Cisco Defense Orchestrator

Configure the FTD Access Control Policy

About FTD Access Control Policies

Firepower Threat Defense (FTD) devices have a single policy. A section of that policy has access control rules. For ease of discussion, we refer to the section of the policy that has access control rules as the access control policy. After onboarding the FTD, you add rules to, or edit rules in, the access control policy.

If you are onboarding a new FTD device, it may be that there are no rules in the policy that was imported. In that case, when you open the FTD Policy page, you will see the message, "No results found." If you see that message, you can start adding rules to the FTD Policy and then deploy them to the device from CDO.

Tips Before You Begin

When adding conditions to access control rules, consider the following tips:

  • You can create custom objects for some of the conditions at the time you add them to the rule. Look in the dialog boxes for a link to create custom objects.

  • You can configure multiple conditions per rule. Traffic must match all the conditions in the rule for the rule to apply to traffic. For example, you can use a single rule to perform URL filtering for specific hosts or networks.

  • For each condition in a rule, you can add up to 50 criteria. Traffic that matches any of a condition's criteria satisfies the condition. For example, you can use a single rule to apply application control for up to 50 applications or application filters. Thus, there is an OR relationship among the items in a single condition, but an AND relationship between condition types (for example, between source/destination and application).

  • Some features require that you have enabled the appropriate Firepower licenses. 

  • Some editing tasks do not require you to enter edit mode. From the policy page, you can modify a condition in a rule by clicking the + button within that condition column and selecting the desired object or element in the popup dialog box. You can also click the x on an object or element to remove it from the rule.

Create or Edit an FTD Access Control Policy

Use this procedure to edit an FTD access control policy using CDO:

  1. Open the Devices & Services page.
  2. Select the FTD device whose access control policy you want to edit. 
  3. In the Management pane at the right, select Policy.
  4. Do any of the following:
  • To create a new rule, click the blue plus button.
  • To edit an existing rule, select the rule and click the edit icon in the Actions pane. (Simple edits may also be performed inline without entering edit mode.)
  • To delete a rule you no longer need, select the rule and click the remove icon in the Actions pane.
  • To move a rule within the policy, select the rule in the access control table and click the up or down arrow at the end of the rule row to move the rule.

When editing or adding a rule, continue with the remaining steps in this procedure.

  5. In the Order field, select the position for the rule within the policy. Network traffic is evaluated against the list of rules in numerical order, 1 to "last."

Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above rules with more general criteria that would otherwise match the same traffic first.

The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.

  6. Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -
  7. Select the action to apply if the network traffic is matched by the rule:

  • Trust—Allow traffic without further inspection of any kind.
  • Allow—Allow the traffic subject to the intrusion and other inspection settings in the policy.
  • Block—Drop the traffic unconditionally. The traffic is not inspected.
  8. Define the traffic matching criteria by using any combination of attributes in the following tabs:
  • Source—Click the Source tab and add or remove security zones (interfaces), networks (which include networks, continents, and custom geolocations), or ports from which the network traffic originated. The default value is "Any."
  • Destination—Click the Destination tab and add or remove the security zones (interfaces), networks (which include networks, continents, and custom geolocations), or ports on which the traffic arrives. The default value is "Any." See Source and Destination Criteria in an FTD Access Control Rule.
  • Applications—Click the Application tab and add or remove a web application, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application. See Application Criteria in an FTD Access Control Rule.
  • URLs—Click the URL tab and add or remove a URL or URL category of a web request. The default is any URL. See URL Conditions in an FTD Access Control Rule to learn how to fine-tune this condition using URL categories and reputation filters.
  • Users—Active Directory realm objects, special identities (failed authentication, guest, no authentication required, unknown), and user groups added to the rule from Firepower Device Manager are visible in the rule row, but they are not yet editable in CDO.
    • Caution: Individual user objects are not yet visible in an access control policy rule in CDO. Log in to FDM to see how an individual user object may affect an access control policy rule.
  9. (Optional, for rules with the Allow action) Click the Intrusion Policy tab to assign an intrusion inspection policy to inspect traffic for intrusions and exploits. See Intrusion Policy Settings in an FTD Access Control Rule.
    • To log intrusion events generated by intrusion policy rules, see "Configure Logging Settings" for the device.
  10. (Optional, for rules with the Allow action) Click the File Policy tab to assign a file policy that inspects traffic for files that contain malware and for files that should be blocked. See File Policy Settings in an FTD Access Control Rule.
    • To log file events generated by file policy rules, see "Configuring Logging Settings" for the device.
  11. (Optional) Click the Logging tab to enable logging and collect connection events reported by the access control rule.

See Logging Settings in an FTD Access Control Rule for more information on logging settings. 

If you subscribe to Cisco Security Analytics and Logging, you can configure connection events in CDO and send them to the Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port. See Cisco Security Analytics and Logging for more information about this feature. You would create one syslog object for every SEC that you have onboarded to your tenant, but you would send the events generated by one rule to only one syslog object, representing one SEC.

  12. Click Save. You are now done configuring a specific rule in the security policy.
  13. You can now configure the Default Action for the security policy as a whole. The Default Action defines what happens if network traffic does not match any of the rules in the access control policy, intrusion policy, or file/malware policy.
  14. Click the Default Action for the policy.
  15. Configure an intrusion policy as you did in step 9, above.
  16. Configure logging of connection events generated by the Default Action.

If you subscribe to Cisco Security Analytics and Logging, you can send events generated by the default action to a Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port. See Cisco Security Analytics and Logging for more information about this feature. You would create one syslog object for every SEC that you have onboarded to your tenant, but you would send the events generated by the default action to only one syslog object, representing one SEC.

  17. Review and deploy the changes you made now, or wait and deploy multiple changes at once.
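The matching semantics from the tips above (criteria within one condition are OR'd, condition types are AND'd, at most 50 criteria per condition) and the first-match ordering rule in step 5 are modelled in this added Python example. It is not CDO or FTD code; the rule names, zone names and object labels are constructed, and it also includes a simple check for a rule that can never match because a more general rule sits above it.

```python
# Added example (not CDO/FTD code): a minimal model of how an FTD access
# control policy evaluates a connection, using the semantics this page
# describes. Criteria are compared as object labels (zone/object names).
from dataclasses import dataclass, field

MAX_CRITERIA = 50          # per-condition limit stated on the page
CONDITION_TYPES = ("source_zone", "source_network", "dest_network",
                   "dest_port", "application", "url_category")

@dataclass
class Rule:
    name: str
    action: str                                      # "Trust", "Allow" or "Block"
    conditions: dict = field(default_factory=dict)   # type -> set of criteria

    def __post_init__(self):
        for ctype, criteria in self.conditions.items():
            if ctype not in CONDITION_TYPES:
                raise ValueError(f"unknown condition type {ctype!r}")
            if len(criteria) > MAX_CRITERIA:
                raise ValueError(f"{self.name}: more than {MAX_CRITERIA} criteria in {ctype}")

    def matches(self, conn: dict) -> bool:
        # An absent or empty condition means "Any"; within a condition the
        # criteria are OR'd; across condition types they are AND'd.
        return all(not crit or conn.get(ctype) in crit
                   for ctype, crit in self.conditions.items())

def evaluate(rules: list, conn: dict, default_action: str = "Block") -> tuple:
    """First-match evaluation in policy order; returns (action, rule name or None)."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name
    return default_action, None          # the policy's Default Action

def shadowed_rules(rules: list) -> list:
    """Names of rules that can never match because an earlier rule is at least
    as general on every condition type (the ordering mistake step 5 warns about)."""
    def covers(general: Rule, specific: Rule) -> bool:
        return all(not general.conditions.get(ct) or
                   (specific.conditions.get(ct) and
                    specific.conditions[ct] <= general.conditions[ct])
                   for ct in CONDITION_TYPES)
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]

# Constructed sample policy: the specific Allow rule is placed *after* a broad
# Block rule for the same zone and ports, so the Allow rule is shadowed.
POLICY = [
    Rule("block-inside-web", "Block", {"source_zone": {"inside"}, "dest_port": {"80", "443"}}),
    Rule("allow-admin-https", "Allow", {"source_zone": {"inside"},
                                        "source_network": {"admin-net"}, "dest_port": {"443"}}),
]
```

Swapping the two rules (moving the specific Allow rule up with the arrow in step 4) removes the shadowing and lets the admin-net connection match its intended rule.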

Configuring Access Policy Settings

You can configure settings that apply to the access policy, rather than to specific rules within the policy. 

About TLS Server Identity Discovery

Typically, the TLS 1.3 certificates are encrypted. For traffic encrypted with TLS 1.3 to match access rules that use application or URL filtering, the system must decrypt the TLS 1.3 certificate. We recommend that you enable early application detection and URL categorization to ensure encrypted connections are matched to the right access control rule. This setting decrypts the certificate only; the connection remains encrypted. 

Note: This feature is currently available for Firepower Threat Defense (FTD) devices running on software version 6.7 or later. 

  1. Open the Devices & Services page.
  2. Select the FTD device whose access control policy you want to edit. 
  3. In the Management pane at the right, select policy_shield_icon.png Policy.
  4. Click the settings button.
  5. Click the slider next to TLS Server Identity Discovery to enable early application detection and URL categorization for encrypted connections.
  6. Click Save.