Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Working with Different Types of Conditions
When the system processes an access control rule containing an application condition, packets that
otherwise match that rule are allowed and inspected using the default intrusion policy until an
application is identified in the session. If the application matches the condition in the rule, then the
system applies the rule action. Otherwise, the remaining access control rules in the policy are
evaluated. Application identification should occur within 3 to 5 packets. If it does not, confirm that
your network discovery policy is up-to-date and applied to all devices and does not exclude any of
the networks and ports configured in the access control rule.
• To create a rule to act on traffic referred by a web server, such as advertisement traffic, add a
condition for the referred application rather than the referring application. For more information,
see .
• At least one detector must be enabled (see ) for each application rule condition in the policy.
If no detector is enabled for an application, the system automatically enables all Cisco-provided
detectors for the application; if none exist, the system enables the most recently modified
user-defined detector for the application. See
See the following sections for more information:
•
•
Understanding Application Condition Lists
License: Control
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
The Applications conditions page displays three lists:
• The Application Filters list on the left displays filters that you can select to constrain the
applications listed in the Available Applications list.
• The Available Applications list in the middle provides applications from which you can select those
you want to add as conditions to your rule.
• The Selected Applications list on the right displays the applications that you have added to your rule.
Note the following when selecting the filters in the Application Filters list whose applications you want
to display in the Available Applications list:
• You can select multiple filters in the Application Filters list under any combination of filter types
provided by Cisco.
The system links multiple filters of the same filter type with an OR operation. For example, if you
select the Medium and High filters under the Risks type, the resulting filter is:
Risk: Medium OR High
If, for example, the Medium filter contained 110 applications and the High filter contained 82
applications, the system would display all 192 applications in the Available Applications list.
The system links different types of filters with an AND operation. For example, if you select the
Medium and High filters under the Risks type, and the Medium and High filters under the Business
Relevance type, the resulting filter is:
Risk: Medium OR High
AND
Business Relevance: Medium OR High
In this case, the system would display only those applications that are included in both the Medium
or High Risk type AND the Medium or High Business Relevance type.
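The following Python sketch is an added example, not part of the Cisco guide or the FireSIGHT software. It models the OR-within-type and AND-across-types filter logic described above, so you can check how a second filter type narrows the application set a rule condition would cover. The catalog, application names, and function names are constructed for illustration.

```python
# Constructed sample catalog (not Cisco's application database). Assumption:
# each application carries exactly one value per filter type.
CATALOG = {
    "app-a": {"Risk": "High", "Business Relevance": "Low"},
    "app-b": {"Risk": "Medium", "Business Relevance": "High"},
    "app-c": {"Risk": "Low", "Business Relevance": "High"},
    "app-d": {"Risk": "High", "Business Relevance": "Medium"},
}


def group_filters(selected):
    """Group (filter_type, value) pairs by type, keeping selection order."""
    grouped = {}
    for ftype, value in selected:
        values = grouped.setdefault(ftype, [])
        if value not in values:
            values.append(value)
    return grouped


def describe(selected):
    """Render the resulting filter in the guide's notation."""
    return " AND ".join(
        f"{ftype}: {' OR '.join(values)}"
        for ftype, values in group_filters(selected).items()
    )


def available_applications(catalog, selected):
    """Apps matching the filters: OR within a type, AND across types."""
    # Assumption: with no filter selected, the list is unconstrained.
    grouped = group_filters(selected)
    return sorted(
        name
        for name, attrs in catalog.items()
        if all(attrs.get(ftype) in values for ftype, values in grouped.items())
    )


RISK_ONLY = [("Risk", "Medium"), ("Risk", "High")]
RISK_AND_RELEVANCE = RISK_ONLY + [("Business Relevance", v) for v in ("Medium", "High")]

if __name__ == "__main__":
    for selection in (RISK_ONLY, RISK_AND_RELEVANCE):
        print(describe(selection), "->", available_applications(CATALOG, selection))
```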