Cisco Defense Orchestrator

Firepower Threat Defense Access Control Policy

About Firepower Threat Defense Access Control Policy

You can use Cisco Defense Orchestrator (CDO) to manage the Firepower Threat Defense (FTD) access control policy. The access control policy controls access to network resources by evaluating network traffic against access control rules. FTD compares network traffic to the criteria of the access control rules in the order the rules appear in the access control policy. When all the traffic conditions in an access control rule are matched, FTD takes the action defined by that rule and evaluates no further rules. That action may be to Trust, Allow, or Block the network traffic:

  • Trust—Allow traffic without further inspection of any kind.
  • Allow—Allow the traffic subject to the intrusion and other inspection settings in the policy.
  • Block—Drop the traffic unconditionally. The traffic is not inspected.

If none of the rules in the access control policy match the network traffic, FTD takes the default action listed below the access control rules. 

Read a Firepower Threat Defense Access Control Policy

  1. Open the Devices & Services page.
  2. Select the FTD device whose policy you want to read.
  3. In the Management pane at the right, select Policy.
  4. To ensure that you see the whole policy, click Show All in the Filter panel.
  5. Toggle the rule column display to view the rules with more or fewer columns. If you are used to viewing access control rules in Firepower Device Manager, toggle the rule column display to show more columns.

(Figure: toggling the FTD rule column display)

Here is an example of how to read a rule in a policy. All traffic is evaluated against rule 1 first for a match. If the traffic matches rule 1, the action for that rule is applied to the traffic. Traffic that originates from the inside zone, AND originates from Africa OR Australia, AND originates from HTTP or HTTPS ports, AND arrives at the outside zone, AND arrives at the Aland Islands OR Albania, AND arrives at any port, AND arrives at ABC OR About.com is allowed to flow from the source to the destination. We can also see that an intrusion policy and a file policy are applied to the rule and that events from the rule are being logged.

(Figure: example FTD access control policy showing rule 1)
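The two ideas above, first-match evaluation in rule order with a default action when nothing matches, and a rule whose criteria are ANDed while the values inside one criterion are ORed, can be checked offline with a small policy simulator. The following is an added example, not CDO or FTD code: rule 1 reproduces the rule read in the example, while rule 2, the policy and intrusion/file policy names, the flows and the modelling of default-action logging as off are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Actions as the documentation describes them:
#   Trust - allow without any further inspection
#   Allow - allow, subject to the rule's intrusion/file inspection settings
#   Block - drop unconditionally, no inspection
TRUST, ALLOW, BLOCK = "Trust", "Allow", "Block"


@dataclass
class Rule:
    """One access control rule. Each criterion is a set of acceptable values;
    an empty set means 'any'. Values within a criterion are ORed, criteria are ANDed."""
    name: str
    action: str
    src_zones: set = field(default_factory=set)
    src_geos: set = field(default_factory=set)
    src_ports: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    dst_geos: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    dst_urls: set = field(default_factory=set)
    intrusion_policy: Optional[str] = None  # only meaningful for Allow
    file_policy: Optional[str] = None       # only meaningful for Allow
    log: bool = False


@dataclass
class Flow:
    """Attributes of one connection that the policy is evaluated against."""
    src_zone: str
    src_geo: str
    src_port: int
    dst_zone: str
    dst_geo: str
    dst_port: int
    dst_url: str = ""


@dataclass
class Verdict:
    rule: Optional[str]  # matching rule name, or None when the default action applies
    action: str
    inspected: bool      # True only for Allow with an intrusion or file policy attached
    logged: bool


def criterion_matches(allowed: set, value) -> bool:
    """OR within a criterion: empty set means any, otherwise the value must be listed."""
    return not allowed or value in allowed


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """AND across criteria: every criterion of the rule must accept the flow."""
    checks = [
        (rule.src_zones, flow.src_zone), (rule.src_geos, flow.src_geo),
        (rule.src_ports, flow.src_port), (rule.dst_zones, flow.dst_zone),
        (rule.dst_geos, flow.dst_geo), (rule.dst_ports, flow.dst_port),
        (rule.dst_urls, flow.dst_url),
    ]
    return all(criterion_matches(allowed, value) for allowed, value in checks)


def evaluate(policy: list, flow: Flow, default_action: str = BLOCK) -> Verdict:
    """First match wins, in policy order; the default action applies when no rule
    matches (default-action logging is modelled as off here, an assumption)."""
    for rule in policy:
        if rule_matches(rule, flow):
            inspected = rule.action == ALLOW and bool(rule.intrusion_policy or rule.file_policy)
            return Verdict(rule.name, rule.action, inspected, rule.log)
    return Verdict(None, default_action, False, False)


# Rule 1 is the rule from the documentation's example; rule 2 and the policy
# names are constructed to show that ordering decides the outcome.
POLICY = [
    Rule(name="Rule 1", action=ALLOW,
         src_zones={"inside"}, src_geos={"Africa", "Australia"}, src_ports={80, 443},
         dst_zones={"outside"}, dst_geos={"Aland Islands", "Albania"},
         dst_ports=set(),  # any destination port
         dst_urls={"ABC", "About.com"},
         intrusion_policy="example-intrusion-policy", file_policy="example-file-policy",
         log=True),
    Rule(name="Rule 2", action=BLOCK, src_zones={"inside"}, dst_zones={"outside"}, log=True),
]

# Constructed sample flows.
FLOWS = {
    # Matches every criterion of rule 1: allowed and inspected, even though rule 2 would block it.
    "australia_to_albania": Flow("inside", "Australia", 443, "outside", "Albania", 8080, "About.com"),
    # Fails rule 1's source-geo criterion, falls through to rule 2 and is blocked.
    "asia_to_albania": Flow("inside", "Asia", 443, "outside", "Albania", 80, "About.com"),
    # Matches no rule at all, so the policy's default action applies.
    "dmz_to_outside": Flow("dmz", "Australia", 443, "outside", "Albania", 80, "About.com"),
}

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        print(label, evaluate(POLICY, flow))
```

Running the block prints one verdict per flow. The useful point for policy review is the second flow: a rule that looks narrow on screen still shadows nothing below it, but a broad rule placed early shadows everything after it, so the order in which rules appear in the CDO policy view is as much a part of the policy as the rules themselves.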