Security Policy Using Policy Groups
Security Policy Using Policy Groups
Information About Security Policy
Enable RBAC for Security Policy
Restrictions for Security Policy
Configure a Security Policy Using a Policy Group
Configure a Group of Interest for a Security Policy
Configure Embedded Security
Configure an Embedded Security Sub-Policy
Configure Embedded Security Additional Settings
Configure a Secure Service Edge
Configure DNS Security

Security Policy Using Policy Groups

Table 1. Feature History
Feature Name	Release Information	Description
Security Policy Using Policy Groups		This feature provides a simple, reusable, and structured approach for configuring security policies . You can create a security policy, that is, a logical grouping of policies that is applied to one or more sites or a single device at a site in the network. The Deploy Policy Group workflow provides a guided method to choose previously created policy groups and deploy them to sites or a single device at a site that is managed by configuration groups.

Information About Security Policy

Configuring security policies using policy groups simplifies the experience of configuring and deploying policies on SD-Routing devices. Use a workflow to configure policies and associate them with devices in the network.

The Policy Groups page includes the following:

Policy Group
Embedded Security Configuration
DNS Security Configuration

Enable RBAC for Security Policy

To create a policy group and security feature profiles using configuration groups, role-based access control (RBAC) must provide read and write permissions on the following profiles to access each feature. Set the permissions of the user group to enable access to policy groups from Configuration > Policy Groups.

From the Cisco SD-WAN Manager menu, choose Administration > Manage Users > User Groups.
Click Add User Group.
Enter User Group Name.
Check a Read or Write check box for the Policy Group, Device and Deploy feature that you want to assign to a user group.
Check a Read or Write check box for the following features that you want to assign to a user group:
- Feature Profile > Embedded Security > Legacy Policy
- Feature Profile > Embedded Security > NGFirewall
- Feature Profile > Embedded Security > Policy
- Feature Profile > Policy Object > Advanced Inspection Profile
  
  The Advanced Inspection Profile has the following subfeature profiles:
  - Advanced Malware Protection
  - Intrusion Prevention
  - SSL Decryption
  - SSL Decryption Profile
  - URL Filtering
Click Add.

Restrictions for Security Policy

Security policy does not support matching traffic using a custom application in a custom-defined application list.

Configure a Security Policy Using a Policy Group

Using the Create Security Policy workflow, you can create a security policy, add sub-policy, add rules to existing sub-policies, and so on.

From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library > Create Security Policy. Alternatively, choose Configuration > Policy Groups.
Click Embedded Security.
On the Embedded Security page, click Add Security Policy. This launches the Security Policy workflow.
Enter Policy Name and Description and click Next.
On the Select the optional Configuration Group to associate with the security policy page, choose the configuration groups and click Next.
Click Add Sub-Policy.
Click Submit.You can view the new security policy in the Embedded Security tab.

Configure a Group of Interest for a Security Policy

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > Group of Interest.
Click the Security tab. The list of security objects and profiles appears.

Use the following tables to configure a different group of lists for security policy:

Application


Field	Description
Application List Name	Name of the application list.
Applications	Choose one or more application types from the drop-down list. For example, Third Party Control, ABC News, Microsoft Teams, and so on. Choose one or more application family types from the drop-down list. For example, application-service, audio_video, authentication, behavioral, compression, database, encrypted, and so on.

Data Prefix


Field	Description
Data Prefix List Name	Name of the prefix list.
Data Prefix	The data prefix value.

Local Domain


Field	Description
Local Domain List Name	Name of the local domain list.
Local Domain	The local domain values separated by comma. For example, cisco.com.

FQDN (Fully Qualified Domain Name)

The FQDN is intended to be used for matching standalone servers in data centers or a private cloud. When matching public URLs, the recommended match action is drop. If you use inspect for public URLs, you must define all related sub URLs and redirect URLs.


Field	Description
FQDN List Name	Name of the FQDN list.
FQDN	The URL names separated by comma. For example, cisco.com.

Signature

The signature set blocks vulnerability with a Common Vulnerability Scoring System (CVSS) score that is greater than or equal to 9. It also blocks Common Vulnerabilities and Exposures (CVEs) published in the last two years and that have the rule categories: Malware CNC, Exploit Kits, SQL Injection or blocked list.


Field	Description
IPS Signature List Name	Name of the IPS signature list.
IPS Signature	The signatures in the format `Generator ID:Signature ID`, separated with commas. For example, 1234:5678. Range is 0 to 4294967295

URL Allow

List-based filtering allows the user to control access by permitting or denying access based on allowed or blocked lists. Here are some important points to note about these lists:

URLs that are allowed are not subjected to any category-based filtering.
If the same item is configured under both the allowed and blocked list, the traffic is allowed.
If the traffic does not match either the allowed or blocked lists, then it is subjected to category-based and reputation-based filtering.


Field	Description
Allow URL List Name	Name of the Allow URL list.
Allow URL	The URLs to allow.

URL Block

List-based filtering allows the user to control access by permitting or denying access based on allowed or blocked lists.


Field	Description
Block URL List Name	Name of the Block URL list.
Block URL	The URLs to block.

Zone


Field	Description
Zone List Name	Name of the zone list.
VPN	Choose to configure zones with zone type as VPN. Add the VPNs to the zones from the drop-down list. The options are: Payment Processing Network Corporate Users Local Internet for Guests Physical Security Devices
Interface	Choose to configure zones with zone type as Interface. Add the interfaces to the zones from the Add Interface drop-down list. The options are: Ethernet FastEthernet FiveGigabitEthernet FortyGigabitEthernet GigabitEthernet HundredGigE

Port


Field	Description
Port List Name	Name of the port list.
Port	The port values separated by comma. The range is 0 to 65530.

Protocol


Field	Description
Protocol List Name	Name of the protocol list.
Protocols	Select one or more protocol names from the drop-down list. For example, snmp, tcp, udp, icmp, echo, telnet, and so on.

Geo Location


Field	Description
Geo Location List Name	Name of the geolocation list.
Geo Location	Select one or more geo locations from the drop-down list. For example, Africa, Antartic, Asia, Europe, and so on.

The security group of interest has the following profiles:

Advanced Inspection Profile
Intrusion Prevention Policy
URL Filtering
Advanced Malware Protection
TLS/SSL Profile
TLS/SSL Decryption

Advanced Inspection Profile


Field	Description
Profile Name	Name of the advanced inspection profile.
Description	The description of the profile.
Select an Intrusion Prevention	Choose an intrusion prevention option from the drop-down list.
Select an URL Filter	Choose a URL filter from the drop-down list.
Select an Advanced Malware Protection	Choose an advanced malware protection.
TLS Action	Choose the TLS action. The options are: Decrypt Pass Through Do not Decrypt

Intrusion Prevention Policy


Field	Description
Profile Name	Name of the intrusion prevention policy.
Signature Set	Choose a signature set that defines the rules for an evaluating traffic from the Signature Set drop-down list. The following options are available. Balanced: Provides protection without significant effect on system performance. Connectivity: Less restrictive and provide better performance by imposing fewer rules. Security: Provides more protection than Balanced but with an impact on performance.
Inspection Mode	Choose the inspection mode. The following options are available: Detection: Choose this option for intrusion detection mode. Protection: Choose this option for intrusion protection mode.
Custom Signature Set	Select one or more web categories from the drop-down list. The categories are: abortion, abused-drugs, auctions, and so on.
Select an Signature Allow List	Select a signature allow list.
Alerts Log Level	Choose the alert log level: Error Emergency Alert Critical Warning Notice Info Debug

URL Filtering Policy


Field	Description
Profile Name	Name of the URL filtering policy.
Web Category	Choose the web category. The options are Block and Allow.
Web Reputation	Choose the web reputation from the drop-down list. The reputation options are: High Risk Suspicious Moderate Risk Low Risk Trustworthy
Select one or more web categories	Select one or more web categories from the drop-down list. The categories are: abortion, abused-drugs, auctions, and so on.
Select allow URL list	Select an allow URL list.
Select block URL list	Select a block URL list.
Block Page Server	Choose one of the options: Block Page Content: Enter the default content header and content body. Redirect URL: Enter the redirect URL.
Alerts and Logs	Choose the alert and log type: Blocklist Allowlist Reputation/Category

Advanced Malware Protection Policy


Field	Description
Profile Name	Name of the advanced malware protection policy name.
Select AMP Cloud Region	Select AMT Cloud region. The options are: NAM EU APJC
Alert Log Level	Choose the alert log level. The options are: Critical Warning Info
File Analysis	Enable file analysis.
Select TG Cloud Region	Select TG Cloud region. The options are NAM and EU.
Select one or more file types	Select one or more file types. The options are, pdf, ms-exe, new-office, rtf, mdb, mscab, msole2, wri, xlw, flv, and swf.

TLS/SSL Profile


Field	Description
Profile Name	Name of the TLS/SSL profile.
Select Categories to assign action	Set the categories between the actions—Decrypt, No Decrypt, and Pass Through URL Categories. Alternatively, choose multiple categories and set the action.
Reputation	Enable reputation to choose the Decrypt Threshold. The decrypt threshold options are: High Risk Suspicious Moderate Risk Low Risk Trustworthy
Advanced Options
Select a Decrypt Domain list	Choose the decrypt domain list or click Create New to create a new decrypt domain list. Enter Decrypt Domain List Name. Enter Decrypt Domain Click Add.
Select a No Decrypt Domain list	Choose the no decrypt domain list or click Create New to create a new no decrypt domain list. Enter No Decrypt Domain List Name. Enter No Decrypt Domain Click Add.
Fail Decrypt	Enable the fail decrypt option, if decryption fails.

TLS/SSL Decryption


Field Name	Description
Policy Name	Name of the policy. The name can contain a maximum of 32 characters.
Server Certificate Checks
Expired Certificate	Defines what the policy should do if the server certificate has expired. The options are: Drop: Drop traffic Decrypt: Decrypt traffic
Untrusted Certificate	Defines what the policy should do if the server certificate is not trusted. The options are: Drop: Drop traffic Decrypt: Decrypt traffic
Certificate Revocation Status	Defines whether the Online Certificate Status Protocol (OCSP) should be used to check the revocation status of the server certificate. The options are Enabled or Disabled.
Unknown Revocation Status	Defines what the policy does, if the OCSP revocation status is unknown. Drop: Drop traffic Decrypt: Decrypt traffic
Unsupported Mode Checks
Unsupported Protocol Versions	Defines the unsupported protocol versions. Drop: Drop the unsupported protocol versions. Decrypt: Decrypt the unsupported protocol versions.
Unsupported Cipher Suites	Defines the unsupported cipher suites. Drop: Drop the unsupported cipher suites. Decrypt: Decrypt the unsupported cipher suites.
Failure Mode	Defines the failure mode. The options are close and open.
Certificate Bundle	Check the Use default CA certificate bundle checkbox to use the default CA.
Minimum TLS Version	Sets the minimum version of TLS that the proxy should support. The options are: TLS 1.0 TLS 1.1 TLS 1.2
Proxy Certificate Attributes
RSA Keypair Modules	Defines the Proxy Certificate RSA Key modules. The options are: 1024 bit RSA 2048 bit RSA 4096 bit RSA
Ec Key Type	Defines the key type. The options are: P256 P384 P521
Certificate Lifetime (in Days)	Sets the lifetime of the proxy certificate, in days.

Configure Embedded Security

Security is a critical element of today's networking infrastructure. Network administrators and security officers are hard pressed to defend their networks against attacks and breaches. Due to hybrid clouds and remote employee connectivity, the security perimeter around networks is disappearing.

The Enterprise Firewall with Application Awareness uses a flexible and easily understood zone-based model for traffic inspection, compared to the older interface-based model.

A firewall policy is a type of localized security policy that allows stateful inspection of TCP, UDP, and ICMP data traffic flows. Traffic flows that originate in a given zone are allowed to proceed to another zone based on the policy between the two zones. A zone is a grouping of one or more VPNs. Grouping VPNs into zones allows you to establish security boundaries in your overlay network so that you can control all data traffic that passes between zones. For more information on Embedded Security, see Enterprise Firewall with Application Awareness.

From the Cisco SD-WAN Manager olicy Groups > Embedded Security.
Choose a security policy and click Edit.
Click Add Rule.


Field	Description
Rule Name	The name of the rule.
Sequence	Specify the sequence.
Destination Zone	In the Destination Zone drop-down list, choose the zone to which data traffic is sent. The options are: No-Zone Corporate_Users Local_Internet_for_Guests Payment_Processing_Network Physical_Security_Devices Self Untrusted Zones are created based on the VPNs in the configuration group selected in the create security policy workflow.
Match	Choose the desired match conditions from the Add Conditions drop-down list. The options are: Applications Protocol Source Geo Location IPv4 Prefix Port Destination FQDN Geo Location IPv4 Prefix Port When ISE is enabled, then SGT option is available in the Source and Destination. Identity User or User group is only supported for Source.
Action	Choose the desired action conditions. The options are: Pass Drop Inspect Log Events: Unified Logging for Inspect Action. Select Advanced Inspection Profile from the drop-down list.

Configure an Embedded Security Sub-Policy

From the Configuration > Policy Groups, choose Embedded Security.
Choose a security policy from the list and click Edit. and enter the following details.
Click Add Sub-Policy to add sub-policies for a security policy.


Field	Description
VPN / Interface	Specify the VPN or the interface.
Source Zone	Choose the zone that is the source of the data packets.
Zone List Name	The name of a zone list.
VPN	Choose to configure zones with zone type as VPN. Add the VPNs to the zones from the drop-down list. The options are: Payment Processing Network Corporate Users Local Internet for Guests Physical Security Devices
Interface	Choose to configure zones with zone type as Interface. Add the interfaces to the zones from the Add Interface drop-down list.
Rule Name	The name of the rule.
Sequence	Specify the sequence.
Destination Zone	Choose the zone to which data traffic is sent. The options are: Any Corporate_Users Local_Internet_for_Guests Payment_Processing_Network Physical_Security_Devices Self Untrusted (VPN 0)
Match	Choose the desired match conditions from the Add Conditions drop-down list. The options are: Applications Protocol Source Geo Location IPv4 Prefix Port Destination FQDN Geo Location IPv4 Prefix Port
Action	Choose the desired action conditions. The options are: Pass Drop Inspect Log Events - Unified Logging for Inspect Action. Select Advanced Inspection Profile from the drop-down list.
User / User Group	An identity service engine has to be enabled to configure User / User Group sub policies. You can configure using Administration > Integration Management > Identity Service Engine.

Configure Embedded Security Additional Settings

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups, choose Embedded Security.
Choose a security policy from the list and click Edit and enter the following details.

Click Additional Settings to configure additional settings for a security policy.


Field	Description
TCP SYN Flood Limit	Specify the threshold of SYN flood packets per second for each destination address.
Max Incomplete	Specify the timeout limits for the firewall policy. A Max Incomplete timeout limit protects firewall resources and keeps these resources from being used up.
TCP Limit	Specify the maximum TCP half-open sessions allowed on a device.
UDP Limit	Specify the maximum UDP half-open sessions allowed on a device.
ICMP Limit	Specify the maximum ICMP half-open sessions allowed on a device.
Audit Trail	Enable the Audit Trail option. This option is only applicable for rules with an inspect action.
Unified Logging	Enable the unified logging feature.
Optimized Policy	Enable the optimized policy option.
Session Reclassify Allow	Allow re-classification of traffic on policy change.
ICMP Unreachable Allow	Allow ICMP unreachable packets to pass through.
Advanced Inspection Profile	Attach a global advanced inspection profile (AIP) at a device level. All the rules in the device that match the traffic to be inspected are inspected using the advance inspection profile.

Choose the profile from the Advanced Inspection Profile drop-down list or click Create New.


Field	Description
Profile Name	The name of the profile.
Description	The description of the profile.
Select an Intrusion Prevention	Specify the maximum TCP half-open sessions allowed on a device.
UDP Limit	Specify the maximum UDP half-open sessions allowed on a device.
ICMP Limit	Specify the maximum ICMP half-open sessions allowed on a device.
Audit Trail	Enable the Audit Trail option. This option is only applicable for rules with an inspect action.
Unified Logging	Enable the unified logging feature.
Optimized Policy	Enable the optimized policy option.
Session Reclassify Allow	Allow re-classification of traffic on policy change.
ICMP Unreachable Allow	Allow ICMP unreachable packets to pass through.

Choose the intrusion prevention from the Select an Intrusion Prevention drop-down list or click Create New.


Field	Description
Profile Name	The name of the profile. The name can have a maximum of 32 characters.
Signature Set	Specify the signature set. The options are: Balanced Connectivity Security
Inspection Mode	Specify the inspection mode. The options are: Detection Protection
Advanced
Customer Signature Set	Enable customer signature set to add a new global custom signature. In the Add New Global Custom Signature window, choose Download From the following options: Remote Server Local Server (Not Recommended)
Select an Signature Allow List	Select an allowed signature list or Create New to create a new IPS signature list.
Alert Log Level	Choose the alert log level: Error Emergency Alert Critical Warning Notice Info Debug

Click Add.

Choose the advanced malware protection profile from the Select an Advanced Malware Protection drop-down list or click Create New.


Field	Description
Profile Name	The name of the profile. The name can have a maximum of 32 characters.
Select AMP Cloud Region	Choose the AMP cloud region. The options are: NAM EU APJC
Inspection Mode	Specify the inspection mode. The options are: Detection Protection
Alert Log Level	Choose the alert log level: Critical Warning Info
File Analaysis	Enable file analysis.
Select TG Cloud Region	Choose the cloud region from the drop-down list. The options are: NAM EU
Alert Log Level	Choose the alert log level: Critical Warning Info
Select one or more file types	Choose one or more file type from the drop-down list: All pdf ms-exe new-office rtf mdb mscab msole2 wri xlw flv swf

Click Add.

Choose a URL filter from the URL Filter drop-down list or Create New.


Field	Description
Profile Name	The name of the profile. The name can have a maximum of 32 characters.
Web Category	Choose the web category from the drop-down list. The options are: Block Allow
Select one or more web categories	Choose one or more web categories from the drop-down list. The options are: abortion, abused-drugs and so on.
Web Reputation	Choose the web reputation from the drop-down list. The reputation options are: High Risk Suspicious Moderate Risk Low Risk Trustworthy
Advanced
Select allow url list	Select an allowed URL list or Create New to create a new allow URL list.
Select block url list	Select a blocked URL list or Create New to create a new block URL list.
Block Page Server	Choose the block page server from the drop-down list. The options are: Block Page Content Redirect URL: Specify the redirect URL
Alerts And Logs	Choose one or more file type from the drop-down list: Blocklist Allowlist Reputation/Category

Click Add.

Choose TLS Action.


Field	Description
TLS Action	Choose the web category from the drop-down list. The options are: Decrypt Pass Through Do not Decrypt
Select an TLS/SSL Decryption	Choose the TLS/SSL decryption profile from the drop-down list or Create New profile.

Configure a Secure Service Edge

Before You Begin

Create the Cisco SSE credentials from Administration > Settings > Cloud Credentials.

Configure a Secure Service Edge

Choose the SSE Provider. The options are:

Cisco Secure Access

Configure a Tracker

While creating automatic tunnels, Cisco SD-WAN Manager creates and attaches a default tracker endpoint with default values for failover parameters. However, you can also create customized trackers with failover parameters that suit your requirements.

In the Source IP Address field, enter a source IP address without a subnet mask.
Click Add Tracker.

In the Add Tracker pop-up window, configure the following:

Table 2. Tracker Parameters
Field	Description
Name	Name of the tracker. The name can be up to 128 alphanumeric characters.
API url of endpoint	Specify the API URL for the Secure Service Edge endpoint of the tunnel. Default: service.sig.umbrella.com
Threshold	Enter the wait time for the probe to return a response before declaring that the configured endpoint is down. Range: 100 to 1000 milliseconds Default: 300 milliseconds
Probe Interval	Enter the time interval between probes to determine the status of the configured endpoint. Range: 20 to 600 seconds Default: 60 seconds
Multiplier	Enter the number of times to resend probes before determining that a tunnel is up or down. Range: 1 to 10 Default: 3

Click Add.

Configure Tunnels

To create tunnels, click Configuration and do the following:

Click Add Tunnel.

In the Add Tunnel pop-up window, under Basic Settings, configure the following:

Table 3. Basic Settings
Field	Description
Tunnel Type	Cisco Secure Access: (Read only) ipsec
Interface Name (1..255)	Name of the interface.
Description	Enter a description for the interface.
Tracker	By default, a tracker is attached to monitor the health of tunnels.
Tunnel Source Interface	Name of the source interface of the tunnel. This interface should be an egress interface and is typically the internet-facing interface. The tunnel source interface supports loopback.
Data-Center	For a primary data center, click Primary, or for a secondary data center, click Secondary. Tunnels to the primary data center serve as active tunnels, and tunnels to the secondary data center serve as back-up tunnels.
Advanced Options (Optional)
Shutdown	Click the radio button to enable this option. Default: Disabled
Enable Tracker	Click the radio button to enable this option.
IP MTU	Specify the maximum MTU size of packets on the interface. Range: 576 to 2000 bytes Default: 1400 bytes
TCP MSS	Specify the maximum segment size (MSS) of TPC SYN packets. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 500 to 1460 bytes Default: None
DPD Interval	Specify the interval for Internet Key Exchange (IKE) to send Hello packets on the connection. Range: 10 to 3600 seconds Default: 10
DPD Retries	Specify the number of seconds between Dead Peer Detection (DPD) retry messages if the DPD retry message is missed by the peer. If a peer misses a DPD message, the router changes the state and sends a DPD retry message. The message is sent at a faster retry interval, which is the number of seconds between DPD retries. The default DPD retry message is sent every 2 seconds. The tunnel is marked as down after five DPD retry messages are missed. Range: 2 to 60 seconds Default: 3
IKE
IKE Rekey Interval	Specify the interval for refreshing IKE keys. Range: 3600 to 1209600 seconds (1 hour to 14 days) Default: 14400 seconds
IKE Cipher Suite	Specify the type of authentication and encryption to use during IKE key exchange. Choose one of the following: AES 256 CBC SHA1 AES 256 CBC SHA2 AES 128 CBC SHA1 AES 128 CBC SHA2 Default: AES 256 CBC SHA1
IKE Diffie-Hellman Group	Specify the Diffie-Hellman group to use in IKE key exchange, whether IKEv1 or IKEv2.
IPSec
IPsec Rekey Interval	Specify the interval for refreshing IPsec keys. Range: 3600 to 1209600 seconds (1 hour to 14 days) Default: 3600 seconds
IPsec Replay Window	Specify the replay window size for the IPsec tunnel. Options: 64, 128, 256, 512, 1024, 2048, or 4096 packets. Default: 512
IPsec Cipher Suite	Specify the authentication and encryption to use on the IPsec tunnel. Options: AES 256 CBC SHA1 AES 256 CBC SHA 384 AES 256 CBC SHA 256 AES 256 CBC SHA 512 AES 256 GCM Default: AEM 256 GCM
Perfect Forward Secrecy	Specify the Perfect Forward Secrecy (PFS) settings to use on the IPsec tunnel. Choose one of the following Diffie-Hellman prime modulus groups: Group-2 1024-bit modulus Group-14 2048-bit modulus Group-15 3072-bit modulus Group-16 4096-bit modulus None: disable PFS

Click Add.

Applicable only to Cisco Secure Access:

Region: When you choose the region, a pair of primary and secondary region is selected. Choose the primary region that Cisco Secure Service Edge provides from the drop-down list and the secondary region is auto-selected in Cisco SD-WAN Manager. If the primary region with a unicast IP address is not reachable then the secondary region with a unicast IP address is reachable and vice versa. Cisco Secure Access ensures that both the regions are reachable at all times.

Note

You can configure any DNS server on the device which connects to HTTPS to get the public IP address. To configure a source interface for HTTPS, use the ip http client source-interface command on Cisco SD-WAN Manager.

Configure High Availability

To designate active and back-up tunnels and distribute traffic among tunnels, click High Availability and do the following:

Click Add Interface Pair.

In the Add Interface Pair pop-up window, configure the following:


Field	Description
Active Interface	Choose a tunnel that connects to the primary data center.
Active Interface Weight	Enter weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights to both the tunnels, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow. For example, if you set up two active tunnels, where the first tunnel is configured with weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio.
Backup Interface	To designate a back-up tunnel, choose a tunnel that connects to the secondary data center. To omit designating a back-up tunnel, choose None.
Backup Interface Weight	Enter weight (weight range 1 to 255) for load balancing. Load balancing helps in distributing traffic over multiple tunnels and this helps increase the network bandwidth. If you enter the same weights, you can achieve ECMP load balancing across the tunnels. However, if you enter a higher weight for a tunnel, that tunnel has higher priority for traffic flow. For example, if you set up two back-up tunnels, where the first tunnel is configured with weight of 10, and the second tunnel with weight configured as 20, then the traffic is load-balanced between the tunnels in a 10:20 ratio.

Click Add.

Configure DNS Security

The Umbrella Integration feature enables the cloud-based security service by inspecting the Domain Name System (DNS) query that is sent to the DNS server through the device. The security administrator configures policies on the Umbrella portal to either allow or deny traffic toward the fully qualified domain name (FQDN). The router acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic, and forwards the DNS queries to the Umbrella cloud.

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > DNS Security.
Click Add DNS Security Policy.


Field	Description
Add DNS Security Policy	From the Add DNS Security Policy drop-down list, select Create New to create a new DNS Security Policy policy.
Create New	Displays the DNS Security Policy wizard.
Policy Name	Enter a name for the policy.
Umbrella Registration Status	Displays the status of the API Token configuration.
Manage Umbrella Registration	Click Manage Umbrella Registration to add Cisco Umbrella Registration Key and Secret. Specific network-devices keys are used in DNS. Enter Organization ID. Enter Registration Key. Enter Secret. You can edit the umbrella credentials from Administration > Settings > Cloud Provider.
Match All VPN	Click Match All VPN to keep the same configuration for all the available VPNs.
Custom VPN Configuration	choose Custom VPN Configuration to input the specific VPNs.
Local Domain Bypass List	Choose the domain bypass.
DNS Server IP	Configure DNS Server IP from the following options: Umbrella Default Custom DNS
DNSCrypt	Enable or disable the DNSCrypt.

Using Policy Groups for SD-Routing Devices

Bias-Free Language

Results

Chapter: Security Policy Using Policy Groups

Security Policy Using Policy Groups