Cisco Firepower Management Center 4000
14-33
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Performing File and Intrusion Inspection on Allowed Traffic
For detailed information on intrusion policies, including how to create custom policies and work with variable sets, see , , and .
When an intrusion policy associated with an access control rule generates an event, the system automatically logs the end of the associated connection to the Defense Center database, regardless of any other logging configurations in the rule. To disable this connection logging on Series 3 or virtual appliances, use the CLI. For more information, see .
In contrast, when an intrusion policy associated with the access control default action generates an intrusion event, the system does not automatically log the end of the associated connection. This is useful in intrusion detection and prevention-only deployments, where you do not want to log any connection data.
Note, however, that if you enable beginning-of-connection logging for the default action, the system does log the end of the connection when an associated intrusion policy triggers, in addition to logging the beginning of the connection. For more information, see .
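The connection-logging behaviour described above, modelled as a small decision function so you can check which connection records to expect from a given rule or default-action configuration. This is an added example, not code from the Cisco guide; the auto_end_logging_disabled flag is an assumed stand-in for the CLI setting the guide mentions for Series 3 and virtual appliances.

```python
from dataclasses import dataclass
from enum import Enum


class Attachment(Enum):
    """Where the intrusion policy is attached in the access control policy."""
    RULE = "access control rule"
    DEFAULT_ACTION = "access control default action"


@dataclass(frozen=True)
class LoggingConfig:
    attachment: Attachment
    log_at_beginning: bool = False  # beginning-of-connection logging set on the rule/default action
    log_at_end: bool = False        # end-of-connection logging set on the rule/default action
    # Assumed flag: stands in for the CLI option the guide mentions that disables the
    # automatic end-of-connection logging on Series 3 / virtual appliances.
    auto_end_logging_disabled: bool = False


def logged_connection_events(cfg: LoggingConfig, intrusion_event: bool) -> frozenset:
    """Return which connection records ('beginning', 'end') reach the Defense Center."""
    events = set()
    if cfg.log_at_beginning:
        events.add("beginning")
    if cfg.log_at_end:
        events.add("end")
    if intrusion_event:
        if cfg.attachment is Attachment.RULE:
            # A rule's intrusion policy firing logs the end of the connection regardless
            # of the rule's other logging settings, unless that was switched off via CLI.
            if not cfg.auto_end_logging_disabled:
                events.add("end")
        elif cfg.log_at_beginning:
            # The default action's intrusion policy only adds end-of-connection logging
            # when beginning-of-connection logging is already enabled on the default action.
            events.add("end")
    return frozenset(events)


if __name__ == "__main__":
    # Walk the combinations from the guide and show the resulting connection records.
    for attachment in Attachment:
        for log_begin in (False, True):
            cfg = LoggingConfig(attachment, log_at_beginning=log_begin)
            got = sorted(logged_connection_events(cfg, intrusion_event=True))
            print(f"{attachment.value:30} beginning-logging={log_begin!s:5} -> {got}")
```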
You can associate any of the following intrusion policies with an access control rule.
Cisco Authored Policies
Each of these non-modifiable default intrusion policies is tuned for a specific balance of security and connectivity. By using a default policy either out-of-the-box or as the basis for a custom policy, you can take advantage of the experience of the Cisco Vulnerability Research Team (VRT). For more information, see .
Caution: Do not use Experimental Policy 1 unless instructed to do so by a Cisco representative. Cisco uses this policy for testing.
User Created Policies
You can select a custom intrusion policy that is tailored to inspect the traffic that traverses your network and improve performance in your environment.
In addition to custom policies that you create, Cisco provides two custom policies: Initial Inline Policy and Initial Passive Policy. These two policies use the Balanced Security and Connectivity default policy as the base policy. The only difference between them is their Drop When Inline setting, which is enabled in the inline policy and disabled in the passive policy. For more information, see .
The following basic procedure explains how to associate an intrusion or file policy with a new access control rule. See for complete instructions on adding and modifying rules.
To associate an intrusion or file policy with a new access control rule:
Access: Admin/Access Admin/Network Admin
Step 1 Select Policies > Access Control.
The Access Control page appears.
Step 2 Click the edit icon next to the access control policy you want to modify.
The policy Edit page appears.