Cisco Cisco Firepower Management Center 4000
14-30
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Working with Different Types of Conditions
Alternately, relying on category and reputation data from the Cisco cloud gives you less precise control,
but simplifies policy creation and administration. It also grants you more assurance that the system will
filter URLs as expected. More important, because the cloud is continually updated with new URLs, as
well as new categories and risks for existing URLs, using the cloud ensures that the system uses
up-to-date information to filter requested URLs. Malicious sites that represent security threats such as
malware, spam, botnets, and phishing may appear and disappear faster than you can update and apply
new policies.
For example:
• If a rule blocks all gaming sites, as new domains get registered and classified as Gaming, the system can block those sites automatically.
• If a rule blocks all malware, and a blog page gets infected with malware, the cloud can recategorize the URL from Blog to Malware and the system can block that site.
• If a rule blocks high-risk social networking sites, and somebody posts a link on their profile page that contains links to malicious payloads, the cloud can change the reputation of that page from Benign sites to High risk so the system can block it.
Search Query Parameters in URLs
Note that the system does not use search query parameters in the URL to match URL conditions. For
example, consider a scenario where you block all shopping traffic. In that case, using a web search to
search for amazon.com is not blocked, but browsing to amazon.com is.
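A simplified model of the matching behaviour described above and in the cloud recategorization examples, added here as an illustration; it is not Cisco's code or the FireSIGHT matching engine. The hosts, the lookup table, the Shopping, Search Engines and Social Network category names, and the exact-match handling of reputation levels are assumptions.

```python
from urllib.parse import urlsplit

ANY = "Any"  # reputation wildcard, as in the Reputations window

def lookup(url, cloud):
    """Return (category, reputation) for a URL from its host alone.
    The query string is discarded on purpose: per the guide, search query
    parameters are not used to match URL conditions.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return cloud.get(host, ("Uncategorized", "Unknown"))

def verdict(url, conditions, cloud):
    """'block' if any (category, reputation) condition matches, else 'allow'.
    Assumption: a reputation level matches only itself unless it is ANY.
    """
    category, reputation = lookup(url, cloud)
    for cond_category, cond_reputation in conditions:
        if cond_category == category and cond_reputation in (ANY, reputation):
            return "block"
    return "allow"

def demo():
    # Constructed sample data standing in for the cloud's answers.
    cloud = {
        "amazon.com": ("Shopping", "Benign sites"),
        "search.example": ("Search Engines", "Benign sites"),
        "blog.example": ("Blog", "Benign sites"),
        "social.example": ("Social Network", "Benign sites"),
    }
    rule = [("Shopping", ANY), ("Malware", ANY), ("Social Network", "High risk")]
    out = {
        "browse": verdict("https://www.amazon.com/", rule, cloud),
        "search": verdict("https://search.example/?q=amazon.com", rule, cloud),
        "blog_before": verdict("http://blog.example/post", rule, cloud),
        "social_before": verdict("http://social.example/u/1", rule, cloud),
    }
    # The cloud updates its data; the rule itself is unchanged.
    cloud["blog.example"] = ("Malware", "High risk")
    cloud["social.example"] = ("Social Network", "High risk")
    out["blog_after"] = verdict("http://blog.example/post", rule, cloud)
    out["social_after"] = verdict("http://social.example/u/1", rule, cloud)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When auditing a category block, this is the distinction to check in connection logs: the verdict follows the requested host's current category and reputation, not any domain named in the query string.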
The following procedure explains how to add URL conditions to an access control rule while adding or
editing the rule. See
detailed information.
To add URL conditions to an access control rule:
Access: Admin/Access Admin/Network Admin
Step 1  Select the URLs tab.
The URLs page appears.
Step 2  Optionally, click the Search by name or value prompt above the Available Users list, then type a name or value.
The list updates as you type to display matching conditions. See
for more information.
Step 3  Click a condition in the Categories and URLs list to select the condition. Use the Shift and Ctrl keys to select multiple conditions. To clear selected conditions, click any condition in the list.
Note that selecting all conditions in the Categories and URLs list exceeds the maximum of 50 items you can add to the Selected URLs list.
Conditions you select are highlighted.
Step 4  Optionally, click a reputation level in the Reputations window. Note that you can select only a single reputation level even though you can right-click and then click Select All to select Any.
The level you selected is highlighted.
Step 5  You have the following choices:
• Click Add to Rule.
• Drag and drop selected conditions into the Selected URLs list.
Conditions you selected are added with selected reputation levels appended.