FireSIGHT System User Guide, page 14-17
Chapter 14: Understanding and Writing Access Control Rules
Working with Different Types of Conditions
Conditions you select are highlighted. The warning icon next to a zone indicates that the rule will not take effect because the zone does not include an interface. See .

Step 4
You have the following choices:
  • To filter traffic by source zone, click Add to Source.
  • To filter traffic by destination zone, click Add to Destination.
Optionally, you can drag and drop selected conditions into the Source Zones or Destination Zones list.
Selected conditions are added. Note that you can add the same condition as both a source zone and a destination zone.
Step 5
Save or continue editing the rule.
You must apply the access control policy for your changes to take effect; see .
Adding Network Conditions
License: Any
You can add any of the following kinds of network conditions to an access control rule:
  • individual and group network objects that you have created using the object manager. See  for information on creating individual and group network objects using the object manager.
  • individual network objects that you add from the Network conditions page, and can then add to your rule and to other existing and future rules. See .
  • literal, single IP addresses or address blocks. See  for more information.
Note
In a Layer 2 deployment, you cannot block egress traffic based on destination network or destination security zone. You must instead write access control rules that block ingress traffic based on source network or source security zone. For more information on Layer 2 deployments, see .
If you add rules to an access control policy that contain conditions matching source or destination IPv6 traffic, add an Allow rule with port conditions specifying traffic using the IPv6 Neighbor Discovery Protocol (ICMPv6 types 135 and 136) before those rules. For more information on port conditions, see .
Although they appear under the Networks tab, geolocation rule conditions require a FireSIGHT license and use different objects. For information on adding geolocation conditions, see .
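The three pitfalls this section names (a zone condition on a zone with no interface, IPv6 conditions placed ahead of the Neighbor Discovery Allow rule, and destination-based Block rules in a Layer 2 deployment) are all ordering or configuration mistakes that can be caught before a policy is applied. The following added example, which is not Cisco code and does not use the Firepower Management Center API, models a policy as a plain list of rules and lints it for those three conditions; the `Rule` fields, the `ZONE_INTERFACES` map and the sample rules are all constructed for this illustration, and literal network conditions are parsed with the standard `ipaddress` module so both single addresses and address blocks are accepted.

```python
import ipaddress
from dataclasses import dataclass, field

# ICMPv6 Neighbor Solicitation (135) and Neighbor Advertisement (136); the
# section requires an Allow rule for these ahead of any IPv6 rule.
ND_TYPES = {135, 136}


@dataclass
class Rule:
    """Constructed, simplified access control rule (field names are assumptions,
    not the FMC data model)."""
    name: str
    action: str                                        # "allow" or "block"
    src_zones: list = field(default_factory=list)
    dst_zones: list = field(default_factory=list)
    src_networks: list = field(default_factory=list)   # literal IPs or CIDR blocks
    dst_networks: list = field(default_factory=list)
    icmpv6_types: set = field(default_factory=set)     # ICMPv6 port conditions


def parse_network(literal):
    """Accept a single IP address or an address block and return an ip_network.
    strict=False lets a host address such as 198.51.100.7 parse as a /32."""
    return ipaddress.ip_network(literal, strict=False)


def has_ipv6_condition(rule):
    """True if any source or destination network condition is IPv6."""
    return any(parse_network(n).version == 6
               for n in rule.src_networks + rule.dst_networks)


def is_nd_allow_rule(rule):
    """True for an Allow rule whose port conditions cover both ND message types."""
    return rule.action == "allow" and ND_TYPES <= rule.icmpv6_types


def lint_policy(rules, zone_interfaces, layer2=False):
    """Return a list of human-readable findings for an ordered list of rules.

    zone_interfaces maps a zone name to the interfaces assigned to it; a zone
    with an empty list is one that the UI would mark with the warning icon.
    """
    findings = []
    nd_allow_seen = False
    for idx, rule in enumerate(rules, start=1):
        # Zone condition on a zone with no interface: the rule never matches.
        for zone in rule.src_zones + rule.dst_zones:
            if not zone_interfaces.get(zone):
                findings.append(f"rule {idx} '{rule.name}': zone '{zone}' has no "
                                f"interface; the rule will not take effect")
        # IPv6 condition before the Neighbor Discovery Allow rule.
        if has_ipv6_condition(rule) and not nd_allow_seen:
            findings.append(f"rule {idx} '{rule.name}': IPv6 condition without a "
                            f"preceding Allow rule for ICMPv6 types 135 and 136")
        # Layer 2: a Block rule keyed only on destination network/zone cannot
        # block egress; the section says to match on source instead.
        if (layer2 and rule.action == "block"
                and (rule.dst_networks or rule.dst_zones)
                and not (rule.src_networks or rule.src_zones)):
            findings.append(f"rule {idx} '{rule.name}': Layer 2 deployment cannot "
                            f"block by destination network or zone; use source conditions")
        if is_nd_allow_rule(rule):
            nd_allow_seen = True
    return findings


# Constructed sample data: three zones, one of which ("dmz") has no interface.
ZONE_INTERFACES = {"inside": ["eth1"], "outside": ["eth2"], "dmz": []}

SAMPLE_RULES = [
    Rule("block-dmz-v6", "block", dst_zones=["dmz"], dst_networks=["2001:db8::/32"]),
    Rule("allow-nd", "allow", icmpv6_types={135, 136}),
    Rule("allow-v6-web", "allow", src_zones=["inside"], src_networks=["2001:db8:1::/48"]),
    Rule("block-guest", "block", src_zones=["outside"],
         src_networks=["192.0.2.0/24", "198.51.100.7"]),
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_RULES, ZONE_INTERFACES, layer2=True):
        print(finding)
```

Run as-is, the first sample rule produces all three findings (empty zone, IPv6 condition ahead of the ND Allow rule, and a destination-only Block in a Layer 2 deployment); moving the `allow-nd` rule to the top and giving `dmz` an interface clears two of them, which is the same fix the section prescribes.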
The following procedure explains how to add source and destination network conditions while adding or editing an access control rule. See  for more detailed information.