FireSIGHT System User Guide
 
Chapter 14: Understanding and Writing Access Control Rules
Logging Connection, File, and Malware Information
For connections where an intrusion was blocked, the associated action in the connection log is Block with a reason of Intrusion Block, even though you associated the intrusion policy with an Allow rule.

Note that when an intrusion policy associated with the access control default action generates an intrusion event, the system does not automatically log the end of the associated connection. This is useful for intrusion detection and prevention-only deployments, where you do not want to log any connection data. For more information, see .
Logging the Default Action
The options for logging traffic handled by the policy default action largely parallel the options for logging traffic handled by individual access control rules. For example, if your default action blocks all traffic, you cannot log end-of-connection events for the default action. For more information, see
Logging Security Intelligence Filtering Decisions
Logging blacklisted connections allows you to generate a connection event when the system detects network traffic to or from a blacklisted IP address.

Events generated by Security Intelligence filtering represent the beginning of a connection and the decision made by the system to either deny (blacklist) or inspect (blacklist set to monitor-only) the connection. For these inspected connections, the system may generate additional connection events depending on the logging settings in the access control rule or default action that later handles the connection.

The options for logging Security Intelligence filtering decisions are similar to the options for logging traffic handled by individual access control rules. For detailed information, see .
Understanding the Connection Log
The information available for any individual connection event depends on several factors, including the options you set when configuring connection logging. For details, see

The following procedure explains how to set a new rule to log a connection in traffic that matches the conditions of an access control rule. See complete instructions on adding and modifying rules.
To configure an access control rule to log connection, file, and malware information:

Access: Admin/Access Admin/Network Admin

Step 1  Select Policies > Access Control.
        The Access Control page appears.

Step 2  Click the edit icon next to the access control policy you want to modify.
        The policy Edit page appears.

Step 3  Click Add Rule.
        The Add Rule page appears.

Step 4  Select the Logging tab.
        The Logging tab appears. The following graphic shows the Logging page for a rule associated with a file policy.