Cisco Meraki

Cisco+ Secure Connect - Manage Firewall Policies

Overview

The Cisco+ Secure Connect cloud-delivered firewall (CDFW) provides firewall services without the need to deploy, maintain, and upgrade additional physical or virtual appliances at a site. The CDFW supports visibility and control of internet traffic across branch offices. It helps you improve security efficacy and ensure consistent enforcement everywhere. In addition, the firewall logs all network activity and blocks unwanted traffic using IP, port, and protocol rule criteria, giving centralized visibility and alerting.


Prerequisites

Complete the prerequisites that apply to your architecture.

1. Connect Meraki site to Secure Connect

If you are using Cisco+ Secure Connect for branch-to-branch connectivity, tunnels are established automatically in a few clicks. See the linked document for more details.

2. Non-Meraki site connected via IPsec

Go through the checklist below before configuring firewall policies.

  • An internet connection that allows outbound IPsec traffic.
  • A network device capable of establishing an IPsec IKEv2 tunnel. For supported network devices, see Supported IPsec Parameters.
  • Tunnel passphrase obtained from the Umbrella dashboard.
  • At least one tunnel added. For more information about adding tunnels, see Network Tunnel Configuration.

Adding Firewall Policies

Firewall policies are currently configured on the Cisco Umbrella dashboard, which you reach from Cisco+ Secure Connect.

1. In the Secure Connect dashboard, click the Firewall link under the Policy count area on the Overview page, or go to the menu and click Secure Connect -> Policies -> Firewall to reach the Umbrella Firewall Policies page.

Policy Menu - FW.png

 

2. You are now in the Umbrella dashboard. Navigate to Policies > Management > Firewall Policy and click the Add button in the top right corner. You can always click "RETURN TO SECURE CONNECT" to return to Secure Connect.

1.png

3. Choose the Rule Type

2.png

This document covers only how to set up rules for Internet Traffic. To learn how to set up firewall rules for Private Applications and Networks, see this link.

4. Define the basic characteristics of your firewall rule.

  • Choose a descriptive Name and Description.
  • Choose a Priority Order. Priority Order positions rules in the Firewall Policy in the order in which rules are evaluated and applied. Rules are applied sequentially, with the Default Rule always in the last position.
  • Enable or Disable your firewall rule.

3.png

5. Under Rule Action, choose Allow or Block.

4.png

6. Choose the rule's criteria.

  • Protocol - The protocols to which the rule applies. Options are TCP, UDP, ICMP, or any.
  • Source Tunnels - The source tunnel to which the rule applies. Search for tunnels to add them. Up to three tunnels are displayed dynamically as you begin entering text.
  • Source CIDR IP Addresses - The tunnel's source addresses (IP or CIDR) to which the rule applies. You can choose Specify IP and add each CIDR IP address, or choose Any.
  • Source Ports - The tunnel's source ports to which the rule applies. You can choose Specify Port and enter ports or port ranges in a comma-delimited plain-text list, or choose Any.
  • Identities (optional) - Specify the identities to be added in the rule.

5.png

  • Destination CIDR IP Addresses - The tunnel's destination addresses (IP or CIDR) to which the rule applies. You can choose Specify IP and add each CIDR IP address, or choose Any.
  • Destination Ports - The tunnel's destination ports to which the rule applies. You can choose Specify Port and enter ports or port ranges in a comma-delimited plain-text list, or choose Any.
  • Application - The applications and application categories to which the rule applies. For more information, see Application Categories.

12.png

7. Choose a Time Zone and configure Start and Expiration dates and times. Optionally, check Does Not Expire so that your rule will not expire.

9.png

8. Select an interval for the hit counter. If you disable logging for this firewall rule, the hit counter will also be disabled. For more information, see Monitor Hit Count.

10.png

9. Enable or Disable logging.
Note: Logging is disabled by default. If you disable logging, the hit counter will also be disabled.

11.png

10. Click Save.
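To make the evaluation semantics of steps 4 through 9 concrete, the following is an added Python model of a rule set, not Umbrella's own code or data model. It shows how first-match evaluation in Priority Order works, how a comma-delimited port list with ranges expands, why a disabled or expired rule is skipped, and how the hit counter only advances when logging is enabled. The Source Tunnels, Identities and Application criteria are omitted, the `Rule`, `Flow` and `evaluate` names are constructed for this illustration, and the Default Rule's action is passed in as an assumed parameter because the page does not state it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


def parse_ports(spec: str) -> Optional[Set[int]]:
    """Expand a comma-delimited list of ports and ranges, e.g. "22, 80, 8000-8080".
    Returns None for "Any" so the caller can skip the port check entirely."""
    if spec.strip().lower() == "any":
        return None
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def parse_cidrs(spec: str):
    """Parse "Any" (returns None) or a comma-delimited list of IPs / CIDR blocks."""
    if spec.strip().lower() == "any":
        return None
    return [ip_network(c.strip(), strict=False) for c in spec.split(",") if c.strip()]


@dataclass
class Flow:
    protocol: str                    # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ICMP, which has no ports
    dst_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    priority: int                    # lower number = evaluated earlier
    action: str                      # "Allow" or "Block"
    enabled: bool = True
    protocol: str = "any"            # TCP, UDP, ICMP or any
    src_cidrs: str = "Any"
    src_ports: str = "Any"
    dst_cidrs: str = "Any"
    dst_ports: str = "Any"
    start: Optional[datetime] = None     # None = active immediately
    expires: Optional[datetime] = None   # None = "Does Not Expire"
    logging: bool = False                # disabled by default, as in step 9
    hits: int = 0                        # hit counter; only advances when logging is on

    def active_at(self, now: datetime) -> bool:
        """A rule only participates when enabled and inside its start/expiry window."""
        if not self.enabled:
            return False
        if self.start is not None and now < self.start:
            return False
        if self.expires is not None and now >= self.expires:
            return False
        return True

    def matches(self, flow: Flow, now: datetime) -> bool:
        if not self.active_at(now):
            return False
        if self.protocol.lower() != "any" and self.protocol.upper() != flow.protocol.upper():
            return False
        for spec, ip in ((self.src_cidrs, flow.src_ip), (self.dst_cidrs, flow.dst_ip)):
            nets = parse_cidrs(spec)
            if nets is not None and not any(ip_address(ip) in n for n in nets):
                return False
        for spec, port in ((self.src_ports, flow.src_port), (self.dst_ports, flow.dst_port)):
            ports = parse_ports(spec)
            if ports is not None and port not in ports:   # a portless ICMP flow never matches a port rule
                return False
        return True


def evaluate(rules: List[Rule], flow: Flow, now: datetime,
             default_action: str = "Allow") -> Tuple[str, str]:
    """First match wins, in ascending Priority Order; the Default Rule is always last.
    default_action is an assumption of this model, not a documented CDFW value."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(flow, now):
            if rule.logging:
                rule.hits += 1
            return rule.action, rule.name
    return default_action, "Default Rule"


def demo():
    """Constructed sample policy and flows (not taken from a real dashboard)."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    rules = [
        Rule("Old maintenance block", 0, "Block",
             expires=datetime(2024, 1, 1, tzinfo=timezone.utc)),   # expired: skipped
        Rule("Disabled catch-all", 1, "Block", enabled=False),      # disabled: skipped
        Rule("Block SSH from guest VLAN", 2, "Block", protocol="TCP",
             src_cidrs="10.10.0.0/16", dst_ports="22", logging=True),
        Rule("Allow web", 3, "Allow", protocol="TCP",
             dst_ports="80, 443, 8000-8080"),                       # logging off: no hits
    ]
    flows = [
        Flow("TCP", "10.10.5.5", "203.0.113.10", 51000, 22),
        Flow("TCP", "10.10.5.5", "203.0.113.10", 51001, 8080),
        Flow("UDP", "10.10.5.5", "203.0.113.10", 53000, 53),
        Flow("ICMP", "10.10.5.5", "203.0.113.10"),
    ]
    return [evaluate(rules, f, now) for f in flows], rules


if __name__ == "__main__":
    for (action, name) in demo()[0]:
        print(f"{action:5} by {name}")
```

The point to take from the model is that ordering and rule state decide the outcome before any criterion is examined: the two highest-priority rules in the sample never fire because one has expired and the other is disabled, so a Block rule you rely on must be both enabled and within its validity window, and a rule with logging off will show a hit count of zero even when it is matching traffic.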

Resources

The Cisco Umbrella site has detailed information on configuring and testing policies. Below are links to the key CDFW guides.

Add a Firewall Rule

Configure IPS Settings for Firewall Policy

Monitor Hit Count

Review Firewall Logs in Reports

Check Protocol of Web Traffic
