Device Onboarding in Security Cloud Control

You can onboard both live devices and model devices to Security Cloud Control. Model devices are uploaded configuration files that you can view and edit using Security Cloud Control.

Most live devices and services require an open HTTPS connection so that the Secure Device Connector can connect Security Cloud Control to the device or service.

See About Secure Device Connector for more information on the SDC and its state.

Supported Devices, Software, and Hardware for Security Cloud Control Firewall Management

Security Cloud Control Firewall Management is a cloud-based management solution enabling the management of security policies and device configurations across multiple security platforms.

This section describes the supported device types, software, hardware, and constraints for managing firewall, cloud, SD-WAN, Cisco IOS, Cisco Umbrella, and management center integrations in Security Cloud Control Firewall Management.

Support scope

Security Cloud Control Firewall Management supports these management areas:

  • Cisco Secure Firewall ASA, both on-premises and virtual

  • Cisco Secure Firewall Threat Defense (FTD), both on-premises and virtual

  • Cisco Catalyst SD-WAN Manager

  • Cisco Secure Firewall Management Center, on-premises

  • Cisco Meraki MX

  • Cisco IOS devices

  • Cisco Umbrella

  • AWS Security Groups

Security Cloud Control Firewall Management documentation identifies the devices, software, and hardware that Security Cloud Control Firewall Management supports. If the documentation does not explicitly claim support for a software version or device type, Security Cloud Control Firewall Management does not support it.

Cisco Secure Firewall ASA

Cisco Adaptive Security Appliance (ASA) is a security device that integrates firewall, VPN, and intrusion prevention capabilities. Security Cloud Control supports ASA device management to streamline configuration management and support regulatory compliance across the network infrastructure.

Cisco Secure Firewall Threat Defense

Cisco Secure Firewall Threat Defense integrates traditional firewall features with advanced threat protection capabilities. It includes security functions such as intrusion prevention, application control, URL filtering, and advanced malware protection.

A Secure Firewall Threat Defense device can be deployed on ASA hardware appliances, Cisco firewall hardware appliances, and virtual environments. You can manage threat defense devices through management interfaces such as Cisco Firewall Management Center, Security Cloud Control, and Firewall Device Manager.

For more information on software and hardware compatibility, see the Cisco Secure Firewall Threat Defense Compatibility Guide.

Firewall Device Manager is a web-based management interface explicitly designed for threat defense device management. It provides a simplified approach for configuring and monitoring threat defense devices, making it ideal for smaller-scale deployments or organizations preferring an intuitive interface.

FDM offers basic configuration capabilities for network settings, access control policies, NAT rules, VPN configuration, monitoring, and basic troubleshooting. Typically accessed through a web browser, FDM is directly available on the FTD device, eliminating the need for additional management servers or appliances.

Cisco Catalyst SD-WAN Manager

Security Cloud Control offers centralized management for Catalyst SD-WAN and Branch WAN environments, allowing organizations to efficiently configure, monitor, and enforce security policies across their networks. This integration also facilitates advanced troubleshooting, rule optimization, and change management on the Catalyst SD-WAN Manager.

For more information on software and hardware compatibility, see Cisco Catalyst SD-WAN Device Compatibility.

Cisco Secure Firewall Management Center

Security Cloud Control Firewall Management simplifies the management of on-premises Firewall Management Center by establishing a secure integration, discovering security devices, and enabling centralized policy management. Security policies such as firewall rules, VPN settings, and intrusion prevention policies can be efficiently managed and deployed across all devices under FMC.

Cisco Meraki MX

The Cisco Meraki MX appliance is an enterprise-grade security and SD-WAN next-generation firewall appliance for decentralized deployments. Security Cloud Control Firewall Management supports management of layer 3 network rules on Meraki MX devices.

When you onboard a Meraki device to Security Cloud Control Firewall Management, Security Cloud Control Firewall Management communicates with the Meraki dashboard to manage that device. Security Cloud Control Firewall Management transfers configuration requests to the Meraki dashboard, and the Meraki dashboard applies the new configuration to the device.

Security Cloud Control Firewall Management support for Cisco Meraki MX includes centralized policy management, backup and restore, monitoring and reporting, compliance checking, and automation capabilities.

Cisco IOS devices

Cisco IOS software manages network functions such as routing, switching, and other networking protocols. Cisco IOS includes features and commands to configure and maintain Cisco network devices.

Cisco Umbrella

Security Cloud Control Firewall Management manages Cisco Umbrella through integrations such as the Umbrella ASA Integration. This integration lets administrators include Cisco Adaptive Security Appliance (ASA) devices in their Umbrella configuration by using per-interface policies.

The integration enables ASA devices to redirect DNS queries to Umbrella and use Umbrella DNS security, web filtering, and threat intelligence capabilities.

AWS Security Groups

Security Cloud Control Firewall Management provides a simplified management interface for Amazon Web Services (AWS) Virtual Private Clouds (VPCs). Capabilities include monitoring AWS Site-to-Site VPN connections, tracking changes to AWS devices, and viewing AWS Site-to-Site VPN tunnels.

Cloud Device Support Specifics

The following table describes software and device type support for cloud-based devices. Read the affiliated links for more information about onboarding and feature functionality for the device types in the table below:

Device Type: Meraki Security Appliance

  • MX Series

  • Meraki Templates

Notes: Meraki MX devices and the Meraki dashboard receive regular software updates through the Meraki cloud. Security Cloud Control Firewall Management works with the latest version of the Meraki dashboard to manage layer 3 network rules enforced by Meraki MX devices. Register the MX device to the Meraki dashboard, or create the template in the Meraki dashboard, before onboarding it to Security Cloud Control Firewall Management. For more information, refer to Managing Meraki with Security Cloud Control.

Device Type: Google Cloud Platform

Notes: Google Cloud Platform (GCP) receives updates through the GCP console. Refer to Google Cloud documentation for more information about the platform and available services.

Device Type: Microsoft Azure

Notes: Azure receives updates through the Azure console. Refer to Azure documentation for more information about the platform and available services.

Onboard Cisco Meraki MX Devices

This chapter provides steps to onboard a Cisco Meraki MX device.

Onboard Meraki MX to Security Cloud Control

MX devices can be managed by both Security Cloud Control and the Meraki dashboard. Security Cloud Control deploys configuration changes to the Meraki dashboard. The dashboard then securely deploys the configuration to the device.

Before you begin

  • For information about connecting Security Cloud Control to your managed devices, refer to Allow inbound access for direct cloud connectivity.

  • For information about how Security Cloud Control communicates with Meraki, refer to How Does Security Cloud Control Communicate With Meraki.

  • You must first register the Meraki MX in the Meraki dashboard. Without access to the Meraki dashboard, your organization will not be recognized by the Meraki cloud. As a result, you will not be able to generate an API token to onboard your device.

  • Security Cloud Control converts invalid CIDR prefix notation IP addresses and IP address ranges to valid form by setting all bits associated with the host to zero.

  • Onboarding Meraki MX devices or templates no longer requires a connection through a Secure Device Connector (SDC). If you have Meraki MX devices that were previously onboarded and connect to Security Cloud Control using an SDC, their connection will continue to work. If you remove and re-onboard the device or update its connection credentials, the connection will stop working.

  • MX devices do not need to be connected to the Meraki cloud to be managed by Security Cloud Control. If an MX device has never connected to the cloud, the device connectivity is listed as unreachable. This status is normal and does not affect your ability to manage the device or deploy policies to the device.
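The host-bit zeroing described in the prerequisites above can widen a rule: an entry written for one host with a subnet prefix becomes the whole subnet. The following is an added example, not part of the Cisco documentation, that audits a rule set for entries that would be rewritten; the rule field names (comment, srcCidr, destCidr) and the sample rules are constructed assumptions.

```python
import ipaddress

def zero_host_bits(entry):
    """Return (normalized_cidr, changed, address_count) for one CIDR entry."""
    iface = ipaddress.ip_interface(entry.strip())  # ValueError on malformed input
    mask = int(iface.network.netmask)
    net_int = int(iface.ip) & mask                 # clear every host bit
    normalized = f"{type(iface.ip)(net_int)}/{iface.network.prefixlen}"
    return normalized, net_int != int(iface.ip), iface.network.num_addresses

def audit_rules(rules):
    """List (comment, field, written, applied, address_count) for every entry
    that would be rewritten, or that cannot be parsed (applied is None)."""
    findings = []
    for rule in rules:
        for field in ("srcCidr", "destCidr"):      # assumed field names
            for entry in rule.get(field, "any").split(","):
                entry = entry.strip()
                if entry.lower() == "any":
                    continue
                try:
                    normalized, changed, count = zero_host_bits(entry)
                except ValueError:
                    findings.append((rule["comment"], field, entry, None, 0))
                    continue
                if changed:
                    findings.append((rule["comment"], field, entry, normalized, count))
    return findings

# Constructed sample rules (not taken from any real device).
SAMPLE_RULES = [
    {"comment": "jump host to db", "srcCidr": "10.20.30.45/24",
     "destCidr": "10.50.0.10/32"},
    {"comment": "branch to dc", "srcCidr": "192.168.8.0/22",
     "destCidr": "172.16.5.1/16,172.16.0.0/16"},
    {"comment": "typo", "srcCidr": "10.1.1.300/24", "destCidr": "any"},
]

if __name__ == "__main__":
    for comment, field, written, applied, count in audit_rules(SAMPLE_RULES):
        if applied is None:
            print(f"[{comment}] {field}: {written} is not a valid address")
        else:
            print(f"[{comment}] {field}: {written} -> {applied} "
                  f"({count} addresses matched)")
```

Review each reported entry before onboarding: if a single host was intended, correct the prefix (for example to /32) in the Meraki dashboard so the rule keeps its narrow scope.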

Procedure


Step 1

When you onboard a Meraki MX device, you must generate a Meraki API key. This key lets the dashboard authenticate your request so you can securely onboard the device. For more information on generating and retrieving a Meraki API key, refer to Generate and retrieve a Meraki API key.

Step 2

Onboard a Meraki device to Security Cloud Control using the API key.


Generate and Retrieve Meraki API Key

Use this procedure to enable Security Cloud Control access to the Meraki dashboard with API access:

Before you begin
Review the notes and prerequisites in Onboard Meraki MX to Security Cloud Control.
Procedure

Step 1

Log in to the Meraki dashboard.

Step 2

Choose Organization > Settings.

Step 3

In the Dashboard API Access section, check Enable access to the Cisco Meraki Dashboard API. If you do not enable this option, you cannot generate API keys to onboard MX devices to Security Cloud Control.

Step 4

Click Save changes.

Step 5

On the Meraki dashboard, click your username and then click My Profile.

Step 6

Locate the API access header and click Generate new API key. Copy the API key, and paste it into a note until you are ready to use it. If you close the window or tab containing the API key before pasting it, you will lose access to the copied API key.

Note

You only need one API key per device. You can re-onboard a Meraki device without generating a new key.


What to do next
Continue to Onboard a Meraki Device to Security Cloud Control.

Onboard an MX Device to Security Cloud Control

Use this procedure to onboard a Cisco Meraki device.

Before you begin
Generate and Retrieve Meraki API Key.
Procedure

Step 1

Choose Security Devices.

Step 2

Click the blue add button.

Step 3

Click the Meraki tile.

Step 4

Select the Secure Device Connector (SDC) that this device will communicate with. The default SDC is displayed, but you can change it by clicking the blue Change link.

Step 5

On the Connect to Cisco Meraki page, follow these steps:

  1. Paste the API access key you copied, and click Connect.

    If the key is incomplete or incorrect, you will not be able to onboard the device.
  2. Use the drop-down list to select the correct organization. The generated list of organizations is retrieved from the Meraki dashboard and includes devices and templates. Click Select.

  3. Use the drop-down list to select the correct network. The generated list of networks is retrieved from the Meraki network. Click Select.

  4. (Optional) Add unique labels for the device. You can filter your list of devices by these labels. Click Continue.

The device begins the onboarding process. After the process completes, you are redirected to the Security Devices page.

Onboard Meraki Templates to Security Cloud Control

Meraki templates help manage multiple locations or networks using a single policy. You can manage these templates using both Security Cloud Control and the Meraki dashboard. Security Cloud Control deploys configuration changes to the Meraki dashboard, and the dashboard then securely deploys the configuration to the template. For more information about how Security Cloud Control communicates with Meraki, refer to How Does Security Cloud Control Communicate With Meraki.


Note


To onboard a template to Security Cloud Control, you must first create a template in the Meraki dashboard. Without access to the Meraki dashboard, the Meraki cloud will not recognize your organization, and you will not be able to generate an API token for your device. In the Meraki dashboard, click Organization > Configuration templates. For more information, refer to Managing Multiple Networks with Configuration Templates.


You must complete these three steps to onboard a Meraki template.

Procedure


Step 1

Create a template network in the Meraki dashboard. For more information about Meraki template best practices, refer to Meraki Templates Best Practices.

Step 2

Generate and retrieve a Meraki API key. When you onboard a Meraki template, you must generate a Meraki API key. Use the key to authenticate the dashboard and securely onboard a device.

Step 3

Onboard a Meraki Template to Security Cloud Control using the key.


Generate and Retrieve Meraki API Key

Use this procedure to enable Security Cloud Control access to the Meraki dashboard with API access:

Procedure

Step 1

Log in to the Meraki dashboard.

Step 2

Choose Organization > Settings.

Step 3

In the Dashboard API Access section, check Enable access to the Cisco Meraki Dashboard API. If you do not enable this option, you cannot generate API keys to onboard MX devices to Security Cloud Control.

Step 4

Click Save changes.

Step 5

On the Meraki dashboard, click your username and then click My Profile.

Step 6

Locate the API access header and click Generate new API key. Copy the API key, and paste it into a note until you are ready to use it. If you close the window or tab containing the API key before pasting it, you will lose access to the copied API key.

Note

You only need one API key per template. You can re-onboard a template without generating a new key.


Onboard a Meraki Template to Security Cloud Control

Use this procedure to onboard a Meraki template.

Procedure

Step 1

Choose Security Devices.

Step 2

Click the blue add button.

Step 3

Click Connect to Cisco Meraki.

Step 4

Paste the API access key you copied. If the key is incomplete or incorrect, you will not be able to onboard the device. Click Connect.

Step 5

Use the drop-down list to select the template name as an Organization. The generated list of organizations is retrieved from the Meraki dashboard and includes devices and templates. Select the desired template and click Select.

Step 6

(Optional) You can add unique labels for the device. You can filter your list of devices by these labels.

Step 7

Click Continue.

The device begins the onboarding process. Once completed, Security Cloud Control redirects you to Security Devices. Once the template is synced to Security Cloud Control, the Security Devices page displays the names of the devices associated with the template, and the Device Details window displays the number of networks bound to the template.

Update Meraki MX Connection Credentials

If you generate a new API key from the Meraki dashboard, you must update the connection credentials in Security Cloud Control. For more information about generating a new key, refer to Generate and Retrieve Meraki API Key. Security Cloud Control does not allow you to update the connection credentials for the device itself. If necessary, manually refresh the API key in the Meraki dashboard. You must manually update the API key in the Security Cloud Control UI to update the credentials and restore communication.


Note


If Security Cloud Control fails to sync the device, the connectivity status in Security Cloud Control may show "Invalid Credentials." In this situation, you may have tried to use an API key. Confirm the API key for the selected Meraki MX is correct.


Use this procedure to update the credentials for a Meraki MX device:

Procedure


Step 1

Choose Security Devices.

Step 2

Click the Devices tab and then click the Meraki tab.

Step 3

Select the Meraki MX whose connection credentials you want to update.

Step 4

In the Device Actions pane, click Update Credentials.

Step 5

Enter the API key Security Cloud Control uses to log into the device, and click Update. This API key matches the credential that you used to onboard the Meraki MX unless you changed it. These changes do not require deployment to the device.


Delete a Device from Security Cloud Control

Follow these steps to delete a device from Security Cloud Control:

Procedure


Step 1

Choose Security Devices.

Step 2

Select the device you want to delete.

Step 3

Click Remove in the Device Actions pane.

Step 4

To confirm device removal, click OK.

To keep the device onboarded, click Cancel.