14-7
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Understanding Rule Actions
Trust
The Trust action allows traffic to pass without further inspection. You cannot inspect trusted traffic with a file, intrusion, or network discovery policy.
You can log trusted network traffic at both the beginning and end of connections. Note that the system logs TCP connections detected by a trust rule differently depending on the appliance:
• On Series 2, virtual appliances, and FireSIGHT Software for X-Series, TCP connections detected by a trust rule on the first packet only generate an end-of-connection event. The system generates the event one hour after the final session packet.
• On Series 3 appliances, TCP connections detected by a trust rule on the first packet generate different events depending on the presence of a monitor rule. If the monitor rule is active, the system evaluates the packet and generates both a beginning and end-of-connection event. If no monitor rule is active, the system only generates an end-of-connection event.
Monitor
The Monitor action does not affect traffic flow; matching traffic is neither immediately permitted nor denied. Rather, traffic is matched against additional rules, if present, to determine whether to permit or deny it. The first non-Monitor rule matched determines traffic flow and any further inspection. If there are no additional matching rules, the system uses the default action.
Because the primary purpose of Monitor rules is to track network traffic, the system automatically logs end-of-connection events for monitored traffic. That is, connections are logged even if the traffic matches no other rules and you do not enable logging on the default action. The action associated with a logged connection is either that of the first non-Monitor rule triggered by the connection, or the default action.
If locally-bound traffic matches a monitor rule in a Layer 3 deployment, that traffic may bypass inspection. To ensure inspection of the traffic, enable Inspect Local Router Traffic in the advanced device settings for the managed device routing the traffic.
Block and Block with Reset
The Block and Block with reset actions deny traffic without further inspection. Block with reset rules also reset the connection. You cannot inspect blocked traffic with a file, intrusion, or network discovery policy.
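The following is an added example, not code from the FireSIGHT System or from Cisco, that models the rule-action semantics described in the Trust, Monitor, and Block sections above: rules are evaluated in order, a Monitor match records the connection but never decides it, the first non-Monitor match (Allow, Trust, Block, or Block with reset) decides traffic flow and whether further inspection is possible, the default action applies when no such rule matches, and monitored connections are always logged at end of connection with the deciding action recorded. The rule set, connection records, addresses, and the Rule/Verdict classes are all constructed for illustration and do not correspond to the product's data model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Actions that cannot be inspected by file, intrusion, or discovery policy
# (Trust and the two Block actions, per the guide text above).
UNINSPECTABLE_ACTIONS = {"Trust", "Block", "Block with reset"}


@dataclass
class Rule:
    """Constructed, simplified access control rule: any None field means 'any'."""
    name: str
    action: str                 # "Monitor", "Allow", "Trust", "Block", "Block with reset"
    src: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None
    log: bool = False           # logging explicitly enabled on this rule

    def matches(self, conn: dict) -> bool:
        conditions = (("src", self.src), ("dst", self.dst), ("port", self.port))
        return all(want is None or want == conn[key] for key, want in conditions)


@dataclass
class Verdict:
    action: str                       # action that decided the flow
    deciding_rule: Optional[str]      # None means the default action decided
    inspectable: bool                 # can later policies inspect this traffic?
    logged: bool                      # will an end-of-connection event be produced?
    monitored_by: list = field(default_factory=list)


def evaluate(rules, default_action, conn, default_log=False) -> Verdict:
    """First non-Monitor match decides; Monitor matches only accumulate."""
    monitored = []
    for rule in rules:
        if not rule.matches(conn):
            continue
        if rule.action == "Monitor":
            monitored.append(rule.name)   # keep evaluating further rules
            continue
        # Monitored traffic is logged even when the deciding rule does not log.
        logged = rule.log or bool(monitored)
        return Verdict(rule.action, rule.name,
                       rule.action not in UNINSPECTABLE_ACTIONS, logged, monitored)
    # No non-Monitor rule matched: the default action applies, and a Monitor
    # match still forces an end-of-connection log even if default_log is off.
    logged = default_log or bool(monitored)
    return Verdict(default_action, None,
                   default_action not in UNINSPECTABLE_ACTIONS, logged, monitored)


def example_verdicts() -> dict:
    """Constructed rule set and connections exercising each branch."""
    rules = [
        Rule("monitor-http", "Monitor", port=80),
        Rule("block-host", "Block", dst="10.0.0.5"),
        Rule("trust-backup", "Trust", src="192.0.2.10", port=22),
    ]
    conns = {
        "http-to-blocked-host": {"src": "192.0.2.3", "dst": "10.0.0.5", "port": 80},
        "http-to-other-host":   {"src": "192.0.2.3", "dst": "10.0.0.7", "port": 80},
        "backup-ssh":           {"src": "192.0.2.10", "dst": "10.0.0.7", "port": 22},
        "unmatched-https":      {"src": "192.0.2.3", "dst": "10.0.0.7", "port": 443},
    }
    return {name: evaluate(rules, "Block", conn) for name, conn in conns.items()}


if __name__ == "__main__":
    for name, v in example_verdicts().items():
        print(f"{name:22} action={v.action:6} rule={str(v.deciding_rule):14} "
              f"inspectable={v.inspectable!s:5} logged={v.logged!s:5} "
              f"monitored_by={v.monitored_by}")
```

Run stand-alone, the script shows that the HTTP connection to 10.0.0.5 is decided by the Block rule but logged because the Monitor rule saw it, that the HTTP connection to 10.0.0.7 falls through to the default action yet is still logged for the same reason, that the trusted SSH connection is neither inspectable nor logged (no logging enabled, no Monitor match), and that the unmatched HTTPS connection is silently handled by the default action.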