Cisco Firepower Management Center 4000
14-4
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Creating and Editing Access Control Rules
When you add a rule to a policy, you specify its position in one of two ways. First, you can Insert it
in a category, which places it last (numerically) in that category. Or, you can place it above or
below a specific rule, using rule numbers as a reference point. When editing an existing rule, you can
Move the rule in a similar fashion. For more information, see .
Conditions
Rule conditions identify the specific traffic you want to control. Conditions can match traffic by any
combination of multiple attributes, including security zone, network, VLAN, Active Directory
LDAP user or group, application, transport protocol port, source/destination country or continent,
or URL information. Conditions can be simple or complex, and in some cases require that you apply
a license to the access control policy’s target devices.
For detailed information on adding conditions, see .
File and Intrusion Inspection Options
A rule’s inspection options apply to traffic that you would normally allow. You configure the system
to perform further inspection by associating an intrusion or file policy (or both) with a rule, and by
linking a variable set to the associated intrusion policy.
File policies perform file control, that is, they can detect and block your users from uploading
(sending) or downloading (receiving) files of specific types over specific application protocols. File
policies can also use Cisco’s advanced malware protection feature to determine if certain transmitted
files represent a threat to your organization, then block them. Intrusion policies perform intrusion
detection and prevention and can drop offending packets.
Both types of inspection require the Protection license. AMP requires a Malware license. For
detailed information on associating an intrusion or file policy with a rule, see
Logging Options
An access control rule’s logging options allow you to specify whether and how to keep a record of
matching traffic, as well as log the detection of files or malware in that traffic.
In general, you can log a connection event at the beginning or end of a connection, or both. However,
you can log only beginning-of-connection events for blocked traffic because matching traffic is
denied without further inspection. Additionally, although the system automatically logs
end-of-connection events for monitored traffic, beginning-of-connection logging for monitored
traffic is determined by the first non-Monitor rule triggered by the traffic, or the default action.
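The logging behaviour described above, as an added model that is not part of the guide or of Cisco's software: an ordered rule list is walked in order, Monitor rules never stop evaluation, the first non-Monitor match (or the default action) decides beginning-of-connection logging, a Block handler can only produce beginning-of-connection events, and monitored traffic always gets an end-of-connection event. Rule names, traffic labels and the unconditional end-of-connection event for monitored traffic are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the logging semantics in the text above; not FireSIGHT code.
@dataclass
class Rule:
    name: str
    action: str                                 # "Monitor", "Allow", or "Block"
    matches: set = field(default_factory=set)   # constructed: traffic labels the rule's conditions match
    log_begin: bool = False
    log_end: bool = False

def first_non_monitor_rule(rules, traffic):
    """Walk the ordered rule list; Monitor rules record a hit but never end evaluation."""
    monitored = False
    for rule in rules:
        if traffic in rule.matches:
            if rule.action == "Monitor":
                monitored = True
                continue
            return rule, monitored
    return None, monitored   # nothing matched: the default action handles the connection

def logged_events(rules, default, traffic):
    """Return (name of the rule or default action that handled the connection, events logged)."""
    decider, monitored = first_non_monitor_rule(rules, traffic)
    handler = decider or default
    events = set()
    # Beginning-of-connection logging is decided by the first non-Monitor rule or the default action.
    if handler.log_begin:
        events.add("begin")
    # Blocked traffic is denied without further inspection, so only a beginning event is possible.
    if handler.log_end and handler.action != "Block":
        events.add("end")
    # Assumption: the automatic end-of-connection event for monitored traffic is unconditional.
    if monitored:
        events.add("end")
    return handler.name, events

# Constructed policy: a Monitor rule, a Block rule configured for both events (the model clamps
# it to beginning-only), an Allow rule logging both ends, and a default action that logs nothing.
RULES = [
    Rule("monitor-internal", "Monitor", {"dns", "web", "mail"}),
    Rule("deny-dns", "Block", {"dns"}, log_begin=True, log_end=True),
    Rule("allow-web", "Allow", {"web"}, log_begin=True, log_end=True),
]
DEFAULT = Rule("default-action", "Allow")

if __name__ == "__main__":
    for traffic in ("dns", "web", "mail", "ssh"):
        print(traffic, logged_events(RULES, DEFAULT, traffic))
```

The "mail" case is the one to notice: it falls through to a default action that logs nothing, yet the Monitor rule still yields an end-of-connection event and no beginning event.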
If you choose to log at the end of connections, the system generates events when it detects the close
of a connection, when it does not detect the end of a connection after a period of time, or when it
can no longer track the session due to memory constraints.
You can log connections to the Defense Center database, as well as to the system log (syslog) or to
an SNMP trap server. For detailed information, see
Comments
Each time you save changes to an access control rule, you can add a comment. For example, you
might summarize the overall configuration for the benefit of other users, or note when you change
a rule and the reason for the change. You can display a list of all comments for a rule along with the
user who added each comment and the date the comment was added. For more information, see