Advanced Malware Protection – Catalyst SD-WAN Lab

I will lab up how to set up AMP using Cisco’s built-in SD-WAN Security.

Cisco SD-WAN Advanced Malware Protection (AMP) is a security feature integrated into the Cisco SD-WAN solution to enhance network security by providing protection against malware and other threats.

AMP is designed to detect, analyse, and prevent malware from entering the network through various entry points, including endpoints, branch offices, and the cloud.

URL Filtering – Catalyst SD-WAN Lab

URL Filtering with Cisco Catalyst SD-WAN!

Cisco Catalyst SD-WAN URL filtering is a security feature that helps control and monitor web access in a network. It allows organisations to block or permit access to specific websites or categories of websites based on their URLs.

You can actually utilise Cisco’s built-in security features such as firewall, IPS, TLS Proxy and Advanced Malware Protection if you prefer not to use SSE. For smaller remote branches that don’t justify a fully fledged SSE solution, you can utilise the built-in security.

I’ve included a few screenshots on how to configure URL Filtering.


SASE Integration

Cisco Catalyst SD-WAN with 3rd Party SASE Integrations!

Did you know that with Cisco Catalyst SD-WAN you can integrate with other SSE Providers?

With Catalyst SD-WAN you can have the flexibility with choosing your own SSE Provider.

Zscaler – SD-WAN Version 20.6 or above
Netskope – SD-WAN Version 20.9 or above
PaloAlto – SD-WAN Version 20.9 or above
Cloudflare – SD-WAN Version 20.9 or above

SD-WAN Network Design

I am sure many who have experienced labbing with Catalyst SD-WAN are familiar with Templates; Cisco recently added a new feature called Configuration Groups too!

Now, I have learnt there is another method of creating Templates: via Network Design!

Network Design allows you to build your Topology in SD-WAN Manager and then configure Parameters such as WAN, LAN and Management.

In a nutshell, you can create/modify Templates under Network Design as well as under Templates.

Catalyst SD-WAN Bootstrap!

In air-gapped environments, or where you’re unable to download the configuration for the WAN Edge device so that it can establish DTLS tunnels back to the SD-WAN Controllers, you could use the Bootstrap option!

With the Bootstrap method, you generate the pre-configuration on SD-WAN Manager and save it onto a USB drive. When the WAN Edge is powered on, it looks for the Bootstrap file (ciscosdwan.cfg) with the initial configuration to begin onboarding!

SD-WAN Manager Database Security

Warning: The configuration database administrator username and password is default and less secure.

Sound familiar when you log in to Cisco Catalyst SD-WAN Manager?

You can clear this warning by changing the DB username and password.

1 – request nms application-server stop
    Stops the application server on all Cisco SD-WAN Manager nodes.
2 – request nms configuration-db update-admin-user
    The default username and password are neo4j and password.
3 – Enter your new username and password.


Checking Chassis Number and Token ID

When I onboard any vEdge or cEdge devices with Cisco Catalyst SD-WAN, I’d look under Manager>Devices and then copy the Chassis Number as well as the Token ID. This can sometimes be time-consuming, with clicking back and forth.

I’ve recently figured out how to view the Chassis Number and Token ID by just logging into the Validator.

show orchestrator valid-vedges | tab


PLATFORM ERROR C8000V

If you encounter error logs that constantly appear on the CLI along the lines of:

%SMART_LIC-2-PLATFORM_ERROR: Smart Licensing has encountered an internal software error.

SOLUTION:

config-transaction
license smart transport off
commit

Or

CLI Add-On Template

!
logging discriminator ERROR mnemonics drops PLATFORM_ERROR
!
logging console discriminator ERROR
!
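To see what the discriminator above actually does, here is an added example (not from the original post or from Cisco) that emulates a "mnemonics drops" filter over a constructed IOS-XE console log and counts what was suppressed, so you can confirm that only the PLATFORM_ERROR messages disappear while other messages of the same severity still reach the console.

```python
import re

# Constructed sample console log: two copies of the message the post describes,
# plus two ordinary IOS-XE messages that must survive the filter.
SAMPLE_LOG = [
    "*Mar  1 00:01:02.000: %SMART_LIC-2-PLATFORM_ERROR: Smart Licensing has encountered an internal software error.",
    "*Mar  1 00:01:03.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "*Mar  1 00:01:04.000: %SMART_LIC-2-PLATFORM_ERROR: Smart Licensing has encountered an internal software error.",
    "*Mar  1 00:01:05.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down",
]

# Every IOS-XE syslog message carries a fixed %FACILITY-SEVERITY-MNEMONIC: header.
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
)


def apply_discriminator(lines, mnemonics_drops):
    """Emulate 'logging discriminator <name> mnemonics drops <regex>'.

    The regex is matched against the MNEMONIC field only, exactly as the
    IOS 'mnemonics drops' option does. Returns (kept_lines, dropped_counts),
    where dropped_counts maps FACILITY-SEVERITY-MNEMONIC to the number of
    suppressed messages, so the operator still knows how noisy the source was.
    """
    drop_re = re.compile(mnemonics_drops)
    kept, dropped = [], {}
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m and drop_re.search(m.group("mnemonic")):
            key = f"{m['facility']}-{m['severity']}-{m['mnemonic']}"
            dropped[key] = dropped.get(key, 0) + 1
            continue
        kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    shown, suppressed = apply_discriminator(SAMPLE_LOG, "PLATFORM_ERROR")
    for line in shown:
        print(line)
    print("suppressed:", suppressed)
```

Note that the discriminator only hides the console symptom; the message is still generated by the licensing agent, which is why the `license smart transport off` fix is the one that addresses the cause.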