Home
Support
Product Support
Security
Cisco Secure Firewall Management Center
Configuration Guides

Use Cases for SD-WAN Capabilities in Cisco Secure Firewall

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Table of contents

Expand all sections

About this document

Getting Started

Cisco Secure Firewall
SD-WAN Capabilities
SD-WAN Features of Cisco Secure Firewall

Simplify Branch to Hub Communication using Dynamic Virtual Tunnel Interface (DVTI)

Route-based VPN in a Hub and Spoke Topology
Benefits
Is This Use Case For You?
Scenario
Network Topology
Best Practices
Prerequisites
Workflow for Configuring a Route-based VPN (Hub and Spoke Topology)
Create a Route-based Site-to-Site VPN
Configure the Endpoint for the Hub Node
Configure the Endpoint for the Spoke Node
Configure OSPF on the Hub Node
Configure OSPF on the Spoke Node
Configure the Access Control Policy
Deploy Configuration
Verify Traffic Flow Over the VPN Tunnel
Configure the Backup VTI Interface on the Spoke Node
Configure an ECMP Zone for the Primary and Secondary VTI Interfaces
Verify the Primary and Secondary Tunnels
Troubleshoot Route-based VPN Tunnels
Additional Resources

Route Application Traffic from the Branch to the Internet Using Direct Internet Access (DIA)

Direct Internet Access
Benefits
Is This Use Case For You?
Components for Direct Internet Access
Best Practices
Prerequisites
Scenario 1: Direct Internet Access
Scenario 2: Direct Internet Access With Path Monitoring
Configure a Trusted DNS Server
Configure Interface Priority
Create an ECMP Zone
Configure an Equal Cost Static Route
Configure Path Monitoring Settings
Configure an Extended ACL Object for YouTube
Configure an Extended ACL Object for WebEx
Configure a Policy Based Routing Policy for YouTube
Configure a Policy Based Routing Policy for WebEx
Configure a Policy Based Routing Policy With Path Monitoring for Webex
Deploy Configuration
Verify Application Traffic Flow
Monitor and Troubleshoot Policy Based Routing
Additional Resources

Secure Internet Traffic Using Umbrella Auto Tunnel

Cisco Umbrella Auto Tunnel
Benefits
Is This Use Case For You?
Scenario
Network Topology
Best Practices for SASE Umbrella Tunnels
Prerequisites for Configuring Umbrella SASE Tunnels
Workflow for Configuring Umbrella Auto Tunnel
Configure a SASE Tunnel for Umbrella
Configure a Static Route
Configure an Extended ACL for DNS and Web Traffic
Configure a PBR Policy for DNS and Web Traffic
Deploy Configuration
Verify SASE Umbrella Tunnel Deployment
Troubleshoot Umbrella Auto Tunnels
Additional Resources

Empower Remote Workers with Secure Connectivity: DIA, Umbrella Auto Tunnel, and DVTI in Action

Enhancing Connectivity and Security for Remote Workers with DIA, Umbrella SASE Auto Tunnel, and DVTI
Is This Use Case For You?
Sample Scenario
Network Topology
Workflow for Configuring DIA, Umbrella Auto Tunnel, and DVTI
Additional Resources

Set Up SD-WAN Branch Office with Dual ISPs Using Registration Key and Device Templates

SD-WAN Wizard and Device Templates
Is this Guide for You?
Sample Scenario
System Requirements
Prerequisites for Using SD-WAN Wizard and Device Templates
Guidelines and Limitations for SD-WAN Wizard and Device Templates
Network Topology Depicting Dual ISP with Hubs and Spokes in the Same Region
Workflow for Setting Up SD-WAN Branch Office with Dual ISPs Using Registration Key and Device Templates
Verify Tunnel Statuses and Configurations of SD-WAN Topologies
Troubleshoot Device Templates and SD-WAN Topologies

Set Up SD-WAN Branch Office with Dual ISPs Using Serial Numbers and Device Template

SD-WAN Wizard and Device Templates
Is this Guide for You?
Sample Scenario
System Requirements
Prerequisites for Using SD-WAN Wizard and Device Templates
Guidelines and Limitations for SD-WAN Wizard and Device Templates
Network Topology Depicting Dual ISP with Hubs and Spokes
Workflow for Setting Up SD-WAN Branch Office with Dual ISPs Using Serial Number and Device Templates
Validate and Monitor Tunnel Statuses and Configurations of SD-WAN Topologies
Troubleshoot Device Templates and SD-WAN Topologies

Route Application Traffic from the Branch to the Internet Using Direct Internet Access (DIA)

Updated: February 5, 2026

Overview

Provides an overview of how to implement Direct Internet Access (DIA) to route branch application traffic directly to the internet using policy-based routing, improving performance, reducing latency, and optimizing WAN utilization in Cisco Secure Firewall.

In this chapter, we delve into the practical application of Direct Internet Access (DIA) using two use cases. Each use case details the scenario, network topology, best practices, and prerequisites. It also provides a comprehensive end-to-end procedure for seamless implementation.

Direct Internet Access

Learn how to use Direct Internet Access (DIA) to route branch application traffic directly to the internet using policy-based routing for improved performance and reduced latency using Cisco Secure Firewall.

Benefits

Summarizes the benefits of DIA for branches, including reduced latency, improved application performance, and optimized internet-bound traffic with Cisco Secure Firewall.

Is This Use Case For You?

Identifies the intended audience for implementing DIA, including network design, operations, and security personnel managing branch internet breakout.

Components for Direct Internet Access

Describes the key components required to implement DIA.

Best Practices

Lists the best practices for implementing DIA at branch sites to optimize traffic routing, enhance performance, and maintain secure WAN connectivity.

Prerequisites

Lists the prerequisites for deploying Direct Internet Access (DIA) at branch sites to ensure network readiness, compatible devices, and secure WAN connectivity.

Scenario 1: Direct Internet Access

Explains a scenario where Direct Internet Access (DIA) with policy-based routing (PBR) improves performance and lowers latency by routing traffic directly to the internet.

Scenario 2: Direct Internet Access With Path Monitoring

Explains a branch office scenario where policy-based routing with path monitoring directs WebEx traffic to minimize packet loss, reduce lag, and improve meeting quality.

Configure a Trusted DNS Server

Provides instructions to configure a trusted DNS server in Firewall Management Center (FMC) so that Threat Defense devices can resolve application domains for DIA traffic.

Configure Interface Priority

Provides instructions to set interface priority for a Threat Defense device to control preferred internet egress paths when routing internet‑bound traffic.

Create an ECMP Zone

Provides instructions to configure an ECMP zone in Firewall Management Cente (FMC) to enable load balancing and high availability across multiple internet interfaces for Direct Internet Access (DIA) traffic.

Configure an Equal Cost Static Route

Provides instructions to configure static routes for interfaces in ECMP zones in Firewall Management Center (FMC).

Configure Path Monitoring Settings

Provides instructions to configure path monitoring in Firewall Management Center (FMC) to collect link performance metrics and guide intelligent egress selection for Direct Internet Access (DIA) traffic.

Configure an Extended ACL Object for YouTube

Provides instructions to configure an extended access control list (ACL) to match YouTube traffic for policy-based routing and Direct Internet Access (DIA) control in Firewall Management Center (FMC).

Configure an Extended ACL Object for WebEx

Provides instructions to configure an extended access control list (ACL) to match WebEx traffic for policy-based routing and Direct Internet Access (DIA) control in Firewall Management Center (FMC).

Configure a Policy Based Routing Policy for YouTube

Provides instructions to configure a policy-based routing policy to steer YouTube traffic across selected internet interfaces in Firewall Management Center (FMC).

Configure a Policy Based Routing Policy for WebEx

Provides instructions to configure a policy-based routing policy to steer WebEx traffic across selected internet interfaces in Firewall Management Center (FMC).

Configure a Policy Based Routing Policy With Path Monitoring for Webex

Provides instructions to configure a policy-based routing policy to steer WebEx traffic through preferred interfaces for optimal performance in Firewall Management Center (FMC).

Deploy Configuration

Provides instructions to deploy Direct Internet Access (DIA) and policy-based routing configurations on Threat Defense devices to enable optimized branch internet traffic flows.

Verify Application Traffic Flow

Provides instructions to verify WebEx and YouTube traffic flow in Firewall Management Center (FMC).

Monitor and Troubleshoot Policy Based Routing

Provides troubleshooting guidance for Direct Internet Access (DIA) issues, including verifying path monitoring, policy‑based routing, ACLs, and egress interface behavior to restore proper internet‑bound traffic flow.

Additional Resources

Lists additional resources to learn about Cisco Secure Firewall features, configuration, verification, and troubleshooting.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.