Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 13 Using Access Control Policies
This chapter contains information on creating a basic access control policy (including Security
Intelligence filtering) and adding rules to that policy. For detailed information on associated components
of the FireSIGHT System, see the following documentation:
Although you can create access control policies regardless of the licenses on your Defense Center, certain aspects of access control require that you enable specific licensed capabilities on target devices before you can apply the policy. Additionally, some features are only available on certain appliance models. The Defense Center uses warning icons and confirmation dialog boxes to designate unsupported features for your deployment. For details, hover your pointer over a warning icon.
The following table explains the license and appliance model requirements to apply access control
policies. Note that Series 2 devices automatically have most Protection capabilities; you do not have to
explicitly enable Protection on those devices.
Table 13-1 License and Appliance Requirements for Access Control

To apply a policy that... | Add this license... | To one of these Defense Centers... | And enable it on one of these devices...
performs access control based on zone, network, VLAN, or port, or that performs URL filtering using literal URLs and URL objects | Any | Any | Any, except that Series 2 devices cannot perform URL filtering using literal URLs and URL objects, and ASA FirePOWER devices cannot identify traffic using VLAN tag conditions
performs intrusion detection and prevention, file control, or Security Intelligence filtering | Protection | Any | Any, except that Series 2 devices cannot perform Security Intelligence filtering
performs advanced malware protection, that is, network-based malware detection and blocking | Malware | Any except DC500 | Series 3, Virtual, X-Series, ASA FirePOWER