Configure Policies to Support Threat Intelligence Director

You must configure access control policies to publish threat intelligence director data from the management center to your managed devices (elements). In addition, we recommend that you configure your access control policies to maximize observation and management center event generation.

For each managed device that you want to support threat intelligence director, perform the steps below to configure the associated access control policy.

Elements that are configured to use threat intelligence director after data has been published will automatically receive all currently-published observables.

Procedure


Step 1

Verify that the Enable Threat Intelligence Director check box is checked in General Settings of the access control policy. To navigate to General Settings, choose Policies > Access Control > Edit > More > Advanced Settings. This option is enabled by default.

For more information, see Access Control Policy Advanced Settings.

Step 2

Add rules that allow (rather than trust) connections to the access control policy if they are not already present. Threat Intelligence Director requires that the access control policy specify at least one rule.

Because Threat Intelligence Director depends on inspection, allow traffic rather than trust it: the purpose of trusting traffic is to bypass inspection, so trusted connections are never observed. For more information, see Creating a Basic Access Control Policy.

Step 3

If you choose Intrusion Prevention as the default action for the access control policy and you want to decrypt traffic for TID detection, associate an SSL policy with the access control policy; see Associating Other Policies with Access Control.

Step 4

If you want SHA-256 observables to generate observations and Secure Firewall Management Center events:

  1. Create a file policy containing one or more Malware Cloud Lookup or Block Malware file rules.

    For more information, see Configure File Policies.

  2. Associate this file policy with one or more rules in the access control policy.

Step 5

If you want IPv4, IPv6, URL, or Domain Name observations to generate connection and security intelligence events, enable connection and security intelligence logging in the access control policy:

  1. In access control rules where you invoked a file policy, enable Log at End of Connection and File Events: Log Files, if not already enabled.

  2. Verify that default logging (DNS Policy, Networks, and URLs) is enabled in your Security Intelligence settings.

Step 6

Deploy configuration changes.
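The steps above are normally verified by clicking through the policy editor before deploying. The following added example (not Cisco's code, and not part of this guide) shows the same pre-deployment check as a script over a policy exported as JSON. The rule fields `action`, `logEnd`, `logFiles` and `filePolicy` mirror names used by the management center REST API access-rule object; the `advanced.tidEnabled` key, the `fileRuleActions` list and the `securityIntelligence` logging map are simplified shapes assumed for this illustration, and the two sample policies are constructed so the checker runs offline.

```python
"""Readiness check for the Threat Intelligence Director settings in this procedure.

Added example, not Cisco's code. Rule fields (action, logEnd, logFiles, filePolicy)
follow the management center REST API access-rule object; the advanced.tidEnabled
key, the fileRuleActions list and the securityIntelligence logging map are assumed
simplified shapes so the checker can run on the constructed samples below.
"""
from dataclasses import dataclass

# Step 4: file rule actions that let SHA-256 observables generate observations.
MALWARE_FILE_ACTIONS = {"MALWARE_CLOUD_LOOKUP", "BLOCK_MALWARE"}


@dataclass(frozen=True)
class Finding:
    step: int       # procedure step the gap relates to
    message: str


def check_tid_readiness(policy: dict) -> list:
    """Return one Finding per gap, in procedure-step order; an empty list means ready."""
    findings = []

    # Step 1: TID is enabled by default but can be switched off in Advanced Settings.
    if not policy.get("advanced", {}).get("tidEnabled", True):
        findings.append(Finding(1, "Threat Intelligence Director disabled in Advanced Settings"))

    rules = policy.get("rules", [])
    allow_rules = [r for r in rules if r.get("action") == "ALLOW"]

    # Step 2: TID observes inspected traffic, so at least one allow rule is needed,
    # and every trust rule is a blind spot worth reporting.
    if not allow_rules:
        findings.append(Finding(2, "no allow rule; TID requires at least one rule that inspects traffic"))
    for r in rules:
        if r.get("action") == "TRUST":
            findings.append(Finding(2, f"rule '{r['name']}' trusts traffic, which bypasses inspection"))

    # Step 4: an allow rule must carry a file policy containing a malware rule.
    with_file_policy = [r for r in allow_rules if r.get("filePolicy")]
    if not with_file_policy:
        findings.append(Finding(4, "no allow rule references a file policy; SHA-256 observables cannot match"))
    for r in with_file_policy:
        actions = set(r["filePolicy"].get("fileRuleActions", []))
        if not actions & MALWARE_FILE_ACTIONS:
            findings.append(Finding(4, f"file policy '{r['filePolicy']['name']}' has no "
                                       "Malware Cloud Lookup or Block Malware rule"))

    # Step 5a: rules that invoke a file policy must log at end of connection and log files.
    for r in with_file_policy:
        if not r.get("logEnd"):
            findings.append(Finding(5, f"rule '{r['name']}': Log at End of Connection is off"))
        if not r.get("logFiles"):
            findings.append(Finding(5, f"rule '{r['name']}': File Events: Log Files is off"))

    # Step 5b: Security Intelligence default logging (DNS Policy, Networks, URLs).
    si = policy.get("securityIntelligence", {})
    for category in ("dnsPolicy", "networks", "urls"):
        if not si.get(category, {}).get("logging", False):
            findings.append(Finding(5, f"Security Intelligence logging for {category} is disabled"))
    return findings


# Constructed sample: a policy that satisfies every step of the procedure.
READY_POLICY = {
    "name": "branch-acp",
    "advanced": {"tidEnabled": True},
    "rules": [
        {"name": "inspect-web", "action": "ALLOW",
         "filePolicy": {"name": "malware-lookup", "fileRuleActions": ["MALWARE_CLOUD_LOOKUP"]},
         "logEnd": True, "logFiles": True},
    ],
    "securityIntelligence": {"dnsPolicy": {"logging": True},
                             "networks": {"logging": True}, "urls": {"logging": True}},
}

# Constructed sample: TID switched off, a trust rule, a detect-only file policy,
# end-of-connection logging off and network SI logging off.
WEAK_POLICY = {
    "name": "lab-acp",
    "advanced": {"tidEnabled": False},
    "rules": [
        {"name": "trust-backup", "action": "TRUST"},
        {"name": "allow-files", "action": "ALLOW",
         "filePolicy": {"name": "detect-only", "fileRuleActions": ["DETECT_FILES"]},
         "logEnd": False, "logFiles": True},
    ],
    "securityIntelligence": {"dnsPolicy": {"logging": True},
                             "networks": {"logging": False}, "urls": {"logging": True}},
}

if __name__ == "__main__":
    for policy in (READY_POLICY, WEAK_POLICY):
        gaps = check_tid_readiness(policy)
        print(f"{policy['name']}: {'ready' if not gaps else f'{len(gaps)} gap(s)'}")
        for f in gaps:
            print(f"  step {f.step}: {f.message}")
```

Run it against a policy export before deploying (Step 6); a clean result means the device will start emitting TID observations and events once the observables are published, while each finding names the step to revisit. Step 3 (the SSL policy) is intentionally not checked, since it only applies when the default action is Intrusion Prevention and decryption is wanted.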


What to do next

Complete remaining items in How To Set Up Threat Intelligence Director