Object Management

This chapter describes how to manage reusable objects.

Introduction to Objects

For increased flexibility and web interface ease-of-use, the system uses named objects, which are reusable configurations that associate a name with a value. When you want to use that value, use the named object instead. The system supports object use in various places in the web interface, including many policies and rules, event searches, reports, dashboards, and so on. The system provides many predefined objects that represent frequently used configurations.

Use the object manager to create and manage objects. Many configurations that use objects also allow you to create objects on the fly, as needed. You can also use the object manager to:

After you edit an object used in an active policy, you must redeploy the changed configuration for your changes to take effect. You cannot delete an object that is in use by an active policy.


Note


An object is configured on a managed device if, and only if, the object is used in a policy that is assigned to that device. If you remove an object from all policies assigned to a given device, the object is also removed from the device configuration on the next deployment, and subsequent changes to the object are not reflected in the device configuration.


Object Types

The following table lists the objects you can create in the system, and indicates whether each object type can be grouped or configured to allow overrides.

Object Type                                                       Groupable?   Allows Overrides?
Network                                                           yes          yes
Port                                                              yes          yes
Interface: Security Zone, Interface Group                         no           no
Tunnel Zone                                                       no           no
Application Filter                                                no           no
VLAN Tag                                                          yes          yes
External Attribute: Security Group Tag (SGT) and Dynamic Object   no           no
URL                                                               yes          yes
Geolocation                                                       no           no
Time Range                                                        no           no
Variable Set                                                      no           no
Security Intelligence: Network, DNS, and URL lists and feeds      no           no
Sinkhole                                                          no           no
File List                                                         no           no
Cipher Suite List                                                 no           no
Distinguished Name                                                yes          no
Public Key Infrastructure (PKI): Internal and Trusted CA,         yes          no
  Internal and External Certs
Key Chain                                                         no           yes
DNS Server Group                                                  no           no
SLA Monitor                                                       no           no
Prefix List: IPv4 and IPv6                                        no           yes
Route Map                                                         no           yes
Access List: Standard and Extended                                no           yes
AS Path                                                           no           yes
Community List                                                    no           yes
Policy List                                                       no           yes
FlexConfig: Text and FlexConfig objects                           no           yes

Objects and Multitenancy

In a multidomain deployment, you can create objects in Global and descendant domains with the exception of Security Group Tag (SGT) objects, which you can create only in the Global domain. The system displays objects created in the current domain, which you can edit. It also displays objects created in ancestor domains, which you cannot edit, with the exception of security zones and interface groups.


Note


Because security zones and interface groups are tied to device interfaces, which you configure at the leaf level, administrators in descendant domains can view and edit zones and groups created in ancestor domains. Subdomain users can add and delete interfaces from ancestor zones and groups, but cannot delete or rename the zones/groups.


Object names must be unique within the domain hierarchy. The system may identify a conflict with the name of an object you cannot view in your current domain.

For objects that support grouping, you can group objects in the current domain with objects inherited from ancestor domains.

Object overrides allow you to define device-specific or domain-specific values for certain types of object, including network, port, VLAN tag, and URL. In a multidomain deployment, you can define a default value for an object in an ancestor domain, but allow administrators in descendant domains to add override values for that object.

The Object Manager

You can use the object manager to create and manage objects and object groups.

The object manager displays 20 objects or groups per page. If you have more than 20 of any type of object or group, use the navigation links at the bottom of the page to view additional pages. You can also go to a specific page or click Refresh (refresh icon) to refresh your view.

By default, the page lists objects and groups alphabetically by name. You can filter the objects on the page by name or value.

Importing Objects

Objects can be imported from a comma-separated values file. Up to 1000 objects can be imported in one attempt. The contents of the file must follow a specific format, which differs for each object type, and only a few object types can be imported. The following table lists the supported object types and the corresponding rules.

Distinguished Name individual object

  • The column headers must be in capital letters.

  • The file must have the following column headers:

    • NAME

    • DN

  • Both NAME and DN column entries are mandatory to import an entry.

  • You can import individual objects directly into an existing distinguished name object group.

Network object

  • The column headers must be in capital letters.

  • The file must have the following column headers:

    • NAME

    • DESCRIPTION

    • TYPE

    • VALUE

    • LOOKUP

  • The NAME and VALUE column entries are mandatory to import an entry of host, range, or network object type.

  • For an FQDN object, the TYPE column entry must be 'fqdn', and the LOOKUP column entry must be 'ipv4', 'ipv6', or 'ipv4_ipv6'.

  • If the LOOKUP column entry is empty for an FQDN object, the object is saved with the LOOKUP value ipv4_ipv6.

Port

  • The column headers must be in capital letters.

  • The file must have the following column headers:

    • NAME

    • PROTOCOL

    • PORT

    • ICMPCODE

    • ICMPTYPE

  • The NAME column entry is mandatory.

  • For 'tcp' and 'udp' protocol types, the PORT column entry is mandatory.

  • For 'icmp' and 'icmp6' protocol types, the ICMPCODE and ICMPTYPE column entries are mandatory.

URL

  • The column headers must be in capital letters.

  • The file must have the following column headers:

    • NAME

    • DESCRIPTION

    • URL

  • The NAME and URL column entries are mandatory to import an entry.

VLAN Tag

  • The column headers must be in capital letters.

  • The file must have the following column headers:

    • NAME

    • DESCRIPTION

    • TAG

  • The NAME and TAG column entries are mandatory to import an entry.

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose one of the following object types from the left pane:

  • Distinguished Name > Individual Objects

  • Network Object

  • Port

  • URL

  • VLAN Tag

Step 3

Choose Import Object from the Add [Object Type] drop-down list.

Note

 

If you have selected Individual Objects in the previous step, click Import.

Step 4

Click Browse.

Step 5

Locate and select the comma-separated file on your system.

Step 6

Click Open.

Note

 

While importing Distinguished Name objects, you can optionally check the Add imported Distinguished Name objects to the below object group check box and select the group name from the drop-down box to import the objects directly to an existing distinguished name object group.

Step 7

Click Import.
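The column rules above as a pre-import check, written as an added example (not management center code): it validates a CSV for one object type, reports the rows that would be rejected, and applies the ipv4_ipv6 default. The sample CSV contents are constructed; requiring VALUE for FQDN rows is an assumption noted in the code.

```python
"""Pre-check an object-import CSV against the column rules listed above.

Added example, not management center code. The rules come from the page:
upper-case headers, required columns per object type, an empty FQDN LOOKUP
saved as ipv4_ipv6, tcp/udp needing PORT, icmp/icmp6 needing ICMPCODE and
ICMPTYPE, and the 1000-object limit per import.
"""
import csv
import io

MAX_OBJECTS = 1000

# Required (upper-case) column headers for each importable object type.
REQUIRED_HEADERS = {
    "dn": ["NAME", "DN"],
    "network": ["NAME", "DESCRIPTION", "TYPE", "VALUE", "LOOKUP"],
    "port": ["NAME", "PROTOCOL", "PORT", "ICMPCODE", "ICMPTYPE"],
    "url": ["NAME", "DESCRIPTION", "URL"],
    "vlan": ["NAME", "DESCRIPTION", "TAG"],
}
FQDN_LOOKUPS = ("ipv4", "ipv6", "ipv4_ipv6")


def _cell(row, key):
    """Stripped cell value; DictReader yields None for cells missing from short rows."""
    return (row.get(key) or "").strip()


def _row_errors(kind, row, lineno):
    """Apply the per-type mandatory-column rules to one CSV row."""
    errs = []
    if not _cell(row, "NAME"):
        errs.append(f"line {lineno}: NAME is mandatory")
    if kind == "dn" and not _cell(row, "DN"):
        errs.append(f"line {lineno}: DN is mandatory")
    elif kind == "network":
        if _cell(row, "TYPE").lower() == "fqdn":
            lookup = _cell(row, "LOOKUP").lower()
            if not lookup:
                row["LOOKUP"] = "ipv4_ipv6"  # empty LOOKUP is saved as ipv4_ipv6
            elif lookup not in FQDN_LOOKUPS:
                errs.append(f"line {lineno}: LOOKUP must be one of {FQDN_LOOKUPS}")
        # VALUE is mandatory for host, range and network objects; requiring it
        # for FQDN rows too (the FQDN itself in VALUE) is an assumption here.
        if not _cell(row, "VALUE"):
            errs.append(f"line {lineno}: VALUE is mandatory")
    elif kind == "port":
        proto = _cell(row, "PROTOCOL").lower()
        if proto in ("tcp", "udp") and not _cell(row, "PORT"):
            errs.append(f"line {lineno}: PORT is mandatory for {proto}")
        if proto in ("icmp", "icmp6") and not (
            _cell(row, "ICMPCODE") and _cell(row, "ICMPTYPE")
        ):
            errs.append(f"line {lineno}: ICMPCODE and ICMPTYPE are mandatory for {proto}")
    elif kind == "url" and not _cell(row, "URL"):
        errs.append(f"line {lineno}: URL is mandatory")
    elif kind == "vlan" and not _cell(row, "TAG"):
        errs.append(f"line {lineno}: TAG is mandatory")
    return errs


def validate_import(kind, csv_text):
    """Return (importable_rows, errors) for a CSV of the given object type."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    required = REQUIRED_HEADERS[kind]
    errors = []
    # Headers are matched case-sensitively: 'name' does not satisfy 'NAME'.
    wrong_case = [h for h in headers if h != h.upper() and h.upper() in required]
    if wrong_case:
        errors.append(f"column headers must be upper case: {wrong_case}")
    missing = [h for h in required if h not in headers]
    if missing:
        errors.append(f"missing column headers: {missing}")
    if errors:
        return [], errors
    rows = []
    for lineno, row in enumerate(reader, start=2):
        row_errs = _row_errors(kind, row, lineno)
        errors.extend(row_errs)
        if not row_errs:
            rows.append(row)
    if len(rows) > MAX_OBJECTS:
        errors.append(f"{len(rows)} objects exceed the {MAX_OBJECTS}-object limit per import")
    return rows, errors


# Constructed sample files (not from the page).
NETWORK_CSV = """NAME,DESCRIPTION,TYPE,VALUE,LOOKUP
web-server,,host,10.1.1.10,
corp-net,internal,network,10.1.0.0/16,
idp,identity provider,fqdn,sso.example.com,
"""
PORT_CSV = """NAME,PROTOCOL,PORT,ICMPCODE,ICMPTYPE
https,tcp,443,,
ping,icmp,,0,8
broken-udp,udp,,,
"""
```

Run `validate_import("port", PORT_CSV)` to see the udp row rejected while the icmp row, which carries ICMPCODE and ICMPTYPE instead of PORT, passes.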


Editing Objects

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose an object type from the list; see Introduction to Objects.

Step 3

Click Edit (edit icon) next to the object you want to edit.

If View (View button) appears instead, the object belongs to an ancestor domain and has been configured not to allow overrides, or you do not have permission to modify the object.

Step 4

Modify the object settings as desired.

Step 5

If you are editing a variable set, manage the variables in the set; see Managing Variables.

Step 6

For objects that can be configured to allow overrides:

  • If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides. You can change this setting only for objects that belong to the current domain.
  • If you want to add override values to this object, expand the Override section and click Add; see Adding Object Overrides.

Step 7

Click Save.

Step 8

If you are editing a variable set, and that set is in use by an access control policy, click Yes to confirm that you want to save your changes.


What to do next

Viewing Objects and Their Usage

You can view usage details of objects on the Object Management page. Management Center provides this functionality for many object types. However, some object types are not supported.

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose one of the following supported object types:

  • Access List > Extended

  • Access List > Standard

  • AS Path

  • Community List

  • Interface

  • Network

  • Policy List

  • Port

  • Prefix List > IPv4 Prefix List

  • Prefix List > IPv6 Prefix List

  • Route Map

  • SLA Monitor

  • URL

  • VLAN Tag

Step 3

Click the Find Usage (find usage icon) icon next to the object.

The Object Usage window lists all the policies, objects, and other settings in which the object is used. Click any listed item for details of that usage. For policies and some other settings where the object is used, you can click the corresponding links to go to the respective UI pages.


Filtering Objects or Object Groups

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Enter your filter criteria in the Filter field.

The page updates as you type to display matching items.

You can use the following wildcards:

  • The asterisk (*) matches zero or more occurrences of a character.

  • The caret (^) matches content at the beginning of a string.

  • The dollar sign ($) matches content at the end of a string.

Step 3

Check the Show Unused Object check box to view objects and object groups that are not used anywhere in the system.

Note

 
  • If an object is part of an unused object group, the object is considered used. The unused object group itself is displayed when the Show Unused Object check box is checked.

  • The Show Unused Object check box is available only for network, port, URL and VLAN tag object types.


Object Groups

Grouping objects allows you to reference multiple objects with a single configuration. The system allows you to use objects and object groups interchangeably in the web interface. For example, anywhere you would use a port object, you can also use a port object group.

You can group network, port, VLAN tag, URL, and PKI objects. Network object groups can be nested, that is, you can add a network object group to another network object group up to 10 levels.

Objects and object groups of the same type cannot have the same name.

When you edit an object group used in a policy (for example, a network object group used in an access control policy), you must re-deploy the changed configuration for your changes to take effect.

Deleting a group does not delete the objects in the group, just their association with each other. Additionally, you cannot delete a group that is in use in an active policy. For example, you cannot delete a VLAN tag group that you are using in a VLAN condition in a saved access control policy.

Grouping Reusable Objects

Procedure

Step 1

Choose Objects > Object Management.

Step 2

If the object type you want to group is Network, Port, URL, or VLAN Tag:

  1. Choose the object type from the list of object types.

  2. Choose Add Group from the Add [Object Type] drop-down list.

Step 3

If the object type you want to group is Distinguished Name:

  1. Expand the Distinguished Name node.

  2. Choose Object Groups.

  3. Click Add Distinguished Name Group.

Step 4

If the object type you want to group is PKI:

  1. Expand the PKI node.

  2. Choose one of the following:

    • Internal CA Groups

    • Trusted CA Groups

    • Internal Cert Groups

    • External Cert Groups

  3. Click Add [Object Type] Group.

Step 5

Enter a unique Name.

Step 6

Choose one or more objects from the list, and click Add.

You can also:

  • Use the filter field Search (search icon) to search for existing objects to include, which updates as you type to display matching items. Click Reload (reload icon) above the search field or click Clear (clear icon) in the search field to clear the search string.

  • Click Add (add icon) to create objects on the fly if no existing objects meet your needs.

Step 7

Optionally for Network, Port, URL, and VLAN Tag groups:

  • Enter a Description.
  • Check the Allow Overrides check box to allow overrides for this object group; see Allowing Object Overrides.

Step 8

Click Save.


What to do next

Object Overrides

An object override allows you to define an alternate value for an object, which the system uses for the devices you specify.

You can create an object whose definition works for most devices, and then use overrides to specify modifications to the object for the few devices that need different definitions. You can also create an object that must be overridden for every device; its use still lets you create a single policy for all devices. Object overrides allow you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices.

For example, you might want to deny ICMP traffic to the different departments in your company, each of which is connected to a different network. You can do this by defining an access control policy with a rule that includes a network object called Departmental Network. By allowing overrides for this object, you can then create overrides on each relevant device that specify the actual network to which that device is connected.

You can target an object override to a specific domain. In this case, the system uses the object override value for all devices in the targeted domain unless you override it at the device level.

From the object manager, you can choose an object that can be overridden and define a list of device-level or domain-level overrides for that object.

You can use object overrides with the following object types only:

  • Network

  • Port

  • VLAN tag

  • URL

  • SLA Monitor

  • Prefix List

  • Route Map

  • Access List

  • AS Path

  • Community List

  • Policy List

  • Cert Enrollment (PKI)

  • Key Chain

If you can override an object, the Override column appears for the object type in the object manager. Possible values for this column include:

  • Green checkmark — indicates that you can create overrides for the object and no overrides have been added yet

  • Red X — indicates that you cannot create overrides for the object

  • Number — represents a count of the overrides that have been added to that object (for example, "2" indicates two overrides have been added)
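Override resolution as an added example (not management center code) for the Departmental Network scenario above: a device-level override beats a domain-level one, which beats the object's default, and a second override for the same target replaces the first. The device and domain names are constructed, and the rule that the nearest ancestor domain's override wins between nested domain overrides is an assumption of this example.

```python
"""Resolve the value a device receives for an overridable object.

Added example, not management center code. It follows the page: an object
has a default value; overrides target devices or domains; a device-level
override beats a domain-level one; a new override for a target replaces the
existing one. Precedence between nested domain overrides (nearest ancestor
wins) is an assumption of this example.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    domain: str  # full domain path, e.g. "Global/Sales/West" (constructed)

    def domain_chain(self):
        """Domains from the device's own domain up to Global."""
        parts = self.domain.split("/")
        return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


@dataclass
class OverridableObject:
    name: str
    default: str
    allow_overrides: bool = False
    overrides: dict = field(default_factory=dict)  # target (device or domain) -> value

    def add_override(self, target, value):
        if not self.allow_overrides:
            raise ValueError(f"{self.name}: Allow Overrides is not checked")
        self.overrides[target] = value  # a new override for a target replaces the old one

    def override_column(self):
        """What the object manager's Override column would show for this object."""
        if not self.allow_overrides:
            return "red X"
        return "green checkmark" if not self.overrides else str(len(self.overrides))

    def resolve(self, device):
        """Return (value deployed to this device, target that supplied it)."""
        if device.name in self.overrides:  # device-level override wins
            return self.overrides[device.name], device.name
        for dom in device.domain_chain():  # then nearest domain override (assumption)
            if dom in self.overrides:
                return self.overrides[dom], dom
        return self.default, None  # otherwise the object's default value


# Constructed scenario based on the Departmental Network example above.
DEPT_NET = OverridableObject("Departmental Network", "10.0.0.0/8", allow_overrides=True)
DEPT_NET.add_override("Global/Sales", "10.10.0.0/16")
DEPT_NET.add_override("fw-sales-2", "10.10.20.0/24")

DEVICES = [
    Device("fw-hq", "Global"),
    Device("fw-sales-1", "Global/Sales"),
    Device("fw-sales-2", "Global/Sales"),
    Device("fw-west", "Global/Sales/West"),
]

if __name__ == "__main__":
    print("Override column:", DEPT_NET.override_column())
    for dev in DEVICES:
        print(dev.name, DEPT_NET.resolve(dev))
```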

Managing Object Overrides

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Choose from the list of object types; see Introduction to Objects.

Step 3

Click Edit (edit icon) next to the object you want to edit.

If View (View button) appears instead, the object belongs to an ancestor domain and has been configured not to allow overrides, or you do not have permission to modify the object.

Step 4

Manage the object overrides:


Allowing Object Overrides

Procedure

Step 1

In the object editor, check the Allow Overrides check box.

Step 2

Click Save.


What to do next

Add object override values; see Adding Object Overrides.

Adding Object Overrides

Before you begin

Allow object overrides; see Allowing Object Overrides.

Procedure

Step 1

In the object editor, expand the Override section.

Step 2

Click Add.

Step 3

On the Targets tab, choose domains or devices in the Available Devices and Domains list and click Add.

Step 4

On the Override tab, enter a Name.

Step 5

Optionally, enter a Description.

Step 6

Enter an override value.

Example:

For a network object, enter a network value.

Step 7

Click Add.

Step 8

Click Save.


What to do next

Editing Object Overrides

You can modify the description and the value of an existing override, but you cannot modify the existing target list. Instead, you must add a new override with new targets, which replaces the existing override.

Procedure

Step 1

In the object editor, expand the Override section.

Step 2

Click Edit (edit icon) next to the override you want to modify.

Step 3

Optionally, modify the Description.

Step 4

Modify the override value.

Step 5

Click Save to save the override.

Step 6

Click Save to save the object.


What to do next

AAA Server

Add reusable AAA server objects.

Add a RADIUS Server Group

RADIUS Server Group objects contain one or more references to RADIUS servers. These servers are used to authenticate users logging in through Remote Access VPN connections.

You can use this object with threat defense devices.

Before you begin


Note


You cannot override RADIUS Server Group Objects.


Procedure


Step 1

Select Objects > Object Management > AAA Server > RADIUS Server Group.

All currently configured RADIUS Server Group objects will be listed. Use the filter to narrow down the list.

Step 2

Choose and edit a listed RADIUS Server Group object, or add a new one.

See RADIUS Server Options and RADIUS Server Group Options to configure this object.

Step 3

Click Save.


RADIUS Server Group Options

Navigation Path

Objects > Object Management > AAA Server > RADIUS Server Group. Choose and edit a configured RADIUS Server Group object or add a new one.

Fields
  • Name and Description—Enter a name and optionally, a description to identify this RADIUS Server Group object.

  • Group Accounting Mode—The method for sending accounting messages to the RADIUS servers in the group. Choose Single (the default) to send accounting messages to a single server in the group, or Multiple to send accounting messages to all servers in the group simultaneously.

  • Retry Interval—The interval between attempts to contact the RADIUS servers. Values range from 1 to 10 seconds.

  • Realms (Optional)—Specify or select the Active Directory (AD) realm with which this RADIUS server group is associated. This realm is then selected in identity policies to access the associated RADIUS server group when determining the VPN authentication identity source for a traffic flow. The realm effectively provides a bridge from the identity policy to this RADIUS server group. If no realm is associated with this RADIUS server group, the group cannot be reached to determine the VPN authentication identity source for a traffic flow in an identity policy.


    Note


    This field is mandatory if you use remote access VPN with User Identity and RADIUS as the identity source.


  • Enable authorize only—If this RADIUS server group is not used for authentication, but only for authorization or accounting, check this box to enable authorize-only mode for the RADIUS server group.

    Authorize-only mode eliminates the need to include the RADIUS server password in the Access-Request. The password configured for the individual RADIUS servers is therefore ignored.

  • Enable interim account update and Interval—Enables the generation of RADIUS interim-accounting-update messages in order to inform the RADIUS server of newly assigned IP addresses. Set the length, in hours, of the interval between periodic accounting updates in the Interval field. The valid range is 1 to 120 and the default value is 24.

  • Enable Dynamic Authorization and Port—Enables the RADIUS dynamic authorization or change of authorization (CoA) services for this RADIUS server group. Specify the listening port for RADIUS CoA requests in the Port field. The valid range is 1024 to 65535 and the default value is 1700. Once defined, the RADIUS server group is registered for CoA notification and listens on that port for CoA policy updates from the Cisco Identity Services Engine (ISE).

  • Merge Downloadable ACL with Cisco AV Pair ACL—Enables merging a downloadable access control list (dACL) with a Cisco attribute-value (AV) pair ACL.

    A downloadable ACL defines and updates access control lists in Cisco ISE and allows the ACL to be downloaded to all applicable controllers. For more information about using dACLs in Cisco ISE, see the chapter on Segmentation, section on authorization policies, in the Cisco ISE Administrator Guide.

    A Cisco AV pair ACL can be used to define specific authentication, authorization, and accounting elements for each individual session. For more information, see the chapter on Segmentation, section on authorization profile settings, in the Cisco ISE Administrator Guide.

    If you select Merge Downloadable ACL with Cisco AV Pair ACL, you can choose the following options:

    • After Cisco AV Pair ACL means the downloadable ACL entries should be placed after the Cisco AV pair entries.

    • Before Cisco AV Pair ACL means the downloadable ACL entries should be placed before the Cisco AV pair entries.

  • RADIUS Servers—See RADIUS Server Options.

RADIUS Server Options

Navigation Path

Objects > Object Management > AAA Server > RADIUS Server Group. Choose and edit a listed RADIUS Server Group object or add a new one. Then, in the RADIUS Server Group dialog, choose and edit a listed RADIUS Server or add a new one.

Fields
  • IP Address/Hostname—The network object that identifies the hostname or IP address of the RADIUS server to which authentication requests are sent. You can select only one network object; to add more servers, add additional RADIUS Server entries to the RADIUS Server Group list.


    Note


    The device supports IPv6 addresses for RADIUS authentication.


  • Authentication Port—The port on which RADIUS authentication and authorization are performed. The default is 1812.

  • Key and Confirm Key—The shared secret that is used to encrypt data between the managed device (client) and the RADIUS server.

    The key is a case-sensitive, alphanumeric string of up to 127 characters. Special characters are permitted.

    The key you define in this field must match the key on the RADIUS server. Enter the key again in the Confirm field.

  • Accounting Port—The port on which RADIUS accounting is performed. The default is 1813.

  • Timeout—Session timeout for authentication.


    Note


    The timeout value must be 60 seconds or more for RADIUS two factor authentication. The default timeout value is 10 seconds.


  • Connect Using—Establishes connectivity from the device to a RADIUS server using a route lookup or a specific interface.

    • Click the Routing radio button to use the routing table.

    • Click the Specific Interface radio button and choose a security zone/interface group or the Management interface (the default) from the drop-down list. If you want to use Management, you must choose it specifically; it is not available when using a route lookup. You cannot specify any other management-only interface as the RADIUS source. You can also choose a loopback interface group.

  • Redirect ACL—Select the redirect ACL from the list or add a new one.


    Note


    This is the name of the ACL defined on the device that determines which traffic is redirected. The Redirect ACL name here must be the same as the redirect-acl name on the ISE server. When you configure the ACL object, ensure that you select the Block action for the ISE and DNS servers, and the Allow action for the rest of the servers.


Add a Single Sign-on Server

Before you begin

Obtain the following from your SAML identity provider:

  • Identity Provider Entity ID URL

  • Sign-in URL

  • Sign-out URL

  • Identity provider certificate; enroll the certificate in threat defense using the management center web interface (Devices > Certificates)

For more information, see Configuring a SAML Single Sign-On Authentication.

Procedure


Step 1

Choose Objects > Object Management > AAA Server > Single Sign-on Server.

Step 2

Click Add Single Sign-on Server and provide the following details:

  • Name—The name of the SAML single sign-on server object.

  • Identity Provider Entity ID—The URL that is defined in the SAML IdP to identify a service provider uniquely.

    This is the URL of a page that serves the metadata XML describing how the SAML issuer responds to requests.

  • SSO URL—The URL for signing into the SAML identity provider server.

  • Logout URL—The URL for signing out of the SAML identity provider server.

  • Base URL—URL that will redirect the user back to threat defense once the identity provider authentication is done. This is the URL of the access interface configured for the threat defense remote access VPN.

  • Identity Provider Certificate—Certificate of the IdP enrolled into the threat defense to verify the messages signed by the IdP.

    Select an identity provider certificate from the list or click Add to create a new certificate enrollment object.

    For more information, see Managing Threat Defense Certificates.

    You must enroll all of the Microsoft Azure registered application CA certificates as Trustpoints on the threat defense. The Microsoft Azure SAML identity provider is configured on threat defense for the initial application. All connection profiles are mapped to the configured MS Azure SAML identity provider. For each of the MS Azure applications (other than the default), you can choose the required trustpoint (CA certificate) in the connection profile configuration of the remote access VPN.

    For details, see Configure AAA Settings for Remote Access VPN.

  • Service Provider Certificate—The threat defense certificate that is used to sign the requests and build a circle of trust with the IdP.

    If you have not enrolled internal threat defense certificates, click + to add and enroll a certificate. For more information, see Managing Threat Defense Certificates.

  • Request Signature—Select the hash algorithm used to sign the SAML single sign-on requests.

    The algorithms are listed from weakest to strongest: SHA1, SHA256, SHA384, SHA512. Select None to disable request signing.

  • Request Timeout—Specify the SAML assertion validity duration for the users to complete the single sign-on request. The SAML assertion carries two time limits from the IdP: NotBefore and NotOnOrAfter. Threat defense checks that its current time falls between NotBefore (the lower limit) and the smaller of NotBefore plus the timeout and NotOnOrAfter (the upper limit). Thus, if you set a timeout longer than the IdP's NotOnOrAfter allows, the specified timeout is ignored and NotOnOrAfter is used. If NotBefore plus the specified timeout is earlier than NotOnOrAfter, the threat defense timeout takes precedence.

    The timeout range is 1-7200 seconds; the default is 300 seconds.

  • Enable IdP only accessible on Internal Network—Select this option if the SAML IdP resides on the internal network. Threat Defense acts as a gateway and establishes communication between the users and IdP using an anonymous webvpn session.

  • Request IdP re-authentication on Login—Select this option to authenticate the user at each login even if the previous IdP session is still valid.

  • Allow Overrides—Select this check box to allow overrides for this single sign-on server object.

Step 3

Click Save.
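The Request Timeout rule above, as an added example (not threat defense code): it reads NotBefore and NotOnOrAfter from a constructed SAML assertion's Conditions element and returns the validity window threat defense would apply, together with which limit applied.

```python
"""Compute the assertion validity window applied for the Request Timeout setting.

Added example, not threat defense code. The rule is the one stated above:
the upper limit is the smaller of NotBefore + timeout and NotOnOrAfter.
The assertion XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    # fromisoformat accepts the +00:00 form on every Python 3 version with it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_conditions(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(SAML_NS + "Conditions")
    if cond is None:  # an Element with no children is falsy, so test for None
        raise ValueError("assertion has no Conditions element")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def effective_window(not_before, not_on_or_after, timeout_seconds):
    """Return (lower, upper, limiting), where limiting names the bound that applied."""
    if not 1 <= timeout_seconds <= 7200:
        raise ValueError("Request Timeout must be 1-7200 seconds")
    by_timeout = not_before + timedelta(seconds=timeout_seconds)
    if by_timeout < not_on_or_after:
        return not_before, by_timeout, "timeout"  # configured timeout wins
    return not_before, not_on_or_after, "NotOnOrAfter"  # IdP limit wins


def assertion_is_timely(assertion_xml, now, timeout_seconds=300):
    """True if 'now' lies inside the window threat defense would accept."""
    lower, upper, _ = effective_window(*parse_conditions(assertion_xml), timeout_seconds)
    return lower <= now < upper


# Constructed assertion fragment: a 10-minute IdP validity window.
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example">
  <saml2:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:10:00Z"/>
</saml2:Assertion>"""

if __name__ == "__main__":
    nb, noa = parse_conditions(ASSERTION)
    print(effective_window(nb, noa, 300))   # default timeout limits the window at 12:05
    print(effective_window(nb, noa, 7200))  # IdP NotOnOrAfter limits it at 12:10
```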


Access List

An access list object, also known as an access control list (ACL), selects the traffic to which a service will apply. You use these objects when configuring particular features, such as route maps, for threat defense devices. Traffic identified as allowed by the ACL is provided the service, whereas “blocked” traffic is excluded from the service. Excluding traffic from a service does not necessarily mean that it is dropped altogether.

You can configure the following types of ACL:

  • Extended—Identifies traffic based on source and destination address and ports. Supports IPv4 and IPv6 addresses, which you can mix in a given rule.

  • Standard—Identifies traffic based on destination address only. Supports IPv4 only.

An ACL is composed of one or more access control entries (ACEs), or rules. The order of ACEs is important. When the ACL is evaluated to determine whether a packet matches an “allowed” ACE, the packet is tested against each ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you want to “allow” 10.100.10.1, but “block” the rest of 10.100.10.0/24, the allow entry must come before the block entry. In general, place more specific rules at the top of an ACL.

Packets that do not match an “allow” entry are considered to be blocked.
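The ordering rule above as a small first-match evaluator, added here as an example (not threat defense code): it models standard (destination only, IPv4 only) and extended ACL objects, uses the page's host and /24 entries in both orders, and returns the implicit block when no entry matches. The Ace field names and the proto/dport model are this example's own simplification.

```python
"""First-match evaluation of standard and extended ACL objects.

Added example, not threat defense code. It models the ordering rule above:
ACEs are tested top to bottom, the first match decides, and a packet that
matches no 'allow' entry is blocked. The Ace fields are a simplification.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_network(spec):
    """Accept 'any', a host, a CIDR, or '10.100.10.0 255.255.255.0'."""
    if spec == "any":
        return None
    return ipaddress.ip_network(spec.replace(" ", "/"), strict=False)


@dataclass
class Ace:
    action: str                  # "allow" (match) or "block" (not match)
    dst: tuple = ("any",)        # destination specs; IPv4 and IPv6 may be mixed
    src: tuple = ("any",)        # extended ACLs only
    proto: str = "any"           # "tcp", "udp", "icmp", "icmp6" or "any"
    dport: Optional[int] = None  # extended ACLs only

    def __post_init__(self):
        self.dst_nets = [parse_network(s) for s in self.dst]
        self.src_nets = [parse_network(s) for s in self.src]


def _addr_matches(nets, addr):
    ip = ipaddress.ip_address(addr)
    return any(n is None or (n.version == ip.version and ip in n) for n in nets)


class AccessList:
    def __init__(self, kind, aces):
        if kind not in ("standard", "extended"):
            raise ValueError(kind)
        if kind == "standard":
            for ace in aces:
                # Standard ACLs match the destination address only and support IPv4 only.
                if ace.src != ("any",) or ace.proto != "any" or ace.dport is not None:
                    raise ValueError("standard ACL entries match destination address only")
                if any(n is not None and n.version == 6 for n in ace.dst_nets):
                    raise ValueError("standard ACLs support IPv4 only")
        self.kind = kind
        self.aces = list(aces)

    def evaluate(self, dst, src="0.0.0.0", proto="any", dport=None):
        """Return (action, index of the deciding ACE, or None for the implicit block)."""
        for idx, ace in enumerate(self.aces):
            if not _addr_matches(ace.dst_nets, dst):
                continue
            if self.kind == "extended":
                if not _addr_matches(ace.src_nets, src):
                    continue
                if ace.proto != "any" and ace.proto != proto:
                    continue
                if ace.dport is not None and ace.dport != dport:
                    continue
            return ace.action, idx  # first match wins; later ACEs are not checked
        return "block", None        # no 'allow' matched: implicitly blocked


# The page's example: allow one host, then block the rest of its /24.
CORRECT_ORDER = AccessList("standard", [
    Ace("allow", dst=("10.100.10.1",)),
    Ace("block", dst=("10.100.10.0 255.255.255.0",)),
])
# The same entries reversed: the /24 block now shadows the host allow.
WRONG_ORDER = AccessList("standard", list(reversed(CORRECT_ORDER.aces)))

# An extended entry mixing IPv4 and IPv6 destinations, TCP/443 only.
WEB_ONLY = AccessList("extended", [
    Ace("allow", dst=("10.100.10.0/24", "2001:DB8:0:CD30::/60"), proto="tcp", dport=443),
])

if __name__ == "__main__":
    print(CORRECT_ORDER.evaluate("10.100.10.1"))  # ('allow', 0)
    print(WRONG_ORDER.evaluate("10.100.10.1"))    # ('block', 0)
    print(WEB_ONLY.evaluate("2001:db8:0:cd31::1", proto="tcp", dport=443))  # ('allow', 0)
```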

The following topics explain how to configure ACL objects.

Configure Extended ACL Objects

Use extended ACL objects when you want to match traffic based on source and destination addresses, protocol and port, or application group, or when the traffic is IPv6.

Procedure


Step 1

Select Objects > Object Management and choose Access List > Extended from the table of contents.

Step 2

Do one of the following:

  • Click Add Extended Access List to create a new object.

  • Click Edit (edit icon) to edit an existing object.

Step 3

In the New Extended Access List Object dialog box, enter a name for the object (no spaces allowed), and configure the access control entries:

  1. Do one of the following:

    • Click Add to create a new entry.

    • Click Edit (edit icon) to edit an existing entry.

  2. Select the Action, whether to Allow (match) or Block (not match) the traffic criteria.

    Note

     

    The Logging, Log Level, and Log Interval options are used for access rules only (ACLs attached to interfaces or applied globally). Because ACL objects are not used for access rules, leave these values at their defaults.

  3. Configure the source and destination addresses on the Network tab using any of the following techniques:

    • Select the desired network objects or groups from the Available list and click Add to Source or Add to Destination. You can create new objects by clicking the + button above the list. You can mix IPv4 and IPv6 addresses.

    • Type an address in the edit box below the source or destination list and click Add. You can specify a single host address (such as 10.100.10.5 or 2001:DB8::0DB8:800:200C:417A), or a subnet (in 10.100.10.0/24 or 10.100.10.0 255.255.255.0 format, or for IPv6, 2001:DB8:0:CD30::/60).

  4. Click the Port tab and configure the service using any of the following techniques.

    • Select the desired port objects from the Available list and click Add to Source or Add to Destination. You can create new objects by clicking the + button above the list. The object can specify TCP/UDP ports, ICMP/ICMPv6 message types, or other protocols (including “any”). However, the source port, which you typically would leave empty, accepts TCP/UDP only. You cannot select port groups.

      For TCP/UDP, note that you must use the same protocol in both the source and destination fields, if you specify both. For example, you cannot specify a UDP source port and a TCP destination port.

    • Type or select a port or protocol in the edit box below the source or destination list and click Add.

    Note

    To get an entry that applies to all IP traffic, select a destination port object that specifies “all” protocols.

  5. Click the Application tab and choose the applications that are to be grouped for the direct internet access policy.

    Important

    • You cannot configure applications for cluster devices. Hence, this tab is not applicable for cluster devices.

    • Use extended ACL with applications only in Policy Based Routing. Do not use it in other policies as its behavior is unknown and not supported.

    Note

    • The Available Applications list displays a fixed set of pre-defined applications. This list is a subset of the applications available in the Access Control policy: only applications that can be detected from their first packet (FQDN end-points resolved to IP addresses and port) are included. The application definitions are updated through the VDB updates and are pushed to threat defense during subsequent deployments.

    • User-defined custom applications or groups of applications are not supported.

    • Currently, management center neither supports user-defined custom applications or groups of applications nor allows you to modify the pre-defined applications list.

    • You can use the filter options provided under the Application Filters to refine this list.

  6. Click the Users tab and choose the users, user groups, or both that are to be classified for the Policy Based Routing (PBR).

    Important

    Use extended ACL with users, user groups, or both only for Policy Based Routing. Do not use it in other policies as its behavior is unknown and not supported.

    Note

    • The Available Realms list displays the configured Active Directory/LDAP realms. For information on creating and managing realms, see Create an LDAP Realm or an Active Directory Realm and Realm Directory and Manage a Realm respectively.

      Note

      Local realms and Azure AD realms are not supported.

    • The Available Users list displays the downloaded users and user groups of the selected AD/LDAP realms. To download the users, user groups, or both, navigate to Integrations > Other Integrations > Realms, and then click Download against the relevant Active Directory/LDAP realms.

      Note

      Threat defense can support a maximum of 512 user groups and 64000 user-IP mappings.

    • The user-to-IP mapping and user group membership information are updated and pushed to the threat defense from the management center during user logins or logouts, and on changes in the group memberships.

  7. Click the Security Group Tag tab and choose the source SGT tags to be classified for the direct internet access policy.

    Important

    Use extended ACL with SGTs only for Policy Based Routing. Do not use it in other policies as its behavior is unknown and not supported.

  8. Select the required application, and click Add to Rule.

    Note

    • Do not configure destination networks and applications in the extended ACL object.

    • The selected applications (Network Service objects) in each of the access control entries form a Network Service Group (NSG), and this group is deployed on the threat defense. The NSG is used in direct internet access to classify traffic based on the match with the selected application group.

  9. Click Add to add the entry to the object.

  10. If necessary, click and drag the entry to move it up or down in the rule order to the desired location.

    Repeat the process to create or edit additional entries in the object.

Step 4

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 5

Click Save.


Configure Standard ACL Objects

Use standard ACL objects when you want to match traffic based on destination IPv4 address only. Otherwise, use extended ACLs.

Procedure


Step 1

Select Objects > Object Management and choose Access List > Standard from the table of contents.

Step 2

Do one of the following:

  • Click Add Standard Access List to create a new object.

  • Click Edit (edit icon) to edit an existing object.

Step 3

In the New Standard Access List Object dialog box, enter a name for the object (no spaces allowed), and configure the access control entries:

  1. Do one of the following:

    • Click Add to create a new entry.

    • Click Edit (edit icon) to edit an existing entry.

  2. For each access control entry, configure the following properties:

    • Action—Whether to Allow (match) or Block (not match) the traffic criteria.

    • Network—Add the IPv4 network objects or groups that identify the destination of the traffic.

  3. Click Add to add the entry to the object.

  4. If necessary, click and drag the entry to move it up or down in the rule order to the desired location.

    Repeat the process to create or edit additional entries in the object.

Step 4

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 5

Click Save.


Address Pools

You can configure IP address pools for both IPv4 and IPv6 that can be used for clustering or for VPN remote access profiles. For clustering in Individual interface mode, you can also configure MAC address pools.

Procedure


Step 1

Select Objects > Object Management > Address Pools.

Step 2

Click IPv4 Pools and then Add IPv4 Pools, and configure the following fields.

  • Name—Enter the name of the address pool. It can be up to 64 characters.

  • Description—Add an optional description for this pool.

  • IP Address—Enter a range of addresses available in the pool. Use dotted decimal notation and a dash between the beginning and the end address, for example: 10.10.147.100-10.10.147.177.

  • Mask—Identifies the subnet on which this IP address pool resides.

  • Allow Overrides—Check this check box to enable object overrides. Click the expand arrow to show the Overrides table. You can add a new override by clicking Add. See Object Overrides for more information.

Step 3

Click Save.

Step 4

Click IPv6 Pools and then Add IPv6 Pools, and configure the following fields.

  • Name—Enter the name of the address pool. It can be up to 64 characters.

  • Description—Add an optional description for this pool.

  • IPv6 Address—Enter the first IP address available in the configured pool and the prefix length in bits. For example: 2001:DB8::1/64.

  • Number of Addresses—Identifies the number of IPv6 addresses, starting at the Starting IP Address, that are in the pool.

  • Allow Overrides—Check this check box to enable overrides. Click the expand arrow to show the Overrides table. You can add a new override by clicking Add. See Object Overrides for more information.

Step 5

Click Save.

Step 6

Click MAC Address Pool and then Add MAC Address Pool, and configure the following fields.

For clustering in Individual interface mode, you can configure a MAC address pool for the interface. It is not common to manually configure MAC addresses for an interface, but if you have special needs to do so, then this pool is used to assign a unique MAC address to each interface. See Configure the MAC Address.

  • Name—Enter the name of the address pool. It can be up to 64 characters.

  • Description—Add an optional description for this pool.

  • MAC Address Range—Enter a range of MAC addresses available in the pool. Use a dash between the beginning and the end address, for example: 000C.F142.4CD1-000C.F142.4CD7.

  • Allow Overrides—Check this check box to enable overrides. Click the expand arrow to show the Overrides table. You can add a new override by clicking Add. See Object Overrides for more information.
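The three pool field formats above (IPv4 start-end range plus Mask, IPv6 start address with prefix length plus Number of Addresses, and dotted-hex MAC range) parsed and sanity-checked, as an added example that is not Cisco's code. It uses Python's standard ipaddress module and rejects a pool that runs backwards or falls outside the subnet or prefix it is declared in; the sample values are the page's own.

```python
import ipaddress
import re


def parse_ipv4_pool(address_range, mask):
    """Parse the IPv4 Pools fields: '10.10.147.100-10.10.147.177' plus a
    dotted-decimal Mask. Returns (first, last, network) and rejects a range
    that runs backwards or leaves the subnet the mask identifies."""
    first_text, sep, last_text = address_range.partition("-")
    if not sep:
        raise ValueError("expected start-end, got %r" % address_range)
    first = ipaddress.IPv4Address(first_text.strip())
    last = ipaddress.IPv4Address(last_text.strip())
    if last < first:
        raise ValueError("pool end %s precedes start %s" % (last, first))
    # strict=False because the pool start is a host address, not a network base
    network = ipaddress.IPv4Network((first, mask), strict=False)
    if last not in network:
        raise ValueError("pool end %s is outside %s" % (last, network))
    return first, last, network


def ipv4_pool_size(address_range, mask):
    """Number of addresses the IPv4 pool can hand out."""
    first, last, _ = parse_ipv4_pool(address_range, mask)
    return int(last) - int(first) + 1


def ipv4_pool_error(address_range, mask):
    """Return the validation message, or None when the pool is well-formed."""
    try:
        parse_ipv4_pool(address_range, mask)
    except ValueError as err:
        return str(err)
    return None


def parse_ipv6_pool(start_with_prefix, number_of_addresses):
    """Parse the IPv6 Pools fields: '2001:DB8::1/64' plus Number of Addresses.
    Returns (first, last) and rejects a pool that would run past the prefix."""
    if number_of_addresses < 1:
        raise ValueError("number of addresses must be at least 1")
    interface = ipaddress.IPv6Interface(start_with_prefix)
    first = interface.ip
    last = first + (number_of_addresses - 1)
    if last not in interface.network:
        raise ValueError("pool of %d addresses runs past %s"
                         % (number_of_addresses, interface.network))
    return first, last


_MAC_RE = re.compile(r"([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})")


def parse_mac(text):
    """'000C.F142.4CD1' (the dotted-hex form used on the page) -> integer."""
    match = _MAC_RE.fullmatch(text.strip())
    if not match:
        raise ValueError("expected HHHH.HHHH.HHHH, got %r" % text)
    return int("".join(match.groups()), 16)


def mac_pool_size(address_range):
    """Number of MAC addresses in '000C.F142.4CD1-000C.F142.4CD7'."""
    first_text, sep, last_text = address_range.partition("-")
    if not sep:
        raise ValueError("expected start-end, got %r" % address_range)
    first, last = parse_mac(first_text), parse_mac(last_text)
    if last < first:
        raise ValueError("MAC pool end precedes start")
    return last - first + 1


if __name__ == "__main__":
    # The page's own sample values, used here as constructed input.
    print(ipv4_pool_size("10.10.147.100-10.10.147.177", "255.255.255.0"))  # 78
    print(parse_ipv6_pool("2001:DB8::1/64", 100))
    print(mac_pool_size("000C.F142.4CD1-000C.F142.4CD7"))  # 7
```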


Application Filters

System-provided application filters help you perform application control by organizing applications according to basic characteristics: type, risk, business relevance, category, and tags. In the object manager, you can create and manage reusable user-defined application filters based on combinations of the system-provided filters, or on custom combinations of applications. For detailed information, see Application Rule Conditions.

AS Path

An AS Path is a mandatory attribute to set up BGP. It is a sequence of AS numbers through which a network can be accessed. An AS-PATH is a sequence of intermediate AS numbers between source and destination routers that form a directed route for packets to travel. Neighboring autonomous systems (ASes) use BGP to exchange and update messages about how to reach different AS prefixes. After each router makes a new local decision on the best route to a destination, it sends that route, or path information, along with the accompanying distance metrics and path attributes, to each of its peers. As this information travels through the network, each router along the path prepends its unique AS number to a list of ASes in the BGP message. This list is the route's AS-PATH. An AS-PATH along with an AS prefix provides a specific handle for a one-way transit route through the network. Use the Configure AS Path page to create, copy and edit autonomous system (AS) path policy objects. You can create AS path objects to use when you are configuring route maps, policy maps, or BGP Neighbor Filtering. An AS path filter allows you to filter the routing update message by using regular expressions.

You can use this object with threat defense devices.

Procedure


Step 1

Select Objects > Object Management and choose AS Path from the table of contents.

Step 2

Click Add AS Path.

Step 3

Enter a name for the AS Path object in the Name field. Valid values are between 1 and 500.

Step 4

Click Add on the New AS Path Object window.

  1. Select the Allow or Block options from the Action drop-down list to indicate redistribution access.

  2. Specify the regular expression that defines the AS path filter in the Regular Expression field.

  3. Click Add.

Step 5

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 6

Click Save.


BFD Template

The BFD template specifies a set of BFD interval values. BFD interval values as configured in the BFD template are not specific to a single interface. You can also configure authentication for single-hop and multi-hop sessions. Echo mode is disabled by default. You can enable Echo mode on single-hop only.

Procedure


Step 1

Choose Objects > Object Management > BFD Template.

Step 2

Click Add BFD Template or Edit.

Note

If you are editing a template, you cannot modify its name and type.

Step 3

On the Template tab, configure the following:

  • Template Name—The name of this BFD template. You must assign a name in order to configure the rest of the parameters in the template. The template name cannot contain spaces and cannot consist only of numbers.

  • Type—Click the Single-Hop or Multi-Hop radio button.

  • Enable Echo—(Optional) Enables Echo for the single-hop template.

If the Echo function is not negotiated, BFD control packets are sent at a high rate to meet the detection time. If the Echo function is negotiated, BFD control packets are sent at a slower, negotiated rate and self-directed echo packets are sent at a high rate. We recommend that you use Echo mode, if possible.

Step 4

On the Interval tab, configure the following:

  1. From the Interval Type drop-down list, select Microseconds or Milliseconds.

  2. In the Multiplier field, enter the value to be used for computing the hold down time. This value indicates the number of consecutive BFD control packets that must be missed from a BFD peer before BFD declares that the peer is unavailable and the Layer 3 BFD peer is informed of the failure. The range is 3 to 50. The default is 3.

  3. In the Minimum Transmit field, enter the minimum transmit interval capability. The range is 50 to 999 milliseconds or 50000 to 999000 microseconds.

  4. In the Minimum Receive field, enter the minimum receive interval capability. The range is 50 to 999 milliseconds or 50000 to 999000 microseconds.

Step 5

On the Authentication tab, configure the following:

  • Authentication Type—Select NONE, md5, meticulous-sha-1, meticulous-md5, or sha-1 from the drop-down list.

  • Encrypted Password—(Optional) Enables encryption of the authentication password.

  • Password—The authentication password that must be sent and received in the packets using the routing protocol being authenticated. The valid value is a string containing 1 to 29 uppercase and lowercase alphanumeric characters, except that the first character CANNOT be a digit or a digit followed by a whitespace. For example, '1password' or '0 password' is invalid.

  • Key ID—The shared key ID that matches the key value. The range is 0 to 255.

Step 6

Click OK.

Step 7

Click Apply to save the BFD template configuration.


Cipher Suite List

A cipher suite list is an object comprised of several cipher suites. Each predefined cipher suite value represents a cipher suite used to negotiate an SSL- or TLS-encrypted session. You can use cipher suites and cipher suite lists in SSL rules to control encrypted traffic based on whether the client and server negotiated the SSL session using that cipher suite. If you add a cipher suite list to an SSL rule, SSL sessions negotiated with any of the cipher suites in the list match the rule.


Note

Although you can use cipher suites in the web interface in the same places as cipher suite lists, you cannot add, modify, or delete cipher suites.


Creating Cipher Suite Lists

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose Cipher Suite List from the list of object types.

Step 3

Click Add Cipher Suites.

Step 4

Enter a Name.

Step 5

Choose one or more cipher suites from the Available Ciphers list.

Step 6

Click Add.

Step 7

Optionally, click Delete (delete icon) next to any cipher suites in the Selected Ciphers list that you want to remove.

Step 8

Click Save.


Community List

A Community is an optional transitive BGP attribute. A community is a group of destinations that share some common attribute. It is used for route tagging. The BGP community attribute is a numerical value that can be assigned to a specific prefix and advertised to other neighbors. Communities can be used to mark a set of prefixes that share a common attribute. Upstream providers can use these markers to apply a common routing policy such as filtering or assigning a specific local preference or modifying other attributes. Use the Configure Community Lists page to create, copy and edit community list policy objects. You can create community list objects to use when you are configuring route maps or policy maps. You can use community lists to create groups of communities to use in a match clause of a route map. The community list is an ordered list of matching statements. Destinations are matched against the rules until a match is found.

You can use this object with threat defense devices.

Procedure


Step 1

Select Objects > Object Management and choose Community List from the table of contents.

Step 2

Click Add Community List.

Step 3

In the Name field, specify a name for the community list object.

Step 4

Click Add on the New Community List Object window.

Step 5

Select the Standard radio button to indicate the community rule type.

Standard community lists are used to specify well-known communities and community numbers.

Note

You cannot have entries using Standard and entries using Expanded community rule types in the same Community List object.

  1. Select the Allow or Block options from the Action drop-down list to indicate redistribution access.

  2. In the Communities field, specify a community number. Valid values can be from 1 to 4294967295 or from 0:1 to 65534:65535.

  3. Select the appropriate Route Type.

    • Internet — Select to specify the Internet well-known community. Routes with this community are advertised to all peers (internal and external).
    • No Advertise — Select to specify the no-advertise well-known community. Routes with this community are not advertised to any peer (internal or external).
    • No Export — Select to specify the no-export well-known community. Routes with this community are advertised to only peers in the same autonomous system or to only other sub-autonomous systems within a confederation. These routes are not advertised to external peers.

Step 6

Select the Expanded radio button to indicate the community rule type.

Expanded community lists are used to filter communities using a regular expression. Regular expressions are used to specify patterns to match COMMUNITIES attributes.

  1. Select the Allow or Block options from the Action drop-down list to indicate redistribution access.

  2. Specify the regular expression in the Expressions field.

Step 7

Click Add.

Step 8

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 9

Click Save.


Extended Community

An extended community is a larger group of destinations that share some common attribute. The BGP extended community list has attributes that can be used to mark a set of prefixes that share a common attribute. These markers are used in the match clause of a route map to filter the routes for implementing route leaks among virtual routers. You can also define policy list objects with the extended community list for filtering. The extended community list is an ordered list of matching statements. Routes are matched against the rules until a match is found with the specified route target (standard) or regular expression (expanded). Use the Extended Community page to create and edit extended community list policy objects.


Note

The extended community lists are applicable only for configuring import or export of routes.


You can use this object with threat defense devices.

Procedure


Step 1

Select Objects > Object Management and choose Community List > Extended Community from the table of contents.

Step 2

Click Add Extended Community List.

Step 3

In the Name field, specify a name for the extended community list object. The length of the name cannot exceed 80 characters.

Step 4

Select the extended community rule type:

  • Click the Standard radio button to specify one or more route targets.

  • Click the Expanded radio button to specify regular expressions.

Note

You cannot have entries using Standard and Expanded extended community rule types in the same Extended Community List object.

Step 5

Click Add.

Step 6

If you have selected Standard as the extended community rule type, specify the following:

  1. In the Sequence No field, enter the order in which you want the rule to be executed.

    The sequence number must be unique in the list.

  2. From the Action drop-down list, if you want to permit routes that have matching route target that is specified here, select Allow; if you want to deny routes that have matching route target that is specified here, select Block.

  3. In the Route Target field, specify a route target.

    • You can add a single route target or a set of route targets separated by commas in a single entry. For example, 1:2,1:4,1:6.

    • Valid values can be from 1:1 to 65534:65535.

    • You can have a maximum of 8 route targets in an entry.

    • You cannot have redundant route target sets across multiple entries; the order of the targets within an entry does not matter. For example, say you want to configure seq1 with 1:200,100:100,1:300 route targets, and seq2 with 1:300,100:100,1:200 route targets. This results in a redundant route target set and cannot be deployed.

Step 7

If you have selected Expanded as the extended community rule type, specify the following:

  1. In the Sequence No field, enter the order in which you want the rule to be executed.

    The sequence number must be unique in the list.

  2. From the Action drop-down list, if you want to permit routes that have matching regular expression that is specified here, select Allow; if you want to deny routes that have matching regular expression that is specified here, select Block.

  3. Specify the regular expression in the Expressions field.

    • You can add a single regular expression or a set of regular expressions separated by a space in a single entry. For example, ^((16) | (18)):(.)$.

    • You can add a maximum of 16 regular expressions to an entry.

    • You cannot have redundant regular expression sets across multiple entries; the order of the expressions within an entry does not matter. For example, say you want to configure seq1 with ^((16) | (18)):(.)$ ^4_[0-9]*$ regular expressions, and seq2 with ^4_[0-9]*$ ^((16) | (18)):(.)$ regular expressions. This results in a redundant regular expression set and cannot be deployed.

    For details on BGP regular expressions, see here.

Step 8

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 9

Click Save.


The extended community list can be referenced in the match clause of the Route Map object or Policy List object:

  • In the Route Map object, the name of the extended community list is displayed in the Add Route Map Entry > Match Clause > BGP > Community List > Add Extended Community List dialog. For more details on configuring BGP settings in a route map, see Route Map.

  • In the Policy List object, the name of the extended community list is displayed in the Add Policy List > Community Rule > Add Extended Community List dialog. For more details on configuring BGP settings in a policy list, see Policy List.
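The Step 6 and Step 7 rules above (unique sequence numbers, Allow/Block actions, route target range and per-entry limits, and the redundant-set rule that treats 1:200,100:100,1:300 and 1:300,100:100,1:200 as the same set) as a pre-deployment checker. This is an added example, not Cisco's code; it reads the page's range 1:1 to 65534:65535 component-wise (1 to 65534 for the first number, 1 to 65535 for the second), which is an interpretation, and it takes each entry's values as an already-split list so that expressions containing spaces are not ambiguous.

```python
import re

MAX_NAME_LEN = 80
MAX_ROUTE_TARGETS = 8    # per Standard entry
MAX_EXPRESSIONS = 16     # per Expanded entry
_RT_RE = re.compile(r"(\d{1,5}):(\d{1,5})")


def parse_route_target(text):
    """Return (asn, local) for an 'ASN:NN' route target.

    The page states the valid range as 1:1 to 65534:65535; this reads it as
    1 <= ASN <= 65534 and 1 <= NN <= 65535 (an interpretation, not Cisco's text)."""
    match = _RT_RE.fullmatch(text.strip())
    if not match:
        raise ValueError("malformed route target %r" % text)
    asn, local = int(match.group(1)), int(match.group(2))
    if not (1 <= asn <= 65534 and 1 <= local <= 65535):
        raise ValueError("route target %r outside 1:1 to 65534:65535" % text)
    return asn, local


def _entry_key(rule_type, values):
    """Validate one entry's values and return the set the redundancy rule
    compares (order within an entry does not matter, as the page's example shows)."""
    if not values:
        raise ValueError("entry has no values")
    if rule_type == "standard":
        if len(values) > MAX_ROUTE_TARGETS:
            raise ValueError("more than %d route targets" % MAX_ROUTE_TARGETS)
        return frozenset(parse_route_target(v) for v in values)
    if len(values) > MAX_EXPRESSIONS:
        raise ValueError("more than %d regular expressions" % MAX_EXPRESSIONS)
    for expression in values:
        # Python's re only checks that the expression is well-formed; it does
        # not implement BGP regex semantics such as '_' as a separator.
        re.compile(expression)
    return frozenset(values)


def validate_extended_community_list(name, rule_type, entries):
    """Return the list of problems; an empty list means the object satisfies
    the rules above. Each entry is {'seq': int, 'action': str, 'values': [str]}
    where values holds the entry's route targets (Standard) or expressions
    (Expanded)."""
    problems = []
    if not name or len(name) > MAX_NAME_LEN:
        problems.append("name must be 1 to %d characters" % MAX_NAME_LEN)
    if rule_type not in ("standard", "expanded"):
        problems.append("rule type must be standard or expanded, not %r" % rule_type)
        return problems
    seen_seqs, seen_keys = set(), {}
    for entry in entries:
        seq = entry.get("seq")
        if seq in seen_seqs:
            problems.append("sequence number %r is not unique" % seq)
        seen_seqs.add(seq)
        if entry.get("action") not in ("Allow", "Block"):
            problems.append("seq %r: action must be Allow or Block" % seq)
        try:
            key = _entry_key(rule_type, entry.get("values", []))
        except (ValueError, re.error) as err:
            problems.append("seq %r: %s" % (seq, err))
            continue
        if key in seen_keys:
            problems.append("seq %r repeats the value set of seq %r; cannot be deployed"
                            % (seq, seen_keys[key]))
        else:
            seen_keys[key] = seq
    return problems


if __name__ == "__main__":
    # The page's redundant-set example, as constructed input.
    print(validate_extended_community_list("rt-leak", "standard", [
        {"seq": 1, "action": "Allow", "values": ["1:200", "100:100", "1:300"]},
        {"seq": 2, "action": "Allow", "values": ["1:300", "100:100", "1:200"]},
    ]))
```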

DHCP IPv6 Pool

For clients that use Stateless Address Autoconfiguration (SLAAC) in conjunction with the Prefix Delegation feature (Enable the IPv6 Prefix Delegation Client), you can configure the threat defense to provide information such as the DNS server or domain name when they send Information Request (IR) packets to the threat defense, by defining a DHCP IPv6 Pool and assigning it to the DHCPv6 server. The threat defense only accepts IR packets and does not assign addresses to the clients. You configure the client to generate its own IPv6 address by enabling IPv6 autoconfiguration on the client. Enabling stateless autoconfiguration on a client configures IPv6 addresses based on prefixes received in Router Advertisement messages; in other words, based on the prefix that the threat defense received using Prefix Delegation.

To add a pool, see Create the DHCP IPv6 Pool.

Distinguished Name

Each distinguished name object represents the distinguished name for a public key certificate’s subject or issuer. You can use distinguished name objects and groups in TLS/SSL rules to control encrypted traffic based on whether the client and server negotiated the TLS/SSL session using a server certificate with the distinguished name as subject or issuer.

(A distinguished name group is a named collection of existing distinguished name objects.)

The distinguished name can consist of country code, common name, organization, and organizational unit, but typically consists of a common name only. For example, the common name in the certificate for https://www.cisco.com is cisco.com. (However, it's not always this simple; Distinguished Name (DN) Rule Conditions shows how to find common names.) The certificate can contain multiple Subject Alternative Names (SANs) you can use as DNs in a rule condition. For detailed information about SANs, see RFC 5280, section 4.2.1.6.

The format of a distinguished name object that references a common name is CN=name. If you add a DN rule condition without CN=, the system prepends CN= before saving the object.

As discussed further in Distinguished Name (DN) Rule Conditions, the system uses Server Name Indication (SNI) to match the DN in the TLS/SSL rule whenever possible.

You can also add a distinguished name with one of each of the attributes listed in the following table, separated by commas.

Table 1. Distinguished name attributes

Attribute | Description         | Allowed Values
----------|---------------------|--------------------------------------------------------------------------------------------------------
C         | Country Code        | two alphabetic characters
CN        | Common Name         | up to 64 alphanumeric, backslash (/), hyphen (-), quotation ("), or asterisk (*) characters, or spaces
O         | Organization        | up to 64 alphanumeric, backslash (/), hyphen (-), quotation ("), or asterisk (*) characters, or spaces
OU        | Organizational Unit | up to 64 alphanumeric, backslash (/), hyphen (-), quotation ("), or asterisk (*) characters, or spaces

Important notes about DN rule conditions

  • The first time the system detects an encrypted session to a new server, DN data is not available for ClientHello processing, which might result in an undecrypted first session.

    If the server requests TLS 1.3, the setting for TLS server identity discovery can help by making sure the server certificate is known before making decryption policy decisions. For more information, see Access Control Policy Advanced Settings.

  • You cannot configure a distinguished name condition if you also choose the Decrypt - Known Key action. Because that action requires you to choose a server certificate to decrypt traffic, the certificate already matches the traffic.

Wildcard examples

You can define one or more asterisks (*) as wildcards in an attribute. In a common name attribute, you can define one or more asterisks per domain name label. Wildcards match only within that label, but you can define multiple labels with wildcards. See the following table for examples.

Table 2. Common Name attribute wildcard examples

Attribute        | Matches                                  | Does Not Match
-----------------|------------------------------------------|--------------------------------------------------
CN=*ample.com    | example.com                              | mail.example.com, example.text.com, ampleexam.com
CN=exam*.com     | example.com                              | mail.example.com, example.text.com, ampleexam.com
CN=*xamp*.com    | example.com                              | mail.example.com, example.text.com, ampleexam.com
CN=*.example.com | mail.example.com, www.myhost.example.com | example.com, example.text.com, ampleexam.com


Note

The DN object CN=amp.cisco.com would not match a CN like CN=auth.amp.cisco.com, which is why we recommend wildcards in these cases.


For more information and examples, see Distinguished Name (DN) Rule Conditions.
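Both tables above as working code, added here and not part of the Cisco guide: parse_dn() applies the Table 1 attribute rules (it also accepts the dot, which Table 1 omits although every CN example on this page contains one) and the CN= prepending described earlier, and cn_matches() implements the label-by-label wildcard matching of Table 2, treating a label that is only * as standing for one or more labels, which the www.myhost.example.com row requires. All function names are this example's own.

```python
import re

# Allowed values per Table 1. Table 1 does not list the dot, but every CN
# example on this page (CN=*.example.com) contains one, so '.' is accepted too.
_NAME_CHARS = r'[A-Za-z0-9./\-"* ]{1,64}'
_ATTR_VALUE_RE = {
    "C": re.compile(r"[A-Za-z]{2}"),
    "CN": re.compile(_NAME_CHARS),
    "O": re.compile(_NAME_CHARS),
    "OU": re.compile(_NAME_CHARS),
}


def normalize_dn(value):
    """A value entered without any 'attr=' prefix is a bare common name and is
    stored as CN=<value>, mirroring what the object manager does on save."""
    value = value.strip()
    return value if "=" in value else "CN=" + value


def parse_dn(value):
    """Split 'C=US, O=Example Corp, CN=*.example.com' into {'C': 'US', ...}.

    Raises ValueError for an unknown attribute, a repeated attribute (the page
    allows one of each), or a value outside the Table 1 allowed values."""
    attrs = {}
    for part in normalize_dn(value).split(","):
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % part)
        name, val = name.strip().upper(), val.strip()
        if name not in _ATTR_VALUE_RE:
            raise ValueError("unsupported attribute: %r" % name)
        if name in attrs:
            raise ValueError("attribute given twice: %r" % name)
        if not _ATTR_VALUE_RE[name].fullmatch(val):
            raise ValueError("value not allowed for %s: %r" % (name, val))
        attrs[name] = val
    return attrs


def dn_is_valid(value):
    """True when parse_dn() accepts the value."""
    try:
        parse_dn(value)
    except ValueError:
        return False
    return True


def _label_matches(pattern_label, label):
    """'*' inside a label matches any run of characters within that label only."""
    regex = ".*".join(re.escape(piece) for piece in pattern_label.split("*"))
    return re.fullmatch(regex, label) is not None


def _match_labels(pattern_labels, name_labels):
    if not pattern_labels:
        return not name_labels
    head, rest = pattern_labels[0], pattern_labels[1:]
    if head == "*":
        # A label that is only '*' stands for one or more leading labels. The
        # table's CN=*.example.com row needs this to match www.myhost.example.com
        # while still rejecting the bare example.com.
        return any(_match_labels(rest, name_labels[i:])
                   for i in range(1, len(name_labels) - len(rest) + 1))
    if not name_labels or not _label_matches(head, name_labels[0]):
        return False
    return _match_labels(rest, name_labels[1:])


def cn_matches(dn_object, server_common_name):
    """True when the DN object's CN pattern matches a certificate common name.
    Matching is label by label and case-insensitive, as DNS names are."""
    pattern = parse_dn(dn_object).get("CN")
    if pattern is None:
        return False
    return _match_labels(pattern.lower().split("."),
                         server_common_name.lower().split("."))


if __name__ == "__main__":
    # Constructed checks mirroring Table 2 and the note about amp.cisco.com.
    for obj, name in [("CN=*.example.com", "www.myhost.example.com"),
                      ("CN=*.example.com", "example.com"),
                      ("amp.cisco.com", "auth.amp.cisco.com")]:
        print("%-18s %-24s %s" % (obj, name, cn_matches(obj, name)))
```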

Creating Distinguished Name Objects

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Expand the Distinguished Name node, and choose Individual Objects.

Step 3

Click Add Distinguished Name.

Step 4

Enter a Name.

Step 5

In the DN field, enter a value for the distinguished name or common name. You have the following options:

  • If you add a distinguished name, you can include one of each attribute listed in Distinguished Name separated by commas.
  • If you add a common name, you can include multiple labels and wildcards.

Step 6

Click Save.


DNS Server Group

Domain Name System (DNS) servers resolve fully-qualified domain names (FQDN), such as www.example.com, to IP addresses.

Creating DNS Server Group Objects

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Click DNS Server Group from the network objects list.

Step 3

Click Add DNS Server Group.

Step 4

Enter a Name.

Step 5

Optionally, enter the Default Domain to append to host names that are not fully qualified.

This setting is only used for the default server group.

Step 6

The default Timeout and Retries values are pre-populated. Change these values if necessary.

  • Retries—The number of times, from 0 to 10, to retry the list of DNS servers when the system does not receive a response. The default is 2.

  • Timeout—The number of seconds, from 1 to 30, to wait before trying the next DNS server. The default is 2 seconds. Each time the system retries the list of servers, this timeout doubles.

Step 7

Enter the DNS Servers that will be a part of this group, either in IPv4 or IPv6 format as comma separated entries.

A maximum of 6 DNS servers can belong to one group.

Step 8

Click Save.


What to do next

The DNS servers configured in the DNS server group should be assigned to interface objects in the DNS platform settings. For more information, see DNS.

External Attributes

Dynamic Objects

A dynamic object is an object that specifies one or many IP addresses retrieved either using REST API calls or using the Cisco Secure Dynamic Attributes Connector, which is capable of updating IP addresses from cloud sources. These dynamic objects can be used in access control rules without the need to deploy the access control policy afterward.


Note

Unlike most other objects, dynamic objects do not have to be deployed to managed devices to take effect. Just add dynamic objects to the Dynamic Attributes tab page of your access control rule; the object values are automatically updated on the managed device as soon as possible after being pushed by the Cisco Secure Dynamic Attributes Connector.


There are the following kinds of dynamic objects:

  • Dynamic objects created using the dynamic attributes connector are pushed to the management center as soon as they're created and are updated at a regular interval.

  • API-created dynamic objects:

    • Are IP addresses, with or without classless inter-domain routing (CIDR) notation, that can be used in access control rules much like a network object.

    • Do not support fully-qualified domain names or address ranges.

    • Must be updated using an API.

    For more information about API-created dynamic objects, see About API-Created Dynamic Objects.

Create Dynamic Objects for the First Time

The page available at Objects > Object Management > External Attributes > Dynamic Object is displayed as follows if you have not configured any dynamic objects yet.

If you have already created some dynamic objects, see Work With Dynamic Objects.

Before you create any dynamic objects, an informational page is displayed that explains the entire process. You can create dynamic objects using the dynamic attributes connector included in the secure firewall manager; you can create dynamic objects using an on-prem secure firewall manager; or you can create dynamic objects using an on-prem secure firewall manager and an on-prem dynamic attributes connector. Click one of the rectangles, then either click How it Works or Start to get started.

To use this page:

Create Dynamic Objects with the Embedded Cisco Secure Dynamic Attributes Connector

The following page is displayed if you indicated you're configuring the Cisco Secure Dynamic Attributes Connector provided with this Secure Firewall Management Center. This Secure Firewall Management Center already has the Cisco Secure Dynamic Attributes Connector integrated with it (Integration > Dynamic Attributes Connector).

To use the dynamic attributes connector included with the secure firewall manager, enable it (Integration > Dynamic Attributes Connector), configure connectors that receive dynamic objects, and set up dynamic attributes filters that determine what dynamic objects are sent to this secure firewall manager.

To use this type of deployment:

  1. Enable the Cisco Secure Dynamic Attributes Connector as discussed in Enable the Cisco Secure Dynamic Attributes Connector.

  2. Configure connectors, which retrieve IP addresses from cloud services.

    For more information, see Create a Connector.

  3. Configure dynamic attributes filters, which determine what IP addresses to send to the management center.

    For more information, see Create Dynamic Attributes Filters.

  4. View your dynamic objects at Objects > Object Management > External Attributes > Dynamic Object.

  5. Use dynamic objects in access control rules (Policies > Access Control heading > Access Control, then click the Dynamic Attributes tab).

    You do not have to deploy access control rules with dynamic objects; they are updated on all targeted devices automatically.

Create Dynamic Objects with Cisco Defense Orchestrator

The following page is displayed if you indicated you're configuring the Cisco Secure Dynamic Attributes Connector provided with Cisco Defense Orchestrator.

To use an on-premises secure firewall manager with CDO, first onboard the firewall manager with CDO; then, in CDO, create connectors that retrieve dynamic objects, create dynamic attributes filters to determine what objects are sent, and finally create an on-prem adapter to send those objects to the secure firewall manager.

The preceding diagram has details about configuring Cisco Defense Orchestrator that are not discussed in this guide. For more detailed information, see Secure Device Connector (SDC) or SecureX and CDO.

To use this type of deployment:

  1. Configure connectors, which retrieve IP addresses from cloud services.

    For more information, see Create a Connector.

  2. Configure dynamic attributes filters, which determine what IP addresses to send to the management center.

    For more information, see Create Dynamic Attributes Filters.

  3. Configure adapters, which send IP addresses to a Secure Firewall Management Center or cloud-delivered Firewall Management Center.

    For more information, see the section on creating adapters in the Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.

  4. Log in to the Secure Firewall Management Center you defined as an adapter.

    If the Secure Firewall Management Center is managed by Cisco Defense Orchestrator, click and choose Cloud-Delivered FMC.

  5. View your dynamic objects at Objects > Object Management > External Attributes > Dynamic Object.

  6. Use dynamic objects in access control rules (Policies > Access Control heading > Access Control, then click the Dynamic Attributes tab).

    You do not have to deploy access control rules with dynamic objects; they are updated on all targeted devices automatically.

Create Dynamic Objects with the On-Premises Cisco Secure Dynamic Attributes Connector

The following page is displayed if you indicated you're configuring the on-premises Cisco Secure Dynamic Attributes Connector to send dynamic objects to a Secure Firewall Management Center or cloud-delivered Firewall Management Center.

To configure a secure firewall manager to use the dynamic attributes connector, install the dynamic attributes connector on a Linux VM, then configure it with connectors that receive dynamic objects, an adapter that communicates with the secure firewall manager, and dynamic attributes filters that determine which dynamic objects to send.

To use this type of deployment:

  1. Install the Cisco Secure Dynamic Attributes Connector on a supported Linux virtual machine.

  2. Configure connectors, which retrieve IP addresses from cloud services.

    For more information, see the section on creating connectors in the Cisco Secure Dynamic Attributes Connector Configuration Guide.

  3. Configure adapters, which send IP addresses to a Secure Firewall Management Center or cloud-delivered Firewall Management Center.

    For more information, see the section on creating adapters in the Cisco Secure Dynamic Attributes Connector Configuration Guide.

  4. Configure dynamic attributes filters, which determine what IP addresses to send to the management center.

    For more information, see the section on configuring dynamic attributes filters in the Cisco Secure Dynamic Attributes Connector Configuration Guide.

  5. View your dynamic objects at Objects > Object Management > External Attributes > Dynamic Object.

  6. Use dynamic objects in access control rules (Policies > Access Control heading > Access Control, then click the Dynamic Attributes tab).

    You do not have to deploy access control rules with dynamic objects; they are updated on all targeted devices automatically.

For more information, see the Cisco Secure Dynamic Attributes Connector Configuration Guide.

Work With Dynamic Objects

The page available at Objects > Object Management > External Attributes > Dynamic Object is displayed similar to the following if you have already configured some dynamic objects.

The Dynamic Objects page displays all dynamic objects created using the API or using the Cisco Secure Dynamic Attributes Connector. You can edit, delete, or view IP address mappings on this page.

This page displays information about each dynamic object and enables you to view or download IP addresses associated with that object. For more information, see Dynamic Object Mappings.

Dynamic Object Mappings

If you configured dynamic objects either using the API or using the dynamic attributes connector, your connectors send IP addresses that match dynamic attributes filters to the management center at regular intervals.

To view or download a current list of these IP addresses, click Show Mapped IDs as the following figure shows.

IP addresses are added dynamically over time, so you should review this list on a regular basis, especially if your access control rules are not behaving as expected.

About API-Created Dynamic Objects

A dynamic object is an object that specifies one or many IP addresses retrieved either using REST API calls or using the Cisco Secure Dynamic Attributes Connector, which is capable of updating IP addresses from cloud sources. These dynamic objects can be used in access control rules without the need to deploy the access control policy afterward.

For more information about the dynamic attributes connector, see the Cisco Secure Dynamic Attributes Configuration Guide.

Differences between dynamic objects and network objects follow:

  • Dynamic objects created using the dynamic attributes connector are pushed to the management center as soon as they're created and are updated at a regular interval.

  • API-created dynamic objects:

    • Are IP addresses, with or without classless inter-domain routing (CIDR) notation, that can be used in access control rules much like a network object.

    • Do not support fully-qualified domain names or address ranges.

    • Must be updated using an API.

Add or Edit an API-Created Dynamic Object

This procedure discusses how to add or edit a dynamic object using the API. A dynamic object is a group of IP addresses, with or without classless inter-domain routing (CIDR) notation, that can be used in access control rules much like a network object.


Note


This procedure is not necessary if you use the Cisco Secure Dynamic Attributes Connector because it automatically creates dynamic objects for you.


Before you begin

Consult the Firepower Management Center REST API Quick Start Guide for information about using the object services REST API to populate the IP object with an address. Dynamic objects do not require deployment.

Procedure

Step 1

Click Objects > Object Management.

Step 2

Click External Attributes > Dynamic Objects.

Step 3

Click Add Dynamic Object or Edit (edit icon).

Step 4

Enter a Name for the object and an optional Description.

Step 5

From the Type list, click IP.


What to do next

If necessary, update the dynamic object using the API. Deployment is not required.

Security Group Tag

A Security Group Tag (SGT) object specifies a single SGT value. You can use SGT objects in rules to control traffic with SGT attributes that were not assigned by Cisco ISE. You cannot group or override SGT objects.

Creating Security Group Tag Objects

You can create these objects in the global domain only. To use the object on Classic devices, you must have the Control license. For Smart Licensed devices, any license will do.

Before you begin
  • Disable ISE/ISE-PIC connections. You cannot create custom SGT objects if you use ISE/ISE-PIC as an identity source.

Procedure

Step 1

Click Objects > Object Management.

Step 2

Click External Attributes > Security Group Tag.

Step 3

Click Add Security Group Tag.

Step 4

Enter a Name.

Step 5

Optionally, enter a Description.

Step 6

In the Tag field, enter a single SGT.

Step 7

Click Save.


File List

If you use malware defense, and the AMP cloud incorrectly identifies a file’s disposition, you can add the file to a file list to better detect the file in the future. These files are specified using SHA-256 hash values. Each file list can contain up to 10000 unique SHA-256 values.

There are two predefined categories of file lists:

Clean List

If you add a file to this list, the system treats it as if the AMP cloud assigned a clean disposition.

Custom Detection List

If you add a file to this list, the system treats it as if the AMP cloud assigned a malware disposition.

Because you manually specify the blocking behavior for the files included in these lists, the system does not query the AMP cloud for these files’ dispositions. You must configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate a file’s SHA value.


Caution


Do not include malware on the clean list. The clean list overrides both the AMP cloud and the custom detection list.


Source Files for File Lists

You can add multiple SHA-256 values to a file list by uploading a comma-separated value (CSV) source file containing a list of SHA-256 values and descriptions. The management center validates the contents and populates the file list with valid SHA-256 values.

The source file must be a simple text file with a .csv file name extension. Any header must start with a pound sign (#); it is treated as a comment and not uploaded. Each entry should contain a single SHA-256 value followed by a description and end with either the LF or the CR+LF newline character. The system ignores any additional information in the entry.

Note the following:

  • Deleting a source file from the file list also removes all associated SHA-256 hashes from the file list.

  • You cannot upload additional source files to a file list if a successful upload would result in the file list containing more than 10000 distinct SHA-256 values.

  • The system truncates descriptions exceeding 256 characters to the first 256 characters on upload. If the description contains commas, you must use an escape character (\,). If no description is included, the source file name is used instead.

  • All non-duplicate SHA-256 values are added to the file list. If a file list contains a SHA-256 value, and you upload a source file containing that value, the newly uploaded value does not modify the existing SHA-256 value. When viewing captured files, file events, or malware events related to the SHA-256 value, any threat name or description is derived from the individual SHA-256 value.

  • The system does not upload invalid SHA-256 values in a source file.

  • If multiple uploaded source files contain an entry for the same SHA-256 value, the system uses the most recent value.

  • If a source file contains multiple entries for the same SHA-256 value, the system uses the last one.

  • You cannot directly edit a source file within the object manager. To make changes, you must first modify your source file directly, delete the copy on the system, then upload the modified source file.

  • The number of entries associated with a source file refers to the number of distinct SHA-256 values. If you delete a source file from a file list, the total number of SHA-256 entries the file list contains decreases by the number of valid entries in the source file.
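The following is an added example (not code from the Cisco guide) that applies the source-file rules above to a constructed .csv upload: header lines starting with # are skipped, the SHA-256 is the first field, "\," escapes a comma in the description, descriptions are truncated to 256 characters, a missing description falls back to the source file name, invalid hashes are rejected, the last duplicate inside one file wins, existing values in the list are left unchanged, and the 10000-entry limit is enforced. Case-insensitive handling of hex digits is an assumption, not stated on the page.

```python
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MAX_DESCRIPTION_CHARS = 256
MAX_FILE_LIST_ENTRIES = 10000

# Constructed sample upload (not from the guide): header, an entry with an
# ignored third field, an escaped comma, an invalid hash, a duplicate SHA-256
# (later entry wins), a CR+LF line ending and an entry with no description.
SHA_A, SHA_B, SHA_C = "a" * 64, "b" * 64, "c" * 64
SAMPLE_SOURCE_NAME = "approved-builds.csv"
SAMPLE_SOURCE_TEXT = (
    "# sha256,description   <- header line, treated as a comment\n"
    f"{SHA_A},Internal build tool v1,extra field is ignored\n"
    f"{SHA_B},Installer\\, signed copy\n"
    "not-a-sha256-value,rejected entry\n"
    f"{SHA_B},Installer (second entry wins)\r\n"
    f"{SHA_C}\n"
)


def split_entry_fields(line):
    """Split an entry on unescaped commas; the escape '\\,' yields a literal comma."""
    fields, buf, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line) and line[i + 1] == ",":
            buf.append(",")
            i += 2
        elif line[i] == ",":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(line[i])
            i += 1
    fields.append("".join(buf))
    return fields


def parse_source_file(file_name, text):
    """Return ({sha256: description}, [rejected first fields]) for one source file."""
    if not file_name.lower().endswith(".csv"):
        raise ValueError("source file must have a .csv extension")
    entries, rejected = {}, []
    for raw in text.splitlines():  # accepts both LF and CR+LF line endings
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or header/comment
        fields = split_entry_fields(line)
        sha = fields[0].strip().lower()  # assumption: hex digits compared case-insensitively
        if not SHA256_RE.match(sha):
            rejected.append(fields[0].strip())  # invalid values are not uploaded
            continue
        description = fields[1].strip() if len(fields) > 1 else ""
        if not description:
            description = file_name  # no description: source file name is used
        # A later entry for the same SHA-256 in this file replaces the earlier one.
        entries[sha] = description[:MAX_DESCRIPTION_CHARS]
    return entries, rejected


def add_source_file(file_list, entries):
    """Merge parsed entries into an existing {sha256: description} file list.

    Values already in the list keep their existing description; the whole
    upload is refused if the result would exceed 10000 distinct values.
    """
    merged = dict(file_list)
    for sha, description in entries.items():
        merged.setdefault(sha, description)
    if len(merged) > MAX_FILE_LIST_ENTRIES:
        raise ValueError(f"upload would exceed {MAX_FILE_LIST_ENTRIES} distinct SHA-256 values")
    return merged


if __name__ == "__main__":
    parsed, bad = parse_source_file(SAMPLE_SOURCE_NAME, SAMPLE_SOURCE_TEXT)
    for sha, desc in parsed.items():
        print(sha[:12] + "...", desc)
    print("rejected:", bad)
```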

Adding Individual SHA-256 Values to File Lists

You must have the Malware Defense license for this procedure.

You can submit a file’s SHA-256 value to add it to a file list. You cannot add duplicate SHA-256 values.

Before you begin

  • Right-click a file or malware event from the event view, choose Show Full Text in the context menu, and copy the full SHA-256 value for pasting into the file list.

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose File List from the list of object types.

Step 3

Click Edit (edit icon) next to the clean list or custom detection list where you want to add a file.

If View (View button) appears instead, the object belongs to an ancestor domain, or you do not have permission to modify the object.

Step 4

Choose Enter SHA Value from the Add by drop-down list.

Step 5

Enter a description of the source file in the Description field.

Step 6

Enter or paste the file’s entire value in the SHA-256 field. The system does not support matching partial values.

Step 7

Click Add.

Step 8

Click Save.


What to do next


Note


After configuration changes are deployed, the system no longer queries the AMP cloud for files on the list.


Uploading Individual Files to File Lists

You must have the Malware Defense license for this procedure.

If you have a copy of the file you want to add to a file list, you can upload the file to the Secure Firewall Management Center for analysis; the system calculates the file’s SHA-256 value and adds the file to the list. The system does not enforce a limit on the size of files for SHA-256 calculation.

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose File List from the list of object types.

Step 3

Click Edit (edit icon) next to the clean list or custom detection list where you want to add a file.

If View (View button) appears instead, the object belongs to an ancestor domain, or you do not have permission to modify the object.

Step 4

From the Add by drop-down list, choose Calculate SHA.

Step 5

Optionally, enter a description of the file in the Description field. If you do not enter a description, the file name is used for the description on upload.

Step 6

Click Browse, and choose a file to upload.

Step 7

Click Calculate and Add SHA.

Step 8

Click Save.


What to do next


Note


After you deploy configuration changes, the system no longer queries the AMP cloud for files on the list.


Uploading Source Files to File Lists

You must have the Malware Defense license for this procedure.

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Click File List.

Step 3

Click Edit (edit icon) next to the file list where you want to add values from a source file.

If View (View button) appears instead, the object belongs to an ancestor domain, or you do not have permission to modify the object.

Step 4

In the Add by drop-down list, choose List of SHAs.

Step 5

Optionally, enter a description of the source file in the Description field. If you do not enter a description, the system uses the file name.

Step 6

Click Browse to browse to the source file, then click Upload and Add List.

Step 7

Click Save.


What to do next


Note


After you deploy the policies, the system no longer queries the AMP cloud for files on the list.


Editing SHA-256 Values in File Lists

You must have the Malware Defense license for this procedure.

You can edit or delete individual SHA-256 values on a file list. Note that you cannot directly edit a source file within the object manager. To make changes, you must first modify your source file directly, delete the copy on the system, then upload the modified source file.

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Click File List.

Step 3

Click Edit (edit icon) next to the clean list or custom detection list where you want to modify a file.

If View (View button) appears instead, the object belongs to an ancestor domain, or you do not have permission to modify the object.

Step 4

You can:

  • Click Edit (edit icon) next to the SHA-256 value you want to change, and modify the SHA-256 or Description values as desired.
  • Click Delete (delete icon) next to the SHA-256 value you want to delete.

Step 5

Click Save to update the file entry in the list.

Step 6

Click Save to save the file list.


What to do next


Note


After configuration changes are deployed, the system no longer queries the AMP cloud for files on the list.


Downloading Source Files from File Lists

You must have the Malware Defense license for this procedure.

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose File List from the list of object types.

Step 3

Click Edit (edit icon) next to the clean list or custom detection list where you want to download a source file.

If View (View button) appears instead, the object belongs to an ancestor domain, or you do not have permission to modify the object.

Step 4

Next to the source file you want to download, click View (View button).

Step 5

Click Download SHA List and follow the prompts to save the source file.

Step 6

Click Close.


FlexConfig

Use FlexConfig policy objects in FlexConfig policies to provide customized configuration of features on threat defense devices that you cannot otherwise configure using Secure Firewall Management Center. For more information on FlexConfig policies, see FlexConfig Policy Overview.

You can configure the following types of objects for FlexConfig.

Text Objects

Text objects define free-form text strings that you use as variables in a FlexConfig object. These objects can have single values or be a list of multiple values.

There are several predefined text objects that are used in the predefined FlexConfig objects. If you use the associated FlexConfig object, you simply need to edit the contents of the text object to customize how the FlexConfig object configures a given device. When editing a predefined object, it is in general a better option to create device overrides for each device you are configuring, rather than directly change the default values of these objects. This helps avoid unintended consequences if another user wants to use the same FlexConfig object for a different set of devices.

For information on configuring text objects, see Configure FlexConfig Text Objects.

FlexConfig Objects

FlexConfig Objects include device configuration commands, variables, and scripting language instructions. During configuration deployment, these instructions are processed to create a sequence of configuration commands with customized parameters to configure specific features on the target devices.

These instructions are either configured before (prepended) the system configures features defined in regular management center policies and settings, or after (appended). Any FlexConfig that depends on Secure Firewall Management Center-configured objects (for example, a network object) must be appended to the configuration deployment; otherwise, the needed objects would not yet be configured when the FlexConfig refers to them.

For more information on configuring FlexConfig objects, see Configure FlexConfig Objects.

Geolocation

Each geolocation object you configure represents one or more countries or continents that the system has identified as the source or destination of traffic on your monitored network. You can use geolocation objects in various places in the system’s web interface, including access control policies, SSL policies, remote access VPN, and event searches. For example, you could write an access control rule that blocks traffic to or from certain countries.

To ensure that you are using up-to-date information to filter your network traffic, Cisco strongly recommends that you regularly update your Geolocation Database (GeoDB).

Creating Geolocation Objects

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose Geolocation from the list of object types.

Step 3

Click Add Geolocation.

Step 4

Enter a Name.

Step 5

Check the check boxes for the countries and continents you want to include in your geolocation object. Checking a continent chooses all countries within that continent, as well as any countries that GeoDB updates may add under that continent in the future. Unchecking any country under a continent unchecks the continent. You can choose any combination of countries and continents.

Step 6

Click Save.


Interface

Each interface can be assigned to a security zone and/or interface group. You then apply your security policy based on zones or groups. For example, you can assign the "inside" interface to the "inside" zone, and the "outside" interface to the "outside" zone. You can then configure your access control policy to allow traffic from inside to outside, but not from outside to inside. Some policies only support security zones, while other policies support zones and groups.

For more information about interface objects, see Security Zones and Interface Groups.

To add interface objects, see Create Security Zone and Interface Group Objects.

Key Chain

To enhance data security and protection of devices, rotating keys with a duration of 180 days or less are introduced for authenticating IGP peers. Rotating keys prevent a malicious user from guessing the keys used for routing protocol authentication, and thereby protect the network from advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of them eventually being guessed. When configuring authentication for routing protocols that support key chains, configure the keys in a key chain to have overlapping lifetimes. This helps to prevent loss of key-secured communication due to the absence of an active key. Rotating keys are applicable only to the OSPFv2 protocol. If the key lifetime expires and no active keys are found, OSPF uses the last valid key to maintain the adjacency with peers.


Note


Only the MD5 cryptographic algorithm is used for authentication.


Lifetime of a Key

To maintain stable communications, each device stores key chain authentication keys and uses more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, key chain management provides a secured mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a key chain are active.

Each key in a key chain has two lifetimes:

  • Accept lifetime—The time interval within which the device accepts the key during key exchange with another device.

  • Send lifetime—The time interval within which the device sends the key during key exchange with another device.

During a key send lifetime, the device sends routing update packets with the key. The device does not accept communication from other devices when the key sent is not within the accept lifetime of the key on the device.

If lifetimes are not configured, the result is equivalent to configuring an MD5 authentication key without a lifetime.

Key Selection

  • When a key chain has more than one valid key, OSPF selects the key that has the longest lifetime.

  • A key with an infinite lifetime is preferred.

  • If keys have the same lifetime, the key with the higher key ID is preferred.
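The following is an added example (not Cisco code) that models the lifetime and key selection rules described above for a constructed three-key chain: a key is active when the current time falls inside its send lifetime, the active key is chosen by preferring an infinite lifetime, then the longest lifetime, then the higher key ID, the last valid key is used when none is active, received packets are checked against accept lifetimes, and the chain is scanned for gaps where no send key is active. The representation of lifetimes as start/end datetimes in UTC is this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc_day(year, month, day):
    """Midnight UTC; the guide notes that Date Time values default to UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Lifetime:
    """A key lifetime. end=None means the key never expires (infinite lifetime)."""
    start: datetime
    end: Optional[datetime] = None

    def validate(self):
        # Validation rules from the guide: a start is required, and the start
        # must be earlier than the end when an end is specified.
        if self.start is None:
            raise ValueError("start lifetime cannot be null")
        if self.end is not None and not self.start < self.end:
            raise ValueError("start lifetime must be earlier than end lifetime")

    def contains(self, at):
        return self.start <= at and (self.end is None or at < self.end)

    def duration(self):
        return None if self.end is None else self.end - self.start


@dataclass(frozen=True)
class Key:
    key_id: int        # 0-255; the guide reserves 0 for signalling an invalid key
    accept: Lifetime   # interval during which this key is accepted from peers
    send: Lifetime     # interval during which this key is used for sent packets


def validate_chain(chain):
    for key in chain:
        if not 0 <= key.key_id <= 255:
            raise ValueError("key ID must be between 0 and 255")
        key.accept.validate()
        key.send.validate()
    if len(chain) < 2:
        raise ValueError("create at least two keys with overlapping lifetimes")


def select_send_key(chain, at):
    """Key used for OSPFv2 packets sent at `at`, following the selection rules above;
    if no key is active, the last valid (most recently expired) key is used."""
    active = [k for k in chain if k.send.contains(at)]
    if not active:
        expired = [k for k in chain if k.send.end is not None and k.send.end <= at]
        return max(expired, key=lambda k: (k.send.end, k.key_id), default=None)

    def rank(k):
        d = k.send.duration()
        # infinite lifetime first, then longest lifetime, then higher key ID
        return (d is None, d if d is not None else timedelta(0), k.key_id)

    return max(active, key=rank)


def accepts(chain, key_id, at):
    """Whether a packet authenticated with key_id is accepted at time `at`."""
    return any(k.key_id == key_id and k.accept.contains(at) for k in chain)


def send_gaps(chain):
    """Intervals with no active send key; an empty list means the lifetimes overlap."""
    spans = sorted(((k.send.start, k.send.end) for k in chain), key=lambda s: s[0])
    gaps, covered_to = [], spans[0][0]
    for start, end in spans:
        if start > covered_to:
            gaps.append((covered_to, start))
        if end is None:
            return gaps  # an infinite key covers everything after this point
        covered_to = max(covered_to, end)
    return gaps


# Constructed sample chain: keys 1 and 2 overlap during May 2025; key 3 never
# expires but leaves October uncovered, which send_gaps() reports.
SAMPLE_CHAIN = [
    Key(1, Lifetime(utc_day(2025, 1, 1), utc_day(2025, 6, 1)),
        Lifetime(utc_day(2025, 1, 1), utc_day(2025, 6, 1))),
    Key(2, Lifetime(utc_day(2025, 5, 1), utc_day(2025, 10, 1)),
        Lifetime(utc_day(2025, 5, 1), utc_day(2025, 10, 1))),
    Key(3, Lifetime(utc_day(2025, 11, 1)), Lifetime(utc_day(2025, 11, 1))),
]

if __name__ == "__main__":
    validate_chain(SAMPLE_CHAIN)
    for when in (utc_day(2025, 3, 1), utc_day(2025, 5, 15), utc_day(2025, 10, 15)):
        print(when.date(), "-> send with key", select_send_key(SAMPLE_CHAIN, when).key_id)
    print("gaps:", send_gaps(SAMPLE_CHAIN))
```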

Creating Key Chain Objects

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose Key Chain from the list of object types.

Step 3

Click Add Key Chain.

Step 4

In the Add Key Chain Object dialog box, enter a name for the key chain in the Name field.

The name must start with an underscore or a letter, followed by alphanumeric characters or the special characters -, _, +, and . (period).

Step 5

To add a key to the key chain, click Add.

Step 6

Specify the key identifier in the Key ID field.

The Key ID value can be between 0 and 255. Use the value 0 only when you want to signal an invalid key.

Step 7

The Algorithm field and the Crypto Encryption Type field display the supported algorithm and encryption type, namely MD5 and Plain Text respectively.

Step 8

Enter the password in the Crypto Key String field, and re-enter the password in the Confirm Crypto Key String field.

  • The password can have a maximum length of 80 characters.

  • The password cannot be a single digit, nor can it start with a digit followed by white space. For example, "0 pass" and "1" are invalid.

Step 9

To set the time interval during which a device accepts or sends the key during key exchange with another device, provide the lifetime values in the Accept Lifetime and Send Lifetime fields:

Note


The Date Time values default to the UTC timezone.


The end time can be specified as a duration, as the absolute time at which the accept/send lifetime ends, or as never expiring. The default end time type is DateTime.

Following are the validation rules for the start and end values:

  • Start lifetime cannot be null when the end lifetime is specified.

  • The start lifetime for accept or send lifetime must be earlier than the respective end lifetime.

Step 10

Click Add.

Repeat steps 5 to 10 to create additional keys. Create a minimum of two keys with overlapping lifetimes for a key chain. This helps to prevent loss of key-secured communication due to the absence of an active key.

Step 11

Manage overrides for the object:

  • If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.
  • If you want to add override values to this object, expand the Override section and click Add; see Adding Object Overrides.

Step 12

Click Save.


Network

A network object represents one or more IP addresses. You can use network objects and groups in various places, including access control policies, network variables, identity rules, network discovery rules, event searches, reports, identity policies, and so on.

When you configure an option that requires a network object, the list is automatically filtered to show only those objects that are valid for the option. For example, some options require host objects, while other options require subnets.

A network object can be one of the following types:

Host

A single IP address.

IPv4 example:

209.165.200.225

IPv6 example:

2001:DB8::0DB8:800:200C:417A or 2001:DB8:0:0:0DB8:800:200C:417A

Range

A range of IP addresses.

IPv4 example:

209.165.200.225-209.165.200.250

IPv6 example:

2001:db8:0:cd30::1-2001:db8:0:cd30::1000

Network

An address block, also known as a subnet.

IPv4 example:

209.165.200.224/27

IPv6 example:

2001:DB8:0:CD30::/60


Note


Security Intelligence ignores IP address blocks using a /0 netmask.


FQDN

A single fully-qualified domain name (FQDN). You can limit FQDN resolution to IPv4 addresses only, IPv6 addresses only, or both IPv4 and IPv6 addresses. FQDNs must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters in an FQDN.

For example:

  • www.example.com

Note


You can use FQDN objects only in access control rules, prefilter rules, and manual NAT rules. The rules match the IP address obtained for the FQDN through a DNS lookup. To use an FQDN network object, ensure you have configured the DNS server settings in DNS Server Group and the DNS platform settings in DNS.

You cannot use FQDN network objects in identity rules.


Group

A group of network objects or other network object groups. You can create nested groups by adding one network object group to another network object group. You can nest up to 10 levels of groups.


Note


You can add up to 100 network literals in a network object. Additionally, each nested network object group can contain a maximum of 100 network literals.


Network Wildcard Mask

You can create and manage wildcard mask objects from the Object Management page.

You can create network objects with an expanded subnet mask. The existing network object type is extended to support both Network and Network Wildcard objects. A network object that uses a wildcard mask is listed as Network Wildcard in the Type column of the network object listing page.

A wildcard mask is a mask whose set bits are discontinuous. Contiguous masks create standard network objects; discontinuous masks create network wildcard objects.

Example IP Address             Network Wildcard?   Object Type

192.0.0.0/8                    No                  Network

10.10.0.0/255.255.0.0          No                  Network

10.10.0.10/255.255.0.255       Yes                 Network Wildcard

72.0.240.10/255.255.240.255    Yes                 Network Wildcard


Note


Network wildcard objects, and object groups that contain network wildcard objects, are allowed only when configuring the following policies:

  • Prefilter policy

  • Access control policy

  • NAT policy


Guidelines and Limitations

  • To create network wildcard objects, in the management center UI, choose Objects > Object Management > Network and click Add Network, then Add Object. Select the Network option and enter the value as an expanded subnet mask. Example: 10.0.10.10/255.255.0.255.

  • Object override, group object support, group object override, wildcard literals, and wildcard object import are supported.

  • The network wildcard object is supported only for IPv4 addresses.

  • The network wildcard object is supported from management center and threat defense version 7.1 onwards.

  • Network wildcard objects are supported only for Snort-3.
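The following is an added example (not Cisco code) that classifies the address/mask values from the table above the way the Type column does: a mask whose set bits are contiguous yields a Network object, a discontinuous mask yields a Network Wildcard object. It also evaluates which IPv4 addresses such an object matches and how many it covers. It assumes, consistent with the "expanded subnet mask" wording, that set mask bits are the bits an address must match; IPv4 only, as the guide states.

```python
import ipaddress

IPV4_BITS = 0xFFFFFFFF


def parse_mask(mask_text):
    """Accept a prefix length ("8") or an expanded dotted mask ("255.255.0.255")
    and return it as a 32-bit integer."""
    if mask_text.isdigit():
        length = int(mask_text)
        if not 0 <= length <= 32:
            raise ValueError("prefix length must be between 0 and 32")
        return (IPV4_BITS << (32 - length)) & IPV4_BITS
    return int(ipaddress.IPv4Address(mask_text))


def is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits.
    Inverting such a mask gives a value one less than a power of two."""
    inverted = ~mask & IPV4_BITS
    return (inverted + 1) & inverted == 0


def classify(value):
    """Return (object_type, network, mask) for an 'address/mask' value as typed
    in the Network field. object_type is "Network" or "Network Wildcard"."""
    addr_text, _, mask_text = value.partition("/")
    if not mask_text:
        raise ValueError("expected address/mask")
    addr = int(ipaddress.IPv4Address(addr_text))  # wildcard objects are IPv4 only
    mask = parse_mask(mask_text)
    kind = "Network" if is_contiguous(mask) else "Network Wildcard"
    return kind, addr & mask, mask


def matches(value, ip_text):
    """Whether ip_text belongs to the object: every set mask bit must match."""
    _, network, mask = classify(value)
    return int(ipaddress.IPv4Address(ip_text)) & mask == network


def match_count(value):
    """Number of addresses the object covers: one per combination of the zero mask bits."""
    _, _, mask = classify(value)
    return 1 << bin(~mask & IPV4_BITS).count("1")


# Rows of the table above plus the example from Guidelines and Limitations.
TABLE_ROWS = [
    "192.0.0.0/8",
    "10.10.0.0/255.255.0.0",
    "10.10.0.10/255.255.0.255",
    "72.0.240.10/255.255.240.255",
    "10.0.10.10/255.255.0.255",
]

if __name__ == "__main__":
    for row in TABLE_ROWS:
        kind, _, _ = classify(row)
        print(f"{row:30} {kind:18} covers {match_count(row)} addresses")
```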

Creating Network Objects

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose Network from the list of object types.

Step 3

Choose Add Object from the Add Network drop-down menu.

Step 4

Alternatively, you can clone an existing network object and edit the parameters to create a new network object. Click the Clone icon on the existing network object that you want to clone.

Step 5

Enter a Name.

Step 6

Optionally, enter a Description.

Step 7

In the Network field, select the required option and enter an appropriate value; see Network.

Note


You can add up to 100 network literals in a network object. Additionally, each nested network object group can contain a maximum of 100 network literals.

Step 8

(FQDN objects only) Select the DNS resolution from the Lookup drop-down menu to determine whether you want the IPv4, IPv6, or both IPv4 and IPv6 addresses associated with the FQDN.

Step 9

Manage overrides for the object:

  • If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.
  • If you want to add override values to this object, expand the Override section and click Add; see Adding Object Overrides.

Step 10

Click Save.


Importing Network Objects

For details on importing network objects, see Importing Objects.

PKI

PKI Objects for SSL Application

PKI objects represent the public key certificates and paired private keys required to support your deployment. Internal and trusted CA objects consist of certificate authority (CA) certificates; internal CA objects also contain the private key paired with the certificate. Internal and external certificate objects consist of server certificates; internal certificate objects also contain the private key paired with the certificate.

If you use trusted certificate authority objects and internal certificate objects to configure a connection to ISE/ISE-PIC, you can use ISE/ISE-PIC as an identity source.

If you use internal certificate objects to configure captive portal, the system can authenticate the identity of your captive portal device when connecting to users' web browsers.

If you use trusted certificate authority objects to configure realms, you can configure secure connections to LDAP or AD servers.

If you use PKI objects in SSL rules, you can match traffic encrypted with:

  • the certificate in an external certificate object

  • a certificate either signed by the CA in a trusted CA object, or within the CA’s chain of trust

If you use PKI objects in SSL rules, you can decrypt:

  • outgoing traffic by re-signing the server certificate with an internal CA object

  • incoming traffic using the known private key in an internal certificate object

You can manually input certificate and key information, upload a file containing that information, or in some cases, generate a new CA certificate and private key.

When you view a list of PKI objects in the object manager, the system displays the certificate’s Subject distinguished name as the object value. Hover your pointer over the value to view the full certificate Subject distinguished name. To view other certificate details, edit the PKI object.


Note


The management center and managed devices encrypt all private keys stored in internal CA objects and internal certificate objects with a randomly generated key before saving them. If you upload private keys that are password protected, the appliance decrypts the key using the user-supplied password, then reencrypts it with the randomly generated key before saving it.


PKI Objects for Certificate Enrollment

A certificate enrollment object contains the Certification Authority (CA) server information and enrollment parameters that are required for creating Certificate Signing Requests (CSRs) and obtaining Identity Certificates from the specified CA. These activities occur in your Private Key Infrastructure (PKI).

The certificate enrollment object may also include certificate revocation information. For more information on PKI, digital certificates, and certificate enrollment, see PKI Infrastructure and Digital Certificates.

Internal Certificate Authority Objects

Each internal certificate authority (CA) object you configure represents the CA public key certificate of a CA your organization controls. The object consists of the object name, CA certificate, and paired private key. You can use internal CA objects and groups in SSL rules to decrypt outgoing encrypted traffic by re-signing the server certificate with the internal CA.


Note


If you reference an internal CA object in a Decrypt - Resign SSL rule and the rule matches an encrypted session, the user’s browser may warn that the certificate is not trusted while negotiating the SSL handshake. To avoid this, add the internal CA object certificate to either the client or domain list of trusted root certificates.


You can create an internal CA object in the following ways:

  • import an existing RSA-based or elliptic curve-based CA certificate and private key

  • generate a new self-signed RSA-based CA certificate and private key

  • generate an unsigned RSA-based CA certificate and private key. You must submit a certificate signing request (CSR) to another CA to sign the certificate before using the internal CA object.

After you create an internal CA object containing a signed certificate, you can download the CA certificate and private key. The system encrypts downloaded certificates and private keys with a user-provided password.

Whether system-generated or user-created, you can modify the internal CA object name, but cannot modify other object properties.

You cannot delete an internal CA object that is in use. Additionally, after you edit an internal CA object used in an SSL policy, the associated access control policy goes out-of-date. You must re-deploy the access control policy for your changes to take effect.

CA Certificate and Private Key Import

You can configure an internal CA object by importing an X.509 v3 CA certificate and private key. You can upload files encoded in one of the following supported formats:

  • Distinguished Encoding Rules (DER)

  • Privacy-enhanced Electronic Mail (PEM)

If the private key file is password-protected, you can supply the decryption password. If the certificate and key are encoded in the PEM format, you can also copy and paste the information.

You can upload only files that contain proper certificate or key information, and that are paired with each other. The system validates the pair before saving the object.
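The pair validation and format handling described above can be rehearsed on a workstation before anything is uploaded. The following is an added example, not Cisco documentation code or product functionality: it uses the openssl command line (assumed to be version 1.1.1 or later and on PATH) to tell PEM from DER, convert DER to PEM, decrypt a password-protected key the way the Encrypted check box does, and confirm that the certificate's public key matches the private key. The CA certificate, keys and password are constructed inside the script.

```bash
#!/usr/bin/env bash
# Added example (not Cisco documentation code): pre-upload checks for an
# internal CA object. Assumes the openssl CLI (1.1.1 or later) is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req configuration so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Report whether a certificate or key file is PEM or DER encoded.
# PEM is base64 text that starts with a "-----BEGIN" banner; DER is binary.
detect_format() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# Convert a DER certificate to PEM (both can be uploaded, but only PEM can be
# pasted into the Certificate Data field).
cert_der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Decrypt a password-protected private key (what the "Encrypted, and the
# password is:" check box does with the user-supplied password).
decrypt_key() { openssl pkey -in "$1" -passin "pass:$2" -out "$3"; }

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key, i.e. the two files are a matching pair.
key_matches_cert() {
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub_from_cert.pem"
  openssl pkey -in "$2" -pubout       > "$WORK/pub_from_key.pem"
  cmp -s "$WORK/pub_from_cert.pem" "$WORK/pub_from_key.pem"
}

# --- constructed test material (not a real CA) ------------------------------
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 3650 \
  -subj "/O=Example Corp/CN=Example Internal CA" 2>/dev/null
# A second, unrelated key to show the mismatch case.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.key" 2>/dev/null
# A DER copy of the certificate and an AES-encrypted copy of the key.
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
openssl pkey -in "$WORK/ca.key" -aes256 -passout pass:Secret123 \
  -out "$WORK/ca.enc.key"

# Demonstration run.
cert_der_to_pem "$WORK/ca.der" "$WORK/ca.from_der.pem"
decrypt_key "$WORK/ca.enc.key" Secret123 "$WORK/ca.dec.key"
echo "ca.der is $(detect_format "$WORK/ca.der"), ca.pem is $(detect_format "$WORK/ca.pem")"
if key_matches_cert "$WORK/ca.from_der.pem" "$WORK/ca.dec.key"; then
  echo "certificate and key are a matching pair: safe to upload"
fi
if ! key_matches_cert "$WORK/ca.pem" "$WORK/other.key"; then
  echo "other.key does not belong to ca.pem: the upload would be rejected"
fi
```

The pairing check compares the SubjectPublicKeyInfo taken from the certificate with the one derived from the private key, which is the same property the object manager validates before saving; running it locally avoids uploading a key that belongs to a different certificate.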


Note


If you configure a rule with the Decrypt - Resign action, the rule matches traffic based on the referenced internal CA certificate’s encryption algorithm type, in addition to any configured rule conditions. You must upload an elliptic curve-based CA certificate to decrypt outgoing traffic encrypted with an elliptic curve-based algorithm, for example.


Importing a CA Certificate and Private Key

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Internal CAs.

Step 3

Click Import CA.

Step 4

Enter a Name.

Step 5

Above the Certificate Data field, click Browse to upload a DER or PEM-encoded X.509 v3 CA certificate file.

Step 6

Above the Key field, click Browse to upload a DER or PEM-encoded paired private key file.

Step 7

If the uploaded file is password-protected, check the Encrypted, and the password is: check box, and enter the password.

Step 8

Click Save.


Generating a New CA Certificate and Private Key

You can configure an internal CA object by providing identification information to generate a self-signed RSA-based CA certificate and private key.

The generated CA certificate is valid for ten years. The Valid From date is a week before generation.

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Internal CAs.

Step 3

Click Generate CA.

Step 4

Enter a Name.

Step 5

Enter the identification attributes.

Step 6

Click Generate self-signed CA.


New Signed Certificates

You can configure an internal CA object by obtaining a signed certificate from a CA. This involves two steps:

  • Provide identification information to configure the internal CA object. This generates an unsigned certificate and paired private key, and creates a certificate signing request (CSR) to a CA you specify.

  • After the CA issues the signed certificate, upload it to the internal CA object, replacing the unsigned certificate.

You can only reference an internal CA object in an SSL rule if it contains a signed certificate.
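The two-step flow above, seen from the command line, as an added example that is not Cisco documentation code or product functionality. It assumes the openssl CLI (1.1.1 or later); the parent CA, the key pair, the CSR and all names are constructed here. Step 1 produces the key pair and CSR, the parent CA signs it with CA:TRUE basic constraints (the property that later lets the certificate re-sign server certificates), and the checks at the end are the ones worth running before the signed certificate is installed into the object.

```bash
#!/usr/bin/env bash
# Added example (not Cisco documentation code): the CSR round trip for an
# unsigned internal CA. Assumes the openssl CLI (1.1.1 or later); the parent
# CA and every name below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions the parent CA applies when it signs a subordinate CA request.
# CA:TRUE is what lets the issued certificate sign (re-sign) server
# certificates; pathlen:0 stops it from issuing further CAs.
cat > "$WORK/subca.ext" <<'EOF'
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

# Constructed stand-in for the organisation's existing parent CA.
make_parent_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/parent.key" -out "$WORK/parent.pem" -days 3650 \
    -subj "/O=Example Corp/CN=Example Parent CA" 2>/dev/null
}

# Step 1: generate the key pair and a CSR for the still-unsigned CA.
make_subca_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/subca.key" -out "$WORK/subca.csr" \
    -subj "/O=Example Corp/CN=Example Decrypt-Resign CA" 2>/dev/null
}

# What the parent CA does with the submitted CSR.
sign_subca_csr() {
  openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/parent.pem" \
    -CAkey "$WORK/parent.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/subca.ext" -out "$WORK/subca.pem" 2>/dev/null
}

# Step 2 checks before uploading: the signed certificate must be a CA, must
# chain to the parent, and must belong to the key generated in step 1.
issued_cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
chains_to_parent()  { openssl verify -CAfile "$WORK/parent.pem" "$1" >/dev/null 2>&1; }
key_matches_cert()  {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

make_parent_ca
make_subca_csr
echo "CSR to submit to the parent CA:"
openssl req -in "$WORK/subca.csr" -noout -subject
sign_subca_csr
if issued_cert_is_ca "$WORK/subca.pem" && chains_to_parent "$WORK/subca.pem" \
   && key_matches_cert "$WORK/subca.pem" "$WORK/subca.key"; then
  echo "signed certificate verified: ready to install into the internal CA object"
fi
```

If a CA returns a certificate without CA:TRUE (an ordinary server certificate), the object would hold a signed certificate that cannot act as a CA; the issued_cert_is_ca check catches that before the Decrypt - Resign rule is deployed.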

Creating an Unsigned CA Certificate and CSR

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Internal CAs.

Step 3

Click Generate CA.

Step 4

Enter a Name.

Step 5

Enter the identification attributes.

Step 6

Click Generate CSR.

Step 7

Copy the CSR to submit to a CA.

Step 8

Click OK.


Uploading a Signed Certificate Issued in Response to a CSR

Once uploaded, the signed certificate can be referenced in SSL rules.

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Internal CAs.

Step 3

Click Edit (edit icon) next to the CA object containing the unsigned certificate awaiting the CSR.

Step 4

Click Install Certificate.

Step 5

Click Browse to upload a DER or PEM-encoded X.509 v3 CA certificate file.

Step 6

If the uploaded file is password protected, check the Encrypted, and the password is: check box, and enter the password.

Step 7

Click Save to upload a signed certificate to the CA object.


CA Certificate and Private Key Downloads

You can back up or transfer a CA certificate and paired private key by downloading a file containing the certificate and key information from an internal CA object.


Caution


Always store downloaded key information in a secure location.


The system encrypts the private key stored in an internal CA object with a randomly generated key before saving it to disk. If you download a certificate and private key from an internal CA object, the system first decrypts the information before creating a file containing the certificate and private key information. You must then provide a password the system uses to encrypt the downloaded file.


Caution


Private keys downloaded as part of a system backup are decrypted, then stored in the unencrypted backup file.


Downloading a CA Certificate and Private Key

You can download CA certificates for both the current domain and ancestor domains.

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Internal CAs.

Step 3

Next to the internal CA object whose certificate and private key you want to download, click Edit (edit icon).

Step 4

Click Download.

Step 5

Enter an encryption password in the Password and Confirm Password fields.

Step 6

Click OK.


Trusted Certificate Authority Objects

Each trusted certificate authority (CA) object you configure represents a CA public key certificate belonging to a trusted CA. The object consists of the object name and CA public key certificate. You can use external CA objects and groups in:

  • your SSL policy to control traffic encrypted with a certificate signed either by the trusted CA, or any CA within the chain of trust.

  • your realm configurations to establish secure connections to LDAP or AD servers.

  • your ISE/ISE-PIC connection. Select trusted certificate authority objects for the pxGrid Server CA and MNT Server CA fields.

After you create the trusted CA object, you can modify the name and add certificate revocation lists (CRL), but cannot modify other object properties. There is no limit on the number of CRLs you can add to an object. If you want to modify a CRL you have uploaded to an object, you must delete the object and recreate it.


Note


Adding a CRL to an object has no effect when the object is used in your ISE/ISE-PIC integration configuration.


You cannot delete a trusted CA object that is in use. Additionally, after you edit a trusted CA object that is in use, the associated access control policy goes out-of-date. You must re-deploy the access control policy for your changes to take effect.

Trusted CA Object

You can configure an external CA object by uploading an X.509 v3 CA certificate. You can upload a file encoded in one of the following supported formats:

  • Distinguished Encoding Rules (DER)

  • Privacy-enhanced Electronic Mail (PEM)

If the file is password-protected, you must supply the decryption password. If the certificate is encoded in the PEM format, you can also copy and paste the information.

You can upload a CA certificate only if the file contains proper certificate information; the system validates the certificate before saving the object.

Adding a Trusted CA Object

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Trusted CAs.

Step 3

Click Add Trusted CAs.

Step 4

Enter a Name.

Step 5

Click Browse to upload a DER or PEM-encoded X.509 v3 CA certificate file.

Step 6

If the file is password-protected, check the Encrypted, and the password is: check box, and enter the password.

Step 7

Click Save.


Certificate Revocation Lists in Trusted CA Objects

You can upload CRLs to a trusted CA object. If you reference that trusted CA object in an SSL policy, you can control encrypted traffic based on whether the CA that issued the session encryption certificate subsequently revoked the certificate. You can upload files encoded in one of the following supported formats:

  • Distinguished Encoding Rules (DER)

  • Privacy-enhanced Electronic Mail (PEM)

After you add the CRL, you can view the list of revoked certificates. If you want to modify a CRL you have uploaded to an object, you must delete the object and recreate it.

You can upload only files that contain a proper CRL. There is no limit to the number of CRLs you can add to a trusted CA object. However, you must save the object each time you upload a CRL, before adding another CRL.
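What a CRL uploaded to a trusted CA object actually encodes, and the check it enables, as an added example that is not Cisco documentation code or product functionality. It assumes the openssl CLI (1.1.1 or later); the CA, the server certificate and all names are constructed. The script issues a server certificate from a demo CA, publishes an empty CRL, revokes the certificate, publishes a new CRL, and runs a revocation-aware verification before and after, then lists the revoked serial numbers the way the object view does.

```bash
#!/usr/bin/env bash
# Added example (not Cisco documentation code): CRL lifecycle on the issuing
# CA and the revocation check it enables. Assumes the openssl CLI (1.1.1 or
# later); the CA, server and names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/newcerts"
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 1000 > "$WORK/crlnumber"

# Minimal "openssl ca" configuration; index.txt is the database that
# -revoke and -gencrl operate on. Paths are expanded by the shell here.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_leaf
[ policy_any ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed trusted CA and a server certificate it issued.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 3650 \
  -subj "/O=Example Corp/CN=Example Trusted CA" 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/CN=www.example.test" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -batch -notext -in "$WORK/server.csr" \
  -out "$WORK/server.pem" 2>/dev/null

# Publish the CA's current CRL (PEM here; DER is equally uploadable).
publish_crl() { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null; }

# Mark a certificate as revoked in the CA database.
revoke_cert() { openssl ca -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null; }

# The revocation-aware check: the server certificate must chain to the CA
# AND be absent from the CA's CRL. Exit 0 = accept, non-zero = revoked/invalid.
server_cert_accepted() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" "$1" >/dev/null 2>&1
}

# Serial numbers listed in the CRL, one per line (what the object view shows
# under the list of revoked certificates).
revoked_serials() {
  openssl crl -in "$WORK/crl.pem" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

publish_crl
if server_cert_accepted "$WORK/server.pem"; then BEFORE=accepted; else BEFORE=rejected; fi
revoke_cert "$WORK/server.pem"
publish_crl
if server_cert_accepted "$WORK/server.pem"; then AFTER=accepted; else AFTER=rejected; fi
echo "before revocation: $BEFORE; after revocation: $AFTER"
echo "serials in CRL: $(revoked_serials | tr '\n' ' ')"
```

Two points the run makes visible: a CRL is only meaningful if it is signed by the same CA that issued the certificate (the verify step rejects a CRL it cannot validate against the CA certificate), and a CRL is a snapshot, which is why a modified list has to be re-uploaded rather than edited in place.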


Note


Adding a CRL to an object has no effect when the object is used in your ISE/ISE-PIC integration configuration.


Adding a Certificate Revocation List to a Trusted CA Object


Note


Adding a CRL to an object has no effect when the object is used in your ISE/ISE-PIC integration configuration.


Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Trusted CAs.

Step 3

Click Edit (edit icon) next to a trusted CA object.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Add CRL to upload a DER or PEM-encoded CRL file.

Step 5

Click OK.


External Certificate Objects

Each external certificate object you configure represents a server public key certificate that does not belong to your organization. The object consists of the object name and certificate. You can use external certificate objects and groups in SSL rules to control traffic encrypted with the server certificate. For example, you can upload a self-signed server certificate that you trust, but cannot verify with a trusted CA certificate.

You can configure an external certificate object by uploading an X.509 v3 server certificate. You can upload a file in one of the following supported formats:

  • Distinguished Encoding Rules (DER)

  • Privacy-enhanced Electronic Mail (PEM)

You can upload only files that contain proper server certificate information; the system validates the file before saving the object. If the certificate is encoded in the PEM format, you can also copy and paste the information.

Adding External Certificate Objects

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose External Certs.

Step 3

Click Add External Cert.

Step 4

Enter a Name.

Step 5

Above the Certificate Data field, click Browse to upload a DER or PEM-encoded X.509 v3 server certificate file.

Step 6

Click Save.


Internal Certificate Objects

Each internal certificate object you configure represents a server public key certificate belonging to your organization. The object consists of the object name, public key certificate, and paired private key. You can use internal certificate objects and groups in:

  • your SSL rules to decrypt traffic incoming to one of your organization’s servers using the known private key.

  • your ISE/ISE-PIC connection. Select an internal certificate object for the MC Server Certificate field.

  • your captive portal configuration to authenticate the identity of your captive portal device when connecting to users' web browsers. Select an internal certificate object for the Server Certificate field.

You can configure an internal certificate object by uploading an X.509 v3 RSA-based or elliptic curve-based server certificate and paired private key. You can upload a file in one of the following supported formats:

  • Distinguished Encoding Rules (DER)

  • Privacy-enhanced Electronic Mail (PEM)

If the file is password-protected, you must supply the decryption password. If the certificate and key are encoded in the PEM format, you can also copy and paste the information.

You can upload only files that contain proper certificate or key information, and that are paired with each other. The system validates the pair before saving the object.

After you create the internal certificate object, you can modify the name, but cannot modify other object properties.

You cannot delete an internal certificate object that is in use. Additionally, after you edit an internal certificate object that is in use, the associated access control policy goes out-of-date. You must re-deploy the access control policy for your changes to take effect.

Adding Internal Certificate Objects

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Expand the PKI node, and choose Internal Certs.

Step 3

Click Add Internal Cert.

Step 4

Enter a Name.

Step 5

Above the Certificate Data field, click Browse to upload a DER or PEM-encoded X.509 v3 server certificate file.

Step 6

Above the Key field, click Browse to upload a DER or PEM-encoded paired private key file.

Step 7

If the uploaded private key file is password-protected, check the Encrypted, and the password is: check box, and enter the password.

Step 8

Click Save.


Certificate Enrollment Objects

Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair. A trustpoint includes the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

A certificate enrollment object contains the Certification Authority (CA) server information and enrollment parameters that are required for creating Certificate Signing Requests (CSRs) and obtaining Identity Certificates from the specified CA. These activities occur in your Private Key Infrastructure (PKI).

The certificate enrollment object may also include certificate revocation information. For more information on PKI, digital certificates, and certificate enrollment, see PKI Infrastructure and Digital Certificates.

How to Use Certificate Enrollment Objects

Certificate Enrollment Objects are used to enroll your managed devices into your PKI infrastructure, and create trustpoints (CA objects) on devices that support VPN connections by doing the following:

  1. Define parameters for CA authentication and enrollment in a Certificate Enrollment Object. Specify shared parameters and use the override facility to specify unique object settings for different devices.

  2. Associate and install this object on each managed device that requires the identity certificate. On the device, it becomes a trustpoint.

    When a certificate enrollment object is associated with and then installed on a device, the process of certificate enrollment starts immediately. The process is automatic for self-signed, SCEP, EST, and PKCS12 file enrollment types, meaning it does not require any additional administrator action. Manual certificate enrollment requires extra administrator action.

  3. Specify the created trustpoint in your VPN configuration.

Managing Certificate Enrollment Objects

To manage certificate enrollment objects, go to Objects > Object Management, then from the navigation pane choose PKI > Cert Enrollment. The following information is shown:

  • Existing certificate enrollment objects are listed in the Name column.

    Use the search field (the magnifying glass) to filter the list.

  • The enrollment type of each object is shown in the Type column. The following enrollment methods can be used:

    • Self Signed—The managed device generates its own self signed root certificate.

    • EST—Enrollment over Secure Transport is used by the device to obtain an identity certificate from the CA.

    • SCEP—(Default) Simple Certificate Enrollment Protocol is used by the device to obtain an identity certificate from the CA.

    • Manual—The process of enrolling is carried out manually by the administrator.

    • PKCS12 File—Import a PKCS12 file on a threat defense managed device that supports VPN connectivity. A PKCS#12 (PFX or P12) file holds the server certificate, any intermediate certificates, and the private key in one encrypted file. Enter the Passphrase value for decryption.

  • The Override column indicates whether the object allows overrides (a green check mark) or not (a red X). If a number is displayed, it is the number of overrides in place.

    Use the Override option to customize the object settings for each device that is part of the VPN configuration. Overriding makes each device's trustpoint details unique. Typically the Common Name or Subject is overridden for each device in the VPN configuration.

    See Object Overrides for details and procedures on overriding objects of any type.

  • Edit a previously created certificate enrollment object by clicking on the edit icon (a pencil). Editing can only be done if the enrollment object is not associated with any managed devices. Refer to the adding instructions for editing a certificate enrollment object. Failed enrollment objects can be edited.

  • Delete a previously created certificate enrollment object by clicking on the delete icon (a trash can). You cannot delete a certificate enrollment object if it is associated with any managed device.

Click (add icon) Add Cert Enrollment to open the Add Cert Enrollment dialog and configure a certificate enrollment object; see Adding Certificate Enrollment Objects. Then install the certificate on each managed headend device.

Adding Certificate Enrollment Objects

You can use these objects with threat defense devices. You must have Admin or Network Admin privileges to do this task.

Procedure

Step 1

Open the Add Cert Enrollment dialog:

  • Directly from Object Management: In the Objects > Object Management screen, choose PKI > Cert Enrollment from the navigation pane, and press Add Cert Enrollment.
  • While configuring a managed device: In the Devices > Certificates screen, choose Add > Add New Certificate and click (add icon) for the Certificate Enrollment field.

Step 2

Enter the Name, and optionally, a Description of this enrollment object.

When enrollment is complete, this name is the name of the trustpoint on the managed devices with which it is associated.

Step 3

Open the CA Information tab and choose the Enrollment Type.

  • Self-Signed Certificate—The managed device, acting as a CA, generates its own self-signed root certificate. No other information is needed in this pane.

    Note


    When enrolling a self-signed certificate you must specify the Common Name (CN) in the certificate parameters.

  • EST—Enrollment over Secure Transport protocol. Specify the EST information. See Certificate Enrollment Object EST Options.
  • SCEP—(Default) Simple Certificate Enrollment Protocol. Specify the SCEP information. See Certificate Enrollment Object SCEP Options.
  • Manual
    • CA Only—Check this check box to create only the CA certificate from the selected CA. An identity certificate will not be created for this certificate.

      If you do not select this check box, a CA certificate is not mandatory. You can generate the CSR without having a CA certificate and obtain the identity certificate.

    • CA Certificate—Paste the CA certificate in the PEM format in the box. You can also obtain a CA certificate by copying it from another device.

      You can leave this box empty if you choose to generate a CSR without the CA certificate.

  • PKCS12 File—Import a PKCS12 file on a threat defense managed device that supports VPN connectivity. A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file. Enter the Passphrase value for decryption.
  • Skip Check for CA flag in basic constraints of the CA Certificate—Check this check box if you want to skip checking the basic constraints extension and the CA flag in a trustpoint certificate.
  • Validation Usage—Choose from the options to validate the certificate during a VPN connection:
    • IPsec Client—Validate an IPsec client certificate for a site-to-site VPN connection.

    • SSL Client—Validate an SSL client certificate during a remote access VPN connection attempt.

    • SSL Server—Select to validate an SSL server certificate, such as a Cisco Umbrella server certificate.

Step 4

(Optional) Open the Certificate Parameters tab and specify the certificate contents. See Certificate Enrollment Object Certificate Parameters.

This information is placed in the certificate and is readable by any party who receives the certificate from the router.

Step 5

(Optional) Open the Key tab and specify the Key information. See Certificate Enrollment Object Key Options.

Step 6

(Optional) Click the Revocation tab, and specify the revocation options. See Certificate Enrollment Object Revocation Options.

Step 7

Allow Overrides of this object if desired. See Object Overrides for a full description of object overrides.

Step 8

Click Save.


What to do next

Associate and install the enrollment object on a device to create a trustpoint on that device.

Add Certificate Enrollment

Procedure

Step 1

Enter the Name.

Step 2

Paste the certificate information in the IdP Certificate field in PEM format.

Note

If the certificate is dependent on a root or intermediate certificate, you must install the dependent certificates. See Certificates.

Step 3

Click Save.


Certificate Enrollment Object EST Options

Secure Firewall Management Center Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > Cert Enrollment. Click (add icon) Add Cert Enrollment to open the Add Cert Enrollment dialog, and select the CA Information tab.

Fields

Enrollment Type—set to EST.


Note


  • EST enrollment type does not support EdDSA key.

  • EST's ability to auto-enroll a device when its certificate expires is not supported.


Enrollment URL—The URL of the CA server to which devices should attempt to enroll.

Use an HTTPS URL in the form of https://CA_name:port, where CA_name is the host DNS name or IP address of the CA server. The port number is mandatory.

Username—The username to access the CA server.

Password / Confirm Password—The password to access the CA server.

Fingerprint—When retrieving the CA certificate using EST, you may enter the fingerprint for the CA server. Using the fingerprint to verify the authenticity of the CA server’s certificate helps prevent an unauthorized party from substituting a fake certificate in place of the real one. Enter the Fingerprint for the CA server in hexadecimal format. If the value you enter does not match the fingerprint on the certificate, the certificate is rejected. Obtain the CA’s fingerprint by contacting the server directly.

Source Interface—The interface that interacts with the CA server. By default, the diagnostic interface is displayed. To configure a data interface as the source interface, choose the respective security zone or interface group object.

Ignore EST Server Certificate Validations—The EST server certificate is validated by default. Check the check box if you want the threat defense device to skip validation of the EST server certificate.

Certificate Enrollment Object SCEP Options

Secure Firewall Management Center Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > Cert Enrollment. Click (add icon) Add Cert Enrollment to open the Add Cert Enrollment dialog, and select the CA Information tab.

Fields

Enrollment Type—set to SCEP.

Enrollment URL—The URL of the CA server to which devices should attempt to enroll.

Use an HTTP URL in the form of http://CA_name:port, where CA_name is the host DNS name or IP address of the CA server. The port number is mandatory.


Note


If the SCEP server is referenced by hostname or FQDN, configure a DNS server using a FlexConfig object.

If the CA cgi-bin script location at the CA is not the default (/cgi-bin/pkiclient.exe), you must also include the nonstandard script location in the URL, in the form of http://CA_name:port/script_location, where script_location is the full path to the CA scripts.

Challenge Password / Confirm Password—The password used by the CA server to validate the identity of the device. You can obtain the password by contacting the CA server directly or by entering the following address in a web browser: http://URLHostName/certsrv/mscep/mscep.dll. The password is good for 60 minutes from the time you obtain it from the CA server. Therefore, it is important that you deploy the password as soon as possible after you create it.

Retry Period—The interval between certificate request attempts, in minutes. Value can be 1 to 60 minutes. The default is 1 minute.

Retry Count—The number of retries that should be made if no certificate is issued upon the first request. Value can be 1 to 100. The default is 10.

CA Certificate Source—Specify how the CA certificate will be obtained.

  • Retrieve Using SCEP (Default, and only supported option)—Retrieve the certificate from the CA server using the Simple Certificate Enrollment Protocol (SCEP). Using SCEP requires a connection between your device and the CA server. Ensure there is a route from your device to the CA server before beginning the enrollment process.

Fingerprint—When retrieving the CA certificate using SCEP, you may enter the fingerprint for the CA server. Using the fingerprint to verify the authenticity of the CA server’s certificate helps prevent an unauthorized party from substituting a fake certificate in place of the real one. Enter the Fingerprint for the CA server in hexadecimal format. If the value you enter does not match the fingerprint on the certificate, the certificate is rejected. Obtain the CA’s fingerprint by contacting the server directly, or by entering the following address in a web browser: http://<URLHostName>/certsrv/mscep/mscep.dll.
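The fingerprint comparison that the Fingerprint field performs for both the EST and the SCEP enrollment types, as an added example that is not Cisco documentation code or product functionality. It assumes the openssl CLI; the two CA server certificates are constructed (a genuine one and an impostor with the same subject name), and the digest name is an assumption: use whichever digest the fingerprint you were given out of band is expressed in. The normalisation step matters in practice, since fingerprints are handed around with colons, spaces, or lower-case hex.

```bash
#!/usr/bin/env bash
# Added example (not Cisco documentation code): compute a CA certificate
# fingerprint and compare it with a value obtained out of band. Assumes the
# openssl CLI; both certificates are constructed; the digest is an assumption.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
commonName = placeholder
EOF

# Hex fingerprint of the certificate's DER encoding, no colons, upper case.
# $1 = certificate file, $2 = digest name (sha256, sha1, ...).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2 | tr -d ': ' | tr 'a-f' 'A-F'
}

# Normalise an operator-supplied fingerprint so it can be compared byte for byte.
normalize_fingerprint() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# Return 0 only if the certificate's fingerprint equals the expected value.
# Anything else (typo, wrong digest, substituted certificate) is a rejection.
# $1 = certificate file, $2 = expected fingerprint, $3 = digest name.
fingerprint_matches() {
  [ "$(cert_fingerprint "$1" "$3")" = "$(normalize_fingerprint "$2")" ]
}

# Two constructed self-signed "CA server" certificates with the same subject:
# the genuine one and an impostor. Subject names alone cannot tell them apart.
gen_cert() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 365 \
    -subj "/O=Example Corp/CN=scep-ca.example.test" 2>/dev/null
}
gen_cert genuine
gen_cert impostor

# The value the CA operator would hand over out of band (constructed here by
# reading the genuine certificate, as the operator would do on the CA host).
EXPECTED=$(openssl x509 -in "$WORK/genuine.pem" -noout -fingerprint -sha256 | cut -d= -f2)
echo "expected fingerprint (as given): $EXPECTED"

if fingerprint_matches "$WORK/genuine.pem" "$EXPECTED" sha256; then
  echo "genuine.pem: fingerprint matches, CA certificate accepted"
fi
if ! fingerprint_matches "$WORK/impostor.pem" "$EXPECTED" sha256; then
  echo "impostor.pem: fingerprint mismatch, certificate rejected"
fi
```

The same comparison with the wrong digest also fails, so the digest the fingerprint was computed with has to be agreed along with the value itself.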

Certificate Enrollment Object Certificate Parameters

Specify additional information in certificate requests sent to the CA server. This information is placed in the certificate and can be viewed by any party who receives the certificate from the router.

Secure Firewall Management Center Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > Cert Enrollment. Press (add icon) Add Cert Enrollment to open the Add Cert Enrollment dialog, and select the Certificate Parameters tab.

Fields

Enter all information using the standard LDAP X.500 format.

  • Include FQDN—Whether to include the device’s fully qualified domain name (FQDN) in the certificate request. Choices are:

    • Use Device Hostname as FQDN

    • Don't use FQDN in certificate

    • Custom FQDN—Select this and then specify it in the Custom FQDN field that displays.

  • Include Device's IP Address—The interface whose IP address is included in the certificate request.

  • Common Name (CN)—The X.500 common name to include in the certificate.


    Note


    When enrolling a self-signed certificate you must specify the Common Name (CN) in the certificate parameters.


  • Organization Unit (OU)—The name of the organization unit (for example, a department name) to include in the certificate.

  • Organization (O)—The organization or company name to include in the certificate.

  • Locality (L)—The locality to include in the certificate.

  • State (ST)—The state or province to include in the certificate.

  • Country Code (C)—The country to include in the certificate. These codes conform to ISO 3166 country abbreviations, for example "US" for the United States of America.

  • Email (E)—The email address to include in the certificate.

  • Include Device's Serial Number—Whether to include the serial number of the device in the certificate. The CA uses the serial number to either authenticate certificates or to later associate a certificate with a particular device. If you are in doubt, include the serial number, as it is useful for debugging purposes.
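How the fields above end up inside a certificate request, and what a CA or any later recipient of the certificate can read from it, as an added example that is not Cisco documentation code or product functionality. It assumes the openssl CLI (1.1.1 or later); every value (host name, organisation, address, serial number) is constructed. The subject fields become an X.500 distinguished name, the FQDN and interface address become subjectAltName entries, and the device serial number becomes the serialNumber attribute of the subject; the inspection functions then decode the request back into plain text.

```bash
#!/usr/bin/env bash
# Added example (not Cisco documentation code): build and inspect a request
# carrying the Certificate Parameters fields. Assumes the openssl CLI (1.1.1
# or later); all values are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
commonName = placeholder
EOF

# Build a CSR from the same parameters the Certificate Parameters tab
# collects. Subject fields are given as a slash-separated X.500 DN (openssl's
# input form), the FQDN and the interface address go into subjectAltName, and
# the device serial number becomes the subject's serialNumber attribute.
# Arguments: key file, output CSR, CN, OU, O, L, ST, C, E, FQDN, IP, SERIAL.
make_device_csr() {
  key=$1; out=$2; cn=$3; ou=$4; o=$5; l=$6; st=$7; c=$8; email=$9
  shift 9; fqdn=$1; ip=$2; serial=$3
  openssl req -new -config "$WORK/req.cnf" -key "$key" -sha256 -out "$out" \
    -subj "/C=$c/ST=$st/L=$l/O=$o/OU=$ou/CN=$cn/emailAddress=$email/serialNumber=$serial" \
    -addext "subjectAltName=DNS:$fqdn,IP:$ip" 2>/dev/null
}

# What the request discloses, decoded to plain text.
csr_subject()   { openssl req -in "$1" -noout -subject | sed 's/^subject=//'; }
csr_san()       { openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//p;}'; }
csr_key_bits()  { openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
csr_has_field() { csr_subject "$1" | grep -q -- "$2"; }

# Constructed device key (2048-bit RSA, the recommended size).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/device.key" 2>/dev/null

make_device_csr "$WORK/device.key" "$WORK/device.csr" \
  "vpn-hub1.example.test" "Network Security" "Example Corp" "Austin" "Texas" "US" \
  "netsec@example.test" "vpn-hub1.example.test" "203.0.113.10" "FTD00000000EXAMPLE"

echo "Subject: $(csr_subject "$WORK/device.csr")"
echo "SAN:     $(csr_san "$WORK/device.csr")"
echo "Key:     $(csr_key_bits "$WORK/device.csr") bit"
```

Everything the inspection prints is exactly what the text above warns is readable by any party that receives the certificate, which is the reason to keep the serial number, email address and locality to what the CA actually needs.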

Certificate Enrollment Object Key Options

Secure Firewall Management Center Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > Cert Enrollment. Press (add icon) Add Cert Enrollment to open the Add Cert Enrollment dialog, and select the Key tab.

Fields

  • Key Type—RSA, ECDSA, EdDSA.


    Note


    • For EST enrollment type, do not select EdDSA key as it is not supported.

    • EdDSA is supported only in Site-to-Site VPN topologies.

    • EdDSA is not supported as an identity certificate for the Remote Access VPN.


  • Key Name—If the key pair you want to associate with the certificate already exists, this field specifies the name of that key pair. If the key pair does not exist, this field specifies the name to assign to the key pair that will be generated during enrollment. If you do not specify a name, the fully qualified domain name (FQDN) key pair is used instead.

  • Key Size—If the key pair does not exist, defines the desired key size (modulus), in bits. The recommended size is 2048 bits. The larger the modulus size, the more secure the key. However, keys with larger modulus sizes take longer to generate (a minute or more when larger than 512 bits) and longer to process when exchanged.


    Important


    • On management center and threat defense Versions 7.0 and higher, you cannot enroll certificates with RSA key sizes smaller than 2048 bits and keys using SHA-1 with the RSA Encryption algorithm. However, you can use PKI Enrollment of Certificates with Weak-Crypto to allow certificates that use SHA-1 with RSA Encryption algorithm and smaller key size.

    • You cannot generate RSA keys with sizes smaller than 2048 bits for threat defense 7.0, even when you enable the weak-crypto option.


  • Advanced Settings—Select Ignore IPsec Key Usage if you do not want to validate the key usage and extended key usage extensions of IPsec remote client certificates; this suppresses key usage checking on IPsec client certificates. By default this option is not enabled.


    Note


    For site-to-site VPN connection, if you use a Windows Certificate Authority (CA), the default Application Policies extension is IP security IKE intermediate. If you are using this default setting, you must select the Ignore IPsec Key Usage option for the object you select. Otherwise, the endpoints cannot complete the site-to-site VPN connection.


PKI Enrollment of Certificates with Weak-Crypto

The SHA-1 signature algorithm and RSA key sizes smaller than 2048 bits are not supported for certificates on management center and threat defense Version 7.0 and higher. You cannot enroll certificates with RSA key sizes that are smaller than 2048 bits.

To override these restrictions on a management center 7.0 that manages threat defense devices running versions earlier than 7.0, enable the weak-crypto option on the threat defense. We do not recommend permitting weak crypto: SHA-1 signatures and RSA keys shorter than 2048 bits are not as secure as longer keys with a stronger signature hash.


Note


Threat Defense 7.0 or higher does not support generating RSA keys with sizes smaller than 2048 bits even when you permit weak-crypto.


To enable weak-crypto on the device, navigate to the Devices > Certificates page and click the Enable Weak-Crypto button shown next to the threat defense device. When the weak-crypto option is enabled, the button icon changes to show the enabled state. By default, the weak-crypto option is disabled.


Note


When a certificate enrollment fails because the certificate uses weak crypto (a SHA-1 signature or an RSA key shorter than 2048 bits), the management center displays a warning that prompts you to enable the weak-crypto option. Similarly, when you click Enable Weak-Crypto, the management center displays a warning before it enables the weak-crypto configuration on the device.


Upgrading Earlier Versions to Threat Defense 7.0

When you upgrade to threat defense 7.0, existing certificate configurations are retained. However, certificates that have RSA keys smaller than 2048 bits or that are signed with SHA-1 can no longer be used to establish VPN connections. You must either obtain a certificate with an RSA key of at least 2048 bits and a stronger signature hash, or enable the weak-crypto option on the device to keep using the old certificates for VPN connections.

Certificate Enrollment Object Revocation Options

Specify whether to check the revocation status of a certificate by choosing and configuring the method. Revocation checking is off by default: neither CRL nor OCSP is consulted, so a revoked certificate is still accepted until you enable one of them.

Secure Firewall Management Center Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > Cert Enrollment. Click Add Cert Enrollment to open the Add Cert Enrollment dialog, and select the Revocation tab.

Fields
  • Enable Certificate Revocation Lists—Check to enable CRL checking.

    • Use CRL distribution point from the certificate—Check to obtain the revocation lists distribution URL from the certificate.

    • Use static URL configured—Check this to add a static, pre-defined distribution URL for revocation lists. Then add the URLs.

      CRL Server URLs—The URL of the server from which the CRL can be downloaded.

      URLs must start with http://. Include a port number in the URL. Enclose IPv6 addresses in square brackets, for example: http://[0:0:0:0:0:18:0a01:7c16].

  • Enable Online Certificate Status Protocol (OCSP)—Check to enable OCSP checking.

    OCSP Server URL—The URL of the OCSP responder to query for revocation status when OCSP checking is enabled.

    URLs must start with http://. Enclose IPv6 addresses in square brackets, for example: http://[0:0:0:0:0:18:0a01:7c16].

  • Consider the certificate valid if revocation information cannot be reached—Checked by default. This is a fail-open setting: if the CRL cannot be downloaded or the OCSP responder does not answer, the certificate is treated as valid. Uncheck it to fail closed and reject certificates whose revocation status cannot be determined; be aware that this also causes connections to fail during an outage of the CRL or OCSP server.
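The URL rules and the fail-open flag above are easy to get wrong when objects are built by hand or by automation. The following Python is an added example, not Secure Firewall code: it validates one CRL or OCSP URL against the constraints stated on this page (http:// only, bracketed IPv6 literals, an explicit port on static CRL URLs) and then reviews a whole Revocation tab. The configuration dictionary and its keys (crl_enabled, crl_use_cdp, crl_static_urls, ocsp_enabled, ocsp_url, accept_if_unreachable) are this example's own names for the fields listed above.

```python
"""Sanity-check the Revocation tab settings of a Cert Enrollment object.

Added example, not Secure Firewall code. Encodes the constraints stated on the
page (http:// only, bracketed IPv6 literals, explicit port on static CRL URLs)
and flags the fail-open "consider valid if revocation information cannot be
reached" setting. The configuration keys are this example's own.
"""
import ipaddress
from typing import List, Optional, Tuple


def _split_authority(authority: str) -> Tuple[str, Optional[str]]:
    """Return (host, port) from a URL authority; minimal, not a full RFC 3986 parser."""
    if authority.startswith("["):
        end = authority.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IPv6 literal")
        tail = authority[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError("unexpected text after ']'")
        return authority[1:end], (tail[1:] if tail else None)
    host, sep, port = authority.rpartition(":")
    return (host, port) if sep else (authority, None)


def check_revocation_url(url: str, require_port: bool) -> List[str]:
    """Problems with one CRL or OCSP URL; an empty list means it is acceptable."""
    problems: List[str] = []
    if not url.startswith("http://"):
        return [f"{url!r}: must start with http://"]
    authority = url[len("http://"):].split("/", 1)[0]
    # Two or more colons without brackets can only be an unbracketed IPv6 literal.
    if authority.count(":") > 1 and not authority.startswith("["):
        return [f"{url!r}: IPv6 addresses must be enclosed in square brackets"]
    try:
        host, port = _split_authority(authority)
    except ValueError as exc:
        return [f"{url!r}: {exc}"]
    if not host:
        return [f"{url!r}: missing host"]
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"{url!r}: invalid port {port!r}")
    if require_port and port is None:
        problems.append(f"{url!r}: CRL URLs must include a port number")
    try:
        if ipaddress.ip_address(host).version == 4 and authority.startswith("["):
            problems.append(f"{url!r}: brackets are only for IPv6 literals")
    except ValueError:
        pass  # a DNS name, not an IP literal
    return problems


def check_revocation_config(cfg: dict) -> List[str]:
    """Findings for the whole Revocation tab; keys mirror the fields listed above."""
    findings: List[str] = []
    crl, ocsp = bool(cfg.get("crl_enabled")), bool(cfg.get("ocsp_enabled"))
    if crl:
        static = cfg.get("crl_static_urls") or []
        if not cfg.get("crl_use_cdp") and not static:
            findings.append("CRL checking enabled but no distribution point source selected")
        for url in static:
            findings.extend(check_revocation_url(url, require_port=True))
    if ocsp:
        if not cfg.get("ocsp_url"):
            findings.append("OCSP enabled but no OCSP server URL configured")
        else:
            findings.extend(check_revocation_url(cfg["ocsp_url"], require_port=False))
    if not crl and not ocsp:
        findings.append("no revocation checking (the default): revoked certificates are accepted")
    elif cfg.get("accept_if_unreachable", True):   # checked by default on the page
        findings.append("fail-open: certificates are accepted when revocation data is unreachable")
    return findings


if __name__ == "__main__":
    # Constructed sample: a static CRL URL without a port, fail-open left at its default.
    sample = {"crl_enabled": True, "crl_static_urls": ["http://crl.example.com/ca.crl"]}
    for line in check_revocation_config(sample):
        print(line)
```

Run it against an export of your own enrollment objects before deployment; an empty findings list means the URLs are well-formed and the object fails closed.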

Policy List

Use the Configure Policy List page to create, copy, and edit policy list policy objects. You can create policy list objects to use when you are configuring route maps. When a policy list is referenced within a route map, all of the match statements within the policy list are evaluated and processed. Two or more policy lists can be configured with a route map. A policy list can also coexist with any other preexisting match and set statements that are configured within the same route map but outside of the policy list. When multiple policy lists perform matching within a route map entry, all policy lists match on the incoming attribute only.

You can use this object with threat defense devices.

Procedure


Step 1

Select Objects > Object Management and choose Policy List from the table of contents.

Step 2

Click Add Policy List.

Step 3

Enter a name for the policy list object in the Name field. Object names are not case-sensitive.

Step 4

Select whether to allow or block access for matching conditions from the Action drop-down list.

Step 5

Click the Interface tab to distribute routes that have their next hop out of one of the interfaces specified.

In the Zones/Interfaces list, add the zones that contain the interfaces to match. For interfaces not in a zone, type the interface name into the field below the Selected Zone/Interface list and click Add. The match takes effect on a device only if that device has the selected interfaces or zones.

Step 6

Click the Address tab to redistribute any routes that have a destination address that is permitted by a standard access list or prefix list.

Choose whether to use an Access List or Prefix List for matching and then enter or select the Standard Access List Objects or Prefix list objects you want to use for matching.

Step 7

Click the Next Hop tab to redistribute any routes that have a next hop router address passed by one of the access lists or prefix lists specified.

Choose whether to use an Access List or Prefix List for matching and then enter or select the Standard Access List Objects or Prefix list objects you want to use for matching.

Step 8

Click the Route Source tab to redistribute routes that have been advertised by routers and access servers at the address specified by the access lists or prefix list.

Choose whether to use an Access List or Prefix List for matching and then enter or select the Standard Access List Objects or Prefix list objects you want to use for matching.

Step 9

Click the AS Path tab to match a BGP autonomous system path. If you specify more than one AS path, then the route can match either AS path.

Step 10

Click the Community Rule tab to enable matching of the BGP community or extended community with the specified community list objects or the extended community list objects respectively. If you specify more than one rule, the routes are verified against the rules until a matching permit or deny is met.

  1. To specify a community list for the rule, click Edit (edit icon) in the Selected Community List field. The community lists appear under Available Community List. Select the required list, click Add, and then click OK.

    To match the BGP community exactly against the specified community, check the Match the specified community exactly check box.

  2. To add an extended community list, click Edit (edit icon) in the Selected Extended Community List field. The extended community lists appear under Available Extended Community List. Select the required list, click Add, and then click OK.

    Note

     

    The extended community lists are applicable only for configuring import or export of routes.

Step 11

Click the Metric & tag tab to match the metric and route tag of a route.

  1. Enter the metric values to use for matching in the Metric field. You can enter multiple values separated by commas. This setting matches any route that has one of the specified metrics. The metric values can range from 0 to 4294967295.

  2. Enter the tag values to use for matching in the Tag field. You can enter multiple values separated by commas. This setting matches any route that carries one of the specified route tags. The tag values can range from 0 to 4294967295.

Step 12

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 13

Click Save.


Port

Port objects represent different protocols in slightly different ways:

TCP and UDP

A port object represents the transport layer protocol, with the protocol number in parentheses, plus an optional associated port or port range. For example: TCP(6)/22.

ICMP and ICMPv6 (IPv6-ICMP)

A port object represents the Internet layer protocol plus an optional type and code. For example: ICMP(1):3:3.

You can restrict an ICMP or IPV6-ICMP port object by type and, if applicable, code. For more information on ICMP types and codes, see:

Other

A port object can represent other protocols that do not use ports.

The system provides default port objects for well-known ports. You cannot modify or delete these default objects. You can create custom port objects in addition to the default objects.

You can use port objects and groups in various places in the system’s web interface, including access control policies, identity rules, network discovery rules, port variables, and event searches. For example, if your organization uses a custom client that uses a specific range of ports and causes the system to generate excessive and misleading events, you can configure your network discovery policy to exclude monitoring those ports.

When using port objects, observe the following guidelines:

  • You cannot add any protocol other than TCP or UDP for source port conditions in access control rules. Also, you cannot mix transport protocols when setting both source and destination port conditions in a rule.

  • If you add an unsupported protocol to a port object group used in a source port condition, the rule where it is used does not take effect on the managed device when the configuration is deployed.

  • If you create a port object containing both TCP and UDP ports, then add it as a source port condition in a rule, you cannot add a destination port, and vice versa.
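The notation above (TCP(6)/22, ICMP(1):3:3) and the three guidelines are the kind of thing a practitioner wants to check mechanically before a deployment silently drops a rule. The following Python is an added example, not part of Secure Firewall: its grammar is inferred from the examples on this page (a transport protocol takes an optional port or hyphenated range, ICMP and ICMPv6 take an optional type and code, any other protocol takes nothing), and check_rule_ports applies the guidelines to a rule's source and destination port conditions. Protocol names and numbers other than those shown on the page (for example GRE(47)) are assumptions.

```python
"""Parse port objects in the TCP(6)/22 / ICMP(1):3:3 notation and check rule port conditions.

Added example, not Secure Firewall code. Grammar inferred from the page's examples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRANSPORT = {6: "TCP", 17: "UDP"}
ICMP = {1: "ICMP", 58: "ICMPv6"}

# NAME(proto) followed by either /port[-port] or :type[:code]; whitespace is stripped first.
_PORT_OBJECT = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+)\((?P<proto>\d+)\)"
    r"(?:/(?P<lo>\d+)(?:-(?P<hi>\d+))?|:(?P<type>\d+)(?::(?P<code>\d+))?)?$"
)


@dataclass(frozen=True)
class PortObject:
    protocol: int
    ports: Optional[Tuple[int, int]] = None     # inclusive (low, high) for TCP/UDP
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def __str__(self) -> str:
        name = TRANSPORT.get(self.protocol) or ICMP.get(self.protocol) or "Proto"
        text = f"{name}({self.protocol})"
        if self.ports:
            lo, hi = self.ports
            text += f"/{lo}" if lo == hi else f"/{lo}-{hi}"
        elif self.icmp_type is not None:
            text += f":{self.icmp_type}"
            if self.icmp_code is not None:
                text += f":{self.icmp_code}"
        return text


def parse_port_object(text: str) -> PortObject:
    """Parse one object; the protocol number in parentheses is authoritative."""
    m = _PORT_OBJECT.match(text.replace(" ", ""))
    if not m:
        raise ValueError(f"not a port object: {text!r}")
    proto = int(m["proto"])
    if not 0 <= proto <= 255:
        raise ValueError(f"protocol number out of range: {proto}")
    if m["lo"] is not None:
        if proto not in TRANSPORT:
            raise ValueError("only TCP and UDP objects carry ports")
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] is not None else lo
        if not 1 <= lo <= hi <= 65535:          # ports 1-65535, range written low-high
            raise ValueError(f"bad port range {lo}-{hi}")
        return PortObject(proto, ports=(lo, hi))
    if m["type"] is not None:
        if proto not in ICMP:
            raise ValueError("only ICMP and ICMPv6 objects carry type/code")
        itype = int(m["type"])
        code = int(m["code"]) if m["code"] is not None else None
        if not 0 <= itype <= 255 or (code is not None and not 0 <= code <= 255):
            raise ValueError("ICMP type and code are 0-255")
        return PortObject(proto, icmp_type=itype, icmp_code=code)
    return PortObject(proto)


def check_rule_ports(source: List[PortObject], destination: List[PortObject]) -> List[str]:
    """Apply the page's three guidelines to a rule's source/destination port conditions."""
    problems: List[str] = []
    for obj in source:                          # guideline 1 and 2: source side is TCP/UDP only
        if obj.protocol not in TRANSPORT:
            problems.append(f"source port condition {obj} is not TCP/UDP; the rule will not deploy")
    src = {o.protocol for o in source if o.protocol in TRANSPORT}
    dst = {o.protocol for o in destination if o.protocol in TRANSPORT}
    if src and dst:
        if len(src) > 1 or len(dst) > 1:        # guideline 3: mixed TCP/UDP group on one side only
            problems.append("a port group mixing TCP and UDP can be used on only one side of the rule")
        elif src != dst:                        # guideline 1: no mixing transports across sides
            problems.append("source and destination port conditions use different transport protocols")
    return problems


if __name__ == "__main__":
    ssh, dns = parse_port_object("TCP(6)/22"), parse_port_object("UDP(17)/53")
    print(ssh, dns, parse_port_object("ICMP(1):3:3"))
    print(check_rule_ports([ssh, dns], [parse_port_object("TCP(6)/80")]))
```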

Creating Port Objects

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose Port from the list of object types.

Step 3

Choose Add Object from the Add Port drop-down list.

Alternatively, you can clone an existing port object and edit the parameters to create a new port object. Click the Clone icon on the existing port object that you want to clone.

Step 4

Enter a Name.

Step 5

Choose a Protocol.

Step 6

Depending on the protocol you chose, constrain by Port, or choose an ICMP Type and Code.

You can enter ports from 1 to 65535. Use a hyphen to specify a port range. You must constrain the object by port if you chose to match All protocols, using the Other drop-down list.

Step 7

Manage overrides for the object:

  • If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.
  • If you want to add override values to this object, expand the Override section and click Add; see Adding Object Overrides.

Step 8

Click Save.


What to do next

Importing Port Objects

For details on importing port objects, see Importing Objects.

Prefix List

You can create prefix list objects for IPv4 and IPv6 to use when you are configuring route maps, policy maps, OSPF Filtering, or BGP Neighbor Filtering.

Configure IPv6 Prefix List

Use the Configure IPv6 Prefix list page to create, copy and edit prefix list objects. You can create prefix list objects to use when you are configuring route maps, policy maps, OSPF Filtering, or BGP Neighbor Filtering.

You can use this object with threat defense devices.

Procedure


Step 1

Select Objects > Object Management and choose Prefix Lists > IPv6 Prefix List from the table of contents.

Step 2

Click Add Prefix List.

Step 3

Enter a name for the prefix list object in the Name field on the New Prefix List Object window.

Step 4

Click Add on the New Prefix List Object window.

Step 5

Select the appropriate action, Allow or Block from the Action drop-down list, to indicate the redistribution access.

Step 6

Enter a unique number that indicates the position a new prefix list entry will have in the list of prefix list entries already configured for this object, in the Sequence No. field. If left blank, the sequence number will default to five more than the largest sequence number currently in use.

Step 7

Specify the IPv6 address in the IP address/mask length format in the IP address field. The mask length must be a valid value from 1 through 128.

Step 8

Enter the minimum prefix length in the Minimum Prefix Length field. The value must be greater than the mask length and less than or equal to the Maximum Prefix Length, if specified.

Step 9

Enter the maximum prefix length in the Maximum Prefix Length field. The value must be greater than or equal to the Minimum Prefix Length, if present, or greater than the mask length if the Minimum Prefix Length is not specified.

Step 10

Click Add.

Step 11

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 12

Click Save.


Configure IPv4 Prefix List

Use the Configure IPv4 Prefix list page to create, copy and edit prefix list objects. You can create prefix list objects to use when you are configuring route maps, policy maps, OSPF Filtering, or BGP Neighbor Filtering.

You can use this object with threat defense devices.

Procedure


Step 1

Select Objects > Object Management and choose Prefix Lists > IPv4 Prefix List from the table of contents.

Step 2

Click Add Prefix List.

Step 3

Enter a name for the prefix list object in the Name field on the New Prefix List Object window.

Step 4

Click Add.

Step 5

Select the appropriate action, Allow or Block from the Action drop-down list, to indicate the redistribution access.

Step 6

Enter a unique number that indicates the position a new prefix list entry will have in the list of prefix list entries already configured for this object, in the Sequence No. field. If left blank, the sequence number will default to five more than the largest sequence number currently in use.

Step 7

Specify the IPv4 address in the IP address/mask length format in the IP address field. The mask length must be a valid value from 1 through 32.

Step 8

Enter the minimum prefix length in the Minimum Prefix Length field. The value must be greater than the mask length and less than or equal to the Maximum Prefix Length, if specified.

Step 9

Enter the maximum prefix length in the Maximum Prefix Length field. The value must be greater than or equal to the Minimum Prefix Length, if present, or greater than the mask length if the Minimum Prefix Length is not specified.

Step 10

Click Add.

Step 11

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 12

Click Save.
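The IPv6 and IPv4 procedures above describe the entry fields but not how a router consults the finished list. The following Python is an added example, not Secure Firewall code: it models a prefix-list object as sequence-ordered entries, enforces the field constraints from Steps 6 through 9 (mask length range, Minimum Prefix Length above the mask length, Maximum Prefix Length at or above the minimum, default sequence number of largest in use plus five, with an empty list assumed to start at 5), and evaluates candidate routes the way a prefix list is evaluated in practice: first matching entry wins, and a route that matches nothing is blocked. The Minimum and Maximum Prefix Length window is interpreted the way the equivalent ge/le keywords work: with neither set, only the exact mask length matches; with only a minimum, anything from that length up to the address size matches.

```python
"""Prefix-list evaluation with Minimum/Maximum Prefix Length semantics.

Added example, not Secure Firewall code. Entries are evaluated in sequence
order, first match wins, and an unmatched route is blocked (implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class PrefixEntry:
    seq: int
    action: str                      # "allow" or "block", as in the Action drop-down
    net: Network
    min_len: Optional[int] = None    # Minimum Prefix Length
    max_len: Optional[int] = None    # Maximum Prefix Length

    def matches(self, route: Network) -> bool:
        """True if route falls under net and its length is inside the allowed window."""
        if route.version != self.net.version or route.prefixlen < self.net.prefixlen:
            return False
        if route.network_address not in self.net:
            return False
        low = self.min_len if self.min_len is not None else self.net.prefixlen
        if self.max_len is not None:
            high = self.max_len
        elif self.min_len is not None:
            high = self.net.max_prefixlen          # minimum only: up to a host route
        else:
            high = self.net.prefixlen              # no window: exact length only
        return low <= route.prefixlen <= high


class PrefixList:
    def __init__(self, name: str, version: int):
        if version not in (4, 6):
            raise ValueError("version must be 4 or 6")
        self.name, self.version = name, version
        self.entries: List[PrefixEntry] = []

    def add(self, action: str, prefix: str, min_len: Optional[int] = None,
            max_len: Optional[int] = None, seq: Optional[int] = None) -> None:
        """Add one entry, applying the field constraints from the procedure above."""
        if action not in ("allow", "block"):
            raise ValueError("action must be 'allow' or 'block'")
        net = ipaddress.ip_network(prefix, strict=True)
        if net.version != self.version:
            raise ValueError(f"{prefix} is not IPv{self.version}")
        bits = net.max_prefixlen
        if not 1 <= net.prefixlen <= bits:
            raise ValueError(f"mask length must be 1-{bits}")
        if min_len is not None and not net.prefixlen < min_len <= bits:
            raise ValueError("Minimum Prefix Length must exceed the mask length")
        if max_len is not None:
            floor = min_len if min_len is not None else net.prefixlen + 1
            if not floor <= max_len <= bits:
                raise ValueError("Maximum Prefix Length out of range")
        if seq is None:   # default: five more than the largest in use (assumed 5 when empty)
            seq = (max(e.seq for e in self.entries) + 5) if self.entries else 5
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence number {seq} already in use")
        self.entries.append(PrefixEntry(seq, action, net, min_len, max_len))
        self.entries.sort(key=lambda e: e.seq)

    def sequence_numbers(self) -> List[int]:
        return [e.seq for e in self.entries]

    def evaluate(self, prefix: str) -> str:
        """Action for a candidate route: first matching entry, else implicit block."""
        route = ipaddress.ip_network(prefix, strict=True)
        for entry in self.entries:
            if entry.matches(route):
                return entry.action
        return "block"


if __name__ == "__main__":
    # Constructed sample: accept customer /24-/28 from 10.10.0.0/16 except one /24.
    pl = PrefixList("CUSTOMER-IN", 4)
    pl.add("allow", "10.10.0.0/16", min_len=24, max_len=28)
    pl.add("block", "10.10.99.0/24", seq=1)
    for r in ("10.10.5.0/24", "10.10.99.0/24", "10.10.5.0/30"):
        print(r, pl.evaluate(r))
```

Note how the block entry only wins because it was given a lower sequence number than the broader allow; the default numbering would have placed it after the allow entry and it would never be reached.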


Route Map

Route maps are used when redistributing routes into any routing process. They are also used when generating a default route into a routing process. A route map defines which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process. Configure a route map to create a new route map entry for a Route Map object or to edit an existing one.

You can use this object with threat defense devices.

Before you begin

A Route Map may use one or more of these objects; it is not mandatory to add all of them. Create and use any of these objects as required to configure your route map.

  • Add ACLs.

  • Add Prefix Lists.

  • Add AS Path.

  • Add Community Lists.

  • Add Extended Community Lists.


    Note


    The extended community lists are applicable only for configuring import or export of routes.


  • Add Policy Lists.

Procedure


Step 1

Select Objects > Object Management and choose Route Map from the table of contents.

Step 2

Click Add Route Map.

Step 3

Click Add on the New Route Map Object window.

Step 4

In the Sequence No. field, enter a number, from 0 through 65535, that indicates the position a new route map entry has in the list of route maps entries already configured for this route map object.

Note

 
We recommend that you number clauses in intervals of at least 10 to reserve numbering space in case you want to insert clauses in the future.

Step 5

Select the appropriate action, Allow or Block, from the Redistribution drop-down list, to indicate the redistribution access.

Step 6

Click the Match Clauses tab to match (routes/traffic) based on the following criteria, which you select in the table of contents:

  • Security Zones —Match traffic based on the (ingress/egress) interfaces. You can select zones and add them, or type in interface names and add them.

  • IPv4 — Match IPv4 (routes/traffic) based on the following criteria; select the tab to define the criteria.

    1. Click the Address tab to match routes based on the route address. For IPv4 addresses, choose whether to use an Access list or Prefix list for matching from the drop-down list and then enter or select the ACL objects or Prefix list objects you want to use for matching.

    2. Click the Next Hop tab to match routes based on the next hop address of a route. For IPv4 addresses, choose whether to use an access list or Prefix list for matching from the drop-down list and then enter or select the ACL objects or Prefix list objects you want to use for matching.

    3. Click the Route Source tab to match routes based on the advertising source address of the route. For IPv4 addresses, choose whether to use an access list or Prefix list for matching from the drop-down list and then enter or select the ACL objects or Prefix list objects you want to use for matching.

  • IPv6 —Match IPv6 (routes/traffic) based on the route address, next-hop address or advertising source address of route.

  • BGP —Match BGP (routes/traffic) based on the following criteria; select the tab to define the criteria.

    1. Click the AS Path tab to enable matching the BGP autonomous system path access list with the specified path access list. If you specify more than one path access list, then the route can match either path access list.

    2. Click the Community List tab to enable matching of the BGP community or extended community with the specified community list objects or the extended community list objects respectively.

      • To specify a community list for the rule, click Edit (edit icon) in the Selected Community List field. The community lists appear under Available Community List. Select the required list, click Add, and then click OK. For information on how to create community list objects, see Community List.

      • To add an extended community list, click Edit (edit icon) in the Selected Extended Community List field. The extended community lists appear under Available Extended Community List. Select the required list, click Add, and then click OK. For information on how to create extended community list objects, see Extended Community.

      To enable matching the BGP community exactly with the specified community list objects, check the Match the specified community exactly check box. This option is not applicable for the extended community list.

      Note

       

      If you specify more than one rule, the routes are verified against the rules until a matching permit or deny condition is met. Any route that does not match at least one Match community will not be advertised for outbound route maps.

    3. Click the Policy List tab to configure a route map to evaluate and process a BGP policy. When multiple policy lists perform matching within a route map entry, all policy lists match on the incoming attribute only.

  • Others —Match routes or traffic based on the following criteria.

    1. Enter the metric values to use for matching in the Metric Route Value field, to enable matching the metric of a route. You can enter multiple values separated by commas. This setting allows you to match any routes that have a specified metric. The metric values can range from 0 to 4294967295.

    2. Enter the tag values to use for matching in the Tag Values field. You can enter multiple values separated by commas. This setting matches any route that carries one of the specified route tags. The tag values can range from 0 to 4294967295.

    3. Check the appropriate Route Type option to enable matching of the route type. Valid route types are External1, External2, Internal, Local, NSSA-External1, and NSSA-External2. You can choose more than one route type from the list.

Step 7

Click the Set Clauses tab to set routes/traffic based on the following criteria, which you select in the table of contents:

  • Metric Values—Set either Bandwidth, all of the values or none of the values.

    1. Enter a metric value or bandwidth in Kbits per second in the Bandwidth field. Valid values are an integer value in the range from 0 to 4294967295.

    2. Select to specify the type of metric for the destination routing protocol, from the Metric Type drop-down list. Valid values are : internal, type-1, or type-2.

  • BGP Clauses —Set BGP routes based on the following criteria; select the tab to define the criteria.

    1. Click the AS Path tab to modify an autonomous system path for BGP routes.

      1. Enter one or more AS numbers in the Prepend AS Path field to prepend an arbitrary autonomous system path string to BGP routes. Usually the local AS number is prepended multiple times, which lengthens the AS path and makes the route less preferred. If you specify more than one AS number, each is prepended in the order given.

      2. Enter a number from 1 to 10 in the Prepend Last AS to AS Path field to prepend the last AS number in the path that many times.

      3. Check the Convert route tag into AS path check box to convert the tag of a route into an autonomous system path.

    2. Click the Community List tab to set the community attributes:

      Under Specific Community: