Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 13 Using Access Control Policies, Configuring Policies (page 13-7)
Logging Connections for the Default Action
License: Any
You must decide whether you want to log connection data for the traffic that is handled by the default action. The options for logging connections handled by the policy default action largely parallel the options for logging connections handled by individual access control rules. However, there are some differences:
  • The default action has no file logging options because you cannot perform file control or malware protection using the default action.
  • When an intrusion policy associated with the access control default action generates an intrusion event, the system does not automatically log the end of the associated connection. This is useful for intrusion detection and prevention-only deployments, where you do not want to log any connection data.
    An exception to this rule occurs if you enable beginning-of-connection logging for the default action. In that case, the system does log the end of the connection when an associated intrusion policy triggers, in addition to logging the beginning of the connection.
For a comprehensive discussion of connection logging, see 
In general, if you want to perform any kind of detailed analysis on connection data, you should log the end of connections. If you want to view connection summaries in custom workflows, view connection data in graphical format, or create and use traffic profiles, you must log connection events at the end of connections. Note that for the Block All Traffic default action, you can log only beginning-of-connection events, because traffic is denied without further inspection.
Logging connection events to the Defense Center database allows you to take advantage of the analysis, 
reporting, and correlation features in the FireSIGHT System. Optionally, you can send most connection 
events to the syslog or an SNMP trap server.
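As an added example (not from the FireSIGHT documentation or from Cisco software), the following Python model encodes the default-action logging rules above so that a planned Logging configuration can be checked offline before it is committed in the Defense Center; the class and function names are assumptions, not product APIs.

```python
# Added example (not Cisco's code): a model of the default-action
# connection-logging rules, used to predict which connection events the
# Defense Center will record for a given Logging pop-up configuration.
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class DefaultActionLogging:
    """Assumed model of the Logging settings for the policy default action."""
    block_all_traffic: bool   # default action is Block All Traffic
    log_begin: bool           # Log at Beginning of Connection
    log_end: bool             # Log at End of Connection
    intrusion_policy: bool    # an intrusion policy is associated with the default action


def validate(cfg: DefaultActionLogging) -> None:
    """Reject a combination the Logging pop-up does not permit."""
    if cfg.block_all_traffic and cfg.log_end:
        # Blocked traffic is denied without further inspection, so no end event exists.
        raise ValueError("Block All Traffic can log only beginning-of-connection events")


def logged_events(cfg: DefaultActionLogging, intrusion_event: bool = False) -> Set[str]:
    """Return the connection events recorded for one connection handled by
    the default action, optionally one on which an intrusion event fired."""
    validate(cfg)
    events = set()
    if cfg.log_begin:
        events.add("beginning")
    if cfg.log_end:
        events.add("end")
    # An intrusion event does not by itself log the connection end; the end is
    # logged only when beginning-of-connection logging is enabled as well.
    if intrusion_event and cfg.intrusion_policy and cfg.log_begin:
        events.add("end")
    return events


def unavailable_without_end_logging(cfg: DefaultActionLogging) -> List[str]:
    """Analysis features that this configuration cannot support because they
    require end-of-connection events."""
    validate(cfg)
    if cfg.log_end:
        return []
    return ["connection summaries in custom workflows",
            "connection data in graphical format",
            "traffic profiles"]
```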
The following procedure explains how to configure an access control policy to log connections. See 
 for the complete procedure for editing an access control 
policy.
To log connections in traffic handled by the default action:
Access: Admin/Access Admin/Network Admin
Step 1  Select Policies > Access Control.
The Access Control page appears.
Step 2  Click the edit icon next to the access control policy you want to configure.
The policy Edit page appears.
Step 3  Click the logging icon next to the Default Action drop-down list.
The Logging pop-up window appears.
Step 4  Specify whether you want to Log at Beginning of Connection or Log at End of Connection.
You cannot log end-of-connection events for blocked traffic.
Step 5  Specify where to send connection events. You have the following choices:
  • To send connection events to the Defense Center, select Defense Center.