FireSIGHT System User Guide
 
Chapter 13      Using Access Control Policies
Configuring Policies
Logging Blacklisted Connections
Logging blacklisted connections allows you to generate a connection event when the system detects network traffic to or from a blacklisted IP address. Events generated by Security Intelligence filtering represent the decision made by the system to either deny (blacklist) or inspect (blacklist set to monitor-only) the connection. This logging configuration is independent of the logging configurations for access control rules or the default action.

You must enable logging for Security Intelligence if you want to set blacklisted objects to monitor-only. Note that for those matching connections that go on to be inspected by access control rules, the system may generate additional connection events, depending on the logging settings in the access control rule or default action that later handles the connection.
Health Monitoring
The default health policy includes the Security Intelligence module (see ), which warns you if:
  • the Defense Center cannot update a feed, or if feed data is corrupt or contains no recognizable IP addresses
  • a managed device had a problem receiving updated Security Intelligence data from the Defense Center
  • a managed device cannot load all of the Security Intelligence data provided to it by the Defense Center, due to memory issues
For detailed information on configuring your access control policy to perform Security Intelligence filtering, see the following sections:
  •
  •
  •
  •
Building the Security Intelligence Whitelist and Blacklist
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
To build a whitelist and blacklist, populate them with any combination of network objects and groups, as well as Security Intelligence feeds and lists, all of which you can constrain by security zone.

By default, access control policies use the Defense Center’s global whitelist and blacklist, which apply to any zone. These lists are populated by your analysts, who can quickly add individual IP addresses using the context menu. You can opt not to use these global lists on a per-policy basis. For more information, see .
After you build your whitelist and blacklist, you can log blacklisted connections. You can also set individual blacklisted objects, including feeds and lists, to monitor-only. This allows the system to handle connections involving blacklisted IP addresses using access control, but also logs the connection’s match to the blacklist.
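The following script is an added illustration, not Cisco code and not part of this guide: it models the Security Intelligence behaviour described in the two sections above (logging of blacklisted connections, and whitelist/blacklist objects constrained by zone with per-object monitor-only) so that an analyst can reason about which connection events a given policy produces. The object names, zone names and IP ranges are constructed sample values; the rule that a whitelist match takes precedence over the blacklist, and the interpretation of a zone constraint as "the matching IP must be seen in that zone", are modelling assumptions, not statements from this page.

```python
"""Model of Security Intelligence whitelist/blacklist evaluation (added example).

Semantics taken from the guide text:
  * a connection event is generated for traffic to OR from a blacklisted IP
    when Security Intelligence logging is enabled;
  * the event records the decision: deny (blacklist) or monitor (monitor-only);
  * monitor-only objects require Security Intelligence logging to be enabled;
  * objects may be constrained to a security zone, global lists apply to any zone.
Assumption (not on the page): a whitelist match overrides the blacklist.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class SIObject:
    """A network object/group, feed or list entry on a whitelist or blacklist."""
    name: str
    networks: List[str]            # CIDR strings
    zone: Optional[str] = None     # None = any zone (like the global lists)
    monitor_only: bool = False     # only meaningful on the blacklist

    def matches(self, ip: str, zone: str) -> bool:
        # Assumption: a zone constraint means the IP must be seen in that zone.
        if self.zone is not None and self.zone != zone:
            return False
        addr = ip_address(ip)
        return any(addr in ip_network(net) for net in self.networks)


@dataclass
class SIPolicy:
    whitelist: List[SIObject]
    blacklist: List[SIObject]
    log_blacklisted: bool          # the policy-level Security Intelligence logging switch

    def __post_init__(self) -> None:
        # The guide: logging must be enabled to set blacklisted objects to monitor-only.
        if not self.log_blacklisted and any(o.monitor_only for o in self.blacklist):
            raise ValueError("monitor-only blacklist objects require Security Intelligence logging")


@dataclass
class Connection:
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str


def evaluate(policy: SIPolicy, conn: Connection) -> Tuple[str, List[dict]]:
    """Return (disposition, events).

    disposition: 'whitelist' (continues to access control, no SI event),
                 'block' (denied by blacklist), 'monitor' (continues to access
                 control but the blacklist match is logged), or 'none'.
    events: Security Intelligence connection events generated for this connection.
    Events from access control rules or the default action are out of scope here.
    """
    events: List[dict] = []
    endpoints = [(conn.src_ip, conn.src_zone), (conn.dst_ip, conn.dst_zone)]

    # Assumption: whitelist wins over blacklist.
    if any(obj.matches(ip, zone) for obj in policy.whitelist for ip, zone in endpoints):
        return "whitelist", events

    for obj in policy.blacklist:                     # "to or from" a blacklisted IP
        if any(obj.matches(ip, zone) for ip, zone in endpoints):
            decision = "monitor" if obj.monitor_only else "deny"
            if policy.log_blacklisted:
                events.append({"type": "connection", "si_decision": decision, "object": obj.name})
            return ("monitor" if obj.monitor_only else "block"), events

    return "none", events


def demo() -> dict:
    """Constructed sample policy and connections; returns dispositions and event counts."""
    policy = SIPolicy(
        whitelist=[SIObject("partner-net", ["203.0.113.0/24"])],
        blacklist=[
            SIObject("threat-feed", ["198.51.100.0/24"]),                          # any zone, block
            SIObject("dmz-watch", ["192.0.2.0/24"], zone="dmz", monitor_only=True),  # zone-bound, monitor
        ],
        log_blacklisted=True,
    )
    samples = {
        "block":     Connection("10.0.0.5", "inside", "198.51.100.7", "outside"),
        "monitor":   Connection("192.0.2.9", "dmz", "10.0.0.1", "inside"),
        "wrongzone": Connection("192.0.2.9", "inside", "10.0.0.1", "inside"),
        "whitelist": Connection("203.0.113.5", "outside", "198.51.100.7", "outside"),
    }
    return {k: evaluate(policy, c) for k, c in samples.items()}


if __name__ == "__main__":
    for label, (disp, evs) in demo().items():
        print(f"{label:10s} -> {disp:9s} events={evs}")
```

Note that `evaluate` returns only the Security Intelligence events; a connection with disposition `monitor` is then handed to the access control rules, which may log it again under their own settings, exactly as the guide warns.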