Cisco Secure Access for Cisco Catalyst SD-WAN Devices
Feature history for Cisco Secure Access integration
|
Feature |
Release information |
Description |
|---|---|---|
|
Cisco Secure Access Integration |
Cisco IOS XE Catalyst SD-WAN Release 17.13.1a Cisco Catalyst SD-WAN Manager Release 20.13.1 |
Cisco Secure Access is a cloud Security Service Edge (SSE) solution, that provides seamless, transparent, and secure Direct Internet Access (DIA). This feature supports Cisco Secure Access integration through policy groups in Cisco SD-WAN Manager. |
|
Cisco Secure Access integration extended to Cisco Catalyst SD-WAN for Government |
Cisco Catalyst SD-WAN Manager Release 26.1.1.1 |
Cisco Catalyst SD-WAN for Government can integrate with a federally authorized Cisco Security Service Edge (SSE) server to enable Cisco Secure Access integration. |
What is Cisco Secure Access integration
A Cisco Secure Access integration is a cloud security solution that
- provides multiple levels of defense against internet-based threats, and
- integrates with Cisco SD-WAN Manager via REST APIs to share policy information with SD-WAN devices, and
- provides seamless, transparent, and secure Direct Internet Access (DIA) to help users connect from anything to anywhere.
Secure Service Edge policy configuration
To configure Secure Service Edge (SSE), select Cisco Secure Access as the provider in the SSE policy group in Cisco SD-WAN Manager.
The SSE policy group defines IPSec tunnels and tunnel parameters. You can provision network tunnel groups in Cisco Secure Access and provide attributes to the edge devices that are needed to set up IPSec tunnels.
For more information on network tunnel groups, see Manage Network Tunnel Groups.
Restrictions for Cisco Secure Access integration
Configuration and capabilities
- This feature cannot be configured through a CLI template. This feature can be configured using policy groups on Cisco SD-WAN Manager.
Operational limitations
- Cisco SD-WAN Manager does not support API throttling to Cisco Secure Access.
- After Cisco Secure Access integration with Cisco Catalyst SD-WAN, any changes made to the network tunnel group name in Cisco Secure Access dashboard are not reflected in Cisco SD-WAN Manager.
FedRAMP Compliance
- For Cisco Catalyst SD-WAN for Government, the connection between Cisco SD-WAN and Cisco Secure Service Edge has not been assessed for FedRAMP compliance by third-party auditors.
Workflow to set up Cisco Secure Access
Follow these steps to integrate Cisco Secure Access with Cisco Catalyst SD-WAN:
Before you begin
Before you begin, ensure the following prerequisites are met:
- Ensure that a configuration group is associated to the selected WAN edge devices and deployed.
- Configure the IP domain lookup command on the device.
- Configure the DNS server on Cisco SD-WAN Manager to connect to Cisco Secure Access.
Step 1 | Create Cisco Secure Access credentials on the page. |
Step 2 | Create automatic tunnels to Cisco Secure Access using . |
Step 3 | Redirect traffic to Cisco Secure Access using service routes or policy groups. |
Create Cisco Secure Access credentials
Follow these steps to create Cisco Secure Access credentials:
Before you begin
Ensure you use the same Cisco SSE credentials that you originally used to create the SSE tunnels when you remove any tunnel configurations. Changing or updating these credentials before clearing existing Cisco SSE configurations can result in issues. Change the credentials only if absolutely necessary.
If there are two Cisco SD-WAN Manager instances in the SD-WAN overlay, each Cisco SD-WAN Manager instance has its own SSE credentials and the tunnel is unique to that instance. The SSE tunnels cannot be shared across Cisco SD-WAN Manager instances.
Step 1 | From in Cisco SD-WAN Manager, select Cisco Secure Access as the provider. | ||||||||
Step 2 | From Cisco SD-WAN Manager 26.1.1, choose between Commercial or GovCloud. Choose GovCloud only if you are using Cisco Catalyst SD-WAN for Government. When changing, SD-WAN Manager prompts you to enter your Cisco SSE credentials. Before changing this option, remove any configured Cisco SSE features. | ||||||||
Step 3 | Create the credentials in the Administration > Settings page. Click Click here to add Cisco Secure Access Credentials to create the Cisco Secure Access credentials. Enter Cisco Secure Access credentials:
| ||||||||
Step 4 | Click Add. |
Create tunnels to Cisco Secure Access using policy groups
Follow these steps to create tunnels to Cisco Secure Access using policy groups:
|
When ... |
Then for Cisco Secure Access ... |
|---|---|
|
The deletion is initiated from Cisco SD-WAN Manager , the SSE Tunnel is not removed from the SSE dashboard. |
You must manually delete the Remote Tunnel Group, which is the device Chassis ID (specific to Cisco Secure Access), from the SSE dashboard before provisioning it again from Cisco SD-WAN Manager . |
Step 1 | From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > Add Secure Service Edge (SSE). | ||||||||||||||||||||||||||||||||||||||||||||||||
Step 2 | Configure a tracker.
| ||||||||||||||||||||||||||||||||||||||||||||||||
Step 3 | Configure tunnel parameters.
| ||||||||||||||||||||||||||||||||||||||||||||||||
Step 4 | Choose a Region from the drop-down list. When you choose the region, a pair of primary and secondary region is selected. Choose the primary region that Cisco Secure Service Edge provides from the drop-down list and the secondary region is auto-selected in Cisco SD-WAN Manager. If the primary region with a unicast IP address is not reachable then the secondary region with a unicast IP address is reachable and vice versa. Cisco Secure Access ensures that both the regions are reachable at all times. You can configure any DNS server on the device which connects to HTTPS to get the public IP address. To configure a source interface for HTTPS, use the ip http client source-interface command on Cisco SD-WAN Manager. | ||||||||||||||||||||||||||||||||||||||||||||||||
Step 5 | To designate active and back-up tunnels and distribute traffic among tunnels configure HA.
| ||||||||||||||||||||||||||||||||||||||||||||||||
Step 6 | Click Add. | ||||||||||||||||||||||||||||||||||||||||||||||||
Redirect traffic to Cisco Secure Access
Follow these steps to redirect traffic to Cisco Secure Access:
You can redirect traffic to a Cisco Secure Access in two ways:
|
Monitor tunnels to Cisco Secure Access
To view information about the Cisco Secure Access tunnels that you have configured from a Cisco Catalyst SD-WAN device, use the show SSE all command.
Device# show sse all
***************************************
SSE Instance Cisco-Secure-Access
***************************************
Tunnel name : Tunnel15000001
Site id: 2678135102
Tunnel id: 617865691
SSE tunnel name: C8K-63a9b72b-f1fa-4973-a323-c36861cf59ee
HA role: Active
Local state: Up
Tracker state: Up
Destination Data Center: 52.42.220.205
Tunnel type: IPSEC
Provider name: Cisco Secure Access
Tunnel name : Tunnel15000002
Site id: 2678135102
Tunnel id: 617865691
SSE tunnel name: C8K-63a9b72b-f1fa-4973-a323-c36861cf59ee
HA role: Backup
Local state: Up
Tracker state: Up
Destination Data Center: 44.241.136.173
Tunnel type: IPSEC
Provider name: Cisco Secure Access
*******************************************
TUNNEL DB ALL
*******************************************
Tun:Tunnel15000001 Instance:Cisco-Secure-Access (Id:2)
Tun:Tunnel15000002 Instance:Cisco-Secure-Access (Id:2)
*******************************************
SERVICE ROUTE LIST ALL
*******************************************
Monitor SIG/SSE tunnels
Use the security operations dashboard to monitor the status and performance of SSE tunnels.
Step 1 | From the Cisco SD-WAN Manager menu, choose . The SIG/SSE Tunnel Status pane shows tunnel information using a donut chart:
Degraded state indicates that the SIG tunnel is up but the Layer 7 health of the tunnel as detected by the tracker does not meet the configured SLA parameters. Traffic is not routed through the tunnel. |
Step 2 | (Optional) Click a section of the donut chart to view detailed information about tunnels having a particular status. Cisco SD-WAN Manager displays detailed information about the tunnels in the SIG/SSE Tunnels dashboard. |
Step 3 | (Optional) Click All SIG/SSE Tunnels to view the SIG/SSE Tunnels dashboard. |
Troubleshooting using Cisco SD-WAN Manager
Follow these steps to view the audit logs:
You can troubleshoot provisioning errors or view the remote tunnel status using the audit logs.
Step 1 | From the Cisco SD-WAN Manager menu, choose . Cisco vManage Release 20.6.1 and earlier: From the Cisco SD-WAN Manager menu, choose . Cisco SD-WAN Manager displays a log of activities both in table and graphical format. |
Step 2 | Click Filter and choose one or more modules to filter the view. You can choose more than one Module type. |
Step 3 | To export data for all audit logs to a file in CSV format, click Export . Cisco SD-WAN Manager downloads all data from the audit logs table to an Excel file to a CSV format. The file is downloaded to your browser’s default download location and is named Audit_Logs.csv. |
Step 4 | To view detailed information about any audit log, for the desired row in the table, click ... and choose Audit Log Details . The Audit Log Details dialog box opens, displaying details of the audit log. |
Step 5 | To view configuration changes made to a Template type Module , for the desired row in the table, click ... adjacent to a log row for a template module, and choose Config Diff . The Config Difference pane displays a side-by-side view of the differences between the configuration that was originally in the template and the changes made to the configuration. To view the changes inline, click Inline Diff . You can view changes to previous and current configurations made only where the module type is template. |
Step 6 | To view the updated configuration on the device, click Configuration . Starting from Cisco IOS XE Catalyst SD-WAN Release 17.6.1a and Cisco SD-WAN Release 20.6.1 , for template and policy configuration changes, the Audit Logs option displays the action performed. To view the previous and current configuration for any action, click Audit Log Details. Audit logs are collected when you create, update, or delete device or feature templates, and localized or centralized, and security policies. Audit logs shows the changes in API payloads when templates or policies are attached or not attached. |