Introduction

About Cisco Security Cloud Control

Cisco Security Cloud Control is a security platform that allows you to manage your security products and achieve security outcomes from a single integrated interface.

Integrating security products in the platform is a streamlined experience. After purchasing your subscriptions to Cisco security products, you receive a single email, with a single claim code for all the subscriptions you purchased. Entering the claim code in your new Security Cloud Control organization provisions all your products to Security Cloud Control simultaneously.

Within Security Cloud Control, user and group management occurs at the platform level. Roles are assigned to these users and groups to define their privileges for administering Security Cloud Control and the integrated products.

Navigation between products and tools is intuitive and standardized with a common platform menu and toolbar for all integrated products.

Security Cloud Control provides these additional core services to all integrated products on the platform:

  • Platform Management: Common services such as managing role-based access control, claiming subscriptions and standardized regional deployment of product instances are provided by Security Cloud Control. By centralizing these functions, Security Cloud Control ensures a consistent user experience in provisioning and managing access across all Cisco security products managed from the platform. Administrators reach these common services from the Platform Management menu in the main navigation bar of Security Cloud Control.

  • AI Assistant: The Cisco AI Assistant in Security Cloud Control is designed to streamline security operations by providing AI-driven insights, automation, and contextual guidance. It assists administrators in managing security policies, troubleshooting issues, and optimizing configurations across Cisco’s security products, including Firewall, Duo, , and Secure Access. By leveraging natural language processing and cross-platform intelligence, the assistant enhances efficiency, accelerates incident response, and simplifies security workflows.

  • Global Search: The ability to search for values across products in the platform.

  • Shared Objects: Creating and managing objects that can be shared across devices and policies.

  • Unified documentation portal: A documentation "Help" experience where all documentation is accessible in one portal.

Products You Can Integrate with Security Cloud Control

From Security Cloud Control, you can manage all of these security products:

  • AI Defense

  • Firewall in Security Cloud Control

  • Multicloud Defense

  • Secure Access

  • Secure Workload

Learn more about these products at Products Supported by Security Cloud Control.

Products You Can Launch from Security Cloud Control

From Security Cloud Control, you can launch these security products. After launch, these products operate as standalone products and you cannot manage them through Security Cloud Control. You can only claim or deactivate the licenses of such products from Security Cloud Control.

In the Security Cloud Control toolbar, click the nine-dot menu to launch these products:

  • Cisco Secure Email Threat Defense

  • Cisco Secure Endpoint

  • Cisco Duo

  • Cisco XDR

Products Supported by Security Cloud Control

Currently, these are the products you can integrate with Security Cloud Control.

AI Defense: AI Defense addresses risks for users and providers of AI. Using network visibility and enforcement points in Security Cloud Control, AI Defense adds detection and enforcement measures to discover sanctioned and unsanctioned AI workloads, applications, models, data, and user access across your distributed cloud environment. For organizations that develop and deliver AI-powered services, AI Defense detects vulnerabilities in your AI models before they're delivered. For your running AI applications, AI Defense guardrails intercept rapidly evolving threats, including prompt injections, denial of service, and data leakage. See AI Defense Documentation for more information.

Firewall in Security Cloud Control: Firewall in Security Cloud Control (formerly Cisco Defense Orchestrator) is a cloud-based security policy manager that simplifies and unifies policy across your Cisco firewalls and other devices. See Firewall in Security Cloud Control Documentation for more information.

Multicloud Defense: Multicloud Defense provides a simplified and highly automated approach to multicloud security. This solution allows organizations to manage and secure their multicloud environments using a single SaaS-delivered control plane, and centralized or distributed PaaS-delivered data plane architectures. Multicloud Defense provides continuous visibility, unified protection and dynamic policy updates across all major cloud providers, thereby eliminating the need for separate point solutions for each cloud provider. See Multicloud Defense Documentation for more information.

Secure Access: Cisco Secure Access is a cloud-based platform that provides multiple levels of defense against internet-based threats. Connect securely to the internet, SaaS apps, and private digital resources from your organization's network or roaming off-network. Using policy rules, configure and enforce security controls on collections of resources, users, and devices. See Secure Access Documentation for more information. Secure Access subscriptions also include the Identity Intelligence integration via Security Cloud Control at no additional charge—this does not include access to the standalone Identity Intelligence dashboard. For more information, see Integrate Cisco Identity Intelligence with Secure Access.

Secure Workload: Cisco Secure Workload (formerly Tetration) seamlessly delivers zero-trust micro-segmentation across any workload, environment, or location from a single console. With comprehensive visibility into every workload interaction and powerful AI/ML-driven automation, Secure Workload reduces the attack surface by preventing lateral movement, identifies workload behavior anomalies, helps rapidly remediate threats, and continuously monitors policy compliance. See Secure Workload Documentation for more information.

About Firewall in Security Cloud Control

Firewall in Security Cloud Control (formerly Cisco Defense Orchestrator) simplifies the management of security policies in distributed environments, ensuring consistent policies across all managed firewalls. The firewalls and devices are managed in Firewall, which is listed under Products in Security Cloud Control.

It optimizes security policies by identifying inconsistencies and providing resolution tools. The platform enables object and policy sharing, as well as the creation of configuration templates, ensuring policy uniformity across devices.

Coexisting with local device managers like the Adaptive Security Device Manager (ASDM), Security Cloud Control tracks configuration changes made by both itself and other managers, reconciling any discrepancies.

Featuring an intuitive user interface, Security Cloud Control allows management of various devices from a single platform. Advanced users can also utilize an enhanced CLI interface for more efficient management.

The platform offers a guided "Day 0" experience, facilitating the quick onboarding of threat defense devices to your on-premises or Cloud-Delivered Firewall Management Center. It highlights key features for potential benefits and assists in their activation and configuration.

Onboard Devices

Before you onboard a device, make sure that you have successfully completed the installation wizard and licensed the device. Then use Security Cloud Control's onboarding wizard to onboard your device. Security Cloud Control can easily manage large deployments.

See Onboard Devices and Services.


Note


Once you have onboarded devices to a Security Cloud Control tenant, you cannot migrate the devices from one Security Cloud Control tenant to another. If you want to move your devices to a new tenant, you need to re-onboard the devices to the new tenant.


For a complete list of devices that Security Cloud Control supports and manages, see Supported Devices, Software, and Hardware.

Cisco Online Privacy Statement

Cisco Systems, Inc. and its subsidiaries (collectively "Cisco") are committed to protecting your privacy and providing you with a positive experience on our websites and while using our products and services ("Solutions"). Please read Cisco Online Privacy Statement carefully to get a clear understanding of how we collect, use, share, and protect your personal information.

Managing On-Premises Firewall Management Center with Security Cloud Control

About On-Premises Firewall Management Center

On-Premises Management Center support is limited to onboarding, viewing its managed devices, viewing and managing network objects, and cross-launching to the On-Premises Management Center UI to manage associated devices and objects. Additional features will be supported soon. For functionality that Security Cloud Control does not support at this time, you must use the On-Premises Management Center console. To learn more about the features provided by On-Premises Management Center, see the Cisco Secure Firewall Management Center Configuration Guide for the version your system is running.

The On-Premises Management Center is a centralized management console with graphical user interface that you can use to perform administrative, management, analysis, and reporting tasks. It is a management console that is comparable, but not identical, to ASDM and FDM.

For a list of On-Premises Management Center devices and software versions that Security Cloud Control supports, see Software and Hardware support by Security Cloud Control.

Version Support

Security Cloud Control supports version 6.4 and later. An On-Premises Management Center can manage older devices, usually a few major versions back. For example, devices running version 6.6.0 can manage a Version 6.4.0 device. If an On-Premises Management Center manages a device that is running a version earlier than 6.4, the device may be displayed in the Security Devices page, but you cannot deploy to it or modify its policies from Security Cloud Control. You must make changes and deploy from the On-Premises Management Center UI.


Note


If a managed device is disabled, or unreachable, Security Cloud Control may display the device in the Security Devices page, but cannot successfully send requests or view device information.


How does Security Cloud Control Communicate with an FMC

Security Cloud Control acts as a REST API client to send requests to the On-Premises Management Center, and the On-Premises Management Center then uses its designated client to channel the requests to its managed devices. Because the device does not allow multiple logins with the same login credentials, we recommend creating a new user on the On-Premises Management Center specifically for Security Cloud Control communication that has administrator-level permissions. This new user will have to be replicated on Security Cloud Control, as either a Security Cloud Control-provided Administrator or a custom user role with system and devices permission. Without an admin login, Security Cloud Control will not be able to successfully use REST API commands to modify or create policy, rules, or objects.

Onboard or Remove an On-Premises Management Center

You can onboard or remove an On-Premises Management Center at any time. The On-Premises Management Center and its registered device must be running at least Version 6.4 to be read by Security Cloud Control. To onboard an On-Premises Management Center and its registered devices, see Onboard an FMC.

Once an On-Premises Management Center is onboarded, select the On-Premises Management Center from Administration > Integrations > Firewall Management Center and click Devices under Management or any actions on the right pane to open up the Verify FMC Cross Launch URL wizard, which lets you enter the public IP address or the FQDN and the port number of your management center. Clicking Continue cross-launches to the selected On-Premises Management Center web UI in a new tab using the IP address you entered. You can also add external links manually in the Add External Links option under External Links on the right pane.

Removing an On-Premises Management Center from your Security Cloud Control tenant also removes the devices registered to that On-Premises Management Center. See Remove an FMC from Security Cloud Control for more information. If an On-Premises Management Center experiences an "Invalid Credentials" status after onboarding, you can reconnect the appliance. See Troubleshoot Invalid Credentials for more information.


Note


Devices running Firepower 6.6 do not support the reconnect feature. If you have to reconnect the appliance, we recommend removing the On-Premises Management Center and re-onboarding the appliance.


On-Premises Management Center High Availability Pairs

Security Cloud Control does not support high availability (HA) functionality for On-Premises Management Center appliances. If a pair of On-Premises Management Center appliances are configured for HA, the pair is listed as individual appliances in the Services page.

Devices Managed by an On-Premises Management Center

Once you onboard an On-Premises Management Center to Security Cloud Control, all of the devices registered to that On-Premises Management Center are also read into Security Cloud Control. From the Security Devices page, you can see device information such as name, IP address, type of device, software version, and the state. Note that your On-Premises Management Center is displayed on the Services page and the devices it manages are listed on the Security Devices page. In the Services page, you can see information such as version, devices managed, type of device, and status. Clicking the devices icon on the Services page, which displays the number of devices your FMC manages, takes you to the Security Devices page, with the device filter applied, so all the devices managed by the On-Premises Management Center you selected are displayed.

You can perform actions using relevant options in the Device Actions, Monitoring, Device Management, and Policies panels on the right pane in the Security Devices page. If you select a device that is currently managed by an FMC and click these options, Security Cloud Control automatically launches the On-Premises Management Center console that manages the devices using the cross-launch URL you had entered. Use the filter icon to further organize the Security Devices page. From here you can opt to view all the devices managed by the onboarded On-Premises Management Center, as well as the other supported device types. In addition, you can expand or collapse devices in a cluster and select them individually or as a group to perform actions.

Device Health Status

Security Cloud Control displays the health status of threat defense devices in the Security Devices page, such as Normal, Error, Warning, and Disabled; you can click the status of a device to navigate to the Health Monitoring page that corresponds to the device in the On-Premises Management Center user interface.


Note


Security Cloud Control keeps automatically updating the device health status every 10 minutes; however, you can do this manually by selecting the device and clicking Check for Changes.


Manage Security Policies in Security Cloud Control

Security policies examine network traffic with the ultimate goal of allowing the traffic to its intended destination or dropping it if a security threat is identified. You can use Security Cloud Control to configure security policies on many different types of devices.

Objects

After you onboard an On-Premises Management Center to Security Cloud Control, you can choose to discover objects from the On-Premises Management Center and manage them in Security Cloud Control. You can do this by navigating to Administration > Integrations > Firewall Management Center, selecting the desired On-Premises Management Center, and clicking Settings. You can turn the Discover & Manage Network Objects toggle button on; when this option is enabled, Security Cloud Control automatically reads all the objects from the On-Premises Management Center-managed devices into Security Cloud Control. Once imported, the objects can be managed from Security Cloud Control. Note that you need to have the super admin or admin user role to be able to use the Settings button.

When making a configuration change to an object from Security Cloud Control, the change gets staged in Security Cloud Control and you can manually push the change to the On-Premises Management Center after reviewing it from Pending Changes. In addition, when you make a configuration change to an object from the On-Premises Management Center user interface, Security Cloud Control detects those changes as out-of-band changes that can be synchronized later. If you want your changes to be automatically synchronized with on-premises management center and not staged for review, turn the Enable automatic sync of network objects toggle on.

If you have existing objects in Security Cloud Control that you want to assign to your On-Premises Management Center, select the On-Premises Management Center from the Services page and choose Assign Objects on the right pane. Security Cloud Control displays all the existing objects and lets you select ones that you want to associate with the On-Premises Management Center that you selected. This helps promote consistency in network object definitions across platforms managed by Security Cloud Control. Note that you can use the Assign Objects button only if Discover & Manage Network Objects is enabled for the selected on-premises management center.


Note


  • You cannot turn the Discover & Manage Network Objects toggle on if the on-premises management center that you have selected has one or more child domains or has the Change Management workflow enabled on it.

  • You cannot turn the Enable automatic sync of network objects toggle on if the Discover & Manage Network Objects toggle is turned off.


On-Premises Management Center supports the following object types:

  • Network Objects

  • Network-Group Objects

Object Issues

Security Cloud Control identifies duplicate, inconsistent, or unused objects. You can filter the issues based on their issue states. However, Security Cloud Control cannot resolve object issues.
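Because Security Cloud Control reports these issues but does not resolve them, it can help to reproduce the classification over an exported object list before cleaning up on the management center. The following is an added example, not Cisco code or part of the original page. The device names, the tuple layout, and the three definitions used (duplicate: same value under different names on one device; inconsistent: same name with different values across devices; unused: not referenced by any policy) are assumptions, since the page names the categories without defining them.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample inventory (hypothetical names and addresses):
# (device, object name, value, referenced by a policy or another object?)
SAMPLE_OBJECTS = [
    ("fmc-east", "web-servers", "10.1.10.0/24", True),
    ("fmc-east", "dmz-web", "10.1.10.0/24", True),       # same value, new name
    ("fmc-west", "web-servers", "10.2.10.0/24", True),   # same name, new value
    ("fmc-east", "old-lab", "192.168.50.0/24", False),   # nothing references it
    ("fmc-west", "dns", "10.0.0.53/32", True),
    ("fmc-east", "dns", "10.0.0.53", True),              # host written without /32
]


def normalize(value):
    """Return canonical CIDR text so '10.0.0.53' and '10.0.0.53/32' compare equal."""
    return str(ip_network(value, strict=False))


def find_object_issues(objects):
    """Classify network objects using the assumed definitions in the lead-in."""
    names_by_device_value = defaultdict(set)   # (device, value) -> {names}
    values_by_name = defaultdict(dict)         # name -> {device: value}
    unused = []

    for device, name, value, referenced in objects:
        canon = normalize(value)
        names_by_device_value[(device, canon)].add(name)
        values_by_name[name][device] = canon
        if not referenced:
            unused.append((device, name))

    # Duplicate: one device holds the same value under more than one name.
    duplicate = [
        (device, value, sorted(names))
        for (device, value), names in sorted(names_by_device_value.items())
        if len(names) > 1
    ]
    # Inconsistent: one name resolves to different values on different devices.
    inconsistent = [
        (name, dict(sorted(per_device.items())))
        for name, per_device in sorted(values_by_name.items())
        if len(set(per_device.values())) > 1
    ]
    return {
        "duplicate": duplicate,
        "inconsistent": inconsistent,
        "unused": sorted(unused),
    }


if __name__ == "__main__":
    for issue, findings in find_object_issues(SAMPLE_OBJECTS).items():
        print(issue)
        for finding in findings:
            print("  ", finding)
```

Normalizing values before comparison keeps a host address written with and without its prefix length from being reported as an inconsistency.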

Eventing

Searching and filtering the Historical and Live event tables for specific events works the same way as it does when searching and filtering for other information in Security Cloud Control. For more information, see Firepower Management Center and Cisco Security Analytics and Logging (SaaS) Integration Guide.

Cisco Security Analytics and Logging

Cisco Security Analytics and Logging allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your devices and view them in one place in Security Cloud Control.

The events are stored in the Cisco cloud and viewable from the Event Logging page in Security Cloud Control where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.

With the Firewall Analytics and Monitoring package, the system can apply Secure Cloud Analytics dynamic entity modeling to your events, and use behavioral modeling analytics to generate Secure Cloud Analytics observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your device events and your network traffic, and generates observations and alerts. You can cross-launch from Security Cloud Control to a Secure Cloud Analytics portal provisioned for you, using Cisco Single Sign-On.

The Firewall Dashboard

The Firewall dashboard is your central hub for monitoring and managing tenant-level details across various categories. Upon logging in, you can access a customizable dashboard that offers critical insights and actions to optimize security and operational efficiency.

Customize Your Dashboard

Make your dashboard fit your specific needs by customizing the visible widgets.

  1. On the Home page, click Customize.

  2. Select or deselect the widgets you want to view on the dashboard.

  3. You can drag and drop the widgets to arrange them as you prefer.

The dashboard is divided into three main sections: Top Insights & Alerts, Top Actions, and Top Information. Each section provides different categories of insights to help you maintain optimal security and operational control.

Top Insights & Alerts

This section is visible only if AIOps Insights is enabled for your tenant. You can view insights related to high traffic caused by elephant flows, RA VPN forecast, access control policy anomalies, high CPU and memory usage, and Snort CPU and memory usage.

Top Actions

This section is visible only if AIOps Insights is enabled for your tenant. If enabled, you can view the following widgets:

  • Policy Analyzer and Optimizer: Analyzes security policies, detects anomalies, and provides optimization recommendations to improve firewall performance.

    For more information, see Policy Analyzer and Optimizer.

  • AIOps Insights: Offers detailed information on all active insights and trends, categorizing anomalies by Configuration, Health & Operations, or Traffic & Capacity.

    For more information, see AIOps Insights.

  • Feature Adoption: Provides insights into feature adoption rates to optimize usage patterns and enhance security measures.

    For more information, see Assess and Improve Feature Adoption.

Top Information

This section provides detailed insights into various tenant-level metrics. If enabled, you can view the following widgets:

  • Configuration States: Indicates the discrepancies between the configurations on your devices and those maintained by Security Cloud Control. This comparison helps identify any inconsistencies or conflicts that may exist.

    For more information, see Device Management.

  • Change Log Management: Helps you to manage the change logs for precise operational control. The widget displays Completed and Pending change logs.

    For more information, see Change Logs.

  • RA VPN Sessions: Helps you to monitor your Remote Access VPN sessions.

    For more information, see RA VPN Sessions.

  • Overall Inventory: Helps you to monitor the health and status of all devices. The widget displays the total number of devices, categorized into Issues, Pending Actions, Other, and Online.

    For more information, see All Devices.

  • Site-to-Site VPN: Helps you to manage and assess your site-to-site VPN connections. The widget displays the total number of VPN tunnels and the percentage that are Active and Idle.

    For more information, see Site-to-site VPN.

  • Accounts and Assets:

    • Helps you to track and manage your multicloud accounts and resources effectively. You can launch the Multicloud Defense Controller from here.

    • Click +Add Account to add a new account.

    For more information, see Multicloud Defense Controller.

  • Top Risky Destinations: Helps you identify and monitor the top risky destinations that are granted access. The widget lists Applications and URL Categories and allows you to filter data for the last 90, 60, or 30 days. You can filter between Allowed (default) and Blocked traffic.

  • Top Intrusion and Malware Events: Helps you to monitor and respond to top intrusion and malware events. The widget displays Intrusion Events and Malware Events and allows you to filter data for the last 90, 60, and 30 days. You can filter between Allowed (default) and Blocked events.

Figure 1. Dashboard with AIOps Insights Enabled

Announcements

Click the Announcements icon to look at the most recent Security Cloud Control features and updates. Links to related documentation are provided if you need more information on any of the items listed.