Cisco Secure Access - Unmanaged device SWG behavior through SD-WAN

svenus
Level 1

Hi team,

This may be a dumb question, but I can't find a good deployment-type guide to explain this to the customer.

I have an SD-WAN, and the routers have tunnels going to CSA using the Network Tunnel Group. The use case is SIA with SWG.

What is the behavior for the following devices? Will they get dropped, or are they still subject to the policies configured for SWG? Authenticated?

1. Unmanaged devices, but the user has the capability to provide authentication credentials through the browser.

2. Unmanaged devices where the users are guests, e.g. visitors.

3. Devices that do not have Secure Client installed, e.g. printers, IoT devices, servers.

Pointers to where I can find docs on these would be much appreciated. Thanks.

1 Reply

nbogdaje
Cisco Employee

When going over a tunnel, all traffic will go through the CDFW, and then all web traffic will be sent to the proxy (excluding any bypassed domains/IPs). Any traffic going through the CDFW and the proxy will be subject to policy enforcement based on its identity.

1. If users are logging in via SAML, this will provide the AD user info to Secure Access. So they will hit either an AD group/user policy, the policy applied to the tunnel ID, or the default if neither exists.

2. This traffic will be subject to the tunnel ID policy, or the default if none exists.

3. This will be the same as #2.

The above assumes all the traffic is going over the tunnel. The default behavior if no policy is hit is to allow all traffic (besides sites considered a threat by Cisco Talos).