Device Onboarding in Security Cloud Control

You can onboard both live devices and model devices to Security Cloud Control. Model devices are uploaded configuration files that you can view and edit using Security Cloud Control.

Most live devices and services require an open HTTPS connection so that the Secure Device Connector can connect Security Cloud Control to the device or service.

See About Secure Device Connector for more information on the SDC and its state.


Supported Devices, Software, and Hardware for Security Cloud Control Firewall Management

Security Cloud Control Firewall Management is a cloud-based management solution enabling the management of security policies and device configurations across multiple security platforms.

This section describes the supported device types, software, hardware, and constraints for managing firewall, cloud, SD-WAN, Cisco IOS, Cisco Umbrella, and management center integrations in Security Cloud Control Firewall Management.

Support scope

Security Cloud Control Firewall Management is a cloud-based management solution for security policies and device configurations across multiple security platforms. It supports these management areas:

  • Cisco Secure Firewall ASA, both on-premises and virtual

  • Cisco Secure Firewall Threat Defense (FTD), both on-premises and virtual

  • Cisco Catalyst SD-WAN Manager

  • Cisco Secure Firewall Management Center, on-premises

  • Cisco Meraki MX

  • Cisco IOS devices

  • Cisco Umbrella

  • AWS Security Groups

Security Cloud Control Firewall Management documentation identifies the devices, software, and hardware that Security Cloud Control Firewall Management supports. If the documentation does not explicitly claim support for a software version or device type, Security Cloud Control Firewall Management does not support it.

Cisco Secure Firewall ASA

Cisco Adaptive Security Appliance (ASA) is a security device that integrates firewall, VPN, and intrusion prevention capabilities. Security Cloud Control supports ASA device management to streamline configuration management and support regulatory compliance across the network infrastructure.

Cisco Secure Firewall Threat Defense

Cisco Secure Firewall Threat Defense integrates traditional firewall features with advanced threat protection capabilities. It includes security functions such as intrusion prevention, application control, URL filtering, and advanced malware protection.

A Secure Firewall Threat Defense device can be deployed on ASA hardware appliances, Cisco firewall hardware appliances, and virtual environments. You can manage threat defense devices through management interfaces such as Cisco Firewall Management Center, Security Cloud Control, and Firewall Device Manager.


For more information on software and hardware compatibility, see the Cisco Secure Firewall Threat Defense Compatibility Guide.

Firewall Device Manager is a web-based management interface explicitly designed for threat defense device management. It provides a simplified approach for configuring and monitoring threat defense devices, making it ideal for smaller-scale deployments or organizations preferring an intuitive interface.

FDM offers basic configuration capabilities for network settings, access control policies, NAT rules, VPN configuration, monitoring, and basic troubleshooting. Typically accessed through a web browser, FDM is directly available on the FTD device, eliminating the need for additional management servers or appliances.

Cisco Catalyst SD-WAN Manager

Security Cloud Control offers centralized management for Catalyst SD-WAN and Branch WAN environments, allowing organizations to efficiently configure, monitor, and enforce security policies across their networks. This integration also facilitates advanced troubleshooting, rule optimization, and change management on the Catalyst SD-WAN Manager.

For more information on software and hardware compatibility, see Cisco Catalyst SD-WAN Device Compatibility.

Cisco Secure Firewall Management Center

Security Cloud Control Firewall Management simplifies the management of on-premises Firewall Management Center by establishing a secure integration, discovering security devices, and enabling centralized policy management. Security policies such as firewall rules, VPN settings, and intrusion prevention policies can be efficiently managed and deployed across all devices under FMC.

Cisco Meraki MX

The Cisco Meraki MX appliance is an enterprise-grade security and SD-WAN next-generation firewall appliance for decentralized deployments. Security Cloud Control Firewall Management supports management of layer 3 network rules on Meraki MX devices.

When you onboard a Meraki device to Security Cloud Control Firewall Management, Security Cloud Control Firewall Management communicates with the Meraki dashboard to manage that device. Security Cloud Control Firewall Management transfers configuration requests to the Meraki dashboard, and the Meraki dashboard applies the new configuration to the device.

Security Cloud Control Firewall Management support for Cisco Meraki MX includes centralized policy management, backup and restore, monitoring and reporting, compliance checking, and automation capabilities.

Cisco IOS devices

Cisco IOS software manages network functions such as routing, switching, and other networking protocols. Cisco IOS includes features and commands to configure and maintain Cisco network devices.

Cisco Umbrella

Security Cloud Control Firewall Management manages Cisco Umbrella through integrations such as the Umbrella ASA Integration. This integration lets administrators include Cisco Adaptive Security Appliance (ASA) devices in their Umbrella configuration by using per-interface policies.

The integration enables ASA devices to redirect DNS queries to Umbrella and use Umbrella DNS security, web filtering, and threat intelligence capabilities.

AWS Security Groups

Security Cloud Control Firewall Management provides a simplified management interface for Amazon Web Services (AWS) Virtual Private Clouds (VPCs). Capabilities include monitoring AWS Site-to-Site VPN connections, tracking changes to AWS devices, and viewing AWS Site-to-Site VPN tunnels.

Switching and Routing Support Specifics

The following table describes Cisco IOS software and device type support for devices specific to switching and routing. Read the affiliated links for more information about onboarding and feature functionality for the device types in the table below:

Device Types    Notes
Cisco IOS       Security Cloud Control supports devices running Cisco IOS version 12.4 or later.

Onboard a Cisco IOS Device

You can onboard a live Cisco device running Cisco IOS (Internetwork Operating System).

Before you begin

Before you begin, ensure that all prerequisites are met.

  • Your Cisco IOS server must support ciphers that are compatible with Security Cloud Control. Currently, Security Cloud Control supports a limited set of ciphers for onboarding Cisco IOS devices. Supported ciphers are aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes128-gcm@openssh.com, aes256-gcm, aes256-gcm@openssh.com.

    Log in to your Secure Device Connector (SDC) and run the command ssh -vv <ip_address> to view the ciphers your server supports.

  • You must have an active on-premises Secure Device Connector (SDC) in your network to add a Cisco IOS device.

    For more information about SDCs and deployment scenarios, refer to About Secure Device Connector.
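The cipher prerequisite above can be checked mechanically rather than by reading `ssh -vv` output by eye. The following POSIX shell script is an added example and is not part of the Security Cloud Control documentation or the SDC tooling: it extracts the device's own cipher proposal from `ssh -vv` debug output (the `debug2: ciphers ctos:` line that follows `debug2: peer server KEXINIT proposal`) and reports which of the ciphers listed in the prerequisite the device offers. The `ssh -vv` output embedded in the script is constructed sample data; the function names (`server_ciphers`, `supported_server_ciphers`, `check_ciphers`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Security Cloud Control documentation): check whether a
# Cisco IOS device offers at least one cipher that Security Cloud Control accepts
# for onboarding, using the KEXINIT proposal that `ssh -vv` prints.

# Ciphers listed as supported in the onboarding prerequisites.
SCC_SUPPORTED="aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes128-gcm@openssh.com aes256-gcm aes256-gcm@openssh.com"

# Constructed sample of the relevant `ssh -vv` lines (real output is much longer).
# The "peer server KEXINIT proposal" block is what the device itself offers; the
# "local client KEXINIT proposal" block above it is only what the SDC's client offers.
SAMPLE_SSH_VV='debug2: local client KEXINIT proposal
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes256-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes256-ctr
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none'

# Constructed sample of a legacy device that offers only CBC ciphers (onboarding fails).
SAMPLE_LEGACY='debug2: local client KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc'

# server_ciphers: print the ciphers the device offers (client-to-server list from
# the peer/server KEXINIT block), one per line.
server_ciphers() {
    printf '%s\n' "$1" | awk '
        /peer server KEXINIT proposal/ { srv = 1 }
        srv && /^debug2: ciphers ctos: / { sub(/^debug2: ciphers ctos: /, ""); print; exit }
    ' | tr ',' '\n'
}

# supported_server_ciphers: intersection of what the device offers and what
# Security Cloud Control supports, one per line (empty when onboarding would fail).
supported_server_ciphers() {
    for c in $(server_ciphers "$1"); do
        for s in $SCC_SUPPORTED; do
            [ "$c" = "$s" ] && printf '%s\n' "$c"
        done
    done
    return 0
}

# check_ciphers: exit status 0 when at least one compatible cipher is offered,
# 1 otherwise (so the check can gate an onboarding runbook).
check_ciphers() {
    matches=$(supported_server_ciphers "$1")
    if [ -n "$matches" ]; then
        echo "Compatible ciphers offered by the device:"
        printf '  %s\n' $matches
        return 0
    fi
    echo "No Security Cloud Control compatible cipher offered; onboarding will fail." >&2
    return 1
}

check_ciphers "$SAMPLE_SSH_VV"
check_ciphers "$SAMPLE_LEGACY" || echo "(legacy sample rejected as expected)"
```

On a real SDC, capture the debug output with `out=$(ssh -vv -o BatchMode=yes <ip_address> 2>&1)` and call `check_ciphers "$out"`. The cipher negotiation happens before authentication, so the KEXINIT lines are printed even though `BatchMode=yes` prevents a password prompt and the login itself fails. Note that the list the device prints is a proposal: if no entry intersects the SCC_SUPPORTED set, the fix is on the device side (enabling a CTR or GCM cipher for SSH), not in Security Cloud Control.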

Procedure


Step 1

Click Security Devices

Step 2

Click the blue add button to begin onboarding the device.

Step 3

Click the Integrations tile.

If the tile is grayed out, there is no active Secure Device Connector deployed in your network for your Security Cloud Control tenant.

Step 4

Enter these details in the Locate Device page.

  1. Select IOS from the drop-down list under Create Integrations.

  2. Click the About Secure Device Connector button and select the SDC in your network that this device will communicate with. The default SDC appears. To choose a different SDC, click the SDC name.

  3. Enter a name for the device.

  4. Enter the device location (FQDN or IPv4).

  5. Enter the port number. The default connection port is 22.

  6. Click Next.

Step 5

Enter these details in the SSH Fingerprint page.

  1. Enter the device administrator name and password.

    Note: Currently, Security Cloud Control does not support connections using public key authentication.

  2. If you have set an enable password on the device, enter it in the Enable Password field.

  3. Click Next.

    You can download and review the SSH fingerprint by clicking the copy icon.

Step 6

(Optional) Enter a label for the device in the Done page. For more information about labels and label groups, refer to Labels and Label Groups.

Step 7

Click Go to Security Devices to return to the Security Devices page.

After successful onboarding, the Configuration Status changes to 'Synced,' and Connectivity changes to 'Online.'

To write a note about the device, enter it in the Device Notes page for the device. For more information about the notes page, refer to Device Notes.

Create and Import an ASR or ISR Model

When you onboard a Cisco Integrated Services Router (ISR) or Aggregation Services Router (ASR) device to Security Cloud Control, the device’s running configuration is represented as a Cisco IOS model. This model is a copy of the device configuration and is used to centrally manage supported security settings, such as firewall and VPN policies. You can download the Cisco IOS model as a text file and import it into another tenant that you manage to replicate or reuse the configuration.

Download ASR or ISR Configuration

You can download the configuration for an onboarded Integrated Services Router (ISR) or Aggregation Services Router (ASR) device from Security Cloud Control and use it to bootstrap the device or save its current managed configuration locally.

Procedure

Step 1

Click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the IOS tab and select a device.

Step 4

Click Configuration under the Management section.

Step 5

Click Download to download the device configuration to your local computer.

Device configuration page.

Import ASR or ISR Configuration

You can import an Integrated Services Router (ISR) or Aggregation Services Router (ASR) configuration file into Security Cloud Control without onboarding a physical device. Uploading a text-based configuration file creates a model device in Security Cloud Control. You can use this model for analysis, labeling, and policy management. After you import and process the configuration, the model appears in the Security Devices list for further use.

Procedure

Step 1

Click Security Devices.

Step 2

Click the blue add button to import the configuration.

Step 3

Click the Import tile.

Step 4

Enter these details in the Configuration for Model Device page.

  1. Enter a name for the device.

  2. Select the Device Type as ASR or ISR.

  3. Click Browse and select the configuration file (text format) to upload.

  4. Click Upload.

Step 5

Once the configuration is verified, you are prompted to label the device or service. For more information about labels and label groups, refer to Labels and Label Groups.

Step 6

After labeling your model device, you can view it in the Security Devices list.

Note: The system may take some time to analyze the configuration, depending on its size and the number of devices or services.


Import Configuration for Offline Device Management

Importing a device configuration for offline management allows you to review, analyze, and optimize the settings of a device without requiring access to a live device in your network. In Security Cloud Control, these uploaded configuration files are referred to as models. A model is a copy of a device configuration that can be used for policy review, planning, and reuse.

You can import the configurations for the following device types into Security Cloud Control:

  • Cisco IOS devices such as Aggregation Services Routers (ASRs) and Integrated Services Routers (ISRs): You can upload a text-based running configuration file to create an IOS model for offline analysis and reuse. For more information, refer to Create and Import an ASR or ISR Model.

After you import and process a configuration file, the model appears in the Security Devices list, where it can be labeled, reviewed, and managed like other supported devices in Security Cloud Control.

Delete a Device from Security Cloud Control

Follow these steps to delete a device from Security Cloud Control:

Procedure


Step 1

Choose Security Devices.

Step 2

Select the device you want to delete.

Step 3

Click Remove in the Device Actions pane.

Step 4

To confirm device removal, click OK.

To keep the device onboarded, click Cancel.