Before you Begin

This chapter provides an overview of the Security Cloud Control platform and the variety of supported products. It introduces the platform’s management capabilities for Cisco firewalls and other devices.

About Cisco Security Cloud Control

Cisco Security Cloud Control is a security platform that allows you to manage your security products and achieve security outcomes from a single integrated interface.

Integrating security products in the platform is a streamlined experience. After purchasing your subscriptions to Cisco security products, you receive a single email, with a single claim code for all the subscriptions you purchased. Entering the claim code in your new Security Cloud Control organization provisions all your products to Security Cloud Control simultaneously.

Within Security Cloud Control, user and group management occurs at the platform level. Roles are assigned to these users and groups to define their privileges for administering Security Cloud Control and the integrated products.

Navigation between products and tools is intuitive and standardized with a common platform menu and toolbar for all integrated products.

Security Cloud Control provides these additional core services to all integrated products on the platform:

  • Platform Management: Common services such as managing role-based access control, claiming subscriptions and standardized regional deployment of product instances are provided by Security Cloud Control. By centralizing these functions, Security Cloud Control ensures a consistent user experience in provisioning and managing access across all Cisco security products managed from the platform. Administrators reach these common services from the Platform Management menu in the main navigation bar of Security Cloud Control.

  • AI Assistant: The Cisco AI Assistant in Security Cloud Control is designed to streamline security operations by providing AI-driven insights, automation, and contextual guidance. It assists administrators in managing security policies, troubleshooting issues, and optimizing configurations across Cisco's security products, including Firewall, Duo, and Secure Access. By leveraging natural language processing and cross-platform intelligence, the assistant enhances efficiency, accelerates incident response, and simplifies security workflows.

  • Global Search: The ability to search for values across products in the platform.

  • Shared Objects: Creating and managing objects that can be shared across devices and policies.

  • Unified documentation portal: A documentation "Help" experience where all documentation is accessible in one portal.

Products You Can Integrate with Security Cloud Control

From Security Cloud Control, you can manage all of these security products:

  • AI Defense

  • Security Cloud Control Firewall Management

  • Multicloud Defense

  • Secure Access

  • Secure Workload

Products You Can Launch from Security Cloud Control

From Security Cloud Control, you can launch these security products. After launch, these products operate as standalone products and you cannot manage them through Security Cloud Control. You can only claim or deactivate the licenses of such products from Security Cloud Control.

In the Security Cloud Control toolbar, click the nine-dot menu to launch these products:

  • Cisco Secure Email Threat Defense

  • Cisco Secure Endpoint

  • Cisco Duo

  • Cisco XDR

Products Supported by Security Cloud Control

Currently, these are the products you can integrate with Security Cloud Control.

AI Defense: AI Defense addresses risks for users and providers of AI. Using network visibility and enforcement points in the Security Cloud Control, AI Defense adds detection and enforcement measures to discover sanctioned and unsanctioned AI workloads, applications, models, data, and user access across your distributed cloud environment. For organizations that develop and deliver AI-powered services, AI Defense detects vulnerabilities in your AI models before they're delivered. For your running AI applications, AI Defense guardrails intercept rapidly evolving threats, including prompt injections, denial of service, and data leakage. See AI Defense Documentation for more information.

Security Cloud Control Firewall Management: Security Cloud Control Firewall Management (formerly Cisco Defense Orchestrator) is a cloud-based security policy manager that simplifies and unifies policy across your Cisco firewalls and other devices. See Firewall in Security Cloud Control Documentation for more information.

Multicloud Defense: Multicloud Defense provides a simplified and highly automated approach to multicloud security. This solution allows organizations to manage and secure their multicloud environments using a single SaaS-delivered control plane and centralized or distributed PaaS-delivered data plane architectures. Multicloud Defense provides continuous visibility, unified protection, and dynamic policy updates across all major cloud providers, thereby eliminating the need for a separate point solution for each cloud provider. See Multicloud Defense Documentation for more information.

Secure Access: Cisco Secure Access is a cloud-based platform that provides multiple levels of defense against internet-based threats. Connect securely to the internet, SaaS apps, and private digital resources from your organization's network or roaming off-network. Using policy rules, configure and enforce security controls on collections of resources, users, and devices. See Secure Access Documentation for more information. Secure Access subscriptions also include the Identity Intelligence integration via Security Cloud Control at no additional charge—this does not include access to the standalone Identity Intelligence dashboard. For more information, see Integrate Cisco Identity Intelligence with Secure Access.

Secure Workload: Cisco Secure Workload (formerly Tetration) seamlessly delivers zero-trust micro-segmentation across any workload, environment, or location from a single console. With comprehensive visibility into every workload interaction and powerful AI/ML-driven automation, Secure Workload reduces the attack surface by preventing lateral movement, identifies workload behavior anomalies, helps rapidly remediate threats, and continuously monitors policy compliance. See Secure Workload Documentation for more information.

About Security Cloud Control Firewall Management

Firewall in Security Cloud Control (formerly Cisco Defense Orchestrator) simplifies the management of security policies in distributed environments, ensuring consistent policies across all managed firewalls. The firewalls and devices are managed in Firewall, which is listed under Products in Security Cloud Control.

It optimizes security policies by identifying inconsistencies and providing resolution tools. The platform enables object and policy sharing, as well as the creation of configuration templates, ensuring policy uniformity across devices.

Coexisting with local device managers like the Adaptive Security Device Manager (ASDM), Security Cloud Control tracks configuration changes made by both itself and other managers, reconciling any discrepancies.

Featuring an intuitive user interface, Security Cloud Control allows management of various devices from a single platform. Advanced users can also utilize an enhanced CLI interface for more efficient management.

The platform offers a guided "Day 0" experience, facilitating the quick onboarding of threat defense devices to your on-premises or Cloud-Delivered Firewall Management Center. It highlights key features for potential benefits and assists in their activation and configuration.

Onboard Devices

Before you onboard a device, make sure that you have successfully completed the installation wizard and licensed the device. Then use Security Cloud Control's onboarding wizard to onboard your device. Security Cloud Control can easily manage large deployments.

See Onboard Devices and Services.

Note: Once you have onboarded devices to a Security Cloud Control tenant, you cannot migrate the devices from one Security Cloud Control tenant to another. If you want to move your devices to a new tenant, you need to re-onboard the devices to the new tenant.

For a complete list of devices that Security Cloud Control supports and manages, see Supported Devices, Software, and Hardware.

Cisco Online Privacy Statement

Cisco Systems, Inc. and its subsidiaries (collectively "Cisco") are committed to protecting your privacy and providing you with a positive experience on our websites and while using our products and services ("Solutions"). Please read Cisco Online Privacy Statement carefully to get a clear understanding of how we collect, use, share, and protect your personal information.

Managing Secure Firewall ASA with Security Cloud Control

Security Cloud Control (formerly Cisco Defense Orchestrator) is a cloud-based, multi-device manager that provides a simple, consistent, and secure way of managing security policies on all your ASA devices.

The goal of this document is to provide customers new to Security Cloud Control with an outline of activities you can use to standardize objects and policies, upgrade managed devices, and manage VPN policies and monitor remote workers. This document assumes the following:

  • Your ASAs are already configured and you are using them in your enterprise.

  • If the ASA you want Security Cloud Control to manage cannot be directly accessed from the internet, then you will need to deploy a Secure Device Connector (SDC) in your network. The SDC manages the communication between Security Cloud Control and your ASA.

    For more information, see Deploy a VM for Running the Secure Device Connector and Secure Event Connector.

Secure Device Connectors

When using device credentials to connect Security Cloud Control to your ASA, it is a best practice to download and deploy a Secure Device Connector (SDC) in your network to manage the communication between Security Cloud Control and the ASA. All ASAs can be onboarded to Security Cloud Control using device credentials. If you do not want the SDC to manage communications between your ASA and Security Cloud Control, and your device can be accessed directly from the internet, you do not need to install an SDC in your network. Your ASAs can then be onboarded to Security Cloud Control using the Cloud Connector.

Deploying more than one SDC for your tenant allows you to manage more devices with your Security Cloud Control tenant without experiencing performance degradation. The number of devices a single SDC can manage depends on the features implemented on those devices and the size of their configuration files. For the purposes of planning your deployment, however, we expect one SDC to support approximately 500 devices.

To view your SDCs:

  1. Log in to Security Cloud Control.

  2. From the Security Cloud Control menu, choose Admin > Secure Connectors.

Onboard Devices

You can onboard your ASAs to Security Cloud Control in bulk or one at a time.

See Support Specifics for a discussion of ASA software and hardware supported by Security Cloud Control.

Policy Orchestration

Policy orchestration involves reviewing objects and policies. Keep in mind when you are working with ASA policies that Security Cloud Control refers to "access-groups" as "access policies." To find ASA access policies, navigate to Policies > ASA Access Policies from the Security Cloud Control menu bar.

Resolve Network Object Issues

Over the years, you may have objects on your security device that are no longer used, are duplicates of other objects, or whose values are inconsistent across devices. Begin your orchestration task by fixing these object issues.

Address object issues in the order below. The work you do in the early steps may reduce the number of issues you have to address in later steps:

  1. Resolve unused objects. Unused objects are objects that exist on a device but are not referenced by another object, an access-list, or a NAT rule.

  2. Resolve duplicate objects. Duplicate objects are two or more objects on the same device with different names but the same values. These objects are usually created accidentally, serve similar purposes, and are used by different policies. After resolving duplicate object issues, Security Cloud Control updates all affected object references with the retained object name.

  3. Resolve inconsistent objects. Inconsistent objects are objects with the same name, but different values, on two or more devices. Sometimes users create objects in different configurations with the same name and content, but over time the values of these objects diverge, which creates the inconsistency. This could be a security issue. You may have a rule that is protecting an outdated resource.

Fix Shadow Rules

Now that you have resolved your network object issues, review network policies for shadow rules and fix them. A shadow rule is marked by a half-moon badge on the ASA access policies page. The rules in an access policy are configured in a list and evaluated one at a time from top to bottom. A shadowed rule will never be matched because all the traffic it describes already matches a rule above it in the policy. If there is a shadowed rule that will never be hit, remove it, or edit the policy to make the rule effective.
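The following is an added example, not Security Cloud Control's own shadow-rule detector, that applies the definition above to a constructed ASA access-list: it parses a limited form of extended ACL entries (ip/tcp/udp, any/host/subnet addresses, optional eq port) and flags a rule as shadowed when a single earlier rule covers all of its traffic. It does not handle rules that are only shadowed by the union of several earlier rules, object-groups, or port ranges.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed access-list (not from a real device). Evaluated top to bottom.
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip 198.51.100.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit tcp host 198.51.100.7 host 203.0.113.10 eq 22
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
"""

ADDR = r"(any|host \S+|\S+ \S+)"
RULE_RE = re.compile(
    rf"access-list (\S+) extended (permit|deny) (ip|tcp|udp) {ADDR} {ADDR}(?: eq (\d+))?$"
)


@dataclass
class Rule:
    line_no: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means any destination port


def parse_addr(text: str) -> ipaddress.IPv4Network:
    """Convert 'any', 'host A.B.C.D' or 'A.B.C.D MASK' into a network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32")
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # lines outside the supported form are skipped
        _name, action, proto, src, dst, port = m.groups()
        rules.append(Rule(line_no, action, proto, parse_addr(src), parse_addr(dst),
                          int(port) if port else None))
    return rules


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matching 'later' would already match 'earlier'."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    port_ok = earlier.port is None or earlier.port == later.port
    return (proto_ok and port_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_line, shadowing_line) pairs, first shadowing rule only."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later.line_no, earlier.line_no))
                break
    return found


if __name__ == "__main__":
    for shadowed, by in find_shadowed(parse_acl(SAMPLE_ACL)):
        print(f"line {shadowed} is shadowed by line {by}")
```

In the sample, line 3 (a permit for SSH from one host) is shadowed by the deny on line 2, so the intended exception never takes effect; line 4 is shadowed by the broader permit on line 1 and is simply redundant.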

Evaluate Policy Hit Rates

Determine if the rules in your policies are actually evaluating network traffic. Security Cloud Control gathers hit rate data on the rules in your policies every hour. The longer your devices are managed by Security Cloud Control the more meaningful the hit rate data on a particular rule is. Filter ASA access policies by hit count over the time period you're interested in to see if it is getting hit. If it is not, consider rewriting the policy or deleting it.

Troubleshoot Policies

You can use the ASA Packet Tracer to test the path of a synthetic packet through a policy and determine if a rule is inadvertently blocking or allowing access.

Upgrade ASA and ASDM

Next, upgrade to the newest version of ASA and ASDM. Customers have reported time-savings of 75%-90% when upgrading their ASAs using Security Cloud Control.

Security Cloud Control provides a wizard that allows you to upgrade the ASA and ASDM images installed on an individual ASA or on multiple ASAs in single-context or multi-context mode. Security Cloud Control maintains a database of ASA and ASDM images.

Security Cloud Control performs the necessary upgrade compatibility checks behind the scenes. The wizard guides you through the process of choosing compatible ASA and ASDM images, installing them, and rebooting the device to complete the upgrade. Security Cloud Control secures the upgrade process by validating that the images you chose on Security Cloud Control are the ones copied to, and installed on, your ASA.

Security Cloud Control periodically reviews its database and adds the newest ASA and ASDM images to it. Security Cloud Control only supports generally available (GA) images and does not add custom images to its database. If you do not see a specific GA image in the list, please contact Cisco TAC from the Contact Support page. We will process your request using the established support ticket SLAs and upload the missing GA image.

Review Upgrade ASA and ASDM Images on a Single ASA and then continue with Upgrade Multiple ASAs with Images from your own Repository to learn more about upgrading your ASAs.

Monitor and Manage VPN Connections

Review Site-to-Site VPN Issues

Security Cloud Control reports VPN issues present on ASA devices in your network. You can look at your environment in two ways: as a table listing VPN peers, or as a map showing your VPN connections in a hub-and-spoke topology. Use the filter sidebar to search for VPN tunnels that need your attention.

Use Security Cloud Control to evaluate your VPN tunnels:

  • Check Site-to-Site VPN Tunnel Connectivity

  • Find VPN Tunnels with Missing Peers

  • Find VPN Peers with Encryption Key Issues

  • Find Incomplete or Misconfigured Access Lists Defined for a Tunnel

  • Find Issues in Tunnel Configuration

Onboard Unmanaged Site-to-Site VPN Peers

Security Cloud Control also identifies unmanaged VPN peers. Once you identify those devices, use Onboard an Unmanaged Site-to-Site VPN Peer to onboard the device and manage it with Security Cloud Control as well.

ASA Remote Access VPN Support

Security Cloud Control allows creating remote access virtual private network (RA VPN) configurations to allow users to securely access enterprise resources when connecting through the ASA. When your ASAs are onboarded to Security Cloud Control, Security Cloud Control recognizes any RA VPN settings that have already been configured using ASDM or Cisco Security Manager (CSM) so that you can manage them with Security Cloud Control.

AnyConnect is the only client that is supported on endpoint devices for RA VPN connectivity.

Security Cloud Control supports the following aspects of RA VPN functionality on ASA devices:

  • SSL client-based remote access

  • IPv4 and IPv6 addressing

  • Shared RA VPN configuration across multiple ASA devices

See Configure Remote Access Virtual Private Network for ASA for more information.

Monitor Device Configuration Synchronization

Security Cloud Control periodically compares the device configuration it has stored in its database with the one installed on the ASA. The ASA you onboarded to Security Cloud Control can still be managed by the device's Adaptive Security Device Manager (ASDM), so Security Cloud Control makes sure that the configuration it has is the same as the configuration on the device and alerts you to differences. See Conflict Detection for more information about the Synced, Not Synced, or Conflict Detected device states.

Keep Track of Changes in the Change Log

The changes you make to your device's configurations are recorded in the Manage Change Logs in Security Cloud Control. The change log displays information like changes deployed from Security Cloud Control to your device, changes imported from your device to Security Cloud Control, what the change was along with the ability to see a "diff" of that change, when it happened, and who did it.

You can also create and apply a custom label that uses your company's tracking number to the changes you make. In the change log, you can filter the list of changes by that custom label, by a date range, by a specific user, or by change type to find what you're looking for.

Restore a Previous Configuration

If you make changes to an ASA that you want to "undo," you can use Security Cloud Control to restore the device to a previous configuration. See Restore an ASA Configuration for more information.

Managing Devices Using a Command Line Interface and Command Macros

Security Cloud Control is a web-based management product that provides you with both a graphical user interface (GUI) and a command line interface (CLI) to manage your devices one at a time or many at once.

ASA CLI users will appreciate the extra capabilities of our CLI tool. Here are some of the reasons to use Security Cloud Control's CLI tool rather than connecting to the device with an SSH session:

  • Security Cloud Control knows what user mode is needed for a command. You do not need to elevate or lower your permission level to execute a command, nor do you need to enter the specific command context to execute a command.

  • Security Cloud Control retains command history, so you can easily re-run a command by picking it from a list.

  • CLI actions are logged in the change log, so you can read what command was sent and what action was taken.

  • Commands can be run in bulk mode, allowing you to deploy objects or policies to multiple devices simultaneously.

  • Security Cloud Control supplies CLI macros. CLI macros are stored ready-to-use commands you can run as they are, or "fill-in-the-blank" CLI commands you can complete and run. You can run these commands on one device or send the command to multiple ASAs at the same time.

  • CLI provides you with the complete ASA configuration file. You can view it or, if you are an advanced user, edit it directly and save your changes rather than issuing CLI commands to change it.

Cisco Security Analytics and Logging

With additional licensing, Cisco Security Analytics and Logging allows you to direct syslog events and Netflow Secure Event Logging (NSEL) events from your ASA to a Secure Event Connector (SEC), which then forwards them to the Cisco cloud. Once in the cloud, you can view those events in Security Cloud Control's Event Logging page. There you can filter and review the events to gain a clear understanding of what security rules are triggering in your network. For more information, see Events in Security Cloud Control.

In addition to monitoring events, you can launch the Secure Cloud Analytics portal from the Security Cloud Control to perform behavioral analysis on the events that were logged.

See Implementing Secure Logging Analytics (SaaS) for ASA Devices for a complete explanation of how to implement Cisco Security Analytics and Logging.

What to do Next

Now you can begin onboarding your ASAs and orchestrating your policies.

The Firewall Dashboard

The Firewall dashboard is your central hub for monitoring and managing tenant-level details across various categories. Upon logging in, you can access a customizable dashboard that offers critical insights and actions to optimize security and operational efficiency.

Customize Your Dashboard

Make your dashboard fit your specific needs by customizing the visible widgets.

  1. On the Home page, click Customize.

  2. Select or deselect the widgets you want to view on the dashboard.

  3. You can drag and drop the widgets to arrange them as you prefer.

The dashboard is divided into three main sections: Top Insights & Alerts, Top Actions, and Top Information. Each section provides different categories of insights to help you maintain optimal security and operational control.

Top Insights & Alerts

This section is visible only if AIOps Insights is enabled for your tenant. You can view insights related to high traffic caused by elephant flows, RA VPN forecast, access control policy anomalies, high CPU and memory usage, snort CPU and memory usage.

Top Actions

This section is visible only if AIOps Insights is enabled for your tenant. If enabled, you can view the following widgets:

  • Policy Analyzer and Optimizer: Analyzes security policies, detects anomalies, and provides optimization recommendations to improve firewall performance.

    For more information, see Policy Analyzer and Optimizer.

  • AIOps Insights: Offers detailed information on all active insights and trends, categorizing anomalies by Configuration, Health & Operations, or Traffic & Capacity.

    For more information, see AIOps Insights.

  • Feature Adoption: Provides insights into feature adoption rates to optimize usage patterns and enhance security measures.

    For more information, see Assess and Improve Feature Adoption.

Top Information

This section provides detailed insights into various tenant-level metrics. If enabled, you can view the following widgets:

  • Configuration States: Indicates the discrepancies between the configurations on your devices and those maintained by Security Cloud Control. This comparison helps identify any inconsistencies or conflicts that may exist.

    For more information, see Device Management.

  • Change Log Management: Helps you to manage the change logs for precise operational control. The widget displays Completed and Pending change logs.

    For more information, see Change Logs.

  • RA VPN Sessions: Helps you to monitor your Remote Access VPN sessions.

    For more information, see RA VPN Sessions.

  • Overall Inventory: Helps you to monitor the health and status of all devices. The widget displays the total number of devices, categorized into Issues, Pending Actions, Other, and Online.

    For more information, see All Devices.

  • Site-to-Site VPN: Helps you to manage and assess your site-to-site VPN connections. The widget displays the total number of VPN tunnels and the percentage that are Active and Idle.

    For more information, see Site-to-site VPN.

  • Accounts and Assets:

    • Helps you to track and manage your multicloud accounts and resources effectively. You can launch the Multicloud Defense Controller from here.

    • Click +Add Account to add a new account.

    For more information, see Multicloud Defense Controller.

  • Top Risky Destinations: Helps you identify and monitor the top risky destinations that are granted access. The widget lists Applications and URL Categories and allows you to filter data for the last 90, 60, or 30 days. You can filter between Allowed (default) and Blocked traffic.

  • Top Intrusion and Malware Events: Helps you to monitor and respond to top intrusion and malware events. The widget displays Intrusion Events and Malware Events and allows you to filter data for the last 90, 60, and 30 days. You can filter between Allowed (default) and Blocked events.

Figure 1. Dashboard with AIOps Insights Enabled

Announcements

Click the Announcements icon to look at the most recent Security Cloud Control features and updates. Links to related documentation are provided if you need more information on any of the items listed.