Home
Support
Product Support
Security
Cisco Secure Firewall Management Center
Configuration Guides

Use Cases for SD-WAN Capabilities in Cisco Secure Firewall

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Table of contents

Expand all sections

About this document

Getting Started

Cisco Secure Firewall
SD-WAN Capabilities
SD-WAN Features of Cisco Secure Firewall

Simplify Branch to Hub Communication using Dynamic Virtual Tunnel Interface (DVTI)

Route-based VPN in a Hub and Spoke Topology
Benefits
Is This Use Case For You?
Scenario
Network Topology
Best Practices
Prerequisites
Workflow for Configuring a Route-based VPN (Hub and Spoke Topology)
Create a Route-based Site-to-Site VPN
Configure the Endpoint for the Hub Node
Configure the Endpoint for the Spoke Node
Configure OSPF on the Hub Node
Configure OSPF on the Spoke Node
Configure the Access Control Policy
Deploy Configuration
Verify Traffic Flow Over the VPN Tunnel
Configure the Backup VTI Interface on the Spoke Node
Configure an ECMP Zone for the Primary and Secondary VTI Interfaces
Verify the Primary and Secondary Tunnels
Troubleshoot Route-based VPN Tunnels
Additional Resources

Route Application Traffic from the Branch to the Internet Using Direct Internet Access (DIA)

Direct Internet Access
Benefits
Is This Use Case For You?
Components for Direct Internet Access
Best Practices
Prerequisites
Scenario 1: Direct Internet Access
Scenario 2: Direct Internet Access With Path Monitoring
Configure a Trusted DNS Server
Configure Interface Priority
Create an ECMP Zone
Configure an Equal Cost Static Route
Configure Path Monitoring Settings
Configure an Extended ACL Object for YouTube
Configure an Extended ACL Object for WebEx
Configure a Policy Based Routing Policy for YouTube
Configure a Policy Based Routing Policy for WebEx
Configure a Policy Based Routing Policy With Path Monitoring for Webex
Deploy Configuration
Verify Application Traffic Flow
Monitor and Troubleshoot Policy Based Routing
Additional Resources

Secure Internet Traffic Using Umbrella Auto Tunnel

Cisco Umbrella Auto Tunnel
Benefits
Is This Use Case For You?
Scenario
Network Topology
Best Practices for SASE Umbrella Tunnels
Prerequisites for Configuring Umbrella SASE Tunnels
Workflow for Configuring Umbrella Auto Tunnel
Configure a SASE Tunnel for Umbrella
Configure a Static Route
Configure an Extended ACL for DNS and Web Traffic
Configure a PBR Policy for DNS and Web Traffic
Deploy Configuration
Verify SASE Umbrella Tunnel Deployment
Troubleshoot Umbrella Auto Tunnels
Additional Resources

Empower Remote Workers with Secure Connectivity: DIA, Umbrella Auto Tunnel, and DVTI in Action

Enhancing Connectivity and Security for Remote Workers with DIA, Umbrella SASE Auto Tunnel, and DVTI
Is This Use Case For You?
Sample Scenario
Network Topology
Workflow for Configuring DIA, Umbrella Auto Tunnel, and DVTI
Additional Resources

Set Up SD-WAN Branch Office with Dual ISPs Using Registration Key and Device Templates

SD-WAN Wizard and Device Templates
Is this Guide for You?
Sample Scenario
System Requirements
Prerequisites for Using SD-WAN Wizard and Device Templates
Guidelines and Limitations for SD-WAN Wizard and Device Templates
Network Topology Depicting Dual ISP with Hubs and Spokes in the Same Region
Workflow for Setting Up SD-WAN Branch Office with Dual ISPs Using Registration Key and Device Templates
Verify Tunnel Statuses and Configurations of SD-WAN Topologies
Troubleshoot Device Templates and SD-WAN Topologies

Set Up SD-WAN Branch Office with Dual ISPs Using Serial Numbers and Device Template

SD-WAN Wizard and Device Templates
Is this Guide for You?
Sample Scenario
System Requirements
Prerequisites for Using SD-WAN Wizard and Device Templates
Guidelines and Limitations for SD-WAN Wizard and Device Templates
Network Topology Depicting Dual ISP with Hubs and Spokes
Workflow for Setting Up SD-WAN Branch Office with Dual ISPs Using Serial Number and Device Templates
Validate and Monitor Tunnel Statuses and Configurations of SD-WAN Topologies
Troubleshoot Device Templates and SD-WAN Topologies

Verify Tunnel Statuses and Configurations of SD-WAN Topologies

Updated: February 5, 2026

On this page

Overview

View the Onboarded Device in the Device Management Page
Verify Tunnel Statuses in the Site-to-Site VPN Summary Page
Verify Tunnel Statuses in the Site-to-Site VPN Dashboard
Verify Routing Information of the Firewall Threat Defense Device
View Tunnel Interface Configurations of the Firewall Threat Defense Device

Overview

Provides instructions to verify device onboarding and status of SD‑WAN VPN tunnels to ensure branch connectivity and proper network operation.

View the Onboarded Device in the Device Management Page

After the device template is successfully applied on the device, you can view the device in the Device Management page.

Onboarded device in Device Management page

Verify Tunnel Statuses in the Site-to-Site VPN Summary Page

To verify the statuses of the VPN tunnels, choose Device > VPN > Site To Site.

After the device template is successfully applied on the device, the device (Spoke3) gets added to the SD-WAN topologies.You can view the VPN tunnels between the hubs and the spokes, and also the VPN tunnels between the hubs and the onboarded device, Spoke3.

Tunnel statuses in the Site-to-Site VPN Summary page

Verify Tunnel Statuses in the Site-to-Site VPN Dashboard

To view details of the SD-WAN VPN tunnels, choose Overview > Dashboards > Site-to-site VPN.

Following are the VPN tunnels of the two SD-WAN topologies: SDWAN-VPN1 and SDWAN-VPN2:

Tunnel statuses in the Site-to-Site VPN dashboard

You can also see the VPN tunnels between Spoke3 and the two hubs.

To see more details about each tunnel:

For each tunnel, hover your cursor over a topology and click the View icon to view more information about the tunnels.
Click the CLI Details tab.
Click Maximize View. You can view the output of the following commands:
- show crypto ipsec sa peer: Shows the number of packets that are transmitted through the tunnel.
- show vpn-sessiondb detail l2l filter ipaddress: Shows more detailed data for the VPN connection.

Verify Routing Information of the Firewall Threat Defense Device

To verify the routing information of the hub and the spokes, use the show route command on the device using the Firewall Management Center or the device CLI. You can also use the show bgp command.

In the Firewall Management Center, choose Devices > Device Management.
Click the edit icon adjacent to the device.
Click the Device tab.
Click CLI in the General card.

In the CLI Troubleshoot window, enter show route in the Command field and click Execute.

You can also use the show bgp or show bgp summary commands.

View Tunnel Interface Configurations of the Firewall Threat Defense Device

To verify the interface configuration on the Firewall Threat Defense device, use the show running-config interface command.

To view the dynamic VTIs of hubs and static VTIs of spokes:

Choose Devices > Device Management.
Click the edit icon adjacent to the device.
Click the Interfaces tab.
Click the Virtual Tunnels tab.

For each VTI, you can view details such as name, IP address, IPsec mode, tunnel source interface details, topology, and remote peer IP.

The dynamic VTI and the dynamically created virtual access interfaces of Hub1 are shown in the figure below:

The static VTIs created on Spoke1 are shown in the figure below:

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.