Managed Threat Defense and Multicloud Defense
        
        Create a Site-to-Site VPN Between Cloud-Delivered Firewall Management Center-managed Threat Defense and Secure Firewall ASA
      - Site-to-Site VPN Configuration for Secure Firewall ASA
        
        Create a Site-to-Site VPN Tunnel Between Secure Firewall ASA
        
        Create a Site-to-Site VPN Between ASA and Multicloud Defense Gateway
        
        Exempt Site-to-Site VPN Traffic from NAT
      - Monitor FDM-Managed DeviceASAAWS Site-to-Site Virtual Private Networks
        
        Check Site-to-Site VPN Tunnel Connectivity
        
        Site-To-Site VPN Dashboard
        
        Identify VPN Issues
        
        Find VPN Tunnels with Missing Peers
        
        Find VPN Peers with Encryption Key Issues
        
        Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
        
        Find Issues in Tunnel Configuration
        
        Resolve Tunnel Configuration Issues
        
        Search and Filter Site-to-Site VPN Tunnels
        
        Onboard an Unmanaged Site-to-Site VPN Peer
        
        Viewing AWS Site-to-Site VPN Tunnels
        
        View IKE Object Details of Site-To-Site VPN Tunnels
        
        View Last Successful Site-to-Site VPN Tunnel Establishment Date
        
        View Site-to-Site VPN Tunnel Information
        
        Site-to-Site VPN Global View
        
        Site-to-Site VPN Tunnels Pane
      - Delete a Security Cloud Control Site-To-Site VPN Tunnel
    - Introduction to Remote Access Virtual Private Network
      - Introduction to Remote Access Virtual Private Network
        
        Configure Remote Access Virtual Private Network for ASA
        
        End-to-End Remote Access VPN Configuration Process for ASA
        
        Create ASA Remote Access VPN Configuration
        
        Modify ASA Remote Access VPN Configuration
        
        Configure ASA Remote Access VPN Connection Profile
        
        Configure AAA for a Connection Profile
        
        Manage AnyConnect Software Packages on ASA Devices
        
        Upload an AnyConnect Package from Security Cloud Control Repository
        
        Upload an AnyConnect Package to ASA from Server
        
        Upload new AnyConnect Packages to ASA
        
        Upload AnyConnect Packages using File Management Wizard
        
        Replace an AnyConnect Package
        
        Delete an AnyConnect Package
        
        Manage and Deploy Pre-existing ASA Remote Access VPN Configuration
        
        Device Settings
        
        Connection Profile
        
        Primary Identity Source
        
        AAA Server Groups
        
        RADIUS Server Group
        
        RADIUS Server
        
        Group Policy
        
        Remote Access VPN Certificate-Based Authentication
        
        Exempt Remote Access VPN Traffic from NAT
        
        Install the AnyConnect Client Software on ASA
        
        Modify ASA Remote Access VPN Configuration
        
        Modify ASA Connection Profile
        
        Upload RA VPN AnyConnect Client Profile
        
        Verify ASA Remote Access VPN Configuration
        
        View ASA Remote Access VPN Configuration Details
        
        Configuring Remote Access VPN for an FDM-Managed Device
        
        Split Tunneling for RA VPN Users (Hair Pinning)
        
        Control User Permissions and Attributes Using RADIUS and Group Policies
        
        Attributes Sent to the RADIUS Server
        
        Two-Factor Authentication
        
        Duo Two-Factor Authentication Using RADIUS
        
        How to Configure Two-Factor Authentication using Duo RADIUS
        
        System Flow for Duo RADIUS Secondary Authentication
        
        Configure Duo RADIUS Secondary Authentication
        
        Create a Duo Account
        
        Configure Device for Duo RADIUS Using Security Cloud Control
        
        Duo Two-Factor Authentication using LDAP
        
        How to Configure Two-Factor Authentication using Duo LDAP
        
        System Flow for Duo LDAP Secondary Authentication
        
        Configure Duo LDAP Secondary Authentication
        
        Create a Duo Account
        
        Upload a Trusted CA Certificate to an FDM-Managed Device
        
        Configure FTD for Duo LDAP in Security Cloud Control
        
        End-to-End Remote Access VPN Configuration Process for an FDM-Managed Device
        
        Download AnyConnect Client Software Packages
        
        Upload AnyConnect Software Packages to an FDM-Managed Device Running Version 6.4.0
        
        Upload AnyConnect Software Packages to an FDM-Managed Device Running Version 6.5 or Later
        
        Upload an AnyConnect Package from Security Cloud Control Repository
        
        Before you Begin
        
        Upload new AnyConnect Packages
        
        Replace an Existing AnyConnect Package
        
        Delete the AnyConnect Package
        
        Create an RA VPN Configuration
        
        Procedure
        
        Modify RA VPN Configuration
        
        Configure an RA VPN Connection Profile
        
        Procedure
        
        Configure AAA for a Connection Profile
        
        Allow Traffic Through the Remote Access VPN
        
        Upgrade AnyConnect Package on an FDM-Managed Device Running Version 6.4.0
        
        Prerequisites
        
        Upload your desired AnyConnect Package to Secure Firewall Threat Defense using Firewall Device Manager
        
        Verify the new package is referenced in the RA VPN connection profile
        
        Upload RA VPN AnyConnect Client Profile
        
        Guidelines and Limitations of Remote Access VPN for FDM-Managed Device
        
        How Users Can Install the AnyConnect Client Software on FDM-Managed Device
        
        Distribute new AnyConnect Client Software version
        
        Upload RA VPN AnyConnect Client Profile
        
        Licensing Requirements for Remote Access VPN
        
        Maximum Concurrent VPN Sessions By Device Model
        
        RADIUS Change of Authorization
        
        Configure Change of Authorization on the FDM-Managed Device
        
        Procedure
        
        Verify Remote Access VPN Configuration of FDM-Managed Device
        
        View Remote Access VPN Configuration Details of FDM-Managed Device
Manage Device Configuration
- Manage Device Configuration
  - Reading, Discarding, and Deploying Configuration Changes
    - Read All Device Configurations
    - Read Configuration Changes from an ASA to Security Cloud Control
      - Read Configuration Changes on ASA
    - Read Configuration Changes from FDM-Managed Device to Security Cloud Control
      - Discard Changes Procedure
      - If Reverting Pending Changes Fails
      - Review Conflict Procedure
      - Accept Without Review Procedure
    - Read Changes from Firewalls
    - Preview and Deploy Configuration Changes for All Devices
    - Deploy Configuration Changes from Security Cloud Control to ASA
      - About Deploying Configuration Changes
      - Deploy Configuration Changes Made Using the Security Cloud Control GUI
      - Schedule Automatic Deployments
      - Deploy Configuration Changes Using Security Cloud Control 's CLI Interface
      - Deploy Configuration Changes by Editing the Device Configuration
      - Deploy Configuration Changes for a Shared Object on Multiple Devices
    - Deploy Configuration Changes from Security Cloud Control to FDM-Managed Device
    - Deploy Changes to a Device
      - Cancelling Changes
      - Discarding Changes
    - Bulk Deploy Device Configurations
    - Preview and Deploy On-Premises Firewall Management Center Configurations
    - About Scheduled Automatic Deployments
      - Schedule an Automatic Deployment
      - Edit a Scheduled Deployment
      - Delete a Scheduled Deployment
    - Check for Configuration Changes
    - Discard Configuration Changes
    - Discard On-Premises Firewall Management Center Configuration Changes
    - Out-of-Band Changes on Devices
  - Synchronizing Configurations Between Security Cloud Control and Device
    - Conflict Detection
      - Enable Conflict Detection
      - Enable Conflict Detection for an On-Premises Management Center
    - Automatically Accept Out-of-Band Changes from your Device
      - Configure Auto-Accept Changes
      - Disabling Auto-Accept Changes for All Devices on the Tenant
    - Resolve Configuration Conflicts
      - Resolve the Not Synced Status
      - Resolve the Conflict Detected Status
    - Schedule Polling for Device Changes
    - Schedule a Security Database Update
      - Create a Scheduled Security Database Update
      - Edit a Scheduled Security Database Update
Monitor and Analyze
- Events in Security Cloud Control
  - About Security Analytics and Logging (SaaS) in Security Cloud Control
  - Event Types in Security Cloud Control
  - Security Analytics and Logging license and Data Storage Plans
    - View Security Analytics and Logging License Information
    - Extend Event Storage Duration and Increase Event Storage Capacity
    - View Security Analytics and Logging Alerts
    - View Security Analytics and Logging Storage Usage and Event Ingest Rate
  - Troubleshooting Network Problems Using Security and Analytics Logging Events
  - Deprovisioning Cisco Security Analytics and Logging (SaaS)
- Secure Event Connectors
  - About Secure Event Connectors
  - Installing Secure Event Connectors
    - Install a Secure Event Connector on an SDC Virtual Machine
    - Installing an SEC Using a Security Cloud Control Image
      - Install a Security Cloud Control Connector, to Support a Secure Event Connector, Using a Security Cloud Control VM Image
      - Install the Secure Event Connector on the Security Cloud Control Connector VM
    - Deploy Secure Event Connector on Ubuntu Virtual Machine
    - Install an SEC Using Your VM Image
      - Install a Security Cloud Control Connector to Support an SEC Using Your VM Image
      - Additional Configuration for SDCs and Security Cloud Control Connectors Installed on a VM You Created
      - Install the Secure Event Connector on your Security Cloud Control Connector Virtual Machine
    - Install a Secure Event Connector on an AWS VPC Using a Terraform Module
  - Remove the Secure Event Connector
    - Remove an SEC from Security Cloud Control
    - Remove a Secure Event Connector from the Secure Device Connector VM
  - Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
- Secure Logging Analytics (SaaS) for ASA Devices
  - About Security Analytics and Logging (SAL SaaS) for the ASA
  - Implementing Secure Logging Analytics (SaaS) for ASA Devices
  - Send ASA Syslog Events to the Cisco Cloud using a Security Cloud Control Macro
    - Creating an ASA Security Analytics and Logging (SaaS) Macro
  - Send ASA Syslog Events to the Cisco Cloud Using the Command Line Interface
    - Security Cloud Control Command Line Interface for ASA
    - Forward ASA Syslog Events to the Secure Event Connector
    - Send ASA Syslog Events to the Cisco Cloud Using CLI
    - Create a Custom Event List
    - Include the Device ID in Non-EMBLEM Format Syslog Messages
  - NetFlow Secure Event Logging (NSEL) for ASA Devices
    - Configuring NSEL for ASA Devices by Using a Security Cloud Control Macro
      - Open the Configuring NSEL Macro
      - Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC
      - Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC
      - Define a Policy-Map for NSEL Events
      - Disable Redundant Syslog Messages
      - Review and Send the Macro
    - Delete NetFlow Secure Event Logging (NSEL) Configuration from an ASA
      - Open the DELETE-NSEL Macro
      - Enter the Values in the Macro to Complete the No Commands
    - Determine the Name of an ASA Global Policy
    - Troubleshooting NSEL Data Flows
      - Verify that NSEL Events are Being Sent to the SEC
      - Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC
      - Verify that NetFlow Packets are Being Received by the Cisco Cloud
      - Check for Live NSEL Events
      - Check for Historical NSEL Events
  - Parsed ASA Syslog Events
- Secure Logging Analytics (SaaS) for FDM-Managed Devices
  - About Secure Analytics and Logging (SaaS) for FDM-Managed Devices
  - Implementing Secure Logging Analytics (SaaS) for FDM-Managed Devices
  - Send FDM Events to Security Cloud Control Events Logging
  - Send FDM-Managed Events Directly to the Cisco Cloud
- Security Analytics and Logging (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
  - Implementing SAL (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
  - Requirements, Guideline, and Limitations for the SAL (SaaS) Integration
  - Send Cloud-Delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog
  - Send Cloud-Delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection
  - Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection
- View Events in Security Cloud Control
  - Viewing Live Events
    - Play/Pause Live Events
  - View Historical Events
  - Customize the Events View
    - Correlate Threat Defense Event Fields and Column Names
  - Show and Hide Columns on the Event Logging Page
  - Change the Time Zone for the Event Timestamps
  - Customizable Event Filters
  - Search and Filter Events Using the Event Logging Page
    - Filter Live or Historical Events
    - Filter Only NetFlow Events
    - Filter for ASA or FDM-Managed Device Syslog Events but not ASA NetFlow Events
    - Combine Filter Elements
    - Search Events Using the Events Logging Page
      - Use Sample Filters to Search Events
      - Search Historical Events in the Background
        
        Schedule to Generate a Search Report in the Background
        
        Download a Search Report
  - Event Attributes in Security Analytics and Logging
    - EventGroup and EventGroupDefinition Attributes for Some Syslog Messages
    - EventName Attributes for Syslog Events
    - Time Attributes in a Syslog Event
- Use Cisco Secure Cloud Analytics Portal
  - Provision a Cisco Secure Cloud Analytics Portal
  - Review Sensor Health and Security Cloud Control Integration Status in Secure Cloud Analytics
  - Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting
  - Viewing Cisco Secure Cloud Analytics Alerts from Security Cloud Control
    - Inviting Users to Join Your Secure Cloud Analytics Portal
    - Cross-Launching from Security Cloud Control to Secure Cloud Analytics
  - Cisco Secure Cloud Analytics and Dynamic Entity Modeling
  - Working with Alerts Based on Firewall Events
    - Triage open alerts
    - Snooze alerts for later analysis
    - Update the alert for further investigation
    - Review the alert and start your investigation
    - Examine the entity and users
    - Remediate issues using Secure Cloud Analytics
    - Update and close the alert
  - Modifying Alert Priorities
- Monitor Remote Access Virtual Private Network Sessions from Secure Firewall ASA and Threat Defense
  - Monitor Remote Access Virtual Private Network Sessions
    - Monitor Live AnyConnect Remote Access VPN Sessions
      - View Live Remote Access VPN Data
    - Monitor Historical AnyConnect Remote Access VPN Sessions
      - View Historical Remote Access VPN Data
    - Search and Filter Remote Access VPN Sessions
    - Customize the Remote Access VPN Monitoring View
    - Export Remote Access VPN Sessions to a CSV File
    - Remote Access VPN Dashboard
    - Disconnect Remote Access VPN Sessions of an ASA User
      - Disconnect all Active RA VPN Sessions of a User
    - Disconnect Remote Access VPN Sessions on FDM-Managed Device
    - Disconnect Remote Access VPN Sessions on FTD
- FTD Dashboard
  - About the FTD Dashboard
  - View the FTD Dashboard
  - FTD Dashboard Widgets
    - Top Intrusion Rules Widget
    - Top Intrusion Attackers Widget
    - Top Intrusion Targets Widget
    - Top Malware Signatures Widget
    - Top Malware Senders Widget
    - Top Malware Receivers Widget
    - Malware Events by Disposition Widget
    - Network Activity Widget
    - Event Activity Widget
    - Access Control Actions Widget
    - Top Access Control Policies Widget
    - Top Access Control Rules Widget
    - Top Devices Widget
    - Top Users Widget
    - Top Users by Blocked Connections Widget
    - Top Devices with Health Alerts Widget
    - Top Loaded Devices Widget
    - Top Web Applications Widget
    - Top Client Applications Widget
    - Top Blocked Web Applications Widget
  - Modify Time Settings for the FTD Dashboard
- Monitoring and Reporting Change Logs, Workflows, and Jobs
  - Monitoring and Reporting Change Logs, Workflows, and Jobs
  - Manage Change Logs in Security Cloud Control
  - Change Log Entries after Deploying to an ASA
  - Change Log Entries After Reading Changes from an ASA
  - Change Log Entries After Deploying to FDM-Managed Device
  - Change Log Entries After Reading Changes from an FDM-Managed Device
  - View Change Log Differences
  - Export the Change Log
    - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
  - Change Request Management
    - Enable Change Request Management
    - Create a Change Request
    - Associate a Change Request with a Change Log Event
    - Search for Change Log Events with Change Requests
    - Search for a Change Request
    - Filter Change Requests
    - Clear the Change Request Toolbar
    - Clear a Change Request Associated with a Change Log Event
    - Delete a Change Request
    - Disable Change Request Management
    - Change Request Management Use Cases
  - FDM-Managed Device Executive Summary Report
    - Generating FDM-Managed Device Executive Summary Reports
  - Monitor Jobs in Security Cloud Control
    - Reinitiate a Bulk Action
    - Cancel a Bulk Action
  - Monitor Workflows in Security Cloud Control
Optimize Network Security and Efficiency with AI
- Introduction to AIOps Insights
  - About AIOps Insights
    - AIOps Licensing Requirements
    - Prerequisites to Use AIOps
  - View Summary Insights
  - Implement Best Practices and Recommendations
  - Assess and Improve Feature Adoption
  - Enable or Disable Insight Preferences and Configure Threshold Settings
    - Enable AIOps Insights
    - Traffic and Capacity Insights
    - Best Practices and Recommendations Insights
    - Feature Adoption Insights
    - Health and Operations Insights
  - Frequently Asked Questions About AIOps
  - Additional Resources
  - Troubleshooting for the Secure Firewall Threat Defense using Cloud-Delivered Firewall Management Center
- Analyzing, Detecting, and Fixing Policy Anomalies Using Policy Analyzer and Optimizer
  - About Policy Analyzer and Optimizer
    - Analysis, Remediation, and Reporting
  - Prerequisites to Use Policy Analyzer and Optimizer
  - Policy Analyzer and Optimizer Licensing Requirements
  - Enable Policy Analyzer and Optimizer for Cloud-Delivered Firewall Management Center
  - Enable Policy Analyzer and Optimizer for Security Cloud Control -managed On-Premises Firewall Management Center
  - Policy Analysis
    - Analyze Cloud-Delivered Firewall Management Center Policies
    - Analyze On-Premises Firewall Management Center Policies
  - Policy Reporting
    - Policy Analysis Summary
    - Duplicate Rules
    - Overlapping Objects
    - Expired Rules
    - Mergeable Rules
    - Policy Insights
  - Policy Remediation
    - Apply Policy Remediation
    - What Does the Policy Remediation Report Contain?
  - Troubleshooting Policy Analyzer and Optimizer
    - Policy Analyzer and Optimizer Does Not Analyze Policies
    - Policy Analyzer and Optimizer Does Not Fetch Policies
  - Frequently Asked Questions About Policy Analyzer and Optimizer
Troubleshoot
- Troubleshooting
  - Troubleshoot an Secure Firewall ASA Device
    - ASA Fails to Reconnect to Security Cloud Control After Reboot
    - Cannot onboard ASA due to certificate error
      - Determine the OpenSSL Cipher Suite Used by your ASA
      - Cipher Suites Supported by Security Cloud Control 's Secure Device Connector
      - Updating your ASA's Cipher Suite
    - Troubleshoot ASA using CLI commands
    - Troubleshoot ASA Remote Access VPN
    - ASA Real-time Logging
      - View ASA Real-time Logs
    - ASA Packet Tracer
      - Troubleshoot an ASA Device Security Policy
      - Troubleshoot an Access Rule
      - Troubleshoot a NAT Rule
      - Troubleshoot a Twice NAT Rule
      - Analyze Packet Tracer Results
    - Cisco ASA Advisory cisco-sa-20180129-asa1
    - Confirming ASA Running Configuration Size
    - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
      - Updating a Security Cloud Control -Standard SDC Host
      - Updating a Custom SDC Host
      - Bug Tracking
    - Large ASA Running Configuration Files
  - Troubleshoot FDM-Managed Devices
    - Troubleshoot the Executive Summary Report
    - Troubleshoot FDM-Managed Device Onboarding
    - Failed Because of Insufficient License
    - Troubleshoot Device Unregistered
    - Troubleshooting Device Registration Failure during Onboarding with a Registration Key
    - Troubleshooting SSL Decryption Issues
    - Troubleshoot FDM-Managed HA Creation
    - FDM-Managed Device Executive Summary Report
  - Troubleshoot a Secure Device Connector
    - SDC is Unreachable
    - SDC Status not Active on Security Cloud Control After Deployment
    - Changed IP Address of the SDC is not Reflected in Security Cloud Control
    - Troubleshoot Device Connectivity with the SDC
    - Intermittent or No Connectivity with SDC
    - Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
      - Updating a Security Cloud Control -Standard SDC Host
      - Updating a Custom SDC Host
      - Bug Tracking
    - Invalid System Time
    - SDC version is lower than 202311****
    - Certificate or Connection errors with AWS servers
  - Troubleshoot a Secure Event Connector
    - Troubleshoot SEC Onboarding Failures
    - Troubleshoot Secure Event Connector Registration Failure
    - Troubleshooting NSEL Data Flows
    - Event Logging Troubleshooting Log Files
    - SEC Status is Inactive in Security Cloud Control
    - The SEC is online, but there are no events in Security Cloud Control Event Logging Page
    - Remove an SEC from Your Host
    - Use Health Check to Learn the State of your Secure Event Connector
  - Troubleshoot Security Cloud Control
    - Troubleshooting Access and Certificates
      - Troubleshoot User Access with Security Cloud Control
      - Resolve New Fingerprint Detected State
      - Troubleshooting SSL Decryption Issues
    - Troubleshooting Objects
      - Resolve Duplicate Object Issues
      - Resolving Inconsistent or Unused Security Zone Objects
      - Resolve Unused Object Issues
        
        Resolve an Unused Object Issue
        
        Remove Unused Objects in Bulk
      - Resolve Inconsistent Object Issues
      - Resolve Object Issues in Bulk
      - Unignore Objects
  - Device Connectivity States
    - Troubleshoot Device Unregistered
    - Troubleshoot Insufficient Licenses
    - Troubleshoot Invalid Credentials
    - Troubleshoot New Certificate Issues
      - New Certificate Detected
    - Troubleshoot Onboarding Error
    - Troubleshoot FDM-Managed Device Onboarding Using Serial Number
      - Claim Error
      - Provisioning Error
    - Resolve the Conflict Detected Status
    - Resolve the Not Synced Status
    - Troubleshoot Unreachable Connection State
- FAQ and Support
  - Security Cloud Control
  - FAQ About Onboarding Devices to Security Cloud Control
    - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
    - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
    - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-Delivered Firewall Management Center
    - FAQs About On-Premises Secure Firewall Management Center
    - FAQs About Onboarding Meraki Devices to Security Cloud Control
    - FAQs About Onboarding SSH Devices to Security Cloud Control
    - FAQs About Onboarding IOS Devices to Security Cloud Control
  - Device Types
  - Security
  - End-of-Support for management of the Secure Firewall Threat Defense Version 7.0.x managed by Cloud-Delivered Firewall Management Center
  - Troubleshooting
  - Terminologies and Definitions used in Zero-Touch Provisioning
  - Policy Optimization
  - Connectivity
  - Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
  - About Data Interfaces
  - How Security Cloud Control Processes Personal Information
  - Contact Security Cloud Control Support
    - Export The Workflow
    - Open a Support Ticket with TAC
      - How Security Cloud Control Customers Open a Support Ticket with TAC
      - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
    - Security Cloud Control Service Status Page
Appendix
- Security and Internet Access
  - Internet Access Requirements
- Terraform
  - About Terraform
- Open Source and 3rd Party License Attribution
  - Open Source and Third-Party License in SDC

Platform GCP

Activity Upgrade

Establish Secure Connections Virtual Private Network Management Configure Virtual Private Network Management Introduction to Site-to-Site Virtual Private Network Monitor FDM-Managed DeviceASAAWS Site-to-Site Virtual Private Networks Identify VPN Issues Find Incomplete or Misconfigured Access Lists Defined for a Tunnel

Last updated: Jul 29, 2025

Find Incomplete or Misconfigured Access Lists Defined for a Tunnel

The "incomplete or misconfigured access-list" condition could only occur on ASA devices.

Procedure

1	In the Security Cloud Control platform menu, choose Products > Firewall.
2	In the left pane, click Manage > Secure Connections > Network Connections > Site to Site VPN to open the VPN page.
3	Select Table View.
4	Open the Filter panel by clicking the filter icon .
5	Select each device reporting an issue and look in the Peers pane at the right. The peer information shows you both peers.
6	Click on View Peers for one of the devices.
7	Double-click the device reporting the issue in the Diagram View.
8	Click Tunnel Details in the Tunnel Details panel at the bottom. You will see the message, "Network Policy: Incomplete"

Previous topic Find VPN Peers with Encryption Key Issues Next topic Find Issues in Tunnel Configuration