Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Understanding Rule Conditions and Condition Mechanics
You can log blocked network traffic only at the beginning of connections.
Interactive Block and Interactive Block with Reset
For HTTP traffic, the Interactive Block and Interactive Block with Reset actions give users a chance to bypass a website block by clicking through a warning page. If a user does not bypass the block, matching traffic is denied without further inspection. Interactive Block with Reset rules also reset the connection. For information on configuring the warning page, see
On the other hand, if a user bypasses the block, matching network traffic is treated identically to allowed traffic; see . When the system initially blocks a user’s HTTP request using an Interactive Block rule, it marks the beginning-of-connection event with the Interactive Block or Interactive Block with Reset action. If the user clicks through the warning page that the system displays, any additional connection events you log for the session have an action of Allow. Therefore, as with Allow rules, you can associate either type of Interactive Block rule with a file and intrusion policy. The system can also use network discovery to inspect this user-allowed traffic.
Logging options for interactively blocked traffic are identical to those in allowed traffic, but keep in mind that if a user does not bypass the interactive block, the system can log only beginning-of-connection events.
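The logging behavior described above lets you tell sessions where the user clicked through the warning page from sessions where the block held. The following Python code is an added example, not part of this guide or of the FireSIGHT System; the event records and their field names (session, user, url, phase, action) are constructed for illustration and are assumptions, not the system's export format.

```python
from collections import defaultdict

INTERACTIVE = {"Interactive Block", "Interactive Block with Reset"}

# Constructed sample connection events. Field names (session, user, url,
# phase, action) are assumptions for this example, not a FireSIGHT schema.
SAMPLE_EVENTS = [
    {"session": "s1", "user": "alice", "url": "http://games.example/", "phase": "begin", "action": "Interactive Block"},
    {"session": "s1", "user": "alice", "url": "http://games.example/", "phase": "end", "action": "Allow"},
    {"session": "s2", "user": "bob", "url": "http://games.example/", "phase": "begin", "action": "Interactive Block with Reset"},
    {"session": "s3", "user": "carol", "url": "http://intranet.example/", "phase": "begin", "action": "Allow"},
    {"session": "s3", "user": "carol", "url": "http://intranet.example/", "phase": "end", "action": "Allow"},
]


def classify_sessions(events):
    """Return {session: 'bypassed' | 'blocked'} for interactively blocked sessions."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    result = {}
    for session, evs in by_session.items():
        began_blocked = any(
            e["phase"] == "begin" and e["action"] in INTERACTIVE for e in evs
        )
        if not began_blocked:
            continue  # matched an ordinary rule, not an interactive block
        # After a click-through, additional events for the session carry Allow.
        # With no click-through, only the beginning-of-connection event exists.
        later_allow = any(e["action"] == "Allow" for e in evs)
        result[session] = "bypassed" if later_allow else "blocked"
    return result


def bypass_report(events):
    """List unique (user, url) pairs for sessions where the block was bypassed."""
    verdicts = classify_sessions(events)
    pairs = {
        (ev["user"], ev["url"])
        for ev in events
        if verdicts.get(ev["session"]) == "bypassed"
    }
    return sorted(pairs)


if __name__ == "__main__":
    print(classify_sessions(SAMPLE_EVENTS))
    print(bypass_report(SAMPLE_EVENTS))
```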
Understanding Rule Conditions and Condition Mechanics
License: Any
You can add conditions to access control rules to identify the type of traffic that matches the rule. You can add any of several types of conditions to a rule, either alone or in any combination.