14-10
FireSIGHT System User Guide
Chapter 14      Understanding and Writing Access Control Rules
Understanding Rule Conditions and Condition Mechanics
If you do not configure a particular condition for a rule, the system does not match traffic based on that 
criterion. For example, a rule with a network condition but no application condition evaluates traffic 
based on its source or destination, regardless of the application used in the session.
Note
When you apply an access control policy, the system evaluates all its rules and creates an expanded set 
of criteria that target devices use to evaluate network traffic. Complex access control policies and rules 
may command significant resources.
Note that although you can create access control rules with any license, certain rule conditions require 
that you enable specific licensed capabilities on the access control policy’s targeted devices before you 
can apply the policy.
When you add or edit an access control rule, use the tabs on the left side of the lower portion of the rule 
editor to add and edit rule conditions. The following table summarizes the types of conditions you can 
add:
 
Table 14-2      Access Control Rule Condition Types

| Condition   | Description | Supported Defense Centers | Supported Devices |
|-------------|-------------|---------------------------|-------------------|
| Zones       | A configuration of one or more interfaces where you can apply policies. Zones provide a mechanism for classifying traffic on source and destination interfaces, and you can add source and destination zone conditions to rules. See  for information on creating zones using the object manager. See  for more information on adding these conditions. | Any | Any |
| Networks    | Any combination of individual IP addresses, CIDR blocks, and prefix lengths, either specified explicitly or using network objects and groups (see ). You can add source and destination network conditions to rules. See  for more information on adding these conditions. | Any | Any |
| Geolocation | Any combination of individual countries and continents identified as the sources or destinations of monitored traffic, either specified explicitly or using geolocation objects (see ). You can add source and destination geolocation conditions to rules. See  for more information on adding these conditions. | Any except DC500 | Series 3, Virtual, ASA FirePOWER |
| VLAN Tags   | A number from 0 to 4094 that identifies traffic on your network by VLAN. See  for information on creating individual and group VLAN Tag objects using the object manager. See  for more information on adding these conditions. | Any | Any, except ASA FirePOWER |
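The matching semantics described above (a condition that is not configured does not constrain the match, so a network-only rule matches regardless of application) and the "expanded set of criteria" note can be modelled in a few lines. This Python model is an added illustration, not code from the guide or the product; the rule names, zone names, addresses, top-down first-match evaluation order and the product-of-counts expansion estimate are assumptions.

```python
import ipaddress

VLAN_MIN, VLAN_MAX = 0, 4094  # valid VLAN tag range given in Table 14-2
CONDITIONS = ("src_zones", "dst_zones", "src_nets", "dst_nets", "vlan_tags", "apps")

def make_rule(name, **conditions):
    """Build a rule; a condition not supplied stays None (unconfigured) and never constrains matching."""
    rule = {"name": name, **{c: None for c in CONDITIONS}}
    for key, value in conditions.items():
        if key in ("src_nets", "dst_nets"):  # CIDR blocks or single addresses
            value = [ipaddress.ip_network(n) for n in value]
        if key == "vlan_tags" and any(not VLAN_MIN <= t <= VLAN_MAX for t in value):
            raise ValueError("VLAN tag outside 0-4094")
        rule[key] = value
    return rule

def _in_nets(addr, nets):
    return any(ipaddress.ip_address(addr) in net for net in nets)

def rule_matches(rule, flow):
    """Every configured condition must match; unconfigured ones match any traffic."""
    tests = {
        "src_zones": lambda c: flow["src_zone"] in c,
        "dst_zones": lambda c: flow["dst_zone"] in c,
        "src_nets": lambda c: _in_nets(flow["src_ip"], c),
        "dst_nets": lambda c: _in_nets(flow["dst_ip"], c),
        "vlan_tags": lambda c: flow["vlan"] in c,
        "apps": lambda c: flow["app"] in c,
    }
    return all(tests[k](rule[k]) for k in CONDITIONS if rule[k] is not None)

def first_match(rules, flow):
    """Evaluate rules in order and return the first matching rule's name (assumed top-down order)."""
    return next((r["name"] for r in rules if rule_matches(r, flow)), None)

def expanded_criteria_count(rule):
    """Simplified model of the expansion at policy apply: one criterion per combination of values."""
    count = 1
    for k in CONDITIONS:
        if rule[k] is not None:
            count *= len(rule[k])
    return count

# Constructed sample: a zone+network+application rule placed above a network-only rule.
RULES = [
    make_rule("web-to-dmz", src_zones={"inside"}, dst_nets=["10.10.0.0/24"], apps={"HTTP"}),
    make_rule("lan-any-app", src_nets=["192.168.1.0/24"]),
]
SSH_FLOW = {"src_zone": "inside", "dst_zone": "dmz", "src_ip": "192.168.1.7",
            "dst_ip": "10.10.0.5", "vlan": 100, "app": "SSH"}
```

An SSH session from 192.168.1.7 skips the first rule (its application condition fails) and lands on the network-only rule, which never looked at the application; the expansion count grows multiplicatively with each configured condition, which is the resource cost the note warns about.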