Cisco Cisco Firepower Management Center 4000
14-29
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Working with Different Types of Conditions
•
If you want the rule to block traffic (the rule action is
Block
,
Block with reset
,
Interactive Block
, or
Interactive Block with reset
) selecting a reputation level also selects all reputations more severe than
that level. For example, if you configure a rule to block
Suspicious sites
(level 2), it also automatically
blocks
High risk
(level 1) sites.
•
If you want the rule to allow traffic (the rule action is
Allow
,
Trust
, or
Monitor
), selecting a reputation
level also selects all reputations better than that level. For example, if you configure a rule to allow
Benign sites
(level 4), it also automatically allows
Well known
(level 5) sites.
If you change the rule action for a rule, the system automatically changes the reputation levels in URL
conditions according to the above points. If you do not specify a reputation level, the system defaults to
conditions according to the above points. If you do not specify a reputation level, the system defaults to
any
, meaning all levels. For example, you could block all malware sites, regardless of reputation. You
can also use
any
to represent any category. For example, you could block all URLs that match
any
category, but have a
High risk
reputation.
Using Literal URLs, URL Objects, and URL Groups
You are not limited to creating URL conditions using categories and reputations; you can specify
individual URLs or groups of URLs to achieve more granular, custom control over allowed and blocked
URLs. This is also the only kind of URL filtering you can perform without a special license. You can
add either of the following kinds of URL conditions to an access control rule:
individual URLs or groups of URLs to achieve more granular, custom control over allowed and blocked
URLs. This is also the only kind of URL filtering you can perform without a special license. You can
add either of the following kinds of URL conditions to an access control rule:
•
individual URL objects and URL object groups, which represent individual URLs and groups of
URLs, respectively; see
URLs, respectively; see
Unlike URL categories, you cannot qualify URL objects and groups with reputations. If the existing
URL objects do not meet your needs, you can create a URL object on the fly while creating a URL
condition. You can then use the new object in your rule and in other existing and future rules. For
more information, see
URL objects do not meet your needs, you can create a URL object on the fly while creating a URL
condition. You can then use the new object in your rule and in other existing and future rules. For
more information, see
•
literal URLs; see
for more information
Unlike creating a URL object on the fly, adding a literal URL to an access control rule does not allow
you to reuse the URL in other rules.
you to reuse the URL in other rules.
To determine whether network traffic matches a URL condition, the system performs a simple substring
match. If the value of a URL object or literal URL matches any part of a URL requested by a monitored
host, the URL condition of the access control rule is satisfied. For example, if you allow all traffic to
example.com, your users could browse to URLs including:
match. If the value of a URL object or literal URL matches any part of a URL requested by a monitored
host, the URL condition of the access control rule is satisfied. For example, if you allow all traffic to
example.com, your users could browse to URLs including:
•
http://example.com/
•
http://example.com/newexample
•
http://www.example.com/
This means that when specifying individual URLs in URL conditions, you must carefully consider other
traffic that might be affected. For example, consider a scenario where you want to explicitly block
ign.com (a gaming site). However, substring matching means that blocking ign.com also blocks
verisign.com, which might not be your intent.
traffic that might be affected. For example, consider a scenario where you want to explicitly block
ign.com (a gaming site). However, substring matching means that blocking ign.com also blocks
verisign.com, which might not be your intent.
Note that to block HTTPS traffic, you can enter the common name from the Secure Sockets Layer (SSL)
certificate for the traffic. When entering a URL from a certificate, enter the domain name and omit
subdomain information. (For example, type
certificate for the traffic. When entering a URL from a certificate, enter the domain name and omit
subdomain information. (For example, type
example.com
rather than
www.example.com
.) If you block
traffic based on the certificate URL, both HTTP and HTTPS traffic to that website are blocked.
Choosing a URL Filtering Strategy
When deciding how to build a URL condition, keep in mind that although using URL literals, objects,
and groups gives you precise control over allowed and blocked URLs, you must be careful to make sure
that your rules do not have unintended consequences.
and groups gives you precise control over allowed and blocked URLs, you must be careful to make sure
that your rules do not have unintended consequences.