Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 13      Using Access Control Policies
Configuring Policies
Use the Security Intelligence tab in the access control policy to configure the whitelist, blacklist, and 
logging options. The page lists the Available Objects you can use in either the whitelist or blacklist, as 
well as the Available Zones you can use to constrain whitelisted and blacklisted objects. Each type of 
object or zone is distinguished with a different icon. The objects marked with the Cisco icon 
represent the different categories in the Cisco Intelligence Feed.
In the blacklist, objects set to block are marked with the block icon, while monitor-only objects are 
marked with the monitor icon. Because the whitelist overrides the blacklist, if you add the same 
object to both lists, the system displays the blacklisted object with a strikethrough.
You can add up to a total of 255 objects to the whitelist and the blacklist. That is, the number of objects 
in the whitelist plus the number in the blacklist cannot exceed 255.
Note that although you can add network objects with a netmask of /0 to the whitelist or blacklist, address 
blocks using a /0 netmask in those objects will be ignored, and whitelist and blacklist filtering will not 
occur based on those addresses. Address blocks with a /0 netmask from security intelligence feeds will 
also be ignored. If you want to monitor or block all traffic targeted by a policy, use an access control rule 
with the Monitor or Block rule action, respectively, and a default value of any for the Source Networks 
and Destination Networks, instead of security intelligence filtering.
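The three constraints above (the combined 255-object cap, the whitelist overriding the blacklist for an object placed in both, and /0 address blocks being silently ignored) are easy to violate when lists are assembled from many objects. The following pre-flight check is an added example, not code from the FireSIGHT System User Guide or from Cisco; it takes the whitelist and blacklist as plain Python mappings of object name to address blocks, and the object names and addresses in the sample are constructed for illustration only.

```python
"""Pre-flight check for a Security Intelligence whitelist/blacklist.

Added example, not code from the FireSIGHT System User Guide. It encodes
three rules the guide states: a /0 address block is ignored for Security
Intelligence filtering (from an object or a feed), the whitelist overrides
the blacklist for an object present in both, and the whitelist plus the
blacklist may hold at most 255 objects in total. Object and list names
below are assumptions for illustration.
"""
import ipaddress

MAX_SI_OBJECTS = 255  # combined whitelist + blacklist limit from the guide


def ignored_blocks(blocks):
    """Return the address blocks that SI filtering will silently ignore.

    Blocks with a /0 netmask (for example 0.0.0.0/0 or ::/0) never match
    anything in Security Intelligence filtering, so listing them gives a
    false sense of coverage.
    """
    ignored = []
    for block in blocks:
        net = ipaddress.ip_network(block, strict=False)
        if net.prefixlen == 0:
            ignored.append(block)
    return ignored


def check_lists(whitelist, blacklist):
    """Validate two {object_name: [address_block, ...]} mappings.

    Returns a dict with:
      total       -- objects counted against the 255 cap (objects, not addresses)
      over_limit  -- True if total > 255
      overridden  -- blacklisted objects that are also whitelisted
                     (the whitelist wins; the UI shows them struck through)
      ignored     -- {object_name: [/0 blocks that will not filter]}
    """
    total = len(whitelist) + len(blacklist)
    overridden = sorted(set(blacklist) & set(whitelist))
    ignored = {}
    for name, blocks in list(whitelist.items()) + list(blacklist.items()):
        bad = ignored_blocks(blocks)
        if bad:
            ignored[name] = bad
    return {
        "total": total,
        "over_limit": total > MAX_SI_OBJECTS,
        "overridden": overridden,
        "ignored": ignored,
    }


# Constructed sample lists; names and addresses are illustrative only.
SAMPLE_WHITELIST = {
    "corp-dns": ["10.0.53.0/24"],
    "partner-vpn": ["203.0.113.0/24"],
}
SAMPLE_BLACKLIST = {
    "known-c2": ["198.51.100.7/32", "2001:db8:bad::/48"],
    "partner-vpn": ["203.0.113.0/24"],   # also whitelisted -> overridden
    "catch-all": ["0.0.0.0/0", "::/0"],   # /0 blocks -> ignored by SI
}

if __name__ == "__main__":
    report = check_lists(SAMPLE_WHITELIST, SAMPLE_BLACKLIST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the check before committing a policy: an object reported under ignored will not filter at all, so a "block everything" intent has to be expressed as an access control rule with Block and any networks instead; an object reported under overridden is blacklisted in name only; and an over_limit result means the policy will not accept the lists as built.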
Tip
The general mechanics of constructing Security Intelligence whitelists and blacklists are the same as 
those for constructing access control rules. For detailed information, see 
To build the Security Intelligence whitelist and blacklist for an access control policy:
Access: Admin/Access Admin/Network Admin
Step 1
Select Policies > Access Control.
The Access Control page appears.
Step 2
Click the edit icon next to the access control policy you want to configure.
The policy Edit page appears.
Step 3
Select the Security Intelligence tab.
Security Intelligence settings for the access control policy appear.
Step 4
Optionally, click the logging icon to log blacklisted connections.
You must enable logging before you can set blacklisted objects to monitor-only. For details, see 
Step 5
Begin building your whitelist and blacklist by selecting one or more Available Objects.
Use Shift and Ctrl to select multiple objects, or right-click and Select All.
Tip
You can search for existing objects to include, or create objects on the fly if no existing objects meet the 
needs of your organization. For more information, see 
Step 6
Optionally, constrain the selected objects by zone by selecting an Available Zone.