Enterprise security SSL proxy YANG commands
These SSL proxy commands are qualified for use with Cisco SD-Routing devices managed by Cisco SD-WAN Manager.
Example configuration for enterprise security SSL proxy
! --- SD-Routing onboarding: identifies this device to SD-WAN Manager (system IP, site ID, organization)
! --- and names the vBond and the WAN uplink. The vbond name resolves via the "ip host vbond" entry below.
sd-routing
enable
system-ip 172.16.255.16
site-id 400
organization-name "vIPtela Inc Regression"
vbond name vbond
wan-interface GigabitEthernet1
!
config-template-name VM6-CG
!
! --- SSL proxy: TLS sessions are decrypted for inspection and re-signed with the trustpoint named by
! --- ca-tp-label (defined under "crypto pki trustpoint PROXY-SIGNING-CA" further down).
sslproxy
enable
ca-cert-bundle /bootflash/vmanage-admin/sslProxyDefaultCAbundle.pem
! 2048-bit RSA and P-256 EC keys for proxy-issued certificates; certificate-lifetime unit is not shown here — confirm.
rsa-key-modulus 2048
certificate-lifetime 1
eckey-type P256
! Must match the trustpoint name below.
ca-tp-label PROXY-SIGNING-CA
! NOTE(review): expired and untrusted origin-server certificates are still decrypted rather than dropped, and
! revocation is not checked, so clients behind the proxy will not see those server-side certificate failures.
! Consistent with a regression-lab example (see organization-name); tighten before production use.
settings expired-certificate decrypt
settings untrusted-certificate decrypt
settings certificate-revocation-check none
! Sessions with protocol versions or cipher suites the proxy does not support are dropped, not bypassed.
settings unsupported-protocol-versions drop
settings unsupported-cipher-suites drop
! Fail closed: a session the proxy cannot process is dropped rather than passed through uninspected.
settings failure-mode close
! NOTE(review): TLSv1 is the floor, so TLS 1.0/1.1 sessions are accepted; TLSv1.2 is the customary minimum.
settings minimum-tls-ver TLSv1
!
memory free low-watermark processor 225112
service timestamps debug datetime msec
service timestamps log datetime msec
! Legacy TCP/UDP small servers (echo, chargen, discard) stay disabled.
no service tcp-small-servers
no service udp-small-servers
platform console serial
platform qfp utilization monitor load 80
platform sslvpn use-pd
hostname vm6
! Type 9 (scrypt) secrets. The hashes below are the sample's example values and must be regenerated per device.
enable secret 9 $9$smaK7BO8DMjHMk$OjOtm7rOUv5Yk4lOAHMjVGJak7dIJYCQ7TsErbwkHMM
username admin privilege 15 secret 9 $9$0mZUAUfuU.hLUE$YWjsVetm4y4i/VikZv3cGN5yQcVvdRlp1mUetVYLl4U
! Out-of-band management VRF; GigabitEthernet5 is placed in it below.
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
! Legacy services (finger, rcp, rsh) disabled.
no ip finger
no ip rcmd rcp-enable
no ip rcmd rsh-enable
no ip dhcp use class
! Static IPv4/IPv6 name for the vBond referenced in the sd-routing block.
ip host vbond 10.0.12.26 2001:a0:c::1a
ip route 0.0.0.0 0.0.0.0 10.1.14.13
ip scp server enable
! Public-key SSH login for admin, pinned by key hash.
ip ssh pubkey-chain
username admin
key-hash ssh-rsa 493AD24794ED9657FE2F2550CEB48CDA tester@sdwan-ra-vtest
!
!
!
ip ssh bulk-mode 131072
ip tcp RST-count 10 RST-window 5000
! Firewall rule ACL: permits any traffic matching the zbfw_svc service object-group (which matches all IP, see below).
ip access-list extended SP-VM6_123202412748732_0-seq-Rule1-acl_
11 permit object-group zbfw_svc any any
!
! Health-probe ACL: UDP 3367 both ways, used by the health_probes_pmap priority policy on VirtualPortGroup1.
ip access-list extended health_probes_accesslist
10 permit udp any eq 3367 any eq 3367
!
ip http authentication local
! NOTE(review): the plain-HTTP server is enabled alongside HTTPS; use "no ip http server" if only the secure server is required.
ip http server
ip http secure-server
ip http client source-interface GigabitEthernet5
no ip http ctc authentication
no ip rsvp signalling rate-limit
ipv6 unicast-routing
ipv6 route ::/0 2001:a1:e::d
! --- Zone-based firewall: class-map -> inspect policy-map -> zone-pair (defined further down).
class-map type inspect match-all SP-VM6_123202412748732_0-seq-Rule1-cm_
match access-group name SP-VM6_123202412748732_0-seq-Rule1-acl_
!
class-map match-all health_probes_cmap
match access-group name health_probes_accesslist
!
policy-map type inspect SP-VM6_123202412748732_0
class type inspect SP-VM6_123202412748732_0-seq-Rule1-cm_
! Matched traffic is inspected through the UTD parameter-map AIP-VM4-pmap_ (defined below).
inspect AIP-VM4-pmap_
!
! Default-deny: anything not matched by Rule1 is dropped.
class class-default
drop
!
!
policy-map health_probes_pmap
class health_probes_cmap
priority level 1
!
!
! GigabitEthernet1 (Local_LAN) and GigabitEthernet2 (Remote-WAN) are the two firewall zone members;
! interface addresses are redacted in this sample.
interface GigabitEthernet1
no shutdown
ip address <removed>
ipv6 address <removed>
negotiation auto
zone-member security Local_LAN
exit
interface GigabitEthernet2
no shutdown
ip address <removed>
ipv6 address <removed>
negotiation auto
zone-member security Remote-WAN
exit
interface GigabitEthernet3
no shutdown
ip address <removed>
ipv6 address <removed>
negotiation auto
exit
interface GigabitEthernet4
no shutdown
ip address <removed>
ipv6 address <removed>
negotiation auto
exit
! Management interface in the Mgmt-intf VRF; also the source interface for the HTTP client above.
interface GigabitEthernet5
no shutdown
vrf forwarding Mgmt-intf
ip address <removed>
ip dhcp client client-id ascii 9KLLRDXK1VM
ipv6 address <removed>
negotiation auto
exit
! VirtualPortGroup0/1 attach the UTD container (see "app-hosting appid utd"); VirtualPortGroup2 carries AppQoE service insertion.
interface VirtualPortGroup0
no shutdown
ip address <removed>
exit
interface VirtualPortGroup1
no shutdown
ip address <removed>
service-policy output health_probes_pmap
exit
interface VirtualPortGroup2
no shutdown
ip address <removed>
service-insertion appqoe
exit
! Service object-group matched by the Rule1 ACL; "ip" matches all IP traffic.
object-group service zbfw_svc
ip
exit
!
control-plane
!
no logging console
no logging queue-limit
! AAA: local authentication for login and enable. With aaa new-model the default login list governs the vty lines,
! so the commented-out "! login local" entries under the vty lines are not needed.
aaa new-model
aaa authentication enable default enable
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa session-id common
login on-success log
subscriber templating
! UTD parameter-map referenced by the inspect action; binds the AIP-VM4 UTD policy defined at the end of this file.
parameter-map type inspect AIP-VM4-pmap_
utd-policy AIP-VM4
!
parameter-map type inspect-global
alert on
log dropped-packets
multi-tenancy
utd-policy AIP-VM4
!
zone security Local_LAN
!
zone security Remote-WAN
!
! Applies the inspect policy to Local_LAN -> Remote-WAN only; no zone-pair is defined for the reverse direction.
zone-pair security ZP_Local_LAN_Remote-_-2063742066 source Local_LAN destination Remote-WAN
service-policy type inspect SP-VM6_123202412748732_0
!
no crypto ikev2 diagnose error
no crypto isakmp diagnose error
! Proxy signing CA used by sslproxy (ca-tp-label). Enrollment reads from the local bootflash path, pinned by fingerprint.
crypto pki trustpoint PROXY-SIGNING-CA
enrollment url bootflash:vmanage-admin/
fqdn none
fingerprint e88dc0ac7284efd4734d63dd1957eb8355866931
hash sha256
! NOTE(review): no revocation checking on this trustpoint, matching the sslproxy revocation setting above.
revocation-check none
! Key size matches "rsa-key-modulus 2048" in the sslproxy block.
rsakeypair PROXY-SIGNING-CA 2048
subject-name CN=C8K-0187c60c-bee4-4015-98a5-73bb67db607f
!
no network-clock revertive
! AppQoE service insertion: controller 192.168.2.1 and service node 192.168.2.2, integrated on this device in the global VRF.
service-insertion appnav-controller-group appqoe ACG-APPQOE
appnav-controller 192.168.2.1
!
service-insertion service-node-group appqoe SNG-APPQOE
service-node 192.168.2.2
!
service-insertion service-context appqoe/1
appnav-controller-group ACG-APPQOE
service-node-group SNG-APPQOE
cluster-type integrated-service-node
enable
vrf global
!
fhrp version vrrp v2
line aux 0
!
! NOTE(review): "exec-timeout 0" disables the idle timeout on the console and on vty 0-4; a lab convenience, not a production setting.
line con 0
exec-timeout 0
stopbits 1
!
! vty access is SSH only; login is handled by the aaa login default list above.
line vty 0 4
exec-timeout 0
! login local
transport input ssh
!
line vty 5 15
! login local
transport input ssh
!
! UTD container: gateway0/gateway1 map to VirtualPortGroup0/1 above. The guest addresses are presumably
! inside those VPG subnets (VPG addresses are redacted in this sample) — confirm.
iox
app-hosting appid utd
app-resource package-profile cloud-low
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.1.0.2 netmask 255.255.255.0
!
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.0.2.2 netmask 255.255.255.252
!
start
!
canbus baudrate 125000
diagnostic bootup level minimal
ignition off-timer 300
ignition undervoltage threshold 9 000
no ignition sense
no ignition enable
ignition battery-type 12v
ignition sense-voltage threshold 13 000
! --- UTD unified policy: threat-inspection profile IP-VM4 (balanced policy) plus a TLS decryption profile,
! --- both bound together in "policy AIP-VM4" at the end.
utd engine standard unified-policy
threat-inspection profile IP-VM4
threat detection
policy balanced
logging level err
exit
! TLS decryption profile: every listed URL category is decrypted; nothing is excluded from decryption here.
! NOTE(review): the list includes financial-services, health-and-medicine and web-based-email — check the
! organization's privacy/compliance policy before decrypting those categories outside a lab.
tls-decryption profile VM4-TLS-Profile-tls-profile
categories decrypt
abortion
abused-drugs
adult-and-pornography
alcohol-and-tobacco
auctions
bot-nets
business-and-economy
cdns
cheating
computer-and-internet-info
computer-and-internet-security
confirmed-spam-sources
cult-and-occult
dating
dead-sites
dynamic-content
educational-institutions
entertainment-and-arts
fashion-and-beauty
financial-services
gambling
games
government
gross
hacking
hate-and-racism
health-and-medicine
home
hunting-and-fishing
illegal
image-and-video-search
individual-stock-advice-and-tools
internet-communications
internet-portals
job-search
keyloggers-and-monitoring
kids
legal
local-information
malware-sites
marijuana
military
motor-vehicles
music
news-and-media
nudity
online-greeting-cards
online-personal-storage
open-http-proxies
p2p
parked-sites
pay-to-surf
personal-sites-and-blogs
philosophy-and-political-advocacy
phishing-and-other-frauds
private-ip-addresses
proxy-avoid-and-anonymizers
questionable
real-estate
recreation-and-hobbies
reference-and-research
religion
search-engines
sex-education
shareware-and-freeware
shopping
social-network
society
spam-urls
sports
spyware-and-adware
streaming-media
swimsuits-and-intimate-apparel
training-and-tools
translation
travel
uncategorized
unconfirmed-spam-sources
violence
weapons
web-advertisements
web-based-email
web-hosting
exit
log level error
exit
! The UTD policy named by both parameter-maps above: decrypt per the TLS profile, then inspect with IP-VM4.
policy AIP-VM4
tls-decryption profile VM4-TLS-Profile-tls-profile
tls-decryption action decrypt
threat-inspection profile IP-VM4
exit
exit
!
!