Cisco Catalyst SD-WAN Policy Groups Configuration Guide, Releases 26.x and Later


Configure NGFW policy using a workflow



Configure a security policy using the Create NGFW Policy workflow to create policies, add sub-policies, and add rules to existing sub-policies.

In Cisco Catalyst SD-WAN Manager Release 20.15.1 and earlier releases, Create NGFW Policy is called Create Security Policy.

Follow these steps to configure an NGFW policy using a policy group:

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library > Create Security Policy > Create NGFW Policy. Alternatively, choose Configuration > Policy Groups.

2.

Click NGFW.

In Cisco Catalyst SD-WAN Manager Release 20.15.1 and earlier releases, NGFW is called Embedded Security.

3.

On the NGFW page, click Add NGFW Policy.

This launches the NGFW policy workflow.

4.

Enter Policy Name and Description and click Next.

5.

On the Select the optional Configuration Group to associate with the NGFW policy page, choose the configuration groups and click Next.

6.

Click Add Sub-Policy.

Refer to the steps used in the procedure, Configure an NGFW Sub-Policy.

7.

Click Submit.


Edit NGFW policy

In Cisco Catalyst SD-WAN Manager Release 20.15.1 and earlier releases, NGFW is called Embedded Security.

For more information on NGFW, see Enterprise Firewall with Application Awareness.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > NGFW.

2.

Choose an NGFW policy and click Edit.

3.

(Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.2) Click Add Rule or Rule with Rule Sets.

From Cisco IOS XE Catalyst SD-WAN Release 26.1.1, you can drag and drop rules in a policy to modify the priority or sequence number of each rule.

Field

Description

Rule Name

The name of the rule.

Sequence

Specify the sequence number. The sequence number sets the priority of the rule within the sub-policy.

Destination Zone

In the Destination Zone drop-down list, choose the zone to which data traffic is sent. The options are:

  • No-Zone

  • Corporate_Users

  • Local_Internet_for_Guests

  • Payment_Processing_Network

  • Physical_Security_Devices

  • Self

  • Untrusted

Zones are created based on the VPNs in the configuration group selected in the create security policy workflow.

Match (Rule)

Match Conditions

You can choose the desired match conditions for a rule from the Add Conditions drop-down list. Available options include:

  • Type

    • IPv4

    • IPv6

      You can configure IPv6 from Cisco Catalyst SD-WAN Manager Release 20.18.2.

  • Applications

  • Protocol

  • Source

    • Geo Location (supported only when the chosen type is IPv4)

    • IPv4 Prefix

    • Port

  • Destination

    • FQDN

    • Geo Location (supported only when the chosen type is IPv4)

    • IPv4 Prefix

    • Port

When ISE is enabled, the SGT option becomes available for both Source and Destination.

When adding conditions for Source or Destination, select Object in Data Prefix and choose a policy object from the list.

Identity User or User group is only supported for Source.

From Cisco Catalyst SD-WAN Manager Release 20.18.2, you can create Object Groups. Object groups allow users to combine multiple objects into a single group for easier policy management.

You can add or select an Object Group only after deselecting all other items in the IPv4/IPv6 rule drop-down lists.

Match (Rule set)

Match Conditions

From Cisco Catalyst SD-WAN Manager Release 20.18.2, you can choose the desired match conditions for a rule set from the Add Conditions drop-down list. Available options include:

  • Type

    • IPv4

    • IPv6

  • Protocol

  • Source

    • Geo Location (supported only when the chosen type is IPv4)

    • IPv4 Prefix

    • Port

  • Destination

    • FQDN

    • Geo Location (supported only when the chosen type is IPv4)

    • IPv4 Prefix

    • Port

When adding conditions for Source or Destination, select an object created from Objects and Profiles or create new values or objects.

Identity user or user group is only supported for Source.

You can create Object Groups. Object groups allow users to combine multiple objects into a single group for easier policy management.

You can add an Object Group only when you deselect all other items in the drop-down list.

Action

Choose the desired action conditions. The options are:

  • Pass

  • Drop

  • Inspect

  • Log Events: enables unified logging for the Inspect action. Select an Advanced Inspection Profile from the drop-down list.

Note

From Cisco Catalyst SD-WAN Manager Release 20.18.2, you can pre-configure Object Groups, Data Prefix IPv6, and Rule set under Policy Groups > Object and Profiles > Security Objects. Configured security objects appear as selectable options in the drop-down list when you create rules or rule sets.


Import and export policies

From Cisco IOS XE Catalyst SD-WAN Release 26.1.1, you can import or export firewall policies. You can use Cisco SD-WAN Manager to export the rules of a sub-policy as a CSV file, modify the rules as needed, and then import the updated file. This lets you add rules or update existing rules in bulk.

For any NGFW sub-policy, click ... and select Export to download the CSV file. After making your modifications, click Import to upload the updated CSV file. During the import process, Cisco SD-WAN Manager validates the file and flags any errors.


Hit count

From Cisco IOS XE Catalyst SD-WAN Release 26.1.1, you can view the hit count of each rule within a sub-policy.

A rule hit count is the total number of times traffic has matched a firewall rule. This helps you to analyze rule effectiveness and identify unused rules for removal. For any NGFW sub-policy, click ... and choose Hit count. In the sidebar, you can view the list of all the firewall rules for the sub-policy and the hit count for each rule. You can also view the hit count for all sites or for a specific site using the sites drop-down menu.
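The constraints listed in the rule field table (Geo Location only with the IPv4 type, identity user or user group only for Source, Log Events tied to the Inspect action, a sequence number that sets priority) and the two operations just described (validating a CSV before import, and using hit counts to find unused rules) can all be checked offline before touching Cisco SD-WAN Manager. The script below is an added example, not Cisco code: the CSV column names, the rule rows, the zone list and the hit-count figures are constructed assumptions, because the page does not document the export format.

```python
import csv
import io
import ipaddress

# Constructed, hypothetical CSV export. The real Cisco SD-WAN Manager column
# layout is not documented on this page, so these column names are assumptions.
RULES_CSV = """\
sequence,name,source_zone,destination_zone,ip_type,source_prefix,destination_prefix,source_geo,destination_user,action,log_events
10,allow-corp-to-pay,Corporate_Users,Payment_Processing_Network,IPv4,10.10.0.0/16,10.20.0.0/24,,,inspect,yes
20,guests-to-internet,Local_Internet_for_Guests,Untrusted,IPv4,192.168.50.0/24,,,,pass,no
20,dup-sequence,Corporate_Users,Untrusted,IPv4,10.10.0.0/16,,,,drop,no
30,v6-with-geo,Corporate_Users,Untrusted,IPv6,2001:db8::/32,,US,,inspect,no
40,bad-prefix,Corporate_Users,Self,IPv4,10.10.0.300/24,,,,drop,no
50,stale-rule,Physical_Security_Devices,Corporate_Users,IPv4,10.30.0.0/24,10.10.0.0/16,,,drop,no
60,user-on-dest,Corporate_Users,Untrusted,IPv4,10.10.0.0/16,,,alice,pass,no
"""

# Zone names as listed in the Destination Zone field of the table above.
ZONES = {"No-Zone", "Corporate_Users", "Local_Internet_for_Guests",
         "Payment_Processing_Network", "Physical_Security_Devices",
         "Self", "Untrusted"}
ACTIONS = {"pass", "drop", "inspect"}

# Constructed hit counts keyed by rule name, as the Hit count sidebar would
# report them for the "all sites" view. Rules not yet deployed are absent.
HIT_COUNTS = {"allow-corp-to-pay": 15230, "guests-to-internet": 88, "stale-rule": 0}


def validate_rules(csv_text):
    """Check each row against the constraints stated in the field table and
    return a list of (sequence, name, problem) tuples; empty means consistent."""
    problems = []
    seen_seq = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        seq, name = row["sequence"], row["name"]

        def flag(msg):
            problems.append((seq, name, msg))

        # The sequence number is the rule priority, so a duplicate is ambiguous.
        if seq in seen_seq:
            flag(f"sequence {seq} is already used by rule {seen_seq[seq]}")
        seen_seq.setdefault(seq, name)

        for col in ("source_zone", "destination_zone"):
            if row[col] not in ZONES:
                flag(f"unknown zone {row[col]!r} in {col}")

        if row["action"] not in ACTIONS:
            flag(f"unknown action {row['action']!r}")
        # Log Events is unified logging for the Inspect action.
        if row["log_events"] == "yes" and row["action"] != "inspect":
            flag("log_events is set but the action is not inspect")

        if row["ip_type"] not in ("IPv4", "IPv6"):
            flag(f"unknown ip_type {row['ip_type']!r}")
        # Geo Location is supported only when the chosen type is IPv4.
        if row["source_geo"] and row["ip_type"] != "IPv4":
            flag("geo location requires ip_type IPv4")
        # Identity user or user group is supported only for Source.
        if row["destination_user"]:
            flag("identity user/user group is supported only for Source")

        # Prefixes must parse and must match the declared address family.
        want = 4 if row["ip_type"] == "IPv4" else 6
        for col in ("source_prefix", "destination_prefix"):
            if not row[col]:
                continue
            try:
                net = ipaddress.ip_network(row[col], strict=False)
            except ValueError:
                flag(f"invalid prefix {row[col]!r} in {col}")
                continue
            if net.version != want:
                flag(f"{col} {row[col]} does not match ip_type {row['ip_type']}")
    return problems


def unused_rules(csv_text, hit_counts):
    """Names of rules whose reported hit count is zero: candidates for removal
    once you have confirmed the count covers all sites and a long enough window."""
    return [row["name"] for row in csv.DictReader(io.StringIO(csv_text))
            if hit_counts.get(row["name"]) == 0]


if __name__ == "__main__":
    for seq, name, msg in validate_rules(RULES_CSV):
        print(f"rule {seq} ({name}): {msg}")
    print("zero-hit rules:", unused_rules(RULES_CSV, HIT_COUNTS))
```

Rules absent from the hit-count table are deliberately not reported as unused: a rule that has never been deployed has no count, which is different from a deployed rule that never matched. Run the validator before Import so that the errors Cisco SD-WAN Manager would flag are caught while the CSV is still on your workstation.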


Configure an NGFW Sub-Policy

In Cisco Catalyst SD-WAN Manager Release 20.15.1 and earlier releases, NGFW is called Embedded Security.

Procedure

1.

From Configuration > Policy Groups, choose NGFW.

2.

Choose an NGFW policy from the list, click ..., and select Edit.

3.

Click Add Sub-Policy to add sub-policies for a security policy and enter the required details.

Table 1. Sub-Policy configuration fields

Field

Description

VPN / Interface

Specify the VPN or the interface.

Source Zone

Choose the zone that is the source of the data packets.

Zone List Name

The name of a zone list.

VPN

Choose to configure zones with zone type as VPN. Add the VPNs to the zones from the drop-down list. The options are:

  • Payment Processing Network

  • Corporate Users

  • Local Internet for Guests

  • Physical Security Devices

Interface

Choose to configure zones with zone type as Interface. Add the interfaces to the zones from the Add Interface drop-down list.

Rule Name

The name of the rule.

Sequence

Specify the sequence number. The sequence number sets the priority of the rule within the sub-policy.

Destination Zone

Choose the zone to which data traffic is sent. The options are:

  • Any

  • Corporate_Users

  • Local_Internet_for_Guests

  • Payment_Processing_Network

  • Physical_Security_Devices

  • Self

  • Untrusted (VPN 0)

Match

Choose the desired match conditions from the Add Conditions drop-down list. The options are:

  • Applications

  • Protocol

  • Source

    • Geo Location

    • IPv4 Prefix

    • Port

  • Destination

    • FQDN

    • Geo Location

    • IPv4 Prefix

    • Port

Action

Choose the desired action conditions. The options are:

  • Pass

  • Drop

  • Inspect

  • Log Events: enables unified logging for the Inspect action. Select an Advanced Inspection Profile from the drop-down list.

User / User Group

Identity Service Engine (ISE) must be enabled before you can configure User / User Group sub-policies. You can enable it under Administration > Integration Management > Identity Service Engine.

If you edit an NGFW sub-policy and disable any rule, the variables for its match conditions are still shown during the deployment process. Because the rule is disabled, the values you enter for these variables are not applied to the device.

If an NGFW sub-policy with disabled rules is deployed on new devices, the variables are shown in the deployment process. Enter placeholder values in order to proceed with the deployment.


Configure additional settings for an NGFW policy

Procedure

SUMMARY STEPS

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups, and then choose NGFW.
  2. Choose an NGFW policy from the list and click Edit.
  3. Click Additional Settings.
  4. Choose the profile from the Advanced Inspection Profile drop-down list or click Create New.
  5. Click Save.

DETAILED STEPS

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups, and then choose NGFW.

In Cisco Catalyst SD-WAN Manager Release 20.15.1 and earlier releases, NGFW is called Embedded Security.

2.

Choose an NGFW policy from the list and click Edit.

3.

Click Additional Settings.

Field

Description

TCP SYN Flood Limit

Specify the threshold of SYN flood packets per second for each destination address.

Max Incomplete

Specify the timeout limits for the firewall policy. A Max Incomplete timeout limit protects firewall resources by preventing incomplete sessions from exhausting them.

TCP Limit

Specify the maximum TCP half-open sessions allowed on a device.

UDP Limit

Specify the maximum UDP half-open sessions allowed on a device.

ICMP Limit

Specify the maximum ICMP half-open sessions allowed on a device.

Audit Trail

Enable the Audit Trail option. This option is only applicable for rules with an inspect action.

Unified Logging

Enable the unified logging feature.

Optimized Policy

Enable the optimized policy option.

Session Reclassify Allow

Allow re-classification of traffic on policy change.

ICMP Unreachable Allow

Allow ICMP unreachable packets to pass through.

Advanced Inspection Profile

Attach a global advanced inspection profile (AIP) at the device level. All rules on the device whose matched traffic is to be inspected use this advanced inspection profile.

High Speed Logging Source Interface

Specify the server labels of the source interface used to collect logs for high-speed logging (HSL). You can configure up to four log collector servers for HSL.

Ensure that you enable security logging before specifying the source interface. For more information, see Configure Security Logging.

SysLog Server Source Interface

Specify the server label of the source interface associated with the external syslog server to export UTD logs.

Ensure that you enable security logging before specifying the source interface. For more information, see Configure Security Logging.

4.

Choose the profile from the Advanced Inspection Profile drop-down list or click Create New.

Field

Description

Profile Name

The name of the profile.

Description

The description of the profile.

  1. Choose an intrusion prevention profile from the Intrusion Prevention drop-down list or click Create New.

    Field

    Description

    Profile Name

    The name of the profile. The name can have a maximum of 32 characters.

    Signature Set

    Specify the signature set. The options are:

    • Balanced

    • Connectivity

    • Security

    Inspection Mode

    Specify the inspection mode. The options are:

    • Detection

    • Protection

    Advanced

    Customer Signature Set

    Enable the customer signature set to add a new global custom signature. In the Add New Global Custom Signature window, choose one of the following Download From options:

    • Remote Server

    • Local Server (Not Recommended)

    Select a Signature Allow List

    Select an allowed signature list or Create New to create a new IPS signature list.

    Alert Log Level

    Choose the alert log level:

    • Error

    • Emergency

    • Alert

    • Critical

    • Warning

    • Notice

    • Info

    • Debug

    Click Add.

  2. Choose a URL filter from the URL Filter drop-down list or click Create New.

    Field

    Description

    Profile Name

    The name of the profile. The name can have a maximum of 32 characters.

    Web Category

    Choose the action to apply to the selected web categories from the drop-down list. The options are:

    • Block

    • Allow

    Select one or more web categories

    Choose one or more web categories from the drop-down list. The options include abortion, abused-drugs, and so on.

    Web Reputation

    Choose the web reputation from the drop-down list. The reputation options are:

    • High Risk

    • Suspicious

    • Moderate Risk

    • Low Risk

    • Trustworthy

    Advanced

    Select allow url list

    Select an allowed URL list or Create New to create a new allow URL list.

    Select block url list

    Select a blocked URL list or Create New to create a new block URL list.

    Block Page Server

    Choose the block page server from the drop-down list. The options are:

    • Block Page Content

    • Redirect URL: Specify the redirect URL

    Alerts And Logs

    Choose one or more of the following from the drop-down list to generate alerts and logs for:

    • Blocklist

    • Allowlist

    • Reputation/Category

    Click Add.

  3. Choose the advanced malware protection profile from the Advanced Malware Protection drop-down list or click Create New.

    Field

    Description

    Profile Name

    The name of the profile. The name can have a maximum of 32 characters.

    Select AMP Cloud Region

    Choose the AMP cloud region. The options are:

    • NAM

    • EU

    • APJC

    Inspection Mode

    Specify the inspection mode. The options are:

    • Detection

    • Protection

    Alert Log Level

    Choose the alert log level:

    • Critical

    • Warning

    • Info

    File Analysis

    Enable file analysis.

    Select TG Cloud Region

    Choose the cloud region from the drop-down list. The options are:

    • NAM

    • EU

    Alert Log Level

    Choose the alert log level:

    • Critical

    • Warning

    • Info

    Select one or more file types

    Choose one or more file types from the drop-down list:

    • All

    • pdf

    • ms-exe

    • new-office

    • rtf

    • mdb

    • mscab

    • msole2

    • wri

    • xlw

    • flv

    • swf

    Click Add.

  4. Choose TLS Action.

    Field

    Description

    TLS Action

    Choose the TLS action from the drop-down list. The options are:

    • Decrypt

    • Pass Through

    • Do not Decrypt

    Select a TLS/SSL Decryption

    Choose the TLS/SSL decryption profile from the drop-down list or click Create New to create a profile.

5.

Click Save.


Version control for NGFW

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a and Cisco Catalyst SD-WAN Manager Release 20.18.1

Procedure

SUMMARY STEPS

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups, choose NGFW.
  2. Choose a security policy from the list and click Edit.
  3. Click Show version control to track and manage changes to the security policy.
  4. Select two versions of the security policy and click View diff to view the changes made in these versions.
  5. Click Revert next to a version if you wish to move back to an older version of the security policy configuration.

DETAILED STEPS

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups, choose NGFW.

2.

Choose a security policy from the list and click Edit.

3.

Click Show version control to track and manage changes to the security policy.

4.

Select two versions of the security policy and click View diff to view the changes made in these versions.

Configuration that you added to the security policy is highlighted in green. Configuration parameters that you removed are highlighted in red.

Visual diff is not available for large policy configurations. You can download each version using the Download config button and compare the files manually.

5.

Click Revert next to a version if you wish to move back to an older version of the security policy configuration.

For large policies, create and revert operations can take up to two minutes.
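For large policies, where the visual diff is unavailable and the text above says to download the configurations and compare them manually, the following added Python example (not Cisco code) reproduces the green/red view and additionally groups differences by rule sequence number, so a rule whose action changed is reported as changed rather than as one removal plus one addition. The two policy snapshots and their line format are constructed assumptions; the text obtained with Download config may be laid out differently.

```python
import difflib

# Constructed policy snapshots, assumed to be the text obtained with the
# Download config button for two versions of the same security policy.
VERSION_1 = """\
policy corp-ngfw
 sub-policy corp-to-internet
  rule 10 allow-web source Corporate_Users destination Untrusted action inspect
  rule 20 block-guest-pay source Local_Internet_for_Guests destination Payment_Processing_Network action drop
  rule 30 allow-dns source Corporate_Users destination Untrusted action pass
"""

VERSION_2 = """\
policy corp-ngfw
 sub-policy corp-to-internet
  rule 10 allow-web source Corporate_Users destination Untrusted action inspect
  rule 20 block-guest-pay source Local_Internet_for_Guests destination Payment_Processing_Network action drop
  rule 25 allow-ntp source Physical_Security_Devices destination Untrusted action pass
  rule 30 allow-dns source Corporate_Users destination Untrusted action inspect
"""


def diff_versions(old_text, new_text):
    """Return (added, removed) lists of configuration lines, the same
    information the View diff page highlights in green and red."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(),
                                lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # skip file headers and hunk markers
        if line.startswith("+"):
            added.append(line[1:].strip())
        elif line.startswith("-"):
            removed.append(line[1:].strip())
    return added, removed


def _index_rules(text):
    """Map each rule's sequence number to its full line (assumed format:
    'rule <sequence> <name> ...')."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "rule":
            rules[int(parts[1])] = line.strip()
    return rules


def changed_rules(old_text, new_text):
    """Classify every sequence number present in either version as added,
    removed, or changed, keyed on the sequence number that gives rule priority."""
    old, new = _index_rules(old_text), _index_rules(new_text)
    report = {"added": [], "removed": [], "changed": []}
    for seq in sorted(old.keys() | new.keys()):
        if seq not in old:
            report["added"].append(seq)
        elif seq not in new:
            report["removed"].append(seq)
        elif old[seq] != new[seq]:
            report["changed"].append(seq)
    return report


if __name__ == "__main__":
    added, removed = diff_versions(VERSION_1, VERSION_2)
    for line in removed:
        print("- " + line)  # shown in red by the UI
    for line in added:
        print("+ " + line)  # shown in green by the UI
    print(changed_rules(VERSION_1, VERSION_2))
```

Keying on the sequence number matters when reviewing a revert: a line-based diff shows a modified rule 30 as one red and one green line, while the grouped report makes clear that rule 30 still exists and only its action moved from pass to inspect, which is the kind of change worth confirming before clicking Revert.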