Cisco Secure Access — Architecture & Configuration Reference

Interactive High-Level Design and Low-Level Configuration guide for Cisco Secure Access SSE.
Identity Provider (IdP)
Entra ID / Okta / AD Connector
SAML 2.0: two enterprise apps are required (ZTA and VPN). SCIM provisioning of users and groups.
Cisco Duo / SCSO
MFA via Security Cloud Sign On
The admin dashboard (sse.cisco.com) is automatically protected by Duo through SCSO. Included without extra licence or setup.
↕ Auth / SAML
Endpoints & Sites
Remote User
Cisco Secure Client
Endpoint agent with modules: ZTNA, VPN, DNS/Umbrella Roaming, Posture. Always-on after enrollment.
Posture Assessment
OS, AV, encryption, MDM
Continuous posture checks: OS version, antivirus, BitLocker/FileVault, firewall, screen lock; MDM compliance and TPM 2.0 through IdP/ISE integration (see Posture Profiles).
Site / Branch / Datacenter
IPsec IKEv2 tunnel
AES-256-GCM, DH group 20/19. Static routing or BGP. Outbound UDP 500 and 4500.
Cisco Secure Access — SSE Cloud (sse.cisco.com)
SWG
Secure Web Gateway
URL filtering (103 categories), application control (3,000+ apps controllable, 30,000+ visible), policy enforcement.
CASB
Cloud Access Security Broker
SaaS visibility and control. Inline inspection plus API integration for M365, Salesforce, Google Workspace.
FWaaS
Firewall as a Service
L3-L7 inspection in the cloud. Replaces the perimeter firewall for distributed users.
DNS Security
Umbrella / Talos
Anycast DNS resolver. Blocks malicious domains, C2 and DGA domains. Talos threat intelligence.
ZTNA
Zero Trust Network Access
Client-based (per-app micro-tunnel) and browser-based (clientless reverse proxy). Always-on, transparent to the user.
RA-VPN
Cloud-hosted headend
No on-prem VPN hardware required. SAML auth, IP pools, split or full tunnel. VPN FQDN: <org>.vpn.sse.cisco.com.
DLP
Data Loss Prevention
PII, credit cards, Swedish personnummer, custom regex. File inspection up to 50 MB. Actions: Block / Warn / Log.
RBI
Remote Browser Isolation
Risky and uncategorized sites are rendered in an isolated cloud-hosted browser (Menlo Security); no site content executes on the endpoint.
DEM
Experience Insights
Digital Experience Monitoring. User Health Score, Network Path Analysis, Application Performance, Endpoint Diagnostics.
Logging & SIEM
CEF/LEEF / S3 / API
Web, DNS, FWaaS, Private Access, DLP, Auth, Admin Audit. Export: Syslog CEF/LEEF, Amazon S3, REST API.
Policy Engine
Internet + Private Access
Top-to-bottom, first match. Conditions: Identity, Source, Posture, Destination. Actions: Allow/Block/Warn/Isolate.
AI Assistant
Policy & troubleshooting
Built-in chatbot in the dashboard. Creates and optimizes policies, troubleshoots connections, gives best-practice recommendations.
Resources
Internet
Inspected by SWG / CASB / FWaaS
All web traffic is inspected in the CSA cloud regardless of where the user is.
SaaS apps
M365, Salesforce, Google WS
CASB inline inspection plus API integration. Shadow IT discovery, DLP for SaaS uploads.
Private apps
Via ZTNA (client / browser)
Internal web apps, RDP, SSH, databases. Defined as Private Resources with FQDN/IP and port.
Datacenter / On-prem
Resource Connectors + IPsec
Resource Connectors: outbound HTTPS 443 from the DC to CSA; no inbound rules required. IPsec for network segments.
Traffic flows
Internet: User → Secure Client → CSA Cloud (DNS → SWG → CASB → FWaaS → DLP) → Internet
ZTNA: User → Secure Client → CSA Cloud (Policy Engine → Posture) → Resource Connector → Private App
RA-VPN: User → Secure Client → SAML 2.0 auth (via IdP) → CSA VPN Headend → Private network (full/split tunnel)
IPsec: Site/DC → IKEv2 IPsec tunnel (UDP 500/4500) → CSA Cloud → Internet or cross-site routing
DNS: All DNS queries → Umbrella resolver (anycast) → Talos threat check → Block / Allow → Reply to client
Component Reference
Identity & SAML
Two enterprise apps required. SCIM provisioning via Entra ID, Okta, or AD Connector. SAML 2.0.
Resource Connectors
Outbound HTTPS 443 only. 2 vCPU / 4GB RAM minimum. Docker or OVA. HA = 2 per site.
IPsec Tunnels
IKEv2, AES-256-GCM, SHA-256, DH Group 20/19. Static routing or BGP. Per-site or per-DC.
RA-VPN
Cloud-hosted headend. No on-prem hardware. Full / Split-Include / Split-Exclude / Dynamic.
ZTNA
Client-based per-app micro-tunnel + browser-based. Always-on. Trust = user + device + posture.
Private Resources
Name, domain/IP, ports, protocol, access method (ZTNA/VPN/Browser). Wildcard support.
SWG / FWaaS / Policy
103 URL categories, 3000+ controllable apps (30,000+ discovery). L3-L7 cloud firewall. Allow/Block/Warn/Isolate.
CASB
SaaS visibility and control. Inline inspection + API integration for M365, Salesforce, Google Workspace.
Security Profiles
Threat Protection (Talos), Content Analysis, DLP, RBI, DNS Security. Per-profile config.
DLP
Built-in PII/CCN/personnummer detectors. Custom regex. Block/Warn/Log. Up to 50MB file scan.
RBI
Risky and uncategorized sites rendered in an isolated cloud browser (Menlo Security); no site content executes on the endpoint.
Posture Profiles
OS, AV/EDR, disk encryption, firewall, certificate; MDM compliance and TPM 2.0 via IdP/ISE integration. Three example profiles included.
Experience Insights
User Health Score, app performance, network path, endpoint diagnostics. HTTP/DNS/Synthetic monitors.
Logs & SIEM
Web, DNS, Firewall, Private Access, DLP, Auth, Admin Audit logs. CEF/LEEF, S3, REST API export.
AI Assistant
Built-in chatbot. Creates and optimizes policies, troubleshoots connections, best practice recommendations.

Low Level Design — Configuration Reference

Detailed configuration, parameters, and dashboard paths for every component.
Identity & SAML
Resource Connectors
IPsec Tunnels
RA-VPN
ZTNA
Private Resources
SWG / FWaaS / Policy
TLS Inspection
CASB
Security Profiles
DLP
RBI
Posture Profiles
Experience Insights
Logs & SIEM
AI Assistant
SAML Enterprise Apps — Two Apps Required
Parameter | SAML App 1: Zero Trust Access | SAML App 2: VPN
Purpose | ZTNA + SWG + Internet Access | Remote Access VPN (AnyConnect)
Entity ID (IdP side) | saml.fg.id.sse.cisco.com | https://<orgname>.vpn.sse.cisco.com/saml/sp/metadata/<profile>
ACS URL | https://fg.id.sse.cisco.com/gw/auth/acs/response | https://<orgname>.vpn.sse.cisco.com/+CSCOE+/saml/sp/acs?tgname=<profile>
Sign On URL | From IdP metadata XML | From IdP metadata XML
Name ID Format | emailAddress | emailAddress
Attribute: email | user.mail | user.mail
Attribute: groups | user.groups (optional) | user.groups (optional)
SCIM required | Yes, for group sync | Optional
SCIM Provisioning — Steps by Provider
Entra ID (Azure AD)
1. Go to Enterprise Application > App 1
2. Provisioning > Automatic
3. Tenant URL: from CSA dashboard
4. Secret Token: from CSA dashboard
5. Test Connection → Save
6. Map attributes: email, displayName, groups
7. Set scope: Assigned users only or All
Okta
1. Applications > App 1 > Provisioning
2. Enable SCIM 2.0
3. Base URL: from CSA dashboard
4. API Token: from CSA dashboard
5. Push Groups: enable
6. Import Groups from CSA
7. Assign users/groups to app
AD Connector (on-prem AD)
1. Deploy AD Connector VM
2. Requirements: Windows Server 2012+ (2012/2012R2/2016/2019/2022/2025), domain-joined
3. Service account: Read + Replicating Directory Changes permission (grant only this right, not "Replicating Directory Changes All", which also replicates password hashes; deny interactive logon for the account and monitor its use)
4. Configure sync: OUs, groups
5. Sync interval: default 5 min
6. LDAP port 389 / LDAPS 636 (use LDAPS 636 so the bind credentials and directory data are not sent in clear text)
7. No inbound firewall rules required
Cisco Duo — MFA

Cisco Duo is included automatically through Cisco Security Cloud Sign On (SCSO). You do not need a separate Duo account or any manual configuration: it is enabled when you activate Cisco Secure Access.

Duo protects the admin login to the CSA dashboard (sse.cisco.com) with MFA out of the box. End-user authentication (ZTNA, VPN) is handled by your IdP (Entra ID / Okta) with its own MFA mechanisms (Entra MFA, Okta Verify, etc.).

Scenario | MFA method | Configuration required
Admin login to sse.cisco.com | Cisco Duo (via SCSO) | Included, no setup
End users, ZTNA / SWG | IdP MFA (Entra / Okta) | Configured in the IdP (Conditional Access / Okta policies)
End users, VPN | IdP MFA via SAML | Configured in the IdP
Cisco Secure Client enrollment | SAML + IdP MFA | Happens automatically at first login

Demo tips:

  • Log in to sse.cisco.com live and show the Duo Push notification appearing without any extra configuration
  • Point out: "MFA for admins is included from day one, with no extra licence and no setup"
  • For end users, MFA is controlled by your existing IdP; Cisco does not interfere with that flow
Configuration Notes

Both apps must be created in the IdP before configuring CSA. Upload the IdP metadata XML into CSA for each app separately.

SCIM is required for group-based access policies. Without SCIM, only user-level policies are possible.

For Entra ID: ensure the enterprise app has User.Read and GroupMember.Read.All API permissions if using group attribute mapping.

What It Is
Resource Connectors are lightweight VMs or containers deployed inside your datacenter or private cloud. They establish an outbound-only HTTPS connection (port 443) to the Cisco Secure Access cloud. No inbound firewall rules are required. Private apps are then accessible through ZTNA without exposing them to the internet.
Requirements
Parameter | Minimum | Recommended
vCPU | 2 | 4
RAM | 4 GB | 8 GB
Disk | 8 GB | 20 GB
OS | Linux (auto-managed) | Linux (auto-managed)
Network | Outbound HTTPS 443 | Dedicated NIC
DNS | Must resolve internal hostnames | Internal DNS server
HA | 1 connector | Minimum 2 per site
Deployment Options
VMware OVA
Download OVA from CSA dashboard. Deploy in vCenter/vSphere. Requires VM network with internet access. Auto-registers to CSA on first boot using provisioning key.
Docker Container
Runs on any Docker host. Requires Docker 20.10+. See command below. Enrollment token from CSA dashboard.
Cloud (AWS/Azure/GCP)
Deploy as EC2/Azure VM. Use the provided AMI or install script. Outbound security group: allow HTTPS 443 to 0.0.0.0/0 (or only to the Secure Access address ranges Cisco publishes, if an any-destination egress rule is not acceptable). No inbound rules needed.
Docker Deployment (Ubuntu 22.04 LTS x64)
# 1. Download setup script from CSA dashboard:
#    Connect > Network Connections > Connector Groups > Add Connector
# 2. Copy provisioning key from the dashboard

# Make the downloaded script executable and run Cisco's setup script
chmod +x setup_connector.sh
sudo ./setup_connector.sh

# Launch connector with provisioning key
sudo /opt/connector/install/connector.sh launch \
  --name dc-connector-01 \
  --key YOUR_PROVISIONING_KEY

# Verify connector is online
sudo /opt/connector/install/connector.sh status
# Status "Connected" should appear within 60 seconds
HA Considerations

Deploy minimum 2 connectors per site. CSA automatically load-balances and failovers between connectors in the same Connector Group.

Connector Groups are logical groupings — one group per datacenter or network segment is the recommended design. Assign each Private Resource to a specific Connector Group.

IKEv2 Phase 1 Parameters
Parameter | Value | Notes
IKE Version | IKEv2 | IKEv1 not supported
Encryption | AES-256-GCM | Or AES-256-CBC as fallback (CBC then needs a separate integrity algorithm)
Integrity / PRF | SHA-256 | SHA-1 also supported; do not use it for new tunnels
DH Group | Group 20 (P-384), default | Group 19 (P-256), 15 and 14 also supported
Lifetime | 86400 seconds (24 h) | Default, configurable
Auth Method | Pre-Shared Key (PSK) | Certificates also supported
Dead Peer Detection | Enabled | Interval: 10 s, Retry: 3
IPsec Phase 2 Parameters
Parameter | Value | Notes
Protocol | ESP | Encapsulating Security Payload
Encryption | AES-256-GCM | AEAD; no separate integrity algorithm needed
Lifetime | 3600 seconds (1 h) | Default
PFS | Group 20 | Perfect Forward Secrecy enabled
Mode | Tunnel | Transport mode not used
Cisco IOS-XE Configuration Example
! IKEv2 Proposal: matches the Phase 1 table (AES-256-GCM, SHA-256 PRF, DH group 20).
! A combined-mode cipher (GCM) carries its own integrity, so only the PRF is set.
crypto ikev2 proposal CSA-PROPOSAL
 encryption aes-gcm-256
 prf sha256
 group 20

! IKEv2 Policy
crypto ikev2 policy CSA-POLICY
 proposal CSA-PROPOSAL

! IKEv2 Keyring (PSK). Peer address and PSK are taken from the CSA dashboard.
crypto ikev2 keyring CSA-KEYRING
 peer CSA-PEER
  address CISCO_SSE_CLOUD_IP
  pre-shared-key YOUR_PSK_HERE

! IKEv2 Profile. DPD every 10 s, retry every 3 s (periodic), as in the Phase 1 table.
crypto ikev2 profile CSA-PROFILE
 match identity remote address CISCO_SSE_CLOUD_IP 255.255.255.255
 ! If the CSA dashboard assigns the tunnel an e-mail style tunnel ID, present it as the local identity:
 ! identity local email TUNNEL_ID_FROM_DASHBOARD
 authentication remote pre-share
 authentication local pre-share
 keyring local CSA-KEYRING
 dpd 10 3 periodic

! IPsec Transform Set: matches the Phase 2 table (ESP, AES-256-GCM, tunnel mode)
crypto ipsec transform-set CSA-TS esp-gcm 256
 mode tunnel

! Crypto Map (policy-based). PFS group 20 as in the Phase 2 table.
crypto map CSA-MAP 10 ipsec-isakmp
 set peer CISCO_SSE_CLOUD_IP
 set transform-set CSA-TS
 set pfs group20
 set ikev2-profile CSA-PROFILE
 match address CSA-ACL

! ACL for interesting traffic (inside subnets that should use the tunnel)
ip access-list extended CSA-ACL
 permit ip 10.0.0.0 0.255.255.255 any

! Apply to WAN interface
interface GigabitEthernet0/0/0
 crypto map CSA-MAP
Routing Options
Method | Use Case | Notes
Static Routes | Simple single-site | Add a static route pointing to the tunnel interface; requires a route-based (VTI) tunnel, whereas the crypto-map example above is policy-based
BGP | Multi-site, dynamic failover | CSA supports BGP over IPsec (route-based tunnel). ASN range: private 64512-65534
Policy-Based | Selective traffic steering | Use the crypto ACL to define interesting traffic, as in the example above
Architecture

The RA-VPN headend is fully cloud-hosted in Cisco's SSE infrastructure. No on-prem ASA, FTD, or VPN concentrator required. Users connect using Cisco Secure Client (AnyConnect) to <orgname>.vpn.sse.cisco.com.

Authentication is via SAML App 2. User experience is identical to classic AnyConnect — same client, same UX — but the headend is in the cloud.

Split Tunnel Options
Mode | Behavior | Use Case | Internet via
Full Tunnel | All traffic through VPN | High-security environments | VPN / CSA Cloud
Split Include | Only specified subnets via VPN | Performance-conscious, defined resources | Local breakout
Split Exclude | All traffic via VPN except listed | Exclude cloud/SaaS traffic | VPN / CSA Cloud (excluded destinations break out locally)
Dynamic Split | Decision per domain/app (FQDN-based) | Modern, SaaS-aware deployment | Dynamic per destination
Key Configuration Parameters
Parameter | Value / Notes
VPN FQDN | <orgname>.vpn.sse.cisco.com (auto-assigned by Cisco)
Protocol | TLS (TCP 443) with DTLS (UDP 443) primary, IPsec/IKEv2 (UDP 500/4500) fallback
IP Pool | Configured in CSA; RFC 1918 ranges, non-overlapping with internal subnets
DNS Servers | Push internal DNS for split DNS, or the CSA resolver for full tunnel
Auth Method | SAML App 2 (mandatory for the cloud headend)
MFA | Enforced via IdP (Entra Conditional Access / Okta MFA)
OS Support | Windows, macOS, Linux, iOS, Android
Client Version | Cisco Secure Client 5.x (formerly AnyConnect)
VPN vs ZTNA — Side-by-Side Comparison
Dimension | Traditional VPN | ZTNA (CSA)
Access Model | Network-level access (broad subnet) | Per-application micro-tunnel
Tunnel | Full network tunnel, all traffic | Per-app tunnel, only authorized apps
Authentication | Username + password (often) | SAML + MFA + device posture
Posture Enforcement | Optional, often add-on | Built-in, continuous, per-session
Lateral Movement Risk | High: full network access post-auth | Low: each session is scoped to one authorized app, so a compromised endpoint reaches only the apps its user is entitled to
User Experience | Manual connect, full-tunnel overhead | Always-on, transparent, fast
Access Methods
Client-Based ZTNA

Cisco Secure Client on endpoint. Always-on — auto-connects when accessing private apps. Creates per-app encrypted micro-tunnel.

Supports: TCP/UDP, SSH, RDP, databases, thick clients, any port.

Trust evaluated: user identity (SAML) + device posture (real-time).

Browser-Based ZTNA

No client agent required. Access via standard web browser. Suitable for BYOD, contractors, unmanaged devices.

Supports: HTTP/HTTPS web apps, plus browser-based SSH and RDP (intranet portals, web GUIs, Kibana, Grafana, remote servers).

Trust evaluated: user identity (SAML). No device posture (unmanaged).

Trust Assessment Model

Access is granted, and kept, only while the trust signals below pass. Device posture applies to client-based access; browser-based sessions carry identity only and should be scoped accordingly.

1. User Identity: authenticated via the SAML IdP with MFA. Group membership verified.

2. Device Posture: matched against the assigned Posture Profile. A failed check means deny or limited access, as set by the profile's fail action.

3. Continuous Re-evaluation: posture is checked throughout the session, not only at login, so a device that drifts out of compliance loses access mid-session.

Private Resource Configuration Fields
Field | Example | Notes
Name | ERP-Internal | Display name in CSA
Domain / IP | erp.corp.local or 10.10.1.50 | FQDN preferred. Wildcard: *.corp.local
Ports | 443, 8080-8090, 22, 3389 | Ranges and comma-separated lists supported
Protocol | TCP / UDP / Both | Select based on app requirements
Access Method | Client ZTNA / Browser ZTNA / VPN / All | Controls which clients can access
Connector Group | DC-Stockholm | Assign to the site-specific connector group
Tags | production, finance | Used for policy grouping
Access Method Reference
Method | Protocol | Agent Required | Best For
Client ZTNA | Any TCP/UDP | Yes (Secure Client) | Managed devices, any app type
Browser ZTNA | HTTP/HTTPS + SSH/RDP | No | BYOD, contractors, web apps
VPN | Any TCP/UDP | Yes (Secure Client) | Legacy apps, full subnet access needed
All | Any | Depends | Maximum flexibility
Notes on Wildcards and Multi-Port

Wildcard domains: *.corp.local matches all subdomains. Useful for covering entire internal DNS zones.

Multi-port: Specify as comma-separated (22,80,443) or ranges (8000-8999). Combining both is supported.

IP ranges: CIDR notation (10.10.1.0/24) is supported for covering subnets without enumerating hosts.
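The matching rules these notes describe, written out as an added example for this page (not Cisco code, and not a description of how CSA evaluates resources internally): the wildcard is assumed to cover subdomains only, a bare IP is treated as a /32, and the three resources are a constructed inventory modelled on the field table above.

```python
"""Matcher for Private Resource definitions (added example, not Cisco code).

Covers the three target forms the form accepts (exact FQDN, wildcard zone,
IP or CIDR) plus comma-separated ports and port ranges.
"""
import ipaddress
from dataclasses import dataclass, field


def parse_ports(spec: str) -> set[int]:
    """'22,80,443', '8000-8999' or a mix of both, as typed into the Ports field."""
    ports: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def host_matches(pattern: str, host: str) -> bool:
    """Exact FQDN, wildcard '*.zone' (subdomains only), bare IP (/32) or CIDR."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None  # not an IP/CIDR: treat as a name pattern
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # a hostname never matches an IP-based target
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.corp.local' -> ends with '.corp.local'
    return host == pattern


@dataclass
class PrivateResource:
    name: str
    targets: list[str]                    # Domain / IP field; several entries allowed
    ports: str                            # Ports field as typed
    protocol: str = "Both"                # TCP / UDP / Both
    access: tuple[str, ...] = ("Client ZTNA",)
    _ports: set[int] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._ports = parse_ports(self.ports)

    def matches(self, host: str, port: int, proto: str = "TCP") -> bool:
        if self.protocol != "Both" and self.protocol != proto:
            return False
        return port in self._ports and any(host_matches(t, host) for t in self.targets)


def first_matching_resource(resources, host, port, proto="TCP"):
    """Name of the first resource covering (host, port, proto), or None when the
    flow is not a defined Private Resource and so is not reachable through ZTNA."""
    for r in resources:
        if r.matches(host, port, proto):
            return r.name
    return None


# Constructed inventory modelled on the field table above (not real customer data).
RESOURCES = [
    PrivateResource("ERP-Internal", ["erp.corp.local", "10.10.1.50"], "443, 8080-8090, 22, 3389"),
    PrivateResource("Corp-Web", ["*.corp.local"], "80,443", access=("Browser ZTNA",)),
    PrivateResource("DB-Subnet", ["10.10.1.0/24"], "5432,1433", protocol="TCP"),
]

if __name__ == "__main__":
    for flow in [("erp.corp.local", 8085), ("wiki.corp.local", 443), ("corp.local", 443), ("10.10.1.77", 5432)]:
        print(flow, "->", first_matching_resource(RESOURCES, *flow))
```

Two things the matcher makes visible that the form does not: the wildcard `*.corp.local` does not cover the zone apex `corp.local` (it needs its own entry), and a UDP flow to a TCP-only resource is not covered even when the host and port match.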

This panel covers SWG (Secure Web Gateway) and FWaaS (Firewall as a Service). Both are configured under Internet Access Policy in the CSA dashboard.

Policy Capabilities
URL Categories
103 pre-defined Talos categories: Social Media, Adult Content, Gambling, Malware, Phishing, P2P, Streaming, News, Finance, etc. Custom categories supported.
Application Control
3,000+ controllable applications (30,000+ visible for Shadow IT discovery). Identify and control: Dropbox, OneDrive, Slack, Teams, TikTok, BitTorrent, Tor, and more — even over HTTPS.
TLS Inspection
Decrypt and inspect HTTPS. Deploy Cisco root CA to endpoints. Bypass lists for cert-pinned apps (banking, MDM, etc.). GDPR exclusion lists supported.
Policy Actions
Action | Behavior | Use Case
Allow | Traffic permitted, optionally logged | Trusted sites, business applications
Block | Traffic denied, block page shown | Malware, adult content, prohibited categories
Warn | Warning page; user can proceed | Social media, streaming; policy awareness
Isolate (RBI) | Rendered in cloud browser, no local execution | Risky/uncategorized sites, contractors
Example Policy Rule Order (Priority-Based — First Match Wins)
# | Name | Source | Destination | Action
1 | Block Malware | All users | Category: Malware, Phishing, C2 | Block
2 | Security Team Bypass | Group: SecOps | Any | Allow
3 | Isolate Uncategorized | All users | Category: Uncategorized | Isolate
4 | Block Adult Content | All users | Category: Adult, Gambling | Block
5 | Warn Social Media | Group: Employees | Category: Social Media | Warn
6 | Allow Business Apps | All users | App: M365, Salesforce, Slack | Allow
7 | Default Allow | All users | Any | Allow
Policy evaluation is top-to-bottom and the first matching rule applies, so place the most specific rules at the top and make the default rule (last) explicit, either Allow or Block-all. Note the effect of ordering in the example: rule 2 sits below the malware block, so SecOps is still protected by rule 1, but it also exempts SecOps from every rule after it (3, 4 and 6 apply to all users); that is the intended scope of a bypass rule and should be reviewed as such.
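The rule table above as data, with the first-match evaluation and a small ordering lint, written as an added example for this page; it is not Cisco's policy engine. The source selector forms ("All users", "Group: <name>") and the implicit Block when no rule matches are assumptions of the example.

```python
"""First-match evaluation of an Internet Access Policy (added example, not Cisco code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    num: int
    name: str
    source: str                               # "All users" or "Group: <name>"
    dest_categories: frozenset = frozenset()  # Talos categories; empty and no apps means Any
    dest_apps: frozenset = frozenset()
    action: str = "Allow"

    @property
    def any_destination(self) -> bool:
        return not self.dest_categories and not self.dest_apps


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    categories: frozenset                     # categories assigned to the destination
    app: str = ""                             # recognised application, if any


def source_matches(rule: Rule, req: Request) -> bool:
    if rule.source == "All users":
        return True
    if rule.source.startswith("Group: "):
        return rule.source[len("Group: "):] in req.groups
    raise ValueError(f"unknown source selector: {rule.source}")


def dest_matches(rule: Rule, req: Request) -> bool:
    if rule.any_destination:
        return True
    return bool(rule.dest_categories & req.categories) or (bool(req.app) and req.app in rule.dest_apps)


def evaluate(rules, req):
    """Top-to-bottom, first match wins. Returns (rule number, action).
    Without an explicit default rule the outcome is an implicit Block."""
    for rule in rules:
        if source_matches(rule, req) and dest_matches(rule, req):
            return rule.num, rule.action
    return None, "Block"


def shadowed_by_any_rule(rules):
    """Lint: for each rule, the first earlier rule with destination Any whose source
    overlaps it. Traffic from that source population never reaches the later rule."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            overlaps = "All users" in (earlier.source, later.source) or earlier.source == later.source
            if earlier.any_destination and overlaps:
                findings.append((later.num, earlier.num, earlier.source))
                break
    return findings


# The rule table from the page, as data.
RULES = [
    Rule(1, "Block Malware", "All users", frozenset({"Malware", "Phishing", "C2"}), action="Block"),
    Rule(2, "Security Team Bypass", "Group: SecOps", action="Allow"),
    Rule(3, "Isolate Uncategorized", "All users", frozenset({"Uncategorized"}), action="Isolate"),
    Rule(4, "Block Adult Content", "All users", frozenset({"Adult", "Gambling"}), action="Block"),
    Rule(5, "Warn Social Media", "Group: Employees", frozenset({"Social Media"}), action="Warn"),
    Rule(6, "Allow Business Apps", "All users", dest_apps=frozenset({"M365", "Salesforce", "Slack"}), action="Allow"),
    Rule(7, "Default Allow", "All users", action="Allow"),
]

if __name__ == "__main__":
    print(evaluate(RULES, Request("sec", frozenset({"SecOps"}), frozenset({"Gambling"}))))
    print(shadowed_by_any_rule(RULES))
```

The lint reports rule 2 as shadowing rules 3, 4, 6 and 7 for SecOps users, and rule 1 as the only rule SecOps cannot bypass; rule 5 is not reported because the Employees and SecOps selectors do not overlap in this model.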
What is TLS inspection?

TLS inspection (SSL inspection / HTTPS decryption) means that CSA terminates the encrypted TLS session, inspects the traffic for threats, DLP and policy, and re-encrypts it before forwarding. Without TLS inspection roughly 90% of web traffic (the HTTPS share) is a blind spot.

CSA acts as a transparent man-in-the-middle proxy. Endpoint trust is established with a root CA certificate pushed to endpoints through MDM or GPO.

Configuration steps
Step | Action | Details
1 | Enable TLS Decryption | Secure > TLS Decryption > Enable. Choose Inspect mode.
2 | Choose root CA | Use Cisco's built-in CA or upload your own root CA (recommended for enterprise)
3 | Distribute the root CA certificate | Via Intune / GPO / MDM to all managed endpoints. Without it, users get certificate warnings.
4 | Configure the bypass list | Add certificate-pinned apps, banking services, MDM agents, OS updates
5 | Attach to a Security Profile | TLS Decryption is enabled per Security Profile and then applies in the Internet Access Policy
Bypass: what should not be inspected
Always bypassed (Cisco pre-built)

Cisco maintains a list of known certificate-pinned apps that are bypassed automatically:

  • Microsoft services (parts of M365)
  • Apple APNs / OS updates
  • Antivirus update channels
  • MDM agents (Intune, Jamf)
Add manually

Custom bypass rules per domain, category or application:

  • Banking services (e.g. *.handelsbanken.se)
  • HR/payroll systems with strict certificate pinning
  • Custom business apps
  • Specific URL categories (Financial, Health)
Inspect vs bypass: decision table
Traffic type | Recommendation | Reason
General web traffic | Inspect | Maximum threat visibility and DLP coverage
SaaS apps (M365, Google) | Selective | Use CASB API mode for M365/Google for better coverage without breaking TLS
Certificate-pinned apps | Bypass | Technical necessity; the connection fails if intercepted
Banking / finance | Bypass | Regulatory, and certificate pinning is common
MDM / AV / OS updates | Bypass | Function-critical; never inspect
Own root CA vs Cisco CA
Cisco built-in CA

Pros: zero setup, enabled immediately.

Cons: Cisco's root CA certificate must be distributed to every endpoint. Does not work for BYOD without MDM.

Best for: quick PoC / pilot.

Own enterprise CA

Pros: endpoints already trust your CA through Active Directory. No extra certificate distribution.

Cons: requires access to the internal CA infrastructure to issue the signing certificate. Issue CSA a dedicated subordinate CA with its own key pair and never upload the root's private key: the key lives with the cloud service and can mint a certificate for any site your endpoints trust, so it should be revocable on its own.

Best for: production, enterprise environments with AD.

What is CASB?
CASB (Cloud Access Security Broker) gives visibility and control over SaaS app usage. Two modes: Inline (real-time inspection of traffic) and API (direct integration with the SaaS APIs, without proxying the traffic).
Inline vs API
Mode | How | Strengths | Limitations
Inline | Traffic is proxied through the CSA cloud | Real-time block/warn, DLP on upload/download | Only inspects proxied traffic
API | Direct integration with the SaaS API | Retroactive scanning, historical data, finds shared files | No real-time blocking
Key capabilities
Shadow IT Discovery
Identifies every SaaS app in use against a database of 30,000+ apps. Filter by category, risk score, number of users. Classify: Sanctioned / Unsanctioned / Restricted.
Tenant Restrictions
Block personal Microsoft/Google accounts and allow only the company tenant. For example, block @gmail.com logins to Google Workspace and allow only @foretaget.se.
DLP integration
Scans files uploaded to sanctioned apps. Triggers DLP rules on sensitive data in SharePoint, Google Drive, Salesforce, etc.
Activity logging
Who used which SaaS app, when and from where. Full audit trail for compliance and incident response.
Generative AI Access
Visibility and control over 720+ generative AI apps and 1,300+ LLM models. Per-app AI policies: allow/block/restrict data sharing. Protects against data leakage to ChatGPT, Copilot, Gemini, etc.
Shadow IT workflow
Step | Where | Action
1 | Secure > Application Discovery | Show all detected apps sorted by risk score
2 | Filter | Filter by category (File Sharing, Social Media, AI Tools), risk score, number of users
3 | Classify | Mark apps as Sanctioned / Unsanctioned / Restricted
4 | Policy | Create a rule: Unsanctioned apps → Block or Warn
Tenant Restrictions: Microsoft 365 example
  1. Go to Secure > Application Settings > Tenant Restrictions
  2. Add the allowed tenant IDs (the company's M365 tenant)
  3. Enable "Block personal accounts"
  4. Result: @personal.com accounts are blocked from M365; only @foretaget.com works
Demo tips
  • Show Shadow IT discovery live: "We can see your users are using 340 unsanctioned apps, including Dropbox and WhatsApp Web"
  • Show tenant restrictions live: try to log in with a personal Google account → blocked
  • Show DLP triggering on a file upload to Google Drive that contains sensitive data
Security Profile Components
Component | Function | Key Settings
Threat Protection | Talos-powered malware / IPS scanning of all traffic | Block / Alert / Monitor. AV scanning, IPS rules, sandboxing
Content Analysis | File type filtering, archive inspection, executables | Block file types (EXE, SCR, etc.), max file size
DLP | Inline data loss prevention on uploads/downloads | Select DLP policies (see DLP tab)
RBI | Remote Browser Isolation trigger | Enable for specific categories (Uncategorized, Risky, etc.)
DNS Security | Umbrella-powered DNS filtering | Block DNS requests to malicious/C2 domains
Profile Design Recommendations
Corporate-Strict
All components enabled. Threat Protection: Block mode. Content Analysis: strict file type list. DLP: all policies. RBI: Uncategorized + Risky. DNS: Block + Alert. For managed corporate devices.
BYOD-Moderate
Threat Protection: enabled. Content Analysis: moderate. No DLP (privacy). RBI: Uncategorized only. DNS: Block known malicious. For personal devices with business access.
Guest / Contractor
Threat Protection: enabled. No Content Analysis. No DLP. RBI: all non-business categories. DNS: strict. Internet-only access. No private resource access.
Built-in DLP Detectors
Detector | Covers | Example Pattern
PII, Personal Information | Names, addresses, date of birth | Structured personal data combinations
Credit Card Numbers (PCI) | Visa, Mastercard, Amex, Discover | Luhn-validated 13 to 19 digit sequences (Amex is 15 digits, most others 16)
Social Security Numbers | US SSN format | XXX-XX-XXXX
Swedish Personnummer | Swedish personal identity number | YYMMDD-XXXX or YYYYMMDDXXXX, Luhn check digit
IBAN / Bank Account | European bank account numbers | ISO 13616 format (country code, two check digits, mod-97 validated)
Healthcare (PHI/HIPAA) | Medical record identifiers, diagnoses | HL7/FHIR patterns
Source Code | Code files, IP protection | Language-specific signatures
Custom Regex | Any pattern (internal IDs, contracts) | User-defined regular expression
Actions and Configuration
Action | Behavior | Notes
Block | Upload/download stopped, user notified | Hard enforcement; use for critical data
Warn | Warning shown; user can override with justification | Awareness + audit trail
Log Only | Permitted but event recorded | Visibility first, before enforcement

File inspection: DLP inspects files up to 50MB. Archives (ZIP, RAR) are decompressed for inspection. Password-protected archives can be blocked.

Channels inspected: HTTP/HTTPS uploads (web, email, cloud storage), API uploads, and downloads based on policy direction setting.
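Three of the built-in detector classes (card numbers, Swedish personnummer, IBAN) implemented as an added example for this page, with the per-detector action resolved the way a DLP policy would; it is not Cisco's detector code. Assumptions: IBANs appear without spaces, a two-digit personnummer year is read as 19xx for the date check, and the sample document and its policy mapping are constructed.

```python
"""Content detectors behind three of the built-in DLP classes (added example,
not Cisco's detector code): Luhn-validated card numbers, Swedish personnummer
and IBAN. Findings are mapped to Block / Warn / Log the way a DLP policy would."""
import re
from datetime import date


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum, used by card numbers and Swedish personnummer."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# YYMMDD-XXXX, YYMMDD+XXXX (age 100+) or YYYYMMDDXXXX; group 1 is the optional century.
PNR_RE = re.compile(r"(?<!\d)(\d{2})?(\d{2})(\d{2})(\d{2})[-+]?(\d{4})(?!\d)")
# ISO 13616: two-letter country, two check digits, up to 30 alphanumerics (no spaces in this example).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def find_cards(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):   # Luhn rejects most random digit runs
            hits.append(digits)
    return hits


def find_personnummer(text):
    hits = []
    for m in PNR_RE.finditer(text):
        century, yy, mm, dd, last4 = m.groups()
        if not luhn_ok(yy + mm + dd + last4):             # the checksum covers the 10-digit form only
            continue
        day = int(dd) - 60 if int(dd) > 60 else int(dd)   # samordningsnummer add 60 to the day
        year = int((century or "19") + yy)                # assumption: two-digit years are 19xx (date sanity check only)
        try:
            date(year, int(mm), day)
        except ValueError:
            continue
        hits.append(m.group())
    return hits


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map A-Z to 10-35."""
    s = iban.replace(" ", "").upper()
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


def find_ibans(text):
    return [m.group() for m in IBAN_RE.finditer(text) if iban_ok(m.group())]


DETECTORS = {
    "Credit Card Numbers (PCI)": find_cards,
    "Swedish Personnummer": find_personnummer,
    "IBAN / Bank Account": find_ibans,
}
# Per-detector action, as a DLP policy would assign it (constructed mapping).
POLICY = {"Credit Card Numbers (PCI)": "Block", "Swedish Personnummer": "Block", "IBAN / Bank Account": "Warn"}
SEVERITY = {"Log": 0, "Warn": 1, "Block": 2}


def scan(text):
    """Detector name -> list of validated matches; detectors with no hits are omitted."""
    findings = {}
    for name, detector in DETECTORS.items():
        hits = detector(text)
        if hits:
            findings[name] = hits
    return findings


def decide(findings, policy=POLICY):
    """Strictest configured action among the matched detectors; Allow when nothing matched."""
    if not findings:
        return "Allow"
    return max((policy.get(name, "Log") for name in findings), key=SEVERITY.__getitem__)


# Constructed sample document (test values only; 4111... is the well-known test PAN).
SAMPLE = """Invoice 2024-0017 for customer 900101-0017.
Card on file 4111 1111 1111 1111, previously 4111 1111 1111 1112 (typo).
Settle to GB82WEST12345698765432. Order ref 1234567890123456."""

if __name__ == "__main__":
    found = scan(SAMPLE)
    print(found, "->", decide(found))
```

The sample shows why the detectors validate rather than pattern-match: the 16-digit order reference and the mistyped card number fail Luhn and are not reported, while the invoice number never reaches the personnummer check because it lacks the six date digits.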

How RBI Works

Remote Browser Isolation renders risky or uncategorized websites inside a cloud-hosted browser powered by Menlo Security's Isolation Platform (MSIP). The user sees a live visual stream — no web content actually executes locally on the endpoint.

Drive-by downloads, malicious scripts and browser exploits therefore execute in the disposable cloud browser rather than on the endpoint, whatever the site contains; the endpoint handles only the rendered stream.

RBI is triggered by policy based on URL category. It is transparent to the user — the site still loads and is fully interactive.

RBI Use Cases
Trigger Category | Rationale
Uncategorized | Unknown sites; risk cannot be assessed, so isolate by default
Newly Registered Domains | High risk; often used for phishing and malware delivery
Personal Email (Gmail, Yahoo) | Exfiltration risk; isolate and disable upload/download
File Sharing (WeTransfer, etc.) | DLP bypass risk; control with the isolated browser
Contractor / BYOD access | Unmanaged devices; full isolation for web apps
RBI Controls

Within an isolated session, you can configure:

- Upload/Download: Block file transfers to/from the isolated site

- Copy/Paste: Restrict clipboard between isolated site and local device

- Print: Block printing from isolated sessions

- Watermarking: Overlay user identity watermark on isolated content

Available Posture Checks
Check | What It Verifies | Platform
OS Version | Minimum OS version (e.g. Windows 11 22H2+, macOS 14+) | Win, Mac, Linux
Antivirus / EDR | AV present, running, definitions current (e.g. CrowdStrike, Defender) | Win, Mac
Disk Encryption | BitLocker (Windows), FileVault (Mac) enabled and active | Win, Mac
Firewall | Host-based firewall enabled and active | Win, Mac, Linux
System Password | System password / screen lock configured | Win, Mac
Certificate | Specific machine certificate present in cert store | Win, Mac
Browser | Browser version and security settings check | Win, Mac
Registry / File / Process | Windows Registry key, file exists, process running | Win, Mac, Linux
Note: jailbreak/root detection and MDM compliance are not native CSA posture attributes; they require ISE or IdP integration (Entra Conditional Access / Intune compliance). The MDM compliance and TPM 2.0 items in the example profiles below are therefore enforced through that integration, not by a native CSA check.
Example Profile Configurations
Corporate-Strict

- OS: min Windows 11 21H2 / macOS 13

- AV/EDR: required (any major vendor)

- Disk encryption: required

- Firewall: required

- MDM compliance: required (enforced through Entra Conditional Access / Intune compliance, not a native CSA check)

- TPM 2.0: required (enforced through Intune compliance, not a native CSA check)

Fail action: Deny access entirely

BYOD-Moderate

- OS: min Windows 10 / macOS 12

- AV: recommended, warn if missing

- Disk encryption: recommended

- Firewall: required

- MDM: not required

- Screen lock: required

Fail action: Restrict to browser ZTNA only

Contractor-Minimal

- OS: any supported version

- AV: not checked

- Disk encryption: not checked

- No MDM check

- Certificate check: machine cert required

- Screen lock: required

Fail action: Internet-only, no private resources
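The three example profiles as data plus the evaluation that picks the fail action, written as an added example for this page; it is not the Secure Client posture engine. The MDM flag is modelled as an input from the IdP/MDM integration noted above, TPM 2.0 is left out for the same reason, the Windows version tuple (major, release) is a convention of the example, and both devices are constructed.

```python
"""Posture profile evaluation with the three fail actions used by the example
profiles above (added example, not the Secure Client posture engine)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    os_name: str                  # "Windows", "macOS", "Linux"
    os_version: tuple             # Windows (major, release): 11 22H2 -> (11, 22); macOS (major,)
    av_running: bool
    disk_encrypted: bool
    firewall_on: bool
    screen_lock: bool
    machine_cert: bool
    mdm_compliant: bool           # not a native CSA check: supplied by the IdP / MDM integration


@dataclass(frozen=True)
class Profile:
    name: str
    min_os: dict                  # platform -> minimum version tuple; a missing platform is unsupported
    required: frozenset           # failing any of these triggers fail_action
    recommended: frozenset        # failing these only produces a warning
    fail_action: str              # DENY / BROWSER_ONLY / INTERNET_ONLY


CHECKS = {
    "av": lambda d: d.av_running,
    "disk_encryption": lambda d: d.disk_encrypted,
    "firewall": lambda d: d.firewall_on,
    "screen_lock": lambda d: d.screen_lock,
    "machine_cert": lambda d: d.machine_cert,
    "mdm": lambda d: d.mdm_compliant,
}


def os_ok(profile: Profile, device: Device) -> bool:
    floor = profile.min_os.get(device.os_name)
    return floor is not None and device.os_version >= floor


def evaluate(profile: Profile, device: Device) -> dict:
    """Access level plus which checks failed (required) or only warned (recommended)."""
    failed, warnings = [], []
    if not os_ok(profile, device):
        failed.append("os_version")
    for name, check in CHECKS.items():
        if name in profile.required and not check(device):
            failed.append(name)
        elif name in profile.recommended and not check(device):
            warnings.append(name)
    return {"access": "FULL" if not failed else profile.fail_action, "failed": failed, "warnings": warnings}


def session_timeline(profile: Profile, snapshots):
    """Continuous re-evaluation: the access level after each posture snapshot taken during a session."""
    return [evaluate(profile, s)["access"] for s in snapshots]


# The three example profiles from this section, as data.
CORPORATE_STRICT = Profile("Corporate-Strict", {"Windows": (11, 21), "macOS": (13,)},
                           frozenset({"av", "disk_encryption", "firewall", "mdm"}), frozenset(), "DENY")
BYOD_MODERATE = Profile("BYOD-Moderate", {"Windows": (10, 0), "macOS": (12,)},
                        frozenset({"firewall", "screen_lock"}), frozenset({"av", "disk_encryption"}), "BROWSER_ONLY")
CONTRACTOR_MINIMAL = Profile("Contractor-Minimal", {"Windows": (10, 0), "macOS": (12,), "Linux": (0,)},
                             frozenset({"machine_cert", "screen_lock"}), frozenset(), "INTERNET_ONLY")

# Constructed devices: a compliant managed laptop, a personal laptop, and the managed
# laptop after its AV stopped mid-session.
MANAGED = Device("Windows", (11, 23), True, True, True, True, True, True)
BYOD = Device("Windows", (11, 22), av_running=False, disk_encrypted=True, firewall_on=True,
              screen_lock=True, machine_cert=False, mdm_compliant=False)
DRIFTED = replace(MANAGED, av_running=False)
LINUX_BOX = replace(MANAGED, os_name="Linux", os_version=(6,))

if __name__ == "__main__":
    for profile in (CORPORATE_STRICT, BYOD_MODERATE, CONTRACTOR_MINIMAL):
        print(profile.name, evaluate(profile, BYOD))
    print(session_timeline(CORPORATE_STRICT, [MANAGED, DRIFTED, MANAGED]))
```

The same BYOD laptop lands in three different places depending on which profile it is assigned, and the timeline shows the mid-session downgrade that item 3 of the trust model describes: a compliant device whose AV stops is denied on the next check and restored once the check passes again.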

DEM Capabilities Overview
Feature | What It Measures | Data Source
User Health Score | Composite score (0-100) per user: network, endpoint, app health | Secure Client telemetry
Application Performance | Latency, jitter, packet loss to SaaS apps (M365, Salesforce, Zoom) | Synthetic probes from client
Network Path Analysis | Hop-by-hop visibility from client to app. Identifies the bottleneck (ISP, CSA, app) | Traceroute + latency probes
Endpoint Diagnostics | CPU, RAM, NIC utilization on the endpoint. Isolates device vs network issues | Secure Client system metrics
ISP Performance | Measures ISP quality from the user location | Aggregate client telemetry
Monitor Types
HTTP Monitor
Measure response time and availability of specific HTTP/HTTPS endpoints. Trigger from client periodically. Shows: DNS resolution time, TCP connect, TLS handshake, first byte, total load time.
DNS Monitor
Measure DNS resolution latency and correctness for specific FQDNs. Verifies correct resolver is used and response is correct IP. Useful for split-DNS troubleshooting.
Synthetic Monitor
Active probe from client or CSA cloud PoP toward target. Measures TCP/ICMP latency and packet loss. Runs at configurable interval (1-60 min).
Common Troubleshooting Scenarios
Symptom | Check in DEM | Likely Cause
"App is slow for one user" | User Health Score > Network Path Analysis | ISP latency, endpoint resource exhaustion, local Wi-Fi
"All users slow to M365" | App Performance > Microsoft 365 metrics | CSA PoP congestion, M365 service degradation, DNS issue
"User can't connect to private app" | Network Path Analysis > private app path | Resource Connector offline, DNS resolution failure, firewall
"VPN connection drops" | User Health Score > connectivity events | ISP instability, DPD timeout, MTU mismatch
Log Types
Log Type | Contains | Key Fields
Web Activity | All HTTP/HTTPS requests from all users | user, URL, category, action, bytes, app, policy
DNS Activity | All DNS queries processed by CSA | user, query, response, category, action, resolver
Firewall | L3/L4 traffic from IPsec tunnels and VPN | src IP, dst IP, port, protocol, bytes, action
Private Access | ZTNA and VPN session events | user, resource, connector, duration, bytes, status
DLP Events | DLP policy matches and actions | user, file, detector, action, destination, bytes
Auth Events | User login, logout, SAML events | user, event, IdP, timestamp, IP, result
Admin Audit | All changes made in the CSA dashboard | admin, action, object, before/after, timestamp
Export Methods
Method | Format | Use Case | Notes
CSV Export | CSV | Ad-hoc analysis, incident investigation | From the dashboard UI, filtered time range
Syslog CEF | CEF (Common Event Format) | Splunk, QRadar, ArcSight | Real-time, TCP/UDP 514 or 6514 (TLS). Prefer 6514 with TLS: plain UDP 514 sends logs in clear text and has no delivery guarantee
Syslog LEEF | LEEF (Log Event Extended Format) | IBM QRadar primary format | Real-time stream
Amazon S3 | CSV gzip | Long-term archive, data lake, Athena | Batch export, configurable interval
REST API | JSON | Custom SIEM, automation, scripting | Paginated, requires API key
Log retention: Configurable in dashboard. Up to 30 days searchable in-platform. For longer retention, export to S3 or SIEM. Logs are immutable once written.
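A parser for the CEF export and one detection over it (repeated DLP blocks by a single user), added as an example for this page; it is not Cisco code, and the extension field names (rt, suser, act, fname, dst, request, cat) and the six sample lines are constructed assumptions rather than CSA's real schema. Map the names to the fields of the actual export before using the detection.

```python
"""Parser for the Syslog CEF export plus one detection over it (added example,
not Cisco's schema or code). Extension field names are assumptions for the sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HEADER_SPLIT = re.compile(r"(?<!\\)\|")                     # '|' unless escaped as '\|'
EXT_KV = re.compile(r"(\w+)=((?:\\=|[^=])*?)(?=\s\w+=|$)")   # key=value; values may contain spaces, '=' escaped as '\='


def parse_cef(line: str) -> dict:
    """CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension"""
    parts = HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    unesc = lambda s: s.replace("\\|", "|").replace("\\\\", "\\")
    ext = {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in EXT_KV.findall(parts[7])}
    return {
        "version": parts[0][4:], "vendor": unesc(parts[1]), "product": unesc(parts[2]),
        "device_version": parts[3], "signature_id": parts[4], "name": unesc(parts[5]),
        "severity": int(parts[6]), "ext": ext,
    }


def event_time(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["ext"]["rt"].replace("Z", "+00:00"))


def bursts_by_user(records, predicate, window: timedelta, threshold: int) -> dict:
    """Users with at least `threshold` matching events inside any `window`; value is the
    largest count seen in one window (sliding window over the sorted timestamps)."""
    per_user = defaultdict(list)
    for r in records:
        if predicate(r):
            per_user[r["ext"]["suser"]].append(event_time(r))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits


# Constructed sample export (field names are assumptions, not the real CSA schema).
LINES = [
    "CEF:0|Cisco|Secure Access|1.0|DLP|DLP Block|8|rt=2024-05-06T10:00:00Z suser=anna.svensson act=Block fname=q1 report.xlsx dst=drive.google.com",
    "CEF:0|Cisco|Secure Access|1.0|DLP|DLP Block|8|rt=2024-05-06T10:02:30Z suser=anna.svensson act=Block fname=customers.csv dst=drive.google.com",
    "CEF:0|Cisco|Secure Access|1.0|DLP|DLP Warn|5|rt=2024-05-06T10:03:00Z suser=bob.karlsson act=Warn fname=notes.txt dst=wetransfer.com",
    "CEF:0|Cisco|Secure Access|1.0|DLP|DLP Block|8|rt=2024-05-06T10:04:10Z suser=anna.svensson act=Block fname=salaries.xlsx dst=dropbox.com",
    "CEF:0|Cisco|Secure Access|1.0|DLP|DLP Block|8|rt=2024-05-06T11:30:00Z suser=bob.karlsson act=Block fname=export.zip dst=dropbox.com",
    "CEF:0|Cisco|Secure Access|1.0|WEB|Web Activity|2|rt=2024-05-06T10:05:00Z suser=anna.svensson act=Allow request=https://intranet.corp.local/ cat=Business",
]


def dlp_block_bursts(lines=LINES, window=timedelta(minutes=10), threshold=3):
    """Users who hit three or more DLP blocks within ten minutes: a likely exfiltration attempt
    (or a mis-tuned detector) that deserves a look before the next upload succeeds elsewhere."""
    records = [parse_cef(line) for line in lines]
    is_dlp_block = lambda r: r["name"] == "DLP Block" and r["ext"].get("act") == "Block"
    return bursts_by_user(records, is_dlp_block, window, threshold)


if __name__ == "__main__":
    print(dlp_block_bursts())
```

Note the value with an embedded space (`fname=q1 report.xlsx`): CEF extensions are not split on whitespace, which is why the parser scans for the next `key=` boundary instead.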
What is the AI Assistant?
Built-in AI assistant powered by Cisco AI. Available everywhere in the dashboard; no separate activation required. The AI has context about your specific environment: your users, groups, apps and existing policies. It is not a generic chatbot.
Features
Feature | Description | Example prompt
Rule suggestions | Creates access policies from natural language | "Block social media for all users except Marketing"
Policy review | Analyses existing rules and finds gaps | "Review my internet access policies for gaps"
Troubleshooting | Diagnoses why a user cannot reach an app | "Why can't user john.doe access app SAP?"
Best practice | Recommends configuration based on industry | "What DLP rules do you recommend for a healthcare company?"
Configuration guide | Step by step for specific integrations | "How do I set up IPsec tunnel with Fortinet FortiGate?"
Log analysis | Analyses log data and gives insights | "Summarize security events from the last 7 days"
How to use it in a demo
  1. Open any dashboard page
  2. Click the chatbot icon (bottom right)
  3. Type in English (the only language currently supported)
  4. The AI creates a policy draft; click "Apply" to deploy it immediately
Demo sequence
Opening

Start with: "What policies should I create for a new deployment?"

Shows proactive guidance: the AI provides a complete checklist for a new deployment.

Policy creation

Then: "Create a policy blocking gambling and adult content for all users"

Shows immediate policy creation: the rule is displayed ready to be applied.

Troubleshooting

Then: "Why was user [name] blocked from [app]?"

Shows AI-assisted troubleshooting with the exact policy hit and a recommendation.

Policy audit

Finish with: "Are there any security gaps in my current configuration?"

Shows AI-driven security analysis of the entire configuration.

Important to note
The AI assistant has context about your specific environment: it knows your users, groups, apps and current policies. It is not a generic chatbot; it is a context-aware copilot for your CSA environment.

Demo Flow — Cisco Secure Access

Guided walkthrough. Check off steps as you complete them. Total duration: ~90 minutes.
Step 1: Dashboard Overview and Navigation (5 min)
Show: Main dashboard — Summary tiles, left nav structure (Connect, Secure, Resources, Monitor, Admin)
  • Walk through each nav section and what lives there
  • Point out the AI Assistant icon bottom-right
  • Show the global search and recent alerts
  • Note that all config changes are logged in Admin Audit
Pro tip: Start here to orient the customer. The UI is clean — that's a selling point vs older SASE platforms. Don't rush through it.
Step 2: SAML Configuration, The Two Enterprise Apps (6 min)
Show: Connect > Users > Identity Provider — Create or show existing SAML App 1 (ZTNA) and App 2 (VPN)
  • Explain why two apps are needed — different endpoints/use cases
  • Show the metadata XML import process
  • Point out the Entity ID and ACS URL values
  • Note that this integrates with Entra ID, Okta, or on-prem AD
Pro tip: Customers often underestimate SAML setup time. Confirm their IdP choice upfront and note Cisco has step-by-step guides for Entra and Okta in the docs.
Step 3: User Provisioning via SCIM (4 min)
Show: Connect > Users > Identity Provider > SCIM configuration tab. Show synced users and groups.
  • Show the SCIM endpoint URL and secret token
  • Show a list of synced groups — these are used in policies
  • Explain that without SCIM you can still do user-based policies, not group-based
Pro tip: If customer uses Entra ID, SCIM setup is 10 minutes. Okta is similar. Groups sync automatically — no manual user management.
Step 4: Resource Connector, Deployment and Status (5 min)
Show: Connect > Network Connections > Resource Connectors — A live connector showing "Connected" status. Show the connector group config.
  • Explain outbound-only connectivity — no inbound firewall rules
  • Show the provisioning key generation process
  • Show Docker deployment command or OVA download
  • Show HA: two connectors in same group, auto load-balance
  • Point to the green "Connected" status indicator
Pro tip: The "no inbound ports" message resonates strongly with security teams. Emphasize it. This is a significant architecture advantage over traditional VPN headends.
Step 5: IPsec Tunnel Configuration and Status (8 min)
Show: Connect > Network Connections > Network Tunnel Groups — A configured tunnel showing "Connected" / "UP" status. Show IKEv2 parameters.
  • Show tunnel configuration wizard — point out IKEv2 defaults
  • Show the cloud-side IP/FQDN for the tunnel endpoint (provided by Cisco)
  • Explain that any router/firewall supporting IKEv2 can connect
  • Show "Connected" status with uptime counter
  • Note BGP peering option for dynamic routing
Pro tip: Fortinet and Cisco IOS-XE configs are well-documented. If the customer has specific hardware, you can pull up the exact CLI config on the spot.
Step 6: Routing and Traffic Verification (7 min)
Show: Monitor > Logs > Firewall — Traffic from the IPsec tunnel appearing in logs. Show source IP, action, policy match.
  • Browse to a website from a device behind the tunnel — show it in logs
  • Show that the source is the tunnel's subnet, not the cloud egress IP
  • Demonstrate policy applied (Allow/Block) based on category
  • Explain that site traffic now benefits from full CSA security stack
Pro tip: Real-time traffic logs are a visual win in a demo. Pre-position a browser hitting some test URLs so traffic appears in logs instantly during the demo.
Step 7: Private Resources, Create an Internal App (5 min)
Show: Resources > Private Resources — Create a new resource: name, FQDN/IP, port, protocol, access method, connector group.
  • Use a real-looking example: "ERP-Internal" at erp.corp.local, port 443, ZTNA
  • Show that the resource is linked to a connector group (DC connector)
  • Show wildcard support: *.internal.corp.com
  • Point out Browser ZTNA vs Client ZTNA options
Pro tip: Create the resource live during the demo — it takes under 60 seconds and shows how simple it is vs traditional VPN ACL management.
Step 8: VPN Connection Demo (5 min)
Show: Cisco Secure Client — connect via VPN to <orgname>.vpn.sse.cisco.com. Show SAML auth flow, connection established.
  • Open Secure Client, select VPN profile, click Connect
  • Browser opens for SAML auth — show IdP login and MFA
  • Show "Connected" status in client
  • Show IP address assigned from VPN pool
  • Show resulting connection in Monitor > Logs > Private Access
Pro tip: Have the VPN profile pre-configured in Secure Client before the demo. SAML auth is the most reliable part — the IdP pop-up browser window is visually clear and familiar to customers.
Step 9: ZTNA, Always-On, Transparent Access (5 min)
Show: Secure Client — ZTNA module active. Access a private resource transparently without manual VPN connection. Show per-app tunnel in client.
  • Disconnect VPN — access private app — it still works (ZTNA)
  • Show the per-app tunnel created automatically in Secure Client
  • Show that only that specific app is accessible — no broad network
  • Show posture status in client — green check marks
Pro tip: This moment — accessing an internal app without VPN — is the "wow" moment for most customers. Let it land. Don't rush to explain. Let them ask "how does that work?"
Step 10: VPN vs ZTNA, Side-by-Side Comparison (5 min)
Show: The LLD ZTNA comparison table. Use it to anchor the conversation about why ZTNA is better for most use cases.
  • VPN = network access. ZTNA = application access. That's the core difference.
  • Lateral movement with VPN: compromised device = full network. ZTNA: compromised device = one app, one session.
  • Posture is continuous in ZTNA. VPN checks once at connect and then trusts indefinitely.
  • Recommend: ZTNA as default, VPN as fallback for legacy apps needing full subnet
Pro tip: Position VPN and ZTNA as complementary, not competing. Cisco gives you both in one platform. You don't have to rip-and-replace on day one.
Step 11: URL Categories, Block and Show Block Page (5 min)
Show: Secure > Access Policy > Internet Access — Create a rule blocking "Gambling" category. Test: browse to betsson.com. Show block page.
  • Create rule: Source = All Users, Category = Gambling, Action = Block
  • Save and immediately test from browser
  • Show the Cisco block page — customizable with company logo and message
  • Show the block event in Monitor > Logs > Web Activity
Pro tip: Policy changes take effect in under 60 seconds. Demonstrate this speed — create the rule, wait 30 seconds, test. This impresses customers used to firewall change windows.
Step 12: DLP Test with Fake Data (5 min)
Show: Secure > Data Loss Prevention — enable Credit Card detector. Upload a test file to a cloud service (Google Drive/Dropbox) with fake CCN data. Show DLP block/log.
  • Pre-create a test file: "test-data.txt" with fake Visa numbers (use known-invalid test CCNs)
  • Configure DLP rule: Credit Card Numbers, Block, upload to Cloud Storage
  • Try to upload via browser — upload blocked, user sees notification
  • Show DLP event in Monitor > Logs > DLP Events — user, file, detector, action
Pro tip: Use Luhn-valid but clearly fake test CCNs (like 4111111111111111 — this is a standard test number). Make it visually obvious it's test data, not real card data.
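Added example, not from this guide or from Cisco's DLP engine: a minimal Credit Card Numbers detector (candidate-digit regex plus Luhn check) run over a constructed test file, showing why the test numbers must be Luhn-valid to trigger the rule and how a file over the 50 MB inline-scan cap is handled. The regex, the masking format and the threshold are assumptions for illustration.

```python
import re

# Constructed test content for the DLP demo: well-known test card numbers that
# are Luhn-valid but not real accounts, plus near-misses that must NOT fire.
TEST_FILE = """Demo DLP test file (constructed, not real card data)
Visa test card:       4111 1111 1111 1111
Typo'd number (fails Luhn): 4111111111111112
Phone-like digits: 0046 70 123 4567
Mastercard test card: 5555-5555-5555-4444
"""

INLINE_SCAN_LIMIT = 50 * 1024 * 1024   # 50 MB inline inspection cap from this LLD

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in
# a longer digit run. Constructed pattern; a product detector is issuer-aware.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid candidate PANs found in text, separators removed."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits):
    """Keep first 6 and last 4 so the log entry is not itself a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def dlp_decision(text, threshold=1):
    """Mimic the rule in the step above: Credit Card Numbers -> Block.
    Content over the inline scan limit cannot be inspected, so it is only logged."""
    size = len(text.encode("utf-8"))
    if size > INLINE_SCAN_LIMIT:
        return {"action": "Log", "reason": "exceeds 50 MB inline scan limit",
                "matches": 0, "evidence": []}
    hits = find_card_numbers(text)
    action = "Block" if len(hits) >= threshold else "Allow"
    return {"action": action, "reason": "Credit Card Numbers detector",
            "matches": len(hits), "evidence": [mask_pan(h) for h in hits]}


if __name__ == "__main__":
    print(dlp_decision(TEST_FILE))
```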
Step 13: Posture Profiles, Check and Fail Scenario (5 min)
Show: Secure > Posture Profiles — Show an existing profile. Show posture status in Secure Client. Optionally: trigger a fail by disabling the local firewall.
  • Show posture profile config: OS version, AV, disk encryption, firewall requirements
  • Show the "Compliant" status in Secure Client
  • Disable Windows Firewall — show client detects violation in real-time
  • Show that private app access is blocked or restricted as per fail action
Pro tip: Pre-configure two profiles — Corporate-Strict and BYOD-Moderate. Assign to different user groups. Show the difference in what each gets access to.
Step 14: Create Internet + Private Access Policies Live (5 min)
Show: Secure > Access Policy — Create both an Internet Access rule and a Private Access rule in real time. Show rule ordering, group assignment, security profile linkage.
  • Internet rule: Finance group, block Streaming and Social Media, apply Security Profile: Corporate-Strict
  • Private access rule: HR group, allow ERP-Internal resource, require posture: Corporate-Strict
  • Drag-and-drop rule reordering — show priority
Pro tip: The unified policy interface covering both internet and private access in one place is a differentiator vs platforms with separate consoles. Point this out explicitly.
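Added example (not Cisco code and not part of this guide): a first-match policy evaluator over constructed rule sets modelled on the two rules above, plus a shadowed-rule check that shows what drag-and-drop reordering actually changes. Rule, group and category names are assumptions, and posture failure is modelled as Block.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]                  # source groups; empty set = all users
    targets: FrozenSet[str]                 # URL categories or private resources
    action: str                             # "Allow" | "Block" | "Warn"
    require_posture: Optional[str] = None   # posture profile the endpoint must pass


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    target: str                             # category browsed or resource accessed
    posture: FrozenSet[str] = frozenset()   # posture profiles the endpoint passes


# Constructed rule sets modelled on the Internet and Private Access rules above.
INTERNET_RULES: List[Rule] = [
    Rule("Finance-Block-Streaming-Social", frozenset({"Finance"}),
         frozenset({"Streaming", "Social Media"}), "Block"),
    Rule("All-Allow-Web", frozenset(),
         frozenset({"Streaming", "Social Media", "Business", "News"}), "Allow"),
    Rule("Marketing-Allow-Social", frozenset({"Marketing"}),
         frozenset({"Social Media"}), "Allow"),   # never reached: shadowed
]
PRIVATE_RULES: List[Rule] = [
    Rule("HR-ERP-Internal", frozenset({"HR"}), frozenset({"ERP-Internal"}),
         "Allow", require_posture="Corporate-Strict"),
]


def evaluate(rules: List[Rule], req: Request, default="Block") -> Tuple[str, str]:
    """Top-to-bottom, first match wins; the implicit final rule is Block."""
    for rule in rules:
        if rule.groups and not (rule.groups & req.groups):
            continue
        if req.target not in rule.targets:
            continue
        if rule.require_posture and rule.require_posture not in req.posture:
            return rule.name, "Block"       # matched, but the posture fail action applies
        return rule.name, rule.action
    return "implicit-default", default


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(later, earlier) pairs where the earlier rule already covers every
    (group, target) combination the later rule matches, so it can never fire."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_groups = (not earlier.groups) or bool(later.groups and later.groups <= earlier.groups)
            if covers_groups and later.targets <= earlier.targets:
                out.append((later.name, earlier.name))
                break
    return out


def reorder(rules: List[Rule], name: str, new_index: int) -> List[Rule]:
    """Copy of rules with `name` moved to new_index (the drag-and-drop step)."""
    rest = [r for r in rules if r.name != name]
    moved = next(r for r in rules if r.name == name)
    return rest[:new_index] + [moved] + rest[new_index:]


if __name__ == "__main__":
    bob = Request("bob", frozenset({"Marketing"}), "Social Media")
    print("before:", evaluate(INTERNET_RULES, bob), shadowed_rules(INTERNET_RULES))
    fixed = reorder(INTERNET_RULES, "Marketing-Allow-Social", 1)
    print("after: ", evaluate(fixed, bob), shadowed_rules(fixed))
```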
Step 15: Experience Insights, Network Path Analysis (5 min)
Show: Monitor > Experience Insights — User Health Score dashboard. Click a user, show Network Path Analysis with hop-by-hop latency.
  • Show User Health Score — overall and per-dimension
  • Click on a specific user — show their path to M365 or another SaaS app
  • Identify where latency is: ISP, CSA PoP, or destination
  • Show endpoint diagnostics — CPU, RAM, NIC at time of issue
Pro tip: DEM is a huge differentiator. Most SASE platforms don't have this level of endpoint visibility. "Your helpdesk can now see exactly where a user's problem is without a remote session."
Step 16: Logs, Filtering, Details, Export (4 min)
Show: Monitor > Logs — Filter by user, show Web Activity + DLP Events. Export to CSV. Show syslog config.
  • Filter: specific user, last 24 hours — show their full web activity
  • Click a log entry — show all fields (URL, category, action, bytes, app, policy name)
  • Export: show CSV download and S3 export config option
  • Show syslog/CEF config — server IP, port, format, log types to stream
Pro tip: Security teams love the log detail level. "Can you show me what sites user X visited last Tuesday?" Answer: yes, in 10 seconds. That's powerful for incident response.
Step 17: AI Assistant, Create a Policy with AI (4 min)
Show: AI Assistant chatbot (bottom-right) — type a natural language request. Watch it generate and propose the policy config.
  • Use prompt: "Create a policy that blocks social media for all employees and warns about streaming sites"
  • AI generates the rule config — review with customer
  • Apply directly from chat or copy the config
  • Ask for a policy review: "Are there any gaps in my current internet policy?"
Pro tip: This is a strong closing moment. Natural language policy creation reduces the expertise barrier significantly. "Your junior admins can manage this platform."
Step 18: Q&A, Open Floor (2 min)
Open Q&A. Have the LLD reference and Objection Handling sections ready for quick answers.
  • Summarize: "One platform — ZTNA, VPN, SWG, DLP, posture, DEM. All managed from one dashboard."
  • Confirm next steps: POC scope, environment details, timeline
  • Offer a POC: 30-day evaluation with Cisco SE support
Pro tip: Use the Objections tab if any pushback comes up. Have it open in another tab during the demo. Stay calm — the platform speaks for itself.

Onboarding checklist: New customer delivery
Phase 1: Preparation (pre-deployment)
  1. Confirm IdP choice (Entra ID / Okta / AD on-prem)
  2. Collect: tenant ID, admin access to the IdP, AD structure (OUs, groups)
  3. Identify pilot group (10-50 users)
  4. Inventory the private apps to be protected (name, FQDN/IP, ports)
  5. Confirm datacenter platform for Resource Connectors (VMware/Docker/cloud)
  6. Verify outbound TCP 443 from the DC to *.sse.cisco.com
Phase 2: Day 1, base configuration
  7. Log in to sse.cisco.com and confirm that Duo authentication works
  8. Configure SAML App 1 (ZTA) in the IdP and the CSA dashboard
  9. Configure SAML App 2 (VPN) in the IdP and the CSA dashboard
  10. Start SCIM provisioning and verify that users/groups synchronize
  11. Deploy at least 2 Resource Connectors in the DC (HA)
  12. Verify connector status "Active" in the dashboard
Phase 3: Day 2, access configuration
  13. Add private resources (Private Resources) with the correct connector group
  14. Install Cisco Secure Client on pilot devices
  15. Test client-based ZTNA against 1-2 internal apps
  16. Test RA-VPN connection
  17. Configure IPsec tunnel to the DC if network segments are needed
Phase 4: Day 3, security policies
  18. Create security profile (Threat Protection + DLP)
  19. Configure Internet Access Policy (block malware, phishing, adult)
  20. Configure Private Access Policy (group-based access)
  21. Configure posture profile for managed devices
  22. Test blocking live (visit a test site, upload the DLP test file)
Phase 5: Days 4-5, broad rollout and operations
  23. Roll out Secure Client to all users (Intune/SCCM/GPO)
  24. Configure Experience Insights (HTTP/DNS monitors)
  25. Set up SIEM integration (syslog CEF/LEEF)
  26. Document IP pools, VPN FQDN, connector groups
  27. Conduct knowledge transfer with the customer's IT team
  28. Schedule follow-up after 30 days

Quick Reference

All dashboard navigation paths and key platform facts.
Connect Section
Identity Provider (SAML) | Connect > End User Connectivity > Identity Provider
SCIM Configuration | Connect > End User Connectivity > Identity Provider > SCIM
Remote Access VPN | Connect > End User Connectivity > Virtual Private Network
Zero Trust Access | Connect > End User Connectivity > Zero Trust Access
Resource Connectors | Connect > Network Connections > Connector Groups
IPsec / Network Tunnels | Connect > Network Connections > Network Tunnel Groups
Connector Groups | Connect > Network Connections > Connector Groups
Secure Section
Internet Access Policy | Secure > Access Policy > Internet Access
Private Access Policy | Secure > Access Policy > Private Access
Security Profiles | Secure > Security Profiles
Posture Profiles | Secure > Posture Profiles
Data Loss Prevention | Secure > Data Loss Prevention
Custom URL Categories | Secure > Custom URL Categories
TLS Inspection | Secure > TLS Decryption
Resources Section
Private Resources | Resources > Private Resources
Resource Groups | Resources > Resource Groups
Secure Client Profile | Resources > Secure Client
Monitor Section
Web Activity Logs | Monitor > Logs > Web Activity
DNS Logs | Monitor > Logs > DNS Activity
Firewall Logs | Monitor > Logs > Firewall
Private Access Logs | Monitor > Logs > Private Access
DLP Events | Monitor > Logs > DLP Events
Auth Events | Monitor > Logs > Auth Events
Experience Insights (DEM) | Monitor > Experience Insights
Reports | Monitor > Reports
Admin Section
Admin Users & RBAC | Admin > Users
Audit Logs | Admin > Audit Logs
SIEM / Log Export | Admin > Log Management
API Keys | Admin > API
Notifications / Alerts | Admin > Notifications
Licensing | Admin > Licensing
Organization Settings | Admin > Organization
Ports & Protocols
Port/Protocol | Direction | Purpose | Component
TCP 443 (HTTPS) | Outbound from endpoint | Secure Client tunnel, Resource Connector registration | All components
UDP 500 | Outbound from site/DC | IKEv2 IPsec phase 1 | IPsec tunnels
UDP 4500 | Outbound from site/DC | IKEv2 IPsec NAT-T, phase 2 | IPsec tunnels
TCP 443 | Outbound from Resource Connector | Connector → CSA cloud (outbound, no inbound required) | Resource Connectors
TCP/UDP 53 | Outbound from endpoint | DNS queries to the Umbrella resolver | DNS Security
TCP 389 | DC → AD | LDAP; the AD Connector reads AD | AD Connector
TCP 636 | DC → AD | LDAPS (encrypted); AD Connector | AD Connector
TCP 443 | Outbound | SCIM provisioning (Entra ID → CSA) | Identity/SCIM
TCP 443 | Outbound | Secure Client → SAML IdP authentication | Identity/SAML
Note: All outbound connections go to Cisco's global PoP network. No inbound rules are needed except for IPsec tunnels (UDP 500/4500 toward Cisco's headend IPs).
Quick Facts
VPN Headend FQDN | <orgname>.vpn.sse.cisco.com
SAML App 1 Entity ID | saml.fg.id.sse.cisco.com
SAML App 1 ACS URL | https://fg.id.sse.cisco.com/gw/auth/acs/response
SAML App 2 ACS URL | https://<orgname>.vpn.sse.cisco.com/+CSCOE+/saml/sp/acs
Resource Connector connectivity | Outbound HTTPS 443 only — no inbound rules required
Resource Connector minimum spec | 2 vCPU, 4 GB RAM, 8 GB disk
HA recommendation | Minimum 2 Resource Connectors per Connector Group per site
IPsec IKE version | IKEv2 only (IKEv1 not supported)
IPsec encryption | AES-256-GCM
IPsec DH group | Group 20 (ECDH P-384) by default; groups 19/15/14 are supported.
Policy evaluation order | Top-to-bottom — first match wins
DLP max file size (inline scanning) | 50 MB; files over 50 MB cannot be inspected
Log retention (in-platform) | Configurable — up to 30 days searchable in dashboard
SCIM providers supported | Entra ID (Azure AD), Okta, AD Connector (on-prem)
Supported client OS | Windows, macOS, Linux, iOS, Android
SWG URL categories | 103 pre-defined Talos categories
App visibility (DPI) | 30,000+ app visibility / 3,000+ controllable
Policy change propagation | Under 60 seconds globally

Objection Handling

Top 15 customer objections with sharp, confident responses.
01 "We already have VPN — why change?"

VPN gives network access. That's the problem, not the solution.

When a user VPNs in, they get access to your entire network — or a large subnet of it. If that device is compromised, the attacker gets the same access. Lateral movement is trivial.

ZTNA flips this: users get access to one specific app per authenticated session. No broader network. No lateral movement. Posture is verified before every session and continuously during it.

VPN and ZTNA aren't mutually exclusive. Cisco Secure Access gives you both — VPN for legacy apps that need full subnet, ZTNA for everything else. You migrate at your own pace. Zero disruption.

02 "ZTNA is too complex to deploy"

Complexity lives in the planning, not the platform.

The typical ZTNA pilot — 10 private resources, 50 users — takes 2-3 days end to end. Resource Connectors deploy in under an hour (Docker pull, provisioning key, done). Private resource definitions take under a minute each. The SAML setup with Entra ID or Okta is guided and well-documented.

The real complexity is IP access control lists and firewall rules in your current VPN setup. CSA eliminates that entirely — apps, not subnets.

03 "Cisco SSE is too expensive"

Compare the full stack, not the license line item.

Price CSA against what you're currently running: VPN hardware + maintenance + support + web proxy + DNS filtering + DLP tools + a separate RBI solution. Add staff time to manage five separate consoles. Add the cost of a single security incident caused by lateral movement that ZTNA would have prevented.

CSA is a consolidation play. Most customers eliminate 3-5 separate products. The license cost is usually offset entirely by what they retire — and the security posture improves significantly.

04 "We're not ready to move to cloud security"

You don't have to move everything. Start where the value is highest.

CSA doesn't require replacing your existing firewall or on-prem security stack. Add it alongside. Start with remote user protection — the highest-risk surface — and grow from there. Resource Connectors bridge your existing on-prem apps to the cloud security layer without touching your datacenter architecture.

The question isn't "are we ready?" It's "which users are highest risk today?" Start there. One deployment, 50 users, 30 days. Then decide.

05 "What about performance? Cloud adds latency"

Cloud security done right is faster than on-prem done badly.

Cisco operates global PoPs with anycast routing — user traffic goes to the nearest PoP, not across the globe. For most enterprise users, latency through CSA is lower than backhauling traffic to a central on-prem proxy through an MPLS network.

For internet-bound traffic specifically: local breakout through CSA is consistently faster than hairpinning through corporate DC. DEM (Experience Insights) gives you the proof — per-user latency data, ISP vs CSA vs destination breakdown.

If a customer has specific latency concerns, point them to the DEM capabilities and offer to run a measurement during the POC.

06 "We need to inspect TLS traffic but can't break cert-pinned apps"

TLS inspection bypass lists are exactly what they're for.

CSA's TLS decryption policy includes a bypass list. Certificate-pinned applications — banking apps, MDM agents, Microsoft services (some), antivirus update channels — are added to the bypass list and their traffic flows through uninspected.

Cisco maintains a pre-built list of known cert-pinned apps to bypass. You can also add custom entries. TLS inspection is selective — not all-or-nothing. You get visibility where it matters and compatibility where it doesn't.

07 "We have Zscaler / Palo Alto already"

Then you're already sold on cloud-delivered SSE. The question is which platform delivers better value.

Zscaler: strong SWG, but no integrated VPN headend. ZTNA (ZPA) is a separate product, separate agent, separate console. DEM is limited. No built-in DEM for private app paths.

Palo Alto Prisma Access: good security, but complexity is high. Licensing is byzantine. Onboarding is long. Support can be slow.

CSA differentiators: single agent (Secure Client), single console, VPN + ZTNA in one platform, Talos threat intel (largest threat research team in the world), DEM built-in, AI Assistant, and a Cisco TAC that actually answers the phone. Ask them what their current support experience is like.

08 "What happens if Cisco's cloud goes down?"

The same thing that happens when your on-prem VPN hardware fails — except Cisco's SLA is likely better than your hardware uptime.

Cisco Secure Access is built on a distributed, multi-region architecture. No single PoP or data center failure takes the service down. Cisco publishes a 99.999% uptime SLA for the SSE platform. That's under 6 minutes of downtime per year.

Compare that to your current VPN hardware: one device failure, one misconfigured upgrade, one power event — and you're down. With CSA, Cisco's operations team handles redundancy, patching, and failover automatically.

09 "We need on-prem for compliance reasons"

Which compliance requirement specifically? Most don't mandate on-prem infrastructure — they mandate controls.

CSA is compliant with SOC 2 Type II, ISO 27001, GDPR (EU data residency options available), PCI DSS (as a security control), and HIPAA. Data residency is configurable — traffic can be processed in EU-region PoPs only if required.

On-prem is an implementation choice, not a compliance requirement in most frameworks. The frameworks mandate encryption, access control, logging, and audit trails — all of which CSA provides, often more robustly than on-prem equivalents. Ask them to name the specific regulation or clause.

10 "Our users travel internationally — will this work?"

That's exactly the use case cloud SSE was designed for.

Cisco operates PoPs across North America, Europe, Asia-Pacific, and the Middle East. A user in Tokyo routes to the Tokyo PoP. A user in São Paulo routes to the nearest Brazilian PoP. Policy and security are identical regardless of location — no VPN backhauling to headquarters required.

VPN access in restrictive countries (China, UAE, Russia) requires specific configuration — UDP ports may be blocked. CSA supports SSL/TLS (port 443) fallback for VPN, which works in most restrictive environments. For ZTNA, port 443 is always used.

11 "How does it integrate with our existing SIEM?"

It integrates with all major SIEMs — out of the box.

CSA exports logs in CEF (Common Event Format) and LEEF (Log Event Extended Format) via real-time syslog stream. This is the native format for Splunk, IBM QRadar, Microsoft Sentinel, ArcSight, and most other enterprise SIEMs.

Additionally: S3 bucket export for data lake or batch ingestion, REST API for custom integrations, and Cisco also publishes pre-built Splunk dashboards and Sentinel workbooks. Whichever SIEM they're using, integration is a known, documented process — not a custom project.

12 "Resource Connectors — another agent we need to manage?"

Two VMs per datacenter. No maintenance overhead. Cisco manages the software.

Resource Connectors are containerized and self-updating. You deploy them (Docker or OVA, 30 minutes), they auto-register to CSA, and then Cisco manages the software lifecycle. You don't patch them. You don't update them. You just monitor their status in the dashboard — green means running.

Compare this to managing a traditional VPN concentrator: hardware refreshes, IOS upgrades, certificate renewals, HA failover testing. Connectors are a significant reduction in operational overhead, not an addition.

13 "Cisco licensing is complicated and expensive"

CSA is a per-user SaaS subscription — simpler than most.

Cisco Secure Access is licensed per user per year. There are typically two tiers — Essentials (SWG, CASB, ZTNA, RA-VPN) and Advantage (adds DLP, RBI, advanced DEM). No per-device licensing. No throughput tiers. No PoP fees. No connector licensing.

If they're thinking of Cisco's legacy product licensing complexity — EAs, SMARTnet, per-device registration — that's not CSA. This is a SaaS model. One SKU per tier, per user, per year. Clear, predictable, budgetable.

14 "We just renewed our Fortinet / Palo Alto investment"

Good. CSA works alongside it. This isn't a replacement conversation — yet.

CSA doesn't replace your perimeter firewall. It secures your remote users and provides cloud-delivered access control — use cases where Fortinet and Palo Alto on-prem hardware isn't the right tool regardless of investment size.

The conversation to have now: protect your remote users and provide ZTNA for private apps. Your FortiGate/NGFW stays in place for datacenter perimeter and site-to-site traffic. When renewal comes up, you'll have real-world CSA data and a clearer picture of what you actually need from on-prem vs cloud.

15 "IT is too understaffed to manage another platform"

CSA is designed to reduce management overhead, not add to it.

Unified dashboard: internet policy, private access, posture, DEM, logs — all in one place. No tool-switching. AI Assistant creates policies from natural language. Policy changes propagate globally in under 60 seconds — no deployment pipeline. Connectors self-update. SCIM keeps users in sync automatically.

The average CSA administrator spends 30-60 minutes per week on platform management after initial setup. If they're understaffed, the answer isn't "don't deploy better tools" — it's "deploy tools that do more with less manual effort." That's exactly what CSA is built for.

Sizing & Dimensioning

Scaling limits, capacity planning and reference architectures.

Platform limits

Parameter | Limit | Source
IPsec tunnel throughput | 1 Gbps per tunnel (per direction) | docs.sse.cisco.com
MTU | Max 1390 bytes (TCP MSS clamped to ≤1350) | docs.sse.cisco.com
RBI concurrent sessions | 25 per user | Product Description 5.3(C)
RBI data transfer | 2 GB per user per day | Product Description 5.3(C)
SIA/SPA data transfer | 20 GB per user per month | Product Description 5.3(A)
DLP file scanning | First 50 MB of each file | docs.sse.cisco.com
Malware Sandbox (Essentials) | 500 samples/day | Ordering Guide
Malware Sandbox (Advantage) | Unlimited | Ordering Guide
Multi-org deployments | Max 10 per customer | Product Description 5.3(D)
Browser SSH/RDP sessions | Limited to the number of Advantage SPA licenses | Ordering Guide
Investigate API (included) | 2,000 queries/day | Ordering Guide
RBI max file download | 5 GB | docs.sse.cisco.com
Availability SLA | 99.999% | Cisco SLA document
Provisioning time | Up to 72 hours | Ordering Guide
Reserved IP provisioning | 4–6 weeks | Ordering Guide

Resource Connector requirements

Component | Specification
RAM per CPU core | Minimum 512 MB
AD integration | Max 400 AD events/sec per domain controller
Redundancy | At least 2 connectors per group recommended
Protocol | DTLS (primary), TLS (fallback if UDP is blocked)
Deployment | AWS, Azure, VMware, Docker, Kubernetes
Scale | Add more connectors as needed; no published maximum

Sizing guide

Size | Users | IPsec tunnels | Connectors | Recommendation
S | 50–500 | 1–2 | 2 per site | Essentials is sufficient
M | 500–2,000 | 2–4 | 2–4 per site | Advantage recommended
L | 2,000–10,000 | 4–8 | 4+ per site | Advantage + DLP + IPS
XL | 10,000+ | 8+ (multiple regions) | 6+ per site | Advantage + Reserved IP + Multi-org
Note: Cisco does not publish exact maximum user limits. For deployments with more than 5,000 users, request a formal sizing assessment. 1 Gbps per IPsec tunnel means that sites needing more than 1 Gbps require multiple tunnels.

API rate limits

Tier | Limit | License
Base (included) | 2,000 queries/day | All packages
Small (SA-INV-API-S) | 3 req/sec | Add-on purchase
Medium (SA-INV-API-M) | 12 req/sec | Add-on purchase
Large (SA-INV-API-L) | 48 req/sec | Add-on purchase

Licensmodell — Essentials vs Advantage

Fullständig feature-matris, SKU-referens och vanliga licensing-fallor.

Feature-matris

FunktionEssentialsAdvantageNotering
ZTNA (klient + clientless HTTP/S)InkluderadInkluderadGrundfunktion
ZTNA SSH/RDP (clientless)NejInkluderadAdvantage-exklusivt
SWG (proxy, URL-filtrering)GrundläggandeFull L7Advantage har L7 appkontroll
CASBBegränsadFull + GenAI-kontrollAdvantage har AI-appkontroller
FWaaS L3/L4InkluderadInkluderadGrundnivå
FWaaS L7 + IPSNejInkluderadMed TLS-inspektion
DLPTillägg (SA-DLP)InkluderadVanlig gotcha
RBI (riskfyllda sajter)Tillägg (SA-RBIR)InkluderadBorttagen 2026
RBI (alla sajter)Tillägg (SA-RBIA-ESS)InkluderadFull isolation
DNS SecurityInkluderadInkluderadAlla tiers
DEM / Experience InsightsInkluderadInkluderadThousandEyes-baserad
Malware Sandbox500 samples/dagObegränsat + SMAEssentials hårdkappad
VPNaaSInkluderadInkluderadCloud RA-VPN
IPS (Intrusion Prevention)NejInkluderadMed TLS-inspektion
Talos Threat IntelInkluderadInkluderadAlla tiers
AI AssistantInkluderadInkluderadPolicyautomation

DNS Defense (separat tier)

FunktionDNS EssentialsDNS Advantage
DNS-lagersäkerhetInkluderadInkluderad
SaaS API DLPInkluderadAvancerad
Cloud malware-skanningInkluderadInkluderad
DNS Defense kan inte kombineras med SIA (ömsesidigt uteslutande). Kan kombineras med SPA.

Licensmodell

Prismodell
Per "Covered User" (anställda, konsulter, auktoriserade).
Minimum: 50 användare per tier (SIA/SPA). DNS Defense: 1 användare.
Perioder: 12, 36 eller 60 månader.
Tiered pricing: Lägre pris vid högre volym (100, 1K, 5K, 10K, 25K+).
Regler
SIA + SPA måste vara samma tier (båda Essentials eller båda Advantage).
Auto-renewal: 12 månader om inte avbrutet 60 dagar före.
Secure Client: Inkluderad utan separat licens.
ThousandEyes endpoint agent: Inkluderad i SIA/SPA.

7 Common Licensing Pitfalls

1. DLP missing from Essentials — Despite "all core SSE", DLP requires a separate add-on (SA-DLP). Customers often assume it is included.
2. RBI removed from Essentials — Since 2026, RBI for risky sites is an add-on (SA-RBIR) and no longer included.
3. No IPS in Essentials — L7 firewall and IPS with decryption require Advantage.
4. SSH/RDP sessions limited — Number of available sessions = number of Advantage SPA licenses purchased.
5. 500 sandbox samples/day — Essentials has a hard cap. Advantage is unlimited, with the full SMA console.
6. DNS Defense not combinable with SIA — You must choose one of them. DNS Defense can, however, be combined with SPA.
7. Premium Support requires $30K/year — SWSS Enhanced is included. Premium with prioritized handling requires a minimum of USD 30,000 annually.

SKU reference

SKU | Description
SA-SIA-ESS | Secure Internet Access Essentials
SA-SIA-ADV-K9 | Secure Internet Access Advantage
SA-SPA-ESS-K9 | Secure Private Access Essentials
SA-SPA-ADV-K9 | Secure Private Access Advantage
SA-DNS-ESS-K9 | DNS Defense Essentials
SA-DNS-ADV-K9 | DNS Defense Advantage
SA-DLP | DLP add-on (Essentials)
SA-RBIR | RBI Risky add-on (Essentials)
SA-RBIA-ESS | RBI Advanced add-on (Essentials)
SA-MWARE | Extended Malware Analytics
SA-THRT | Threat Defense add-on
Source: Cisco Secure Access Subscription Ordering Guide, updated 2026-02-23

Migration guides

Step-by-step scenarios: ASA/AnyConnect, Umbrella, Meraki MX and third-party vendors.

ASA/FTD + AnyConnect → Cisco Secure Access

Phase 1 — Assessment
Export the ASA configuration (show running-config). Document group policies, auth methods (SAML/RADIUS/LDAP) and split-tunnel settings. Export AnyConnect XML profiles and certificate configuration. Identify IP pool overlaps.
Phase 2 — Prepare Secure Access
Create VPN IP pools (outside the existing ASA CIDRs). Configure IdP integration (Entra ID, Okta, RADIUS). Create VPN profiles that match the existing group policies. Set up posture requirements.
Phase 3 — Client deployment
Deploy Cisco Secure Client (unified; replaces AnyConnect). Pre-deploy VPN profiles via XML: C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile. Enable Always-On VPN (a new capability compared with legacy AnyConnect).
Phase 4 — Dual-Run (parallel operation)
Keep the ASA RA-VPN during the transition; there is no forced cutover. Run both clients in parallel. Use split DNS to route internal domains via the legacy VPN during the pilot. Monitor Remote Access logs in the Secure Access dashboard.
Phase 5 — Cutover
Disable the legacy group policies on the ASA. Remove AnyConnect profiles from endpoints. Decommission the ASA RA-VPN.
What changes for users?
• Enrollment is required (profile URL or pre-deployed XML)
• Always-On VPN with machine tunnel (certificate-based)
• Same auth methods, but configured in the Secure Access portal
• Split tunnel per VPN Profile (more granular than an ASA group policy)
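Phase 1 asks you to identify IP pool overlaps before Phase 2 creates the new Secure Access pools. The following is an added example (not from this page or from Cisco) that parses the `ip local pool` lines of an exported ASA running-config and reports every proposed Secure Access pool that collides with an existing ASA range. The config snippet and the proposed pool CIDRs are constructed for illustration; the pool names and addresses are not real.

```python
import ipaddress
import re

# Constructed excerpt of an ASA running-config (not from a real device); in
# practice, feed it the output of "show running-config | include ip local pool".
ASA_CONFIG = """\
hostname asa-hq
ip local pool RA_POOL_1 10.10.50.1-10.10.50.254 mask 255.255.255.0
ip local pool RA_POOL_2 10.10.60.1-10.10.61.254 mask 255.255.254.0
ip local pool CONTRACTORS 172.16.8.10-172.16.8.20 mask 255.255.255.0
"""

# Proposed Secure Access VPN pools (constructed). Phase 2 requires these to sit
# outside every ASA range so that dual-run clients never receive clashing addresses.
PROPOSED_POOLS = ["10.10.50.0/24", "10.20.0.0/16", "172.16.8.0/27"]

# ASA syntax: ip local pool <name> <first>-<last> [mask <netmask>]
POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)(?: mask (\S+))?",
    re.MULTILINE,
)


def parse_asa_pools(config):
    """Return {pool_name: (first_address, last_address)} for every ip local pool."""
    pools = {}
    for name, first, last, _mask in POOL_RE.findall(config):
        pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return pools


def find_pool_conflicts(config, proposed_cidrs):
    """Return (asa_pool_name, asa_range, proposed_cidr) for each overlapping pair.

    Two ranges overlap when neither ends before the other starts, so a pool
    that only partially intersects a proposed CIDR is still reported.
    """
    conflicts = []
    existing = parse_asa_pools(config)
    for cidr in proposed_cidrs:
        new_net = ipaddress.IPv4Network(cidr, strict=False)
        for name, (first, last) in existing.items():
            if first <= new_net.broadcast_address and last >= new_net.network_address:
                conflicts.append((name, f"{first}-{last}", str(new_net)))
    return conflicts


if __name__ == "__main__":
    for pool, asa_range, cidr in find_pool_conflicts(ASA_CONFIG, PROPOSED_POOLS):
        print(f"CONFLICT: proposed {cidr} overlaps ASA pool {pool} ({asa_range})")
```

Run it against the real export before creating pools in the dashboard; an empty result means every proposed pool is clear of the ASA ranges. Pools defined via `mask` only are still caught because the regex keys on the start-end pair, which ASA always emits.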

Umbrella → Cisco Secure Access

Path A: DNS → DNS Defense (~1 hour)
1. Request an invitation: Umbrella Admin → Licensing → "Upgrade"
2. Wait 3–4 business days for the claim code
3. Log in to Security Cloud Control (SCC)
4. Link the Umbrella org via the claim code
5. Run Upgrade Manager; policies are migrated automatically
6. Verify, then close the Umbrella org (IRREVERSIBLE)
Path B: SIG → Full SSE (1+ year)
SWG rules are not migrated automatically, because the policy model is different. They must be rebuilt manually. Cisco provides 1 extra subscription year for planning. Phased migration: DNS Defense → SIA → SPA (ZTNA). Dual-run is supported.
Client migration
Umbrella Roaming Client → Cisco Secure Client with the Umbrella module → end goal: Secure Client with the Secure Internet Access module. For mobile: Intune or Workspace ONE for the configuration XML.

Meraki MX → Secure Access + Meraki

1. Secure Access — Create tunnel
Connect → Network Connections → Network Tunnel Groups → Add. Select the region and device type "Meraki MX". Set the Tunnel ID (e-mail format) and passphrase (16–64 characters). Critical: add the monitoring probe IP 192.0.2.3/32. Download the CSV with the tunnel configuration.
2. Meraki MX — Configure IPsec
Security & SD-WAN → Site-to-site VPN → Non-Meraki VPN Peers → Add Peer.
IKE Version: IKEv2. Public IP: Primary DC IP from the CSV. IPsec Policy: "Umbrella" preset. Health Check: http://service.sig.umbrella.com. Add a secondary tunnel for HA.
Function | Stays on MX | Moves to Cloud
Firewall L3/L4 | Site-to-site rules | Internet/app rules
URL/App filtering | | SWG
DLP | | Secure Access DLP
SD-WAN/Routing | AutoVPN, routing |
Threat protection | Anti-malware (optional) | Cloud threat feeds
Limitations: only 1 tunnel group with health checks per Meraki site (Private Access). ECMP/load balancing is not supported. MTU 1280 bytes for SIA.
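The three inputs above that most often break a Meraki tunnel (a Tunnel ID that is not in e-mail format, a passphrase outside 16–64 characters, and a missing 192.0.2.3/32 probe) are easy to check before anything is typed into either dashboard. The following pre-flight validator is an added example, not Cisco's or Meraki's code. It assumes the probe address must appear in the list of networks advertised to the peer and that the MTU is set per tunnel; the `TUNNEL` dictionary is a constructed stand-in for the values you would enter, not a parsed CSV export.

```python
import ipaddress
import re

PROBE_IP = "192.0.2.3/32"   # monitoring probe the page marks as critical
SIA_MTU = 1280              # bytes, from the limitations note above

# Constructed tunnel-group parameters (illustrative; no real org or secret).
TUNNEL = {
    "tunnel_id": "branch-stockholm@example-org",
    "passphrase": "correct-horse-battery-staple-2026",
    "remote_networks": ["10.40.0.0/16", "192.0.2.3/32"],
    "mtu": 1280,
}

# Loose e-mail shape: one '@', no whitespace. Good enough to catch a bare hostname.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def validate_tunnel_group(cfg):
    """Return a list of problems; an empty list means the pre-flight passed."""
    problems = []

    if not EMAIL_RE.match(cfg.get("tunnel_id", "")):
        problems.append("tunnel_id must be in e-mail format (local@domain)")

    pw = cfg.get("passphrase", "")
    if not 16 <= len(pw) <= 64:
        problems.append(f"passphrase length {len(pw)} is outside 16-64 characters")

    nets = []
    for cidr in cfg.get("remote_networks", []):
        try:
            # strict=True rejects host bits set on a prefix, e.g. 10.40.0.1/16
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            problems.append(f"remote network {cidr!r} is not a valid CIDR")

    probe = ipaddress.ip_network(PROBE_IP)
    if not any(probe.subnet_of(n) for n in nets if n.version == 4):
        problems.append(f"monitoring probe {PROBE_IP} is missing from remote networks")

    if cfg.get("mtu", SIA_MTU) > SIA_MTU:
        problems.append(f"MTU {cfg['mtu']} exceeds the {SIA_MTU} bytes supported for SIA")

    return problems


if __name__ == "__main__":
    issues = validate_tunnel_group(TUNNEL)
    print("pre-flight OK" if not issues else "\n".join(issues))
```

The probe check accepts a supernet that contains 192.0.2.3 as well as the exact /32, since either way the health-check traffic has a route into the tunnel.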

Third-party vendor → Cisco Secure Access

There is no automatic policy import tool. Policies must be recreated manually; the differing policy models make automation impractical.
Aspect | Zscaler ZPA/ZIA | Netskope | Palo Alto Prisma
Policy model | URL-centric | Risk-based + rules | App-based rules
Migration difficulty | Medium | Hard (unique risk model) | Medium
IdP migration | Direct (SAML) | Direct (SAML) | Direct (SAML)
DLP migration | Manual | Manual (unique ML model) | Manual

Time estimate

Size | Timeframe
Small (50–100 users, <20 apps) | 2–3 months
Medium (500+ users, 50–100 apps) | 4–6 months
Enterprise (10K+ users, 200+ apps) | 9–12 months + professional services
Phased migration (recommended)
Weeks 1–2: 10–20 users, both SSEs active. Weeks 3–6: expand to departments (100–500 users). Weeks 7–12: production migration, decommission the legacy SSE.

Day 2 Operations

Troubleshooting, monitoring, SIEM integration and TAC escalation.

ZTNA — User cannot reach a private app

1. Verify the access policy — Does the rule match user/group → resource → action?
2. Check the private resource config — Is the resource attached to the correct tunnel group/resource connector?
3. Check posture — Does the device pass the posture requirements (OS, AV, encryption)?
4. Verify the Resource Connector — Is the RC up? Dashboard: Connect → Network Connections
5. "Validate Application Certificate" — Can cause TLS errors if the resource presents an untrusted cert
6. Collect a DART bundle — Secure Client → Statistics → Details → Create bundle
7. Enable debug: create logconfig.json containing {"global": "DBG_TRACE"}
Windows: C:\ProgramData\Cisco\Cisco Secure Client\ZTA
macOS: /opt/cisco/secureclient/zta

Common error codes

Error | Cause | Resolution
NoActiveDHA | Device Health Agent posture registration failed | Verify DHA status, re-register the device
PostureRegistrationError | Posture validation failed | Check the posture requirements against the device's status
TLS_error 268435703 | "Wrong version number" (untrusted cert) | Install the Cisco Secure Access root cert
268435581 | CERTIFICATE_VERIFY_FAILED | Disable "Validate App Certificate" or install the CA cert

IPsec tunnel — Diagnostics

show crypto ikev2 sa
show crypto ipsec sa
show crypto session
show bgp summary
show crypto ipsec sa | i peer|caps  # verify that encaps/decaps are increasing

Policy verification

Browse to https://policy.test.sse.cisco.com/ from a protected endpoint. It shows: Organization ID, deployment type, proxy info, public/private IP.

Experience Insights (DEM) — ThousandEyes-based

Endpoint
CPU, memory, disk, Wi-Fi signal strength (RSSI)
Network
Latency, packet loss, jitter, VPN tunnel health
Application
SaaS performance (M365, Webex, Slack, etc.)
Dashboard navigation
Experience Insights → Insights Management
  ├── Endpoint Performance Map (geographic view)
  ├── Endpoints Summary Table
  ├── Network Test Results (latency, loss, jitter)
  ├── SaaS Application Performance
  └── User Dashboard (single-device deep dive)
AI Assistant
Natural-language questions about device performance. Automatic investigation of network traffic. Proactive problem identification.

SIEM integration

Splunk
Cisco Secure Access Add-on (Splunkbase #7569). Prebuilt dashboards and parsers.
Google SecOps
Built-in parser for Secure Access logs. Native integration.
Syslog
Any syslog server. Port 514 UDP/TCP. CEF format (Common Event Format).

Log formats

Log type | Format | Content
VPN logs | CSV | anyConnectVersion, eventType, userId, assignedIp, timestamp
Activity Search | REST API + Dashboard | Real-time events, policy, source, destination, threats
Syslog | CEF | Event type, user, resource, action, threat intel
REST API: Bearer token auth (token expires after 1 hour). Endpoint: GET /api/v2/activity-search
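When the syslog feed lands in a SIEM that has no Secure Access parser, you need to split CEF correctly yourself: header fields are `|`-delimited with `\|` and `\\` escapes, and extension values escape `=` as `\=`. The parser below is an added example, not from this page or from Cisco, and the three log lines are constructed to show the shape; the signature IDs, version string and extension keys (`suser`, `act`, `request`, `dhost`, `msg`, `cs1`) are illustrative choices from the CEF key dictionary, not Cisco's documented schema. The detection at the end counts blocked events per user, a first cut for finding a noisy endpoint.

```python
import re
from collections import Counter

# Constructed CEF records as a syslog receiver would store them (illustrative only).
SAMPLE_CEF = r"""
CEF:0|Cisco|Secure Access|1.0|web|Web request|5|rt=1718000000000 suser=alice@example.com act=block src=10.10.50.12 request=http://malware.example/payload cs1Label=category cs1=Malware
CEF:0|Cisco|Secure Access|1.0|web|Web request|3|rt=1718000001000 suser=bob@example.com act=allow src=10.10.50.13 request=https://m365.example/ cs1Label=category cs1=Business
CEF:0|Cisco|Secure Access|1.0|dns|DNS query|7|rt=1718000002000 suser=alice@example.com act=block src=10.10.50.12 dhost=c2.bad.example msg=C2 domain\=blocked by Talos\\feed
"""

HEADER_NAMES = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def _split_header(body):
    """Split the 7 pipe-delimited header fields, honouring \\| and \\\\ escapes.

    Returns (fields, extension_string); the extension is everything after the 7th pipe.
    """
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])      # keep the escaped character literally
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 '|' delimiters")
    return fields, body[i:]


# key=value pairs; a value runs until the next " key=" token, and "\\." keeps
# escaped characters (\\= or \\\\) from terminating it early.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", re.DOTALL)
_UNESCAPE = {r"\=": "=", r"\\": "\\", r"\n": "\n", r"\r": "\r"}


def _unescape(value):
    return re.sub(r"\\[=\\nr]", lambda m: _UNESCAPE[m.group(0)], value)


def parse_cef(line):
    """Parse one CEF record into a dict of header fields plus an 'extension' dict."""
    line = line.strip()
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_NAMES, fields))
    event["extension"] = {k: _unescape(v) for k, v in EXT_RE.findall(ext)}
    return event


def blocked_by_user(lines):
    """Count events with act=block per source user (blank lines are skipped)."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        ext = parse_cef(line)["extension"]
        if ext.get("act") == "block":
            counts[ext.get("suser", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in blocked_by_user(SAMPLE_CEF.splitlines()).items():
        print(f"{user}: {n} blocked event(s)")
```

The escape handling matters in practice: a URL or message containing `=` arrives as `\=`, and a naive `split("=")` would silently truncate it, so the value you alert on would not be the value the user actually requested.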

TAC escalation

Open a case
1. Go to mycase.cloudapps.cisco.com
2. Open a new case → Product: "Cisco Secure Access"
3. Required: Organization ID (from the dashboard URL)

Diagnostic data to collect

Type | Method
DART Bundle | Secure Client → Statistics → Details → Create bundle
ZTNA debug | logconfig.json with {"global": "DBG_TRACE"}
SWG debug | SWGConfigOverride.json with {"logLevel": "1"}
Resource Connector | rc-cli> diagnostic and rc-cli> techsupport
HAR captures | Browser DevTools → Network → Save as HAR
Packet capture | Wireshark / tcpdump

Severity levels

Severity | Description
1 | Production down, no workaround
2 | Production impacted, partial workaround
3 | Minor problem, workaround available
4 | Enhancement request

Certificate rotation

Certificate | Rotation interval | Action
S3 Bucket Keys (AWS) | Every 90 days (MANDATORY) | Settings → AWS Integration → Rotate
SAML certificate | Annually | Renew before the expiry date, update the IdP
TLS Inspection cert | As needed | Generate a new one, upload it in the dashboard

Resource Connector CLI

rc-cli> diagnostic    # Full connectivity test
rc-cli> techsupport   # Version, tunnel status, CPU/memory/disk
rc-cli> tcpdump <host> # Packet capture on the RC interface

Secure Client

Current version: 5.1.14.145 (MR14)
Automatic updates: enabled by default (staged rollout)
Resource Connectors: over-the-air auto-update (since October 2025)
Platforms: Windows 10+, macOS 10.15+, Linux, iOS, Android

Cisco Stack Integration

Cisco ISE
pxGrid real-time sharing of device data. SGT-based segmentation. RADIUS dynamic policy application. ISE posture → Secure Access policy decisions.
Catalyst SD-WAN
Automatic IPsec/GRE tunnel provisioning. Requirement: IOS-XE 17.13.1a+. Policy groups for traffic steering. show sse all for verification.
Cisco XDR
Automatic detection collection from DNS, SWG, DLP, FWaaS, ZTNA. Incident correlation across endpoints + network + identity. AI-driven triage.
Cisco Duo
SAML/OIDC SSO with continuous risk monitoring. Trust Monitor: patch level, encryption, ownership. Behavioral analysis: impossible travel, new device.
Cisco Talos
Powers DNS Security, SWG, FWaaS. 800+ billion DNS queries daily. DGA detection, C2 identification, phishing classification. ML for zero-day.
ThousandEyes
DEM built in at no extra cost. End-to-end: user → ISP → Secure Access → app. Root-cause analysis for performance.
Meraki
Static IPsec tunnels as Non-Meraki VPN Peers. Health check with failover. Critical: include 192.0.2.3/32.
Security Cloud Control
Unified management platform. Single pane of glass: Secure Access, Umbrella, Duo, XDR. Centralized policy and compliance.