Cisco Catalyst SD-WAN Policy Groups Configuration Guide, Releases 26.x and Later

Configure policy objects for an NGFW policy

Guides you through creating and reusing policy objects for NGFW policies, including data prefixes, geo locations, FQDNs, ports, protocols, and security profiles for application, intrusion prevention, URL filtering, malware protection, TLS/SSL decryption, and zone configuration using Cisco SD-WAN Manager.


Before you begin

To save time during policy configuration and deployment, we recommend that you create a single policy object for each of Data Prefix, Geo Location, FQDN, Port, and Protocol, and reuse that object everywhere it is needed.

Procedure

SUMMARY STEPS

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > Objects and Profiles .
  2. Click Security objects. The list of security objects appears.
  3. Click Security profiles tab. The list of security profiles appears.
  4. Click Save.

DETAILED STEPS

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > Objects and Profiles .

In SD-WAN Manager 20.18.1 and earlier releases, Objects and Profiles is called Group of Interest.

2.

Click Security objects. The list of security objects appears.

In SD-WAN Manager 20.18.1 and earlier releases, Security objects is called Security.

  • Application lists

    Field

    Description

    Application List Name

    Name of the application list.

    Note

    See the information about custom applications in Restrictions for Security Policy.

    Applications

    Choose one or more application types from the drop-down list. For example, Third Party Control, ABC News, Microsoft Teams, and so on.

    Choose one or more application family types from the drop-down list. For example, application-service, audio_video, authentication, behavioral, compression, database, encrypted, and so on.

  • Data Prefix

    Field

    Description

    Data Prefix List Name

    Name of the prefix list.

    Data Prefix

    The data prefix value.

  • Data Prefix IPv6

    From Cisco SD-WAN Manager Release 20.18.2, you can configure data prefix IPv6.

    Field

    Description

    Name

    Name of the data prefix list.

    Data Prefix IPv6

    The data prefix IPv6 value.

  • Rule set

    From Cisco SD-WAN Manager Release 20.18.2, you can configure a rule set.

    Field

    Description

    Rule Set name

    Name of the rule set.

    Type

    You can choose IPv6 or IPv4.

  • Object group

    From Cisco SD-WAN Manager Release 20.18.2, you can configure an object group.

    Field

    Description

    Object Group Name

    Name of the object group.

    Description

    Description of the object group

    Type

    You can choose IPv6 or IPv4.

  • Local Domain

    Field

    Description

    Local Domain List Name

    Name of the local domain list.

    Local Domain

    The local domain values, separated by commas. For example, cisco.com.

  • FQDN (Fully Qualified Domain Name)

    The FQDN list is intended for matching standalone servers in data centers or a private cloud. When matching public URLs, the recommended match action is drop. If you use inspect for public URLs, you must define all related sub-URLs and redirect URLs.

    Table 2.

    Field

    Description

    FQDN List Name

    Name of the FQDN list.

    FQDN

    The URL names, separated by commas. For example, cisco.com.

    From Cisco Catalyst SD-WAN Manager Release 26.1.1.1, 256 FQDN entries are supported.

  • Signature

    The signature set blocks vulnerabilities with a Common Vulnerability Scoring System (CVSS) score greater than or equal to 9. It also blocks Common Vulnerabilities and Exposures (CVEs) published in the last two years that have the rule categories Malware CNC, Exploit Kits, SQL Injection, or blocked list.

    Field

    Description

    IPS Signature List Name

    Name of the IPS signature list.

    IPS Signature

    The signatures in the format Generator ID:Signature ID, separated by commas. For example, 1234:5678.

    The range of each ID is 0 to 4294967295.

  • URL allow

    List-based filtering allows the user to control access by permitting or denying access based on allowed or blocked lists. Here are some important points to note about these lists:

    • URLs that are allowed are not subjected to any category-based filtering.

    • If the same item is configured under both the allowed and blocked list, the traffic is allowed.

    • If the traffic does not match either the allowed or blocked lists, then it is subjected to category-based and reputation-based filtering.

    Field

    Description

    Allow URL List Name

    Name of the Allow URL list.

    Allow URL

    The URLs to allow.

  • URL block

    List-based filtering allows the user to control access by permitting or denying access based on allowed or blocked lists.

    Field

    Description

    Block URL List Name

    Name of the Block URL list.

    Block URL

    The URLs to block.

  • Zone

    Field

    Description

    Zone List Name

    Name of the zone list.

    VPN

    Choose to configure zones with zone type as VPN. Add the VPNs to the zones from the drop-down list. The options are:

    • Payment Processing Network

    • Corporate Users

    • Local Internet for Guests

    • Physical Security Devices

    Interface

    Choose to configure zones with zone type as Interface. Add the interfaces to the zones from the Add Interface drop-down list. The options are:

    • Ethernet

    • FastEthernet

    • FiveGigabitEthernet

    • FortyGigabitEthernet

    • GigabitEthernet

    • HundredGigE

  • Port

    Field

    Description

    Port List Name

    Name of the port list.

    Port

    The port values, separated by commas.

    The range is 0 to 65530.

  • Protocol

    Field

    Description

    Protocol List Name

    Name of the protocol list.

    Protocols

    Select one or more protocol names from the drop-down list. For example, snmp, tcp, udp, icmp, echo, telnet, and so on.

  • Geo Location

    Field

    Description

    Geo Location List Name

    Name of the geolocation list.

    Geo Location

    Select one or more geo locations from the drop-down list. For example, Africa, Antarctic, Asia, Europe, and so on.
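The tables above give the value formats for several security objects: IPS signatures as Generator ID:Signature ID with each ID in the range 0 to 4294967295, ports in the range 0 to 65530, data prefixes in IPv4 or IPv6 form, and FQDN lists of up to 256 entries. The following validator is an added example, not Cisco code and not part of SD-WAN Manager; it checks comma-separated field values against those stated ranges before they are pasted into the UI, so a malformed entry is caught locally rather than at deployment. The FQDN label rule (letters, digits and hyphens, at least two labels) is an assumption made for the example.

```python
"""Validate SD-WAN security object field values against the ranges stated in
the policy objects tables. Added example, not Cisco code."""
import ipaddress
import re

SIG_MAX = 4294967295      # upper bound for Generator ID and Signature ID
PORT_MAX = 65530          # upper bound given for the Port list
FQDN_MAX_ENTRIES = 256    # FQDN entries supported from Release 26.1.1.1

# Assumed FQDN label rule: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_FQDN_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_csv(value: str) -> list[str]:
    """Split a comma-separated field value, dropping surrounding spaces and empties."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_signatures(value: str) -> list[tuple[int, int]]:
    """Parse 'GID:SID, GID:SID' into (gid, sid) pairs; raise ValueError on bad input."""
    pairs = []
    for item in split_csv(value):
        gid_s, sep, sid_s = item.partition(":")
        if not sep or not gid_s.isdigit() or not sid_s.isdigit():
            raise ValueError(f"signature {item!r} is not in Generator ID:Signature ID form")
        gid, sid = int(gid_s), int(sid_s)
        if gid > SIG_MAX or sid > SIG_MAX:
            raise ValueError(f"signature {item!r} exceeds range 0-{SIG_MAX}")
        pairs.append((gid, sid))
    return pairs


def validate_ports(value: str) -> list[int]:
    """Parse a comma-separated port list, enforcing the 0-65530 range."""
    ports = []
    for item in split_csv(value):
        if not item.isdigit() or int(item) > PORT_MAX:
            raise ValueError(f"port {item!r} is outside 0-{PORT_MAX}")
        ports.append(int(item))
    return ports


def validate_prefixes(value: str, version: int) -> list[str]:
    """Accept only prefixes of the requested IP version (4 or 6), normalised to
    network form so that host bits do not leak into the prefix list."""
    nets = []
    for item in split_csv(value):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            raise ValueError(f"prefix {item!r} is not a valid network") from exc
        if net.version != version:
            raise ValueError(f"prefix {item!r} is IPv{net.version}, list is IPv{version}")
        nets.append(str(net))
    return nets


def validate_fqdns(value: str) -> list[str]:
    """Check the entry count limit and the assumed label rule for each FQDN."""
    names = split_csv(value)
    if len(names) > FQDN_MAX_ENTRIES:
        raise ValueError(f"{len(names)} FQDNs exceeds the limit of {FQDN_MAX_ENTRIES}")
    for name in names:
        labels = name.rstrip(".").split(".")
        if len(labels) < 2 or not all(_FQDN_LABEL.match(label) for label in labels):
            raise ValueError(f"{name!r} is not a valid FQDN")
    return names


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(validate_signatures("1234:5678, 1:2000001"))
    print(validate_ports("22, 443, 8443"))
    print(validate_prefixes("10.1.0.5/16, 192.0.2.0/24", version=4))
    print(validate_fqdns("cisco.com, www.example.com"))
```

Each function returns the parsed values so the same checks can be reused by a script that builds objects programmatically; a prefix such as 10.1.0.5/16 is returned as 10.1.0.0/16 rather than rejected, which matches how a prefix list is normally interpreted.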

3.

Click Security profiles tab. The list of security profiles appears.

  • Advanced inspection profile

    Field

    Description

    Profile Name

    Name of the advanced inspection profile.

    Description

    The description of the profile.

    Select an Intrusion Prevention

    Choose an intrusion prevention option from the drop-down list.

    Select an URL Filter

    Choose a URL filter from the drop-down list.

    Select an Advanced Malware Protection

    Choose an advanced malware protection.

    TLS Action

    Choose the TLS action. The options are:

    • Decrypt

    • Pass Through

    • Do not Decrypt

  • Intrusion prevention

    Field

    Description

    Profile Name

    Name of the intrusion prevention policy.

    Signature Set

    Choose a signature set that defines the rules for evaluating traffic from the Signature Set drop-down list. The following options are available:

    • Balanced : Provides protection without a significant effect on system performance.

    • Connectivity : Less restrictive and provides better performance by imposing fewer rules.

    • Security : Provides more protection than Balanced but with an impact on performance.

    Inspection Mode

    Choose the inspection mode. The following options are available:

    • Detection: Choose this option for intrusion detection mode.

    • Protection: Choose this option for intrusion protection mode.

    Custom Signature Set

    Select one or more web categories from the drop-down list. The categories are: abortion, abused-drugs, auctions, and so on.

    Select an Signature Allow List

    Select a signature allow list.

    Alerts Log Level

    Choose the alert log level:

    • Error

    • Emergency

    • Alert

    • Critical

    • Warning

    • Notice

    • Info

    • Debug

  • URL filtering

    Field

    Description

    Profile Name

    Name of the URL filtering policy.

    Web Category

    Choose the web category. The options are Block and Allow.

    Web Reputation

    Choose the web reputation from the drop-down list. The reputation options are:

    • High Risk

    • Suspicious

    • Moderate Risk

    • Low Risk

    • Trustworthy

    Select one or more web categories

    Select one or more web categories from the drop-down list. The categories are: abortion, abused-drugs, auctions, and so on.

    Select allow URL list

    Select an allow URL list.

    Select block URL list

    Select a block URL list.

    Block Page Server

    Choose one of the options:

    • Block Page Content: Enter the default content header and content body.

    • Redirect URL: Enter the redirect URL.

    Alerts and Logs

    Choose the alert and log type:

    • Blocklist

    • Allowlist

    • Reputation/Category
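The URL allow and URL block objects in step 2 state the list precedence (allowed URLs skip category filtering, an item in both lists is allowed, and unmatched traffic falls through to category-based and reputation-based filtering), and the URL filtering profile above adds the category action and the reputation tiers. The following model is an added example, not Cisco code, that applies those rules in that order to a URL. Matching a parent domain of the host against a list entry, and blocking when either the category is blocked or the reputation is at or below the configured tier, are assumptions made for the example.

```python
"""Model of the URL filtering decision order: allow list, block list, web
category, then web reputation. Added example, not Cisco code."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Reputation tiers from the Web Reputation drop-down, worst first.
REPUTATION_ORDER = ["High Risk", "Suspicious", "Moderate Risk", "Low Risk", "Trustworthy"]


def _host(url: str) -> str:
    """Normalise a URL or bare hostname to a lowercase host for list matching."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


@dataclass
class UrlFilterProfile:
    allow_urls: set[str] = field(default_factory=set)       # Allow URL list entries
    block_urls: set[str] = field(default_factory=set)       # Block URL list entries
    blocked_categories: set[str] = field(default_factory=set)
    reputation_threshold: str = "High Risk"                 # block this tier and worse

    def __post_init__(self):
        # Store list entries as hosts so "https://cisco.com/" and "cisco.com" compare equal.
        self.allow_urls = {_host(e) for e in self.allow_urls}
        self.block_urls = {_host(e) for e in self.block_urls}


def _list_match(host: str, entries: set[str]) -> bool:
    """Match the host itself or any parent domain in the list, excluding the bare TLD
    (assumed matching behaviour for the example)."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in entries for i in range(len(parts) - 1))


def evaluate_url(profile: UrlFilterProfile, url: str, category: str, reputation: str) -> tuple[str, str]:
    """Return (action, reason); action is 'allow' or 'block'. Order follows the
    allow/block list rules, then category, then reputation."""
    host = _host(url)
    if _list_match(host, profile.allow_urls):
        return "allow", "allowlist"        # allowed URLs skip category and reputation checks
    if _list_match(host, profile.block_urls):
        return "block", "blocklist"
    if category in profile.blocked_categories:
        return "block", "category"
    if REPUTATION_ORDER.index(reputation) <= REPUTATION_ORDER.index(profile.reputation_threshold):
        return "block", "reputation"
    return "allow", "reputation/category"


if __name__ == "__main__":
    # Constructed profile and lookups; categories and reputations would come from the
    # cloud lookup in a real deployment.
    profile = UrlFilterProfile(
        allow_urls={"cisco.com"},
        block_urls={"cisco.com", "bad.example"},   # cisco.com in both lists: allow wins
        blocked_categories={"abused-drugs"},
        reputation_threshold="Suspicious",
    )
    for url, cat, rep in [
        ("https://www.cisco.com/go/sdwan", "business", "Trustworthy"),
        ("http://bad.example/", "business", "Trustworthy"),
        ("https://shop.example.net", "abused-drugs", "Trustworthy"),
        ("news.example.net", "news", "Suspicious"),
        ("news.example.net", "news", "Moderate Risk"),
    ]:
        print(url, "->", evaluate_url(profile, url, cat, rep))
```

The reason string is what you would want in a log line when checking why a particular site was allowed or blocked: "allowlist" and "blocklist" map to the Blocklist and Allowlist alert types of the profile, the others to Reputation/Category.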

  • Advanced Malware Protection Policy

    Field

    Description

    Profile Name

    Name of the advanced malware protection policy.

    Select AMP Cloud Region

    Select the AMP Cloud region. The options are:

    • NAM

    • EU

    • APJC

    Alert Log Level

    Choose the alert log level. The options are:

    • Critical

    • Warning

    • Info

    File Analysis

    Enable file analysis.

    Select TG Cloud Region

    Select TG Cloud region. The options are NAM and EU.

    Select one or more file types

    Select one or more file types. The options are pdf, ms-exe, new-office, rtf, mdb, mscab, msole2, wri, xlw, flv, and swf.

  • TLS/SSL profile

    Field

    Description

    Profile Name

    Name of the TLS/SSL profile.

    Select Categories to assign action

    Assign each URL category to one of the actions: Decrypt, No Decrypt, or Pass Through.

    Alternatively, choose multiple categories and set the action.

    Reputation

    Enable reputation to choose the Decrypt Threshold. The decrypt threshold options are:

    • High Risk

    • Suspicious

    • Moderate Risk

    • Low Risk

    • Trustworthy

    Advanced Options

    Select a Decrypt Domain list

    Choose the decrypt domain list or click Create New to create a new decrypt domain list.

    1. Enter the Decrypt Domain List Name.

    2. Enter the Decrypt Domain.

    3. Click Add.

    Select a No Decrypt Domain list

    Choose the no decrypt domain list or click Create New to create a new no decrypt domain list.

    1. Enter the No Decrypt Domain List Name.

    2. Enter the No Decrypt Domain.

    3. Click Add.

    Fail Decrypt

    Enable the fail decrypt option, which applies when decryption fails.

  • TLS/SSL decryption

    Field Name

    Description

    Policy Name

    Name of the policy. The name can contain a maximum of 32 characters.

    Server Certificate Checks

    Expired Certificate

    Defines what the policy should do if the server certificate has expired. The options are:

    • Drop : Drop traffic

    • Decrypt : Decrypt traffic

    Untrusted Certificate

    Defines what the policy should do if the server certificate is not trusted. The options are:

    • Drop : Drop traffic

    • Decrypt : Decrypt traffic

    Certificate Revocation Status

    Defines whether the Online Certificate Status Protocol (OCSP) should be used to check the revocation status of the server certificate. The options are Enabled or Disabled.

    Unknown Revocation Status

    Defines what the policy does if the OCSP revocation status is unknown. The options are:

    • Drop : Drop traffic

    • Decrypt : Decrypt traffic

    Unsupported Mode Checks

    Unsupported Protocol Versions

    Defines what the policy does with protocol versions that the proxy does not support. The options are:

    • Drop : Drop the unsupported protocol versions.

    • Decrypt : Decrypt the unsupported protocol versions.

    Unsupported Cipher Suites

    Defines what the policy does with cipher suites that the proxy does not support. The options are:

    • Drop : Drop the unsupported cipher suites.

    • Decrypt : Decrypt the unsupported cipher suites.

    Failure Mode

    Defines the failure mode. The options are close and open.

    Certificate Bundle

    Check the Use default CA certificate bundle checkbox to use the default CA.

    Minimum TLS Version

    Sets the minimum version of TLS that the proxy should support. The options are:

    • TLS 1.0

    • TLS 1.1

    • TLS 1.2

    Proxy Certificate Attributes

    RSA Keypair Modulus

    Defines the RSA key modulus size of the proxy certificate. The options are:

    • 1024 bit RSA

    • 2048 bit RSA

    • 4096 bit RSA

    EC Key Type

    Defines the key type. The options are:

    • P256

    • P384

    • P521

    Certificate Lifetime (in Days)

    Sets the lifetime of the proxy certificate, in days.
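The TLS/SSL decryption table above lists the server certificate checks (expired, untrusted, OCSP revocation status), the unsupported mode checks (protocol versions, cipher suites), the failure mode, and the minimum TLS version, each with a Drop or Decrypt action. The following is an added example, not Cisco code, that applies such a policy to a constructed server handshake record and reports which check decided the outcome. The order in which the checks run, the handling of a certificate that OCSP reports as revoked (dropped), the reading of failure mode open as pass-through when the proxy itself cannot process a session, and the handshake record itself are assumptions made for the example.

```python
"""Apply the server-certificate and unsupported-mode checks of a TLS/SSL
decryption policy to a constructed handshake observation. Added example,
not Cisco code; check order is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone

TLS_VERSIONS = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]   # Minimum TLS Version options


@dataclass
class DecryptionPolicy:
    expired_certificate: str = "Drop"               # Drop | Decrypt
    untrusted_certificate: str = "Drop"             # Drop | Decrypt
    certificate_revocation_status: str = "Enabled"  # OCSP check: Enabled | Disabled
    unknown_revocation_status: str = "Drop"         # Drop | Decrypt
    unsupported_protocol_versions: str = "Drop"     # Drop | Decrypt
    unsupported_cipher_suites: str = "Drop"         # Drop | Decrypt
    failure_mode: str = "close"                     # close | open
    minimum_tls_version: str = "TLS 1.2"
    # Assumed set of cipher suites the proxy can decrypt (not from the page).
    supported_ciphers: frozenset = frozenset({
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    })


@dataclass
class ServerHandshake:
    """Constructed observation of a server's TLS handshake; not a real capture."""
    not_after: datetime        # certificate expiry
    chain_trusted: bool        # chain validates against the CA bundle
    ocsp_status: str           # good | revoked | unknown
    tls_version: str
    cipher_suite: str
    proxy_error: bool = False  # proxy could not process the session at all


def evaluate_session(policy: DecryptionPolicy, hs: ServerHandshake, now: datetime) -> tuple[str, str]:
    """Return (action, deciding_check). Actions: 'drop', 'decrypt', 'pass-through'."""
    if hs.proxy_error:
        # Failure mode: open lets the session through undecrypted, close drops it (assumed reading).
        return ("pass-through" if policy.failure_mode == "open" else "drop"), "failure mode"
    # Versions not in the option list, or below the configured minimum, count as unsupported.
    if (hs.tls_version not in TLS_VERSIONS
            or TLS_VERSIONS.index(hs.tls_version) < TLS_VERSIONS.index(policy.minimum_tls_version)):
        return policy.unsupported_protocol_versions.lower(), "unsupported protocol version"
    if hs.cipher_suite not in policy.supported_ciphers:
        return policy.unsupported_cipher_suites.lower(), "unsupported cipher suite"
    if hs.not_after <= now:
        return policy.expired_certificate.lower(), "expired certificate"
    if not hs.chain_trusted:
        return policy.untrusted_certificate.lower(), "untrusted certificate"
    if policy.certificate_revocation_status == "Enabled":
        if hs.ocsp_status == "revoked":
            return "drop", "revoked certificate"     # assumed: page only specifies the unknown case
        if hs.ocsp_status == "unknown":
            return policy.unknown_revocation_status.lower(), "unknown revocation status"
    return "decrypt", "all checks passed"


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    good = ServerHandshake(datetime(2026, 1, 1, tzinfo=timezone.utc), True, "good",
                           "TLS 1.2", "TLS_AES_128_GCM_SHA256")
    print(evaluate_session(DecryptionPolicy(), good, now))
    expired = ServerHandshake(datetime(2024, 6, 1, tzinfo=timezone.utc), True, "good",
                              "TLS 1.2", "TLS_AES_128_GCM_SHA256")
    print(evaluate_session(DecryptionPolicy(), expired, now))
    print(evaluate_session(DecryptionPolicy(expired_certificate="Decrypt"), expired, now))
```

The deciding-check string is the value worth recording: when users report a dropped site, it tells you whether the policy setting to revisit is the certificate check, the unsupported-mode check, or the minimum TLS version, rather than the allow/block lists of the URL filtering profile.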

4.

Click Save.