Cisco Firepower Management Center 4000
FireSIGHT System User Guide

Chapter 14
Understanding and Writing Access Control Rules
A set of access control rules is a key component of an access control policy. Although you can create 
basic access control policies without them, access control rules allow you to manage, in a granular 
fashion, which traffic can enter your network, exit it, or cross from within without leaving it. For 
example, you could block some or all social networking traffic, prevent your sales department from 
accessing accounting records, monitor which users access which sites or networks, and so on.
Note: Hardware-based fast-path rules and Security Intelligence-based traffic filtering (blacklisting) occur before network traffic is evaluated by access control rules.
Within an access control policy, the system matches traffic to rules in top-down order by rule number. 
In addition to its rule order and some other basic attributes, each rule has the following major 
components:
  • a set of rule conditions that identifies the specific traffic you want to control
  • a rule action, which determines how the system handles traffic that meets the rule's conditions
  • file, malware, and intrusion inspection options, which allow you to examine (and optionally block) matching traffic that you would otherwise allow
  • logging options, which allow you to keep a record of the matching traffic and how it was handled by the rule
The access control policy's default action handles traffic that is not blacklisted by Security Intelligence and does not meet the conditions of any non-Monitor rule in the policy. For more information on access control policies and the default action, see .
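The evaluation order described above (Security Intelligence blacklisting first, then rules top-down by number with Monitor rules recording a match without ending evaluation, then the default action) is modelled in the following added example. It is not Cisco's code; the Connection and Rule classes, the sample policy and the constructed connection records are assumptions made for illustration, and fast-path rules and inspection options are not modelled.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed connection record: the attributes a rule condition may test.
@dataclass
class Connection:
    src: str
    dst: str
    port: int
    app: str = ""

@dataclass
class Rule:
    number: int                      # position in the top-down order
    name: str
    action: str                      # "Allow", "Block", "Monitor", ...
    condition: Callable[[Connection], bool]
    log: bool = True                 # logging option for matching traffic

@dataclass
class Policy:
    blacklist: Set[str]              # Security Intelligence blacklist
    rules: List[Rule]
    default_action: str = "Block"

def evaluate(policy: Policy, conn: Connection) -> Tuple[str, str, List[str]]:
    """Return (verdict, deciding element, log entries) for one connection."""
    log: List[str] = []
    # 1. Security Intelligence filtering runs before any rule is evaluated.
    if conn.src in policy.blacklist or conn.dst in policy.blacklist:
        log.append(f"SI blacklist hit: {conn.src}->{conn.dst}")
        return "Block", "Security Intelligence", log
    # 2. Rules are matched top-down by rule number.
    for rule in sorted(policy.rules, key=lambda r: r.number):
        if not rule.condition(conn):
            continue
        if rule.log:
            log.append(f"rule {rule.number} '{rule.name}' matched ({rule.action})")
        if rule.action == "Monitor":  # Monitor logs the match, evaluation goes on
            continue
        return rule.action, rule.name, log
    # 3. No non-Monitor rule matched: the policy's default action applies.
    log.append(f"default action {policy.default_action}")
    return policy.default_action, "Default Action", log

def sample_policy() -> Policy:
    """Hypothetical policy: monitor web, block one application, allow other web."""
    return Policy(blacklist={"203.0.113.9"}, rules=[
        Rule(2, "Block social", "Block", lambda c: c.app == "social-app"),
        Rule(1, "Monitor web", "Monitor", lambda c: c.port == 443),
        Rule(3, "Allow web", "Allow", lambda c: c.port in (80, 443))])
```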
Tip: If you want to use the FireSIGHT System to perform intrusion detection and prevention but do not need to take advantage of discovery data, you can optimize performance by disabling new discovery. First, make sure that your applied access control policies do not contain rules with user, application, or URL conditions. Then, remove all rules from your network discovery policy and apply it to your managed devices. For more information on configuring discovery, see .
Although you can create access control rules with any license, certain rule conditions and inspection options require that you enable specific licensed capabilities on the access control policy's targeted devices. You cannot apply a policy that uses licensed capabilities to unlicensed devices. The Defense Center uses warning icons and confirmation dialogs to designate unlicensed features. For details, hover your pointer over a warning icon.
The following table explains the licenses you must have to use access control rules.