Security
Use the Security screen to create security policies to implement the Cisco SD-WAN security solution on IOS XE SD-WAN routers in the overlay network. The Cisco SD-WAN security solution is an integrated solution that addresses all key enterprise security profiles: Compliance, Guest Access, Direct Cloud Access (DCA), and Direct Internet Access (DIA).
You can configure the following Cisco SD-WAN security mechanisms:
- Application-Aware Enterprise Firewall
- Intrusion prevention and detection (IPS/IDS)
- URL filtering
- Umbrella DNS security
Screen Elements
- Top bar—On the left are the menu icon, for expanding and collapsing the vManage menu, and the vManage product name. On the right are a number of icons and the user profile drop-down.
- Title bar—Includes the title of the screen, Security, and the following:
- Custom Options—Click to display, create, and edit the components used in security policies. These components are Lists, which include signatures, whitelist URLs, blacklist URLs, and zones; zone-based firewall policies; intrusion prevention policies; URL-filtering policies; and Umbrella DNS policies.
- Security wizard—When you have not yet configured any security policies, the Security page displays a security configuration wizard, which consists of a security icon and an Add Security Policy button. Click this button to start the security policy wizard.
- Add Security Policy—When you have configured one or more security policies, the Add Security Policy button is displayed. Click to create a firewall policy using the security policy configuration wizard.
- Search box—Includes the Search Options drop-down, for a Contains or Match string.
- Refresh icon—Click to refresh data in the policies table with the most current data.
- Show Table Columns icon—Click to display or hide columns from the security policies table. By default, all columns are displayed.
- Security policy table—To re-arrange the columns, drag the column title to the desired position.
Configure Security Policies
You configure security policies with a configuration wizard. The wizard is a UI policy builder that consists of screens to guide you through the creation and modification of the following security policy components:
- Enterprise firewall—Allows you to filter data packets, to match allowed data traffic and drop unwanted traffic. You enable enterprise firewalls by configuring zones. Zone configuration consists of the following components:
- Source zone—A grouping of VPNs where the data traffic flows originate. A VPN can be part of only one zone.
- Destination zone—A grouping of VPNs where the data traffic flows terminate. A VPN can be part of only one zone.
- Firewall policy—A security policy, similar to a localized security policy, that defines the conditions that the data traffic flow from the source zone must match to allow the flow to continue to the destination zone. Firewall policies can match IP prefixes, IP ports, the protocols TCP, UDP, and ICMP, and applications. Matching flows for prefixes, ports, and protocols can be accepted or dropped, and the packet headers can be logged. Nonmatching flows are dropped by default. Matching applications are denied.
- Zone pair—A container that associates a source zone with a destination zone and that applies a firewall policy to the traffic that flows between the two zones.
- Intrusion prevention policy—Protects against malicious attacks on data traffic by using signature sets and inspection mode. Intrusion detection passes all packets flowing between service-side and transport-side (WAN or internet) interfaces, and between VLANs, through an intrusion detection engine, generating alerts for traffic that is identified as malicious, and logging these alerts via syslog. Intrusion prevention blocks traffic that is identified as malicious.
- URL filtering policy—Allows and disallows access to specific URLs and webpage categories. URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on whitelists, blacklists, categories, and reputations. When a client sends an HTTP or HTTPS request, the router inspects the traffic. If the request matches the blacklist, it is either blocked with a block page response or redirected to a different URL. If the request matches the whitelist, the traffic is allowed without further URL filtering inspection.
- DNS security policy—Directs traffic from your network to the cloud-based Cisco Umbrella secure internet gateway. Umbrella uses DNS to stop threats over all ports and protocols and over direct-to-IP connections.
Step 1: Start the Security Policy Wizard
To start the security policy configuration wizard:
- In vManage NMS, select the Configure ► Security screen.
- Click Add Security Policy.
- From the Add Security Policy popup, select the desired security policy type:
- Compliance policy—Consists of an application firewall policy and an intrusion prevention policy.
- Guest access policy—Consists of an application firewall policy and a URL-filtering policy.
- Direct cloud access policy—Consists of an application firewall policy, an intrusion prevention policy, and an Umbrella DNS security policy.
- Direct internet access policy—Consists of an application firewall policy, an intrusion prevention policy, a URL-filtering policy, and an Umbrella DNS security policy.
- Custom security policy—Consists of an application firewall policy and your choice of the remaining security policy components (intrusion prevention, Umbrella DNS, and URL filtering).
- Click Proceed.
The security policy configuration wizard opens, and the Firewall screen displays.
Step 2: Configure Application Firewall Policy
To create a new application firewall policy:
- In the Firewall screen, click the Add Firewall Policy drop-down.
- Select Create New. The Add Firewall Policy screen displays.
- In the Name field, enter a name for the firewall policy. The name can be up to 128 characters and can contain only alphanumeric characters.
- In the Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
- Create a zone pair or apply an existing zone pair to the firewall policy:
- Click Apply Zone Pairs. The Apply Zone Pairs popup displays.
- In Source Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
- In Destination Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
- Create one or more security policy sequence rules to apply to the traffic that flows from the source zones to the destination zones:
- Click Add Sequence Rule.
- Click Match to add a match condition. You can match the following:
- Source Data Prefix
- Source Port
- Destination Data Prefix
- Destination Port
- Protocol
- Application/Application Family List
- Click Actions to define the actions to take when a match occurs. By default, the packet is dropped. You can take these other actions:
- Inspect: Inspect the packet's header to determine its source address and port.
- Log: Log the packet headers.
- Pass: Allow the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.
- Click Save Match and Actions.
- Add additional sequence rules as needed.
- Drag and drop the rules to arrange them in the desired sequence. Rules are applied to data packets in the order in which they are defined in the policy.
- Click Save Firewall Policy.
- Click Next.
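The zone, zone pair and sequence-rule behaviour described above (zones group VPNs, a VPN belongs to one zone only, rules are evaluated in order, the first match decides, and flows with no matching rule or no zone pair are dropped) can be modelled in a few dozen lines. The following is an added illustration in Python, not vManage or IOS XE code; the zone names, VPN numbers, addresses and the `bittorrent` application label are constructed sample values.

```python
"""Model of zone-based firewall evaluation: zones group VPNs, a zone pair carries an
ordered list of sequence rules, the first matching rule decides, and unmatched
traffic is dropped. Added illustration, not vManage or IOS XE code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed zones: VPN 0 is the transport side, VPNs 1 and 2 are service side.
ZONES: Dict[str, Set[int]] = {"inside": {1, 2}, "outside": {0}}


def zones_are_disjoint(zones: Dict[str, Set[int]]) -> bool:
    """A VPN can be part of only one zone; reject overlapping zone lists."""
    seen: Set[int] = set()
    for vpns in zones.values():
        if seen & vpns:
            return False
        seen |= vpns
    return True


def zone_of(vpn: int, zones: Dict[str, Set[int]] = ZONES) -> Optional[str]:
    """Return the zone that contains a VPN, or None if it is in no zone."""
    for name, vpns in zones.items():
        if vpn in vpns:
            return name
    return None


@dataclass
class Flow:
    src_vpn: int
    dst_vpn: int
    src_ip: str
    dst_ip: str
    protocol: str                        # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    application: Optional[str] = None    # e.g. "bittorrent" (constructed label)


@dataclass
class SequenceRule:
    """One sequence rule: every configured match field must match; unset fields match anything."""
    name: str
    action: str = "drop"                 # "drop" (default), "inspect" or "pass"
    log: bool = False                    # log the packet headers
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    applications: Set[str] = field(default_factory=set)

    def matches(self, f: Flow) -> bool:
        return all([
            self.src_prefix is None or ip_address(f.src_ip) in ip_network(self.src_prefix),
            self.dst_prefix is None or ip_address(f.dst_ip) in ip_network(self.dst_prefix),
            self.src_port is None or f.src_port == self.src_port,
            self.dst_port is None or f.dst_port == self.dst_port,
            self.protocol is None or f.protocol == self.protocol,
            not self.applications or f.application in self.applications,
        ])


@dataclass
class ZonePair:
    src_zone: str
    dst_zone: str
    rules: List[SequenceRule]


def evaluate(pairs: List[ZonePair], f: Flow) -> Tuple[str, bool, Optional[str]]:
    """Return (action, logged, matching rule name). Rules are tried in the order they
    appear in the policy; traffic with no matching rule, or with no zone pair for its
    source/destination zones, is dropped."""
    src, dst = zone_of(f.src_vpn), zone_of(f.dst_vpn)
    for pair in pairs:
        if (pair.src_zone, pair.dst_zone) != (src, dst):
            continue
        for rule in pair.rules:
            if rule.matches(f):
                return rule.action, rule.log, rule.name
        break                            # zone pair found, but no rule matched
    return "drop", False, None


# Constructed policy for inside -> outside: inspect web and DNS, drop a matched application.
POLICY = [ZonePair("inside", "outside", [
    SequenceRule("web", action="inspect", protocol="tcp", dst_port=443, src_prefix="10.1.0.0/16"),
    SequenceRule("dns", action="inspect", log=True, protocol="udp", dst_port=53),
    SequenceRule("p2p", action="drop", log=True, applications={"bittorrent"}),
])]

if __name__ == "__main__":
    for flow in (Flow(1, 0, "10.1.2.3", "203.0.113.10", "tcp", dst_port=443),
                 Flow(1, 0, "10.1.2.3", "203.0.113.10", "tcp", dst_port=22),
                 Flow(0, 1, "203.0.113.10", "10.1.2.3", "tcp", dst_port=443)):
        print(flow.src_vpn, "->", flow.dst_vpn, flow.protocol, flow.dst_port, evaluate(POLICY, flow))
```

Two points the model makes visible: the reverse direction (VPN 0 to VPN 1) is dropped because no zone pair exists for it, which is why return traffic relies on the Inspect action rather than a mirrored rule; and because evaluation is first-match, a rule placed above the application rule can shadow it for traffic that also matches the earlier rule, so the drag-and-drop ordering matters.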
To copy an existing firewall policy into the compliance security policy:
- In the Firewall screen, click the Add Firewall Policy drop-down.
- Select Copy from Existing.
- In the Copy from Existing Firewall popup:
- In the Policy field, select a policy.
- In the Policy Name field, select a policy name.
- In the Policy Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
- Click Copy. The copied policy is listed in the Security Policy Firewall table.
- Click Next. Depending on the security policy type you are configuring, one of the following screens displays:
- Intrusion prevention policy
- Umbrella DNS policy
- URL-filtering policy
Step 3: Configure Security Policy Components
Step 3a: Configure Intrusion Prevention
To create a new intrusion prevention policy:
- In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
- Click Create New. The Add Intrusion Prevention Policy screen displays.
- In the Policy Name field, enter a name for the intrusion prevention policy. The name can be up to 32 characters and can contain only alphanumeric characters.
- In the Signature Set field, select the desired signature set:
- Balanced (default)—Contains rules that are from the current year and the previous two years, are for vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 9 or greater, and are in one of the following categories:
- Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
- Exploit-kit—Rules that are designed to detect exploit kit activity.
- Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
- SQL Injection—Rules that are designed to detect SQL Injection attempts.
- Connectivity—Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
- Security—Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of the following categories:
- App-detect—Rules that look for and control the traffic of certain applications that generate network activity.
- Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
- Exploit-kit—Rules that are designed to detect exploit kit activity.
- Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
- SQL Injection—Rules that are designed to detect SQL Injection attempts.
- In the Inspection Mode field, select the desired inspection mode:
- Detection—In intrusion detection mode, traffic is accepted or blocked based on the rules defined by the signature set that you choose.
- Protection—In intrusion prevention mode, malicious traffic is automatically blocked, based on the intrusion prevention policy rules.
- In the Advanced ► Signature Whitelist field, select the desired signature list.
- In the Advanced ► Alerts Log Level field, select the desired log level for alerts. The level can be Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug. The default is Error.
- Configure the VPNs to which to apply the intrusion prevention policy:
- In the Target field, click Add Target VPNs.
- Enter the VPN numbers to which to apply the intrusion prevention policy. To specify multiple VPNs, separate the numbers with commas.
- Click Save Changes.
- Click Save Intrusion Prevention Policy. The intrusion prevention policy is then listed in the policy table.
- Click Next. The Policy Summary screen displays.
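The signature set descriptions above amount to a filter over three rule attributes (publication year, CVSS score, category); the inspection mode and alerts log level then decide what happens to a match. The following added example in Python applies those stated criteria to constructed rule metadata so the difference between Balanced, Connectivity and Security is concrete. It is an illustration, not the real signature sets, Snort rule data, or vManage code; the signature ids, years and scores are constructed.

```python
"""Which rules each signature set pulls in, following the year, CVSS and category
criteria listed above, plus the Detection/Protection inspection modes and the
alerts log level. Added illustration over constructed rule metadata; not the
real signature sets or vManage code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    sid: int            # constructed signature id
    year: int           # year the rule was published
    cvss: float         # CVSS score of the vulnerability the rule covers
    category: str       # rule category, lower-cased


# Selection criteria as stated for each signature set (years_back = previous years included).
SIGNATURE_SETS: Dict[str, dict] = {
    "Balanced": {"years_back": 2, "min_cvss": 9.0,
                 "categories": {"blacklist", "exploit-kit", "malware-cnc", "sql-injection"}},
    "Connectivity": {"years_back": 2, "min_cvss": 10.0, "categories": None},
    "Security": {"years_back": 3, "min_cvss": 8.0,
                 "categories": {"app-detect", "blacklist", "exploit-kit", "malware-cnc", "sql-injection"}},
}

# Syslog severities, most to least severe; an alert is logged when it is at least as severe
# as the configured level.
LOG_LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]


def select_rules(rules: List[Rule], set_name: str, current_year: int) -> List[int]:
    """Return the sids that the named signature set would include in current_year."""
    spec = SIGNATURE_SETS[set_name]
    oldest_year = current_year - spec["years_back"]
    chosen = []
    for r in rules:
        if r.year < oldest_year or r.cvss < spec["min_cvss"]:
            continue
        if spec["categories"] is not None and r.category not in spec["categories"]:
            continue
        chosen.append(r.sid)
    return chosen


def enforce(matched_sid: Optional[int], mode: str) -> str:
    """Detection mode alerts on traffic that matches a rule; Protection mode blocks it."""
    if matched_sid is None:
        return "forward"
    return "block" if mode == "Protection" else "alert"


def should_log(alert_level: str, configured_level: str = "Error") -> bool:
    """Emit the alert to syslog only if it is as severe as the configured level (default Error)."""
    return LOG_LEVELS.index(alert_level) <= LOG_LEVELS.index(configured_level)


# Constructed rule metadata.
SAMPLE_RULES = [
    Rule(1001, 2019, 9.8, "exploit-kit"),
    Rule(1002, 2019, 10.0, "app-detect"),
    Rule(1003, 2017, 8.5, "malware-cnc"),
    Rule(1004, 2016, 10.0, "blacklist"),
    Rule(1005, 2018, 7.0, "sql-injection"),
]

if __name__ == "__main__":
    for name in SIGNATURE_SETS:
        print(name, select_rules(SAMPLE_RULES, name, current_year=2019))
```

Run with `current_year=2019`, Balanced keeps only the recent high-CVSS exploit-kit rule, Connectivity keeps only the CVSS 10 rule regardless of category, and Security reaches back a further year and down to CVSS 8, which is why it is the largest set and the most likely to need a signature whitelist for noisy rules.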
To copy an existing intrusion prevention policy into the compliance security policy:
- In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
- Select Copy from Existing.
- In the Copy from Existing Intrusion Prevention Policy popup:
- In the Policy field, select a policy.
- In the Policy Name field, select a policy name.
- In the Policy Description field, enter a description of the intrusion prevention policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
- Click Copy. The copied policy is listed in the Security Policy Firewall table.
- Click Next. The Policy Summary screen displays.
Step 3b: Configure Umbrella DNS
To create a new Umbrella DNS policy:
- In the Add Security Policy screen, click the Add DNS Security Policy drop-down.
- Click Create New. The Add DNS Security Policy screen displays.
- In the Policy Name field, enter a name for the DNS security policy. The name can be up to 32 characters and can contain only alphanumeric characters.
- In the Umbrella Registration Status field:
- Click Manage Umbrella Registration.
- In the Manage Umbrella Registration pop-up, enter your Umbrella registration token.
- Click Save Changes.
- By default, the DNS security policy applies to all VPNs, so the Match All VPN field is selected. To apply the DNS security policy to a custom set of VPNs:
- Select the Custom VPN Configuration field.
- In the Target field, click Add Target VPNs.
- Enter the VPN numbers to which to apply the DNS security policy. To specify multiple VPNs, separate the numbers with commas.
- Click Save Changes.
- In the Local Domain Bypass List field, select the domain list that lists the website domains that are allowed to bypass the Umbrella DNS lookup. To create a domain list:
- Click in the Local Domain Bypass List field and then click Add New Domain List.
- In the Domain List Name field, enter a name for the domain list.
- In the Domain field, enter one or more web domains. Examples of website domains are cisco.com and *.cisco.com. Separate domains with a comma. The first item in the list cannot start with an asterisk (*).
- Click Save.
- In the DNS Server IP field, select the IP address of the DNS server. By default, traffic uses Umbrella as the DNS server. To use a different DNS server, select Custom DNS and enter the IP address of the DNS server.
- In the Advanced ► DNSCrypt field, configure the encryption of DNS traffic. By default, encryption is enabled. To disable DNS traffic encryption, move the slider to the left.
- Click Save DNS Security Policy. The DNS security policy is then listed in the policy table.
- Click Next. The Policy Summary screen displays.
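The DNS security policy fields above combine into one decision per query: is the querying VPN covered (Match All VPN or a custom target list), does the name fall under the local domain bypass list, and otherwise is the query sent to Umbrella (or a custom DNS server), with DNSCrypt on or off. The following added Python illustration models that decision and the stated Domain field rules (comma-separated entries, the first item may not start with an asterisk). It is not vManage or Umbrella code. Two points are assumptions: `*.cisco.com` is treated as matching any subdomain of cisco.com but not cisco.com itself, and DNSCrypt is treated as applying only to queries redirected to Umbrella. The policy name, VPN numbers and domains are constructed.

```python
"""Where a DNS query goes under a DNS security policy: target VPN check, local
domain bypass list (with its wildcard rules), then Umbrella or a custom DNS
server, with DNSCrypt on or off. Added illustration, not vManage or Umbrella code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DnsSecurityPolicy:
    name: str
    match_all_vpn: bool = True                            # default: policy applies to every VPN
    target_vpns: Set[int] = field(default_factory=set)    # used only with custom VPN configuration
    local_domain_bypass: List[str] = field(default_factory=list)
    custom_dns: Optional[str] = None                      # None: Umbrella is the DNS server
    dnscrypt: bool = True                                 # DNS traffic encryption, enabled by default


def domain_list_error(domains: List[str]) -> Optional[str]:
    """Validate a Domain field value: at least one entry, and the first item may not start with '*'."""
    if not domains:
        return "domain list is empty"
    if domains[0].startswith("*"):
        return "first item in the list cannot start with an asterisk"
    return None


def parse_domain_list(text: str) -> List[str]:
    """Split the comma-separated Domain field and validate it."""
    domains = [d.strip().lower() for d in text.split(",") if d.strip()]
    error = domain_list_error(domains)
    if error:
        raise ValueError(error)
    return domains


def domain_matches(entry: str, qname: str) -> bool:
    """'cisco.com' matches exactly; '*.cisco.com' matches any subdomain of cisco.com
    (assumed wildcard semantics, not taken from the product documentation)."""
    qname = qname.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]                                # ".cisco.com"
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return qname == entry


def resolve_via(policy: DnsSecurityPolicy, vpn: int, qname: str) -> Dict[str, object]:
    """Decide the resolver for a query from a VPN: the VPN's own DNS (policy not applied),
    a local bypass, or the policy's DNS server (Umbrella by default)."""
    if not policy.match_all_vpn and vpn not in policy.target_vpns:
        return {"resolver": "vpn-default", "encrypted": False}
    if any(domain_matches(e, qname) for e in policy.local_domain_bypass):
        return {"resolver": "local-bypass", "encrypted": False}
    resolver = policy.custom_dns or "umbrella"
    # Assumption: DNSCrypt applies to queries redirected to Umbrella.
    return {"resolver": resolver, "encrypted": policy.dnscrypt and resolver == "umbrella"}


# Constructed policy: custom VPN configuration covering VPNs 1 and 2, with a bypass list.
SAMPLE_POLICY = DnsSecurityPolicy(
    name="guest-dns",
    match_all_vpn=False,
    target_vpns={1, 2},
    local_domain_bypass=parse_domain_list("cisco.com, *.cisco.com, corp.example"),
)

if __name__ == "__main__":
    for vpn, name in ((1, "www.cisco.com"), (1, "example.org"), (3, "example.org")):
        print(vpn, name, resolve_via(SAMPLE_POLICY, vpn, name))
```

The bypass check runs before the redirect, so a query that matches the bypass list never reaches Umbrella and is therefore never encrypted or filtered by it; that is the point of keeping the bypass list to internal names only.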
To copy an existing DNS security policy into the security policy you are configuring:
- In the Add Security Policy screen, click the Add DNS Security Policy drop-down.
- Select Copy from Existing.
- In the Copy from Existing DNS Security Policy popup:
- In the Policy field, select a policy.
- In the Policy Name field, select a policy name.
- Click Copy. The copied policy is listed in the Security Policy Firewall table.
- Click Next. The Policy Summary screen displays.
Step 3c: Configure URL Filtering
To create a new URL-filtering policy:
- In the URL Filtering screen, click the Add URL Filtering Policy drop-down.
- Click Create New. The Add URL Filtering Policy screen displays.
- In the Policy Name field, enter a name for the URL-filtering policy. The name can be up to 32 characters and can contain only alphanumeric characters.
- In the Web Categories field:
- In the Block drop-down, define the action to take if a URL matches a website category. Select Block (the default) to block access to the website category, or select Allow to allow access to the website category.
- In the Web Category field, select one or more webpage categories to block or accept. A category defines websites that contain a certain type of content.
When you configure category-based or reputation-based URL filtering, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. To check a website's reputation, use the Webroot BrightCloud URL/IP Lookup tool.
- In the Web Reputation field, select the reputation level of the website to block or accept. Each URL has a reputation score associated with it. The score ranges from 0 through 100 and is labeled as follows:
- High Risk—Reputation score 0 through 20
- Suspicious—Reputation score 0 through 40
- Moderate Risk—Reputation score 0 through 60. This is the default reputation setting.
- Low Risk—Reputation score 0 through 80.
- Trustworthy—Reputation score 0 through 100.
- In the Advanced ► Whitelist URL List field, select a URL list to include in the URL filtering policy. A URL whitelist allows the specified URLs and blocks URLs not included in the list. For each URL filtering policy, you can configure only one whitelist URL list. To create a new list of URLs to whitelist:
- Click in the Advanced ► Whitelist URL List field.
- Click Add New Whitelist URL List.
- In the Whitelist URL List Name field, enter a name for the whitelist.
- In the Add Whitelist URL field, enter one or more URLs to whitelist. You can specify the full URL, or you can use regular expressions, such as .*\.cisco\.com.
- To import a list of URLs into the whitelist, click the Upload arrow and then select the file to import.
- Click Save.
- In the Advanced ► Blacklist URL List field, select one or more URL blacklists to include in the URL filtering policy. A URL blacklist blocks the specified URLs and allows URLs not included in the list. For each URL filtering policy, you can configure only one blacklist URL list. To create a new list of URLs to blacklist:
- Click in the Advanced ► Blacklist URL List field.
- Click Add New Blacklist URL List.
- In the Blacklist URL List Name field, enter a name for the blacklist.
- In the Add Blacklist URL field, enter one or more URLs to blacklist. You can specify the full URL, or you can use regular expressions, such as .*\.cisco\.com.
- To import a list of URLs into the blacklist, click the Upload arrow and then select the file to import.
- Click Save.
- In the Advanced ► Block Page Server section, configure how to handle blocked HTTP URLs. For blocked HTTPS websites, no blocking or redirection is performed. Instead, all traffic is dropped.
- To block and not display the content of a webpage, click Block Page Content. Then, type the message to display to the user indicating why the webpage is not displayed. This is the default method for handling blocked URLs. In the Default Content Header field, type the title of the message, which is displayed in bold letters. The default header is, "Access to the requested page has been denied." In the Content Body field, type the content of the blocked page message. The default message is, "Please contact your network administrator".
- To redirect to another URL, click Redirect URL. Then, enter the URL to which to redirect the user.
- In the Advanced ► Alerts and Logs section, configure when to send alerts and syslog messages:
- Click Blacklist to send alerts when a blacklisted URL is blocked.
- Click Whitelist to send alerts when a whitelisted URL is allowed.
- Click Reputation/Category to send alerts when a URL is blocked because of its category or reputation.
- Configure the VPNs to which to apply the URL filtering policy:
- In the Target field, click Add Target VPNs.
- Enter the VPN numbers to which to apply the URL filtering policy. To specify multiple VPNs, separate the numbers with commas.
- Click Save Changes.
- Click Save URL Filtering Policy. The URL filtering policy is then listed in the policy table.
- Click Next. The Policy Summary screen displays.
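The URL filtering settings above (whitelist and blacklist regular expressions, web categories with Block or Allow, the cumulative reputation levels, block page versus redirect for HTTP, drop for blocked HTTPS, and the per-list alert switches) are applied in a fixed order, and the whole category/reputation path depends on the cloud database that is invalidated after 24 hours without updates, which is where the Failure Mode (Close/Open) setting on the Policy Summary screen comes in. The following added Python illustration models that order with constructed data; it is not vManage, IOS XE or Webroot code. Assumptions: patterns are matched against the request host with `re.fullmatch`; selecting a reputation level blocks every score from 0 through that level's upper bound; with Allow, a selected category is permitted and other hosts continue to the reputation check; hosts absent from the database are not blocked on reputation; and whitelist and blacklist lookups do not need the cloud database.

```python
"""URL filtering decision order as described above: whitelist, blacklist, then
category and reputation from the cloud database, with block page / redirect
handling for HTTP, drop for HTTPS, alert flags, and the Failure Mode (Close/Open)
that applies once the database has gone 24 hours without an update. Added
illustration with constructed data; not vManage, IOS XE or Webroot code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Reputation levels as listed above. Assumption: a level blocks every score from 0 through its bound.
REPUTATION_LEVELS: Dict[str, int] = {
    "High Risk": 20, "Suspicious": 40, "Moderate Risk": 60, "Low Risk": 80, "Trustworthy": 100,
}
DB_MAX_AGE = timedelta(hours=24)          # database is invalidated after 24 hours without cloud updates


@dataclass
class UrlDatabase:
    """Constructed stand-in for the downloaded category/reputation database."""
    last_update: datetime
    categories: Dict[str, str]            # host -> category
    reputation: Dict[str, int]            # host -> score 0..100

    def is_valid(self, now: datetime) -> bool:
        return now - self.last_update <= DB_MAX_AGE


@dataclass
class UrlFilterPolicy:
    whitelist: List[str] = field(default_factory=list)   # regular expressions matched against the host
    blacklist: List[str] = field(default_factory=list)
    categories: Set[str] = field(default_factory=set)    # Web Category selection
    category_action: str = "Block"                        # "Block" (default) or "Allow"
    reputation_level: str = "Moderate Risk"               # default reputation setting
    redirect_url: Optional[str] = None                    # None: return block page content
    block_page_header: str = "Access to the requested page has been denied."
    alert_blacklist: bool = True
    alert_whitelist: bool = False
    alert_reputation_category: bool = True
    failure_mode: str = "Close"                           # "Close" (default) or "Open"


def _host_matches(patterns: List[str], host: str) -> bool:
    return any(re.fullmatch(p, host) for p in patterns)


def _blocked_response(policy: UrlFilterPolicy, scheme: str) -> str:
    """Blocked HTTPS is dropped; blocked HTTP gets a block page or a redirect."""
    if scheme == "https":
        return "drop"
    return f"redirect:{policy.redirect_url}" if policy.redirect_url else f"block-page:{policy.block_page_header}"


def filter_url(policy: UrlFilterPolicy, db: UrlDatabase, url: str, now: datetime) -> Dict[str, object]:
    parts = urlsplit(url)
    host, scheme = (parts.hostname or "").lower(), parts.scheme.lower()
    if _host_matches(policy.whitelist, host):            # allowed without further inspection
        return {"action": "allow", "reason": "whitelist", "alert": policy.alert_whitelist, "response": "forward"}
    if _host_matches(policy.blacklist, host):
        return {"action": "block", "reason": "blacklist", "alert": policy.alert_blacklist,
                "response": _blocked_response(policy, scheme)}
    if not db.is_valid(now):                              # category/reputation lookups need a valid database
        if policy.failure_mode == "Open":
            return {"action": "allow", "reason": "database invalid, fail open", "alert": False, "response": "forward"}
        return {"action": "drop", "reason": "database invalid, fail close", "alert": False, "response": "drop"}
    category = db.categories.get(host)
    if category is not None and category in policy.categories:
        if policy.category_action == "Block":
            return {"action": "block", "reason": f"category:{category}", "alert": policy.alert_reputation_category,
                    "response": _blocked_response(policy, scheme)}
        return {"action": "allow", "reason": f"category:{category}", "alert": False, "response": "forward"}
    score = db.reputation.get(host)                       # unrated hosts are not blocked on reputation
    if score is not None and score <= REPUTATION_LEVELS[policy.reputation_level]:
        return {"action": "block", "reason": f"reputation:{score}", "alert": policy.alert_reputation_category,
                "response": _blocked_response(policy, scheme)}
    return {"action": "allow", "reason": "no match", "alert": False, "response": "forward"}


# Constructed database and policy.
SAMPLE_DB = UrlDatabase(
    last_update=datetime(2019, 1, 1, 12, 0),
    categories={"gambling.example": "gambling", "news.example": "news"},
    reputation={"gambling.example": 35, "news.example": 90, "sketchy.example": 15},
)
SAMPLE_POLICY = UrlFilterPolicy(whitelist=[r".*\.cisco\.com"], blacklist=[r"bad\.example"], categories={"gambling"})
FRESH = datetime(2019, 1, 1, 13, 0)       # one hour after the last update
STALE = datetime(2019, 1, 2, 13, 0)       # 25 hours after the last update: database invalidated

if __name__ == "__main__":
    for url in ("http://www.cisco.com/", "http://bad.example/", "https://gambling.example/",
                "http://sketchy.example/", "http://news.example/"):
        print(url, filter_url(SAMPLE_POLICY, SAMPLE_DB, url, FRESH))
    print("stale:", filter_url(SAMPLE_POLICY, SAMPLE_DB, "http://news.example/", STALE))
```

The stale-database case is the one to test before choosing Failure Mode: with the default Close, every request that is not on the whitelist or blacklist is dropped once cloud connectivity has been lost for more than 24 hours, so a site that loses its WAN link for a day loses web access for the filtered VPNs as well; Open restores access at the cost of running unfiltered until the database is refreshed.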
To copy an existing URL filtering policy into the guest access policy:
- In the URL Filtering screen, click the Add URL Filtering Policy drop-down.
- Select Copy from Existing.
- In the Copy from Existing URL Filtering Policy popup:
- In the Policy field, select a policy.
- In the Policy Name field, select a policy name.
- In the Policy Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
- Click Copy. The copied policy is listed in the URL Filtering table.
- Click Next. The Policy Summary screen displays.
Step 4: Configure Additional Policy Settings
In the Policy Summary screen:
- In the Security Policy Name field, enter the name of the security policy. The name can be up to 32 characters and can contain only alphanumeric characters, hyphens (-), and underscores (_).
- In the Security Policy Description field, enter a description of the security policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
- If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. To disallow this traffic, uncheck the Firewall ► Direct Internet Applications box.
- To configure the number of TCP SYN packets that the router can receive while establishing a TCP connection to use for a zone-based firewall before the router shuts down the connection, move the Firewall ► TCP SYN Flood Limit slider to Enabled. Then enter a limit value from 1 through 2147483647 packets. The default limit is 2000 SYN packets.
- By default, system logging (syslog) is enabled for intrusion detection. To disable syslog messages, move the Intrusion Prevention and/or URL Filtering ► Syslog slider to Disabled.
- In the Intrusion Prevention and/or URL Filtering ► External Server field, configure an external syslog server. In the VPN field, specify the VPN through which the server can be reached. In the Server IP field, specify the IP address of the syslog server.
- In the Intrusion Prevention and/or URL Filtering ► Failure Mode field, configure how the router handles traffic when the URL database update from the cloud fails. When you configure category-based or reputation-based URL filtering, as described above, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. For the Failure Mode field, the default is Close, which drops all traffic destined for URL filtering when cloud connectivity is lost. To not drop traffic destined for URL filter, select Open.
- To view the CLI commands that correspond to the compliance security policy configuration, click Preview.
- Click Save Policy. The policy is listed in the table on the Configuration ► Policy screen.
Step 5: Apply the Security Policy to an IOS XE SD-WAN Router
- In vManage NMS, select the Configuration ► Templates screen.
- If you are creating a new device template:
- In the Device tab, click Create Template.
- From the Create Template drop-down, select From Feature Template.
- From the Device Model drop-down, select one of the vEdge devices.
- In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
- In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
- Continue with Step 4.
- If you are editing an existing device template:
- In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
- Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
- From the Policy drop-down, select the name of a policy that you have configured.
- Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
- From the Security Policy drop-down, select the name of the zone-based firewall you configured in the above procedure.
- Click Create (for a new template) or Update (for an existing template).
View a Security Policy
- In the security policy table, select a policy. Or, click the Custom Options drop-down and select the security policy component.
- Click the More Actions icon to the right of the column and click View.
- Click Cancel to return to the policies table.
For a policy created using the security policy configuration wizard, you can view the policy in graphical format:
- In the security policy table, select a policy. Or, click the Custom Options drop-down and select the security policy component.
- Click the More Actions icon to the right of the column and click Graphical Preview.
- Click Dismiss to return to the policies table.
Edit a Security Policy
- In the security policy table, select a policy. Or, click the Custom Options drop-down and select the security policy component.
- Click the More Actions icon to the right of the column and click Edit.
- Edit the policy as needed.
- Click Save Policy Changes.
Edit or Create a Security Policy Component
You can create individual zone-based firewall components directly and then use them or import them when you are using the security policy configuration wizard:
- In the Title bar, click the Custom Options drop-down.
- Select the security policy component:
- Lists, which include signatures, whitelist URLs, blacklist URLs, and zones; zone-based firewall policies
- Intrusion prevention policies
- URL-filtering policies
- Umbrella DNS policies.
Delete a Security Policy
- In the security policy table, select a policy.
- Click the More Actions icon to the right of the column and click Delete.
- Click OK to confirm deletion of the policy.
Additional Information
Configure Policies
Localized Data Policy
Enterprise Firewall with Application Awareness