
Configuring the Security Virtual Image for IPS/IDS and URL Filtering

This section describes how to install, configure, activate, and update the Cisco SD-WAN Release 18.4 IPS/IDS and URL-F Security Policy Virtual Image.

Cisco release 18.4 supports intrusion prevention/intrusion detection systems (IPS/IDS) and URL filtering (URL-F) for IOS XE and IOS XE SD-WAN devices. These features enable application hosting and real-time traffic analysis on IP networks. Once the image file is uploaded to the vManage Software Repository, you can create policy, profile, and device templates that will push the policies and updates to the correct devices automatically.

Supported Platforms for the 18.4 Security Virtual Image

The following router platforms support the 18.4 security virtual image:

  • Cisco Integrated Service Router 4351 (ISR-4351)
  • Cisco Integrated Service Router 4331 (ISR-4331)
  • Cisco Integrated Service Router 4321 (ISR-4321)
  • Cisco Integrated Service Router 4221X (ISR-4221X)
  • Cisco Integrated Service Router 1111X-8P (ISR-1111X-8P)
  • Cisco Cloud Services Router 1000v series (CSR-1000v)

IPS/IDS and URL filtering are not supported on ASR platforms in this release.

Recommended Configuration Workflow

Cisco recommends the following workflow to install the Security Virtual Image (SVI) and configure IPS/IDS and URL-F security policies for release 18.4:

  1. Upload the correct Cisco Security Virtual Image to vManage.
  2. Create a security policy template for IPS/IDS or URL filtering.
  3. Create a feature profile template for IPS/IDS or URL filtering.
  4. Create a device template.
  5. Attach devices to the device template.
  6. Upgrade a Security Virtual Image (when you update a router's image software).

Upload the Correct Cisco Security Virtual Image to vManage

Each router image supports a specific range of versions for a hosted application. The IPS/IDS and URL-F feature set is packaged as a TAR file, which you download from the Cisco website and upload to your vManage software repository as a virtual image.

  1. From the Software Download page for your router, locate the image "UTD Engine for IOS XE SD-WAN."
  2. Click the download icon on the right-hand side of the window to download the image file.

sec_virtual_image_dwnld_website.png

  3. From the vManage dashboard, select Maintenance ► Software Repository.
  4. Select Virtual Images from the top options.

upload_virtual_image_menu.png

  5. Click Upload Virtual Image, and select either vManage or Remote Server – vManage. The Upload Virtual Image to vManage window opens.
  6. Drag and drop, or browse to the image file and select it.
  7. Click Upload. When the upload completes, a confirmation message displays. The new virtual image displays in the Virtual Images Software Repository.

Create a Security Policy for IPS/IDS or URL-F

Once the Security Virtual Image is uploaded, use the Add Security Policy configuration wizard to build your IPS/IDS or URL-F policies. For a complete description of this task, see Intrusion Prevention Configuration on SD-WAN or URL Filtering Configuration on vManage.

  1. From the vManage dashboard, select Configuration ► Security.
  2. Click Add Security Policy. The Add Security Policy wizard displays.

security_policy_wizard.png

  3. Select the scenario that most closely fits your needs, and click Proceed.
  4. Follow the instructions for IPS/IDS or URL-F.

Create a Security App Hosting Profile

The security app hosting profile configures two functions:

  • NAT – Enable or disable network address translation, which hides internal IP addresses from networks outside the firewall.
  • Resource Profile – Allocate default or high resources to different subnets or devices.

The security app hosting profile template includes default values that allow you to use it with little customization. If you need further customization, follow the steps below.

  1. From the vManage dashboard, select Configuration ► Templates.
  2. Click Feature.
  3. Click Add Template. The add feature template page displays.
  4. From the Select Devices list on the left, select the device(s) you want to associate with the template.
  5. In the Select Template ► Basic Information section, click Security App Hosting. The Security App Hosting template page displays.
  6. Enter a name for the template in the Template Name field. Make it as descriptive as possible. The name can be up to 128 characters and can contain only alphanumeric characters.
  7. Optionally, enter a description of the template in the Description field. The description can be up to 2048 characters and can contain only alphanumeric characters.
  8. Scroll to the Security Policy Parameters section.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (a blue check), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Device Specific – Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

  When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

  To change the default key, type a new string and move the cursor out of the Enter Key box.

  Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global – Enter a value for the parameter, and apply that value to all devices.

  Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.
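As an added example (not Cisco's or vManage's own code), the following Python helper builds the template variables CSV described above (a header row of key names, then one row per device) and checks it for the mistakes that most often break a template attach: a header that does not match the template's keys, a short or empty row, or a malformed system IP, site ID, or GPS value. The key names and device values are constructed placeholders; use the exact keys vManage shows in the Enter Key box.

```python
import csv
import io
import ipaddress
from typing import Dict, Iterable, List

# Constructed placeholder key names (assumption, not from the page): use the
# exact strings vManage shows in the Enter Key box for your own template.
KEYS = ["system_host_name", "system_system_ip", "system_site_id", "system_gps_latitude"]

# Constructed sample devices: one row per device, one value per key.
DEVICES = [
    {"system_host_name": "isr4221-site10", "system_system_ip": "10.1.10.1",
     "system_site_id": "10", "system_gps_latitude": "37.3861"},
    {"system_host_name": "isr4331-site20", "system_system_ip": "10.1.20.1",
     "system_site_id": "20", "system_gps_latitude": "47.6062"},
]

# Per-key format checks; each returns True when the value is acceptable.
CHECKS = {
    "system_system_ip": lambda v: ipaddress.IPv4Address(v) is not None,
    "system_site_id": lambda v: v.isdigit() and int(v) > 0,
    "system_gps_latitude": lambda v: -90.0 <= float(v) <= 90.0,
}


def build_csv(keys: List[str], devices: Iterable[Dict[str, str]]) -> str:
    """Render the header row (key names) followed by one row per device."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(keys)
    for dev in devices:
        missing = [k for k in keys if k not in dev]
        if missing:
            raise ValueError(f"device {dev.get(keys[0], '?')} lacks values for {missing}")
        writer.writerow([dev[k] for k in keys])
    return buf.getvalue()


def validate_csv(text: str, keys: List[str]) -> List[str]:
    """Return the problems found; an empty list means the file is consistent."""
    problems: List[str] = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != keys:
        return ["header row does not match the template's key list"]
    if len(set(keys)) != len(keys):
        problems.append("duplicate key name in header row")
    for line, row in enumerate(rows[1:], start=2):
        if len(row) != len(keys):
            problems.append(f"line {line}: expected {len(keys)} values, got {len(row)}")
            continue
        for key, value in zip(keys, row):
            if value.strip() == "":
                problems.append(f"line {line}: empty value for {key}")
                continue
            check = CHECKS.get(key)
            try:
                ok = check(value) if check else True
            except ValueError:  # IPv4Address() and float() raise on bad input
                ok = False
            if not ok:
                problems.append(f"line {line}: bad value {value!r} for {key}")
    return problems
```

Run validate_csv over the file you intend to upload before attaching devices; each reported line number refers to the CSV line as a spreadsheet shows it.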

Enter Security Policy Parameters

  1. NAT – Click On to enable network address translation (NAT), or Off to disable it. By default, NAT is on.
  2. Click the Resource Profile drop-down menu to set boundaries for the policy. The default is normal priority. To change the global resource profile for the device, select Global, then click High.
  3. When you have finished, click Save. The Feature Profile template displays in the Configuration ► Templates ► Feature page table.

Create a Device Template

To activate the policies you want to apply, you can create a device template that pushes the policies to the devices that need them. The available options vary with the device type. Some feature templates are mandatory, indicated with an asterisk (*), and some are optional. Each mandatory feature template, and some of the optional ones too, has an available factory-default template. For software features that have a factory-default template, you can use either the factory-default template (named Factory_Default_feature-name_Template) or you can create a custom feature template. For full information about device templates, see Create a Device Template.

To create a device template for IPS/IDS and URL Filtering, follow this example:

  1. From the vManage dashboard, select Configuration ► Templates ► Device. The device configuration table displays.
  2. Click Create Template ► From Feature Template. The add device template page displays.
  3. Click the Device Model drop-down menu and select the device model (in this example, an ISR4221x router). The device template page displays.

device_template_cEdge_basic_info.png

  4. Enter the following information:
     • Template Name * – Enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
     • Description – Describe the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Scroll down the page to the configuration sub-menus. When you first open a feature template, for each parameter that has a default value, the scope is set to Default (a blue check), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select Device Specific or Global. These scopes are the ones described in the Parameter Scope section under Create a Security App Hosting Profile.

Fields with an asterisk are required.

Basic Information

Select templates for the following parameters and protocols:

  • System * – Use a System template for all Cisco SD-WAN devices, to configure system-wide parameters using vManage templates. For a full description, see System.
  • Logging * – Use the Logging template for all SD-WAN devices, to configure logging to either the local hard drive or a remote host. For a full description, see Logging.
  • AAA * – Authentication, Authorization, and Accounting (AAA) support, in combination with RADIUS and TACACS+. For a full description, see AAA.
  • BFD * – Bidirectional Forwarding Detection (BFD). The BFD protocol, which detects link failures as part of the Cisco high availability solution, is enabled by default on all vEdge routers, and you cannot disable it. For a full description, see BFD.
  • OMP * – Overlay Management Protocol (OMP). Use OMP to establish and maintain the SD-WAN control plane. OMP is enabled by default on all SD-WAN vEdge routers, vManage NMSs, and vSmart controllers, so there is no need to explicitly configure or enable OMP. OMP must be operational for the Viptela overlay network to function. If you disable it, you disable the overlay network. For a full description, see OMP.
  • Security * – On vEdge Cloud and vEdge routers and on vBond orchestrators, use this template to configure IPsec for data plane security. On vManage NMSs and vSmart controllers, use this template to configure DTLS or TLS for control plane security. For a full description, see Security.

Additional System Templates

  • NTP – Network Time Protocol (NTP). Click NTP to open a menu field where you can browse to the template file in an NTP system.

Transport and Management VPN

For a full description of transport and management VPN options, see VPN.

Select policies for the following parameters and protocols from the drop-down menus, or leave the defaults:

  • VPN 0 * – Apply policies on the transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
  • VPN 512 *

Additional VPN 0 Templates

  • BGP – Border Gateway Protocol. For a full description, see BGP.
  • OSPF – Open Shortest Path First. For a full description, see OSPF.
  • VPN Interface Cellular – Configure cellular module parameters. For a full description, see VPN Interface Cellular.
  • VPN Interface Multilink Controller – Multilink Point-to-Point Protocol (MLP). For a full description, see VPN Interface Multilink.
  • VPN Interface DSL IPoE – Internet Protocol over Ethernet (IPoE).
  • VPN Interface DSL PPPoA – PPP-over-ATM interfaces on routers with DSL NIM modules. For a full description, see VPN Interface DSL PPPoA.
  • VPN Interface DSL PPPoE – Point-to-Point Protocol (PPP)-over-Ethernet (oE) interfaces on routers with digital subscriber line (DSL) network interface modules (NIM). For a full description, see VPN Interface DSL PPPoE.
  • VPN Interface SVI – Switch Virtual Interface. For a full description, see VPN Interface SVI.
  • VPN Interface T1-E1 – Configure T1/E1 interfaces in a VPN. For a full description, see VPN Interface T1/E1.
  • VPN Interface – Create additional interfaces. For a full description, see VPN Interface Ethernet.

Additional VPN 512 Templates

  • VPN Interface SVI – Switch Virtual Interface. For a full description, see VPN Interface SVI.
  • VPN Interface – Optionally, create additional policies for VPNs 1 through 511, and 513 through 65530. For a full description, see VPN Interface Ethernet.

Service VPN

Use the optional Service VPN template for VPNs on IOS XE routers for service-side data traffic. For a full description of Service VPN options, see VPN. Optionally, select policies for the following parameters and protocols:

  • VPN * – Select a custom policy for service-side data traffic.

Additional VPN Templates (optional)

  • BGP – Border Gateway Protocol. For a full description, see BGP.
  • EIGRP – Enhanced Interior Gateway Routing Protocol (EIGRP). For a full description, see EIGRP.
  • OSPF – Open Shortest Path First. For a full description, see OSPF.
  • VPN Interface Multilink Controller – Multilink Point-to-Point Protocol (MLP). For a full description, see VPN Interface Multilink.
  • VPN Interface SVI – Switch Virtual Interface. For a full description, see VPN Interface SVI.
  • VPN Interface – Create additional interfaces. For a full description, see VPN Interface Ethernet.
  • VPN Interface IPsec – Configure IPsec tunnels. For a full description, see VPN Interface IPsec.

Cellular

Optionally, you can add a cellular controller by applying a cellular template.

  • Cellular Controller – Select a Cellular Controller policy, or create a new one. For a full description, see Cellular Controller.

Additional Cellular Controller Templates

  • GPS – Global Positioning System. For a full description, see GPS.
  • Cellular Profile – Configure cellular modem profiles. For a full description, see Cellular Profile.

Additional Templates

Optionally, you can create or apply templates for the following additional network elements.

For IPS/IDS or URL-F policies to apply correctly, you must populate the Security Policy and Container Profile parameters with the templates you created earlier.

  • AppQoE – Application Quality of Experience (AppQoE).
  • Banner – You can configure two different banner text strings, one to be displayed before the CLI login prompt on a Cisco SD-WAN device and the other to be displayed after a successful login to the device. For a full description, see Banner.
  • Policy – If you have configured a Local policy (Configuration > Policies > Localized Policies), you have the option to attach it to the template (see Configure Localized Policy).
  • SNMP – Use the Simple Network Management Protocol (SNMP) template to configure SNMP parameters for all Cisco SD-WAN devices and Cisco IOS XE routers running the SD-WAN software. For a full description, see SNMP.
  • Security Policy – Select the IPS/IDS or URL-F Security Policy template you created. For a full description, see Create a Security App Hosting Profile.
  • Switch Port – Select a policy template to apply to switched ports. For a full description, see Switch Port.

Create the Device Template

When you have finished assigning templates, click Create. The new template will display in the Configuration ► Templates ► Device table.

Attach Devices to the Device Template

When all the templates have been configured, you can attach individual devices to the device template you created.

  1. From the vManage dashboard, select Configuration ► Templates.
  2. Click Feature. The feature template table displays.
  3. Locate a device template, and click the three-dot additional options menu in the far right column of the selected template.

select_attach_devices.png

  4. Select Attach Devices. The Attach Devices selection window displays. The list of Available Devices is limited to only those that are compatible with the selected template.

Use the arrow buttons between the device lists to add or remove devices.

attach_devices_page.png

  5. When you have finished, click Attach. The attachment/uploading process begins. The process may take some time. When the process completes, a confirmation message displays.

Once devices are attached to a template, a Detach Devices option will display in the additional options menu.

Upgrade a Security Virtual Image

When a Cisco IOS XE SD-WAN router is upgraded to a new software image, the security virtual image must also be upgraded to match.

The matching signature file is automatically updated as a part of the upgrade.

Upgrade the Security Virtual Image

To upgrade the application hosting virtual image for a device, follow these steps:

  1. Follow the steps in Upload the Correct Cisco Security Virtual Image to vManage to download the recommended version of the Security Virtual Image for your router. Note the version name.
  2. From the vManage menu, select Maintenance ► Software Repository ► Virtual Images to verify that the image version listed under the Recommended Version column matches a virtual image listed in the Virtual Images table.
  3. Then select Maintenance ► Software Upgrade. The WAN Edge Software upgrade page displays.
  4. Select the devices you want to upgrade by clicking the boxes in the leftmost column. When you have selected one or more devices, a row of options display, as well as the number of rows you selected.

upgrade_select_devices_check.png

  5. When you are satisfied with your choices, select Upgrade Virtual Image from the options menu. The Virtual Image Upgrade dialog box opens.
  6. For each device you selected, select the correct upgrade version from the Upgrade to Version drop-down list.

container_upgrade_select.png

  7. When you have selected an upgrade version for each device, click Upgrade. When the update completes, a confirmation message displays.

Verify Your Upgrade

  1. From the vManage menu, select Maintenance ► Software Upgrade.
  2. Locate an upgraded device in the device table.
  3. Scroll to the Available Services column on the far right of the device table.

verify_available_services.png

  4. Click the linked number in the Available Services column. The Container Details popup displays.

verify_upgrade_details.png

  5. Verify that the device is running the updated image.

Check the Correct Security Image for Your Router

  1. From the vManage dashboard, select Monitor ► Network.
  2. Choose WAN – Edge.
  3. Select the device that will run the SVI. The System Status page displays.
  4. Scroll to the bottom of the device menu, and click Real Time. The System Information page displays.
  5. Click the Device Options field, and select Security App Version Status from the menu list.

sec_virtual_image_app_version_status.png

  6. Note the image name in the Recommended Version column. It should match the available SVI for your router from the Cisco downloads website.

recommended_image_for_device.png