CISCO SD-WAN Catalyst Security Configuration User Guide
- June 15, 2024
- Cisco
Table of Contents
- Security Virtual Image
- Install and Configure IPS/IDS, URL-F, or AMP Security Policies
- Identify the Recommended Security Virtual Image Version
- Upload the Cisco Security Virtual Image to Cisco SD-WAN Manager
- Upgrade a Security Virtual Image
Security Virtual Image
To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.
Cisco SD-WAN Manager uses a Security Virtual Image to enable security features
such as Intrusion Prevention System (IPS), Intrusion Detection System (IDS),
URL Filtering (URL-F), and Advanced Malware Protection (AMP) on Cisco IOS XE
Catalyst SD-WAN Devices. These features enable application hosting, real-time
traffic analysis, and packet logging on IP networks. Once the image file is
uploaded to the Cisco SD-WAN Manager Software Repository, you can create
policy, profile, and device templates that will push the policies and updates
to the correct devices automatically.
Before you use these features, you must first install and configure IPS/IDS,
URL-F, or AMP security policies, and then upload the relevant Security Virtual
Image to Cisco SD-WAN Manager. After upgrading the software on the device,
you must also upgrade the Security Virtual Image.
This chapter describes how to perform these tasks.
- Install and Configure IPS/IDS, URL-F, or AMP Security Policies
- Identify the Recommended Security Virtual Image Version
- Upload the Cisco Security Virtual Image to Cisco SD-WAN Manager
- Upgrade a Security Virtual Image
Install and Configure IPS/IDS, URL-F, or AMP Security Policies
Installing and configuring IPS/IDS, URL-F, or AMP security policies requires
the following workflow:
Task 1: Create a Security Policy Template for IPS/IDS, URL-F, or AMP Filtering
Task 2: Create a Feature Template for Security App Hosting
Task 3: Create a Device Template
Task 4: Attach Devices to the Device Template
Create a Security Policy Template
- From the Cisco SD-WAN Manager menu, choose Configuration > Security.
- Click Add Security Policy.
- In the Add Security Policy window, select your security scenario from the list of options.
- Click Proceed.
Create a Feature Template for Security App Hosting
The feature profile template configures two functions:
- NAT: Enables or disables Network Address Translation (NAT), which hides internal IP addresses from networks outside the firewall.
- Resource Profile: Allocates default or high resources to different subnets or devices.
A feature profile template, while not strictly required, is recommended.
To create a feature profile template, follow these steps:
- From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
- Click Feature Templates and then click Add Template.
  In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
- From the Select Devices list, choose the devices that you want to associate with the template.
- Under Basic Information, click Security App Hosting.
- Enter Template Name and Description.
- Under Security Policy Parameters, customize the security policy parameters if required.
  • Enable or disable the Network Address Translation (NAT) feature, based on your use case. By default, NAT is on.
  • Click the drop-down arrow to set the scope of the NAT setting. The default is Default.
    Global: Enables NAT for all devices attached to the template.
    Device Specific: Enables NAT only for specified devices. If you select Device Specific, enter the name of a device key.
    Default: Enables the default NAT policy for devices attached to the template.
  • Set Resource Profile. This option sets the number of Snort instances to run on a router. The default is Low, which indicates one Snort instance; Medium indicates two instances and High indicates three instances.
  • Click the drop-down arrow to set the scope of the resource profile. The default is Global.
    Global: Enables the selected resource profile for all devices attached to the template.
    Device Specific: Enables the profile only for specified devices. If you select Device Specific, enter the name of a device key.
    Default: Enables the default resource profile for devices attached to the template.
- Set Download URL Database on Device to Yes if you want to download the URL-F database to the device. The device then looks up URLs in the local database before trying the cloud lookup.
- Click Save.
Create a Device Template
To activate the policies you want to apply, you can create a device template
that will push the policies to the devices that need them. The available
options vary with the device type. For example, Cisco SD-WAN Manager devices
require a more limited subset of the larger device template. You will see
only valid options for that device model.
To create a security device template, follow this example for vEdge 2000 model
routers:
- From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
- Click Device Templates, and then choose Create Template > From Feature Template.
  In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
- From the Device Model drop-down list, choose the device model.
- From the Device Role drop-down list, choose the device role.
- Enter Template Name and Description.
- Scroll down the page to the configuration submenus that let you select an existing template, create a new template, or view the existing template. For example, to create a new System template, click Create Template.
Attach Devices to the Device Template
- From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
- Click Device Templates, and then choose Create Template > From Feature Template.
  In Cisco vManage Release 20.7.1 and earlier releases, Device Templates is called Device.
- In the row of the desired device template, click … and choose Attach Devices.
- In the Attach Devices window, select the desired devices from the Available Devices list, and click the right-pointing arrow to move them to the Selected Devices list.
- Click Attach.
Identify the Recommended Security Virtual Image Version
At times, you may want to check the recommended Security Virtual Image (SVI)
release number for a given device. To check this using Cisco SD-WAN Manager:
Step 1
From the Cisco SD-WAN Manager menu, choose Monitor > Devices.
Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu,
choose Monitor > Network.
Step 2
Choose WAN – Edge.
Step 3
Choose the device that will run the SVI.
The System Status page displays.
Step 4
Scroll to the end of the device menu, and click Real Time.
The System Information page displays.
Step 5
Click the Device Options field, and choose Security App Version Status from
the menu.
Step 6
The image name is displayed in the Recommended Version column. It should match
the available SVI for your router from the Cisco downloads website.
Upload the Cisco Security Virtual Image to Cisco SD-WAN Manager
Each router image supports a specific range of versions for a hosted
application. For IPS/IDS and URL-Filtering, you can find the range of
supported versions (and the recommended version) for a device on its Device
Options page.
When a security policy is removed from Cisco IOS XE Catalyst SD-WAN devices,
the Virtual Image or Snort engine is also removed from the devices.
Step 1 From the Software Download page for your router, locate the image UTD
Engine for IOS XE SD-WAN.
Step 2 Click download to download the image file.
Step 3 From the Cisco SD-WAN Manager menu, choose Maintenance > Software
Repository.
Step 4 Choose Virtual Images.
Step 5 Click Upload Virtual Image, and choose either vManage or Remote Server
– vManage. The Upload Virtual Image to vManage window opens.
Step 6 Drag and drop, or browse to the image file.
Step 7 Click Upload. When the upload completes, a confirmation message
displays. The new virtual image displays in the Virtual Images Software
Repository.
Upgrade a Security Virtual Image
When a Cisco IOS XE Catalyst SD-WAN device is upgraded to a new software
image, the security virtual image must also be upgraded so that they match. If
there is a mismatch in the software images, a VPN template push to the device
will fail.
If the IPS Signature Update option is enabled, the matching IPS signature
package is automatically updated as a part of the upgrade. You can enable the
setting from Administration > Settings > IPS Signature Update.
To upgrade the application hosting virtual image for a device, follow these
steps:
Step 1 Follow the steps in Upload the Cisco Security Virtual Image to Cisco
SD-WAN Manager to download the recommended version of the SVI for your router.
Note the version name.
Step 2 From the Cisco SD-WAN Manager menu, choose Maintenance > Software
Repository > Virtual Images to verify that the image version listed under the
Recommended Version column matches a virtual image listed in the Virtual
Images table.
Step 3 From the Cisco SD-WAN Manager menu, choose Maintenance > Software
Upgrade. The WAN Edge Software upgrade page displays.
Step 4 Choose the devices you want to upgrade by checking the check boxes in
the leftmost column. When you have chosen one or more devices, a row of
options displays, along with the number of rows you chose.
Step 5 When you are satisfied with your choices, choose Upgrade Virtual Image
from the options menu. The Virtual Image Upgrade dialog box displays.
Step 6 For each device you have chosen, choose the correct upgrade version
from the Upgrade to Version drop-down menu.
Step 7 When you have chosen an upgrade version for each device, click Upgrade.
When the update completes, a confirmation message displays.
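Steps 1 and 2 above amount to a consistency check: every device you intend to put into the Virtual Image Upgrade dialog must have its Recommended Version present in the Virtual Images table, otherwise the device is left with a mismatched image and later template pushes fail as described at the top of this section. The script below is an added example, not Cisco code and not an SD-WAN Manager API call: it performs that check over hand-constructed data whose shape imitates the Security App Version Status rows and the repository listing (the hostnames and version strings are placeholders, not real releases), and tells the operator which devices are already current, which can be upgraded and to what, and which need an image uploaded first.

```python
"""Pre-upgrade consistency check for Security Virtual Images (added example).

Nothing here talks to Cisco SD-WAN Manager; the two inputs are constructed to
look like what the Security App Version Status page and the Virtual Images
table display, so the logic can be run and checked offline.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class DeviceStatus:
    """One device as reported on Security App Version Status (constructed shape)."""
    hostname: str
    installed_version: Optional[str]   # None when no SVI is active on the device
    recommended_version: str           # the Recommended Version column


# Constructed sample repository listing: version names of uploaded virtual images.
REPOSITORY_IMAGES: Set[str] = {
    "1.0.6_SV3.1.67.0_XE17.12",
    "1.0.5_SV3.1.67.0_XE17.9",
}

# Constructed sample devices: one current, one upgradable, one whose recommended
# image has not been uploaded yet.
DEVICES: List[DeviceStatus] = [
    DeviceStatus("edge-site1", "1.0.5_SV3.1.67.0_XE17.9", "1.0.6_SV3.1.67.0_XE17.12"),
    DeviceStatus("edge-site2", "1.0.6_SV3.1.67.0_XE17.12", "1.0.6_SV3.1.67.0_XE17.12"),
    DeviceStatus("edge-site3", None, "1.0.7_SV3.1.67.0_XE17.13"),
]


def classify(device: DeviceStatus, repository: Set[str]) -> str:
    """Return 'current', 'upgrade' or 'missing-image' for one device.

    'current'       installed image already equals the recommended one
    'upgrade'       recommended image is in the repository and can be selected
    'missing-image' recommended image must be uploaded before the upgrade job
    """
    if device.installed_version == device.recommended_version:
        return "current"
    if device.recommended_version in repository:
        return "upgrade"
    return "missing-image"


def plan_upgrade(devices: Iterable[DeviceStatus], repository: Set[str]) -> Dict[str, object]:
    """Group devices by the action the operator needs to take.

    'current' is a sorted list of hostnames; 'upgrade' and 'missing-image' map
    hostname -> version, because the Virtual Image Upgrade dialog asks for an
    Upgrade to Version choice per device.
    """
    plan: Dict[str, object] = {"current": [], "upgrade": {}, "missing-image": {}}
    for d in devices:
        kind = classify(d, repository)
        if kind == "current":
            plan["current"].append(d.hostname)
        else:
            plan[kind][d.hostname] = d.recommended_version
    plan["current"].sort()
    return plan


def safe_to_submit(plan: Dict[str, object]) -> bool:
    """True only when no chosen device still lacks its recommended image."""
    return not plan["missing-image"]


if __name__ == "__main__":
    p = plan_upgrade(DEVICES, REPOSITORY_IMAGES)
    for host in p["current"]:
        print(f"{host}: already on recommended version, skip")
    for host, ver in p["upgrade"].items():
        print(f"{host}: choose {ver} in the Upgrade to Version drop-down")
    for host, ver in p["missing-image"].items():
        print(f"{host}: upload {ver} under Maintenance > Software Repository > Virtual Images first")
    print("ready to submit" if safe_to_submit(p) else "do not submit: images missing")
```

Run as-is, the third constructed device blocks submission; once its image has been uploaded (or it is dropped from the selection) `safe_to_submit` returns true and the per-device version choices for the dialog are listed under `upgrade`.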