Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 14      Understanding and Writing Access Control Rules
Understanding Rule Conditions and Condition Mechanics
For each condition type, you select conditions you want to add to a rule from a list of available 
conditions. When applicable, condition filters allow you to constrain available conditions. Lists of 
available and selected conditions may be as short as a single condition or many pages long. You can 
search available conditions and display only those matching a typed name or value in a list that updates 
as you type. 
Depending on the type of condition, lists of available conditions may be comprised of a combination of 
conditions provided directly by Cisco or configured using other FireSIGHT System features, including 
objects created using the object manager (Objects > Object Management), objects created directly from 
individual conditions pages, and literal conditions.
See the following sections for information on specifying rule conditions:
  • Understanding Rule Conditions defines the different types of rule conditions.
  •  describes the controls used to select and add rule conditions.
  •  explains how to search available conditions and display only those matching a typed name or 
value in a list that updates as you type.
  •  explains how to add literal conditions to a rule.
  •  explains how to add individual objects to the system from the configuration pages for relevant 
condition types.
Understanding Rule Conditions
License: Any
An access control rule’s conditions identify the type of traffic that rule handles. Conditions can be simple 
or complex; you can control traffic by security zone, network, geographical location, VLAN, port, 
application, requested URL, and user conditions.
When adding conditions to access control rules, keep the following points in mind:
  • You can configure multiple conditions per rule. Traffic must match all the conditions in the rule for 
the rule to apply to that traffic. For example, you can use a single rule to perform URL filtering (URL 
condition) for specific hosts (zone or network condition).
  • For each condition in a rule, you can add up to 50 criteria. Traffic that matches any one of a condition's 
criteria satisfies the condition. For example, you can use a single rule to perform user control for up 
to 50 users and groups.
Note that you can constrain zone and network conditions by source and destination. If you add both 
source and destination criteria to a zone or network condition, matching traffic must originate from 
one of the specified source zones/networks and egress through one of the destination 
zones/networks.
In other words, the system links multiple criteria of the same condition type with an OR operation, and 
links the conditions themselves with an AND operation. For example, if your rule conditions are:
Source Networks: 10.0.0.0/8, 192.168.0.0/16
Application Category: peer to peer
the rule matches peer-to-peer application traffic from a host on either of your private IPv4 networks. 
That is, a packet must originate from one OR the other source network, AND carry peer-to-peer 
application traffic. Both of the following connections trigger the rule:
10.42.0.105 to anywhere, using LimeWire
192.168.42.05 to anywhere, using Kazaa
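The following Python model is an added illustration for this page, not FireSIGHT System code, and does not reflect how the appliance evaluates rules internally. It encodes the three mechanics stated above (criteria within a condition are ORed, conditions within a rule are ANDed, and a condition holds at most 50 criteria) and runs the rule from the example against constructed sample connections. The condition names, the connection fields, and the treatment of applications by their category rather than by name (LimeWire and Kazaa both appear here simply as "peer to peer") are assumptions made for the example.

```python
"""Hypothetical model of access control rule condition matching, written for this
page as an illustration; it is not FireSIGHT System code."""
import ipaddress

MAX_CRITERIA_PER_CONDITION = 50


def _match_network(value, criterion):
    # A host matches a network criterion when its address lies inside the prefix.
    return ipaddress.ip_address(value) in ipaddress.ip_network(criterion, strict=False)


def _match_name(value, criterion):
    # Zone and application category criteria are compared as case-insensitive names.
    return value.casefold() == criterion.casefold()


# Condition type -> (connection field it inspects, comparison applied per criterion).
# Source and destination variants are separate conditions, so adding both constrains
# traffic at both ends, as the text describes for zone and network conditions.
# These names are assumptions for the example, not product identifiers.
CONDITION_TYPES = {
    "source_networks": ("src_ip", _match_network),
    "destination_networks": ("dst_ip", _match_network),
    "source_zones": ("src_zone", _match_name),
    "destination_zones": ("dst_zone", _match_name),
    "application_category": ("app_category", _match_name),
}


def validate_rule(rule):
    """Reject unknown condition types and conditions with 0 or more than 50 criteria."""
    for name, criteria in rule.items():
        if name not in CONDITION_TYPES:
            raise ValueError(f"unknown condition type: {name}")
        if not 1 <= len(criteria) <= MAX_CRITERIA_PER_CONDITION:
            raise ValueError(f"{name}: a condition needs 1 to "
                             f"{MAX_CRITERIA_PER_CONDITION} criteria, got {len(criteria)}")


def rule_matches(rule, connection):
    """True when the connection satisfies every condition in the rule (AND), where a
    condition is satisfied by any one of its criteria (OR)."""
    validate_rule(rule)
    for name, criteria in rule.items():
        field, matcher = CONDITION_TYPES[name]
        value = connection[field]
        if not any(matcher(value, criterion) for criterion in criteria):
            return False  # one unsatisfied condition is enough for the rule not to apply
    return True


# The rule from the text: two source networks, one application category.
P2P_FROM_PRIVATE = {
    "source_networks": ["10.0.0.0/8", "192.168.0.0/16"],
    "application_category": ["peer to peer"],
}


def connection(src_ip, app_category, dst_ip="203.0.113.7",
               src_zone="inside", dst_zone="outside"):
    # Constructed sample connection record; 203.0.113.0/24 is documentation address space.
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_zone": src_zone,
            "dst_zone": dst_zone, "app_category": app_category}


if __name__ == "__main__":
    # The two connections from the text. 192.168.42.05 is written without the leading
    # zero because Python's ipaddress rejects zero-padded octets as ambiguous.
    print(rule_matches(P2P_FROM_PRIVATE, connection("10.42.0.105", "peer to peer")))   # True
    print(rule_matches(P2P_FROM_PRIVATE, connection("192.168.42.5", "peer to peer")))  # True
    # Same source network, different application category: the AND fails.
    print(rule_matches(P2P_FROM_PRIVATE, connection("10.42.0.105", "web browser")))    # False
    # Peer-to-peer traffic from a source outside both networks: the OR fails.
    print(rule_matches(P2P_FROM_PRIVATE, connection("172.16.0.9", "peer to peer")))    # False
```

Adding a destination_zones condition alongside source_zones shows the source/destination constraint: a connection then has to satisfy both, since they are separate conditions linked by AND. The validator also turns the 50-criteria limit into an error rather than silently truncating the list, which is the behaviour you want when rules are generated by a script.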