Cisco Firepower Management Center 4000
14-34
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Logging Connection, File, and Malware Information
Step 3 Click Add Rule.
The Add Rule page appears.
Step 4 Ensure the Action is set to Allow, Interactive Block, or Interactive Block with reset.
Step 5 Select the Inspection tab.
The Inspection page appears.
Tip To open a new browser tab where you can edit your associated file policy, user-created intrusion policy,
or variable set, click the edit icon next to the appropriate drop-down list.
Step 6 Select an Intrusion Policy then, if you selected a user-created intrusion policy, optionally link a
Variable Set to the intrusion policy. See for more information.
Select None to disable intrusion inspection for traffic that matches the access control rule.
Caution Do not select Experimental Policy 1 unless instructed to by a Cisco representative. Cisco uses this
policy for testing.
Step 7 Select a File Policy.
Select None to disable file inspection for traffic that matches the access control rule.
Step 8 Click Add to save your changes.
The rule is added and the policy Edit page appears.
Logging Connection, File, and Malware Information
License: Any
For each access control rule in your policies, you must decide whether you want to log connection data
for the traffic that matches the conditions in the rule. Tying connection logging to individual rules gives
you granular control over the connections you want to log. An access control rule’s logging
configuration also determines whether you log file and malware events associated with the connection.
Tip You can log two other types of connection data, outside of access control rules. First, you can log
connections handled by the default action. You can also log the decision made by the system to either
deny (blacklist) or inspect (blacklist set to monitor-only) a connection based on Security Intelligence
data.
Deciding Which Connections to Log
You should log connections according to the security and compliance needs of your organization. If your
goal is to limit the number of events you generate, only enable logging for the rules critical to your
analysis. However, if you want a broad view of your network traffic, you can enable logging for
additional access control rules or for the default action.