Describe the integrated security features available on the Catalyst 8000 edge.
Explain how the platform participates in a Cisco SASE architecture.
Configure enterprise firewall, IPS, and secure internet access policies.
The Catalyst 8000 edge platforms are not just routers that happen to forward packets quickly. A single box at the WAN edge can also be the security checkpoint, the encryptor, and the on-ramp to a cloud-delivered security stack. Think of an airport terminal that collapses ticketing, customs, baggage screening, and the departure gate into one building: traffic entering or leaving the branch passes through firewall inspection, intrusion prevention, malware analysis, encryption, and policy-based steering toward cloud security, all without leaving the device. This chapter walks through three layers of that terminal: security functions that run on the box, connectivity features that protect traffic in transit, and the cloud integration that extends enforcement into Cisco's SASE architecture.
Pre-Quiz: On-Box Security
1. In SD-WAN mode, where do engineers normally author the Catalyst 8000 firewall and IPS policy, and what role does the device CLI play?
2. After you attach zones to a Catalyst 8000 ZBFW, why does traffic between two VPNs that previously worked suddenly fail?
3. What distinguishes the job of the zone-based firewall from the job of Snort IPS on the same flow?
4. A branch turns on Snort IPS but the inspection counters stay at zero despite heavy traffic. What is the most likely cause?
5. Why would an organization start Snort IPS in detect-only mode before switching to prevent mode?
On-Box Security
Key Points
The Catalyst 8200/8300/8500 run Catalyst SD-WAN with a full on-box stack: zone-based application-aware firewall, Snort IPS (via the UTD container), URL filtering, and AMP/Cisco Malware Defense.
In SD-WAN mode you author policy centrally in vManage, which translates it into native IOS XE zones, zone-pairs, class-maps, and policy-maps; the CLI is for verification and troubleshooting.
A zone-based firewall groups interfaces/VPNs into named zones and writes policy between zone-pairs with actions inspect, pass, or drop.
The single most dangerous behavior: any unconfigured zone-pair is dropped by default once zones are attached, and the self-zone must be explicitly permitted or you can lock yourself out.
The firewall decides whether a flow is allowed; Snort IPS then inspects allowed flows for attack signatures (detect-only or prevent), while AMP analyzes files and URL filtering enforces web categories.
The first layer of protection happens inside the router itself. A crucial point about SD-WAN mode: you rarely hand-write the firewall and IPS configuration. Instead you author policy centrally in Cisco SD-WAN Manager (vManage), which translates that policy into native IOS XE constructs and pushes them to the router. The device CLI becomes your tool for verification rather than authoring.
Zone-Based Firewall
A zone-based firewall (ZBFW) is a stateful model where interfaces (or, in SD-WAN, VPN segments) are grouped into named zones, and policy is written between pairs of zones rather than per-interface. On the Catalyst 8000 this is the application-aware enterprise firewall, matching not only Layer 3/4 criteria but also Layer 7 application signatures with deep packet inspection.
The mental model is a building with security doors between rooms. Each room is a zone (LAN, WAN, Data Center, the router's own control plane). You never write a rule about "this door"; you write a rule that says "traffic going from the lobby room to the vault room is allowed only if it is a verified employee." That from-zone-to-zone rule is a zone-pair, and its action is one of inspect, pass, or drop.
Figure 7.1: Zone-based firewall zone-pair model
graph TD
LAN["LAN Zone<br/>VPN 10 - Trusted inside"]
WAN["WAN Zone<br/>VPN 0 - Untrusted outside"]
DC["DC Zone<br/>VPN 20 - Semi-trusted services"]
SELF["SELF Zone<br/>Router control plane / mgmt"]
LAN -->|"Zone-pair: inspect HTTP/HTTPS/DNS"| WAN
LAN -->|"Zone-pair: inspect"| DC
WAN -.->|"No zone-pair = DROP by default"| LAN
LAN -->|"Zone-pair: permit mgmt"| SELF
classDef trusted fill:#1f6feb,stroke:#58a6ff,color:#fff
classDef untrusted fill:#762020,stroke:#f85149,color:#fff
classDef control fill:#3d2a6b,stroke:#a371f7,color:#fff
class LAN,DC trusted
class WAN untrusted
class SELF control
Figure 7.1a (animated): Zones reveal, configured zone-pairs permit traffic (green / purple), a flow passes LAN to WAN, and the unconfigured WAN to LAN pair drops by default.
Zone
Maps to
Role
LAN
VPN 10 (user VLANs)
Trusted inside
WAN
VPN 0 (Internet/MPLS)
Untrusted outside
DC
VPN 20 (data-center/services)
Semi-trusted services
SELF
The router itself
Control plane and management
The single most important rule of ZBFW behavior: any zone-pair you do not explicitly configure is denied by default once zones are attached. This causes most "everything broke after I turned on the firewall" incidents. A second classic trap is the self-zone: if you do not write a policy permitting traffic to the router's own control plane, you can lock yourself out of management.
Worked example — LAN-to-WAN with default-drop. Suppose a branch needs LAN users to reach the web and DNS, but nothing inbound from the Internet should reach the LAN. In vManage you create the LAN and WAN zones, then build the inter-zone rules:
LAN to WAN: match HTTP, HTTPS, DNS (ports 80, 443, 53) → action allow/inspect, with logging.
LAN to WAN default: match any → action drop.
WAN to LAN default: match any → action drop.
After attaching the Enterprise Application-Aware Firewall policy and pushing it, vManage generates native ZBFW configuration. You verify on the device with:
! See the security policy that was pushed
show sdwan running-config security
! See the generated zone-based firewall constructs
show running-config | section zone
show zone security
! Inspect active firewall sessions and drops in the data plane
show policy-map type inspect zone-pair sessions
show platform hardware qfp active feature firewall
Snort IPS / IDS
Where the firewall decides whether a flow is allowed, an intrusion prevention system (IPS) decides whether an allowed flow is actually carrying an attack. The Catalyst 8000 integrates Snort IPS (Snort3) with the appropriate SD-WAN security licenses. If the firewall is the guard who checks your badge, the IPS is the screening machine that opens your bag and looks for contraband even though your badge is valid.
Figure 7.2: Packet inspection flow through ZBFW, Snort IPS, and AMP
Figure 7.2a (animated): A packet travels ZBFW to Snort IPS to AMP to URL filtering, each stage lighting up as it inspects; the red labels show the allow/drop branch available at every stage.
On IOS XE, Snort runs inside the UTD (Unified Threat Defense) engine, a container installed on the router. The IPS supports two operating modes and a choice of base rulesets:
Choice
Options
Guidance
Mode
Detect-only (alert) / Prevent (drop)
Start in detect-only to find false positives, then move to prevent
Base ruleset
Connectivity / Balanced / Security
Trade coverage against throughput; pick by hardware and traffic volume
The vManage workflow: upload the UTD Snort image and signatures to the software repository; create an IPS profile (mode, base policy, categories); bind the profile to the LAN-to-WAN zone-pair so allowed flows are handed to Snort; then attach and push the combined firewall+IPS policy. Verify on the device:
! Confirm the UTD/Snort engine is installed and running
show platform software utd status
show utd engine standard status
! Inspection counters and active sessions
show utd statistics
show utd active-sessions
Three diagnostics to memorize: not installed/running means the container image failed to download (check repository and device disk/memory); license errors at UTD start mean the security/IPS license is missing; and counters stuck at zero mean the IPS is not bound to the right zone-pair, or traffic is not matching the firewall rules that invoke it.
URL Filtering and AMP
Two more on-box capabilities round out content security. URL filtering enforces policy on web destinations by category — blocking, allowing, or warning. AMP (Advanced Malware Protection), branded Cisco Malware Defense, performs file and malware analysis at the WAN edge so a malicious download is identified and blocked before it reaches an endpoint. If IPS is the bag scanner looking for known attack patterns, AMP is the lab that takes a suspicious file and analyzes its reputation. Both require higher-tier DNA/SD-WAN security licenses.
Key Takeaway: The Catalyst 8000 delivers a full on-box security stack — zone-based application-aware firewall, Snort IPS via the UTD engine, URL filtering, and AMP/Malware Defense. Author policy centrally in vManage and use the CLI to verify; remember any unconfigured zone-pair drops by default and the self-zone must be explicitly permitted.
Post-Quiz: On-Box Security
1. In SD-WAN mode, where do engineers normally author the Catalyst 8000 firewall and IPS policy, and what role does the device CLI play?
2. After you attach zones to a Catalyst 8000 ZBFW, why does traffic between two VPNs that previously worked suddenly fail?
3. What distinguishes the job of the zone-based firewall from the job of Snort IPS on the same flow?
4. A branch turns on Snort IPS but the inspection counters stay at zero despite heavy traffic. What is the most likely cause?
5. Why would an organization start Snort IPS in detect-only mode before switching to prevent mode?
Pre-Quiz: Secure Connectivity
1. Why does dedicated crypto offload hardware matter so much on a Catalyst 8000 that also builds SIG tunnels?
2. What problem does the TLS/SSL proxy on the Catalyst 8000 solve?
3. Why is Umbrella DNS-layer security often the first phase of a SASE rollout?
4. A user reports that a domain resolves fine but the web page still fails to load through Umbrella. What is a likely cause?
5. A branch sees intermittent SIG/IPsec tunnel flaps and degraded app performance rather than a hard failure. What should you suspect first?
Secure Connectivity
Key Points
Every SD-WAN tunnel is an encrypted IPsec tunnel; dedicated crypto offload hardware does the encryption math so the CPU stays free for routing and policy — vital when the box also maintains several IPsec SIG tunnels.
IPsec depends on a healthy underlay; degraded public-IP reachability, MTU, or NAT timeouts show up as intermittent tunnel flaps, not a clean failure.
The TLS/SSL proxy terminates and decrypts encrypted sessions so the on-box firewall, IPS, AMP, and URL filtering can inspect them, then re-encrypts before forwarding — a controlled man-in-the-middle by the trusted edge.
Umbrella DNS-layer security blocks resolution of malicious domains before any connection is attempted; it needs no tunnels and is a natural first phase of a SASE rollout.
DNS policy and full Secure Web Gateway policy are configured independently — inconsistent settings cause confusing results (DNS allows a domain but the SWG blocks the HTTP request). TLS proxy, AMP, and URL filtering are license-gated advanced functions.
On-box inspection protects traffic at the branch. The next layer protects traffic as it moves: encryption in flight, the ability to inspect encrypted traffic, and a lightweight control at the DNS layer.
IPsec and Crypto Offload
Every SD-WAN tunnel in the Catalyst SD-WAN fabric is an encrypted IPsec tunnel, and the Catalyst 8000 platforms encrypt and decrypt at line rate. The heavy mathematical work is handled by dedicated crypto offload hardware rather than the general-purpose CPU — a dedicated mail-room that seals and unseals every envelope so the executives (the CPU doing routing and policy) are not slowed down. This matters when the same box also builds IPsec tunnels to cloud security gateways, maintaining several per WAN transport. IPsec depends on a healthy underlay: when public-IP reachability, MTU, or NAT timeouts degrade, the symptom is intermittent tunnel flaps rather than an obvious hard failure.
TLS/SSL Proxy
The overwhelming majority of web traffic is now encrypted with TLS. A firewall or IPS that can only read the outside of the envelope cannot see the threat inside. The TLS/SSL proxy terminates the encrypted session on the router, decrypts the traffic for inspection by the firewall, IPS, AMP, and URL filtering engines, then re-encrypts before forwarding — a controlled man-in-the-middle by the trusted edge device. This is the customs officer authorized to open sealed diplomatic pouches, inspect the contents, and reseal them. Because it is computationally expensive and security-sensitive, it is gated behind higher-tier DNA licenses.
The cheapest, earliest place to stop a threat is the moment a device asks "what is the IP address for this domain?" Cisco Umbrella provides DNS-layer security: branch DNS requests resolve through Umbrella, which can block resolution of domains associated with malware, phishing, or command-and-control before any connection is attempted. It requires no IPsec tunnels, making it a natural first phase of a SASE rollout; many organizations begin here and later migrate to full SIG tunnels. One caution: DNS policies and full Secure Web Gateway (SWG) policies are configured independently, and inconsistent settings cause confusing results — DNS allows a domain but the SWG later blocks the HTTP request.
Key Takeaway: Secure connectivity combines hardware crypto offload for line-rate IPsec, a TLS/SSL proxy that lets on-box engines inspect encrypted traffic, and Umbrella DNS-layer security as a tunnel-free first line of defense and natural entry point into SASE.
Post-Quiz: Secure Connectivity
1. Why does dedicated crypto offload hardware matter so much on a Catalyst 8000 that also builds SIG tunnels?
2. What problem does the TLS/SSL proxy on the Catalyst 8000 solve?
3. Why is Umbrella DNS-layer security often the first phase of a SASE rollout?
4. A user reports that a domain resolves fine but the web page still fails to load through Umbrella. What is a likely cause?
5. A branch sees intermittent SIG/IPsec tunnel flaps and degraded app performance rather than a hard failure. What should you suspect first?
Pre-Quiz: SASE Integration
1. What is the defining idea of a SASE architecture?
2. What is genuinely valuable about how the Catalyst SD-WAN edge builds SIG tunnels to Umbrella?
3. Why is sending everything through a distant SIG POP sometimes the wrong choice, and what does Cloud OnRamp for SaaS do about it?
4. How does the Catalyst 8000 preserve VPN segmentation when steering traffic to Umbrella?
5. From the Catalyst 8000's perspective, how does integrating Cisco Secure Access (SSE) differ from integrating Umbrella SIG?
SASE Integration
Key Points
SASE converges WAN-edge functions (SD-WAN, routing) with cloud-delivered security (SWG, CASB, ZTNA, FWaaS) into a single, identity-aware service. Cisco's three pillars: Catalyst SD-WAN edge, cloud security (Umbrella SIG / Secure Access SSE), and identity (Cisco ISE).
A Secure Internet Gateway (SIG) is a cloud security stack reached over an automatically built IPsec tunnel; the branch steers Internet-bound traffic into it for inspection before exit.
vManage SIG templates automate IKE/IPsec setup and redundancy (commonly one tunnel per circuit) — no per-router hand-building. The same framework supports third-party SSE (Zscaler, Prisma Access, Netskope).
Cloud OnRamp for SaaS probes direct, data-center, and SIG paths and ranks them by latency/loss/jitter/HTTP response to pick the best secure path; Cloud OnRamp for IaaS extends the fabric into AWS/Azure. SD-WAN VPNs map to separate Umbrella identities to preserve segmentation.
Cisco Secure Access (SSE) uses the same tunnel mechanics as Umbrella; enforcement is driven by identity, device posture, and app context. The key design decision is choosing which enforcement lives on-box versus in the cloud to avoid conflicting rules.
The third and outermost layer extends enforcement beyond the branch into the cloud. SASE (Secure Access Service Edge) converges WAN-edge functions with cloud-delivered security into a single, identity-aware service model. Cisco's SASE has three pillars: Catalyst SD-WAN at the WAN edge, Cisco cloud security in the middle (Umbrella SIG / Cisco Secure Access SSE), and identity and policy (Cisco ISE). The result is an "identity-first" model in which a user's traffic is consistently inspected and controlled in the cloud security layer regardless of how they connect. The end-to-end path is:
User → Branch LAN → Catalyst SD-WAN edge → SIG IPsec tunnel → Umbrella POP → Internet/SaaS — all under SASE policies.
Figure 7.4: Cisco SASE three-pillar architecture and end-to-end path
flowchart LR
subgraph EDGE["Pillar 1: WAN Edge"]
USER["User / Branch LAN"] --> C8K["Catalyst 8000<br/>SD-WAN edge"]
end
subgraph CLOUD["Pillar 2: Cloud Security"]
POP["Umbrella SIG /<br/>Cisco Secure Access SSE<br/>POP"]
end
subgraph ID["Pillar 3: Identity"]
ISE["Cisco ISE<br/>identity + policy"]
end
C8K -->|"SIG IPsec tunnel"| POP
ISE -.->|"identity-first policy"| POP
POP --> NET["Internet / SaaS"]
classDef edge fill:#1f6feb,stroke:#58a6ff,color:#fff
classDef cloud fill:#3d2a6b,stroke:#a371f7,color:#fff
classDef ident fill:#1a5c3a,stroke:#3fb950,color:#fff
class USER,C8K edge
class POP cloud
class ISE ident
Figure 7.4a (animated): The Catalyst 8000 steers branch traffic into an IPsec tunnel to a cloud Secure Internet Gateway instead of backhauling it to the data center.
Secure Internet Gateway (SIG) Tunnels
A Secure Internet Gateway (SIG) is a cloud-delivered security stack — Cisco Umbrella SIG / Cisco Secure Edge — deployed as globally distributed security POPs, typically including DNS-layer security, an SWG, a cloud-delivered firewall (FWaaS), and CASB controls. The connection between the Catalyst 8000 and the SIG is an automatically built IPsec tunnel into which Internet-bound traffic is sent. The genuinely valuable part: you do not build these tunnels by hand. vManage provides SIG templates that automate the entire process.
Worked example — full Internet breakout via Umbrella SIG. For a branch with dual Internet circuits: (1) define the SIG provider profile in vManage (type, region/POP list, API credentials); (2) configure a SIG policy/config group specifying which edges and transports carry tunnels and how VPNs map to POPs; (3) attach to the device template — each edge then initiates IKE/IPsec, commonly one tunnel per circuit for redundancy; (4) define data/centralized policies to steer traffic, e.g. a default route into the SIG with app-aware routing choosing the best circuit-and-POP tunnel. This automation generates the IKE/IPsec parameters and crypto maps and provisions redundancy automatically.
A powerful refinement is segmentation preservation: SD-WAN VPNs (Corp, Guest, IoT) map to separate Umbrella identities and policies, so guest Wi-Fi can be forced through SIG-only with stricter filtering while corporate traffic gets its own policy. The same template framework also supports third-party SSE providers — Zscaler, Palo Alto Prisma Access, and Netskope.
Cloud OnRamp for SaaS and IaaS
Sending everything through a cloud gateway is simple but not always optimal — backhauling a low-latency SaaS app through a distant POP hurts user experience. Cloud OnRamp optimizes and secures access to cloud services. Cloud OnRamp for SaaS continuously measures performance to apps like Microsoft 365 across multiple paths and selects the best one; Cloud OnRamp for IaaS extends the fabric into AWS/Azure. For each app the edge probes three candidate paths — direct breakout, DC backhaul, and SIG tunnels — ranked by latency, loss, jitter, and HTTP response time.
Figure 7.5: Cloud OnRamp for SaaS path probing and selection
flowchart TD
APP["SaaS app traffic<br/>(e.g. Microsoft 365)"] --> PROBE["Edge probes candidate paths<br/>latency / loss / jitter / HTTP response"]
PROBE --> P1["Direct Internet breakout<br/>local on-box inspection"]
PROBE --> P2["Data-center backhaul<br/>DC security stack"]
PROBE --> P3["SIG tunnel<br/>full Umbrella SIG"]
P1 --> RANK{"Controller ranks paths"}
P2 --> RANK
P3 --> RANK
RANK -->|"Best-performing path wins"| BEST["Selected path to SaaS"]
classDef path fill:#1f6feb,stroke:#58a6ff,color:#fff
classDef best fill:#1a5c3a,stroke:#3fb950,color:#fff
class P1,P2,P3 path
class BEST best
With Cloud OnRamp for SaaS over SIG tunnels, the probes run across the SIG tunnels too, so the best path might be a specific Umbrella POP over a specific circuit — optimization and security together.
Path candidate
Optimized for
Security posture
Direct Internet breakout
Lowest latency to trusted SaaS
Local on-box inspection
Data-center backhaul
Centralized inspection/legacy DLP
DC security stack
SIG tunnel
Cloud inspection for everything else
Full Umbrella SIG (SWG/FWaaS/CASB)
Cisco Secure Access Integration
The newest pillar is Cisco Secure Access, Cisco's Security Service Edge (SSE) offering that unifies SWG, CASB, FWaaS, and ZTNA behind a single identity-aware policy plane alongside identity sources like Cisco ISE. From the Catalyst 8000's perspective the integration mechanics are familiar: the SD-WAN edge builds SIG/SSE tunnels and steers traffic exactly as it does for Umbrella, using the same vManage SIG template framework. The difference is where enforcement decisions are made: once traffic reaches the SSE, user identity, device posture, and application context drive the SWG, firewall, and CASB policies — completing the identity-first story where the same user gets the same policy at the branch or remote.
This raises the key design question of any SASE deployment: which enforcement lives where? L3/L4 filtering can happen at the SIG or the local firewall; app-aware routing lives in SD-WAN while web app controls live in the SWG. Deciding deliberately avoids duplicate or conflicting rules between on-box and cloud layers.
Key Takeaway: In Cisco SASE the Catalyst 8000 is the WAN-edge pillar that builds automated IPsec SIG tunnels (Umbrella, Secure Access, or third-party SSE) via vManage templates, preserves VPN segmentation as cloud identities, and uses Cloud OnRamp to send each application over the best-performing secure path — while identity-aware policy is enforced in the cloud security layer.
Post-Quiz: SASE Integration
1. What is the defining idea of a SASE architecture?
2. What is genuinely valuable about how the Catalyst SD-WAN edge builds SIG tunnels to Umbrella?
3. Why is sending everything through a distant SIG POP sometimes the wrong choice, and what does Cloud OnRamp for SaaS do about it?
4. How does the Catalyst 8000 preserve VPN segmentation when steering traffic to Umbrella?
5. From the Catalyst 8000's perspective, how does integrating Cisco Secure Access (SSE) differ from integrating Umbrella SIG?