Cisco release 18.4 supports intrusion prevention/intrusion detection systems (IPS/IDS) and URL filtering (URL-F) for IOS XE and IOS XE SD-WAN devices. These features enable application hosting, real-time traffic analysis, and packet logging on IP networks. Once the image file is uploaded to the vManage Software Repository, you can create policy, profile, and device templates that will push the policies and updates to the correct devices automatically.
Supported Platforms for the 18.4 Security Virtual Image
The following router platforms support the 18.4 security virtual image:
- Cisco Integrated Service Router 4351 (ISR-4351)
- Cisco Integrated Service Router 4331 (ISR-4331)
- Cisco Integrated Service Router 4321 (ISR-4321)
- Cisco Integrated Service Router 4221X (ISR-4221X)
- Cisco Integrated Service Router 1111X-8P (ISR-1111X-8P)
- Cisco Cloud Services Router 1000v series (CSR-1000v)
IPS/IDS and URL filtering is not supported on ASR platforms for this release.
Recommended Configuration Workflow
Cisco recommends the following workflow to install and configure IPS/IDS and URL-F security policies for release 18.4:
- Find the recommended Security Virtual Image for Your Device.
- Upload a Cisco Security Virtual Image to vManage.
- Create a security policy template for IPS/IDS or URL filtering.
- Create a feature profile template for IPS/IDS or URL filtering.
- Create a device template.
- Attach devices to the device template.
- Upgrade a Security Virtual Image (when you update a router's image software).
Find the Recommended Security Virtual Image for a Device
Each router image supports a specific range of versions for a hosted application. For IPS/IDS and URL-Filtering, you can find the range of supported versions (and the recommended version) for a device on its Device Options page.
- From the vManage dashboard, select Monitor ► Network.
- Choose WAN – Edge.
- Select an applicable device. The System Status page displays.
- Scroll to the bottom of the device menu, and click Real Time. The System Information page displays.
- Click the Device Options field, and select UTD Version Status from the menu list.
- Note the image name in the Recommended Version column. You will use this later, when selecting the correct Security virtual image from the Cisco downloads website.
Upload the Cisco Security Virtual Image to vManage
The IPS/IDS and URL-F feature set is contained within a TAR file, which can be downloaded from the Cisco website, and uploaded to your vManage software repository as a virtual image.
To download the security virtual image to your vManage software repository:
- Go to https://software.cisco.com/download/home and sign on. The Software Download page displays.
- In the Select a Product search field, enter Software-Defined WAN (SD-WAN) and click Browse all.
- From the available options, select Routers ► Software-Defined WAN (SD-WAN) ► XE SD-WAN Routers ► [Your router series]. The Software Download page displays for your selected router.
- From the list on the left-hand side, select Latest Release, or 18.4.x. A list of available images display.
- Select the Security Virtual Image file for your platform. Look for the Recommended Version you noted from the System Information page.
|TAR File Name||Applicable Platform|
- Click the icon on the right-hand side of the window to download the image file.
- From the vManage dashboard, select Maintenance ► Software Repository.
- Select Virtual Images from the top options.
- Click Upload Virtual Image, and select either vManage or Remote Server – vManage. The Upload Virtual Image to vManage window opens.
- Drag and drop, or browse to the image file and select it (your image file will be different).
- Click Upload. When the upload completes, a confirmation message displays. The new virtual image displays in the Virtual Images Software Repository.
Create a Security Policy Template for IPS/IDS or URL-F
Once the Security Virtual Image is uploaded, use the Add Security Policy configuration wizard to build your IPS/IDS or URL‑F policies. For a complete description of this task, see Intrusion Prevention Configuration on SD-WAN or URL Filtering Configuration on vManage.
- From the vManage dashboard, select Configuration ► Security.
- Click Add Security Policy. The Add Security Policy wizard displays.
Create a Feature Profile Template for IPS/IDS or URL-F
The feature profile template configures two functions:
- NAT – Enable or disable network address translation, which protects internal IP addresses when outside the firewall.
- Resource Profile – Allocate default or high resources to different subnets or devices.
A feature profile template, while not strictly required, is recommended.
To configure a security profile template for IPS/IDS or URL-F:
- From the vManage dashboard, select Configuration ► Templates.
- Click Feature.
- Click Add Template. The add feature template page displays.
- From the Select Devices list on the left, select the device(s) you want to associate with the template.
- In the Select Template ► Basic Information section, click Security App Hosting. The Security App Hosting template page displays.
- Enter a name for the template in the Template Name field. Make it as descriptive as possible. The name can be up to 128 characters and can contain only alphanumeric characters.
- Optionally, enter a description of the template in the Description field. The description can be up to 2048 characters and can contain only alphanumeric characters. Scroll to the Security Policy Parameters section.
- NAT – Click On to enable network address translation (NAT), or Off to disable it. By default, NAT is on.
- Click the Resource Profile drop-down menu to set boundaries for the policy. The default is Default.
- Global – Select default or high from the drop-down, to configure the global resource priority for the policy traffic. CORRECT?
- Device Specific – Enable the profile only for specified devices. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Cisco SD-WAN device to a device template. For a full description, see Attach Devices to the Device Template.
Enter Key – When you click Device Specific, the Enter Key field opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a SD-WAN device to a device template. For more information, see Create a Template Variables Spreadsheet. To change the default key, type a new string and move the cursor out of the Enter Key box. Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.
- Default – Enable normal resource priority for devices attached to the template.
- When you have finished, click Save. The Feature Profile template displays in the Configuration ► Templates ► Feature page table.
Create a Device Template
To activate the policies you want to apply, you can create a device template that pushes the policies to the devices that need them. The available options vary with the device type. Some feature templates are mandatory, indicated with an asterisk (*), and some are optional. Each mandatory feature template, and some of the optional ones too, have an available factory-default template. For software features that have a factory-default template, you can use either the factory-default template (named Factory_Default_feature-name_Template) or you can create a custom feature template. For full information about device templates, see Templates.
To create a security device template for IPS/IDS and URL Filtering, follow this example for vEdge 2000 model routers:
- From the vManage dashboard, select Configuration ► Templates ► Device. The device configuration table displays.
- Click Create Template ► From Feature Template. The add device template page displays.
- Click the Device Model drop-down menu and select the device model (in this example, a vEdge 2000 router).
The device template page displays.
- Enter the following information:
|Template Name (required)||Enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.|
|Description (optional)||Describe the template. The description can be up to 2048 characters and can contain only alphanumeric characters.|
- Scroll down the page to the configuration sub-menus. Parameters that have a factory-default template will be selected by default (named Factory_Default_feature-name_Template). Click the parameter field to open the options menu for that parameter. From here, you can:
- Select an existing template
- Create a new template
- View the existing template
For example, to create a new System template, click Create Template. To view the selected template, click View Template.
Fields with an asterisk are required.
- Select templates for the following parameters and protocols:
|System (required)||Use a System template for all Cisco SD-WAN devices, to configure system-wide parameters using vManage templates. For a full description, see System.|
|Logging (required)||Use the Logging template for all SD-WAN devices, to configure logging to either the local hard drive or a remote host. For a full description, see Logging.|
|Additional System Templates (optional)||Select templates stored in an archive or NTP system. Click Archive or NTP to open a menu field where you can browse to the template file.|
|AAA (required)||Authentication, Authorization, and Accounting - For AAA support, in combination with RADIUS and TACACS+. For a full description, see AAA.|
|BFD (required)||Bidirectional Forwarding Detection - The BFD protocol, which detects link failures as part of the Cisco high availability solution, is enabled by default on all vEdge routers, and you cannot disable it. For a full description, see BFD.|
|OMP (required)||Edge Overlay Management Protocol - Use OMP to establish and maintain the SD-WAN control plane. OMP is enabled by default on all SD-WAN vEdge routers, vManage NMSs, and vSmart controllers, so there is no need to explicitly configure or enable OMP. OMP must be operational for the Viptela overlay network to function. If you disable it, you disable the overlay network. For a full description, see OMP.|
|Security (required)||On vEdge Cloud and vEdge routers and on vBond orchestrators, use this template to configure IPsec for data plane security. On vManage NMSs and vSmart controllers, use this template to configure DTLS or TLS for control plane security. For a full description, see Security.|
Transport and Management VPN
Use the virtual private network VPN template for all Cisco SD-WAN devices, to configure VPNs for network segmentation using vManage templates. For a full description of transport and management VPN options, see VPN.
- Select templates for the following parameters and protocols from the drop-down menus, or leave the defaults:
|VPN 0 (required)||
Use with all Cisco SD-WAN devices to apply policies on the transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
|VPN Interface (required)||
Use to apply a vEdge DHCP tunnel interface on transport VPN interfaces.
|Additional VPN 0 Templates (optional)||
Attach additional transport VPN templates:
|VPN 512 (required)||Use to apply policies on the Management VPN, which carries out-of-band network management traffic among the SD-WAN devices in the overlay network. By default, VPN 512 is configured and enabled on all vEdge routers except for vEdge 100. For controller devices, by default, VPN 512 is not configured.|
|Additional VPN 512 Templates (optional)||
Attach additional management VPN templates:
Use the optional Service VPN template for VPNs on vEdge routers for service-side data traffic.For a full description of Service VPN options, see VPN.
- Optionally, from the Service VPN section, click the + icon and select the number of service VPNs you need. No factory-default template is available. Select your custom template from the list.
- Optionally, select templates for the following parameters and protocols:
|VPN (optional)||Select a custom template for service-side data traffic.|
|Additional VPN Templates (optional)||
Attach additional service VPN templates:
The NAT pool defines a range of IP addresses that the firewall can use to translate the source address of connections from VPN clients. The NAT pool translates the addresses in the same way as NAT rules do. Connections that use the NAT Pool must not match any NAT rules.
- Optionally, you can create or apply templates for the following additional network elements.
For IPS/IDS or URL-F policies to apply correctly, you must populate the Security Policy and Container Profile parameters with the templates you created earlier.
|Banner||You can configure two different banner text strings, one to be displayed before the CLI login prompt on a Cisco SD-WAN device and the other to be displayed after a successful login to the device. For a full description, see Banner.|
|Policy||If you have configured a Local policy (Configuration > Policies > Localized Policies), you have the option to attach it to the template (see Configure Localized Policy).|
|SNMP||Use the Simple Network Management Protocol (SNMP) template to configure SNMP parameters for all Cisco SD-WAN devices and Cisco IOS XE routers running the SD-WAN software. For a full description, see SNMP.|
|Security Policy||Select the IPS/IDS or URL-F Security Policy template you created (see Create a Security Policy Template for IPS/IDS or URL-F. Once you select a Security Policy template, the Container Profile option displays.|
|Container Profile||Select the IPS/IDS or URL-F Feature Profile template you created (see Create a Feature Profile Template for IPS/IDS or URL-F).|
- Optionally, from the Bridge section, click the + icon to select the number of bridge profiles you need. Then choose the profile and an ID range between 1-63.For a full description, see VPN Interface Bridge.
Create the Device Template
- When you have finished assigning templates, click Create. The new template will display in the Configuration ► Templates ► Device table.
Attach Devices to the Device Template
When all the templates have been configured, you can attach individual devices to the device template you created.
- From the vManage dashboard, select Configuration ► Templates.
- Click Feature. The feature template table displays.
- Locate a device template, and click the three-dot additional options menu in the far right column of the selected template.
- Select Attach Devices. The Attach Devices selection window displays. The list of Available Devices are limited to only those that are compatible with the selected template.
Use the arrow buttons between the device lists to add or remove devices.
- When you have finished, click Attach. The attachment/uploading process begins. The process may take some time. When the process completes, a confirmation message displays.
Once devices are attached to a template, a Detach Devices option will display in the additional options menu.
Upgrade a Security Virtual Image
When a Cisco SE SDWAN router is upgraded to a new software image, the security virtual image must also be upgraded to match.
The matching signature file is automatically updated as a part of the upgrade.
Upgrade the Security Virtual Image
To upgrade the application hosting virtual image for a device, follow these steps:
- Follow the steps in Find the Recommended Security Virtual Image for a Device to find the recommended version of the Security Virtual Image for your router. Note the version name.
- From the vManage menu, select Maintenance ► Software Repository ► Virtual Images to verify that the image version listed under the Recommended Version column matches a virtual image listed in the Virtual Images table.
- Then select Maintenance ► Software Upgrade. The WAN Edge Software upgrade page displays.
- Select the devices you want to upgrade by clicking the boxes in the leftmost column. When you have selected one or more devices, a row of options display, as well as the number of rows you selected.
- When you are satisfied with your choices, select Upgrade Virtual Image from the options menu. The Virtual Image Upgrade dialog box opens.
- For each device you selected, select the correct upgrade version from the Upgrade to Version drop-down list.
- When you have selected an upgrade version for each device, click Upgrade. When the update completes, a confirmation message displays.
For each image type, you have the choice whether to upgrade every base image separately, or as a group.
Verify Your Upgrade
- From the vManage menu, select Maintenance ► Software Upgrade.
- Locate an upgraded device in the device table.
- Scroll to the Available Services column on the far right of the device table.
- Click the linked number in the Available Services column. The Container Details popup displays.
- Verify that the device is running the updated image.