FireSIGHT System User Guide
 
Chapter 13 Using Access Control Policies
Organizing Rules in a Policy
Step 2  Click the edit icon next to the access control policy you want to modify.
The policy Edit page appears.
Step 3  Click Filter by Device above the list of rules.
The Filter by Device pop-up window appears. If you have added devices or device groups to your policy, a list of the targeted devices and device groups appears.
Step 4  Select one or more of the check boxes to display only the rules that apply to those devices or groups. Alternatively, select the All check box to reset the filter and display all of the rules.
Step 5  Click the OK button to update the list of rules.
The page updates to display the rules for the devices and device groups you selected and to hide the rules for the devices and device groups you did not select.
Tip
Filters are cleared if you add a new rule, or if you edit and save an existing rule.
Working with Warnings and Errors
License: Any
Because of the number of configurable elements in an access control policy, policies can be very 
complex. Rules may be preempted by other rules. Functionality may be configured that depends on 
configuration outside of the access control policy. To help ensure that the policy you configure has the 
result you expect, the access control policy interface has a robust warning and error feedback system. If 
a rule or other element within a policy has a warning, the policy can be applied, but that piece of 
configuration will have no effect. If an element has an error, policy apply will fail unless the erroneous 
configuration is corrected. 
To view the warning text for an object in the policy, hover your pointer over the warning icon next to it. To view the error text for an object, hover your pointer over the error icon next to it.
If you disable a rule with a warning, the warning icon disappears. It reappears if you enable the rule without correcting the underlying issue. If you disable a rule with an error, note that the error icon remains and the policy will still not apply even with the rule disabled.
Understanding Invalid Configurations
Because outside settings that the access control policy depends on may change, an access control policy 
setting that was valid may become invalid. 
For example, if you have a URL condition in a rule, the rule might be valid until you choose to target a 
device that does not have a URL Filtering license. At that point, an error icon appears next to the rule, 
and you cannot apply the policy to that device until you edit or delete the rule, retarget the policy, or 
enable the appropriate license. 
In another example, if you add a port group to the source ports in a rule, then change the port group to 
include an ICMP port, the rule becomes invalid and a warning icon appears next to it. You can still apply 
the policy, but the rule will not actually be applied to targeted devices. 
Similarly, if you add a user to a rule, then change your LDAP user awareness settings to exclude that 
user, that rule will no longer apply because the user is no longer an access controlled user.
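The warning and error semantics described in this section and the three invalid-configuration cases above, modelled as an added example. This is illustration code written for this page, not Cisco software, and it does not reproduce the FireSIGHT validation engine. The devices, licenses, port group contents, access-controlled user list and rules are constructed sample data; policy apply is treated as all-or-nothing across the targeted devices, and reporting an excluded user as a warning icon is an assumption (the page only says the rule stops applying).

```python
"""Added illustration of the access control policy warning/error semantics.

Example code, not Cisco software. Devices, licenses, port groups, the
access-controlled user list and the rules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    licenses: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool = True
    url_categories: Tuple[str, ...] = ()      # non-empty means the rule has a URL condition
    source_port_groups: Tuple[str, ...] = ()  # port group objects used as source ports
    users: Tuple[str, ...] = ()               # user conditions
    targets: FrozenSet[str] = frozenset()     # empty: rule applies to every policy target


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "warning" or "error"
    text: str


def rule_targets(rule: Rule, policy_targets: Iterable[Device]) -> List[Device]:
    """Devices the rule would be applied to."""
    return [d for d in policy_targets if not rule.targets or d.name in rule.targets]


def validate(rules: Iterable[Rule], policy_targets: List[Device],
             port_groups: Dict[str, Set[str]], access_controlled_users: Set[str]) -> List[Finding]:
    """Produce the warnings and errors the policy editor would show.

    Errors are reported even on disabled rules (the error icon remains and apply
    still fails); warnings are cleared when a rule is disabled.
    """
    findings: List[Finding] = []
    for r in rules:
        # Error: a URL condition on a rule that targets a device without a URL Filtering license.
        if r.url_categories:
            for d in rule_targets(r, policy_targets):
                if "URL Filtering" not in d.licenses:
                    findings.append(Finding(r.name, "error",
                                            f"device {d.name} has no URL Filtering license"))
        if not r.enabled:
            continue
        # Warning: a source port group that now includes an ICMP port; rule is applied but has no effect.
        for g in r.source_port_groups:
            if any(p.upper().startswith("ICMP") for p in port_groups.get(g, set())):
                findings.append(Finding(r.name, "warning",
                                        f"source port group {g} contains an ICMP port"))
        # A user excluded from user awareness is no longer access-controlled, so the rule no longer
        # applies. Surfacing this as a warning is an assumption of this example.
        for u in r.users:
            if u not in access_controlled_users:
                findings.append(Finding(r.name, "warning", f"{u} is not an access-controlled user"))
    return findings


def can_apply(findings: Iterable[Finding]) -> bool:
    """Apply fails while any error exists; warnings alone do not block apply."""
    return not any(f.severity == "error" for f in findings)


def effective_rules(rules: Iterable[Rule], findings: Iterable[Finding]) -> List[str]:
    """Rules that would actually take effect on the devices: enabled and not flagged."""
    flagged = {f.rule for f in findings}
    return [r.name for r in rules if r.enabled and r.name not in flagged]


def filter_by_device(rules: Iterable[Rule], selected: Set[str]) -> List[str]:
    """The Filter by Device view: rules that apply to any of the selected devices."""
    return [r.name for r in rules if not r.targets or r.targets & selected]


# Constructed sample data.
DEVICES = [
    Device("fw-east", frozenset({"Protection", "URL Filtering"})),
    Device("fw-west", frozenset({"Protection"})),   # no URL Filtering license
]
PORT_GROUPS = {"web": {"TCP/80", "TCP/443"}, "mgmt": {"TCP/22", "ICMP/8"}}
ACCESS_CONTROLLED_USERS = {"alice"}                 # bob was excluded from user awareness
RULES = [
    Rule("block-malware-urls", url_categories=("Malware",)),
    Rule("allow-mgmt", source_port_groups=("mgmt",)),
    Rule("allow-bob", users=("bob",)),
    Rule("allow-web-east", source_port_groups=("web",), users=("alice",),
         targets=frozenset({"fw-east"})),
]


if __name__ == "__main__":
    found = validate(RULES, DEVICES, PORT_GROUPS, ACCESS_CONTROLLED_USERS)
    for f in found:
        print(f"{f.severity:7} {f.rule}: {f.text}")
    print("can apply:", can_apply(found), "effective:", effective_rules(RULES, found))
```

Running the sample shows the three situations side by side: the URL rule carries an error because fw-west lacks the license, so the policy cannot be applied until that rule is edited, deleted or retargeted to fw-east; the two rules with warnings would be applied but have no effect; only the last rule takes effect. Disabling the URL rule clears nothing, whereas disabling a warned rule removes its warning.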