How Security Cloud Control Firewall Management Manages Catalyst SD-WAN NGFW Capabilities
When the Catalyst SD-WAN Manager is integrated with Security Cloud Control Firewall Management, the existing NGFW policies, security objects, and security profiles from the Catalyst SD-WAN Manager are automatically imported into Security Cloud Control Firewall Management. Users can modify these NGFW parameters or create new ones directly from Security Cloud Control Firewall Management. All the changes made in Security Cloud Control Firewall Management are synchronized and saved within the Catalyst SD-WAN Manager.
After the Catalyst SD-WAN Manager is onboarded to Security Cloud Control Firewall Management, the management of policies, objects, and profiles can no longer be performed through the Catalyst SD-WAN Manager. Instead, these management tasks must be carried out exclusively from Security Cloud Control Firewall Management.
A "Managed by Security Cloud Control (SCC)" banner will be displayed on the Catalyst SD-WAN Manager that is onboarded to Security Cloud Control Firewall Management, indicating the integration. This message can be viewed in the Catalyst SD-WAN Manager by navigating to the relevant configuration sections:
- For Security Objects and Profiles:
- For NGFW Policies:
Restrictions for Security Cloud Control Firewall Management and Catalyst SD-WAN Manager Integration
- Cloud connectivity is essential
  Catalyst SD-WAN Manager can be deployed either on-premises or hosted in the Cisco cloud. To function properly, it must have cloud connectivity. Placing Catalyst SD-WAN Manager behind a NAT device is supported, but with restrictions. Specifically, only port 443 (HTTPS) needs to be open to enable cloud connectivity.
- Deboard Catalyst SD-WAN Manager to edit NGFW policies, objects, and profiles
  To make changes to the NGFW policies, objects, and profiles from the Catalyst SD-WAN Manager, you have to deboard it from Security Cloud Control Firewall Management.
- Customized IPS profiles not supported
  Security profiles do not support IPS policies (Signature set objects) that are editable or customized.
- Live logs unavailable with SAL
  Live logs cannot be viewed on Security Cloud Control Firewall Management using Cisco Security Analytics and Logging. You can only view historical events.
- Modify user role privileges for Security Cloud Control Firewall Management users with caution
  Exercise caution when changing user role privileges on Catalyst SD-WAN Manager for users who are part of Security Cloud Control Firewall Management. Modifying privileges for Security Cloud Control Firewall Management-associated users can result in configuration failures.
- On-Prem multitenant Catalyst SD-WAN Manager not supported
  On-premises multitenant deployments of Catalyst SD-WAN Manager are not supported in Security Cloud Control Firewall Management for version 20.18.1. Only single-tenant Catalyst SD-WAN Manager deployments are compatible with Security Cloud Control Firewall Management in this release.
- Dark mode not supported
  It is recommended not to enable dark mode in Security Cloud Control Firewall Management when Catalyst SD-WAN Manager is integrated.
Note: Changes can be made to the NGFW policies, objects, and profiles from the Catalyst SD-WAN Manager after it has been deboarded from Security Cloud Control Firewall Management.
Security Cloud Control Firewall Management allows you to perform the following operations:
- Create, modify, or delete NGFW policies, security objects, and security profiles.
- Search security objects across devices using global search functionality.
- Associate a policy group to a Catalyst SD-WAN NGFW policy.
Policy deployment to Secure Router devices
Changes made to the NGFW policies, security objects, and security profiles in Security Cloud Control Firewall Management will automatically be saved to the Catalyst SD-WAN Manager. However, the updated configuration must be manually deployed to Secure Router devices using the Catalyst SD-WAN Manager. Note that changes cannot be directly pushed to devices from Security Cloud Control Firewall Management.