Cisco Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Performing File and Intrusion Inspection on Allowed Traffic
Step 6
Optionally, click the add icon above the Categories and URLs list to add an individual URL object.
You can specify a single URL in each individual URL object you add. You can then select objects you
added as conditions for your rule. See
and
for more information.
Step 7
Optionally, click the Enter URL prompt beneath the Selected URLs list, type a literal URL, then click Add.
The list updates to display your entry. See
for more information.
Note that you cannot specify a reputation level for a literal URL.
Step 8
Save or continue editing the rule.
You must apply the access control policy for your changes to take effect; see
.
Performing File and Intrusion Inspection on Allowed Traffic
License: Protection or Malware
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
In addition to handling traffic matching the conditions in an access control rule, you can perform further
inspection on allowed traffic by associating the rule with an intrusion or file policy.
When you make this association, you are telling the system that before it passes traffic that matches the
access control rule’s conditions, you first want to inspect the traffic with an intrusion policy, a file policy,
or both. Depending on your deployment and on policy configurations, both intrusion and file policies
can prevent network traffic from reaching its intended destination.
As shown in the diagram below, for traffic that matches an Allow or user-bypassed Interactive Block
rule:
• the system automatically performs discovery on the networks listed in the currently applied network discovery policy,
• an optional file policy performs file control and AMP, and
• an optional intrusion policy performs detection and prevention.
Because file inspection occurs before any intrusion policy inspection, blocked files (including malware)
are not inspected for intrusion-related exploits.
For more information on Allow and Interactive Block rules, and why only access control rules with those
actions can trigger additional inspection, see
. Also note that you
can associate an intrusion policy, but not a file policy, with the access control default action.