SD-WAN Security UTD and URL Filtering
Introduction
As organizations adopt SD-WAN to connect their branch offices, data centers, and cloud environments, security becomes a critical concern. Traditional architectures forced all traffic through a centralized security stack at the data center, adding latency and creating bottlenecks. With Catalyst SD-WAN, security features can be deployed directly on the WAN edge routers, bringing protection as close to the users and clients as possible.
This lesson covers the embedded security capabilities within Catalyst SD-WAN, focusing on Unified Threat Defense (UTD), which includes Intrusion Prevention System (IPS) functionality, URL filtering, and integration with cloud-based Security Service Edge (SSE) providers. By the end of this lesson, you will understand how SD-WAN delivers on-box security through firewall, IPS, URL filtering, and malware protection, as well as how traffic can be redirected to external cloud security providers for additional inspection.
You will learn the key security components available in the Catalyst SD-WAN fabric, how they work together to protect branch internet and SaaS traffic, and how cloud security integration extends that protection beyond the edge router.
Key Concepts
Catalyst SD-WAN provides a layered security architecture that combines embedded on-box security features with cloud-based security services. Understanding each layer is essential before diving into configuration and deployment.
Embedded Security Features
The following security features are built directly into the Catalyst SD-WAN edge routers:
| Security Feature | Description |
|---|---|
| Stateful Zone-Based Firewall (ZBFW) | Provides stateful packet inspection and zone-based segmentation at the branch |
| Segmentation with Multi-Topology | Enables network segmentation across the WAN fabric using VPNs and topologies |
| IPS (Intrusion Prevention System) | Snort-based protection against complex threats, inspecting traffic for known attack signatures |
| URL Filtering | Categorizes and controls web access across 82+ web categories |
| AMP (Advanced Malware Protection) | File reputation and sandboxing powered by Talos threat intelligence |
| Unified Policy and Logging | Centralized policy creation and log management through the SD-WAN Manager |
Fabric Security
Beyond the application-layer security features, the SD-WAN fabric itself is secured at multiple levels:
- Encrypted Control Plane: All control plane communications between WAN edge routers and controllers run inside authenticated TLS or DTLS connections
- Encrypted Data Plane: IPsec tunnels protect all data plane traffic traversing the WAN
- Enhanced Security with Pairwise Keys: Each pair of WAN edge routers can use unique encryption keys, preventing one compromised device from decrypting traffic between other devices
- Hardware-Based Device Authentication (SUDI): Secure Unique Device Identifiers embedded in hardware ensure that only authorized devices can join the SD-WAN fabric
SecOps Monitoring and Visibility
The SD-WAN Manager provides a SecOps Dashboard for end-to-end monitoring and visibility. This dashboard gives security operations teams a centralized view of security events, threat detections, and policy enforcement across the entire SD-WAN fabric.
How It Works
On-Box Security with UTD
The Unified Threat Defense engine on Catalyst SD-WAN edge routers brings next-generation firewall capabilities directly to the branch. Rather than backhauling all internet-bound traffic to a centralized firewall, the edge router can inspect traffic locally. This approach delivers security for local internet breakout and direct SaaS access at the branch.
The UTD engine integrates several security functions into a single inspection pipeline:
- Firewall (ZBFW): Traffic entering or leaving a zone is evaluated against zone-based firewall policies. This is the first line of defense, providing stateful inspection and access control.
- IPS with Snort: The Snort-based IPS engine inspects traffic flows for signatures matching known attacks and complex threats. This provides deep packet inspection beyond what a stateful firewall offers.
- URL Filtering: Web traffic is categorized against 82+ web categories. Administrators can permit, block, or monitor access to specific categories. This allows granular control over which websites branch users can access.
- AMP File Reputation and Sandboxing: Files traversing the network are checked against Talos threat intelligence for known malicious file hashes. Suspicious files can be sent to a sandbox for dynamic analysis.
All of these features are managed through guided workflows in the SD-WAN Manager, providing unified management and simplified configuration. Policies and logging are centralized, so administrators do not need to configure each edge router individually.
Branch Internet and SaaS Security Flow
When a branch user accesses an internet application or SaaS service, the traffic flow through the on-box security stack follows this general path:
- The user's traffic originates in a service-side VPN on the edge router
- The ZBFW evaluates the traffic against zone-based policies
- If permitted, the UTD engine performs IPS inspection using Snort signatures
- URL filtering checks the destination against configured web categories
- AMP evaluates any file transfers for malicious content
- Clean traffic is forwarded out toward the internet or SaaS destination
This entire inspection happens locally at the branch, eliminating the need to backhaul traffic to a central site for security processing.
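The ZBFW stage in the flow above is stateful: a permitted outbound session creates state on the router, and the matching return traffic is allowed even though no rule permits the internet-to-service-VPN direction. The Python model below is an added example written for this page, not Cisco's implementation and not a representation of IOS XE internals. The zone names, the zone-pair policy table, the 5-tuple session key and the sample packets are all constructed; the `syn` flag stands in for a real TCP state check.

```python
"""Added example (not Cisco code): a minimal stateful zone-based firewall model.

Zone pairs map (proto, dst_port) to an action. 'inspect' creates a session
entry so that return traffic is permitted; an undefined zone pair drops traffic.
All names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a new TCP connection


class ZoneBasedFirewall:
    def __init__(self, zone_pairs):
        # {(src_zone, dst_zone): {(proto, dst_port): "inspect" | "drop"}}
        self.zone_pairs = zone_pairs
        self.sessions = set()  # 5-tuples of sessions created by 'inspect'

    def evaluate(self, pkt):
        forward = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Stateful part: return traffic of an existing session is permitted
        # regardless of the zone-pair policy in the reverse direction.
        if reverse in self.sessions:
            return "permit-return"
        if forward in self.sessions:
            return "permit-established"
        rules = self.zone_pairs.get((pkt.src_zone, pkt.dst_zone))
        if rules is None:
            return "drop-no-zone-pair"  # implicit deny for undefined zone pairs
        action = rules.get((pkt.proto, pkt.dst_port), "drop")
        if action != "inspect":
            return "drop-policy"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop-no-session"  # mid-stream TCP packet with no session
        self.sessions.add(forward)
        return "permit-inspect"


def run_demo():
    """Evaluate a constructed packet sequence and return the verdicts in order."""
    fw = ZoneBasedFirewall({
        ("service-vpn", "internet"): {
            ("tcp", 443): "inspect",
            ("tcp", 80): "inspect",
            ("udp", 53): "inspect",
        },
    })
    packets = [
        # 1. client opens HTTPS to the internet: permitted, session created
        Packet("service-vpn", "internet", "10.1.1.10", "203.0.113.5", 51000, 443, syn=True),
        # 2. server reply: permitted by session state, not by a zone-pair rule
        Packet("internet", "service-vpn", "203.0.113.5", "10.1.1.10", 443, 51000),
        # 3. unsolicited inbound RDP from the internet: no zone pair, dropped
        Packet("internet", "service-vpn", "198.51.100.7", "10.1.1.10", 4444, 3389, syn=True),
        # 4. outbound telnet: zone pair exists but port is not permitted
        Packet("service-vpn", "internet", "10.1.1.10", "203.0.113.5", 51001, 23, syn=True),
        # 5. outbound mid-stream TCP without a session: dropped
        Packet("service-vpn", "internet", "10.1.1.10", "203.0.113.9", 51002, 443),
        # 6. later packet of session 1 in the forward direction
        Packet("service-vpn", "internet", "10.1.1.10", "203.0.113.5", 51000, 443),
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Packet 2 is the point of the model: the return leg is accepted only because packet 1 created state, which is what distinguishes the ZBFW stage from a stateless access list; the same state is what the later IPS, URL filtering and AMP stages inspect per flow rather than per packet.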
Cloud Security Integration with SSE
For organizations that require additional cloud-delivered security, Catalyst SD-WAN supports integration with Security Service Edge (SSE) providers. This model redirects branch internet and SaaS traffic to a cloud security provider for inspection before it reaches its destination.
The SD-WAN Manager provides automation for connecting to SSE providers. Traffic is redirected using IPsec or GRE tunnels from the edge router to the SSE provider's point of presence.
The following SSE providers are supported with various levels of automation:
| SSE Provider | Tunnel Encapsulation | Automation Type |
|---|---|---|
| Cisco Secure Access | IPsec Auto-Tunnel, GRE Auto-Tunnel | SSE (API-based) |
| Zscaler | IPsec Auto-Tunnel, GRE Auto-Tunnel | SIG (API-based) |
| Palo Alto (Prisma Access) | IPsec Auto-Tunnel | SIG Generic (API-based) |
| Netskope | IPsec Auto-Tunnel, GRE Auto-Tunnel | SIG Generic |
| Cloudflare | IPsec Auto-Tunnel | SIG Generic |
| Skyhigh | IPsec Auto-Tunnel | SIG Generic |
| Microsoft Entra | IPsec Auto-Tunnel | SIG Generic |
Important: The SIG and SSE automation in the SD-WAN Manager is currently used for the Secure Internet Access (SIA) use case only. It cannot be used for the Secure Private Access (SPA) use case, as there is no routing protocol support for that scenario. For connecting to any SSE provider for any use case, IPsec or GRE templates and config groups can be configured manually.
DNS Security
In addition to UTD and SSE integration, DNS Security provides another layer of protection. DNS-based security inspects DNS queries from branch users and can block access to known malicious domains before a connection is ever established. This lightweight inspection method catches threats early in the connection process.
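A DNS-layer block works on the query name before any TCP or TLS connection is attempted, so the decision has to be made on domain labels, not on raw substrings. The following Python block is an added example for this page, not Cisco's DNS Security implementation; the blocklist entries use reserved example domains, the sinkhole address is a constructed choice, and the query list is made up to show the label-boundary and normalization cases a practitioner should verify.

```python
"""Added example (not Cisco code): query-time DNS blocklist matching.

Matching is done on whole labels from the right, so 'www.malicious.example'
matches a block on 'malicious.example' while 'notmalicious.example' does not.
Names are normalized (case folded, trailing dot removed) before comparison.
Domains and the sinkhole address are constructed for illustration.
"""


def normalize_name(name):
    """Fold case and strip the trailing root dot so 'WWW.Foo.Example.' == 'www.foo.example'."""
    return name.strip().rstrip(".").lower()


class DnsPolicy:
    def __init__(self, blocked_domains, sinkhole="0.0.0.0"):
        self.blocked = {normalize_name(d) for d in blocked_domains}
        self.sinkhole = sinkhole  # constructed: address returned for blocked names

    def matched_block(self, qname):
        """Return the blocklist entry that covers qname (itself or a parent), else None."""
        labels = normalize_name(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])  # qname, then each parent domain
            if candidate in self.blocked:
                return candidate
        return None

    def answer(self, qname):
        """Decide the response for a query before any connection is established."""
        hit = self.matched_block(qname)
        if hit is not None:
            return {"qname": qname, "action": "block", "matched": hit, "rdata": self.sinkhole}
        return {"qname": qname, "action": "allow", "matched": None, "rdata": None}


def run_demo():
    """Evaluate constructed queries; returns (qname, action, matched) tuples."""
    policy = DnsPolicy(["malicious.example", "c2.bad.test"])
    queries = [
        "WWW.Malicious.Example.",    # case and trailing dot: still blocked
        "cdn.c2.bad.test",           # subdomain of a blocked name: blocked
        "notmalicious.example",      # substring only, not a label match: allowed
        "bad.test",                  # parent of a blocked name, not itself blocked
        "intranet.corp.example",     # unrelated: allowed
    ]
    results = []
    for q in queries:
        a = policy.answer(q)
        results.append((q, a["action"], a["matched"]))
    return results


if __name__ == "__main__":
    for q, action, matched in run_demo():
        print(f"{q:28} {action:5} {matched}")
```

The third and fourth queries are the cases to test in any DNS-layer control: a substring match would wrongly block `notmalicious.example`, and a block on `c2.bad.test` must not silently extend to the whole `bad.test` zone.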
Sub-Location Guidelines for Cloud Security
When integrating with cloud security providers, organizations can define sub-locations to apply different policies to different groups of users or IP address ranges within a single branch location:
- When a sub-location is added, the service automatically creates an "Other" sub-location for all IP addresses sent to the cloud from that location that are not already defined in a sub-location
- The "Other" sub-location cannot be renamed
- While IP addresses within a single location cannot overlap, the same IP address can exist in multiple locations
- Sub-locations can use different bandwidth controls or inherit the parent location's settings
- Any unused bandwidth remains available to the parent location
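The sub-location rules above are easy to get wrong when many branches are defined, so a pre-push check is worth having. The Python validator below is an added example written for this page, not the cloud provider's or Cisco's code. It encodes the listed rules: no overlapping IP ranges within one location, the same range allowed in different locations, an automatically created "Other" sub-location that cannot be defined or renamed, per-sub-location bandwidth that either inherits from the parent or is set explicitly, and unreserved bandwidth staying with the parent. The location names, ranges and bandwidth figures are constructed, and the check that explicit sub-location bandwidth cannot exceed the parent's total is an assumption added here, not a rule stated on the page.

```python
"""Added example (not provider or Cisco code): validator for cloud-security sub-locations.

Rules implemented from the guidelines above; all sample data is constructed.
The aggregate-bandwidth check (sum of explicit sub-location bandwidth must not
exceed the parent) is an assumption added for this example.
"""
import ipaddress

OTHER = "Other"  # auto-created catch-all sub-location; cannot be defined or renamed


class SubLocationError(ValueError):
    pass


class Location:
    def __init__(self, name, bandwidth_mbps):
        self.name = name
        self.bandwidth_mbps = bandwidth_mbps
        self.sub_locations = {}  # name -> {"networks": [...], "bandwidth_mbps": int | None}

    def add_sub_location(self, name, cidrs, bandwidth_mbps=None):
        if name == OTHER:
            raise SubLocationError(f"'{OTHER}' is created automatically and cannot be renamed")
        if name in self.sub_locations:
            raise SubLocationError(f"sub-location {name} already exists in {self.name}")
        networks = [ipaddress.ip_network(c) for c in cidrs]
        # IP ranges within a single location must not overlap each other.
        for existing_name, existing in self.sub_locations.items():
            for new_net in networks:
                for old_net in existing["networks"]:
                    if new_net.overlaps(old_net):
                        raise SubLocationError(
                            f"{new_net} overlaps {old_net} in sub-location {existing_name}")
        # Assumed constraint: explicit reservations cannot exceed the parent's bandwidth.
        if bandwidth_mbps is not None and self.reserved_bandwidth() + bandwidth_mbps > self.bandwidth_mbps:
            raise SubLocationError(f"{name}: reserved bandwidth exceeds {self.name}")
        self.sub_locations[name] = {"networks": networks, "bandwidth_mbps": bandwidth_mbps}
        # Adding the first sub-location creates "Other" for every unassigned source IP.
        self.sub_locations.setdefault(OTHER, {"networks": [], "bandwidth_mbps": None})

    def reserved_bandwidth(self):
        return sum(s["bandwidth_mbps"] or 0 for s in self.sub_locations.values())

    def available_to_parent(self):
        """Bandwidth not explicitly reserved by sub-locations stays with the parent."""
        return self.bandwidth_mbps - self.reserved_bandwidth()

    def effective_bandwidth(self, name):
        """Explicit value if set, otherwise inherit the parent's setting."""
        bw = self.sub_locations[name]["bandwidth_mbps"]
        return self.bandwidth_mbps if bw is None else bw

    def classify(self, ip):
        """Return the sub-location a source address is sent to the cloud under."""
        addr = ipaddress.ip_address(ip)
        for name, sub in self.sub_locations.items():
            if any(addr in net for net in sub["networks"]):
                return name
        return OTHER if OTHER in self.sub_locations else self.name


def run_demo():
    nyc = Location("Branch-NYC", bandwidth_mbps=100)
    nyc.add_sub_location("Guest", ["10.10.20.0/24"], bandwidth_mbps=20)
    nyc.add_sub_location("Corp", ["10.10.10.0/24"])  # inherits parent bandwidth
    try:
        nyc.add_sub_location("Lab", ["10.10.10.128/25"])  # inside Corp: rejected
        overlap_rejected = False
    except SubLocationError:
        overlap_rejected = True
    try:
        nyc.add_sub_location(OTHER, ["10.10.30.0/24"])  # reserved name: rejected
        other_reserved = False
    except SubLocationError:
        other_reserved = True
    la = Location("Branch-LA", bandwidth_mbps=50)
    la.add_sub_location("Corp", ["10.10.10.0/24"])  # same range in another location is allowed
    return {
        "overlap_rejected": overlap_rejected,
        "other_reserved": other_reserved,
        "other_auto_created": OTHER in nyc.sub_locations,
        "corp_host": nyc.classify("10.10.10.5"),
        "unmapped_host": nyc.classify("10.10.99.1"),
        "corp_bandwidth": nyc.effective_bandwidth("Corp"),
        "parent_available": nyc.available_to_parent(),
        "la_corp_host": la.classify("10.10.10.5"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the check against the intended sub-location definitions before pushing them to the cloud provider catches the overlap and reserved-name errors locally, where they are cheaper to fix than a half-applied policy in the provider portal.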
Configuration Example
Security features in Catalyst SD-WAN are configured through the SD-WAN Manager using guided workflows and templates. The NGFW security policy is applied to edge routers to enable on-box inspection for branch internet and SaaS traffic.
Enabling UTD Security Policy on the Edge Router
The security policy is built in the SD-WAN Manager and pushed to the edge routers; the resulting device configuration enables the UTD engine and the inspection features the policy selected. An abbreviated sketch of the relevant IOS XE configuration hierarchy (illustrative only, not a complete or deployable configuration) looks like this:

```
! UTD engine with Snort-based threat inspection (IPS) and URL filtering
utd engine standard
 threat-inspection
  threat protection
  policy security
 web-filter url profile <profile-name>
```
Verifying UTD Status
To verify that the UTD engine is operational on a WAN edge router:
```
show utd engine standard status
```
Verifying URL Filtering Categories
URL filtering leverages 82+ web categories. To check the URL filtering configuration:
```
show utd engine standard web-filter url-profile
```
Verifying IPS Signatures
The Snort-based IPS engine uses signature sets for threat detection. To verify IPS operation:
```
show utd engine standard threat-inspection profile
```
Best Practice: Use the SD-WAN Manager guided workflows to configure security policies rather than applying CLI commands directly. The Manager ensures consistent policy deployment across all edge routers and provides centralized logging and monitoring through the SecOps Dashboard.
SSE Tunnel Verification
When traffic is being redirected to a cloud security provider, verify the tunnel status:
```
show sdwan secure-internet-gateway tunnels
```
Real-World Application
Common Deployment Scenarios
Direct Internet Access at the Branch: The most common use case for UTD and URL filtering is enabling secure direct internet access (DIA) at branch offices. Instead of backhauling all internet traffic to the data center, the branch edge router inspects traffic locally using the ZBFW, IPS, URL filtering, and AMP. This reduces latency for SaaS applications and offloads bandwidth from expensive WAN links.
Hybrid Security with SSE: Many organizations deploy a combination of on-box security and cloud-delivered security. Critical traffic that requires deep inspection is sent to an SSE provider, while trusted SaaS traffic is broken out directly at the branch with on-box inspection. This approach balances security requirements with application performance.
Segmentation Across the WAN: Using multi-topology segmentation, organizations can isolate different traffic types (guest, corporate, IoT) into separate VPNs. Each segment can have its own security policy, ensuring that a compromise in one segment does not affect others.
Identity-Based NGFW: The next-generation firewall capabilities support identity-based policies for least-privileged access. This means security policies can be applied based on user identity rather than just IP addresses, providing more granular control.
Design Considerations
- Deploy security features as close to users and clients as possible to minimize latency and maximize protection effectiveness
- Use the SD-WAN Manager for centralized policy management rather than configuring each router individually
- Leverage the SecOps Dashboard for end-to-end visibility into security events across the entire fabric
- When using SSE integration, note that not all use cases with all SSE providers have been tested — verify compatibility for your specific deployment
- Consider platform resource and throughput requirements when enabling multiple UTD features: deep packet inspection consumes router CPU and memory and can reduce forwarding throughput, so confirm the edge platform is sized for the inspection features and traffic volume at that branch
Note: The encrypted control plane (TLS/DTLS) and encrypted data plane (IPsec) provide foundational security for all SD-WAN traffic. UTD and URL filtering add application-layer security on top of this already-secured transport.
Summary
- Catalyst SD-WAN embeds security directly on edge routers through UTD, which includes stateful ZBFW, Snort-based IPS, URL filtering with 82+ categories, and AMP file reputation powered by Talos
- The SD-WAN fabric itself is secured with encrypted control and data planes, pairwise keys, and hardware-based device authentication (SUDI)
- Cloud security integration with SSE providers extends protection beyond the edge router, with automated tunnel setup supported for providers including Cisco Secure Access, Zscaler, and Palo Alto Prisma Access
- Centralized management through the SD-WAN Manager provides guided workflows for security policy configuration and a SecOps Dashboard for monitoring and visibility
- Deploying security at the branch enables secure direct internet access and improves SaaS application performance by eliminating the need to backhaul traffic to a central security stack
In the next lesson, we will explore SD-WAN application routing and traffic steering policies, examining how the SD-WAN fabric makes intelligent path selection decisions based on application requirements and real-time network performance.