TO FIREPOWER POLICIES
Prefilter Policy
Prefiltering is the first phase of access control, before the system performs more resource-intensive
evaluation.
Prefiltering is simple, fast, and early. Prefiltering uses limited outer-header criteria to quickly handle traffic.
Compare this to subsequent evaluation, which uses inner headers and has more robust inspection
capabilities.
A prefilter rule can match on “Interface Objects”, “Networks”, “VLAN Tags”, and “Ports”.
A tunnel rule can match on “Interface Objects”, “Tunnel Endpoints”, “VLAN Tags”, and “Encapsulation & Ports”.
Fastpath—Exempts matching traffic from all further inspection and control, including access control, identity
requirements, SSL Inspection and rate limiting. Fastpathing a tunnel fastpaths all encapsulated connections.
Block—Blocks matching traffic without further inspection of any kind. Blocking a tunnel blocks all encapsulated
connections.
Analyze—Allows traffic to continue to be analyzed by the rest of access control, using inner headers. If passed by
access control and any related deep inspection, this traffic may also be rate limited. For tunnel rules, enables rezoning
with the Assign Tunnel Zone option.
SSL Policy
SSL rules provide a granular method of handling encrypted traffic across multiple managed devices, whether
blocking the traffic without further inspection, not decrypting the traffic and inspecting it with access control,
or decrypting the traffic for access control analysis.
Actions:
Do not decrypt: use this for traffic that must be exempted from decryption, e.g. where a jurisdiction forbids decrypting
financial information.
Decrypt - Resign: This is the recommended action for decrypting outgoing traffic.
If traffic matches this rule, the system re-signs the server certificate with a pre-defined CA certificate, then
acts as a man-in-the-middle. It creates two TLS/SSL sessions, one between the client and the managed device and one
between the managed device and the server. Each session has its own cryptographic session details, which
allows the system to decrypt and re-encrypt the traffic.
Decrypt – Known Key: This method of decryption is recommended for incoming traffic to servers you control, because you must
have access to the private key of the destination server.
If traffic matches the rule, and the certificate used to encrypt the traffic matches the certificate associated with the action, the
system uses the appropriate private key to obtain the session encryption and decryption keys.
Block: terminates the connection, resulting in an error in the client browser.
Block with Reset: terminates and resets the connection, resulting in an error in the client browser.
The error indicates that the connection was reset but does not indicate why.
Monitor: The Monitor action is not designed to permit or deny traffic. Rather, its primary purpose is to force connection logging,
regardless of how matching traffic is eventually handled. Traffic is then matched against additional rules, if present, to determine
whether to trust, block, or decrypt it. The first non-Monitor rule matched determines traffic flow and any further inspection. If
there are no additional matching rules, the system uses the default action.
Identity Policy
Identity policies contain identity rules. Identity rules associate sets of traffic with a realm and an authentication
method: passive authentication, active authentication, or no authentication.
DNS
DNS-based Security Intelligence allows you to whitelist or blacklist traffic based on the domain name requested by a
client. Cisco provides domain name intelligence you can use to filter your traffic; you can also configure custom lists
and feeds of domain names tailored to your deployment.
A DNS policy rule can match on “Source Zones”, “Networks”, “VLAN Tags”, and “DNS” (domain lists and feeds).
The DNS rule action can be set to “Whitelist”, “Monitor”, “Domain Not Found”, “Drop”, or “Sinkhole”.
Whitelist: allows matching traffic to pass. When you whitelist traffic, it is subject to further inspection
either by a matching access control rule, or the access control policy's default action.
Monitor: designed to force connection logging; matching traffic is neither immediately whitelisted nor blacklisted.
Rather, traffic is matched against additional rules to determine whether to permit or deny it.
Domain Not Found: action returns a non-existent internet domain response to the DNS query, which prevents the client
from resolving the DNS request.
Sinkhole: action returns a sinkhole object's IPv4 or IPv6 address in response to the DNS query.
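The DNS rule actions above, modelled as an added example (this is illustrative code, not Firepower's implementation). It assumes rules are walked in order, that a domain list entry matches the queried name and its subdomains, that Monitor only records the match and keeps going, and that the first non-Monitor match decides the answer: Whitelist forwards the query normally, Domain Not Found answers with RCODE 3 (NXDOMAIN), Drop discards the query, and Sinkhole answers with the sinkhole object's address. The policy and domain names are constructed.

```python
from dataclasses import dataclass

NXDOMAIN = 3  # DNS RCODE for "non-existent domain"


@dataclass
class DnsRule:
    name: str
    action: str          # Whitelist | Monitor | Domain Not Found | Drop | Sinkhole
    domains: tuple       # domain list / feed entries the rule references
    sinkhole: str = ""   # sinkhole object's address, used only by Sinkhole


def domain_matches(qname, domains):
    """A list entry matches the queried name itself and any subdomain of it (assumption)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def build_result(rule, logged):
    """Translate a decisive (non-Monitor) rule into the DNS answer the client receives."""
    if rule.action == "Whitelist":
        # Resolved normally; the connection is still inspected by access control later.
        resp = {"rcode": 0, "forward": True}
    elif rule.action == "Domain Not Found":
        resp = {"rcode": NXDOMAIN, "forward": False}
    elif rule.action == "Drop":
        resp = None  # query silently discarded; the client gets no answer
    elif rule.action == "Sinkhole":
        resp = {"rcode": 0, "forward": False, "answer": rule.sinkhole}
    else:
        raise ValueError(f"unknown DNS action {rule.action!r}")
    return {"action": rule.action, "rule": rule.name, "logged": logged, "response": resp}


def evaluate_dns_query(qname, rules):
    """Walk the rules in order; Monitor logs and continues, the first other match decides."""
    logged = []
    for rule in rules:
        if not domain_matches(qname, rule.domains):
            continue
        if rule.action == "Monitor":
            logged.append(rule.name)
            continue
        return build_result(rule, logged)
    # No decisive match: the query is resolved and the flow goes on to access control.
    return {"action": "default", "rule": None, "logged": logged,
            "response": {"rcode": 0, "forward": True}}


# Constructed sample policy (domain names and sinkhole address are placeholders).
POLICY = [
    DnsRule("log-dynamic-dns", "Monitor", ("dyndns.example",)),
    DnsRule("allow-partner", "Whitelist", ("partner.example",)),
    DnsRule("sinkhole-known-bad", "Sinkhole", ("c2.dyndns.example", "bad.example"),
            sinkhole="192.0.2.53"),
    DnsRule("nx-phishing", "Domain Not Found", ("phish.example",)),
    DnsRule("drop-spam", "Drop", ("spam.example",)),
]

if __name__ == "__main__":
    for name in ("beacon.c2.dyndns.example", "www.phish.example", "spam.example", "news.example"):
        print(name, "->", evaluate_dns_query(name, POLICY))
```

The sinkhole case shows why Monitor is placed first: the query to `beacon.c2.dyndns.example` is logged by the Monitor rule and then answered with the sinkhole address by the later rule, so both the log entry and the sinkhole answer are produced for the same query.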
Malware & File
Advanced Malware Protection (AMP) for Firepower can detect, capture, track, analyze, log, and optionally block the
transmission of malware in network traffic.
Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is
blocked, and store captured files to the managed device.
Malware Cloud Lookup rules allow you to obtain and log the disposition of files traversing your network, while still allowing their
transmission.
Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine if files
traversing your network contain malware, then block files that represent threats.
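The three file rule types, as an added worked example (illustrative code, not the AMP or Firepower implementation). It assumes a file type is recognised from leading magic bytes, that the AMP cloud can be stood in for by a local SHA-256-to-disposition table built from constructed sample files, and that Block Files needs no hash at all while the two malware rule types compute the SHA-256 and look it up; the reset-connection and store-file options are modelled as flags reported in the result. All file contents and dispositions are constructed.

```python
import hashlib
from dataclasses import dataclass

# File type detection by magic bytes (small constructed subset).
MAGIC = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP", b"MZ": "MSEXE"}


def detect_file_type(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "UNKNOWN"


# Constructed sample "files"; the MZ one is only a harmless stand-in for a flagged binary.
SAMPLE_PDF = b"%PDF-1.4\n%constructed clean sample\n"
SAMPLE_ZIP = b"PK\x03\x04constructed archive payload"
SAMPLE_EXE = b"MZ" + b"\x90" * 16 + b"constructed sample, not real malware"

# Stand-in for the AMP cloud: SHA-256 hex digest -> disposition (constructed).
CLOUD = {
    hashlib.sha256(SAMPLE_PDF).hexdigest(): "Clean",
    hashlib.sha256(SAMPLE_EXE).hexdigest(): "Malware",
}


def lookup_disposition(sha256_hex):
    """Query the (stand-in) cloud; anything it has never seen is Unknown."""
    return CLOUD.get(sha256_hex, "Unknown")


@dataclass
class FileRule:
    action: str                 # "Block Files" | "Malware Cloud Lookup" | "Block Malware"
    file_types: tuple           # file types the rule applies to
    reset_connection: bool = False
    store_files: bool = False


def apply_file_rule(rule, data):
    """Return what happens to one transferred file under one file rule."""
    ftype = detect_file_type(data)
    result = {"file_type": ftype, "matched": ftype in rule.file_types, "verdict": "allow",
              "sha256": None, "disposition": None, "reset": False, "stored": False}
    if not result["matched"]:
        return result
    if rule.action == "Block Files":
        # Type-based block: no hashing or cloud query involved.
        result.update(verdict="block", reset=rule.reset_connection, stored=rule.store_files)
        return result
    digest = hashlib.sha256(data).hexdigest()
    disposition = lookup_disposition(digest)
    result.update(sha256=digest, disposition=disposition)
    if rule.action == "Block Malware" and disposition == "Malware":
        result.update(verdict="block", reset=rule.reset_connection, stored=rule.store_files)
    # Malware Cloud Lookup only records the disposition and lets the file through.
    return result


if __name__ == "__main__":
    rule = FileRule("Block Malware", ("MSEXE", "PDF"), reset_connection=True, store_files=True)
    for sample in (SAMPLE_PDF, SAMPLE_EXE, SAMPLE_ZIP):
        print(apply_file_rule(rule, sample))
```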
Intrusion Policy
An intrusion policy uses intrusion and preprocessor rules (sometimes referred to collectively as intrusion rules) to
examine the decoded packets for attacks based on patterns. Intrusion policies are paired with variable sets, which
allow you to use named values to accurately reflect your network environment.
Access Control Policy
An access control policy contains access rules, which provide a granular method of
handling network traffic based on the matched rule's action, i.e. Monitor, Trust, Block,
or Allow.
An access rule can match on zone, network, VLAN tags, users,
applications, ports, URLs, and SGT/ISE attributes. You can also choose whether to inspect the
traffic and whether to log it, depending on requirements.
Security Intelligence
As an early line of defense against malicious internet content, Security Intelligence uses reputation intelligence to
quickly block connections to or from IP addresses, URLs, and domain names. This is called Security Intelligence
blacklisting.
Security Intelligence is an early phase of access control, before the system performs more resource-intensive
evaluation. Blacklisting improves performance by quickly excluding traffic that does not require inspection.
Although you can configure custom blacklists, Cisco provides access to regularly updated intelligence feeds. Sites
representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you
can update and deploy custom configurations.
FIREPOWER TRAFFIC FLOW
Prefilter - comes before any other inspection. If traffic is fastpathed, it bypasses all further evaluation, i.e. Security Intelligence,
SSL Policy, Identity Policy, IPS, Malware/File, and URL Policy. If analyzed, it proceeds to further, deeper inspection. If blocked,
the traffic is discarded.
Traffic is evaluated against Security Intelligence, SSL decryption, Identity Policy, and the Network Analysis Policy before the access
rules (L7 ACL, App, URL, IPS, File/Malware policy).
Therefore, setting an access rule to “Trust” only lets the traffic bypass IPS and Malware/File inspection; the earlier phases have already run.
Setting an access rule to Allow lets you evaluate the traffic further with IPS and Malware/File inspection.
Setting an access rule to Block discards the traffic.
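The traffic flow described in this section, as an added model (illustrative code, not Firepower's engine). It assumes prefilter rules match only on outer-header fields (ingress zone, network, VLAN, destination port), that Security Intelligence is a plain IP blacklist, that SSL, identity, and network analysis are recorded as stages every analyzed flow passes through, and that access rules match on application or port with the Trust/Allow/Block actions only (Monitor is left out). The rules and addresses are constructed; the returned trace lists the stages a flow actually reached, which is the point of the section: Fastpath skips everything, Trust skips only IPS and Malware/File, Allow runs them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    vlan: int
    ingress_zone: str
    app: str = ""        # application identified later from inner headers / payload


@dataclass
class PrefilterRule:
    name: str
    action: str          # Fastpath | Block | Analyze
    zone: str = None
    network: str = None  # CIDR matched against source or destination
    vlan: int = None
    dst_port: int = None

    def matches(self, f):
        """Outer-header criteria only; an unset field matches anything."""
        if self.zone is not None and self.zone != f.ingress_zone:
            return False
        if self.vlan is not None and self.vlan != f.vlan:
            return False
        if self.dst_port is not None and self.dst_port != f.dst_port:
            return False
        if self.network is not None:
            net = ipaddress.ip_network(self.network)
            if ipaddress.ip_address(f.src_ip) not in net and ipaddress.ip_address(f.dst_ip) not in net:
                return False
        return True


@dataclass
class AccessRule:
    name: str
    action: str          # Trust | Allow | Block
    app: str = None
    dst_port: int = None

    def matches(self, f):
        return (self.app is None or self.app == f.app) and \
               (self.dst_port is None or self.dst_port == f.dst_port)


def evaluate(flow, prefilter_rules, si_blacklist, access_rules, default_action="Block"):
    """Return (verdict, trace) where trace lists the inspection stages the flow reached."""
    trace = []
    # 1. Prefilter on outer headers; Fastpath and Block end evaluation immediately.
    pf = next((r for r in prefilter_rules if r.matches(flow)), None)
    pf_action = pf.action if pf else "Analyze"
    trace.append(f"prefilter:{pf_action}")
    if pf_action == "Fastpath":
        return "allow", trace
    if pf_action == "Block":
        return "block", trace
    # 2. Security Intelligence: reputation blacklist, before more expensive inspection.
    if flow.src_ip in si_blacklist or flow.dst_ip in si_blacklist:
        trace.append("security_intelligence:block")
        return "block", trace
    trace.append("security_intelligence:pass")
    # 3. Stages that run on every flow reaching access control.
    trace += ["ssl_policy", "identity_policy", "network_analysis"]
    # 4. Access rule: Trust skips IPS and file inspection, Allow runs them, Block drops.
    ar = next((r for r in access_rules if r.matches(flow)), None)
    action = ar.action if ar else default_action
    trace.append(f"access_control:{action}")
    if action == "Block":
        return "block", trace
    if action == "Allow":
        trace += ["ips", "file_malware"]
    return "allow", trace


# Constructed sample policy.
PREFILTER = [
    PrefilterRule("fastpath-backups", "Fastpath", zone="inside", network="10.1.0.0/16", dst_port=873),
    PrefilterRule("block-guest-vlan-smb", "Block", vlan=300, dst_port=445),
]
SI_BLACKLIST = {"203.0.113.9"}
ACCESS = [
    AccessRule("trust-voice", "Trust", app="RTP"),
    AccessRule("allow-web", "Allow", dst_port=443),
]

if __name__ == "__main__":
    web = Flow("10.2.0.5", "198.51.100.20", 443, 10, "inside", app="HTTPS")
    print(evaluate(web, PREFILTER, SI_BLACKLIST, ACCESS))
```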
NAT