Configure Extended ACL Objects

Use extended ACL objects when you want to match traffic based on source and destination addresses, protocol and port, or application group, or when the traffic is IPv6.

Procedure

Step 1

Select Objects > Object Management and choose Access List > Extended from the table of contents.

Step 2

Do one of the following:

  • Click Add Extended Access List to create a new object.

  • Click Edit (edit icon) to edit an existing object.

Step 3

In the New Extended Access List Object dialog box, enter a name for the object (no spaces allowed), and configure the access control entries:

  1. Do one of the following:

    • Click Add to create a new entry.

    • Click Edit (edit icon) to edit an existing entry.

  2. Select the Action, whether to Allow (match) or Block (not match) the traffic criteria.

    Note

    The Logging, Log Level, and Log Interval options are used for access rules only (ACLs attached to interfaces or applied globally). Because ACL objects are not used for access rules, leave these values at their defaults.

  3. Configure the source and destination addresses on the Network tab using any of the following techniques:

    • Select the desired network objects or groups from the Available list and click Add to Source or Add to Destination. You can create new objects by clicking the + button above the list. You can mix IPv4 and IPv6 addresses.

    • Type an address in the edit box below the source or destination list and click Add. You can specify a single host address (such as 10.100.10.5 or 2001:DB8::0DB8:800:200C:417A), or a subnet (in 10.100.10.0/24 or 10.100.10.0 255.255.255.0 format, or for IPv6, 2001:DB8:0:CD30::/60).

  4. Click the Port tab and configure the service using any of the following techniques:

    • Select the desired port objects from the Available list and click Add to Source or Add to Destination. You can create new objects by clicking the + button above the list. The object can specify TCP/UDP ports, ICMP/ICMPv6 message types, or other protocols (including “any”). However, the source port, which you typically would leave empty, accepts TCP/UDP only. You cannot select port groups.

      For TCP/UDP, note that you must use the same protocol in both the source and destination fields, if you specify both. For example, you cannot specify a UDP source port and a TCP destination port.

    • Type or select a port or protocol in the edit box below the source or destination list and click Add.

    Note

    To get an entry that applies to all IP traffic, select a destination port object that specifies “all” protocols.

  5. Click the Application tab and choose the applications that are to be grouped for the direct internet access policy.

    Important
    • You cannot configure applications for cluster devices, so this tab does not apply to cluster devices.

    • Use extended ACL with applications only in Policy Based Routing. Do not use it in other policies as its behavior is unknown and not supported.

    Note
    • The Available Applications list displays a fixed set of pre-defined applications. This list is a subset of the applications available in the Access Control policy: only these can be detected from their first packet (FQDN endpoints resolved to IP addresses and port). The application definitions are updated through the VDB updates and are pushed to threat defense during subsequent deployments.

    • Currently, management center neither supports user-defined custom applications or groups of applications nor allows you to modify the pre-defined applications list.

    • You can use the filter options provided under the Application Filters to refine this list.

  6. Select the required application, and click Add to Rule.

    Note
    • Do not configure destination networks and applications in the extended ACL object.

    • The selected applications (Network Service objects) in each of the access control entries form a Network Service Group (NSG), and this group is deployed on the threat defense. The NSG is used in direct internet access to classify traffic based on the match with the selected application group.

  7. Click Add to add the entry to the object.

  8. If necessary, click and drag the entry to move it up or down in the rule order to the desired location.

    Repeat the process to create or edit additional entries in the object.

Step 4

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 5

Click Save.