Cisco SD-WAN
Viptela Documentation

Configuring Unified Threat Defense

This article provides procedures for configuring Unified Threat Defense (UTD) security mechanisms on IOS XE routers. You can configure the following UTD security mechanisms:

  • Intrusion prevention and detection (IPS/IDS)
  • Umbrella DNS security
  • URL filtering

You provision zone-based firewall policies to define the data traffic that is subject to the UTD security mechanisms.

In vManage NMS, you configure UTD from the Configuration ► Security screen, using a policy configuration wizard.

Configuration Components

UTD security policy components consist of the following:

  • Zone-based firewall—Allows you to filter data packets, allowing matching data traffic and dropping unwanted traffic. You must configure one or more zone-based firewalls for any type of security policy. Zone configuration consists of the following components:
    • Source zone—A grouping of VPNs where the data traffic flows originate. A VPN can be part of only one zone.
    • Destination zone—A grouping of VPNs where the data traffic flows terminate. A VPN can be part of only one zone.
    • Zone pair—A container that associates a source zone with a destination zone and that applies a zone-based firewall policy to the traffic that flows between the two zones.
    • Zone-based firewall policy—A data policy, similar to a localized data policy, that defines the conditions that the data traffic flow from the source zone must match to allow the flow to continue to the destination zone. Zone-based firewalls can match IP prefixes, IP ports, and the protocols TCP, UDP, and ICMP. Matching flows can be accepted or dropped, and the packet headers can be logged. Nonmatching flows are dropped by default.
  • Intrusion prevention policy—Protects against malicious attacks on data traffic by using signature sets and inspection mode. Intrusion detection passes all packets flowing between service-side and transport-side (WAN or internet) interfaces, and between VLANs, through an intrusion detection engine, generating alerts for traffic that is identified as malicious, and logging these alerts via syslog. Intrusion prevention blocks traffic that is identified as malicious.
  • URL filtering policy—Allows and disallows access to specific URLs and webpage categories. URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on whitelists, blacklists, categories, and reputations. For example, when a client sends an HTTP or HTTPS request, the router inspects the traffic. If the request matches the blacklist, it is either blocked with a block page response or redirected to a different URL. If the HTTP or HTTPS request matches the whitelist, the traffic is allowed without further URL filtering inspection.
  • DNS security policy—Directs traffic from your network to the cloud-based Cisco Umbrella secure internet gateway. Umbrella uses DNS to stop threats over all ports and protocols and over direct-to-IP connections.

Configure Compliance Security

A compliance security policy implements both intrusion prevention and intrusion detection. Intrusion prevention policy protects against malicious attacks on data traffic by using signature sets and inspection mode. Intrusion detection passes all packets flowing between service-side and transport-side (WAN or internet) interfaces, and between VLANs, through an intrusion detection engine, generating alerts for traffic that is identified as malicious, and logging these alerts via syslog. Intrusion prevention blocks traffic that is identified as malicious.

To configure intrusion prevention and detection, you use the Compliance policy option of the security policy configuration wizard.

Step 1: Start the Security Policy Wizard

To start the security policy configuration wizard:

  1. In vManage NMS, select the Configure ► Security screen.
  2. Click Add Policy.
  3. From the Add Security Policy popup, select Compliance Policy.
  4. Click Proceed.

The security policy configuration wizard opens, and the Firewall screen displays.

Step 2: Configure Application Firewall Policy

To create a new application firewall policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Create New. The Add Firewall Policy screen displays.
  3. In the Name field, enter a name for the firewall policy. The name can be up to 128 characters and can contain only alphanumeric characters.
  4. In the Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  5. Create a zone pair or apply an existing zone pair to the firewall policy:
    1. Click Apply Zone Pairs. The Apply Zone Pairs popup displays.
    2. In Source Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
    3. In Destination Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
  6. Create one or more security policy sequence rules to apply to the traffic that flows from the source zones to the destination zones:
    1. Click Add Sequence Rule.
    2. Click Match to add a match condition. You can match the following:
      - Application/Application Family List
      - Destination Data Prefix
      - Destination Port
      - Protocol
      - Source Data Prefix
      - Source Port
    3. Click Actions to define the actions to take when a match occurs. By default, the packet is dropped. You can take these other actions:
      - Inspect: Inspect the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.
      - Log: Log the packet headers.
      - Pass: Allow the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.
    4. Click Save Match and Actions.
    5. Add additional sequence rules as needed.
    6. Drag and drop the rules to arrange them in the desired sequence. Rules are applied to data packets in the order in which they are defined in the policy.
  7. Click Save Firewall Policy.
  8. Click Next.
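
The zone pair and sequence-rule model from Step 2, including why the Inspect and Pass actions differ for return traffic, as an added Python illustration (not Cisco code or vManage output). The VPN numbers, prefixes and ports are constructed sample values.

```python
# Added illustration, not Cisco code: a small model of the zone-based firewall
# policy described above. Zones are sets of VPNs, a zone pair carries an ordered
# list of sequence rules (first match wins, unmatched flows are dropped), and the
# Inspect action records the flow so that its return traffic is allowed, while
# Pass does not, so the reply is dropped. All VPNs, prefixes and ports are
# constructed sample values.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple

DROP, INSPECT, PASS = "drop", "inspect", "pass"


@dataclass(frozen=True)
class Packet:
    src_vpn: int
    dst_vpn: int
    src_ip: str
    dst_ip: str
    protocol: str          # "tcp", "udp" or "icmp", as the page's match options allow
    src_port: int = 0
    dst_port: int = 0


@dataclass
class SequenceRule:
    """One Match/Actions entry: any unset match condition is a wildcard."""
    action: str
    protocol: Optional[str] = None
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.protocol is None or self.protocol == pkt.protocol)
            and (self.src_prefix is None or ip_address(pkt.src_ip) in ip_network(self.src_prefix))
            and (self.dst_prefix is None or ip_address(pkt.dst_ip) in ip_network(self.dst_prefix))
            and (self.src_port is None or self.src_port == pkt.src_port)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


@dataclass
class ZonePair:
    src_zone: FrozenSet[int]   # VPNs in the source zone
    dst_zone: FrozenSet[int]   # VPNs in the destination zone
    rules: List[SequenceRule] = field(default_factory=list)


class ZoneBasedFirewall:
    def __init__(self, zone_pairs: List[ZonePair]) -> None:
        self.zone_pairs = zone_pairs
        self.sessions: Set[Tuple] = set()   # flows learned by the Inspect action
        self.log: List[str] = []

    def process(self, pkt: Packet) -> str:
        # Return traffic of an inspected flow is allowed without needing a zone pair.
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.sessions:
            return "allow-return"
        for zp in self.zone_pairs:
            if pkt.src_vpn in zp.src_zone and pkt.dst_vpn in zp.dst_zone:
                for rule in zp.rules:               # rules apply in the order defined
                    if rule.matches(pkt):
                        if rule.log:
                            self.log.append(f"{pkt.protocol} {pkt.src_ip}:{pkt.src_port} "
                                            f"-> {pkt.dst_ip}:{pkt.dst_port} {rule.action}")
                        if rule.action == INSPECT:
                            self.sessions.add((pkt.protocol, pkt.src_ip, pkt.src_port,
                                               pkt.dst_ip, pkt.dst_port))
                        return rule.action
                return DROP      # non-matching flows are dropped by default
        return DROP              # no zone pair covers this direction


def demo() -> dict:
    """Service zone (VPN 1) to DMZ zone (VPN 2): HTTPS is inspected, HTTP is passed."""
    fw = ZoneBasedFirewall([
        ZonePair(frozenset({1}), frozenset({2}), [
            SequenceRule(INSPECT, protocol="tcp", dst_prefix="10.2.0.0/24", dst_port=443, log=True),
            SequenceRule(PASS, protocol="tcp", dst_prefix="10.2.0.0/24", dst_port=80),
        ])
    ])
    https = Packet(1, 2, "10.1.0.5", "10.2.0.10", "tcp", 40000, 443)
    http = Packet(1, 2, "10.1.0.5", "10.2.0.10", "tcp", 40001, 80)
    dns = Packet(1, 2, "10.1.0.5", "10.2.0.10", "udp", 40002, 53)
    return {
        "https": fw.process(https),
        "https_reply": fw.process(Packet(2, 1, "10.2.0.10", "10.1.0.5", "tcp", 443, 40000)),
        "http": fw.process(http),
        "http_reply": fw.process(Packet(2, 1, "10.2.0.10", "10.1.0.5", "tcp", 80, 40001)),
        "dns": fw.process(dns),
        "logged": len(fw.log),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

The HTTPS reply is allowed because Inspect recorded the outbound flow, while the HTTP reply is dropped because Pass left no state and no zone pair covers the reverse direction.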

To copy an existing firewall policy into the compliance security policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing Firewall popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. Depending on the security policy type you are configuring, one of the following screens displays:
  • Intrusion prevention policy
  • Umbrella DNS policy
  • URL-filtering policy

Step 3: Configure Intrusion Prevention and Detection

To create a new intrusion prevention and detection policy:

  1. In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
  2. Click Create New. The Add Intrusion Prevention Policy screen displays.
  3. In the Policy Name field, enter a name for the intrusion prevention policy. The name can be up to 32 characters and can contain only alphanumeric characters.
  4. In the Signature Set field, select the desired signature set:
  • Balanced (default)—Contains rules that are from the current year and the previous two years, are for vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 9 or greater, and are in one of the following categories:
    • Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • Exploit-kit—Rules that are designed to detect exploit kit activity.
    • Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
    • SQL Injection—Rules that are designed to detect SQL Injection attempts.
  • Connectivity—Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
  • Security—Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of the following categories:
    • App-detect—Rules that look for and control the traffic of certain applications that generate network activity.
    • Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
    • Exploit-kit—Rules that are designed to detect exploit kit activity.
    • Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
    • SQL Injection—Rules that are designed to detect SQL Injection attempts.
  5. In the Inspection Mode field, select the desired inspection mode:
  • Detection—In intrusion detection mode, traffic is accepted or blocked based on the rules defined by the signature set that you choose.
  • Protection—In intrusion prevention mode, malicious traffic is automatically blocked, based on the intrusion prevention policy rules.
  6. In the Advanced ► Signature Whitelist field, select the desired signature list.
  7. In the Advanced ► Alerts Log Level field, select the desired log level for alerts. The level can be Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug. The default is Error.
  8. Configure the VPNs to which to apply the intrusion prevention policy:
    1. In the Target field, click Add Target VPNs.
    2. Enter the VPN numbers to which to apply the intrusion prevention policy. To specify multiple VPNs, separate the numbers with commas.
    3. Click Save Changes.
  9. Click Save Intrusion Prevention Policy. The intrusion prevention policy is then listed in the policy table.
  10. Click Next. The Policy Summary screen displays.

To copy an existing intrusion prevention policy into the compliance security policy:

  1. In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing Intrusion Prevention Policy popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the intrusion prevention policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. The Policy Summary screen displays.

Step 4: Configure Additional Policy Settings

In the Policy Summary screen:

  1. In the Security Policy Name field, enter the name of the security policy. The name can be up to 32 characters and can contain only alphanumeric characters, hyphens (-), and underscores (_).
  2. In the Security Policy Description field, enter a description of the security policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  3. If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. To disallow this traffic, uncheck the Firewall ► Direct Internet Applications box.
  4. To limit the number of TCP SYN packets that the router accepts while establishing a TCP connection subject to a zone-based firewall, before the router shuts down the connection, move the Firewall ► TCP SYN Flood Limit slider to Enabled. Then enter a limit value from 1 through 2147483647 packets. The default limit is 2000 SYN packets.
  5. By default, system logging (syslog) is enabled for intrusion detection. To disable syslog messages, move the Intrusion Prevention and/or URL Filtering ► Syslog slider to Disabled.
  6. In the Intrusion Prevention and/or URL Filtering ► External Server field, configure an external syslog server. In the VPN field, specify the VPN through which the server can be reached. In the Server IP field, specify the IP address of the syslog server.
  7. In the Intrusion Prevention and/or URL Filtering ► Failure Mode field, configure how the router handles traffic when the URL database update from the cloud fails. When you configure category-based or reputation-based URL filtering, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. The default Failure Mode is Close, which drops all traffic destined for URL filtering when cloud connectivity is lost. To allow that traffic instead, select Open.
  8. To view the CLI commands that correspond to the compliance security policy configuration, click Preview.
  9. Click Save Policy. The policy is listed in the table on the Configuration ► Policy screen.

Step 5: Apply the Security Policy to an IOS XE Router

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
    2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
    3. From the Policy drop-down, select the name of a policy that you have configured.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Security Policy drop-down, select the name of the zone-based firewall you configured in the above procedure.
  6. Click Create (for a new template) or Update (for an existing template).

Configure Guest Access

A guest access security policy uses a URL filtering policy, which allows and disallows access to specific URLs and webpage categories. URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on whitelists, blacklists, categories, and reputations. For example, when a client sends an HTTP or HTTPS request, the router inspects the traffic. If the request matches the blacklist, it is either blocked with a block page response or redirected to a different URL. If the HTTP or HTTPS request matches the whitelist, the traffic is allowed without further URL filtering inspection.

To configure URL filtering, you use the Guest Access policy option of the security policy configuration wizard.

Step 1: Start the Security Policy Wizard

To start the security policy configuration wizard:

  1. In vManage NMS, select the Configure ► Security screen.
  2. Click Add Policy.
  3. From the Add Security Policy popup, select Guest Access Policy.
  4. Click Proceed.

The security policy configuration wizard opens, and the Firewall screen displays.

Step 2: Configure Application Firewall Policy

To create a new application firewall policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Create New. The Add Firewall Policy screen displays.
  3. In the Name field, enter a name for the firewall policy. The name can be up to 128 characters and can contain only alphanumeric characters.
  4. In the Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  5. Create a zone pair or apply an existing zone pair to the firewall policy:
    1. Click Apply Zone Pairs. The Apply Zone Pairs popup displays.
    2. In Source Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
    3. In Destination Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
  6. Create one or more security policy sequence rules to apply to the traffic that flows from the source zones to the destination zones:
    1. Click Add Sequence Rule.
    2. Click Match to add a match condition. You can match the following:
      - Application/Application Family List
      - Destination Data Prefix
      - Destination Port
      - Protocol
      - Source Data Prefix
      - Source Port
    3. Click Actions to define the actions to take when a match occurs. By default, the packet is dropped. You can take these other actions:
      - Inspect: Inspect the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.
      - Log: Log the packet headers.
      - Pass: Allow the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.
    4. Click Save Match and Actions.
    5. Add additional sequence rules as needed.
    6. Drag and drop the rules to arrange them in the desired sequence. Rules are applied to data packets in the order in which they are defined in the policy.
  7. Click Save Firewall Policy.
  8. Click Next.

To copy an existing firewall policy into the guest access security policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing Firewall popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. Depending on the security policy type you are configuring, one of the following screens displays:
  • Intrusion prevention policy
  • Umbrella DNS policy
  • URL-filtering policy

Step 3: Configure URL Filtering

To create a new URL-filtering policy:

  1. In the URL Filtering screen, click the Add URL Filtering Policy drop-down.
  2. Click Create New. The Add URL Filtering Policy screen displays.
  3. In the Policy Name field, enter a name for the URL filtering policy. The name can be up to 32 characters and can contain only alphanumeric characters.
  4. In the Web Categories field:
    1. In the Block drop-down, define the action to take if a URL matches a website category. Select Block (the default) to block access to the website category, or select Allow to allow access to the website category.
    2. In the Web Category field, select one or more webpage categories to block or accept. A category defines websites that contain a certain type of content.
      When you configure category-based or reputation-based URL filtering, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. To check a website's reputation, use the Webroot BrightCloud URL/IP Lookup tool.
  5. In the Web Reputation field, select the reputation level of the website to block or accept. Each URL has a reputation score associated with it. The score ranges from 0 through 100 and is labeled as follows:
  • High Risk—Reputation score 0 through 20
  • Suspicious—Reputation score 0 through 40
  • Moderate Risk—Reputation score 0 through 60. This is the default reputation setting.
  • Low Risk—Reputation score 0 through 80
  • Trustworthy—Reputation score 0 through 100
  6. In the Advanced ► Whitelist URL List field, select a URL list to include in the URL filtering policy. A URL whitelist allows the specified URLs and blocks URLs not included in the list. For each URL filtering policy, you can configure only one whitelist URL list. To create a new list of URLs to whitelist:
    1. Click in the Advanced ► Whitelist URL List field.
    2. Click Add New Whitelist URL List.
    3. In the Whitelist URL List Name field, enter a name for the whitelist.
    4. In the Add Whitelist URL field, enter one or more URLs to whitelist. You can specify the full URL, or you can use regular expressions, such as .*\.cisco\.com.
    5. To import a list of URLs into the whitelist, click the Upload arrow and then select the file to import.
    6. Click Save.
  7. In the Advanced ► Blacklist URL List field, select one or more URL blacklists to include in the URL filtering policy. A URL blacklist blocks the specified URLs and allows URLs not included in the list. For each URL filtering policy, you can configure only one blacklist URL list. To create a new list of URLs to blacklist:
    1. Click in the Advanced ► Blacklist URL List field.
    2. Click Add New Blacklist URL List.
    3. In the Blacklist URL List Name field, enter a name for the blacklist.
    4. In the Add Blacklist URL field, enter one or more URLs to blacklist. You can specify the full URL, or you can use regular expressions, such as .*\.cisco\.com.
    5. To import a list of URLs into the blacklist, click the Upload arrow and then select the file to import.
    6. Click Save.
  8. In the Advanced ► Block Page Server section, configure how to handle blocked HTTP URLs. For blocked HTTPS websites, no block page is displayed and no redirection is performed; the traffic is simply dropped.
    1. To block the webpage and not display its content, click Block Page Content. Then type the message to display to the user indicating why the webpage is not displayed. This is the default method for handling blocked URLs. In the Default Content Header field, type the title of the message, which is displayed in bold letters. The default header is "Access to the requested page has been denied." In the Content Body field, type the content of the blocked page message. The default message is "Please contact your network administrator".
    2. To redirect to another URL, click Redirect URL. Then enter the URL to which to redirect the user.
  9. In the Advanced ► Alerts and Logs section, configure when to send alerts and syslog messages:
    1. Click Blacklist to send alerts when a blacklisted URL is blocked.
    2. Click Whitelist to send alerts when a whitelisted URL is allowed.
    3. Click Reputation/Category to send alerts when a URL is blocked because of its category or reputation.
  10. Configure the VPNs to which to apply the URL filtering policy:
    1. In the Target field, click Add Target VPNs.
    2. Enter the VPN numbers to which to apply the URL filtering policy. To specify multiple VPNs, separate the numbers with commas.
    3. Click Save Changes.
  11. Click Save URL Filtering Policy. The URL filtering policy is then listed in the policy table.
  12. Click Next. The Policy Summary screen displays.

To copy an existing URL filtering policy into the guest access policy:

  1. In the URL Filtering screen, click the Add URL Filtering Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing URL Filtering Policy popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the URL filtering policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the URL Filtering table.
  4. Click Next. The Policy Summary screen displays.

Step 4: Configure Additional Policy Settings

In the Policy Summary screen:

  1. In the Security Policy Name field, enter the name of the security policy. The name can be up to 32 characters and can contain only alphanumeric characters, hyphens (-), and underscores (_).
  2. In the Security Policy Description field, enter a description of the security policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  3. If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. To disallow this traffic, uncheck the Firewall ► Direct Internet Applications box.
  4. To limit the number of TCP SYN packets that the router accepts while establishing a TCP connection subject to a zone-based firewall, before the router shuts down the connection, move the Firewall ► TCP SYN Flood Limit slider to Enabled. Then enter a limit value from 1 through 2147483647 packets. The default limit is 2000 SYN packets.
  5. By default, system logging (syslog) is enabled for intrusion detection. To disable syslog messages, move the Intrusion Prevention and/or URL Filtering ► Syslog slider to Disabled.
  6. In the Intrusion Prevention and/or URL Filtering ► External Server field, configure an external syslog server. In the VPN field, specify the VPN through which the server can be reached. In the Server IP field, specify the IP address of the syslog server.
  7. In the Intrusion Prevention and/or URL Filtering ► Failure Mode field, configure how the router handles traffic when the URL database update from the cloud fails. When you configure category-based or reputation-based URL filtering, as described above, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. The default Failure Mode is Close, which drops all traffic destined for URL filtering when cloud connectivity is lost. To allow that traffic instead, select Open.
  8. To view the CLI commands that correspond to the guest access security policy configuration, click Preview.
  9. Click Save Policy. The policy is listed in the table on the Configuration ► Policy screen.
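
The URL filtering decision order from Step 3 (whitelist, blacklist, category, reputation, HTTPS drop instead of block page) together with the Failure Mode setting from Step 4, as an added Python illustration (not Cisco code or vManage output). It assumes that list entries are regular expressions matched against the hostname and that selecting a reputation level blocks the scores in that level's range; the hostnames, categories and scores are constructed sample values.

```python
# Added illustration, not Cisco code: the URL filtering decision order described
# on this page. A whitelist match allows the request without further inspection,
# a blacklist match blocks it, otherwise the category and reputation checks need
# the cloud database, and the Failure Mode (Close = drop, Open = allow) decides
# what happens when that database is more than 24 hours stale.
# Assumptions: list entries are regular expressions matched against the hostname,
# and selecting a reputation level blocks scores in that level's range.
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Upper bound of each reputation range as labelled on the page (scores 0 to 100).
REPUTATION_RANGES: Dict[str, int] = {
    "high-risk": 20, "suspicious": 40, "moderate-risk": 60,
    "low-risk": 80, "trustworthy": 100,
}
DB_MAX_AGE = timedelta(hours=24)   # database is invalidated after 24 h without updates


class UrlFilteringPolicy:
    def __init__(self, whitelist: Iterable[str], blacklist: Iterable[str],
                 blocked_categories: Iterable[str], reputation: str = "moderate-risk",
                 failure_mode: str = "close", block_method: str = "block-page") -> None:
        self.whitelist = [re.compile(p) for p in whitelist]
        self.blacklist = [re.compile(p) for p in blacklist]
        self.blocked_categories = set(blocked_categories)
        self.block_score = REPUTATION_RANGES[reputation]
        self.failure_mode = failure_mode        # "close" (default) or "open"
        self.block_method = block_method        # "block-page" or "redirect"
        self.alerts: List[Tuple[str, str]] = []  # (reason, url), as in Alerts and Logs

    def evaluate(self, url: str, category: str, score: int,
                 db_updated: datetime, now: datetime) -> Tuple[str, str]:
        """Return (verdict, reason) for one HTTP or HTTPS request."""
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if any(p.fullmatch(host) for p in self.whitelist):
            self.alerts.append(("whitelist", url))
            return "allow", "whitelist"           # no further URL filtering inspection
        if any(p.fullmatch(host) for p in self.blacklist):
            self.alerts.append(("blacklist", url))
            return self._block(parsed.scheme), "blacklist"
        if now - db_updated > DB_MAX_AGE:
            # Category and reputation data are unavailable: Failure Mode applies.
            if self.failure_mode == "open":
                return "allow", "failure-mode-open"
            return "drop", "failure-mode-close"
        if category in self.blocked_categories:
            self.alerts.append(("category", url))
            return self._block(parsed.scheme), "category"
        if score <= self.block_score:
            self.alerts.append(("reputation", url))
            return self._block(parsed.scheme), "reputation"
        return "allow", "no-match"

    def _block(self, scheme: str) -> str:
        # A blocked HTTPS site gets no block page and no redirect; traffic is dropped.
        if scheme == "https":
            return "drop"
        return self.block_method


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed requests run through a policy that blocks scores 0 through 60."""
    policy = UrlFilteringPolicy(
        whitelist=[r".*\.cisco\.com"],           # regular expression form shown on the page
        blacklist=[r"bad\.example"],             # constructed sample entry
        blocked_categories={"gambling"},
        reputation="moderate-risk",              # the page's default level
        failure_mode="close",
    )
    open_policy = UrlFilteringPolicy([], [], {"gambling"}, failure_mode="open")
    fresh = datetime(2019, 1, 1, 12, 0)          # constructed database timestamp
    stale = fresh - timedelta(hours=25)
    now = fresh
    return {
        "whitelisted": policy.evaluate("https://www.cisco.com/", "gambling", 5, fresh, now),
        "blacklisted_http": policy.evaluate("http://bad.example/x", "news", 90, fresh, now),
        "blacklisted_https": policy.evaluate("https://bad.example/x", "news", 90, fresh, now),
        "category": policy.evaluate("http://casino.example/", "gambling", 90, fresh, now),
        "reputation": policy.evaluate("http://shady.example/", "news", 55, fresh, now),
        "clean": policy.evaluate("http://news.example/", "news", 85, fresh, now),
        "stale_close": policy.evaluate("http://news.example/", "news", 85, stale, now),
        "stale_open": open_policy.evaluate("http://news.example/", "news", 85, stale, now),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:18} {verdict:10} ({reason})")
```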

Step 5: Apply the Security Policy to an IOS XE Router

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
    2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
    3. From the Policy drop-down, select the name of a policy that you have configured.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Security Policy drop-down, select the name of the zone-based firewall you configured in the above procedure.
  6. Click Create (for a new template) or Update (for an existing template).

Configure Direct Cloud Access

A direct cloud access policy uses intrusion prevention and detection together with Umbrella DNS security to control access from the local device to the cloud.

Intrusion prevention policy protects against malicious attacks on data traffic by using signature sets and inspection mode. Intrusion detection passes all packets flowing between service-side and transport-side (WAN or internet) interfaces, and between VLANs, through an intrusion detection engine, generating alerts for traffic that is identified as malicious, and logging these alerts via syslog. Intrusion prevention blocks traffic that is identified as malicious.

DNS security policy directs traffic from your network to the cloud-based Cisco Umbrella secure internet gateway. Umbrella uses DNS to stop threats over all ports and protocols and over direct-to-IP connections.

To configure these mechanisms, you use the Direct Cloud Access option of the security policy configuration wizard.

Step 1: Start the Security Policy Wizard

To start the security policy configuration wizard:

  1. In vManage NMS, select the Configure ► Security screen.
  2. Click Add Policy.
  3. From the Add Security Policy popup, select Direct Cloud Access Policy.
  4. Click Proceed.

The security policy configuration wizard opens, and the Firewall screen displays.

Step 2: Configure Application Firewall Policy

To create a new application firewall policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Create New. The Add Firewall Policy screen displays.
  3. In the Name field, enter a name for the firewall policy. The name can be up to 128 characters and can contain only alphanumeric characters.
  4. In the Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  5. Create a zone pair or apply an existing zone pair to the firewall policy:
    1. Click Apply Zone Pairs. The Apply Zone Pairs popup displays.
    2. In Source Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
    3. In Destination Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
  6. Create one or more security policy sequence rules to apply to the traffic that flows from the source zones to the destination zones:
    1. Click Add Sequence Rule.
    2. Click Match to add a match condition. You can match the following:
      - Application/Application Family List
      - Destination Data Prefix
      - Destination Port
      - Protocol
      - Source Data Prefix
      - Source Port
    3. Click Actions to define the actions to take when a match occurs. By default, the packet is dropped. You can take these other actions:
      - Inspect: Inspect the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.
      - Log: Log the packet headers.
      - Pass: Allow the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.
    4. Click Save Match and Actions.
    5. Add additional sequence rules as needed.
    6. Drag and drop the rules to arrange them in the desired sequence. Rules are applied to data packets in the order in which they are defined in the policy.
  7. Click Save Firewall Policy.
  8. Click Next.

To copy an existing firewall policy into the security policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing Firewall popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. Depending on the security policy type you are configuring, one of the following screens displays:
     • Intrusion prevention policy
     • Umbrella DNS policy
     • URL-filtering policy

Step 3: Configure Intrusion Prevention and Detection

To create a new intrusion prevention and detection policy:

  1. In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
  2. Click Create New. The Add Intrusion Prevention Policy screen displays.
  3. In the Policy Name field, enter a name for the intrusion prevention policy. The name can be up to 32 characters and can contain only alphanumeric characters.
  4. In the Signature Set field, select the desired signature set:
     • Balanced (default)—Contains rules that are from the current year and the previous two years, are for vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 9 or greater, and are in one of the following categories:
       • Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
       • Exploit-kit—Rules that are designed to detect exploit kit activity.
       • Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
       • SQL Injection—Rules that are designed to detect SQL Injection attempts.
     • Connectivity—Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
     • Security—Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of the following categories:
       • App-detect—Rules that look for and control the traffic of certain applications that generate network activity.
       • Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
       • Exploit-kit—Rules that are designed to detect exploit kit activity.
       • Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
       • SQL Injection—Rules that are designed to detect SQL Injection attempts.
  5. In the Inspection Mode field, select the desired inspection mode:
     • Detection—In intrusion detection mode, traffic is accepted or blocked based on the rules defined by the signature set that you choose.
     • Protection—In intrusion prevention mode, malicious traffic is automatically blocked, based on the intrusion prevention policy rules.
  6. In the Advanced ► Signature Whitelist field, select the desired signature list.
  7. In the Advanced ► Alerts Log Level field, select the desired log level for alerts. The level can be Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug. The default is Error.
  8. Configure the VPNs to which to apply the intrusion prevention policy:
    1. In the Target field, click Add Target VPNs.
    2. Enter the VPN numbers to which to apply the intrusion prevention policy. To specify multiple VPNs, separate the numbers with commas.
    3. Click Save Changes.
  9. Click Save Intrusion Prevention Policy. The intrusion prevention policy is then listed in the policy table.
  10. Click Next. The Policy Summary screen displays.

To copy an existing intrusion prevention policy into the security policy:

  1. In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing Intrusion Prevention Policy popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the intrusion prevention policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. The Policy Summary screen displays.

Step 4: Configure Umbrella DNS

To create a new Umbrella DNS policy:

  1. In the Add Security Policy screen, click the Add DNS Security Policy drop-down.
  2. Click Create New. The Add DNS Security Policy screen displays.
  3. In the Policy Name field, enter a name for the DNS security policy. The name can be up to 32 characters and can contain only alphanumeric characters.
  4. In the Umbrella Registration Status field:
    1. Click Manage Umbrella Registration.
    2. In the Manage Umbrella Registration pop-up, enter your Umbrella registration token.
    3. Click Save Changes.
  5. By default, the DNS security policy applies to all VPNs, so the Match All VPN field is selected. To apply the DNS security policy to a custom set of VPNs:
    1. Select the Custom VPN Configuration field.
    2. In the Target field, click Add Target VPNs.
    3. Enter the VPN numbers to which to apply the DNS security policy. To specify multiple VPNs, separate the numbers with commas.
    4. Click Save Changes.
  6. In the Local Domain Bypass List field, select the domain list of website domains that are allowed to bypass DNS lookups. To create a domain list:
    1. Click in the Local Domain Bypass List field and then click Add New Domain List.
    2. In the Domain List Name field, enter a name for the domain list.
    3. In the Domain field, enter one or more web domains. Examples of website domains are cisco.com and *.cisco.com. Separate entries with a comma. The first item in the list cannot start with an asterisk (*).
    4. Click Save.
  7. In the DNS Server IP field, select the IP address of the DNS server. By default, traffic uses Umbrella as the DNS server. To use a different DNS server, select Custom DNS and enter the IP address of the DNS server.
  8. In the Advanced ► DNSCrypt field, configure the encryption of DNS traffic. By default, encryption is enabled. To disable DNS traffic encryption, move the slider to the left.
  9. Click Save DNS Security Policy. The DNS security policy is then listed in the policy table.
  10. Click Next. The Policy Summary screen displays.

To copy an existing DNS security policy into the security policy:

  1. In the Add Security Policy screen, click the Add DNS Security Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing DNS Security Policy popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. The Policy Summary screen displays.

Step 5: Configure Additional Policy Settings

In the Policy Summary screen:

  1. In the Security Policy Name field, enter the name of the security policy. The name can be up to 32 characters and can contain only alphanumeric characters, hyphens (-), and underscores (_).
  2. In the Security Policy Description field,
  3. In the Description field, enter a description of the security policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  4. If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. To disallow this traffic, uncheck the Firewall ► Direct Internet Applications box.
  5. To configure the number of TCP SYN packets that the router can receive while establishing a TCP connection to use for a zone-based firewall before the router shuts down the connection, move the Firewall ► TCP SYN Flood Limit slider to Enabled. Then enter a limit value from 1 through 2147483647 packets. The default limit is 2000 SYN packets.
  6. By default, system logging (syslog) is enabled for intrusion detection. To disable syslog messages, move the Intrusion Prevention and/or URL Filtering ► Syslog slider to Disabled.
  7. In the Intrusion Prevention and/or URL Filtering ► External Server field, configure an external syslog server. In the VPN field, specify the VPN through which the server can be reached. In the Server IP field, specify the IP address of the syslog server.
  8. In the Intrusion Prevention and/or URL Filtering ► Failure Mode field, configure how the router handles traffic when the URL database update from the cloud fails. When you configure category-based or reputation-based URL filtering, as described above, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. For the Failure Mode field, the default is Close, which drops all traffic destined for URL filtering when cloud connectivity is lost. To let traffic destined for URL filtering pass instead, select Open.
  9. To view the CLI commands that correspond to the security policy configuration, click Preview.
  10. Click Save Policy. The policy is listed in the table on the Configuration ► Policy screen.

Step 6: Apply the Security Policy to an IOS XE Router

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
    2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
    3. From the Policy drop-down, select the name of a policy that you have configured.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Security Policy drop-down, select the name of the zone-based firewall you configured in the above procedure.
  6. Click Create (for a new template) or Update (for an existing template).

Configure Direct Internet Access

A direct internet access policy uses intrusion prevention and detection, URL filtering, and Umbrella DNS security to control access from the local device to the internet.

Intrusion prevention policy protects against malicious attacks on data traffic by using signature sets and inspection mode. Intrusion detection passes all packets flowing between service-side and transport-side (WAN or internet) interfaces, and between VLANs, through an intrusion detection engine, generating alerts for traffic that is identified as malicious, and logging these alerts via syslog. Intrusion prevention blocks traffic that is identified as malicious.

URL filtering policy allows and disallows access to specific URLs and webpage categories. URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on whitelists, blacklists, categories, and reputations. For example, when a client sends an HTTP or HTTPS request, the router inspects the traffic. If the request matches the blacklist, it is either blocked with a block page response or redirected to a different URL. If the HTTP or HTTPS request matches the whitelist, the traffic is allowed without further URL filtering inspection.

DNS security policy directs traffic from your network to the cloud-based Cisco Umbrella secure internet gateway. Umbrella uses DNS to stop threats over all ports and protocols and over direct-to-IP connections.

To configure this, you use the Direct Cloud Access option of the security policy configuration wizard.

Step 1: Start the Security Policy Wizard

To start the security policy configuration wizard:

  1. In vManage NMS, select the Configure ► Security screen.
  2. Click Add Policy.
  3. From the Add Security Policy popup, select Guest Access Policy.
  4. Click Proceed.

The security policy configuration wizard opens, and the Firewall screen displays.

Step 2: Configure Application Firewall Policy

To create a new application firewall policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Create New. The Add Firewall Policy screen displays.
  3. In the Name field, enter a name for the firewall policy. The name can be up to 128 characters and can contain only alphanumeric characters.
  4. In the Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  5. Create a zone pair or apply an existing zone pair to the firewall policy:
    1. Click Apply Zone Pairs. The Apply Zone Pairs popup displays.
    2. In Source Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
    3. In Destination Zone, select an existing zone. Or to create a new zone, click Create New Zone List. Then enter a name for the list and the VPNs in the zone, and click Save.
  6. Create one or more security policy sequence rules to apply to the traffic that flows from the source zones to the destination zones:
    1. Click Add Sequence Rule.
    2. Click Match to add a match condition. You can match the following:
      - Application/Application Family List
      - Destination Data Prefix
      - Destination Port
      - Protocol
      - Source Data Prefix
      - Source Port
    3. Click Actions to define the actions to take when a match occurs. By default, the packet is dropped. You can take these other actions:
      - Inspect: Inspect the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.
      - Log: Log the packet headers.
      - Pass: Allow the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.
    4. Click Save Match and Actions.
    5. Add additional sequence rules as needed.
    6. Drag and drop the rules to arrange them in the desired sequence. Rules are applied to data packets in the order in which they are defined in the policy.
  7. Click Save Firewall Policy.
  8. Click Next.
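The sequence-rule evaluation described in Step 2 (here and in the guest access procedure above), as an added example that is not Cisco's code: rules are tried in order, the first match decides, a flow that matches nothing is dropped, and the difference between Inspect and Pass shows up on the return traffic. The rule set, addresses and the single-object treatment of the reverse direction are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One flow crossing the zone pair (constructed sample data)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # 0 for icmp
    dport: int


@dataclass
class SequenceRule:
    """One sequence rule: every set match field must match; unset fields are wildcards."""
    action: str                       # "inspect", "pass" or "drop"
    proto: Optional[str] = None
    src_prefix: Optional[str] = None  # source data prefix, e.g. "10.1.0.0/16"
    dst_prefix: Optional[str] = None  # destination data prefix
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False                 # the Log action: record the packet headers

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.src_prefix and ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src_prefix):
            return False
        if self.dst_prefix and ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


class ZonePairFirewall:
    """Evaluates flows from the source zone to the destination zone; first match wins."""

    def __init__(self, rules: List[SequenceRule]):
        self.rules = list(rules)
        self.sessions = set()      # 5-tuples recorded by "inspect"
        self.log: List[str] = []   # headers logged by rules with log=True

    def evaluate(self, f: Flow) -> str:
        # Simplification (assumption): the reverse direction is checked in this same
        # object, so the effect of "inspect" (return traffic allowed) versus "pass"
        # (return traffic blocked) is visible without modelling the reverse zone pair.
        if (f.dst, f.src, f.proto, f.dport, f.sport) in self.sessions:
            return "inspect-return"
        for seq, rule in enumerate(self.rules, start=1):
            if rule.matches(f):
                if rule.log:
                    self.log.append(f"seq {seq} {rule.action} {f.proto} "
                                    f"{f.src}:{f.sport} -> {f.dst}:{f.dport}")
                if rule.action == "inspect":
                    self.sessions.add((f.src, f.dst, f.proto, f.sport, f.dport))
                return rule.action
        return "drop"   # nonmatching flows are dropped by default


def demo_policy() -> ZonePairFirewall:
    """Constructed sample policy: the narrow drop precedes the broad inspect, so order matters."""
    return ZonePairFirewall([
        SequenceRule("drop", proto="tcp", dst_prefix="203.0.113.0/24", dport=23, log=True),
        SequenceRule("inspect", proto="tcp", src_prefix="10.1.0.0/16", dport=443),
        SequenceRule("pass", proto="udp", dst_prefix="198.51.100.53/32", dport=53),
    ])


if __name__ == "__main__":
    fw = demo_policy()
    print(fw.evaluate(Flow("10.1.0.5", "203.0.113.10", "tcp", 40000, 443)))  # inspect
    print(fw.evaluate(Flow("203.0.113.10", "10.1.0.5", "tcp", 443, 40000)))  # inspect-return
    print(fw.evaluate(Flow("10.1.0.5", "198.51.100.53", "udp", 5353, 53)))   # pass
    print(fw.evaluate(Flow("198.51.100.53", "10.1.0.5", "udp", 53, 5353)))   # drop
```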

To copy an existing firewall policy into the security policy:

  1. In the Firewall screen, click the Add Firewall Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing Firewall popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the firewall policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. Depending on the security policy type you are configuring, one of the following screens displays:
     • Intrusion prevention policy
     • Umbrella DNS policy
     • URL-filtering policy

Step 3: Configure Intrusion Prevention and Detection

To create a new intrusion prevention and detection policy:

  1. In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
  2. Click Create New. The Add Intrusion Prevention Policy screen displays.
  3. In the Policy Name field, enter a name for the intrusion prevention policy. The name can be up to 32 characters and can contain only alphanumeric characters.
  4. In the Signature Set field, select the desired signature set:
     • Balanced (default)—Contains rules that are from the current year and the previous two years, are for vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 9 or greater, and are in one of the following categories:
       • Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
       • Exploit-kit—Rules that are designed to detect exploit kit activity.
       • Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
       • SQL Injection—Rules that are designed to detect SQL Injection attempts.
     • Connectivity—Contains rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10.
     • Security—Contains rules that are from the current year and the previous three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of the following categories:
       • App-detect—Rules that look for and control the traffic of certain applications that generate network activity.
       • Blacklist—Rules for URIs, user agents, DNS hostnames, and IP addresses that have been determined to be indicators of malicious activity.
       • Exploit-kit—Rules that are designed to detect exploit kit activity.
       • Malware-CNC—Rules for known malicious command and control activity for identified botnet traffic. These include call home, downloading of dropped files, and ex-filtration of data.
       • SQL Injection—Rules that are designed to detect SQL Injection attempts.
  5. In the Inspection Mode field, select the desired inspection mode:
     • Detection—In intrusion detection mode, traffic is accepted or blocked based on the rules defined by the signature set that you choose.
     • Protection—In intrusion prevention mode, malicious traffic is automatically blocked, based on the intrusion prevention policy rules.
  6. In the Advanced ► Signature Whitelist field, select the desired signature list.
  7. In the Advanced ► Alerts Log Level field, select the desired log level for alerts. The level can be Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug. The default is Error.
  8. Configure the VPNs to which to apply the intrusion prevention policy:
    1. In the Target field, click Add Target VPNs.
    2. Enter the VPN numbers to which to apply the intrusion prevention policy. To specify multiple VPNs, separate the numbers with commas.
    3. Click Save Changes.
  9. Click Save Intrusion Prevention Policy. The intrusion prevention policy is then listed in the policy table.
  10. Click Next. The Policy Summary screen displays.

To copy an existing intrusion prevention policy into the security policy:

  1. In the Intrusion Prevention screen, click the Add Intrusion Prevention Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing Intrusion Prevention Policy popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the intrusion prevention policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. The Policy Summary screen displays.
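What the Balanced, Connectivity and Security signature sets described in Step 3 (here and in the guest access procedure) actually select, as an added example that is not Cisco's code: each set is a filter on rule age, CVSS score and category, and Connectivity is not a subset of Balanced. The rule records, SIDs and category labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class SignatureRule:
    """One IPS rule record (constructed sample data, not a real signature)."""
    sid: int
    year: int        # year the rule (its vulnerability) was published
    cvss: float
    category: str


CORE_CATEGORIES: FrozenSet[str] = frozenset(
    {"blacklist", "exploit-kit", "malware-cnc", "sql-injection"})

# name -> (number of previous years included, minimum CVSS, allowed categories or None for any),
# as described on the page for each signature set
SIGNATURE_SETS = {
    "balanced":     (2, 9.0, CORE_CATEGORIES),
    "connectivity": (2, 10.0, None),
    "security":     (3, 8.0, CORE_CATEGORIES | {"app-detect"}),
}


def select_rules(rules: List[SignatureRule], signature_set: str, current_year: int) -> List[int]:
    """Return the sorted SIDs that the given signature set would enable."""
    years_back, min_cvss, categories = SIGNATURE_SETS[signature_set]
    oldest_year = current_year - years_back       # current year plus the previous N years
    chosen = []
    for r in rules:
        if r.year < oldest_year:
            continue
        if r.cvss < min_cvss:
            continue
        if categories is not None and r.category not in categories:
            continue
        chosen.append(r.sid)
    return sorted(chosen)


# Constructed sample rule set
SAMPLE_RULES = [
    SignatureRule(1, 2019, 9.5, "exploit-kit"),
    SignatureRule(2, 2017, 10.0, "malware-cnc"),
    SignatureRule(3, 2016, 10.0, "sql-injection"),   # too old for Balanced/Connectivity
    SignatureRule(4, 2019, 8.5, "app-detect"),       # only Security includes app-detect
    SignatureRule(5, 2019, 10.0, "policy-other"),    # CVSS 10 but not a listed category
    SignatureRule(6, 2018, 9.0, "blacklist"),
]

if __name__ == "__main__":
    for name in SIGNATURE_SETS:
        print(name, select_rules(SAMPLE_RULES, name, 2019))
```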

Step 4: Configure URL Filtering

To create a new URL-filtering policy:

  1. In the URL Filtering screen, click the Add URL Filtering Policy drop-down.
  2. Click Create New. The Add URL Filtering Policy screen displays.
  3. In the Policy Name field, enter a name for the URL filtering policy. The name can be up to 32 characters and can contain only alphanumeric characters.
  4. In the Web Categories field:
    1. In the Block drop-down, define the action to take if a URL matches a website category. Select Block (the default) to block access to the website category, or select Allow to allow access to the website category.
    2. In the Web Category field, select one or more webpage categories to block or accept. A category defines websites that contain a certain type of content.
      When you configure category-based or reputation-based URL filtering, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. To check a website's reputation, use the Webroot BrightCloud URL/IP Lookup tool.
  5. In the Web Reputation field, select the reputation level of the website to block or accept. Each URL has a reputation score associated with it. The score ranges from 0 through 100 and is labeled as follows:
     • High Risk—Reputation score 0 through 20
     • Suspicious—Reputation score 0 through 40
     • Moderate Risk—Reputation score 0 through 60. This is the default reputation setting.
     • Low Risk—Reputation score 0 through 80.
     • Trustworthy—Reputation score 0 through 100.
  6. In the Advanced ► Whitelist URL List field, select a URL list to include in the URL filtering policy. A URL whitelist allows the specified URLs and blocks URLs not included in the list. For each URL filtering policy, you can configure only one whitelist URL list. To create a new list of URLs to whitelist:
    1. Click in the Advanced ► Whitelist URL List field.
    2. Click Add New Whitelist URL List.
    3. In the Whitelist URL List Name field, enter a name for the whitelist.
    4. In the Add Whitelist URL field, enter one or more URLs to whitelist. You can specify the full URL, or you can use regular expressions, such as .*\.cisco\.com.
    5. To import a list of URLs into the whitelist, click the Upload arrow and then select the file to import.
    6. Click Save.
  7. In the Advanced ► Blacklist URL List field, select one or more URL blacklists to include in the URL filtering policy. A URL blacklist blocks the specified URLs and allows URLs not included in the list. For each URL filtering policy, you can configure only one blacklist URL list. To create a new list of URLs to blacklist:
    1. Click in the Advanced ► Blacklist URL List field.
    2. Click Add New Blacklist URL List.
    3. In the Blacklist URL List Name field, enter a name for the blacklist.
    4. In the Add Blacklist URL field, enter one or more URLs to blacklist. You can specify the full URL, or you can use regular expressions, such as .*\.cisco\.com.
    5. To import a list of URLs into the blacklist, click the Upload arrow and then select the file to import.
    6. Click Save.
  8. In the Advanced ► Block Page Server section, configure how to handle blocked HTTP URLs. For blocked HTTPS websites, no blocking or redirection is performed. Instead, all traffic is dropped.
    1. To block and not display the content of a webpage, click Block Page Content. Then, type the message to display to the user indicating why the webpage is not displayed. This is the default method for handling blocked URLs. In the Default Content Header field, type the title of the message, which is displayed in bold letters. The default header is, "Access to the requested page has been denied." In the Content Body field, type the content of the blocked page message. The default message is, "Please contact your network administrator".
    2. To redirect to another URL, click Redirect URL. Then, enter the URL to which to redirect the user.
  9. In the Advanced ► Alerts and Logs section, configure when to send alerts and syslog messages:
    1. Click Blacklist to send alerts when a blacklisted URL is blocked.
    2. Click Whitelist to send alerts when a whitelisted URL is allowed.
    3. Click Reputation/Category to send alerts when a URL is blocked because of its category or reputation.
  10. Configure the VPNs to which to apply the URL filtering policy:
    1. In the Target field, click Add Target VPNs.
    2. Enter the VPN numbers to which to apply the URL filtering policy. To specify multiple VPNs, separate the numbers with commas.
    3. Click Save Changes.
  11. Click Save URL Filtering Policy. The URL filtering policy is then listed in the policy table.
  12. Click Next. The Policy Summary screen displays.

To copy an existing URL filtering policy into the guest access policy:

  1. In the URL Filtering screen, click the Add URL Filtering Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing URL Filtering Policy popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. In the Policy Description field, enter a description of the URL filtering policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
    4. Click Copy. The copied policy is listed in the URL Filtering table.
  4. Click Next. The Policy Summary screen displays.
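The URL filtering decision that Step 4 and the overview above describe, as an added example that is not Cisco's code: whitelist first (allowed without further inspection), then blacklist, then category and reputation against the cloud database, with blocked HTTP answered by a block page or redirect, blocked HTTPS dropped, and the 24-hour database invalidation honoured through the Failure Mode setting. The evaluation order, the use of re.search for the list regexes, the behaviour of Open (skip only the cloud-based checks) and the sample database are my assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Reputation levels as listed on the page: selecting a level blocks every score
# from 0 up to that level's upper bound (Moderate Risk is the default).
REPUTATION_UPPER_BOUND = {
    "high-risk": 20,
    "suspicious": 40,
    "moderate-risk": 60,
    "low-risk": 80,
    "trustworthy": 100,
}
DB_MAX_AGE = timedelta(hours=24)   # database is invalidated after 24 h without cloud updates


@dataclass
class UrlFilterPolicy:
    whitelist: List[str] = field(default_factory=list)   # regexes, e.g. r".*\.cisco\.com"
    blacklist: List[str] = field(default_factory=list)
    blocked_categories: Set[str] = field(default_factory=set)
    reputation_level: str = "moderate-risk"
    failure_mode: str = "close"          # "close" (default) or "open"
    redirect_url: Optional[str] = None   # None -> Block Page Content

    def _block(self, scheme: str) -> str:
        # Blocked HTTPS gets no block page or redirect; the traffic is dropped
        if scheme == "https":
            return "drop"
        return f"redirect:{self.redirect_url}" if self.redirect_url else "block-page"

    def decide(self, url: str, db: Optional[Dict[str, Tuple[str, int]]],
               db_updated: datetime, now: datetime) -> str:
        """Return allow, block-page, redirect:<url> or drop for one request."""
        parsed = urlparse(url)
        db_valid = db is not None and now - db_updated <= DB_MAX_AGE
        if not db_valid and self.failure_mode == "close":
            return "drop"                       # Close: all URL-filtered traffic dropped
        if any(re.search(p, url) for p in self.whitelist):
            return "allow"                      # whitelist: no further inspection
        if any(re.search(p, url) for p in self.blacklist):
            return self._block(parsed.scheme)
        if not db_valid:
            return "allow"                      # Open (assumption): skip cloud-based checks
        # db maps hostname -> (category, reputation score); unknown hosts get a clean score
        category, score = db.get(parsed.hostname or "", ("uncategorized", 100))
        if category in self.blocked_categories:
            return self._block(parsed.scheme)
        if score <= REPUTATION_UPPER_BOUND[self.reputation_level]:
            return self._block(parsed.scheme)
        return "allow"


# Constructed sample database: hostname -> (category, reputation score)
SAMPLE_DB = {
    "casino.example.org": ("gambling", 90),
    "shady.example.org": ("news", 55),
    "news.example.org": ("news", 85),
}

if __name__ == "__main__":
    policy = UrlFilterPolicy(whitelist=[r".*\.example\.com"],
                             blacklist=[r".*\.bad-example\.net"],
                             blocked_categories={"gambling"})
    now = datetime(2020, 1, 1, 12, 0)
    fresh = now - timedelta(minutes=15)
    for url in ("https://www.example.com/docs", "http://evil.bad-example.net/x",
                "http://casino.example.org/", "http://shady.example.org/",
                "http://news.example.org/"):
        print(url, "->", policy.decide(url, SAMPLE_DB, fresh, now))
```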

Step 5: Configure Umbrella DNS

To create a new Umbrella DNS policy:

  1. In the Add Security Policy screen, click the Add DNS Security Policy drop-down.
  2. Click Create New. The Add DNS Security Policy screen displays.
  3. In the Policy Name field, enter a name for the DNS security policy. The name can be up to 32 characters and can contain only alphanumeric characters.
  4. In the Umbrella Registration Status field:
    1. Click Manage Umbrella Registration.
    2. In the Manage Umbrella Registration pop-up, enter your Umbrella registration token.
    3. Click Save Changes.
  5. By default, the DNS security policy applies to all VPNs, so the Match All VPN field is selected. To apply the DNS security policy to a custom set of VPNs:
    1. Select the Custom VPN Configuration field.
    2. In the Target field, click Add Target VPNs.
    3. Enter the VPN numbers to which to apply the DNS security policy. To specify multiple VPNs, separate the numbers with commas.
    4. Click Save Changes.
  6. In the Local Domain Bypass List field, select the domain list of website domains that are allowed to bypass DNS lookups. To create a domain list:
    1. Click in the Local Domain Bypass List field and then click Add New Domain List.
    2. In the Domain List Name field, enter a name for the domain list.
    3. In the Domain field, enter one or more web domains. Examples of website domains are cisco.com and *.cisco.com. Separate entries with a comma. The first item in the list cannot start with an asterisk (*).
    4. Click Save.
  7. In the DNS Server IP field, select the IP address of the DNS server. By default, traffic uses Umbrella as the DNS server. To use a different DNS server, select Custom DNS and enter the IP address of the DNS server.
  8. In the Advanced ► DNSCrypt field, configure the encryption of DNS traffic. By default, encryption is enabled. To disable DNS traffic encryption, move the slider to the left.
  9. Click Save DNS Security Policy. The DNS security policy is then listed in the policy table.
  10. Click Next. The Policy Summary screen displays.

To copy an existing DNS security policy into the security policy:

  1. In the Add Security Policy screen, click the Add DNS Security Policy drop-down.
  2. Select Copy from Existing.
  3. In the Copy from Existing DNS Security Policy popup:
    1. In the Policy field, select a policy.
    2. In the Policy Name field, select a policy name.
    3. Click Copy. The copied policy is listed in the Security Policy Firewall table.
  4. Click Next. The Policy Summary screen displays.

Step 6: Configure Additional Policy Settings

In the Policy Summary screen:

  1. In the Security Policy Name field, enter the name of the security policy. The name can be up to 32 characters and can contain only alphanumeric characters, hyphens (-), and underscores (_).
  2. In the Security Policy Description field,
  3. In the Description field, enter a description of the security policy. The description can be up to 2048 characters and can contain only alphanumeric characters.
  4. If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. To disallow this traffic, uncheck the Firewall ► Direct Internet Applications box.
  5. To configure the number of TCP SYN packets that the router can receive while establishing a TCP connection to use for a zone-based firewall before the router shuts down the connection, move the Firewall ► TCP SYN Flood Limit slider to Enabled. Then enter a limit value from 1 through 2147483647 packets. The default limit is 2000 SYN packets.
  6. By default, system logging (syslog) is enabled for intrusion detection. To disable syslog messages, move the Intrusion Prevention and/or URL Filtering ► Syslog slider to Disabled.
  7. In the Intrusion Prevention and/or URL Filtering ► External Server field, configure an external syslog server. In the VPN field, specify the VPN through which the server can be reached. In the Server IP field, specify the IP address of the syslog server.
  8. In the Intrusion Prevention and/or URL Filtering ► Failure Mode field, configure how the router handles traffic when the URL database update from the cloud fails. When you configure category-based or reputation-based URL filtering, as described above, a URL database is downloaded from the cloud. Incremental updates are automatically downloaded every 15 minutes. If connectivity to the cloud is lost for more than 24 hours, the database is invalidated. For the Failure Mode field, the default is Close, which drops all traffic destined for URL filtering when cloud connectivity is lost. To let traffic destined for URL filtering pass instead, select Open.
  9. To view the CLI commands that correspond to the security policy configuration, click Preview.
  10. Click Save Policy. The policy is listed in the table on the Configuration ► Policy screen.

Step 7: Apply the Security Policy to an IOS XE Router

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
    2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
    3. From the Policy drop-down, select the name of a policy that you have configured.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Security Policy drop-down, select the name of the zone-based firewall you configured in the above procedure.
  6. Click Create (for a new template) or Update (for an existing template).

Configure a Custom UTD Security Policy

You can create a custom UTD security policy consisting of any of the standard UTD policy components.

To start the security policy configuration wizard:

  1. In vManage NMS, select the Configure ► Security screen.
  2. Click Add Policy.
  3. From the Add Security Policy popup, select the Custom option.
  4. Click Proceed.

The security policy configuration wizard opens, and the Firewall screen displays. Configure the desired security policy components.

 
