Manage Catalyst SD-WAN Security Policies

An introduction to Catalyst SD-WAN NGFW security policies

The NGFW security policies in Catalyst SD-WAN Manager are a set of rules and configurations designed to protect systems, networks, and data from unauthorized access, misuse, or threats. Catalyst SD-WAN Manager offers a comprehensive framework for implementing and managing NGFW security policies.

Manage existing Catalyst SD-WAN NGFW security policies

You cannot delete a Next-Generation Firewall (NGFW) policy from Security Cloud Control Firewall Management if it is already associated with a policy group in Catalyst SD-WAN.

Procedure


Step 1

Choose Policies > WAN Branch Edge.

Step 2

Navigate to the policy and click the ellipsis (…) under the Action column.

Step 3

Click View, Edit, Associate Policy Group, Delete, or Copy.

Options available for NGFW policy management under Actions column


Create Catalyst SD-WAN security policies

Before you begin

Make sure you have deployed and managed these devices using a configuration group. For more information about creating configuration groups, see Configuration Groups and Feature Profiles.

Procedure


Step 1

Choose Policies > WAN Branch Edge.

Step 2

Click Add NGFW Policy on the Catalyst SD-WAN NGFW Policies page.

This launches the Create NGFW policy workflow.

Step 3

On the Security Policy Name tab, enter Policy Name and Description, and under Device Solution, click the SDWAN radio button.

Step 4

Click Next.

Step 5

On the Select the optional Configuration Group to associate with the NGFW policy page, choose the configuration group to associate with the NGFW policy and click Next.

Step 6

On the Create Sub-Policies tab, click +Add Sub-Policy to add sub-policies for a security policy.

Create NGFW Policy page showing the Create Sub-Policy tab.

Field              Description

VPN / Interface    Specify the VPN or the interface.

Source Zone        Choose the zone that is the source of the data packets. You can choose from these options:
                     • Corporate_Users_zone
                     • Local_Internet_for_Guests_zone
                     • No_zone
                     • Payment_Processing_Network_zone
                     • Physical_Security_Devices_zone
                     • Self
                     • Untrusted
                   Click + Create New to create a new Source Zone. Enter the Name and select the VPN from the drop-down.
                   Note: You can select multiple VPNs within a Source Zone.

Destination Zone   Select the zones to which data traffic is sent. You can choose from these options:
                     • Corporate_Users_zone
                     • Local_Internet_for_Guests_zone
                     • No_zone
                     • Payment_Processing_Network_zone
                     • Physical_Security_Devices_zone
                     • Self
                     • Untrusted
                   To create a new Destination Zone, click + Create New. Enter the Name and select the VPN from the drop-down.
                   Note: You can select multiple VPNs within a Destination Zone.

Step 7

Click Additional Settings to configure additional settings for a security policy. For more information about the steps in this procedure, see Configure NGFW Additional Settings.

Step 8

Click Save.


Step 9

Click the ellipsis (…) at the top-left corner of the existing sub-policy to Edit, Delete, or Copy it.

Step 10

To add a rule to a sub-policy, navigate to the sub-policy and click + Add Rule.

Field        Description

Rule Name    The name of the rule.

Sequence     Specify the sequence.

Match        Choose the desired match conditions from the Add Conditions drop-down list. You can choose from these options:
               • Source
                 • Geo Location
                 • IPv4 Prefix
                 • Port
               • Destination
                 • FQDN
                 • Geo Location
                 • IPv4 Prefix
                 • Port
               • Protocol
               • Applications
             When Identity Services Engine (ISE) is enabled, the SGT option is available in the Source and Destination fields. Identity User or User group is supported only for Source.

Action       Choose the desired action. You can choose from these options:
               • Pass
               • Drop
               • Inspect
               • Log Events: enables Unified Logging for the Inspect action.

Step 11

To modify an existing rule, click the pencil icon to Edit, Disable, Delete, Clone rule, Add rule on top, or Add rule below.


Step 12

Click Next.

Step 13

Review the NGFW Policy, Sub-Policies, and Settings on the Summary page, and click Create NGFW Policy.

Screenshot of the Create NGFW Policy page showing the Summary tab.
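The following Python model is an added example, not code from this guide or from the Catalyst SD-WAN product. It mirrors the structure built in the procedure above (a sub-policy per Source Zone / Destination Zone pair, rules with a Sequence, IPv4 Prefix, Port and Protocol match conditions, and a Pass, Drop or Inspect action) and adds the check a reviewer would want before clicking Create NGFW Policy: a rule placed after a broader rule in the same sub-policy can never fire. It assumes lower sequence numbers are evaluated first, first match wins, and traffic that matches no rule between the zone pair is dropped; the zone names are those listed on the page and the addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
@dataclass
class Rule:
    name: str
    sequence: int                  # Sequence field; lower values are evaluated first (assumption)
    action: str                    # Pass, Drop, or Inspect, as listed on the page
    src_prefix: str = "0.0.0.0/0"  # Source > IPv4 Prefix; the default matches any address
    dst_prefix: str = "0.0.0.0/0"  # Destination > IPv4 Prefix
    dst_port: int = None           # Destination > Port; None matches any port
    protocol: str = None           # Protocol; None matches any protocol

    def matches(self, src_ip, dst_ip, dst_port, protocol):
        return (ip_address(src_ip) in ip_network(self.src_prefix)
                and ip_address(dst_ip) in ip_network(self.dst_prefix)
                and self.dst_port in (None, dst_port) and self.protocol in (None, protocol))

    def covers(self, other):  # True if every flow `other` matches would already match this rule
        return (ip_network(other.src_prefix).subnet_of(ip_network(self.src_prefix))
                and ip_network(other.dst_prefix).subnet_of(ip_network(self.dst_prefix))
                and self.dst_port in (None, other.dst_port) and self.protocol in (None, other.protocol))

@dataclass
class SubPolicy:                   # one sub-policy = one Source Zone / Destination Zone pair
    source_zone: str
    destination_zone: str
    rules: list = field(default_factory=list)

def evaluate(sub_policies, src_zone, dst_zone, src_ip, dst_ip, dst_port, protocol):
    """First matching rule of the zone pair's sub-policy decides; Drop if nothing matches (assumption)."""
    for sp in sub_policies:
        if (sp.source_zone, sp.destination_zone) == (src_zone, dst_zone):
            for rule in sorted(sp.rules, key=lambda r: r.sequence):
                if rule.matches(src_ip, dst_ip, dst_port, protocol):
                    return rule.action
    return "Drop"

def shadowed_rules(sub_policy):
    """Names of rules that can never fire because an earlier rule already covers every flow they match."""
    ordered = sorted(sub_policy.rules, key=lambda r: r.sequence)
    return [r.name for i, r in enumerate(ordered) if any(e.covers(r) for e in ordered[:i])]
# Constructed sample: zone names are those listed on the page, addresses are documentation ranges.
GUEST_TO_INTERNET = SubPolicy("Local_Internet_for_Guests_zone", "Untrusted", [
    Rule("allow-web", 10, "Inspect", dst_port=443, protocol="tcp"),
    Rule("allow-dns", 5, "Pass", dst_port=53, protocol="udp")])
PAYMENT_TO_INTERNET = SubPolicy("Payment_Processing_Network_zone", "Untrusted", [
    Rule("permit-any", 10, "Pass"),                                # broad Pass is sequenced first ...
    Rule("deny-telnet", 20, "Drop", dst_port=23, protocol="tcp")])  # ... so this Drop can never fire
POLICY = [GUEST_TO_INTERNET, PAYMENT_TO_INTERNET]
```

Running shadowed_rules(PAYMENT_TO_INTERNET) reports deny-telnet, which is the kind of ordering mistake to catch at the Summary step rather than after the policy group is deployed.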


Associate a policy group to Catalyst SD-WAN NGFW policy

This section outlines the steps to associate a policy group with a Catalyst SD-WAN NGFW policy, enabling the policy to be deployed to devices managed by that group. This ensures consistent security enforcement across those devices. Once associated, you can deploy the policy group to activate the policy on the devices.

Procedure


Step 1

Choose Policies > WAN Branch Edge.

Step 2

Navigate to the policy you want to associate with a policy group. Click the ellipsis (…) under the Action column, then select Associate Policy Group.

NGFW Policy page showing policy group associations.

Step 3

Select the policy and click Save.


Deploy policy group from Catalyst SD-WAN Manager

A policy group in Catalyst SD-WAN is a logical grouping of related items or configurations used in Next-Generation Firewall (NGFW) security policies. These groups simplify the process of applying policies across multiple devices or sites.

Deploy NGFW policy modifications, including security objects and profiles, from Security Cloud Control Firewall Management to Secure Router devices using Catalyst SD-WAN Manager.

You can access the workflow from the Workflows > Deploy Policy Group menu in Catalyst SD-WAN Manager. This workflow enables you to associate Secure Router devices and deploy the policy group to the selected devices.

For more information, refer to the Deploy Policy Group Workflow section in the Policy Groups Configuration Guide, Cisco IOS XE Catalyst SD-WAN.