Cisco Firepower Management Center 4000
14-32
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Performing File and Intrusion Inspection on Allowed Traffic
Tip
The system does not perform any kind of inspection on trusted traffic. Although configuring an Allow
rule with neither an intrusion nor file policy passes traffic like a Trust rule, Allow rules let you perform
discovery on matching traffic.
An access control policy can have multiple access control rules associated with file and intrusion
policies, which allows you to match different inspection profiles against different types of traffic on your
network.
Note that the number of unique intrusion policies you can use in a single access control policy depends
on the model of the target devices; more powerful devices can handle more. Note also that the system
counts each unique combination of an intrusion policy and its linked variable set as a single intrusion
policy. The system does not allow you to apply an access control policy if the target devices have
insufficient resources to perform inspection. If you attempt to apply an access control policy with more
intrusion policies than your device can support, a pop-up window warns that you have exceeded the
maximum number of intrusion policies supported by the device.
Tip
If you exceed the number of intrusion policies supported by your device, reevaluate your access control
policy. You may want to consolidate intrusion policies so you can associate a single intrusion policy with
multiple access control rules.
File Policies and Access Control Rules
A file policy is a set of configurations that the system uses to perform file control — that is, to detect and
block your users from uploading (sending) or downloading (receiving) files of specific types over
specific application protocols. With a Malware license, file policies also allow you to inspect a restricted
set of those files for malware, and optionally block detected malware. For detailed information on file
policies, see
When you associate a file policy with an access control rule, the Defense Center automatically enables
file and malware event logging for that file policy. Cisco recommends that you leave this logging setting
enabled.
Also, when a file policy generates an event, the system automatically logs the end of the associated
connection to the Defense Center database, regardless of any other logging configurations in the
invoking access control rule. For more information, see
Note that because you cannot use a Malware license with a DC500, you cannot use that appliance to
apply file policies that include rules with the Block Malware or Malware Cloud Lookup action.
Similarly, because you cannot enable a Malware license on a Series 2 device, you cannot apply a file
policy that includes rules with these actions to those appliances.
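The two apply-time constraints described above (the per-device limit on unique intrusion policy and variable set combinations, and the Malware license restriction on DC500 and Series 2 appliances) are easy to check before you click Apply. The following Python is an added example written for this guide, not Cisco code: the device limits, model names, policy names and rules are constructed placeholders, and the real per-model limits are not stated on this page.

```python
"""Pre-apply sanity check for an access control policy (added example, not Cisco code).

Models two behaviours described in the guide:
  * the system counts each unique (intrusion policy, variable set) pair as one
    intrusion policy against the target device's limit;
  * file policies with Block Malware or Malware Cloud Lookup rules cannot be
    applied through a DC500 or to Series 2 devices.
All limits, device names and policy names below are hypothetical sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DEFAULT_VARIABLE_SET = "Default Set"
MALWARE_ACTIONS = frozenset({"Block Malware", "Malware Cloud Lookup"})

# Hypothetical per-model limits; real values depend on the device model.
MAX_INTRUSION_POLICIES = {"small-device": 3, "large-device": 10}


@dataclass
class FilePolicy:
    name: str
    rule_actions: frozenset  # actions used by the file rules in this policy


@dataclass
class AccessRule:
    name: str
    action: str  # "Allow", "Trust", "Block", ...
    intrusion_policy: Optional[str] = None
    variable_set: Optional[str] = None  # None means the default set is used
    file_policy: Optional[FilePolicy] = None


@dataclass
class Device:
    name: str
    model: str  # key into MAX_INTRUSION_POLICIES
    series2: bool = False


def inspection_profiles(rules):
    """Unique (intrusion policy, variable set) pairs, counted as the system counts them."""
    pairs = set()
    for r in rules:
        if r.intrusion_policy:
            pairs.add((r.intrusion_policy, r.variable_set or DEFAULT_VARIABLE_SET))
    return pairs


def consolidation_candidates(rules):
    """Intrusion policies linked with more than one variable set: each extra set costs a slot."""
    sets_by_policy = defaultdict(set)
    for policy, var_set in inspection_profiles(rules):
        sets_by_policy[policy].add(var_set)
    return {p: s for p, s in sets_by_policy.items() if len(s) > 1}


def validate(rules, devices, defense_center_model):
    """Return the list of problems that would prevent the policy from applying."""
    problems = []
    count = len(inspection_profiles(rules))
    for d in devices:
        limit = MAX_INTRUSION_POLICIES[d.model]
        if count > limit:
            problems.append(f"{d.name}: {count} intrusion policies exceeds limit of {limit}")
    malware_rules = [r for r in rules
                     if r.file_policy and r.file_policy.rule_actions & MALWARE_ACTIONS]
    if malware_rules:
        names = ", ".join(r.name for r in malware_rules)
        if defense_center_model == "DC500":
            problems.append(f"DC500 cannot apply malware actions (rules: {names})")
        for d in devices:
            if d.series2:
                problems.append(f"{d.name} (Series 2) cannot apply malware actions (rules: {names})")
    return problems


# Constructed sample policy: four distinct inspection profiles, one AMP file policy.
SAMPLE_RULES = [
    AccessRule("web-default", "Allow", "Balanced Security and Connectivity"),
    AccessRule("web-dmz", "Allow", "Balanced Security and Connectivity", "DMZ Vars"),
    AccessRule("ftp", "Allow", "Connectivity over Security",
               file_policy=FilePolicy("Block Executables", frozenset({"Block Files"}))),
    AccessRule("servers", "Allow", "Security over Connectivity", "Server Vars",
               file_policy=FilePolicy("AMP", frozenset({"Malware Cloud Lookup"}))),
    AccessRule("backup-net", "Trust"),
]
SAMPLE_DEVICES = [Device("dev-a", "small-device"), Device("dev-b", "large-device", series2=True)]

if __name__ == "__main__":
    for problem in validate(SAMPLE_RULES, SAMPLE_DEVICES, "DC1500"):
        print("PROBLEM:", problem)
    for policy, sets in consolidation_candidates(SAMPLE_RULES).items():
        print(f"consider consolidating {policy!r}: linked to {sorted(sets)}")
```

Run against the sample data, the check reports that dev-a is over its (hypothetical) limit and that dev-b cannot take the AMP file policy, and points out that "Balanced Security and Connectivity" is consuming two slots because it is linked to two variable sets, which is exactly the consolidation the Tip above suggests.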
Intrusion Policies and Access Control Rules
An intrusion policy is a set of intrusion detection and prevention configurations that the system uses to
analyze network traffic and, optionally, drop offending packets. The system logs intrusion policy
violations as intrusion events.
Intrusion rules that you enable in an intrusion policy can use variables instead of literal values
to more conveniently identify source and destination IP addresses and ports in your network traffic. You
manage variables within variable sets. You can link different variable sets with customized values to
different intrusion policies to more precisely match your network traffic. By default, an intrusion policy
you associate with an access control rule uses the variable values in the default variable set. Optionally,
you can link a custom variable set to an intrusion policy.
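To see why the choice of variable set matters, the following Python resolves a Snort-style rule header against two variable sets and tests it against sample flows. It is an added example, not FireSIGHT code; the rule, the variable set contents (the default set's any/any values and a constructed "DMZ" set) and the flows are all assumed sample data.

```python
"""Resolve intrusion-rule variables against a variable set (added example, not FireSIGHT code).

The same rule header matches different traffic depending on which variable set
it is evaluated with. Rule syntax is Snort-style; variable sets and flows are
constructed sample data.
"""
import ipaddress

SNORT_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS"

# Assumed contents of a default-style set: HOME_NET and EXTERNAL_NET are both "any",
# so the rule also fires on traffic that never leaves the internal network.
DEFAULT_SET = {"$HOME_NET": "any", "$EXTERNAL_NET": "any", "$HTTP_PORTS": [80, 8080]}

# Assumed custom set for a policy that protects only DMZ web servers.
DMZ_SET = {
    "$HOME_NET": "203.0.113.0/24",
    "$EXTERNAL_NET": "!203.0.113.0/24",
    "$HTTP_PORTS": [80, 443, 8443],
}


def addr_matches(spec, ip):
    """spec is 'any', a CIDR string, or '!CIDR' meaning everything outside that network."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return not hit if negate else hit


def port_matches(spec, port):
    """spec is 'any' or a list of port numbers."""
    return spec == "any" or port in spec


def header_matches(rule, var_set, src_ip, src_port, dst_ip, dst_port):
    """Evaluate 'action proto SRC SPORT -> DST DPORT' against one flow using var_set."""
    _action, _proto, src, sport, arrow, dst, dport = rule.split()
    if arrow != "->":
        raise ValueError("only unidirectional rule headers are supported here")

    def addr(token):
        return var_set[token] if token.startswith("$") else token

    def port(token):
        if token.startswith("$"):
            return var_set[token]
        return "any" if token == "any" else [int(token)]

    return (addr_matches(addr(src), src_ip) and port_matches(port(sport), src_port)
            and addr_matches(addr(dst), dst_ip) and port_matches(port(dport), dst_port))


if __name__ == "__main__":
    # Constructed flows: one internal-to-internal, one Internet-to-DMZ on 443.
    flows = [("10.0.0.5", 4444, "10.0.0.9", 80), ("198.51.100.7", 5555, "203.0.113.10", 443)]
    for name, vs in (("default", DEFAULT_SET), ("dmz", DMZ_SET)):
        for f in flows:
            print(f"{name:8} {f[0]}:{f[1]} -> {f[2]}:{f[3]}  match={header_matches(SNORT_RULE, vs, *f)}")
```

With the default-style set the rule matches the internal-to-internal flow (because HOME_NET and EXTERNAL_NET are both "any") but misses the DMZ flow on 443, which is not in its HTTP_PORTS; with the DMZ set the outcome is reversed. Linking a tuned variable set to the intrusion policy used by the DMZ access control rule is what makes the rule fire on the traffic it was written for.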