Cisco Firepower Management Center 4000
FireSIGHT System User Guide
13-18

Chapter 13 Using Access Control Policies
Configuring Policies
Because the decision to blacklist a connection occurs before the network traffic is evaluated by access control rules, connection events generated by Security Intelligence filtering do not contain information that must be determined by examining traffic over the duration of the session, nor do they contain application data. For details on the information in connection events, see

IP Block connection events have a threshold of 15 seconds per unique initiator-responder pair. That is, once the system generates an event when it blocks a connection, it does not generate another connection event for additional blocked connections between those two hosts for the next 15 seconds, regardless of port or protocol.

Note that the system may generate additional events for monitored connections, depending on the logging settings in the access control rule or default action that later handles the connection. For similar reasons, the system does not generate a special connection event when it detects a connection to or from a whitelisted IP address. That is, whitelisted connections generate events depending on how the system later handles the connection.
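To show why the count of IP Block connection events can be much lower than the count of blocked connections, the following Python model of the 15-second per-pair threshold is added here; it is example code, not from the guide or from Cisco. The sample connection records are constructed, and treating a block exactly 15 seconds after the previous event as a new event is an assumption the guide does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threshold stated in the guide: one IP Block connection event per unique
# initiator-responder pair per 15 seconds, regardless of port or protocol.
THRESHOLD_SECONDS = 15

@dataclass(frozen=True)
class BlockedConnection:
    ts: float        # seconds since an arbitrary epoch (constructed values below)
    initiator: str   # source host of the blocked connection
    responder: str   # destination host of the blocked connection
    dst_port: int
    protocol: str

def events_for(blocked: List[BlockedConnection]) -> List[BlockedConnection]:
    """Return the blocked connections that would produce an IP Block connection event.

    Models the suppression described in the guide: after an event is generated for an
    (initiator, responder) pair, further blocks for that pair within THRESHOLD_SECONDS
    produce no event, whatever the port or protocol. Assumption (not stated by the
    guide): a block exactly THRESHOLD_SECONDS after the last event counts as a new event.
    """
    last_event: Dict[Tuple[str, str], float] = {}   # pair -> time of last event
    out: List[BlockedConnection] = []
    for conn in sorted(blocked, key=lambda c: c.ts):  # process in time order
        key = (conn.initiator, conn.responder)
        prev = last_event.get(key)
        if prev is None or conn.ts - prev >= THRESHOLD_SECONDS:
            last_event[key] = conn.ts
            out.append(conn)
    return out

def suppressed_count(blocked: List[BlockedConnection]) -> int:
    """Number of blocked connections that leave no connection event of their own."""
    return len(blocked) - len(events_for(blocked))

# Constructed sample: six blocks within 20 seconds, two responders, mixed ports/protocols.
SAMPLE_BLOCKS = [
    BlockedConnection(0.0, "10.1.1.5", "203.0.113.9", 80, "tcp"),    # event
    BlockedConnection(3.0, "10.1.1.5", "203.0.113.9", 443, "tcp"),   # suppressed: same pair
    BlockedConnection(7.0, "10.1.1.5", "203.0.113.9", 53, "udp"),    # suppressed: protocol irrelevant
    BlockedConnection(9.0, "10.1.1.5", "203.0.113.10", 80, "tcp"),   # event: different responder
    BlockedConnection(15.0, "10.1.1.5", "203.0.113.9", 22, "tcp"),   # event: threshold elapsed
    BlockedConnection(20.0, "10.1.1.5", "203.0.113.9", 80, "tcp"),   # suppressed: 5 s after last event
]

if __name__ == "__main__":
    for e in events_for(SAMPLE_BLOCKS):
        print(f"event at t={e.ts:>4}: {e.initiator} -> {e.responder}:{e.dst_port}/{e.protocol}")
    print(f"{suppressed_count(SAMPLE_BLOCKS)} of {len(SAMPLE_BLOCKS)} blocked connections produced no event")
```

When reconciling event counts against firewall or NetFlow data, remember that suppressed blocks are still enforced; only the event is withheld.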
To log blacklisted connections:

Access: Admin/Access Admin/Network Admin

Step 1 On the Security Intelligence tab in an access control policy, click the logging icon.
The Blacklist Options dialog box appears.

Step 2 Select the Log Connections check box to log beginning-of-connection events when traffic meets Security Intelligence conditions.

Step 3 Specify where to send connection events. You have the following choices:
  • To send connection events to the Defense Center, select Defense Center.
  • To send connection events to syslog, select Syslog, then select a syslog alert response from the drop-down list. Optionally, you can add a syslog alert response by clicking the add icon; see
  • To send connection events to an SNMP trap server, select SNMP Trap, then select an SNMP alert response from the drop-down list. Optionally, you can add an SNMP alert response by clicking the add icon; see

Step 4 Click OK to set your logging options.
The Security Intelligence tab appears again.

Step 5 Click Save.

You must apply the access control policy for your changes to take effect. For more information, see
Configuring Advanced Access Control Policy Settings
License: Any

Advanced access control policy settings typically require little or no modification. The default settings are appropriate for most deployments.
General Advanced Options
You have the following general options when configuring an access control policy: