General best practices for access control

Review the following requirements and general best practices:

  • Use a prefilter policy to provide early blocking for unwanted traffic, and to fastpath traffic that does not benefit from access control inspection. For more information, see Best Practices for Fastpath Prefiltering.

  • Although you can configure the system without licensing your deployment, many features require that you enable the appropriate licenses before you deploy.

  • Access control rules are deployed as access control lists (ACL) on the device. To minimize the number of access control entries created per access control rule, and improve overall performance, enable object group search for each device. Object group search is a device setting, not an access control policy setting, so you must edit each device to ensure the feature is enabled. For more information, see Configure Object Group Search.

  • When you deploy an access control policy, its rules are not applied to existing connections. Traffic on an existing connection is not bound by the new policy that is deployed. In addition, the policy hit count is incremented only for the first packet of a connection that matches a policy. Thus, the traffic on an existing connection that could match a policy is omitted from the hit count. To have the policy rules effectively applied, clear the existing connection sessions, and then deploy the policy.

  • Whenever possible, combine multiple network objects into a single object group. The system automatically creates an object group (during deployment) when you select more than one object (for source or destination separately). Selecting existing groups can avoid object group duplication and reduce the potential impact on CPU usage when there are a large number of duplicate objects.

  • For the system to affect traffic, you must deploy relevant configurations to managed devices using routed, switched, or transparent interfaces, or inline interface pairs.

    Sometimes, the system prevents you from deploying inline configurations to passively deployed devices, including inline devices in tap mode.

    In other cases, the policy might deploy successfully, but attempting to block or alter traffic using passively deployed devices can have unexpected results. For example, the system might report multiple beginning-of-connection events for each blocked connection, because blocked connections are not blocked in passive deployments.

  • Certain features, including URL filtering, application detection, and rate limiting, must allow some packets to pass in order for the system to identify the traffic.

  • Some features are only available on certain device models. Warning icons and confirmation dialog boxes designate unsupported features.

  • If you will use syslog or store events externally, avoid special characters in object names such as policy and rule names. Object names should not contain special characters, such as commas, that the receiving application may use as separators.

  • Best practices for creating, ordering, and implementing access control rules are detailed in Best practices for access control rules and subtopics.