Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 14      Understanding and Writing Access Control Rules 
You can log blocked network traffic only at the beginning of connections.
Interactive Block and Interactive Block with Reset
For HTTP traffic, the Interactive Block and Interactive Block with reset actions give users a chance to bypass a website block by clicking through a warning page. If a user does not bypass the block, matching traffic is denied without further inspection. Interactive Block with reset rules also reset the connection. For information on configuring the warning page, see
On the other hand, if a user bypasses the block, matching network traffic is treated identically to allowed traffic; see
. When the system initially blocks a user's HTTP request using an Interactive Block rule, it marks the beginning-of-connection event with the Interactive Block or Interactive Block with Reset action. If the user clicks through the warning page that the system displays, any additional connection events you log for the session have an action of Allow. A beginning-of-connection event with an Interactive Block action therefore does not by itself tell you whether the user clicked through; only a later event for the same session with an action of Allow does. Because bypassed traffic is handled as allowed traffic, you can associate either type of Interactive Block rule with a file policy and an intrusion policy, just as you can with Allow rules, and the system can also use network discovery to inspect this user-allowed traffic.
Logging options for interactively blocked traffic are identical to those for allowed traffic, but keep in mind that if a user does not bypass the interactive block, the system can log only beginning-of-connection events.
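The following script is an added example, not code from the FireSIGHT User Guide or from Cisco. It applies the logging behaviour described above to a constructed set of connection events: a session whose beginning-of-connection event carries an Interactive Block action and has no later events was never bypassed, one whose later events carry Allow was clicked through, and anything else is flagged. The CSV field layout, the "begin"/"end" phase labels and the client-to-server session key are assumptions made for this example and are not the product's export format.

```python
"""Classify connection-event sessions by access control outcome.

Added example, not from the FireSIGHT User Guide or Cisco code. The log
layout (ts,phase,src,sport,dst,dport,action) is hypothetical; the session
key (src, dst, dport) deliberately ignores the source port because an
Interactive Block with reset tears down the first connection and the
click-through arrives on a new one.
"""
from collections import Counter, defaultdict

INTERACTIVE_ACTIONS = {"Interactive Block", "Interactive Block with Reset"}

# Constructed sample events (hypothetical CSV layout, not a product export).
# Lines are deliberately not in time order to exercise the sort below.
SAMPLE_LOG = """\
1000,begin,10.1.1.5,51000,203.0.113.10,80,Interactive Block
1001,begin,10.1.1.6,51001,203.0.113.10,80,Interactive Block with Reset
1005,end,10.1.1.6,51002,203.0.113.10,80,Allow
1010,begin,10.1.1.7,51003,203.0.113.20,443,Allow
1012,end,10.1.1.7,51003,203.0.113.20,443,Allow
1020,begin,10.1.1.8,51004,203.0.113.30,80,Block
1031,end,10.1.1.9,51005,203.0.113.40,80,Interactive Block
1030,begin,10.1.1.9,51005,203.0.113.40,80,Interactive Block
"""


def parse_line(line):
    """Parse one sample line into a dict; reject malformed input."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    ts, phase, src, sport, dst, dport, action = fields
    if phase not in ("begin", "end"):
        raise ValueError(f"unknown phase {phase!r} in {line!r}")
    return {"ts": int(ts), "phase": phase, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "action": action}


def session_key(event):
    """Client-to-server tuple used to group events (assumption, see above)."""
    return (event["src"], event["dst"], event["dport"])


def classify_session(events):
    """Return the outcome for one session's events (any order)."""
    events = sorted(events, key=lambda e: e["ts"])
    first, later = events[0], events[1:]
    if first["phase"] != "begin":
        return "anomaly"  # no beginning-of-connection event was logged
    if first["action"] in INTERACTIVE_ACTIONS:
        # Only the first event carries the Interactive Block action; if the
        # user clicked through, every later event for the session is Allow.
        if not later:
            return "interactive-blocked"  # user never bypassed the warning
        if all(e["action"] == "Allow" for e in later):
            return "interactive-bypassed"  # handled as allowed traffic
        return "anomaly"  # Interactive Block action on a later event
    if first["action"] == "Allow":
        return "allowed"
    if first["action"].startswith("Block"):
        # Blocked traffic is logged only at the beginning of the connection.
        return "blocked" if not later else "anomaly"
    return "other"  # Trust, Monitor, etc. are outside this example


def classify_log(text):
    """Group raw lines into sessions and classify each one."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            event = parse_line(line)
            sessions[session_key(event)].append(event)
    return {key: classify_session(evts) for key, evts in sessions.items()}


def summarize(outcomes):
    """Count sessions per outcome, e.g. to measure how often users click through."""
    return dict(Counter(outcomes.values()))


if __name__ == "__main__":
    results = classify_log(SAMPLE_LOG)
    for (src, dst, dport), outcome in sorted(results.items()):
        print(f"{src} -> {dst}:{dport}  {outcome}")
    print(summarize(results))
```

The "anomaly" outcome is the check worth keeping in a real pipeline: an Interactive Block action on anything other than a beginning-of-connection event, or any later event for a plainly blocked connection, means the session key or the event feed is not behaving as the guide describes.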
Understanding Rule Conditions and Condition Mechanics
License: Any
You can add conditions to access control rules to identify the type of traffic that matches the rule. You can add any of several types of conditions to a rule, either alone or in any combination.