Cisco Firepower Management Center 4000
14-7
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Understanding Rule Actions
Trust
The Trust action allows traffic to pass without further inspection. You cannot inspect trusted traffic with a file, intrusion, or network discovery policy.
You can log trusted network traffic at both the beginning and end of connections. Note that the system logs TCP connections detected by a trust rule differently depending on the appliance:
• On Series 2, virtual appliances, and FireSIGHT Software for X-Series, TCP connections detected by a trust rule on the first packet only generate an end-of-connection event. The system generates the event one hour after the final session packet.
• On Series 3 appliances, TCP connections detected by a trust rule on the first packet generate different events depending on the presence of a monitor rule. If the monitor rule is active, the system evaluates the packet and generates both a beginning and end-of-connection event. If no monitor rule is active, the system only generates an end-of-connection event.
Monitor
The Monitor action does not affect traffic flow; matching traffic is neither immediately permitted nor denied. Rather, traffic is matched against additional rules, if present, to determine whether to permit or deny it. The first non-Monitor rule matched determines traffic flow and any further inspection. If there are no additional matching rules, the system uses the default action.
Because the primary purpose of Monitor rules is to track network traffic, the system automatically logs end-of-connection events for monitored traffic. That is, connections are logged even if the traffic matches no other rules and you do not enable logging on the default action. The action associated with a logged connection is either that of the first non-Monitor rule triggered by the connection, or the default action.
If locally-bound traffic matches a monitor rule in a Layer 3 deployment, that traffic may bypass inspection. To ensure inspection of the traffic, enable Inspect Local Router Traffic in the advanced device settings for the managed device routing the traffic.
Block and Block with Reset
The Block and Block with reset actions deny traffic without further inspection. Block with reset rules also reset the connection. You cannot inspect blocked traffic with a file, intrusion, or network discovery policy.
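The following Python model is an added illustration, not code from the guide or from the FireSIGHT product, of the rule-evaluation semantics described above: Monitor matches never decide the flow, the first non-Monitor match governs flow and inspection, Trust and Block traffic is not inspected, and monitored connections are logged even when the deciding rule or default action has logging off. The field-based matcher, the rule names, and the default action name "Allow" are constructed assumptions.

```python
from dataclasses import dataclass

# Actions the guide says cannot be inspected by file, intrusion, or network
# discovery policies. Any other action is assumed here to remain inspectable.
UNINSPECTED = {"Trust", "Block", "Block with reset"}

@dataclass
class Rule:
    name: str
    action: str          # "Monitor", "Trust", "Block", "Block with reset", ...
    match: dict          # constructed matcher: connection field -> required value
    log: bool = False    # end-of-connection logging enabled on this rule

@dataclass
class Verdict:
    action: str          # action that governs the flow
    decided_by: str      # name of the deciding rule, or "default action"
    inspected: bool      # whether file/intrusion/discovery inspection can apply
    logged: bool         # whether an end-of-connection event is recorded

def matches(rule: Rule, conn: dict) -> bool:
    return all(conn.get(k) == v for k, v in rule.match.items())

def evaluate(rules, conn, default_action="Allow", default_log=False) -> Verdict:
    """Walk rules in order; Monitor matches are noted but never decide the flow."""
    monitored = False
    for rule in rules:
        if not matches(rule, conn):
            continue
        if rule.action == "Monitor":
            monitored = True         # keep evaluating further rules
            continue
        # First non-Monitor match decides flow and whether inspection can occur.
        # A monitored connection is logged even if this rule has logging off.
        return Verdict(rule.action, rule.name, rule.action not in UNINSPECTED,
                       monitored or rule.log)
    # No non-Monitor rule matched: the (assumed) default action governs; a
    # monitored connection is still logged when default-action logging is off.
    return Verdict(default_action, "default action",
                   default_action not in UNINSPECTED, monitored or default_log)

# Constructed policy: a Monitor rule for one zone, then Block and Trust rules.
POLICY = [
    Rule("watch-dmz", "Monitor", {"src_zone": "dmz"}),
    Rule("deny-telnet", "Block with reset", {"dst_port": 23}),
    Rule("trust-backup", "Trust", {"dst_port": 873}, log=True),
]
```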