Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 14: Understanding and Writing Access Control Rules
Working with Different Types of Conditions
Note
To apply an access control policy that contains geolocation conditions, target managed devices must be running Version 5.3 or later of the FireSIGHT System.
You can add either of the following kinds of geolocation conditions to an access control rule:
  • continents and countries that you select directly from the Geolocation tab of the Available Networks list
  • geolocation objects that you have created using the object manager, which represent custom combinations of countries and continents
See  for information on creating geolocation objects using the object manager.
The following procedure explains how to add source and destination geolocation conditions while adding or editing an access control rule. See  for more detailed information.
To add geolocation conditions to an access control rule:
Access: Admin/Access Admin/Network Admin
Step 1
Select the Networks tab on the rule Edit page.
The Networks page appears.
Step 2
Under Available Networks, select the Geolocation tab.
The Geolocation page appears.
Step 3
Optionally, click the Search by name or value prompt above the Available Networks list, then type the name of a country, continent, object, or country ISO code (such as USA or CHN).
The list updates as you type to display matching conditions. See  for more information.
Step 4
Click a condition (country or continent) in the Available Networks list. Use the Shift and Ctrl keys to select multiple conditions, or right-click and then click Select All.
If you select a continent, all countries associated with that continent are automatically selected, as well as any countries that GeoDB updates may add under that continent in the future. Deselecting any country under a continent deselects that continent as a whole, thereby disabling the automatic addition of future countries there. You can select any combination of countries and continents.
Conditions you select are highlighted.
Step 5
You have the following choices:
  • To filter traffic by source country or continent, click Add to Source.
  • To filter traffic by destination country or continent, click Add to Destination.
Alternatively, you can drag and drop selected conditions into the Source Networks or Destination Networks list.
Conditions you selected are added. Note that you can add the same condition as both a source country/continent and a destination country/continent.
Step 6
Save or continue editing the rule.
You must apply the access control policy for your changes to take effect; see 
.