Cisco Firepower Management Center 4000
FireSIGHT System User Guide
50-9
Chapter 50      Managing System Policies
  Configuring a System Policy
The Access List page allows you to control which computers can access your appliance on specific ports. By default, port 443 (Hypertext Transfer Protocol Secure, or HTTPS), which is used to access the web interface, and port 22 (Secure Shell, or SSH), which is used to access the command line, are enabled for any IP address. You can also add SNMP access over port 161. Note that you must add SNMP access for any computer you plan to use to poll for SNMP information.
Caution: By default, access to the appliance is not restricted. To operate the appliance in a more secure environment, consider adding access to the appliance for specific IP addresses and then deleting the default any option.
The access list is part of the system policy. You can specify the access list either by creating a new system policy or by editing an existing system policy. In either case, the access list does not take effect until you apply the system policy.

Note that this access list does not control external database access. For more information on the external database access list, se
To configure the access list:

Access: Admin

Step 1  Select System > Local > System Policy.
The System Policy page appears.

Step 2  You have the following options:
  • To modify the access list in an existing system policy, click the edit icon next to the system policy.
  • To configure the access list as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in , and click Save.
In either case, the Access List page appears.

Step 3  Optionally, to delete one of the current settings, click the delete icon.
The setting is removed.

Caution: If you delete access for the IP address that you are currently using to connect to the appliance interface, and there is no entry for "IP=any port=443", you will lose access to the system when you apply the policy.

Step 4  Optionally, to add access for one or more IP addresses, click Add Rules.
The Add IP Address page appears.

Step 5  In the IP Address field, you have the following options, depending on the IP addresses you want to add:
  • an exact IP address (for example, 192.168.1.101)
  • an IP address block using CIDR notation (for example, 192.168.1.1/24)
    For information on using CIDR in the FireSIGHT System, see .
  • any, to designate any IP address