Chapter 7: Integrated Security and SASE

Learning Objectives

The Catalyst 8000 edge platforms are not just routers that happen to forward packets quickly. A single box at the WAN edge can also be the security checkpoint, the encryptor, and the on-ramp to a cloud-delivered security stack. Think of an airport terminal that collapses ticketing, customs, baggage screening, and the departure gate into one building: traffic entering or leaving the branch passes through firewall inspection, intrusion prevention, malware analysis, encryption, and policy-based steering toward cloud security, all without leaving the device. This chapter walks through three layers of that terminal: security functions that run on the box, connectivity features that protect traffic in transit, and the cloud integration that extends enforcement into Cisco's SASE architecture.

Pre-Quiz: On-Box Security

1. In SD-WAN mode, where do engineers normally author the Catalyst 8000 firewall and IPS policy, and what role does the device CLI play?

2. After you attach zones to a Catalyst 8000 ZBFW, why does traffic between two VPNs that previously worked suddenly fail?

3. What distinguishes the job of the zone-based firewall from the job of Snort IPS on the same flow?

4. A branch turns on Snort IPS but the inspection counters stay at zero despite heavy traffic. What is the most likely cause?

5. Why would an organization start Snort IPS in detect-only mode before switching to prevent mode?

On-Box Security

Key Points

The first layer of protection happens inside the router itself. A crucial point about SD-WAN mode: you rarely hand-write the firewall and IPS configuration. Instead you author policy centrally in Cisco SD-WAN Manager (vManage), which translates that policy into native IOS XE constructs and pushes them to the router. The device CLI becomes your tool for verification rather than authoring.

Zone-Based Firewall

A zone-based firewall (ZBFW) is a stateful model where interfaces (or, in SD-WAN, VPN segments) are grouped into named zones, and policy is written between pairs of zones rather than per-interface. On the Catalyst 8000 this is the application-aware enterprise firewall, matching not only Layer 3/4 criteria but also Layer 7 application signatures with deep packet inspection.

The mental model is a building with security doors between rooms. Each room is a zone (LAN, WAN, Data Center, the router's own control plane). You never write a rule about "this door"; you write a rule that says "traffic going from the lobby room to the vault room is allowed only if it is a verified employee." That from-zone-to-zone rule is a zone-pair, and its action is one of inspect, pass, or drop.

Figure 7.1: Zone-based firewall zone-pair model

graph TD LAN["LAN Zone<br/>VPN 10 - Trusted inside"] WAN["WAN Zone<br/>VPN 0 - Untrusted outside"] DC["DC Zone<br/>VPN 20 - Semi-trusted services"] SELF["SELF Zone<br/>Router control plane / mgmt"] LAN -->|"Zone-pair: inspect HTTP/HTTPS/DNS"| WAN LAN -->|"Zone-pair: inspect"| DC WAN -.->|"No zone-pair = DROP by default"| LAN LAN -->|"Zone-pair: permit mgmt"| SELF classDef trusted fill:#1f6feb,stroke:#58a6ff,color:#fff classDef untrusted fill:#762020,stroke:#f85149,color:#fff classDef control fill:#3d2a6b,stroke:#a371f7,color:#fff class LAN,DC trusted class WAN untrusted class SELF control
LAN zone VPN 10 - trusted WAN zone VPN 0 - untrusted DC zone VPN 20 - services SELF zone control plane / mgmt zone-pair: inspect HTTP/HTTPS/DNS zone-pair: inspect zone-pair: permit mgmt WAN to LAN: no zone-pair = DROP by default Unconfigured pairs are denied implicitly once zones attach.
Figure 7.1a (animated): Zones reveal, configured zone-pairs permit traffic (green / purple), a flow passes LAN to WAN, and the unconfigured WAN to LAN pair drops by default.
ZoneMaps toRole
LANVPN 10 (user VLANs)Trusted inside
WANVPN 0 (Internet/MPLS)Untrusted outside
DCVPN 20 (data-center/services)Semi-trusted services
SELFThe router itselfControl plane and management

The single most important rule of ZBFW behavior: any zone-pair you do not explicitly configure is denied by default once zones are attached. This causes most "everything broke after I turned on the firewall" incidents. A second classic trap is the self-zone: if you do not write a policy permitting traffic to the router's own control plane, you can lock yourself out of management.

Worked example — LAN-to-WAN with default-drop. Suppose a branch needs LAN users to reach the web and DNS, but nothing inbound from the Internet should reach the LAN. In vManage you create the LAN and WAN zones, then build the inter-zone rules:

After attaching the Enterprise Application-Aware Firewall policy and pushing it, vManage generates native ZBFW configuration. You verify on the device with:

! See the security policy that was pushed
show sdwan running-config security
! See the generated zone-based firewall constructs
show running-config | section zone
show zone security
! Inspect active firewall sessions and drops in the data plane
show policy-map type inspect zone-pair sessions
show platform hardware qfp active feature firewall

Snort IPS / IDS

Where the firewall decides whether a flow is allowed, an intrusion prevention system (IPS) decides whether an allowed flow is actually carrying an attack. The Catalyst 8000 integrates Snort IPS (Snort3) with the appropriate SD-WAN security licenses. If the firewall is the guard who checks your badge, the IPS is the screening machine that opens your bag and looks for contraband even though your badge is valid.

Figure 7.2: Packet inspection flow through ZBFW, Snort IPS, and AMP

flowchart TD PKT["Inbound flow<br/>(LAN to WAN zone-pair)"] --> ZBFW{"ZBFW: zone-pair<br/>match L3/L4 + L7 app?"} ZBFW -->|"No matching rule"| DROP1["Drop<br/>(default-deny)"] ZBFW -->|"Allowed / inspect"| IPS{"Snort IPS<br/>signature match?"} IPS -->|"Match - Prevent mode"| DROP2["Block + alert"] IPS -->|"Match - Detect-only"| ALERT["Alert, allow"] IPS -->|"Clean"| AMP{"AMP / Malware Defense<br/>file reputation?"} AMP -->|"Malicious file"| DROP3["Block download"] AMP -->|"Clean"| URL{"URL filtering<br/>category allowed?"} URL -->|"Blocked category"| DROP4["Block / warn"] URL -->|"Permitted"| FWD["Forward to destination"] classDef deny fill:#762020,stroke:#f85149,color:#fff classDef allow fill:#1f6feb,stroke:#58a6ff,color:#fff class DROP1,DROP2,DROP3,DROP4 deny class FWD,ALERT allow
ZBFW zone-pair L3/L4 + L7 Snort IPS signature match? AMP file reputation URL filter category allowed? Forward PKT no rule = drop prevent = block malicious = block blocked category Clean traffic passes every stage and is forwarded.
Figure 7.2a (animated): A packet travels ZBFW to Snort IPS to AMP to URL filtering, each stage lighting up as it inspects; the red labels show the allow/drop branch available at every stage.

On IOS XE, Snort runs inside the UTD (Unified Threat Defense) engine, a container installed on the router. The IPS supports two operating modes and a choice of base rulesets:

ChoiceOptionsGuidance
ModeDetect-only (alert) / Prevent (drop)Start in detect-only to find false positives, then move to prevent
Base rulesetConnectivity / Balanced / SecurityTrade coverage against throughput; pick by hardware and traffic volume

The vManage workflow: upload the UTD Snort image and signatures to the software repository; create an IPS profile (mode, base policy, categories); bind the profile to the LAN-to-WAN zone-pair so allowed flows are handed to Snort; then attach and push the combined firewall+IPS policy. Verify on the device:

! Confirm the UTD/Snort engine is installed and running
show platform software utd status
show utd engine standard status
! Inspection counters and active sessions
show utd statistics
show utd active-sessions

Three diagnostics to memorize: not installed/running means the container image failed to download (check repository and device disk/memory); license errors at UTD start mean the security/IPS license is missing; and counters stuck at zero mean the IPS is not bound to the right zone-pair, or traffic is not matching the firewall rules that invoke it.

URL Filtering and AMP

Two more on-box capabilities round out content security. URL filtering enforces policy on web destinations by category — blocking, allowing, or warning. AMP (Advanced Malware Protection), branded Cisco Malware Defense, performs file and malware analysis at the WAN edge so a malicious download is identified and blocked before it reaches an endpoint. If IPS is the bag scanner looking for known attack patterns, AMP is the lab that takes a suspicious file and analyzes its reputation. Both require higher-tier DNA/SD-WAN security licenses.

Key Takeaway: The Catalyst 8000 delivers a full on-box security stack — zone-based application-aware firewall, Snort IPS via the UTD engine, URL filtering, and AMP/Malware Defense. Author policy centrally in vManage and use the CLI to verify; remember any unconfigured zone-pair drops by default and the self-zone must be explicitly permitted.

Post-Quiz: On-Box Security

1. In SD-WAN mode, where do engineers normally author the Catalyst 8000 firewall and IPS policy, and what role does the device CLI play?

2. After you attach zones to a Catalyst 8000 ZBFW, why does traffic between two VPNs that previously worked suddenly fail?

3. What distinguishes the job of the zone-based firewall from the job of Snort IPS on the same flow?

4. A branch turns on Snort IPS but the inspection counters stay at zero despite heavy traffic. What is the most likely cause?

5. Why would an organization start Snort IPS in detect-only mode before switching to prevent mode?

Pre-Quiz: Secure Connectivity

1. Why does dedicated crypto offload hardware matter so much on a Catalyst 8000 that also builds SIG tunnels?

2. What problem does the TLS/SSL proxy on the Catalyst 8000 solve?

3. Why is Umbrella DNS-layer security often the first phase of a SASE rollout?

4. A user reports that a domain resolves fine but the web page still fails to load through Umbrella. What is a likely cause?

5. A branch sees intermittent SIG/IPsec tunnel flaps and degraded app performance rather than a hard failure. What should you suspect first?

Secure Connectivity

Key Points

On-box inspection protects traffic at the branch. The next layer protects traffic as it moves: encryption in flight, the ability to inspect encrypted traffic, and a lightweight control at the DNS layer.

IPsec and Crypto Offload

Every SD-WAN tunnel in the Catalyst SD-WAN fabric is an encrypted IPsec tunnel, and the Catalyst 8000 platforms encrypt and decrypt at line rate. The heavy mathematical work is handled by dedicated crypto offload hardware rather than the general-purpose CPU — a dedicated mail-room that seals and unseals every envelope so the executives (the CPU doing routing and policy) are not slowed down. This matters when the same box also builds IPsec tunnels to cloud security gateways, maintaining several per WAN transport. IPsec depends on a healthy underlay: when public-IP reachability, MTU, or NAT timeouts degrade, the symptom is intermittent tunnel flaps rather than an obvious hard failure.

TLS/SSL Proxy

The overwhelming majority of web traffic is now encrypted with TLS. A firewall or IPS that can only read the outside of the envelope cannot see the threat inside. The TLS/SSL proxy terminates the encrypted session on the router, decrypts the traffic for inspection by the firewall, IPS, AMP, and URL filtering engines, then re-encrypts before forwarding — a controlled man-in-the-middle by the trusted edge device. This is the customs officer authorized to open sealed diplomatic pouches, inspect the contents, and reseal them. Because it is computationally expensive and security-sensitive, it is gated behind higher-tier DNA licenses.

Figure 7.3: TLS/SSL proxy decrypt-inspect-re-encrypt flow

flowchart LR CLIENT["Branch client<br/>(encrypted TLS)"] --> TERM["TLS proxy<br/>terminate + decrypt"] TERM --> INSPECT["On-box engines inspect<br/>ZBFW / IPS / AMP / URL filter"] INSPECT --> REENC["Re-encrypt<br/>(new TLS session)"] REENC --> SERVER["Internet / SaaS server"] classDef proxy fill:#3d2a6b,stroke:#a371f7,color:#fff classDef edge fill:#1f6feb,stroke:#58a6ff,color:#fff class TERM,REENC proxy class INSPECT edge

DNS-Layer Security (Umbrella)

The cheapest, earliest place to stop a threat is the moment a device asks "what is the IP address for this domain?" Cisco Umbrella provides DNS-layer security: branch DNS requests resolve through Umbrella, which can block resolution of domains associated with malware, phishing, or command-and-control before any connection is attempted. It requires no IPsec tunnels, making it a natural first phase of a SASE rollout; many organizations begin here and later migrate to full SIG tunnels. One caution: DNS policies and full Secure Web Gateway (SWG) policies are configured independently, and inconsistent settings cause confusing results — DNS allows a domain but the SWG later blocks the HTTP request.

Key Takeaway: Secure connectivity combines hardware crypto offload for line-rate IPsec, a TLS/SSL proxy that lets on-box engines inspect encrypted traffic, and Umbrella DNS-layer security as a tunnel-free first line of defense and natural entry point into SASE.

Post-Quiz: Secure Connectivity

1. Why does dedicated crypto offload hardware matter so much on a Catalyst 8000 that also builds SIG tunnels?

2. What problem does the TLS/SSL proxy on the Catalyst 8000 solve?

3. Why is Umbrella DNS-layer security often the first phase of a SASE rollout?

4. A user reports that a domain resolves fine but the web page still fails to load through Umbrella. What is a likely cause?

5. A branch sees intermittent SIG/IPsec tunnel flaps and degraded app performance rather than a hard failure. What should you suspect first?

Pre-Quiz: SASE Integration

1. What is the defining idea of a SASE architecture?

2. What is genuinely valuable about how the Catalyst SD-WAN edge builds SIG tunnels to Umbrella?

3. Why is sending everything through a distant SIG POP sometimes the wrong choice, and what does Cloud OnRamp for SaaS do about it?

4. How does the Catalyst 8000 preserve VPN segmentation when steering traffic to Umbrella?

5. From the Catalyst 8000's perspective, how does integrating Cisco Secure Access (SSE) differ from integrating Umbrella SIG?

SASE Integration

Key Points

The third and outermost layer extends enforcement beyond the branch into the cloud. SASE (Secure Access Service Edge) converges WAN-edge functions with cloud-delivered security into a single, identity-aware service model. Cisco's SASE has three pillars: Catalyst SD-WAN at the WAN edge, Cisco cloud security in the middle (Umbrella SIG / Cisco Secure Access SSE), and identity and policy (Cisco ISE). The result is an "identity-first" model in which a user's traffic is consistently inspected and controlled in the cloud security layer regardless of how they connect. The end-to-end path is:

User → Branch LAN → Catalyst SD-WAN edge → SIG IPsec tunnel → Umbrella POP → Internet/SaaS — all under SASE policies.

Figure 7.4: Cisco SASE three-pillar architecture and end-to-end path

flowchart LR subgraph EDGE["Pillar 1: WAN Edge"] USER["User / Branch LAN"] --> C8K["Catalyst 8000<br/>SD-WAN edge"] end subgraph CLOUD["Pillar 2: Cloud Security"] POP["Umbrella SIG /<br/>Cisco Secure Access SSE<br/>POP"] end subgraph ID["Pillar 3: Identity"] ISE["Cisco ISE<br/>identity + policy"] end C8K -->|"SIG IPsec tunnel"| POP ISE -.->|"identity-first policy"| POP POP --> NET["Internet / SaaS"] classDef edge fill:#1f6feb,stroke:#58a6ff,color:#fff classDef cloud fill:#3d2a6b,stroke:#a371f7,color:#fff classDef ident fill:#1a5c3a,stroke:#3fb950,color:#fff class USER,C8K edge class POP cloud class ISE ident
Branch LAN user traffic C8000 edge Cloud SIG / Umbrella SWG / FWaaS / CASB POP Internet / SaaS DC backhaul (avoided) no backhaul IPsec SIG tunnel PKT Internet-bound traffic is steered into the SIG tunnel for cloud inspection, not backhauled to the DC.
Figure 7.4a (animated): The Catalyst 8000 steers branch traffic into an IPsec tunnel to a cloud Secure Internet Gateway instead of backhauling it to the data center.

Secure Internet Gateway (SIG) Tunnels

A Secure Internet Gateway (SIG) is a cloud-delivered security stack — Cisco Umbrella SIG / Cisco Secure Edge — deployed as globally distributed security POPs, typically including DNS-layer security, an SWG, a cloud-delivered firewall (FWaaS), and CASB controls. The connection between the Catalyst 8000 and the SIG is an automatically built IPsec tunnel into which Internet-bound traffic is sent. The genuinely valuable part: you do not build these tunnels by hand. vManage provides SIG templates that automate the entire process.

Worked example — full Internet breakout via Umbrella SIG. For a branch with dual Internet circuits: (1) define the SIG provider profile in vManage (type, region/POP list, API credentials); (2) configure a SIG policy/config group specifying which edges and transports carry tunnels and how VPNs map to POPs; (3) attach to the device template — each edge then initiates IKE/IPsec, commonly one tunnel per circuit for redundancy; (4) define data/centralized policies to steer traffic, e.g. a default route into the SIG with app-aware routing choosing the best circuit-and-POP tunnel. This automation generates the IKE/IPsec parameters and crypto maps and provisions redundancy automatically.

A powerful refinement is segmentation preservation: SD-WAN VPNs (Corp, Guest, IoT) map to separate Umbrella identities and policies, so guest Wi-Fi can be forced through SIG-only with stricter filtering while corporate traffic gets its own policy. The same template framework also supports third-party SSE providers — Zscaler, Palo Alto Prisma Access, and Netskope.

Cloud OnRamp for SaaS and IaaS

Sending everything through a cloud gateway is simple but not always optimal — backhauling a low-latency SaaS app through a distant POP hurts user experience. Cloud OnRamp optimizes and secures access to cloud services. Cloud OnRamp for SaaS continuously measures performance to apps like Microsoft 365 across multiple paths and selects the best one; Cloud OnRamp for IaaS extends the fabric into AWS/Azure. For each app the edge probes three candidate paths — direct breakout, DC backhaul, and SIG tunnels — ranked by latency, loss, jitter, and HTTP response time.

Figure 7.5: Cloud OnRamp for SaaS path probing and selection

flowchart TD APP["SaaS app traffic<br/>(e.g. Microsoft 365)"] --> PROBE["Edge probes candidate paths<br/>latency / loss / jitter / HTTP response"] PROBE --> P1["Direct Internet breakout<br/>local on-box inspection"] PROBE --> P2["Data-center backhaul<br/>DC security stack"] PROBE --> P3["SIG tunnel<br/>full Umbrella SIG"] P1 --> RANK{"Controller ranks paths"} P2 --> RANK P3 --> RANK RANK -->|"Best-performing path wins"| BEST["Selected path to SaaS"] classDef path fill:#1f6feb,stroke:#58a6ff,color:#fff classDef best fill:#1a5c3a,stroke:#3fb950,color:#fff class P1,P2,P3 path class BEST best

With Cloud OnRamp for SaaS over SIG tunnels, the probes run across the SIG tunnels too, so the best path might be a specific Umbrella POP over a specific circuit — optimization and security together.

Path candidateOptimized forSecurity posture
Direct Internet breakoutLowest latency to trusted SaaSLocal on-box inspection
Data-center backhaulCentralized inspection/legacy DLPDC security stack
SIG tunnelCloud inspection for everything elseFull Umbrella SIG (SWG/FWaaS/CASB)

Cisco Secure Access Integration

The newest pillar is Cisco Secure Access, Cisco's Security Service Edge (SSE) offering that unifies SWG, CASB, FWaaS, and ZTNA behind a single identity-aware policy plane alongside identity sources like Cisco ISE. From the Catalyst 8000's perspective the integration mechanics are familiar: the SD-WAN edge builds SIG/SSE tunnels and steers traffic exactly as it does for Umbrella, using the same vManage SIG template framework. The difference is where enforcement decisions are made: once traffic reaches the SSE, user identity, device posture, and application context drive the SWG, firewall, and CASB policies — completing the identity-first story where the same user gets the same policy at the branch or remote.

This raises the key design question of any SASE deployment: which enforcement lives where? L3/L4 filtering can happen at the SIG or the local firewall; app-aware routing lives in SD-WAN while web app controls live in the SWG. Deciding deliberately avoids duplicate or conflicting rules between on-box and cloud layers.

Key Takeaway: In Cisco SASE the Catalyst 8000 is the WAN-edge pillar that builds automated IPsec SIG tunnels (Umbrella, Secure Access, or third-party SSE) via vManage templates, preserves VPN segmentation as cloud identities, and uses Cloud OnRamp to send each application over the best-performing secure path — while identity-aware policy is enforced in the cloud security layer.

Post-Quiz: SASE Integration

1. What is the defining idea of a SASE architecture?

2. What is genuinely valuable about how the Catalyst SD-WAN edge builds SIG tunnels to Umbrella?

3. Why is sending everything through a distant SIG POP sometimes the wrong choice, and what does Cloud OnRamp for SaaS do about it?

4. How does the Catalyst 8000 preserve VPN segmentation when steering traffic to Umbrella?

5. From the Catalyst 8000's perspective, how does integrating Cisco Secure Access (SSE) differ from integrating Umbrella SIG?

Your Progress

Answer Explanations