Create and Edit Access Control Rules

If you edit an access control rule that is actively in use, the changes do not apply to established connections at deploy-time. The updated rule is used to match against future connections. However, if the system is actively inspecting a connection (for example, with an intrusion policy), it will apply changed matching or action criteria to existing connections.

For FTD, you can ensure that your changes apply to all current connections by using the FTD clear conn CLI command to end established connections. Note that you should only do this if it is acceptable to end those connections, on the assumption that the sources for the connections will then attempt to reestablish the connection and thus be matched appropriately against the new rule.
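The behaviour described above, modelled as an added illustration (constructed example, not part of the Cisco documentation and not FTD code): an edited rule affects new connections only, connections under active inspection are re-evaluated, and ending established connections (the equivalent of clear conn) forces every flow to be rebuilt against the updated rules. Rule matching here is reduced to a single destination-port criterion, which is an assumption for brevity.

```python
"""Illustrative model (constructed, not FTD code) of how an edited access
control rule applies to established versus new connections."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: int            # constructed criterion: destination port, 0 = any
    action: str              # "allow" or "block"
    inspected: bool = False  # True when an intrusion policy is attached


DEFAULT = Rule("default-block", 0, "block")


class FirewallModel:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conn_table = {}  # (src, dst_port) -> rule that built the connection

    def match(self, dst_port):
        # First matching rule wins; no match falls through to the default action.
        for rule in self.rules:
            if rule.dst_port in (dst_port, 0):
                return rule
        return DEFAULT

    def packet(self, src, dst_port):
        key = (src, dst_port)
        conn_rule = self.conn_table.get(key)
        if conn_rule is None or conn_rule.inspected:
            # New connections always use the deployed rules; connections under
            # active inspection are re-evaluated against the updated rules too.
            rule = self.match(dst_port)
            if rule.action == "allow":
                self.conn_table[key] = rule
            else:
                self.conn_table.pop(key, None)
            return rule.action
        return conn_rule.action  # established, uninspected: old decision stands

    def deploy(self, rules):
        self.rules = list(rules)  # takes effect for future matching only

    def clear_conn(self):
        # Models 'clear conn': ends established connections so every flow is
        # rebuilt and matched against the updated rules on its next packet.
        self.conn_table.clear()
```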

Procedure


Step 1

In the access control policy editor, you have the following options:

  • To add a new rule, click Add Rule.

  • To edit an existing rule, click Edit (edit icon) .

  • To edit multiple rules, shift-click a range of rules or control-click multiple rules to edit, then right-click and choose an option.

If View (View button) appears next to a rule instead, the rule belongs to an ancestor policy, or you do not have permission to modify the rule.

Step 2

If this is a new rule, enter a Name.

Step 3

Configure the rule components.

If you are bulk-editing multiple rules, only a subset of the options is available.

  • Enabled—Specify whether the rule is Enabled.

  • Position—Specify the rule position; see Access Control Rule Order.

  • Action—Choose a rule Action; see Access Control Rule Actions.

  • Time Range—(Optional.) For FTD devices, choose the days and times when the rule is applicable. For details, see Creating Time Range Objects.

  • Conditions—Click the corresponding condition you want to add. See Access Control Rule Conditions for more information.

    Note

    VLAN tags in access rules only apply to inline sets; they cannot be used in access rules applied to firewall interfaces.

  • Deep Inspection—(Optional.) For Allow and Interactive Block rules, click Intrusion policy (intrusion policy icon) or File policy (file policy icon) to configure the rule’s Inspection options. If the option is dimmed, no policy of that type is selected for the rule. See Access Control Overview for more information.

  • Content Restriction—Click Safe search (safe search icon) or YouTube EDU (YouTube EDU icon) to configure content restriction settings on Applications of the rule editor. If the options are dimmed, content restriction is disabled for the rule. See About Content Restriction for more information.

  • Logging—Click Logging (logging icon) to specify Logging options. If the option is dimmed, connection logging is disabled for the rule. See Best Practices for Connection Logging for more information.

  • Comments—Click the number in the comment column to add Comments. The number indicates how many comments the rule already contains.

Step 4

Click OK to save the rule.

Step 5

Click Save to save the policy.


What to do next

If you will deploy time-based rules, specify the time zone of the device to which the policy is assigned. See Configure Device Time Zone for Policy Application.

Deploy configuration changes; see Deploy Configuration Changes.