Skip to main content

 

 

Cisco Defense Orchestrator

Application Criteria in a Firepower Threat Defense Access Control Rule

The Application criteria of an access rule defines the application used in an IP connection, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application.

Although you can specify individual applications in the rule, application filters simplify policy creation and administration. For example, you could create an access control rule that identifies and blocks all high risk, low business relevance applications. If a user attempts to use one of those applications, the session is blocked.

In addition, Cisco frequently updates and adds additional application detectors via system and vulnerability database (VDB) updates. Thus, a rule blocking high risk applications can automatically apply to new applications without you having to update the rule manually.

You can specify applications and filters directly in the rule, or create application filter objects that define those characteristics. The specifications are equivalent, although using objects can make it easier to stay within the 50-items-per-criteria system limit if you are creating a complex rule. See Create and Edit a Firepower Application Filter Object for more information about creating an application filter object. 

To modify the application and application filters used in a rule, you can edit the rule using the procedure in Configure the Firepower Threat Defense Access Control Policy. Simple edits may be performed without entering edit mode. From the policy page, you can modify an application condition in the rule by selecting the rule and clicking the + button within the application condition column and selecting a new object or element in the popup dialog box. You can also click the x on an object or element to remove it from the rule.