Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 13      Using Access Control Policies
  Configuring Policies
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
While editing an access control policy, you can create an object on-the-fly to use in its whitelist and 
blacklist: either a network object or a Security Intelligence list or feed. Note that to group network 
objects or create network object groups, you must use the object manager.
To create objects to whitelist or blacklist:
Access: Admin/Access Admin/Network Admin
Step 1
Click the add icon, then select the type of object you want to create:
  • Select Add IP List to create a Security Intelligence list or feed; see .
  • Select Add Network Object to add a network object; see .
Logging Blacklisted Connections
License: Protection
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
Logging blacklisted connections allows you to generate a connection event when the system detects 
network traffic to or from a blacklisted IP address. You can save these connection events to the Defense 
Center database, and can also log the events to the syslog or to an SNMP trap server using alert 
responses. For information on setting up alert responses, see .
Note
You must send events to the Defense Center if you want to set blacklisted objects to monitor-only, or 
perform any other Defense Center-based analysis on connection events generated by Security 
Intelligence filtering.
Unlike the logging options for access control rules or the default action, you cannot choose whether to 
generate beginning- or end-of-connection events. Events generated by Security Intelligence filtering 
always represent the beginning of a connection and the decision made by the system to either:
  • deny the traffic without further inspection (blacklist)
  • perform further analysis on the connection (blacklist set to monitor-only)
This decision is logged as the connection event's reason: either IP Block or IP Monitor. The decision is 
also reflected in the connection event's action, which for a blacklisted connection is Block. Contrast this with 
a monitored connection, where the action is that of the first non-Monitor access control rule triggered 
by the connection, or the default action.
The system also logs a Security Intelligence category, which qualifies the reason the connection was 
blacklisted. Connection events with an associated Security Intelligence category also appear in Security 
Intelligence event views (Analysis > Connections > Security Intelligence Events), allowing you to analyze 
Security Intelligence connection data more easily. For more information on connection and Security 
Intelligence events, see .
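As an added example (not from the FireSIGHT guide and not Cisco's own tooling), the following Python script applies the reason/action rules described above to connection events that an alert response has forwarded to syslog. The syslog line layout, the field names (Reason, Action, SICategory, ACRule) and the sample lines are all assumptions constructed for illustration; a real Defense Center export will need the field names adapted. The script summarises Security Intelligence hits per category, lists monitor-only hits that a later access control rule or the default action allowed through (candidates for switching that category from monitor to block), and flags any event whose reason is IP Block but whose action is not Block, a combination the rules above say cannot occur and which therefore points at an export or parsing problem rather than at traffic.

```python
"""Summarise Security Intelligence (SI) connection events from syslog.

Added example, not from the FireSIGHT guide or Cisco. The key=value line
format, the field names and the sample lines below are assumptions made
for illustration; adapt the field names to the alert response you use.
"""
import re
from collections import defaultdict

# Constructed sample lines in the ASSUMED format (not real Defense Center
# output). Line 5 is deliberately inconsistent to exercise the sanity check.
SAMPLE_SYSLOG = """\
Jun 12 10:01:07 dc01 SFIMS: Protocol=TCP SrcIP=203.0.113.45 DstIP=10.0.0.12 DstPort=443 Action=Block Reason="IP Block" SICategory=Malware
Jun 12 10:01:09 dc01 SFIMS: Protocol=TCP SrcIP=10.0.0.33 DstIP=198.51.100.7 DstPort=80 Action=Allow Reason="IP Monitor" SICategory=Tor_exit_node ACRule=allow_web
Jun 12 10:01:11 dc01 SFIMS: Protocol=UDP SrcIP=10.0.0.33 DstIP=8.8.8.8 DstPort=53 Action=Allow ACRule=allow_dns
Jun 12 10:01:15 dc01 SFIMS: Protocol=TCP SrcIP=10.0.0.40 DstIP=198.51.100.7 DstPort=22 Action=Block Reason="IP Monitor" SICategory=Tor_exit_node ACRule=deny_ssh
Jun 12 10:01:20 dc01 SFIMS: Protocol=TCP SrcIP=192.0.2.200 DstIP=10.0.0.12 DstPort=25 Action=Allow Reason="IP Block" SICategory=Spam
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return the key=value fields of one syslog line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(event):
    """Apply the guide's rule: the reason says whether SI was involved.

    IP Block  -> the action must be Block; anything else is inconsistent.
    IP Monitor -> the action comes from the first non-Monitor rule or the
                  default action, so it may be Allow or Block.
    no reason -> ordinary connection event, not an SI hit.
    """
    reason = event.get("Reason")
    action = event.get("Action")
    if reason == "IP Block":
        return "blacklisted" if action == "Block" else "inconsistent"
    if reason == "IP Monitor":
        return "monitored"
    return "not_si"


def summarize_si_events(lines):
    """Count SI hits per category and collect the events worth a second look."""
    by_category = defaultdict(
        lambda: {"blocked": 0, "monitored": 0, "monitored_allowed": 0})
    inconsistent, monitored_allowed = [], []
    not_si = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = classify(ev)
        if kind == "not_si":
            not_si += 1
            continue
        if kind == "inconsistent":
            inconsistent.append(ev)
            continue
        cat = ev.get("SICategory", "unknown")
        if kind == "blacklisted":
            by_category[cat]["blocked"] += 1
        else:
            by_category[cat]["monitored"] += 1
            # Monitor-only hit that a later rule / default action let through:
            # the SI match is invisible in the Action field alone.
            if ev.get("Action") != "Block":
                by_category[cat]["monitored_allowed"] += 1
                monitored_allowed.append(ev)
    return {
        "by_category": dict(by_category),
        "monitored_allowed": monitored_allowed,
        "inconsistent": inconsistent,
        "not_si": not_si,
    }


if __name__ == "__main__":
    summary = summarize_si_events(SAMPLE_SYSLOG.splitlines())
    for cat, counts in sorted(summary["by_category"].items()):
        print(f"{cat:15s} {counts}")
    for ev in summary["monitored_allowed"]:
        print("monitor-only hit allowed:", ev["SrcIP"], "->", ev["DstIP"],
              ev["DstPort"], "via rule", ev.get("ACRule", "default action"))
    for ev in summary["inconsistent"]:
        print("INCONSISTENT (IP Block but not Block):", ev)
    print("non-SI connection events:", summary["not_si"])
```

Because the action field of a monitored connection is whatever the later rule or default action chose, a query such as "action is Block" misses every monitor-only Security Intelligence hit; the script keys off the reason and category instead, which is also what the Security Intelligence event view under Analysis > Connections does.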
In the event viewer, the host icons next to blacklisted and monitored IP addresses look slightly different 
from other host icons, so that you can identify the blacklisted IP address in a connection.