Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 13      Using Access Control Policies
For all of these situations, warnings or errors appear in the access control policy or access control policy 
list to alert you to the issues. 
Understanding Rule Pre-emption
The conditions of an access control rule may preempt a subsequent rule from matching traffic. For example:
Rule 1: allow Administrator users
Rule 2: block Administrator users
The second rule above will never block traffic because the first rule will have already allowed the traffic.
Any type of rule condition can preempt a subsequent rule. For example, the VLAN range in the first rule below includes the VLAN in the second rule, so the first rule preempts the second rule:
Rule 1: allow VLAN 22-33
Rule 2: block VLAN 27
In the following example, Rule 1 matches any VLAN because no VLANs are configured, so Rule 1 preempts Rule 2, which attempts to match VLAN 2:
Rule 1: allow Source Network 10.4.0.0/16
Rule 2: allow Source Network 10.4.0.0/16, VLAN 2
A rule also preempts an identical subsequent rule where all configured conditions are the same. For example:
Rule 1: allow VLAN 1 URL www.example.com
Rule 2: allow VLAN 1 URL www.example.com
A subsequent rule would not be preempted if any condition is different. For example:
Rule 1: allow VLAN 1 URL www.example.com
Rule 2: allow VLAN 2 URL www.example.com
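The pre-emption logic above can be checked mechanically before a policy is applied. The following is an added example, not code from the FireSIGHT guide or the product: it models rules as dictionaries of conditions (an absent condition matches any traffic, as in the third example) and reports every rule whose traffic is fully covered by an earlier rule. The rule names and the sample rule set are constructed to mirror the examples in this section.

```python
import ipaddress

# Condition types handled: "users" and "urls" as sets, "vlans" as (low, high)
# ranges, "networks" as source CIDR strings. An absent key means "any".
CONDITIONS = ("users", "vlans", "networks", "urls")

def covers(cond, earlier, later):
    """True if the earlier rule's condition matches all traffic the later rule's does."""
    if cond not in earlier:          # unconfigured condition matches anything
        return True
    if cond not in later:            # earlier is narrower than "any", so it cannot cover
        return False
    e, l = earlier[cond], later[cond]
    if cond == "vlans":              # every later range must fit inside some earlier range
        return all(any(lo <= llo and lhi <= hi for lo, hi in e) for llo, lhi in l)
    if cond == "networks":           # every later network must be a subnet of an earlier one
        enets = [ipaddress.ip_network(n) for n in e]
        return all(any(en.supernet_of(ipaddress.ip_network(ln)) for en in enets) for ln in l)
    return set(l) <= set(e)          # users, urls: plain set containment

def preempted_rules(rules):
    """Return (later_name, earlier_name) pairs where an earlier rule preempts a later one."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(c, earlier, later) for c in CONDITIONS):
                found.append((later["name"], earlier["name"]))
                break                # first preempting rule is enough to flag it
    return found

# Constructed sample rule set following the examples in the text.
SAMPLE_RULES = [
    {"name": "R1", "action": "allow", "users": {"Administrator"}},
    {"name": "R2", "action": "block", "users": {"Administrator"}},        # preempted by R1
    {"name": "R3", "action": "allow", "networks": ["10.4.0.0/16"]},
    {"name": "R4", "action": "allow", "networks": ["10.4.0.0/16"], "vlans": [(2, 2)]},  # by R3
    {"name": "R5", "action": "allow", "vlans": [(1, 1)], "urls": {"www.example.com"}},
    {"name": "R6", "action": "allow", "vlans": [(2, 2)], "urls": {"www.example.com"}},  # not preempted
]

if __name__ == "__main__":
    for later, earlier in preempted_rules(SAMPLE_RULES):
        print(f"{later} is preempted by {earlier} and will never match traffic")
```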
Managing Access Control Policies
License: Any
On the Access Control policy page (Policies > Access Control) you can view all your current access control policies by name with optional description and the following status information:
  • when a policy is up to date on targeted devices, in green text
  • when a policy is out of date on targeted devices, in red text
Options on this page allow you to compare policies, create a new policy, apply a policy to targeted devices, copy a policy, view a report that lists all of the most recently saved settings in each policy, and edit or delete a policy.
Tip
You can export access control policies to, and import access control policies from, other Defense Centers in your deployment. See  for more information.
Depending on your choices when you add a device, either of two default access control policies might appear and already be applied to the device:
  • The Default Access Control policy blocks all traffic from entering your network.
  • The Default Intrusion Prevention policy allows all traffic and applies the Balanced Security and Connectivity intrusion policy to traffic on your network; see .