Security Certifications Compliance Recommendations

Cisco recommends that you observe the following best practices when using a system with security certifications compliance enabled:

  • To enable security certifications compliance in your deployment, enable it first on the Cloud-Delivered Firewall Management Center, then enable it in the same mode on all managed devices.

    Caution
    The Cloud-Delivered Firewall Management Center will not receive event data from a managed device unless both are operating in the same security certifications compliance mode.
  • For all users, enable password strength checking and set the minimum password length to the value required by the certifying agency.

  • To use Cloud-Delivered Firewall Management Centers in a high-availability configuration, configure them both to use the same security certifications compliance mode before forming the high availability pair.

  • When you configure Secure Firewall Threat Defense on a Firepower 4100/9300 to operate in CC or UCAPL mode, you should also configure the Firepower 4100/9300 to operate in CC mode. For more information, see the Cisco Firepower 4100/9300 FXOS Chassis Manager Configuration Guide.

  • Do not configure the system to use any of the following features:

    • Email reports, alerts, or data pruning notifications.

    • Nmap Scan, Cisco IOS Null Route, Set Attribute Value, or ISE EPS remediations.

    • Third-party client access to the system database.

    • External notifications or alerts transmitted via email (SMTP), SNMP trap, or syslog.

    • Audit log messages transmitted to an HTTP server or to a syslog server without using SSL certificates to secure the channel between the appliance and the server.

  • Do not enable external authentication using LDAP or RADIUS in deployments using CC mode.

  • Do not enable CACs in deployments using CC mode.

  • Disable access to the Cloud-Delivered Firewall Management Center and managed devices via the Secure Firewall REST API in deployments using CC or UCAPL mode.

  • Enable CACs in deployments using UCAPL mode.

  • Do not configure SSO in deployments using CC mode.

Note

The system does not support CC or UCAPL mode for

  • Secure Firewall Threat Defense devices in clusters

  • Secure Firewall Threat Defense container instances on the Firepower 4100/9300

  • Exporting event data to an external client using eStreamer.
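The recommendations and the Note above can be checked mechanically against a description of a deployment. The following is an added example, not Cisco's code and not the Cloud-Delivered Firewall Management Center API: it assumes a hand-built dictionary describing the management center and its managed devices, with hypothetical feature and mode names, and reports every recommendation the description violates.

```python
# Added example, not Cisco's code; the dictionary layout and feature names are assumed for illustration.
FORBIDDEN_FEATURES = {  # features the page says must stay disabled in either compliance mode
    "email_reports", "nmap_scan_remediation", "ios_null_route_remediation", "set_attribute_value_remediation",
    "ise_eps_remediation", "third_party_db_access", "smtp_alerts", "snmp_trap_alerts", "syslog_alerts",
    "unencrypted_audit_log_export", "rest_api",
}
UNSUPPORTED_DEPLOYMENTS = {"cluster", "container_instance", "estreamer_export"}  # per the Note above

def audit(deployment, min_password_length):
    """Return a list of findings; an empty list means no recommendation is violated."""
    findings = []
    mc = deployment["management_center"]
    mode = mc["mode"]  # assumed values: "none", "CC" or "UCAPL"
    if mode not in ("CC", "UCAPL"):
        return ["management center is not running in a compliance mode"]
    if mc.get("ha_peer_mode") not in (None, mode):  # HA peers must match before pairing
        findings.append("HA peers must use the same compliance mode before pairing")
    if not mc["password_strength_check"] or mc["min_password_length"] < min_password_length:
        findings.append("password policy is below the certifying agency's minimum")
    for feature in sorted(FORBIDDEN_FEATURES & mc["enabled_features"]):
        findings.append(f"feature must be disabled: {feature}")
    if mode == "CC":  # LDAP/RADIUS, CAC and SSO are all ruled out in CC mode
        for feature in ("ldap_auth", "radius_auth", "cac", "sso"):
            if feature in mc["enabled_features"]:
                findings.append(f"not allowed in CC mode: {feature}")
    elif "cac" not in mc["enabled_features"]:  # UCAPL mode requires CACs
        findings.append("CAC must be enabled in UCAPL mode")
    for dev in deployment["devices"]:
        if dev["mode"] != mode:  # mismatched modes: the management center will not receive the device's events
            findings.append(f"{dev['name']}: mode {dev['mode']} differs from management center")
        for kind in sorted(UNSUPPORTED_DEPLOYMENTS & set(dev.get("deployment_types", ()))):
            findings.append(f"{dev['name']}: {kind} is not supported in CC/UCAPL mode")
        if dev.get("chassis") == "4100/9300" and dev.get("chassis_mode") != "CC":
            findings.append(f"{dev['name']}: Firepower 4100/9300 chassis should also run in CC mode")
    return findings

SAMPLE_DEPLOYMENT = {  # constructed sample with several deliberate violations
    "management_center": {"mode": "CC", "ha_peer_mode": "CC", "password_strength_check": True,
                          "min_password_length": 15, "enabled_features": {"rest_api", "ldap_auth"}},
    "devices": [
        {"name": "ftd-1", "mode": "CC", "chassis": "4100/9300", "chassis_mode": "CC"},
        {"name": "ftd-2", "mode": "UCAPL", "deployment_types": ["cluster"]},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEPLOYMENT, 15):
        print(finding)
```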