You can use Cisco SD-WAN solutions, including the Catalyst and Secure Router series, with Cisco security portfolio to control and manage network security features.

The integration of Security Cloud Control Firewall Management and Catalyst SD-WAN Manager provides centralized management for Cisco Catalyst SD-WAN and Branch WAN environments. This enables organizations to configure, monitor, and enforce security policies across their networks. It also facilitates advanced troubleshooting, rule optimization, and change management on Catalyst SD-WAN Manager.

Benefits

This integration allows you to:

• Efficiently manage security policies and objects, configure and edit them, and push changes using the Security Cloud Control Firewall Management dashboard.

• Effective monitoring and detection of security threats from a centralized Security Cloud Control Firewall Management dashboard.

• Analyze security threats from logs and events in the Security Cloud Control Firewall Management dashboard with data sent from Security Analytics and Logging.

Security Cloud Control Firewall Management provides these capabilities:

• Security Discovery: Identifies existing security configurations and policies through the onboarded Catalyst SD-WAN Manager.

• Policy Creation: Enables the creation of new security objects and policies using its platform.

• Cohesive Strategy: Supports a cohesive strategy for implementing security objects, policies, and profiles across multiple Cisco solutions.

• Log and Analytics Viewing: Offers capabilities for viewing logs and analytics data.

• View intrusion and malware events: Displays intrusion and malware events detected within the network from Secure Router.

The primary use case for managing the Next-Generation Firewall (NGFW) capabilities of Catalyst SD-WAN through Security Cloud Control Firewall Management is to streamline and centralize security management across Cisco's security products.

The topology diagram illustrates the integration of Catalyst SD-WAN with Security Cloud Control Firewall Management and other cloud services. The diagram shows the flow of information and interactions between various components.

Note	The Cisco Catalyst 8000 and Secure 8000 devices are collectively referred to as the 'Secure Router' hereafter.

• Security Cloud Control: A central point for security policy enforcement and event correlation. It reads Next-Generation Firewall (NGFW) policies and security objects from the onboarded Catalyst SD-WAN Manager and allows customers to modify these NGFW configurations. It also sends queries to Cisco Security Analytics and Logging cloud data store for events.

• Cisco Catalyst SD-WAN consists of:

  • Catalyst SD-WAN Manager: Manages the SD-WAN fabric and displays NGFW policies and security objects in Security Cloud Control when onboarded to it. Catalyst SD-WAN Manager sends the event data received from Secure Router to SD-WAN Analytics.

  • SD-WAN Analytics: Provides analytics data to the Security Services Exchange.

  • Secure Router: The SD-WAN edge device.

• Cisco Security Analytics and Logging Cloud Data Store: A cloud-based repository for security analytics and logging data. It receives security events and logs from Security Services Exchange, which obtains the analytics data from SD-WAN Analytics engine.

• Security Services Exchange: A cloud-based platform designed to facilitate the integration, communication, and management of various Cisco security services. It sends security events and logs received from the SD-WAN environment and forwards them to the Cisco Security Analytics and Logging Cloud data store.

This flowchart illustrates the high-level workflow for managing the firewall capabilities of Catalyst SD-WAN Manager using Security Cloud Control.

Minimum software requirements for Catalyst SD-WAN integration with Security Cloud Control Firewall Management:

• Catalyst SD-WAN Manager supported versions: 20.18 or later

• Secure Router supported versions: Devices supported by the last two versions of Catalyst SD-WAN Manager are compatible from version 20.18 onward. For example, if you use Catalyst SD-WAN Manager version 20.18, devices from versions 20.15 and 20.12 are compatible.

  Contact Cisco TAC to check which indexes are not compatible, and remove any incompatible indexes. For more information, see Cisco SD-WAN Control Components Compatibility Matrix.

User roles in Catalyst SD-WAN Manager and Security Cloud Control Firewall Management operate independently, with each role defined by its specific responsibilities. However, the Role-Based Access Control (RBAC) models across these platforms are aligned to ensure consistent and seamless user actions.

A user with elevated permissions in Security Cloud Control Firewall Management may still encounter restrictions if their role in Catalyst SD-WAN Manager has lower permissions, and vice versa.

Attempting to save changes in Security Cloud Control Firewall Management without appropriate permissions in Catalyst SD-WAN Manager results in an error. For example, users assigned the 'Super Admin' role in Security Cloud Control Firewall Management cannot save NGFW security policies changes to Catalyst SD-WAN Manager if they have the 'Operator' role in that platform.

This table outlines the access permissions for various combinations of user roles in Catalyst SD-WAN Manager and Security Cloud Control Firewall Management.

When Catalyst SD-WAN Manager is integrated with Security Cloud Control Firewall Management, the existing Next-Generation Firewall (NGFW) policies, security objects, and security profiles from Catalyst SD-WAN Manager are automatically imported into Security Cloud Control Firewall Management. You can modify these NGFW parameters or create new ones in Security Cloud Control Firewall Management. Any changes you make in Security Cloud Control Firewall Management are synchronized and saved in Catalyst SD-WAN Manager.

After Catalyst SD-WAN Manager is onboarded to Security Cloud Control Firewall Management, you can no longer manage policies, objects, or profiles through Catalyst SD-WAN Manager. You must manage them exclusively from Security Cloud Control Firewall Management.

A "Managed by Security Cloud Control (SCC)" banner is displayed on Catalyst SD-WAN Manager that is onboarded to Security Cloud Control Firewall Management, indicating the integration. You can view this message in Catalyst SD-WAN Manager by navigating to the relevant configuration sections.

• For Security Objects and Profiles: Choose Configuration > Policy Groups > Objects and Profiles > Security Objects.

• For NGFW Policies: Choose Configuration > Policy Groups > NGFW

Restrictions for Security Cloud Control Firewall Management and Catalyst SD-WAN Manager integration:

• Cloud connectivity is essential

  Catalyst SD-WAN Manager can be deployed either on-premises or hosted in the Cisco cloud. To function properly, it must have cloud connectivity. If Catalyst SD-WAN Manager is placed behind a NAT device, it is supported but with restrictions. Specifically, only port 443 (HTTPS) needs to be open to enable cloud connectivity.

• Deboard Catalyst SD-WAN Manager to edit NGFW policies, objects, and profiles

  To make changes in NGFW policies, objects, and profiles from Catalyst SD-WAN Manager, you have to deboard it from Security Cloud Control Firewall Management.

• Customized IPS profiles not supported

  You cannot edit or customize IPS policies (Signature set objects) within security profiles.

• Live logs unavailable with SAL

  Live logs cannot be viewed on Security Cloud Control Firewall Management using Cisco Security Analytics and Logging. You can only view historical events.

• Modify user role privileges for Security Cloud Control Firewall Management users with caution

  Exercise caution when changing user role privileges on Catalyst SD-WAN Manager for users who are part of Security Cloud Control Firewall Management. Modifying privileges for Security Cloud Control Firewall Management-associated users can result in configuration failures.

• On-premises multitenant Catalyst SD-WAN Manager not supported

  On-premises multitenant deployments of Catalyst SD-WAN Manager are not supported in Security Cloud Control Firewall Management for version 20.18.1. In this release, only single-tenant Catalyst SD-WAN Manager deployments are compatible with Security Cloud Control Firewall Management.

• Dark mode not supported

  Keep dark mode disabled in Security Cloud Control Firewall Management when Catalyst SD-WAN Manager is integrated.

Note	Changes to NGFW policies, objects, and profiles can only be made in Catalyst SD-WAN Manager after it has been deboarded from Security Cloud Control Firewall Management.

Security Cloud Control Firewall Management allows you to perform these operations:

• Create, modify, or delete NGFW policies, security objects, and security profiles.

• Search for security objects across devices using global search functionality.

• Associate a policy group with a Catalyst SD-WAN NGFW policy.

• Cisco Catalyst SD-WAN Security Configuration Guide

• Policy Groups Configuration Guide, Cisco IOS XE Catalyst SD-WAN

• Security Cloud Control Integration with Cisco Catalyst SD-WAN Manager