About Firepower Threat Defense Access Control Policies
Firepower Threat Defense (FTD) devices have a single policy. A section of that policy has access control rules. For ease of discussion, we refer to the section of the policy that has access control rules as the access control policy. After onboarding the FTD, you add rules to, or edit rules in, the access control policy.
If you are onboarding a new FTD device, it may be that there are no rules in the policy that was imported. In that case, when you open the FTD Policy page, you will see the message, "No results found." If you see that message, you can start adding rules to the FTD Policy and then deploy them to the device from CDO.
Tips Before you Begin
When adding conditions to access control rules, consider the following tips:
You can create custom objects for some of the conditions at the time you add them to the rule. Look in the dialog boxes for a link to create custom objects.
You can configure multiple conditions per rule. Traffic must match all the conditions in the rule for the rule to apply to traffic. For example, you can use a single rule to perform URL filtering for specific hosts or networks.
For each condition in a rule, you can add up to 50 criteria. Traffic that matches any of a condition's criteria satisfies the condition. For example, you can use a single rule to apply application control for up to 50 applications or application filters. Thus, there is an OR relationship among the items in a single condition, but an AND relationship between condition types (for example, between source/destination and application).
Some features require that you have enabled the appropriate Firepower licenses.
Some editing tasks may not require you to enter the edit mode. From the policy page, you can modify a condition in the rule by clicking the + button within that condition column and select the desired object or element in the popup dialog box. You can also click the x on an object or element to remove it from the rule.
Create or Edit a Firepower Threat Defense Access Control Policy
Use this procedure to edit an FTD access control policy using CDO:
- Open the Devices & Services page.
- Select the FTD device whose access control policy you want to edit.
- In the Management pane at the right, select Policy.
- Do any of the following:
- To create a new rule, click the blue plus button .
- To edit an existing rule, select the rule and click the edit icon in the Actions pane. (Simple edits may also be performed inline without entering edit mode.)
- To delete a rule you no longer need, select the rule and click the remove icon in the Actions pane.
- To move a rule within the policy, select the rule in the access control table and click the up or down arrow at the end of the rule row to move the rule.
When editing or adding a rule, continue with the remaining steps in this procedure.
- In the Order field, select the position for the rule within the policy. Network traffic is evaluated against the list of rules in numerical order, 1 to "last."
Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above policies that have more general criteria that would otherwise apply to the matching traffic.
The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.
- Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -
Select the action to apply if the network traffic is matched by the rule:
- Trust—Allow traffic without further inspection of any kind.
- Allow—Allow the traffic subject to the intrusion and other inspection settings in the policy.
- Block—Drop the traffic unconditionally. The traffic is not inspected.
- Define the traffic matching criteria by using any combination of attributes in the following tabs:
- Source-Click the Source tab and add or remove security zones (interfaces), networks (which includes networks, continents, and custom geolocations), or ports from which the network traffic originated. The default value is "Any."
- Destination—Click the Destination tab and add or remove the security zones (interfaces), networks (which includes networks, continents and custom geolocations), or ports on which the traffic arrives. The default value is "Any." See Source and Destination Criteria in a Firepower Threat Defense Access Control Rule.
- Applications—Click the Application tab and add or remove a web application, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application. See Application Criteria in a Firepower Threat Defense Access Control Rule
- URLs—Click the URL tab and add or remove a URL or URL category of a web request. The default is any URL. See URL Conditions in a Firepower Threat Defense Access Control Rule to learn how to fine-tune this condition using URL categories and reputation filters.
- Users—Active Directory realm objects, special identities (failed authentication, guest, no authentication required, unknown), and user groups added to the rule from Firepower Device Manager are visible in the rule row but it is not yet editable in CDO.
- Caution: Individual user-objects are not yet visible in an access control policy rule in CDO. Log in to FDM to see how an individual user-object may affect an access control policy rule.
- (Optional, for rules with the Allow action) Click the Intrusion Policy tab to assign an intrusion inspection policy to inspect traffic for intrusions and exploits. See Intrusion Policy Settings in a Firepower Threat Defense Access Control Rule.
- To log Intrusion events generated by intrusion policy rules, see "Configure Logging Settings" for the device.
- (Optional, for rules with the Allow action) Click the File Policy tab to assign a file policy that inspects traffic for files that contain malware and for files that should be blocked. See File Policy Settings in a Firepower Threat Defense Access Control Rule.
- To log file events generated by file policy rules, see "Configuring Logging Settings" for the device.
- (Optional) Click the logging tab to enable logging and collect connection events reported by the access control rule.
See Logging Settings in a Firepower Threat Defense Access Control Rule for more information on logging settings.
- Click Save. You are now done configuring a specific rule in the security policy.
- You can now configure the Default Action for the security policy as a whole. The Default Action defines what happens if network traffic does not match any of the rules in the access control policy, intrusion policy, or file/malware policy.
- Click the Default Action for the policy.
- Configure an intrusion policy as you did in step 9, above.
- Configure logging connection events generated by the Default Action.
- When you are ready, return to the Devices & Services page, select the device whose policy who changed, and use Deploy Configuration Changes from Defense Orchestrator to FTD to deploy the changes to the device.