Zero Trust Access
Zero Trust Access is based on Zero Trust Network Access (ZTNA) principles. ZTNA is a zero trust security model that eliminates implicit trust. The model grants least-privilege access only after verifying the user and the context of the request, and after analyzing the risk of granting access.
Zero Trust Access enables you to authenticate and authorize access to protected web-based resources and applications from inside (on-premises) or outside (remote) the network using an external Security Assertion Markup Language (SAML) identity provider (IdP) policy.
The features are:
- Supports multiple SAML-based identity providers such as Duo, Azure Active Directory (Azure AD), Okta, and others.
- Client applications such as Cisco Secure Client are not required on the endpoint (client device) for secure access.
- Access and authentication are through the browser.
- Supports only TLS web applications.
- Client device posture is supported through agents such as Duo Health: the device's posture is evaluated against a policy in Duo, and access is granted based on the result. The same can be done with third-party identity providers whose agents support posture evaluation, such as Okta or PingID.
- Supports the HTTP-Redirect SAML binding.
- Supports application groups, which make it easier to enable zero trust access protection on a set of applications.
- Leverages threat defense intrusion and malware protection on zero trust application traffic.
You can use the Secure Firewall Management Center web interface to create a Zero Trust Application Policy that allows you to define private applications and assign threat policies to them. The policy is application specific where the administrator decides the inspection levels based on the threat perception for that application.
How Threat Defense Works with Zero Trust Access

- Using a browser, a remote or on-premises user sends an HTTPS request from an endpoint to connect to an application.
- The HTTPS request is intercepted by the firewall that protects the application.
- The firewall redirects the user to the application's configured IdP for authentication.
  Note
  In the figure, each firewall protects a set of web applications. After authentication and authorization, the user can directly access the applications behind the firewall.
- After the authentication and authorization process is complete, the firewall allows the user to access the application.
Why Use Zero Trust Access?
Zero Trust Access uses the existing threat defense deployment as the enforcement point for application access. It allows segmented access to a private application, with per-application authorization and a per-application tunnel, for remote and on-premises users.
The feature hides the network from users and lets users access only the applications they are authorized for. Authorization for one application in the network does not imply authorization for other applications on the network, which reduces the attack surface significantly. In other words, every access to an application must be explicitly authorized.
Adding the zero trust access functionality to threat defense enables migration to a more secure access model without having to install or manage yet another device in the network.
The feature is easy to manage because it does not require a client and access is granted per application.
Components of a Zero Trust Access Configuration
A new configuration consists of a Zero Trust Application Policy, Application Group, and Applications.
- Zero Trust Application Policy—Consists of application groups and grouped or ungrouped applications. Security Zones and Security Controls settings are associated at a global level for all ungrouped applications and application groups.
  A global port pool is assigned to the policy by default. A unique port is automatically assigned from this pool to each private application that is configured.
- Application Groups—A logical group of applications that share SAML authentication settings and can optionally share Security Zones and Security Controls settings.
  Application Groups inherit the Security Zones and Security Controls settings from the global policy and can override the values.
  When an Application Group is created, the same SAML IdP configuration can be used to authenticate multiple applications. Applications that are part of an Application Group inherit the Application Group's SAML configuration, so the SAML settings need not be configured for each application. After the Application Group is created, new applications can be added to it without configuring the IdP for each one.
  When an end user tries to access an Application that is part of a group, the user is authenticated to the Application Group the first time. When the user then tries to access other applications in the same Application Group, the user is granted access without being redirected to the IdP again. This prevents overloading the IdP with requests for application access and optimizes the usage of the IdP if a request limit is enabled.
- Applications—There are two types:
  - Ungrouped Applications—Standalone applications. SAML settings must be configured for every application. The applications inherit the Security Zones and Security Controls settings from the global policy, and each application can override them.
  - Grouped Applications—Multiple applications grouped under an Application Group. The SAML settings are inherited from the Application Group and cannot be overridden. However, the Security Zones and Security Controls settings can be overridden for each application.
The following certificates are required for the configuration:
- Identity Certificate—Used by Firewall Threat Defense to masquerade as the applications; Firewall Threat Defense acts as the SAML Service Provider (SP). This certificate must be a wildcard or Subject Alternative Name (SAN) certificate that matches the FQDN of the private applications. It is a common certificate for all applications protected by Firewall Threat Defense.
- IdP Certificate—The IdP provides a certificate for each defined Application or Application Group. This certificate must be configured so that Firewall Threat Defense can verify the IdP's signature on incoming SAML assertions.
  Note
  IdP certificates are commonly included in the metadata file; otherwise, you must have the IdP certificate available when configuring applications.
- Application Certificate—Firewall Threat Defense uses this certificate to decrypt the encrypted traffic from the user to the application for inspection.
  Note
  This certificate is required to verify the cookies in the header that authorize connections, even when no IPS or malware inspection is performed.
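The Identity Certificate requirement above (a wildcard or SAN certificate that matches every private application FQDN) is easy to get wrong once application hostnames sit on nested subdomains, because a wildcard only covers one label. The following Python is an added example, not Cisco code: it takes a list of SAN entries (assumed to have been extracted from the certificate already) and the list of application FQDNs, and reports which FQDNs the certificate would not cover under the RFC 6125 wildcard rule. The SAN entries and application names are constructed for the demonstration.

```python
"""Check identity-certificate SAN coverage of private application FQDNs.

Added example, not Cisco code. SAN entries are assumed to be supplied as
strings (for instance copied from the subjectAltName extension); the sample
values below are constructed.
"""
from typing import Iterable, List


def san_covers(san_entry: str, fqdn: str) -> bool:
    """RFC 6125-style match: a wildcard replaces only the leftmost label and
    never spans a dot, so *.apps.example.com covers hr.apps.example.com but
    neither db.internal.apps.example.com nor apps.example.com itself."""
    san_entry = san_entry.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if san_entry.startswith("*."):
        suffix = san_entry[1:]                 # ".apps.example.com"
        if not fqdn.endswith(suffix):
            return False
        leftmost = fqdn[: -len(suffix)]        # label the wildcard must stand for
        return bool(leftmost) and "." not in leftmost
    return san_entry == fqdn


def uncovered_fqdns(san_entries: Iterable[str], app_fqdns: Iterable[str]) -> List[str]:
    """Return the application FQDNs that no SAN entry covers, in input order."""
    entries = list(san_entries)
    return [f for f in app_fqdns if not any(san_covers(e, f) for e in entries)]


# Constructed sample data: what the identity certificate claims, and the
# private applications a policy is about to protect.
IDENTITY_CERT_SANS = ["*.apps.example.com", "portal.example.com"]
PRIVATE_APPS = [
    "hr.apps.example.com",
    "wiki.apps.example.com",
    "portal.example.com",
    "db.internal.apps.example.com",   # nested label: not covered by *.apps.example.com
    "apps.example.com",               # the wildcard's own parent: not covered either
]

if __name__ == "__main__":
    gaps = uncovered_fqdns(IDENTITY_CERT_SANS, PRIVATE_APPS)
    if gaps:
        print("identity certificate does not cover:", ", ".join(gaps))
    else:
        print("identity certificate covers all private applications")
```

Run this before creating the policy: any FQDN it reports will fail the certificate match once the application is added, and the fix is either a SAN entry for that exact name or a wildcard at the right depth.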
Zero Trust Access Workflow
This figure depicts the Zero Trust Access workflow.

The workflow is as follows:
1. The user types the application URL in the browser.
   - If the HTTPS request is valid, the user is redirected to the mapped port (Step 6).
   - If the HTTPS request is invalid, the user is sent for authentication per application (Step 2).
2. The user is redirected to the configured identity provider (IdP).
3. The user is redirected to the configured primary authentication source.
4. The user is challenged with the configured secondary multi-factor authentication, if any.
5. The IdP sends a SAML response to threat defense. The user ID and other necessary parameters are retrieved from the SAML response through the browser.
6. The user is redirected to the application.
7. The user is allowed access to the application after validation succeeds.
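The workflow above, the per-group session behaviour from the Components section (one IdP round trip authenticates a user to a whole Application Group), the port pool assignment, and the re-authentication interval all fit in one small state machine. The following Python is an added teaching model, not the threat defense implementation: applications, groups, timestamps and assertions are constructed, and verifying the IdP's signature on the SAML response (which threat defense does with the IdP certificate) is replaced by a stand-in callable that checks a `signature_valid` flag on the constructed assertion.

```python
"""Model of the zero trust access workflow: cookie check, IdP redirect,
SAML response, group-wide session, re-authentication interval, port pool.

Added teaching example, not Cisco code. Assertions, hostnames and times are
constructed; `stand_in_verify` stands in for real XML signature verification.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Application:
    fqdn: str
    group: str           # an ungrouped application forms a group of one
    mapped_port: int     # unique port assigned from the policy's global port pool


@dataclass
class Session:
    user: str
    group: str
    expires_at: float    # now + re-authentication interval


def stand_in_verify(assertion: dict) -> bool:
    """Stand-in for verifying the IdP signature with the IdP certificate."""
    return assertion.get("signature_valid") is True


class ZeroTrustGatewayModel:
    def __init__(self, port_range=(20000, 20099), reauth_interval_s=3600,
                 verify_assertion: Callable[[dict], bool] = stand_in_verify):
        self._free_ports = iter(range(port_range[0], port_range[1] + 1))
        self.reauth_interval_s = reauth_interval_s
        self.verify_assertion = verify_assertion
        self.apps: Dict[str, Application] = {}
        self.sessions: Dict[str, Session] = {}      # cookie -> session
        self.idp_redirects = 0                      # how often the IdP was bothered

    def add_application(self, fqdn: str, group: Optional[str] = None) -> Application:
        """Every protected application gets its own port from the port pool."""
        port = next(self._free_ports, None)
        if port is None:
            raise RuntimeError("global port pool exhausted")
        app = Application(fqdn, group or fqdn, port)
        self.apps[fqdn] = app
        return app

    def handle_request(self, host: str, cookie: Optional[str], now: float) -> Tuple[str, object]:
        """Step 1: a request carrying an unexpired session for the application's
        group is forwarded to the mapped port (Step 6); anything else is sent to
        the group's IdP (Step 2)."""
        app = self.apps.get(host)
        if app is None:
            return ("reject", "not a protected application")
        sess = self.sessions.get(cookie) if cookie else None
        if sess is not None and sess.group == app.group and sess.expires_at > now:
            return ("forward", app.mapped_port)
        self.idp_redirects += 1
        return ("redirect_idp", app.group)

    def handle_saml_response(self, assertion: dict, now: float) -> Optional[str]:
        """Step 5: accept the SAML response only if its signature verifies, then
        mint one session for the whole group, valid for the re-auth interval."""
        if not self.verify_assertion(assertion):
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = Session(assertion["user"], assertion["group"],
                                        now + self.reauth_interval_s)
        return cookie


def demo() -> dict:
    """Walk the workflow with two grouped apps, one ungrouped app, constructed times."""
    gw = ZeroTrustGatewayModel(reauth_interval_s=3600)
    hr = gw.add_application("hr.apps.example.com", group="corp-apps")
    wiki = gw.add_application("wiki.apps.example.com", group="corp-apps")
    gw.add_application("portal.example.com")                 # ungrouped
    t0 = 1_700_000_000.0
    first = gw.handle_request("hr.apps.example.com", None, t0)
    cookie = gw.handle_saml_response(
        {"user": "alice", "group": "corp-apps", "signature_valid": True}, t0)
    unverified = gw.handle_saml_response(
        {"user": "alice", "group": "corp-apps", "signature_valid": False}, t0)
    return {
        "first": first,
        "hr_after_auth": gw.handle_request("hr.apps.example.com", cookie, t0 + 1),
        "wiki_same_group": gw.handle_request("wiki.apps.example.com", cookie, t0 + 2),
        "portal_other_group": gw.handle_request("portal.example.com", cookie, t0 + 3),
        "hr_after_interval": gw.handle_request("hr.apps.example.com", cookie, t0 + 3601),
        "unverified_response": unverified,
        "idp_redirects": gw.idp_redirects,
        "ports": (hr.mapped_port, wiki.mapped_port),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The run shows the two properties the text promises: the second application in the same group is forwarded without a second IdP redirect, while the ungrouped application and any request after the re-authentication interval go back to the IdP.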
Limitations for Zero Trust Network Access
- Supports only TLS-enabled web applications. All traffic must be decrypted.
- Supports only SAML identity providers.
- Supports IPv6; however, only homogeneous network address translation (NAT) scenarios such as NAT66 and NAT44 are supported. NAT64 and NAT46 scenarios are not supported.
- Zero trust network access is available on Firewall Threat Defense only if Snort 3 is enabled.
- By default, the Firewall Threat Defense device uses port 443 for secure communications. Because this is the same port used by the TLS-enabled applications likely to be configured for zero trust network access, you must change the device's HTTP server port.
  Go to , then edit the Threat Defense Settings policy for the device, click HTTP Access, select the Enable HTTP Server check box, and enter a port other than 443 in the field. When you're finished, click Save in the upper right corner of the page.
  The following figure shows an example.
- All hyperlinks in protected web applications must use a relative path.
- Not supported on individual mode clusters.
- Protected web applications running on a virtual host or behind internal load balancers must use the same external and internal URL.
- Not supported on applications with strict HTTP Host Header validation enabled.
- If the application server hosts multiple applications and serves content based on the Server Name Indication (SNI) in the TLS Client Hello, the external URL of the zero trust application configuration must match the SNI of that specific application.
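The last limitation is the one most often diagnosed from a packet capture: when the server selects content by SNI, the host in the zero trust application's external URL must be exactly what the browser puts in the ClientHello. The following Python is an added example, not Cisco code, that extracts the server_name extension (RFC 6066) from a TLS ClientHello record and compares it with the external URL's host. It also includes a minimal ClientHello builder so the check can be exercised offline; the random bytes, cipher list and hostnames are constructed.

```python
"""Extract SNI from a TLS ClientHello and compare it with an external URL.

Added example, not Cisco code. `build_client_hello` constructs a minimal
ClientHello for demonstration; real captures come from the wire.
"""
import struct
from typing import Optional
from urllib.parse import urlparse


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal TLS-framed ClientHello with (or without) a server_name extension."""
    if server_name is None:
        extensions = struct.pack("!H", 0)                       # empty extensions block
    else:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03"                                 # client_version TLS 1.2
            + b"\x11" * 32                              # random (constructed filler)
            + b"\x00"                                   # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:                    # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                            # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                            # version + random
        pos += 1 + body[pos]                                    # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        if pos + 2 > len(body):
            return None                                         # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            lpos = 2                                            # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if name_type == 0:
                    return data[lpos:lpos + name_len].decode("ascii")
                lpos += name_len
    except (IndexError, struct.error):
        return None                                             # truncated record
    return None


def sni_matches_external_url(record: bytes, external_url: str) -> bool:
    """True only when the ClientHello carries an SNI equal to the external URL's
    host (case-insensitive); a missing SNI or a different host is a mismatch."""
    expected = urlparse(external_url).hostname
    sni = extract_sni(record)
    return bool(expected) and sni is not None and sni.lower() == expected.lower()


if __name__ == "__main__":
    hello = build_client_hello("hr.apps.example.com")          # constructed capture
    print("SNI:", extract_sni(hello))
    print("matches https://hr.apps.example.com/:", sni_matches_external_url(hello, "https://hr.apps.example.com/"))
    print("matches https://wiki.apps.example.com/:", sni_matches_external_url(hello, "https://wiki.apps.example.com/"))
```

Feed `extract_sni` the first record of a captured client connection to the application's external URL; if the name it returns differs from the configured external URL host, the virtual host the server selects will not be the one the policy protects.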
Prerequisites for Zero Trust Application Policy
Prerequisite Type | Description
---|---
Licensing |
Configurations | Create a wildcard or Subject Alternative Name (SAN) certificate that matches the FQDN of private applications. For more information, see Adding Certificate Enrollment Objects. Create a security zone through which access to private applications is regulated. For more information, see Create Security Zone and Interface Group Objects.
Manage Zero Trust Application Policies
You can create, edit, and delete zero trust application policies.
Procedure
Step 1 | Choose
Step 2 | Manage the zero trust access policies:
Step 3 | Click Save.
What to do next
Ensure that there are no warnings before you deploy the configuration to threat defense. To deploy configuration changes, see Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Create a Zero Trust Application Policy
This task configures a Zero Trust Application Policy.
Before you begin
Ensure that you complete all the prerequisites listed in Prerequisites for Zero Trust Application Policy.
Procedure
Step 1 | Choose .
Step 2 | Click Add Policy.
Step 3 | In the General section, enter the policy name in the Name field. The Description field is optional.
Step 4 | Enter a domain name in the Domain Name field. Ensure that the domain name is added to DNS. The domain name resolves to the Firewall Threat Defense gateway interface through which the application is accessed, and it is used to generate the ACS URL for all private applications in an Application Group.
Step 5 | Choose an existing certificate from the Identity Certificate drop-down list. Click the Add (
Step 6 | Choose a security zone from the Security Zones drop-down list. To add security zones, see Create Security Zone and Interface Group Objects.
Step 7 | In the Global Port Pool section, a default port range is displayed. Modify it if required. Port values range from 1024 to 65535. A unique port from this pool is assigned to each private application.
Step 8 | (Optional) In the Security Controls section, you can add an Intrusion or Malware and File policy:
Step 9 | Click Save to save the policy.
What to do next
- Create an Application Group. See Create an Application Group.
- Create an Application. See Create an Application.
- Associate a Zero Trust Application Policy with a device. See Set Targeted Devices for Zero Trust Access Policy.
- Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Create an Application Group
Before you begin
Procedure
Step 1 | Click Add Application Group.
Step 2 | In the Application Group section, type the name in the Name field and click Next.
Step 3 | In the SAML Service Provider (SP) Metadata section, the data is generated dynamically. Copy the values of the Entity ID and Assertion Consumer Service (ACS) URL fields, or click Download SP Metadata to download this data in XML format, for adding it to the IdP. Click Next.
Step 4 | In the SAML Identity Provider (IdP) Metadata section, add the metadata using any one of the methods: Click Next.
Step 5 | In the Re-authentication Interval section, enter the value in the Timeout Interval field and click Next. The re-authentication interval determines when a user must authenticate again.
Step 6 | In the Security Zones and Security Controls section, the security zones and threat settings are inherited from the parent policy. You can override these settings. Click Next.
Step 7 | Review the configuration summary. Click Edit to modify the details in any of the sections. Click Finish.
Step 8 | Click Save. The Application Group is created and is displayed on the Zero Trust Application page.
What to do next
- Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Create an Application
Use this task to create a Grouped or Ungrouped Application.
Before you begin
- Create an Application Group (required only for Grouped Applications).
Procedure
Step 1 | Choose
Step 2 | Choose the policy.
Step 3 | Click Add Application.
Step 4 | In the Application Settings section, complete the following fields.
Step 5 | Click Next.
Step 6 | Depending on the type of application:
Step 7 | In the Security Zones and Security Controls section, the security zones and threat settings are inherited from the parent policy or application group. You can override these settings. Click Next.
Step 8 | Review the configuration summary. Click Edit to modify the details in any of the sections. Click Finish.
Step 9 | Click Save. The application is listed on the Zero Trust Application page and is enabled by default.
What to do next
- Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Set Targeted Devices for Zero Trust Access Policy
Each Zero Trust Application policy can target multiple devices; each device can have one deployed policy at a time.
Before you begin
Procedure
Step 1 | Choose
Step 2 | Choose the policy.
Step 3 | Click Targeted Devices.
Step 4 | Choose the devices where you want to deploy the policy using any one of the methods:
Step 5 | Click Apply to save the policy assignments.
Step 6 | Click Save to save the policy.
What to do next
Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Edit a Zero Trust Application Policy
You can edit the settings of a Zero Trust Application Policy, Application Group, or Application.
Procedure
Step 1 | Choose
Step 2 | Click Edit (
Step 3 | Edit your Zero Trust Application Policy. You can change the following settings or perform these actions:
What to do next
Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.
Monitor Zero Trust Sessions
Connection Events
After a Zero Trust Application Policy is deployed, new fields are available. To add the fields to the table view:
- Choose .
- Click the Table View of Connection Events tab.
- In the table view of events, multiple fields are hidden by default. To change the fields that are displayed, click the x icon in any column name to display a field selector.
- Select the following fields:
  - Authentication Source
  - Zero Trust Application
  - Zero Trust Application Group
  - Zero Trust Application Policy
- Click Apply.
See Connection and Security-Related Connection Events in the Secure Firewall Management Center Administration Guide for more information on the connection events.
Zero Trust Dashboard
The Zero Trust dashboard allows you to monitor real-time data from active zero trust sessions on the devices.
The Zero Trust dashboard provides a summary of the top zero trust applications and zero trust users that are managed by the management center. Choose Overview > Dashboards > Zero Trust to access the dashboard.
The dashboard has the following widgets:
- Top Zero Trust Applications
- Top Zero Trust Users
CLI Commands
Log in to the device CLI and use the following commands:
CLI Command | Description
---|---
show running-config zero-trust | Displays the running configuration for zero trust.
show zero-trust | Displays run-time zero trust statistics and session information.
show cluster zero-trust | Displays a summary of zero trust statistics across the nodes in a cluster.
clear zero-trust | Clears zero trust sessions and statistics.
show counters protocol zero_trust | Displays the counters that are hit for zero trust flows.
Diagnostics Tool
The diagnostics tool facilitates the troubleshooting process by detecting possible issues with zero trust configurations. The diagnostics can be classified into two types:
- Application-specific diagnostics detect issues such as:
  - DNS-related issues
  - Misconfigurations such as a socket that is not open, and issues with classification and NAT rules
  - Issues with deployment of the zero trust policy or SSL rules
  - Source NAT issues and exhaustion of the PAT pool
- General diagnostics detect issues such as:
  - Strong cipher license not enabled
  - Invalid application certificate
  - SAML-related issues
  - Home agent and cluster bulk sync issues
To run the diagnostic tool:
- Click the Diagnostics icon next to the zero trust application that you want to troubleshoot. The Diagnostics dialog box appears.
- Choose the device from the Select Device drop-down list and click Run. A report is generated in the Reports tab after the diagnostic process is complete.
- To view, copy, or download the logs, click the Logs tab.