Create or Edit an FDM-Managed Access Control Policy

Use this procedure to edit an FDM-managed access control policy using Cisco Security Cloud Control:

Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab and whose access control whose policy you want to edit.

Step 4

In the Management pane at the right, select Policy.

Step 5

Do any of the following:

  • To create a new rule, click the blue plus button .

  • To edit an existing rule, select the rule and click the edit icon in the Actions pane. (Simple edits may also be performed inline without entering edit mode.)

  • To delete a rule you no longer need, select the rule and click the remove icon in the Actions pane.

  • To move a rule within the policy, select the rule in the access control table and click the up or down arrow at the end of the rule row to move the rule.

When editing or adding a rule, continue with the remaining steps in this procedure.

Step 6

In the Order field, select the position for the rule within the policy. Network traffic is evaluated against the list of rules in numerical order, 1 to "last."

Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above policies that have more general criteria that would otherwise apply to the matching traffic.

The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.

Step 7

Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -

Step 8

Select the action to apply if the network traffic is matched by the rule:

  • Trust—Allow traffic without further inspection of any kind.

  • Allow—Allow the traffic subject to the intrusion and other inspection settings in the policy.

  • Block—Drop the traffic unconditionally. The traffic is not inspected.

Step 9

Define the traffic matching criteria by using any combination of attributes in the following tabs:

  • Source—Click the Source tab and add or remove security zones (interfaces), networks (which include networks, continents, and custom geolocations), or ports from which the network traffic originated. The default value is "Any."

  • Destination—Click the Destination tab and add or remove the security zones (interfaces), networks (which include networks, continents and custom geolocations), or ports on which the traffic arrives. The default value is "Any." See Source and Destination Criteria in an FDM Access Control Rule.

  • Applications—Click the Application tab and add or remove a web application, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application. See Application Criteria in an FDM Access Control Rule

  • URLs—Click the URL tab and add or remove a URL or URL category of a web request. The default is any URL. See URL Conditions in an FDM Access Control Rule to learn how to fine-tune this condition using URL categories and reputation filters.

  • Users—Active Directory realm objects, special identities (failed authentication, guest, no authentication required, unknown), and user groups added to the rule from firewall device manager are visible in the rule row but it is not yet editable in Security Cloud Control.

    Caution

    Individual user-objects are not yet visible in an access control policy rule in Security Cloud Control. Log in to an FDM-managed device to see how an individual user-object may affect an access control policy rule.

Step 10

(Optional, for rules with the Allow action) Click the Intrusion Policy tab to assign an intrusion inspection policy to inspect traffic for intrusions and exploits. See Intrusion Policy Settings in an FDM Access Control Rule.

  1. To log Intrusion events generated by intrusion policy rules, see " Configure Logging Settings " for the device.

Step 11

(Optional, for rules with the Allow action) Click the File Policy tab to assign a file policy that inspects traffic for files that contain malware and for files that should be blocked. See File Policy Settings in an FDM Access Control Rule.

  1. To log file events enerated by file policy rules, see "Configuring Logging Settings" for the device.

Step 12

(Optional) Click the logging tab to enable logging and collect connection events reported by the access control rule.

See Logging Settings in an FDM Access Control Rule for more information on logging settings.

If you subscribe to Cisco Security Analytics and Logging, you can configure connection events in Security Cloud Control and send them to the Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port. See Cisco Security Analytics and Logging for more information about this feature. You would create one syslog object for every SEC that you have onboarded to your tenant, but you would only send events generated by one rule, to one syslog object, representing one SEC.

Step 13

Click Save. You are now done configuring a specific rule in the security policy.

Step 14

You can now configure the Default Action for the security policy as a whole. The Default Action defines what happens if network traffic does not match any of the rules in the access control policy, intrusion policy, or file/malware policy.

Step 15

Click the Default Action for the policy.

Step 16

Configure an intrusion policy as you did in step 9, above.

Step 17

Configure logging connection events generated by the Default Action.

If you subscribe to Cisco Security Analytics and Logging, you can send events generated by the default action to a Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port. See Cisco Security Analytics and Logging for more information about this feature. You would create one syslog object for every SEC that you have onboarded to your tenant, but you would only send events generated by rule to one syslog object, representing one SEC.

Step 18

(Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments see, Adding Comments to Rules in FTD Policies and Rulesets.

Step 19

Review and deploy now the changes you made, or wait and deploy multiple changes at once.