Cisco Firepower Management Center 4000
14-26
FireSIGHT System User Guide
Chapter 14 Understanding and Writing Access Control Rules
Working with Different Types of Conditions
You must apply the access control policy for your changes to take effect; see .
Adding Port Conditions
License: Any
Add a port condition to a rule to match network traffic based on the source and destination port and
transport protocol. You can add any of the following kinds of port conditions to an access control rule:
• individual and group port objects that you have created using the object manager. See for
information on creating individual and group port objects using the object manager.
• individual port objects that you add from the Ports conditions page, and can then add to your rule
and to other existing and future rules. See for more information.
• literal port values, consisting of a transport protocol, a port, or both (for some transport protocol
selections). See for more information.
The following procedure explains how to add port conditions while adding or editing an access control
rule. See for more detailed information.
Note that when you add a destination ICMP port with the type set to 0 (Echo Reply) or a destination
ICMPv6 port with the type set to 129 (Echo Reply), the access control rule only matches unsolicited echo
replies. Echo replies sent in response to an echo request that the device has seen belong to that request's
connection and are not evaluated against the type 0 or type 129 condition on their own. For a rule to
match on any ICMP echo, use ICMP type 8 (Echo Request) or ICMPv6 type 128 (Echo Request) instead.
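The following is an added illustration of the type 0 / type 129 behaviour described above; it is not Cisco code and does not reproduce the device's actual connection tracking, which it replaces with a simplified flow table keyed on the echo identifier and sequence number (an assumption). The packets are constructed, not captured. It shows that a destination ICMP type 0 condition fires only for a reply that answers no tracked request, while a type 8 condition catches the request itself.

```python
from dataclasses import dataclass

# IANA echo types for ICMP (IPv4) and ICMPv6
ECHO_REQUEST = {4: 8, 6: 128}
ECHO_REPLY = {4: 0, 6: 129}


@dataclass(frozen=True)
class IcmpPacket:
    version: int     # 4 = ICMP, 6 = ICMPv6
    src: str
    dst: str
    icmp_type: int
    ident: int       # echo identifier
    seq: int         # echo sequence number


@dataclass(frozen=True)
class DestIcmpPort:
    """Destination ICMP/ICMPv6 port condition: protocol plus type."""
    protocol: str    # "ICMP" or "ICMPv6"
    icmp_type: int

    def applies_to(self, pkt):
        proto = "ICMP" if pkt.version == 4 else "ICMPv6"
        return proto == self.protocol and pkt.icmp_type == self.icmp_type


class EchoFlowTable:
    """Outstanding echo requests keyed by (version, requester, target, id, seq).
    Simplified stand-in for the device's connection tracking (assumption)."""

    def __init__(self):
        self._pending = {}

    def note_request(self, pkt, verdict):
        self._pending[(pkt.version, pkt.src, pkt.dst, pkt.ident, pkt.seq)] = verdict

    def take(self, reply):
        """Pop the request this reply answers; src/dst are reversed in the reply."""
        key = (reply.version, reply.dst, reply.src, reply.ident, reply.seq)
        if key in self._pending:
            return True, self._pending.pop(key)
        return False, None


def evaluate(conditions, packets):
    """Return one (kind, matched_condition_index) pair per packet.

    kind is "request", "solicited_reply", "unsolicited_reply" or "other".
    A solicited reply is never matched against a type 0 / type 129 condition
    on its own; it inherits the verdict of the flow its request opened."""
    flows = EchoFlowTable()
    results = []
    for pkt in packets:
        is_reply = pkt.icmp_type == ECHO_REPLY[pkt.version]
        if is_reply:
            found, verdict = flows.take(pkt)
            if found:
                results.append(("solicited_reply", verdict))
                continue
        matched = next((i for i, c in enumerate(conditions) if c.applies_to(pkt)), None)
        if pkt.icmp_type == ECHO_REQUEST[pkt.version]:
            flows.note_request(pkt, matched)
            results.append(("request", matched))
        else:
            results.append(("unsolicited_reply" if is_reply else "other", matched))
    return results


CONDITIONS = [
    DestIcmpPort("ICMP", 0),       # unsolicited IPv4 echo replies only
    DestIcmpPort("ICMP", 8),       # IPv4 echo requests (and their replies, by flow)
    DestIcmpPort("ICMPv6", 129),   # unsolicited IPv6 echo replies only
]

# Constructed sample traffic (not a capture)
SAMPLE = [
    IcmpPacket(4, "10.0.0.5", "10.0.0.9", 8, ident=1, seq=1),          # echo request
    IcmpPacket(4, "10.0.0.9", "10.0.0.5", 0, ident=1, seq=1),          # the reply to it
    IcmpPacket(4, "10.0.0.7", "10.0.0.5", 0, ident=9, seq=1),          # reply nobody asked for
    IcmpPacket(6, "2001:db8::1", "2001:db8::2", 129, ident=3, seq=4),  # unsolicited v6 reply
]

if __name__ == "__main__":
    for pkt, (kind, idx) in zip(SAMPLE, evaluate(CONDITIONS, SAMPLE)):
        print(f"{pkt.src:>12} -> {pkt.dst:<12} type {pkt.icmp_type:3}  {kind:17} rule {idx}")
```

Running the sample shows the first packet hitting the type 8 rule, the second being carried by that flow rather than by the type 0 rule, and only the third and fourth packets matching the type 0 and type 129 conditions. A rule that contains only a type 0 condition therefore never sees the reply to a request the device observed.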
When you select an ICMP or ICMPv6 type for a port, you can only select a relevant code for the port.
For more information on ICMP types and codes, see
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml and
http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xml.
When you add both source and destination ports to a rule, you can only add port objects or port literals
that share a single transport protocol (TCP or UDP) for all ports in the rule. After you add a port to the
Selected Source Ports list, you can only add subsequent ports using the same protocol (TCP or UDP) to
either port list. Similarly, after you add a destination port, any additional source or destination port you
add must have the same protocol. For example, after you add DNS over TCP as a source port, you can
add Yahoo Messenger Voice Chat (TCP) as a destination port but not Yahoo Messenger Voice Chat
(UDP).
If you add only source ports to a rule, you can add ports that use different transport protocols. For
example, if a rule has no destination ports, you can add both DNS over TCP and DNS over UDP to the
rule. Similarly, if you add only destination ports, you can add destination port literals or port objects
using different transport protocols. After you add ports using both protocols to the Selected Source Ports
list, you cannot add any ports to the Selected Destination Ports list, and vice versa.
Note that you cannot add a port object or port object group containing a port with a protocol that is
invalid for the context. For example, you cannot add an ICMP port object as a source port. If you add a
port with an invalid protocol to a port object group already in a rule, a warning displays next to the rule.
If you add both source and destination ports, the rule editor requires that all port objects and groups
match the protocol specified in the first literal port created in the rule. See
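The following is an added model of the rule-editor constraints described in the preceding paragraphs: one transport protocol across both port lists once both are populated, free mixing of TCP and UDP while only one list is in use, no ICMP or ICMPv6 as a source port, and a warning on the rule when a group already in it is later edited to contain a port invalid for its context. It is not Cisco code; the `PortLiteral`, `PortGroup` and `PortCondition` names, the `check_add`/`warnings` methods and the port numbers in the walkthrough (53/TCP and 53/UDP for DNS, 22/TCP, 123/UDP, 80/TCP) are this example's own choices, used in place of the Yahoo Messenger Voice Chat objects named in the text.

```python
from dataclasses import dataclass, field

TRANSPORT = {"TCP", "UDP"}
ICMP_PROTOS = {"ICMP", "ICMPv6"}


@dataclass(frozen=True)
class PortLiteral:
    protocol: str   # "TCP", "UDP", "ICMP" or "ICMPv6"
    value: str      # port or range ("53", "5000-5010"), or ICMP type ("8")


@dataclass
class PortGroup:
    """Port object group; its members may be edited after it is in a rule."""
    name: str
    members: list


def literals(item):
    return item.members if isinstance(item, PortGroup) else [item]


def label(item):
    return item.name if isinstance(item, PortGroup) else f"{item.value}/{item.protocol}"


@dataclass
class PortCondition:
    source: list = field(default_factory=list)
    destination: list = field(default_factory=list)

    def protocols(self, side):
        return {lit.protocol for item in getattr(self, side) for lit in literals(item)}

    def check_add(self, side, item):
        """Decide whether item may be added to "source" or "destination".
        Returns (ok, reason)."""
        other = "destination" if side == "source" else "source"
        new = {lit.protocol for lit in literals(item)}
        if side == "source" and new & ICMP_PROTOS:
            return False, f"{label(item)}: ICMP/ICMPv6 is not valid as a source port"
        have_other = self.protocols(other)
        if not have_other:
            return True, ""   # only this list is in use: TCP and UDP may be mixed
        if len(have_other) > 1:
            return False, f"{other} list already mixes {sorted(have_other)}; no {side} ports can be added"
        (proto,) = have_other
        if proto not in TRANSPORT:
            return False, f"{other} list uses {proto}; source and destination together require TCP or UDP"
        if new != {proto}:
            return False, f"{label(item)} does not use {proto}, the rule's single transport protocol"
        return True, ""

    def add(self, side, item):
        ok, reason = self.check_add(side, item)
        if not ok:
            raise ValueError(reason)
        getattr(self, side).append(item)

    def warnings(self):
        """What the editor would flag next to the rule, e.g. after a group
        already in the rule was edited to hold a port invalid for its context."""
        out = []
        for item in self.source:
            for lit in literals(item):
                if lit.protocol in ICMP_PROTOS:
                    out.append(f"source item {label(item)} contains an {lit.protocol} port")
        if self.source and self.destination:
            protos = self.protocols("source") | self.protocols("destination")
            if len(protos) != 1 or not protos <= TRANSPORT:
                out.append(f"ports do not share a single TCP/UDP protocol: {sorted(protos)}")
        return out


def scenarios():
    """Walk through the cases from the text; returns {case: result}."""
    out = {}
    r = PortCondition()
    r.add("source", PortLiteral("TCP", "53"))                # DNS over TCP as a source port
    out["dest tcp after source tcp"] = r.check_add("destination", PortLiteral("TCP", "22"))
    out["dest udp after source tcp"] = r.check_add("destination", PortLiteral("UDP", "123"))
    r = PortCondition()
    r.add("source", PortLiteral("TCP", "53"))
    r.add("source", PortLiteral("UDP", "53"))                # allowed: no destination ports yet
    out["dest after mixed source"] = r.check_add("destination", PortLiteral("TCP", "22"))
    out["icmp as source"] = PortCondition().check_add("source", PortLiteral("ICMP", "8"))
    group = PortGroup("web", [PortLiteral("TCP", "80")])
    r = PortCondition()
    r.add("source", group)
    group.members.append(PortLiteral("ICMP", "8"))           # group edited after it was added
    out["group edited warnings"] = r.warnings()
    return out


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:28} -> {result}")
```

The check is deliberately asymmetric: the ICMP restriction is tied to the source list, while the single-protocol restriction is triggered only by the other list being non-empty, which is what lets a rule with only source ports (or only destination ports) carry both DNS over TCP and DNS over UDP. Editing a group after it is in a rule bypasses `check_add`, so `warnings()` is what reports the problem, mirroring the warning the editor displays next to the rule.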