Cisco Firepower Management Center 4000
FireSIGHT System User Guide 14-12
Chapter 14 Understanding and Writing Access Control Rules
Understanding Rule Conditions and Condition Mechanics
You can add up to 50 conditions of each type to a list of selected conditions. For example, you can add up to 50 source zone conditions, up to 50 destination zone filters, up to 50 user conditions, and so on, until you reach the upper limit for the appliance.
Note that when you apply an access control policy to a device, the Defense Center sends each rule defined in the policy to the device as a set of expanded rules, where each rule expresses one possible combination of conditions in the rule. For example, a rule with the Internal security zone as a source zone and LDAP and HTTPS source ports would be sent to the device as two rules: one to match traffic with a source zone of Internal over an LDAP source port, and one to match traffic with a source zone of Internal over an HTTPS source port.
An access control policy with many complex rules may not apply to a managed device if the number of expanded rules exceeds the number allowed for that device. If this occurs, analyze the conditions in your rules to see if you can eliminate unnecessary settings.
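The following is an added example, not part of the guide: a small Python estimator that expands a rule into its condition combinations the way the text describes and reports which rule, and which condition type, drives the expanded-rule count. It generalises the guide's zone × port example by assuming that every condition type with N selected values multiplies the count by N and that an empty condition type contributes no factor; the device limit and the sample policy are constructed placeholders.

```python
from itertools import product
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]  # condition type -> selected values

# Hypothetical ceiling; the real per-appliance limit is not stated on this page.
DEVICE_EXPANDED_RULE_LIMIT = 1000

def expand_rule(rule: Rule) -> List[Tuple[Tuple[str, str], ...]]:
    """One expanded rule per combination of the rule's selected conditions.

    Assumption (generalising the guide's zone x port example): each condition
    type with N selected values multiplies the count by N; a type with no
    conditions matches anything and contributes no factor.
    """
    constrained = {k: v for k, v in rule.items() if v}
    keys = sorted(constrained)
    combos = product(*(constrained[k] for k in keys))
    return [tuple(zip(keys, combo)) for combo in combos]

def expanded_count(rule: Rule) -> int:
    """Count expanded rules without materialising them."""
    n = 1
    for values in rule.values():
        n *= len(values) or 1
    return n

def largest_factor(rule: Rule) -> Tuple[str, int]:
    """Condition type contributing the biggest factor: the first place to trim."""
    factors = ((k, len(v)) for k, v in rule.items() if v)
    return max(factors, key=lambda kv: kv[1], default=("none", 1))

def policy_report(policy: Dict[str, Rule], limit: int = DEVICE_EXPANDED_RULE_LIMIT):
    """Return (total expanded rules, whether the total fits the limit, per-rule counts)."""
    per_rule = {name: expanded_count(r) for name, r in policy.items()}
    total = sum(per_rule.values())
    return total, total <= limit, per_rule

# Constructed sample policy; the first rule is the guide's own example.
SAMPLE_POLICY: Dict[str, Rule] = {
    "internal-ldap-https": {"src_zone": ["Internal"], "src_port": ["LDAP", "HTTPS"]},
    "broad-rule": {
        "src_zone": ["Internal", "DMZ", "Guest"],
        "dst_zone": ["External", "Partner"],
        "src_port": [],  # unconstrained: no factor
        "dst_port": ["HTTP", "HTTPS", "DNS", "NTP"],
        "src_net": ["10.0.%d.0/24" % i for i in range(5)],  # 3*2*4*5 = 120
    },
}
```

Running `policy_report(SAMPLE_POLICY)` shows the broad rule alone accounting for 120 of 122 expanded rules, and `largest_factor` points at the five source networks as the first condition type to reconsider.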
When a list of available conditions contains more conditions than can be displayed on a single page, you can use navigation links under the list to switch between pages.
The following table describes the actions you can take to select and add conditions to a rule.
Table 14-3 Adding Conditions

| To... | You can... |
|---|---|
| select available conditions to add to a list of selected conditions | click the available condition; use the Ctrl and Shift keys to select multiple conditions. |
| select all listed available conditions | right-click the row for any available condition, then click Select All. |
| search a list of available conditions or filters | click inside the search field and type a search string. See for more information. |
| clear a search when searching available conditions or filters | click the reload icon above the search field or the clear icon in the search field. |
| add selected conditions from a list of available conditions to a list of selected source or destination conditions | click Add to Source or Add to Destination. You can add zone, network, geolocation, and port conditions to lists of source and destination conditions. See for more information. |
| add selected conditions from a list of available conditions to a single list of selected conditions | click Add to Rule. VLAN tag, user, application, and URL conditions use single lists of selected conditions. |
| drag and drop selected available conditions into a list of selected conditions | right-click a selected condition, then drag and drop into the list of selected conditions. |
| add a literal condition to a list of selected conditions using a literal field | click to remove the prompt from the literal field, type the literal condition, then click Add. Network, VLAN tag, and URL conditions provide a field for adding literal conditions. |
| add a literal condition to a list of selected conditions using a drop-down list | select a condition from the drop-down list, then click Add. Port conditions provide a drop-down list for adding literal conditions. See for more information. |
| add an individual object or condition filter so you can then select it from the list of available conditions | click the add icon. See for information on adding objects using the object manager. |
| delete a single condition from a list of selected conditions | click the delete icon next to the condition. |