Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 13 Using Access Control Policies
Configuring Policies
• When you log an end-of-connection event to the Defense Center database (see
) for HTTP traffic, the system records the URL requested
by the monitored host during the session.
By default, the system stores the first 1024 characters of the URL in the connection log. Using
Maximum URL characters to store in connection events, you can configure the system to store up to 4096
characters per URL to make sure you capture the full URLs requested by monitored hosts. Or, if you
are uninterested in the individual URLs visited, you can disable URL storage entirely by storing zero
characters. Depending on your network traffic, disabling or limiting the number of stored URL
characters may improve system performance.
Disabling URL logging does not affect URL filtering. Access control rules properly filter traffic
based on requested URLs, their categories, and reputations, even though the system does not record
the individual URLs requested in the traffic handled by those rules. For more information, see
.
• When traffic matches access control rules with Interactive Block or Interactive Block with Reset
as the action, the user can click through a response page to bypass the block. Using
Allow an Interactive Block to bypass blocking for (seconds), you can set how long the system allows
a user to bypass the block without displaying the response page. The default setting is 600 seconds
(equivalent to 10 minutes). You can set the duration to as long as 31536000 seconds (equivalent to
365 days). Set this option to zero to force the user to bypass the block every time.
• When you associate an intrusion policy with the default action of an access control policy,
Default Action Variable Set identifies the variable set to use with the intrusion policy. The variable set
determines how intrusion rules in your intrusion policy identify source and destination IP addresses
and ports in network traffic when those rules use the variables in the selected set. By default, access
control policies use the default variable set. However, if you have created custom sets you can also
select any of these from the drop-down list. Optionally, you can click the edit icon next to the
selected variable set to modify the set in a new browser tab. Note that you can select different
variable sets for different access control policies; this allows you to tailor your intrusion rules to
match different kinds of traffic on your network.
See
and
for more
information.
File and Malware Detection Options
If you use file policies to perform file control, file storage, dynamic analysis, or malware detection or
blocking, you can set the options listed in the following table: