Cisco Cisco FirePOWER Appliance 8360
14-3
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Creating and Editing Access Control Rules
When you apply an access control policy to a device, the Defense Center sends each rule defined in the
policy to the device as a set of expanded rules, where each rule expresses one possible combination of
conditions in the rule. For example, a rule with the Internal security zone as a source zone and LDAP
and HTTPS source ports would be sent to the device as two rules: one to match traffic with a source zone
of Internal over an LDAP source port, and one to match traffic with a source zone of Internal over an
HTTPS source port.
Note that an access control policy with many complex rules may not apply to a managed device if the
number of expanded rules exceeds the number allowed for that device. If this occurs, analyze the
conditions in your rules to see if you can eliminate unnecessary settings.
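The expansion described above is a Cartesian product of the values selected in each condition, so the number of expanded rules a device has to hold grows multiplicatively with every value you add. The following Python is an added example, not code from the FireSIGHT System or from Cisco; it models that expansion and an advisory check against a device limit. The rule contents, the `expand_rule`, `expanded_count` and `policy_fits` names, and the limit value are all constructed for illustration (the real per-device limit is not stated on this page).

```python
from itertools import product
from typing import Dict, List, Tuple

# Constructed example rule, mirroring the text: one source zone and two
# source ports. Each condition type maps to the values the rule selects;
# a condition the rule leaves unset matches "any" and contributes one
# value to the expansion.
RULE = {
    "source_zone": ["Internal"],
    "source_port": ["LDAP", "HTTPS"],
}


def expand_rule(conditions: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Return one expanded rule per combination of condition values."""
    names = list(conditions)
    value_lists = [conditions[name] or ["any"] for name in names]
    return [dict(zip(names, combo)) for combo in product(*value_lists)]


def expanded_count(conditions: Dict[str, List[str]]) -> int:
    """Size of the expansion without materialising it (product of set sizes)."""
    count = 1
    for values in conditions.values():
        count *= max(len(values), 1)
    return count


def policy_fits(policy: List[Dict[str, List[str]]], device_limit: int) -> Tuple[bool, int]:
    """Advisory check: does the whole policy's expansion stay within the
    (hypothetical) number of expanded rules the device allows?"""
    total = sum(expanded_count(rule) for rule in policy)
    return total <= device_limit, total


if __name__ == "__main__":
    for expanded in expand_rule(RULE):
        print(expanded)
    # A rule with 3 zones, 4 ports and 2 applications already expands to 24 rules.
    big_rule = {
        "source_zone": ["Internal", "DMZ", "Guest"],
        "source_port": ["LDAP", "HTTPS", "SSH", "SMTP"],
        "application": ["HTTP", "SSL"],
    }
    HYPOTHETICAL_DEVICE_LIMIT = 25  # placeholder, not a real device figure
    print(policy_fits([RULE, big_rule], HYPOTHETICAL_DEVICE_LIMIT))
```

When a policy fails to apply because of the expansion limit, `expanded_count` per rule points at the rules whose condition sets multiply most, which is where trimming unnecessary values pays off first.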
The web interface for adding or editing a rule is similar. You specify the rule name, state, action, and
position at the top of the page. You build conditions using the tabs on the left side of the page; each
condition type has its own tab. You configure inspection and logging options, as well as add comments
to the rule, using the tabs on the right side of the page.
The following list summarizes the configurable components of an access control rule.
Name
Give each rule a unique name. You can use up to thirty printable characters, including spaces and
special characters, with the exception of the colon (:).
Rule State
By default, rules are enabled. If you disable a rule, the system does not use it to evaluate network
traffic. When viewing the list of rules in an access control policy, disabled rules are grayed out,
although you can still modify them.
Action
A rule’s action determines how the system handles traffic that matches the rule’s conditions. You
can trust, monitor, block, or allow (with or without further inspection) matching traffic. The access
control policy’s default action handles traffic that does not meet the conditions of any non-Monitor
access control rule.
Note
Access control rule actions, along with the policy’s default action, determine the network traffic
that you can examine using intrusion, file, or network discovery policies. The system does not
perform inspection on trusted or blocked traffic.
For detailed information on rule actions and how they affect inspection and traffic flow, see
Current Inspection and Logging Settings
The IPS, Files, and Logging options indicate the intrusion policy, file policy, and logging options
currently selected in the rule. Click the IPS or Files setting to open the Inspection tab, or click the
Logging setting to open the Logging tab.
Position (Order and Category)
Rules in an access control policy are numbered, starting at 1. The system matches traffic to access
control rules in top-down order by ascending rule number. Optionally, you can group rules by
category. By default the system provides three categories: Administrator, Standard, and Root. You
can add your own custom categories anywhere you like, but you cannot delete the Cisco-provided
categories or change their order.
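To make the ordering, rule-state, action and default-action behaviour described in this section concrete, here is an added Python model of rule evaluation; it is illustrative code, not the FireSIGHT System's own implementation. It follows the text's rules: traffic is matched in ascending rule number, disabled rules are skipped, the first matching non-Monitor rule decides handling, a matching Monitor rule is recorded but does not end evaluation (the text's wording that the default action covers traffic matching no "non-Monitor" rule), and only Allow traffic is eligible for further inspection, since trusted and blocked traffic is not inspected. The rule names, condition fields, the `evaluate` and `eligible_for_inspection` helpers and the sample connections are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TRUST, MONITOR, BLOCK, ALLOW = "Trust", "Monitor", "Block", "Allow"


@dataclass
class Rule:
    number: int                      # position in the policy, starting at 1
    name: str
    action: str                      # one of TRUST, MONITOR, BLOCK, ALLOW
    conditions: Dict[str, Set[str]] = field(default_factory=dict)
    enabled: bool = True             # rules are enabled by default

    def matches(self, conn: Dict[str, str]) -> bool:
        # An unset condition matches any value; set conditions must all match.
        return all(conn.get(key) in values for key, values in self.conditions.items())


def evaluate(rules: List[Rule], conn: Dict[str, str], default_action: str) -> Tuple[str, str, List[str]]:
    """Return (handling action, deciding rule name, matching Monitor rule names)."""
    monitored: List[str] = []
    for rule in sorted(rules, key=lambda r: r.number):   # top-down by rule number
        if not rule.enabled or not rule.matches(conn):
            continue                                      # disabled rules are not used
        if rule.action == MONITOR:
            monitored.append(rule.name)                   # record, keep evaluating
            continue
        return rule.action, rule.name, monitored          # first non-Monitor match decides
    return default_action, "default", monitored           # nothing else matched


def eligible_for_inspection(action: str) -> bool:
    """Only allowed traffic can be examined by intrusion, file or discovery policies."""
    return action == ALLOW


# Constructed policy: a Monitor rule on top, then specific Block/Allow rules,
# and a disabled rule that must be ignored.
POLICY = [
    Rule(1, "Audit everything", MONITOR),
    Rule(2, "Block internal telnet", BLOCK, {"source_zone": {"Internal"}, "dest_port": {"23"}}),
    Rule(3, "Allow internal web", ALLOW, {"source_zone": {"Internal"}, "dest_port": {"80", "443"}}),
    Rule(4, "Disabled catch-all block", BLOCK, {}, enabled=False),
]
DEFAULT_ACTION = BLOCK


def decide(conn: Dict[str, str]) -> Tuple[str, str, List[str], bool]:
    action, rule_name, monitored = evaluate(POLICY, conn, DEFAULT_ACTION)
    return action, rule_name, monitored, eligible_for_inspection(action)


if __name__ == "__main__":
    for conn in (
        {"source_zone": "Internal", "dest_port": "443"},
        {"source_zone": "Internal", "dest_port": "23"},
        {"source_zone": "External", "dest_port": "443"},
    ):
        print(conn, "->", decide(conn))
```

Running it shows why the disabled rule 4 has no effect on the third connection: with rule 4 ignored, traffic from the External zone matches nothing but the Monitor rule, so the policy's default action handles it.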