Cisco Catalyst SD-WAN Security Configuration Guide, Cisco IOS XE
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2019–2023 Cisco Systems, Inc. All rights reserved.
CONTENTS
Cisco Catalyst SD-WAN Security Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x
GRE Over IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices 294
Prerequisites for GRE Over IPsec Tunnels Between Cisco IOS XE Devices 294
Restrictions for GRE Over IPsec Tunnels Between Cisco IOS XE Devices 294
Benefits of GRE Over IPsec Tunnels Between Cisco IOS XE Devices 294
Use Case for GRE Over IPsec Tunnels Between Cisco IOS XE Devices 295
Configure GRE Over IPsec Tunnels Between Cisco IOS XE Devices 295
Configure GRE Over IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices Using the CLI 296
Monitor GRE Over IPsec Tunnels Between Cisco IOS XE Devices Using the CLI 297
IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices 300
Restrictions for IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices 300
Supported Devices for IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices 301
Configure IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices Using a CLI Template 301
Verify IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices 305
Configure Single Sign-On Using Azure AD and Import Azure AD Metadata to Cisco SD-WAN Manager 333
Verify Single Sign-On Using Azure AD 334
Integrate with Multiple IdPs 334
Information About Integrating with Multiple IdPs 335
Benefits of Integrating with Multiple IdPs 335
Restrictions for Integrating with Multiple IdPs 335
Use Cases for Integrating with Multiple IdPs 335
Configure Multiple IdPs 335
Verify Integration with Multiple IdPs 337
Troubleshooting Integration with Multiple IdPs 337
Configure OMP Prefixes for IP-SGT Binding Using Cisco SD-WAN Manager 369
Monitor OMP Prefixes for IP-SGT Binding Using the CLI 370
Configure the Unified Threat Defense Resource Profiles Using Cisco SD-WAN Manager 375
Verify Unified Threat Defense Resource Profiles 375
CHAPTER 24 Regular Expression for URL Filtering and DNS Security 395
Overview 399
Support Articles 399
Feedback Request 401
Disclaimer and Caution 401
CHAPTER 1
Read Me First
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Related References
• Cisco Catalyst SD-WAN Control Components Compatibility Matrix and Server Recommendations
• Cisco Catalyst SD-WAN Device Compatibility
User Documentation
• User Documentation for Cisco IOS XE Catalyst SD-WAN Release 17
Documentation Feedback
To provide feedback about Cisco technical documentation use the feedback form available in the right pane
of every online document.
CHAPTER 2
What's New in Cisco IOS XE (SD-WAN)
Note Cisco is constantly enhancing the Cisco Catalyst SD-WAN solution with every release, and we try to keep
the content in line with the latest enhancements. The following table lists new and modified features we
documented in the Configuration, Command Reference, and Hardware Installation guides. For information
on additional features and fixes that were committed to the Cisco Catalyst SD-WAN solution, see the Resolved
and Open Bugs section in the Release Notes.
CHAPTER 3
Security Overview
Security is a critical element of today's networking infrastructure. Network administrators and security officers
are hard pressed to defend their network against attacks and breaches. As a result of hybrid clouds and remote
employee connectivity, the security perimeter around networks is disappearing. There are multiple problems
with the traditional ways of securing networks, including:
• Very little emphasis is placed on ensuring the authenticity of the devices involved in the communication.
• Securing the links between a pair of devices involves tedious and manual setup of keys and shared
passwords.
• Scalability and high availability solutions are often at odds with each other.
• Authentication—The solution ensures that only authentic devices are allowed to send traffic to one
another.
• Encryption—All communication between each pair of devices is automatically secure, completely
eliminating the overhead involved in securing the links.
• Integrity—No group keys or key server issues are involved in securing the infrastructure.
These three components—authentication, encryption, and integrity—are key to securing the Cisco Catalyst
SD-WAN overlay network infrastructure.
The topics on Control Plane Security Overview and Data Plane Security Overview examine how authentication,
encryption, and integrity are implemented throughout the Cisco Catalyst SD-WAN overlay network. The
security discussion refers to the following illustration of the components of the Cisco Catalyst SD-WAN
network—the Cisco SD-WAN Controller, the Cisco SD-WAN Validator, and the routers. The connections
between these devices form the control plane (in orange) and the data plane (in purple), and it is these
connections that need to be protected by appropriate measures to ensure the security of the network devices
and all network traffic.
Control Plane Security Overview
and directing packets towards their destination are handled by routing and switching protocols, which typically
offer few or no mechanisms for authenticating devices or for encrypting routing updates and other control
information. In addition, the traditional methods of providing security are manual and do not scale. For
example, certificates are typically installed manually rather than in an automated fashion, and using preshared
keys is not a secure approach for providing device security.
The Cisco Catalyst SD-WAN control plane has been designed with network and device security in mind. The
foundation of the control plane is one of two security protocols derived from Secure Sockets Layer (SSL)—
the Datagram Transport Layer Security (DTLS) protocol and the Transport Layer Security (TLS) protocol.
The Cisco SD-WAN Controller, which is the centralized brain of the Cisco Catalyst SD-WAN solution,
establishes and maintains DTLS or TLS connections to all Cisco Catalyst SD-WAN devices in the overlay
network—to the routers, the Cisco SD-WAN Validator, to Cisco SD-WAN Manager, and to other Cisco
SD-WAN Controllers. These connections carry control plane traffic. DTLS or TLS provides communication
privacy between Cisco Catalyst SD-WAN devices in the network, using the Advanced Encryption Standard
(AES-256) encryption algorithm to encrypt all the control traffic sent over the connections. For information
about how Cisco SD-WAN Manager communicates with devices and controllers, see Cisco Catalyst SD-WAN
Manager in the Cisco Catalyst SD-WAN Getting Started Guide.
The privacy and encryption in the control plane, which is offered by DTLS and TLS, provide a safe and secure
foundation for the other two security components, that is, authentication and integrity. To perform
authentication, the Cisco Catalyst SD-WAN devices exchange digital certificates. These certificates, which
are either installed by the software or hard-coded into the hardware, depending on the device, identify the
device and allow the devices themselves to automatically determine which ones belong in the network and
which are imposters. For integrity, the DTLS or TLS connections run AES-256-GCM, an authenticated
encryption with associated data (AEAD) that provides encryption and integrity, which ensures that all the
control and data traffic sent over the connections has not been tampered with.
Figure 1: Cisco Catalyst SD-WAN Control Plane Overview
The following are the control plane security components, which function in the privacy provided by DTLS
or TLS connections:
• AES-256-GCM: This algorithm provides encryption services.
• Digital certificates: These are used for authentication.
• AES-256-GCM: This is responsible for ensuring integrity.
DTLS and TLS Infrastructure
In the Cisco Catalyst SD-WAN architecture, the Cisco Catalyst SD-WAN devices use DTLS or TLS as a
tunneling protocol, which is an application-level (Layer 4) tunneling protocol. When the Cisco SD-WAN
Controller, Cisco SD-WAN Validator, Cisco SD-WAN Managers, and routers join the network, they create
provisional DTLS or TLS tunnels between them as part of the device authentication process. After the
authentication process completes successfully, the provisional tunnels between the routers and Cisco SD-WAN
Controller, and those between the Cisco SD-WAN Validator and Cisco SD-WAN Controller, become permanent
and remain up as long as the devices are active in the network. It is these authenticated, secure DTLS or TLS
tunnels that are used by all the protocol applications running on the Cisco Catalyst SD-WAN devices to
transport their traffic. For example, an OMP session on a router communicates with an OMP session on a
Cisco SD-WAN Controller by sending plain IP traffic through the secure DTLS or TLS tunnel between the
two devices. The Overlay Management Protocol is the Cisco Catalyst SD-WAN control protocol used to
exchange routing, policy, and management information among Cisco Catalyst SD-WAN devices, as described
in Overlay Routing Overview.
Control Plane Authentication
A Cisco Catalyst SD-WAN daemon running on each Cisco SD-WAN Controller and router creates and
maintains the secure DTLS or TLS connections between the devices. This daemon is called vdaemon and is
discussed later in this article. After the control plane DTLS or TLS connections are established between these
devices, multiple protocols can create sessions to run and route their traffic over these connections—including
OMP, Simple Network Management Protocol (SNMP), and Network Configuration Protocol (Netconf)—without
needing to be concerned with any security-related issues. The session-related traffic is simply directed over
the secure connection between the routers and Cisco SD-WAN Controller.
In addition to standard PKI components, the Cisco SD-WAN Controller serial numbers and the router chassis
numbers are used in the authentication processes.
Let's first look at the PKI components that are involved in router authentication. On the Cisco IOS XE Catalyst
SD-WAN device, the public and private keys and the certificates are managed automatically, by a hardware
security chip that is built into the router called the Trust Anchor module (TAm). The TAm is a proprietary,
tamper-resistant chip that features non-volatile secure storage for the Secure Unique Device Identifier (SUDI),
as well as secure generation and storage of key pairs with cryptographic services including random number
generation (RNG). When the routers are manufactured, this chip is programmed with a signed certificate.
This certificate includes the router's public key, its serial number, and the router's private key. When the routers
boot up and join the network, they exchange their certificates (including the router's public key and serial
number) with other Cisco Catalyst SD-WAN routers as part of the router authentication process. Note that
the router's private key always remains embedded in the router's Trusted Board ID chip, and it is never
distributed, nor can it ever be retrieved from the router. In fact, any brute-force attempt to read the private
key causes the hardware security chip to fail, thereby disabling all access to the router.
For Cisco SD-WAN Controllers, Cisco Catalyst SD-WAN Validators, and Cisco SD-WAN Manager systems,
the public and private keys and the certificates are managed manually. When you boot these routers for the
first time, the Cisco SD-WAN Controller software generates a unique private key–public key pair for each
software image. The public key needs to be signed by the CA root. The network administrator then requests
a signed certificate and manually installs it and the certificate chains on the Cisco SD-WAN Controllers, Cisco
Catalyst SD-WAN Validators, and Cisco SD-WAN Manager systems. A typical network might have only a
small handful of Cisco SD-WAN Controllers, Cisco Catalyst SD-WAN Validators, and Cisco SD-WAN
Managers, so the burden of manually managing the keys and certificates on these routers is small.
When you place an order with Cisco using your Smart and Virtual Account, Cisco updates the Cisco Plug
and Play (PNP) Portal with the chassis and certificate serial numbers of the devices that you purchased. You
can then use Cisco SD-WAN Manager to sync the device information from the PNP portal using your Smart
Account credentials. Alternatively, you can also download the trusted WAN Edge serial file from the PNP
portal and upload it manually to Cisco SD-WAN Manager. Cisco SD-WAN Manager then broadcasts this
information to the other controllers. Both the authorized serial number file and the file listing the Cisco
SD-WAN Controller serial numbers are uploaded and installed on Cisco Catalyst SD-WAN Validators. Then,
during the automatic authentication process, as pairs of devices (routers and controllers) are establishing DTLS
control connections, each device compares the serial numbers (and for routers, the chassis numbers) to those
in the files installed on the router. A router allows a connection to be established only if the serial number or
serial–chassis number combination (for a router) matches. Note that routers only make control connections
to the controllers and not to other routers.
You can display the installed Cisco SD-WAN Controller authorized serial numbers using the show control
valid-vsmarts command on a Cisco SD-WAN Controller and the show orchestrator valid-vsmarts command
on a Cisco Catalyst SD-WAN Validator. You can also run show sdwan control valid-vsmarts on Cisco IOS
XE Catalyst SD-WAN devices. You can display the installed router authorized serial and chassis number
associations using the show control valid-vedges command on a Cisco SD-WAN Controller and the show
orchestrator valid-devices command on a Cisco Catalyst SD-WAN Validator.
Now, let's look at how the PKI authentication components and the router serial and chassis numbers are used
to authenticate routers on the Cisco SD-WAN Controller overlay network. When Cisco SD-WAN Controllers,
Cisco Catalyst SD-WAN Validators, and routers first boot up, they establish secure DTLS or TLS connections
between the Cisco SD-WAN Controllers and the routers. Over these connections, the devices authenticate
each other, using the public and private keys, the signed certificates, and the routers' serial numbers, and
performing a series of handshake operations to ensure that all the devices on the network are valid and not
imposters. The following figure illustrates the key and certificate exchange that occurs when the Cisco
SD-WAN Controller devices boot. For details about the authentication that occurs during the bringup process,
see Bringup Sequence of Events.
Control Plane Encryption
A single Cisco Catalyst SD-WAN device can have DTLS or TLS connections to multiple Cisco Catalyst
SD-WAN devices, so vdaemon creates a kernel route for each destination. For example, a router would
typically have one kernel route, and hence one DTLS or TLS connection, for each Cisco SD-WAN Controller.
Similarly, a Cisco SD-WAN Controller would have one kernel route and one DTLS or TLS connection for
each router in its domain.
Data Plane Authentication and Encryption
• Authentication: As mentioned, the Cisco Catalyst SD-WAN control plane contributes the underlying
infrastructure for data plane security. In addition, authentication is enforced by two other mechanisms:
• In the traditional key exchange model, the Cisco Catalyst SD-WAN Controller sends IPsec encryption
keys to each edge device.
In the pairwise keys model, the Cisco SD-WAN Controller sends Diffie-Hellman public values to
the edge devices, and they generate pairwise IPsec encryption keys using Elliptic-curve
Diffie-Hellman (ECDH) and a P-384 curve. For more information, see Pairwise Keys, on page 314.
• By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload
(ESP) protocol for authentication on IPsec tunnels.
• Encryption: An enhanced version of ESP protects a data packet's payload. This version of the protocol
also checks the outer IP and UDP headers. Hence, this option supports an integrity check of the packet,
which is similar to the Authentication Header (AH) protocol. Data encryption is done using the
AES-GCM-256 cipher.
• Integrity: To guarantee that data traffic is transmitted across the network without being tampered with,
the data plane implements several mechanisms from the IPsec security protocol suite:
• An enhanced version of the ESP protocol encapsulates the payload of data packets.
• The enhanced version of ESP uses an AH-like mechanism to check the integrity of the outer IP and
UDP headers. You can configure the integrity methods supported on each router, and this information
is exchanged in the router's TLOC properties. If two peers advertise different authentication types,
they negotiate the type to use, choosing the strongest method.
• The anti-replay scheme protects against attacks in which an attacker duplicates encrypted packets.
for each remote device. This scheme means that in a fully meshed network, each device has to manage n² key
exchanges and (n-1) keys. As an example, in a 1,000-node network, 1,000,000 key exchanges are required to
authenticate the devices, and each node is responsible for maintaining and managing 999 keys.
The discussion in the previous paragraph points out why an IKE-style key exchange does not scale as network
size increases and why IKE could be a bottleneck in starting and in maintaining data exchange on a large
network:
• The handshaking required to set up the communications channels is both time consuming and resource
intensive.
• The processing required for the key exchange, especially in larger networks, can strain network resources
and can take a long time.
The Cisco Catalyst SD-WAN implementation of data plane authentication and encryption establishes SAs
between each pair of devices that want to exchange data, but it dispenses with IKE altogether. Instead, to
provide a scalable solution to data plane key exchange, the Cisco Catalyst SD-WAN solution takes advantage
of the fact that the DTLS control plane connections in the Cisco Catalyst SD-WAN overlay network are known
to be secure. Because the Cisco Catalyst SD-WAN control plane establishes authenticated, encrypted, and
tamperproof connections, there is no need in the data plane to set up secure communications channels to
perform data plane authentication.
In the Cisco Catalyst SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM,
a symmetric-key algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets.
Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits
this key to the Cisco SD-WAN Controller in OMP route packets, which are similar to IP route updates. These
packets contain information that the Cisco SD-WAN Controller uses to determine the network topology,
including the router's TLOC (a tuple of the system IP address and traffic color) and AES key. The Cisco
SD-WAN Controller then places these OMP route packets into reachability advertisements that it sends to
the other routers in the network. In this way, the AES keys for all the routers are distributed across the network.
Even though the key exchange is symmetric, the routers use it in an asymmetric fashion. The result is a simple
and scalable key exchange process that uses the Cisco Catalyst SD-WAN Controller.
In Cisco SD-WAN Release 19.2.x and Cisco IOS XE SD-WAN Release 16.12.x onwards, Cisco Catalyst
SD-WAN supports IPsec pairwise keys that provide additional security. When IPsec pairwise keys are used,
the edge router generates public and private Diffie-Hellman components and sends the public value to the
Cisco SD-WAN Controller for distribution to all other edge devices. For more information, see IPsec Pairwise
Keys, on page 313.
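An added example (not Cisco's code) of the pairwise-keys exchange sketched above and in the Authentication bullet earlier: each edge keeps its P-384 Diffie-Hellman private value, publishes only the public value through a stand-in controller, and derives a distinct key for each peer, so the controller relays public values but never holds a pairwise key. The Edge and Controller types, the system IPs and the SHA-256 key derivation are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Edge models one edge router; its private Diffie-Hellman value never leaves it.
type Edge struct {
	SystemIP string
	priv     *ecdh.PrivateKey
}

// NewEdge generates the edge's P-384 key pair (the curve the guide names).
func NewEdge(systemIP string) (*Edge, error) {
	priv, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Edge{SystemIP: systemIP, priv: priv}, nil
}

// Controller stands in for the Cisco SD-WAN Controller: it only relays public
// values, so it never holds a private value or a pairwise key.
type Controller struct{ published map[string][]byte }

// Publish records the public value the edge advertised (via OMP in the real system).
func (c *Controller) Publish(e *Edge) { c.published[e.SystemIP] = e.priv.PublicKey().Bytes() }

// PairwiseKey derives the 32-byte AES key this edge shares with peerIP from the
// ECDH shared secret. The SHA-256 KDF and its label are assumptions of this
// example, not the product's actual derivation.
func (e *Edge) PairwiseKey(c *Controller, peerIP string) ([]byte, error) {
	raw, ok := c.published[peerIP]
	if !ok {
		return nil, fmt.Errorf("no public value published for %s", peerIP)
	}
	peerPub, err := ecdh.P384().NewPublicKey(raw)
	if err != nil {
		return nil, err
	}
	shared, err := e.priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	lo, hi := e.SystemIP, peerIP // order identities so both sides bind the same label
	if lo > hi {
		lo, hi = hi, lo
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte("example-pairwise|" + lo + "|" + hi))
	return h.Sum(nil), nil
}

// Exchange runs the scheme among three edges and reports whether each pair
// derives the same key on both sides and whether all pairwise keys differ.
func Exchange() (agree, distinct bool, err error) {
	ctrl := &Controller{published: map[string][]byte{}}
	var edges []*Edge
	for _, ip := range []string{"10.1.0.1", "10.1.0.2", "10.1.0.3"} { // constructed system IPs
		e, err := NewEdge(ip)
		if err != nil {
			return false, false, err
		}
		ctrl.Publish(e)
		edges = append(edges, e)
	}
	agree, distinct = true, true
	seen := map[string]bool{}
	for i := range edges {
		for j := i + 1; j < len(edges); j++ {
			kij, err1 := edges[i].PairwiseKey(ctrl, edges[j].SystemIP)
			kji, err2 := edges[j].PairwiseKey(ctrl, edges[i].SystemIP)
			if err1 != nil || err2 != nil {
				return false, false, fmt.Errorf("derivation failed: %v %v", err1, err2)
			}
			agree = agree && bytes.Equal(kij, kji)
			distinct = distinct && !seen[string(kij)]
			seen[string(kij)] = true
		}
	}
	return agree, distinct, nil
}

func main() { fmt.Println(Exchange()) }
```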
If control policies configured on a Cisco SD-WAN Controller limit the communications channels between
network devices, the reachability advertisements sent by the Cisco SD-WAN Controller contain information
only for the routers that they are allowed to exchange data with. So, a router learns the keys only for those
routers that they are allowed to communicate with.
To further strengthen data plane authentication and encryption, routers regenerate their AES keys aggressively
(by default, every 24 hours). Also, the key regeneration mechanism ensures that no data traffic is dropped
when keys change.
In the Cisco Catalyst SD-WAN overlay network, the liveness of SAs between router peers is tracked by
monitoring BFD packets, which are periodically exchanged over the IPsec connection between the peers.
IPsec relays the connection status to the Cisco SD-WAN Controllers. If data connectivity between two peers
is lost, the exchange of BFD packets stops, and from this, the Cisco SD-WAN Controller learns that the
connection has been lost.
The IPsec software has no explicit SA idle timeout, which specifies the time to wait before deleting SAs
associated with inactive peers. Instead, an SA remains active as long as the IPsec connection between two
routers is up, as determined by the periodic exchange of BFD packets between them. Also, the frequency with
which SA keys are regenerated obviates the need to implement an implicit SA idle timeout.
In summary, the Cisco Catalyst SD-WAN data plane authentication offers the following improvements over
IKE:
• Because only n+1 keypaths are required rather than the n² required by IKE, the Cisco Catalyst SD-WAN
solution scales better as the network grows large.
• Keys are generated and refreshed locally, and key exchange is performed over a secure control plane.
Data Plane Integrity
The first of these components, ESP, is the standard IPsec encryption protocol. ESP protects a data packet's
payload and its inner IP header fields both by encryption, which occurs automatically, and authentication.
For authentication, ESP performs a hash calculation on the data packet's payload and inner header fields using
AES-GCM and places the resultant hash (also called a digest) into a field at the end of the packet. (A hash is
a one-way compression.) The receiving device performs the same checksum and compares its calculated hash
with that in the packet. If the two checksums match, the packet is accepted. Otherwise, it is dropped. In the
figure below, the left stack illustrates the ESP/UDP encapsulation. ESP encrypts and authenticates the inner
headers, payload, MPLS label (if present), and ESP trailer fields, placing the hash in the ICV checksum field
at the end of the packet. The outer header fields added by ESP/UDP are neither encrypted nor authenticated.
In the Cisco Catalyst SD-WAN solution, there are also enhancements to ESP that extend its coverage to
more of the datagram. These enhancements are similar to the way that AH works. The enhanced version performs
a checksum that includes calculating the checksum over all the fields in the packet—the payload, the inner
header, and also all the non-mutable fields in the outer IP header. AH places the resultant hash into the last
field of the packet. The receiving device performs the same checksum, and accepts packets whose checksums
match. In the figure below, the center stack illustrates the encapsulation performed by the enhanced version
of ESP. ESP again encrypts the inner headers, payload, MPLS label (if present), and ESP trailer fields, and
now mimics AH by authenticating the entire packet—the outer IP and UDP headers, the ESP header, the
MPLS label (if present), the original packet, and the ESP trailer—and places its calculated hash into the ICV
checksum field at the end of the packet.
For situations in which data packet authentication is not required, you can disable data packet authentication
altogether. In this case, data packets are processed just by ESP, which encrypts the original packet, the MPLS
label (if present), and the ESP trailer. This scheme is illustrated in the right stack in the figure below.
Note that Cisco Catalyst SD-WAN devices exchange not only the encryption key (which is symmetric), but
also the authentication key that is used to generate the digest. Both are distributed as part of the TLOC properties
for a router.
Even though the IPsec connections over which data traffic is exchanged are secure, they often travel across
a public network space, such as the Internet, where an adversary positioned on the path (a man-in-the-middle)
can launch a replay attack against the IPsec connection. In this type of attack, the adversary inserts into the
data traffic a copy of a message that was previously sent by the legitimate source. Because the copy carries
a valid ICV, encryption and integrity checking alone do not detect it. If the destination cannot distinguish
the replayed message from a fresh one, it may accept the adversary as the source or may incorrectly grant the
adversary unauthorized access to resources or services.
As a counter to such attacks, the Cisco Catalyst SD-WAN overlay network software implements the IPsec
anti-replay protocol. This protocol consists of two components, both of which protect the integrity of a data
traffic stream. The first component associates a sequence number with each data packet. The sender inserts
a sequence number into each IPsec packet, and the destination checks the sequence number, accepting only
packets with unique, non-duplicate sequence numbers. The second component is a sliding window, which
defines the range of sequence numbers that are current. The sliding window has a fixed length. The destination
accepts only packets whose sequence numbers fall within the current range of values in the sliding window,
and it drops all others. A sliding window is used rather than accepting only packets whose sequence number
is larger than the last known sequence number, because packets often do not arrive in order.
When the destination receives a packet whose sequence number is larger than the highest number in the sliding
window, it slides the window to the right, thus changing the range of valid sequence numbers it will accept.
This scheme protects against replay because, by choosing the proper window size, you can ensure that if a
duplicate packet is inserted into the traffic stream, its sequence number will either be within the current range
but already marked as received, or it will be smaller than the lowest value of the sliding window. Either way,
the destination drops the duplicate packet. So, sequence numbering combined with a sliding window provides
protection against replay attacks and ensures the integrity of the data stream flowing within the IPsec
connection.
Carrying VPN Information in Data Packets
For enterprise-wide VPNs, Cisco Catalyst SD-WAN devices support MPLS extensions to data packets that
are transported within IPsec connections. The figure shows the location of the MPLS information in the data
packet header. These extensions provide the security for the network segmentation (that is, for the VPNs)
that is needed to support multi-tenancy in a branch or segmentation in a campus. The Cisco Catalyst SD-WAN
implementation uses the MPLS-in-IP encapsulation defined in RFC 4023, carried inside the IPsec/UDP overlay.
The MPLS label sits in the ESP payload after the Initialization Vector (IV) that begins the payload data, so it
is encrypted and authenticated together with the inner packet rather than exposed in the outer headers.
Feature Description
• Enterprise Firewall with Application Awareness, on page 44: A stateful firewall with an NBAR2 application
detection engine that provides application visibility and granular control, capable of detecting 1400+
applications.
• Intrusion Prevention System, on page 141: Backed by Cisco Talos signatures, which are updated
automatically. The Intrusion Prevention System is deployed using a security virtual image.
• URL Filtering, on page 157: Enforces acceptable use controls to block or allow URLs based on 82 different
categories and a web reputation score. The URL Filtering system is deployed using a security virtual
image.
• Advanced Malware Protection, on page 167: Global threat intelligence, advanced sandboxing, and real-time
malware blocking to prevent breaches. It also continuously analyzes file activity across your extended
network, so you can quickly detect, contain, and remove advanced malware. The Advanced Malware
Protection system is deployed using a security virtual image.
• Cisco Umbrella Integration, on page 201: Cloud-delivered enterprise network security that provides users
with a first line of defense against cyber security threats.
Supported Platforms
For UTD features that use the Security Virtual Image (Intrusion Prevention System, URL filtering, and
Advanced Malware Protection), only the following platforms are supported:
• Cisco 4351 Integrated Services Router (ISR 4351)
• Cisco 4331 Integrated Services Router (ISR 4331)
• Cisco 4321 Integrated Services Router (ISR 4321)
• Cisco 4221X Integrated Services Router (ISR 4221X)
• Cisco 4431 Integrated Services Router (ISR 4431)
• Cisco 4451 Integrated Services Router (ISR 4451)
• Cisco 4461 Integrated Services Router (ISR 4461)
• Cisco Integrated Services Router 1111X-8P (C1111X-8P)
• Cisco Integrated Services Router 1121X-8PLTEP (C1121X-8PLTEP)
• Cisco Integrated Services Router 1121X-8PLTEPWY (C1121X-8PLTEPWY)
• Cisco Integrated Services Router 1126X-8PLTEP (C1126X-8PLTEP)
• Cisco Integrated Services Router 1127X-8PLTEP (C1127X-8PLTEP)
• Cisco Integrated Services Router 1127X-8PMLTEP (C1127X-8PMLTEP)
• Cisco Integrated Services Router 1161X-8P (C1161X-8P)
• Cisco Integrated Services Router 1161X-8PLTEP (C1161X-8PLTEP)
• Cisco Catalyst 8200 Series Edge Platforms
• Cisco Catalyst 8300 Series Edge Platforms
• Cisco Cloud Services Router 1000v series (CSR 1000v) on Amazon Web Services (AWS)
• Cisco Integrated Services Virtual Router
• Cisco Catalyst 8000V Edge Software
Restrictions
• ISR 1111X-8P does not support all of the IPS signatures because it does not support the pre-compiled
rules of Snort.
• For Intrusion Prevention, URL Filtering, and Advanced Malware Protection (features that leverage the
Security Virtual Image), the following restrictions apply:
• ISR platforms must meet the following minimum requirements:
• 8 GB flash memory
• 8 GB DRAM
• When you create a policy for these features, you must specify a target service VPN. When you
enable these features on a single VPN, the corresponding policy is applied to both traffic from and
to the VPN. Note that this is when you specify one VPN and not a comma-separated list of VPNs.
For example, if you applied the policy to a single VPN, say VPN 3, then the security policy is applied
in both the following cases:
• Traffic from VPN 3 to VPN 2.
• Traffic from VPN 6 to VPN 3.
• By default, when a policy is applied to VPN 0 (the global VPN) and enterprise tunnels are in VPN
0, all VPN traffic that uses the enterprise tunnels are not inspected. If you want the traffic of other
VPNs to be inspected, you must explicitly specify the VPNs in the policy.
For example, in both the following cases, a VPN 0 security policy does not inspect traffic:
• Traffic originating from a service-side VPN (for example VPN 3) that is transmitted through
the enterprise tunnel. This traffic is not inspected because VPN 3 is not explicitly specified in
the policy.
• Traffic from the enterprise tunnel that is sent to the service-side VPN (for example VPN 3).
This traffic is also not inspected because VPN 3 is not explicitly specified in the policy.
• You can enable these features on service and transport VPNs. This includes VPN 0.
• The VirtualPortGroup interface for data traffic for UTD uses the 192.0.2.0/30 IP address range. The
use of the 192.0.2.0/24 subnet is defined in RFC 3330. Cisco SD-WAN Manager also automatically
uses 192.0.2.1 and 192.0.2.2 for the data virtual private gateway in VPN 0 for UTD. You can modify
this using a CLI template on Cisco SD-WAN Manager to configure the device. Due to this, you
should not use these IP addresses on devices. Alternatively, you can change the routing configuration
on the device to use a different IP address from the 192.0.2.0/24 subnet.
• Cisco Catalyst 8200 Series Edge Platforms and Cisco Catalyst 8300 Series Edge Platforms must meet
the following minimum requirements to support UTD:
• 8 GB DRAM
• 16 GB M.2 USB storage
Security Provided by NAT Devices
CHAPTER 4
Configure Security Parameters
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
This section describes how to change security parameters for the control plane and the data plane in the Cisco
Catalyst SD-WAN overlay network.
• Configure Control Plane Security Parameters, on page 23
• Configure Data Plane Security Parameters, on page 29
• VPN Interface IPsec , on page 33
• Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager, on page 40
With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers and between
the Cisco SD-WAN Controller and Cisco SD-WAN Manager use TLS. Control plane tunnels to Cisco Catalyst
SD-WAN Validator always use DTLS, because these connections must be handled by UDP.
In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN
Controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way,
TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN
Controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that
one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and
to all their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them.
By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:
vSmart(config)# security control tls-port number
PEER    PEER      PEER            SITE  DOMAIN  PEER          PEER     PEER          PEER     REMOTE   STATE  UPTIME
TYPE    PROTOCOL  SYSTEM IP       ID    ID      PRIVATE IP    PRIVATE  PUBLIC IP     PUBLIC   COLOR
                                                              PORT                   PORT
----------------------------------------------------------------------------------------------------------------------
vedge   dtls      172.16.255.11   100   1       10.0.5.11     12346    10.0.5.11     12346    lte      up     0:07:48:58
vedge   dtls      172.16.255.21   100   1       10.0.5.21     12346    10.0.5.21     12346    lte      up     0:07:48:51
vedge   dtls      172.16.255.14   400   1       10.1.14.14    12360    10.1.14.14    12360    lte      up     0:07:49:02
vedge   dtls      172.16.255.15   500   1       10.1.15.15    12346    10.1.15.15    12346    default  up     0:07:47:18
vedge   dtls      172.16.255.16   600   1       10.1.16.16    12346    10.1.16.16    12346    default  up     0:07:41:52
vsmart  tls       172.16.255.19   100   1       10.0.5.19     12345    10.0.5.19     12345    default  up     0:00:01:44
vbond   dtls      -               0     0       10.1.14.14    12346    10.1.14.14    12346    default  up     0:07:49:08
PEER    PEER      PEER            SITE  DOMAIN  PEER          PEER     PEER          PEER     REMOTE   STATE  UPTIME
TYPE    PROTOCOL  SYSTEM IP       ID    ID      PRIVATE IP    PRIVATE  PUBLIC IP     PUBLIC   COLOR
                                                              PORT                   PORT
----------------------------------------------------------------------------------------------------------------------
vedge   tls       172.16.255.11   100   1       10.0.5.11     12345    10.0.5.11     12345    lte      up     0:00:01:18
vedge   tls       172.16.255.21   100   1       10.0.5.21     12345    10.0.5.21     12345    lte      up     0:00:01:18
vedge   tls       172.16.255.14   400   1       10.1.14.14    12345    10.1.14.14    12345    lte      up     0:00:01:18
vedge   tls       172.16.255.15   500   1       10.1.15.15    12345    10.1.15.15    12345    default  up     0:00:01:18
vedge   tls       172.16.255.16   600   1       10.1.16.16    12345    10.1.16.16    12345    default  up     0:00:01:18
vsmart  tls       172.16.255.20   200   1       10.0.12.20    23456    10.0.12.20    23456    default  up     0:00:01:32
vbond   dtls      -               0     0       10.1.14.14    12346    10.1.14.14    12346    default  up     0:00:01:33
The number of ports forwarded depends on the number of vdaemon processes running on the Cisco SD-WAN
Manager. To display information about these processes and about the number of ports being forwarded, use
the show control summary command. The following output shows that four vdaemon processes (instances
0 through 3) are running:
vManage# show control summary
          VBOND   VMANAGE  VSMART  VEDGE
INSTANCE  COUNTS  COUNTS   COUNTS  COUNTS
------------------------------------------
0         2       0        2       7
1         2       0        0       5
2         2       0        0       5
3         2       0        0       4
To see the listening ports, use the show control local-properties command:
vManage# show control local-properties
certificate-validity Valid
certificate-not-valid-before May 20 00:00:00 2015 GMT
certificate-not-valid-after May 20 23:59:59 2016 GMT
dns-name vbond.cisco.com
site-id 5000
domain-id 0
protocol dtls
tls-port 23456
...
...
...
number-active-wan-interfaces 1
This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind
a NAT, open the following TCP ports on the NAT device, one per vdaemon instance:
• 23456 (base port, instance 0)
• 23556 (base + 100, instance 1)
• 23656 (base + 200, instance 2)
• 23756 (base + 300, instance 3)
In general, instance n listens on base + 100n. The number of instances is the same as the number of cores
you have assigned to the Cisco SD-WAN Manager, up to a maximum of 8, so a fully provisioned instance
needs the ports from base through base + 700 opened.
Configure Security Parameters Using the Security Feature Template
On Cisco SD-WAN Manager and Cisco SD-WAN Controller, use the Security feature template to configure
DTLS or TLS for control plane security.
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default
(indicated by a check mark), and the default setting or value is shown. To change the default or to enter a
value, click the scope drop-down menu to the left of the parameter field and choose one of the following:
Table 2:
Device Specific (indicated by a host icon): Use a device-specific value for the parameter. For device-specific
parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela
device to a device template.
When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string
that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one
column for each key. The header row contains the key names (one key per column), and each row after that
corresponds to a device and defines the values of the keys for that device. You upload the CSV file when
you attach a Viptela device to a device template. For more information, see Create a Template Variables
Spreadsheet.
To change the default key, type a new string and move the cursor out of the Enter Key box.
Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.
Global (indicated by a globe icon): Enter a value for the parameter, and apply that value to all devices.
Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server,
and interface MTUs.
Note The Configure Control Plane Security section is applicable to Cisco SD-WAN Manager and Cisco SD-WAN
Controller only.
To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN
Controller, choose the Basic Configuration area and configure the following parameters:
Table 3:
Protocol: Choose the protocol to use on control plane connections to a Cisco SD-WAN Controller:
• DTLS (Datagram Transport Layer Security). This is the default.
• TLS (Transport Layer Security)
Control TLS Port: If you selected TLS, configure the port number to use. Range: 1025 through 65535.
Default: 23456.
Click Save.
To configure data plane security, configure the following parameters:
Rekey Time: Specify how often a device changes the AES key used on its secure DTLS connection to the
Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the
value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400
seconds (24 hours).
Authentication Type: Select the authentication types from the Authentication List, and click the right-pointing
arrow to move them to the Selected List column.
Authentication types supported from Cisco IOS XE Catalyst SD-WAN Release 17.6.1a:
• esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header
and payload.
• ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload,
the checks also cover the outer IP and UDP headers.
• ip-udp-esp-no-id: Like ip-udp-esp, but ignores the ID field in the outer IP header so that Cisco Catalyst
SD-WAN can work in conjunction with non-Cisco devices that modify that field.
• none: Turns integrity checking off on IPsec packets. We don't recommend using this option.
Authentication types supported in Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and earlier:
• ah-no-id: Enable an enhanced version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID
field in the packet's outer IP header.
• ah-sha1-hmac: Enable AH-SHA1 HMAC and ESP HMAC-SHA1.
• none: Select no authentication.
• sha1-hmac: Enable ESP HMAC-SHA1.
Note For an edge device running on Cisco IOS XE Catalyst SD-WAN Release 17.5.1a
or earlier, you may have configured authentication types using a Cisco Security
template. When you upgrade the device to Cisco IOS XE Catalyst SD-WAN
Release 17.6.1a or later, update the selected authentication types in the Cisco
Security template to the authentication types supported from Cisco IOS XE
Catalyst SD-WAN Release 17.6.1a . To update the authentication types, do the
following:
1. From the Cisco SD-WAN Manager menu, choose Configuration >
Templates.
2. Click Feature Templates.
3. Find the Cisco Security template to update and click … and click Edit.
4. Click Update. Do not modify any configuration.
Cisco SD-WAN Manager updates the Cisco Security template to display
the supported authentication types.
Click Save.
Configure Data Plane Security Parameters
By default, IPsec tunnel connections use an enhanced version of the Encapsulating Security Payload (ESP)
protocol for authentication. To modify the negotiated integrity types, use the following command:
By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication.
Configure each authentication type with a separate security ipsec authentication-type command. The
command options map to the following authentication types, listed from strongest to weakest:
Note The sha1 in the configuration option names is kept for historical reasons. The authentication options indicate
how much of the packet is covered by the integrity check; they do not select the algorithm that performs it.
The authentication algorithms supported by Cisco Catalyst SD-WAN do not use SHA1.
• ah-sha1-hmac (ip-udp-esp from Cisco IOS XE Catalyst SD-WAN Release 17.6.1a) enables encryption
and encapsulation using ESP. In addition to the integrity checks on the ESP header and payload, the checks
also cover the outer IP and UDP headers. Hence, this option provides an integrity check of the packet
similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using
AES-256-GCM.
• ah-no-id (ip-udp-esp-no-id from Release 17.6.1a) enables a mode similar to ah-sha1-hmac, except that
the ID field of the outer IP header is ignored. This option accommodates some non-Cisco Catalyst SD-WAN
devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header,
a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to
have the Cisco Catalyst SD-WAN software ignore the ID field in the IP header so that it can work in
conjunction with these devices.
• sha1-hmac (esp from Release 17.6.1a) enables ESP encryption and integrity checking of the ESP header
and payload only; the outer IP and UDP headers are not covered.
For information about which data packet fields are affected by these authentication types, see Data Plane
Integrity, on page 15.
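The following is an added example, not code from the Cisco guide or from Cisco software. It models the
integrity coverage described in Data Plane Integrity and in the list above (which outer-header fields each
authentication type includes in the ICV), plus the "strongest common type" negotiation between two routers.
The packet layout, field sizes, sample key and sample packet are constructed for the illustration, and
HMAC-SHA256 from the Python standard library stands in for the AES-GCM tag: as the note above says,
the option names select what the integrity check covers, not the algorithm that computes it.

```python
"""Which packet fields each SD-WAN data-plane authentication type covers.

Added example, not Cisco code. Field layout, key and packet are constructed;
HMAC-SHA256 stands in for the AES-GCM integrity tag.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

AUTH_KEY = b"constructed-sample-auth-key-0000"  # constructed, 32 bytes

# Strongest first, as the guide lists them. Pre-17.6 names in comments.
STRENGTH = ["ip-udp-esp",        # ah-sha1-hmac
            "ip-udp-esp-no-id",  # ah-no-id
            "esp",               # sha1-hmac
            "none"]


@dataclass(frozen=True)
class Packet:
    outer_src: bytes   # outer IPv4 source address (non-mutable)
    outer_dst: bytes   # outer IPv4 destination address (non-mutable)
    ip_id: int         # outer IPv4 Identification field (non-mutable)
    ttl: int           # outer IPv4 TTL (mutable: changes at every hop)
    udp_src: int       # outer UDP ports
    udp_dst: int
    spi: int           # ESP header
    seq: int
    ciphertext: bytes  # encrypted inner packet, MPLS label and ESP trailer


def covered_bytes(pkt: Packet, auth_type: str) -> bytes:
    """Bytes the ICV is computed over. TTL is never covered: like AH, the
    check excludes mutable fields."""
    esp_part = struct.pack("!II", pkt.spi, pkt.seq) + pkt.ciphertext
    if auth_type == "esp":
        return esp_part
    outer = pkt.outer_src + pkt.outer_dst + struct.pack("!HH", pkt.udp_src, pkt.udp_dst)
    if auth_type == "ip-udp-esp-no-id":
        return outer + esp_part
    if auth_type == "ip-udp-esp":
        return outer + struct.pack("!H", pkt.ip_id) + esp_part
    raise ValueError(f"unknown authentication type {auth_type!r}")


def icv(pkt: Packet, auth_type: str) -> bytes:
    """Integrity check value appended to the packet ("none": no ICV at all)."""
    if auth_type == "none":
        return b""
    return hmac.new(AUTH_KEY, covered_bytes(pkt, auth_type), hashlib.sha256).digest()


def verify(received: Packet, received_icv: bytes, auth_type: str) -> bool:
    """Receiver side: recompute the ICV over the packet as received and compare."""
    if auth_type == "none":
        return True
    return hmac.compare_digest(icv(received, auth_type), received_icv)


def negotiate(local_types, remote_types):
    """Strongest type advertised (in TLOC properties) by both peers, or None:
    with no common type the guide says no IPsec tunnel is established."""
    for t in STRENGTH:
        if t in local_types and t in remote_types:
            return t
    return None


def run_scenarios():
    """Three in-transit modifications checked under each authentication type.
    Returns {scenario: {auth_type: accepted}}."""
    sent = Packet(outer_src=bytes([10, 1, 15, 15]), outer_dst=bytes([10, 1, 16, 16]),
                  ip_id=0x1234, ttl=64, udp_src=12346, udp_dst=12346,
                  spi=256, seq=1, ciphertext=b"\x9a" * 48)
    scenarios = {
        # normal forwarding: every router on the path decrements the TTL
        "ttl decremented": replace(sent, ttl=sent.ttl - 1),
        # a middlebox or attacker rewrites the outer UDP destination port
        "udp dst port rewritten": replace(sent, udp_dst=4500),
        # the buggy-NAT case from the guide: the non-mutable ID field changes
        "ip id rewritten": replace(sent, ip_id=0),
    }
    results = {}
    for name, received in scenarios.items():
        results[name] = {}
        for auth_type in STRENGTH[:-1]:
            tag = icv(sent, auth_type)  # sender computes it on the original packet
            results[name][auth_type] = verify(received, tag, auth_type)
    return results


if __name__ == "__main__":
    for scenario, verdicts in run_scenarios().items():
        print(f"{scenario:24s}", "  ".join(f"{t}={'accept' if ok else 'DROP'}"
                                          for t, ok in verdicts.items()))
    print("negotiated:", negotiate(["ip-udp-esp", "ip-udp-esp-no-id"], ["ip-udp-esp-no-id"]))
```

Running it shows the trade-off the guide describes: ip-udp-esp rejects any change to the outer IP ID or UDP
ports, ip-udp-esp-no-id tolerates only the ID rewrite, and esp accepts both because it never looks at the
outer headers. The TTL change passes under every type, since mutable fields are excluded from the check.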
Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices advertise their configured authentication
types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the
authentication to use on the connection between them, using the strongest authentication type that is configured
on both of the routers. For example, if one router advertises the ah-sha1-hmac and ah-no-id types, and a
second router advertises the ah-no-id type, the two routers negotiate to use ah-no-id on the IPsec tunnel
connection between them. If no common authentication types are configured on the two peers, no IPsec tunnel
is established between them.
For unicast traffic, the encryption algorithm on IPsec tunnel connections is AES-256-GCM. From Cisco
IOS XE SD-WAN Release 17.2.1r, multicast traffic also uses AES-256-GCM. You cannot modify the
encryption algorithm chosen by the software.
When the IPsec authentication type is changed, the AES key for the data path is changed.
If you want to generate new IPsec keys immediately, you can do so without modifying the configuration of
the router. To do this, issue the request platform software sdwan security ipsec-rekey command on the
affected router (for example, a router whose data plane key you suspect has been compromised).
For example, the following output shows that the local SA has a Security Parameter Index (SPI) of 256:
TLOC ADDRESS    TLOC COLOR  SPI  SOURCE IP   SOURCE PORT  KEY HASH
------------------------------------------------------------------
172.16.255.15   lte         256  10.1.15.15  12346        *****b93a
A unique key is associated with each SPI. If this key is compromised, use the request platform software
sdwan security ipsec-rekey command to generate a new key immediately. This command increments the
SPI. In our example, the SPI changes to 257, and the key associated with it is now used.
After the new key is generated, the router sends it immediately to the Cisco SD-WAN Controllers using DTLS
or TLS. The Cisco SD-WAN Controllers send the key to the peer routers. The routers begin using it as soon
as they receive it. Note that the key associated with the old SPI (256) will continue to be used for a short
period of time, until it times out.
To stop using the old key immediately, issue the request platform software sdwan security ipsec-rekey
command twice, in quick succession. This sequence of commands removes both SPI 256 and 257 and sets
the SPI to 258. The router then uses the associated key of SPI 258. Note, however, that some packets will be
dropped for a short period of time, until all the remote routers learn the new key.
Change the Size of the Anti-Replay Window
Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates,
and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts
the sliding window when it receives a packet with a higher value.
By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 4096 that is a
power of 2 (that is, 64, 128, 256, 512, 1024, 2048, or 4096). To modify the anti-replay window size, use the
replay-window command, specifying the size of the window:
To help with QoS, separate replay windows are maintained for each of the first eight traffic channels. The
configured replay window size is divided by eight for each channel.
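The window mechanics described here and in Data Plane Integrity, as an added example that is not part of
the Cisco guide or Cisco software. It models the receiver side only: a bitmap window whose configured size
is a power of two from 64 to 4096, the "slide right on a higher sequence number" rule, and the per-channel
split (configured size divided by eight) used when QoS traffic channels are in play. All sequence numbers
and channel numbers are constructed; the last function shows why a delay that one 512-wide window
tolerates is dropped by a 64-wide per-channel window.

```python
"""IPsec anti-replay sliding window as the guide describes it.

Added example, not Cisco code. Receiver side only; all sequence numbers
and channel numbers are constructed.
"""


class ReplayWindow:
    """Bit i of `seen` is set when sequence number (top - i) has been accepted."""

    def __init__(self, size: int):
        assert size > 0 and size & (size - 1) == 0, "window size must be a power of two"
        self.size = size
        self.top = 0      # highest sequence number received so far
        self.seen = 0     # bitmap of received numbers in [top - size + 1, top]
        self.drops = {"replay": 0, "too_old": 0}

    def accept(self, seq: int) -> bool:
        """Return True if seq is fresh and inside the window, updating state."""
        if seq > self.top:
            # New high-water mark: slide the window right and mark seq as seen.
            shift = seq - self.top
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            self.drops["too_old"] += 1      # left of the window: old or replayed
            return False
        if (self.seen >> offset) & 1:
            self.drops["replay"] += 1       # inside the window but already seen
            return False
        self.seen |= 1 << offset             # late but legitimate out-of-order packet
        return True


class ChannelledWindows:
    """Separate windows for the first eight traffic channels (QoS), each
    configured_size // 8 wide, as the guide describes."""

    def __init__(self, configured_size: int, channels: int = 8):
        assert 64 <= configured_size <= 4096 and configured_size & (configured_size - 1) == 0
        self.windows = [ReplayWindow(configured_size // channels) for _ in range(channels)]

    def accept(self, channel: int, seq: int) -> bool:
        return self.windows[channel].accept(seq)


def demo_single_window(size: int = 512) -> dict:
    """Duplicate, out-of-order and too-old packets against one window."""
    rw = ReplayWindow(size)
    for s in range(1, 101):           # 1..100 arrive in order
        rw.accept(s)
    v = {}
    v["duplicate_50"] = rw.accept(50)     # replay inside the window
    v["jump_to_200"] = rw.accept(200)     # higher than top: window slides
    v["late_150"] = rw.accept(150)        # 50 behind top, never seen: accepted
    v["duplicate_150"] = rw.accept(150)   # second copy: dropped
    rw.accept(1000)                       # slide far to the right
    v["late_600"] = rw.accept(600)        # 400 behind top, within 512
    v["late_400"] = rw.accept(400)        # 600 behind top, left of the window
    v["drops"] = dict(rw.drops)
    return v


def demo_qos_channels(configured_size: int = 512) -> dict:
    """The same delay is tolerated by one 512-wide window but not by a
    per-channel window of 512 // 8 = 64: the reason QoS reordering can
    cause legitimate packets to be dropped."""
    cw = ChannelledWindows(configured_size)
    single = ReplayWindow(configured_size)
    cw.accept(7, 1000)
    single.accept(1000)
    return {"late_by_70_on_channel_7": cw.accept(7, 930),
            "late_by_70_single_window": single.accept(930)}


if __name__ == "__main__":
    print(demo_single_window())
    print(demo_qos_channels())
```

When sizing the window for a QoS-enabled router, reason about the per-channel width (configured size
divided by eight) and the worst-case reordering delay of the lowest-priority queue, not the configured size
alone.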
If QoS is configured on a router, that router might experience a larger than expected number of packet drops
as a result of the IPsec anti-replay mechanism, and many of the packets that are dropped are legitimate ones.
This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying
lower-priority packets. To minimize or prevent this situation, you can do the following:
VPN Interface IPsec
Step 1 From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
Step 2 Click Feature Templates.
Note In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.
Configure IPsec Tunnel Parameters
Global: Enter a value for the parameter, and apply that value to all devices. Examples of parameters that
you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.
Once you have created and named the template, enter the following values. Parameters marked with an asterisk
are required.
IPsec Replay Window: Specify the replay window size for the IPsec tunnel. Options: 64, 128, 256, 512,
1024, 2048, 4096, 8192. Default: 512.
IPsec Cipher Suite: Specify the authentication and encryption to use on the IPsec tunnel. Options:
aes256-cbc-sha1, aes256-gcm, null-sha1. Default: aes256-gcm. Note that null-sha1 provides integrity
checking only, with no encryption of the tunnel payload.
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, as part of the security hardening, the weaker
ciphers are deprecated. As part of this change, the option to configure Diffie-Hellman (DH) groups 1, 2, and
5 is no longer supported. DH groups are used in IKE to establish session keys and are also available in IPsec
as support for perfect forward secrecy.
CLI Equivalent
crypto ipsec profile ipsec_profile_name
  set ikev2-profile ikev2_profile_name
  set security-association lifetime {seconds 120-2592000 | kilobytes disable}
  set security-association replay {disable | window-size {64 | 128 | 256 | 512 | 1024 | 4096 | 8192}}
  set pfs group {2 | 14 | 15 | 16 | none}
  set transform-set transform_set_name
Configure Dead-Peer Detection
DPD Interval: Specify the interval for IKE to send Hello packets on the connection. Range: 10 through 3600
seconds. Default: Disabled.
CLI Equivalent
crypto ikev2 profile ikev2_profile_name
  dpd 10-3600 2-60 {on-demand | periodic}
Configure IKE
Table 7: Feature History
Feature: SHA256 Support for IPsec Tunnels. Release: Cisco IOS XE Catalyst SD-WAN Release 17.2.1r.
Description: This feature adds support for HMAC_SHA256 algorithms for enhanced security.
Note When you create an IPsec tunnel on a Cisco IOS XE Catalyst SD-WAN device, IKE Version 1 is enabled by
default on the tunnel interface.
IKE Rekey Interval: Specify the interval for refreshing IKE keys. Range: 3600 through 1209600 seconds
(1 hour through 14 days). Default: 14400 seconds (4 hours).
IKE Cipher Suite: Specify the type of authentication and encryption to use during IKE key exchange.
Options: AES 256 CBC SHA 256, AES 256 CBC SHA 384, AES 256 CBC SHA 512, AES 256 CBC SHA 1,
AES 256 GCM, Null SHA 256, Null SHA 384, Null SHA 512, Null SHA 1. Default: AES 256 CBC SHA 1.
IKE ID for Remote End Point: If the remote IKE peer requires a remote end point identifier, specify it.
Range: 1 through 64 characters. Default: Tunnel's destination IP address.
Note In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is called Feature.
3. Choose the device for which you are creating the template.
4. Click Basic Configuration.
5. Use the shutdown parameter with the yes option (yes shutdown) to shut down the tunnel.
6. Remove the ISAKMP profile from the IPsec profile.
Note Perform this step if you already have an IKEv2 profile. Otherwise, create an IKEv2 profile first.
8. Use the shutdown parameter with the no option (no shutdown) to start up the tunnel.
Note You must issue the shutdown operations in two separate operations.
Note There is no single CLI for changing the IKE version. You need to follow the sequence of steps listed in the
Change the IKE Version from IKEv1 to IKEv2 section.
Summary Steps
1. enable
2. configure terminal
3. crypto isakmp policy priority
4. encryption {des | 3des | aes | aes 192 | aes 256 }
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
Disable Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
  Cisco vManage Release 20.9.1
  This feature allows you to disable weaker SSH algorithms on Cisco SD-WAN Manager that may not comply with certain data security standards.
Benefits of Disabling Weak SSH Encryption Algorithms on Cisco SD-WAN Manager
• SHA-1
• AES-128
• AES-192
Before disabling these encryption algorithms, ensure that Cisco vEdge devices, if any, in the network, are
using a software release later than Cisco SD-WAN Release 18.4.6.
b. vmanage(config-ssh-server)# commit
c. Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6
or later and enter yes.
b. vmanage(config-ssh-server)# commit
c. Ensure that any Cisco vEdge devices in the network are running Cisco SD-WAN Release 18.4.6
or later and enter yes.
Verify that Weak SSH Encryption Algorithms Are Disabled on Cisco SD-WAN Manager Using the CLI
1. From the Cisco SD-WAN Manager menu, choose Tools > SSH Terminal.
2. Select the Cisco SD-WAN Manager device you wish to verify.
3. Enter the username and password to log in to the device.
4. Run the following command:
show running-config system ssh-server
5. Confirm that the output shows one or more of the commands that disable weaker encryption algorithms:
• no cipher aes-128-192
• no kex-algo sha1
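The check in step 5 can be automated. The following Python is an added example, not Cisco code: it takes the text returned by show running-config system ssh-server and reports which of the two disable statements named above are absent from the ssh-server stanza. The two sample configurations are constructed, and the stanza layout they use (an ssh-server line closed by a "!" line) is an assumption about the output format, so compare it against a real device before relying on the parser.

```python
"""Check that the SSH weak-algorithm disable statements are present.

Added example, not Cisco code. It parses the text that
'show running-config system ssh-server' returns and reports which of the
disable commands named in this guide are absent. The stanza layout in the
samples is constructed (an assumption), so verify it against a real device.
"""
from typing import List

# The two statements this guide says should appear in the output.
REQUIRED_DISABLES = ("no cipher aes-128-192", "no kex-algo sha1")

# Constructed sample: a hardened Manager whose ssh-server stanza has both statements.
SAMPLE_HARDENED = """\
system
 ssh-server
  no cipher aes-128-192
  no kex-algo sha1
 !
!
"""

# Constructed sample: default settings, no disable statements at all.
SAMPLE_DEFAULT = """\
system
 ssh-server
 !
!
"""


def ssh_server_stanza(running_config: str) -> List[str]:
    """Return the stripped lines inside the ssh-server block, up to its closing '!'."""
    lines: List[str] = []
    inside = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == "ssh-server"   # start collecting after the stanza header
            continue
        if line == "!":                     # end of the stanza
            break
        lines.append(line)
    return lines


def missing_weak_algo_disables(running_config: str) -> List[str]:
    """List the required disable statements that the ssh-server stanza lacks."""
    present = set(ssh_server_stanza(running_config))
    return [cmd for cmd in REQUIRED_DISABLES if cmd not in present]


def weak_ssh_algorithms_disabled(running_config: str) -> bool:
    """True only when every required disable statement is present."""
    return not missing_weak_algo_disables(running_config)


if __name__ == "__main__":
    for label, cfg in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        print(label, "missing:", missing_weak_algo_disables(cfg))
```

Paste the real command output into the function in place of the samples; an empty list means both statements are present.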
CHAPTER 5
Enterprise Firewall with Application Awareness
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
IPv6 Support for Zone-based Firewall
  Cisco IOS XE Catalyst SD-WAN Release 17.11.1a
  Cisco vManage Release 20.11.1
  This feature adds support for configuring IPv6 Zone-based Firewall (ZBFW) in addition to the existing IPv4 ZBFW. IPv6 is supported for the following scenarios:
  • Creating firewall rules. For more information, see Create Rules, on page 48.
  • Creating firewall rulesets. For more information, see Create Rule Sets, on page 50.
  • Creating a unified security policy. For more information, see Unified Security Policy, on page 87.
  • Creating an identity-based unified security policy. For more information, see Cisco Catalyst SD-WAN Identity-Based Firewall Policy, on page 113.
  • Firewall high speed logging. For more information, see Firewall High-Speed Logging, on page 72.
Cisco’s Enterprise Firewall with Application Awareness feature uses a flexible and easily understood zone-based
model for traffic inspection, compared to the older interface-based model.
Overview of Enterprise Firewall with Application Awareness
Matching flows for prefixes, ports, and protocols can be accepted or dropped, and the packet headers
can be logged. Nonmatching flows are dropped by default. Matching applications are denied.
• Zone pair—A container that associates a source zone with a destination zone and that applies a firewall
policy to the traffic that flows between the two zones.
Matching flows that are accepted can be processed in two different ways:
• Inspect—The packet's header can be inspected to determine its source address and port. When a session
is inspected, you do not need to create a service-policy that matches the return traffic.
• Pass—Allow the packet to pass to the destination zone without inspecting the packet's header at all.
When a flow is passed, no sessions are created. For such a flow, you must create a service-policy that
will match and pass the return traffic.
The following figure shows a simple scenario in which three VPNs are configured on a router. One of the
VPNs, VPN 3, has shared resources that you want to restrict access to. These resources could be printers or
confidential customer data. For the remaining two VPNs in this scenario, only users in one of them, VPN 1,
are allowed to access the resources in VPN 3, while users in VPN 2 are denied access to these resources. In
this scenario, we want data traffic to flow from VPN 1 to VPN 3, but we do not want traffic to flow in the
other direction, from VPN 3 to VPN 1.
Note From Cisco IOS XE Catalyst SD-WAN Release 16.12.2r and onwards, Cisco Catalyst SD-WAN Manager
does not show ZBFW statistics for classes that are without any value. If the statistics are "zero" for any of the
configured sequences, these are not shown on the device dashboard for zone-based firewall.
Application Firewall
The Application Firewall blocks traffic based on applications or application-family. This application-aware
firewall feature provides the following benefits:
• Application visibility and granular control
You can create lists of individual applications or application families. A sequence that contains a specified
application or application family list can be inspected. This inspect action is a Layer 4 action. Matching
applications are blocked/denied.
Note The Application Firewall is valid only for Cisco IOS XE Catalyst SD-WAN devices.
The router provides Application Layer Gateway (ALG) FTP support with Network Address Translation –
Direct Internet Access (NAT-DIA), Service NAT, and Enterprise Firewall. Service NAT support is added for
FTP ALG on the client and not on the FTP Server.
Restrictions
• You can configure up to 500 firewall rules in each security policy in Cisco SD-WAN Manager.
• For packets coming from Overlay to Service side, the source VPN of the packet is defaulted to the
destination VPN (service side VPN) for performing a Source Zone lookup when the actual source VPN
cannot be determined locally on the branch. For example, a packet coming from VPN2 from the far end
of a branch in a DC is routed through the Cisco Catalyst SD-WAN overlay network to VPN1 of a branch
router. In this case, if the reverse route lookup for the source IP does not exist on the branch VPN1, the
source VPN for that packet is defaulted to the destination VPN (VPN1). Therefore, VPN1 to VPN1
Zone-pair firewall policy is applied for that packet. This behaviour is expected with policy-based routing
configuration, and below are the examples of such a configuration.
Configuration Command
• Starting from Cisco IOS XE Catalyst SD-WAN Release 17.4.1a, you can configure geolocation and
multiple list features in security policy on the edge devices. You can attach the security policy that has
multiple list or geolocation feature enabled, only when the device is online with control connections up.
Start the Security Policy Configuration Wizard
• Create rules or rule sets – Create rules or sets of rules that you apply in the match condition of a firewall
policy.
In Cisco vManage Release 20.4.1 and onwards, rule sets are supported. Rule sets are a method to easily
create multiple rules with the same intent. Unlike rules, rule sets can also be reused across multiple security
policies. The configuration that Cisco SD-WAN Manager generates for rule sets is smaller than the
configuration it generates for rules: for rules, a new class-map is generated for each rule, whereas rule sets
use a common action (such as inspect, drop, or pass), so a variety of rules are added to one class-map with
multiple object-groups. When creating rules for the same source, destination, or intent, we recommend
using rule sets.
Rules and rule sets can consist of the following conditions:
• Source data prefix(es) or source data prefix list(s).
• Source port(s) or source port list(s).
• Destination data prefix(es) or destination data prefix list(s).
• Destination port(s) or destination port list(s).
Note Destination ports or destination port lists cannot be used with protocols or protocol lists.
• Define the order – Enter Edit mode and specify the priority of the conditions
• Apply zone-pairs – Define the source and destination zones for the firewall policy.
4. Click Proceed.
Create Rules
Table 10: Feature History
Firewall FQDN Support
  Cisco IOS XE Catalyst SD-WAN Release 17.2.1r
  This enhancement adds support to define a firewall policy using fully qualified domain names (FQDN), rather than only IP addresses. One advantage of using FQDNs is that they account for changes in the IP addresses assigned to the FQDN if those addresses change in the future.
IPv6 Support for Zone-based Firewall
  Cisco IOS XE Catalyst SD-WAN Release 17.11.1a
  Cisco vManage Release 20.11.1
  This feature adds support for configuring IPv6 Zone-based Firewall (ZBFW) in addition to the existing IPv4 ZBFW.
Notes
• The FQDN is intended to be used for matching standalone servers in data centers or a private cloud.
When matching public URLs, the recommended match action is 'drop'. If you use 'inspect' for public
URLs, you must define all related sub-urls/redirect-urls under the FQDN pattern.
Limitations
• Maximum number of fully qualified domain name (FQDN) patterns supported for a rule under firewall
policy: 64
• Maximum number of entries for FQDN to IP address mapping supported in the database: 5000
• If a firewall policy uses an FQDN in a rule, the policy must explicitly allow DNS packets, or resolution
will fail.
• Firewall policy does not support mapping multiple FQDNs to a single IP address.
• Only two forms of FQDN are supported: full name or a name beginning with an asterisk (*) wildcard.
Example: *.cisco.com
• If you choose the IP address type as IPv6 while creating a firewall rule, FQDN, Identity (user and SGT)
and geo filtering options are not available in this list of Source Data Prefix(es). Additionally, Application
Layer Gateway (ALG) is not supported for IPv6.
• Cisco vManage Release 20.3.2 and earlier releases: click Add Rule.
9. If you want matches for this rule to be logged, check the Log check box.
10. Configure one or more of the following fields.
Note For the following fields, you can also enter defined lists or define a list from within the window.
Field: Source Data Prefixes
Description: IPv4 prefixes or IPv6 prefixes or prefix lists and/or domain names (FQDN) or list(s).
  Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can choose an IP address type as IPv4 or IPv6. Based on the IP address type that you choose, the Source Data Prefixes field displays the prefix options.
  Note If you choose the IP address type as IPv6 while creating the rule, FQDN, Identity (user and SGT) and geo filtering options are not available in this list of Source Data Prefix(es). Additionally, Application Layer Gateway (ALG) is not supported for IPv6.
Field: Destination Data Prefix(es)
Description: IPv4 prefixes or prefix list(s) and/or domain names (FQDN) or list(s)
  Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can choose an IP address type as IPv4 or IPv6. Based on the IP address type that you choose, the Destination Data Prefix(es) field displays the prefix options.
  Note If you choose the IP address type as IPv6 while creating the rule, FQDN, Identity (user and SGT) and geo filtering options are not available in this list. Additionally, ALG is not supported for IPv6.
Create Rule Sets
Support for Rule Sets
  Cisco IOS XE Catalyst SD-WAN Release 17.4.1a
  Cisco vManage Release 20.4.1
  This feature allows you to create sets of rules called rule sets. Rule sets are a method to create multiple rules that have the same intent. You can also reuse rule sets between security policies.
IPv6 Support for Zone-based Firewall
  Cisco IOS XE Catalyst SD-WAN Release 17.11.1a
  Cisco vManage Release 20.11.1
  This feature adds support for configuring IPv6 Zone-based Firewall (ZBFW) in addition to the existing IPv4 ZBFW.
8. If you want matches for this rule to be logged, check the Log check box.
9. Click + next to Rule Sets.
10. Choose from existing rule sets or click + New List to create a new list.
• To choose from an existing rule: click the existing rule(s) and click Save.
• To create a new rule list, click + New List.
a. Configure a rule using one or more of the following fields.
Field: Source Data Prefix(es)
Description: IPv4 prefixes or prefix lists and/or domain names (FQDN) or list(s)
  Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can choose an IP address type as IPv4 or IPv6. Based on the IP address type that you choose, the Source Data Prefixes field displays the prefix options.
  Note If you choose the IP address type as IPv6 while creating the rule, FQDN, Identity (user and SGT) and geo filtering options are not available in this list of Source Data Prefix(es). Additionally, Application Layer Gateway (ALG) is not supported for IPv6.
Field: Destination Data Prefix(es)
Description: IPv4 prefixes or prefix lists and/or domain names (FQDN) or list(s)
  Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can choose an IP address type as IPv4 or IPv6. Based on the IP address type that you choose, the Destination Data Prefix(es) field displays the prefix options.
  Note If you choose the IP address type as IPv6 while creating the rule, FQDN, Identity (user and SGT) and geo filtering options are not available in this list. Additionally, ALG is not supported for IPv6.
You can also create rule sets from outside the Security Policy Wizard as follows:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Security.
2. Click Custom Options.
3. Click Lists.
4. Click Rule Sets.
5. Click New Rule Set.
6. You can now choose from the various parameters such as source data prefix, port, protocol, and so on.
When you create your rule, click Save Rule to save the rule and add it to your rule set.
7. Create any additional rules that you want to add to your rule set.
8. After creating all the rules that you want for your rule set, click Save Rule Set.
Apply Policy to a Zone Pair
Self Zone Policy for Zone-Based Firewalls
  Cisco IOS XE Catalyst SD-WAN Release 16.12.1b
  This feature allows you to define firewall policies for incoming and outgoing traffic between a self zone of an edge router and another zone. When a self zone is configured with another zone, the traffic in this zone pair is filtered as per the applied firewall policy.
Note For IPSEC overlay tunnels in Cisco Catalyst SD-WAN, if a self zone is chosen as a zone pair, firewall sessions
are created for SD-WAN overlay BFD packets if inspect action is configured for UDP.
However, for GRE overlay tunnels, if you chose a self zone as a zone pair with the inspect action of protocol
47, firewall sessions are created only for TCP, UDP, ICMP packets; but not BFD packets.
Warning Control connections may be impacted when you configure drop action from self-zone to VPN0 and vice versa.
This applies for DTLS/TLS, BFD packets, and IPsec overlay tunnel.
Note You can choose self zone for either a source zone or a destination zone, not both.
8. To edit or delete a firewall policy, click the ..., and choose the desired option.
9. Click Next to configure the next security block in the wizard. If you do want to configure other security
features in this policy, click Next until the Policy Summary page is displayed.
Note When you upgrade to Cisco SD-WAN Release 20.3.3 and later releases from any previous release, traffic to
and from a service VPN IPSEC interface is considered to be in the service VPN ZBFW zone and not a VPN0
zone. This could result in the traffic getting blackholed, if you allow traffic flow only between service VPN
and VPN0 and not the intra service VPN.
You have to make changes to your ZBFW rules to accommodate this new behavior, so that the traffic flow
in your system is not impacted. To do this, you have to modify your intra area zone pair to allow the required
traffic. For instance, if you have a policy which has the same source and destination zones, you have to ensure
the zone-policy allows the required traffic.
Configure Interface Based Zones and Default Zone
  Cisco IOS XE Catalyst SD-WAN Release 17.7.1a
  Cisco vManage Release 20.7.1
  This feature enables you to configure an interface-based firewall policy to control traffic between two interfaces or an interface-VPN-based firewall policy to control traffic between an interface and a VPN group. This feature also provides support for a default zone, where a firewall policy can be configured on a zone pair that consists of a zone and a default zone.
Restrictions for Interface Based Zones, Default Zone and Self Zone
• Interface-based firewall policies and default zone can be configured only for unified security policies
and on Cisco IOS XE Catalyst SD-WAN devices only.
Interface types are not listed on the selected device model. You must manually enter the correct interface
type and interface name for a device model.
• A default zone cannot be configured as both the source and the destination zone in a zone-pair.
• When the WAN interface is added to a zone, overlay traffic going over the WAN interface is not included
for inspection. The corresponding tunnel interface created on the device must be added to a zone and a
policy must be configured for the traffic flow.
• Interfaces belonging to different VPNs cannot be included in the same zone. Create separate zones for
interfaces attached to each VPN.
• For overlay traffic, tunnel interfaces corresponding to the physical interfaces must be used. For underlay
traffic, you must add the physical interface as part of a zone. All other logical interfaces can be used as
is for the overlay traffic (for example ipsec1, gre1).
• When creating a zone-member interface, if the physical interface is not present on the device, then Cisco
Catalyst SD-WAN Manager doesn't show any errors but this zone-member CLI is ignored. Ensure that
there are no typos in the interface name when you enter it manually for the zone.
• When you define a class-map, you can specify an optional type. Generally, firewall uses class-map type
inspect, but for application recognition, you can use a simple class-map with no type. If a class-map
without a type is specified, then it requires NBAR to determine the application. NBAR is not run on
traffic destined to the control plane (self zone) so the application cannot be determined. So, only class-map
with a type of inspect should be used for zone pairs to or from the self zone.
Default Zone
A default zone enables a firewall policy to be configured on a zone pair that consists of a zone and a default
zone. You can configure a policy from a zone to a default zone, or vice versa. In Cisco Catalyst SD-WAN,
any VPN or interface without an explicit zone assignment belongs to a default zone.
• If neither the interface nor the VPN is assigned to a zone, then the default zone is considered as the source
zone.
• If a policy is configured for a zone pair of a source zone and a destination zone that are based on the
above rules, a zone-pair policy can be applied.
• If no policy is configured for the zone pair of source zone and destination zone, packets are dropped.
• A default zone cannot be configured as both source and destination zone in a zone-pair.
• If one zone of the zone pair is the default zone and the other is the self zone, packets are passed without
inspection by default unless the default zone is explicitly provisioned.
• If only one zone of the zone pair is the default zone and the other is not the self zone, packets are dropped
by default unless the default zone is explicitly provisioned.
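The default-zone rules above, together with the self-zone restrictions stated earlier in this chapter (self zone on only one side of a pair, only class-maps of type inspect for self-zone pairs because NBAR does not run on control-plane traffic), can be checked offline before a zone-pair table is pushed. The following Python is an added example and not Cisco code; the zone names, interface names and policy table are constructed, and a class-map type of None stands for a class-map declared without a type.

```python
"""Offline model of zone-pair policy resolution for the Cisco Catalyst SD-WAN
zone-based firewall.

Added example, not Cisco code. It encodes the default-zone and self-zone rules
stated in this guide so a planned zone-pair table can be checked before it is
pushed. Zone names, member names and the policy table are constructed.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_ZONE = "default"   # any VPN or interface without an explicit zone
SELF_ZONE = "self"         # the router's own control plane

# Constructed membership: interface or VPN -> zone. Absent members are in the default zone.
ZONE_MEMBERS: Dict[str, str] = {
    "GigabitEthernet3.101": "SRC_INTF1",
    "GigabitEthernet1": "DIA_INTF",
    "vpn1": "VPN1_ZONE",
}

# Constructed zone-pair table: (source zone, destination zone) -> (action, class-map type).
# A class-map type of None models a class-map declared without "type inspect".
Policy = Tuple[str, Optional[str]]
POLICIES: Dict[Tuple[str, str], Policy] = {
    ("SRC_INTF1", "DIA_INTF"): ("inspect", "inspect"),
    ("VPN1_ZONE", SELF_ZONE): ("inspect", "inspect"),
    ("VPN1_ZONE", DEFAULT_ZONE): ("pass", "inspect"),
}


def effective_zone(members: Dict[str, str], member: str) -> str:
    """A VPN or interface with no explicit assignment belongs to the default zone."""
    return members.get(member, DEFAULT_ZONE)


def resolve_action(policies: Dict[Tuple[str, str], Policy],
                   src_zone: str, dst_zone: str) -> str:
    """Action applied to a flow from src_zone to dst_zone under the guide's rules."""
    if (src_zone, dst_zone) in policies:
        return policies[(src_zone, dst_zone)][0]   # explicit zone-pair policy wins
    pair = {src_zone, dst_zone}
    if DEFAULT_ZONE in pair and SELF_ZONE in pair:
        return "pass"    # default <-> self with no policy: passed without inspection
    return "drop"        # any other unprovisioned pair, including default <-> non-self


def resolve_for_members(members: Dict[str, str], policies: Dict[Tuple[str, str], Policy],
                        src_member: str, dst_member: str) -> str:
    """Resolve the action for traffic between two interfaces/VPNs, applying default-zone membership."""
    return resolve_action(policies,
                          effective_zone(members, src_member),
                          effective_zone(members, dst_member))


def validate_policies(policies: Dict[Tuple[str, str], Policy]) -> List[str]:
    """Flag zone pairs the guide says cannot be configured or will not classify traffic."""
    problems: List[str] = []
    for (src, dst), (_action, cm_type) in policies.items():
        if src == DEFAULT_ZONE and dst == DEFAULT_ZONE:
            problems.append("default zone cannot be both source and destination")
        if src == SELF_ZONE and dst == SELF_ZONE:
            problems.append("self zone cannot be both source and destination")
        if SELF_ZONE in (src, dst) and cm_type != "inspect":
            problems.append(f"{src}->{dst}: a class-map without type inspect cannot classify "
                            "self-zone traffic because NBAR does not run on control-plane traffic")
    return problems


if __name__ == "__main__":
    print(resolve_for_members(ZONE_MEMBERS, POLICIES, "GigabitEthernet3.101", "GigabitEthernet1"))
    print(resolve_for_members(ZONE_MEMBERS, POLICIES, "GigabitEthernet2", "GigabitEthernet1"))
    print(validate_policies(POLICIES))
```

The second lookup in the usage shows the restriction the guide warns about: an interface that is not in any zone falls into the default zone, and a default-to-non-self pair with no explicit policy drops traffic.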
3. In the Add NG Firewall Policy page, click zoneBasedFW to create a zone list.
The Zone List page is displayed.
4. Enter a name for the zone.
5. Click a zone type.
You can choose to configure zones with zone type as Interface or as a VPN. Based on the zone type
you choose, add the interfaces or VPNs to the zones.
6. Click Save to save the zone list.
7. In the Add NG Firewall Policy page, click Add Zone-Pairs.
8. In the Source Zone drop-down list, choose the zone that is the source of the data packets.
9. In the Destination Zone drop-down list, choose the zone that is the destination of the data packets.
Note Default zone appears in the drop-down list while selecting a zone as part of zone-pair. You can choose default
zone for either a source zone or a destination zone, but not both.
You configure Interface Based Zones and Default Zone using a CLI device template in Cisco SD-WAN
Manager. For information about using a device template, see Device Configuration-Based CLI Templates for
Cisco IOS XE Catalyst SD-WAN devices.
You can also configure Interface Based Zones and Default Zone using the CLI add-on feature template. For
information on using the CLI Add-On template, see Create a CLI Add-On Feature Template.
Configure Interface Based Zones and Default Zone Using the CLI
This section provides example CLI configurations for Interface Based Zones and Default Zones.
Monitor Interface Based Zones and Default Zone Using the CLI
Example 1
The following is sample output from the show policy-firewall config command to validate a configured zone
based firewall.
Zone-pair : ZP_SRC_INTF1_DIA_INTF_TEST
Source Zone : SRC_INTF1
Member Interfaces:
GigabitEthernet3.101
Destination Zone : DIA_INTF
Member Interfaces:
GigabitEthernet1
GigabitEthernet2
GigabitEthernet4
Service-policy inspect : TEST-opt
Class-map : TEST-seq-1-cm_ (match-all)
Match access-group name TEST-seq-Rule_1-acl_
Action : inspect
Parameter-map : Default
Class-map : TEST-seq-11-cm_ (match-all)
Match access-group name TEST-seq-Rule_2-acl_
Action : inspect
Parameter-map : Default
Class-map : class-default (match-any)
Match any
Action : drop log
Parameter-map : Default
Note For more information on HSL, see Firewall High-Speed Logging Overview, on page 73.
a. In the VPN field, enter the VPN that the server is in.
b. In the Server IP field, enter the IP address of the server.
c. In the Port field, enter the port on which the server is listening.
4. If you configured an application firewall policy, uncheck the “Bypass firewall policy and allow all Internet
traffic to/from VPN 0” check box in the Additional Security Policy Settings area.
5. (Optional) To configure an audit trail, enable the Audit Trail option. This option is only applicable for
rules with an Inspect action.
6. Click Save Policy to save the security policy.
Apply a Security Policy to a Device
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. From the Create Template drop-down list, choose From Feature Template.
4. From the Device Model drop-down list, choose one of the devices.
5. Click Additional Templates.
The Additional Templates section is displayed.
6. From the Security Policy drop-down list, choose the name of the policy you configured previously.
7. Click Create to apply the security policy to a device.
8. Click … next to the device template that you created.
9. Click Attach Devices.
10. Choose the devices to which you want to attach the device template.
11. Click Attach.
Note If you are migrating from older releases to Cisco IOS XE Release 17.2 or later with Application lists and the
zone-based firewall that is configured in Cisco SD-WAN Manager, you must first remove the security template
from the base template and push the base template. Thereafter, reattach the security template and then push
the template to the device.
Note When a zone-based firewall template is attached to a Cisco IOS XE Catalyst SD-WAN device running
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a or later, there may be an increase in the time taken to complete
tasks. This is due to the updates in the software version of Cisco vManage Release 20.6.1.
Monitor Enterprise Firewall
[Figure: topology diagram showing the addresses 172.16.0.1, 209.165.202.129 and 192.168.0.1 with mask 255.255.0.0]
Note By default, the subnets 192.168.1.1/30 and 192.0.2.1/30 used for VPG0 and VPG1 (UTD) and
192.168.2.1/24 used for VPG2 (APPQOE) are configured through Cisco SD-WAN Manager. Use any
RFC 1918 subnet for Transport and Service VPN configurations other than these subnets.
Zone-Based Firewall Configuration Examples
This section provides example CLI configurations to configure zone-based firewall policy.
Note By default, the subnets 10.168.1.1/30 and 10.0.2.1/30 used for VPG0 and VPG1 (UTD) and 10.168.2.1/24
used for VPG2 (APPQOE) are configured through Cisco SD-WAN Manager. Use any RFC 1918 subnet for
Transport and Service VPN configurations other than these subnets.
Configure data prefix groups and zones in the Create Groups of Interest screen:
1. Click Data Prefix in the left pane.
2. In the right pane, click New Data Prefix List.
3. Enter a name for the list.
4. Enter the data prefix or prefixes to include in the list.
5. Click Add.
6. Click Next to move to Zone-Based Firewall in the zone-based firewall configuration wizard.
Click Next to move to the Apply Configuration in the zone-based firewall configuration wizard.
1. Enter a name and description for the zone-based firewall zone pair.
2. Click Add Zone Pair.
3. In the Source Zone drop-down menu, choose the zone from which data traffic originates.
4. In the Destination Zone drop-down menu, choose the zone to which data traffic is sent.
5. Click Add.
6. Click Save Policy. The Configuration > Security screen is then displayed, and the zone-based firewalls
table includes the newly created policy.
Verify Zone-Based Firewall Configuration
The following is a sample output from the show policy-map type inspect command:
Device#show policy-map type inspect
Policy Map type inspect seq_1
Class seq_1-seq-1-cm_
Inspect
Class seq_1-seq-11-cm_
Inspect
Class class-default
Drop
For more information about the CLI commands, see Cisco IOS XE SD-WAN Qualified Command Reference.
Verify Zone-based Firewall Statistics
bytes-counter 938
attempted-conn 0
current-active-conn 0
max-active-conn 0
current-halfopen-conn 0
max-halfopen-conn 0
current-terminating-conn 0
max-terminating-conn 0
time-since-last-session-create 0
l7-policy-name NONE
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
Disabled 3963 439403
FirewallInvalidZone 18 1170
FirewallPolicy 11 938
IpTtlExceeded 12 1050
Ipv4NoAdj 151 8456
Ipv4NoRoute 326 46997
Ipv6EgressIntfEnforce 4212 897007
Ipv6NoAdj 6 456
Ipv6NoRoute 3 168
Nat64v6tov4 6 480
SdwanImplicitAclDrop 7033 408502
UnconfiguredIpv6Fia 1349 147590
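The Global Drop Stats table is a cumulative counter set, so it is most useful when two samples are compared. The following Python is an added example, not a Cisco tool: it parses the table into a name-to-(packets, octets) map and reports which of the firewall-specific counters (FirewallPolicy and FirewallInvalidZone, named as in the output above) grew between samples. The first sample is the table shown above; the second is constructed by raising the FirewallPolicy row.

```python
"""Parse the 'Global Drop Stats' table and report growing firewall drop counters.

Added example, not a Cisco tool. SAMPLE_T0 is the table shown in this guide;
SAMPLE_T1 is a constructed later sample with a larger FirewallPolicy count.
"""
import re
from typing import Dict, List, Tuple

# A data row: counter name, packet count, octet count. The header and dash lines do not match.
ROW_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s+(\d+)\s+(\d+)\s*$")

SAMPLE_T0 = """\
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
Disabled 3963 439403
FirewallInvalidZone 18 1170
FirewallPolicy 11 938
IpTtlExceeded 12 1050
Ipv4NoAdj 151 8456
Ipv4NoRoute 326 46997
Ipv6EgressIntfEnforce 4212 897007
Ipv6NoAdj 6 456
Ipv6NoRoute 3 168
Nat64v6tov4 6 480
SdwanImplicitAclDrop 7033 408502
UnconfiguredIpv6Fia 1349 147590
"""

# Constructed second sample: only the FirewallPolicy counter has moved.
SAMPLE_T1 = SAMPLE_T0.replace("FirewallPolicy 11 938", "FirewallPolicy 40 3200")

# Counters in the output whose names tie them to the zone-based firewall.
FIREWALL_COUNTERS = ("FirewallPolicy", "FirewallInvalidZone")

Counters = Dict[str, Tuple[int, int]]


def parse_drop_stats(text: str) -> Counters:
    """Map each counter name to (packets, octets)."""
    stats: Counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def counter_deltas(before: Counters, after: Counters) -> Counters:
    """Per-counter growth between two samples; counters new in 'after' count from zero."""
    deltas: Counters = {}
    for name, (pkts, octets) in after.items():
        p0, o0 = before.get(name, (0, 0))
        deltas[name] = (pkts - p0, octets - o0)
    return deltas


def growing_firewall_drops(before_text: str, after_text: str,
                           min_packets: int = 1) -> List[Tuple[str, int]]:
    """Firewall counters whose packet count rose by at least min_packets between samples."""
    deltas = counter_deltas(parse_drop_stats(before_text), parse_drop_stats(after_text))
    return [(name, deltas[name][0]) for name in FIREWALL_COUNTERS
            if name in deltas and deltas[name][0] >= min_packets]


if __name__ == "__main__":
    print(growing_firewall_drops(SAMPLE_T0, SAMPLE_T1))
```

A rising FirewallPolicy count tells you policy drops are happening; the class-level statistics shown earlier in this section identify which sequence is dropping them.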
For more information about the CLI commands, see Cisco IOS XE SD-WAN Qualified Command Reference.
Feature Name: Configure Port-Scanning Detection Using a CLI Template
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.4.1a, Cisco vManage Release 20.4.1
Description: This feature lets you configure port-scanning detection and apply a severity level (low, medium, or high) for identifying and classifying potential attacks using a CLI template.
Port scanning is a way of determining the open ports on a network, that is, the ports that receive and send data.
To configure port-scanning detection and include severity levels, use the following commands:
• port-scan
• sense level
Note The port-scan command can detect, but not block, possible port-scan attacks.
For more information on using these commands, see the port-scan and sense level commands in the Cisco
SD-WAN Command Reference Guide.
To detect port-scanning activity in your network, configure port-scanning detection on your device by copying
and pasting in the configuration as a Cisco SD-WAN Manager CLI template. For more information on using
CLI templates, see Create a CLI Add-On Feature Template in the Systems and Interfaces Configuration Guide,
Cisco IOS XE Release 17.x.
To generate port-scanning alerts, use Network Mapper (Nmap) commands. Nmap is an open-source tool for
network scanning and discovery. For more information on Nmap command usage and installation, see
https://nmap.org/book/man.html. Run the Nmap commands as an administrator:
1. After port-scanning detection is configured using a Cisco SD-WAN Manager CLI template, run the Linux
Nmap commands from the device where port-scanning detection is configured.
2. After the Nmap commands are run, you can see the port-scanning alerts generated on the router by running
the following Cisco IOS XE command:
Router# show utd engine standard logging events
3. To verify that the port-scanning configuration is applied on the router, use the following Cisco IOS XE
show command:
Router# show utd engine standard config threat-inspection
UTD Engine Standard Configuration:
Feature Name: Firewall High-Speed Logging
Release Information: Cisco IOS XE Catalyst SD-WAN Release 16.12.1b
Description: This feature allows a firewall to log records with minimum impact to packet processing.

Feature Name: Security Logging Enhancements
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, Cisco vManage Release 20.11.1
Description: With this feature you can configure up to four destination servers to export the syslogs, and an option to specify a source interface for high-speed logging (HSL). The IP addresses for the destination servers can be IPv4, IPv6, or both. For more information about configuring HSL, see Configure Firewall High-Speed Logging Using the CLI Template, on page 85.

Information About Firewall High-Speed Logging
This module describes how to configure HSL for zone-based policy firewalls.
The NetFlow collector issues the show platform software interface F0 brief command to map the
FW_SRC_INTF_ID and FW_DST_INTF_ID interface IDs to the interface name.
The following sample output from the show platform software interface F0 brief command shows that the
ID column maps the interface ID to the interface name (Name column):
Name ID QFP ID
GigabitEthernet0/2/0 16 9
GigabitEthernet0/2/1 17 10
GigabitEthernet0/2/2 18 11
GigabitEthernet0/2/3 19 12
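The mapping the collector performs here, as an added example that is not part of the Cisco guide: a small Python helper that parses the brief output above into an ID-to-name table and uses it to label decoded HSL records. The field names FW_SRC_INTF_ID and FW_DST_INTF_ID come from the guide; the command output is copied from the guide's table, while the records and the added FW_SRC_INTF_NAME and FW_DST_INTF_NAME fields are constructed for the example.

```python
"""Map HSL NetFlow interface IDs to interface names (added example)."""
import re

# Constructed sample, mirroring the layout of
# "show platform software interface F0 brief" shown in the guide.
INTF_BRIEF = """\
Name                 ID   QFP ID
GigabitEthernet0/2/0 16   9
GigabitEthernet0/2/1 17   10
GigabitEthernet0/2/2 18   11
GigabitEthernet0/2/3 19   12
"""

# One data row: interface name, interface ID, QFP ID.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_interface_brief(text):
    """Return {interface_id: (name, qfp_id)} from the brief output.

    The header line and anything that is not a three-column row are
    skipped, so prompts or blank lines in a captured session do not
    break the parse.
    """
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        name, intf_id, qfp_id = m.group(1), int(m.group(2)), int(m.group(3))
        table[intf_id] = (name, qfp_id)
    return table


def enrich_hsl_record(record, intf_table):
    """Add FW_SRC_INTF_NAME / FW_DST_INTF_NAME to a decoded HSL record.

    An ID that is not in the table (for example an interface added after
    the brief output was captured) is reported as 'unknown(<id>)' instead
    of raising, so one stale mapping does not stall the collector.
    """
    out = dict(record)
    pairs = (("FW_SRC_INTF_ID", "FW_SRC_INTF_NAME"),
             ("FW_DST_INTF_ID", "FW_DST_INTF_NAME"))
    for id_field, name_field in pairs:
        if id_field in record:
            entry = intf_table.get(record[id_field])
            out[name_field] = entry[0] if entry else f"unknown({record[id_field]})"
    return out


# Constructed records, as a collector would hold them after decoding
# the NetFlow v9 HSL template (only the interface ID fields are shown).
SAMPLE_RECORDS = [
    {"FW_SRC_INTF_ID": 16, "FW_DST_INTF_ID": 17},
    {"FW_SRC_INTF_ID": 19, "FW_DST_INTF_ID": 42},
]


def enrich_all(records=SAMPLE_RECORDS, brief=INTF_BRIEF):
    """Parse the brief output once and enrich every record with it."""
    table = parse_interface_brief(brief)
    return [enrich_hsl_record(r, table) for r in records]


if __name__ == "__main__":
    for rec in enrich_all():
        print(rec)
```

Because interface IDs are only stable for the life of the running configuration, a collector should refresh the table whenever it sees an ID it cannot resolve, rather than treating the mapping as static.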
Restrictions
• HSL is supported only on NetFlow Version 9 template.
• IPv6 HSL is not supported on tunnel interfaces.
• Unified Logging is not supported for the IPv6 address type. For more information about unified logging, see Information About Unified Logging Security Connection Events, on page 106.
• Cisco IOS XE Catalyst SD-WAN devices on Cisco IOS XE Catalyst SD-WAN Release 17.10.1a do not
support IPv6 address or IPv6 HSL even if the device is running a Cisco vManage Release 20.11.1 version
that supports IPv6 address or IPv6 HSL.
NetFlow Field ID Descriptions
AAA Fields
Alert Fields
Miscellaneous
FW_CLASS_ID 51 4 Class ID
HSL Messages
The following are sample syslog messages from a Cisco IOS XE Catalyst SD-WAN device:
How to Configure Firewall High-Speed Logging
Configure Firewall High-Speed Logging Using the CLI Template
You can configure HSL in the Policy Summary page. For more information about the policy summary page,
see Create Unified Security Policy Summary.
To configure NetFlow event logging for IPv6, use the following command:
log flow-export v9 udp ipv6-destination ipv6-address port-number vrf vrf-id source interface-name
Note From Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can
configure up to four destination servers to export the syslogs; the IP addresses for the destination servers can
be IPv4, IPv6, or both. Optionally, you can specify a source interface for HSL. A source interface is used to
determine where the logs originated from when they are collected into the destination servers.
3. Configure the template timeout rate, the interval (in seconds) at which the NetFlow template formats are advertised.
log flow-export template timeout-rate seconds
1. Configure an inspect parameter map for connection thresholds, timeouts, and other parameters pertaining to the inspect keyword, and enter parameter-map type inspect configuration mode.
Device(config)# parameter-map type inspect parameter-map-name
4. Configure the threshold and blocking-time values for TCP host-specific denial of service (DoS) detection and prevention.
Device(config-profile)# tcp max-incomplete host threshold
5. Create an inspect-type policy map and enter policy-map configuration mode.
policy-map type inspect policy-map-name
6. Configure the traffic class on which an action is to be performed and enter policy-map class configuration mode.
class type inspect class-map-name
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can configure up to four destination servers to export the syslogs to; the IP addresses for these destination servers can be IPv4, IPv6, or both.
Configuration Examples for Firewall High-Speed Logging
configure terminal
parameter-map type inspect-global
log flow-export v9 udp destination 10.0.2.0 5000 vrf 1 source GigabitEthernet0/0/5
log flow-export v9 udp ipv6-destination 2001:DB8::1 vrf 65528 source GigabitEthernet0/0/3
log flow-export template timeout-rate 5000
end
Unified Security Policy

Feature Name: Unified Security Policy
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.6.1a, Cisco vManage Release 20.6.1
Description: This feature allows you to configure a single unified security policy for firewall and Unified Threat Defense (UTD) security features such as IPS, Cisco URL Filtering, AMP, and TLS/SSL. Having a single unified security policy simplifies policy configuration and enforcement because firewall and UTD policies can be configured together in a single security operation rather than as individual policies.

Feature Name: Resource Limitations and Device-global Configuration Options
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, Cisco vManage Release 20.7.1
Description: This feature enables you to define resource limitation options such as idle timeout and session limits, and device-global options in the policy summary page to fine-tune firewall policy behaviour after a firewall policy is implemented in Cisco Catalyst SD-WAN.
Feature Name: Security Logging Enhancements
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, Cisco vManage Release 20.11.1
Description: With this feature, you can export UTD logs to an external syslog server and specify the source interface from which the UTD syslog originates. For more information about UTD logging, see Create Unified Security Policy Summary, on page 95.

Feature Name: IPv6 Support for Zone-based Firewall
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, Cisco vManage Release 20.11.1
Description: This feature adds support for configuring IPv6 Zone-based Firewall (ZBFW) in addition to the existing IPv4 ZBFW. You can create firewall rules or rulesets with IPv6 as the address type in a unified security policy. For more information, see Configure Firewall Policy and Unified Security Policy, on page 91.
TLS/SSL Decryption. An advanced inspection profile must be created first, and then attached to a policy at
a rule level or a device level.
After a unified security policy is created, it must be attached to a zone pair and pushed to the device for
implementation.
You have the following options to choose from when you configure a unified policy:
• You can create a new unified security policy. For information, see Configure Unified Security Policy, on page 89.
• You can continue using the existing security policy where you create separate policies for each feature.
For information, see Configure Firewall Policies.
• You can migrate from an existing firewall security policy to a unified NG firewall security policy only.
For information, see Migrate a Security Policy to a Unified Security Policy, on page 99.
Create an Object Group
When you create a rule, you have the option to either attach an object group, or apply the individual filters directly to a rule. If you choose to attach an object group, the individual filters are unavailable. You must create an object group first, and then attach the object group to a rule. A new object group can also be created while you are creating a new rule.
To create a new object group, perform the following steps:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Security.
2. Click Custom Options.
3. Click Lists.
4. Click Object Group in the left pane.
5. Click New Object Group.
6. In the Object Group Name field, enter a name for the object group.
7. In the Description field, enter a description for the object group.
8. Set the filters to include in this object group.
9. Click Save.
Create an Advanced Inspection Profile
10. In the Advanced Malware Protection field, choose an advanced malware protection policy to add to the advanced inspection profile. The advanced malware protection policies that you create in the unified mode determine which policies are available. For information, see Configure Advanced Malware Protection for Unified Security Policy, on page 173.
11. Click a TLS action.
12. If you choose Decrypt as a TLS action, you can choose a TLS/SSL Decryption profile to add to the advanced inspection profile. The TLS/SSL Decryption profiles that you create in the unified mode determine which policies are available. For information, see Configure TLS/SSL Profile for Unified Security Policy, on page 199.
13. Click Save to save the advanced inspection profile.
Configure Firewall Policy and Unified Security Policy
• For Cisco vManage Release 20.3.2 and earlier releases, click Add Rule.
8. From the Order drop-down list, choose the order for the rule.
9. Enter a name for the rule.
10. Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1,
you can choose an IP address type.
11. From the Action drop-down list, choose an action for the rule.
• Inspect
• Pass
• Drop
12. If you want matches for this rule to be logged, check the Log check box.
Note Cisco SD-WAN Manager supports log flow only at the rule level and not at the global level.
13. Choose an advanced inspection profile to attach to the policy. This field is available only if you have chosen the action rule as Inspect. If you have created an advanced inspection profile, this field lists all the advanced inspection profiles that you have created. Choose an advanced inspection profile from the list. For information on creating an advanced inspection profile, see Create an Advanced Inspection Profile, on page 90.
14. Click Source, and choose one of the following options:
• Object Group: Use an object group for your rule.
To create a new object group, click New Object Group List. Set the filters for matching, and then
click Save. For information on creating an object group, see Create an Object Group, on page 89.
• Type: You can choose from IPv4 prefixes, IPv6 prefixes, prefix lists, fully qualified domain names
(FQDN), lists, or Geo Location based on the IP address type that you choose.
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco
vManage Release 20.11.1, you can choose an IP address type as IPv4 or IPv6.
Based on the IP address type that you choose, the Type field displays the prefix
options.
Note From Cisco IOS XE Catalyst SD-WAN Release 17.6.1a, and Cisco vManage Release 20.6.1, the applications are attached directly to the rule the way other filters are. If configured as part of access control lists (ACLs), they are attached to a class-map along with the source and destination.
Add a Zone Pair
Note You can choose self zone for either a source zone or a destination zone, but not both.
Configure Umbrella DNS Policy Using Cisco SD-WAN Manager
6. From the Add DNS Security Policy drop-down list, choose one of the following:
• Create New: A DNS Security - Policy Rule Configuration wizard is displayed.
• Copy from Existing: Choose a policy from the Policy field, enter a policy name, and click Copy.
7. If you are creating a new policy using the Create New option, the DNS Security - Policy Rule
Configuration wizard is displayed.
8. Enter a policy name in the Policy Name field.
9. The Umbrella Registration Status displays the status of the API Token configuration.
10. Click Manage Umbrella Registration to add a token, if you have not added one already.
11. Click Match All VPN to keep the same configuration for all the available VPNs and continue with Step 13. Or, click Custom VPN Configuration if you need to add target service VPNs to your policy. A Target VPNs window appears; continue with the next step.
12. To add target service VPNs, click Target VPNs at the top of the window.
13. Click Save Changes to add the VPN.
14. From the Local Domain Bypass List drop-down list, choose the domain bypass.
15. Configure DNS Server IP from the following options:
• Umbrella Default
• Custom DNS
16. Click Advanced to enable or disable DNSCrypt. By default, DNSCrypt is enabled.
17. Click Save DNS Security Policy.
The Configuration > Security window is displayed, and the DNS policy list table includes the newly
created DNS Security Policy.
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can choose Child Org ID from the drop-down list when a parent Org ID of a multi-org tenant is added to the SIG Credentials.
Field: Add DNS Security Policy
Description: From the Add DNS Security Policy drop-down list, choose Create New to create a new DNS Security Policy, or Copy from Existing to choose a policy from the Policy field, enter a policy name, and click Copy.
Field: Umbrella Registration Status
Description: Displays the status of the API Token configuration.

Field: Match All VPN
Description: Click Match All VPN to keep the same configuration for all the available VPNs.

Field: Custom VPN Configuration
Description: Choose Custom VPN Configuration to input the specific VPNs.

Create Unified Security Policy Summary
5. (Optional) For Cisco IOS XE Catalyst SD-WAN Release 16.12.2r and onwards, to configure high-speed
logging (HSL), enter the following details of the Netflow server that will listen for the Netflow event
logs.
For more information on HSL, see Firewall High-Speed Logging Overview.
a. In the VPN field, enter the VPN that the server is in.
b. In the Server IP field, enter the IP address of the server.
c. In the Port field, enter the port on which the server is listening.
d. In the Source Interface field, specify the interface for HSL.
Note From Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you can
configure up to four destination servers to export the syslogs; the IP addresses for these destination servers
can be IPv4, IPv6, or both. Optionally, you can specify a source interface for HSL.
6. (Optional) To configure an audit trail, enable the Audit Trail option. This option is only applicable for
rules with an Inspect action.
7. Click Unified Logging to enable the unified logging feature.
Note To enable logging for a class or policy, check the Log check box for the rule in a policy.
Note There is another kind of reclassification, which is traffic driven. When FPM (First Packet Match) fails for an application, the traffic can hit a generalized L3/L4 rule if one exists. After the application is fully recognized, the traffic is reclassified and hits the desired rule that deals with the specific application.
9. Click ICMP unreachable allow to allow ICMP unreachable packets to pass through.
10. Choose an advanced inspection profile.
You have the option to attach an advanced inspection profile at a device level. All the rules in the device that match the traffic to be inspected are inspected using the advanced inspection profile.
Note An advanced inspection profile that is attached at a rule level is preferred over an advanced inspection profile
attached at a device level. If the rule does not have advanced inspection profile attached, and if the action is
Inspect, then the advanced inspection profile that is attached at the device level is effective in the policy.
11. (Optional) Choose a TLS/SSL Decryption policy. This field is visible if you have configured a TLS
action in the advanced inspection profile.
12. (Optional) Enter the following details to export the UTD logs to the external syslog server:
• In the VPN field, enter the VPN that the syslog server is in.
• In the Server IP field, enter the IP address of the syslog server.
• From Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, enter the interface name in the Source Interface field where the UTD syslogs should originate from.
Configure Resource Limitations and Device-global Configuration Options
Use the following command to display resource limitations and device-global configuration options on a
Cisco IOS XE Catalyst SD-WAN device:
Device# show run | sec parameter-map
parameter-map type inspect-global
icmp-unreachable-allow
session-reclassify-allow
tcp syn-flood limit 5
alert on
max-incomplete tcp 10
max-incomplete udp 11
max-incomplete icmp 12
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. From the Create Template drop-down list, choose From Feature Template.
4. From the Device Model drop-down list, choose one of the devices.
5. Click Additional Templates.
Note If you are migrating from older releases to Cisco IOS XE Release 17.2 or later with Application lists and the zone-based firewall that is configured in Cisco SD-WAN Manager, you must first remove the security template from the base template and push the base template. Thereafter, reattach the security template and then push the template to the device.
Note When a zone-based firewall template is attached to a Cisco IOS XE Catalyst SD-WAN device running Cisco IOS XE Catalyst SD-WAN Release 17.6.1a or later, there may be an increase in the time taken to complete tasks. This is due to the updates in the software version of Cisco vManage Release 20.6.1.
Configure Unified Security Policy Using the CLI
Device# config-transaction
Device(config)# parameter-map type inspect name
Device(config)# utd-policy utd advance inspection profile-name
Device# config-transaction
Device(config)# policy-map type inspect policy-map
Device(config-pmap)# class type inspect class-map
Device(config-pmap-c)# inspect parameter-map
Device# config-transaction
Device(config)# parameter-map type inspect-global
Device(config-profile)# utd-policy utd-aip-name-def
Device# config-transaction
Device(config)# zone-pair security pair source src-zone destination dst-zone
Device(config-sec-zone-pair)# service-policy type inspect policy-map
Device# config-transaction
Device(config)# utd engine standard unified-policy
Device(config-utd-unified-policy)# policy policy-name
Device(config-utd-mt-policy)# threat-inspection profile ips_profile
Device(config-utd-mt-policy)# web-filter url profile urlf_profile
Device(config-utd-mt-policy)# file-inspection profile file_insp_profile
Device(config-utd-mt-policy)# tls-decryption profile tls_dec_profile
Note The flow-logging all command enables unified logging for all the UTD features. If you do not want to enable unified logging for all UTD features, choose the individual flow-logging options (file-inspection, web-filtering, or threat-inspection).
Migrate a Security Policy to a Unified Security Policy
Note Existing IPS, URL, AMP and SSL/TLS security policies cannot be migrated to a unified security policy as is. You must create new unified policies separately and attach them to an advanced inspection profile. The advanced inspection profile can then be attached to the relevant rules in the unified NG firewall policy. Alternatively, you can add an existing advanced inspection profile at the device level in the Policy Summary page and further optimize it.
Monitor Unified Security Policy
Example 2
The following is a sample output from the show utd engine standard config command. This example displays
the Unified Threat Defense (UTD) configuration.
Policy: uni-utd
VirtualPortGroup Id: 1
Policy: Balanced
Example 3
The following is a sample output from the show platform hardware qfp active feature utd config command.
This example shows the UTD datapath configuration and status.
Device# show platform hardware qfp active feature utd config
Global configuration
NAT64: disabled
Drop pkts: disabled
Multi-tenancy: disabled
Data plane initialized: yes
TLS Decryption Policy: disabled
Divert controller mode: enabled
SN threads: 12
CFT inst_id 0 feat id 4 fo id 4 chunk id 17
Max flows: 55000
Example 5
The following is a sample output from the show platform hardware qfp active feature firewall drop command that displays the drop counter for Max Incomplete UDP after the limit is exceeded.
Device# show platform hardware qfp active feature firewall drop
-------------------------------------------------------------------------------
Drop Reason Packets
-------------------------------------------------------------------------------
ICMP ERR Pkt:exceed burst lmt 42
ICMP Unreach pkt exceeds lmt 305
UDP - Half-open session limit exceed 2
Example 6
The following is a sample output from the show run | sec utd command to verify UTD logging.
Device# show run | sec utd
parameter-map type inspect pm1
utd-policy default
!
utd engine standard unified-policy
threat-inspection profile default-threat
threat protection
policy security
utd global
logging host 10.1.1.1
logging host 10.2.2.2 source-interface Loopback2
logging host 10.3.3.3 source-interface GigabitEthernet3
policy default
threat-inspection profile default-threat
Example 7
The following is a sample output from the show parameter-map type inspect-global command to verify
HSL configuration.
Device#show parameter-map type inspect-global
parameter-map type inspect-global
log flow-export v9 udp destination 10.10.0.2 5050
log flow-export v9 udp destination 10.10.0.2 4040
log flow-export v9 udp ipv6-destination 2001:DB8::1 source GigabitEthernet0/1/0
log flow-export v9 udp ipv6-destination 2001:DB8::1
Flow-logging Information:
-------------------------
State : disabled
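Example 7 above and the show run | sec parameter-map output under Configure Resource Limitations and Device-global Configuration Options show the two kinds of settings that live in the inspect-global parameter map. The following added example (not from the Cisco guide or from any Cisco tool) audits both from saved CLI output: it counts HSL destinations against the four-server limit stated in this guide, flags duplicate destinations and destinations configured without a source interface, and compares the device-global max-incomplete and syn-flood limits with a baseline. The configuration text is constructed from the guide's sample outputs, and the BASELINE thresholds are assumptions for the example, not Cisco recommendations.

```python
"""Audit the parameter-map type inspect-global section (added example)."""
import ipaddress
import re

# Constructed from the guide's sample outputs; indentation follows IOS XE.
SAMPLE = """\
parameter-map type inspect-global
 icmp-unreachable-allow
 session-reclassify-allow
 tcp syn-flood limit 5
 alert on
 max-incomplete tcp 10
 max-incomplete udp 11
 max-incomplete icmp 12
 log flow-export v9 udp destination 10.10.0.2 5050
 log flow-export v9 udp destination 10.10.0.2 4040
 log flow-export v9 udp ipv6-destination 2001:DB8::1 source GigabitEthernet0/1/0
 log flow-export v9 udp ipv6-destination 2001:DB8::1
 log flow-export template timeout-rate 5000
"""

MAX_HSL_DESTINATIONS = 4                        # limit stated in the guide
BASELINE = {"tcp": 10, "udp": 11, "icmp": 12}   # assumed max-incomplete limits

# destination/ipv6-destination <addr> [port] [vrf <id>] [source <intf>]
_EXPORT = re.compile(
    r"log flow-export v9 udp (?:ipv6-)?destination (\S+)"
    r"(?:\s+(\d+))?(?:\s+vrf\s+(\S+))?(?:\s+source\s+(\S+))?$")


def parse_inspect_global(text):
    """Return (exporters, limits) parsed from the inspect-global section."""
    exporters, limits = [], {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("parameter-map type inspect-global"):
            in_section = True
            continue
        # Child lines are indented; an unindented line ends the section.
        if not raw.startswith(" ") or not in_section:
            in_section = False
            continue
        m = _EXPORT.match(line)
        if m:
            addr, port, vrf, src = m.groups()
            exporters.append({
                "addr": addr, "port": int(port) if port else None,
                "vrf": vrf, "source": src,
                "family": ipaddress.ip_address(addr).version,
            })
            continue
        m = re.match(r"max-incomplete (tcp|udp|icmp) (\d+)", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
        m = re.match(r"tcp syn-flood limit (\d+)", line)
        if m:
            limits["syn-flood"] = int(m.group(1))
    return exporters, limits


def audit(text=SAMPLE, baseline=BASELINE):
    """Return {'warn': [...], 'info': [...]} findings for the section."""
    exporters, limits = parse_inspect_global(text)
    warn, info = [], []
    if len(exporters) > MAX_HSL_DESTINATIONS:
        warn.append(f"{len(exporters)} HSL destinations exceed the limit of "
                    f"{MAX_HSL_DESTINATIONS}")
    seen = set()
    for e in exporters:
        key = (e["addr"], e["port"])
        if key in seen:
            warn.append(f"duplicate HSL destination {e['addr']} port {e['port']}")
        seen.add(key)
        if e["source"] is None:   # optional per the guide, so informational
            info.append(f"HSL destination {e['addr']} has no source interface")
    if "syn-flood" not in limits:
        warn.append("tcp syn-flood limit not set")
    for proto, expected in baseline.items():
        if proto not in limits:
            warn.append(f"max-incomplete {proto} not set")
        elif limits[proto] > expected:
            warn.append(f"max-incomplete {proto} {limits[proto]} above baseline {expected}")
    return {"warn": warn, "info": info}


if __name__ == "__main__":
    for level, msgs in audit().items():
        for msg in msgs:
            print(level, msg)
```

Run against the constructed sample, the audit reports the repeated IPv6 destination as a warning and the three exporters without a source interface as informational, which is the kind of drift a configuration-compliance check would surface before a missing HSL feed is noticed in the SOC.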
Configuration Example of an Application Firewall in a Unified Security Policy
Device(config-service-group)# ip
!
Device(config)# object-group service FW1-Rule_2-svc
Device(config-service-group)# ip
!
Unified Logging for Security Connection Events
Feature Name: Unified Logging for Security Connection Events
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, Cisco vManage Release 20.7.1
Description: This feature supports Unified Logging, which is used to capture information about connection events across different security features at different stages during policy enablement and execution. With Unified Logging, you can have visibility into the log data for Zone-based Firewall and for Unified Threat Defense features such as IPS, URL-F and AMP, to understand what traffic, threats, sites or malware were blocked, and the rules that blocked the traffic or sessions with the associated port, protocol or applications. Additionally, this feature also provides support for On-Demand Troubleshooting. On-Demand troubleshooting allows a user to view the connection events of inspect flows of traffic from a device within a configured period of time.
Restrictions For Unified Logging for Security Connection Events
Note As of Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, UTD TLS-Decryption events are not reported.
Information About Unified Logging Security Connection Events
Flow data about ZBFW and UTD features is captured using Netflow. Netflow records the flow data to a JSON
file which is used by Cisco SD-WAN Manager. The flow data can also be exported to an external Netflow
collector. Exporters are assigned to flow monitors to export data from the flow monitor cache to a remote
system such as a Netflow collector. Flow monitors can support more than one exporter. Each exporter can be
customized to meet the requirements of the flow monitor or monitors in which it is used and the Netflow
collector systems to which it is exporting data.
Cisco SD-WAN Manager displays the following data for the security connection events:
ZBFW
• Information about enforcement of ZBFW.
• Zone information (zone pair, source zone, and destination zone).
• Policy enforced on the connection flow.
• Action taken based on the policy on the connection flow (inspect).
• Whether Network Address Translation (NAT) or Port Address Translation (PAT) is enabled.
UTD
• Details of which UTD security features acted on a flow.
• Result of a security feature acting on a flow.
• Details of policy enforcement.
Comparison Between Unified Logging for Security Connection Events, ZBFW High Speed Logging and ZBFW Syslog
ZBFW supports high-speed logging (HSL). HSL allows ZBFW to log records with minimum impact to packet
processing.
With HSL configured, ZBFW logs the following types of events:
For information about Firewall High-speed logging, see Firewall High-Speed Logging.
In the case of Unified Logging, the log data consists of the following types:
IPS
• Policy ID
• Action
• Priority
• Generator ID
• Signature ID
• Classification ID
AMP
• Policy ID
• Action
• Disposition
• File Type
• File Name Hash
• Malware Name Hash
• File SHA
Note These are the flow keys that are used for the Unified Logging:
• IPv4 SrcAddr
• IPv4 DstAddr
• IPv4 Protocol
• Transport SrcPort
• Transport DstPort
• Routing VRF Service
Note Starting from Cisco IOS XE Release 17.9.1a, use the policy ip visibility features ulogging enable command
to manually enable or disable the unified logging fields in flexible netflow (FNF). Use the show sdwan policy
cflowd-upgrade-status command to check which features were enabled before the version upgrade. You
have to manually control the features after a version upgrade using the disable or enable commands.
For more information, see policy ip visibility command page.
Note Unified Logging for security connection events and ZBFW HSL can be enabled together. If you choose to
enable both these features, there will be a considerable impact on the performance.
On-Demand Troubleshooting
The On-Demand Troubleshooting feature allows a user to view detailed information about the flow of traffic
from a device. A user can use this information for troubleshooting. For information, see On-Demand
Troubleshooting.
Note You can also use the CLI Add-on template to configure Unified Logging for security connection events. For
more information, see Create a CLI Add-On Feature Template.
Configure Unified Logging for Security Connection Events Using the CLI
This section provides example CLI configurations to configure Unified Logging for ZBFW and UTD.
ZBFW
Use this configuration to enable Unified Logging for ZBFW at a global level.
UTD
Use this configuration to enable Unified Logging for all UTD features.
Device(config)# utd engine standard unified-policy
Device(config-utd-unified-policy)# utd global
Device(config-utd-mt-global)# flow-logging all file-inspection threat-inspection web-filtering
Device(config-utd-mt-global)# logging host host_IP [source-interface Interface]
Note flow-logging all enables Unified Logging for all the UTD features. If you do not want to enable Unified Logging
for all UTD features, choose the individual flow-logging options (file-inspection, web-filtering,
threat-inspection).
Configure Netflow
Use this configuration to enable Netflow to export log data of ZBFW and UTD features to an external collector.
Device(config)# flow exporter exporter-name
Device(config-flow-exporter)# description description
Device(config-flow-exporter)# destination IP address
Device(config-flow-exporter)# export-protocol netflow-v9
Device(config-flow-exporter)# transport udp udp-port
Use this configuration to enable Unified Logging for ZBFW at a rule level.
Device(config-profile)# log ?
flow Enable flow/connection events for all security policies
flow-export Configure inspect external logging parameters
Note Use ? to view the options for Unified Logging for ZBFW at a rule level.
UTD
Use this configuration to enable Unified Logging for all UTD features.
Device(config)# utd engine standard unified-policy
Device(config-utd-unified-policy)# utd global
Note You can choose to use any of the UTD options if you do not want to enable Unified Logging for all UTD
features.
Note If you are using the Connection Events option for the first time, you need to enable On-Demand
Troubleshooting. For information, see On-Demand Troubleshooting.
Cisco Catalyst SD-WAN Identity-Based Firewall Policy
Feature Name: Cisco Catalyst SD-WAN Identity-Based Firewall Policy
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, Cisco vManage Release 20.9.1
Description: This feature allows you to configure user identity-based firewall policies for unified security
policies. Cisco Identity Services Engine (ISE) and Microsoft Active Directory Services are identity providers
that authenticate and authorize device users in the network. When Cisco SD-WAN Manager and a Cisco
Catalyst SD-WAN Controller establish a connection to Cisco ISE, information about user and user
groups—that is, identity-mapping information—is retrieved from Cisco ISE. Identity-based policies are then
distributed to Cisco IOS XE Catalyst SD-WAN devices. This identity mapping information is used while
creating firewall policies.

Feature Name: Cisco Catalyst SD-WAN Identity-Based Firewall Policy Enhancement for SGT Integration
Release Information: Cisco vManage Release 20.10.1, Cisco IOS XE Catalyst SD-WAN Release 17.10.1a
Description: The Cisco Catalyst SD-WAN Identity-Based Firewall Policy feature is enhanced to support
Security Group Tag (SGT) integration with Cisco ISE. SGTs are assigned in the network to simplify policy
configuration across devices.

Feature Name: IPv6 Support for Zone-based Firewall
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, Cisco vManage Release 20.11.1
Description: This feature adds support for configuring IPv6 Zone-based Firewall (ZBFW) in addition to the
existing IPv4 ZBFW. You can create firewall rules or rulesets with IPv6 as the address type in a unified
security policy. For more information, see Create Identity-Based Unified Security Firewall Policy, on page 120.
Information About Cisco Catalyst SD-WAN Identity-Based Firewall Policy
Cisco ISE
Cisco ISE is an identity provider that is deployed on-premises to manage user identities and to provide services
such as authentication, authorization, and accounting.
• Cisco IOS XE Catalyst SD-WAN devices with 8GB of system memory or greater can support a maximum
of 100,000 ip-user sessions.
IP-SGT Bindings
• Cisco IOS XE Catalyst SD-WAN devices with 4GB of system memory or less can support a maximum
of 10,000 bindings.
• Cisco IOS XE Catalyst SD-WAN devices with 8GB of system memory or greater can support a maximum
of 100,000 bindings.
To connect Cisco ISE to a Cisco Catalyst SD-WAN Controller for the Cisco pxGrid service and to integrate
Cisco SD-WAN Manager with Cisco ISE, note the following:
• Cisco ISE version 3.2 supports only two Cisco Catalyst SD-WAN Controllers.
• Cisco ISE version 3.3 or later supports more than three Cisco Catalyst SD-WAN Controllers.
This figure displays the identity information flow between Cisco SD-WAN Manager, Cisco Catalyst SD-WAN
Controller, and Cisco IOS XE Catalyst SD-WAN devices.
Management Plane
• Cisco SD-WAN Manager obtains the user and user group information from Cisco ISE and pxGrid.
• An administrator authors the security policies using the username and user group.
• Cisco SD-WAN Manager pushes these policies to the Cisco IOS XE Catalyst SD-WAN devices.
Controller Distribution
• A Cisco Catalyst SD-WAN Controller obtains the IP-to-username and user-to-user-group mappings from
Cisco ISE and pxGrid when a user logs in. A session is created.
• The Cisco Catalyst SD-WAN Controller pushes the IP-to-username and user-to-user-group mappings to
the Cisco IOS XE Catalyst SD-WAN devices.
The following restrictions are applicable for Cisco vManage Release 20.10.1 and Cisco IOS XE Catalyst
SD-WAN Release 17.10.1a:
• Only one SGT list can be configured per firewall policy rule in each direction.
• SGT is not supported under ruleset or in object-group list.
• Only 8 SGTs are supported in an identity list.
• SGT in policy is supported only for unified policy.
Note Enable the ERS option by choosing Administration > Settings > API Settings > API Service Settings in
ISE in order to enable pxGrid services for Cisco ISE connectivity to Cisco Catalyst SD-WAN Controller.
Configure Cisco ISE in Cisco SD-WAN Manager
Note You can download the Cisco ISE server certificate from Cisco ISE. For details on Cisco ISE certificates, see
Generate Certificate Signing Request (CSR).
8. In the PxGrid Server CA pane, choose a file from your desktop or drag and drop to upload.
Note You can download the PxGrid server certificate from Cisco ISE. For details on Cisco ISE certificates, see
Generate Certificate Signing Request (CSR).
9. (Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.10.1a and Cisco vManage Release
20.10.1) In the Feature Subscription field, select the feature for which you want to retrieve the metadata
information from Cisco ISE. The options are:
• User/User Groups
• Security Group Tag (SGT)
10. For User/User Groups, enter the AD Joint Point name and the AD Domain name, as defined in Cisco
ISE.
11. Click Submit.
A connection to Cisco ISE is initiated. An automatic template push to the Cisco SD-WAN Controller
is initiated based on the username and password, Cisco ISE Server IP address, AD domain name, and
VPN name. The Cisco SD-WAN Controller then connects to pxGrid using the pxGrid APIs, and opens
a web socket connection.
When the Cisco Catalyst SD-WAN Controller establishes a connection to Cisco ISE, information about
user and user groups is retrieved from Cisco ISE and distributed to the Cisco IOS XE Catalyst SD-WAN
devices.
To view the list of users and user groups available in the corresponding domain, choose Actions > View
ISE Data.
Create an Identity List
Note If you have not completed the integration of Cisco ISE with Cisco SD-WAN Manager, a message
instructs you to complete the integration. After you complete this integration, the Add an Identity list link
is displayed in the Identity List window.
Note You can configure either User/User Group or Security Group Tag (SGT) at a given point, not both.
9. If you choose Security Group Tag (SGT), select one or more SGTs and click Add.
After you add the SGT identity list, you can use it in a unified security policy to create source-based or
destination-based identity security firewall policies.
10. If you choose User/User Groups, select the user groups and click Add. If the user information is
available, the User Groups list displays all the user groups. You can select a maximum of 16 user
groups.
After you add the identity list, you can use it in a unified security policy to create a user-identity-based
security firewall policy.
Create Identity-Based Unified Security Firewall Policy
12. (Optional) Check the Log check box if you want matches for this rule to be logged.
Note Cisco SD-WAN Manager supports log flow only at the rule level and not at the global level.
13. Choose an advanced inspection profile to attach to the policy. This field is available only if you have
chosen the action rule as Inspect. If you have created an advanced inspection profile, this field lists all
the advanced inspection profiles that you have created. Choose an advanced inspection profile from the
list. For information on creating an advanced inspection profile, see Create an Advanced Inspection
Profile.
14. Click Source, and choose Identity as the filter type.
15. Click Destination, and choose one of the following options:
• Object Group: Use an object group for your rule.
To create a new object group, click New Object Group List. Set the filters for matching, and then
click Save. For information on creating an object group, see Create an Object Group .
• Type: You can choose from IPv4 prefixes, IPv6 prefixes, prefix lists, fully qualified domain names
(FQDN), lists, or Geo Location based on the IP address type that you choose. When you configure
SGT in the list, identity can be a filter type.
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco
vManage Release 20.11.1, you can choose an IP address type as IPv4 or IPv6.
Based on the IP address type that you choose, the Type field displays the prefix
options.
18. Click Application List to configure a list of applications you want to include in the rule. An application
is subject to inspection, dropped, or allowed to pass, based on the application list you configure, and
the other filters that you set for the rule.
Note From Cisco IOS XE Catalyst SD-WAN Release 17.6.1a, and Cisco vManage Release 20.6.1, the applications
are attached directly to a rule the way other filters are. If configured as part of access control lists (ACLs),
they are attached to a class map along with the source and destination.
Configure Cisco SD-WAN Controller to Connect to Cisco ISE Using a CLI Template
For more information about using CLI templates, see CLI Add-On Feature Templates and CLI Templates.
This section provides sample CLI configurations to configure a Cisco SD-WAN Controller to connect to
Cisco ISE.
The following example shows how to configure a Cisco SD-WAN Controller connection to Cisco ISE:
identity
 pxgrid
  server-address <name>
  username <name>
  password <name>
  subscriptions {user-identity | sgt}
  domain-name <domain-name>
  vpn 0
Here is the complete configuration example that shows how to connect a Cisco SD-WAN Controller to Cisco
ISE:
identity
 pxgrid
  server-address 10.27.216.141
  user-name vIPtela_Inc_Regression_vsmart1644552134629
  password $8$TVGuJQn$8$TVG
  subscriptions user-identity
  domain-name SDWAN-IDENTITY.CISCO.COM
  vpn 0
 !
!
This section provides sample CLI configurations to configure an identity-based firewall policy:
The following example shows how to configure an identity-based firewall policy:
class-map type inspect match-any cm3
 match identity user-group source Engineering
 match identity user-group source Security
 match identity user source Jim
Here is the complete configuration example that shows how to configure a Cisco Catalyst SD-WAN
identity-based firewall on a Cisco IOS XE Catalyst SD-WAN device.
class-map type inspect match-any TestID
 match identity source user-group "SDWAN-IDENTITY.CISCO.COM/Users/Domain Users"
class-map type inspect match-all visFW-seq-1-cm_
 match access-group name visFW-seq-Rule_1-acl_
class-map type inspect match-all visFW-seq-11-cm_
 match class-map TestID
 match access-group name visFW-seq-Rule_2-acl_
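As an added example, not code from the Cisco guide, the following Python model shows how an edge device resolves identity matches such as match identity user-group source Engineering and match identity user source Jim against the IP-to-username and user-to-user-group bindings it receives from the Cisco Catalyst SD-WAN Controller, including the no-session case described under Troubleshooting and the 10,000 ip-user session limit of a 4 GB device. The addresses, usernames and group names in the demo are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class IdentityTable:
    """IP-user and user-usergroup bindings, as the controller distributes them over OMP."""
    ip_user: dict = field(default_factory=dict)      # "72.1.1.7" -> "alice@example.test"
    user_groups: dict = field(default_factory=dict)  # "alice@example.test" -> {"Engineering"}
    max_sessions: int = 10_000                       # ip-user session limit of a 4 GB device

    def add_session(self, ip, user, groups):
        """Record an ip-user session; a device at its platform limit cannot learn more."""
        key = str(ip_address(ip))
        if key not in self.ip_user and len(self.ip_user) >= self.max_sessions:
            raise OverflowError("ip-user session limit reached")
        self.ip_user[key] = user
        self.user_groups.setdefault(user, set()).update(groups)

    def identity_for_ip(self, ip):
        """Return (user, groups); (None, set()) when no session was learned for the address."""
        user = self.ip_user.get(str(ip_address(ip)))
        if user is None:
            return None, set()
        return user, self.user_groups.get(user, set())


@dataclass
class IdentityMatch:
    """One 'match identity {user | user-group} {source | destination} <value>' line."""
    kind: str        # "user" or "user-group"
    direction: str   # "source" or "destination"
    value: str


@dataclass
class InspectClassMap:
    """class-map type inspect {match-any | match-all} <name> with identity matches only."""
    name: str
    match_any: bool
    matches: list

    def classify(self, table, src_ip, dst_ip):
        results = []
        for m in self.matches:
            ip = src_ip if m.direction == "source" else dst_ip
            user, groups = table.identity_for_ip(ip)
            if m.kind == "user":
                results.append(user == m.value)
            else:
                results.append(m.value in groups)
        if not results:
            return False
        return any(results) if self.match_any else all(results)


def evaluate(policy, table, src_ip, dst_ip):
    """First matching class-map wins; the implicit class-default drops everything else."""
    for class_map, action in policy:
        if class_map.classify(table, src_ip, dst_ip):
            return class_map.name, action
    return "class-default", "drop"


def build_demo():
    """Constructed bindings plus the class-map 'cm3' from the CLI example above."""
    table = IdentityTable()
    table.add_session("72.1.1.7", "alice@example.test", {"Engineering"})
    table.add_session("72.1.1.8", "bob@example.test", {"Finance"})
    table.add_session("72.1.1.9", "Jim", {"Sales"})
    cm3 = InspectClassMap("cm3", match_any=True, matches=[
        IdentityMatch("user-group", "source", "Engineering"),
        IdentityMatch("user-group", "source", "Security"),
        IdentityMatch("user", "source", "Jim"),
    ])
    return table, [(cm3, "inspect")]


if __name__ == "__main__":
    table, policy = build_demo()
    # 72.1.1.10 has no learned session, so it falls to class-default and is dropped
    for src in ("72.1.1.7", "72.1.1.8", "72.1.1.9", "72.1.1.10"):
        print(src, table.identity_for_ip(src)[0], evaluate(policy, table, src, "10.0.0.5"))
```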
Monitor Cisco Catalyst SD-WAN Identity-Based Firewall Policy
For unified security policies, you can view the log data for security connection events. These events contain
log data of important information when a flow passes through various security features such as zone-based
firewall (ZBFW) and unified threat defense (UTD). The log data includes information about security policies
and rules about traffic or sessions, along with the associated port, protocol, or applications. See Monitor
Unified Logging Security Connection Events.
Monitor Cisco Catalyst SD-WAN Identity-Based Firewall Using the CLI
The following is a sample output from the show idmgr user-sessions command executed on Cisco SD-WAN
Controllers. The command output shows the user sessions learned from ISE.
Note Enable passive ID under external identity source while adding Active Directory (AD) to Cisco ISE to see the
user sessions from ISE and Cisco SD-WAN Manager.
--------------------------------------------------------------------------------------------
[email protected] 72.1.1.7 2022-02-18T13:00:54.372-05:00 Authenticated
The following is a sample output from the show idmgr omp ip-user-bindings command executed on Cisco
SD-WAN Controller. The command output shows the ip-user session bindings sent to Overlay Management
Protocol (OMP).
Device# show idmgr omp ip-user-bindings
The following is a sample output from the show idmgr omp user-usergroup-bindings command executed
on Cisco SD-WAN Controllers. The command output shows the user-user-group bindings sent to OMP.
Device# show idmgr omp user-usergroup-bindings
The following is a sample output from the show uidp statistics command executed on an edge device. The
command output shows the UIDP statistics.
Device# show uidp statistics
---------------------------------------
Add/Delete Stats
---------------------------------------
The following is a sample output from the show uidp user-group all command executed on an edge device.
The command output shows the UIDP user group information.
Device# show uidp user-group all
Total Usergroups : 12
-------------------------
SDWAN-IDENTITY.CISCO.COM/Builtin/Users
User Identity Groups:Employee
User Identity Groups:TestUserGroup-1
null
Unknown
sdwan-identity.cisco.com/S-1-5-32-545
S-1-5-21-787885371-2815506856-1818290038-513
SDWAN-IDENTITY.CISCO.COM/Users/Domain Users
cisco
eng
dev
mgmt
cEdge-identity#
cEdge-identity#sh uidp user-group us
cEdge-identity#sh uidp user ?
all Show all users info
ip Show user info by ip
name Show user info by user name
The following is a sample output from the show uidp user ip command executed on an edge device.
Device# show uidp user ip 10.1.1.7
----------------------------------------------------------------------------------------------------------------------------------
User Id  User Name            IP address  VRF  Usergroup  Usergroup Name
----------------------------------------------------------------------------------------------------------------------------------
1        [email protected]  72.1.1.7    0    1          SDWAN-IDENTITY.CISCO.COM/Builtin/Users
                                               5          Unknown
                                               6          sdwan-identity.cisco.com/S-1-5-32-545
                                               7          S-1-5-21-787885371-2815506856-1818290038-513
                                               8          SDWAN-IDENTITY.CISCO.COM/Users/Domain Users
The following is a sample output from the show idmgr omp ip-sgt-bindings command executed on a Cisco
SD-WAN Controller. The command output shows the SGT information by IP address.
Device# show idmgr omp ip-sgt-bindings
The following is a sample output from the show cts role-based sgt-map all command.
Device# show cts role-based sgt-map all
IP Address   VPN ID   SGT   Source
-------------------------------------
10.0.0.0     2        9     OMP
10.0.0.1     2        9     OMP
172.16.0.0   0        15    OMP
172.16.0.1   2        4     OMP
192.168.0.0  3        8     OMP
Problem
User traffic is dropped even though the policy should allow it.
Possible Causes
This issue arises when there are errors while configuring user sessions. Use the show commands to verify the
user session configuration both on the Cisco Catalyst SD-WAN Controller and on the Cisco IOS XE Catalyst
SD-WAN device. See Monitor Cisco Catalyst SD-WAN Identity-Based Firewall Using the CLI for the show
commands used to monitor the identity-based firewall policy.
Solution
Ensure that the user session information is available on the device for policy enforcement.
CHAPTER 6
Configure Geolocation-Based Firewall Rules for
Network Access
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature Name: Geolocation-Based Firewall Rules for Allowing or Denying Network Traffic Based on Geolocation
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, Cisco vManage Release 20.5.1
Description: This feature enables you to configure firewall rules for allowing or denying network traffic based
on the source and destination location instead of IP addresses. This feature adds a new object group, geo,
where you can specify countries and continents as objects in an Access Control List (ACL). An object group
ACL simplifies policy creation in large networks, especially if the ACL changes frequently. New object-group
and geo commands were added.
Overview of Geolocation-Based Firewall Rules
An object group can contain a single object or multiple objects. You can nest other geolocation object groups
using the group-object command.
Note You cannot configure nested geo object groups in Cisco SD-WAN Manager. You can configure nested geo
object groups using only the CLI.
Data packets are classified using geolocation-based firewall rules instead of using IP addresses. When
classifying the data packet, if a firewall rule has a geolocation-based filter, an IP address lookup occurs against
the geolocation database to determine which country or continent is associated with the IP address.
Use-Case Scenario
A client (192.168.11.10) in a local area network (LAN) initiates traffic over Dedicated Internet Access (DIA)
to destination IP addresses belonging to France (FRA) and Germany (GBR). As per the security firewall
policy, traffic to France should be inspected and traffic to Germany should be dropped.
Note After you have chosen a continent in a security firewall rule, all IP addresses belonging to that particular
continent code are inspected as part of the security firewall rule.
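A Python model of the classification path described in this overview and use case, added here as an example and not code from the Cisco guide: an IP lookup against the geolocation database yields a country, and object-group geo entries match by country, by continent, or through a nested group-object. The prefix-to-country database, the continent table, the group names and all sample addresses other than the client 192.168.11.10 are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the geo_ipv4_db file: prefix -> ISO country code.
GEO_DB = {
    ip_network("2.10.0.0/16"): "FRA",
    ip_network("81.2.0.0/16"): "GBR",
    ip_network("8.8.8.0/24"): "USA",
}
# Constructed country -> continent table.
CONTINENT = {"FRA": "EU", "GBR": "EU", "USA": "NA"}


def lookup_country(ip):
    """Longest-prefix lookup; returns None when the address is not in the database."""
    addr = ip_address(ip)
    best = None
    for net, code in GEO_DB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, code)
    return best[1] if best else None


class GeoObjectGroup:
    """object-group geo <name> with country, continent and nested group-object entries."""

    def __init__(self, name, countries=(), continents=(), nested=()):
        self.name = name
        self.countries = set(countries)      # country GBR
        self.continents = set(continents)    # continent EU (matches every country in it)
        self.nested = list(nested)           # group-object <other geo group> (CLI only)

    def matches(self, ip, _seen=None):
        seen = set() if _seen is None else _seen
        if self.name in seen:                # guard against a nesting loop in the config
            return False
        seen.add(self.name)
        country = lookup_country(ip)
        if country is None:                  # unknown address: no geo entry can match
            return False
        if country in self.countries or CONTINENT.get(country) in self.continents:
            return True
        return any(group.matches(ip, seen) for group in self.nested)


def classify(rules, src_ip, dst_ip):
    """rules: list of (source geo group or None, destination geo group or None, action).

    First matching rule wins; traffic matching no rule falls to class-default (drop).
    """
    for src_group, dst_group, action in rules:
        if src_group is not None and not src_group.matches(src_ip):
            continue
        if dst_group is not None and not dst_group.matches(dst_ip):
            continue
        return action
    return "drop"


def build_use_case():
    """Rule 1: destination FRA -> inspect; Rule 2: destination GBR -> drop."""
    fra = GeoObjectGroup("Rule_1-geo-dstn-og_", countries=["FRA"])
    gbr = GeoObjectGroup("Rule_2-geo-dstn-og_", countries=["GBR"])
    return [(None, fra, "inspect"), (None, gbr, "drop")]


if __name__ == "__main__":
    rules = build_use_case()
    for dst in ("2.10.1.1", "81.2.1.1", "8.8.8.8", "10.0.0.1"):
        print("192.168.11.10 ->", dst, lookup_country(dst), classify(rules, "192.168.11.10", dst))
```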
Prerequisites for Geo Object Groups
• You can add multiple geolocation lists or geolocations using a single policy.
• When you update a geo object group, all the policies that use that geo object group are automatically
updated.
Note An empty geo object group is a geo object group that does not contain any references to countries. To
empty a geo object group, you need to remove any references to countries within the geo object group.
• As long as a geo object group is in use inside the corresponding ACL or nested in another group, it can
neither be deleted nor emptied.
• A geo object group can be associated only with extended IPv4 ACLs and not with IPv4 standard ACLs.
Note You cannot configure both a fully qualified domain name (FQDN) and a geo as a source data prefix and as a
destination data prefix.
Configure Geolocation-Based Firewall Rules
Configure a Geolocation List Using Configuration > Security > Custom Options
1. From the Cisco SD-WAN Manager menu, choose Configuration > Security.
2. From the Custom Options drop-down menu, choose Lists.
3. Click Geo Location in the left pane.
4. Click New Geo Location List.
5. Enter a name for the geolocation list.
6. Choose one or more geolocations from the drop-down menu.
Note If you choose a continent, you cannot choose any of the countries that are part of the continent. If you want
to choose a list of countries, choose the appropriate countries from the list.
7. Click Add.
11. From the Geo Location drop-down menu, choose one or more locations.
12. Click Save.
13. Click Destination Data Prefix to add a destination geolocation list or new geolocations.
14. Repeat Step 9 through Step 12.
15. Click Save Firewall Policy to save the security firewall rule.
16. Click Save Policy Changes.
Here, geo_ipv4_db is the name of the geodatabase file downloaded from the Cisco.com path and copied
to the bootflash device or the hard disk.
5. Create a geo object group:
Device(config)# object-group geo GEO_1
Update the Geolocation Database Using the CLI
For more information on the CLI commands, see Cisco IOS XE SD-WAN Qualified Command Reference.
or
Device# copy tftp: bootflash:
Verify Geolocation-Based Firewall Rules Using the CLI
The following example shows how a geo object group is defined under an extended ACL that is used in a
security firewall class map:
ip access-list extended Zone1_to_Zone1-seq-Rule_1-acl_
 15 permit object-group Zone1_to_Zone1-seq-Rule_1-service-og_ object-group Zone1_to_Zone1-seq-Rule_1-network-src-og_ geo-group Zone1_to_Zone1-seq-Rule_1-geo-dstn-og_
!
ip access-list extended Zone1_to_Zone1-seq-Rule_2-acl_
!
object-group geo Zone1_to_Zone1-seq-Rule_2-geo-dstn-og_
 country GBR
!
object-group network Zone1_to_Zone1-seq-Rule_1-network-src-og_
 host 192.168.11.10
!
object-group service Zone1_to_Zone1-seq-Rule_1-service-og_
 ip
!
The following example shows that when a geolocation is chosen as part of a security firewall rule, either in a
source or a destination data prefix, from Cisco SD-WAN Manager, the geodatabase is added by default. If a
geolocation is removed, the geodatabase is removed from the rule.
class-map type inspect match-all Zone1_to_Zone1-seq-1-cm_
 match access-group name Zone1_to_Zone1-seq-Rule_1-acl_
!
class-map type inspect match-all Zone1_to_Zone1-seq-11-cm_
 match access-group name Zone1_to_Zone1-seq-Rule_2-acl_
!
The following is a sample output of the show policy-firewall config zone-pair command used for validating
geolocation configuration:
Device# show policy-firewall config zone-pair ZP_Zone1_Zone0_Zone1_to_Zone1
Zone-pair : ZP_Zone1_Zone0_Zone1_to_Zone1
  Source Zone : Zone1
  Destination Zone : Zone0
  Service-policy inspect : Zone1_to_Zone1
    Class-map : Zone1_to_Zone1-seq-1-cm_ (match-all)
      Match access-group name Zone1_to_Zone1-seq-Rule_1-acl_
        Extended IP access list Zone1_to_Zone1-seq-Rule_1-acl_
          15 permit object-group Zone1_to_Zone1-seq-Rule_1-service-og_ object-group Zone1_to_Zone1-seq-Rule_1-network-src-og_ geo-group Zone1_to_Zone1-seq-Rule_1-geo-dstn-og_
      Action : inspect
      Parameter-map : Default
    Class-map : Zone1_to_Zone1-seq-11-cm_ (match-all)
      Match access-group name Zone1_to_Zone1-seq-Rule_2-acl_
        Extended IP access list Zone1_to_Zone1-seq-Rule_2-acl_
          15 permit object-group Zone1_to_Zone1-seq-Rule_2-service-og_ object-group Zone1_to_Zone1-seq-Rule_2-network-src-og_ geo-group Zone1_to_Zone1-seq-Rule_2-geo-dstn-og_
      Action : drop log
      Parameter-map : Default
    Class-map : class-default (match-any)
      Match any
      Action : drop log
      Parameter-map : Default
The following is a sample output of the show policy-map type inspect zone-pair sessions command used
for verifying inspected and dropped traffic:
Device# show policy-map type inspect zone-pair sessions
Zone-pair: ZP_Zone1_Zone0_Zone1_to_Zone1
Service-policy inspect : Zone1_to_Zone1
Inspect
Established Sessions
Session ID 0x0000000A (192.168.11.10:8)=>(2.10.1.1:14780) icmp SIS_OPEN.
Created 00:00:03, Last heard 00
Bytes sent (initiator:responder) [224:168]
CHAPTER 7
Intrusion Prevention System
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature Name: Snort Engine Version Upgrade
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, Cisco Catalyst SD-WAN Manager Release 20.12.1
Description: This feature adds support for Snort engine version 3, which is an upgrade from version 2.
This feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices
on Cisco Catalyst SD-WAN. It is delivered using a virtual image on Cisco IOS XE Catalyst SD-WAN devices.
This feature uses the Snort engine to provide IPS and IDS functionalities.
Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threats
are detected on IP networks. It can also perform protocol analysis, content searching or matching, and detect
a variety of attacks and probes (such as buffer overflows).
• Overview of Intrusion Prevention System, on page 142
• Cisco Catalyst SD-WAN IPS Solution, on page 142
• Configure and Apply IPS or IDS, on page 143
• Modify an Intrusion Prevention or Detection Policy, on page 146
• Delete an Intrusion Prevention or Detection Policy , on page 146
• Monitor Intrusion Prevention Policy, on page 146
• Update IPS Signatures, on page 147
• Update IPS Signatures and Custom Signature Rules, on page 148
• Process Single Stream Large Session (Elephant Flow) by UTD, on page 153
• Configure Intrusion Prevention System for Unified Security Policy, on page 155
Overview of Intrusion Prevention System
Based on your requirements, you can enable Snort either in IPS or IDS mode. In IDS mode, the engine inspects
the traffic and reports alerts, but does not take any action to prevent attacks. In IPS mode, in addition to
intrusion detection, actions are taken to prevent attacks.
The Snort engine inspects the traffic and reports events to Cisco SD-WAN Manager or an external log server (if configured). External
third-party monitoring tools that support Snort logs can be used for log collection and analysis.
Note Options for downloading UTD signature packages out of band from Cisco.com
and uploading them to Cisco SD-WAN Manager or a remote server and options
for custom signatures are available from Cisco vManage Release 20.10.1 and
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a.
• Alert/Reporting server: Receives alert events from the Snort sensor. Alert events generated by the Snort
sensor can either be sent to Cisco SD-WAN Manager or an external syslog server or to both Cisco
SD-WAN Manager and an external syslog server. Cisco SD-WAN Manager events can be viewed in
Monitor > Events. No external log servers are bundled with the IPS solution.
Configure and Apply IPS or IDS
Configure Intrusion Prevention or Detection
• Security: Designed to provide more protection than Balanced but with an impact on performance.
This signature set blocks vulnerabilities with a CVSS score that is greater than or equal to 8. It also
blocks CVEs published in the last three years and that have the following rule categories: Malware
CNC, Exploit Kits, SQL Injection, blocked list, and App Detect Rules.
10. Choose mode of operation from the Inspection Mode drop-down menu. The following options are
available:
• Detection: Choose this option for intrusion detection mode
• Protection: Choose this option for intrusion protection mode
11. (Optional) From Advanced, choose one or more existing IPS signature lists or create new ones as needed
from the Signature Whitelist drop-down menu.
Choosing an IPS signature list allows the designated IPS signatures to pass through.
To create a new signature list, do the following:
a. Click New Signature List at the bottom of the drop-down. In IPS Signature List Name, enter a
list name consisting of up to 32 characters (letters, numbers, hyphens and underscores only).
b. In IPS Signature, enter signatures in the format Generator ID:Signature ID, separated with
commas. You also can use Import to add a list from an accessible storage location.
c. Click Save.
You also can create or manage IPS Signature lists by choosing Configuration > Security, and then
choosing Lists from Custom Options, and then choosing Signatures.
To remove an IPS Signature list from the Signature Whitelist field, click the X next to the list name
in the field.
12. (Optional) Choose an alert level for syslogs from the Alert Log Level drop-down menu. The options
are:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
You must configure the address of the external log server in the Policy Summary page.
13. Click Save Intrusion Prevention Policy to add an Intrusion Prevention policy.
14. Click Next until the Policy Summary page is displayed.
15. Enter Security Policy Name and Security Policy Description in the respective fields.
16. If you set an alert level when configuring the Intrusion Prevention policy, in the Additional Policy
Settings section, you must specify the following:
• External Syslog Server VPN: The syslog server should be reachable from this VPN.
• Server IP: IP address of the server.
• Failure Mode: Open or Close
Apply a Security Policy to a Device
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. From the Create Template drop-down list, choose From Feature Template.
4. From the Device Model drop-down list, choose one of the devices.
5. Click Additional Templates.
The Additional Templates section is displayed.
6. From the Security Policy drop-down list, choose the name of the policy you configured previously.
7. Click Create to apply the security policy to a device.
8. Click … next to the device template that you created.
9. Click Attach Devices.
10. Choose the devices to which you want to attach the device template.
11. Click Attach.
Note If you are migrating from older releases to Cisco IOS XE Release 17.2 or later with Application lists and the
zone-based firewall that is configured in Cisco SD-WAN Manager, you must first remove the security template
from the base template and push the base template. Thereafter, reattach the security template and then push
the template to the device.
Note When a Zone based firewall template is attached to a Cisco IOS XE Catalyst SD-WAN device running on
Cisco IOS XE Catalyst SD-WAN Release 17.6.1a or later, there may be an increase in time for completion
of tasks. This is due to the updates in the software version of Cisco vManage Release 20.6.1.
Monitor Intrusion Prevention Policy
To monitor the Signatures of IPS Configuration on a Cisco IOS XE Catalyst SD-WAN device:
1. From the Cisco SD-WAN Manager menu, choose Monitor > Devices.
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose Monitor >
Network.
2. In the left panel, under Security Monitoring, click Intrusion Prevention. The Intrusion Prevention
wizard displays.
3. Click By Severity or By Count to designate how you want to display intrusion prevention information.
Update IPS Signatures
Note To download the signatures, Cisco Catalyst SD-WAN Manager requires access to the following domains
using port 443:
• api.cisco.com
• cloudsso.cisco.com
• dl.cisco.com
• dl1.cisco.com
• dl2.cisco.com
• dl3.cisco.com
• download-ssc.cisco.com
1. From the Cisco SD-WAN Manager menu, choose Administration > Settings to configure IPS Signature
Update.
2. Click on Edit to Enable/Disable and provide your Cisco.com Username and Password details to save
the Policy details.
Update IPS Signatures and Custom Signature Rules
Feature Name: IPS Custom Signature and Offline Updates
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.10.1a, Cisco vManage Release 20.10.1
Description: This feature lets you download IPS signature packages for the Intrusion Prevention System (IPS) out-of-band from Cisco SD-WAN Manager and upload these packages to Cisco SD-WAN Manager or a remote server. Cisco SD-WAN Manager then distributes these IPS signature packages to the devices on your network. This feature also lets you upload a custom signature rules file to Cisco SD-WAN Manager or a remote server, which Cisco SD-WAN Manager then distributes and appends to the existing IPS signature package rules.
Configure IPS Custom Signature and Offline Updates
• dl.cisco.com
• dl1.cisco.com
• dl2.cisco.com
• dl3.cisco.com
• download-ssc.cisco.com
• If you enable IPS Signatures and choose the Remote Server or Local option, you must download a
separate IPS signature package for each Snort engine version that is used in your network.
You can download the latest IPS signature packages for your Snort engines from the following page.
The latest IPS signature package for each Snort engine is shown at the top left corner of this page.
https://software.cisco.com/download/home/284389362/type/286285292/release/
To determine the version of the Snort engine or engines that you are using, you can use the show utd
engine standard version command or check the UTD package filename.
For example, in the following output of the show utd engine standard version command, the Snort
engine version number is 2.9.18.1, so you should use the latest 29181 IPS signature package release:
Device# show utd engine standard version
IOS-XE Recommended UTD Version: 1.0.6_SV2.9.18.1_XE17.9
IOS-XE Supported UTD Regex: ^1\.0\.([0-9]+)_SV(.*)_XE17.9$
Similarly, in the following UTD package filename, the Snort engine version number is 2.9.18.1, so again
you should use the latest 29181 IPS signature package release:
secapp-utd.17.09.01a.1.0.6_SV2.9.18.1_XE17.9.x86_64.tar
• The IPS signature packages are updated approximately every 24 to 72 hours. If you enable IPS Signatures
and choose the Remote Server or Local option, we recommend that you check for new IPS signature
packages daily to ensure that the IPS signature packages that you are using are up to date.
• If you use an IPS signature package file on a remote server and the filename that Cisco SD-WAN Manager
points to includes the IPS signature package version, you must update the filename that Cisco SD-WAN
Manager points to each time a new IPS signature package is uploaded to the remote server, for each
Snort engine version used.
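As an added example (not code from the guide or from Cisco), the following Python helper pulls the Snort engine version out of a show utd engine standard version line or a UTD package filename, maps it to the signature package release tag the guide describes (2.9.18.1 to 29181), and works out which packages a fleet needs and whether the fleet mixes Snort 2 and Snort 3 engines (which rules out custom signatures). The Snort 3 version string is a constructed placeholder, not a real package version.

```python
import re
from typing import Iterable, List, Optional, Set

# The Snort engine version is embedded as _SV<version>_ both in the UTD
# version string shown by "show utd engine standard version" and in the
# UTD package filename, e.g. 1.0.6_SV2.9.18.1_XE17.9
SV_RE = re.compile(r"_SV(\d+(?:\.\d+)+)_")

# Values taken from the guide's own examples
SHOW_OUTPUT_LINE = "IOS-XE Recommended UTD Version: 1.0.6_SV2.9.18.1_XE17.9"
PACKAGE_FILENAME = "secapp-utd.17.09.01a.1.0.6_SV2.9.18.1_XE17.9.x86_64.tar"
# Constructed placeholder for a Snort 3 engine; not a real package version
SNORT3_VERSION_STRING = "1.0.8_SV3.1.47.0_XE17.12"


def snort_version_from_string(text: str) -> Optional[str]:
    """Return the Snort engine version (e.g. '2.9.18.1') found in a UTD
    version string, show output line or package filename, or None."""
    match = SV_RE.search(text)
    return match.group(1) if match else None


def signature_package_release(snort_version: str) -> str:
    """Release tag of the matching IPS signature package on the download
    page: the engine version with the dots removed (2.9.18.1 -> 29181)."""
    return snort_version.replace(".", "")


def snort_major_version(snort_version: str) -> int:
    """Snort 2 or Snort 3, which decides the custom rule format."""
    return int(snort_version.split(".", 1)[0])


def engine_versions(sources: Iterable[str]) -> List[str]:
    """Extract one engine version per source line or filename, failing
    loudly on anything that carries no _SV<version>_ marker."""
    versions = []
    for source in sources:
        version = snort_version_from_string(source)
        if version is None:
            raise ValueError(f"no Snort engine version found in {source!r}")
        versions.append(version)
    return versions


def packages_needed(sources: Iterable[str]) -> Set[str]:
    """The guide requires a separate signature package per Snort engine
    version in use, so collect the distinct release tags."""
    return {signature_package_release(v) for v in engine_versions(sources)}


def custom_signatures_supported(sources: Iterable[str]) -> bool:
    """A custom rules file must be in either Snort 2 or Snort 3 format, so
    a fleet mixing both engine generations cannot use custom signatures."""
    majors = {snort_major_version(v) for v in engine_versions(sources)}
    return len(majors) == 1


if __name__ == "__main__":
    fleet = [SHOW_OUTPUT_LINE, PACKAGE_FILENAME, SNORT3_VERSION_STRING]
    print("packages needed:", sorted(packages_needed(fleet)))
    print("custom signatures OK:", custom_signatures_supported(fleet))
```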
1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.
2. Click Edit in the UTD Snort Subscriber Signature row.
3. In the IPS Signature Download Interval Hours and Minute fields, enter how often Cisco SD-WAN
Manager attempts to download new IPS signature packages from Cisco.com.
This interval is also used for how often Cisco SD-WAN Manager has the devices attempt to download
the latest IPS signature package or packages and custom signature rules file from Cisco SD-WAN Manager
or the remote server or servers.
You can enter an interval from 2 hours to 24 hours. The default interval is 24 hours.
4. To enable the IPS signature package update, enable the IPS Signatures option, then click one of the
following radio buttons to specify how the IPS signature packages are distributed by Cisco SD-WAN
Manager:
• Cisco.com: Downloads IPS signature packages to Cisco SD-WAN Manager from Cisco.com, then
causes the devices to download the IPS signature packages from Cisco SD-WAN Manager. This
option requires that Cisco SD-WAN Manager has an internet connection.
In the Username and Password fields, enter your Cisco Connection Online username and password.
• Remote Server: Devices download the IPS signature packages from one or more remote servers
over a local network connection, not from Cisco SD-WAN Manager. We recommend that you use
this option to avoid Cisco SD-WAN Manager scaling issues.
From the Select Remote Server drop-down list, choose a remote server (you can use the Search
field to find a server), or click Add Remote Server to configure a new remote server.
If you click Add Remote Server, perform these actions:
a. Enter information for this server in the following fields:
Field: Image location prefix
Description: Path to the folder that contains the IPS signature package
b. Click Add and choose the server from the Select Remote Server drop-down list.
c. Click the Remote Server Details box that appears.
d. In the IPS Signature Filename field, enter the filename of the IPS signature package or the
symbolic link to this IPS signature package that is on the remote server.
e. In the IPS Signature Snort Version field, enter the Snort engine version of the IPS signature
package.
f. Click Add.
• Local: Uploads IPS signature packages from a local computer to Cisco SD-WAN Manager, then
causes the devices to download the IPS signature packages from Cisco SD-WAN Manager.
In the field that appears, click Choose Files and choose the IPS signature package, or drag and drop
an IPS signature package. Then click Add.
5. (Optional) To change the IPS signature filename or Snort engine version for an IPS signature package on
a remote server, perform the following actions.
Note If you are overwriting the filename or using a symbolic link for the file that Cisco SD-WAN Manager points
to, you do not need to perform this step each time a new IPS signature package is uploaded to the remote
server.
c. Click the server in the Remote Server Details box that appears.
d. In the IPS Signature Filename field, enter the name of the IPS signature package file that is on the
remote server.
e. In the IPS Signature Snort Version field, enter the Snort engine version of the IPS signature package.
f. Click Add.
6. To append custom signature rules to the current IPS signature package, enable Custom Signature, then
click one of the following radio buttons to specify the location of the custom signature rules file.
Starting from Cisco IOS XE Catalyst SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Manager
Release 20.12.1, the Snort engine version has been upgraded from version 2 to version 3.
The custom signature rules file must be a text file that contains rules in the appropriate Snort engine
version rule format, be no larger than 1 MB, and have the .txt or .rules extension. Each rule should use
the generator ID 1 or no generator ID (which defaults to 1), and the signature ID should be unique and
greater than 1000000.
Note Cisco does not provide support for writing custom signatures or resolving issues with custom signatures and
may request that you disable custom signatures before troubleshooting an issue.
Note Snort 2 and Snort 3 supported UTD versions cannot be used in combination with custom signatures since the
custom signatures rules must either be in Snort 2 or Snort 3 format.
• Remote Server: Devices download the custom signature rules file from one or more remote servers
over a local network connection, not from Cisco SD-WAN Manager. We recommend that you use
this option to avoid Cisco SD-WAN Manager scaling issues.
From the Select Remote Server drop-down list, choose a remote server (you can use the Search
field to find a server), or click Add Remote Server to configure a new remote server.
If you click Add Remote Server, perform these actions:
a. Enter information for this server in the configuration fields. These fields are the same as the ones
that are described for Add Remote Server in Step 4.
b. Click Add and choose the server from the Select Remote Server drop-down list.
c. Click the Remote Server Details box that appears.
d. In the Custom Signature Filename field, enter the name of the custom signature rules file that
is on the remote server.
e. Click Add.
• Local: Uploads a custom signature rules file from a local computer to Cisco SD-WAN Manager,
then causes the devices to download the custom signature rules file from Cisco SD-WAN Manager.
In the field that appears, click Choose Files and choose the custom signature rules file, or drag and
drop the custom signature rules file. Then click Add.
7. (Optional) To change the name of the custom signature rules file that is on a remote server, perform the
following actions.
Note If you are overwriting the filename or using a symbolic link for the file that Cisco SD-WAN Manager points
to, you do not need to perform this step each time a new custom signature rules file is uploaded to the remote
server.
8. If you are appending custom signature rules to the current IPS signature package, perform these actions
to enable custom signatures for a security policy:
a. From the Cisco SD-WAN Manager window, choose Configuration > Security.
b. Choose Custom Options > Policies/Profiles.
c. In the left panel, click Intrusion Prevention.
d. For the desired policy, click ... and choose Edit.
e. Under the Advanced options, enable Custom Signature Set for the custom rules to be appended.
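As an added example (not the guide's or Cisco's code), the following Python check enforces the custom signature rules file requirements from step 6 before the file is uploaded: .txt or .rules extension, at most 1 MB, generator ID 1 or absent, and signature IDs unique and greater than 1000000. SAMPLE_RULES is a constructed file; only the sid/gid options are parsed, not full Snort syntax.

```python
import os
import re
from typing import List

# Requirements the guide states for a custom signature rules file
MAX_FILE_BYTES = 1024 * 1024           # no larger than 1 MB
ALLOWED_EXTENSIONS = (".txt", ".rules")
MIN_CUSTOM_SID = 1000000               # signature ID must be greater than this
REQUIRED_GID = 1                       # generator ID 1, or absent (defaults to 1)

# sid:<n>; and gid:<n>; options in the rule body (same syntax in Snort 2 and 3)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed sample file: lines 2 and 3 are valid, lines 4 to 6 are not
SAMPLE_RULES = """\
# constructed sample custom rules
alert tcp any any -> any 80 (msg:"custom http probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"custom tls marker"; gid:1; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"sid too low"; sid:999; rev:1;)
alert tcp any any -> any 22 (msg:"duplicate sid"; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"wrong gid"; gid:3; sid:1000003; rev:1;)
"""


def validate_rules_text(text: str) -> List[str]:
    """Check the sid/gid requirements; returns a list of problems (empty
    means the text passed). Blank lines and '#' comments are skipped."""
    problems: List[str] = []
    seen_sids = {}  # sid -> first line number that used it
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if sid_match is None:
            problems.append(f"line {lineno}: rule has no sid option")
            continue
        sid = int(sid_match.group(1))
        if sid <= MIN_CUSTOM_SID:
            problems.append(
                f"line {lineno}: sid {sid} must be greater than {MIN_CUSTOM_SID}")
        if sid in seen_sids:
            problems.append(
                f"line {lineno}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = lineno
        gid_match = GID_RE.search(line)
        if gid_match is not None and int(gid_match.group(1)) != REQUIRED_GID:
            problems.append(
                f"line {lineno}: gid {gid_match.group(1)} is not {REQUIRED_GID}")
    return problems


def validate_file_attributes(filename: str, size_bytes: int) -> List[str]:
    """Check the extension and size limits without touching the filesystem."""
    problems: List[str] = []
    if not filename.lower().endswith(ALLOWED_EXTENSIONS):
        problems.append(f"{filename}: extension must be .txt or .rules")
    if size_bytes > MAX_FILE_BYTES:
        problems.append(f"{filename}: {size_bytes} bytes exceeds the 1 MB limit")
    return problems


def validate_rules_file(path: str) -> List[str]:
    """Full check of a rules file on disk before uploading it."""
    problems = validate_file_attributes(os.path.basename(path), os.path.getsize(path))
    with open(path, encoding="utf-8", errors="replace") as handle:
        problems.extend(validate_rules_text(handle.read()))
    return problems


if __name__ == "__main__":
    for problem in validate_rules_text(SAMPLE_RULES):
        print(problem)
```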
Process Single Stream Large Session (Elephant Flow) by UTD
Background Information
The result of any bandwidth speed testing website, or the output of any bandwidth measurement tool (for
example, iperf) might not exhibit the advertised throughput rating of a Cisco UTD deployment. Similarly, the
transfer of a very large file over any transport protocol does not demonstrate the advertised throughput rating
of a Cisco UTD deployment. It occurs because the UTD service does not use a single network flow in order
to determine its maximum throughput.
through the UTD container. It is expected that the routers with UTD are deployed on a corporate network,
usually near the border edge, and work with thousands of connections.
Depending on the UTD resource profile used, UTD uses load balancing of traffic to a number of different
Snort processes. Ideally, the system load balances traffic evenly across all of the Snort processes. Snort needs
to be able to provide proper contextual analysis for Next-Generation Firewall (NGFW), Intrusion Prevention
System (IPS) and Advanced Malware Protection (AMP) inspection. In order to ensure Snort is most effective,
all the traffic from a single flow is load balanced to one Snort instance. If all the traffic from a single flow
was not balanced to a single Snort instance, the system could be evaded and the traffic would split in such a
way that a Snort rule might be less likely to match or pieces of a file are not contiguous for AMP inspection.
Therefore, the load balancing algorithm is based on the connection information that can uniquely identify a
given connection.
Traffic is load balanced to Snort using a 3-tuple algorithm. The datapoints for this algorithm are:
• Source IP
• Destination IP
• VRF
Any traffic with the same source, destination, and VRF is load balanced to the same instance of Snort.
Total Throughput
The total throughput of a UTD deployment is measured based on the aggregate throughput of all the Snort
instances that work to their fullest potential. Industry standard practices in order to measure the throughput
are for multiple HTTP connections with various object sizes. For example, the Network Security Services
(NSS) NGFW test methodology measures total throughput of the device with 44k, 21k, 10k, 4.4k, and 1.7k
objects. These translate to a range of average packet sizes from around 1k bytes to 128 bytes because of the
other packets involved in the HTTP connection.
Different types of traffic, network protocols, sizes of the packets along with differences in the overall security
policy can all impact the observed throughput of the device.
Remediations
Configure a unified security policy so that trusted traffic can be exempted from UTD inspection to avoid any
latency during data transfer. For more information about configuring a unified security policy, see Unified
Security Policy.
Configure Intrusion Prevention System for Unified Security Policy
Note Target VPNs are not applicable for the intrusion prevention system used in a unified security policy. The
Policy Mode can only be set at time of creation and cannot be modified after the policy has been saved.
10. (Optional) From Advanced, choose one or more existing IPS signature lists or create new ones, as
needed, from the Signature Whitelist drop-down list.
Choosing an IPS signature list allows the designated IPS signatures to pass through.
To create a new signature list, do the following:
a. Click New Signature List at the bottom of the drop-down list.
b. In the IPS Signature List Name field, enter a list name of up to 32 characters (letters, numbers,
hyphens, and underscores only).
c. In the IPS Signature, enter signatures in the format Generator ID:Signature ID, separated by
commas. You also can click Import to add a list from an accessible storage location.
d. Click Save.
You also can create or manage IPS Signature lists by choosing Configuration > Security in the left
pane, choosing Lists from Custom Options at the top-right corner of the window, and then choosing
Signatures in the left pane.
To remove an IPS Signature list from the Signature Whitelist field, click X next to the corresponding
list name.
11. (Optional) Click Alert Log Level, and choose one of the following options:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
You configure the address of the external log server in the Policy Summary page.
12. Click Save Intrusion Prevention Policy.
CHAPTER 8
URL Filtering
The URL Filtering feature enables the user to provide controlled access to Internet websites or Intranet sites
by configuring the URL-based policies and filters on the device. The user can configure the URL Filtering
profiles to manage the web access. The URL Filtering feature is implemented using the security virtual image
similar to the IPS feature.
Note A NAT direct internet access route is necessary to implement URL Filtering.
URL Filtering can either allow or deny access to a specific URL based on:
• Allowed list and blocked list: These are static rules that let the user either allow or deny URLs.
If the same pattern is configured under both the allowed and blocked lists, the traffic is allowed.
• Category: URLs can be classified into multiple categories such as News, Social Media, Education, Adult
and so on. Based on the requirements, the user has the option to block or allow one or more categories.
• Reputation: Each URL has a reputation score associated with it. The reputation score range is from 0-100,
and it is categorized as: high-risk (0-20), suspicious (21-40), moderate-risk (41-60),
low-risk (61-80), and trustworthy (81-100). Based on the reputation score of a URL and the configuration,
a URL is either blocked or allowed.
When there is no allowed list or blocked list configured on the device, based on the category and reputation
of the URL, traffic is allowed or blocked using a block page. For HTTP(s), a block page is not displayed and
the traffic is dropped.
This section contains the following topics:
Overview of URL Filtering
Database Overview
By default, WAN Edge routers do not download the URL database from the cloud.
To enable the URL database download:
• prior to Cisco vManage Release 20.5, you must set the Resource Profile to High in the App-hosting
Security Feature Template.
• from Cisco vManage Release 20.5 onwards, you must enable Download URL Database on Device in
the App-hosting Security Feature Template.
Note The URL Filtering database is periodically updated from the cloud every 15 minutes.
Filtering Options
The URL Filtering allows you to filter traffic using the following options:
Category-Based Filtering
URLs can be classified into multiple categories such as News, Social Media, Education, Adult and so on.
Based on the requirements, the user has the option to block or allow one or more categories.
A URL may be associated with up to five different categories. If any of these categories match a configured
blocked category, then the request will be blocked.
Reputation-Based Filtering
In addition to category-based filtering, you can also filter based on the reputation of the URL. Each URL has
a reputation score associated with it. The reputation score range is from 0-100 and it is categorized as:
• High risk: Reputation score of 0 to 20
• Suspicious: Reputation score of 21 to 40
• Moderate risk: Reputation score of 41 to 60
• Low risk: Reputation score of 61 to 80
• Trustworthy: Reputation score of 81 to 100
When you configure a web reputation in Cisco SD-WAN Manager, you are setting a reputation threshold.
Any URL that scores at or below the threshold is blocked by URL filtering. For example, if you set the web reputation
to Moderate Risk in Cisco SD-WAN Manager, any URL that has a reputation score of 60 or lower
is blocked.
Based on the reputation score of a URL and the configuration, a URL is either blocked or allowed.
List-based Filtering
List-based filtering allows the user to control access by permitting or denying access based on allowed or
blocked lists. Here are some important points to note regarding these lists:
• URLs that are allowed are not subjected to any category-based filtering (even if they are configured).
• If the same item is configured under both the allowed and blocked list, the traffic is allowed.
• If the traffic does not match either the allowed or blocked lists, then it is subjected to category-based and
reputation-based filtering (if configured).
• You can consider using a combination of allowed and blocked pattern lists to design the filters. For
example, if you want to allow www\.foo\.com but also want to block other URLs such as www\.foo\.abc
and www\.foo\.xyz, you can configure www\.foo\.com in the allowed list and www\.foo\. in the blocked
list.
Note If you are using the www prefix in the allowed or blocked regex pattern, it can create a problem if the Server
Name Indicator (SNI) returned in the client message doesn't match. For example, you might want to allow
www\.foo\.com but the SNI is returned as foo.com only. We recommend not to include the www in the regex match.
For more information, see Regular Expression for URL Filtering and DNS Security, on page 395.
Cloud-Lookup
The Cloud-Lookup feature is enabled by default and is used to retrieve the category and reputation score of
URLs that are not available in the local database.
The category and reputation score of unknown URLs are returned as follows:
Name based URLs:
• Valid URL — corresponding category and reputation score is received.
• Unknown URL (new URL or unknown to the cloud) — category is 'uncategorized' and reputation score
is 40
• Internal URLs with proper domain name (for example, internal.abc.com) — category and reputation
score is based on the base domain name (abc.com from the example above).
• Completely internal URLs (for example, abc.xyz) — category is 'uncategorized' and reputation score is
40
IP based URLs:
• Public hosted IP — corresponding category and reputation score is received.
• Private IP like 10.<>, 192.168.<> — category is 'uncategorized' and reputation score is 100
• Non-hosted/Non-routable IP — category is 'uncategorized' and reputation score is 40
The Cloud-Lookup score is different from the on-box database for these URLs
(Unknown/Non-hosted/Non-routable/Internal URLs).
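As an added example (not the guide's or Cisco's code), the following Python model ties together the list-based, category-based and reputation-based filtering rules and the Cloud-Lookup defaults described in the sections above. KNOWN_URLS is a constructed stand-in for the URL database, EXAMPLE_POLICY uses the www\.foo\.com patterns from the guide with Web Categories in Block mode, and the 172.16/12 private range is not modelled because the guide lists only 10.x and 192.168.x.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Reputation bands from the guide; configuring a band sets a threshold equal
# to its upper bound, and any URL scoring at or below it is blocked.
REPUTATION_THRESHOLD = {
    "High Risk": 20,
    "Suspicious": 40,
    "Moderate Risk": 60,
    "Low Risk": 80,
    "Trustworthy": 100,
}
UNKNOWN_SCORE = 40        # Cloud-Lookup result for unknown / non-hosted URLs
PRIVATE_IP_SCORE = 100    # Cloud-Lookup result for 10.x and 192.168.x addresses
UNCATEGORIZED = "uncategorized"

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed stand-in for the URL database: host -> (categories, score)
KNOWN_URLS: Dict[str, Tuple[List[str], int]] = {
    "news.example": (["News"], 85),
    "social.example": (["Social Media", "Entertainment"], 70),
    "abc.com": (["Business"], 90),
    "203.0.113.10": (["Web Hosting"], 75),
}


@dataclass
class UrlFilterPolicy:
    web_reputation: str                      # key of REPUTATION_THRESHOLD
    blocked_categories: Set[str] = field(default_factory=set)
    allowed_patterns: List[str] = field(default_factory=list)   # regex patterns
    blocked_patterns: List[str] = field(default_factory=list)


def cloud_lookup(url: str) -> Tuple[List[str], int]:
    """Model the category and reputation Cloud-Lookup returns for a URL,
    following the cases listed in the guide."""
    host = url.split("/", 1)[0].lower()
    if IPV4_RE.match(host):
        if host in KNOWN_URLS:                             # public hosted IP
            return KNOWN_URLS[host]
        if host.startswith("10.") or host.startswith("192.168."):
            return [UNCATEGORIZED], PRIVATE_IP_SCORE       # private IP
        return [UNCATEGORIZED], UNKNOWN_SCORE              # non-hosted / non-routable
    if host in KNOWN_URLS:                                 # valid, known URL
        return KNOWN_URLS[host]
    labels = host.split(".")
    if len(labels) > 2:                                    # internal.abc.com -> abc.com
        base = ".".join(labels[-2:])
        if base in KNOWN_URLS:
            return KNOWN_URLS[base]
    return [UNCATEGORIZED], UNKNOWN_SCORE                  # unknown or fully internal


def _matches(patterns: List[str], url: str) -> bool:
    return any(re.search(pattern, url) for pattern in patterns)


def evaluate(url: str, policy: UrlFilterPolicy) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) using the precedence in the guide:
    allowed list (wins over the blocked list and skips category/reputation
    checks), then blocked list, then blocked categories, then reputation."""
    if _matches(policy.allowed_patterns, url):
        return "allow", "matched allowed list"
    if _matches(policy.blocked_patterns, url):
        return "block", "matched blocked list"
    categories, score = cloud_lookup(url)
    blocked_hit = sorted(set(categories) & policy.blocked_categories)
    if blocked_hit:                      # any of up to five categories blocked
        return "block", f"category {blocked_hit[0]} is blocked"
    threshold = REPUTATION_THRESHOLD[policy.web_reputation]
    if score <= threshold:
        return "block", f"reputation {score} is at or below {threshold}"
    return "allow", f"reputation {score} is above {threshold}"


# Policy built from the guide's list example plus a blocked category and a
# Moderate Risk reputation setting (threshold 60)
EXAMPLE_POLICY = UrlFilterPolicy(
    web_reputation="Moderate Risk",
    blocked_categories={"Social Media"},
    allowed_patterns=[r"www\.foo\.com"],
    blocked_patterns=[r"www\.foo\."],
)

if __name__ == "__main__":
    for url in ["www.foo.com/index", "www.foo.xyz", "news.example/today",
                "social.example", "internal.abc.com/wiki", "abc.xyz",
                "192.168.1.5/admin", "198.51.100.7", "203.0.113.10"]:
        print(url, evaluate(url, EXAMPLE_POLICY))
```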
Configure URL Filtering
1. From the Cisco SD-WAN Manager menu, choose Configuration > Security.
2. Click Add Security Policy. The Add Security Policy wizard opens, and various use-case scenarios are displayed.
3. In Add Security Policy, choose a scenario that supports URL filtering (Guest Access, Direct Internet Access, or Custom).
4. Click Proceed to add a URL filtering policy in the wizard.
5. In the Add Security Policy wizard, click Next until the URL Filtering window is displayed.
6. Click the Add URL Filtering Policy drop-down menu and choose Create New to create a new URL filtering policy. The URL filtering - Policy Rule Configuration wizard appears.
7. Click Target VPNs to add the required number of target service VPNs in the Add Target VPNs wizard.
8. Enter a policy name in the Policy Name field.
9. Choose one of the following options from the Web Categories drop-down:
• Block: Block websites that match the categories that you choose.
• Allow: Allow websites that match the categories that you choose.
10. Choose one or more categories to block or allow from the Web Categories list.
11. Choose a Web Reputation from the drop-down menu. The options are:
• High Risk: Reputation score of 0 to 20.
• Suspicious: Reputation score of 21 to 40.
• Moderate Risk: Reputation score of 41 to 60.
• Low Risk: Reputation score of 61 to 80.
• Trustworthy: Reputation score of 81 to 100.
12. (Optional) From Advanced, choose one or more existing lists or create new ones as needed from the Whitelist URL List or Blacklist URL List drop-down menu.
Note Items on the allowed lists are not subject to category-based filtering. However, items on the blocked lists are subject to category-based filtering. If the same item is configured under both the allowed and blocked lists, the traffic is allowed.
To remove a URL list from the URL List field, click the X next to the list name in the field.
13. (Optional) In the Block Page Server pane, choose an option to designate what happens when a user visits a URL that is blocked. Choose Block Page Content to display a message that access to the page has been denied, or choose Redirect URL to display another page.
If you choose Block Page Content, users see the content header Access to the requested page has been denied. In the Content Body field, enter text to display under this content header. The default content body text is Please contact your Network Administrator.
If you choose Redirect URL, enter a URL to which users are redirected.
14. (Optional) In the Alerts and Logs pane, choose the alert types from the following options:
• Blacklist: Exports an alert as a Syslog message if a user tries to access a URL that is configured in the blocked URL List.
• Whitelist: Exports an alert as a Syslog message if a user tries to access a URL that is configured in the allowed URL List.
• Reputation/Category: Exports an alert as a Syslog message if a user tries to access a URL that has a reputation that is configured as blocked in the Web Reputation field or that matches a blocked web category.
Alerts for allowed reputations or allowed categories are not exported as Syslog messages.
You can use the Look up URL or IP tool to validate how the URL Filtering feature classifies a website. The tool shows output only for the configured URL filtering alerts or events.
15. You must configure the address of the external log server in the Policy Summary page.
16. Click Save URL filtering Policy to add a URL filtering policy.
17. Click Next until the Policy Summary page is displayed.
18. Enter Security Policy Name and Security Policy Description in the respective fields.
19. If you enabled Alerts and Logs, in the Additional Policy Settings section you must specify the following:
• External Syslog Server VPN: The syslog server should be reachable from this VPN.
• Server IP: IP address of the server.
• Failure Mode: Open or Close.
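The allowed-list and blocked-list precedence described in the note under step 12, the category and reputation checks, the alert types of step 14, and the www/SNI caveat from the beginning of this section, as an added example that is not Cisco's code. The lookup result (category and reputation band) is passed in as constructed input, the regex lists are matched against the SNI from the client hello with re.search, and the syslog line format is invented for the example; the product's own matching semantics and message format are not documented on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class UrlFilteringPolicy:
    category_action: str                   # "block" or "allow" the chosen Web Categories
    categories: Set[str]
    blocked_reputations: Set[str]          # Web Reputation bands treated as blocked
    allow_patterns: List[str] = field(default_factory=list)   # Whitelist URL List (regex)
    block_patterns: List[str] = field(default_factory=list)   # Blacklist URL List (regex)
    alerts: Set[str] = field(default_factory=set)  # any of Blacklist, Whitelist, Reputation/Category


def first_match(patterns: List[str], sni: str) -> Optional[str]:
    """Return the first regex that matches the SNI, or None.
    The pattern is applied to the SNI the client actually sent, so a pattern that
    insists on a www prefix does not match a client that sends the bare domain."""
    for pattern in patterns:
        if re.search(pattern, sni):
            return pattern
    return None


def evaluate(policy: UrlFilteringPolicy, sni: str, category: str,
             band: str) -> Tuple[str, Optional[str]]:
    """Decide one request. Returns (verdict, alert_type); verdict is 'allow' or 'drop'.

    Precedence follows the configuration guide: an allowed-list hit exempts the
    host from category and reputation filtering and wins when the same host is
    also on the blocked list; a blocked-list hit drops the traffic (the page says
    such items stay subject to category filtering, which cannot make the result
    more permissive, so the verdict is drop either way).
    """
    if first_match(policy.allow_patterns, sni):
        return "allow", ("Whitelist" if "Whitelist" in policy.alerts else None)
    if first_match(policy.block_patterns, sni):
        return "drop", ("Blacklist" if "Blacklist" in policy.alerts else None)

    rep_alert = "Reputation/Category" if "Reputation/Category" in policy.alerts else None
    if band in policy.blocked_reputations:
        return "drop", rep_alert
    listed = category in policy.categories
    # Assumption for this example: in Allow mode, categories not on the list are
    # blocked. The page only states that the listed categories are allowed.
    blocked_by_category = listed if policy.category_action == "block" else not listed
    if blocked_by_category:
        return "drop", rep_alert
    return "allow", None      # allowed reputations and categories never raise an alert


def syslog_line(device: str, sni: str, verdict: str, alert: Optional[str]) -> Optional[str]:
    """Constructed syslog text for an exported alert (not the product's real format)."""
    if alert is None:
        return None
    return f"%URLF-4-ALERT: device={device} sni={sni} type={alert} action={verdict}"
```

Running evaluate with an allow pattern of www\.foo\.com against an SNI of foo.com falls through to category filtering, which is exactly the mismatch the note at the top of this section describes; the pattern foo\.com matches both forms.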
Apply a Security Policy to a Device
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. From the Create Template drop-down list, choose From Feature Template.
4. From the Device Model drop-down list, choose one of the devices.
5. Click Additional Templates.
The Additional Templates section is displayed.
6. From the Security Policy drop-down list, choose the name of the policy you configured previously.
7. Click Create to apply the security policy to a device.
8. Click … next to the device template that you created.
9. Click Attach Devices.
10. Choose the devices to which you want to attach the device template.
11. Click Attach.
Note If you are migrating from older releases to Cisco IOS XE Release 17.2 or later with Application lists and the
zone-based firewall that is configured in Cisco SD-WAN Manager, you must first remove the security template
from the base template and push the base template. Thereafter, reattach the security template and then push
the template to the device.
Note When a zone-based firewall template is attached to a Cisco IOS XE Catalyst SD-WAN device running Cisco IOS XE Catalyst SD-WAN Release 17.6.1a or later, there may be an increase in the time for completion of tasks. This is due to the updates in the software version of Cisco vManage Release 20.6.1.
3. For the desired policy you want to modify, click ... and choose Edit.
4. Modify the policy as required and click Save URL Filtering Policy.
Configure URL Filtering for Unified Security Policy
Note • Target VPNs are not applicable for the advanced malware protection used in a unified security policy.
• You can enable Policy Mode only when creating advanced malware protection policies. You cannot configure the unified mode once the policy is saved.
9. Choose one or more categories to block or allow from the Web Categories drop-down list.
10. Choose the Web Reputation from the drop-down list. The options are:
• High Risk: The Reputation score is between 0 and 20.
• Suspicious: The Reputation score is between 21 and 40.
• Moderate Risk: The Reputation score is between 41 and 60.
• Low Risk: The Reputation score is between 61 and 80.
• Trustworthy: The Reputation score is between 81 and 100.
11. (Optional) From Advanced, choose one or more existing lists or create new ones, as needed, from the Whitelist URL List or Blacklist URL List drop-down lists.
Note Items in the allowed lists are not subject to category-based filtering. However, items in the blocked lists are subject to category-based filtering. If the same item is configured under both the allowed and blocked lists, traffic is allowed.
You can also create or manage URL lists by choosing Configuration > Security, then choosing Lists from Custom Options in the top-right corner of the window, and then clicking Whitelist URLs or Blacklist URLs in the left pane.
To remove a URL list from the URL List field, click X next to the list name.
12. (Optional) In the Block Page Server pane, choose an option to designate what happens when a user visits a URL that is blocked.
If you click Block Page Content, users see the content header Access to the requested page has been denied. In the Content Body field, enter text to display under this content header. The default content body text is Please contact your Network Administrator.
If you click Redirect URL, enter a URL to which users are redirected.
13. (Optional) In the Alerts and Logs pane, choose an alert type:
• Blacklist: Exports an alert as a syslog message if a user tries to access a URL that is configured in the blocked URL List.
• Whitelist: Exports an alert as a syslog message if a user tries to access a URL that is configured in the Allowed URL List.
• Reputation/Category: Exports an alert as a syslog message if a user tries to access a URL that is configured as blocked in the Web Reputation field or that matches a blocked web category.
Alerts for allowed reputations or allowed categories are not exported as syslog messages.
14. Configure the address of the external log server in the Policy Summary page.
15. Click Save URL filtering Policy to add a URL filtering policy.
CHAPTER 9
Advanced Malware Protection
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
The Cisco Advanced Malware Protection (AMP) integration equips routing and Cisco Catalyst SD-WAN platforms to provide protection and visibility to cover all stages of the malware lifecycle:
• Before: Hardening the network border with firewall rules
• During: Blocking malware based on File Reputation and IPS Signatures
• After:
  • Using File Notifications to represent breaches that occurred;
  • Retrospectively detecting malware and providing automatic reporting;
  • Using advanced file analysis capabilities for detection and deeper insight into unknown files in a network
Release: Cisco SD-WAN 19.1
Description: Feature introduced. The Cisco Advanced Malware Protection (AMP) integration equips routing and Cisco Catalyst SD-WAN platforms to provide protection and visibility to cover all stages of the malware lifecycle.
Overview of Advanced Malware Protection
Note The maximum file size that will be inspected by AMP is 10 MB.
Note File Reputation supports the following file types: ACCDB, ALZ, AMF, AMR, ARJ, ASF, AUTORUN, BINARY_DATA, BINHEX, BMP, BZ, CPIO_CRC, CPIO_NEWC, CPIO_ODC, DICM, DMG, DMP, EGG, EICAR, ELF, EPS, FFMPEG, FLAC, FLIC, FLV, GIF, GZ, HLP, HWP, ICO, IMG_PCT, ISHIELD_MSI, ISO, IVR, JAR, JARPACK, JPEG, LHA, M3U, MACHO, MAIL, MAYA, MDB, MDI, MIDI, MKV, MNY, MOV, MP3, MP4, MPEG, MSCAB, MSCHM, MSOLE2, MSWORD_MAC5, MSZDD, MWL, NEW_OFFICE, NTHIVE, OGG, OLD_TAR, ONE, PCAP, PDF, PGD, PLS, PNG, POSIX_TAR, PSD, PST, RA, RAR, REC, REG, RIFF, RIFX, RIM, RMF, RPM, RTF, S3M, SAMI, SCRENC, SIS, SIT, SMIL, SWF, SYLKc, SYMANTEC, TIFF, TNEF, TORRENT, UUENCODED, VMDK, WAV, WEBM, WMF, WP, WRI, XLW, XPS, ZIP, ZIP_ENC, 7Z, 9XHIVE.
• File Analysis: The process of submitting an Unknown file to the Threat Grid (TG) cloud for detonation in a sandbox environment. During detonation, the sandbox captures artifacts and observes behaviors of the file, then gives the file an overall score. Based on the observations and score, Threat Grid may change the threat response to Clean or Malicious. Threat Grid's findings are reported back to the AMP cloud, so that all AMP customers will be protected against newly discovered malware. File Analysis supports a maximum file size of 10 MB.
Note File analysis requires a separate Threat Grid account. For information about purchasing a Threat Grid account, contact your Cisco representative.
• Retrospective: By maintaining information about files even after they are downloaded, we can report on files that were determined to be malicious after they were downloaded. The disposition of the files could change based on the new threat intelligence gained by the AMP cloud. This re-classification will generate automatic retrospective notifications.
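The File Reputation and Retrospective flow described above, as an added example that is not Cisco's code: a Python model that records the SHA-256 of each inspected file per device, enforces the 10 MB inspection limit and a supported-type gate, and, when the cloud re-classifies a hash, emits a retrospective notification to every device that already passed the file. The cloud database, device names, file bytes and the notification text are constructed for the example; the supported-type set is a subset of the list in the note above.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_INSPECT_BYTES = 10 * 1024 * 1024        # AMP inspects files up to 10 MB
# Subset of the File Reputation type list from the note above, enough for the example
SUPPORTED_TYPES = {"PDF", "ZIP", "ELF", "MSOLE2", "JAR", "EICAR"}


def digest_of(data: bytes) -> str:
    """SHA-256 of the file content; this is what File Reputation looks up."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class SeenFile:
    sha256: str
    file_type: str
    size: int
    disposition: str                        # "clean", "malicious" or "unknown"
    seen_by: Set[str] = field(default_factory=set)   # devices that forwarded the file


class AmpModel:
    """Constructed model of File Reputation plus Retrospective re-classification."""

    def __init__(self, cloud: Dict[str, str]):
        self.cloud = dict(cloud)            # sha256 -> disposition; stands in for the AMP cloud
        self.seen: Dict[str, SeenFile] = {}
        self.notifications: List[str] = []

    def inspect(self, device: str, data: bytes, file_type: str) -> str:
        """File Reputation check at download time. Returns the disposition, or a
        'skipped:' reason when the file is outside what AMP inspects."""
        if file_type not in SUPPORTED_TYPES:
            return "skipped:unsupported-type"
        if len(data) > MAX_INSPECT_BYTES:
            return "skipped:too-large"
        sha = digest_of(data)                # only the hash is sent to the cloud
        disposition = self.cloud.get(sha, "unknown")
        record = self.seen.setdefault(sha, SeenFile(sha, file_type, len(data), disposition))
        record.seen_by.add(device)
        return disposition                   # "malicious" means the transfer is blocked

    def update_intel(self, sha256: str, new_disposition: str) -> List[str]:
        """The cloud learns something new about a hash. Files already downloaded
        under the old disposition get a retrospective notification per device."""
        self.cloud[sha256] = new_disposition
        record = self.seen.get(sha256)
        emitted: List[str] = []
        if record is not None and record.disposition != new_disposition:
            old = record.disposition
            record.disposition = new_disposition
            for device in sorted(record.seen_by):
                emitted.append(f"RETROSPECTIVE device={device} sha256={sha256[:16]} "
                               f"{old}->{new_disposition} type={record.file_type}")
            self.notifications.extend(emitted)
        return emitted

    def exposed_devices(self, sha256: str) -> List[str]:
        """Devices that passed a file which is now known to be malicious."""
        record = self.seen.get(sha256)
        if record is None or record.disposition != "malicious":
            return []
        return sorted(record.seen_by)
```

The exposed_devices result is the list an incident responder wants first after a retrospective alert: every site where the file crossed the edge before the verdict changed.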
Configure and Apply an Advanced Malware Policy
Note A NAT direct internet access route is necessary to apply an Advanced Malware Protection policy.
Configure Threat Grid API Key
Step 1 Log in to your Cisco AMP Threat Grid dashboard, and choose your account details.
Step 2 Under your Account Details, an API key may already be visible if you have created one already. If you have not, click Generate New API Key.
Your API key should then be visible under User Details > API Key.
Step 3 From the Cisco SD-WAN Manager menu, choose Configuration > Security.
Step 4 In the Security screen, click the Custom Options drop-down menu and choose Threat Grid API Key.
Step 5 In the Manage Threat Grid API key dialog box, perform these steps:
a) Choose a region from the Region drop-down menu.
b) Enter the API key in the Key field.
c) Click Add.
d) Click Save Changes.
Configuring an Advanced Malware Protection Policy
Step 1 From the Cisco SD-WAN Manager menu, choose Configuration > Security.
Step 2 Click Add Security Policy. The Add Security Policy wizard opens and various use-case scenarios are displayed.
Step 3 In Add Security Policy, choose Direct Internet Access and then click Proceed.
Step 4 In the Add Security Policy wizard, click Next as needed to choose Advanced Malware Protection.
Step 5 From Advanced Malware Protection, click Add Advanced Malware Protection Policy in the drop-down menu.
Step 6 Choose Create New. The Add Advanced Malware Protection screen is displayed.
Step 7 In the Policy Name field, enter a name for the malware policy. The name can be up to 128 characters and can contain only alphanumeric characters.
Step 8 Ensure that Match All VPN is chosen if you want to apply the policy to all the VPNs, or choose Custom VPN Configuration to input the specific VPNs.
Step 9 From the AMP Cloud Region drop-down menu, choose a global region.
Step 10 From the Alerts Log Level drop-down menu, choose a severity level (Critical, Warning, or Info).
Note Because the Info severity level generates multiple notifications and can affect system performance, this level should be configured only for testing or debugging and not for real-time traffic.
Step 11 Click File Analysis to enable Threat Grid (TG) file analysis.
Note Before you can perform this step, configure a Threat Grid API key as described in Configure Threat Grid API Key.
Step 12 From the TG Cloud Region drop-down menu, choose a global region.
Note Configure the Threat Grid API Key by clicking Manage API Key or as described in Configure Threat Grid API Key.
Step 13 From the File Types List drop-down menu, choose the file types that you want to be analyzed.
Step 14 From the Alerts Log Level drop-down menu, choose a severity level (Critical, Warning, or Info).
Step 15 Click Target VPNs to choose the target service VPNs or all VPNs, and then click Add VPN.
Step 16 Click Save Changes. The Policy Summary screen is displayed.
Step 17 Click Next.
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. From the Create Template drop-down list, choose From Feature Template.
4. From the Device Model drop-down list, choose one of the devices.
5. Click Additional Templates.
The Additional Templates section is displayed.
6. From the Security Policy drop-down list, choose the name of the policy you configured previously.
7. Click Create to apply the security policy to a device.
8. Click … next to the device template that you created.
9. Click Attach Devices.
10. Choose the devices to which you want to attach the device template.
11. Click Attach.
Note If you are migrating from older releases to Cisco IOS XE Release 17.2 or later with Application lists and the
zone-based firewall that is configured in Cisco SD-WAN Manager, you must first remove the security template
from the base template and push the base template. Thereafter, reattach the security template and then push
the template to the device.
Note When a zone-based firewall template is attached to a Cisco IOS XE Catalyst SD-WAN device running Cisco IOS XE Catalyst SD-WAN Release 17.6.1a or later, there may be an increase in the time for completion of tasks. This is due to the updates in the software version of Cisco vManage Release 20.6.1.
Step 1 From the Cisco SD-WAN Manager menu, choose Monitor > Devices, and choose a device.
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose Monitor > Network, and
choose a device.
Step 2 Under Security Monitoring, click Advanced Malware Protection in the left pane.
To resolve this, an administrator must remove the file(s) identified as malware from the server, to enable a new session between the server and client.
Rekey the Device Threat Grid API Key
Step 1 From the Cisco SD-WAN Manager menu, choose Maintenance > Security.
Step 2 Click Advanced Malware Protection.
Step 3 Choose the device or devices that you want to rekey.
Step 4 Choose Action > API Rekey.
Note • Target VPNs are not applicable for the advanced malware protection used in a unified security policy.
• You can enable Policy Mode only when creating advanced malware protection policies. You cannot
configure the unified mode once the policy is saved.
Configure Advanced Malware Protection for Unified Security Policy
Note Because the Info severity level generates multiple notifications and can affect system performance, this level should be configured only for testing or debugging, and not for real-time traffic.
Note Before you can perform Step 10, configure a Threat Grid API key as described in Configure Threat Grid API Key.
File Analysis requires a separate Threat Grid license.
11. From the TG Cloud Region drop-down list, choose a global region.
Note Configure the Threat Grid API Key by clicking Manage API Key or as described in Configure Threat Grid API Key.
From the File Types List drop-down list, choose the file types that you want to be analyzed.
12. From the Alerts Log Level drop-down list, choose a severity level (Critical, Warning, or Info).
13. Click Save Advanced Malware Protection Policy.
CHAPTER 10
SSL/TLS Proxy for Decryption of TLS Traffic
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature: SSL/TLS Proxy
Release: Cisco IOS XE Catalyst SD-WAN Release 17.2.1r
Description: The SSL/TLS Proxy feature allows you to configure an edge device as a transparent SSL/TLS proxy. Such proxy devices can then decrypt incoming and outgoing TLS traffic to enable their inspection by Unified Threat Defense (UTD) and identify risks that are hidden by end-to-end encryption. This feature is part of the Cisco Catalyst SD-WAN Application Quality of Experience (AppQoE) and UTD solutions.
Information about SSL/TLS Proxy
Note TLS is the successor of SSL. This document uses the term TLS to refer to both SSL and TLS.
Today more and more apps and data reside in the cloud. As a result, the majority of internet traffic is encrypted. This may lead to malware remaining hidden and a lack of control over security. The TLS proxy feature allows you to configure edge devices as transparent TLS proxies. This feature has been integrated with Cisco Unified Threat Defense (UTD).
TLS proxy devices act as a man-in-the-middle (MitM) to decrypt encrypted TLS traffic traveling across the WAN, and send it to UTD for inspection. TLS Proxy thus allows devices to identify risks that are hidden by end-to-end encryption over TLS channels. The data is re-encrypted after inspection before being sent to its final destination.
Note If there is a delay in determining the decrypt status of the flow, the UTD configuration for fail-decrypt is exercised.
Role of Certificate Authorities in TLS Proxy
In the subsequent sections, we have listed the benefits and limitations of each of the supported CA options to help you make an informed decision about choosing the CA for TLS proxy.
Enterprise CA
Use this option to manage issuing certificates through an Enterprise CA or your own internal CA. For an Enterprise CA that does not support Simple Certificate Enrollment Protocol (SCEP), manual enrollment is required. Manual enrollment involves downloading a Certificate Signing Request (CSR) for your device, getting it signed by your CA, and then uploading the signed certificate to the device through Cisco SD-WAN Manager.
Benefits:
• Can use your existing enterprise CA and certificate management infrastructure for monitoring the usage, expiry, and validity of certificates
• The client trust-store need not be updated
• Provides a single location for managing all certificates issued
• Certificates can be revoked and tracked through your own CA
Limitations:
• Maintenance creates an administrative overload.
• Manual certificate deployment is required for TLS proxy
• Out-of-band management is required for tracking the usage and expiry of certificates
• Requires manual re-issuance of expired proxy certificates
• If an enterprise CA certificate is revoked or compromised, all certificates it issued are invalidated
Benefits:
• Can use your existing enterprise CA and certificate management infrastructure for monitoring the usage, expiry, and validity of certificates
• The client trust-store need not be updated
• Provides a single location for managing all certificates issued
• Certificates can be revoked and tracked through your own CA
• Certificate deployment to TLS Proxy can be automated
Limitations:
• Maintenance creates an administrative overload.
• If an enterprise CA certificate is revoked or compromised, all certificates it issued are invalidated
• Offers limited visibility through Cisco SD-WAN Manager
• Enterprise CAs have limited support for SCEP
Table 32: Cisco SD-WAN Manager as Intermediate CA: Benefits and Limitations
Supported Devices and Device Requirements
Cisco IOS XE Catalyst SD-WAN Release 17.2.1r:
• Cisco 4331 Integrated Services Router (ISR 4331)
• Cisco 4351 Integrated Services Router (ISR 4351)
• Cisco 4431 Integrated Services Router (ISR 4431)
• Cisco 4451 Integrated Services Router (ISR 4451)
• Cisco 4461 Integrated Services Router (ISR 4461)
• Cisco CSR 1000v Cloud Services Router (CSR1000v)
Cisco IOS XE Catalyst SD-WAN Release 17.3.2:
• Cisco Catalyst 8300 Series Edge Platforms
Cisco IOS XE Catalyst SD-WAN Release 17.4.1a:
• Cisco Catalyst 8000V Edge Software
• Cisco Catalyst 8200 Series Edge Platforms
Supported Cipher Suites
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Configure Cisco IOS XE Catalyst SD-WAN Devices as TLS Proxy
Task Flow: Set Up TLS Proxy with Cisco SD-WAN Manager as CA or Cisco SD-WAN Manager as Intermediate CA
If you configure Cisco SD-WAN Manager as CA or Cisco SD-WAN Manager as Intermediate CA to enable TLS proxy on your devices, go through the following steps to complete the TLS proxy setup.
Configure CA for TLS Proxy
Figure 6: Use Cisco SD-WAN Manager (vManage) as CA or Cisco SD-WAN Manager (vManage) as Intermediate CA to Configure TLS Proxy on a Device
The subsequent topics provide a step-by-step procedure to complete the configuration of a Cisco IOS XE Catalyst SD-WAN device as SSL/TLS Proxy.
Configure Enterprise CA
Configure Enterprise CA to issue subordinate CA certificates to the proxy device at the edge of the network.
Note When you configure the TLS/SSL proxy feature, the trust point allows only two certificates: the root certificate and the certificate signed by the root certificate. You cannot upload a certificate chain.
Note If Enterprise CA is configured with SCEP, the Enterprise SCEP CA server should be reachable from the transport VPN (VPN 0).
Note This step concludes configuring enterprise CA. However, you must complete steps 8, 9, and 10 to complete setting up the device as TLS proxy.
Configure Cisco SD-WAN Manager as CA
Note Leave the Set vManage as Intermediate CA check box unchecked if you want to set vManage as CA.
3. Enter the requested details: Common Name, Organization, Organizational Unit, Locality, State/Province,
Country Code, and Email.
4. Choose the certificate validity period from the drop-down list.
5. Click Save Certificate Authority.
6. Click the Download option on the vManage as CA page to download the root certificate generated.
7. Import the downloaded certificate into your client's trustStore as a trusted root CA.
Note This step concludes configuring Cisco SD-WAN Manager as CA. However, you must complete steps 8, 9,
and 10 to complete setting up a device as TLS proxy.
Note The process to get a CSR signed by a CA server may differ from one CA to another. Follow your standard
procedure to get a CSR signed by your CA.
8. Click Next.
9. In the Intermediate Certificate text box, paste the content of the signed Cisco SD-WAN Manager
certificate, and click Upload.
OR
Click Select a file and upload the CSR generated in the previous step, and click Upload.
10. Verify that the fingerprint, which auto-populates after you upload the CSR, matches your CA certificate.
11. Click Save Certificate Authority.
Note This step concludes configuring Cisco SD-WAN Manager as intermediate CA. However, you must complete steps 12 and 13 to complete the configuration for setting up a device as TLS proxy.
Configure SSL Decryption
To configure SSL decryption through a security policy, use the Cisco SD-WAN Manager security configuration wizard:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Security.
2. Click Add Security Policy. The Add Security Policy wizard opens, and various use-case scenarios are
displayed.
3. In Add Security Policy, choose a scenario that supports the TLS/SSL Decryption feature (Compliance,
Guest Access, Direct Cloud Access, Direct Internet Access, or Custom).
4. Click Proceed to add an SSL decryption policy in the wizard.
5. • If this is the first time you're creating a TLS/SSL decryption policy, then you must create and apply
a policy to the device before creating security policies that can use a security policy (such as
Intrusion Prevention, URL Filtering, or Advanced Malware Protection). In the Add Security Policy
wizard, click Next until the TLS/SSL Decryption screen is displayed.
• If you want to use TLS/SSL decryption along with other security features such as Intrusion
Prevention, URL Filtering, or Advanced Malware Protection, add those features as described in
this book. Once you've configured those features, click Next until the TLS/SSL Decryption screen
is displayed.
6. Click the Add TLS/SSL Decryption Policy drop-down menu and choose Create New to create a new
SSL decryption policy. The TLS/SSL Decryption Policy Configuration wizard appears.
7. Ensure that SSL Decryption is Enabled.
8. In the Policy Name field, enter the name of the policy.
9. Click Add Rule to create a rule.
The New Decryption Rule window is displayed.
Note For branch-to-branch and branch-to-data center traffic scenarios that support service nodes, the SSL decryption
security policy must be applied in a way that prevents the SSL flow from being inspected on both the devices.
10. Choose the order for the rule that you want to create.
11. In the Name field, enter the name of the rule.
12. You can choose to decrypt traffic based on Source / Destination (similar to firewall rules) or based on Applications (similar to URL filtering rules).
• If you choose Source / Destination, enter any of the following conditions:
• Source VPNs
• Source Networks
• Source Ports
• Destination VPNs
• Destination Networks
• Destination Port
• Application/Application Family List
13. (Optional) To configure advanced settings such as server certificate checks, minimum TLS version, and so on, expand Advanced Settings.
Note By default, Cisco SD-WAN Manager configures the default values for each advanced setting. If you change any of these settings, it may affect the behaviour of the decryption security policies.
• Under the Server Certificate Checks section, you can configure the following:
Expired Certificate: Defines what the policy should do if the server certificate is expired. Options: Drop the traffic; Decrypt the traffic.
Untrusted Certificate: Defines what the policy should do if the server certificate is not trusted. Options: Drop the traffic; Decrypt the traffic.
Unknown Revocation Status: Defines what the policy should do if the OCSP revocation status is unknown. Options: Drop the traffic; Decrypt the traffic.
• Under the Proxy Certificate Attributes section, you can configure the following:
RSA Keypair Modules: Defines the Proxy Certificate RSA key modulus. Options: 1024 bit RSA; 2048 bit RSA; 4096 bit RSA.
Cisco Catalyst SD-WAN Security Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x
189
SSL/TLS Proxy for Decryption of TLS Traffic
Configure SSL Decryption
• Under the Unsupported Mode Checks section, you can configure the following:
Unsupported Protocol Versions Defines what the policy should • Drop the traffic
do if an unsupported protocol
version is detected. • No Decrypt: The proxy
does not decrypt this
traffic.
Unsupported Cipher Suites Defines what the policy should • Drop the traffic
do if unsupported cipher suites
are detected. • No Decrypt: The proxy
does not decrypt this
traffic.
Failure Mode Defines what the policy should • Close: Sets the mode as
do in the case of a failure. fail-close
• Open: Sets the mode as
fail-open.
Certificate Bundle Defines whether the policy You can choose or not choose
should use the default CA this option. If you do not
certificate bundle or not choose this option, the Custom
Certificate Bundle option
appears and you must upload a
certificate by clicking Select a
file.
Note If you choose to
use or update a
custom certificate
bundle for SSL
decryption, ensure
that the same
certificate bundle
is used across all
devices in the
network that have
SSL decryption
enabled.
Cisco Catalyst SD-WAN Security Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x
190
SSL/TLS Proxy for Decryption of TLS Traffic
Apply a Security Policy to an Cisco IOS XE Catalyst SD-WAN Device
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
b. From the Create Template drop-down menu, choose From Feature Template.
c. From the Device Model drop-down menu, choose one of the devices.
d. In the Template Name field, enter a name for the device template. This field is mandatory and can
contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores
(_). It cannot contain spaces or any other characters.
e. In the Description field, enter a description for the device template. This field is mandatory, and it
can contain any characters and spaces.
f. Continue with Step 4.
4. Click Additional Templates located directly beneath the Description field. The screen scrolls to the
Additional Templates section.
5. From the Security Policy drop-down menu, choose the name of the security policy you configured in the
above procedure.
6. Click Create (for a new template) or Update (for an existing template).
Upload a Subordinate CA Certificate to TLS Proxy
Note This procedure is applicable only if you configure the Enterprise CA for TLS proxy.
Important Ensure that the certificate you generate is a subordinate or an intermediate CA certificate. The procedure to
generate a subordinate CA certificate may differ from one enterprise CA to another. The certificate generated
in this step must have its constraint set as CA: TRUE.
Cisco IOS CA can’t be used for the TLS proxy feature as it doesn’t support generating a certificate with the
constraint set as CA: TRUE.
Verify Configuration
Use the following commands to verify the configuration for TLS proxy.
• show sdwanrunning: In Cisco SD-WAN Manager, run this command in CLI mode to verify if your
configuration is applied.
• show sdwan running-config: In Cisco SD-WAN Manager, run this command by connecting to the
device CLI through SSH.
• show crypto pki status: On your device CLI, run this command to verify that the PROXY-SIGNING-CA
is present and configured correctly on the device.
• show sslproxy statistics: On your device CLI, run this command to view TLS proxy statistics.
• show sslproxy status: On your device CLI, run this command to verify whether TLS proxy was
successfully configured and is enabled on Cisco SD-WAN Manager.
In the output below, Clear Mode: FALSE denotes that TLS proxy was successfully configured and
enabled on Cisco SD-WAN Manager.
Configuration
-------------
CA Cert Bundle : /bootflash/vmanage-admin/sslProxyDefaultCAbundle.pem
CA TP Label : PROXY-SIGNING-CA
Cert Lifetime : 730
EC Key type : P256
RSA Key Modulus : 2048
Cert Revocation : NONE
Expired Cert : drop
Untrusted Cert : drop
Unknown Status : drop
Unsupported Protocol Ver : drop
Unsupported Cipher Suites : drop
Failure Mode Action : close
Min TLS Ver : TLS Version 1.1
Status
------
SSL Proxy Operational State : RUNNING
TCP Proxy Operational State : RUNNING
Clear Mode : FALSE
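As an added example, not code from the guide, the following Python parses the show sslproxy status output above and predicts what the proxy does with one server connection from the Expired Cert, Untrusted Cert, Unknown Status, Unsupported Protocol Ver, Unsupported Cipher Suites, Failure Mode Action, Min TLS Ver and Clear Mode values; the order in which the checks are applied, the ServerConnection fields and the decision names are assumptions of the example.

```python
"""Added example, not from the Cisco guide: read 'show sslproxy status' and predict the
TLS proxy's action for one server-side connection from the configured policy values."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed from the 'show sslproxy status' output quoted in the guide.
SAMPLE_STATUS = """\
Configuration
-------------
CA Cert Bundle : /bootflash/vmanage-admin/sslProxyDefaultCAbundle.pem
CA TP Label : PROXY-SIGNING-CA
Cert Lifetime : 730
EC Key type : P256
RSA Key Modulus : 2048
Cert Revocation : NONE
Expired Cert : drop
Untrusted Cert : drop
Unknown Status : drop
Unsupported Protocol Ver : drop
Unsupported Cipher Suites : drop
Failure Mode Action : close
Min TLS Ver : TLS Version 1.1
Status
------
SSL Proxy Operational State : RUNNING
TCP Proxy Operational State : RUNNING
Clear Mode : FALSE
"""


def parse_sslproxy_status(text: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines into a dict; section titles and rules are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def parse_tls_version(label: str) -> Tuple[int, int]:
    """'TLS Version 1.1' -> (1, 1), so versions compare as tuples."""
    match = re.search(r"(\d+)\.(\d+)", label)
    if not match:
        raise ValueError(f"unrecognised TLS version label: {label!r}")
    return int(match.group(1)), int(match.group(2))


@dataclass
class ServerConnection:
    """Observed properties of one server-side handshake (constructed input, not device data)."""
    tls_version: Tuple[int, int]
    cipher_supported: bool = True
    cert_expired: bool = False
    cert_trusted: bool = True
    revocation_status_known: bool = True


def proxy_decision(cfg: Dict[str, str], conn: ServerConnection,
                   proxy_healthy: bool = True) -> str:
    """Return 'decrypt', 'drop', 'no-decrypt' (passed through uninspected) or 'clear-mode'."""
    # Clear Mode TRUE means the policy is not active on the device: nothing is intercepted.
    if cfg.get("Clear Mode", "TRUE").upper() != "FALSE":
        return "clear-mode"
    # Failure Mode Action decides what happens when the proxy itself cannot inspect.
    if not proxy_healthy:
        return "drop" if cfg.get("Failure Mode Action") == "close" else "no-decrypt"
    # Assumed order: the unsupported-mode checks run before the certificate is examined.
    if conn.tls_version < parse_tls_version(cfg["Min TLS Ver"]):
        return "drop" if cfg["Unsupported Protocol Ver"] == "drop" else "no-decrypt"
    if not conn.cipher_supported:
        return "drop" if cfg["Unsupported Cipher Suites"] == "drop" else "no-decrypt"
    # Server certificate checks: each is configured as 'drop' or 'decrypt'; any drop wins.
    checks = (
        (conn.cert_expired, "Expired Cert"),
        (not conn.cert_trusted, "Untrusted Cert"),
        (not conn.revocation_status_known, "Unknown Status"),
    )
    for triggered, key in checks:
        if triggered and cfg[key] == "drop":
            return "drop"
    return "decrypt"
```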
• show platform hardware qfp active feature utd config: On your device CLI, run this command to
verify the UTD data plane configuration. For more information on this command, see the Qualified
Command Reference.
• show sdwan running-configuration | section utd-tls-decrypt: On your device CLI, run this command
to verify the UTD data plane configuration.
• show utd engine standard config: On your device CLI, run this command to verify the UTD service
plane configuration.
• show utd engine standard status: On your device CLI, run this command to verify the UTD service
plane configuration.
Monitor TLS Proxy Performance
5. Based on your choice, the information displays. Additional information is displayed in tabular format.
• Network Policy: You can view the traffic information for an applied network policy.
• URL Policy: You can view the traffic information of a URL policy.
• Time Range: Choose to view the information for a specified time range (1h, 3h, 6h, and so on) or
click Custom to define a time range.
Revoke and Renew Certificates
Note Revoking the certificate through Cisco SD-WAN Manager only removes the certificate from the device and
invalidates the private key. You also need to revoke this certificate from your Enterprise CA.
Revoke and Renew: To revoke the existing certificate and upload a new one to replace it, click
Revoke and Renew. To renew a certificate after revoking it, see steps 6-11 in the Renew Certificate
section of this topic.
Renew Certificate
1. From the Cisco SD-WAN Manager menu, choose Configuration > Certificates.
Cisco SD-WAN Manager as CA or Cisco SD-WAN Manager as Intermediate CA
Important Ensure that the certificate you generate is a subordinate or an intermediate CA certificate. The procedure to
generate a subordinate CA certificate may differ from one enterprise CA to another. The certificate generated
in this step must have its constraint set as CA: TRUE.
Cisco IOS CA can’t be used for the TLS proxy feature as it doesn’t support generating a certificate with the
constraint set as CA: TRUE.
Configure TLS/SSL Decryption Policy for Unified Security Policy
Note Configuring a TLS/SSL Decryption policy is mandatory in a unified security policy, especially if you choose
to use the TLS action as Decrypt while creating an advanced inspection profile.
To configure TLS/SSL Decryption for a unified security policy, perform the following steps:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Security.
2. Click Custom Options.
3. Click Policies/Profiles.
4. Click TLS/SSL Decryption in the left pane.
5. Click Add TLS/SSL Decryption Policy, and choose Create New.
6. Ensure that SSL Decryption is set to Enabled.
7. Click Policy Mode to enable the unified mode. This implies that you are creating a TLS/SSL Decryption
policy for use in the unified security policy.
8. Enter a policy name in the Policy Name field.
9. (Optional) To configure advanced settings such as server certificate checks, minimum TLS version,
and so on, expand Advanced Settings.
Note By default, Cisco SD-WAN Manager configures the default values for each advanced setting. If you change
any of these settings, it may affect the behaviour of the decryption security policies. The Policy Mode can
only be set at time of creation and cannot be modified after the policy has been saved.
Expired Certificate: Defines what the policy should do if the server certificate has expired. Drop the traffic by clicking Drop, or decrypt the traffic by clicking Decrypt.
Untrusted Certificate: Defines what the policy should do if the server certificate is not trusted. Drop the traffic by clicking Drop, or decrypt the traffic by clicking Decrypt.
Unknown Revocation Status: Defines what the policy should do if the OCSP revocation status is unknown. Drop the traffic by clicking Drop, or decrypt the traffic by clicking Decrypt.
RSA Keypair Modulus: Defines the proxy certificate RSA key modulus. Options: 1024 bit RSA, 2048 bit RSA, or 4096 bit RSA.
Unsupported Protocol Versions: Defines what the policy should do if an unsupported protocol version is detected. Drop the traffic by clicking Drop, or click No Decrypt so that the proxy does not decrypt this traffic.
Unsupported Cipher Suites: Defines what the policy should do if unsupported cipher suites are detected. Drop the traffic by clicking Drop, or click No Decrypt so that the proxy does not decrypt this traffic.
Failure Mode: Defines what the policy should do in case of a failure. Close sets the mode as fail-close; Open sets the mode as fail-open.
Certificate Bundle: Defines whether the policy should use the default CA certificate bundle or not. You can choose or not choose this option. If you do not choose this option, the Custom Certificate Bundle option appears and you must upload a certificate by clicking Select a file.
Note The Policy Mode can only be set at time of creation and cannot be modified after the policy has been saved.
Configure TLS/SSL Profile for Unified Security Policy
CHAPTER 11
Cisco Umbrella Integration
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
The Cisco Catalyst SD-WAN Umbrella Integration feature enables cloud-based security service by inspecting
the Domain Name System (DNS) query that is sent to the DNS server through the device. The security
administrator configures policies on the Umbrella portal to either allow or deny traffic towards the fully
qualified domain name (FQDN). The router acts as a DNS forwarder on the network edge, transparently
intercepts DNS traffic, and forwards the DNS queries to the Umbrella cloud.
• Overview of Cisco Catalyst SD-WAN Umbrella Integration, on page 201
• Restrictions for Umbrella Integration, on page 204
• Prerequisites for Umbrella Integration, on page 205
• Configure Umbrella API Token, on page 205
• Configure Cisco Umbrella Registration, on page 206
• Define Domain Lists, on page 206
• Configure Umbrella DNS Policy Using Cisco SD-WAN Manager, on page 207
• Attach DNS Umbrella Policy to Device Template, on page 208
• Upload Umbrella Root Certificates, on page 209
• Umbrella Integration Using CLI, on page 209
• DNS Security Policy Configuration, on page 221
• Monitor Umbrella Feature, on page 223
Overview of Cisco Catalyst SD-WAN Umbrella Integration
is for a local domain, it forwards the query without changing the DNS packet to the DNS server in the enterprise
network. If it is for an external domain, it adds an Extended DNS (EDNS) record to the query and sends it to
Umbrella Resolver. An EDNS record includes the device identifier information, organization ID and client
IP. Based on this information, Umbrella Cloud applies different policies to the DNS query.
The Umbrella Integration cloud, based on the policies configured on the portal and the reputation of the DNS
Fully Qualified Domain Name (FQDN) may take one of the following actions:
• If FQDN is found to be malicious or blocked by the customized Enterprise Security policy, then the IP
address of the Umbrella Cloud's blocked landing page is returned in the DNS response. This is called a
blocked list action at Umbrella Cloud.
• If FQDN is found to be non-malicious, then the IP address of the content provider is returned in the DNS
response. This is called an allowed list action at Umbrella Cloud.
• If the FQDN is suspicious, then the intelligent proxy unicast IP addresses are returned in the DNS
response. This is referred to as grey list action at Umbrella Cloud.
When the DNS response is received, the device forwards the response back to the host. The host will extract
the IP address from the response and send the HTTP / HTTPS requests to this IP.
Note: The intelligent proxy option has to be enabled in the Umbrella dashboard for the Umbrella Resolver to
return the intelligent proxy unicast IP addresses in the DNS response when an attempt is made to access the
domains in the grey list.
Handling HTTP and HTTPS Traffic
With Cisco Catalyst SD-WAN Umbrella Integration, HTTP and HTTPS client requests are handled in the
following ways:
• If the Fully Qualified Domain Name (FQDN) in the DNS query is malicious (falls under blocked domains),
Umbrella Cloud returns the IP address of the blocked landing page in the DNS response. When the HTTP
client sends a request to this IP, Umbrella Cloud displays a page that informs the user that the requested
page was blocked and the reason for blocking the page.
• If the FQDN in the DNS query is non-malicious (falls under allowed-listed domains), Umbrella Cloud
returns the IP address of the content provider. The HTTP client sends the request to this IP address and
gets the desired content.
• If the FQDN in the DNS query falls under grey-listed domains, Umbrella Resolver returns the unicast
IP addresses of the intelligent proxy in the DNS response. All HTTP traffic from the host to the grey domain
is proxied through the intelligent proxy and undergoes URL filtering.
One potential limitation of using intelligent proxy unicast IP addresses is that the data center may go down
while the client is sending traffic to the intelligent proxy unicast IP address. In this scenario, a client has
completed DNS resolution for a domain that falls under the grey list, and the client's HTTP/(S) traffic is being
sent to one of the obtained intelligent proxy unicast IP addresses. If that data center is down, the client has
no way of knowing it.
The Umbrella Connector does not act on the HTTP and HTTPS traffic. The connector does not redirect any
web traffic or alter any HTTP/(S) packets.
Encrypting the DNS Packet
The DNS packet sent from the device to the Umbrella Integration server must be encrypted if the EDNS information
in the packet contains information such as user IDs, internal network IP addresses, and so on. When the DNS
response is sent back from the DNS server, the device decrypts the packet and forwards it to the host. You can
encrypt DNS packets only when the DNSCrypt feature is enabled on the device.
The device uses the following Anycast recursive Umbrella Integration servers:
• 208.67.222.222
• 208.67.220.220
• 2620:119:53::53
• 2620:119:35::35
Restrictions for Umbrella Integration
• A maximum of 64 local domains can be configured under the bypass list, and the allowed domain name
length is 100 characters.
• Data-policy based NAT and Umbrella DNS redirect interoperability is not supported. If NAT for internet
bound traffic is configured through a data policy instead of a default NAT route in the service VPN, for
Umbrella DNS redirection, you must create a rule to match the DNS request and then set the action as
umbrella redirect. The data policy rule created for DNS redirect must be configured before the NAT rule
in the sequence.
• Umbrella redirection does not work with DNS sent over TCP. Only UDP is supported.
• The Cisco Umbrella configuration may enforce IP address restrictions for the Service VPN configurations.
If you do not follow the guidelines, the configuration may result in traffic loss. For additional information
about Cisco Umbrella configuration, see the Cisco Umbrella SIG User Guide.
Prerequisites for Umbrella Integration
Configure Cisco Umbrella Registration
Feature Name: Auto-registration for Cisco Umbrella Cloud Services
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.2.1r
Description: This feature adds the ability to register devices to Cisco Umbrella using the Smart Account
credentials to automatically retrieve Umbrella credentials (organization ID, registration key, and secret).
This offers a more automatic alternative to manually copying a registration token from Umbrella.
Use this procedure to configure Cisco Umbrella registration globally for all devices. The procedure retrieves
the Umbrella registration parameters automatically.
When configuring individual policies, it is also possible to configure Umbrella registration, but it can be
managed more flexibly using the following procedure:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Security.
2. Click Custom Options and choose Umbrella Registration.
3. In the Manage Umbrella Registration dialog box, use one of the following methods to register devices
to Umbrella. The registration details are used globally.
• Cisco Umbrella Registration Key and Secret
a. Click the Get Keys to retrieve Umbrella registration parameters automatically: Organization ID,
Registration Key, and Secret.
b. (Optional) If the Umbrella keys have been rotated and the details that are automatically retrieved
are incorrect, enter the details manually.
c. Click Save Changes.
Configure Umbrella DNS Policy Using Cisco SD-WAN Manager
7. If you are creating a new policy using the Create New option, the DNS Security - Policy Rule
Configuration wizard is displayed.
8. Enter a policy name in the Policy Name field.
9. The Umbrella Registration Status displays the status of the API Token configuration.
10. Click Manage Umbrella Registration to add a token, if you have not added one already.
11. Click Match All VPN to keep the same configuration for all the available VPNs, and continue with Step
13. Or, click Custom VPN Configuration if you need to add target service VPNs to your policy. A Target
VPNs window appears; continue with the next step.
12. To add target service VPNs, click Target VPNs at the top of the window.
13. Click Save Changes to add the VPN.
14. From the Local Domain Bypass List drop-down list, choose the domain bypass.
15. Configure DNS Server IP from the following options:
• Umbrella Default
• Custom DNS
16. Click Advanced to enable or disable DNSCrypt. By default, DNSCrypt is enabled.
17. Click Save DNS Security Policy.
The Configuration > Security window is displayed, and the DNS policy list table includes the newly
created DNS Security Policy.
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you
can select Child Org ID from the dropdown when a parent Org ID of a multi-org tenant is added to the SIG
Credentials.
Add DNS Security Policy: From the Add DNS Security Policy drop-down list, select Create New to create a new DNS Security Policy. Copy from Existing: Choose a policy from the Policy field, enter a policy name, and click Copy.
Umbrella Registration Status: Displays the status of the API Token configuration.
Match All VPN: Click Match All VPN to keep the same configuration for all the available VPNs.
Custom VPN Configuration: Choose Custom VPN Configuration to input the specific VPNs.
Attach DNS Umbrella Policy to Device Template
Upload Umbrella Root Certificates
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
4. Click Save.
Cisco SD-WAN Manager pushes the certificates to all devices that support an Umbrella root certificate.
Umbrella Integration Using CLI
• The local domain bypass list is global, and each VRF can enable or disable it.
If enabled, the DNS packet is matched against the local domain list.
Sample configuration:
Device# config-transaction
Device(config)# parameter-map type umbrella global
Device(config-profile)#?
parameter-map commands:
dnscrypt Enable DNSCrypt
exit Exit from parameter-map
local-domain Local domain processing
no Negative or set default values of a command
public-key DNSCrypt provider public key
registration-vrf Cloud facing vrf
resolver Anycast address
token Config umbrella token
udp-timeout Config timeout value for UDP sessions
vrf Configure VRF
Per-VRF options are available under the vrf submode:
Device(config)# parameter-map type umbrella global
Device(config-profile)#vrf 9
Device(config-profile-vrf)#?
vrf options:
dns-resolver DNS resolver address
exit Exit from vrf sub mode
match-local-domain Match local-domain list(if configured)
no Negate a command or set its defaults
The following table captures the per-VRF DNS packet behavior (VRF, dns-resolver, match-local-domain):
VRF 9: dns-resolver 8.8.8.8, match-local-domain Yes
VRF 19: dns-resolver 8.8.8.8, match-local-domain No
VRF 29: dns-resolver umbrella, match-local-domain Yes
VRF 39: dns-resolver umbrella, match-local-domain No
Note The VRFs must be preconfigured. For example, the VRFs 9,19, 29, 39 are preconfigured in the above example.
For more information, see Regular Expression for URL Filtering and DNS Security, on page 395.
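As an added example, not code from the guide, the following Python models the per-VRF handling described above: the vrf table, the bypass-list limits from the Restrictions section (64 entries of at most 100 characters), the UDP-only restriction, and the EDNS record and DNSCrypt encryption that the Overview describes for queries sent to the Umbrella resolver. The sample bypass entries, the use of anchored (fullmatch) regex matching, and the assumption that queries sent to a custom dns-resolver carry no EDNS record are this example's own.

```python
"""Added example, not from the Cisco guide: decide where a DNS query leaving a VRF is
sent under 'parameter-map type umbrella global' and whether it is tagged and encrypted."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Limits stated in the Restrictions section of the guide.
MAX_LOCAL_DOMAINS = 64
MAX_DOMAIN_LEN = 100


@dataclass
class VrfDnsConfig:
    """One 'vrf <id>' sub-mode: the dns-resolver and whether match-local-domain is set."""
    dns_resolver: str         # 'umbrella' or a custom resolver such as '8.8.8.8'
    match_local_domain: bool


# Constructed from the per-VRF table in the guide (VRFs 9, 19, 29 and 39).
VRF_TABLE: Dict[int, VrfDnsConfig] = {
    9: VrfDnsConfig("8.8.8.8", True),
    19: VrfDnsConfig("8.8.8.8", False),
    29: VrfDnsConfig("umbrella", True),
    39: VrfDnsConfig("umbrella", False),
}


@dataclass
class DnsDecision:
    forwarded_to: str   # where the query is sent
    edns_added: bool    # Umbrella EDNS record (device id, org id, client IP) attached?
    dnscrypt: bool      # query encrypted with DNSCrypt?


def compile_local_domains(entries: List[str]) -> List["re.Pattern"]:
    """Validate the bypass list against the documented limits and compile the regexes."""
    if len(entries) > MAX_LOCAL_DOMAINS:
        raise ValueError(f"{len(entries)} bypass entries; the limit is {MAX_LOCAL_DOMAINS}")
    for entry in entries:
        if len(entry) > MAX_DOMAIN_LEN:
            raise ValueError(f"bypass entry longer than {MAX_DOMAIN_LEN} characters: {entry!r}")
    return [re.compile(entry, re.IGNORECASE) for entry in entries]


def handle_query(vrf_id: int, qname: str, transport: str,
                 vrfs: Dict[int, VrfDnsConfig], local_domains: List["re.Pattern"],
                 dnscrypt_enabled: bool = True) -> DnsDecision:
    """Decide where a query for `qname` from VRF `vrf_id` goes and how it is tagged."""
    cfg = vrfs[vrf_id]
    # Restriction from the guide: redirection applies to UDP only; TCP DNS is left alone.
    if transport.upper() != "UDP":
        return DnsDecision("original destination (TCP is not redirected)", False, False)
    # Local-domain bypass: forwarded unchanged to the enterprise DNS server.
    # fullmatch() is an assumption of this example; an unanchored search would also let
    # 'www.cisco.com.example.net' bypass Umbrella. Note that an unescaped '.' in an entry
    # matches any single character, so entries should be written deliberately.
    name = qname.rstrip(".")
    if cfg.match_local_domain and any(p.fullmatch(name) for p in local_domains):
        return DnsDecision("enterprise DNS (local-domain bypass)", False, False)
    if cfg.dns_resolver == "umbrella":
        # External domain: the EDNS record is added and the query goes to the anycast
        # resolver, encrypted when DNSCrypt is enabled (the default).
        return DnsDecision("Umbrella anycast resolver", True, dnscrypt_enabled)
    # Custom dns-resolver: assumed here to receive the query without an EDNS record or
    # DNSCrypt, since the guide describes both only for the Umbrella resolver.
    return DnsDecision(cfg.dns_resolver, False, False)
```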
Public-key
Public-key is used to download the DNSCrypt certificate from Umbrella Integration cloud. This value is
preconfigured to
B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
which is the public-key of Umbrella Integration Anycast servers. If there is a change in the public-key and if
you modify this command, then you have to remove the modified command to restore the default value. If
you modify the value, the DNSCrypt certificate download may fail.
DNSCrypt
DNSCrypt is an encryption protocol that authenticates communications between the device and Umbrella
Integration. When parameter-map type umbrella is configured, DNSCrypt is enabled by default on all WAN
interfaces: a certificate is downloaded, validated, and parsed, and a shared secret key is then negotiated and
used to encrypt the DNS queries. Every hour, the certificate is automatically downloaded again and checked
for an update, and a new shared secret key is negotiated to encrypt the DNS queries.
To disable DNSCrypt, use the no dnscrypt command and to re-enable DNSCrypt, use the dnscrypt command.
When DNSCrypt is used, DNS request packets are larger than 512 bytes. Ensure that these packets
are allowed through the intermediary devices; otherwise, the response may not reach the intended recipients.
Sample umbrella dnscrypt notifications:
Device# show sdwan umbrella dnscrypt
DNSCrypt: Enabled
Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
Certificate Update Status:
Last Successfull Attempt: 08:46:32 IST May 21 2018
Certificate Details:
Certificate Magic : DNSC
Major Version : 0x0001
Minor Version : 0x0000
Query Magic : 0x714E7A696D657555
Serial Number : 1517943461
Start Time : 1517943461 (00:27:41 IST Feb 7 2018)
End Time : 1549479461 (00:27:41 IST Feb 7 2019)
Server Public Key : 240B:11B7:AD02:FAC0:6285:1E88:6EAA:44E7:AE5B:AD2F:921F:9577:514D:E226:D552:6836
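As an added example, not code from the guide, the following Python parses a DNSCrypt provider certificate into the fields that show sdwan umbrella dnscrypt reports (magic, major and minor version, query magic, serial, start and end time, server public key) and checks its validity window. The certificate layout follows the public DNSCrypt protocol specification; the sample certificate is constructed from the values in the output above with a placeholder signature, and the Ed25519 signature is not verified here.

```python
"""Added example, not from the Cisco guide: parse a DNSCrypt provider certificate into
the fields 'show sdwan umbrella dnscrypt' reports and check its validity window."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

CERT_MAGIC = b"DNSC"
# DNSCrypt certificate layout (DNSCrypt protocol specification), all big-endian:
#   cert-magic(4) es-version(2) minor-version(2) signature(64)
#   resolver-pk(32) client-magic(8) serial(4) ts-start(4) ts-end(4) [extensions...]
_LAYOUT = struct.Struct(">4sHH64s32s8sIII")


@dataclass
class DnsCryptCert:
    es_version: int        # shown as 'Major Version' (1 = X25519-XSalsa20Poly1305)
    minor_version: int
    signature: bytes       # Ed25519 over the fields that follow it; not verified here
    resolver_pk: bytes     # 'Server Public Key'
    client_magic: bytes    # 'Query Magic', prefixed to every encrypted query
    serial: int
    ts_start: int
    ts_end: int

    def is_valid_at(self, ts: int) -> bool:
        """The router must refresh the certificate before ts_end (it re-checks hourly)."""
        return self.ts_start <= ts <= self.ts_end

    def window(self) -> str:
        return f"{_utc(self.ts_start)} .. {_utc(self.ts_end)}"


def _utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def colon_groups(data: bytes) -> str:
    """Hex as 16-bit groups, the way the router prints keys (B735:1140:...)."""
    return ":".join(f"{data[i]:02X}{data[i + 1]:02X}" for i in range(0, len(data), 2))


def from_colon_groups(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_dnscrypt_cert(blob: bytes) -> DnsCryptCert:
    """Structural checks only: before the certificate is trusted, its Ed25519 signature
    must be verified with the provider public-key (the B735:... value in the guide)."""
    if len(blob) < _LAYOUT.size:
        raise ValueError(f"certificate too short: {len(blob)} bytes, need {_LAYOUT.size}")
    magic, es, minor, sig, pk, cmagic, serial, start, end = _LAYOUT.unpack_from(blob)
    if magic != CERT_MAGIC:
        raise ValueError(f"bad certificate magic {magic!r}")
    if es not in (1, 2):
        raise ValueError(f"unsupported es-version {es}")
    if start > end:
        raise ValueError("ts-start is after ts-end")
    return DnsCryptCert(es, minor, sig, pk, cmagic, serial, start, end)


def build_sample_cert() -> bytes:
    """Constructed certificate carrying the values from the guide's show output (serial,
    query magic, validity window, server public key); the signature is a zero placeholder."""
    return _LAYOUT.pack(
        CERT_MAGIC, 1, 0, b"\x00" * 64,
        from_colon_groups("240B:11B7:AD02:FAC0:6285:1E88:6EAA:44E7:"
                          "AE5B:AD2F:921F:9577:514D:E226:D552:6836"),
        bytes.fromhex("714E7A696D657555"),
        1517943461, 1517943461, 1549479461,
    )
```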
Router(config-ipv4)# exit-address-family
Router(config-vrf)# commit
Commit complete.
Router(config-vrf)# exit
Router(config)# parameter-map type umbrella global
Router(config-profile)# vrf 2
Router(config-profile-vrf)# dns-resolver 8.8.8.8
Router(config-profile-vrf)# no match-local-domain-to-bypass
Router(config-profile-vrf)# commit
Commit complete.
Router(config-profile-vrf)# end
Router#sh umbrella config
Umbrella Configuration
========================
Token: AAC1A2555C11B2B798FFF3AF27C2FB8F001CB7B2
OrganizationID: 1882034
Local Domain Regex parameter-map name: NONE
DNSCrypt: Enabled
Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
UDP Timeout: 5 seconds
Resolver address:
1. 208.67.220.220
2. 208.67.222.222
3. 2620:119:53::53
4. 2620:119:35::35
Registration VRF: default
VRF List:
1. VRF 1 (ID: 1)
DNS-Resolver: umbrella
Match local-domain-to-bypass: Yes
2. VRF 2 (ID: 3)
DNS-Resolver: 8.8.8.8
Match local-domain-to-bypass: No
4. VRF 39 (ID: 3)
DNS-Resolver: umbrella
Match local-domain: No
The VRF list output shows both the VRF name and its ID. The ID here is the VRF ID reported by show vrf detail:
Device# show vrf detail | inc VRF Id
VRF 19 (VRF Id = 1); default RD <not set>; default VPNID <not set>
VRF 29 (VRF Id = 2); default RD <not set>; default VPNID <not set>
VRF 39 (VRF Id = 3); default RD <not set>; default VPNID <not set>
VRF 9 (VRF Id = 4); default RD <not set>; default VPNID <not set>
2.39
Tag : vpn39
Device-id : 010a1a2e1989da19
Description : De
sdwan
interface Tunnel100001
tunnel-options tunnel-set secure-internet-gateway-umbrella tunnel-dc-preference primary-dc
source-interface GigabitEthernet0/0/0
exit
interface Tunnel100002
tunnel-options tunnel-set secure-internet-gateway-umbrella tunnel-dc-preference secondary-dc
source-interface GigabitEthernet0/0/0
exit
interface Tunnel100001
no shutdown
ip unnumbered GigabitEthernet0/0/0
no ip clear-dont-fragment
ip tcp adjust-mss 1300
ip mtu 1400
tunnel source GigabitEthernet<#/#/#>
tunnel destination dynamic
tunnel mode ipsec ipv4
tunnel protection ipsec profile if-ipsec1-ipsec-profile
tunnel vrf multiplexing
tunnel route-via GigabitEthernet<###> mandatory
exit
interface Tunnel100002
no shutdown
ip unnumbered GigabitEthernet0/0/0
no ip clear-dont-fragment
ip tcp adjust-mss 1300
ip mtu 1400
tunnel source GigabitEthernet<#/#/#>
tunnel destination dynamic
tunnel mode ipsec ipv4
tunnel protection ipsec profile if-ipsec2-ipsec-profile
tunnel vrf multiplexing
Umbrella show commands at FP Layer
208.67.222.222
2620:119:35::35
2620:119:53::53
Dnscrypt Info:
public_key:
A5:BA:18:C5:59:70:67:94:E5:37:38:33:06:F9:63:83:39:86:82:E4:00:F5:D8:BE:C1:AA:77:4A:4C:BA:64:00
magic_key: 71 4E 7A 69 6D 65 75 55
serial number: 1517943461
ProfileID DeviceID Mode Resolver Local-Domain Tag
------------------------------------------------------------------------------
0 OUT False
4 IN 8.8.8.8 True vpn9
1 IN 8.8.8.8 False vpn19
2 010a9b2b0d5cb21f IN 208.67.220.220 True vpn29
3 010a1a2e1989da19 IN 208.67.220.220 False vpn39
The show platform software umbrella f0 local-domain command displays the local domain list.
Device# show platform software umbrella f0 local-domain
01. www.cisco.com
02. .*amazon.com
03. .*.salesforce.com
Umbrella show commands at CPP Layer
Mode : OUT
06 VirtualPortGroup0 :
Mode : OUT
07 VirtualPortGroup1 :
Mode : OUT
08 GigabitEthernet1 :
Mode : OUT
09 GigabitEthernet2 :
Mode : OUT
12 GigabitEthernet5 :
Mode : OUT
Umbrella Data-Plane show commands
padding err: 0
nonce err: 0
flow bypass: 0
disabled: 0
flow not enc: 0
DCA statistics:
dca match success: 0
dca match failure: 0
The show platform hardware qfp active feature umbrella datapath memory command displays CFT
information.
Device# show platform hardware qfp active feature umbrella datapath memory
==Umbrella Connector CFT Information==
CFT inst_id 0 feat id 0 fo id 0 chunk id 4
==Umbrella Connector Runtime Information==
umbrella init state 0x4
umbrella dsa client handler 0x2
The show platform hardware qfp active feature umbrella datapath runtime command displays internal
information, for example the key index used for DNSCrypt.
Device# show platform hardware qfp active feature umbrella datapath runtime
udpflow_ageout: 5
ipv4_count: 2
ipv6_count: 2
ipv4_index: 0
ipv6_index: 0
Umbrella IPv4 Anycast Address
IP Anycast Address0: 208.67.220.220
IP Anycast Address1: 208.67.222.222
Umbrella IPv6 Anycast Address
IP Anycast Address0: 2620:119:53:0:0:0:0:53
IP Anycast Address1: 2620:119:35:0:0:0:0:35
=DNSCrypt=
key index: 0
-key[0]-
sn: 1517943461
ref cnt: 0
magic: 714e7a696d657555
Client Public Key:
A5BA:18C5:5970:6794:E537:3833:06F9:6383:3986:82E4:00F5:D8BE:C1AA:774A:4CBA:6400
NM Key Hash :
16E6:DDC7:53BE:2929:1CDA:06AE:0BE2:C270:6E39:EAE7:F925:78FD:3599:2AB6:74C9:A59D
-key[1]-
sn: 0
ref cnt: 0
magic: 0000000000000000
Client Public Key:
0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000
NM Key Hash :
0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000
Local domain 1
VPN-DEVICEID TABLE d7f37410
Clear Command
The clear platform hardware qfp active feature umbrella datapath stats command clears the Umbrella
connector statistics in datapath.
Device# clear platform hardware qfp active feature umbrella datapath stats
Umbrella Connector Stats Cleared
Troubleshooting the Umbrella Integration
Run the following command from the client device, from the Windows command prompt or from a Linux
terminal or shell:
nslookup -type=txt debug.umbrella.com
The TXT answer shows whether the client's DNS queries are reaching Cisco Umbrella.
Umbrella Registration
DNS Security Policy Configuration
Monitor Umbrella Feature
sequence 2
action accept
nat use-vpn 0
!
!
default-action drop
!
CHAPTER 12
Integrate Your Devices With Secure Internet
Gateways
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
IPSEC/GRE Tunnel Routing and Load-Balancing Using ECMP
Cisco IOS XE Catalyst SD-WAN Release 17.4.1a, Cisco vManage Release 20.4.1
This feature allows you to use the SIG template to steer application traffic to Cisco Umbrella or a
third-party SIG provider. The application traffic is steered to a SIG based on a defined data policy and
other match criteria. This feature also allows you to configure weights for multiple GRE/IPSEC tunnels
to distribute traffic among them. The traffic distribution enables you to balance the load among the
tunnels; you can also configure the weights to achieve equal-cost multi-path (ECMP) routing.
Support for Zscaler Automatic IPSec Tunnel Provisioning
Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, Cisco vManage Release 20.5.1
This feature automates the provisioning of tunnels from Cisco Catalyst SD-WAN routers to Zscaler. Using
your Zscaler partner API credentials, you can automatically provision tunnels to Zscaler Internet Access
(ZIA) Public Service Edges. You can choose Zscaler in the Cisco Security Internet Gateway (SIG) and SIG
Credentials feature templates to automate tunnel provisioning.
Layer 7 Health Check for Manual Tunnels
Cisco IOS XE Catalyst SD-WAN Release 17.8.1a, Cisco vManage Release 20.8.1
You can create and attach trackers to manually created GRE or IPSec tunnels to a SIG endpoint. Trackers
help fail over traffic when a SIG tunnel is down.

Automatic GRE Tunnels to Zscaler
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, Cisco vManage Release 20.9.1
With this feature, use the Secure Internet Gateway (SIG) feature template to provision automatic GRE
tunnels to Zscaler SIGs. In earlier releases, the SIG template only supported the provisioning of automatic
IPSec tunnels to Zscaler SIGs.

Global SIG Credentials Template
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, Cisco vManage Release 20.9.1
With this feature, create a single global Cisco SIG Credentials template for each SIG provider (Cisco
Umbrella or Zscaler). When you attach a Cisco SIG template to a device template, Cisco SD-WAN Manager
automatically attaches the applicable global Cisco SIG Credentials template to the device template.

Monitor Automatic SIG Tunnel Status and Events
Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, Cisco vManage Release 20.9.1
Monitor security events related to automatic SIG tunnels using the Security Events pane on the
Monitor > Security page, and the Events dashboard on the Monitor > Logs page. Monitor automatic SIG
tunnel status using the SIG Tunnel Status pane on the Monitor > Security page, and the SIG Tunnels
dashboard on the Monitor > Tunnels page.
Configure SIG Tunnels in a Security Feature Profile
Cisco IOS XE Catalyst SD-WAN Release 17.10.1a, Cisco vManage Release 20.10.1
With this feature, create a Security feature profile and associate it with one or more configuration groups.
In the Security feature profile, configure the Secure Internet Gateway feature to create automatic or manual
SIG tunnels. After configuring the feature, deploy the configuration group on the desired WAN edge devices
to create SIG tunnels from the devices to the configured SIG endpoints.

Cisco Umbrella Multi-Org Support
Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, Cisco vManage Release 20.11.1
This feature supports management of multiple organizations through a single parent organization. With
this feature, Cisco Catalyst SD-WAN Umbrella for SIG supports security policy requirements for different
regions of the SD-WAN network.
Cisco Catalyst SD-WAN edge devices support SD-WAN, routing, security, and other LAN access features
that can be managed centrally. On high-end devices, you can enable all these features while providing the
scale and performance required by large enterprises. However, on lower-end devices, enabling all the security
features simultaneously can degrade performance. To avoid the performance degradation, integrate lower-end
devices with Secure Internet Gateways (SIG) that do most of the processing to secure enterprise traffic. When
you integrate a Cisco Catalyst SD-WAN edge device with a SIG, all client internet traffic, based on routing
or policy, is forwarded to the SIG. In addition, the SIG can also protect roaming users, mobile users, and
BYOD users. The Multi-security association (SA) Virtual Tunnel Interface (VTI) is not supported on Cisco
Catalyst SD-WAN devices.
• Options to Integrate Your Devices with Secure Internet Gateways, on page 230
• Configure Tunnels, on page 235
• Configure SIG Tunnels in a Security Feature Profile, on page 262
• Monitor SIG Events, on page 276
• Monitor SIG/SSE Tunnels, on page 278
• Monitor Automatic SIG Tunnels Using CLI, on page 280
• Troubleshoot Integrating Your Devices With Secure Internet Gateways, on page 282
Automatic Tunnels
Using the Cisco Secure Internet Gateway (SIG) feature template, you can provision automatic IPSec tunnels
to Cisco Umbrella SIGs, or automatic IPSec or GRE tunnels to Zscaler SIGs.
Provision an automatic tunnel as follows:
1. Complete the following prerequisites for the SIG:
a. Specify the address of one or more DNS servers.
b. Enable the DNS lookup feature by using the ip domain lookup command on the Cisco IOS XE
Catalyst SD-WAN device. For more information, see ip domain lookup.
c. Ping the configured DNS name server. The DNS server must be reachable through VRF 65528.
d. Automatic SIG tunnels use the first NAT outside WAN interface to connect to Umbrella or Zscaler.
The DNS server and the internet must both be reachable through that same interface.
2. Specify Cisco Umbrella or Zscaler credentials using the Cisco SIG Credentials feature template.
3. Specify the details for the tunnel to the SIGs using the Cisco Security Internet Gateway (SIG) feature
template.
In the template, define the parameters for the tunnels such as the interface name, the source interface, the
SIG provider, and so on.
4. Edit the Cisco VPN feature template that provides the service route for the devices to the internet. Add a
service route to the SIG in the Cisco VPN feature template.
5. Add feature templates to the device templates of the devices that should route traffic to the SIG.
6. Attach the device templates to the devices.
When you attach the device template, the device sets up tunnels to the SIGs and redirects traffic to them.
Zscaler Integration
You can integrate Cisco Catalyst SD-WAN edge devices to Zscaler SIGs by provisioning automatic IPsec or
GRE tunnels between the edge devices and the SIGs.
Automatic IPSec Tunnels: From Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco vManage
Release 20.5.1, you can provision automatic IPSec tunnels to Zscaler Internet Access (ZIA) Public Service
Edges using the Cisco Security Internet Gateway (SIG) feature template. ZIA Public Service Edges are secure
internet gateways that can inspect and secure traffic from Cisco Catalyst SD-WAN devices. The devices use
Zscaler APIs to create IPSec tunnels by doing the following:
1. Establish an authenticated session with ZIA.
2. Based on the IP address of the device, obtain a list of nearby data centers.
3. Provision the VPN credentials and location using ZIA APIs.
4. Using the VPN credentials and location, create an IPSec tunnel between the ZIA Public Service Edges
and the device.
Automatic GRE Tunnels: From Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco vManage Release
20.9.1, you can provision automatic GRE tunnels to Zscaler Internet Access (ZIA) Public Service Edges using
the Cisco Security Internet Gateway (SIG) feature template. The devices use Zscaler APIs to create the GRE
tunnels.
For information on configuring automatic tunneling, see Configure Automatic Tunnels Using Cisco SD-WAN
Manager, on page 235.
Manual Tunnels
You can create a GRE or IPSec tunnel to a third-party SIG or a GRE tunnel to a Zscaler SIG by defining the
tunnel properties in the Cisco Secure Internet Gateway (SIG) feature template.
Provision manual tunnels as follows:
1. Specify the details for the tunnel to the SIG by using the Cisco Security Internet Gateway (SIG) feature
template.
In the template, define the parameters for the tunnels such as the interface name, the source interface, the
SIG provider, and so on.
2. Edit the Cisco VPN feature template that provides the service route for the devices to the internet. Add a
service route to the SIG in the Cisco VPN feature template.
3. Add feature templates to the device templates of the devices that should route traffic to the SIG.
4. Attach the device templates to the devices.
When you attach the device template, the device sets up the defined IPSec or GRE tunnels to the SIG and
redirects traffic to it.
Active Tunnels: You can provision up to four IPSec tunnels to the primary data center. These tunnels serve
as active tunnels, and when two or more active tunnels are provisioned, the traffic toward the SIG is distributed
among these tunnels, increasing the available bandwidth toward the SIG. From Cisco IOS XE Release 17.4.1
and Cisco vManage Release 20.4.1, you can distribute the traffic equally among the active tunnels to achieve
an equal-cost multi-path (ECMP) distribution, or assign different weights to the active tunnels so that some
tunnels carry more traffic toward the SIG than the others.
Back-up Tunnels: You can provision up to four IPSec tunnels to the secondary data center, one for each
active tunnel that you have provisioned to the primary data center. These tunnels to the secondary data center
serve as back-up tunnels. When an active tunnel fails, the traffic toward the SIG is sent through the
corresponding back-up tunnel. When you provision two or more back-up tunnels, the traffic toward the SIG
is distributed among these tunnels, increasing the available bandwidth toward the SIG. From Cisco IOS XE
Release 17.4.1 and Cisco vManage Release 20.4.1, you can distribute the traffic equally among the back-up
tunnels to achieve an ECMP distribution, or assign different weights to the back-up tunnels so that some
tunnels carry more traffic toward the SIG than the others.
By provisioning two or more active tunnels and distributing the traffic among them, while not provisioning
any back-up tunnels, you can create an active-active setup. By provisioning a back-up tunnel for each active
tunnel, you can create an active-back-up setup.
Note This configuration does not create a sticky mapping between source IP addresses and tunnels to the SIG. If
one or more of the tunnels are down, CEF maps source IP addresses to the remaining tunnels. During this
mapping, traffic from a particular source IP address may be sent to the SIG over a tunnel that is different from
the tunnel that was previously assigned.
Manual No Yes
Minimum releases: Cisco IOS XE Release 17.8.1a and Cisco
vManage Release 20.8.1
Related Topics
Create Automatic Tunnels Using a Cisco SIG Feature Template, on page 239
Create Manual Tunnels Using Cisco SIG Feature Template, on page 249
Global SIG Credentials Template
From Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco vManage Release 20.9.1, you can create a
single global Cisco SIG Credentials template for each SIG provider (Cisco Umbrella or Zscaler). When you
attach a Cisco SIG feature template that defines SIG tunnels to a device template, Cisco SD-WAN Manager
automatically attaches the applicable global SIG Credentials template to the device template.
Credentials template to the device template.
The Cisco IOS XE Catalyst SD-WAN devices of your organization connect to Cisco Umbrella or Zscaler
using a common organization account with the SIG provider. As such, it is beneficial to configure the
organization account credentials on the devices through a global template. When you modify the Cisco
Umbrella or Zscaler credentials, update only one global template for the modified credentials to take effect
on the attached Cisco IOS XE Catalyst SD-WAN devices.
Note After you upgrade Cisco SD-WAN Manager software from Cisco vManage Release 20.8.x or earlier to Cisco
vManage Release 20.9.1 or later, the device-model-specific Cisco SIG Credentials templates created in Cisco
vManage Release 20.8.x or earlier become read-only. The read-only status allows you only to view the
configured credentials. To update credentials that were configured in Cisco vManage Release 20.8.x or an
earlier release, create a new global Cisco SIG Credentials template for the SIG provider.
If you try to create or modify a Cisco SIG feature template before a global Cisco SIG Credentials template
exists for the SIG provider, Cisco SD-WAN Manager prompts you to create one.
Related Topics
Create Cisco Umbrella SIG Credentials Template, on page 236
Create Zscaler SIG Credentials Template, on page 237
Configure Tunnels
Configure Automatic Tunnels Using Cisco SD-WAN Manager
Prerequisites
To configure automatic tunneling to a SIG, complete the following prerequisites:
• Cisco Umbrella: To configure automatic tunnels to Cisco Umbrella, do one of the following:
• For Cisco SD-WAN Manager to fetch the API keys, specify Smart Account credentials here:
Administration > Settings > Smart Account Credentials. Your Cisco Smart Account is the
account that you use to log in to the Cisco Smart Software Manager (CSSM) portal.
• To manually specify the API keys, generate Umbrella Management API keys. See Management
and Provisioning > Getting Started > Overview in the Cloud Security API documentation on the
Cisco DevNet portal.
Specify the generated keys in the Cisco SIG Credentials template.
• Zscaler Internet Access (ZIA): To configure automatic tunnels to Zscaler, do the following:
1. Create partner API keys on the ZIA Partner Integrations page.
2. Add the Partner Administrator role to the partner API keys.
3. Create a Partner Administrator.
4. Activate the changes.
For more information, see Managing SD-WAN Partner Keys on the Zscaler Help Center.
Specify the generated keys in the Cisco SIG Credentials template.

Create Cisco Umbrella SIG Credentials Template
Registration Key: Enter the Umbrella Management API Key. It is part of the DNS security policy under the
unified security policy. For more information, see Management and Provisioning > Getting Started >
Overview in the Cloud Security API documentation on the Cisco DevNet portal.
Create Zscaler SIG Credentials Template
Partner base URI: The base URI that Cisco SD-WAN Manager uses in REST API calls to Zscaler. To find this
information on the Zscaler portal, see ZIA Help > ZIA API > API Developer & Reference Guide > Getting
Started.
Create Cisco SIG Credentials Template
Note In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you
can select Child Org ID from the dropdown when a parent Org ID of a multi-org tenant is added to the SIG
Credentials.
To fetch the parameters, Cisco SD-WAN Manager uses your Smart Account credentials to connect
to the Cisco Umbrella portal. To manually enter the parameters, generate the values in your Umbrella
account as described here.
c. For Zscaler, enter the following details:
Organization: The name of the organization in the Zscaler cloud. To find this information in Zscaler, see
Administration > Company Profile.
Child Org: Minimum releases: Cisco IOS XE Release 17.11.1a and Cisco vManage Release 20.11.1. Enter
the child organization information in the SIG template.
Child Org List: Minimum releases: Cisco IOS XE Release 17.11.1a and Cisco vManage Release 20.11.1.
Select the child org from the Child Org List drop-down list.
Partner base URI: The Zscaler Cloud API base URI that Cisco SD-WAN Manager uses to connect to Zscaler.
To find this information in Zscaler, see Administration > API Key Management.
Username: Username of the SD-WAN partner account.
Password: Password of the SD-WAN partner account.
Partner API key: The partner API key. To find the key in Zscaler, see Zscaler Cloud Administration >
Partner Integrations > SD-WAN.
9. Click Save.
Create Automatic Tunnels Using a Cisco SIG Feature Template
Note In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is called Feature.
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1, you
can select Child Org ID from the dropdown when a parent Org ID of a multi-org tenant is added to the SIG
Credentials.
9. To create one or more trackers to monitor tunnel health, do the following in the Tracker section:
Note From Cisco IOS XE Release 17.6.2 and Cisco vManage Release 20.6.2, you can create customized trackers
to monitor the health of automatic tunnels. If you do not customize the SLA parameters, Cisco SD-WAN
Manager creates a default tracker for the tunnel.
Name: Enter a name for the tracker. The name can be up to 128 alphanumeric characters.
Threshold: Enter the time to wait for a probe response before declaring the configured endpoint down.
Range: 100 to 1000 milliseconds. Default: 300 milliseconds.
Interval: Enter the time between the probes that determine the status of the configured endpoint.
Range: 20 to 600 seconds. Default: 60 seconds.
Multiplier: Enter the number of times a probe is resent before the tunnel is declared down.
Range: 1 to 10. Default: 3.
Note When the tunnel status changes repeatedly within a short period of time, the tunnel enters the flapping
state. Starting from Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, to avoid tunnel flapping, the tracker
waits for a duration equal to multiplier * interval before declaring the status of the tunnel.
API url of endpoint: Specify the API URL for the SIG endpoint of the tunnel.
Note The URL value passed to the endpoint-api-url configuration must resolve through DNS to an IPv4
address. Domains that resolve to an IPv6 address are currently not supported for the endpoint-api-url
configuration.
d. Click Add.
e. To add more trackers, repeat sub-step b to sub-step d.
Tunnel Type: Click ipsec or gre.
Note Automatic GRE tunnels are supported from Cisco IOS XE Release 17.9.1a and Cisco vManage Release
20.9.1, and only to Zscaler ZIA.
Tunnel Source Interface: Enter the name of the source interface of the tunnel. This interface should be
the egress interface and is typically the internet-facing interface.
For releases before Cisco IOS XE Catalyst SD-WAN Release 17.14.1a and Cisco Catalyst SD-WAN Manager
Release 20.14.1, if you use a Cellular or Dialer interface as the tunnel source interface, you must apply the
following workaround: modify the existing tunnel source interface configuration as follows.
interface <interface name>
no tunnel route-via <Interface> mandatory
Data-Center: For a primary data center, click Primary; for a secondary data center, click Secondary. Tunnels
to the primary data center serve as active tunnels, and tunnels to the secondary data center serve as back-up
tunnels.
Source Public IP: Minimum supported releases: Cisco IOS XE Release 17.9.1a and Cisco vManage Release
20.9.1. Public IP address of the tunnel source interface, required to create the GRE tunnel to Zscaler.
Default: Auto.
We recommend that you use the default configuration. With the default configuration, the Cisco IOS XE
Catalyst SD-WAN device finds the public IP address assigned to the tunnel source interface using a DNS
query. If the DNS query fails, the device notifies Cisco SD-WAN Manager of the failure. Enter the public IP
address only if the DNS query fails.
Shutdown: Click No to enable the interface; click Yes to disable it. Default: No.
Track this interface for SIG: Enable or disable the tracker for the tunnel. By default, Cisco SD-WAN Manager
enables a tracker for automatic tunnels. Default: On.
TCP MSS: Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically
adjusted based on the interface or tunnel MTU so that TCP SYN packets are never fragmented.
Range: 500 to 1460 bytes. Default: None.
DPD Interval: Specify the interval at which IKE sends DPD Hello packets on the connection.
Range: 10 to 3600 seconds. Default: 10 seconds.
DPD Retries: Specify the number of seconds between DPD retry messages once the peer misses a DPD
message. After the peer misses one DPD message, the router moves to a more aggressive state and sends
DPD retry messages at this shorter retry interval. Five aggressive DPD retry messages can be missed before
the tunnel is marked as down.
Range: 2 to 60 seconds. Default: 3 seconds.
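The following Python model is added here as an illustration; it is not Cisco IOS XE code and is not taken from this guide. It replays the DPD behavior described above on a constructed timeline: a Hello every DPD Interval seconds, a switch to the aggressive retry schedule after the first missed Hello, a return to the normal schedule if a retry is answered, and the tunnel marked down after five consecutive missed retries. The peer behaviors (a peer that dies at a given time, a peer that drops specific messages) are constructed for the example, and the worst-case detection time it derives (interval plus five retries) follows from the description above, not from a measurement of the router.

```python
"""Model of IKE dead peer detection (DPD) timing for a SIG tunnel, following the
description of DPD Interval and DPD Retries above. Added example: not Cisco IOS XE
code. The peer callables are constructed for the demonstration."""
from typing import Callable, List, Optional, Set, Tuple

MAX_AGGRESSIVE_RETRIES = 5  # five missed aggressive retries mark the tunnel down


def dpd_timeline(interval: int, retry: int, peer_answers: Callable[[float], bool],
                 horizon: float) -> Tuple[List[str], Optional[float]]:
    """Run DPD until `horizon` seconds or until the tunnel is marked down.

    peer_answers(t) returns True if the peer replies to the DPD message sent at t.
    Returns (event log, time the tunnel was marked down or None).
    """
    events: List[str] = []
    t = 0.0
    while t < horizon:
        t += interval                      # normal state: one Hello per interval
        if peer_answers(t):
            events.append(f"{t:6.1f}s hello answered")
            continue
        events.append(f"{t:6.1f}s hello missed, entering aggressive state")
        missed = 0
        while missed < MAX_AGGRESSIVE_RETRIES:
            t += retry                     # aggressive state: retry every `retry` s
            if peer_answers(t):
                events.append(f"{t:6.1f}s retry answered, back to normal state")
                break
            missed += 1
            events.append(f"{t:6.1f}s retry {missed}/{MAX_AGGRESSIVE_RETRIES} missed")
        else:
            events.append(f"{t:6.1f}s tunnel marked down")
            return events, t
    return events, None


def worst_case_detection(interval: int, retry: int) -> int:
    """Longest time from the peer's last reply to the tunnel being marked down in
    this model: the peer can die right after an answered Hello, so a full interval
    passes before the first miss, then five retries must be missed."""
    return interval + MAX_AGGRESSIVE_RETRIES * retry


def dead_after(t_dead: float) -> Callable[[float], bool]:
    """Constructed peer that stops replying at t_dead."""
    return lambda t: t < t_dead


def flaky_peer(drop: Set[float]) -> Callable[[float], bool]:
    """Constructed peer that drops exactly the DPD messages sent at the given times."""
    return lambda t: t not in drop


if __name__ == "__main__":
    log, down_at = dpd_timeline(interval=10, retry=3, peer_answers=dead_after(21), horizon=120)
    print("\n".join(log))
    print("marked down at", down_at, "s; worst case is", worst_case_detection(10, 3), "s")
```

With the defaults above (interval 10 s, retry 3 s), a peer that goes silent just after a Hello is detected 25 s later; the DPD Retries field sets a time between retries, not a retry count, so raising it lengthens detection rather than adding attempts.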
IKE Diffie-Hellman Group: Specify the Diffie-Hellman group to use in the IKE key exchange, whether IKEv1
or IKEv2.
• 2: 1024-bit modulus
• 14: 2048-bit modulus
• 15: 3072-bit modulus
• 16: 4096-bit modulus
Group 2 remains available for interoperability with older peers; a 1024-bit modulus is no longer considered
adequate, so prefer group 14 or larger where the SIG provider supports it.
IPsec Rekey Interval: Specify the interval for refreshing IPsec keys.
Range: 300 to 1209600 seconds (5 minutes to 14 days). Default: 3600 seconds (1 hour).
IPsec Replay Window: Specify the replay window size for the IPsec tunnel.
Options: 64, 128, 256, 512, 1024, 2048, 4096. Default: 512.
IPsec Cipher Suite: Specify the authentication and encryption to use on the IPsec tunnel.
Options:
• AES 256 CBC SHA1
• AES 256 CBC SHA 384
• AES 256 CBC SHA 256
• AES 256 CBC SHA 512
• AES 256 GCM
• NULL SHA1
• NULL SHA 384
• NULL SHA 256
• NULL SHA 512
The NULL suites authenticate the tunnel but do not encrypt it: traffic sent through a NULL suite is readable
by anyone on the path to the SIG. Choose a NULL suite only where confidentiality is deliberately not required.
Perfect Forward Secrecy: Specify the PFS setting to use on the IPsec tunnel. Choose one of the following
Diffie-Hellman prime modulus groups, or None to disable PFS:
• Group-2: 1024-bit modulus
• Group-14: 2048-bit modulus
• Group-15: 3072-bit modulus
• Group-16: 4096-bit modulus
• None: disable PFS
Default: None
e. Click Add.
f. To create more tunnels, repeat sub-step b to sub-step e.
11. To designate active and back-up tunnels and distribute traffic among tunnels, configure the following
in the High Availability section:
Active: Choose a tunnel that connects to the primary data center.
Active Weight: Enter a weight (range 1 to 255) for load balancing. Load balancing distributes traffic over
multiple tunnels, which increases the available bandwidth toward the SIG. If you enter the same weight for
each tunnel, you get ECMP load balancing across the tunnels; a tunnel with a higher weight carries a
proportionally larger share of the traffic. For example, if you set up two active tunnels, the first with a
weight of 10 and the second with a weight of 20, traffic is load-balanced between the tunnels in a 10:20 ratio.
Backup Weight: Enter a weight (range 1 to 255) for load balancing among the back-up tunnels. The same
rules apply: equal weights give ECMP load balancing, and a higher weight gives a tunnel a proportionally
larger share. For example, if you set up two back-up tunnels, the first with a weight of 10 and the second
with a weight of 20, traffic is load-balanced between the tunnels in a 10:20 ratio.
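The following Python model is added as an illustration and is not code from this guide or from Cisco IOS XE. It shows what the weights above mean for individual flows and why the earlier note about non-sticky mapping matters. It assumes (the guide does not say this) that the router keys a flow on its source IP address, hashes that key, and picks a tunnel in proportion to the configured weights, and that a failed active tunnel is replaced in the candidate set by its corresponding back-up tunnel. The tunnel names, weights and client addresses are constructed.

```python
"""Weighted active/back-up SIG tunnel selection, modelled on the Active Weight,
Backup Weight and non-sticky mapping descriptions above. Added example: not
Cisco IOS XE code, and not the router's real hash. Assumptions (not in the
guide): flows are keyed on source IP, the hash picks a tunnel in proportion to
the weights, and a failed active tunnel is replaced by its back-up."""
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed HA configuration: (active tunnel, active weight, back-up tunnel or
# None, back-up weight). The 10 and 20 weights mirror the example in the table.
HA_PAIRS: List[Tuple[str, int, Optional[str], int]] = [
    ("ipsec1", 10, "ipsec4", 10),  # active tunnel with a back-up of equal weight
    ("ipsec2", 20, None, 0),       # active only
    ("ipsec3", 25, None, 0),       # active only
]


def flow_hash(src_ip: str) -> int:
    """Deterministic 64-bit hash of the flow key (the source IP address)."""
    return int.from_bytes(hashlib.sha256(src_ip.encode()).digest()[:8], "big")


def candidate_tunnels(pairs, down: Set[str]) -> Dict[str, int]:
    """Tunnels able to carry traffic now, with their weights. An active tunnel that
    is up is used; if it is down its back-up takes its place; if both are down the
    pair carries nothing and the other pairs absorb its flows."""
    live: Dict[str, int] = {}
    for active, a_weight, backup, b_weight in pairs:
        if active not in down:
            live[active] = a_weight
        elif backup is not None and backup not in down:
            live[backup] = b_weight
    return live


def select_tunnel(src_ip: str, live: Dict[str, int]) -> Optional[str]:
    """Weighted choice: a tunnel's share of flows is weight / sum(weights)."""
    total = sum(live.values())
    if total == 0:
        return None  # no usable tunnel to the SIG
    point = flow_hash(src_ip) % total
    for name, weight in live.items():
        if point < weight:
            return name
        point -= weight
    raise AssertionError("unreachable: point is always below total")


def distribution(src_ips: Iterable[str], pairs, down: Iterable[str] = ()) -> Dict[str, int]:
    """How many of the given flows land on each tunnel."""
    live = candidate_tunnels(pairs, set(down))
    return dict(Counter(select_tunnel(ip, live) for ip in src_ips))


def moved_flows(src_ips: Iterable[str], pairs, before_down: Iterable[str],
                after_down: Iterable[str]) -> Dict[str, int]:
    """Flows re-mapped when the set of failed tunnels changes, split into flows that
    were on a tunnel that just failed (expected) and flows that were on a surviving
    tunnel (the non-sticky effect the note above describes)."""
    before = candidate_tunnels(pairs, set(before_down))
    after = candidate_tunnels(pairs, set(after_down))
    newly_down = set(after_down) - set(before_down)
    counts: Counter = Counter()
    for ip in src_ips:
        old, new = select_tunnel(ip, before), select_tunnel(ip, after)
        if old != new:
            counts["from_failed_tunnel" if old in newly_down else "from_surviving_tunnel"] += 1
    return dict(counts)


def sample_clients(n: int) -> List[str]:
    """Constructed client addresses starting at 10.0.0.1."""
    base = int(ipaddress.IPv4Address("10.0.0.1"))
    return [str(ipaddress.IPv4Address(base + i)) for i in range(n)]


if __name__ == "__main__":
    clients = sample_clients(3000)
    print("all tunnels up           :", distribution(clients, HA_PAIRS))
    print("ipsec1 down (-> ipsec4)  :", distribution(clients, HA_PAIRS, {"ipsec1"}))
    print("ipsec3 down (no back-up) :", distribution(clients, HA_PAIRS, {"ipsec3"}))
    print("re-mapped, ipsec1 down   :", moved_flows(clients, HA_PAIRS, (), {"ipsec1"}))
    print("re-mapped, ipsec3 down   :", moved_flows(clients, HA_PAIRS, (), {"ipsec3"}))
```

Under these assumptions, failing over to a back-up of equal weight leaves the surviving tunnels' flows where they were, whereas losing a tunnel that has no back-up changes the weight total and re-maps flows that were never on the failed tunnel. That is the effect the earlier note describes, and a reason to provision a back-up for every active tunnel when the SIG applies policy per source address.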
12. (Optional) Modify the default configuration in the Advanced Settings section:
Umbrella Primary Data-Center: Cisco SD-WAN Manager automatically selects the primary data center closest
to the WAN edge device. If you wish to route traffic to a specific Cisco Umbrella data center, choose the data
center from the drop-down list.
Umbrella Secondary Data-Center: Cisco SD-WAN Manager automatically selects the secondary data center
closest to the WAN edge device. If you wish to route traffic to a specific Cisco Umbrella data center, choose
the data center from the drop-down list.
Primary Data-Center: Automatic IPSec tunnels: Cisco SD-WAN Manager automatically selects the primary
data center closest to the WAN edge device. If you wish to route traffic to a specific Zscaler data center,
choose the data center from the drop-down list. If you choose a data center that is not in the recommended
list, the Cisco IOS XE Catalyst SD-WAN device reverts to the automatically selected data center.
Zscaler Location Name Minimum supported releases: Cisco IOS XE Release 17.9.1a and
Cisco vManage Release 20.9.1
(Optional) Enter the name of a location that is configured on the
ZIA Admin Portal.
If you do not enter a location name, the Zscaler service detects the
location based on the received traffic.
For more information about locations, see ZIA Help > Traffic
Forwarding > Location Management > About Locations.
Authentication Required See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: Off
XFF Forwarding See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: Off
Enable Firewall See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: Off
Enable IPS Control See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: Off
Enable Caution See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: Off
Enable Surrogate IP See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: Off
Display Time Unit See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: Minute
Idle Time to Disassociation See ZIA Help > Traffic Forwarding > Location Management >
Configuring Locations.
Default: 0
Enforce Surrogate IP for See ZIA Help > Traffic Forwarding > Location Management >
known browsers Configuring Locations.
Default: Off
Create Manual Tunnels Using Cisco SIG Feature Template
Refresh Time Unit: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Minute
Refresh Time: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: 0
Enable AUP: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
First Time AUP Block Internet Access: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
Force SSL Inspection: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
AUP Frequency: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: 0
Note In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is called Feature.
Note The option to create trackers and monitor tunnel health is available from Cisco IOS XE Release 17.8.1a, Cisco vManage Release 20.8.1.
Name: Enter a name for the tracker. The name can be up to 128 alphanumeric characters.
Threshold: Enter the wait time for the probe to return a response before declaring that the configured endpoint is down.
Range: 100 to 1000 milliseconds
Default: 300 milliseconds
Interval: Enter the time interval between probes to determine the status of the configured endpoint.
Range: 20 to 600 seconds
Default: 60 seconds
API url of endpoint: Specify the API URL for the SIG endpoint of the tunnel.
Note Both HTTP and HTTPS API URLs are supported. SIG tunnel tracker configuration only supports HTTP even though the HTTPS option is available.
d. Click Add.
e. To add more trackers, repeat sub-step b to sub-step d.
Tunnel Type: Based on the type of tunnel you wish to create, click ipsec or gre.
Track this interface for SIG: Enable or disable tracker for the tunnel. By default, Cisco SD-WAN Manager enables a tracker for automatic tunnels.
Default: On.
Tunnel Source Interface: Enter the name of the source interface of the tunnel. This interface should be the egress interface and is typically the internet-facing interface.
For releases before Cisco IOS XE Catalyst SD-WAN Release 17.14.1a and Cisco Catalyst SD-WAN Manager Release 20.14.1, if you have a Cellular or Dialer interface as the tunnel's source interface, the following workaround must be implemented.
If you use a cellular interface as a tunnel source interface, you must modify your existing tunnel source interface configuration with the following configuration:
interface <interface name>
no tunnel route-via <Interface> mandatory
Shutdown: Click No to enable the interface; click Yes to disable.
Default: No.
TCP MSS: Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 500 to 1460 bytes
Default: None
Shutdown: Click No to enable the interface; click Yes to disable.
Default: No.
TCP MSS: Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 500 to 1460 bytes
Default: None
DPD Interval: Specify the interval for IKE to send Hello packets on the connection.
Range: 0 to 65535 seconds
Default: 10
IKE Rekey Interval: Specify the interval for refreshing IKE keys.
Range: 300 to 1209600 seconds (1 hour to 14 days)
Default: 14400 seconds
IKE Cipher Suite: Specify the type of authentication and encryption to use during IKE key exchange. Choose one of the following:
• AES 256 CBC SHA1
• AES 256 CBC SHA2
• AES 128 CBC SHA1
• AES 128 CBC SHA2
IKE Diffie-Hellman Group: Specify the Diffie-Hellman group to use in IKE key exchange, whether IKEv1 or IKEv2. Choose one of the following:
• 2 (1024-bit modulus)
• 14 (2048-bit modulus)
• 15 (3072-bit modulus)
• 16 (4096-bit modulus)
IKE ID for Local Endpoint: If the remote IKE peer requires a local end point identifier, specify the same.
Range: 1 to 64 characters
Default: Tunnel's source IP address
IKE ID for Remote Endpoint: If the remote IKE peer requires a remote end point identifier, specify the same.
Range: 1 to 64 characters
Default: Tunnel's destination IP address
IPsec Rekey Interval: Specify the interval for refreshing IPSec keys.
Range: 300 to 1209600 seconds (1 hour to 14 days)
Default: 3600 seconds
IPsec Replay Window: Specify the replay window size for the IPsec tunnel.
Options: 64, 128, 256, 512, 1024, 2048, 4096.
Default: 512
IPsec Cipher Suite: Specify the authentication and encryption to use on the IPsec tunnel. Choose one of the following:
• AES 256 CBC SHA1
• AES 256 CBC SHA 384
• AES 256 CBC SHA 256
• AES 256 CBC SHA 512
• AES 256 GCM
• NULL SHA 384
• NULL SHA 256
• NULL SHA 512
Perfect Forward Secrecy: Specify the PFS settings to use on the IPsec tunnel. Choose one of the following Diffie-Hellman prime modulus groups:
• Group-2 (1024-bit modulus)
• Group-14 (2048-bit modulus)
• Group-15 (3072-bit modulus)
• Group-16 (4096-bit modulus)
• None: disable PFS.
e. Click Add.
f. To create more tunnels, repeat sub-step b to sub-step e.
10. To designate active and back-up tunnels and distribute traffic among tunnels, configure the following
in the High Availability section:
Active: Choose a tunnel that connects to the primary data center.
Redirect Traffic to a SIG
Active Weight: Enter a weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow.
For example, if you set up two active tunnels, where the first tunnel is configured with a weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio.
Backup Weight: Enter a weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow.
For example, if you set up two back-up tunnels, where the first tunnel is configured with a weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio.
Create Device Template
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
Note In Cisco vManage Release 20.7.x and earlier releases, Device Templates is called Device.
Attach Template to Devices
10. From the Cisco Secure Internet Gateway drop-down list, choose the Cisco SIG feature template that
you created earlier.
11. Click Additional Templates.
12. In the Additional Templates section,
a. Automatic tunneling:
(Cisco vManage Release 20.8.x and earlier) From the Cisco SIG Credentials drop-down list, choose
the relevant Cisco SIG Credentials feature template.
(From Cisco vManage Release 20.9.1) Cisco SD-WAN Manager automatically chooses the applicable
global Cisco SIG Credentials feature template based on the Cisco SIG feature template configuration.
Note If there are any changes to the SIG credentials, for these changes to take effect, you must first remove the SIG
feature template from the device template and push the device template. Thereafter, re-attach the SIG feature
template and then push the template to the device. For information on pushing the device template, see Attach
the SIG Template to Devices.
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. For the desired template, click ... and click Attach Devices.
The Attach Devices dialog box displays.
4. In the Available Devices column, choose a group and search for one or more devices, choose a device
from the list, or click Select All.
5. Click the arrow pointing right to move the device to the Selected Devices column.
6. Click Attach.
7. If the template contains variables, enter the missing variable values for each device in one of the following
ways:
Configure Source-Only Load Sharing
• Enter the values manually for each device either in the table column or by clicking ... in the row and
clicking Edit Device Template. When you are using optional rows, if you do not want to include
the parameter for the specific device, do not specify a value.
• Click Import File to upload a CSV file that lists all the variables and defines each variable value for
each device.
8. Click Update.
Configuring a GRE Tunnel or IPsec Tunnel from Cisco SD-WAN Manager
Manual Configuration for GRE Tunnels and IPsec Tunnels (Cisco IOS XE Catalyst SD-WAN Release 17.2.1r): This feature lets you manually configure a GRE tunnel by using the Cisco VPN Interface GRE template or an IPSec tunnel by using the Cisco VPN Interface IPSec template. For example, use this feature to manually configure a tunnel to a SIG.
Note From Cisco IOS XE Release 17.4.1, Cisco vManage Release 20.4.1, all SIG related workflows for Automatic
and Manual Tunnels have been consolidated into the SIG template. If you are using Cisco IOS XE Release
17.4.1, Cisco vManage Release 20.4.1, or later, configure GRE or IPSec tunnels to a generic SIG, or GRE
tunnels to a Zscaler SIG, using the SIG template.
Note To configure a GRE tunnel from Cisco SD-WAN Manager, use the SIG Feature Template. For more
information, see Create Manual Tunnels Using Cisco SIG Feature Template. The Cisco VPN Interface GRE
template is no longer used to configure a tunnel to a SIG.
For releases prior to Cisco vManage Release 20.8.1, use the Cisco VPN Interface GRE template.
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
c. Choose the type of device for which you are creating the template.
d. Choose the Cisco VPN Interface GRE template from the group of VPN templates.
e. In Basic Configuration, configure parameters as desired and then click Save.
Configure an IPsec Tunnel from Cisco SD-WAN Manager
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
b. Choose the type of device for which you are creating the template.
c. Choose the Cisco VPN template in the group of VPN templates.
d. Click GRE Route.
e. Click New GRE Route.
f. Configure parameters as desired, and then click Add.
3. Perform these actions to configure a device template for the GRE interface.
a. Click Device, and then click ... and click Edit for the device template that you want to configure.
b. Click Transport & Management VPN.
c. From the Additional Cisco VPN 0 Templates list, choose the Cisco VPN Interface GRE template.
d. From the Cisco VPN Interface GRE drop-down menu, click Create Template.
e. Configure the templates as desired, and then click Save.
Note To configure an IPSec tunnel from Cisco SD-WAN Manager, use the SIG Feature Template. For more information, see Create Automatic Tunnels Using Cisco SIG Feature Template. The Cisco VPN Interface IPSec template is no longer used to configure a tunnel to a SIG.
For releases prior to Cisco vManage Release 20.8.1, use the Cisco VPN Interface IPsec template.
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
c. Choose the type of device for which you are creating the template.
d. Choose the Cisco VPN Interface IPsec template from the group of VPN templates.
e. In Basic Configuration, configure parameters as desired.
f. In Advanced, specify a name for your Tracker.
Configure SIG Tunnels in a Security Feature Profile
g. Click Save.
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
b. Choose the type of device for which you are creating the template.
c. Choose the Cisco VPN template in the group of VPN templates.
d. Click IPSEC Route.
e. Click New IPSEC Route.
f. Configure parameters as desired, and then click Add.
3. Perform these actions to configure a device template for the IPsec interface.
a. Click Device, and click … and choose Edit for the device template that you want to configure.
b. Click Transport & Management VPN.
c. From the Additional Cisco VPN 0 Templates list, choose the Cisco VPN Interface IPsec template.
d. From the Cisco VPN Interface IPsec drop-down menu, click Create Template.
e. Configure the templates as desired, and then click Save.
Configure SIG Credentials
Organization ID: Enter the Cisco Umbrella organization ID (Org ID) for your organization. For more information, see Find Your Organization ID in the Cisco Umbrella SIG User Guide.
Associate Security Feature Profile with a Configuration Group
Partner base URI: This is the base URI that Cisco SD-WAN Manager uses in REST API calls. To find this information on the Zscaler portal, see ZIA Help > ZIA API > API Developer & Reference Guide > Getting Started.
6. Click Save.
Configure Secure Internet Gateway Feature
Feature Name: Enter a name for the feature. The name can be up to 128 characters and can contain only alphanumeric characters.
Organization ID: Enter the Cisco Umbrella organization ID (Org ID) for your organization. For more information, see Find Your Organization ID in the Cisco Umbrella SIG User Guide.
Partner base URI: This is the base URI that Cisco SD-WAN Manager uses in REST API calls. To find this information on the Zscaler portal, see ZIA Help > ZIA API > API Developer & Reference Guide > Getting Started.
Device Specific (indicated by a host icon): Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. Enter the value when you add a device to the configuration group.
To change the default key, type a new string and move the cursor out of the Enter Key box.
Global (indicated by a globe icon): Enter a value for the parameter, and apply that value to all devices.
Tunnel Type: Umbrella: (Read only) ipsec. Zscaler: Click ipsec or gre. Generic: Click ipsec or gre.
Tunnel Source Interface: Enter the name of the source interface of the tunnel. This interface should be the egress interface and is typically the internet-facing interface.
For releases before Cisco IOS XE Catalyst SD-WAN Release 17.14.1a and Cisco Catalyst SD-WAN Manager Release 20.14.1, if you have a Cellular or Dialer interface as the tunnel's source interface, the following workaround must be implemented.
If you use a cellular interface as a tunnel source interface, you must modify your existing tunnel source interface configuration with the following configuration:
interface <interface name>
no tunnel route-via <Interface> mandatory
Source Public IP: (Automatic GRE tunnels to Zscaler only) Public IP address of the tunnel source interface that is required to create the GRE tunnel to Zscaler.
Default: Auto.
We recommend that you use the default configuration. With the default configuration, the Cisco IOS XE Catalyst SD-WAN device finds the public IP address assigned to the tunnel source interface using a DNS query. If the DNS query fails, the device notifies Cisco SD-WAN Manager of the failure. Enter the public IP address only if the DNS query fails.
Data-Center: For a primary data center, click Primary, or for a secondary data center, click Secondary. Tunnels to the primary data center serve as active tunnels, and tunnels to the secondary data center serve as back-up tunnels.
Tunnel Destination IP Address/FQDN: (Manual tunnels only) Enter the IP address of the SIG provider endpoint.
Shutdown: Click No to enable the interface; click Yes to disable.
Default: No.
TCP MSS: Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 500 to 1460 bytes
Default: None
Shutdown: Click No to enable the interface; click Yes to disable.
Default: No.
Track this interface for SIG: Enable or disable tracker for the tunnel. By default, Cisco SD-WAN Manager enables a tracker for automatic tunnels.
Default: On.
TCP MSS: Specify the maximum segment size (MSS) of TCP SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 500 to 1460 bytes
Default: None
DPD Interval: Specify the interval for IKE to send Hello packets on the connection.
Range: 10 to 3600 seconds
Default: 10
DPD Retries: Specify the number of seconds between DPD retry messages when a DPD message is missed by the peer. Once one DPD message is missed by the peer, the router moves to a more aggressive state and sends DPD retry messages at this faster retry interval. The default DPD retry message is sent every 2 seconds. Five aggressive DPD retry messages can be missed before the tunnel is marked as down.
Range: 2 to 60 seconds
Default: 3
IKE Diffie-Hellman Group: Specify the Diffie-Hellman group to use in IKE key exchange, whether IKEv1 or IKEv2.
• 2 (1024-bit modulus)
• 14 (2048-bit modulus)
• 15 (3072-bit modulus)
• 16 (4096-bit modulus)
IPsec Rekey Interval: Specify the interval for refreshing IPSec keys.
Range: 300 to 1209600 seconds (1 hour to 14 days)
Default: 3600 seconds
IPsec Replay Window: Specify the replay window size for the IPsec tunnel.
Options: 64, 128, 256, 512, 1024, 2048, 4096.
Default: 512
IPsec Cipher Suite: Specify the authentication and encryption to use on the IPsec tunnel. Options:
• AES 256 CBC SHA1
• AES 256 CBC SHA 384
• AES 256 CBC SHA 256
• AES 256 CBC SHA 512
• AES 256 GCM
• NULL SHA1
• NULL SHA 384
• NULL SHA 256
• NULL SHA 512
Perfect Forward Secrecy: Specify the PFS settings to use on the IPsec tunnel. Choose one of the following Diffie-Hellman prime modulus groups:
• Group-2 (1024-bit modulus)
• Group-14 (2048-bit modulus)
• Group-15 (3072-bit modulus)
• Group-16 (4096-bit modulus)
• None: disable PFS.
Default: None
d. Click Add.
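As an added example, not code from this guide or from Cisco, the following Python checks a tunnel parameter set against the option lists and ranges in the IKE, IPsec, DPD and TCP MSS rows above (the Configure Secure Internet Gateway Feature values) and flags selectable choices that weaken the tunnel. The SigIpsecTunnel class, the weakness rules and the DPD detection-time estimate are this example's own assumptions, the last one following the DPD Retries description.

```python
"""Added example (not from the guide or Cisco): validate a SIG IPsec tunnel
parameter set against the option lists and ranges in the Configure Secure
Internet Gateway Feature tables and flag cryptographically weak choices."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Option lists exactly as the guide's IKE/IPsec tables print them.
IKE_CIPHER_SUITES = {"AES 256 CBC SHA1", "AES 256 CBC SHA2",
                     "AES 128 CBC SHA1", "AES 128 CBC SHA2"}
IPSEC_CIPHER_SUITES = {"AES 256 CBC SHA1", "AES 256 CBC SHA 384",
                       "AES 256 CBC SHA 256", "AES 256 CBC SHA 512",
                       "AES 256 GCM", "NULL SHA1", "NULL SHA 384",
                       "NULL SHA 256", "NULL SHA 512"}
DH_GROUPS = {2: 1024, 14: 2048, 15: 3072, 16: 4096}   # group -> modulus bits
REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096}
# "Five aggressive DPD retry messages can be missed before the tunnel is marked as down."
DPD_RETRY_MISSES_TO_DOWN = 5


@dataclass
class SigIpsecTunnel:
    """Hypothetical container for the guide's tunnel fields; the defaults are
    the guide's defaults (PFS None, replay window 512, rekey 14400/3600, DPD 10/3)."""
    ike_cipher_suite: str = "AES 256 CBC SHA2"
    ike_dh_group: int = 14
    ike_rekey_interval: int = 14400
    ipsec_cipher_suite: str = "AES 256 GCM"
    ipsec_rekey_interval: int = 3600
    ipsec_replay_window: int = 512
    pfs_group: Optional[int] = None      # None = "None: disable PFS"
    dpd_interval: int = 10
    dpd_retries: int = 3
    tcp_mss: Optional[int] = None        # None = "Default: None" (auto-adjusted)


def _check_range(name: str, value: int, lo: int, hi: int, errors: List[str]) -> None:
    if not lo <= value <= hi:
        errors.append(f"{name}={value} is outside {lo}-{hi}")


def validate(t: SigIpsecTunnel) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are values the template would not
    accept; warnings are accepted values that weaken the tunnel (the weakness
    rules are this example's own, based on general cryptographic guidance)."""
    errors: List[str] = []
    warnings: List[str] = []
    if t.ike_cipher_suite not in IKE_CIPHER_SUITES:
        errors.append(f"unknown IKE cipher suite {t.ike_cipher_suite!r}")
    if t.ipsec_cipher_suite not in IPSEC_CIPHER_SUITES:
        errors.append(f"unknown IPsec cipher suite {t.ipsec_cipher_suite!r}")
    if t.ike_dh_group not in DH_GROUPS:
        errors.append(f"unknown IKE Diffie-Hellman group {t.ike_dh_group}")
    if t.pfs_group is not None and t.pfs_group not in DH_GROUPS:
        errors.append(f"unknown PFS Diffie-Hellman group {t.pfs_group}")
    if t.ipsec_replay_window not in REPLAY_WINDOWS:
        errors.append(f"replay window {t.ipsec_replay_window} not in {sorted(REPLAY_WINDOWS)}")
    _check_range("IKE rekey interval", t.ike_rekey_interval, 300, 1209600, errors)
    _check_range("IPsec rekey interval", t.ipsec_rekey_interval, 300, 1209600, errors)
    _check_range("DPD interval", t.dpd_interval, 10, 3600, errors)
    _check_range("DPD retries", t.dpd_retries, 2, 60, errors)
    if t.tcp_mss is not None:
        _check_range("TCP MSS", t.tcp_mss, 500, 1460, errors)

    # Weakness checks: every option flagged here is selectable in the template.
    if t.ipsec_cipher_suite.startswith("NULL"):
        warnings.append("NULL IPsec cipher: ESP authenticates but does not encrypt, "
                        "so traffic to the SIG crosses the internet in cleartext")
    if t.ike_cipher_suite.endswith("SHA1") or t.ipsec_cipher_suite.endswith("SHA1"):
        warnings.append("SHA1 integrity is deprecated; choose a SHA2 variant")
    if DH_GROUPS.get(t.ike_dh_group) == 1024:
        warnings.append("IKE DH group 2 (1024-bit modulus) is below current "
                        "strength recommendations; use group 14 or higher")
    if t.pfs_group is None:
        warnings.append("PFS disabled: compromise of the IKE SA key material "
                        "exposes every IPsec SA keyed from it")
    elif DH_GROUPS.get(t.pfs_group) == 1024:
        warnings.append("PFS group 2 (1024-bit modulus) is weak; use group 14 or higher")
    return errors, warnings


def dpd_worst_case_detection_seconds(dpd_interval: int, dpd_retries: int) -> int:
    """Approximate time from a peer going silent until the tunnel is marked
    down, following the DPD Retries description: one missed hello at the
    normal interval, then DPD_RETRY_MISSES_TO_DOWN retries at the retry
    interval. With the defaults (10, 3) this is 25 seconds."""
    return dpd_interval + DPD_RETRY_MISSES_TO_DOWN * dpd_retries


if __name__ == "__main__":
    weak = SigIpsecTunnel(ike_cipher_suite="AES 128 CBC SHA1", ike_dh_group=2,
                          ipsec_cipher_suite="NULL SHA1", pfs_group=2)
    for label, tunnel in (("defaults", SigIpsecTunnel()), ("weak", weak)):
        errs, warns = validate(tunnel)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
    print("DPD worst-case detection:", dpd_worst_case_detection_seconds(10, 3), "s")
```

Note that the guide's defaults pass validation but still draw the PFS warning, because PFS defaults to None.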
8. To create one or more trackers to monitor tunnel health, click Tracker and do the following:
a. Source IP Address: Enter a source IP address for the probe packets.
b. Click Add Tracker.
c. In the Add Tracker dialog box, configure the following:
Name: Enter a name for the tracker. The name can be up to 128 alphanumeric characters.
API url of endpoint: Specify the API URL for the SIG endpoint of the tunnel.
Threshold: Enter the wait time for the probe to return a response before declaring that the configured endpoint is down.
Range: 100 to 1000 milliseconds
Default: 300 milliseconds.
Probe Interval: Enter the time interval between probes to determine the status of the configured endpoint.
Range: 20 to 600 seconds
Default: 60 seconds
d. Click Add.
e. To add more trackers, repeat sub-step b to sub-step d.
9. To designate active and back-up tunnels and distribute traffic among tunnels, click High Availability
and do the following:
a. Click Add Interface Pair.
b. In the Add Interface Pair dialog box, configure the following:
Active: Choose a tunnel that connects to the primary data center.
Active Weight: Enter a weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow.
For example, if you set up two active tunnels, where the first tunnel is configured with a weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio.
Backup Weight: Enter a weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow.
For example, if you set up two back-up tunnels, where the first tunnel is configured with a weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio.
c. Click Add.
d. To add more active and back-up tunnel pairs, repeat sub-step a to sub-step c.
10. (Optional) To configure advanced settings for Cisco Umbrella or Zscaler, click Advanced Settings and
configure the following:
Umbrella Primary Data-Center: Cisco SD-WAN Manager automatically selects the primary data center closest to the WAN edge device. If you wish to route traffic to a specific Cisco Umbrella data center, choose the data center from the drop-down list.
Umbrella Secondary Data-Center: Cisco SD-WAN Manager automatically selects the secondary data center closest to the WAN edge device. If you wish to route traffic to a specific Cisco Umbrella data center, choose the data center from the drop-down list.
Primary Datacenter: Automatic IPSec tunnels: Cisco SD-WAN Manager automatically selects the primary data center closest to the WAN edge device. If you wish to route traffic to a specific Zscaler data center, choose the data center from the drop-down list.
If you choose a data center that is not in the recommended list, the Cisco IOS XE Catalyst SD-WAN device reverts to the automatically selected data center.
Zscaler Location: (Optional) Enter the name of a location that is configured on the ZIA Admin Portal. If you do not enter a location name, the Zscaler service detects the location based on the received traffic. For more information about locations, see ZIA Help > Traffic Forwarding > Location Management > About Locations.
Redirect Traffic to SIG Using Service VPN Feature
Authentication Required: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
XFF Forwarding: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
Enable Firewall: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
Enable IPS Control: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
Enable Surrogate IP: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
Display Time Unit: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Minute
Idle Time to Disassociation: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: 0
Enforce Surrogate IP for known browsers: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Off
Refresh Time Unit: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: Minute
Refresh Time: See ZIA Help > Traffic Forwarding > Location Management > Configuring Locations.
Default: 0
Monitor SIG Events
Note Alternatively, you can also redirect traffic to SIG using Data Policy. For more information, see Action
Parameters in the Policies Configuration Guide.
1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates > Configuration Groups.
2. For the desired configuration group, click … adjacent to the configuration group name and choose Edit.
3. Expand the Service Profile, and for the service VPN whose traffic you want to redirect to SIG, click ... and click Edit Parcel.
4. Remove any existing static IPv4 routes to the internet:
a. Click Route.
b. Under IPv4 Static Route, find any routes to the internet and click the delete icon to remove them.
Network Address: Enter the public IPv4 address.
Subnet Mask: Enter the subnet for the IPv4 address.
Service: Choose SIG from the drop-down list.
d. Click Add.
6. Click Save.
Security Events
1. From the Cisco SD-WAN Manager menu, choose Monitor > Security.
The Security Events pane shows how many critical, major, and minor security events Cisco IOS XE
Catalyst SD-WAN devices have reported to Cisco SD-WAN Manager during a specified time period. The
information is displayed in a bar chart.
Cisco IOS XE Catalyst SD-WAN devices notify security events to Cisco SD-WAN Manager using
NETCONF. The security events include events related to automatic SIG tunnel creation.
2. (Optional) By default, the pane displays security event information for the past 24 hours. To modify the
time period, hover the mouse pointer over 24 Hours and choose a desired time period from the drop-down
list.
3. (Optional) View Details: Click View Details to display the Monitor > Logs > Events page, with
information filtered for the Security component.
Events Dashboard
1. From the Cisco SD-WAN Manager menu, choose Monitor > Logs.
2. Click Events.
Cisco SD-WAN Manager displays any events that WAN edge devices and controllers have notified in
the past three hours.
3. Click Filter and configure the following:
Component: Choose the Security component.
System IP: To view events notified by specific WAN edge devices, choose the system IP of the devices.
Event name: To view information about one or more specific SIG tunnel events, choose the corresponding event names.
Tip To view Cisco Umbrella SIG tunnel events, search for events that have ftm-tunnel in the event name. To view Zscaler SIG tunnel events, search for events that have ftm-zia in the event name.
Click Apply.
If the target devices or controllers notified any of the chosen events, Cisco SD-WAN Manager displays
information about the same.
4. (Optional) To modify the time range, click 3 hours, select a time range, and click Apply.
Cisco SD-WAN Manager displays event information for the modified time range.
5. (Optional) Click Export to download a CSV file containing the table data.
The file is downloaded to your browser's default download location.
6. (Optional) Click on the gear icon adjacent to Export to display the Table Settings slide-in pane. Toggle
the columns that you wish to display or hide and click Apply.
2. (Optional) Click a section of the donut chart to view detailed information about tunnels having a particular
status.
Cisco SD-WAN Manager displays detailed information about the tunnels in the SIG/SSE Tunnels
dashboard.
3. (Optional) Click All SIG/SSE Tunnels to view the SIG/SSE Tunnels dashboard.
Field Description
Tunnel Name Unique name for the tunnel that can be used to identify the tunnel at both the local and remote ends. On the SIG provider portal, you can use the tunnel name to find details about a particular tunnel.
Destination Data Center SIG/SSE provider data center to which the tunnel is connected.
Note: This feature is supported for Cisco Umbrella SIG endpoints and it is yet to be supported for Zscaler ZIA Public Service Edges.
3. (Optional) By default, the table displays information for the past 24 hours. To modify the time period,
hover the mouse pointer over 24 Hours and choose a desired time period from the drop-down list.
4. (Optional) To download a CSV file containing the table data, click Export.
The file is downloaded to your browser's default download location.
5. (Optional) Hide or display table columns: Click on the gear icon adjacent to Export to display the Table
Settings slide-in pane. Toggle the columns that you wish to display or hide and click Apply.
Monitor Automatic SIG Tunnels Using CLI
rekey-tunnel -
Tunnel22427 527398577 SITE10005SYS172x16x255x88IFTunnel22427 st-tun-create-notif 200 rekey-tunnel -
Tunnel22457 527398373 SITE10005SYS172x16x255x88IFTunnel22457 st-tun-create-notif 200 rekey-tunnel -
TUNNEL IF NAME  TUNNEL NAME                                   TUNNEL ID  FQDN                  TUNNEL FSM STATE         LOCATION ID  LOCATION FSM STATE   LAST HTTP REQ     HTTP RESP CODE
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Tunnel100001    site1820851800sys172x16x255x15ifTunnel100001  52615809   [email protected]  add-vpn-credential-info  52615819     location-init-state  get-data-centers  200
Tunnel100002    site1820851800sys172x16x255x15ifTunnel100002  52615814   [email protected]  add-vpn-credential-info  52615819     location-init-state  get-data-centers  200
The following is a sample output of the show sdwan secure-internet-gateway zscaler tunnels command
for automatic GRE tunnels:
Minimum supported release: Cisco IOS XE Catalyst SD-WAN Release 17.9.1a
Device# show sdwan secure-internet-gateway zscaler tunnels
TUNNEL IF NAME  TUNNEL NAME             TUNNEL ID  FQDN  TUNNEL FSM STATE  LOCATION ID  LOCATION FSM STATE   LAST HTTP REQ  HTTP RESP CODE
-----------------------------------------------------------------------------------------------------------------------------------------
Tunnel100512    192.0.2.2_Tunnel100512  102489     n/a   gre-add-tunnel    46206485     location-init-state  activate-req   200
Tunnel100513    192.0.2.2_Tunnel100513  102489     n/a   gre-add-tunnel    46206485     location-init-state  activate-req   200
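The HTTP RESP CODE column above is what the troubleshooting chapter later refers to as the error code that explains a failed tunnel creation. As an added example (not Cisco code and not from this guide), the following Python script parses that table and lists tunnels whose last Zscaler API request did not return HTTP 200. The sample output is constructed: the first two rows copy the output above, and the third row (Tunnel100514 with HTTP 409) is an assumption used only to exercise the failure path.

```python
"""Parse the table printed by 'show sdwan secure-internet-gateway zscaler
tunnels' and list tunnels whose last Zscaler API request did not return
HTTP 200. Added example for this guide, not Cisco code: the sample output
is constructed from the two rows shown above plus a third row (Tunnel100514,
HTTP 409) that is an assumption used to exercise the failure path."""

import re
from typing import Dict, List, Tuple

# Column names in the order the command prints them. Rows are matched by
# their leading 'TunnelNNN' token because the header spans several lines.
COLUMNS = [
    "tunnel_if_name", "tunnel_name", "tunnel_id", "fqdn", "tunnel_fsm_state",
    "location_id", "location_fsm_state", "last_http_req", "http_resp_code",
]

SAMPLE_OUTPUT = """\
Device# show sdwan secure-internet-gateway zscaler tunnels
TUNNEL IF NAME  TUNNEL NAME             TUNNEL ID  FQDN  TUNNEL FSM STATE  LOCATION ID  LOCATION FSM STATE   LAST HTTP REQ  HTTP RESP CODE
-----------------------------------------------------------------------------------------------------------------------------------------
Tunnel100512    192.0.2.2_Tunnel100512  102489     n/a   gre-add-tunnel    46206485     location-init-state  activate-req   200
Tunnel100513    192.0.2.2_Tunnel100513  102489     n/a   gre-add-tunnel    46206485     location-init-state  activate-req   200
Tunnel100514    192.0.2.2_Tunnel100514  102489     n/a   gre-add-tunnel    46206485     location-init-state  activate-req   409
"""

ROW_RE = re.compile(r"^Tunnel\d+\s")


def parse_tunnels(output: str) -> List[Dict[str, str]]:
    """Return one dict per tunnel row; prompt, header and rule lines are skipped."""
    rows = []
    for line in output.splitlines():
        if not ROW_RE.match(line):
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            # Fail loudly: a different field count means the layout changed,
            # and silently shifting columns would hide a bad response code.
            raise ValueError(f"unexpected field count in row: {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def find_problems(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(interface, last request, code) for rows whose last API call failed.
    The request name shows at which provisioning step the failure happened."""
    return [(r["tunnel_if_name"], r["last_http_req"], r["http_resp_code"])
            for r in rows if r["http_resp_code"] != "200"]


if __name__ == "__main__":
    for name, req, code in find_problems(parse_tunnels(SAMPLE_OUTPUT)):
        print(f"{name}: {req} returned HTTP {code}")
```

The same parser works for the IPsec variant of the command, whose rows carry an FQDN instead of n/a, because the FQDN contains no whitespace.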
Troubleshoot Integrating Your Devices With Secure Internet Gateways
Description
By default, a tunnel created using the SIG template pushes the tunnel vrf multiplexing command. For VPN
Interface IPSec templates, from the Application drop-down list, if you choose Secure Internet Gateway,
the command is pushed. However, after you upgrade to Cisco vManage Release 20.3.2, your feature templates
may remove the tunnel vrf multiplexing configuration. This causes your feature templates to fail when
connecting to SIG services or other external services such as cloud security services.
Workaround
Depending on which feature template you want to update, do one of the following:
Cisco VPN Interface Feature Templates
1. In Cisco SD-WAN Manager, edit the template.
2. From the Application drop-down menu, choose Secure Internet Gateway.
3. Save the template.
1. Modify a field, such as the description, that does not affect the configuration.
2. Save the template.
3. Push the template to the device.
Verification
You can run the following command to verify that tunnel vrf multiplexing was added to your templates:
show sdwan running-config interface tunnel Number
Example:
Device#sh sdwan running-config interface | begin Tunnel100001
interface Tunnel100001
ip unnumbered GigabitEthernet1
ip mtu 1400
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel route-via GigabitEthernet1 mandatory
tunnel vrf multiplexing
tunnel protection ipsec profile if-ipsec2-ipsec-profile
exit
Alternatively, you can use the show sdwan secure-internet-gateway zscaler tunnels command to view the
status of the tunnel along with an error code which indicates the reason for the failure of the tunnel creation.
Possible Causes
Tunnel creation fails because the source public IP address may still exist on the Zscaler portal. This happens because the device did not clear its previous tunnels after becoming operational again.
Solution
Delete the existing source public IP address on the Zscaler portal by doing the following:
1. Remove the SIG feature template from the device in Cisco SD-WAN Manager.
2. From the Zscaler portal, choose Administration > Location Management and search for the location
that is associated with the tunnel in the Location tab.
IKE/IPsec Tunnel Failure with Cellular Interface
Problem
An IKE/IPsec tunnel cannot be established when a cellular interface is used as the source interface.
Possible Causes
IKE/IPsec packets may be routed through the incorrect source interface.
Solution
When configuring SIG tunnels, especially over cellular interfaces, we recommend setting the tunnel routing option to preferred rather than mandatory. Using preferred avoids the packet loss that has been observed when mandatory is selected as the routing option for cellular interface-based tunnels.
Here are a few example scenarios to consider when setting up SIG tunnels, particularly with cellular interfaces
in the configuration:
1. Cisco IOS XE Catalyst SD-WAN Device with Single Cellular Interface.
When a cellular interface is active, SIG tunnels will be established as soon as the cellular interface is up.
2. Cisco IOS XE Catalyst SD-WAN Device with Both Broadband and Cellular Interfaces.
• If both Broadband and Cellular interfaces are active:
• SIG tunnels will be active for the broadband interface.
• SIG tunnels will also be active for the cellular interface; however, the cellular interface's IKE/IPsec packets will be routed through the broadband interface.
Here is a sample configuration to address the issue with the IKE/IPsec tunnel not establishing when using the
cellular interface as the source interface.
interface Tunnel16000001
no shutdown
ip unnumbered Cellular0/1/0
ip mtu 1400
tunnel source Cellular0/1/0
tunnel destination dynamic
tunnel mode ipsec ipv4
tunnel protection ipsec profile if-ipsec1-ipsec-profile
tunnel vrf multiplexing
tunnel route-via Cellular0/1/0 preferred
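Both problems in this chapter (a SIG tunnel that lost tunnel vrf multiplexing after a template upgrade, and a cellular-sourced tunnel using tunnel route-via ... mandatory) are visible in the running configuration. As an added example (not Cisco code and not from this guide), the following Python script audits the tunnel interfaces in running-config text for exactly those two conditions. The sample configuration is constructed: Tunnel100001 and Tunnel16000001 copy the two examples in this chapter, while Tunnel100002 and Tunnel16000002 are assumed faulty variants.

```python
"""Audit SIG tunnel interfaces in IOS XE running-config text for the two
misconfigurations described in this chapter:
  1. an automatic SIG tunnel without 'tunnel vrf multiplexing', and
  2. a cellular-sourced tunnel with 'tunnel route-via ... mandatory'
     instead of 'preferred'.
Added example for this guide, not Cisco code. The config below is
constructed: Tunnel100001 and Tunnel16000001 copy the guide's examples,
Tunnel100002 and Tunnel16000002 are assumed faulty variants."""

from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
interface Tunnel100001
 ip unnumbered GigabitEthernet1
 ip mtu 1400
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel route-via GigabitEthernet1 mandatory
 tunnel vrf multiplexing
 tunnel protection ipsec profile if-ipsec2-ipsec-profile
exit
interface Tunnel16000001
 no shutdown
 ip unnumbered Cellular0/1/0
 ip mtu 1400
 tunnel source Cellular0/1/0
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile if-ipsec1-ipsec-profile
 tunnel vrf multiplexing
 tunnel route-via Cellular0/1/0 preferred
exit
interface Tunnel100002
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel route-via GigabitEthernet1 mandatory
 tunnel protection ipsec profile if-ipsec2-ipsec-profile
exit
interface Tunnel16000002
 ip unnumbered Cellular0/1/0
 tunnel source Cellular0/1/0
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel vrf multiplexing
 tunnel route-via Cellular0/1/0 mandatory
exit
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its list of sub-commands (whitespace stripped)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("exit", "!"):
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def is_sig_tunnel(cmds: List[str]) -> bool:
    """Automatic SIG tunnels are IPsec tunnels with a dynamic destination."""
    return "tunnel mode ipsec ipv4" in cmds and "tunnel destination dynamic" in cmds


def audit_sig_tunnels(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for SIG tunnels that need attention."""
    findings: List[Tuple[str, str]] = []
    for name, cmds in parse_interfaces(config).items():
        if not is_sig_tunnel(cmds):
            continue
        if "tunnel vrf multiplexing" not in cmds:
            findings.append((name, "missing 'tunnel vrf multiplexing'"))
        source = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), "")
        route_via = next((c for c in cmds if c.startswith("tunnel route-via ")), "")
        if source.startswith("Cellular") and route_via.endswith(" mandatory"):
            findings.append((name, "cellular source with 'route-via ... mandatory'; use 'preferred'"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_sig_tunnels(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```

Feed it the output of show sdwan running-config interface (the prompt line is ignored) after a template push to confirm that the workaround above actually restored the command on every SIG tunnel.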
CHAPTER 13
Integrate Your Devices with Secure Service Edge
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature: Cisco Secure Access Integration
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1
Description: Cisco Secure Access is a cloud Security Service Edge (SSE) solution that provides seamless, transparent, and secure Direct Internet Access (DIA). This feature supports Cisco Secure Access integration through policy groups in Cisco SD-WAN Manager.
Create Cisco Secure Access Credentials
Workflow for Cisco Secure Access Integration with Cisco Catalyst SD-WAN:
1. Create Cisco Secure Access credentials in the Administrator > Settings page.
2. Create automatic tunnels to Cisco Secure Access using Configuration > Policy Groups.
3. Redirect traffic to Cisco Secure Access using service route or policy groups.
Field Description
Click Add.
Monitor Cisco Secure Access Tunnels using CLI
***************************************
SSE Instance Cisco-Secure-Access
***************************************
Tunnel name : Tunnel15000001
Site id: 2678135102
Tunnel id: 617865691
SSE tunnel name: C8K-63a9b72b-f1fa-4973-a323-c36861cf59ee
HA role: Active
Local state: Up
Tracker state: Up
Destination Data Center: 52.42.220.205
Tunnel type: IPSEC
Provider name: Cisco Secure Access
*******************************************
TUNNEL DB ALL
*******************************************
*******************************************
SERVICE ROUTE LIST ALL
*******************************************
Monitor SIG/SSE Tunnels
2. (Optional) Click a section of the donut chart to view detailed information about tunnels having a particular
status.
Cisco SD-WAN Manager displays detailed information about the tunnels in the SIG/SSE Tunnels
dashboard.
3. (Optional) Click All SIG/SSE Tunnels to view the SIG/SSE Tunnels dashboard.
Field Description
Tunnel Name Unique name for the tunnel that can be used to identify the tunnel at both the local and remote ends. On the SIG provider portal, you can use the tunnel name to find details about a particular tunnel.
Destination Data Center SIG/SSE provider data center to which the tunnel is connected.
Note: This feature is supported for Cisco Umbrella SIG endpoints and it is yet to be supported for Zscaler ZIA Public Service Edges.
3. (Optional) By default, the table displays information for the past 24 hours. To modify the time period,
hover the mouse pointer over 24 Hours and choose a desired time period from the drop-down list.
4. (Optional) To download a CSV file containing the table data, click Export.
The file is downloaded to your browser's default download location.
5. (Optional) Hide or display table columns: Click on the gear icon adjacent to Export to display the Table
Settings slide-in pane. Toggle the columns that you wish to display or hide and click Apply.
CHAPTER 14
GRE Over IPsec Tunnels
Feature: GRE Over IPsec Tunnels Between Cisco IOS XE Devices
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, Cisco vManage Release 20.7.1
Description: This feature allows you to set up GRE over IPsec tunnels with IKEv2 RSA-SIG authentication on Cisco IOS XE Catalyst SD-WAN devices in the controller mode to connect to Cisco IOS XE devices in the autonomous mode. This setup enables Cisco IOS XE Catalyst SD-WAN devices to use OSPFv3 as the dynamic routing protocol and multicast traffic across the WAN network. You can configure GRE over IPsec tunnels using the CLI device templates in Cisco SD-WAN Manager for Cisco IOS XE Catalyst SD-WAN devices.
Feature: IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN and Third-Party Devices
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a
Description: This feature allows you to configure an IPv6 GRE or IPsec tunnel from a Cisco IOS XE Catalyst SD-WAN device to a third-party device over a service VPN.
• GRE Over IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices, on page 294
• IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices, on page 300
Prerequisites for GRE Over IPsec Tunnels Between Cisco IOS XE Devices
To configure GRE over IPsec tunnels, use Internet Key Exchange Version 2 (IKEv2) protocol, and RSA
Signature as the authentication method.
Restrictions for GRE Over IPsec Tunnels Between Cisco IOS XE Devices
• IPv6 addresses for IPsec tunnel source are not supported.
• You cannot configure GRE Over IPsec tunnels between Cisco IOS XE devices using Cisco SD-WAN
Manager GUI.
Use Case for GRE Over IPsec Tunnels Between Cisco IOS XE Devices
In this sample topology, there are Cisco IOS XE devices that are located in different data centers and branches.
Two Cisco IOS XE devices in the controller mode are located in the Cisco Catalyst SD-WAN network, one
in a data center and another in a branch. The other two Cisco IOS XE devices in the autonomous mode are
located in a non-SD-WAN network. A GRE over IPsec tunnel is configured to connect the Cisco IOS XE
devices from the branch on the Cisco Catalyst SD-WAN network to the data center located in the non-SD-WAN
network.
Note Ensure that the tunnel source is configured with the global VPN for the WAN side and the tunnel VRF
configured with the service VPN for the Service side.
Note: Add the crypto pki trustpoint configuration command explicitly in the Cisco SD-WAN Manager CLI template.
Configure GRE Over IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN
Devices Using the CLI
This section provides example CLI configurations to configure GRE over IPsec tunnels for Cisco IOS XE
Catalyst SD-WAN devices in the controller mode.
Install Certification Authentication
Import the pkcs12 file on the Cisco IOS XE Catalyst SD-WAN device using the crypto pki import command.
Device# crypto pki import trustpoint_name pkcs12 bootflash:certificate_name password cisco
Execute the crypto pki trustpoint command to reconfigure the Cisco IOS XE Catalyst SD-WAN device.
interface Tunnel100
no shutdown
vrf forwarding 11
ip address 10.10.100.1 255.255.255.0
ipv6 address 2001:DB8:0:ABCD::1
ipv6 enable
ospfv3 100 ipv4 area 0
ospfv3 100 ipv6 area 0
tunnel source GigabitEthernet4
tunnel destination 10.0.21.16
tunnel path-mtu-discovery
tunnel protection ipsec profile ikev2_TP
exit
!
crypto ikev2 policy policy1-global
proposal p1-global
!
crypto ikev2 profile cisco
authentication local rsa-sig
authentication remote rsa-sig
identity local dn
match address local 10.0.20.15
match fvrf any
match identity remote any
pki trustpoint TRUST_POINT_100
!
crypto ikev2 proposal p1-global
encryption aes-cbc-128 aes-cbc-256
group 14 15 16
integrity sha1 sha256 sha384 sha512
!
crypto ipsec transform-set transform-set-v4 esp-gcm 256
mode transport/tunnel
!
crypto ipsec profile ikev2_TP
set ikev2-profile cisco
set pfs group16
set transform-set transform-set-v4
set security-association lifetime kilobytes disable
set security-association replay window-size 512
!
crypto pki trustpoint TRUST_POINT_100
enrollment pkcs12
revocation-check none
rsakeypair TRUST_POINT_100
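The IKEv2 proposal, IPsec profile and trustpoint above decide what a peer can negotiate and how its certificate is trusted, so they are worth checking mechanically before the CLI template is pushed. As an added example (not Cisco code and not from this guide), the following Python script parses those crypto blocks and reports the settings a reviewer would look at: integrity or encryption transforms generally considered weak (SHA-1, MD5, DES, 3DES) that a peer could still negotiate, DH groups below 14, an IPsec profile with no PFS group, match identity remote any (any certificate chaining to the trustpoint is accepted), and revocation-check none. The sample reproduces the crypto blocks above with mode tunnel chosen where the guide shows transport/tunnel, plus a constructed proposal named legacy-constructed that exists only to exercise the weak-algorithm checks.

```python
"""Audit the IKEv2/IPsec/PKI blocks of an IOS XE configuration and report
settings a reviewer should look at. Added example for this guide, not
Cisco code. The sample reproduces the guide's crypto blocks ('mode tunnel'
chosen where the guide shows 'transport/tunnel') plus one constructed
proposal, 'legacy-constructed', that exists only to exercise the checks."""

from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
crypto ikev2 profile cisco
 authentication local rsa-sig
 authentication remote rsa-sig
 identity local dn
 match address local 10.0.20.15
 match fvrf any
 match identity remote any
 pki trustpoint TRUST_POINT_100
!
crypto ikev2 proposal p1-global
 encryption aes-cbc-128 aes-cbc-256
 group 14 15 16
 integrity sha1 sha256 sha384 sha512
!
crypto ikev2 proposal legacy-constructed
 encryption 3des
 group 2
 integrity md5
!
crypto ipsec transform-set transform-set-v4 esp-gcm 256
 mode tunnel
!
crypto ipsec profile ikev2_TP
 set ikev2-profile cisco
 set pfs group16
 set transform-set transform-set-v4
 set security-association lifetime kilobytes disable
 set security-association replay window-size 512
!
crypto pki trustpoint TRUST_POINT_100
 enrollment pkcs12
 revocation-check none
 rsakeypair TRUST_POINT_100
"""

WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_ENCRYPTION = {"des", "3des"}
MIN_DH_GROUP = 14  # 2048-bit MODP; smaller groups are generally considered weak


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to its indented sub-commands; '!' ends a block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit_crypto(config: str) -> List[Tuple[str, str]]:
    """Return (block name, finding) pairs in configuration order."""
    findings: List[Tuple[str, str]] = []
    for header, cmds in parse_blocks(config).items():
        words = header.split()
        name = words[3] if len(words) > 3 else header
        if header.startswith("crypto ikev2 proposal "):
            for cmd in cmds:
                kind, *values = cmd.split()
                weak = set()
                if kind == "integrity":
                    weak = WEAK_INTEGRITY & set(values)
                elif kind == "encryption":
                    weak = WEAK_ENCRYPTION & set(values)
                elif kind == "group" and any(int(g) < MIN_DH_GROUP for g in values):
                    findings.append((name, "DH group below 14 is negotiable"))
                if weak:
                    findings.append((name, f"weak {kind} negotiable: {sorted(weak)}"))
        elif header.startswith("crypto ikev2 profile "):
            if "match identity remote any" in cmds:
                findings.append((name, "any peer identity accepted; trust rests on the trustpoint CA alone"))
        elif header.startswith("crypto ipsec profile "):
            if not any(c.startswith("set pfs ") for c in cmds):
                findings.append((name, "no PFS group set"))
        elif header.startswith("crypto pki trustpoint "):
            if "revocation-check none" in cmds:
                findings.append((name, "certificate revocation checking disabled"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_crypto(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```

On the guide's own blocks the script reports only that sha1 remains negotiable in p1-global, that the profile accepts any peer identity from the trustpoint's CA, and that revocation checking is off; whether each of those is acceptable depends on the CA and the peers the tunnel is meant to reach.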
Note The configurations for GRE over IPsec tunnels for Cisco IOS XE devices in the autonomous mode are the
same as in the controller mode shown above.
Furthermore, the steps to install certification authentication for Cisco IOS XE devices in the autonomous mode are the same as for Cisco IOS XE Catalyst SD-WAN devices, and there is no requirement for you to reconfigure crypto pki trustpoint explicitly on the Cisco IOS XE devices in the autonomous mode.
Monitor GRE Over IPsec Tunnels Between Cisco IOS XE Devices Using the CLI
Example 1
The following is sample output from the show crypto pki certificates command using the optional
trustpoint-name argument and verbose keyword. The output shows the certificate of a device and the certificate
of the CA. In this example, general-purpose RSA key pairs are previously generated, and a certificate is
requested and received for the key pair.
Device# show crypto pki certificates verbose TRUST_POINT_100
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 31
Certificate Usage: General Purpose
Issuer:
o=CRDC
ou=CRDC-Lab
cn=vCisco-CA
Subject:
Name: ROUTER1
cn=ROUTER1
o=Internet Widgits Pty Ltd
st=Some-State
c=AU
Validity Date:
start date: 12:57:14 UTC Jul 24 2021
end date: 12:57:14 UTC Jul 22 2031
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
o=CRDC
ou=CRDC-Lab
cn=vCisco-CA
Subject:
o=CRDC
ou=CRDC-Lab
cn=vCisco-CA
Validity Date:
start date: 13:41:14 UTC Feb 9 2018
end date: 13:41:14 UTC Feb 9 2038
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 5ECA97DB 97FF1B95 DFEEB8FB DAB6656F
Fingerprint SHA1: 73A7E91E 3AB12ABE 746348E4 A0E21BE3 8413130C
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 91C2776C 651DF253 08FA9614 D2082F99 BEBF0B00
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 91C2776C 651DF253 08FA9614 D2082F99 BEBF0B00
Authority Info Access:
Cert install time: 08:29:23 UTC Oct 21 2021
Associated Trustpoints: TRUST_POINT_ex TRUST_POINT_100
Storage: nvram:CRDC#1CA.cer
Example 2
The following is sample output from the show crypto ipsec sa command to display the settings used by IPsec
security associations.
Device# show crypto ipsec sa
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.0.20.15
protected vrf: 11
local ident (addr/mask/prot/port): (10.0.20.15/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.0.21.16/255.255.255.255/47/0)
current_peer 10.0.21.16 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2674, #pkts encrypt: 2674, #pkts digest: 2674
#pkts decaps: 2677, #pkts decrypt: 2677, #pkts verify: 2677
inbound ah sas:
outbound ah sas:
Example 3
The following example shows the show crypto session detail command output that displays the status
information for active crypto sessions.
Device# show crypto session detail
Crypto session current status
Interface: Tunnel100
Profile: cisco
Uptime: 03:59:01
Session status: UP-ACTIVE
Peer: 10.0.21.16 port 500 fvrf: (none) ivrf: 11
Phase1_id: cn=ROUTER2,o=Internet Widgits Pty Ltd,st=Some-State,c=AU
Desc: (none)
Session ID: 1780
IKEv2 SA: local 10.0.20.15/500 remote 10.0.21.16/500 Active
Example 4
The following is sample output from the show crypto key mypubkey rsa command that displays the RSA
public keys of your device.
Device# show crypto key mypubkey rsa
Key name: TRUST_POINT_100
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00B4E83F ABAE87DC DB7ACBB2 844F5FD6 FF2E9E02 DE49A302 D3D7884F 0B26EE6A
D3D56275 4D733A4F 5D974061 CE8FB520 54276D6D 3B132C82 EB8A3C24 115F77F5
C38740CE 1BBD89DB 3F766728 649B63FC 2C40C3AD 251656A1 BAF8341E 1736F03D
0A0D15AF 0E9D3E94 4E2074C7 BA572CA3 95B3D664 916ADA74 281CDE07 B3DD0B42
13289610 32E611AB 2B3B4EB6 0A3573B1 F097AC2A 3720961C 97597201 3CE8171C
F02B99B4 3B7B718F 83E221E1 E172554D C2BEA127 93882766 A28C5E8C 4B83BDC5
A161597D 2C3D8E13 3BE00D8F 02D0AD55 962DF402 599580A6 F049DBF4 045D751B
A8932156 10B29D9F 037AB33F C1FC463D E59E014C 27660223 546A8B3A E6997713
CF020301 0001
% Key pair was generated at: 00:22:51 UTC Oct 27 2021
Restrictions for IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices
• This feature is configurable only through the device CLI template. Feature templates are not supported.
• Feature parcel is not supported.
• Dual stack is not supported for IPsec SVTI tunnels but supported for GRE tunnels.
• A loopback interface name is not supported as the tunnel source. When you use a loopback interface as the tunnel source, you must enter its IPv4 or IPv6 address in the tunnel source field. You can enter an interface name in the tunnel source field for a physical interface or a subinterface.
Supported Devices for IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices
Table 71: Supported Devices and Releases
Release: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a and later
Supported Devices:
• Cisco Catalyst 8300 Series Edge Platforms
• Cisco Catalyst 8500 Series Edge Platforms
• Cisco Catalyst 8500L Edge Platforms
• Cisco Catalyst 8000V Edge Software
• Cisco ASR 1001-HX Router
• Cisco ASR 1002-HX Router
• Cisco ISR1100 Series Routers
• Cisco 4461 Integrated Services Router
Configure IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices Using a CLI Template
Configure a Common Source Interface
This section provides an example CLI configuration to configure a common source interface.
1. Enter the global configuration mode.
configure terminal
exit
Here's the complete configuration example for configuring a common source interface.
interface GigabitEthernet5
no shutdown
ip address 209.165.202.129 255.255.255.0
ipv6 address 2001:DB8:202::129/64
exit
interface Loopback0
no shutdown
ip address 209.165.201.1 255.255.255.0
ipv6 address 2001:DB8:201::1/64
exit
4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration
mode.
vrf forwarding 1
5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
ipv6 address 2001:DB8:64::1/64
6. Set the source address for the tunnel interface in interface configuration mode.
tunnel source 209.165.202.129
7. Set the destination address for the GRE tunnel interface in interface configuration mode.
tunnel destination 209.165.202.158
8. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the
mandatory keyword and if the route is not available, the traffic drops.
tunnel route-via GigabitEthernet5 mandatory
Here's the complete configuration example for configuring an IPv6 GRE tunnel over IPv4 underlay.
interface Tunnel64
no shutdown
vrf forwarding 1
ipv6 address 2001:DB8:64::1/64
tunnel source 209.165.202.129
tunnel destination 209.165.202.158
tunnel route-via GigabitEthernet5 mandatory
4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration
mode.
vrf forwarding 1
5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
ipv6 address 2001:DB8:166::1/64
6. Set the source address for the tunnel interface in interface configuration mode.
tunnel source 2001:DB8:15::15
7. Set the destination address for the GRE tunnel interface in interface configuration mode.
tunnel destination 2001:DB8:15::16
8. Set the encapsulation mode for the tunnel interface, in interface configuration mode.
tunnel mode gre ipv6
9. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the
mandatory keyword and if the route is not available, the traffic drops.
tunnel route-via GigabitEthernet5 mandatory
Here's the complete configuration example for configuring an IPv6 GRE tunnel over IPv6 underlay.
interface Tunnel66
no shutdown
vrf forwarding 1
ipv6 address 2001:DB8:66::1/64
tunnel source 2001:DB8:15::15
tunnel destination 2001:DB8:15::16
tunnel mode gre ipv6
tunnel route-via GigabitEthernet5 mandatory
4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration
mode.
vrf forwarding 1
5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
ipv6 address 2001:DB8:164::1/64
6. Set the source address for the tunnel interface in interface configuration mode.
tunnel source 209.165.202.129
7. Set the destination address for the IPsec tunnel interface in interface configuration mode.
tunnel destination 209.165.202.158
8. Set the encapsulation mode for the tunnel interface, in interface configuration mode.
tunnel mode ipsec ipv4 v6-overlay
10. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the
mandatory keyword and if the route is not available, the traffic drops.
tunnel route-via GigabitEthernet5 mandatory
Here's the complete configuration example for configuring an IPsec IPv6 tunnel over IPv4 underlay.
interface Tunnel164
no shutdown
vrf forwarding 1
ipv6 address 2001:DB8:164::1/64
tunnel source 209.165.202.129
tunnel destination 209.165.202.158
tunnel mode ipsec ipv4 v6-overlay
tunnel protection ipsec profile if-ipsec1-ipsec-profile164
tunnel route-via GigabitEthernet5 mandatory
configure terminal
4. Associate a VRF instance or a virtual network with an interface or subinterface in interface configuration
mode.
vrf forwarding 1
5. Configure the IPv6 address and enable IPv6 processing on an interface in interface configuration mode.
ipv6 address 2001:DB8:166::1/64
6. Set the source address for the tunnel interface in interface configuration mode.
tunnel source 2001:DB8:15::15
7. Set the destination address for the IPsec tunnel interface in interface configuration mode.
tunnel destination 2001:DB8:15::16
8. Set the encapsulation mode for the tunnel interface, in interface configuration mode.
tunnel mode ipsec ipv6
10. Specify the outgoing interface of the tunnel transport in interface configuration mode. If you use the
mandatory keyword and if the route is not available, the traffic drops.
tunnel route-via GigabitEthernet5 mandatory
Here's the complete configuration example for configuring an IPsec IPv6 tunnel over IPv6 underlay.
interface Tunnel166
no shutdown
vrf forwarding 1
ipv6 address 2001:DB8:166::1/64
tunnel source 2001:DB8:15::15
tunnel destination 2001:DB8:15::16
tunnel mode ipsec ipv6
tunnel protection ipsec profile if-ipsec1-ipsec-profile166
tunnel route-via GigabitEthernet5 mandatory
Verify IPv6 GRE or IPsec Tunnels Between Cisco IOS XE Catalyst SD-WAN Devices and Third-Party Devices
The following is a sample output from the show run interface type/number command.
Device#show run interface tunnel 164
interface Tunnel164
no shutdown
vrf forwarding 1
ipv6 address 2001:DB8:164::1/64
tunnel source 209.165.202.129
tunnel destination 209.165.202.158
The following is a sample output from the show adjacency tunnel164 internal command.
Device#show adjacency tunnel164 internal
Protocol Interface Address
IPV6 Tunnel164 point2point(7)
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 14
empty encap string
P2P-ADJ
Next chain element:
IP adj out of GigabitEthernet5, addr 209.165.202.158
718424FDE3D8
parent oce 0x718424FDE498
frame originated locally (Null0)
L3 mtu 1500
Flags (0x5938C4)
Fixup enabled (0x400000)
IPSec tunnel
HWIDB/IDB pointers 0x71842EA25C50/0x71842EA30E90
IP redirect enabled
Switching vector: IPv6 midchain adjacency oce
Post encap features: IPSEC Post-encap output classification
Protocol Interface Address
Next-hop cannot be inferred
IOSXE-RP Inject sbublock:
pak transmitted 14
last inject at 00:00:02 ago
IP Tunnel stack to 209.165.202.158 in Default (0x0)
nh tracking enabled: 209.165.202.158/32
route-via enabled: GigabitEthernet5 (mandatory)
IP adj out of GigabitEthernet5, addr 209.165.202.158
Platform adj-id: 0xF80001D7, 0x0, tun_qos_dpidx:0
Adjacency pointer 0x718424FDD8E8
Next-hop unknown
CHAPTER 15
Security Virtual Image
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Cisco SD-WAN Manager uses a Security Virtual Image to enable security features such as Intrusion Prevention
System (IPS), Intrusion Detection System (IDS), URL Filtering (URL-F), and Advanced Malware Protection
(AMP) on Cisco IOS XE Catalyst SD-WAN Devices. These features enable application hosting, real-time
traffic analysis, and packet logging on IP networks. Once the image file is uploaded to the Cisco SD-WAN
Manager Software Repository, you can create policy, profile, and device templates that will push the policies
and updates to the correct devices automatically.
Before you use these features, you must first install and configure IPS/IDS, URL-F, or AMP security policies,
and then upload the relevant Security Virtual Image to Cisco SD-WAN Manager. After upgrading the software
on the device, you must also upgrade the Security Virtual Image.
This chapter describes how to perform these tasks.
• Install and Configure IPS/IDS, URL-F, or AMP Security Policies, on page 307
• Identify the Recommended Security Virtual Image Version, on page 310
• Upload the Cisco Security Virtual Image to Cisco SD-WAN Manager, on page 310
• Upgrade a Security Virtual Image, on page 311
Install and Configure IPS/IDS, URL-F, or AMP Security Policies
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. From the Select Devices list, choose the devices that you want to associate with the template.
4. Under Basic Information, click Security App Hosting.
5. Enter Template Name and Description.
6. Under Security Policy Parameters, customize the security policy parameters if required.
• Enable or disable the Network Address Translation (NAT) feature, based on your use case. By default,
NAT is on.
• Click the drop-down arrow to set boundaries for the policy. The default is Default.
Global: Enables NAT for all devices attached to the template.
Device Specific: Enables NAT only for specified devices. If you select Device Specific, enter the
name of a device key.
Default: Enables the default NAT policy for devices attached to the template.
• Set Resource Profile. This option sets the number of Snort instances to be used on a router. The
default is Low, which indicates one Snort instance; Medium indicates two instances and High indicates
three instances.
• Click the drop-down arrow to set boundaries for the resource profile. The default is Global.
Global: Enables the selected resource profile for all devices attached to the template.
Device Specific: Enables the profile only for specified devices. If you select Device Specific, enter
the name of a device key.
Default: Enables the default resource profile for devices attached to the template.
7. Set Download URL Database on Device to Yes if you want to download the URL-F database on the
device. In this case, the device looks up in the local database before trying the cloud lookup.
8. Click Save.
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. From the Device Model drop-down list, choose the device model.
4. From the Device Role drop-down list, choose the device role.
5. Enter Template Name and Description.
6. Scroll down the page to the configuration submenus that let you select an existing template, create a new
template, or view the existing template. For example, to create a new System template, click Create
Template.
Note In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
3. In the row of the desired device template, click ... and choose Attach Devices.
4. In the Attach Devices window, select the desired devices from the Available Devices list, and click the
right-pointing arrow to move them to the Selected Devices list.
5. Click Attach.
Identify the Recommended Security Virtual Image Version
Step 1 From the Cisco SD-WAN Manager menu, choose Monitor > Devices.
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose Monitor > Network.
Step 4 Scroll to the end of the device menu, and click Real Time.
The System Information page displays.
Step 5 Click the Device Options field, and choose Security App Version Status from the menu.
Step 6 The image name is displayed in the Recommended Version column. It should match the available SVI for your router
from the Cisco downloads website.
Step 1 From the Software Download page for your router, locate the image UTD Engine for IOS XE SD-WAN.
Step 2 Click download to download the image file.
Step 3 From the Cisco SD-WAN Manager menu, choose Maintenance > Software Repository
Step 4 Choose Virtual Images.
Step 5 Click Upload Virtual Image, and choose either vManage or Remote Server – vManage. The Upload Virtual Image
to vManage window opens.
Step 6 Drag and drop, or browse to the image file.
Step 7 Click Upload. When the upload completes, a confirmation message displays. The new virtual image displays in the
Virtual Images Software Repository.
Upgrade a Security Virtual Image
Note During the UTD Virtual image upgrade, the IPS signature file is installed with version 29.0C, which is the
default packaging within the UTD tar container. If the IPS Signature Update option is enabled, the matching
IPS signature package is automatically updated as a part of the upgrade. You can enable the setting from
Administration > Settings > IPS Signature Update.
To upgrade the application hosting virtual image for a device, follow these steps:
Step 1 Follow the steps in Upload the Correct Cisco Security Virtual Image to vManage to download the recommended
version of the SVI for your router. Note the version name.
Step 2 From the Cisco SD-WAN Manager menu, choose Maintenance > Software Repository > Virtual Images to verify that
the image version listed under the Recommended Version column matches a virtual image listed in the Virtual Images
table.
Step 3 From the Cisco SD-WAN Manager menu, choose Maintenance > Software Upgrade. The WAN Edge Software upgrade
page displays.
Step 4 Choose the devices you want to upgrade, and check the check boxes in the leftmost column. When you have chosen one
or more devices, a row of options displays, as well as the number of rows you chose.
Step 5 When you are satisfied with your choices, choose Upgrade Virtual Image from the options menu. The Virtual Image
Upgrade dialog box displays.
Step 6 For each device you have chosen, choose the correct upgrade version from the Upgrade to Version drop-down menu.
Step 7 When you have chosen an upgrade version for each device, click Upgrade. When the update completes, a confirmation
message displays.
CHAPTER 16
IPsec Pairwise Keys
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature Name: Secure Communication Using Pairwise IPsec Keys
Release Information: Cisco IOS XE Catalyst SD-WAN Release 16.12.1b
Description: This feature allows you to create and install private pairwise IPsec session keys for secure communication between an IPsec device and its peers.
The IPsec pairwise keys feature implements a controller-based key exchange protocol between a device and a
controller.
Controller-based key exchange protocol is used to create a Gateway-to-Gateway VPN (RFC7018) in either
a full-mesh topology or dynamic full-mesh topology.
The network devices set up a protected control-plane connection to the controller. The controller distributes
policies to network devices. The network devices, in turn, communicate with each other through a secure data
plane.
A pair of IPsec session keys (one encryption key and one decryption key) are configured for each pair of local
and remote transport locations (TLOC).
• Supported Platforms, on page 314
• Pairwise Keys, on page 314
• IPsec Security Association Rekey, on page 314
• Configure IPSec Pairwise Keys, on page 315
Supported Platforms
The following platforms are supported for IPSec Pairwise Keys feature:
• Cisco IOS XE Catalyst SD-WAN devices
• Cisco vEdge devices
Pairwise Keys
A key exchange method combined with authentication policies facilitates pairwise key creation between two
network devices. You use a controller to distribute keying material and policies between network devices.
The devices generate private pairwise keys with each other.
IPsec devices share public keys from the Diffie-Hellman (DH) algorithm with the controllers. The controllers
relay the DH public keys to authorized peers of the IPsec device as defined by the centralized policy.
Network devices create and install private pairwise IPsec session keys to secure communication with their
peers.
Note • A pairwise-key device can form IPsec sessions with both pairwise and nonpairwise devices.
• The rekeying process requires higher control plane CPU usage, resulting in lower session scaling.
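The exchange described above, modelled as an added Python example (not Cisco code): each edge device keeps its DH private key, the controller relays only public keys and only to peers the centralized policy authorizes, and every pair of TLOCs ends up with one encryption key and one decryption key. The toy DH group, the HKDF key schedule and the direction labels are assumptions made so the model runs with the standard library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman group (a small Mersenne prime) so the model runs with the
# standard library alone. It is NOT a secure group; it stands in for the DH
# group real devices use and is a constructed placeholder.
P = 2**61 - 1
G = 5

TLOC = tuple  # (system IP, color), as in the "show sdwan ipsec pwk" output


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an empty salt; using it as the key schedule is an assumption."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def direction_label(src: TLOC, dst: TLOC) -> bytes:
    """Binds a derived key to one direction between one pair of TLOCs."""
    return f"pwk|{src[0]}|{src[1]}->{dst[0]}|{dst[1]}".encode()


@dataclass
class EdgeDevice:
    tloc: TLOC
    _priv: int = field(repr=False)  # never leaves the device
    pub: int
    peer_pubs: dict = field(default_factory=dict)  # filled in by the controller

    @classmethod
    def new(cls, system_ip: str, color: str) -> "EdgeDevice":
        priv = secrets.randbelow(P - 3) + 2
        return cls((system_ip, color), priv, pow(G, priv, P))

    def session_keys(self, peer: TLOC) -> tuple:
        """(encryption key, decryption key) for the SA pair toward peer.

        Raises KeyError when the controller never relayed peer's public key,
        i.e. the centralized policy does not authorize this pair.
        """
        shared = pow(self.peer_pubs[peer], self._priv, P).to_bytes(8, "big")
        enc = hkdf_sha256(shared, direction_label(self.tloc, peer))
        dec = hkdf_sha256(shared, direction_label(peer, self.tloc))
        return enc, dec


class Controller:
    """Holds public keys and policy only; it never sees a private or session key."""

    def __init__(self, authorized_pairs):
        self.allowed = {frozenset(p) for p in authorized_pairs}
        self.registered = {}

    def register(self, dev: EdgeDevice) -> None:
        self.registered[dev.tloc] = dev.pub

    def distribute(self, devices) -> None:
        # Relay each public key only to peers the policy authorizes.
        for dev in devices:
            for tloc, pub in self.registered.items():
                if tloc != dev.tloc and frozenset({dev.tloc, tloc}) in self.allowed:
                    dev.peer_pubs[tloc] = pub


def keys_agree(a: EdgeDevice, b: EdgeDevice) -> bool:
    """True when a's encryption key equals b's decryption key and vice versa."""
    a_enc, a_dec = a.session_keys(b.tloc)
    b_enc, b_dec = b.session_keys(a.tloc)
    return a_enc == b_dec and a_dec == b_enc and a_enc != a_dec


def demo():
    # Constructed topology using the TLOCs shown in the verification output below.
    lte = EdgeDevice.new("10.1.0.2", "lte")
    priv1 = EdgeDevice.new("10.1.0.1", "private1")
    dflt = EdgeDevice.new("10.1.0.6", "default")
    # Policy: lte may peer with both; private1 and default are not authorized peers.
    ctrl = Controller([(lte.tloc, priv1.tloc), (lte.tloc, dflt.tloc)])
    for dev in (lte, priv1, dflt):
        ctrl.register(dev)
    ctrl.distribute([lte, priv1, dflt])
    return lte, priv1, dflt


if __name__ == "__main__":
    lte, priv1, dflt = demo()
    print("lte<->private1 keys agree:", keys_agree(lte, priv1))
    print("private1 holds default's public key:", dflt.tloc in priv1.peer_pubs)
```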
Configure IPSec Pairwise Keys
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. From the Device Model drop-down menu, choose the type of device for which you are creating the
template.
4. From Basic Information, click Cisco Security feature template.
5. From Basic Configuration, click On or Off from the IPsec pairwise-keying field.
6. Alternatively, enter the pairwise key specific to the device in the Enter Key field.
7. Click Save.
Note You must reboot the Cisco IOS XE Catalyst SD-WAN device for the private-key configuration to take effect.
Cisco Catalyst SD-WAN Security Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x
315
IPsec Pairwise Keys
Verify IPsec Pairwise Keys on a Cisco IOS XE Catalyst SD-WAN Device
Use the following command to verify the inbound connections on IPsec pairwise keys:
Device# show sdwan ipsec pwk inbound-connections
SOURCE
DEST LOCAL LOCAL REMOTE REMOTE
SA PKEY NONCE PKEY SS D-KEY AH
SOURCE IP PORT DEST IP
PORT TLOC ADDRESS TLOC COLOR TLOC ADDRESS TLOC COLOR PWK-SPI
INDEX ID HASH HASH HASH HASH AUTH
----------------------------------------+--------+----------------------------------------+--------+----------------+----------------+----------------+----------------+---------+------+------+------+------+------+------+----
192.168.90.3 12346 10.168.11.3
12346 10.1.0.2 lte 10.1.0.1 private1 000000
2 1 5605 70C7 17B0 F5A5 true
192.168.92.6 12346 10.168.11.3
12346 10.1.0.2 lte 10.1.0.6 default 00100B
52 1 5605 70C7 CCC2 C9E1 true
192.168.90.3 12346 10.168.12.3
12346 10.1.0.2 blue 10.1.0.1 private1 000000
5 1 B9F9 5C75 17B0 F5A5 true
192.168.92.6 12346 10.168.12.3
12346 10.1.0.2 blue 10.1.0.6 default 00100B
55 1 B9F9 5C75 A0F8 7B6B true
SA
PKEY NONCE PKEY
TLOC-ADDRESS TLOC-COLOR SOURCE-IP SOURCE PORT SPI INDEX ID
---------------+---------------+---------------------------------------+-------+-------+-----+-----+-----+-----
10.1.0.2 lte 10.168.11.3 12346 257 6 1 5605
70C7
10.1.0.2 blue 10.168.12.3 12346 257 3 1 B9F9
5C75
Device# show platform hardware qfp active feature ipsec da spi
0x0000000031fbe380/0x0000000031fbc9a0
7429 117 6 10.168.11.3 12346 192.168.92.6
12346 0x312b9300 0x0000b001/0x0000a001
0x0000000031fbd970/0x0000000031fbb580
Use the following command to display IPsec pairwise keys information on a Cisco IOS XE Catalyst SD-WAN
device:
Device# show sdwan security-info
CHAPTER 17
Configure Single Sign-On
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature Name: Single Sign-On Using Azure Active Directory (AD)
Release Information: Cisco vManage Release 20.8.1
Description: This feature adds support for Azure Active Directory (AD) as an external identity provider (IdP) for single sign-on of Cisco SD-WAN Manager users. You can configure Azure AD as an external IdP using Cisco SD-WAN Manager and the Azure AD administration portal.

Feature Name: Configure Multiple IdPs for Single Sign-On Users of Cisco SD-WAN Manager
Release Information: Cisco vManage Release 20.10.1
Description: With this feature, you can configure up to three IdPs for providing different levels of access for single sign-on users of Cisco SD-WAN Manager.
Information About Single Sign-On
Note Because Cisco SD-WAN Manager supports the SAML2.0 standard, if you deploy an IdP other than those
listed above and it does not work with Cisco SD-WAN Manager as expected, we recommend that you follow
up with the IdP provider to troubleshoot the issue.
Note For Cisco vManage Release 20.3.x through Cisco vManage Release 20.11.x, and for Cisco Catalyst SD-WAN
Manager Release 20.12.1 and later, use IdP SAML metadata with 2048-bit key signature certificate for SSO
authentication because metadata with 1024-bit key signature certificate is not supported.
SSO enables secured access to multiple applications or websites with a single set of credentials. SSO requires
the following components:
• Identity provider (IdP): This system stores user data and maintains and supports the authentication mechanism;
examples are Okta, ADFS, PingID, and Azure AD.
• Service provider: This system hosts the website or application of interest, for example, Cisco SD-WAN
Manager.
• Users: People with a registered account with the IdP and the service provider.
To integrate IdPs with service providers, the SSO uses security assertion mark-up language (SAML). SAML
is an XML-based communication standard that allows you to share identities among multiple organizations
and applications.
The following steps describe the integration of IdPs with service providers:
1. Whenever a network administrator tries to log in to a service provider using an IdP, the service provider
first sends an encrypted message to the IdP.
2. The IdP decrypts the message and validates the credentials of the network administrator by comparing
the information with the IdP's database.
3. After the validation, the IdP sends an encrypted message to the service provider. The service provider
decrypts the message from the IdP, and the administrator is allowed to access the service provider.
4. In general, IdP and service provider exchange information based on predefined standards. This standard
is a set of certificates called SAML.
After completing the above process, the administrator is redirected to the IdP portal. The administrator must
enter IdP credentials to log in to Cisco SD-WAN Manager.
Note The privileges for a particular administrator are provided based on the information available about that
administrator in the IdP's database.
Note Beginning with Cisco vManage Release 20.3.1, Cisco SD-WAN Manager no longer supports MD5 or SHA-1.
All x.509 certificates handled by Cisco SD-WAN Manager need to use at least SHA-256 or a stronger hash
algorithm.
Enable an Identity Provider in Cisco SD-WAN Manager
Note Administrators can set up SSO using a single Entity ID only. Cisco SD-WAN Manager doesn't support more
than one Entity ID while setting up SSO.
6. In the Upload Identity Provider Metadata section, click Select a File to upload the IdP metadata file.
7. Click Save.
Note This procedure involves a third-party website. The details are subject to change.
Note Each IdP application gets a customized URL from Okta for logging in to the Okta website.
Configure SSO on the Okta Website
3. To add Cisco SD-WAN Manager as an SSO application, from the Cisco SD-WAN Manager menu,
click Admin.
4. Check the upper-left corner to ensure that it shows the Classic UI view on Okta.
5. If it shows Developer Console, click the down triangle to choose the Classic UI.
6. Click Add Application under Shortcuts to the right to go to the next window, and then click Create
New Application on the pop-up window.
7. Choose Web for the platform, and choose SAML 2.0 as the Sign on Method.
8. Click Create.
9. Enter a string as Application name.
10. (Optional): Upload a logo, and then click Next.
11. On the SAML Settings for Single sign on URL section, set the value to the samlLoginResponse URL
from the downloaded metadata from Cisco SD-WAN Manager.
12. Check the Use this for Recipient URL and Destination URL check box.
13. Copy the entityID string and paste it in the Audience URI (SP Entity ID) field.
The value can be an IP address or the name of the Cisco SD-WAN Manager site.
14. For Default RelayState, leave empty.
15. For Name ID format, choose EmailAddress.
16. For Application username, choose Okta username.
17. For Show Advanced Settings, enter the fields as indicated below.
Encryption Certificate: Not applicable. To provide it:
a. Copy the encryption certificate from the metadata you downloaded.
b. Go to www.samltool.com and click X.509 CERTS, paste it there, and click Format X.509 Certificate.
c. Remove the last empty line, and then save the output (X.509 cert with header) into a text file named encryption.cer.
d. Upload the file. Mozilla Firefox may not allow you to do the upload; instead, you can use Google Chrome. You should see the certificate information after uploading to Okta.
Assign Users to the Application on the Okta Website
Note It is mandatory to use the two strings, Username and Groups, exactly as shown above. Otherwise, you may
be logged in with the default group of Basic.
Note This procedure involves a third-party website. The details are subject to change.
Import Metadata File into ADFS
Note There is no support for customized certificates for Cisco SD-WAN Manager SSO. If ADFS is configured,
the signature and signing certificates are generated from the Cisco SD-WAN Manager metadata.
For more information on configuring ADFS, see Enable an Identity Provider in Cisco vManage. The steps
are the same as for configuring Okta as an IdP.
Note This procedure involves a third-party website. The details are subject to change.
6. Edit the Cisco SD-WAN Manager metadata file by deleting everything from <ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> to </ds:Signature>.
7. Edit the Cisco SD-WAN Manager metadata file by deleting everything from <md:KeyDescriptor
use="encryption"> to </md:KeyDescriptor>.
8. Import the new modified Cisco SD-WAN Manager metadata file into ADFS, and enter the entityID as
Display Name.
9. Click Next until the end.
10. Open Edit Claim Rule, and add the following four new custom rules in the exact sequence:
@RuleName = "sAMAccountName as Username" c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]=> issue(store = "Active Directory", types
= ("Username"), query = ";sAMAccountName;{0}", param = c.Value);
Add ADFS Relying Party Trust
Note If you are using a different naming convention for the two security groups, then you have to modify the regular
expression value "(?i)^SSO-" in the step above.
Any active directory users who are not members of the two groups will only have Basic access to Cisco
SD-WAN Manager.
Add ADFS Relying Party Trust Manually
5. Navigate to https://www.samltool.com/format_x509cert.php.
6. For Signing certificate, copy Signing certificate from “metadata” [everything between
<ds:X509Certificate> and </ds:X509Certificate>].
7. Navigate to the www.samltool.com page, click X.509 CERTS > Format X.509 Certificate, and paste
the copied content.
8. Save the output (“X.509 cert with header”) into a text file “Signing.cer”. Remember to remove the last
empty line.
Note This procedure involves a third-party website. The details are subject to change.
20. Open the Edit Claim Rules window, and verify that the rules display in Assurance Transform Rules.
21. Click Finish.
22. Open the Properties window of the newly created Relying Party Trust, and click Signature.
23. Click Add, and add the Signing.cer created in Step 6.
24. In the Active Directory, click General, and enter the following two security groups in the Group name
text box:
SSO-Netadmin
SSO-Operator
Note If you use a different naming convention for the two security groups, then you have to modify the Regular
expression value for (?i)^SSO- mentioned in Step 19.
Note Any active directory user who is NOT a member of these two groups, will only have Basic access to Cisco
SD-WAN Manager.
Configure SSO for PingID
• Download the Cisco SD-WAN Manager SAML metadata file to export to PingID.
Configure SSO on the PingID Administration Portal
Prerequisites:
1. In Cisco SD-WAN Manager, ensure that identity provider settings (Administration Settings > Identity
Provider Settings) are set to Enabled.
2. Download the Cisco SD-WAN Manager SAML metadata file to export to PingID.
For more information on these procedures, see Enable an Identity Provider in Cisco SD-WAN Manager.
The steps are the same as for configuring Okta as an IdP.
Note This procedure involves a third-party website. The details are subject to change.
To configure PingID:
1. Log in to the PingID administration portal.
2. Create a username using your email address.
3. Click the Applications.
4. Click Add Application and choose New SAML Application.
In the Application Details section, Application Name, Application Description, and Category are
all required fields.
For logos and icons, PNG is the only accepted graphics format.
5. Click Continue to Next Step.
The Application Configuration section appears.
6. Make sure that you choose I have the SAML configuration.
7. Under the You will need to download this SAML metadata to configure the application section,
configure the following fields:
a. For Signing Certificate, use the drop-down menu, PingOne Account Origination Certificate.
b. Click Download next to SAML Metadata to save the PingOne IdP metadata into a file.
c. Later, you need to import the PingOne IdP metadata file into Cisco SD-WAN Manager to complete
the SSO configuration.
1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.
2. Click Identity Provider Settings > Upload Identity Provider Metadata to import the saved
PingOne IdP metadata file into Cisco SD-WAN Manager.
3. Click Save.
8. Under the Provide SAML details about the application you are connecting to section, configure the
following fields:
a. For Protocol Version, click SAMLv2.0.
b. On Upload Metadata, click Select File to upload the saved Cisco SD-WAN Manager SAML
metadata file to PingID.
PingID should be able to decode the metadata file and fill in the other fields.
c. Verify that the following fields and values are entered correctly.
Configure SSO for IDPs in Cisco SD-WAN Manager Cluster
b. Click Save.
When you log in to the Cisco SD-WAN Manager cluster now, the first instance of Cisco SD-WAN Manager
redirects SSO using an IDP. The second and third instances of the cluster also redirect SSO using IDP.
If the first instance of Cisco SD-WAN Manager cluster or the application server isn't available, the second
and third instances of the cluster try redirecting SSO using an IDP. However, the SSO login fails for the
second and third instances of the Cisco SD-WAN Manager cluster. The only option available for accessing
the second and third instances of the Cisco SD-WAN Manager cluster is by using the local device authentication,
which is "/login.html".
Note If you log in by using the local device authentication, the SAML Login page appears when you log out.
Export Cisco SD-WAN Manager Metadata to Azure AD
2. Configure SSO using Azure AD and import Azure AD metadata to Cisco SD-WAN Manager. For details,
see Configure Single Sign-On Using Azure AD and Import Azure AD Metadata to Cisco SD-WAN
Manager.
Note This procedure involves a third-party website. The details are subject to change.
Name emailaddress
Source Attribute
b. Create a new claim for the groups attribute, configuring the field values as follows:
Name Groups
Source Attribute
c. Create a new claim for the username attribute, configuring the field values as follows:
Name Username
Source Attribute
d. Modify the existing “Unique User Identifier (Name ID)” claim, as follows:
Source Attribute
Information About Integrating with Multiple IdPs
You can also edit or delete an IdP name and domain name.
For more information on configuring multiple IdPs, see Configure Multiple IdPs.
Configure Multiple IdPs
1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.
2. Click Identity Provider Settings and choose Edit.
3. Click Add New IDP Settings.
Note After three IdPs are configured, the Add New IDP Settings option is no longer displayed.
4. Click the toggle button to switch between enabling and disabling IdP settings while retaining the existing
configuration.
5. Click IDP Name and enter a unique name for your IdP.
Examples:
• okta
• idp1
• provider
• msp
Note You cannot map the same domain to multiple IdPs, but you can use the same IdP for multiple domains.
6. Click Domain and enter a unique domain name for your IdP, for example, okta.com.
If the domain name already exists, Cisco SD-WAN Manager generates an error message.
Alternatively, you can enter a wildcard (*) in the domain name field to make it the default domain. If a
default domain is configured, you can log in with your user ID alone, without entering it in email-address
format (user ID, @, domain).
7. In the Upload Identity Provider Metadata section, upload the SAML metadata file you downloaded
from your IdP.
8. Click Save.
9. After you configure a new IdP name and domain and sign out of your current Cisco SD-WAN Manager
session, you are redirected to a unified SAML login page.
10. In the unified SAML login page, if you require local authentication, remove the login.html portion of
the URL. This redirects you to the local authentication page. Because local authentication remains
reachable after SSO is configured, keep local administrator accounts to the minimum needed and protect
them with strong passwords.
11. In the unified SAML login page, enter the SSO credentials for your IdP.
Note You are redirected to the unified SAML login page each time you access Cisco SD-WAN Manager after
configuring a new IdP name and domain.
CHAPTER 18
Configure Port Security
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature Name: Port Security Support for Switchports on Cisco IOS XE Catalyst SD-WAN Devices
Release Information: Cisco IOS XE Release 17.3.1a, Cisco vManage Release 20.3.1
Description: This feature allows you to configure switchports on Edge platforms with switching modules to
restrict input to an interface by limiting and identifying the MAC addresses of the workstations that are
allowed to access the port.
Information About Port Security
• ISR4331
Cisco C8300 series Edge platforms with SM-X-16G4M2X and SM-X-40G8M2X switching modules:
• C8300-1N1S-6T
• C8300-1N1S-4T2X
• C8300-2N2S-6T
• C8300-2N2S-4T2X
Note If the port shuts down, all dynamically learned addresses are removed.
• You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured,
stored in the address table, and added to the running configuration. If these addresses are saved in the
configuration file, the interface does not need to dynamically relearn them when the switch restarts.
Although sticky secure addresses can be manually configured, it is not recommended.
Enable sticky learning to configure an interface to convert the dynamic MAC addresses to sticky secure MAC
addresses and to add them to the running configuration. To enable sticky learning, enter the switchport
port-security mac-address sticky command. When you enter this command, the interface converts all the
dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was
enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the
startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the
configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do
not save the configuration, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses
and are removed from the running configuration.
Configure Port Security Using the CLI
Note The switchport port-security and switchport port-security mac-address sticky configuration commands
are validated. Other port-security commands are available, but we recommend that you do not use them in
Cisco SD-WAN Release 20.3.1.
Configuration Example
The following example shows how to configure a secure MAC address on GigabitEthernet 1/0/1:
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# switchport port-security
Device(config-if)# switchport port-security mac-address sticky
Device(config-if)# end
CHAPTER 19
Cisco TrustSec Integration
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature Name: Support for SGT Propagation with Cisco TrustSec Integration
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.3.1a, Cisco vManage Release 20.3.1
Description: This feature enables Cisco IOS XE Catalyst SD-WAN edge devices to propagate Security Group
Tag (SGT) inline tags that are generated by Cisco TrustSec-enabled switches in the branches to other edge
devices in the Cisco Catalyst SD-WAN network. While the Cisco TrustSec-enabled switches do classification,
propagation (inline SGT tagging), and enforcement in the branches, the Cisco IOS XE Catalyst SD-WAN
devices carry the inline tags across the edge devices.
SGT Propagation Using Inline Tagging
IP address to SGT binding, statically, in Cisco SD-WAN Manager. See SGT Propagation Using SXP, on page
352.
Enforcement of SGTs is achieved using Security Group Access Control Lists (SGACLs), where policies can be
configured dynamically or statically and are applied to the egress traffic on the network. See SGT Enforcement,
on page 364.
Prerequisites
• Branches must be equipped with Cisco TrustSec-enabled switches that are capable of handling SGT
inline tagging.
• Cisco IOS XE Catalyst SD-WAN devices must be running Cisco IOS XE Catalyst SD-WAN Release 17.3.1a
or later.
SGT Propagation in Cisco Catalyst SD-WAN
In this illustration, Branch 1 and Branch 2 are equipped with Cisco TrustSec-enabled switches, and these
branches are connected to Cisco IOS XE Catalyst SD-WAN devices. The Cisco TrustSec switch in Branch 1
performs SGT inline tagging in the Ethernet CMD frame toward Edge Router 1. Edge Router 1 de-encapsulates
the CMD frame, extracts the SGT, and propagates it over the Cisco Catalyst SD-WAN IPsec or GRE tunnels.
Edge Router 2 extracts the SGT from the Cisco Catalyst SD-WAN encapsulation, generates a new Ethernet
CMD frame, and copies the received SGT into it. The Cisco TrustSec switch in Branch 2 inspects the source
SGT and looks it up against the destination SGT to determine whether the traffic must be allowed or denied.
The following image illustrates an SGT being carried in a Cisco Catalyst SD-WAN packet; carrying the tag
adds eight bytes of data to the packet.
Figure 10: SGT Propagation
The following table describes how SGT propagation between edge devices in the Cisco Catalyst SD-WAN
network varies based on the type of edge device and software release installed on the device.
Table 78: SGT Propagation with Cisco IOS XE Catalyst SD-WAN Devices of Different Releases Interconnected in Cisco Catalyst SD-WAN
Device: Cisco IOS XE Catalyst SD-WAN Release 17.3.1a
Peer device: Cisco IOS XE Catalyst SD-WAN device with Cisco IOS XE Catalyst SD-WAN Release 17.3.1a or later
Behavior:
• Traffic with the SGT is forwarded to the peer Cisco IOS XE Catalyst SD-WAN device.
• If Cisco TrustSec is enabled on the peer Cisco IOS XE Catalyst SD-WAN device, traffic with the SGT and
the CMD header is forwarded to the switch. If Cisco TrustSec is not enabled on the peer device, the traffic
is forwarded to the switch without the SGT and CMD header.
Supported NIMs
The following WAN NIMs are supported for Cisco 4000 Series Integrated Services Routers platforms:
• NIM-1GE-CU-SFP
• NIM-2GE-CU-SFP
• SM-X-4x1G-1x10G
• SM-X-6X1G
The following WAN NIMs are supported on Cisco Catalyst 8200 Router and Cisco Catalyst 8300 Router
platforms:
• C-NIM-2T
• C-NIM-1M
• C-NIM-1X
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
Configure SGT Inline Tagging Using Cisco SD-WAN Manager
The following table describes the SGT propagation options, and the LAN-to-WAN and WAN-to-LAN behavior
for each option. These options are available only if you set Enable SGT Propagation to On.
Option settings | LAN to WAN | WAN to LAN | Remarks
Propagate = On, Security Group Tag = <SGT Value>, Trusted = On | SGT is propagated from LAN to WAN. | SGT is propagated from WAN to LAN. | This is the most common configuration. Usually the SGT value is 2, the value defined for Cisco TrustSec devices on Cisco Identity Services Engine (ISE).
Propagate = On, Security Group Tag = <SGT Value>, Trusted = Off | SGT is propagated from LAN to WAN with the configured SGT value. | SGT is propagated from WAN to LAN, with no effect on the incoming SGT. | Overrides the incoming SGT from LAN to WAN because Trusted is set to Off.
Propagate = Off, Security Group Tag = <SGT Value>, Trusted = Off | SGT is propagated from LAN to WAN with the configured SGT value. | SGT is not added to the LAN packets; the SGT is not propagated to the LAN. | Overrides the incoming SGT from LAN to WAN because Trusted is set to Off.
Propagate = On, Security Group Tag = 0 | SGT is propagated from LAN to WAN with SGT value 0. | SGT is propagated from WAN to LAN with SGT value 0. | This can be configured only on a physical interface if there are existing sub-interfaces.
Note • Enterprise Network Compute System (ENCS) LAN and WAN ports allow propagation of SGT tags on
their physical ports. The LAN interfaces must be connected to the LAN side and the WAN interfaces must
be connected to the WAN side of the network. You must deploy a Cisco Catalyst 8000V router or an Integrated
Services Virtual router to process the tagging.
7. Click Save.
8. Configure the routing protocols using the Cisco SD-WAN Manager templates. You can choose to use
any of the routing protocols. For BGP template, see Configure BGP Using Cisco SD-WAN Manager
templates.
9. Attach the feature template to the device template.
Configure SGT Inline Tagging Using CLI
! VRF 1
vrf definition 1
rd 1:1
!
! VRF 2
vrf definition 2
rd 1:2
!
! sub-interface on VRF 1
interface GigabitEthernet0/0/2.2
encapsulation dot1Q 2
vrf forwarding 1
ip address 77.27.9.2 255.255.255.0
ip mtu 1500
cts manual
policy static sgt 2 trusted
!
! sub-interface on VRF 2
interface GigabitEthernet0/0/2.3
encapsulation dot1Q 3
vrf forwarding 2
ip address 77.27.19.2 255.255.255.0
ip mtu 1500
cts manual
policy static sgt 2 trusted
!
! BGP configuration
router bgp 64005
bgp log-neighbor-changes
distance bgp 20 200 20
!
! BGP neighbor VRF 1
address-family ipv4 vrf 1
network 77.27.9.0 mask 255.255.255.0
redistribute connected
redistribute static
redistribute omp
neighbor 77.27.9.1 remote-as 64006
neighbor 77.27.9.1 activate
neighbor 77.27.9.1 send-community both
exit-address-family
!
! BGP neighbor VRF 2
address-family ipv4 vrf 2
redistribute connected
redistribute static
redistribute omp
neighbor 77.27.19.1 remote-as 64006
neighbor 77.27.19.1 activate
neighbor 77.27.19.1 send-community both
exit-address-family
!
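The option combinations in the Cisco SD-WAN Manager table (Propagate, Security Group Tag, Trusted) correspond to the cts manual interface submode used in the CLI example above. The following is an added example written for this page, not configuration from the original guide: it shows the first three rows of that table as CLI, one sub-interface per row. The interface names, VLAN IDs, VRF 1, the addresses and the SGT values 2 and 100 are assumed for illustration.

```cisco
! Added example: the first three rows of the SGT propagation table, one
! sub-interface each. VRF 1, addresses and tag values are assumed.
!
! Row 1: Propagate = On, Security Group Tag = 2, Trusted = On
! Tags presented by the branch switch in the CMD header are accepted;
! untagged packets are classified as SGT 2; CMD headers are emitted
! toward the LAN.
interface GigabitEthernet0/0/2.10
 encapsulation dot1Q 10
 vrf forwarding 1
 ip address 10.10.0.2 255.255.255.0
 cts manual
  policy static sgt 2 trusted
  propagate sgt
!
! Row 2: Propagate = On, Security Group Tag = 100, Trusted = Off
! Omitting "trusted" makes the router replace whatever tag the LAN
! presents with SGT 100 on the way to the WAN. Use this on a segment
! whose switches you do not control, so that an attached host cannot
! pick its own tag and land in a more privileged cell of the SGACL matrix.
interface GigabitEthernet0/0/2.20
 encapsulation dot1Q 20
 vrf forwarding 1
 ip address 10.20.0.2 255.255.255.0
 cts manual
  policy static sgt 100
  propagate sgt
!
! Row 3: Propagate = Off, Security Group Tag = 100, Trusted = Off
! LAN-to-WAN traffic still carries SGT 100 over the overlay, but no CMD
! header is sent toward the LAN, for a switch that cannot parse one.
interface GigabitEthernet0/0/2.30
 encapsulation dot1Q 30
 vrf forwarding 1
 ip address 10.30.0.2 255.255.255.0
 cts manual
  policy static sgt 100
  no propagate sgt
!
! Check the per-interface result (mode, static SGT, trust, propagation)
show cts interface GigabitEthernet0/0/2.20
```

The "trusted" keyword is the trust boundary: with it, the device believes the tag a LAN switch puts in the CMD header; without it, the configured static SGT wins. Decide per segment which side of that boundary each switch belongs on.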
Feature Name: SGT Propagation Using SXP and SGACL Enforcement
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, Cisco vManage Release 20.5.1
Description: With this feature, Cisco IOS XE Catalyst SD-WAN devices can exchange SGTs over the overlay
network using SXP. Use SXP when your hardware does not support inline propagation of SGTs. This feature
also extends support for SGACL enforcement on Cisco IOS XE Catalyst SD-WAN devices by configuring
SGACL policies.
You can use SXP to propagate SGTs across network devices if your hardware does not support inline tagging.
Using Cisco Identity Services Engine (ISE), you can create an IP-to-SGT binding (Dynamic IP-SGT) and
then download IP-SGT binding using SXP to a Cisco IOS XE Catalyst SD-WAN device for propagation of
the SGT over the Cisco Catalyst SD-WAN network. See Configure SXP for Dynamic IP-SGT Binding Using
Cisco SD-WAN Manager, on page 355.
Alternatively, you have the option to manually configure IP-SGT binding (Static IP-SGT) and then push the
configuration to a Cisco IOS XE Catalyst SD-WAN device using a CLI Add-On template to propagate SGT
over the Cisco Catalyst SD-WAN network. See Configure Static IP-SGT Binding Using Cisco SD-WAN
Manager, on page 358.
Prerequisites
• You must enable Cisco TrustSec and propagation through SXP on the devices in a Cisco Catalyst
SD-WAN network.
• Cisco ISE version must be 2.6 or later.
Points to Consider
• Cisco ISE has a limit on the number of SXP sessions it can handle. Therefore, as an alternative, you can
use SXP reflector for horizontal scaling.
• Static IP-SGT configuration is based on the CLI Add-On template and not using a Feature template in
Cisco SD-WAN Manager.
• From Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco vManage Release 20.5.1, we recommend
that you use an SXP reflector to establish SXP peering with Cisco IOS XE Catalyst SD-WAN devices.
When you use an SXP reflector, the SXP filtering option ensures that only the IP-SGT bindings relevant
to the local service-side networks are pushed down to the Cisco IOS XE Catalyst SD-WAN device.
Overlapping or remote entries coming through SXP can have an adverse effect on overlay routing. See
SXP Reflectors, on page 355.
Supported Platforms and NIMs
Supported NIMs
The following WAN NIMs are supported on Cisco 4000 Series Integrated Services Routers platforms:
• NIM-1GE-CU-SFP
• NIM-2GE-CU-SFP
• SM-X-4x1G-1x10G
• SM-X-6X1G
If a branch is equipped with Cisco TrustSec-enabled hardware, the branch is referred to as a TrustSec branch.
You can propagate SGTs to a TrustSec branch through inline tagging. For information about Inline Tagging,
see SGT Propagation in Cisco Catalyst SD-WAN, on page 345.
If a branch is not equipped with Cisco TrustSec-enabled hardware, the branch is referred to as a non-TrustSec
branch. You can propagate SGT to a non-TrustSec branch using SXP.
In the case of a non-TrustSec branch, on SD-WAN ingress a Cisco IOS XE Catalyst SD-WAN device tags
packets with an SGT based on the source IP address, using IP-SGT bindings learned dynamically from ISE
through SXP or configured statically. On SD-WAN egress, the Cisco IOS XE Catalyst SD-WAN device looks
up the destination SGT from the destination IP address using the same IP-SGT bindings (received through
SXP or statically configured). Policies for the SGT traffic on SD-WAN egress are enforced either by
downloading SGACL policies from ISE or by configuring static SGACL policies.
SXP Reflectors
SXP reflectors are used when you need to have multiple connections to communicate information about
IP-SGT bindings over a network. Because Cisco ISE has a limit on the number of SXP sessions it can handle,
as an alternative, you can use Cisco ASR1000 routers, with the SXP reflector functionality enabled for
horizontal scaling between ISE and the Cisco IOS XE Catalyst SD-WAN device.
You can configure an SXP connection to an SXP reflector the same way you configure an SXP connection
to ISE. For information about configuring SXP reflector, see Configure SXP Reflector Using the CLI, on
page 360.
We recommend an SXP reflector to establish SXP peering with Cisco IOS XE Catalyst SD-WAN devices.
When you use an SXP reflector, the SXP filtering configuration ensures that only relevant IP-SGT bindings
for the local service-side networks are pushed down to the Cisco IOS XE Catalyst SD-WAN devices.
Overlapping or remote entries coming through an SXP can have an adverse effect on overlay routing.
Configure SXP for Dynamic IP-SGT Binding Using Cisco SD-WAN Manager
You can configure an SXP connection for downloading the IP-SGT binding from Cisco ISE to a Cisco IOS
XE Catalyst SD-WAN device.
To configure an SXP connection in Cisco SD-WAN Manager:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
2. Click Feature Templates and then click Add Template.
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. Choose the device for which you are creating the template.
4. Under OTHER TEMPLATES section, choose TrustSec.
5. In the Template Name field, enter a name for the feature template. This field is mandatory and can
contain only uppercase and lowercase letters, the digits 0 - 9, hyphens (-), and underscores (_). It cannot
contain spaces or any other characters.
6. In the Description field, enter a description for the feature template. This field is mandatory, and it can
contain any of the characters and spaces.
7. Enter the details for setting up an SXP connection:
Key Chain Name: Enter a name to configure the key chain for SXP.
Log Binding Changes: Click On to enable logging for IP-to-SGT binding changes.
Reconciliation Period (seconds): Enter a time (in seconds) to configure the SXP reconciliation period.
After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects
before the internal hold-down timer expires, the SXP reconciliation period timer starts. While the SXP
reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned
from the previous connection and removes the invalid entries. The default value is 120 seconds (2 minutes).
Setting the SXP reconciliation period to 0 seconds disables the timer and causes all the entries from the
previous connection to be removed.
Retry Period (seconds): Enter a time (in seconds) to configure the retry period for SXP reconnection.
Speaker Hold Time (seconds): Enter a time (in seconds) to configure the global hold-time period for a
speaker device.
Maximum Listener Hold Time (seconds): Enter a time (in seconds) to configure the maximum allowed
hold-time period for a listener device.
Node ID: Enter a node ID. A node ID is used to identify the individual devices within the network.
Mode: Choose a connection mode. Local refers to the local device, and Peer refers to a peer device.
Mode Type: Choose a role for the device.
Minimum Hold Time: Enter a time (in seconds) to configure the minimum hold time for the SXP connection.
Maximum Hold Time: Enter a time (in seconds) to configure the maximum hold time for the SXP connection.
VPN ID: Enter a VPN or VRF ID for the SXP connection.
Note Maximum Hold Time and Minimum Hold Time can be configured only when you choose Mode as Local
and Mode Type as Listener, or when Mode is Peer and Mode Type is Speaker.
Only Minimum Hold Time is configurable when Mode is Local and Mode Type is Speaker, or when Mode
is Peer and Mode Type is Listener.
Hold time cannot be configured if you choose Mode Type as Both (that is, Listener and Speaker).
Device(config)# cts sxp connection peer 10.201.1.2 source 10.29.1.1 password key-chain mode local both vrf 1
Configure Static IP-SGT Binding Using Cisco SD-WAN Manager
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. Choose the device for which you are creating the template.
4. Under OTHER TEMPLATES section, choose CLI Add-On Template as the feature template.
5. In the Template Name field, enter a name for the feature template. This field is mandatory and can contain
only uppercase and lowercase letters, the digits 0 - 9, hyphens (-), and underscores (_). It cannot contain
spaces or any other characters.
6. In the Description field, enter a description for the feature template. This field is mandatory, and it can
contain any of the characters and spaces.
7. In the CLI Configuration area, enter the following configuration:
cts role-based sgt-map vrf instance_name {ipv4_netaddress | ipv4_netaddress/prefix} sgt sgt-number
cts role-based sgt-map vrf instance_name host ipv4_hostaddress sgt sgt-number
8. Click Save to save this configuration. This configuration can now be pushed to a Cisco IOS XE Catalyst
SD-WAN device for propagation of the SGT over a Cisco Catalyst SD-WAN network.
Configure TCP-AO Support for SXP
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. Choose the device for which you are creating the template.
4. Under BASIC INFORMATION section, choose Cisco Security as the feature template.
5. In the Template Name field, enter a name for the feature template. This field is mandatory and can contain
only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot
contain spaces or any other characters.
6. In the Description field, enter a description for the feature template. This field is mandatory, and it can
contain any of the characters and spaces.
7. Configure the TCP-AO key chain and keys:
Send ID: Specify the send identifier for the key. Range: 0 to 255.
Receiver ID: Specify the receive identifier for the key. Range: 0 to 255.
Include TCP Options: This field indicates whether TCP options other than TCP-AO must be included when
calculating Message Authentication Codes (MACs). A MAC is computed for a TCP segment using the
configured MAC algorithm, the relevant traffic keys, and the TCP segment data prefixed with a pseudoheader.
When options are included, the content of all options is included in the MAC, with the TCP-AO MAC field
itself zeroed. When options are not included, all options other than TCP-AO are excluded from the MAC
calculation. The setting must match on both peers, or every MAC check fails.
Accept AO Mismatch: This field indicates whether the receiver accepts segments for which the MAC in the
incoming TCP-AO option does not match the MAC generated on the receiver. Accepting mismatched segments
removes the integrity protection that TCP-AO provides, so leave this off except while diagnosing a key or
option mismatch between peers.
Key String: Specify the master key for deriving the traffic keys. The master keys must be identical on both
peers. If the master keys do not match, authentication fails and segments may be rejected by the receiver.
Range: 0 to 80 characters.
Send Lifetime Local: Specify the period for which the key is valid for use in TCP-AO authentication. Specify
the start time in the local time zone; by default, the start time corresponds to UTC time. The end time can
be specified in three ways: infinite (no expiry), duration (1 to 2147483646 seconds), or an exact time (either
UTC or local).
Accept Lifetime Local: Specify the period for which the key is accepted for TCP-AO authentication. Specify
the start time in the local time zone; by default, the start time corresponds to UTC time. The end time can
be specified in three ways: infinite (no expiry), duration (1 to 2147483646 seconds), or an exact time (either
UTC or local).
Note When you configure a key chain for an SXP connection, at least one key in the key chain must be valid
at the current time. The keys in the key chain cannot all have start times in the future.
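The Cisco SD-WAN Manager fields in the TrustSec template (key chain name, hold times, reconciliation and retry periods), the static sgt-map CLI Add-On, and the TCP-AO key chain fields above all end up as IOS XE CLI on the device. The following added example, written for this page and not taken from the original guide, ties them together for one edge device that listens to an SXP reflector over a TCP-AO-authenticated session. The reflector address 10.201.1.2, the source address 10.29.1.1, VRF 1, the key-chain name, the placeholder key string, the prefixes and the SGT values are assumed.

```cisco
! Added example: SXP listener with TCP-AO, static bindings and checks.
! 10.201.1.2 (SXP reflector), 10.29.1.1 (local source), VRF 1, the
! key-chain name, the key string and the SGT values are assumed.
!
! TCP-AO key chain. Both peers need the same algorithm and key string,
! and this side's recv-id must equal the peer's send-id (and vice versa).
key chain SXP-AO tcp
 key 1
  send-id 1
  recv-id 1
  cryptographic-algorithm hmac-sha-256
  key-string ExampleSharedSecret-ReplaceMe
  send-lifetime local 00:00:00 Jan 1 2024 infinite
  accept-lifetime local 00:00:00 Jan 1 2024 infinite
  include-tcp-options
 ! accept-ao-mismatch is deliberately absent: a segment whose MAC does
 ! not verify is dropped, which is the protection TCP-AO is for.
!
! Global SXP settings (the TrustSec feature template fields)
cts sxp enable
cts sxp default key-chain SXP-AO
cts sxp log binding-changes
cts sxp reconciliation period 120
cts sxp retry period 120
cts sxp listener hold-time 90 180
!
! Listen only: bindings come from the reflector, which filters them down
! to the local service-side prefixes. A listener never sends bindings,
! so a compromised branch cannot inject IP-SGT entries toward ISE.
cts sxp connection peer 10.201.1.2 source 10.29.1.1 password key-chain mode local listener vrf 1
!
! Static bindings (CLI Add-On template) for addresses ISE does not track
cts role-based sgt-map vrf 1 10.1.10.0/24 sgt 10
cts role-based sgt-map vrf 1 host 10.1.20.5 sgt 20
!
! Checks: the connection status must be On, the learned bindings should
! cover only local prefixes, and the key chain should show a key that is
! currently valid
show cts sxp connections vrf 1 brief
show cts role-based sgt-map vrf 1 all
show key chain SXP-AO
```

When rotating the secret, add a second key with a later start time before the first expires; the note above means at least one key must already be valid when the template is pushed, so a chain that only contains a future key breaks the session.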
SGACL for Cisco TrustSec
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. Choose the device for which you are creating the template.
4. Under Basic Information, choose Cisco AAA as the feature template.
5. In the Template Name field, enter a name for the feature template. This field is mandatory and can
contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_).
It cannot contain spaces or any other characters.
6. In the Description field, enter a description for the feature template. This field is mandatory, and it can
contain any of the characters and spaces.
7. Click Radius to configure a connection to a RADIUS server. The following fields are displayed:
Authentication Port: Enter the UDP destination port to use for authentication requests to the RADIUS
server. If the server is not used for authentication, configure the port number to be 0. Range: 0 to 65535.
Accounting Port: Enter the UDP port that will be used to send 802.1X and 802.11i accounting information
to the RADIUS server. Range: 0 to 65535.
Timeout: Specify how long to wait to receive a reply from the RADIUS server before retransmitting a request.
Range: 1 through 1000.
Retransmit Count: Specify how many times to search through the list of RADIUS servers while attempting
to locate a server. Range: 1 through 1000.
Key Type: Click PAC as the key type.
Key: Enter the key that the Cisco IOS XE Catalyst SD-WAN device passes to the RADIUS server for
authentication and encryption. You can enter the key as a text string from 1 to 31 characters long, which
is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES
encryption key used on the RADIUS server.
8. Click Radius Group to add a new RADIUS group. The following fields are displayed:
Group Name: Displays the RADIUS group name. This field is automatically populated based on the VPN ID
that you configure.
VPN ID: Enter a VPN ID.
Source Interface: Set the interface that will be used to reach the RADIUS server.
Radius Server: Choose an IP address for the RADIUS server.
9. Click Radius COA to configure the settings to accept change of authorization (CoA) requests from a
RADIUS or other authentication server, and to act on requests to a connection to the RADIUS server.
Updated policies are downloaded to the Cisco IOS XE Catalyst SD-WAN device when SGACL policies
are modified on ISE and a CoA is pushed to the Cisco IOS XE Catalyst SD-WAN device.
On clicking Radius COA, the following fields are displayed:
Domain Stripping: Configure domain stripping at the server group level. The stripping keyword compares
the incoming username with the names to the left of the @ domain delimiter.
10. Click TrustSec to configure more details for authorization. The following details are displayed:
Download SGACL Policies using CLI
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. Choose the device for which you are creating the template.
4. Under the OTHER TEMPLATES section, choose CLI Add-On Template as the feature template.
5. In the Template Name field, enter a name for the feature template. This field is mandatory and can contain
only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot
contain spaces or any other characters.
6. In the Description field, enter a description for the feature template. This field is mandatory, and it can
contain any characters and spaces.
7. In the CLI configuration area, enter the following configuration:
interface gigabitethernet 1/1/3
 cts role-based enforcement
 cts role-based sgt-map sgt 2
interface gigabitethernet 1/1/4
 no cts role-based enforcement
[no] cts role-based permissions {[ default | from | [source-sgt] | to | [dest-sgt]]}
8. Click Save.
This configuration can now be pushed to the Cisco IOS XE Catalyst SD-WAN device for enforcement
of SGACL policies.
SGT Enforcement
SGACL policies configured on Cisco ISE, or configured using the CLI Add-On template, can be applied and
SGT enforcement performed on egress traffic either globally (on all the interfaces) or on a specific interface.
You can enforce SGT at a global level in the TrustSec feature template. See Configure SXP for Dynamic
IP-SGT Binding Using Cisco SD-WAN Manager, on page 355.
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
3. Choose the device for which you are creating the template.
4. Under Basic Information, choose Cisco VPN Interface Ethernet as the feature template.
5. In the Template Name field, enter a name for the feature template. This field is mandatory and can
contain only uppercase and lowercase letters, the digits 0 - 9, hyphens (-), and underscores (_). It cannot
contain spaces or any other characters.
6. In the Description field, enter a description for the feature template. This field is mandatory, and it can
contain any characters and spaces.
7. Click TrustSec.
8. In the Enable Enforcement field, click On to enable SGT enforcement on a particular interface.
Note You can enable this configuration either at an interface level in this step, or a global level using the Enable
Enforcement field in Configuring SXP for Dynamic IP/SGT using vManage, but not both.
9. In the Enter a SGT value field, enter a value that can be used as a tag for enforcement.
10. Click Save.
Monitor SXP Connections and SGT Enforcement
Note You can rearrange the columns to view SXP and SGT information as you prefer by dragging a column
title to the desired position. If you rearrange the columns, we recommend placing the Source SGT and
Destination SGT columns on the left-hand side so that you can read the bindings of a traffic flow at a glance.
Using CLI
Use the following commands to monitor SXP/SGT information using the CLI.
Command                          Description
show cts role-based sgt-map      Displays role-based access control information (per VRF). Both static and dynamic entries are shown.
show cts role-based permissions  Displays the SGACL dynamic and static entries.
show cts role-based counters     Displays Security Group access control list (ACL) enforcement statistics.
CHAPTER 20
OMP Prefixes for IP-SGT Binding
Note To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst
SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release
20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN
Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst
SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component
brand name changes. While we transition to the new names, some inconsistencies might be present in the
documentation set because of a phased approach to the user interface updates of the software product.
Feature Name: OMP Prefixes for IP-SGT Binding
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, Cisco Catalyst SD-WAN Manager Release 20.12.1
Description: The OMP routes are typically present in the IOS RIB. The OMP routes aren't present in the IOS FIB containing entries that map destination IP addresses to next-hop IP addresses. The IOS FIB operates independently of the control plane, receiving the forwarding instructions from a centralized Cisco SD-WAN Controller instead of consuming the OMP routes from the IOS RIB. Starting from Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, the OMP prefixes get added to the IOS FIB, which improves IP-SGT binding.
• Monitor OMP Prefixes for IP-SGT Binding Using the CLI, on page 370
Information About OMP Prefixes for IP-SGT Binding
Note Adding the OMP routes in IOS FIB is mandatory for SGT binding because it allows for the enforcement of
security policies based on SGTs in a network.
In SD-WAN mode, the OMP routes are present in the IOS Routing Information Base (IOS RIB). The IOS RIB
is a database residing in the memory of a Cisco router or switch; it contains information about routes learned
from the different routing protocols, static routes, and directly connected networks.
In SD-WAN mode, the control plane handles packet forwarding. The IOS RIB stores all the routes
learned, while the control plane stores the packet-forwarding information.
The OMP routes aren't downloaded directly into the IOS FIB from the IOS RIB because of the way Cisco
Catalyst SD-WAN architecture handles routing and forwarding. The IOS FIB is designed to work independently
of the control plane. It doesn't directly consume the routes from the IOS RIB. Instead, it receives forwarding
instructions from a centralized Cisco SD-WAN Controller. The Cisco IOS XE Catalyst SD-WAN devices
receive these forwarding instructions from the Cisco SD-WAN Controller and program their local forwarding
tables, which could include the IOS FIB. Therefore, while the OMP routes exist in the IOS RIB, they aren't
directly downloaded into the IOS FIB. Instead, the Cisco SD-WAN Controller determines the appropriate
forwarding paths and instructs the devices accordingly. Starting from Cisco IOS XE Catalyst SD-WAN
Release 17.12.1a, OMP prefixes get added to the IOS FIB. Cisco Catalyst SD-WAN considers the route with
OMP prefixes as a CTS route. The CTS route contains the OMP prefix, the length, and the associated SGT
value. When the OMP prefixes get added to the OMP routes, it means that the OMP routes are now associated
with specific IP address prefixes, further strengthening the IP-SGT binding.
Restrictions of OMP Prefixes for IP-SGT Binding
Monitor OMP Prefixes for IP-SGT Binding Using the CLI
IP-SGT binding using SXP to a Cisco IOS XE Catalyst SD-WAN device for propagation of SGT over
the Cisco Catalyst SD-WAN network. See Configure SXP for Dynamic IP-SGT Binding Using Cisco
SD-WAN Manager.
• Alternatively, there's an option to manually configure IP-SGT binding (Static IP-SGT) and then push
the configuration to a Cisco IOS XE Catalyst SD-WAN device using a CLI Add-On template to propagate
SGT over the Cisco Catalyst SD-WAN network. See Configure Static IP-SGT Binding Using Cisco
SD-WAN Manager.
Note Ensure that you enter the right Peer IP address and Source IP while creating a
new SXP connection.
Note For more information on the SGT propagation options using Cisco SD-WAN
Manager, and on the LAN-to-WAN and WAN-to-LAN behavior, see SGT
Propagation options.
• When the Cisco SD-WAN Controller establishes a connection to Cisco ISE, it obtains the IP-to-username
and user-to-user-group mappings from Cisco ISE and Cisco pxGrid. The Cisco SD-WAN Controller
subsequently pushes the identity mapping information containing IP-to-username to user-group mapping
to the Cisco IOS XE Catalyst SD-WAN devices. The identity mapping information is used when creating
firewall policies in Cisco SD-WAN Manager. For information on creating identity-based firewall policies,
see Configure Cisco SD-WAN Identity-Based Firewall Policy.
The example displays the OMP route containing the next-hop information attached to a remote system IP,
along with an SD-WAN flag set. By flagging routes as SD-WAN routes, the network infrastructure can
distinguish them from other types of routes and treat them differently based on the requirements and policies
of the Cisco Catalyst SD-WAN deployment.
Note The CTS routes that inherit OMP routes will have Internet Protocol Layer (IPL) as the source. This indicates
that the route information originates from the IP layer of the network protocol stack.
Monitor the Prefix Sourced Both from OMP and CTS Routes
When an exact prefix is sourced from both the OMP and CTS routes, the resulting route will have the next-hop
information from OMP and SGT tag info from the CTS route.
The following is sample output from the show ip route vrf command, followed by the related show run | i cts and show ip cef vrf commands:
Device# show ip route vrf 1 10.2.2.0
Routing Table: 1
Routing entry for 10.2.2.0/24
Known via "omp", distance 251, metric 0, type omp
Redistributing via ospf 1
Advertised by ospf 1 subnets
Last update from 172.16.255.11 on Sdwan-system-intf, 00:39:49 ago
Routing Descriptor Blocks:
* 172.16.00 (default), from 172.16.255.11, 00:39:49 ago, via Sdwan-system-intf
Route metric is 0, traffic share count is 1
Device# show run | i cts
cts role-based sgt-map vrf 1 10.2.2.0/24 sgt 24
Device# sho ip cef vrf 1 10.2.2.0/24 detail
10.2.2.0/24, epoch 0, flags [cover dependents, subtree context, SDWAN]
Covered dependent prefixes: 1
notify cover updated: 1
SC owned,sourced: FIB_SC: RBAC - [SGT 24 S D]
1 IPL source [no flags]
nexthop 172.16.255.11 Sdwan-system-intf
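The three outputs above are what an operator compares by hand: the RIB says where the prefix is reached via OMP, the running configuration says which SGT the static sgt-map assigns, and the CEF entry should carry both (the next-hop from OMP, the SGT from the CTS route, the SDWAN flag, and IPL as the source). As an added example that is not part of this guide, the following Python script parses those outputs and reports any inconsistency between them. The sample outputs are constructed from the ones quoted above; the second sgt-map line and the next-hop address 172.16.255.11 in the Routing Descriptor Block are assumptions made for the sample.

```python
import re

# Constructed sample outputs, modelled on the show commands quoted above.
SHOW_RUN_CTS = """\
cts role-based sgt-map vrf 1 10.2.2.0/24 sgt 24
cts role-based sgt-map vrf 1 10.3.3.0/24 sgt 30
"""

SHOW_IP_ROUTE = """\
Routing Table: 1
Routing entry for 10.2.2.0/24
  Known via "omp", distance 251, metric 0, type omp
  Redistributing via ospf 1
  Advertised by ospf 1 subnets
  Last update from 172.16.255.11 on Sdwan-system-intf, 00:39:49 ago
  Routing Descriptor Blocks:
  * 172.16.255.11 (default), from 172.16.255.11, 00:39:49 ago, via Sdwan-system-intf
      Route metric is 0, traffic share count is 1
"""

SHOW_IP_CEF = """\
10.2.2.0/24, epoch 0, flags [cover dependents, subtree context, SDWAN]
  Covered dependent prefixes: 1
    notify cover updated: 1
  SC owned,sourced: FIB_SC: RBAC - [SGT 24 S D]
  1 IPL source [no flags]
  nexthop 172.16.255.11 Sdwan-system-intf
"""

SGT_MAP_RE = re.compile(r"^cts role-based sgt-map vrf (\S+) (\S+) sgt (\d+)$")


def parse_sgt_maps(text):
    """Static IP-SGT bindings from 'show run | i cts' -> {(vrf, prefix): sgt}."""
    maps = {}
    for line in text.splitlines():
        m = SGT_MAP_RE.match(line.strip())
        if m:
            maps[(m.group(1), m.group(2))] = int(m.group(3))
    return maps


def parse_ip_route(text):
    """Prefix, source protocol and next-hops from 'show ip route vrf <vrf> <prefix>'."""
    info = {"prefix": None, "protocol": None, "nexthops": []}
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Routing entry for (\S+)", s)
        if m:
            info["prefix"] = m.group(1)
        m = re.match(r'Known via "(\w+)"', s)
        if m:
            info["protocol"] = m.group(1)
        # Routing Descriptor Block lines start with '*' for the active path
        m = re.match(r"^\* (\S+) .*\bvia (\S+)$", s)
        if m:
            info["nexthops"].append((m.group(1), m.group(2)))
    return info


def parse_cef_detail(text):
    """Flags, SGT, sources and next-hops from 'show ip cef vrf <vrf> <prefix> detail'."""
    entry = {"prefix": None, "flags": [], "sgt": None, "sources": [], "nexthops": []}
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"^(\S+), epoch \d+, flags \[([^\]]*)\]", s)
        if m:
            entry["prefix"] = m.group(1)
            entry["flags"] = [f.strip() for f in m.group(2).split(",")]
        m = re.search(r"RBAC - \[SGT (\d+)", s)      # the SGT carried by the CTS route
        if m:
            entry["sgt"] = int(m.group(1))
        m = re.match(r"^\d+ (\w+) source", s)         # e.g. '1 IPL source [no flags]'
        if m:
            entry["sources"].append(m.group(1))
        m = re.match(r"^nexthop (\S+) (\S+)", s)
        if m:
            entry["nexthops"].append((m.group(1), m.group(2)))
    return entry


def check_binding(vrf, sgt_maps, route, cef):
    """Return a list of findings; an empty list means RIB, sgt-map and FIB agree."""
    findings = []
    prefix = cef["prefix"]
    if route["prefix"] != prefix:
        findings.append(f"RIB/FIB prefix mismatch: {route['prefix']} vs {prefix}")
    expected_sgt = sgt_maps.get((vrf, prefix))
    if expected_sgt is None:
        findings.append(f"no static sgt-map for {prefix} in vrf {vrf}")
    elif cef["sgt"] != expected_sgt:
        findings.append(f"FIB carries SGT {cef['sgt']}, sgt-map says {expected_sgt}")
    if route["protocol"] == "omp" and "SDWAN" not in cef["flags"]:
        findings.append("OMP-learned prefix lacks the SDWAN flag in the FIB")
    if route["protocol"] == "omp" and "IPL" not in cef["sources"]:
        findings.append("CTS route inheriting an OMP route should list IPL as its source")
    if set(route["nexthops"]) != set(cef["nexthops"]):
        findings.append(f"next-hop mismatch: RIB {route['nexthops']} vs FIB {cef['nexthops']}")
    return findings


if __name__ == "__main__":
    result = check_binding("1", parse_sgt_maps(SHOW_RUN_CTS),
                           parse_ip_route(SHOW_IP_ROUTE), parse_cef_detail(SHOW_IP_CEF))
    print("consistent" if not result else "\n".join(result))
```

The same checks can be run against live output collected from a device; a non-empty findings list after an ISE policy change or an SXP peer flap is the quickest way to tell whether the FIB still enforces the SGT you expect.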
CHAPTER 21
Unified Threat Defense Resource Profiles
Feature Name: Configure Unified Threat Defense Resource Profiles
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, Cisco vManage Release 20.5.1
Description: This feature lets you customize the amount of resources that Unified Threat Defense features use on a router. You can use larger resource profiles to process packets simultaneously. Simultaneously processing packets reduces the latency that security features can introduce to the packet processing of the device.
Unified Threat Defense features use the Snort engine to process packets. Snort is an open source network
Intrusion Prevention System, capable of performing real-time traffic analysis and packet logging on IP
networks. Unified Threat Defense deploys Snort as a single instance on the device to process packets. To
improve performance, use the Security App Hosting feature template to allow Unified Threat Defense to use
more resources.
You can use the Security App Hosting feature template to modify the resource profile as follows:
• Deploy more instances of Snort: When you enable Unified Threat Defense, the device sends each packet
from the data plane to the service plane. Unified Threat Defense serially inspects each packet. Once
inspected, Unified Threat Defense returns the packet to the data plane. Unified Threat Defense holds
each packet to analyze it. These processes introduce latency to the flow of packets that affects the
throughput of the device. To combat this latency, you can deploy more instances of Snort. With multiple
instances of Snort available, Unified Threat Defense can simultaneously process multiple packets to
reduce latency and increase throughput. This feature uses more systems resources.
• Download URL databases to the devices: This feature allows the URL Filtering feature of Unified Threat
Defense to use a downloaded URL database on the device to find a URL. If the device downloads the
database, Unified Threat Defense first uses the database on the device to find the URL. If a URL is not
in the downloaded database, Unified Threat Defense connects to the Cloud for the URL information.
This Cloud result is saved to a local cache for any subsequent requests to the same URL. This feature
requires at least 16 GB bootflash and 16 GB RAM.
Supported Platforms
Note To download the database, the device must have at least 16 GB bootflash and 16 GB RAM.
Platform                                                                          Supported  Resource Profiles
Cisco ISR4331, Cisco ISR4351, Cisco ISR4431, Cisco ISR4451, and Cisco ISR4461     Yes        low, medium, high
Cisco Catalyst 8300 Series Edge Platforms                                         Yes        low, medium, high
Cisco Catalyst 8500 Series Edge Platform C8500L-8S4X                              Yes        low, medium, high
Note Starting from Cisco IOS XE Catalyst SD-WAN Release 17.12.2, for all ISR1100 platforms, you must reboot
the device to change resource profiles.
Configure Unified Threat Defense Resource Profiles
Note In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
When you specify a larger resource profile, the device deploys more Snort instances to increase
throughput. The larger resource profiles also use more resources on the device. The number of Snort
instances deployed by the device differs by platform and software release.
9. Click Save.
10. Add this template to the device template.
11. Attach the device template to the device.
Verify Unified Threat Defense Resource Profiles
To view the resource usage between activated resource profiles, run the following commands:
show platform software status control-processor brief
show platform hardware qfp active datapath utilization
show utd engine standard utilization cpu
show utd engine standard utilization memory
show app-hosting resource
To view the health of one or more Snort instances and the memory usage of UTD, run the following command:
show utd engine standard status
CHAPTER 22
Enable MACsec Using Cisco Catalyst SD-WAN Manager
Feature Name: Enabling MACsec using Cisco SD-WAN Manager
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, Cisco Catalyst SD-WAN Manager Release 20.12.1
Description: With this feature, you can enable MACsec using Cisco Catalyst SD-WAN Manager for Cisco Catalyst SD-WAN devices on the service side. With MACsec enabled using Cisco Catalyst SD-WAN Manager, communication between devices in the service VPN is protected, thus enhancing security for the service VPN.
• Information About Enabling MACsec Using Cisco SD-WAN Manager, on page 378
• Supported Devices for MACsec in Cisco Catalyst SD-WAN, on page 378
• Benefits of Enabling MACsec in Cisco Catalyst SD-WAN, on page 378
• Prerequisites for Enabling MACsec in Cisco Catalyst SD-WAN, on page 379
• Restrictions for Enabling MACsec in Cisco Catalyst SD-WAN, on page 379
• Configure MACsec Enablement in Cisco SD-WAN Manager Using a CLI Template, on page 379
• Verify MACsec Enablement in Cisco SD-WAN Manager, on page 380
• Configuration Example for MACsec Enablement in Cisco SD-WAN Manager, on page 390
Information About Enabling MACsec Using Cisco SD-WAN Manager
Minimum supported releases: Cisco IOS XE Release 17.12.2 and Cisco Catalyst SD-WAN Manager Release 20.12.2
• Cisco 4461 Integrated Services Router (ISR4461) K9 with NIM-2GE-CU-SFP
• C8300-2N2S-4T2X built-in 10G ports, and also with C-NIM-1X
• C8300-1N1S-4T2X with C-NIM-1X
• C8300-1N1S-6T with C-NIM-2T
• C8200-1N-4T with C-NIM-2T
Prerequisites for Enabling MACsec in Cisco Catalyst SD-WAN
• Support for 128- and 256-bit Advanced Encryption Standard-Cipher-based Message Authentication Code
(AES-CMAC) encryption for control packets.
• Support for VLAN tag in the clear option to enable Carrier Ethernet Service Multiplexing.
• Support for coexistence of MACsec and non-MACsec subinterfaces.
• Support for configurable Extensible Authentication Protocol over LAN (EAPoL) destination address.
• Support for configurable option to change the EAPoL Ethernet type.
• Support for configurable replay protection window size to accommodate packet reordering in the service
provider network.
Configure MACsec Enablement in Cisco SD-WAN Manager Using a CLI Template
1. Enable MACsec feature from the global configuration mode in Cisco Catalyst SD-WAN Manager.
key chain key_chain_name macsec
key connectivity_association_key_name
key-string connectivity_association_key
2. Configure MKA.
The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the
required encryption keys.
mka policy policyname
Here's the complete configuration example for configuring and enabling MACsec in Cisco Catalyst SD-WAN
Manager:
key chain mka-keychain128 macsec
key 10
interface TenGigabitEthernet0/0/5
vrf forwarding 20
ip address 60.60.60.2 255.255.255.0
ip mtu 1468
speed 1000
mka pre-shared-key key-chain mka-keychain128
macsec
===============================================================================================
mka-keychain128 10 Te0/0/5
<HIDDEN>
Applied Interfaces...
The following is a sample output from the show mka default-policy sessions command.
Device# show mka default-policy sessions
Summary of All Active MKA Sessions with MKA Policy "*DEFAULT POLICY*"...
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
====================================================================================================
Te0/0/5 e8d3.22d3.2085/000d *DEFAULT POLICY* NO NO
13 a03d.6e5d.037f/0045 1 Secured 10
The following is a sample output from the show mka default-policy sessions detail command.
Device# show mka default-policy sessions detail
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
SAK Rekey Time........... 0s (SAK Rekey interval not applicable)
Confidentiality Offset... 0
Algorithm Agility........ 80C201
SAK Rekey On Live Peer Loss........ NO
Send Secure Announcement.. DISABLED
SCI Based SSCI Computation.... NO
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
such as detail, interface TenGigabitEthernet offer more specific details about the sessions or sessions
associated with a particular interface.
Device# show mka sessions
Total MKA Sessions....... 1
Secured Sessions... 1
Pending Sessions... 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
====================================================================================================
Te0/0/5 e8d3.22d3.2085/000d MKA-128 NO NO
13 a03d.6e5d.037f/0045 1 Secured 10
The following is a sample output from the show mka sessions detail command.
Device# show mka sessions detail
MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec
SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)
SAK Rekey Time........... 0s (SAK Rekey interval not applicable)
Confidentiality Offset... 0
Algorithm Agility........ 80C201
SAK Rekey On Live Peer Loss........ NO
Send Secure Announcement.. DISABLED
SCI Based SSCI Computation.... NO
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES
---------------------------------------------------------------------------------------
CA Statistics
Pairwise CAKs Derived... 0
Pairwise CAK Rekeys..... 0
Group CAKs Generated.... 0
Group CAKs Received..... 0
SA Statistics
SAKs Generated.............. 0
SAKs Rekeyed................ 0
SAKs Received............... 1
SAK Responses Received...... 0
SAK Rekeyed as KN Mismatch.. 0
MKPDU Statistics
MKPDUs Validated & Rx... 229
"Distributed SAK".. 1
"Distributed CAK".. 0
MKPDUs Transmitted...... 231
"Distributed SAK".. 0
"Distributed CAK".. 0
====================================================================================================
Interface Local-TxSCI Policy-Name Inherited Key-Server
====================================================================================================
Te0/0/5 e8d3.22d3.2085/000d MKA-128 NO NO
13 a03d.6e5d.037f/0045 1 Secured 10
Deleted (Secured).......... 17
Keepalive Timeouts......... 0
CA Statistics
Pairwise CAKs Derived...... 0
Pairwise CAK Rekeys........ 0
Group CAKs Generated....... 0
Group CAKs Received........ 0
SA Statistics
SAKs Generated.............. 0
SAKs Rekeyed................ 0
SAKs Received............... 18
SAK Responses Received...... 0
SAK Rekeyed as KN Mismatch.. 0
MKPDU Statistics
MKPDUs Validated & Rx...... 374465
"Distributed SAK"..... 18
"Distributed CAK"..... 0
MKPDUs Transmitted......... 384191
"Distributed SAK"..... 0
"Distributed CAK"..... 0
SAK Failures
SAK Generation................... 0
Hash Key Generation.............. 0
SAK Encryption/Wrap.............. 0
SAK Decryption/Unwrap............ 0
SAK Cipher Mismatch.............. 0
CA Failures
Group CAK Generation............. 0
Group CAK Encryption/Wrap........ 0
Group CAK Decryption/Unwrap...... 0
Pairwise CAK Derivation.......... 0
CKN Derivation................... 0
ICK Derivation................... 0
KEK Derivation................... 0
Invalid Peer MACsec Capability... 0
MACsec Failures
Rx SC Creation................... 0
Tx SC Creation................... 0
Rx SA Installation............... 0
Tx SA Installation............... 0
MKPDU Failures
MKPDU Tx............................... 0
MKPDU Rx ICV Verification.............. 0
MKPDU Rx Fallback ICV Verification..... 0
MKPDU Rx Validation.................... 0
MKPDU Rx Bad Peer MN................... 0
MKPDU Rx Non-recent Peerlist MN........ 0
SAK USE Failures
SAK USE Latest KN Mismatch............. 0
SAK USE Latest AN not in USE........... 0
The following is a sample output from the show macsec mka-request-notify command. It displays
information about MACsec (Media Access Control Security) enabled interfaces, including the counts of
created (CR) and deleted (DEL) transmit and receive Secure Channels (SC), installed (INST) and deleted
transmit and receive Security Associations (SA), and the MKA (MACsec Key Agreement) notification count on the interface
TenGigabitEthernet0/0/5.
Device# show macsec mka-request-notify
MACsec Enabled Interface   CR_TX_SC  DEL_TX_SC  INST_TX_SA  CR_RX_SC  DEL_RX_SC  INST_RX_SA  DEL_RX_SA  MKA_NOTIFY
---------------------------------------------------------------------------------------------------------------------------
TenGigabitEthernet0/0/5 :  18        17         18          18        0          18          11         0
The following is a sample output from the show macsec post command.
Device# show macsec post
MACsec Capable Interface POST Result
--------------------------------------------------------------
TenGigabitEthernet0/0/0 NONE
TenGigabitEthernet0/0/1 NONE
TenGigabitEthernet0/0/2 NONE
TenGigabitEthernet0/0/3 NONE
TenGigabitEthernet0/0/4 NONE
TenGigabitEthernet0/0/5 NONE
TenGigabitEthernet0/0/6 NONE
TenGigabitEthernet0/0/7 NONE
TenGigabitEthernet0/1/0 NONE
TenGigabitEthernet0/1/1 NONE
TenGigabitEthernet0/1/2 NONE
TenGigabitEthernet0/1/3 NONE
FortyGigabitEthernet0/2/0 NONE
FortyGigabitEthernet0/2/4 NONE
FortyGigabitEthernet0/2/8 NONE
Transmit SC:
SCI: E8D322D32085000D
Transmitting: TRUE
Transmit SA:
Next PN: 10002
Delay Protect AN/nextPN: NA/0
Receive SC:
SCI: A03D6E5D037F0045
Receiving: TRUE
Receive SA:
Next PN: 10077
AN: 1
Delay Protect AN/LPN: 0/0
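The verification outputs in this chapter are related to one another: the Local-TxSCI in show mka sessions (MAC address plus 16-bit port identifier) must equal the Transmit SC SCI shown above, the session Status must be SECURED, the SAK cipher suite identifier encodes the cipher actually negotiated, and the MKPDU failure counters (ICV verification in particular) should stay at zero. As an added example that is not part of this guide, the following Python script parses constructed excerpts of those outputs and reports anything that does not line up. The cipher-suite table is the IEEE 802.1AE assignment; the required cipher, the excerpt layout and the counter values are assumptions for the sample.

```python
import re

# Constructed excerpts modelled on the show mka / show macsec output quoted above.
MKA_SESSIONS = """\
Interface        Local-TxSCI           Policy-Name  Inherited  Key-Server
Te0/0/5          e8d3.22d3.2085/000d   MKA-128      NO         NO
"""

MKA_DETAIL = """\
Status: SECURED - Secured MKA Session with MACsec
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MKPDU Failures
  MKPDU Tx............................... 0
  MKPDU Rx ICV Verification.............. 0
  MKPDU Rx Fallback ICV Verification..... 0
  MKPDU Rx Validation.................... 0
  MKPDU Rx Bad Peer MN................... 0
  MKPDU Rx Non-recent Peerlist MN........ 0
"""

MACSEC_STATUS = """\
Transmit SC:
  SCI: E8D322D32085000D
  Transmitting: TRUE
Receive SC:
  SCI: A03D6E5D037F0045
  Receiving: TRUE
"""

# IEEE 802.1AE cipher suite identifiers: OUI 00-80-C2 followed by the suite number.
CIPHER_SUITES = {
    "0080C20001000001": "GCM-AES-128",
    "0080C20001000002": "GCM-AES-256",
    "0080C20001000003": "GCM-AES-XPN-128",
    "0080C20001000004": "GCM-AES-XPN-256",
}


def sci_from_txsci(txsci):
    """'e8d3.22d3.2085/000d' -> 'E8D322D32085000D' (48-bit MAC || 16-bit port id)."""
    mac, port = txsci.split("/")
    return (mac.replace(".", "") + port).upper()


def parse_sessions(text):
    """Rows of the 'show mka sessions' summary table (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            rows.append({"interface": parts[0], "txsci": parts[1], "policy": parts[2],
                         "inherited": parts[3], "key_server": parts[4]})
    return rows


def parse_detail(text):
    """Status, SAK cipher suite id and MKPDU failure counters from 'show mka sessions detail'."""
    d = {"status": None, "cipher": None, "failures": {}}
    in_failures = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Status:"):
            d["status"] = s.split(":", 1)[1].split("-")[0].strip()
        m = re.match(r"SAK Cipher Suite\.+ ([0-9A-F]+)", s)
        if m:
            d["cipher"] = m.group(1)
        if s == "MKPDU Failures":
            in_failures = True
            continue
        if in_failures:
            m = re.match(r"(.+?)\.{2,} (\d+)$", s)   # 'Counter name....... 0'
            if m:
                d["failures"][m.group(1)] = int(m.group(2))
            else:
                in_failures = False
    return d


def parse_macsec_status(text):
    """{'Transmit SC': sci, 'Receive SC': sci} from the Transmit/Receive SC blocks."""
    sc, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("SC:"):
            current = s[:-1]
        elif current and s.startswith("SCI:"):
            sc[current] = s.split(":", 1)[1].strip()
    return sc


def audit(sessions, detail, status, required_cipher="GCM-AES-128"):
    """Return findings; an empty list means the session is secured as expected."""
    findings = []
    if detail["status"] != "SECURED":
        findings.append(f"MKA session is {detail['status']}, not SECURED")
    suite = CIPHER_SUITES.get(detail["cipher"], "unknown")
    if suite != required_cipher:
        findings.append(f"SAK cipher suite is {suite}, policy requires {required_cipher}")
    for name, count in detail["failures"].items():
        if count:   # any ICV verification failure means MKPDUs that did not authenticate
            findings.append(f"{name} failures: {count}")
    for row in sessions:
        expected = sci_from_txsci(row["txsci"])
        if status.get("Transmit SC") != expected:
            findings.append(f"{row['interface']}: Transmit SCI {status.get('Transmit SC')} "
                            f"does not match MKA Local-TxSCI {expected}")
    return findings


if __name__ == "__main__":
    result = audit(parse_sessions(MKA_SESSIONS), parse_detail(MKA_DETAIL),
                   parse_macsec_status(MACSEC_STATUS))
    print("MACsec session healthy" if not result else "\n".join(result))
```

Pass required_cipher="GCM-AES-256" when the key chain uses a 256-bit CAK and the policy expects the 256-bit suite; the audit then flags a link that silently negotiated GCM-AES-128.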
CHAPTER 23
Security CLI Reference
 11 permit object-group fw-policy-seq-1-service-og_ object-group subnet1 any
!
ip access-list extended utd-nat-acl
 10 permit ip any any
!
class-map type inspect match-all fw_policy-seq-1-cm_
 match access-group name fw_policy-seq-1-acl_
!
policy-map type inspect fw_policy
 class fw_policy-seq-1-cm_
  inspect
 !
 class class-default
  pass
 !
!
object-group service fw_policy-seq-1-service-og_
 ip
!
parameter-map type inspect-global
 alert on
 log dropped-packets
 multi-tenancy
 vpn zone security
!
parameter-map type umbrella global
 token A5EA676087BF66A42DC4F722C2AFD10D00256274
 dnscrypt
 vrf 1
  dns-resolver umbrella
  match-local-domain-to-bypass
 !
!
zone security internet
 vpn 0
!
zone security zone1
 vpn 1
!
zone security zone2
 vpn 2
!
zone-pair security ZP_zone1_internet_fw_policy source zone1 destination internet
 service-policy type inspect fw_policy
!
zone-pair security ZP_zone1_zone2_fw_policy source zone1 destination zone2
 service-policy type inspect fw_policy
!
app-hosting appid utd
 app-resource package-profile cloud-low
 app-vnic gateway0 virtualportgroup 0
Cisco Catalyst SD-WAN Security Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x
393
Security CLI Reference
threat protection
policy connectivity
logging level err
!
utd global
!
policy utd-policy-vrf-1
all-interfaces
vrf 1
threat-inspection profile intrusion_policy
CHAPTER 24
Regular Expression for URL Filtering and DNS Security
Regular Expressions
A regular expression is a pattern (a phrase, number, or more complex pattern) the CLI String Search feature
matches against show or more command output. Regular expressions are case-sensitive and allow for complex
matching requirements. Simple regular expressions include entries like Serial, misses, or 138. Complex regular
expressions include entries like 00210... , ( is ), or [Oo]utput.
A regular expression can be a single-character pattern or a multiple-character pattern. That is, a regular
expression can be a single character that matches the same single character in the command output or multiple
characters that match the same multiple characters in the command output. The pattern in the command output
is referred to as a string. This section describes creating both single-character patterns and multiple-character
patterns. It also discusses creating more complex regular expressions using multipliers, alternation, anchoring,
and parentheses.
Single-Character Patterns
The simplest regular expression is a single character that matches the same single character in the command
output. You can use any letter (A-Z, a-z) or digit (0-9) as a single-character pattern. You can also use other
keyboard characters (such as ! or ~) as single-character patterns, but certain keyboard characters have special
meaning when used in regular expressions. The table below lists the keyboard characters that have special
meaning.
Character Description
^ Matches the beginning of the string.
$ Matches the end of the string.
. Matches any single character.
* Matches any number of occurrences of the preceding pattern, including none.
+ Matches one or more occurrences of the preceding pattern.
? Matches zero or one occurrence of the preceding pattern.
_ (underscore) Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ), right
parenthesis ( ) ), the beginning of the string, the end of the string, or a space.
To use these special characters as single-character patterns, remove the special meaning by preceding each
character with a backslash (\). The following examples are single-character patterns matching a dollar sign,
an underscore, and a plus sign, respectively.
\$ \_ \+
You can specify a range of single-character patterns to match against command output. For example, you can
create a regular expression that matches a string containing one of the following letters: a, e, i, o, or u. Only
one of these characters must exist in the string for pattern matching to succeed. To specify a range of
single-character patterns, enclose the single-character patterns in square brackets ([]). For example,
[aeiou] matches any one of the five vowels of the lowercase alphabet, while [abcdABCD] matches any one
of the first four letters of the lower- or uppercase alphabet.
You can simplify ranges by entering only the endpoints of the range separated by a dash (-). Simplify the
previous range as follows:
[a-dA-D]
To add a dash as a single-character pattern in your range, include another dash and precede it with a backslash:
[a-dA-D\-]
You can also include a right square bracket (]) as a single-character pattern in your range, as shown
here: [a-dA-D\-\]]
The previous example matches any one of the first four letters of the lower- or uppercase alphabet, a dash, or
a right square bracket.
You can reverse the matching of the range by including a caret (^) at the start of the range. The following
example matches any letter except the ones listed:
[^a-dqsv]
The following example matches anything except a right square bracket (]) or the letter d:
[^\]d]
Multiple-Character Patterns
When creating regular expressions, you can also specify a pattern containing multiple characters. You create
multiple-character regular expressions by joining letters, digits, or keyboard characters that do not have special
meaning. For example, a4% is a multiple-character regular expression. Insert a backslash before the keyboard
characters that have special meaning when you want to indicate that the character should be interpreted literally.
With multiple-character patterns, order is important. The regular expression a4% matches the character a
followed by a 4 followed by a % sign. If the string does not have a4%, in that order, pattern matching fails.
The multiple-character regular expression a. uses the special meaning of the period character to match the
letter a followed by any single character. With this example, the strings ab, a!, or a2 are all valid matches for
the regular expression.
You can remove the special meaning of the period character by inserting a backslash before it. For example,
when the expression a\. is used in the command syntax, only the string a. will be matched.
You can create a multiple-character regular expression containing all letters, all digits, all keyboard characters,
or a combination of letters, digits, and other keyboard characters. For example, telebit3107v32bis is a valid
regular expression.
Multipliers
You can create more complex regular expressions that instruct Cisco IOS software to match multiple occurrences
of a specified regular expression. To do so, you use some special characters with your single-character and
multiple-character patterns. The table below lists the special characters that specify “multiples” of a regular
expression.
Character Description
* Matches zero or more occurrences of the preceding pattern.
+ Matches one or more occurrences of the preceding pattern.
? Matches zero or one occurrence of the preceding pattern.
The following example matches any number of occurrences of the letter a, including none:
a*
The following pattern requires that at least one letter a be in the string to be matched:
a+
The following pattern matches the string bb or bab:
ba?b
The following pattern matches any number of asterisks (*):
\**
To use multipliers with multiple-character patterns, you enclose the pattern in parentheses. In the following
example, the pattern matches any number of the multiple-character string ab:
(ab)*
As a more complex example, the following pattern matches one or more instances of alphanumeric pairs, but
not none (that is, an empty string is not a match):
([A-Za-z][0-9])+
The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs are
matched from outside to inside. Concatenated constructs are matched beginning at the left side of the construct.
Thus, the regular expression ([A-Za-z][0-9])+ matches A9b3, but not 9Ab3, because the letters are specified
before the numbers.
Alternation
Alternation allows you to specify alternative patterns to match against a string. You separate the alternative
patterns with a vertical bar (|). Exactly one of the alternatives can match the string. For example, the regular
expression codex|telebit matches the string codex or the string telebit, but not both codex and telebit.
Anchoring
You can instruct Cisco IOS software to match a regular expression pattern against the beginning or the end
of the string. That is, you can specify that the beginning or end of a string contain a specific pattern. You
“anchor” these regular expressions to a portion of the string using the special characters shown in the table
below.
Character Description
^ Matches the beginning of the string.
$ Matches the end of the string.
For example, the regular expression ^con matches any string that starts with con, and sole$ matches any string
that ends with sole.
In addition to indicating the beginning of a string, the ^ symbol can be used to indicate the logical function
“not” when used in a bracketed range. For example, the expression [^abcd] indicates a range that matches
any single letter, as long as it is not the letters a, b, c, or d.
Contrast these anchoring characters with the special character underscore (_). Underscore matches the beginning
of a string (^), the end of a string ($), parentheses (( )), space ( ), braces ({}), comma (,), or underscore (_).
With the underscore character, you can specify that a pattern exist anywhere in the string. For example,
_1300_ matches any string that has 1300 somewhere in the string. The string 1300 can be preceded by or end
with a space, brace, comma, or underscore. So, although {1300_ matches the regular expression _1300_, 21300
and 13000 do not.
Using the underscore character, you can replace long regular expression lists. For example, instead of specifying
^1300()()1300${1300,,1300,{1300},1300,(1300 you can specify simply _1300_.
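The underscore is the one construct in this chapter with no direct equivalent in common regex engines. The following is an added example, not code from the guide: it translates an IOS-style pattern into a Python pattern so that a candidate URL-filtering or DNS-security pattern can be checked offline against sample strings. The translation rule for the underscore is an assumption derived from the description above; underscores inside a bracketed range are not handled.

```python
import re

# Added example, not code from the Cisco guide. Translates a pattern written with the
# Cisco IOS regular-expression rules described in this chapter into a Python pattern.
# Assumption: an unescaped underscore stands for a comma, brace, parenthesis, space or
# underscore, or for the beginning or end of the string (per the chapter's table).
_UNDERSCORE = r"(?:^|$|[,{}() _])"


def ios_to_python(pattern: str) -> str:
    """Return a Python regex equivalent to an IOS-style regex.

    ^ $ . * + ? [ ] ( ) | and backslash escapes already mean the same in Python,
    so they pass through unchanged; \\_ becomes a literal underscore and a bare _
    becomes the alternation above. Underscores inside [ ] are not special-cased.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # An escaped character keeps its literal meaning (\$ \+ \. \- \] ...).
            out.append("_" if nxt == "_" else ch + nxt)
            i += 2
        else:
            out.append(_UNDERSCORE if ch == "_" else ch)
            i += 1
    return "".join(out)


def ios_match(pattern: str, text: str, whole: bool = False) -> bool:
    """True if the IOS-style pattern matches text.

    By default the pattern may match anywhere in the string, as the CLI String
    Search does; whole=True requires the entire string to match, which is the
    sense in which ([A-Za-z][0-9])+ matches A9b3 but not 9Ab3.
    """
    py = ios_to_python(pattern)
    found = re.fullmatch(py, text) if whole else re.search(py, text)
    return found is not None


if __name__ == "__main__":
    # Constructed sample strings exercising the chapter's own examples.
    checks = [
        ("_1300_", "{1300_", False, True),
        ("_1300_", "21300", False, False),
        ("^con", "console", False, True),
        ("sole$", "console", False, True),
        ("ba?b", "bab", False, True),
        ("([A-Za-z][0-9])+", "9Ab3", True, False),
    ]
    for pat, s, whole, expected in checks:
        assert ios_match(pat, s, whole) == expected, (pat, s)
    print("all chapter examples behave as described")
```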
CHAPTER 25
Troubleshoot Cisco Catalyst SD-WAN Security
Overview
This chapter provides links to documents authored by Cisco subject matter experts (SMEs). They aim to help
you resolve technical issues without requiring a support ticket. If these documents are unable to resolve your
issue, we recommend visiting the applicable Cisco Community. There is a wealth of information and advice
available from fellow Cisco customers who may have experienced this issue already and provided a solution.
If you are not able to find a resolution on the Community, it may be best that you raise a support ticket at
Cisco Support. In cases where a support ticket has to be raised, these documents provide guidance about the
data that should be collected and added to the support ticket. Specify the support document you referred to, so
that TAC can create an improvement request with the document owner.
Support Articles
The documents in this section were created using specific software and hardware listed in the Components
Used section of each article. However, this does not mean that they are limited to what is listed in Components
Used, and generally remain relevant for later versions of software and hardware. Note that there could be
some changes in the software or hardware that can cause commands to stop working, the syntax to change,
or GUIs and CLIs to look different from one release to another.
The following are the support articles associated with this technology:
Document: Install UTD Security Virtual Image on cEdge Routers
Description: This document describes how to install Unified Threat Defense (UTD) Security Virtual Image to
enable security features on Cisco IOS XE Catalyst SD-WAN Devices.
Document: Configure Cisco Catalyst SD-WAN Zone-Based Firewall (ZBFW) and Route Leaking
Description: This document describes how to configure, verify and troubleshoot Zone-Based Firewall (ZBFW)
with Route-Leaking between Virtual Private Networks (VPN).
Document: Configure Integration with Cisco Umbrella and Troubleshooting Common Problems
Description: This document describes the Cisco SD-WAN Manager/Cisco IOS® XE SD-WAN software part of the
integration with the Cisco Umbrella DNS security solution.
Document: Configure Cisco Catalyst SD-WAN Advanced Malware Protection (AMP) Integration and Troubleshoot
Description: This document describes how to configure and troubleshoot the Cisco Catalyst SD-WAN Advanced
Malware Protection (AMP) integration on a cEdge device with Cisco IOS® XE, as an integral part of the Cisco
Catalyst SD-WAN edge security solution that aims to provide visibility and protection from malware for users
at a branch.
Document: Troubleshoot Datapath Handling by UTD and URL-Filtering
Description: This document describes how to troubleshoot Unified Threat Defense (UTD), also known as Snort,
and Uniform Resource Locator (URL) Filtering on IOS® XE WAN Edge routers.
Document: Collect an Admin-Tech in Cisco Catalyst SD-WAN Environment and Upload to TAC Case
Description: This document describes how to initiate an admin-tech in a Cisco Catalyst SD-WAN environment.
Document: Troubleshoot Cisco IOS XE Catalyst SD-WAN Router IPsec Anti-Replay Failures
Description: This document describes the IPsec Anti-Replay behavior in SD-WAN IPsec for Cisco IOS XE
SD-WAN routers and how to troubleshoot Anti-Replay issues.
Document: Install and Uninstall UTD Engine in Cisco Catalyst SD-WAN with CLI
Description: This document describes the procedure to install and uninstall Unified Threat Defense (UTD) via
CLI in Cisco Catalyst SD-WAN routers.
Document: SD-WAN Manager: How to Check and Verify Single Sign On
Description: This document describes the basics in order to enable Single Sign On (SSO) on vManage and how
to check/verify on vManage when this feature is enabled.
Document: Configure OKTA Single Sign-On (SSO) on Cisco Catalyst SD-WAN
Description: This document describes how to integrate OKTA Single Sign-On (SSO) on Cisco Catalyst SD-WAN.
Document: Configure Umbrella SIG Tunnels for Active/Backup or Active/Active Scenarios
Description: This document describes how to configure Cisco Umbrella Secure Internet Gateway (SIG) tunnels
with IPsec in both Active/Active and Active/Standby
Feedback Request
Your input helps. A key aspect to improving these support documents is customer feedback. Note that these
documents are owned and maintained by multiple teams within Cisco. If you find an issue specific to the
document (unclear, confusing, information missing, etc.):
• Provide feedback using the Feedback button located at the right panel of the corresponding article. The
document owner will be notified, and will either update the article, or flag it for removal.
• Include information regarding the section, area, or issue you had with the document and what could be
improved. Provide as much detail as possible.
Disclaimer and Caution