This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering
Upload the image for virtual service if you intent to test IPS/IPS and/or URL-F
Click Maintenance >> Software Repository then choose the "Virtual Images" tab and upload the App Hosting tar file to the software repository.
Under Deployments >> Network Devices >> Choose the API token on the far right corner and copy the long string of numbers to clip board.
This token needs to be populated (pasted from clip board) under the vManage settings like shown below under "Umbrella API Token":
Release Notes for both 16.10.1 and 18.4:
16.10.1 Software Download Link for ISR 1K/4K and ASR:
18.4 vManage New Deployment Download Link: https://software.cisco.com/download/home/286320995/type/286321039/release/18.4.0
18.4 vManage upgrade image download Link: https://software.cisco.com/download/home/286320995/type/286321394/release/18.4.0
Click under Configuration >> Security and click "Add Security Policy" and pick one of the features that you like to implement or if you need more than one choose the "custom" option and proceed.
Click on "Add Firewall Policy" choose "Create New" and proceed. Give the policy a name and description as shown below and start creating sequence rule. If you need to configure permission for DIA (Direct Internet Access) for example only allow http, https, dns follow the screen shots for below:
Moving on to IPS, click on "Add Intrusion Prevention policy".
Give the policy a name and proceed with choosing a Signature Set, Inspection Mode.
Optionally one could under configure a Signature Whitelist by importing or creating a new file on the local computer and set the "Alerts Log Level".
Once done make sure to apply the policy to all or only selected Target VPNs.
Click "Add URL Filtering Policy" and choose "create new". Give it a policy name and proceed with choosing the categories using the down arrow.
Under Advanced choose create a new URL list for White or Black List. Eg. whitelisted URLs bypass all URL filtering policy. Blacklisted URL's are immediately dropped without further processing the URL filtering policy. Under the Block Page Content the "Default Content Header" cannot be changed (we will hide/remove this from the UI for FCS). Under "Content Body" you can type a message or add the help desk number that the users could call if needed.
Start configuring DNS/web-layer security feature "Add DNS security Policy" and choose "create new" give it a policy name and proceed.
Since we have already keyed in the Umbrella Token ID under settings, Umbrella Registration Status shows "green" configured.
Now create an optional domain bypass list for DNS requests (for internal company only websites) that do not need to be re-directed to Umbrella. DNScrypt is enabled by default which will encrypt the DNS packets with the EDNS headers of client IP etc. and be sent to the umbrella cloud.
Make sure to apply the policy to all or only selected target VPNs.
Make sure to apply the policy to all or only selected VPNs. Then, go next and review the policy summary page:
Make sure to uncheck the box that says 'Allow Internet Traffic to VPN 0 if VPN 0 is not in a zone'. Checking this will allow all traffic without being inspected by the firewall.
Before attaching the security policy to the device template, since the IPS and URL-F features are container based, we need to upload the image for App Hosting. If you haven't done this already, now is the time to do this.
Click Maintenance >> Software Repository then choose the "Virtual Images" tab and upload the App Hosting tar file to the repository.
Next, go to the Configuration >> Templates choose the template that is attached to the device then click on the far left ... and choose edit. Now, scroll all the way down choose the security policy that we just configured and also choose the UTD "Factory Default_UTD_Template" if you are deploying IPS or URL-F.
Now, attach the device(s) to the template as shown below.
This process takes a few minutes (up to 10 minutes) so, please be patient and watch the progress by clicking on the "Tasks".
Toggle between Inspected VS Dropped, click on 1h, 3h, 6h and click at any point on the trend for further drilling down.
Toggle between "By Severity" or "By Count" to further drill-down by signature name on the bottom that will show more details about the 5-tuples responsible for triggering the signature.
Toggle between "Blocked" VS "Allowed" and click on certain color band to get more details about the number of sessions processed by all the devices in the enterprise for the particular category.
Click under Monitor >> Network and choose the device in question and choose one feature at a time under "Security Monitoring"
Choose all different options and drill downs. This dashboard has "Umbrella DNS re-direct" as well.
Under the device specific dashboard, you can get some real time stats on the security features. For example if you click under Monitor >> Network >> Choose the device >> Real Time (very bottom on the left pane).
You can type "Policy Zone" and get FW statics real time as shown below:
You can type "UTD" and get IPS statics real time as shown below:
You can type "Umbrella" and get Umbrella (DNS/web-layer security) statics real time outputs as shown below: