Cisco Firepower Management Center 4000
13-5
FireSIGHT System User Guide
Chapter 13 Using Access Control Policies
Configuring Policies
• is not blacklisted by Security Intelligence
• does not match any non-Monitor rule in the policy
When you apply an access control policy that does not contain any access control rules or Security Intelligence configurations, the default action determines how all traffic on your network is handled.
The following table lists the default actions you can choose, as well as their effect on traffic and the types of inspection performed on traffic handled by each option.
The diagram below illustrates the block and trust Access Control default actions. Notice that the system does not perform any kind of inspection on traffic blocked or trusted by the default action.
You can also set the default action so that it inspects default-action traffic with network discovery, an intrusion policy, or both. If you are performing neither intrusion detection nor access control, selecting a default action of Network Discovery Only can improve Defense Center performance. Note that to take advantage of this performance improvement, you must make sure your access control rules do not contain: application, user, or URL conditions; or file and intrusion inspection options.
Note
Selecting a default action of Network Discovery Only does not automatically guarantee discovery inspection. The system performs discovery only for connections involving IP addresses that are explicitly monitored by your network discovery policy. For more information, see .
If you inspect default-action traffic with an intrusion policy, the system can also inspect it using network discovery, depending on the settings in your network discovery policy. See for a discussion on associating intrusion policies with access control rules.
Table 13-3 Access Control Policy Default Actions

Default Action                      Effect on Traffic                                                    Inspection
Access Control: Block All Traffic   block without further inspection                                     none
Access Control: Trust All Traffic   trust (allow without further inspection)                             none
Network Discovery Only              allow                                                                network discovery
Intrusion Prevention                allow, as long as it is passed by the intrusion policy you specify   intrusion and network discovery
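The following is an added illustration, not Cisco code and not the FireSIGHT API: a small Python model of the evaluation order this section describes (Security Intelligence blacklist first, then access control rules top down, then the default action), of the fact that Monitor rules never end evaluation, of the four default actions in Table 13-3 and the inspection each performs, and of the Note above that a Network Discovery Only default action performs discovery only for connections involving an IP address the network discovery policy explicitly monitors. The class names, the rule matching condition (destination network), the toy intrusion policy and all sample addresses are constructed for the example.

```python
"""Illustrative model of how a FireSIGHT access control policy's default
action is reached and what it does to a connection.

Added example, not Cisco code and not the FireSIGHT API. It simulates the
evaluation order described in the text (Security Intelligence blacklist,
access control rules top down, then the default action), the fact that
Monitor rules do not end evaluation, and the Note that "Network Discovery
Only" performs discovery only for IP addresses the discovery policy monitors.
Class names, fields and sample addresses are all constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set

# Table 13-3: default action -> (effect on traffic, inspection performed)
DEFAULT_ACTIONS = {
    "Access Control: Block All Traffic": ("block", set()),
    "Access Control: Trust All Traffic": ("trust", set()),
    "Network Discovery Only": ("allow", {"network discovery"}),
    "Intrusion Prevention": ("allow", {"intrusion", "network discovery"}),
}


@dataclass
class Rule:
    name: str
    action: str              # "allow", "block", "trust" or "monitor"
    dst_networks: List[str]  # hypothetical match condition: destination network


@dataclass
class Connection:
    src: str
    dst: str
    payload: str = ""        # only used by the toy intrusion policy below


@dataclass
class Verdict:
    decided_by: str
    action: str
    inspection: Set[str] = field(default_factory=set)
    monitor_hits: List[str] = field(default_factory=list)


def _in_any(ip, networks: List[str]) -> bool:
    return any(ip in ip_network(n) for n in networks)


def evaluate(conn: Connection, blacklist: List[str], rules: List[Rule],
             default_action: str, discovery_networks: List[str],
             intrusion_policy: Optional[Callable[[Connection], bool]] = None) -> Verdict:
    src, dst = ip_address(conn.src), ip_address(conn.dst)

    # 1. Security Intelligence: blacklisted traffic is blocked before any
    #    rule or the default action is consulted.
    if _in_any(src, blacklist) or _in_any(dst, blacklist):
        return Verdict("Security Intelligence", "block")

    # 2. Access control rules, top down. A Monitor rule records the match and
    #    lets evaluation continue; the first non-Monitor match is final.
    hits: List[str] = []
    for rule in rules:
        if _in_any(dst, rule.dst_networks):
            if rule.action == "monitor":
                hits.append(rule.name)
                continue
            return Verdict(f"rule '{rule.name}'", rule.action, set(), hits)

    # 3. Not blacklisted and no non-Monitor rule matched: the default action.
    action, inspection = DEFAULT_ACTIONS[default_action]
    inspection = set(inspection)
    # The Note: discovery happens only for connections involving an IP that
    # the network discovery policy explicitly monitors.
    if "network discovery" in inspection and not (
            _in_any(src, discovery_networks) or _in_any(dst, discovery_networks)):
        inspection.discard("network discovery")
    # Intrusion Prevention allows the traffic only if the intrusion policy passes it.
    if "intrusion" in inspection and intrusion_policy and not intrusion_policy(conn):
        return Verdict("default action (intrusion policy)", "drop", inspection, hits)
    return Verdict("default action", action, inspection, hits)


# ---- constructed sample policy (not real feeds or networks) --------------
BLACKLIST = ["203.0.113.0/24"]                      # Security Intelligence list
RULES = [
    Rule("Monitor web servers", "monitor", ["198.51.100.0/24"]),
    Rule("Block legacy subnet", "block", ["192.0.2.0/24"]),
]
DISCOVERY_NETWORKS = ["10.0.0.0/8"]                 # network discovery policy


def toy_intrusion_policy(conn: Connection) -> bool:
    """Stand-in for an intrusion policy: passes unless the payload is flagged."""
    return "EVIL" not in conn.payload


if __name__ == "__main__":
    for c in (Connection("10.1.1.5", "203.0.113.9"),
              Connection("10.1.1.5", "192.0.2.7"),
              Connection("10.1.1.5", "198.51.100.3"),
              Connection("172.16.0.9", "198.51.100.3")):
        v = evaluate(c, BLACKLIST, RULES, "Network Discovery Only", DISCOVERY_NETWORKS)
        print(f"{c.src} -> {c.dst}: {v.action} by {v.decided_by}, "
              f"inspection={sorted(v.inspection)}, monitor hits={v.monitor_hits}")
```

The fourth sample connection is the case the Note warns about: it reaches the Network Discovery Only default action and is allowed, but because neither 172.16.0.9 nor 198.51.100.3 is in the discovery policy's monitored networks, no discovery is performed on it, while the same destination from 10.1.1.5 is discovered. Switching the default action to Intrusion Prevention with the toy policy shows the "allow, as long as it is passed by the intrusion policy" row of Table 13-3.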