Note: This tutorial is adapted from the SCAZT course on Cisco U. If you find this helpful, consider taking the full course.
With business applications moving to the cloud and the increased use of direct internet access, branch locations require a wide range of security services. Protecting branch offices with the appropriate security capabilities is critical in today’s shifting IT landscape. Cisco Catalyst SD-WAN (formerly Cisco SD-WAN) brings the necessary security capabilities natively across the Catalyst SD-WAN solution with the well-established single pane of glass management for both the Catalyst SD-WAN and security services.
Catalyst SD-WAN offers these integrated security services:
Application-aware enterprise firewall
Intrusion detection and prevention based on the Snort processing engine and backed by Cisco Talos signature updates
Cisco URL filtering with Webroot BrightCloud and URL categorization and reputation
Domain Name System (DNS) and web-layer security with Cisco Umbrella
Cisco Secure Endpoint (formerly Cisco Advanced Malware Protection [AMP]) with Secure Malware Analytics (formerly Threat Grid) and Malware Analytics Cloud
Transport Layer Security (TLS) decryption with TLS proxy
In addition to the integrated security services, Catalyst SD-WAN supports Cisco Umbrella integration for cloud-delivered enterprise network security, thanks to the Cisco Umbrella Secure Internet Gateway (SIG).
The intrusion detection and prevention in Catalyst SD-WAN is based on a well-proven Snort engine and backed by Cisco Talos signatures. Talos signatures update automatically.
The Snort engine runs in either detection (IDS) or prevention (IPS) mode, depending on the configured policy.
The intrusion prevention system (IPS) engine performs these tasks:
It monitors the network traffic and performs analysis based on a defined IPS signature set.
It performs attack classification.
It performs actions based on the matched policy rules.
When you enable Snort in the intrusion detection system (IDS) mode, it monitors the traffic and generates alerts. It does not take any action to prevent attacks. In IPS mode, in addition to the detection, the Snort engine enforces actions to prevent attacks.
The IDS or IPS system will analyze the traffic and report events to Cisco Catalyst SD-WAN Manager (formerly Cisco vManage) or an external log server. You can use external third-party monitoring tools supporting Snort logs for log collection and analysis.
The IPS engine is deployed as a security virtual image, and only Cisco IOS XE SD-WAN devices support the feature. The Snort engine runs in a Linux container (LXC) that uses control-plane resources. Through virtual port group (VPG) interfaces, the IPS engine redirects the traffic that you want to inspect into the container.
There are two types of VPG interfaces:
Management VPG: Used for logging and downloading signature updates from Cisco.com
Traffic VPG: Used for data traffic between the data plane and the Snort virtual container
From Cisco Catalyst SD-WAN release 17.5 or 20.5 onward, you can enable multiple instances of the Snort engine, which reduces latency and improves inspection throughput.
Note: The lab environment is not available for this tutorial. However, the configuration steps are provided for your reference. Feel free to follow along with the provided outputs.
In this tutorial, you will design and deploy an interzone firewall policy for Direct Internet Access (DIA). You will create a classic security policy through the Custom workflow. Internal traffic must not be inspected by the firewall; only HTTP and HTTPS internet traffic is inspected. The firewall must also allow any DNS traffic and block all other internet-bound traffic from leaving branch sites. Based on company policy, social networking websites—including Facebook and Instagram—should be blocked at all branch sites.
Note: Although Cisco vManage is now called Cisco Catalyst SD-WAN Manager, the screenshots shown in this tutorial still display the previous name.
From the jump host, access SD-WAN Manager and start the wizard to add a classic security policy by using the Custom policy workflow.
Create a new firewall policy within your new security policy. Provide a name and description for the new firewall policy (example: Lab1_Task2_Branch_DIA_FW_v1).
Create a new firewall rule by using rule sets. Rule sets are used to group similar rules with the same action to optimize the firewall policy.
Create two rules within the rule set, and add the rule set to your firewall rule. The first rule in the rule set should include HTTP and HTTPS, and the second rule should include DNS traffic.
You have created a new rule set with multiple match conditions. Keep in mind that the rule set uses a common action for all the match conditions that are configured within the rule set.
Choose the newly created rule set to add it to the firewall rule, and click the Save button.
You have now configured the match conditions for the firewall rule by using a rule set and have set the Action field to Inspect.
The requirements also stated that social networking should be blocked at branch offices. Create an application list to filter the applications that you wish to block.
The firewall rule contains a rule set and an application list under its match conditions, and it is configured for stateful packet inspection.
Now that the firewall rule is created, you must apply it through a zone pair. Create two VPN-based zones, INSIDE (VPN 100) and OUTSIDE (VPN 0), and define a zone pair that applies the rule to traffic flowing from the INSIDE zone to the OUTSIDE zone.
Verify the zone pair and rule configuration. You will notice that the INSIDE zone is configured as the source, and the OUTSIDE zone is configured as the destination. Under the rules section, you will notice a single rule containing the rule set that you created. Although the rule set has multiple entries, it is treated as a single rule within the firewall policy.
Do not add any other policies to the security policy. Provide a name for the security policy, enable the firewall policy, and save the security policy.
You have now created a classic security policy with an application-aware firewall.
The next step is to attach the newly created security policy to a device template and deploy the policy to the Catalyst SD-WAN Edge devices.
Attach the created security policy to the device templates for branch sites. There are multiple device templates for branch sites, based on specific site requirements. You must attach the new security policy to all branch device templates. Analyze the configuration changes to the device before deploying.
In SD-WAN Manager, navigate to Configuration > Templates.
Additions to the configuration are colored green, and removals are colored red. Review the class maps and policy maps that SD-WAN Manager generated from the firewall policy you created.
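To make the generated class maps and policy maps easier to read, here is a hand-written Cisco IOS XE zone-based firewall configuration that expresses the same intent as the tutorial's policy. This is an added illustration, not the page's own output and not the exact configuration SD-WAN Manager generates: the class-map, policy-map, zone-pair and interface names are assumptions, and the social-networking class uses NBAR protocol names as a stand-in for the Social_Networking application list.

```text
! Hand-written illustration of the zone-based firewall constructs behind the
! tutorial's policy. Names (cm_*, pm_*, zone-pair, interfaces) are assumptions;
! SD-WAN Manager's generated configuration uses its own naming.

! Zones: INSIDE = service VPN 100, OUTSIDE = transport VPN 0
zone security INSIDE
zone security OUTSIDE

! Applications that company policy blocks (mirrors the Social_Networking list)
class-map type inspect match-any cm_social_networking
 match protocol facebook
 match protocol instagram

! Rule set: HTTP, HTTPS and DNS share the single action Inspect
class-map type inspect match-any cm_branch_dia_allowed
 match protocol http
 match protocol https
 match protocol dns

! Policy: blocked applications are evaluated first, then the allowed set is
! inspected statefully, and class-default drops everything else (for example FTP)
policy-map type inspect pm_branch_dia_fw
 class type inspect cm_social_networking
  drop log
 class type inspect cm_branch_dia_allowed
  inspect
 class class-default
  drop log

! Zone pair: only INSIDE -> OUTSIDE is inspected. Traffic that stays within the
! INSIDE zone has no zone pair and is therefore not inspected.
zone-pair security INSIDE_to_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect pm_branch_dia_fw

! Interface zone membership (interface names assumed)
interface GigabitEthernet0/0/0
 description Transport, VPN 0
 zone-member security OUTSIDE
interface GigabitEthernet0/0/1
 description LAN, VPN 100
 zone-member security INSIDE
```

Two points are worth checking against the diff shown in SD-WAN Manager: the order of classes in the policy map (the block class must precede the inspect class, otherwise an inspected HTTPS session to a blocked site is already permitted), and the absence of any OUTSIDE-to-INSIDE zone pair, which is what leaves unsolicited inbound traffic dropped while return traffic for inspected sessions is allowed by the stateful session table.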
Click the Configure Devices button to deploy the configuration.
Note: Cisco Catalyst SD-WAN Manager can run multiple jobs in parallel. You do not have to wait for this deployment to complete. You can proceed to update the remaining branch device templates and attach the security policy while this deployment is in progress.
Verify that the firewall policy is functioning as expected. You can try accessing the internet from a branch PC. Verify that social networking sites in your application list are blocked. Also verify that only DNS, HTTP, and HTTPS traffic is allowed. Other traffic, such as FTP, is blocked.
From SD-WAN Manager, verify that the firewall enforcement inspection and drop statistics show both inspected and dropped connections within the last hour.
Access Windows PC1 (Win-PC1) from the lab portal.
Open a web browser and browse a couple of social network sites, such as Facebook or Instagram. Access to Facebook and Instagram should be blocked.
Try another website, something not in the Social_Networking application list (example: www.ietf.org). Accessing any other website that is not on the blocked applications list should be allowed.
It is important to note that it takes 10 to 15 minutes for the statistics monitoring pane to be populated after creating and deploying the policy.
This completes the interzone firewall policy deployment for securing DIA with the application-aware enterprise firewall.
You’ve completed this tutorial, advancing in your CCNP journey. To continue building your networking skills, check out our additional tutorials, courses, and learning paths.