FireSIGHT System User Guide, page 14-16
Chapter 14      Understanding and Writing Access Control Rules
Working with Different Types of Conditions
  •  explains how to filter traffic by users and user groups retrieved from a Microsoft Active Directory Server.
  •  explains how to filter traffic based on a predefined list of applications provided by Cisco, custom applications, and application filters you create using the object manager.
  •  explains how to filter traffic by specified transport protocol ports.
  •  explains how to filter traffic by URL, including by statistics such as reputation and category.
Adding Zone Conditions
License: Any
The security zones on your system are comprised of interfaces on your managed devices. Zones that you add to an access control rule target the rule to devices on your network that have interfaces in those zones. You can add security zones as conditions for access control rules. See  for information on creating security zones using the object manager.
Keep the following important points in mind when you filter traffic by zone:
  • All zones in a rule must be of the same type (switched, routed, and so on).
  • You can add a passive zone only as a source zone.
  • The warning icon ( ) next to a zone in the list of available zones indicates that the zone does not include an interface. When you hover your pointer over the icon, a message explains that the zone must include at least one interface for the rule to take effect. See .
Note
In a Layer 2 deployment, you cannot block egress traffic based on destination network or destination security zone. You must instead write access control rules that block ingress traffic based on blocking source network or source security zone. For more information on Layer 2 deployments, see
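The zone rules above (same zone type throughout a rule, passive zones only as source, interface-less zones never matching, and no destination-zone blocking in a Layer 2 deployment) are easy to get wrong when many rules are maintained by hand. The following added example, which is not Cisco's code and does not use any FireSIGHT API, models those constraints as a pre-flight check that a rule author could run over rule definitions before entering them in the UI. The Zone and Rule classes, the zone type names, the interface names and the layer2_deployment flag are this example's own assumptions, and the sample zones and rules are constructed data.

```python
"""Added example (not Cisco's code): pre-flight validation of the zone
conditions of an access control rule, following the constraints stated in
the FireSIGHT guide. All class/function names and sample data are assumed."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Zone:
    name: str
    zone_type: str                     # assumed values: "routed", "switched", "passive", "inline"
    interfaces: List[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    action: str                        # assumed values: "allow" or "block"
    source_zones: List[str] = field(default_factory=list)
    dest_zones: List[str] = field(default_factory=list)


def validate_zone_conditions(rule: Rule, zones: List[Zone],
                             layer2_deployment: bool = False) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the rule's zone conditions.

    Checks mirror the guide's points:
      - all zones in one rule must be of the same type
      - a passive zone may appear only as a source zone
      - a zone with no interfaces never matches, so the rule has no effect there
      - in a Layer 2 deployment, blocking on destination zone is not possible
    """
    findings: List[Tuple[str, str]] = []
    by_name = {z.name: z for z in zones}
    used: List[Zone] = []

    for name in rule.source_zones + rule.dest_zones:
        if name not in by_name:
            findings.append(("error", f"zone '{name}' does not exist"))
        else:
            used.append(by_name[name])

    types = {z.zone_type for z in used}
    if len(types) > 1:
        findings.append(("error", f"mixed zone types in one rule: {sorted(types)}"))

    for name in rule.dest_zones:
        zone = by_name.get(name)
        if zone is not None and zone.zone_type == "passive":
            findings.append(("error", f"passive zone '{name}' can only be a source zone"))

    for zone in used:
        if not zone.interfaces:
            findings.append(("warning",
                             f"zone '{zone.name}' has no interfaces; the rule will not take effect for it"))

    if layer2_deployment and rule.action == "block" and rule.dest_zones:
        findings.append(("error",
                         "Layer 2 deployment: cannot block egress by destination zone; "
                         "block ingress by source zone instead"))
    return findings


# Constructed sample inventory and rules (not from any real deployment).
SAMPLE_ZONES = [
    Zone("inside", "routed", ["eth1"]),
    Zone("outside", "routed", ["eth2"]),
    Zone("tap", "passive", ["eth3"]),
    Zone("empty", "routed", []),
    Zone("sw-a", "switched", ["eth4"]),
]
GOOD_RULE = Rule("web-out", "allow", ["inside"], ["outside"])
BAD_RULE = Rule("broken", "allow", ["inside", "empty"], ["tap"])
L2_BLOCK_RULE = Rule("l2-egress-block", "block", [], ["sw-a"])


if __name__ == "__main__":
    for rule, l2 in ((GOOD_RULE, False), (BAD_RULE, False), (L2_BLOCK_RULE, True)):
        print(rule.name)
        for severity, msg in validate_zone_conditions(rule, SAMPLE_ZONES, l2) or [("ok", "no findings")]:
            print(f"  [{severity}] {msg}")
```

Running the module prints no findings for the first rule, three findings for the second (mixed types, passive zone used as destination, and a zone with no interfaces), and the Layer 2 destination-zone error for the third. The checks are conservative: they flag only what the guide states, and an "error" here corresponds to a configuration the UI will reject or that cannot work as intended.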
The following procedure explains how to add source and destination zone conditions while adding or editing an access control rule. See  for more detailed information.
To add zone conditions to an access control rule:
Access: Admin/Access Admin/Network Admin
Step 1   Select the Zones tab on the rule Edit page.
The Zones page appears.
Step 2   Optionally, click the Search by name prompt above the Available Zones list, then type a name or value.
The list updates as you type to display matching conditions. See  for more information.
Step 3   Click a condition in the Available Zones list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All.