Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 13 Using Access Control Policies
  
This chapter contains information on creating a basic access control policy (including Security 
Intelligence filtering) and adding rules to that policy. For detailed information on associated components 
of the FireSIGHT System, see the following documentation:
  •
  •
  •
  •
  •
Although you can create access control policies regardless of the licenses on your Defense Center, 
certain aspects of access control require that you enable specific licensed capabilities on target devices 
before you can apply the policy. Additionally, some features are only available on certain appliance 
models. The Defense Center uses warning icons and confirmation dialog boxes to designate 
unsupported features for your deployment. For details, hover your pointer over a warning icon.
The following table explains the license and appliance model requirements to apply access control 
policies. Note that Series 2 devices automatically have most Protection capabilities; you do not have to 
explicitly enable Protection on those devices.

Table 13-1 License and Appliance Requirements for Access Control

| To apply a policy that... | Add this license... | To one of these Defense Centers... | And enable it on one of these devices... |
|---|---|---|---|
| performs access control based on zone, network, VLAN, or port, or that performs URL filtering using literal URLs and URL objects | Any | Any | Any, except Series 2 devices cannot perform URL filtering using literal URLs and URL objects and ASA FirePOWER devices cannot identify traffic using VLAN tag conditions |
| performs intrusion detection and prevention, file control, or Security Intelligence filtering | Protection | Any | Any, except Series 2 devices cannot perform Security Intelligence filtering |
| performs advanced malware protection, that is, network-based malware detection and blocking | Malware | Any except DC500 | Series 3, Virtual, X-Series, ASA FirePOWER |