
Implementing SD-WAN Branch Security with Cisco Routers

Haitham Jaradat, Technical Leader, TAC
Olivier Pelerin, Technical Leader, TAC
Eugene Khabarov, Technical Consulting Engineer, TAC

TECSEC-2355
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

TECSEC-2355 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Schedule

14:30 - 16:30 (2h)


16:30 - 16:45 Break
16:45 – 18:45 (2h)

Agenda
• SDWAN infrastructure refresher
• Secure Infrastructure
  • Secure Control Plane
  • Secure Data Plane
  • Device Identity
• Direct Internet Access
  • Device lock-down
  • DIA configuration (NAT)
  • Secure Internet Gateway
• Ent. Firewall Application Aware
  • Packet flow
  • Configuration
  • Troubleshooting
• Intrusion Prevention
  • Packet flow
  • Configuration
  • Troubleshooting
• URL-Filtering
  • Packet flow
  • Configuration
  • Troubleshooting
• DNS/web-layer security
  • Packet flow
  • Configuration
  • Troubleshooting
• AMP/Threat Grid integration
  • Packet flow
  • Configuration
  • Troubleshooting
• Positioning
  • Policy Summary
  • Device Template
  • Netflow
  • Platform Support
  • Roadmap
• Wrap up

Session objectives
• Understand each SD-WAN security component
• Develop a layered security approach
• Focus on IOS XE SD-WAN with a selection of features
• Troubleshoot security issues
• This is not about Meraki

Reminder
• IOS XE SD-WAN is NOT full IOS XE image + SD-WAN
• IOS XE SD-WAN is IOS XE Dataplane + Viptela SD-WAN Control-plane
• SDWAN basics are not covered
SD-WAN refresher

Orchestration Plane: vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
[Diagram: vManage (APIs, 3rd party automation, vAnalytics), vBond and vSmart controllers reach vEdge routers in cloud, data center, campus, branch and SOHO sites over MPLS, 4G and INET transports]
Control Plane: vSmart
• Facilitates fabric discovery
• Disseminates control plane information between Edges
• Distributes data plane and app-aware routing policies to the Edge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
[Diagram: same topology as the previous slide, with the vSmart controllers highlighted]
Data Plane: Cisco vEdge / cEdge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
[Diagram: same topology as the previous slide, with the vEdge routers highlighted]
Secure Infrastructure: Secure Control Plane

Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service side routes), service routes (L4-L7), BFD up/down stats (TE node) and Cloud onRamp for SaaS probe stats (gateway)
  - Uses attributes
• Distributes IPSec encryption keys, and data and app-aware policies (embedded NETCONF)
Note: WAN Edge routers need not connect to all vSmart Controllers
[Diagram: OMP inside DTLS between each WAN Edge and the vSmart controllers, and between the vSmart controllers themselves]
Transport Locators (TLOCs)
• Each WAN Edge advertises its local TLOCs (System IP, Color, Encap) to the vSmarts (default)
• vSmarts advertise TLOCs to all WAN Edges* (default), which gives a full mesh SD-WAN fabric
* Can be influenced by the control policies
[Diagram legend: Transport Locator (TLOC); OMP over DTLS; IPSec Tunnel]
Secure Dataplane

Fabric Operation Walk-Through
OMP Update (vSmart to WAN Edge, over the DTLS/TLS tunnel):
▪ Reachability – IP Subnets, TLOCs
▪ Security – Encryption Keys
▪ Policy – Data/App-route Policies
[Diagram: two WAN Edges, each with VPN1/VPN2 subnets (A, B, C, D) learnt via BGP, OSPF, connected and static routes, send OMP updates with their TLOCs and subnets to vSmart; vSmart returns OMP updates and policies; IPSec tunnels with BFD run between the edges over Transport1 and Transport2]
Data Plane: 1 shared ingress SPI per TLOC
▪ Each WAN Edge advertises its inbound IPSec encryption key as OMP TLOC attribute
▪ Can be rapidly rotated
▪ Symmetric encryption keys used asymmetrically
▪ Encryption keys are specific per-transport
[Animation, slides (1) to (8): each WAN Edge generates a local key per transport (Encr-Key1 and Encr-Key2 on one edge, Encr-Key3 and Encr-Key4 on the other), sends them to the vSmart Controller in OMP updates, and vSmart relays them so each edge also holds the remote (received) keys of its peer for Transport 1 and Transport 2; data plane encryption is AES256-GCM/CBC]

Data Plane: 1 shared ingress SPI per TLOC – BFD up
Once both edges hold each other's keys, BFD comes up over the IPSec tunnel. Packet layout: IP | UDP | ESP | MPLS | Original Packet, with the inner part encrypted (AES256-GCM/CBC).
Data Plane: Pair-wise keying (1)
▪ For simplicity let's consider one TLOC only
▪ Similar to previous scenario, each transport will initiate their own keying material
[Diagram: vSmart Controller (16.12+) with three WAN Edges on Transport 1; data plane encryption AES256-GCM/CBC]
Data Plane: Pair-wise keying (2)
▪ Each WAN Edge creates:
  ▪ ECDH key pair
  ▪ Nonce
  ▪ ECDH Key ID [ SPI ]
▪ Blue = public value
▪ Red = private value
[Diagram: WAN Edge "A", "B" and "C" each hold an ECDH pub key, an ECDH priv key, a Nonce and an ECDH key ID [SPI]]
Data Plane: Pair-wise keying (3)
▪ Each WAN Edge sends to vSmart:
  ▪ ECDH pub key
  ▪ Nonce
  ▪ ECDH Key ID [ SPI ]
[Diagram: pub key, Nonce and SPI "A", "B" and "C" travel from each WAN Edge to the vSmart Controller]

Data Plane: Pair-wise keying (4)
▪ vSmart replicates the relevant info towards every Edge
[Diagram: the vSmart Controller forwards each edge's pub key, Nonce and SPI to the other two edges]
Data Plane: Pair-wise keying (5)
Each Edge device forms a shared secret between its local TLOC and this remote TLOC by ECDH shared secret computation
[Diagram: WAN Edge "A" now holds pub key, Nonce and SPI "B" and "C"; "B" holds those of "A" and "C"; "C" holds those of "A" and "B"]

Data Plane: Pair-wise keying (6)–(8)
HKDF [HMAC-based Extract-and-Expand Key Derivation Function (HKDF), RFC 5869] is run, reusing the shared secret and the combined nonce and SPI as parameters
[Diagram: each edge combines its own priv key, Nonce and SPI with the peer's pub key, Nonce and SPI; slide (8) shows HKDF keying material creation between Peer A and Peer B for inbound and outbound SAs]
Data Plane: Pair-wise keying (9)
In the context of the tunnel between Edge A and B, BFD comes up, being encrypted by IPSEC using keys 1 and 2 as derived from the pair-wise keying creation in step 8

Data Plane: Pair-wise keying (10)
Following the same keying logic, pairwise keys will be derived and IPSEC will come up and BFD will be transported over IPSEC
[Diagram: WAN Edge "A", "B" and "C" on Transport 1, all tunnels up, AES256-GCM/CBC]
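The pair-wise keying steps of slides (2) to (10), worked through as an added Python example (not Cisco's code and not the shipping implementation): each edge publishes an ECDH public value, nonce and SPI, vSmart relays them, and each pair of edges derives a shared secret and then one HKDF key per direction, so A's outbound key equals B's inbound key. Assumptions: X25519 stands in for the unspecified curve, HKDF-SHA256 takes the shared secret as IKM, the two nonces as salt and the two SPIs as info, and WanEdge, vsmart_replicate and the byte layout are illustrative choices.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# ---- X25519 scalar multiplication (RFC 7748, section 5) ----
# Assumption: the deck does not name the ECDH curve; X25519 is used here.
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder: returns scalar * u as 32 little-endian bytes."""
    k = _clamp(scalar)
    u = bytearray(u_bytes)
    u[31] &= 127                      # RFC 7748: mask the top bit of u
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# ---- HKDF (RFC 5869) with HMAC-SHA256 ----
def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass(frozen=True)
class TlocAnnouncement:
    """What one edge publishes to vSmart for its TLOC: public value, nonce, key ID (SPI)."""
    system_ip: str
    pub_key: bytes
    nonce: bytes
    spi: int


def _direction_key(shared: bytes, sender: TlocAnnouncement, receiver: TlocAnnouncement) -> bytes:
    # Assumed byte layout: salt = sender nonce || receiver nonce, info = label || both SPIs.
    salt = sender.nonce + receiver.nonce
    info = b"sdwan-pwk" + sender.spi.to_bytes(4, "big") + receiver.spi.to_bytes(4, "big")
    return hkdf(shared, salt, info, 32)                          # 32 bytes for AES-256


class WanEdge:
    def __init__(self, system_ip: str, spi: int):
        self.priv_key = os.urandom(32)                           # "red" value, never leaves the box
        self.nonce = os.urandom(16)
        self.announcement = TlocAnnouncement(
            system_ip, x25519(self.priv_key, BASE_POINT), self.nonce, spi)

    def pairwise_sa_keys(self, peer: TlocAnnouncement) -> dict:
        """Shared secret with this one peer, then one key per direction (inbound/outbound SA)."""
        shared = x25519(self.priv_key, peer.pub_key)
        me = self.announcement
        return {"outbound": _direction_key(shared, me, peer),
                "inbound": _direction_key(shared, peer, me)}


def vsmart_replicate(announcements: list) -> dict:
    """vSmart forwards every edge's public value, nonce and SPI to every other edge."""
    return {a.system_ip: [b for b in announcements if b is not a] for a in announcements}


def build_pairwise_sas(edges: list) -> dict:
    """Returns {(local_ip, remote_ip): {"inbound": key, "outbound": key}} for every pair."""
    replicated = vsmart_replicate([e.announcement for e in edges])
    sas = {}
    for edge in edges:
        for peer in replicated[edge.announcement.system_ip]:
            sas[(edge.announcement.system_ip, peer.system_ip)] = edge.pairwise_sa_keys(peer)
    return sas


if __name__ == "__main__":
    fabric = build_pairwise_sas([WanEdge("3.1.0.1", 11), WanEdge("3.1.0.3", 12), WanEdge("3.1.0.4", 13)])
    for (src, dst), keys in sorted(fabric.items()):
        print(src, "->", dst, "outbound key prefix", keys["outbound"].hex()[:16])
```

Because the private value never crosses the control plane, a compromised vSmart relaying the public values still cannot compute either direction's key; that is the property the pair-wise design adds over a shared per-TLOC ingress key.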
Data Plane: Pair-wise keying (11)
IOS-XE has an additional configuration setting for the PWK rekey method:
• pwk-sym-rekey (default):
  Rekey local inbound SA, which triggers peer outbound and inbound SA rekey.
  Then, after receiving the first packet with the new SPI from the peer, do local outbound SA rekey.
  This method requires higher control plane CPU usage, resulting in lower session scaling.
• no pwk-sym-rekey:
  Rekey local inbound SA, which triggers peer outbound SA rekey.

cEdge1#show sdwan running-config | sec security
security
 ipsec
  rekey 3600
  replay-window 1024
  authentication-type sha1-hmac
  pairwise-keying
  pwk-sym-rekey
Data Plane: Pair-wise keying (12)
Changing the PWK setting on a cEdge requires a device reload!

cEdge1#show sdwan security-info
security-info authentication-type SHA1_HMAC
security-info rekey 3600
security-info replay-window 1024
security-info encryption-supported "AES_GCM_256 (and AES_256_CBC for multicast)"
security-info fips-mode Disabled
security-info pairwise-keying Enabled
security-info pwk-sym-rekey Enabled
cEdge1#config-transaction
admin connected from 127.0.0.1 using console on cEdge1
cEdge1(config)# no security ipsec pairwise-keying
cEdge1(config)# no security ipsec pwk-sym-rekey
cEdge1(config)# commit
Commit complete.
cEdge1(config)# end
Dec 2 12:39:14.179: %IOSXE-5-PLATFORM: R0/0: VDAEMON: New pairwise key setting will take effect after reboot!
Dec 2 12:39:14.180: %IOSXE-5-PLATFORM: R0/0: TTMD: New pairwise key setting will take effect after reboot!
Dec 2 12:39:14.181: %IOSXE-5-PLATFORM: R0/0: FTMD: New pairwise key setting will take effect after reboot!
Data Plane: Pair-wise keying (13)
cEdge1#show sdwan ipsec pwk inbound-connections
(columns: SOURCE IP, SOURCE PORT, DEST IP, DEST PORT, LOCAL TLOC ADDRESS, LOCAL TLOC COLOR, REMOTE TLOC ADDRESS, REMOTE TLOC COLOR, PWK-SPI, SA INDEX, PKEY ID, NONCE HASH, PKEY HASH, SS HASH, D-KEY HASH, AH AUTH)
192.168.70.9 12346 192.168.70.6 12346 3.1.0.3 gold 3.1.0.1 lte 0005B2 11 5 ADC3 38B5 3DD1 5715 true
192.168.70.3 12346 192.168.70.6 12346 3.1.0.3 gold 3.1.0.4 green 000000 12 0 false

cEdge1#show sdwan ipsec pwk outbound-connections
(columns as above, with E-KEY HASH in place of D-KEY HASH)
192.168.70.6 12346 192.168.70.3 12346 3.1.0.3 gold 3.1.0.4 green 000000 13 0 bcd2 false
192.168.70.6 12346 192.168.70.9 12346 3.1.0.3 gold 3.1.0.1 lte 00B205 12 178 53C4 8D6C 3DD1 D09C true

cEdge1#show sdwan ipsec pwk local-sa
(columns: TLOC-ADDRESS, TLOC-COLOR, SOURCE-IP, SOURCE PORT, SPI, SA INDEX, PKEY ID, NONCE HASH, PKEY HASH)
3.1.0.3 gold 192.168.70.6 12346 264 1 5 ADC3 38B5

cEdge1#show plat hard qfp act feat ipsec data spi
Data Plane: Pair-wise keying (14)
Debugs
cEdge1#debug plat soft sdwan ftm pwk [dump | log]
cEdge1#debug plat soft sdwan ttm pwk [dump | log]
cEdge1#debug plat soft sdwan vdaemon pwk [dump | log]

Sample log after a manual trigger of local rekey below. The debug prints log the generation of the ECDH keypair, ipsec_key, inbound rekey, and outbound rekey.

cEdge1#request platform software sdwan security ipsec-rekey

cEdge1#show logging
*Jul 22 08:39:19.245: %IOSXE-7-PLATFORM: R0/0: VDAEMON: vdaemon_pwk_security_key_gen: vdaemon_security_ipsec_rekey requests to generate full ECDH keypair for wan_if=GigabitEthernet2, color=11
*Jul 22 08:39:19.251: %IOSXE-7-PLATFORM: R0/0: FTMD: ftm_pwk_sa_ipsec_key_update: SS computed for in_pwk_key_id=20, outbound_sa->pwk_key_id=245. LTLOC: 3.1.0.3 : gold, RTLOC: 3.1.0.1 : lte
*Jul 22 08:39:19.251: %IOSXE-7-PLATFORM: R0/0: FTMD: ftm_iosd_ipsec_tunnel_rekey: Enter: rekey (type=1) inbound: tunnel_id=144, ifindex=8, flow_id=0x2400005C
*Jul 22 08:39:20.855: %IOSXE-7-PLATFORM: R0/0: FTMD: ftm_iosd_ipsec_tunnel_rekey: Enter: rekey (type=2) outbound: tunnel_id=144, ifindex=8, flow_id=0x2400005C
Anti-Replay Protection
▪ Encrypted packets are assigned sequence numbers. WAN Edge routers drop packets with duplicate sequence numbers
  - Replayed packet
▪ WAN Edge routers drop packets with sequence numbers lower than the minimal number of the sliding window
  - Maliciously injected packet
▪ Upon receipt of a packet with higher sequence number than received thus far, WAN Edge router will advance the sliding window
▪ Sliding window is COS aware to prevent low priority traffic from "slowing down" high priority traffic (8 queues)
[Diagram: packet sequence numbers plotted against the sliding window: Drop | Accept Range | Advance Window]
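The anti-replay rules above as an added Python example (not Cisco's implementation): a bitmap sliding window sized to the replay-window 1024 setting shown earlier, returning drop-replay for duplicates, drop-stale for sequence numbers below the window, accept inside it and accept-advance above it. The CoS-aware variant assumes one independent window and sequence space per queue; that is an assumption about the slide's 8-queue remark, not a description of the platform internals.

```python
class ReplayWindow:
    """Anti-replay sliding window for one IPsec SA: a bitmap of the last `size` sequence numbers.

    `size` mirrors the `replay-window 1024` line of the security ipsec configuration.
    """

    def __init__(self, size: int = 1024):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0           # bit i set => sequence number (highest - i) already accepted

    def check(self, seq: int) -> str:
        if seq > self.highest:                       # right of the window: advance it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1      # keep only `size` bits
            self.highest = seq
            return "accept-advance"
        offset = self.highest - seq
        if offset >= self.size:                      # left of the window: too old or injected
            return "drop-stale"
        if (self.bitmap >> offset) & 1:              # inside the window but already seen
            return "drop-replay"
        self.bitmap |= 1 << offset                   # inside the window, first time
        return "accept"


class CosAwareReplay:
    """One independent window per class-of-service queue (assumption: 8 queues, each with its
    own sequence number space), so a burst of low-priority packets cannot push the window past
    delayed high-priority packets and get them dropped as stale."""

    def __init__(self, queues: int = 8, size: int = 1024):
        self.windows = [ReplayWindow(size) for _ in range(queues)]

    def check(self, queue: int, seq: int) -> str:
        return self.windows[queue].check(seq)


def replay_trace(events, cos_aware: bool = True):
    """Run a list of (queue, seq) events through a checker and return one verdict per event.

    With cos_aware=False every queue shares a single window, which is the behaviour the
    slide's 8-queue design avoids.
    """
    if cos_aware:
        checker = CosAwareReplay()
        return [checker.check(q, s) for q, s in events]
    single = ReplayWindow()
    return [single.check(s) for _, s in events]


if __name__ == "__main__":
    # Constructed trace: two high-priority packets, a flood on queue 7, then a late packet 3 on queue 0.
    trace = [(0, 1), (0, 2)] + [(7, s) for s in range(1, 3000)] + [(0, 3)]
    print("shared window, late packet:", replay_trace(trace, cos_aware=False)[-1])
    print("per-queue window, late packet:", replay_trace(trace)[-1])
```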
End-to-End Segmentation
[Diagram: VPN 1, VPN 2 and VPN 3 interfaces/VLANs on the ingress WAN Edge map to VPN1/VPN2 inside the SD-WAN IPSec tunnel and back to the matching interface/VLAN on the egress WAN Edge]
Packet layout (bytes): IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data (…)
• Segment connectivity across fabric w/o reliance on underlay transport
• WAN Edge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
Secure Infrastructure: Device Identity

WAN Edge Router Identity (all platforms except ASR1002-X / ENCS / CSR1000v)
• Each physical WAN Edge router is uniquely identified by the chassis ID and certificate serial number [ SUDI certificate ]
• Certificate is stored in on-board Anti Counterfeit Trusted Chip (ACT2)
  - Installed during manufacturing process
  - Unique private key embedded in ACT2
• Certificate is signed by Cisco root CA
  - Trusted by Control Plane elements
[Diagram: during manufacturing, the Device Certificate is written into the ACT2 chip]
Key Use Cases
• Verifying the integrity of a device's identity
• Onboarding a new device – Secure Zero Touch Provisioning
• Secure enrollment within an organization's PKI
WAN Edge Router Identity: OTP based (ASR1002-X / ENCS / CSR1000v)
• No manufactured SUDI certificate
• Trust will be based on OTP [ One Time Password ]
• vManage will create a bootstrap file that is linked to the edge serial number
• File will have to be installed on bootflash: or mounted as cdrom
Key Use Cases
• Verifying the integrity of a device's identity
• Onboarding a new device – [Almost] Secure Zero Touch Provisioning
• Secure enrollment within an organization's PKI
Onsite bootstrap process
Create bootstrapping config -> Upload ciscoSD-WAN.cfg to WAN Edge -> (Upload Enterprise RootCA to WAN Edge) -> Reset SD-WAN config and reload

Onsite bootstrap process: Create bootstrap config
[vManage screenshots of generating the bootstrap configuration; modify manually: remove default from false to true]

Onsite bootstrap process: Upload ciscoSD-WAN.cfg to WAN Edge
scp ISR4331-<serialnumber>.cfg admin@wanedge:ciscosdwan.cfg
Password:
ciscosdwan.cfg 100% 23KB 2.2MB/s 00:00
Connection to WAN Edge6 closed by remote host.
Onsite bootstrap process: Reset and activate
wanedge# request platform software sdwan software reset

Wait for the device to boot. Skip auto install.
Wait a minute or so…

wanedge# show sdwan control connections
(columns: PEER TYPE, PEER PROT, PEER SYSTEM IP, SITE ID, DOMAIN ID, PEER PRIVATE IP, PEER PRIV PORT, PEER PUBLIC IP, PEER PUB PORT, LOCAL COLOR, PROXY, STATE, UPTIME, CONTROLLER GROUP ID)
vsmart dtls 172.16.255.3 200 1 192.168.8.13 12646 192.168.8.13 12646 biz-internet up 0:00:00:16 0
vsmart dtls 172.16.255.3 200 1 192.168.8.13 12646 192.168.8.13 12646 mpls up 0:00:00:13 0
vbond dtls - 0 0 192.168.8.12 12346 192.168.8.12 12346 biz-internet up 0:00:00:16 0
vbond dtls - 0 0 192.168.8.12 12346 192.168.8.12 12346 mpls up 0:00:00:16 0
vmanage dtls 172.16.255.1 200 0 192.168.8.11 12646 192.168.8.11 12646 mpls up 0:00:00:16 0
Cisco PKI certificates authorization
▪ Starting from 19.1.0 software we also introduced Cisco Public Key Infrastructure (PKI) to sign SD-WAN controller certificates
▪ Two options possible:
  ▪ Cisco-Automated controller certificate authorization
  ▪ Manual (suitable for software-based devices as well with no SUDI)

vmanage-mt-01# show certificate root-ca-cert | b "Issuer: OU=Arcturus, O=Cisco, CN=Internal Customer Root CA" | more
Issuer: OU=Arcturus, O=Cisco, CN=Internal Customer Root CA
Validity
Not Before: Aug 24 17:58:48 2018 GMT
Not After : Aug 20 14:59:39 2050 GMT
Subject: O=Cisco, OU=Albireo, CN=Viptela SubCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Cisco PKI certificates authorization - manual
▪ Manual Certificate Authorization: vManage > Administration > Settings
▪ vManage > Configuration > Certificates > Controllers
▪ Manual Certificate Authorization: PnP portal
[Slides (3) to (5): screenshots of the manual authorization steps]
Cisco PKI certificates authorization – automatic
Automatic Certificate Authorization - verify the following conditions are met:
1. vManage version 19.1.0 or higher
2. vManage is configured to use Cisco-Automated controller certificates: Administration > Settings > Controller Certificate Authorization > Cisco-Automated
3. vManage has connectivity to apx.cisco.com on TCP port 443 via VPN 0.
4. Verify the Organization Name has been configured on vManage
5. SA/VA has been set up and the vBond controller profile has been defined on the PnP portal.
6. CCO account associated to the SA/VA is configured in vManage: Administration > Settings > Smart Account Credentials.

Optional: configure a shorter Retrieve Interval, so that vManage checks more often for available certificates: Administration > Settings > Controller Certificate Authorization > Certificate Retrieve Interval

▪ Automatic Certificate Authorization: vManage > Administration > Settings [screenshot]
Cisco PKI certificates authorization – troubleshooting (1)
Monitor the following file: /var/log/nms/vmanage-server.log (tail -f …, show log … tail)

1. Generate the Certificate Signing Request (CSR)

08-Aug-2019 17:23:11,503 UTC INFO [vManage01] [ControllerCertificateHandler] (default task-20) |default| Request CSR Gen successful for <uuid: ef6c60ae-7ae5-44d9-964b-15efa6f1d406, deviceType: vManage>
08-Aug-2019 17:23:11,512 UTC INFO [vmanage] [AlarmsDAO] (vManage-akka.actor.default-dispatcher-5) |default| AlarmsDAO::addAlarm() - Adding alarm {"devices":[{"system-ip":"1.1.1.1"}],"eventname":"security-new-csr-generated","type":"security-new-csr-generated","rulename":"security-new-csr-generated","component":"Security","entry_time":1565284991000,"statcycletime":1565284991000,"message":"Root cert chain installed","severity":"Critical","severity_number":1,"uuid":"86770494-dac1-4c60-8de8-757e06f96afe","values":[{"system-ip":"1.1.1.1","host-name":"vManage01"}],"rule_name_display":"New_CSR_Generated","receive_time":1565284991488,"values_short_display":[{"host-name":"vManage01","system-ip":"1.1.1.1"}],"acknowledged":false,"active":true}
Cisco PKI certificates authorization – troubleshooting (2)
2. vManage should query the PnP portal to retrieve the SA/VA. The SA/VA cannot contain special characters, otherwise the API calls will fail

08-Aug-2019 17:23:11,590 UTC INFO [vManage01] [SmartAccountClientService] (default task-20) |default| Query Smart Account: as/token.oauth2?grant_type=password&client_id=01f0c6f5204248969b2125cf6c79fec2&client_secret=cFCB6A39E12A476D97dDd877f342F738&username=sampleuser&password=*******
08-Aug-2019 17:23:12,599 UTC INFO [vManage01] [SmartAccountClientService] (default task-20) |default| Query network: services/api/software/dms/v2/networks?organizationName=CALO - 100589
08-Aug-2019 17:23:12,599 UTC INFO [vManage01] [RestAPIClient] (default task-20) |default| GET API call to - https://apx.cisco.com:443/services/api/software/dms/v2/networks?organizationName= CALO - 100589
08-Aug-2019 17:23:14,312 UTC INFO [vManage01] [SmartAccountProcessor] (default task-20) |default| Returning pkiParams as CiscoPKIParams{accessToken='MGd7rrROIXdUctuORvBidKixDatc', virtualAccountName=EMEAR-SDWAN', domain='tac.cisco.com'}
Cisco PKI certificates authorization – troubleshooting (3)
3. vManage will do a POST of the CSR to cisco.com via API:
https://apx.cisco.com/services/api/software/dms/v2/smartaccounts/<SmartAccount>/virtualaccounts/<VirtualAccount>/certificates

08-Aug-2019 17:23:14,312 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| URL Content for sending new enrollment req to Cisco:services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates
08-Aug-2019 17:23:14,320 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Enrollment payload is: {"type":"SD-WAN","description":"Enrollment Request!","name":"vmanage_67f2b5c0-8759-48c3-ac9b-7616eb68d138.pem","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIIDTTCCAjUCAQAwgcwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh---snipped-full-cert-----END CERTIFICATE REQUEST-----\n","validityPeriod":"one_year"}, uri: services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates
Cisco PKI certificates authorization – troubleshooting (4)
4. The PnP portal responds with the location of the certificate:

https://apx.cisco.com/services/api/software/dms/v2/smartaccounts/<SmartAccount>/virtualaccounts/<Vir...
222b1f0d1e808ae99bcc7b1bec730ae7
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Enrollment response from Cisco pnp server is: {"status":"ACCEPTED","message":"The request has been submitted for processing","messageCode":"DMS-ASYNC-ACCEPTED","data":{"location":"apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/222b1f0d1e808ae99bcc7b1bec730ae7"}}
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Cisco enrollment response: {"status":"ACCEPTED","message":"The request has been submitted for processing","messageCode":"DMS-ASYNC-ACCEPTED","data":{"location":"apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/222b1f0d1e808ae99bcc7b1bec730ae7"}} status: ACCEPTED
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Location received from PNP server: apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/222b1f0d1e808ae99bcc7b1bec730ae7

Cisco PKI certificates authorization – troubleshooting (5)
5. vManage picks up the controller certificate when the Retrieve Interval is due.
NOTE: the certificate is NOT picked up immediately after the location is received; you must wait until the next pickup thread starts.

08-Aug-2019 18:00:00,005 UTC INFO [vManage01] [CertificatePickUpManager] (CertificatePickUp Sync Timer) || Scheduling certificate pickup Sync timer for retrievalInterval 60 mins
08-Aug-2019 18:00:00,011 UTC INFO [vManage01] [DeviceAdminTechDAO] (admintech-purge-1) || vManageIP:N/A, request IDs list:[]
08-Aug-2019 18:00:00,035 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (certificate-pickup) || Certificate info picked up for TransactionId: apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/7da8e9198da389b83d53846ebf0a05d4, device: bootstrapDeviceInfo [uuid=ef6c60ae-7ae5-44d9-964b-15efa6f1d406, deviceIP=1.1.1.1, deviceType=vmanage, auditLogId=2e5e62cd-cf5b-4c9c-88c3-e9477a24ff89]
08-Aug-2019 18:00:00,053 UTC INFO [vManage01] [SmartAccountProcessor] (certificate-pickup) || Returning pkiParams as CiscoPKIParams{accessToken='wUB66bewC4q2SCmuL708Szhl20qx', virtualAccountName='EMEAR-SDWAN', domain='tac.cisco.com'}
08-Aug-2019 18:00:00,137 UTC INFO [vManage01] [RestAPIClient] (certificate-pickup) || GET API call to - https://apx.cisco.com/services/api/software/dms/v2/smartaccounts/tac.cisco.com/virtualaccounts/EMEAR-SDWAN/certificates/7da8e9198da389b83d53846ebf0a05d4
08-Aug-2019 18:00:02,549 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (certificate-pickup) || Pick Up response from Cisco pnp server is: {"status":"COMPLETE","message":"SUCCESS","messageCode":"DMS-SUCCESS","totalRows":1,"pageSize":1,"startIdx":0,"data":[{"certificate":"MIIFozCCA4ug--snipped-full-cert=="}]}
08-Aug-2019 18:00:02,759 UTC INFO [vManage01] [ControllerLifeCycleDAO] (certificate-pickup) || CERTIFICATE VALIDITY START TIME=Thu Aug 08 17:48:01 UTC 2019, DEVICE CURRENT TIME=Thu Aug 08 18:00:02 UTC 2019
08-Aug-2019 18:00:02,759 UTC INFO [vManage01] [CertificateEnrollmentManager] (certificate-pickup) || SignedPEM pick up done .. ALL Ready to install certificate for bootstrapDeviceInfo [uuid=ef6c60ae-7ae5-44d9-964b-15efa6f1d406, deviceIP=1.1.1.1, deviceType=vmanage, auditLogId=2e5e62cd-cf5b-4c9c-88c3-e9477a24ff89]

Cisco PKI certificates authorization – troubleshooting (6)
6. Finally, the certificate is installed:
08-Aug-2019 18:00:03,014 UTC INFO [vManage01] [CertificateRequestHandler] (certificate-pickup) || Processing Install Cert Request <requestToken: 2e5e62cd-cf5b-4c9c-88c3-e9477a24ff89, certSerialNumber: 244473F1EC4FAE909CAC881542E3A9153A90EB12, deviceUUID: ef6c60ae-7ae5-44d9-964b-15efa6f1d406, commonName: vmanage-ef6c60ae-7ae5-44d9-964b-15efa6f1d406-10.viptela.com, deviceTenantComponent: com.viptela.vmanage.server.di.DaggerApplicationComponent$TenantComponentImpl@d59a29e>
08-Aug-2019 18:00:03,099 UTC INFO [vManage01] [DeviceLifeCycleTaskHandlerDAO] (certificate-pickup) || starting task install_certificate for requestUUID 2e5e62cd-cf5b-4c9c-88c3-e9477a24ff89

08-Aug-2019 18:00:03,979 UTC INFO [vManage01] [SendDeviceListWorker] (send-device-list-0) || For controller <uuid: ef6c60ae-7ae5-44d9-964b-15efa6f1d406, deviceType: vManage>, Command to be executed=<request xmlns="http://viptela.com/actions">
<vsmart-upload xmlns="http://viptela.com/actions">
<serial-file xmlns="http://viptela.com/actions">
<file xmlns="http://viptela.com/actions">H4sIAAAAAAAAADMyMTExN3YzdHU2cXN0tTSwdHZ0trAwNDUxcjV2tDQ0BRIGrk6GRjpliTmZKTrBIS66Po5OusEu4Y5+XAA0Lx8VPQAAAA==</file>
<version xmlns="http://viptela.com/actions">9223372036854775807</version>
</serial-file>
</vsmart-upload>
</request>

08-Aug-2019 18:00:04,524 UTC INFO [vManage01] [SendDeviceListWorker] (send-device-list-0) || push_vsmart_list successfully done on device (vManage-ef6c60ae-7ae5-44d9-964b-15efa6f1d406)

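The six steps above can be read back out of the vManage server log automatically. The parser below is an added example (not Cisco code and not from these slides): it walks constructed log lines in the same format as those shown, groups the events of each enrollment by the certificate location (the TransactionId), reports which step each enrollment reached and how long it waited for the pickup thread, and redacts the client_secret and accessToken values that the log prints in clear before echoing any line. All IDs, tokens, accounts and addresses in the sample are made up.

```python
import re
from datetime import datetime

# Constructed sample modelled on the vManage log lines shown on these slides.
# Every ID, token, address and account name is made up; only the line format is real.
SAMPLE_LOG = """\
08-Aug-2019 17:23:11,590 UTC INFO [vManage01] [SmartAccountClientService] (default task-20) |default| Query Smart Account: as/token.oauth2?grant_type=password&client_id=0123abcd&client_secret=EXAMPLESECRET&username=sampleuser&password=*******
08-Aug-2019 17:23:14,312 UTC INFO [vManage01] [SmartAccountProcessor] (default task-20) |default| Returning pkiParams as CiscoPKIParams{accessToken='EXAMPLETOKEN', virtualAccountName='EXAMPLE-VA', domain='example.com'}
08-Aug-2019 17:23:14,320 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Enrollment payload is: {"type":"SD-WAN","name":"vmanage_11111111-2222-3333-4444-555555555555.pem","csr":"-----BEGIN CERTIFICATE REQUEST-----snipped-----END CERTIFICATE REQUEST-----","validityPeriod":"one_year"}, uri: services/api/software/dms/v2/smartaccounts/example.com/virtualaccounts/EXAMPLE-VA/certificates
08-Aug-2019 17:23:18,140 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-20) |default| Location received from PNP server: apx.cisco.com/services/api/software/dms/v2/smartaccounts/example.com/virtualaccounts/EXAMPLE-VA/certificates/0123456789abcdef0123456789abcdef
08-Aug-2019 17:25:00,000 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-21) |default| Enrollment payload is: {"type":"SD-WAN","name":"vmanage_66666666-7777-8888-9999-000000000000.pem","csr":"snipped","validityPeriod":"one_year"}, uri: services/api/software/dms/v2/smartaccounts/example.com/virtualaccounts/EXAMPLE-VA/certificates
08-Aug-2019 17:25:02,000 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (default task-21) |default| Location received from PNP server: apx.cisco.com/services/api/software/dms/v2/smartaccounts/example.com/virtualaccounts/EXAMPLE-VA/certificates/fedcba9876543210fedcba9876543210
08-Aug-2019 18:00:00,005 UTC INFO [vManage01] [CertificatePickUpManager] (CertificatePickUp Sync Timer) || Scheduling certificate pickup Sync timer for retrievalInterval 60 mins
08-Aug-2019 18:00:00,035 UTC INFO [vManage01] [CiscoCertificateEnrollmentManager] (certificate-pickup) || Certificate info picked up for TransactionId: apx.cisco.com/services/api/software/dms/v2/smartaccounts/example.com/virtualaccounts/EXAMPLE-VA/certificates/0123456789abcdef0123456789abcdef, device: bootstrapDeviceInfo [uuid=11111111-2222-3333-4444-555555555555, deviceIP=10.255.0.1, deviceType=vmanage, auditLogId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee]
08-Aug-2019 18:00:03,099 UTC INFO [vManage01] [DeviceLifeCycleTaskHandlerDAO] (certificate-pickup) || starting task install_certificate for requestUUID aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
"""

TS_FMT = "%d-%b-%Y %H:%M:%S,%f"
# timestamp, level, node, class, (thread), |tenant|, message
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) UTC \w+ \[\w+\] \[(?P<cls>\w+)\] "
                     r"\((?P<thread>[^)]*)\) \|[^|]*\| (?P<msg>.*)$")
UUID = r"([0-9a-f-]{36})"
SECRET_RES = [
    (re.compile(r"(client_secret=)[^&\s]+"), r"\1<redacted>"),
    (re.compile(r"(accessToken=')[^']*'"), r"\1<redacted>'"),
]


def redact(text):
    """Mask the OAuth client secret and access token the log prints in clear."""
    for rx, repl in SECRET_RES:
        text = rx.sub(repl, text)
    return text


def parse_timeline(text):
    """Return ({location: record}, retrievalInterval_minutes) from log text."""
    enrollments = {}    # certificate location -> record
    pending = {}        # thread -> device uuid from the last enrollment payload on it
    by_audit = {}       # auditLogId -> location (the install task is keyed by it)
    interval = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        thread, msg = m["thread"], m["msg"]
        if (p := re.search(r'"name":"vmanage_' + UUID + r'\.pem"', msg)):
            pending[thread] = p.group(1)                       # step 3: CSR posted
        elif (loc := re.search(r"Location received from PNP server: (\S+)", msg)):
            enrollments[loc.group(1)] = {"device": pending.pop(thread, None),
                                         "accepted": ts, "picked_up": None, "installed": None}
        elif (iv := re.search(r"retrievalInterval (\d+) mins", msg)):
            interval = int(iv.group(1))                         # pickup thread period
        elif (pk := re.search(r"TransactionId: (\S+), device: bootstrapDeviceInfo \[uuid="
                              + UUID + r".*auditLogId=" + UUID + r"\]", msg)):
            location, uuid, audit = pk.groups()                # step 5: picked up
            rec = enrollments.setdefault(location, {"device": uuid, "accepted": None,
                                                    "picked_up": None, "installed": None})
            rec["picked_up"] = ts
            by_audit[audit] = location
        elif (ins := re.search(r"install_certificate for requestUUID " + UUID, msg)):
            if (location := by_audit.get(ins.group(1))):      # step 6: installed
                enrollments[location]["installed"] = ts
    return enrollments, interval


def summarize(enrollments, interval):
    """One row per enrollment: device, stage reached, minutes waited for pickup."""
    rows = []
    for location, r in enrollments.items():
        if r["installed"]:
            stage = "INSTALLED"
        elif r["picked_up"]:
            stage = "PICKED_UP"
        else:
            stage = "ACCEPTED, waiting for pickup thread"
            if interval:
                stage += f" (every {interval} mins)"
        wait = None
        if r["accepted"] and r["picked_up"]:
            wait = round((r["picked_up"] - r["accepted"]).total_seconds() / 60, 1)
        rows.append({"location": location.rsplit("/", 1)[-1], "device": r["device"],
                     "stage": stage, "pickup_wait_min": wait})
    return rows


if __name__ == "__main__":
    for row in summarize(*parse_timeline(SAMPLE_LOG)):
        print(row)
    print(redact(SAMPLE_LOG.splitlines()[0]))
```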
SDWAN security
SD-WAN Security
[Diagram: vManage (in the cloud or on-prem) providing provisioning, managing, monitoring, reporting and troubleshooting for the platforms below]
• Branch Edge (Embedded) – ISR 4000, ISR 1000, ASR1K: Full Edge Security (Enterprise FW App Aware, IPS, URL filter, DNS/web-layer security, AMP / Threatgrid)
• Branch Edge (Cloud) – ENCS w/ISRv: only App Aware FW and DNS/web-layer security
• vEdges: only FW and DNS/web-layer security

Secure Infrastructure: locking down edge access
Lock down edge access
[Diagram: WAN edge with interface Gig1 facing the Internet]
Enable only what is required to be open on the VPN0 interface.

Lock down edge access
[Diagram: WAN edge with interface Gig1 facing the Internet]
Modify the local user admin password (AAA template).

Secure Infrastructure: password change enforcement
Password change enforcement (1)
Starting with IOS-XE SDWAN software 16.10.3/16.12.1, the default user admin is set as 'one-time': when a user logs in for the first time (e.g. new router, config reset), the username admin is removed.
Example of a login on a fresh new router:

User Access Verification

Username: admin
Password:
Router#
Jan 22 07:42:50.193: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: LOCAL] [localport: 0] at 07:42:50 UTC Wed Jan 22 2020
Jan 22 07:42:50.193: SDWAN INFO: WARNING: Please configure a new username and password; one-time user admin is removed.
Jan 22 07:42:50.472: %SYS-5-CONFIG_P: Configured programmatically by process iosp_vty_100001_dmi_nesd from console as NETCONF on vty31266
Jan 22 07:42:50.473: %DMI-5-CONFIG_I: R0/0: nesd: Configured from NETCONF/RESTCONF by system, transaction-id 6

Password change enforcement (2)
16.12.2
The user is prompted for a new admin password on the first login, on the console or through SSH.

User Access Verification

Username: admin
Password:

Default admin password needs to be changed.

Enter new password:
Confirm password:
Router>

Password change enforcement (3)
What does it mean? Don't get screwed!
Continuation of the example: 10 minutes have passed with admin idle and no user configured (16.12.1e software):
Router con0 is now available

Press RETURN to get started.

Jan 22 07:52:50.363: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 0 (0.0.0.0)), user admin
Jan 22 07:52:50.364: %SYS-6-LOGOUT: User admin has exited tty session 0()

User Access Verification

Username: admin
Password:
% Login invalid

Password change enforcement (4)
What if I did get screwed?
IOS-XE SD-WAN uses a somewhat trickier password recovery method than ordinary IOS-XE because of the presence of the CDB:

• Power cycle and force the router into ROMmon with the break sequence (ctrl+break, ctrl+c).
• Change the config register to 0xA102 or 0x8000.
• Reset the router.
• Log in with the default credentials (admin:admin).
• Change the configuration register back to 0x2102 and execute request platform sdwan software reset (this also wipes out all existing configuration).
• The router reboots with the software specified in packages.conf.
• Log in again with the default credentials, and don't forget to change them this time!

Direct Internet Access
Direct Internet Access Basics
[Diagram: branch with hybrid WAN transport – MPLS towards the private cloud, Direct Internet Access towards the Internet and public cloud]

DIA Advantages
• Better Application Performance
• Reduced bandwidth usage
• Lower bandwidth cost

DIA Security Challenges
• Traffic bypasses security tools at the HQ
• Added security needs at the branch for each DIA use case

Direct Internet Access (NAT)
Configuring DIA – Enable NAT on Internet interface template

Configuring DIA – Add leaked default route to VPN0 on service VPN template

Configuring DIA – Add a leaking default route to VPN0

DIA translation into IOS-XE SDWAN config

interface GigabitEthernet3
 description Internet Link
 <....>
 ip nat outside
!
! New command to leak from VPN 1 to VPN 0:
ip nat route vrf 1 0.0.0.0 0.0.0.0 global
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet3 overload

FIA's Applied on Packet by PPE thread
[Diagram: ESP / QFP complex – FECP, crypto assist, packet buffer, BQS, TCAM, DRAM/SRAM, dispatcher and Packet Processor Engines PPE1 … PPEN, each running threads 1–4; RPs, ESP and SIPs joined by the interconnect. A PPE thread applies the Input FIA and Output FIA feature chains to the packet. Feature labels shown: Input ACL, INPUT_VFR, Netflow, NBAR Classify, MQC Classify, NAT, IP Unicast, PBR, Dialer IDLE Rst, URD, OUTPUT_NAT]

NAT In → Out – OUTPUT_NAT
[Diagram: the OUTPUT_NAT feature of the Output FIA expanded. Flow labels shown, in order: In → Out Check → Session Lookup (Hit / Miss) → Child Session Lookup (Hit / Miss) → Door (PPE DB) → Allocate Addr / Drop → L3/L4 Translation → L7 Translation (ALG) → Session Create → IPV4 OUTPUT NAT]

Glimpse in the future (17.2.1): Secure Internet Gateway (SIG)
SD-WAN (Viptela) Integration – Secure direct internet access (DIA) locations
[Diagram: Data Center and Branch joined by the SD-WAN fabric (MPLS); DIA from the Branch to Internet/SaaS through Umbrella]

Today: Send DNS requests to Umbrella
• Deploy to hundreds of devices in minutes, within a single dashboard
• Gain DNS-layer protection at branch office locations
• Create policies and view reports on a per-VPN basis

Today: Deploy tunnels to forward DIA traffic
• Apply additional inspection/security (firewall, proxy)

Next: Automated provisioning to Umbrella
• Scale security with future SaaS/web traffic growth via minimal-touch provisioning in a single dashboard

SD-WAN Update – Viptela cEdge and vEdge
DNS-Layer Integration Device & Feature Support
[Table: each feature marked against the columns "As of June 2019" and "Planned"; the marks themselves are not recoverable from the slide text]
• DNS Redirection (can be to Google DNS server or Umbrella DNS server)
• Auto-Registration (Device Registration via APIs)
• DNS Security (DNSCrypt & EDNS)
• Policy Alignment via Viptela VPN (Network Devices in Umbrella)
• Local Domain bypass

SD-WAN Update – Viptela cEdge
[Table: each feature marked against the columns "As of June 2019" and "Plan for March 2020"; the marks themselves are not recoverable from the slide text]
• Manual Tunnels to Umbrella
• Auto Org On-boarding
• Automated Tunnels

Cisco DNA Packages for SD-WAN
[Tiered table: DNA Premier, DNA Advantage and DNA Essentials, top tier first; each tier includes the tiers below it. Feature rows in slide order:]
• Umbrella Insights | File Analysis (TG)
• URL Filtering* | AMP* | SSL Inspection | flexible Netflow and ETA
• vAnalytics | WAAS | AppQoE (web-caching & DRE)* | Unlimited segmentation
• Integrated Voice* | Cross-Domain Policy* | Advanced SLA policy
• IOS Stateful Firewall | Intrusion Prevention System (IPS) | Umbrella DNS Monitoring
• Dynamic Routing – BGP & OSPF | App & Basic SLA-based policy
• Dynamic Multi-Path with FEC & Packet Duplication | TCP Optimization | ZTP
• IPv4 and IPv6 support | Cisco Cube Connector | VNF Lifecycle Management
• Hub & Spoke Topologies | Full Mesh Topologies (less than 50 sites in DNA Essentials)
• Cloud Management of SD-WAN solution through vManage

Enterprise App Aware Firewall
SDWAN Security: Enterprise App aware Firewall
Phase 1 (16.10):
• Enterprise Firewall – 1400+ layer 7 apps classified
• Intrusion Protection System – most widely deployed IPS engine in the world
• URL-Filtering – Cisco Web reputation score using 82+ web security categories
• Simplified Cloud Security – easy deployment for Cisco Umbrella
Phase 2 (16.12):
• Adv. Malware Protection – with File Reputation and Sandboxing
Cisco SD-WAN: hours instead of weeks and months

Enterprise App Aware Firewall
[Diagram: Edge Device with an Inside Zone (Users, Service-VPN 1), a Guest Zone (Devices, Service-VPN 2) and an Outside Zone (SaaS / Internet). An inspect policy allows only the return traffic of sessions towards the Outside Zone and drops any new connections initiated from it.]
• Zone Policies
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Allow or block traffic by application category or specific application
• Segmentation
• PCI compliance

Enterprise App Aware Firewall: Scenarios
Ent. Firewall App Aware: Intra-Zone Security
[Diagram: SD-WAN Site A and SD-WAN Site B, each a WAN Edge with hosts in zone VPN1, connected across the SD-WAN Fabric; the zone-pair is VPN1 to VPN1. Default Action: D(rop) / I(nspect) / P(ass). Note: optional 5-tuple matching.]

Ent. Firewall App Aware: Inter-Zone Security
[Diagram: SD-WAN Site A and SD-WAN Site B connected across the SD-WAN Fabric; VPN1-VPN2 route leaking on the WAN Edge, zone-pair from zone VPN1 to zone VPN2 with hosts on both sides. Default Action: D(rop) / I(nspect) / P(ass). Note: optional 5-tuple matching.]

Ent. Firewall App Aware: DIA / DCA
[Diagram: WAN Edge at SD-WAN Site A with VPN1-VPN0 route leaking; zone VPN1 (host) to zone VPN0 (NAT towards the Internet and a web server). Default Action: D(rop) / I(nspect) / P(ass). Note: optional 5-tuple matching.]

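To make the Drop / Inspect / Pass semantics of these three scenarios concrete, here is an added example (not Cisco code and not from these slides) that models a zone-based firewall the way the deck describes it: zones named after the VPNs plus the self zone, zone-pairs with sequence rules (optional 5-tuple matching) and a default action, inspect creating a session so that only return traffic is accepted, pass creating no session, the "zone pair without policy" drop, and the self zone's permit-all default that only lasts until the self zone is used in a zone-pair with that peer zone (the bi-directional best practice covered later in this section). Zone names, addresses and ports are constructed; this is a teaching model, not the QFP implementation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One packet as the edge sees it: ingress/egress zone plus the 5-tuple."""
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                          # "tcp", "udp", "icmp", "gre", ...


@dataclass
class Rule:
    """One sequence rule of a zone-pair policy; unset fields match anything."""
    action: str                         # "inspect" | "pass" | "drop"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_prefix: Optional[str] = None    # e.g. "10.1.0.0/24" (constructed)

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.src_prefix and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_prefix):
            return False
        return True


@dataclass
class ZonePair:
    source: str
    destination: str
    rules: list = field(default_factory=list)
    default: str = "drop"               # Default Action: D / I / P


class ZoneBasedFirewall:
    def __init__(self, zone_pairs):
        self.pairs = {(zp.source, zp.destination): zp for zp in zone_pairs}
        # Zones that share a configured zone-pair with self: the opposite direction
        # then needs its own zone-pair, otherwise it is "zone pair without policy".
        self.self_peers = ({zp.destination for zp in zone_pairs if zp.source == "self"}
                           | {zp.source for zp in zone_pairs if zp.destination == "self"})
        self.sessions = set()           # 5-tuples of inspected flows (the session DB)

    def process(self, p: Packet):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.sessions or reverse in self.sessions:
            return "pass", "session lookup hit"          # return traffic of an inspected flow
        zp = self.pairs.get((p.src_zone, p.dst_zone))
        if zp is None:                                    # session miss and no zone-pair
            other = p.dst_zone if p.src_zone == "self" else p.src_zone
            if "self" in (p.src_zone, p.dst_zone) and other not in self.self_peers:
                return "pass", "self zone unconfigured: permit all"
            return "drop", "zone pair without policy"
        for rule in zp.rules:                             # policy selection + classification
            if rule.matches(p):
                action, reason = rule.action, f"rule {rule.action}"
                break
        else:
            action, reason = zp.default, f"default action {zp.default}"
        if action == "inspect":
            self.sessions.add(key)                        # Action = Inspect: create session
            return "pass", reason + ", session created"
        return action, reason                             # pass creates no session


def demo():
    """Run the DIA and self-zone scenarios; returns [(label, verdict, reason)]."""
    fw = ZoneBasedFirewall([
        # DIA: service VPN1 -> VPN0 (Internet); only HTTPS from the LAN prefix is inspected
        ZonePair("VPN1", "VPN0", [Rule("inspect", proto="tcp", dport=443, src_prefix="10.1.0.0/24")]),
        # Outside -> self: DTLS control connections are passed, not inspected
        ZonePair("VPN0", "self", [Rule("pass", proto="udp", dport=12346)]),
    ])
    steps = [
        ("host opens HTTPS to Internet", Packet("VPN1", "VPN0", "10.1.0.10", 40000, "203.0.113.5", 443, "tcp")),
        ("HTTPS return traffic", Packet("VPN0", "VPN1", "203.0.113.5", 443, "10.1.0.10", 40000, "tcp")),
        ("new SSH from Internet to host", Packet("VPN0", "VPN1", "198.51.100.7", 55000, "10.1.0.10", 22, "tcp")),
        ("host FTP to Internet", Packet("VPN1", "VPN0", "10.1.0.10", 40001, "203.0.113.5", 21, "tcp")),
        ("DTLS from controller to edge", Packet("VPN0", "self", "192.0.2.1", 12346, "198.51.100.200", 12346, "udp")),
        ("DTLS reply from edge (no self->VPN0 pair)", Packet("self", "VPN0", "198.51.100.200", 12346, "192.0.2.1", 12346, "udp")),
        ("host pings the edge from VPN1", Packet("VPN1", "self", "10.1.0.10", 0, "10.1.0.1", 0, "icmp")),
    ]
    return [(label, *fw.process(p)) for label, p in steps]


if __name__ == "__main__":
    for label, verdict, reason in demo():
        print(f"{label:45s} {verdict:5s} {reason}")
```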
Enterprise App Aware Firewall: packet processing
App aware Enterprise Firewall: Packet Flow
[Diagram: ESP / QFP complex – FECP, crypto assist, packet buffer, BQS, TCAM, DRAM/SRAM, dispatcher and Packet Processor Engines PPE1 … PPEN; RPs, ESP and SIPs joined by the interconnect]

FIA's Applied on Packet by PPE thread
[Diagram: the same QFP complex with the Input FIA and Output FIA feature chains applied by a PPE thread. Feature labels shown: Input ACL, Netflow, NBAR Classify, MQC Classify, NAT, IP Unicast, PBR, Dialer IDLE Rst, URD, OUTPUT_INSPECT]

Inside Output Threat Inspect
[Diagram: the OUTPUT_INSPECT feature expanded. Flow labels shown: Session Lookup (precise + imprecise) → Hit: Pass; Miss → Input Policy Selection → Classify Traffic (NBAR classification) → Drop / Pass / Inspect → Create Session (Session DB) → L4 Inspection → L7 Parse → L7 Inspection → Imprecise Channel Creation → Output]

Inside Output Threat Inspect
[Diagram: the same OUTPUT_INSPECT flow, annotated:]
• Session Lookup uses the Session DB in DRAM; the imprecise lookup is done only for initial packets (syn…)
• Input Policy Selection: µIDB input+output ➔ Zone Pair ➔ Policy
• Classify Traffic: match each class-map in the policy (ACLs in TCAM), including NBAR classification
• If Action = Inspect, create the session flow in the DB
• L4 Inspection: PDU reassembly, parsing
• L7 Parse (HTTP GET, POST, …), L7 Inspection, then Action Mapping
• Imprecise Channel Creation: child session creation (data flow from FTP, RTP flow from SIP, …)
• IPV4 OUTPUT INSPECT

Inside Output Threat Inspect
[Diagram: the OUTPUT_INSPECT flow (Session Lookup → Policy Selection → Classify Traffic → Drop / Pass / Inspect → Create Session → L4 Inspection → L7 Parse → L7 Inspection → Imprecise Channel Creation → IPV4 OUTPUT INSPECT), with the Session DB contents shown by:]

show policy-firewall session platform
--show platform hardware qfp active feature firewall datapath scb any any any any any all any --
[s=session i=imprecise channel c=control channel d=data channel]
172.18.25.66 58513 10.0.0.1 1967 proto 6 (0:0)[sc]
172.18.25.66 59869 10.0.0.1 1967 proto 17 (0:0)[sc]
172.18.25.66 59824 10.2.6.254 1967 proto 6 (0:0)[sc]
172.18.25.66 56338 10.11.32.15 6665 proto 17 (0:0)[sd]

Inside Output Threat Inspect
[Diagram: the OUTPUT_INSPECT flow, with a single session from the Session DB shown in detail by:]

show policy-firewall session platform tcp destination-port 80 detail
--show platform hardware qfp active feature firewall datapath scb any any any 80 6 all any detail--
[s=session i=imprecise channel c=control channel d=data channel]
172.18.25.66 53471 213.94.72.66 80 proto 6 (0:0)[sc]
nxt_timeout: 100, refcnt: 1, ha nak cnt: 0, rg: 0, sess id: 32584
ingress/egress intf: GigabitEthernet0/0/2 (1021), GigabitEthernet0/0/3 (65526)
current time 1384744571498 create tstamp: 1384690046997 last access: 1384690179236
syncookie fixup: 0x0
…

Inside Output Threat Inspect
[Diagram: the OUTPUT_INSPECT flow, with the firewall memory pools behind the Session DB shown by:]

show policy-firewall statistics platform
…
==FW memory info==
                       ------------Total History----------
Chunk-Pool     Inuse  |Allocated  Freed   Alloc_Fail|
FW Sessions ------------------------------------------------------------
scb            33      32851      32818   0
hostdb         0       11747      11747   0
ICMP Error     0       0          0       0
dst pool       0       0          0       0
…

Reading the scb row: Inuse = number of sessions active; Allocated = number of sessions allocated through the lifetime of the FW; Freed = number of sessions freed through the lifetime of the FW; Alloc_Fail = number of memory allocation failures. The hostdb pool is used for Synflood protection.

Inside Output Threat Inspect
[Diagram: the OUTPUT_INSPECT flow again – Session Lookup (precise + imprecise) → Hit: Pass; Miss → Input Policy Selection → Classify Traffic including NBAR → Drop / Pass / Inspect → Create Session (Session DB) → L4 Inspection → L7 Parse → L7 Inspection → Imprecise Channel Creation → IPV4 OUTPUT INSPECT – with the Drop outcomes highlighted]

Post ZBF FIA Continuation
[Diagram: the Output FIA continues after OUTPUT_INSPECT with VFR_REFRAG and L2_REWRITE]

ZBF Packet Flow (cont.)
[Diagram: ESP / QFP complex – FECP, crypto assist, packet buffer, BQS, TCAM, DRAM/SRAM, dispatcher and Packet Processor Engines PPE1 … PPEN; RPs, ESP and SIPs joined by the interconnect]

Enterprise App Aware Firewall: Configuration
Enterprise App Aware Firewall Configuration
vManage >> Security >> Add Security Policy

Enterprise App Aware Firewall Configuration
Create zones and zone-pairs by clicking on 'Apply Zone-Pairs'.

Enterprise App Aware Firewall Configuration
Create zones by selecting 'New Zone List', or select the existing zones.
When you click on 'New Zone List', this dialog appears.

Enterprise App Aware Firewall Configuration

• Next step is to configure sequence rules for zone-pairs.
• Options available:
  • Source Port / Destination Port
  • Source Data Prefix / Destination Data Prefix
  • Protocol
  • Application / Application-family list (AppFw)
• You must choose one of the above in order to configure an application list.

Enterprise App Aware Firewall Configuration
Create a sequence rule by configuring a Match condition. For example, protocol tcp is configured with port 8002 here.

Enterprise App Aware Firewall Configuration
Choose Actions for the match condition – it can be Pass, Inspect or Drop.

Enterprise App Aware Firewall Configuration
You can create multiple sequences. Let's create a sequence with Source Data Prefix. You can create a new one by clicking on 'New Data Prefix List'.

Enterprise App Aware Firewall Configuration
After creating the list, you can see the prefix list displayed in the options and you can choose it.

Enterprise App Aware Firewall Configuration
At the end, your screen should look like this.

Enterprise App Aware Firewall Configuration
If you want to match traffic based on applications, you should create a list and add it to the policy. You should choose one of the L4 attributes and then apply the application list on it.

Ent. Firewall App Aware: Configuration
You can create a list of applications / application families, then select the same list in the previous dialog.
[Callout: "We will drop these apps!"]

Enterprise App Aware Firewall Configuration
Once you have selected the Match conditions, switch to Actions. For App Firewall, only Inspect is supported.

Enterprise App Aware Firewall Configuration

• DNS… a protocol that is overlooked by many
• Privacy vs. the need for control in the Enterprise
  • DNS-over-(D)TLS
  • DNS-over-HTTPS
• DNS over (D)TLS can be blocked easily by the Enterprise App Aware Firewall:
  TLS | New port: TCP/853 | Existing implementations | Middleboxes need to have this port blocked
  DTLS | UDP based: UDP/853 | Not widely used | Middleboxes need to have this port blocked

Enterprise App Aware Firewall: Self zone
What is the self zone?

• The WAN edge "itself"
• Any interface IP address is part of the self-zone
• Any traffic going to be punted [to the RP] is subject to the self-zone policy
• Any traffic from the RP [inject] is subject to the self-zone policy
• By default [if unconfigured], the self-zone has a "permit all" policy

• Is in-transit SDWAN traffic subject to the self-zone?
  No! In-transit traffic is evaluated against the traditional zone-pair policies.
Configure Self-Zone Through vManage

Self-zone configuration translated in CLI

zone security inet_zone
 vpn 0
zone-pair security inet_to_self source inet_zone destination self
 service-policy type inspect self_zone_policy
zone-pair security self_to_inet source self destination inet_zone
 service-policy type inspect self_zone_policy

Self-zone configuration best practices

• BFD sessions are not subject to the firewall self-zone policy.
• On VPN 0, always configure a bi-directional policy, so that returning traffic to self is not dropped as "Zone pair without policy".
• Always configure a proper bi-directional policy for the DTLS control connections!
• By default, traffic from a service VPN to the self zone is always allowed. If the router needs to be locked down, a bi-directional policy must be configured for every service VPN.
• GRE can't be inspected; it must use pass.

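These best practices can be checked mechanically against the CLI that vManage renders (in the form shown on the previous slide). The checker below is an added example, not Cisco code: it parses a constructed configuration and reports zone-pairs that carry no service-policy, self-zone pairs that lack their reverse direction, and classes that match GRE but use inspect instead of pass. The zone and zone-pair lines follow the slide's form; the access-list, class-map and policy-map lines are constructed for the example and are the classic IOS-XE zone-based firewall syntax.

```python
# Constructed sample: zone / zone-pair lines follow the previous slide's CLI;
# the ACL, class-map and policy-map blocks are made up for this example.
SAMPLE_CFG = """\
ip access-list extended dtls-acl
 permit udp any any eq 12346
ip access-list extended gre-acl
 permit gre any any
class-map type inspect match-any dtls-class
 match access-group name dtls-acl
class-map type inspect match-any gre-class
 match access-group name gre-acl
policy-map type inspect self_zone_policy
 class type inspect dtls-class
  pass
 class type inspect gre-class
  inspect
 class class-default
  drop
zone security inet_zone
 vpn 0
zone security vpn1_zone
 vpn 1
zone-pair security inet_to_self source inet_zone destination self
 service-policy type inspect self_zone_policy
zone-pair security self_to_inet source self destination inet_zone
zone-pair security vpn1_to_self source vpn1_zone destination self
 service-policy type inspect self_zone_policy
"""


def parse(cfg):
    """Split the firewall-relevant blocks of an IOS-XE style config into dicts."""
    acls, classes, policies, pairs = {}, {}, {}, {}
    block, cur_class = None, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):                 # top-level statement opens a block
            cur_class = None
            if t[:3] == ["ip", "access-list", "extended"]:
                block = ("acl", t[3])
                acls[t[3]] = []
            elif t[:3] == ["class-map", "type", "inspect"]:
                block = ("class", t[4])              # t[3] is match-any / match-all
                classes[t[4]] = []
            elif t[:3] == ["policy-map", "type", "inspect"]:
                block = ("policy", t[3])
                policies[t[3]] = {}
            elif t[:2] == ["zone-pair", "security"]:
                block = ("pair", t[2])
                pairs[t[2]] = {"source": t[4], "destination": t[6], "policy": None}
            else:
                block = None
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "acl" and t[0] == "permit":
            acls[name].append(t[1])                  # protocol of each ACE (udp, gre, 47, ...)
        elif kind == "class" and t[:3] == ["match", "access-group", "name"]:
            classes[name].append(t[3])
        elif kind == "policy" and t[0] == "class":
            cur_class = t[3] if t[:3] == ["class", "type", "inspect"] else None  # skip class-default
            if cur_class:
                policies[name].setdefault(cur_class, None)
        elif kind == "policy" and cur_class and t[0] in ("inspect", "pass", "drop"):
            policies[name][cur_class] = t[0]
        elif kind == "pair" and t[:3] == ["service-policy", "type", "inspect"]:
            pairs[name]["policy"] = t[3]
    return acls, classes, policies, pairs


def audit(cfg):
    """Return one finding string per self-zone best-practice violation."""
    acls, classes, policies, pairs = parse(cfg)
    findings = []
    directions = {(p["source"], p["destination"]) for p in pairs.values()}
    for name, p in pairs.items():
        if p["policy"] is None:
            findings.append(f"{name}: zone-pair without service-policy; its traffic is "
                            f"dropped as 'Zone pair without policy'")
        if "self" in (p["source"], p["destination"]) and \
                (p["destination"], p["source"]) not in directions:
            findings.append(f"{name}: no reverse zone-pair {p['destination']} -> "
                            f"{p['source']}; self-zone policy must be bi-directional")
    for pname, actions in policies.items():
        for cname, action in actions.items():
            matches_gre = any(proto in ("gre", "47")
                              for acl in classes.get(cname, []) for proto in acls.get(acl, []))
            if matches_gre and action != "pass":
                findings.append(f"{pname}/{cname}: GRE cannot be inspected; use pass (found {action})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```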
Self-zone: What management protocol/ports to allow?

Outside to self
Source | Protocol/Port(s) | Destination
NOC subnet | SSH (TCP/22) | VPN 0 outside IPv4/v6
Internet | ICMP | VPN 0 outside IPv4/v6

Self to Outside
Source | Protocol/Port(s) | Destination
VPN 0 outside IPv4/v6 | ICMP | Internet

Self-zone: Which services to allow?

Outside to self
Source | Protocol/Port(s) | Destination
Internet | DTLS/IPSECoUDP | VPN 0 outside IPv4/v6
Neighboring router IPv4/v6 | OSPF or BGP | VPN 0 outside IPv4/v6

Self to Outside
Source | Protocol/Port(s) | Destination
VPN 0 outside IPv4/v6 | DTLS/IPSECoUDP | Internet
VPN 0 outside IPv4/v6 | OSPF or BGP | Neighboring router IPv4/v6

Self-zone: Which services to allow?
Source Protocol/Port(s) Destination

internet
Outside to self
Router
Self zone
Internet DTLS/IPSECoUDP VPN 0 outside IPv4/v6

Neighboring router IPv4/v6 OSPF or BGP VPN 0 outside IPv4/v6

Source Protocol/Port(s) Destination

internet
Router Self to Outside
self zone

VPN 0 outside IPv4/v6 DTLS/IPSECoUDP Internet

VPN 0 outside IPv4/v6 OSPF or BGP Neighboring router IPv4/v6

TECSEC-2355 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 132
SDWAN Port Handling and Firewall

• By default, all Viptela devices use base port 12346 for establishing the connections that handle control and traffic in the overlay network. Each device uses this port when establishing connections with other Viptela devices.
• Port Offset
  • Used when multiple Viptela devices are installed behind a single NAT device. For NAT devices that can differentiate among the devices behind the NAT, you do not need to configure the port offset.
  • A different port number is used for each device so that the NAT can properly identify each individual device.
  • The port offset is relative to the base port 12346. For example, a device with a port offset of 1 uses port 12347. The port offset can be a value from 0 through 19. The default port offset is 0.
• Port Hopping
  • Devices try different ports when attempting to establish connections with each other in the event that a connection attempt on the first port fails.
  • After such a failure, the port value is incremented and the connection attempt is retried. The software rotates through a total of five base ports, waiting longer and longer between each connection attempt.
  • If you have not configured a port offset, the default base port is 12346, and port hopping is done sequentially among ports 12346, 12366, 12386, 12406, and 12426, and then returning to port 12346.

https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
Edge Routers – Base Ports

• When a vEdge router joins the overlay network, it establishes DTLS control plane connections with the controller devices: the vBond orchestrator, the vManage NMS, and the vSmart controller (DTLS over UDP to each of them).
• When initially establishing these DTLS connections, the vEdge router uses the base port 12346. If it is unable to establish a connection using this base port, it port-hops through ports 12366, 12386, 12406, and 12426, returning, if necessary, to 12346.
• This same port number is used to establish the IPsec connections and BFD sessions to the other vEdge routers in the overlay network.
• Command: show control local-properties

Diagram: vBond, vManage and vSmart are each reached over DTLS/UDP; the two vEdge routers (INET and MPLS transports) use UDP ports 12346, 12366, 12386, 12406 and 12426.
Controllers – Base Ports

• The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7.
• Each core is allocated separate base ports for control connections. The base ports differ, depending on whether the connection is over a DTLS tunnel (which uses UDP) or a TLS tunnel (which uses TCP).
• vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.

Diagram (DTLS/UDP base ports):
  vBond: 12346
  vManage and vSmart, per core: Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 - 13046
Firewall Ports for Viptela Deployments
Default – No Port Offset Configured and DTLS

Diagram (UDP base ports; red in the original signifies the primary protocol or first port used):
  vBond – IP1 / vBond – IP2: UDP 12346
  vManage – IP1: Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 – 13046
  vSmart – IP1 / vSmart – IP2: Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 – 13046
  Edge <-> Firewall <-> Edge: UDP 12346, 12366, 12386, 12406, 12426

vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.

The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7. Each core is allocated separate base ports for control connections.

• vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• Edges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all Edges.
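The base-port, port-offset and port-hopping rules from the last four slides, turned into a small allow-list generator for the firewall in front of the edges. This is an added example for this deck, not Cisco code. It assumes, following the Viptela firewall-ports document linked above, that a configured port offset shifts every hop port (offset 1 gives 12347, 12367, ...), and that the controllers' DTLS/UDP ports follow the Core0 - 12346 ... Core7 - 13046 pattern shown; the TLS/TCP controller ports are not on these slides and are not covered. Function and constant names are the example's own.

```python
"""Derive the UDP ports a perimeter firewall must permit for Cisco SD-WAN
control and data-plane connections. Added example, not Cisco code."""

BASE_PORT = 12346   # default base port, port offset 0
HOP_STEP = 20       # port hopping: 12346, 12366, 12386, 12406, 12426
HOP_COUNT = 5       # the software rotates through five base ports
MAX_OFFSET = 19     # port offset is 0..19
CORE_STEP = 100     # controller DTLS ports: Core0 12346, Core1 12446, ... Core7 13046
MAX_CORES = 8       # vManage/vSmart run on up to eight vCPUs


def edge_port_hop_sequence(offset=0):
    """Ports an edge tries, in order, for its DTLS/IPsec/BFD connections.

    Assumption (from the Viptela firewall-ports document): a port offset
    shifts every hop port, so offset 1 gives 12347, 12367, 12387, 12407, 12427.
    """
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError(f"port offset must be 0..{MAX_OFFSET}, got {offset}")
    return [BASE_PORT + offset + HOP_STEP * i for i in range(HOP_COUNT)]


def controller_core_ports(cores=MAX_CORES):
    """DTLS (UDP) base ports of a vManage or vSmart with the given vCPU count."""
    if not 1 <= cores <= MAX_CORES:
        raise ValueError(f"controllers run on 1..{MAX_CORES} cores, got {cores}")
    return [BASE_PORT + CORE_STEP * core for core in range(cores)]


def vbond_ports():
    """vBond does not support multiple cores: always DTLS over UDP/12346."""
    return [BASE_PORT]


def firewall_allow_list(edge_offsets=(0,), vmanage_cores=MAX_CORES, vsmart_cores=MAX_CORES):
    """UDP ports to permit, grouped by the peer they belong to.

    edge_offsets: the port offsets configured on the edges behind this
    firewall (several when more than one edge shares one NAT address).
    """
    edge_ports = sorted({p for off in edge_offsets for p in edge_port_hop_sequence(off)})
    return {
        # inbound to every edge: all five hop ports, because an edge may hop
        "edge_udp": edge_ports,
        # to/from any vBond address: 12346 only (vBond IPs are not elastic)
        "vbond_udp": vbond_ports(),
        "vmanage_udp": controller_core_ports(vmanage_cores),
        "vsmart_udp": controller_core_ports(vsmart_cores),
    }


def is_sdwan_control_port(port, allow_list):
    """True if a UDP port belongs to any group of the allow-list (log triage aid)."""
    return any(port in ports for ports in allow_list.values())


if __name__ == "__main__":
    for group, ports in firewall_allow_list(edge_offsets=(0, 1)).items():
        print(f"{group:12s} {ports}")
```

Running it with two edges behind one NAT (offsets 0 and 1) prints ten edge ports rather than five; that is the case the port-offset slide describes, and it is the case most often missed when a firewall rule was written for a single edge.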
Enterprise App Aware Firewall: High speed logging

High Speed Logging [HSL] for Zone based firewall

• Why not use IOS syslog as the logger?
  • IOS logger is text based [slow, since strings need to be formatted]
  • QFP to IOS messages are rate-limited by the system in order to protect the RP
  • IOSd syslogs will show only part of the messages, which is not suitable for production

• Zone-Based Firewall (ZBFW) High Speed Logging (HSL) is handled from the datapath itself
  • Netflow v9 based
  • https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-16/sec-data-zbf-xe-16-book/sec-data-fw-hsl.html
  • Collectors: Splunk
High Speed Logging in a nutshell

• Traffic flows across the firewall on the WAN Edge
• Some sessions are allowed
• Some sessions are dropped
• Inside the QFP complex (Packet Processor Engines PPE1 ... PPEN, dispatcher, packet buffer, BQS), per-session statistics are processed for each session
• The per-session statistics are exported from the datapath to the collector

Diagram: WAN Edge with its QFP complex on one side, the Collector on the other.
Configuring HSL: Template configuration

Audit Trail – off: logging dropped packets only
Audit Trail – on: logging every session
Configuring HSL: CLI configuration

cEdge(config)# parameter-map type inspect-global
cEdge(config-profile)# log flow-export v9 udp destination <dst ipaddr> <dst port> vrf <VRF label>

Where <dst ipaddr> = destination IP address of the data collector
      <dst port>   = destination UDP port of the data collector
      <VRF label>  = VRF label/VPN #
Configuring HSL: CLI configuration example

parameter-map type inspect-global
 log flow-export v9 udp destination 10.20.25.18 2055 vrf 1
 log flow-export template timeout-rate 60
 log dropped-packets
vpn zone security
HSL best practices and limitations

• Source interface provisioning is not supported by vManage.
• IPv6 addresses are not yet supported.
• Only one HSL destination is possible.
• High-Speed Logging and System Logging are mutually exclusive.
• HSL records are only generated when one of the following is configured:
  • "log dropped-packets" (default), or
  • "audit-trail on", or
  • "drop log" or "pass log".
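HSL records are NetFlow v9 datagrams, so a collector has to decode a template flowset before it can decode any data flowset, and it has to keep templates across datagrams (the template is re-sent only every timeout-rate seconds, 60 in the example above). The following collector-side decoder is an added example, not Cisco or Splunk code. The export packet it decodes is constructed inline with a generic IANA field subset (source/destination address and port, protocol) rather than the Cisco-specific field layout of the real ZBFW HSL template, and the function names are the example's own.

```python
"""Minimal NetFlow v9 decoder of the kind an HSL collector needs.
Added example, not Cisco code; the sample export is constructed below."""
import struct
from ipaddress import IPv4Address

# Generic IANA NetFlow v9 field types used by the constructed template.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip"}
DEMO_TEMPLATE_ID = 256          # data flowset ids start at 256
DEMO_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]   # (type, length)


def _decode(ftype, raw):
    if ftype in (8, 12):
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Decode one export datagram; returns (header, records).

    templates maps template id -> field list and must be passed back in on
    every call: a data flowset whose template has not been seen yet is
    skipped, which is what happens on a freshly started collector.
    """
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("truncated NetFlow v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                      # template flowset, may hold several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0 or pos + 4 * nfields > len(body):
                    break                        # padding or malformed template
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif flowset_id >= 256:                  # data flowset (id 1 = options template, ignored)
            fields = templates.get(flowset_id)
            if fields:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):   # trailing bytes < rec_len are padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += length
    return header, records


def build_sample_export(include_template=True):
    """Constructed export: one template (optional) plus two data records."""
    tmpl = struct.pack("!HH", DEMO_TEMPLATE_ID, len(DEMO_FIELDS)) + b"".join(
        struct.pack("!HH", t, l) for t, l in DEMO_FIELDS)
    flowsets, nrecords = b"", 0
    if include_template:
        flowsets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
        nrecords += 1

    def rec(src, dst, sport, dport, proto):
        return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HHB", sport, dport, proto)

    data = rec("10.1.1.10", "192.0.2.50", 51000, 443, 6) + rec("10.1.1.11", "198.51.100.7", 40000, 23, 6)
    nrecords += 2
    pad = (-len(data)) % 4                      # flowsets are padded to 4-byte boundaries
    flowsets += struct.pack("!HH", DEMO_TEMPLATE_ID, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, nrecords, 123456, 1577836800, 7, 0)
    return header + flowsets


if __name__ == "__main__":
    cache = {}
    for r in parse_netflow_v9(build_sample_export(), cache)[1]:
        print(r)
```

The template cache is the part worth copying into a real collector: with `log flow-export template timeout-rate 60`, a collector restarted between two template refreshes drops every data record for up to a minute, and a collector that forgets templates between datagrams decodes nothing at all.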
Enterprise App Aware Firewall: Troubleshooting and monitoring

Enterprise App Aware Firewall Monitoring

• Firewall Traffic Profiling:
  • Inspected Traffic
  • Dropped Traffic
  • Device and Policy Specific Traffic Analytics

Enterprise App Aware Firewall Monitoring
Overall Dashboard – Firewall Enforcement; Device Dashboard - Firewall

Enterprise App Aware Firewall Monitoring
Users can check 'Inspected' and 'Dropped' traffic here

Enterprise App Aware Firewall Monitoring
Device & Policy Specific Data

Enterprise App Aware Firewall Commands
Real-time commands can be reached in vManage via Monitor -> Network -> Select Device -> Real Time

Enterprise App Aware Firewall Commands
This translates to "show sdwan zonebfwdp sessions" in CLI

Enterprise App Aware Firewall Commands
This translates to "show sdwan zbfw drop-statistics" in CLI

Enterprise App Aware Firewall Commands
This translates to "show sdwan zbfw zonepair-statistics" in CLI
Enterprise App Aware Firewall Debug Commands

pm5#show policy-firewall sessions platform
[s=session i=imprecise channel c=control channel d=data channel]
14.38.112.250 41392 14.36.1.206 23 proto 6 (0:0) [sc]

pm5#show platform hardware qfp active feature firewall drop all
-------------------------------------------------------------------------------
Drop Reason Packets
-------------------------------------------------------------------------------
Invalid L4 header 0
Invalid ACK flag 0
Invalid ACK number 0
...

pm5#show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
SD-WANImplicitAclDrop 39 6240
UnconfiguredIpv4Fia 1 171
UnconfiguredIpv6Fia 192 21454
Enterprise App Aware Firewall: Demo

Enterprise App Aware Firewall Debug Commands

pm5#show platform hardware qfp active feature firewall datapath zonepair 0 0
idx:66 zp:(1 inet_to_zone_1) key(1->2)
flag: 0x1
Policy Valid (0x00000001)
tcam region: 0xea1411b0 tcam cmd: 0x20000000

pm5#show platform software firewall FP active zones
Forwarding Manager Firewall Zone Configurations

Zone Name: inet_zone, parameter-map: (null), Obj-id 1
Zone Name: zone1, parameter-map: (null), Obj-id 2
Zone Name: zone2, parameter-map: (null), Obj-id 3
Zone Name: service, parameter-map: (null), Obj-id 65534
Zone Name: self, parameter-map: (null), Obj-id 65535

pm5#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/2 Gi0/0/0 DROP 183 (FirewallPolicy)
1 Gi0/0/2 Gi0/0/0 DROP 183 (FirewallPolicy)
Enterprise App Aware Firewall Debug Commands
pm5#show platform packet-trace packet 0
Packet: 0 CBUG ID: 2980
Summary
Input : GigabitEthernet0/0/2
Output : GigabitEthernet0/0/0
State : DROP 183 (FirewallPolicy)
Timestamp
Start : 1207843476722162 ns (04/15/2014 12:37:01.103864 UTC)
Stop : 1207843477247782 ns (04/15/2014 12:37:01.104390 UTC)
Path Trace
Feature: IPV4
Source : 10.1.1.1
Destination : 192.168.1.1
Protocol : 1 (ICMP)
Feature: ZBFW
Action : Drop
Reason : ICMP policy drop:classify result
Zone-pair name : INSIDE_OUTSIDE_ZP
Class-map name : class-default
Packet Copy In
c89c1d51 5702000c 29f9d528 08004500 00540000 40004001 ac640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415
Packet Copy Out
c89c1d51 5702000c 29f9d528 08004500 00540000 40003f01 ad640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415

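A parser for the packet-trace output above, as an added example (not Cisco code): it collects the Summary fields and the per-feature Path Trace fields into a dict and turns the ZBFW entry into a one-line triage verdict. The sample text is a copy of the trace on this slide. Worth reading off the result: a Drop with a class-map of class-default means no configured class in that zone-pair matched the packet, so the policy's implicit default applied, which is the usual sign of a missing permit rather than a deliberate block. Function names are the example's own.

```python
"""Parse 'show platform packet-trace packet N' output into a dict and
summarise a firewall drop. Added example, not Cisco code."""
import re

# Constructed sample: the trace shown on the slide, copied verbatim.
SAMPLE_TRACE = """\
Packet: 0 CBUG ID: 2980
Summary
Input : GigabitEthernet0/0/2
Output : GigabitEthernet0/0/0
State : DROP 183 (FirewallPolicy)
Timestamp
Start : 1207843476722162 ns (04/15/2014 12:37:01.103864 UTC)
Stop : 1207843477247782 ns (04/15/2014 12:37:01.104390 UTC)
Path Trace
Feature: IPV4
Source : 10.1.1.1
Destination : 192.168.1.1
Protocol : 1 (ICMP)
Feature: ZBFW
Action : Drop
Reason : ICMP policy drop:classify result
Zone-pair name : INSIDE_OUTSIDE_ZP
Class-map name : class-default
Packet Copy In
c89c1d51 5702000c 29f9d528 08004500 00540000 40004001 ac640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415
Packet Copy Out
c89c1d51 5702000c 29f9d528 08004500 00540000 40003f01 ad640e26 70fa0e24
01010800 172a2741 00016459 4d5310e4 0c000809 0a0b0c0d 0e0f1011 12131415
"""

KEY_VALUE = re.compile(r"^([A-Za-z][\w /-]*?)\s*:\s*(.*)$")   # "Key : value", key up to first ':'
STATE = re.compile(r"^(\w+)\s+(\d+)\s+\((.+)\)$")              # "DROP 183 (FirewallPolicy)"


def parse_packet_trace(text):
    """Return {'input', 'output', 'state', ..., 'features': [{'name', <field>: value}]}."""
    trace = {"features": []}
    section, feature = "header", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Summary", "Timestamp", "Path Trace"):
            section, feature = line, None
            continue
        if line.startswith("Packet Copy"):        # hex dump follows; nothing to parse
            section = "copy"
            continue
        if section in ("copy", "Timestamp"):
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Feature":                      # starts a new Path Trace entry
            feature = {"name": value}
            trace["features"].append(feature)
        elif section == "Path Trace" and feature is not None:
            feature[key] = value
        elif section in ("header", "Summary"):
            trace[key.lower()] = value
    return trace


def parse_state(state):
    """'DROP 183 (FirewallPolicy)' -> ('DROP', 183, 'FirewallPolicy')."""
    m = STATE.match(state)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else (state, None, None)


def feature(trace, name):
    return next((f for f in trace["features"] if f["name"] == name), None)


def firewall_verdict(trace):
    """The ZBFW decision recorded in the trace, or None if ZBFW was not in the path."""
    zbfw = feature(trace, "ZBFW")
    if zbfw is None:
        return None
    return {"action": zbfw.get("Action"), "reason": zbfw.get("Reason"),
            "zone_pair": zbfw.get("Zone-pair name"), "class_map": zbfw.get("Class-map name")}


def triage(trace):
    """One line for a ticket: verdict, flow, interfaces and the firewall reason."""
    verb, code, reason = parse_state(trace.get("state", ""))
    ipv4 = feature(trace, "IPV4") or {}
    line = (f"{verb} {ipv4.get('Source', '?')} -> {ipv4.get('Destination', '?')} "
            f"{ipv4.get('Protocol', '')} in {trace.get('input')} out {trace.get('output')}")
    if code is not None:
        line += f": {reason} ({code})"
    fw = firewall_verdict(trace)
    if fw and fw["action"] == "Drop":
        line += f"; ZBFW dropped on zone-pair {fw['zone_pair']} class-map {fw['class_map']}: {fw['reason']}"
    return line


if __name__ == "__main__":
    print(triage(parse_packet_trace(SAMPLE_TRACE)))
```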
Intrusion Prevention

SDWAN Security: Intrusion Prevention

• Enterprise Firewall: +1400 layer 7 apps classified
• Intrusion Protection System: most widely deployed IPS engine in the world
• URL-Filtering (Phase 1): Cisco Web reputation score using 82+ web security categories
• Simplified Cloud Security: easy deployment for Cisco Umbrella
• Adv. Malware Protection (Phase 2): with File Reputation and Sandboxing
• Cisco SD-WAN: hours instead of weeks and months
Intrusion Prevention

• Snort is the most widely deployed IPS engine in the world
• Backed by global Threat Intelligence (TALOS); signatures updated automatically
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance

Diagram: IPS running as an on-site service on the WAN edge.
Intrusion Prevention: packet flow

Intrusion Prevention – Packet Flow

The slides build the datapath up one stage at a time; in order, a packet traverses:

Ingress interface -> QFP packet processing: Input features -> Forwarding Decision -> NBAR Classification -> App aware Firewall -> UTD redirect -> Redirect? YES! -> GRE over VPG1 interface -> UTD container (Processing) -> Output features
Intrusion Prevention – Packet Flow: Snort inspection

Example Snort rule evaluated in the IPS container:

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:9;)

Inside the UTD container (IPS container processing):
• Flow Diversion: the packet (MAC / IP / TCP / HTTP / HTTP_CLIENT_BODY) arrives from the datapath
• Snort Engine: Packet Decoder -> Preprocessors -> Detection Engine (signature rules) -> Output Module (alerts, logs)
• Inspection covers L3 – 7, L2/3 sessions, File, AppId
• Verdict: Forward, Drop or Reset
• Flow Insertion: the packet is handed back to the datapath (Output features -> Egress interface)

Datapath (QFP packet processing): Ingress interface -> Input features -> Forwarding Decision -> NBAR Classification -> App aware Firewall -> UTD redirect -> Redirect? YES!
Intrusion Prevention – From container to outside

The slides build the return path up one stage at a time; in order, a packet leaving the container traverses:

UTD container (Processing) -> "Built-in" GRE Tunnel600001 (Ingress interface) -> Input features -> Forwarding Decision -> UTD inspection (Action: Reinject) -> NAT -> Output features
Intrusion Prevention – Diversion control by the container

Snort decides if a flow needs further inspection. If inspection is not required anymore, Snort is going to request the datapath to stop redirecting to the container.

While redirection is active: Ingress interface -> Input features -> Forwarding Decision -> NBAR Classification -> App aware Firewall -> UTD redirect -> Redirect? YES! -> GRE over VPG1 interface -> UTD container

Once Snort has asked for the diversion to stop, the same flow answers Redirect? No at the UTD redirect step and is no longer sent to the container.
Intrusion Prevention - Overview

• UTD consists of two FIA entries, a policy FIA and a divert FIA.
• If Ent. Firewall App Aware is configured, UTD will be invoked after Ent. Firewall App Aware, allowing Ent. Firewall App Aware to protect IDS/IPS.
• If UTD is enabled on an interface, the policy FIA will mark the packet for UTD inspection and pass it on to the UTD divert FIA.
• Packets which are marked for inspection will be diverted from the dataplane to Snort via the UTD divert FIA.
• When packets are re-injected by AppNAV, they are sent to the egress FIA using the extended FIA path. When the re-injected packet reaches UTD divert, it is placed on the normal FIA path for final processing and transmission.
• Based on the status reported by the AppNAV health monitor and the fail-open/fail-close configuration, packets are either forwarded to Snort or sent to egress without any diversion.

Diagram (Packet Flow): Control plane (IOSd, IOS configuration) and Service plane (container with Snort Engine and DAQ) sit above the Data Plane, where the FIA path runs ZBF -> UTD Policy -> UTD Divert -> AppNAV -> Egress FIA, with the extended FIA (Ext FIA) path used for re-injected packets.
Intrusion Prevention: configuration

Intrusion Prevention – Configuration Workflow

• Find the compatible App Hosting Image Version
• Upload App Hosting images to the Software Repository
• Create a Security Policy template
• Create an App Hosting Profile template
• Create a Device Template (specifying the security policy and App Hosting profile templates)
• Attach the device template to one or more devices
Intrusion Prevention – Compatible Image Version
Download the App Hosting TAR file from CCO

TAR file name              Applicable platform
secapp-*.x86_64.tar        x86_64 - ISR-4300/ISR4400/ISR-4221X/CSR1000v/ISRv
secapp-*.aarch64_be.tar    ARM-based - C1111X-8P, C1161X-8P, C1127X-8PMLTEP, C1126X-8PLTEP, C1127X-8PLTEP, C1121X-8PLTEP, C1161X-8PLTEP, C1121X-8P

Note: Each router image version (16.10.1, 16.11.1 etc.) has its own range of supported app versions.
Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device (Monitor -> Network)

Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device type (select the device – CSR in the example below)

Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device type (click on Real Time)

Intrusion Prevention – Compatible Image Version
Find the compatible range of application versions for the device type (type UTD Version Status in the search box)

https://software.cisco.com/download/home/286321991/type/286321980/release/16.9.3

Intrusion Prevention - Upload App Hosting Image
Intrusion Prevention – Policy Configuration

Intrusion Prevention – Policy Template Configuration
• Choose signature set (Connectivity/Balanced/Security)
• Choose mode of operation (Detection/Protection)
• Choose an existing whitelist profile or create a new one
• Choose alert level for syslogs
• Attach VPNs
• Configure logging (External)
• Configure fail-open/fail-close
IPS – Policy Configuration
vManage >> Security >> Add Security Policy (choose IPS from custom)

IPS – Policy Configuration
Choose signature set (Connectivity/Balanced/Security)
IPS – Policy Configuration
Choose signature set (Connectivity/Balanced/Security)

Connectivity:
• CVSS Score = 10
• CVE year is current - 2 (So, for example, 2020, 2019, 2018)

Balanced:
• CVSS Score >= 9
• CVE year is current - 2 (For example, 2020, 2019, 2018)
• MALWARE-CNC rules
• EXPLOIT-KIT rules
• SQL Injection rules
• Blacklist rules
• Includes the rules in the Connectivity over Security policy.

Security:
• CVSS Score >= 8
• CVE year is current - 3 (For example, 2020, 2019, 2018, 2017)
• MALWARE-CNC rules
• EXPLOIT-KIT rules
• SQL Injection rules
• Blacklist rules
• App-detect rules
• Includes the rules in the Connectivity over Security and Balanced policies.
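The criteria above describe the three sets as a whole; which set a given rule belongs to, and whether it alerts or drops there, is carried in the rule's own metadata (the rule on the earlier packet-flow slide lists all three sets with a drop action). The parser below is an added example, not Cisco or Snort code: it parses a rule's header and options, extracts the per-set policy actions from the metadata, and derives the effective action for a chosen set and mode on the assumption that Detection mode only alerts while Protection mode applies the rule's own action. The first rule is the one from the slide; the second is constructed for the example (local sid range), and the function names are the example's own.

```python
"""Read signature-set membership and action out of a Snort rule's metadata.
Added example, not Cisco or Snort code."""
import re

# Rule shown on the packet-flow slide (sid 5808), joined onto one line.
SAH_AGENT_RULE = (
    'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent '
    'known malicious user agent - SAH Agent"; flow:to_server,established; '
    'content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, '
    'policy connectivity-ips drop, policy security-ips drop, service http; '
    'classtype:misc-activity; sid:5808; rev:9;)'
)

# Constructed rule for this example: Security set only, alert action, a ';' inside msg.
CONSTRUCTED_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED example rule; '
    'security set only"; flow:to_server,established; content:"User-Agent|3A| Example"; '
    'metadata:policy security-ips alert, service http; classtype:misc-activity; '
    'sid:1000001; rev:1;)'
)

RULE_HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$", re.S)


def _split_options(body):
    """Split the option body on ';' characters that are not inside double quotes."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_snort_rule(text):
    """Parse one rule into header fields plus an options dict.

    Whitespace runs are collapsed first so a rule wrapped over several lines
    (as on the slide) parses; repeated options such as several 'content'
    keep only the last value, which is fine for the metadata fields used here.
    """
    m = RULE_HEADER.match(" ".join(text.split()))
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in _split_options(body):
        key, _, val = opt.partition(":")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        options[key.strip()] = val
    return {"action": action, "proto": proto, "src": src, "src_port": sport,
            "direction": direction, "dst": dst, "dst_port": dport,
            "msg": options.get("msg"), "classtype": options.get("classtype"),
            "sid": int(options["sid"]), "rev": int(options.get("rev", 0)),
            "options": options}


def policy_sets(rule):
    """{'balanced': 'drop', ...} from 'metadata:policy balanced-ips drop, ...'."""
    sets = {}
    for item in rule["options"].get("metadata", "").split(","):
        words = item.split()
        if len(words) == 3 and words[0] == "policy" and words[1].endswith("-ips"):
            sets[words[1][:-len("-ips")]] = words[2]
    return sets


def effective_action(rule, signature_set, mode):
    """Action the device takes for a chosen set and mode; None if the rule is not in the set.

    Assumption: Detection mode only alerts; Protection mode applies the metadata action.
    """
    if mode not in ("detection", "protection"):
        raise ValueError("mode must be 'detection' or 'protection'")
    action = policy_sets(rule).get(signature_set)
    if action is None:
        return None
    return "alert" if mode == "detection" else action


if __name__ == "__main__":
    for text in (SAH_AGENT_RULE, CONSTRUCTED_RULE):
        r = parse_snort_rule(text)
        print(r["sid"], r["msg"], policy_sets(r))
```

Run over a downloaded signature package this gives the count of rules that will actually drop under the chosen set and mode, which is the number to review before switching a branch from Detection to Protection.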
IPS – Policy Configuration
Choose mode of operation (Detection/Protection)

IPS – Policy Configuration
Choose signature whitelist profile (optional)

IPS – Policy Configuration
Choose alert level for syslogs

IPS – Policy Configuration
Specify the VPNs for which this Intrusion Prevention Policy is applicable
IPS – App Hosting Profile
Determines the number of CPU cores, amount of memory and disk reserved for the Service plane (IPS/IDS)

Configuration -> Templates
• Click on the Feature Template tab
• Click on Add Template (or edit an existing Feature Template – not shown)
• Click on one or more devices on the left (CSR selected here)
• Select UTD Security Policy Template from the Basic Information section to arrive at this page
• Select the Resource Profile for the IPS/IDS application
IPS – Policy configuration
IPS/IDS Signature update

Administration -> Settings
Scroll down to the IPS Signature Update section and click on Edit

• Specify the username and password to use for signature package download from CCO
• Specify how often vManage should download and check the signature packages in order to push them down to the devices
IPS – Container upgrade

• Upgrade Container (two possible scenarios)
  • Upgrade container image for an existing router image
  • Upgrade container image after a router image upgrade

Upgrade container image for an existing router image:
• Maintenance -> Software Upgrade
• Select one or more devices for which the IPS/IDS application needs to be upgraded and click on Upgrade Container
• Choose the Upgrade to Version from the drop-down list and click on Upgrade

Upgrade container image after a router image upgrade:
• After the router image is upgraded, find out the compatible range of app versions for the new router image from the Real Time page as described earlier in Container installation
• Upload the application image file with a compatible version to the Virtual Images Software Repository
• Upgrade the application image file from Maintenance -> Software Upgrade -> Upgrade Container as described previously
Intrusion Prevention: Automatic provisioning

Snort IPS – Configuration steps by vManage

Generic container configuration:
• Copy Snort tar to flash and install
• Configure and activate Snort VM

Snort IPS specific configuration:
• Configure IPS policies
• Enable IPS, global or per VPN
Intrusion Prevention – Troubleshooting

Top Signature Violations dashboard
Signatures seen by the devices running IPS in the network.
Two views:
• Threats by severity (over time)
• Total threat count (for the selected time period)

Real time data of a device
Monitor -> Network -> Select a Device -> Real Time

IPS not inspecting traffic (vManage side)
• Check top signature violations for the entire network in the dashboard as described earlier
• Check device level alerts in the Device events page

Verify IPS inspection (vManage side), contd.
• Check that the engine is GREEN

Verify IPS inspection (device side)
• show utd eng standard logging events – to view alert messages from Snort for malicious traffic
• show platform hardware qfp active feature utd stats divert – to view the number of packets sent to/received from the container. The counts should match up.

Signature package updates not working
Device level events screen – Monitor -> Network -> Select Device -> Events -> search for the utd-update-type-ips notification type
Demo
packet-tracer output and conditional debugs
cedge6#show platform packet-trace packet 14
Packet: 14 CBUG ID: 3849209
Summary
Input : GigabitEthernet2
Output : internal0/0/svc_eng:0
State : PUNT 64 (Service Engine packet)
Timestamp
Start : 1196238208743284 ns (05/08/2019 10:50:36.836575 UTC)
Stop : 1196238208842625 ns (05/08/2019 10:50:36.836675 UTC)
Path Trace
Feature: IPV4(Input)
Input : GigabitEthernet2
Output : <unknown>
Source : 192.168.16.254
Destination : 151.101.129.67
Protocol : 6 (TCP)
SrcPort : 35568
DstPort : 443
Feature: DEBUG_COND_INPUT_PKT
Entry : Input - 0x8177c67c
Input : GigabitEthernet2
Output : <unknown>
Lapsed time : 2933 ns
<removed>

Packet from LAN to container

packet-tracer output and conditional debugs (2)

Feature: UTD Policy (First FIA)
Action : Divert
Input interface : GigabitEthernet2
Egress interface: GigabitEthernet3
Feature: OUTPUT_UTD_FIRST_INSPECT
Entry : Output - 0x817cc5b8
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 136260 ns
Feature: UTD Inspection Action: Divert to container
Action : Divert
Input interface : GigabitEthernet2
Egress interface: GigabitEthernet3
Feature: OUTPUT_UTD_FINAL_INSPECT
Entry : Output - 0x817cc5e8
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 43546 ns
<removed>

Packet from LAN to container

packet-tracer output and conditional debugs (3)
<removed>
Feature: IPV4_OUTPUT_LOOKUP_PROCESS_EXT
Entry : Output - 0x81781bb4
Input : GigabitEthernet2
Output : Tunnel6000001
<removed>
Feature: IPV4_INPUT_LOOKUP_PROCESS_EXT
Entry : Output - 0x8177c698
Input : Tunnel6000001
Output : VirtualPortGroup1
Lapsed time : 880 ns
<removed>
Feature: OUTPUT_SERVICE_ENGINE
Entry : Output - 0x817c6b10
Input : Tunnel6000001
Output : internal0/0/svc_eng:0
Lapsed time : 15086 ns
<removed>
Feature: INTERNAL_TRANSMIT_PKT_EXT
Entry : Output - 0x8177c718
Input : Tunnel6000001
Output : internal0/0/svc_eng:0 Transmitting internally to the container
Lapsed time : 43986 ns

Packet from LAN to container

packet-tracer output and conditional debugs (4)
cedge6#show platform packet-trace packet 15
Packet: 15 CBUG ID: 3849210
Summary
Input : Tunnel6000001
Output : GigabitEthernet3 Tunnel6000001 is the container egress interface
State : FWD
<removed>
Feature: UTD Inspection
Action : Reinject
Input interface : GigabitEthernet2
Egress interface: GigabitEthernet3
Feature: OUTPUT_UTD_FINAL_INSPECT_EXT
Entry : Output - 0x817cc5e8
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 12933 ns
<removed>
Feature: NAT
Direction : IN to OUT
Traffic is translated on VPN 0 interface
Action : Translate Source
Steps :
Match id : 1
Old Address : 192.168.16.254 35568
New Address : 172.16.16.254 05062

Feature: MARMOT_SPA_D_TRANSMIT_PKT
Entry : Output - 0x8177c838
Input : GigabitEthernet2
Output : GigabitEthernet3
Lapsed time : 91733 ns

Packet from container to WAN
packet-tracer output and conditional debugs (5)

Conditional debugging

debug platform condition <client address>/32 both
debug platform condition feature utd control-plane submode serviceplane-daq level verbose
debug platform condition start

cedge6#app-hosting move appid utd log to bootflash:
Successfully moved tracelog to bootflash:
iox_utd_R0-0_R0-0.18629_0.20190501005829.bin.gz
(Rotate the container log file to bootflash)

cedge6# more /compressed iox_utd_R0-0_R0-0.18629_0.20190501005829.bin.gz
(Display the file)
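The traces above show one flow crossing the UTD container twice: packet 14 diverted from the LAN side, packet 15 reinjected towards the WAN. As an added example (not part of the session material and not Cisco code), the Python below parses the text shape of "show platform packet-trace packet N", pulls out the UTD Divert/Reinject actions and the NAT step, and checks that a pair of traces forms the expected round trip. The two trace strings are constructed samples trimmed from the slides; the check wording and the dict layout are this example's own assumptions. The same check applies to the packet-trace walkthrough in the URL-Filtering troubleshooting section.

```python
import re
from typing import List, Optional, Tuple

# Constructed samples, trimmed from the two slide traces
# (packet 14: LAN -> container, packet 15: container -> WAN).
TRACE_14 = """\
Packet: 14 CBUG ID: 3849209
Summary
Input : GigabitEthernet2
Output : internal0/0/svc_eng:0
State : PUNT 64 (Service Engine packet)
Path Trace
Feature: IPV4(Input)
Source : 192.168.16.254
Destination : 151.101.129.67
Feature: UTD Policy (First FIA)
Action : Divert
Feature: UTD Inspection
Action : Divert
Egress interface: GigabitEthernet3
Feature: OUTPUT_SERVICE_ENGINE
Output : internal0/0/svc_eng:0
"""
TRACE_15 = """\
Packet: 15 CBUG ID: 3849210
Summary
Input : Tunnel6000001
Output : GigabitEthernet3
State : FWD
Path Trace
Feature: UTD Inspection
Action : Reinject
Feature: NAT
Action : Translate Source
Old Address : 192.168.16.254 35568
New Address : 172.16.16.254 05062
Feature: MARMOT_SPA_D_TRANSMIT_PKT
Output : GigabitEthernet3
"""

CONTAINER_IF = "internal0/0/svc_eng:0"          # the service-engine (UTD container) punt interface
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _/-]*?)\s*:\s*(.*)$")   # "Key : value" lines


def parse_packet_trace(text: str) -> dict:
    """Return {'packet': N, 'summary': {...}, 'features': [(name, {field: value}), ...]}."""
    trace = {"packet": None, "summary": {}, "features": []}
    section, fields = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "<removed>":        # the slides elide uninteresting features
            continue
        m = re.match(r"Packet:\s*(\d+)", line)
        if m:
            trace["packet"] = int(m.group(1))
        elif line in ("Summary", "Path Trace"):
            section = line
        elif line.startswith("Feature:"):
            fields = {}
            trace["features"].append((line.split(":", 1)[1].strip(), fields))
        else:
            kv = KV_RE.match(line)
            if kv is None:
                continue
            key, val = kv.group(1).strip(), kv.group(2).strip()
            if section == "Path Trace" and fields is not None:
                fields[key] = val
            elif section == "Summary":
                trace["summary"][key] = val
    return trace


def utd_actions(trace: dict) -> List[str]:
    """UTD actions in path order: ['Divert', 'Divert'] on the way in, ['Reinject'] on the way out."""
    return [f["Action"] for name, f in trace["features"] if name.startswith("UTD") and "Action" in f]


def nat_translation(trace: dict) -> Optional[Tuple[str, str]]:
    """(old, new) address/port pair from the NAT feature, or None if the packet was not translated."""
    for name, f in trace["features"]:
        if name == "NAT":
            return f.get("Old Address", ""), f.get("New Address", "")
    return None


def check_container_round_trip(lan: dict, wan: dict) -> List[str]:
    """Compare the LAN->container and container->WAN traces of one flow; [] means the expected path."""
    checks = [
        ("Divert" in utd_actions(lan), "first trace: UTD did not divert the packet (UTD policy not applied?)"),
        (lan["summary"].get("Output") == CONTAINER_IF, "first trace: packet was not punted to the service engine"),
        ("Reinject" in utd_actions(wan), "second trace: no UTD reinject (container dropped or never returned it?)"),
        (wan["summary"].get("Input", "").startswith("Tunnel"), "second trace: not returned over the container tunnel"),
        (wan["summary"].get("State") == "FWD", "second trace: packet was not forwarded"),
        (nat_translation(wan) is not None, "second trace: no NAT translation on the WAN side (DIA NAT missing?)"),
    ]
    return [msg for ok, msg in checks if not ok]
```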
URL-Filtering

SDWAN Security: URL Filtering

• Enterprise Firewall: +1400 layer 7 apps classified
• Intrusion Protection System: most widely deployed IPS engine in the world
• URL-Filtering (Phase 1): Cisco Web reputation score using 82+ web security categories
• Simplified Cloud Security: easy deployment for Cisco Umbrella
• Adv. Malware Protection (Phase 2): with File Reputation and Sandboxing
• Cisco SD-WAN: hours instead of weeks and months
URL Filtering

Requests for “risky” domains:
• 82+ Web Categories with dynamic updates
• Block based on Web Reputation score
• Create custom Black and White Lists (white/black lists of custom URLs)
• Customizable End-user notifications
• Block/Allow based on Categories, Reputation
URL – Filtering - Overview

• Uses Snort preprocessors to extract the URLs from HTTP/HTTPS traffic (Snort runs in a container!!)
• Container installation necessary (steps described in IPS/IDS section)
• Container upgrade workflow same as for IPS/IDS
• Supported platforms (same as for IPS/IDS solution)
• ISR-4300 series
• ISR-4400 series
• ISR-4221X
• C1111X-8P, C1161X-8P, C1127X-8PMLTEP, C1126X-8PLTEP, C1127X-8PLTEP,
C1121X-8PLTEP, C1161X-8PLTEP, C1121X-8P
• ISRv / CSR1000v

URL-Filtering: Packet flow

Intrusion Prevention – Packet Flow

Leveraging Snort pre-processors to gather URL information:
• HTTP preprocessor
• HTTPS preprocessor

[Diagram: ingress interface -> QFP packet processing (input features -> forwarding decision -> NBAR app-aware classification -> UTD firewall redirect? YES!) -> GRE over VPG1 interface -> UTD container -> output features]
Intrusion Prevention – Packet architecture
High level Container Flow

Leveraging Snort pre-processors to gather URL information:
• HTTP preprocessor
• HTTPS preprocessor

[Diagram: edge data plane (ingress interface -> QFP packet processing: input features, forwarding decision, NBAR app-aware classification, UTD firewall redirect? YES! -> GRE over VPG1 interface -> output features) feeding the UTD container: DAQ -> Snort preprocessors (HTTP, SSL, OpenAppID loadable preprocessor, URL Filtering backed by the WebRoot URL DB) -> Snort detection / signature engine -> logging/alert and output modules; Snort config]
Intrusion Prevention – From container to outside

[Diagram: the UTD container returns the packet over the “built-in” GRE Tunnel6000001 with action Reinject; QFP packet processing then runs the input features, UTD inspection, the forwarding decision, NAT and the output features before the egress interface]
URL level Filtering – High level Data architecture
Container Flow

URL inspection leveraging Webroot preprocessors

[Diagram: IOS XE packet processing (ingress interface -> input features -> flow diversion; flow insertion -> output features -> egress interface) hands HTTP/HTTPS packets to the IPS/URL container. Inside the container: DAQ -> Snort loadable preprocessors (HTTP, SSL, OpenAppID) -> URL preprocessor -> URLF thread -> WebRoot URL SDK front end with the whitelist/blacklist DB and the WebRoot backend DB/SDK (URL lookup request / verdict); verdict handling returns the Snort session verdict; blocked requests are answered by the block URL receive server; Snort detection and signature engine, URLF action engine, logging/alert and output modules, policy and log/alert management, Snort config]
URL Filtering Logic

Flow (per HTTP/S packet):
1. Receive HTTP/S packet
2. URL Normalization
3. On the White List? yes -> release the packet
4. On the Black List? yes -> respond with Block Page or Redirect URL
5. Otherwise prepare the URL lookup request and query the Web URL DB & SDK Client
6. Verdict: poor reputation -> Block; good reputation -> check the category -> Block or Allow

• URL Normalization includes only basic sanity checks and a URI start point check. More checks can be implemented there.
• The code for URLF warm restart has been implemented, but not fully tested. There are 2 utm_persona tables that store the policies/config. One is active and another is shadow. The 2 persona tables will switch at the time of warm restart.
• Webroot SDK can be integrated into the URLF engine. The reason we did not do so was because Cisco Beaker uses socket communication between the URLF engine and the Beaker database; we implement the Webroot SDK the same way as Beaker for future compatibility.
• URLF handles multiple categories for one URL.
• Packet will be dropped if the verdict does not arrive in time.
• URLF does not delete Snort sessions.
• Webroot SDK Client handles up to 4 instances of URLF engines.
• In case the verdict cannot be reached due to database limitation or due to software failure, the URLF Failopen and Failclose policy can kick in. Failopen means letting the packet go through in case of any failure. Failclose means blocking traffic.
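The flowchart and bullets above describe the URLF verdict order. The Python below is an added example written for this page, not the URLF engine's code: it applies the same order (normalization, whitelist, blacklist, DB lookup, reputation threshold, category, failopen/failclose, drop on verdict timeout) to a constructed, hypothetical URL database and policy. The 0-100 reputation scale, the list-matching rule and the database contents are assumptions; the category names are the ones listed in this section.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Hypothetical, constructed category/reputation DB standing in for the Webroot/BrightCloud lookup.
# Reputation is assumed to be a 0-100 score (higher is better).
FAKE_URL_DB: Dict[str, Tuple[List[str], int]] = {
    "updates.example.com": (["shareware-and-freeware"], 85),
    "login-example-bank.example.net": (["phishing-and-other-frauds"], 5),
    "doh.example-resolver.test": (["proxy-avoid-and-anonymizers", "computer-and-internet-info"], 70),
}

# Constructed policy in the shape of the vManage URL-Filtering template fields.
POLICY = {
    "whitelist": ["updates.example.com"],
    "blacklist": ["bad.example.org"],
    "blocked_categories": {"malware-sites", "phishing-and-other-frauds",
                           "proxy-avoid-and-anonymizers", "bot-nets"},
    "min_reputation": 40,      # permissible lower threshold of the reputation score
    "fail_open": False,        # Failclose: block when no verdict can be reached
}


class VerdictTimeout(Exception):
    """The verdict did not arrive in time."""


class LookupFailure(Exception):
    """Database limitation or software failure while looking up the URL."""


@dataclass
class Verdict:
    action: str   # "allow", "block" (answered with block page / redirect URL) or "drop"
    reason: str


def normalize_url(url: str) -> Tuple[str, str]:
    """Basic sanity checks and URI start-point check: returns (host, host+path) in canonical form."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("URL has no host")
    return host, host + (parts.path or "/")


def in_list(entries: List[str], host: str, full: str) -> bool:
    """A list entry matches as an exact host, a parent domain or a URL prefix (simplification)."""
    return any(full.startswith(e) or host == e or host.endswith("." + e) for e in entries)


def lookup(host: str) -> Tuple[List[str], int]:
    """Stand-in for the Web URL DB & SDK client query; unknown hosts come back as uncategorized."""
    return FAKE_URL_DB.get(host, (["uncategorized"], 50))


def timing_out_lookup(host: str) -> Tuple[List[str], int]:
    raise VerdictTimeout()


def failing_lookup(host: str) -> Tuple[List[str], int]:
    raise LookupFailure()


def url_verdict(url: str, policy: dict, lookup_fn: Callable = lookup) -> Verdict:
    host, full = normalize_url(url)
    if in_list(policy["whitelist"], host, full):
        return Verdict("allow", "whitelist")                  # release packet
    if in_list(policy["blacklist"], host, full):
        return Verdict("block", "blacklist")                  # block page or redirect URL
    try:
        categories, reputation = lookup_fn(host)
    except VerdictTimeout:
        return Verdict("drop", "verdict did not arrive in time")
    except LookupFailure:
        if policy["fail_open"]:
            return Verdict("allow", "lookup failed: failopen")
        return Verdict("block", "lookup failed: failclose")
    if reputation < policy["min_reputation"]:
        return Verdict("block", f"reputation {reputation} below threshold {policy['min_reputation']}")
    # one URL may carry several categories; any blocked one wins
    hit = sorted(set(categories) & policy["blocked_categories"])
    if hit:
        return Verdict("block", "category " + ",".join(hit))
    return Verdict("allow", "category allowed")
```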
URL-Filtering: configuration

URL-Filtering Policy Configuration

Security Policy Template (URL Filtering)
• Web categories
  • Allow / Block
• Web Reputation
• Whitelist / Blacklist URLs
• Block Page
  • Local block page
  • Redirect URL
• Alerts
• VPNs
URL Filtering Security Policy Template
vManage >> Security >> Add Security Policy (choose one that includes URL-Filtering)

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

Specify Web Categories to Block (or) Allow

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

Specify Web Categories to Block (or) Allow. The web categories listed on the slide:

abortion, abused-drugs, adult-and-pornography, alcohol-and-tobacco, auctions, bot-nets, business-and-economy, cdns, cheating,
computer-and-internet-info, computer-and-internet-security, confirmed-spam-sources, cult-and-occult, dating, dead-sites,
dynamic-content, educational-institutions, entertainment-and-arts, fashion-and-beauty, financial-services, gambling, games,
government, gross, hacking, hate-and-racism, health-and-medicine, home, hunting-and-fishing, illegal, image-and-video-search,
individual-stock-advice-and-tools, internet-communications, internet-portals, job-search, keyloggers-and-monitoring, kids, legal,
local-information, malware-sites, marijuana, military, motor-vehicles, music, news-and-media, nudity, online-greeting-cards,
online-personal-storage, open-http-proxies, p2p, parked-sites, pay-to-surf, personal-sites-and-blogs, phishing-and-other-frauds,
private-ip-addresses, proxy-avoid-and-anonymizers, questionable, real-estate, recreation-and-hobbies, reference-and-research,
religion, search-engines, sex-education, shareware-and-freeware, shopping, social-network, society, spam-urls, sports,
spyware-and-adware, streaming-media, swimsuits-and-intimate-apparel, training-and-tools, translation, travel, uncategorized,
unconfirmed-spam-sources, violence, weapons, web-advertisements, web-based-email, web-hosting
URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

Specify Web Categories to Block (or) Allow. Security-relevant categories:
• bot-nets
• confirmed-spam-sources
• keyloggers-and-monitoring
• malware-sites
• open-http-proxies
• phishing-and-other-frauds
• proxy-avoid-and-anonymizers (includes DoH, public proxies, TOR)
• spam-urls
• spyware-and-adware
• Uncategorized
• unconfirmed-spam-sources
URL-Filtering: Practical example

URL Filtering Security Policy Configuration: DNS policy avoidance
• DNS… A protocol that is overlooked by many
• Privacy vs Need for control in Enterprise
• DNS-over-(D)TLS
• DNS-over-HTTPS

• DNS over HTTPS can be blocked by URL Filtering
Supported Recursive Resolvers for DoT
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers

Android Support:
https://www.xda-developers.com/android-dns-over-tls-website-privacy/amp/
DNS-over-HTTPS (DoH) – what has happened…

[Diagram: client and recursive resolver; the browser speaks DoH over tcp/443 directly to the recursive resolver, so the OS DNS resolver will not be involved in the DNS requests]
DNS-over-HTTPS (DoH) and URL filtering…

[Diagram: the same client / recursive resolver picture, now with URL filtering blocking the proxy-avoid-and-anonymizers category on the browser's DoH connection (tcp/443); the OS DNS resolver will not be involved in the DNS requests]
URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

Specify permissible lower threshold of Reputation score of Web sites

URL Filtering Policy Configuration
Security Policy template (URL-Filtering)

(Optional) Click on Advanced and specify the list of URLs to be whitelisted

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

(Optional) Click on Advanced and specify the list of URLs to be blacklisted

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

(Optional) Specify the Block page server details (Block page message)

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

(Optional) Specify the Block page server details (Redirect URL)

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

(Optional) Specify when alerts should be generated (Whitelist/Blacklist/Reputation/Category)

URL Filtering Security Policy Configuration
Security Policy template (URL-Filtering)

(Optional) Specify the target VPNs for which this Policy Template is applicable by clicking on Target VPNs and
specifying the VPN IDs

URL-Filtering: troubleshooting
URL Filtering Troubleshooting
Is URL-Filtering inspecting traffic?

Click on Dashboard and check the data for URLs getting blocked/allowed (Note: this is for the entire network)

URL Filtering Troubleshooting
Is URL-Filtering inspecting traffic?

Go to device level page (Monitor -> Network -> Select Device -> URL-Filtering) for URL-Filtering stats

URL Filtering Troubleshooting
Is URL-Filtering inspecting traffic?

Do a show command on the device

show utd engine standard statistics url-filtering

URL Filtering Troubleshooting
URL Filtering database updates not working

Check device level events for utd-update-type-urlf type notifications (Monitor -> network -> Select Device -> Events)

packet-tracer output and conditional debugs (the packet-trace walkthrough of packets 14 and 15, LAN to container and container to WAN, is the same as in the Intrusion Prevention troubleshooting section)
packet-tracer output and conditional debugs (5)

cedge6#app-hosting move appid utd log to bootflash:
Successfully moved tracelog to bootflash:
iox_utd_R0-0_R0-0.18629_0.20190501005829.bin.gz
(Rotate the container log file to bootflash)

cedge6# more /compressed iox_utd_R0-0_R0-0.18629_0.20190501005829.bin.gz
(Display the file)

2019-04-29 16:12:12 ERROR: Cannot resolve host api.bcti.brightcloud.com: Temporary failure in name resolution
2019-04-29 16:17:52 ERROR: Cannot resolve host api.bcti.brightcloud.com: Temporary failure in name resolution
2019-04-29 16:23:32 ERROR: Cannot resolve host api.bcti.brightcloud.com: Temporary failure in name resolution
2019-04-29 16:29:12 ERROR: Cannot resolve host api.bcti.brightcloud.com: Temporary failure in name resolution
2019-04-29 16:34:52 ERROR: Cannot resolve host api.bcti.brightcloud.com: Temporary failure in name resolution
2019-04-29 16:40:27 ERROR: Cannot resolve host api.bcti.brightcloud.com: Temporary failure in name resolution
URL Filtering Troubleshooting

URL not categorized as expected

• If a URL is not being categorized as expected, the URL in question should be validated in the following link:

https://www.brightcloud.com/tools/url-ip-lookup.php

This link will provide the details for the URL in question - what its current category and reputation is, if any. If it is not
categorized, a request can be made to categorize it or to have its category updated.

DNS / Web Security
Cisco Umbrella: DNS/web-layer security

• Leading Security Efficacy for malware, phishing, and unacceptable requests by blocking based on DNS requests
• Supports DNScrypt
• Local Domain-bypass
• TLS decryption
• Intelligent Proxy

[Diagram: users and devices send DNS requests; safe requests are answered, blocked requests are stopped]
DNS / Web Security: packet flow

DNS/web-layer Security - Solution Overview

[Diagram: the user (Martha) behind an ISR4K sends a DNS Request (1), which is redirected to Cisco Umbrella; Umbrella distinguishes safe from blocked requests and returns the DNS Response (4); the Approved Content (5) is then fetched from the web servers on the Internet]
DNS / Web Security: configuration

DNS Layer Security - Configuration

• Create a security policy template for Umbrella DNS Security
• Create a device template that includes the security policy template
• Attach to the device
DNS Layer Security – Bypass Domain List
Configuration ► Security tab ► Custom Options ► Lists

Create new or modify existing

DNS Layer Security - Template
vManage >> Security >> Add Security Policy (choose one that includes DNS Layer Security)

DNS Layer Security - Template

Configuration ► Security ► Add Security Policy ► DCA/DIA ► Add/Modify DNS Security Policy

DNS Layer Security - Template

Configuration ► Security ► Add Security Policy ► DCA/DIA ► Add/Modify DNS Security Policy

Umbrella Registration API token can be entered first time here and managed later from global settings

DNS Layer Security - Template

Configuration ► Security ► Add Security Policy ► DCA/DIA ► Add/Modify DNS Security Policy
Per VPN DNS resolver and local-domain match criteria
DNS Layer Security - Template

Configuration ► Security ► Add Security Policy ► DCA/DIA ► Add/Modify DNS Security Policy

DNS Layer Security: Umbrella Portal
Umbrella marked DoH Resolvers as Anonymizers
https://support.umbrella.com/hc/en-us/articles/360001371526-Firefox-and-DNS-over-HTTPS-default

DNS Security: Monitoring

DNS Layer Security - Monitoring

Monitor ► Network ► select WAN Edge device
Umbrella monitoring is available only on the device dashboard

Monitor ► Network ► select WAN Edge device ► Security Monitoring ► Umbrella DNS Re-direct
Two tabs: DNS Redirect count and Local Domain Bypass count at device level
DNS Layer Security - Troubleshooting

Router#show sdwan umbrella overview

umbrella-ios-oper-data umbrella-overview registrations-completed 2
umbrella-ios-oper-data umbrella-overview registrations-requested 2
umbrella-ios-oper-data umbrella-overview dnscrypt false
umbrella-ios-oper-data umbrella-overview last-success-attempt 1970-01-01T00:00:00+00:00
DNS Layer Security - Troubleshooting

Router#show sdwan umbrella device-registration

NAME  STATUS       TAG   DEVICE ID         DESCRIPTION
----------------------------------------------------------------------------
1     200 SUCCESS  vpn1  010aef92e77c2774  Device Id recieved successfully
DNS Layer Security - Troubleshooting

Router#show sdwan umbrella dp-stats


umbrella-oper-dp stats redirect-pkts 28
umbrella-oper-dp stats local-domain-bypass-pkts 0
umbrella-oper-dp stats parser-unknown-pkts 85
umbrella-oper-dp stats parser-errors 8
umbrella-oper-dp stats flow-create-requests 28
umbrella-oper-dp stats matching-flow-found 0
umbrella-oper-dp stats flow-create-failures 0
umbrella-oper-dp stats flow-lookup-requests 28
umbrella-oper-dp stats flow-lookup-failures 0
umbrella-oper-dp stats flow-detach-requests 28
umbrella-oper-dp stats flow-detach-failures 0
umbrella-oper-dp stats flow-ageout-count 0
umbrella-oper-dp stats flow-update-requests 28
umbrella-oper-dp stats flow-update-failures 0
umbrella-oper-dp stats dnscrypt-enc-sent 0
umbrella-oper-dp stats dnscrypt-dec-rcvd 0
umbrella-oper-dp stats dnscrypt-clear-sent 0
umbrella-oper-dp stats dnscrypt-clear-rcvd 0
umbrella-oper-dp stats dnscrypt-errors 0

DNS Layer Security - Troubleshooting
Make sure that api.opendns.com is getting resolved from router

Confirm that Umbrella Root CA Certificate is installed on device

Router#show crypto pki trustpool


...
...
CA Certificate
Status: Available
Certificate Serial Number (hex): 083BE056904246B1A1756AC95991C74A
Certificate Usage: Signature
Issuer:
cn=DigiCert Global Root CA
ou=www.digicert.com
o=DigiCert Inc
c=US
Subject:
cn=DigiCert Global Root CA
ou=www.digicert.com
o=DigiCert Inc
c=US
Validity Date:
start date: 00:00:00 UTC Nov 10 2006
end date: 00:00:00 UTC Nov 10 2031
Associated Trustpoints: Trustpool
Trustpool: Downloaded
...
...
DNS Layer Security - Troubleshooting

• At least one WAN interface MUST be “ip nat outside” enabled
• NAT overload config is present. Sample:
  access-list 101 permit ip any any
  ip nat inside source list 101 interface GigabitEthernet1 overload

Note: GigabitEthernet1 is the WAN interface that has “ip nat outside” configured
DNS Layer Security - Troubleshooting
• Make sure dns-resolver is configured as umbrella for a VRF

• Sample:

parameter-map type umbrella global
 token 648BF6139C379DCCFFBA637FD1E22755001CE241
 local-domain dns_bypass
 dnscrypt
 udp-timeout 5
 vrf 9
  dns-resolver 8.8.8.8
  match-local-domain-to-bypass
 vrf 19
  dns-resolver 8.8.8.8
  no match-local-domain-to-bypass
 vrf 29
  dns-resolver umbrella
  match-local-domain-to-bypass
 vrf 39
  dns-resolver umbrella
  no match-local-domain-to-bypass
DNS Layer Security – Troubleshooting Registration

• Every registration is tied to VRF 65528. So, there must be a NAT translation to api.opendns.com for every registration sent. You can check via “show ip nat translation”
DNS Layer Security – Show Commands

#show umbrella deviceid detailed

Device registration details

1.29
 Tag : vpn29
 Device-id : 010a9b2b0d5cb21f
 Description : Device Id recieved successfully
 WAN interface : None
2.39
 Tag : vpn39
 Device-id : 010a1a2e1989da19
 Description : Device Id recieved successfully
 WAN interface : None
DNS Layer Security – Show Commands

# show platform software umbrella f0 config

+++ Umbrella Config +++

Umbrella feature:
------------------
Init: Enabled
Dnscrypt: Enabled

Dnscrypt Info:
public_key: A5:BA:18:C5:59:70:67:94:E5:37:38:33:06:F9:63:83:39:86:82:E4:00:F5:D8:BE:C1:AA:77:4A:4C:BA:64:00
magic_key: 71 4E 7A 69 6D 65 75 55
serial number: 1517943461

ProfileID  DeviceID          Mode  Resolver        Local-Domain  Tag
------------------------------------------------------------------------------
0                            OUT                   False
4                            IN    8.8.8.8         True          vpn9
1                            IN    8.8.8.8         False         vpn19
2          010a9b2b0d5cb21f  IN    208.67.220.220  True          vpn29
3          010a1a2e1989da19  IN    208.67.220.220  False         vpn39
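Pulling the checks of this troubleshooting section together: the Python below is an added example (not part of the session material and not Cisco code) that parses the parameter-map umbrella global configuration and the show umbrella deviceid detailed, show sdwan umbrella overview and show sdwan umbrella dp-stats outputs in the shape shown above, then reports what to chase: an Umbrella VRF without a device-id, registration counters that disagree, DNSCrypt configured but not active, and non-zero parser/flow error counters. The sample texts are constructed from the slide outputs with the API token replaced by a placeholder; the wording of the findings is this example's own.

```python
from typing import Dict, List

# Constructed samples in the shape of the slides' configuration and show outputs.
PARAMETER_MAP = """\
parameter-map type umbrella global
 token <UMBRELLA-API-TOKEN-PLACEHOLDER>
 local-domain dns_bypass
 dnscrypt
 udp-timeout 5
 vrf 9
  dns-resolver 8.8.8.8
  match-local-domain-to-bypass
 vrf 19
  dns-resolver 8.8.8.8
  no match-local-domain-to-bypass
 vrf 29
  dns-resolver umbrella
  match-local-domain-to-bypass
 vrf 39
  dns-resolver umbrella
  no match-local-domain-to-bypass
"""
DEVICEID_DETAILED = """\
1.29
 Tag : vpn29
 Device-id : 010a9b2b0d5cb21f
2.39
 Tag : vpn39
 Device-id : 010a1a2e1989da19
"""
OVERVIEW = """\
umbrella-ios-oper-data umbrella-overview registrations-completed 2
umbrella-ios-oper-data umbrella-overview registrations-requested 2
umbrella-ios-oper-data umbrella-overview dnscrypt false
"""
DP_STATS = """\
umbrella-oper-dp stats redirect-pkts 28
umbrella-oper-dp stats parser-errors 8
umbrella-oper-dp stats flow-create-failures 0
umbrella-oper-dp stats flow-lookup-failures 0
umbrella-oper-dp stats dnscrypt-enc-sent 0
umbrella-oper-dp stats dnscrypt-errors 0
"""


def parse_parameter_map(text: str) -> dict:
    """Return {'dnscrypt': bool, 'vrfs': {vrf: {'resolver': str|None, 'bypass': bool}}}."""
    cfg, vrf = {"dnscrypt": False, "vrfs": {}}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "dnscrypt":
            cfg["dnscrypt"] = True
        elif line.startswith("vrf "):
            vrf = line.split()[1]
            cfg["vrfs"][vrf] = {"resolver": None, "bypass": False}
        elif vrf and line.startswith("dns-resolver "):
            cfg["vrfs"][vrf]["resolver"] = line.split()[1]
        elif vrf and line == "match-local-domain-to-bypass":   # "no match-..." leaves it False
            cfg["vrfs"][vrf]["bypass"] = True
    return cfg


def parse_deviceid(text: str) -> Dict[str, str]:
    """Map registration tag (vpnNN) -> device-id from 'show umbrella deviceid detailed'."""
    ids, tag = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Tag :"):
            tag = line.split(":", 1)[1].strip()
        elif line.startswith("Device-id :") and tag:
            ids[tag] = line.split(":", 1)[1].strip()
    return ids


def parse_counters(text: str) -> Dict[str, str]:
    """Last two tokens of each line are name and value (overview and dp-stats share this shape)."""
    return {p[-2]: p[-1] for p in (ln.split() for ln in text.splitlines()) if len(p) >= 2}


def umbrella_findings(cfg: dict, ids: Dict[str, str], ov: Dict[str, str], dp: Dict[str, str]) -> List[str]:
    """Cross-check config, registration state and data-plane counters; [] means nothing to chase."""
    out = []
    for vrf, v in cfg["vrfs"].items():
        # each VRF pointed at Umbrella registers (via VRF 65528 / api.opendns.com) and gets a device-id
        if v["resolver"] == "umbrella" and f"vpn{vrf}" not in ids:
            out.append(f"vrf {vrf}: dns-resolver umbrella but no device-id (check NAT to api.opendns.com)")
    if ov.get("registrations-completed") != ov.get("registrations-requested"):
        out.append("not every registration request completed")
    if cfg["dnscrypt"] and ov.get("dnscrypt") == "false":
        out.append("dnscrypt configured but overview reports dnscrypt false")
    if cfg["dnscrypt"] and int(dp.get("redirect-pkts", 0)) > 0 and int(dp.get("dnscrypt-enc-sent", 0)) == 0:
        out.append("queries redirected but none DNSCrypt-encrypted: DNS leaves in clear text")
    for k in ("parser-errors", "flow-create-failures", "flow-lookup-failures", "dnscrypt-errors"):
        if int(dp.get(k, 0)) > 0:
            out.append(f"{k} = {dp[k]}")
    return out
```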
DNS Layer Security – Debug Commands

#debug umbrella ?
• config               Umbrella Configuration        -> config related debugs
• device-registration  Umbrella Device Registration  -> registration related debugs
• dnscrypt             Umbrella DNSCrypt             -> DNSCrypt related debugs
AMP & Threatgrid
AMP & Threatgrid: Packet flow

AMP inspection – Packet Flow

Leveraging Snort pre-processors to scan files transferred by:
• HTTP
• FTP
• SMTP
• POP3
• IMAP
• SMB

[Diagram: ingress interface -> QFP packet processing (input features -> forwarding decision -> NBAR app-aware classification -> UTD firewall redirect? YES!) -> GRE over VPG1 interface -> UTD container -> output features]
Intrusion Prevention – Packet Flow

Inside the UTD container the captured file goes through these stages:
1. File capture
2. Calculate SHA256
3. Querying cache
4. Cloud lookup (AMP malware database)
5. Cloud response
   • SHA256 is known! Action: Drop
   • What if the SHA256 is unknown? SHA256 is unknown! The file continues to file analysis:
6. Preprocessing file
7. Uploading file to Threat Grid (Threat Grid API)
8. Analyzing file in VM (Threat Grid virtual machine)
9. Verify completion
10. Malware analysis completed: update malware database
11. Database updated; the container picks up the new verdict via
   • Cloud lookup for change
   • Heartbeat for retrospective changes
AMP inspection – From container to outside

After inspection the UTD container returns the packet with its action over the "built-in" GRE Tunnel600001 (reinject), and QFP packet processing continues: ingress interface -> input features -> forwarding decision -> UTD inspection -> NAT -> output features.
AMP & Threatgrid – Packet Flow

URL inspection leveraging preprocessors in the IPS/URL container: ingress interface -> input features -> IOS XE packet processing -> flow diversion to the container -> flow insertion back into the data path -> output features -> egress interface.
Advanced Malware Protection

➢ Integration with AMP
➢ File reputation: the file signature is checked against the AMP cloud over the Internet
➢ File retrospection
➢ Integration with ThreatGrid
➢ File Analysis: the file is checked in the ThreatGrid malware sandbox
➢ Backed with valuable Threat Intelligence
AMP terminologies
• File Reputation

File Reputation is the process in which a SHA256 is looked up against the AMP cloud to access
threat intelligence information. The cloud server may respond with a disposition of DISP_CLEAN,
DISP_UNKNOWN, DISP_MALICIOUS, or DISP_FAILED. If the file is DISP_UNKNOWN, part of the
response from the cloud may include an action of ACTION_SEND to suggest sending the file to File
Analysis.

• File Analysis

File Analysis is the process of submitting a file that the AMP cloud has determined is
DISP_UNKNOWN and ACTION_SEND to the Threat Grid cloud for detonation in a sandbox. During the
detonation, the sandbox will capture artifacts, observe behaviors, and give the sample an overall score
of abnormal behaviors. Based on the sandbox observations, Threat Grid may change the disposition in
the AMP Cloud to DISP_MALICIOUS.

• Retrospection

Retrospection is the process of receiving a change in file reputation intelligence from Threat Grid or
from TALOS from DISP_UNKNOWN to DISP_MALICIOUS, DISP_CLEAN to DISP_MALICIOUS, or
DISP_MALICIOUS to DISP_CLEAN and then notifying all Connector GUIDs about that change when
they check into the cloud on their Heartbeat.

Supported file transfer protocols

• HTTP

• FTP

• SMTP

• POP3

• IMAP

• SMB

HTTPS will be supported in 17.2 with TLS proxy [end Q1 2020].
Supported file types
• AMP file types: MOV, FLIC, SWF, EXE, PDF, RTF, RIFF, ZIP, RAR, MSOLE2, MSCAB, MSCHM, BZ, GZ, ARJ, PDF, JPEF, MP4, MACHO, MACHO UNIBIN, PCAP, MP3, PST, SIT, WMF, DICM, NEW-OFFICE

• This list of AMP file types will be a superset of the files Threat Grid may consider for file analysis after evaluating the file submission criteria.

• No support for zipped files in phase 1.

• File types Threat Grid may consider for file analysis: PDF, MS-EXE, NEW-OFFICE, RTF, MDB, MSCAB, MSOLE2, WRI, XLW, FLV, SWF

AMP Cache
• The container maintains a local cache of hashes, dispositions and other metadata based on prior AMP disposition lookups. The cache lookup is done prior to making disposition requests to the AMP Cloud. Cache TTL for each entry is 2 hours.

• Cloud lookup timeout is 2s. If there is no cloud response before the lookup timer expires, the default action is to allow the file and no cache entry is added.
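As an added illustration of the file reputation, file analysis, retrospection and cache rules stated on the AMP terminology and AMP Cache slides (this is not Cisco's code; FakeAmpCloud is a constructed stand-in, not the AMP or Threat Grid API), the following Python simulation walks a file through capture, SHA256, cache lookup, cloud lookup, File Analysis submission and a retrospective verdict change, and shows the two timing rules: a 2 hour cache TTL and a 2 second cloud timeout that allows the file without caching anything.

```python
"""Simulation of the AMP file-reputation flow described on these slides (not Cisco code)."""
import hashlib
import time
from dataclasses import dataclass

# Dispositions and action names as listed on the AMP terminology slide.
DISP_CLEAN = "DISP_CLEAN"
DISP_UNKNOWN = "DISP_UNKNOWN"
DISP_MALICIOUS = "DISP_MALICIOUS"
ACTION_SEND = "ACTION_SEND"

CACHE_TTL_SECONDS = 2 * 60 * 60   # cache TTL per entry: 2 hours (slide value)
CLOUD_LOOKUP_TIMEOUT = 2.0        # cloud lookup timeout: 2 seconds (slide value)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CacheEntry:
    disposition: str
    created: float


class FakeAmpCloud:
    """Constructed stand-in for the AMP cloud plus Threat Grid (assumption, not the real APIs):
    a table sha256 -> (disposition, action) and a simulated response delay."""

    def __init__(self, table, delay=0.0):
        self.table = dict(table)
        self.delay = delay
        self.submitted = []   # hashes handed to File Analysis (Threat Grid stand-in)

    def lookup(self, sha256):
        if self.delay > CLOUD_LOOKUP_TIMEOUT:
            return None       # no answer before the lookup timer expires
        return self.table.get(sha256, (DISP_UNKNOWN, ACTION_SEND))

    def submit_for_analysis(self, sha256):
        self.submitted.append(sha256)

    def retrospective_update(self, sha256, disposition):
        # Threat Grid / Talos changed the verdict; the cloud now answers differently.
        self.table[sha256] = (disposition, None)


class AmpConnector:
    """Container-side logic: capture -> SHA256 -> cache -> cloud lookup -> action."""

    def __init__(self, cloud, now=time.time):
        self.cloud = cloud
        self.now = now        # injectable clock so the TTL can be tested
        self.cache = {}

    def inspect(self, data: bytes):
        """Return (action, disposition); the action is 'drop' only for DISP_MALICIOUS."""
        sha256 = sha256_hex(data)
        entry = self.cache.get(sha256)
        if entry is not None and self.now() - entry.created < CACHE_TTL_SECONDS:
            disposition = entry.disposition            # cache hit, no cloud round trip
        else:
            response = self.cloud.lookup(sha256)
            if response is None:
                return "allow", None                   # timeout: allow, add no cache entry
            disposition, action = response
            self.cache[sha256] = CacheEntry(disposition, self.now())
            if disposition == DISP_UNKNOWN and action == ACTION_SEND:
                self.cloud.submit_for_analysis(sha256)  # File Analysis in the sandbox
        return ("drop" if disposition == DISP_MALICIOUS else "allow"), disposition

    def heartbeat(self):
        """Retrospection: on heartbeat, pick up verdict changes for cached hashes.
        Returns a list of (sha256, old_disposition, new_disposition)."""
        changes = []
        for sha256, entry in self.cache.items():
            response = self.cloud.lookup(sha256)
            if response is not None and response[0] != entry.disposition:
                changes.append((sha256, entry.disposition, response[0]))
                entry.disposition = response[0]
                entry.created = self.now()
        return changes
```

The timeout branch is the one worth remembering operationally: a slow or unreachable AMP cloud turns the feature into allow-by-default with nothing cached, so the "Requests Error" counter in the troubleshooting output deserves monitoring.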
Sample configuration
vm5#show running-config | sec utd
utd multi-tenancy
utd engine standard multi-tenancy
 utd global
  file-analysis
   apikey 0 abcdefgh5qe230bni7u3f5950f
   cloud-server isr.api.threatgrid.com
  file-reputation
   cloud-server cloud-isr-asn.amp.cisco.com
   est-server cloud-isr-est.amp.cisco.com
   query-interval 300
 file-reputation profile FILE-REP-PROFILE1
  alert level warning
 file-inspection profile FILE-INS-PROFILE1
  reputation profile FILE-REP-PROFILE1
  analysis profile FILE-ANA-PROFILE1
 policy POLICY1
  vrf 1
  all-interfaces
  file-inspection profile FILE-INS-PROFILE1
 file-analysis profile FILE-ANA-PROFILE1
  alert level warning
  file-types
   pdf
   ms-exe
   new-office
   rtf
   mdb
   mscab
   msole2
AMP & Threatgrid
Configuration
Intent based configuration

Configuration – vManage – Admin-key

Configuration – vManage – AMP - Policy

AMP Regions: NAM / EU / APJC

TG Regions: NAM / EU
AMP & Threatgrid
Monitoring

Monitoring – Device view – Files statistics

Monitoring – Device view – Files Analysis

Monitoring – Device view – File Retrospection
Troubleshooting
To check file reputation status

vm5#show sdwan utd file reputation


utd-oper-data utd-file-reputation-status version 1.12.4.999
utd-oper-data utd-file-reputation-status status utd-file-repu-stat-connected
utd-oper-data utd-file-reputation-status message "Connected to AMP Cloud!"

vm5#show utd engine standard status file-reputation


File Reputation Status:
Process: Running
Last known status: 2019-02-28 00:28:32.569917+0000 [info] AMP module version 1.12.4.999

Troubleshooting
To check file analysis status

vm5#show sdwan utd file analysis


utd-oper-data utd-file-analysis-status status tg-client-stat-up
utd-oper-data utd-file-analysis-status backoff-interval 0
utd-oper-data utd-file-analysis-status message "TG Process Up"

vm5#show utd engine standard status file-analysis


File Analysis Status:
Process: Running
Last Upload Status: File upload successful
Last Upload Time: 2019-03-13 18:53:1552503200

Troubleshooting
To check stats
vm5#show utd engine standard statistics file-reputation
File Reputation Statistics
--------------------------
File Reputation Clean Count: 32
File Reputation Malicious Count: 10
File Reputation Unknown Count: 22
File Reputation Requests Error: 0
File Reputation File Block: 0
File Reputation File Log: 64

vm5#show utd engine standard statistics file-analysis


File Analysis Statistics
------------------------
File Analysis Request Received: 12
File Analysis Success Submissions: 12
File Analysis File Not Interesting: 2
File Analysis File Whitelisted: 0
File Analysis File Not Supported: 0
File Analysis Limit Exceeding: 0
File Analysis Failed Submissions: 0
File Analysis System Errors: 0

Troubleshooting
To check AMP Cache
vm5#show utd engine standard cache file-inspection
File Name| SHA256| File Type| Disposition| action|
-----------------------------------------------------------------------------------------
sample1_doc.doc 9E5046F28FCE4054 27 1 1
sample2_docx.docx 269329FC7AE54B3F 120 1 1
sample3_wav.wav 5F8722542D14F9BC 166 1 1

vm5#show utd engine standard cache file-inspection detail


SHA256: 9E5046F28FCE4054D8902A99988487926F1760774D1AC6DE05BFA7AAEBC28365
amp verdict: unknown
amp action: 1
amp disposition: 1
reputation score: 0
retrospective disposition: 0
amp malware name:
file verdict: 1
TG status: 5
file name: sample1_doc.doc
filetype: 27
create_ts: 1552611270
sig_state: 3

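The counters and cache listing above are only useful if someone reads them, so here is an added Python health check (not part of the deck or of IOS XE) that parses the statistics and cache-table output shown on the preceding slides and raises the findings a defender would want: reputation lookups failing, malicious verdicts that were logged but not blocked, Threat Grid submission failures or daily-limit hits, and files still cached with an unknown disposition. The sample output is constructed from the slides; the disposition code 1 being "unknown" is read off the detail output on the cache slide.

```python
"""Health check over 'show utd engine standard statistics ...' and cache output (added example)."""
import re

# Constructed sample output, modelled on the show commands on the preceding slides.
FILE_REP_STATS = """\
File Reputation Statistics
--------------------------
File Reputation Clean Count: 32
File Reputation Malicious Count: 10
File Reputation Unknown Count: 22
File Reputation Requests Error: 0
File Reputation File Block: 0
File Reputation File Log: 64
"""

FILE_ANALYSIS_STATS = """\
File Analysis Statistics
------------------------
File Analysis Request Received: 12
File Analysis Success Submissions: 12
File Analysis File Not Interesting: 2
File Analysis File Whitelisted: 0
File Analysis File Not Supported: 0
File Analysis Limit Exceeding: 0
File Analysis Failed Submissions: 0
File Analysis System Errors: 0
"""

CACHE_TABLE = """\
File Name| SHA256| File Type| Disposition| action|
-----------------------------------------------------------------------------------------
sample1_doc.doc 9E5046F28FCE4054 27 1 1
sample2_docx.docx 269329FC7AE54B3F 120 1 1
sample3_wav.wav 5F8722542D14F9BC 166 1 1
"""

COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z ]+?):\s*(?P<value>\d+)\s*$")


def parse_counters(text):
    """Turn 'Label: N' lines into {label: int}; the heading and dashed rule are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def parse_cache_table(text):
    """Parse the five-column cache listing; header and dashed rule do not have 5 fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[2].isdigit():
            continue
        name, sha256, ftype, disp, action = parts
        rows.append({"file": name, "sha256": sha256, "file_type": int(ftype),
                     "disposition": int(disp), "action": int(action)})
    return rows


def health_findings(rep, ana):
    """Defender-side checks over the two counter sets; returns a list of finding strings."""
    findings = []
    if rep.get("File Reputation Requests Error", 0) > 0:
        findings.append("file reputation requests are erroring; check AMP cloud connectivity")
    if rep.get("File Reputation Malicious Count", 0) > rep.get("File Reputation File Block", 0):
        findings.append("malicious verdicts exceed files blocked; verify the profile is not alert-only")
    if ana.get("File Analysis Failed Submissions", 0) or ana.get("File Analysis System Errors", 0):
        findings.append("file analysis submissions failing; check the Threat Grid API key and reachability")
    if ana.get("File Analysis Limit Exceeding", 0) > 0:
        findings.append("Threat Grid daily submission limit reached")
    return findings


def pending_analysis(rows):
    """Files whose cached disposition is 1 ('unknown' in the slide's detail output)."""
    return [r["file"] for r in rows if r["disposition"] == 1]
```

On the slide's own numbers the only finding is the second one: ten malicious verdicts and zero blocks means the policy is logging rather than dropping, which is exactly the kind of gap a device-template review should catch.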
Troubleshooting
Additional show commands
show utd engine standard statistics file-reputation vrf global internal
show utd engine standard statistics file-reputation vrf name 1 internal

To enable debug logs
debug utd engine standard file-reputation level info
debug utd engine standard file-analysis level info
debug utd engine standard climgr level info

Logs will be stored in /tmp/rp/trace/vman_utd_R0-0.bin
Policy Summary
Policy summary configuration – Enterprise Firewall
Make sure "Bypass firewall policy and allow all internet traffic to/from VPN0" is unchecked when you configure the firewall.

Policy summary configuration – Intrusion Prevention
Configure the logging (external) server IP and VPN.

Policy summary configuration – Intrusion Prevention
Configure fail-open/fail-close and click on Save Policy Changes.

Device Template
Configuration – Device Template
1. Select Create Template -> From Feature template
2. Select the device from the Device Model drop-down (CSR1000v shown here)
3. Scroll down to (or click on) the Additional templates section and choose the Security Policy Template created earlier
4. Choose the Container profile template (aka UTD Security Policy Feature Template) created earlier and click on Create
5. Click on the three dots to the right of the Device template and select Attach Devices
6. Select the devices to which you want to push the Device template
NetFlow Support
Effective security depends on total visibility

• KNOW every host
• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• Respond to THREATS quickly

That visibility has to cover HQ, the network, branches, cloud users, the data center, roaming users and admins.
The network is a valuable data source

What it provides:
• A trace of every conversation in your network
• Collection of records all across the network (routers, switches, firewalls)
• Network usage metrics
• Ability to view north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Example flow record for a conversation 10.1.8.3 -> 172.168.134.2 crossing routers and switches on its way to the Internet:
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
APPLICATION NAME      NBAR SECURE-HTTP
Enriched with data from other sources

Telemetry is exported at every hop between user device, server, switch, router, WAN router, firewall and data center: routers (ISR, ASR, CSR), switches (Catalyst, ETA enabled Catalyst, IE, WLC), firewalls (ASA, FTD), data center (Nexus switch, Tetration) and Meraki.

Additional sources:
• Web: Web Security Appliance (WSA)
• Endpoint: AnyConnect
• Policy and User Info: Identity Services Engine (ISE)
• Other: Stealthwatch Flow Sensor

Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters.
Security Analytics with Stealthwatch Enterprise

• Data collection: rich telemetry from the existing network infrastructure
• Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies
• Multilayered machine learning: combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Global threat intelligence (powered by Talos): intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Encrypted Traffic Analytics: malware detection without any decryption using enhanced telemetry from the new Cisco devices
Scaling and optimization: deduplication

One conversation between 10.1.1.1 port 80 and 10.2.2.2 port 1024 is reported by three exporters:
• Router A: 10.1.1.1:80 → 10.2.2.2:1024
• Router B: 10.2.2.2:1024 → 10.1.1.1:80
• Router C: 10.2.2.2:1024 → 10.1.1.1:80 (duplicates)

Deduplication
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
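The deduplication idea on this slide is easy to get wrong (summing every exporter's bytes inflates volume; dropping duplicates loses the information of which router saw the flow). The following Python snippet is an added example, not Stealthwatch code: it normalizes both directions of a conversation to one key regardless of exporter, counts bytes once per direction, and keeps the set of exporters so nothing is discarded. The records are constructed to match the Router A/B/C picture above; byte counts are assumed.

```python
"""Flow deduplication across exporters (added example, not collector code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow record; fields modelled on the flow-record slide (constructed)."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    byte_count: int


def conversation_key(rec):
    """Both directions of one conversation, seen from any exporter, share a key."""
    ends = sorted([(rec.src, rec.sport), (rec.dst, rec.dport)])
    return (rec.proto, ends[0], ends[1])


def deduplicate(records):
    """Collapse duplicate sightings into conversations.

    Bytes are counted once per direction (the largest value any exporter reported),
    and every exporter that saw the flow is retained, so no data is discarded."""
    conversations = {}
    for rec in records:
        conv = conversations.setdefault(conversation_key(rec),
                                        {"exporters": set(), "bytes_by_direction": {}})
        conv["exporters"].add(rec.exporter)
        direction = (rec.src, rec.sport, rec.dst, rec.dport)
        seen = conv["bytes_by_direction"].get(direction, 0)
        conv["bytes_by_direction"][direction] = max(seen, rec.byte_count)
    return conversations


def conversation_bytes(conv):
    """Deduplicated volume: one count per direction."""
    return sum(conv["bytes_by_direction"].values())


def naive_total(records):
    """What a collector reports without deduplication: every sighting summed."""
    return sum(r.byte_count for r in records)


# Constructed records matching the slide: Router A sees the server side,
# Routers B and C both see the client side of the same conversation.
SAMPLE_RECORDS = [
    FlowRecord("Router A", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 5000),
    FlowRecord("Router B", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 1200),
    FlowRecord("Router C", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 1200),
]
```

Without deduplication the three sightings add up to 7400 bytes and look like three flows; after it there is one conversation of 6200 bytes seen by all three routers, which is what host-level reporting needs.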
Alarms tied to specific entities

• Quick snapshot of malicious activity
• Suspicious behavior linked to logical alarms
• Risks prioritized to take immediate action
Investigating a host

Host Summary view (traffic by peer host group, alarms by type, flows, history):
• Host attributes: user name, device name, device type, host group, location, last active, status (example host 10.201.3.149, history 12-Jan to 16-Jan)
• Session information and policies, within organization and outside organization; alarm types such as Data Hoarding, Packet Flood, High Traffic, Data Exfiltration
• Quarantine / Unquarantine actions

Summary of aggregated host information, observed communication patterns and historical alarming behavior.

Investigating a host – Top security events
• Understand why the alarm was triggered
• Drill down into associated telemetry with just one click
• Easily determine if the host is the source or target of an attack
Apply machine learning to investigate threats

• Malware behavior detected in encrypted traffic
• Threats ranked by overall severity to environment
• Correlation of global threat behaviors
• Threat propagation details

Investigating: Audit trails

• Filter telemetry search results in place without running a new query
• Control what you see
• Analyze network telemetry retroactively
• Export search results
NetFlow Policy Template Creation

• Configuration -> Policies -> Centralized Policies -> Add Policy
• Policy Application TAB:
  • Topology & App-Aware Routing = Unconfigured
  • Traffic Data should apply to "All-Sites" (as needed)
• Topology TAB configuration is optional

NetFlow Policy Template (Policy Application TAB)

• Create Traffic Data "New Site and VPN List" and Cflowd "New Site List"

NetFlow Policy Template (Traffic Rules TAB)

• Create Traffic Data Policy

NetFlow Policy Template (Traffic Rules TAB)

• Create Cflowd Policy to specify NetFlow Collector information
• Add Collector(s); leave the Cflowd timeouts at their defaults
Platform Support
SD-WAN Security Support on vEdges – 18.3.1

Platforms/Features                                          | Ent FW | DPI    | DNS/web-layer Monitoring *
vEdge (100, 1000, 2000 and 5000), ISR1100-4G/ISR1100-6G     | Y      | Qosmos | Y

* Need Umbrella Subscription for enforcement

SD-WAN Sec Support on IOS-XE Routers

Platforms/Features                                                                                          | Ent FW with App Awareness | IPS/IDS | URL Filtering | DNS/web-layer Monitoring *
ENCS (ISRv) – CSR1000v                                                                                      | Y | Y | Y | Y
ISR4K (4461, 4451, 4431, 4351, 4331, 4321, 4221-X)                                                          | Y | Y | Y | Y
ISR1K (1111X-8P, C1161X-8P, C1127X-8PMLTEP, C1126X-8PLTEP, C1127X-8PLTEP, C1121X-8PLTEP, C1161X-8PLTEP, C1121X-8P) | Y | Y | Y | Y
ASR1K (1001-HX, 1002-HX, 1001-X, 1002-X)                                                                    | Y | N | N | Y

• * Need Umbrella Subscription for enforcement
• Ent FW App Aware and DNS/web-layer security will work with the default 4 GB DRAM
Security App Hosting Profile & Resources

Core layout per platform family:
• 4431 / 4451: Data Plane (10 cores: PPE1–PPE9, I/O, Crypto, CPP code) and Control Plane (4 cores: IOS, SVC1, SVC2, SVC3, Linux)
• 4331 / 4351: Data Plane (4 cores: PPE1–PPE3, I/O, Crypto) and Control Plane (4 cores: IOS, SVC1, SVC2, SVC3, Linux)
• 4321 / 4221 / 1K: Control Plane (2 cores: IOS, SVC, Linux) and Data Plane (2 cores: PPE, I/O, Crypto)

Platforms     | Total No of CP Cores | Total No of CP Cores for Security | Default Profile | High Profile
4321/4221/1K  | 2                    | 1                                 | 1               | -
4331          | 4                    | 2                                 | 2               | 2
4351          | 4                    | 2                                 | 2               | 2
4431          | 4                    | 2                                 | 2               | 2
4451          | 4                    | 2                                 | 2               | 2
Security App Hosting Profile & Resources

Security App Hosting Profile | IPS / URL-Filtering Features Supported | Memory requirement            | Platform
Default                      | IPS + URLF (Cloud Lookup only)         | 8GB Bootflash, 8GB Memory     | ISR1K/4221/4321, 4/8 vCPU CSR/ISRv, 4331/4351/44xx
High                         | IPS + URLF (On-box DB + Cloud Lookup)  | 16GB Bootflash & 16GB Memory  | 4/8 vCPU CSR/ISRv, 4331/4351/44xx

Ent FW App Aware and DNS/web-layer security will work with the default 4 GB DRAM
Resources
Release Notes and Image Download Links (For Your Reference)

Release Notes for both 16.10.1 and 18.4:
https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Release_Notes/010Release_Notes_for_IOS_XE_SD-WAN_Release_16.10_and_SD-WAN_Release_18.4

16.10.1 Software Download Link for ISR 1K/4K and ASR:
ISR 1K: https://software.cisco.com/download/home/286321996/type/286321980/release/16.10.1
ISR 4K: https://software.cisco.com/download/home/286321991/type/286321980/release/16.10.1
ASR1K: https://software.cisco.com/download/home/286321999/type/286321980/release/16.10.1
ISRv: https://software.cisco.com/download/home/286308662/type/286321980/release/16.10.1

18.4 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/18.4.0

18.4 vManage upgrade image download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/18.4.0

Software Installation and Upgrade for Cisco IOS XE Routers: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/Software_Installation_and_Upgrade_for_Cisco_IOS_XE_Routers
SD-WAN Security – External Resources (For Your Reference)

Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936

Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering

Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301

Snort FAQ Ruleset: https://www.snort.org/faq/why-are-rules-commented-out-by-default

Cisco Validated Design: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf

Troubleshooting TechNotes: https://www.cisco.com/c/en/us/support/routers/sd-wan/products-tech-notes-list.html

Configuration Examples and TechNotes: https://www.cisco.com/c/en/us/support/routers/sd-wan/products-configuration-examples-list.html

SD-WAN Security – External Resources (For Your Reference)

Cisco SD-WAN - http://www.cisco.com/go/sdwan

Network World - https://tinyurl.com/yabey6f2

WSJ - https://tinyurl.com/yb75loxn

Lightreading - https://tinyurl.com/yba9zb4s

FB: https://tinyurl.com/y9u375hk

YouTube Network Field Day (demo): https://tinyurl.com/y955ufde
Before we part
Cisco DNA SD-WAN Licensing Detail

Cisco DNA Essentials
• Connectivity/Mgmt: Cloud or On-Prem Management; Flexible Topology (Hub and Spoke, Full Mesh/Partial Mesh); App and SLA based policy; Dynamic Routing (BGP, OSPF); VNF Lifecycle Management
• Security: Enterprise Firewall with Talos-powered IPS and application controls; Cisco Umbrella DNS Monitoring (visibility only)
• SD-WAN Services: Basic Path optimization with FEC and Packet Duplication; TCP Optimization; Multicast
• Up to 50 device overlay

Cisco DNA Advantage (includes Cisco DNA Essentials)
• Cloud/Analytics: Cloud OnRamp for IaaS and SaaS; Automated Service Stitching; Encrypted Traffic Analytics; vAnalytics
• Security: Segmentation (Unlimited VPNs); Cisco AMP and SSL proxy; URL filtering; Cisco Umbrella app discovery
• X-domain Innovations: Integrated Border for Campus (SD-Access); Integration with ACI for Application SLA
• Services: Web Caching, DRE (incl. SSL proxy); Voice Module and SRST Integration

Cisco DNA Premier (includes Cisco DNA Advantage and Cisco DNA Essentials)
• Security – Cisco Umbrella Insights: Transactional; Nominal Mbps per tier = Number of users; Exceptions: 1 Gbps = 750 users, 2.5, 5, 10 Gbps = 1000 users; Enterprise Agreement: Tier 1: 25 users, Tier 2: 250 users, Tier 3: 1000 users
• Security – Cisco Threat Grid: Provides entitlement for 200 files per day per customer account; Files sent to Threat Grid cloud for sandboxing (File Analysis); Global entitlement across all customer sites; For customers looking to submit file samples beyond 200 files per day, additional Threat Grid licenses can be purchased separately.
SD-WAN Security Roadmap (For Your Reference)

17.2.1 (March / April 2020)

• SSL proxy for AMP

• Container / AppQoE optimization

• Secure Internet Gateway (Umbrella SIG)

• Unified image

• FQDN Support for App Aware enterprise firewall
For More on IOS XE SD-WAN Datapath Troubleshooting
• BRKARC-3147 Advanced Troubleshooting of ASR1K and ISR
• Olivier Pelerin – Technical Leader @Cisco Customer eXperience

Cisco SD-WAN #CLEMEA Tectorials
• TECCRS-2014 SD-WAN Technical Deep Dive (8 Hours)
• TECRST-2191 SD-WAN design, deploy and best practices (4 Hours)
• TECCRS-3006 ENFV Deep Dive and Hands on Lab (8 Hours)
• TECSEC-2355 Implementing SD-WAN Branch Security with Cisco Routers (4 Hours)

Cisco SD-WAN #CLEMEA Breakouts
• BRKRST-2791 Building and using Policies with Cisco SD-WAN
• BRKRST-2377 SD-WAN Security
• BRKRST-2560 SD-WAN Machine Analytics, Machine Learnings and IA
• BRKCRS-1579 SD-WAN Powered by Meraki
• BRKRST-2096 SD-WAN Proof Of Concept
• BRKRST-2095 SD-WAN Routing Migrations
• BRKRST-2093 Deploy, monitor and troubleshoot
• BRKRST-2091 ENFV Architecture, Configuration and troubleshooting
• BRKRST-2041 SD-WAN Datacenter and Branch Integration Design
• BRKARC-2012 WAN Architecture and Design Principal
• BRKRST-2559 3 Steps to design SD-WAN On Prem
• BRKCRS-2110 Delivering Cisco Next gen SD-WAN with Viptela
• BRKRST-3404 How to choose the correct branch device
• BRKRST-2097 Conquer the Cloud with SD-WAN
• BRKOPS-2826 SD-WAN as Managed Services
• BRKCRS-2113 Cloud Ready WAN for IAAS and SAAS with Cisco SD-WAN
• Keynote and Cisco Live Celebration

Umbrella session

• BRKSEC-2023 What's new in Umbrella, Cisco's Secure Internet Gateway
• Tuesday 2:30
• Hall 8.0 Session Room A108
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer
• Related sessions
• 1:1 meetings

Thank you