Configure Extended ACL Objects

Use extended ACL objects when you want to match traffic based on source and destination addresses, protocol and port, application group or if the traffic is IPv6.

Procedure


Step 1

Select Objects > Object Management and choose Access List > Extended from the table of contents.

Step 2

Do one of the following:

  • Click Add Extended Access List to create a new object.

  • Click Edit (edit icon) to edit an existing object.

Step 3

In the New Extended Access List Object dialog box, enter a name for the object (no spaces allowed), and configure the access control entries:

  1. Do one of the following:

    • Click Add to create a new entry.

    • Click Edit (edit icon) to edit an existing entry.

  2. Select the Action: Allow (match) or Block (do not match) the traffic criteria.

    Note

    The Logging, Log Level, and Log Interval options are used for access rules only (ACLs attached to interfaces or applied globally). Because ACL objects are not used for access rules, leave these values at their defaults.

  3. Configure the source and destination addresses on the Network tab using any of the following techniques:

    • Select the desired network objects or groups from the Available list and click Add to Source or Add to Destination. You can create new objects by clicking the + button above the list. You can mix IPv4 and IPv6 addresses.

    • Type an address in the edit box below the source or destination list and click Add. You can specify a single host address (such as 10.100.10.5 or 2001:DB8::0DB8:800:200C:417A), or a subnet (in 10.100.10.0/24 or 10.100.10.0 255.255.255.0 format, or for IPv6, 2001:DB8:0:CD30::/60).

  4. Click the Port tab and configure the service using any of the following techniques:

    • Select the desired port objects from the Available list and click Add to Source or Add to Destination. You can create new objects by clicking the + button above the list. The object can specify TCP/UDP ports, ICMP/ICMPv6 message types, or other protocols (including “any”). However, the source port, which you typically would leave empty, accepts TCP/UDP only. You cannot select port groups.

      For TCP/UDP, note that you must use the same protocol in both the source and destination fields, if you specify both. For example, you cannot specify a UDP source port and a TCP destination port.

    • Type or select a port or protocol in the edit box below the source or destination list and click Add.

    Note

    To get an entry that applies to all IP traffic, select a destination port object that specifies “all” protocols.

  5. Click the Application tab and choose the applications that are to be grouped for the direct internet access policy.

    Important
    • You cannot configure applications for cluster devices. Hence, this tab is not applicable to cluster devices.

    • Use extended ACL with applications only in Policy Based Routing. Do not use it in other policies as its behavior is unknown and not supported.

    Note
    • The Available Applications list displays a fixed set of pre-defined applications. This list is a subset of the applications available in the Access Control policy, because only these applications can be detected from their first packet (FQDN endpoints resolved to IP addresses and ports). The application definitions are updated through the VDB updates and are pushed to threat defense during subsequent deployments.

    • Currently, management center neither supports user-defined custom applications or groups of applications nor allows you to modify the pre-defined applications list.

    • You can use the filter options provided under the Application Filters to refine this list.

  6. Click the Users tab and choose the users, user groups, or both that are to be classified for the Policy Based Routing (PBR).

    Important

    Use extended ACL with users, user groups, or both only for Policy Based Routing. Do not use it in other policies as its behavior is unknown and not supported.

    Note
    • The Available Realms list displays the configured Active Directory/LDAP realms. For information on creating and managing realms, see Create an LDAP Realm or an Active Directory Realm and Realm Directory and Manage a Realm, respectively.

      Note

      Local realms and Azure AD realms are not supported.

    • The Available Users list displays the downloaded users and user groups of the selected AD/LDAP realms. To download the users, user groups, or both, navigate to Integrations > Other Integrations > Realms, and then click Download against the relevant active directory/LDAP realms.

      Note

      Threat defense can support a maximum of 512 user groups and 64000 user-IP mappings.

    • User-to-IP mappings and user group membership information are updated and pushed from the management center to the threat defense on user login and logout, and when group memberships change.

  7. Click the Security Group Tag tab and choose the source SGT tags to be classified for the direct internet access policy.

    Important

    Use extended ACL with SGTs only for Policy Based Routing. Do not use it in other policies as its behavior is unknown and not supported.

    Note
    • The Available Security Group Tags list displays the configured security group tags. You can choose to use the ISE SGTs or create custom SGTs.

    • To use ISE SGTs, ensure that ISE is integrated with management center with Session Directory Topic and SXP Topic subscribed. For information on ISE integration, see Configure ISE for User Control.

      Note

      The supported ISE versions are 3.2, 3.1, 3.0, and 2.7 patch 2+.

    • For information on creating custom SGTs, see Creating Security Group Tag Objects.

    Important

    You can configure Users and Security Group Tag for Secure Firewall 4200 devices only.

  8. Select the required application, and click Add to Rule.

    Note
    • Do not configure destination networks and applications in the extended ACL object.

    • The selected applications (Network Service objects) in each access control entry form a Network Service Group (NSG), and this group is deployed on the threat defense. The NSG is used in direct internet access to classify traffic based on the match with the selected application group.

  9. Click Add to add the entry to the object.

  10. If necessary, click and drag the entry to move it up or down in the rule order to the desired location.

    Repeat the process to create or edit additional entries in the object.
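The entry constraints listed in Step 3 (object name without spaces, host/CIDR/netmask address formats with IPv4 and IPv6 mixed, source port limited to TCP/UDP, matching protocols when both ports are given, and "any" for all IP traffic) can be checked before an object is created in the GUI. The following is an added example, not Cisco's code or the management center's own schema; the dictionary layout of the entries is an assumed representation.

```python
"""Pre-flight check of an extended ACL object definition against the rules
stated in the procedure (added example; the entry dict layout is assumed)."""
import ipaddress
import re

# Destination service may be TCP/UDP, ICMP/ICMPv6 or "any" (all IP traffic).
DEST_PROTOCOLS = {"tcp", "udp", "icmp", "icmpv6", "any"}
# The source port field accepts TCP/UDP only.
SRC_PROTOCOLS = {"tcp", "udp"}


def parse_address(text):
    """Accept a host (10.100.10.5, 2001:DB8::1), CIDR (10.100.10.0/24,
    2001:DB8:0:CD30::/60) or dotted-netmask (10.100.10.0 255.255.255.0) form
    and return an ip_network; raise ValueError for anything else."""
    parts = text.split()
    if len(parts) == 2:                      # "address netmask" form (IPv4)
        text = f"{parts[0]}/{parts[1]}"
    return ipaddress.ip_network(text, strict=False)


def validate_object(name, entries):
    """Return a list of problems; an empty list means the definition is OK."""
    problems = []
    if not name or re.search(r"\s", name):
        problems.append("object name must be non-empty and contain no spaces")
    for i, e in enumerate(entries, 1):
        if e.get("action") not in ("allow", "block"):
            problems.append(f"entry {i}: action must be allow or block")
        for side in ("source", "destination"):
            for addr in e.get(side, []):
                try:
                    parse_address(addr)
                except ValueError:
                    problems.append(f"entry {i}: bad {side} address {addr!r}")
        src, dst = e.get("source_port"), e.get("destination_port")
        if src and src["protocol"] not in SRC_PROTOCOLS:
            problems.append(f"entry {i}: source port accepts TCP/UDP only")
        if dst and dst["protocol"] not in DEST_PROTOCOLS:
            problems.append(f"entry {i}: unknown destination protocol")
        if src and dst and src["protocol"] != dst["protocol"]:
            problems.append(f"entry {i}: source/destination port protocols differ")
    return problems


# Constructed sample reusing the address formats from the procedure text.
SAMPLE_ENTRIES = [
    {"action": "allow",
     "source": ["10.100.10.5", "2001:DB8::0DB8:800:200C:417A"],   # mixed v4/v6
     "destination": ["10.100.10.0 255.255.255.0", "2001:DB8:0:CD30::/60"],
     "destination_port": {"protocol": "tcp", "port": 443}},
    {"action": "block", "destination": ["10.100.10.0/24"],
     "destination_port": {"protocol": "any"}},                     # all IP traffic
]
```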

Step 4

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 5

Click Save.