Choose the name of the device in the menu, then click View Configuration in the Smart License group.

For example, an enabled Threat license should look like the following:

If you wired other interfaces, choose the name of the device in the menu, then click the link in the Interfaces summary.

Click the edit icon () for each interface to define the IP address and other settings.

The following example configures an interface to be used as a “demilitarized zone” (DMZ), where you place publically-accessible assets such as your web server. Click Save when you are finished.

If you configured new interfaces, choose Objects, then select Security Zones from the table of contents.

Edit or create new zones as appropriate. Each interface must belong to a zone, because you configure policies based on security zones, not interfaces. You cannot put the interfaces in zones when configuring them, so you must always edit the zone objects after creating new interfaces or changing the purpose of existing interfaces.

The following example shows how to create a new dmz-zone for the dmz interface.

If you want internal clients to use DHCP to obtain an IP address from the device, choose the name of the device in the menu, then System Settings > DHCP Server.

There is already a DHCP server configured for the inside interface, but you can edit the address pool or even delete it. If you configured other inside interfaces, it is very typical to set up a DHCP server on those interfaces. Click + to configure the server and address pool for each inside interface.

You can also fine-tune the WINS and DNS list supplied to clients.

The following example shows how to set up a DHCP server on the inside2 interface with the address pool 192.168.4.50-192.168.4.240.

Choose the name of the device in the menu, then click View Configuration (or Create First Static Route) in the Routing group and configure a default route.

The default route normally points to the upstream or ISP router that resides off the outside interface. A default IPv4 route is for any-ipv4 (0.0.0.0/0), whereas a default IPv6 route is for any-ipv6 (::0/0). Create routes for each IP version you use. If you use DHCP to obtain an address for the outside interface, you might already have the default routes that you need.

The routes you define on this page are for the data interfaces only. They do not impact the management interface. Set the management gateway on System Settings > Device Management IP.

The following example shows a default route for IPv4. In this example, isp-gateway is a network object that identifies the IP address of the ISP gateway (you must obtain the address from your ISP). You can create this object by clicking Create New Network at the bottom of the Gateway drop-down list.

Choose Policies and configure the security policies for the network.

The device setup wizard enables traffic flow between the inside-zone and outside-zone, and interface NAT for all interfaces when going to the outside interface. Even if you configure new interfaces, if you add them to the inside-zone object, the access control rule automatically applies to them.

However, if you have multiple inside interfaces, you need an access control rule to allow traffic flow from inside-zone to inside-zone. If you add other security zones, you need rules to allow traffic to and from those zones. These would be your minimum changes.

In addition, you can configure other policies to provide additional services, and fine-tune NAT and access rules to get the results that your organization requires. You can configure the following policies:

• Identity—If you want to correlate network activity to individual users, or control network access based on user or user group membership, use the identity policy to determine the user associated with a given source IP address.

• NAT (Network Address Translation)—Use the NAT policy to convert internal IP addresses to externally routeable addresses.

• Access Control—Use the access control policy to determine which connections are allowed on the network. You can filter by security zone, IP address, protocol, port, application, URL, user or user group. You also apply intrusion and file (malware) policies using access control rules. Use this policy to implement URL filtering.

The following example shows how to allow traffic between the inside-zone and dmz-zone in the access control policy. In this example, no options are set on any of the other tabs except for Logging, where At End of Connection is selected.

Commit your changes.

1. Click the Deploy Changes icon in the upper right of the web page.

   

2. Click the Deploy Now button.

   Wait for deployment to finish. The deployment summary should indicate that you have successfully deployed your changes, and the task status for the job should be Deployed.

To gain insight into user behavior, you need to configure an identity policy to ensure that the user associated with a connection is identified.

1. Click Policies in the main menu, then click Identity.

   The identity policy is initially disabled. The identity policy uses your Active Directory server to authenticate users and associate them with the IP address of the workstation they are using. Subsequently, the system will identify traffic for that IP address as being the user's traffic.

   
   

   

   
   

2. Click the Get Started button to start the wizard to configure the needed elements.

3. Identify your Active Directory server.

   Fill in the following information.

   • Name—A name for the directory realm.

   • Type—The type of directory server. Active Directory is the only supported type, and you cannot change this field.

   • Directory Username, Directory Password—The distinguished username and password for a user with appropriate rights to the user information you want to retrieve. For Active Directory, the user does not need elevated privileges. You can specify any user in the domain. The username must be fully qualified; for example, Administrator@example.com (not simply Administrator).

   • Base DN—The directory tree for searching or querying user and group information, that is, the common parent for users and groups. For example, dc=example,dc=com. For information on finding the base DN, see Determining the Directory Base DN.

   • AD Primary Domain— The fully qualified Active Directory domain name that the device should join. For example, example.com.

   • Hostname/IP Address—The hostname or IP address of the directory server. If you use an encrypted connection to the server, you must enter the fully-qualified domain name, not the IP address.

   • Port—The port number used for communications with the server. The default is 389. Use port 636 if you select LDAPS as the encryption method.

   • Encryption—To use an encrypted connection for downloading user and group information, select the desired method, STARTTLS or LDAPS. The default is None, which means that user and group information is downloaded in clear text.

     • STARTTLS negotiates the encryption method, and uses the strongest method supported by the directory server. Use port 389.

     • LDAPS requires LDAP over SSL. Use port 636.

   • SSL Certificate—If you select an encryption method, upload a CA certificate to enable a trusted connection between the system and the directory server. If you are using a certificate to authenticate, the name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but ad.example.com in the certificate, the connection fails.

   Example:

   For example, the following image shows how to create an unencrypted connection for the ad.example.com server. The primary domain is example.com, and the directory username is Administrator@ad.example.com. All user and group information is under the Distinguished Name (DN) ou=user,dc=example,dc=com.

   
   

   

   
   

4. Click Next.

5. Configure the active authentication captive portal.

   The simplest option is to leave all fields as is and click Save. You would configure the default port for active authentication, and users get a self-signed certificate that they need to trust in order to provide their username and password. Tell users to expect this and that they should accept the certificate.

   However, you would ideally upload a certificate that their browsers already trust. If you have one, fill in the following fields to use it.

   • Server Certificate—The CA certificate to present to users during active authentication. The certificate must be an X509 certificate in PEM or DER format. Paste in the certificate, or click Upload Certificate and select the certificate file. The default is to present a self-signed certificate during user authentication.

   • Certificate Key—The key for the server certificate. Paste in the key, or click Upload Key and select the key file.

   • Port—The captive portal port. The default is 885 (TCP). If you configure a different port, it must be in the range 1025-65535.

6. Click Save.

   This completes the setup wizard. Now, create an identity rule to require active authentication.

7. Click the Create Identity Rule button, or the + button.

8. Fill in the identity rule properties.

   Assuming you want to require everyone to authenticate, you could use the following settings:

   • Name—Anything you choose, for example, Require_Authentication.

   • User Authentication—Active should already be selected; keep it.

   • Type—Select HTTP Negotiate. This allows the browser and directory server to negotiate the strongest authentication protocol, in order, NTLM, then HTTP basic.

     Note

     For the HTTP Basic, HTTP Response Page, and NTLM authentication methods, the user is redirected to the captive portal using the IP address of the interface. However, for HTTP Negotiate, the user is redirected using the fully-qualified DNS name firewall-hostname.AD-domain-name . If you want to use HTTP Negotiate, you must also update your DNS server to map this name to the IP addresses of all inside interfaces where you are requiring active authentication. Otherwise, the redirection cannot complete, and users cannot authenticate. If you cannot, or do not want to, update the DNS server, select one of the other authentication methods.

   • Source/Destination—Leave all fields to default to Any.

   You can constrain the policy as you see fit to a more limited set of traffic. However, active authentication will only be attempted for HTTP traffic, so it does not matter that non-HTTP traffic matches the source/destination criteria. For more details about identity policy properties, see Configure Identity Rules.

   
   

   

   
   

9. Click OK to add the rule.

   If you look in the upper right of the window, you can see that the Deploy icon button now has a dot, which indicates that there are undeployed changes. Making changes in the user interface is not sufficient for getting the changes configured on the device, you must deploy changes. Thus, you can make a set of related changes before you deploy them, so that you do not face the potential problems of having a partially-configured set of changes running on the device. You will deploy changes later in this procedure.

   
   

   

   
   

Change the action on the Inside_Outside_Rule access control rule to Allow.

1. Click Access Control on the Policies page.

2. Hover over the Actions cell on the right side of the Inside_Outside_Rule row to expose the edit and delete icons, and click the edit icon () to open the rule.

3. Select Allow for the Action.

   
   

   

   
   

4. Click OK to save the change.

Enable logging on the access control policy default action.

1. Click anywhere in the default action at the bottom of the access control policy page.

   
   

   

   
   

2. Select Select Log Action > At Beginning and End of Connection.

3. Click OK.

Set an update schedule for the vulnerability database (VDB).

1. Click the name of the device in the menu.

2. Click View Configuration in the Updates group.

   
   

   

   
   

3. Click Configure in the VDB group.

   
   

   

   
   

4. Define the update schedule.

   Choose a time and frequency that will not be disruptive to your network. Also, please understand that the system will do an automatic deployment after downloading the update. This is necessary to activate the new detectors. Thus, any configuration changes that you have made and saved but have not yet deployed will also be deployed.

   For example, the following schedule updates the VDB once a week on Sunday at 12:00 AM (using the 24-hour clock notation).

   
   

   

   
   

5. Click Save.

Commit your changes.

1. Click the Deploy Changes icon in the upper right of the web page.

   

2. Click the Deploy Now button and wait for deployment to finish.

   The deployment summary should indicate that you have successfully deployed your changes, and the task status for the job should be Deployed.

   
   

   

   
   

If you have not already done so, enable the Threat license.

1. Click the name of the device in the menu.

   The menu includes a device icon labeled with your device's hostname. For example, the following link opens the Device Dashboard for the device named “5516-x-1.”

   

2. Click View Configuration in the Smart License group.

   
   

   

   
   

3. Click Enable in the Threat group.

   The system registers the license with your account, or activates the evaluation license, as appropriate. The group should indicate that the license is enabled, and the button changes to a Disable button.

   
   

   

   
   

Select an intrusion policy for one or more access rules.

1. Click Policies in the main menu.

   Ensure that the Access Control policy is displayed.

2. Hover over the Actions cell on the right side of the Inside_Outside_Rule row to expose the edit and delete icons, and click the edit icon () to open the rule.

3. If you have not already done so, select Allow for the Action.

   
   

   

   
   

4. Click the Intrusion Policy tab.

5. Click the Intrusion Policy toggle to enable it, then select the intrusion policy.

   The Balanced Security and Connectivity policy is appropriate for most networks. It provides a good intrusion defense without being overly aggressive, which has the potential of dropping traffic that you might not want to be dropped. If you determine that too much traffic is getting dropped, you can ease up on intrusion inspection by selecting the Connectivity over Security policy.

   If you need to be aggressive about security, try the Security over Connectivity policy. The Maximum Detection policy offers even more emphasis on network infrastructure security with the potential for even greater operational impact.

   
   

   

   
   

6. Click OK to save the change.

Set an update schedule for the intrusion rule database.

1. Click the name of the device in the menu.

2. Click View Configuration in the Updates group.

   
   

   

   
   

3. Click Configure in the Rule group.

   
   

   

   
   

4. Define the update schedule.

   Choose a time and frequency that will not be disruptive to your network. Also, please understand that the system will do an automatic deployment after downloading the update. This is necessary to activate the new rules. Thus, any configuration changes that you have made and saved but have not yet deployed will also be deployed.

   For example, the following schedule updates the rule database once a week on Monday at 12:00 AM (using the 24-hour clock notation).

   
   

   

   
   

5. Click Save.

Commit your changes.

1. Click the Deploy Changes icon in the upper right of the web page.

   

2. Click the Deploy Now button.

   Wait for deployment to finish. The deployment summary should indicate that you have successfully deployed your changes, and the task status for the job should be Deployed.

If you have not already done so, enable the Malware and Threat licenses.

1. Click the name of the device in the menu.

   The menu includes a device icon labeled with your device's hostname. For example, the following link opens the Device Dashboard for the device named “5516-x-1.”

   

2. Click View Configuration in the Smart License group.

   
   

   

   
   

3. Click Enable in the Malware group, and if not already enabled, the Threat group.

   The system registers the license with your account, or activates the evaluation license, as appropriate. The group should indicate that the license is enabled, and the button changes to a Disable button.

   
   

   

   
   

Select a file policy for one or more access rules.

1. Click Policies in the main menu.

   Ensure that the Access Control policy is displayed.

2. Hover over the Actions cell on the right side of the Inside_Outside_Rule row to expose the edit and delete icons, and click the edit icon () to open the rule.

3. If you have not already done so, select Allow for the Action.

   
   

   

   
   

4. Click the File Policy tab.

5. Click the file policy you want to use.

   Your main choice is between Block Malware All, which drops any files that are considered malware, or Cloud Lookup All, which queries the AMP Cloud to determine the file's disposition, but does no blocking. If you want to first see how files are being evaluated, use cloud lookup. You can switch to the blocking policy later if you are satisfied with how files are being evaluated.

   There are other policies available that block malware. These policies are coupled with file control, blocking the upload of Microsoft Office, or Office and PDF, documents. That is, these policies prevent users from sending these file types to other networks in addition to blocking malware. You can select these policies if they fit your needs.

   For this example, select Block Malware All.

   

   
   

   

   
   

6. Click the Logging tab and verify that Log Files under File Events is selected.

   By default, file logging is enabled whenever you select a file policy. You must enable file logging to get file and malware information in events and dashboards.

   
   

   

   
   

7. Click OK to save the change.

Commit your changes.

1. Click the Deploy Changes icon in the upper right of the web page.

   

2. Click the Deploy Now button.

   Wait for deployment to finish. The deployment summary should indicate that you have successfully deployed your changes, and the task status for the job should be Deployed.

If you have not already done so, enable the URL license.

1. Click the name of the device in the menu.

   The menu includes a device icon labeled with your device's hostname. For example, the following link opens the Device Dashboard for the device named “5516-x-1.”

   

2. Click View Configuration in the Smart License group.

   
   

   

   
   

3. Click Enable in the URL License group.

   The system registers the license with your account, or activates the evaluation license, as appropriate. The group should indicate that the license is enabled, and the button changes to a Disable button.

   
   

   

   
   

Create a URL filtering access control rule.

1. Click Policies in the main menu.

   Ensure that the Access Control policy is displayed.

2. Click + to add a new rule.

3. Configure the order, title, and action.

   • Order—The default is to add new rules to the end of the access control policy. However, you must place this rule ahead of (above) any rule that would match the same Source/Destination and other criteria, or the rule will never be matched (a connection matches one rule only, and that is the first rule it matches in the table). For this rule, we will use the same Source/Destination as the Inside_Outside_Rule created during initial device configuration. You might have created other rules as well. To maximize access control efficiency, it is best to have specific rules early, to ensure the quickest decision on whether a connection is allowed or dropped. For the purposes of this example, select 1 as the rule order.

   • Title—Give the rule a meaningful name, such as Block_Web_Sites.

   • Action—Select Block.

   
   

   

   
   

4. On the Source/Destination tab, click + for Source > Zones, select inside_zone, then click OK in the zones dialog box.

   Adding any of the criteria works the same way. Clicking + opens a little dialog box, where you click the items you want to add. You can click multiple items, and clicking a selected item de-selects it; the check marks indicate the selected items. But nothing is added to the policy until you click the OK button; simply selecting the items is not sufficient.

   
   

   

   
   

5. Using the same technique, select outside_zone for Destination > Zones.

   
   

   

   
   

6. Click the URLs tab.

7. Click the + for Categories, and select the categories you want to fully or partially block.

   For purposes of this example, select Adult and Pornography, Bot Nets, Confirmed SPAM Sources, and Social Network. There are additional categories that you would most likely want to block.

   
   

   

   
   

8. To implement reputation-sensitive blocking for the Social Network category, click Reputation: Risk Any for that category, deselect Any, then move the slider to Benign sites with security risks. Click away from the slider to close it.

   
   

   

   
   

   The left of the reputation slider indicates sites that will be allowed, the right side are sites that will be blocked. In this case, only Social Networking sites with reputations in the Suspicious Sites and High Risk ranges will be blocked. Thus, your users should be able to get to commonly-used Social Networking sites, where there are fewer risks.

   Using reputation, you can selectively block sites within a category you otherwise want to allow.

9. Click the + next to the URLS list to the left of the categories list.

10. At the bottom of the popup dialog box, click the Create New URL link.

11. Enter badsite.example.com for both the name and URL, then click Add to create the object.

    You can name the object the same as the URL or give the object a different name. For the URL, do not include the protocol portion of the URL, just add the server name.

    
    

    

    
    

12. Select the new object, then click OK.

    Adding new objects while editing policies simply adds the object to the list. The new object is not automatically selected.

    
    

    

    
    

13. Click the Logging tab and select Select Log Action > At Beginning and End of Connection.

    You must enable logging to get category and reputation information into the web category dashboard and connection events.

14. Click OK to save the rule.

(Optional.) Set preferences for URL filtering.

1. Click the name of the device in the menu.

2. Click System Settings > Traffic Settings > Cloud Preferences.

3. Select Query Cisco CSI for Unknown URLs.

4. Click Save.

Commit your changes.

1. Click the Deploy Changes icon in the upper right of the web page.

   

2. Click the Deploy Now button.

   Wait for deployment to finish. The deployment summary should indicate that you have successfully deployed your changes, and the task status for the job should be Deployed.

Create the application-based access control rule.

1. Click Policies in the main menu.

   Ensure that the Access Control policy is displayed.

2. Click + to add a new rule.

3. Configure the order, title, and action.

   • Order—The default is to add new rules to the end of the access control policy. However, you must place this rule ahead of (above) any rule that would match the same Source/Destination and other criteria, or the rule will never be matched (a connection matches one rule only, and that is the first rule it matches in the table). For this rule, we will use the same Source/Destination as the Inside_Outside_Rule created during initial device configuration. You might have created other rules as well. To maximize access control efficiency, it is best to have specific rules early, to ensure the quickest decision on whether a connection is allowed or dropped. For the purposes of this example, select 1 as the rule order.

   • Title—Give the rule a meaningful name, such as Block_Anonymizers.

   • Action—Select Block.

   
   

   

   
   

4. On the Source/Destination tab, click + for Source > Zones, select inside_zone, then click OK in the zones dialog box.

   
   

   

   
   

5. Using the same technique, select outside_zone for Destination > Zones.

   
   

   

   
   

6. Click the Applications tab.

7. Click the + for Applications, and then click the Advanced Filter link at the bottom of the popup dialog box.

   Although you can create application filter objects beforehand and select them on the Application Filters list here, you can also specify criteria directly in the access control rule, and optionally save the criteria as a filter object. Unless you are writing a rule for a single application, it is easier to use the Advanced Filter dialog box to find applications and construct appropriate criteria.

   As you select criteria, the Applications list at the bottom of the dialog box updates to show exactly which applications match the criteria. The rule you are writing applies to these applications.

   Look at this list carefully. For example, you might be tempted to block all very high risk applications. However, as of this writing, TFPT is classified as very high risk. Most organizations would not want to block this application. Take the time to experiment with various filter criteria to see which applications match your selections. Keep in mind that these lists can change with every VDB update.

   For purposes of this example, select anonymizers/proxies from the Categories list.

   
   

   

   
   

8. Click Add in the Advanced Filters dialog box.

   The filter is added and shown on the Applications tab.

   
   

   

   
   

9. Click the Logging tab and select Select Log Action > At Beginning and End of Connection.

   You must enable logging to get information about any connections blocked by this rule.

10. Click OK to save the rule.

Commit your changes.

1. Click the Deploy Changes icon in the upper right of the web page.

   

2. Click the Deploy Now button.

   Wait for deployment to finish. The deployment summary should indicate that you have successfully deployed your changes, and the task status for the job should be Deployed.

Click Monitoring and evaluate the results.

Configure the interface.

1. Click the name of the device in the menu, then click the link in the Interfaces summary.

   The menu includes a device icon labeled with your device's hostname. For example, the following link opens the Device Dashboard for the device named “5516-x-1.”

   

2. Hover over the Actions cell on the right side of the row for the interface you wired, and click the edit icon ().

3. Configure the basic interface properties.

   • Name—A unique name for the interface. For this example, inside_2.

   • Status—Click the status toggle to enable the interface.

   • IPv4 Address tab—Select Static for Type, then enter 192.168.2.1/24.

   
   

   

   
   

4. Click Save.

   The interface list shows the updated interface status and the configured IP address.

   
   

   

   
   

Configure the DHCP server for the interface.

1. Click the name of the device in the menu.

2. Click System Settings > DHCP Server.

3. Scroll down to the DHCP server table and click + above the table.

4. Configure the server properties.

   • Enable DHCP Server—Click this toggle to enable the server.

   • Interface—Select the interface on which you are providing DHCP services. In this example, select inside_2.

   • Address Pool—The addresses the server can supply to devices on the network. Enter 192.168.2.2-192.168.2.254. Make sure you do not include the network address (.0), the interface address (.1), or the broadcast address (.255). Also, if you need static addresses for any devices on the network, exclude those addresses from the pool. The pool must be a single continuous series of addresses, so choose static addresses from the beginning or ending of the range.

   
   

   

   
   

5. Click Add.

   
   

   

   
   

Add the interface to the inside security zone.

1. Click Objects in the main menu.

2. Select Security Zones from the objects table of contents.

3. Hover over the Actions cell on the right side of the row for the inside_zone object, and click the edit icon ().

4. Click + under Interfaces, select the inside_2 interface, and click OK in the interfaces list.

   
   

   

   
   

5. Click Save.

   
   

   

   
   

Create an access control rule that allows traffic between the inside networks.

1. Click Policies in the main menu.

   Ensure that the Access Control policy is displayed.

2. Click + to add a new rule.

3. Configure the order, title, and action.

   • Order—The default is to add new rules to the end of the access control policy. However, you must place this rule ahead of (above) any rule that would match the same Source/Destination and other criteria, or the rule will never be matched (a connection matches one rule only, and that is the first rule it matches in the table). For this rule, we will use unique Source/Destination criteria, so adding the rule to the end of the list is acceptable.

   • Title—Give the rule a meaningful name, such as Allow_Inside_Inside.

   • Action—Select Allow.

   
   

   

   
   

4. On the Source/Destination tab, click + for Source > Zones, select inside_zone, then click OK in the zones dialog box.

   
   

   

   
   

5. Using the same technique, select inside_zone for Destination > Zones.

   A security zone must contain at least two interfaces to select the same zone for source and destination.

   
   

   

   
   

6. (Optional.) Configure intrusion and malware inspection.

   Although the inside interfaces are in a trusted zone, it is typical for users to connect laptops to the network. Thus, a user might unknowingly bring a threat inside your network from an outside network or a Wi-Fi hot spot. Thus, you might want to scan for intrusions and malware in traffic that goes between your inside networks.

   Consider doing the following.

   • Click the Intrusion Policy tab, enable the intrusion policy, and use the slider to select the Balanced Security and Connectivity policy.

   • Click the File Policy tab, then select the Block Malware All policy.

7. Click the Logging tab and select Select Log Action > At Beginning and End of Connection.

   You must enable logging to get information about any connections that match this rule. Logging adds statistics to the dashboard as well as showing events in the event viewer.

8. Click OK to save the rule.

Verify that required policies are defined for the new subnet.

Commit your changes.

1. Click the Deploy Changes icon in the upper right of the web page.

   

2. Click the Deploy Now button.

   Wait for deployment to finish. The deployment summary should indicate that you have successfully deployed your changes, and the task status for the job should be Deployed.