The Application Policy Management view provides a perspective of application-level policies across devices and services. This unique capability allows for changes to be applied consistently across managed devices and services for URL, URL Categories, Applications, Application Categories, and others, in or outside of the network.
Layer 7 policies are managed differently from Layer 3 policies. Layer 3 policies are applied explicitly in support of the desired security profile: if a given IP address needs to be blocked, an explicit rule is applied to the device to enforce that policy. Application (Layer 7) policies differ in that, when developing a security profile, they are managed both explicitly and implicitly.
To demonstrate this, consider the need to block access to download.com. How might this be accomplished within CDO? Assume there are two properly configured FirePOWER devices: FP1 contains an explicit rule blocking download.com, while the second device, FP2, does not. Navigating to the Application Policy Management view and entering download.com into the Search bar starts the process. As might be expected, the result line for the download.com URL on FP1 shows an explicit rule set to block.
The second device, FP2, while containing no explicit rule for download.com, also shows the URL as blocked, due to an implicit rule. Looking deeper at the search results, the URL Category "Freeware and Shareware", which contains download.com, is set to block. Because the containing URL Category is blocked and FP2 has no explicit rule allowing download.com, FP2 blocks download.com implicitly.
The ability to search across types and devices simplifies the management of Layer 7 policies by focusing on the question actually at hand, for example "How do I block BitTorrent?" or "Why can't I get to poker.com?" In the latter case, a simple search on poker.com may show that while there is no explicit rule blocking the URL, there is an explicit block on the "Gambling" URL category. To permit poker.com without changing the explicit block on "Gambling", simply highlight the poker.com URL and allow traffic on the desired device. This creates an explicit Allow rule which can then be pushed to the device.
Managing Layer 7 policy across multiple devices is also straightforward. To illustrate this, imagine that the Application Category "web gaming" is blocked across all devices within an organization, but Farmville must be permitted. A search on Farmville in Application Policy Management will show that it is implicitly blocked due to the Application Category block on "web gaming". To enable Farmville, set the Action to Enable for the Farmville Application type entries listed. Writing the policies to their respective devices enables this application across the network.
If Automatic IPS Updates were enabled when on-boarding the FirePOWER device, the effective Layer 7 policy may change dynamically. Here too, the Search capability of Application Policy Management permits easy assessment of URLs.
Using Application Policy Management
- The lock icon indicates whether a policy is Explicit (blue) or Implicit (grey)
- Click on Show All to list all explicit Layer 7 policies on managed devices
- Policy Status indicates which policies have been written to devices and those that are pending
Application Policy Management and Identity Profiles
For onboarded Cisco Umbrella and WSA devices, Defense Orchestrator supports the management of application policies across multiple identity profiles. This lets you, as the administrator, choose a different action for a given rule per identity profile. For example, for the URL Category Social Networking on a WSA or Cisco Umbrella you can create rules that block it for the Engineering identity profile while allowing it for Marketing.
Blocking Individual URLs on the WSA
The WSA does not allow the creation of rules for individual URLs. As a result, a search for download.com would only let you make policy changes to the rule for the URL category Freeware and Shareware, not to a rule for the URL itself.
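The explicit-versus-implicit resolution walked through above (download.com on FP1 and FP2, poker.com against the "Gambling" category, Farmville against "web gaming") and the WSA restriction just described, as an added toy model that is not CDO's own code: the rules, the category membership, the default-allow fallback and the WSA flag are all constructed assumptions, and identity profiles are left out.

```python
from dataclasses import dataclass, field

# Constructed category membership for the page's examples; not a real category feed.
URL_CATEGORY = {"download.com": "Freeware and Shareware", "poker.com": "Gambling"}
APP_CATEGORY = {"Farmville": "web gaming"}
CATEGORY_OF = {"url": ("url_category", URL_CATEGORY), "app": ("app_category", APP_CATEGORY)}

@dataclass
class Device:
    name: str
    explicit: dict = field(default_factory=dict)  # (kind, key) -> "allow" | "block"
    url_rules_supported: bool = True              # False models a WSA (category rules only)

    def set_rule(self, kind, key, action):
        """Stage an explicit rule; a WSA cannot hold rules for individual URLs."""
        if kind == "url" and not self.url_rules_supported:
            raise ValueError(f"{self.name}: rules for individual URLs are not supported")
        self.explicit[(kind, key)] = action

    def resolve(self, kind, key):
        """Effective action for one URL or application, and where it comes from.
        An explicit rule on the item wins; otherwise the containing category's explicit
        rule applies implicitly; otherwise the (assumed) device default of allow."""
        if (kind, key) in self.explicit:
            return self.explicit[(kind, key)], "explicit"
        if kind in CATEGORY_OF:
            cat_kind, members = CATEGORY_OF[kind]
            category = members.get(key)
            if (cat_kind, category) in self.explicit:
                return self.explicit[(cat_kind, category)], f"implicit via {category}"
        return "allow", "default"

def search(devices, kind, key):
    """Like the Search bar: the effective action for `key` on every managed device."""
    return {d.name: d.resolve(kind, key) for d in devices}

def demo():
    fp1 = Device("FP1"); fp1.set_rule("url", "download.com", "block")
    fp2 = Device("FP2"); fp2.set_rule("url_category", "Freeware and Shareware", "block")
    fp2.set_rule("url_category", "Gambling", "block")
    before = search([fp1, fp2], "url", "download.com")
    # Permit poker.com on FP2 without touching the "Gambling" category block.
    fp2.set_rule("url", "poker.com", "allow")
    return before, fp2.resolve("url", "poker.com"), fp2.resolve("url_category", "Gambling")

if __name__ == "__main__":
    for line in demo():
        print(line)
```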