The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Security objects and security profiles in Catalyst SD-WAN Manager are essential for creating and enforcing next-generation firewall (NGFW) security policies. They safeguard networks from cyber threats, ensure seamless connectivity, and optimize application performance. These features are vital for robust network security management and effective NGFW policy implementation.
Use Security Cloud Control Firewall Management to create new Catalyst SD-WAN objects and profiles.
|
Step 1 |
Choose Objects. |
|
Step 2 |
Click the WAN Branch Edge tab. |
|
Step 3 |
Click the Create Object (
|
|
Step 4 |
Click the object or profile you want to create: Objects: Profiles: |
|
Step 5 |
Click Save. |
The objects are created in Security Cloud Control Firewall Management. To see the logs in Catalyst SD-WAN Manager, navigate to .
The Application List object groups applications into a list for use in NGFW policies.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the application list. |
|
Application or Application Family |
The Application is a collection of specific applications grouped together for policy configuration. It allows administrators to define and manage traffic rules for multiple applications as a single entity. For example, "Webex," "Microsoft Teams," "Zoom." The Application Family groups applications based on their functional category. For example, "Web," "Instant Messaging," "Network Services." |
The Selected items field displays the items that have been chosen.
The Data Prefix objects are specific IP address ranges or prefixes that are used to define and manage traffic routing policies within the SD-WAN fabric.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the data prefix object. |
|
Data Prefix |
The data prefix value. |
The Fully Qualified Domain Name (FQDN) object is used to match standalone servers in data centers or private clouds. When matching public URLs, the recommended match action is drop. If you use inspect for public URLs, you must define all the related sub URLs and redirect URLs.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the FQDN object. |
|
FQDN |
The URL names separated by commas. For example, cisco.com. |
The Geolocation object allows you to configure firewall rules based on geographical locations rather than IP addresses.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the geolocation object. |
|
Geolocation |
Select one or more geolocations from the drop-down list. For example, Africa, Antarctica, Asia, or Europe. |
The Identity object is a security object used to represent user identities and user groups within the SD-WAN fabric. This identity information is integrated into the SD-WAN fabric to enable identity-based firewall policies and micro-segmentation.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the identity object. |
|
Users |
The source of Users and User Groups is Cisco Identity Services Engine (ISE) Active Directory (AD), which is configured in Catalyst SD-WAN Manager. |
|
User Groups |
The Port object is a configuration element used to define and manage port-related settings for devices within the SD-WAN fabric.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the port object. |
|
Port |
The port values separated by commas. The range is 0 to 65535. |
Within security policies, Protocol objects can be selected from a predefined list (for example, TCP, UDP, ICMP) to define specific rules for traffic management and security enforcement.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the protocol object. |
|
Protocol |
Select one or more protocol names from the drop-down list. For example, SNMP, TCP, UDP, ICMP, Echo, Telnet. |
The Selected items field displays the items that have been chosen.
If you use Cisco Identity Services Engine (ISE) to define and use security group tag (SGT) for classifying traffic in a Cisco TrustSec network, you can write access control rules that use SGTs as matching criteria.
SGTs cannot be created or edited in Security Cloud Control Firewall Management. You must create all SGTs in ISE.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the security group tag. |
|
Security Group Tags |
Choose the security group tags by checking the appropriate checkboxes. |
The Selected items field displays the items that have been chosen.
The IPS Signature object refers to a set of rules used by the Intrusion Prevention System (IPS) to detect and prevent network attacks. It blocks vulnerabilities that have a Common Vulnerability Scoring System (CVSS) score of 9 or higher. It also blocks Common Vulnerabilities and Exposures (CVEs) published within the last two years if they belong to the rule categories of Malware CNC, Exploit Kits, SQL Injection, or blocked list.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the object. |
|
IPS Signature |
The IPS signatures in the format Range is 0 to 4294967295. |
The Allow URL object is used to define URLs that should be explicitly permitted through SD-WAN URL filtering feature.
Some important points to note about these lists are:
URLs that are allowed are not subjected to any category-based filtering.
If the same item is configured under both the allowed and blocked lists, the traffic is allowed.
If the traffic does not match either the allowed or blocked lists, it is subjected to category-based and reputation-based filtering.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the allow URL object. |
|
Allow URL |
The URLs to allow. |
The Block URL object is used to define URLs that should be denied through SD-WAN URL filtering feature.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the block URL object. |
|
Block URL |
The URLs to block. |
The Zone object is used to define security boundaries for traffic control. Zones can be configured based on VPNs or Interfaces:
Zones can be created for specific VPNs, such as the Payment Processing Network, Corporate Users, or Local Internet for Guests. These zones allow you to apply security policies to traffic within or between VPNs.
Interfaces can also be assigned to zones. For example, Ethernet, GigabitEthernet, or other interface types can be grouped into zones. This allows for granular control of traffic between interfaces.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the zone. |
|
VPN |
Choose to configure zones with zone type as VPN. Add the VPNs to the zones from the drop-down list. Available options include:
|
|
Interface |
Choose to configure zones with zone type as Interface. Add the interfaces to the zones from the Add Interface drop-down list. |
The Selected items field displays the items that have been chosen.
Apply a global Advanced Inspection Profile (AIP) at the device level. This ensures that all traffic matching the device's predefined rules is thoroughly inspected using the AIP.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the advanced inspection profile. |
|
Intrusion Prevention |
Choose an intrusion prevention option from the drop-down list. |
|
URL Filtering |
Choose a URL filter from the drop-down list. |
|
Advanced Malware Protection |
Choose an advanced malware protection option. |
|
TLS Action |
Choose the TLS action. Available options include:
|
The Advanced Malware Protection (AMP) policy is a security policy specifically designed to integrate advanced malware protection capabilities into the unified security policy framework.
 Note |
For some advanced configurations, a Threat Grid Server configuration is required in Catalyst SD-WAN. |
|
Field |
Description |
|---|---|
|
Object Name |
The name of the advanced malware protection policy. |
|
AMP Cloud Region |
AMT Cloud Region refers to the Analytics, Management, and Telemetry (AMT) Cloud Region associated with the Cisco SD-WAN cloud architecture. |
|
Alert Log Level |
All syslog messages are associated with priority levels that indicate the severity of syslog messages to save. |
|
File Analysis |
Enables file analysis on the uploaded files. |
|
TG Cloud Region |
Choose a region. This refers to the geographical region where the Threat Grid (TG) cloud services are hosted. |
| File Types |
Choose the file types to be analyzed. |
The Intrusion Prevention policy profile is a security feature designed to detect and block known network attacks by leveraging predefined rules and signature.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the intrusion prevention policy. |
|
Signature Set |
Choose a signature set that defines rules for evaluating traffic from the Signature Set drop-down list. |
|
Inspection Mode |
Select the inspection mode. |
|
Custom Signature Set: |
Select one or more web categories from the drop-down list. Custom signature must be enabled from Catalyst SD-WAN Manager under . |
|
Signature Allow List |
Select a signature allow list. |
|
Alerts Log Level |
Choose the alert log level. This refers to the severity levels of logs generated by the system, which can be configured to control the granularity of information logged. |
The TLS/SSL Decryption profile allows administrators to inspect and manage encrypted traffic within the network.
Note |
Before creating a TLS/SSL Decryption profile in Security Cloud Control Firewall Management, you must configure certificate authority (CA) from Catalyst SD-WAN Manager under . |
|
Field |
Description |
|---|---|
|
Object Name |
The name of the TLS/SSL decryption policy. The name can contain a maximum of 32 characters. |
|
Server Certificate Checks |
|
|
Expired Certificate |
Defines what the policy should do if the server certificate has expired. Available options include:
|
|
Untrusted Certificate |
Defines what the policy should do if the server certificate is not trusted. Available options include:
|
|
Certificate Revocation Status |
Defines whether the Online Certificate Status Protocol (OCSP) should be used to check the revocation status of the server certificate. Available options include: Enabled or Disabled. |
|
Unknown Revocation Status |
Defines the policy action if the OCSP revocation status is unknown.
|
|
Unsupported Mode Checks |
|
|
Unsupported Protocol Versions |
Defines the unsupported protocol versions.
|
|
Unsupported Cipher Suites |
Defines the unsupported cipher suites.
|
|
Failure Mode |
Defines the failure mode. The options are Close and Open. |
|
Certificate Bundle |
Select the Use Default CA Certificate checkbox to use the default CA. |
|
Minimal TLS Version |
Sets the minimum version of TLS that the proxy should support. Available options include: TLS 1.0, TLS 1.1, or TLS 1.2 |
|
Proxy Certificate Attributes |
|
|
RSA Keypair Modules |
Defines the Proxy Certificate RSA Key modules. Available options include: 1024-bit RSA, 2048-bit RSA, or 4096-bit RSA |
|
EC Key Type |
Defines the key type. Available options include: P256, P384, or P521 |
|
Certificate Lifetime (in Days) |
Sets the lifetime of the proxy certificate (in days). |
The TLS/SSL Profile policy is used to manage encrypted traffic within a unified security policy. To create a TLS/SSL profile policy in Security Cloud Control Firewall Management, you must first configure the certificate authority (CA) certificate in Catalyst SD-WAN. This is a prerequisite for enabling the TLS proxy functionality.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the TLS/SSL profile. |
|
Categories to assign action |
Set the categories and assign actions: Decrypt, No Decrypt, and Pass Through URL Categories. Alternatively, choose multiple categories and set the action. |
|
Reputation |
Enable reputation to choose the Decrypt Threshold. Supports actions based on URL reputation levels. |
|
Decrypt Domain List |
Choose the decrypt domain list. |
|
No Decrypt Domain List |
Choose the no decrypt domain list. |
|
Fail Decrypt |
Enable the fail decrypt option if decryption fails. |
The URL Filtering profile policy is a security feature that allows administrators to control access to websites based on categories, reputation, and custom lists.
|
Field |
Description |
|---|---|
|
Object Name |
The name of the URL filtering policy. |
|
Web Category |
Choose the web category. Available options include: Block and Allow. The websites are classified into categories. |
|
Web Reputation |
Choose the web reputation from the drop-down list. The URLs are assigned a reputation score based on their risk level. |
|
Allowlist |
Select an allow URL list. |
|
Blocklist |
Select a block URL list. |
|
Block Page Server |
Choose one of the options:
The blocked users can be redirected to a custom page or shown a message. |
|
Alerts and Logs |
Choose the alert and log type:
|
Use this procedure to modify the values associated with Catalyst SD-WAN security objects and security profiles from Security Cloud Control Firewall Management.
|
Step 1 |
Choose . |
|
Step 2 |
Choose Objects. |
|
Step 3 |
Click the WAN Branch Edge tab. |
|
Step 4 |
Select the security object or profile to modify. To find an object, use the filter. |
|
Step 5 |
In the Actions pane, click Edit. Modify the configurations you want to change. |
|
Step 6 |
Click Save to confirm.
|
You can delete one or multiple Catalyst SD-WAN security objects.
If the security object was synchronized with Catalyst SD-WAN Manager, deleting it updates both Security Cloud Control Firewall Management and Catalyst SD-WAN Manager for consistency.
Security policies or configurations that reference the deleted object do not get deleted automatically. You must remove the references manually from the security policies before deleting the object.
Delete actions are logged for auditing and traceability.
Verify that the Catalyst SD-WAN security objects you want to delete are not used or referenced in other objects, policies, or configurations.
|
Step 1 |
Choose . |
|
Step 2 |
Choose Objects. |
|
Step 3 |
Click the WAN Branch Edge tab. |
|
Step 4 |
Check one or multiple security objects you want to delete. |
|
Step 5 |
In the Actions pane, click Remove.
|
|
Step 6 |
Click OK to confirm. |
Selected Catalyst SD-WAN security objects are deleted. Delete actions are logged for audit purposes, ensuring traceability of changes.
To view the logs:
In the Security Cloud Control application, choose .
In the Catalyst SD-WAN Manager application, choose .
The ability to filter and search for Catalyst SD-WAN security objects by Object Type and Profile Type allows users to efficiently locate, review, modify, and, when needed, delete these objects. This approach helps maintain optimal system performance.
You can filter objects using two parameters: Object Type and Profile Type.
Choose .
Choose Objects.
Click the WAN Branch Edge tab.
Click the filter icon (
) and select objects by Object Type or Profile Type.
You can use filters to search for objects. Refine the results by typing the object name, IP address, or port number to narrow the search.
) icon.
Feedback