FireSIGHT System User Guide

Chapter 13: Using Access Control Policies
An access control policy determines how the system handles non-fast-pathed traffic on your network. 
You can configure one or more access control policies, which you can then apply to one or more managed 
devices. Each device can have one currently applied policy.
A simple access control policy can filter (blacklist or monitor) traffic based on Security Intelligence data, 
then use the policy's default action to handle non-blacklisted traffic in one of the following ways:
  • block all traffic from entering your network
  • trust all traffic to enter your network without further inspection
  • allow all traffic to enter your network, and inspect the traffic with a network discovery policy only
  • allow all traffic to enter your network, and inspect the traffic with intrusion and network discovery policies
Optionally, you can add access control rules to a policy, which provide granular control over how you 
handle and log network traffic. For each rule, you specify a rule action: whether to trust, monitor, 
block, or inspect matching traffic with an intrusion or file policy. Each rule contains a set of conditions 
that identify the specific traffic you want to control. Rules can be simple or complex, matching traffic 
by any combination of security zone, network, VLAN, source or destination country or continent, Active 
Directory LDAP user or group, application, transport protocol port, or URL.
The system matches traffic to access control rules in order; the first matched rule handles the traffic. (An 
exception occurs with Monitor rules, which allow traffic to continue to be evaluated.)
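The evaluation order just described (Security Intelligence blacklist first, then rules in order with the first match deciding, Monitor rules logging and continuing, and the default action as the fallback) can be made concrete with a small model. The following is an added illustration written for this page, not Cisco code and not how the FireSIGHT System is implemented internally; the rule condition types are a simplified subset (zone, destination network, port, application), and all rule names, addresses and connections are constructed sample values.

```python
"""Added example: a minimal model of access control policy evaluation.

Order modelled (matching the chapter text):
  1. Security Intelligence blacklist: blacklisted traffic is dropped and never
     reaches the rules.
  2. Access control rules in order; the first matching rule handles the traffic,
     except Monitor rules, which record the match and let evaluation continue.
  3. If no rule handles the traffic, the policy's default action applies.

All names and sample values below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Connection:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    application: str


@dataclass
class Rule:
    name: str
    action: str                                   # "trust", "monitor", "block", "allow" (allow = inspect)
    zones: set = field(default_factory=set)       # empty = any source zone
    networks: list = field(default_factory=list)  # destination CIDRs, empty = any
    ports: set = field(default_factory=set)       # destination ports, empty = any
    apps: set = field(default_factory=set)        # application names, empty = any

    def matches(self, c: Connection) -> bool:
        """Every non-empty condition must match (conditions are ANDed)."""
        if self.zones and c.src_zone not in self.zones:
            return False
        if self.networks and not any(
                ip_address(c.dst_ip) in ip_network(n) for n in self.networks):
            return False
        if self.ports and c.dst_port not in self.ports:
            return False
        if self.apps and c.application not in self.apps:
            return False
        return True


@dataclass
class Policy:
    blacklist: list          # Security Intelligence networks (CIDR strings)
    rules: list              # ordered list of Rule
    default_action: str      # "block", "trust" or "allow"


def evaluate(policy: Policy, c: Connection) -> tuple:
    """Return (action, decided_by, monitor_hits) for one connection."""
    monitor_hits = []
    # 1. Security Intelligence: blacklisted traffic is dropped before any rule runs.
    for n in policy.blacklist:
        net = ip_network(n)
        if ip_address(c.src_ip) in net or ip_address(c.dst_ip) in net:
            return ("block", "security-intelligence", monitor_hits)
    # 2. Rules in order; the first non-Monitor match handles the traffic.
    for rule in policy.rules:
        if not rule.matches(c):
            continue
        if rule.action == "monitor":
            monitor_hits.append(rule.name)   # logged, evaluation continues
            continue
        return (rule.action, rule.name, monitor_hits)
    # 3. Nothing matched: the policy's default action handles the traffic.
    return (policy.default_action, "default-action", monitor_hits)


# Constructed sample policy (hypothetical rule names and addresses).
SAMPLE_POLICY = Policy(
    blacklist=["203.0.113.0/24"],
    rules=[
        Rule("log-dns", "monitor", ports={53}),
        Rule("trust-backup", "trust", zones={"inside"}, networks=["10.0.0.0/8"], ports={22}),
        Rule("block-p2p", "block", apps={"BitTorrent"}),
        Rule("inspect-web", "allow", ports={80, 443}),
    ],
    default_action="block",
)

if __name__ == "__main__":
    samples = [
        Connection("outside", "198.51.100.5", "203.0.113.9", 80, "HTTP"),
        Connection("inside", "10.1.2.3", "10.9.9.9", 22, "SSH"),
        Connection("inside", "10.1.2.3", "192.0.2.10", 53, "DNS"),
        Connection("outside", "198.51.100.5", "192.0.2.10", 443, "BitTorrent"),
    ]
    for conn in samples:
        print(conn.src_ip, "->", conn.dst_ip, conn.dst_port, evaluate(SAMPLE_POLICY, conn))
```

The third sample connection shows the Monitor exception: the DNS rule records a hit, evaluation continues, no later rule matches, and the default action (block) decides, with the monitor hit still available for logging.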
The diagram below illustrates traffic flow through the FireSIGHT System, and provides some details on 
the types of inspection performed on that traffic. Notice that the system does not inspect fast-pathed or 
blacklisted traffic. For traffic handled by an access control rule or default action, flow and inspection 
depend on the rule action. Although rule actions are not shown in the diagram for simplicity, the system 
does not perform any kind of inspection on trusted or blocked traffic. Additionally, file inspection is not 
supported with the default action.