This topic discusses requirements and guidelines for Universal Zero Trust Network Access (universal ZTNA).

Licensing Requirements

• Secure Firewall requires a smart license account with export-controlled features. It does not function in universal ZTNA when operating in evaluation mode.

  Secure Firewall requires Threat and Malware licenses if Intrusion Policy or File/Malware Policies are configured.

• Secure Access requires a subscription of Cisco Secure Private Access Essentials or Advantage.

Device Requirements

• All Secure Firewall Management Center and Secure Firewall Threat Defense devices must be running Version 7.7.10 or later.

• All Secure Firewall Threat Defense devices must be configured for routed mode; transparent mode is not supported.

• In Security Cloud Control, when you are configuring universal zero trust access for a device, ensure that the Enrollment Type for the device identity certificate is an object that is created using the PKCS12 file format. No other certificate type is supported. If necessary, you can also create a new certificate object from Security Cloud Control, which supports the PKCS12 format. See Configure Security Devices.

• Configure the Domain Name System (DNS) to resolve Fully Qualified Domain Name (FQDN) of private resources. Use the Platform Settings menu on the Secure Firewall to configure the DNS. See Interface and Device Settings.

• High Availability (HA) devices are supported; they are displayed as one entity.

• Secure Client (with ZTNA module enabled) Version 5.1.10 and later is supported.

  The client must be running in a platform that supports Trusted Platform Module (TPM), such as Windows 11.

Guidelines on Certificate Types

• User Device Identity Certificate: Secure Client, which is zero trust access enabled, presents the user identity certificate during the Mutual Transport Layer Security (mTLS) session with Secure Access and Firewall Threat Defense to request access to private resources.

• Firewall Threat Defense Device Certificate: Threat Defense devices that are universal ZTNA-enabled use device certificates to establish secure mTLS connections with the Secure Client and Secure Access. Ensure that the device identity certificate is of type PKCS12.

  If you have already enrolled a manual certificate for the device, first export it to the PKCS12 format using the Devices > Certificates > Export Certificate menu on Firewall Management Center. Use the exported PKCS12 file to create a new PKCS12 certificate enrollment object.

• Decryption Certificate: (Optional) To decrypt the traffic that is sent to private resources, enable Decryption for the resources in Secure Access and provide the server certificate and key. We recommend that you use a certificate that is signed by a publicly recognized certificate authority (CA).

Supported Devices

Both on-premises Firewall Management Center and cloud-delivered Firewall Management Center can be configured to manage the devices.

Only devices that have 16 cores or more are supported. Such models of Secure Firewall Threat Defense are:

• 1150

• 3105, 3110, 3120, 3130, 3140

• 4115, 4125, 4145, 4112

• 4215, 4225, 4245

• FTDv

• Universal ZTNA does not support IPv6.

• Universal ZTNA-enabled devices do not enforce policies for traffic over a site-to-site tunnel.

• Universal ZTNA does not support clustered devices.

• Universal ZTNA sessions do not support jumbo frames.

• Currently, universal ZTNA supports only the United States and Europe regions.

• Universal ZTNA supports only global VRF.

• Universal ZTNA does not support protocols such as FTP or TFP, where the data or secondary connection originates from a server.

  For example, an active FTP connection uses a persistent control connection for commands and creates temporary data connections for file transfers. Universal ZTNA does not support such data connections that originate from the server.