Cisco Firepower Management Center 4000

FireSIGHT System User Guide, Chapter 14: Understanding and Writing Access Control Rules (page 14-6)

Understanding Rule Actions
The access control policy's default action handles traffic that does not meet the conditions of any non-Monitor access control rule; see . For detailed information on rule actions and how they affect connection logging, see the following sections, as well as .

Allow

The Allow action allows matching traffic to pass. Optionally, you can associate an Allow rule with an intrusion policy, a file policy, or both. These two types of policy further inspect the matching traffic and can block it according to their own configurations:
  • Use an associated file policy to perform file control, that is, to detect and block your users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. File policies also allow you to inspect a restricted set of those files for malware and, optionally, block detected malware.
  • Use an associated intrusion policy to analyze network traffic according to intrusion detection and prevention configurations and, optionally, drop offending packets.
For instructions on how to associate an intrusion or file policy with an access control rule, see .

The diagram below illustrates the types of inspection performed on traffic that meets the conditions of an Allow rule (or a user-bypassed Interactive Block rule; see ). Notice that file inspection occurs before intrusion inspection; blocked files are not inspected for intrusion-related exploits.

For simplicity, the diagram displays traffic flow for situations where both (or neither) an intrusion and a file policy are associated with an access control rule. You can, however, configure one without the other. Without a file policy, traffic flow is determined by the intrusion policy; without an intrusion policy, traffic flow is determined by the file policy.

Regardless of whether the traffic is inspected or dropped by an intrusion or file policy, the system can inspect it using network discovery.
Note: Selecting a rule action of Allow does not automatically guarantee discovery inspection. The system performs discovery only for connections involving IP addresses that are explicitly monitored by your network discovery policy. For more information, see .

You can log allowed network traffic at both the beginning and end of connections.
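The following is an added illustration, not FireSIGHT code and not taken from the guide, that models the inspection order this section describes for traffic matched by an Allow rule: the file policy runs first, then the intrusion policy; a file blocked by the file policy never reaches intrusion inspection; either policy may be absent; and network discovery covers a connection only when one of its endpoints lies in a monitored network. The Connection and Verdict shapes, the policy callables, the signature matching, and the sample addresses, networks and payloads are all constructed assumptions for the model.

```python
"""Model of the inspection pipeline for traffic matched by an Allow rule.

Added illustration, not FireSIGHT code. It encodes the ordering the guide
describes: file policy, then intrusion policy; a blocked file is never
passed to intrusion inspection; either policy may be absent; network
discovery runs only for connections touching a monitored network.
The data shapes, policy callables and sample values are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, Optional


@dataclass
class Connection:
    src: str
    dst: str
    app_protocol: str                 # e.g. "HTTP", "SMTP"
    file_type: Optional[str] = None   # e.g. "EXE"; None when no file is transferred
    payload: bytes = b""


@dataclass
class Verdict:
    action: str                       # "allow" or "block"
    decided_by: str                   # "rule", "file" or "intrusion"
    file_inspected: bool = False
    intrusion_inspected: bool = False
    discovery: bool = False           # connection examined by network discovery


# A policy is modelled as a callable returning "allow" or "block".
Policy = Callable[[Connection], str]


def file_control_policy(blocked: dict) -> Policy:
    """File control: block the listed file types over the listed protocols.

    `blocked` maps a file type to the set of application protocols over
    which that type may not be sent or received (constructed shape).
    """
    def inspect(conn: Connection) -> str:
        protocols = blocked.get(conn.file_type, set())
        return "block" if conn.app_protocol in protocols else "allow"
    return inspect


def intrusion_policy(signatures: Iterable[bytes]) -> Policy:
    """Intrusion prevention stand-in: drop traffic carrying any constructed signature."""
    sigs = list(signatures)

    def inspect(conn: Connection) -> str:
        return "block" if any(s in conn.payload for s in sigs) else "allow"
    return inspect


def apply_allow_rule(conn: Connection,
                     file_pol: Optional[Policy] = None,
                     intr_pol: Optional[Policy] = None,
                     monitored_networks: Iterable[str] = ()) -> Verdict:
    """Run the Allow-rule pipeline in the order the guide describes."""
    verdict = Verdict(action="allow", decided_by="rule")

    # Discovery is independent of whether inspection later blocks the traffic,
    # but it only covers connections that involve a monitored address.
    nets = [ip_network(n) for n in monitored_networks]
    verdict.discovery = any(ip_address(addr) in net
                            for addr in (conn.src, conn.dst) for net in nets)

    # Stage 1: file policy (only when one is associated with the rule).
    if file_pol is not None:
        verdict.file_inspected = True
        if file_pol(conn) == "block":
            verdict.action, verdict.decided_by = "block", "file"
            return verdict    # blocked files skip intrusion inspection entirely

    # Stage 2: intrusion policy (only when one is associated with the rule).
    if intr_pol is not None:
        verdict.intrusion_inspected = True
        if intr_pol(conn) == "block":
            verdict.action, verdict.decided_by = "block", "intrusion"

    return verdict


if __name__ == "__main__":
    # Constructed sample policies and connections.
    fp = file_control_policy({"EXE": {"HTTP", "SMTP"}})
    ip = intrusion_policy([b"EVIL-PATTERN"])
    monitored = ["10.0.0.0/8"]
    samples = [
        Connection("10.0.0.5", "203.0.113.9", "HTTP", "EXE", b"MZ...EVIL-PATTERN"),
        Connection("192.0.2.1", "203.0.113.9", "HTTP", "PDF", b"%PDF EVIL-PATTERN"),
        Connection("10.1.2.3", "203.0.113.9", "HTTP", None, b"GET / HTTP/1.1"),
    ]
    for c in samples:
        print(c.src, "->", c.dst, apply_allow_rule(c, fp, ip, monitored))
```

The first sample shows the ordering point of this section: the executable is blocked by the file policy, so `intrusion_inspected` stays false even though its payload would also match the intrusion signature. The second sample, with no blocked file type, is passed on to intrusion inspection, and the third shows that a connection from a monitored network is still examined by discovery when no inspection policy is associated at all.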