Cisco Firepower Management Center 2000
13-34
FireSIGHT System User Guide
Chapter 13 Using Access Control Policies
Managing Access Control Policies
Step 4 Depending on the comparison type you selected, you have the following choices:
• If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
• If you are comparing the running configuration to another policy, select the second policy from the Policy B drop-down list.
Step 5 Click OK to display the policy comparison view.
The comparison view appears.
Step 6 Optionally, click Comparison Report to generate the access control policy comparison report.
The access control policy comparison report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.
Applying an Access Control Policy
License: Any
After making any changes to an access control policy, you must apply the policy to one or more devices to implement the configuration changes on the networks monitored by the devices. You must target devices where you want to apply the policy before you can apply the policy. See
Keep the following points in mind when applying access control policies:
• In special cases, applying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. This occurs when the Snort® process restarts; for example, the process restarts when you apply an access control policy that pushes a new version of Snort to a managed device following a Defense Center upgrade, when you apply a policy for the first time after a rule import that includes shared object rules, and, in some cases, when you install a VDB update. If you are using FireSIGHT Software for X-Series deployed inline and you configure a multi-VAP VAP group for load-balancing and redundancy, you can avoid processing pauses by removing the affected VAP from the load-balanced list until the device restarts, then reinstate it. For more information, see , , and the FireSIGHT Software for X-Series Installation Guide.
• On 3D7010, 3D7020, and 3D7030 managed devices, applying an access control policy takes up to five minutes. To minimize inconvenience, apply access control policies during a change window.
• If you apply an access control policy with many FireSIGHT features enabled (such as security intelligence, file capture, intrusion policies with many rules, or URL filtering), some lower-end ASA FirePOWER devices may generate intermittent memory usage warnings, as the device’s memory allocation is being used to the fullest extent possible.
• If an access control policy requires licenses enabled through recently applied device configurations, the system queues the access control policy apply until the device configurations finish applying.
• Intrusion rules that are set to Drop and Generate Events in an associated intrusion policy where Drop when Inline is selected will generate events but will not drop any packets or block any attacks when you apply the intrusion policy to a device that uses a passive interface set or an inline interface set in tap mode. See for more information.