Setting the access control default action

For detailed information on what each option does, see Access control policy default action.

You can configure the following options. Click OK when finished.

• Logging options—Whether to log the connection. You can Log at beginning of connection, Log at end of connection, or both. If you select block as the default action, you can log at the beginning of the connection only.

• Send connection events to—If you select one of the logging options, select whether to send events to any combination of the following:

  • Firewall Management Center—Send events to the manager.

  • Syslog server—Send events to the default syslog server configured for the policy. You can configure overrides to specify a different severity level or syslog server destination.

  (Splunk or SIEM syslog server integration) If you have configured Firewall Management Center as the source of connection events in Splunk configuration, choose Firewall Management Center under Send Connection Events to options. If you have configured Firewall Threat Defense as the connection event source, select at least one syslog destination. For Splunk or any SIEM syslog configuration procedure, see the Cisco Secure Firewall Management Center Administration Guide.

• SNMP trap—If you enable logging, you can send SNMP traps to an SNMP server. Select an SNMP configuration, or click + to configure a new one.

• Default action variable set—If you selected one of the intrusion prevention default actions, select the variable set that should be used with the intrusion policy you selected.