Cisco FirePOWER Access Control Policies - Todd Lammle Training Series

Captions
All right, good morning, good afternoon, and good evening, and welcome back to another episode of ITProTV. I'm your host Don Pezet, back again with another episode of Cisco FirePOWER, and boy, we've got an episode lined up for this one. We're going to be tackling access control policies, the thing that we've probably mentioned in every single episode up until now, because all the work we've done really isn't active until we put it together into that access control policy. So I've been just anxious with anticipation all the way up to this moment, and here all of our dreams will come true, and in here too. Yeah, I know I'm setting these really high standards, and here to try and live up to this excitement we've got Todd Lammle back in the studio with us.

You know, Todd, love access control policies, and it's a good thing. I'll get all excited about them, because, you know, now of course we did do our system policy and our health policy, and those were applied separately, but anything that's going to give us some events on traffic, you know, for files or Snort, you know, something generated there and alerted on a Snort rule, is going to come from my access control policy now, right? So let's go ahead and do something, and then we'll generate some traffic, right? Very easy to do.

All right, so I'm going to come out here and I'm going to create some generic access control policy. A policy: I just click Policies and it takes my left, my most left one here, and it's going to come up, and we have our default policy. We know that that was there, it automatically applied to our box, and we can go in and take a look at it real quick and see that it doesn't do anything. And it's not even up to date on both boxes; that's because I was playing with the boxes, and it's like, hey, we'll need to reapply our access control policy. I was like, why would I want to reapply that? The access control policy doesn't do anything. So let's go create a new policy, and we're going to start from the beginning, and I'm going to just say the same
thing, pod one into ACP, right? Now there's a couple default actions, meaning that, think of, again, your access control policy somewhat like an access list: we start at the top, and as soon as you match, possibly you're sent to the egress, you know, if we trust traffic, or you're dropped, or you might just go down to the next row. So the fact is, it says, if I get through this whole access control policy, what's going to happen at the end? Am I just going to block all traffic? That's not necessarily a bad thing, because I'm now only allowing things through that I explicitly permit, which sounds a lot like an access control list at that point. Typically I'm going to do something with IPS, right, and say I want an IPS at the end, and we're going to go ahead and set that. And again, I can change these. Network discovery: again, now we're just discovering the network, we're not really changing anything, so I rarely, rarely have picked this.

Now at this point here I can click my targeted device. I have a couple devices on this Defense Center. I say I want the access control policy to be part of this. I can add these later, I can add them now, doesn't matter. OK, so again, I could have, before I even added these devices, created my system policy, health policy, file policy, IPS policy, my access control policy, and then when I actually added the device and it says, hey, you've got to add an access control policy, add that in, boom, I was done. I'm done for the damn con, my box is up and running.

OK, well, let's take a look at this. There's kind of a lot to this, my friend, so just bear with me as we get through some of the details here. Again, this is a very important policy. All right, now, first thing we're going to do is we can create some rules. Now, it's the last thing I'm going to do, based on this access control policy, is come in to create the rules. The first thing I'm going to do, though, is come down to the bottom and set my default action. Notice I had set it to intrusion prevention, so it came back and gave me default and
says, hey, well, let me give you an IPS rule at the bottom. So now I've got an IPS policy at the bottom that's balanced security and protection. Now I can easily change this, and they've got some really cool stuff in here. So I could sit here and say security over connectivity. They've got an experimental policy in here. They had one in here that I see sometimes, depending on the version I'm on; it's called Maximum Detection, and it's kind of like the Magnum of access control policies, right? So anyways, I'm going to choose connectivity over security here, or I could just, you know, really, I'm just going to block all traffic. Why? Because it's more fun that way. That way I get more events. My users might be more upset, but hey, I get a more colorful graph for sure, right? And if I'm lonely, the phone will definitely ring.

All right, so I'm going to click. Now here's the deal: notice I clicked on the scroll. Let me come back over here and show you. There's a scroll here that you always need to pay attention to when you're creating your access control policies. My friends, always think about logging, logging, logging. How do I get events, right? You're not going to get them if you don't tell them to send you events. So the first thing I'm going to do is, I don't have to create any rules, I can just have this one here, this default action of block all traffic, and then log it. That'd be kind of fun, I guess. Now, we can't log at the end, because since we're blocking all traffic there is no end. All right, so we can send this to a Defense Center or syslog or an SNMP trap. I usually just send it to the Defense Center, but you have that option here.

Now I'll say OK, so I got the bottom one done, and I think that's what I want to do. This might be a little heavy for you in production, but you're going to play with the different policies that you want. If I do change this, check this out: if I do change this and say security over connectivity, notice it changes that variable, this dollar
sign that we saw yesterday, where we were changing HOME_NET, EXTERNAL_NET and so on, when we were in our objects, right? Because this is saying I've got an IPS policy here. I'm just going to leave this as block. And some people have set theirs to go, hey, if you get through my list, you get through my IPS policy, you get through my file policy, man, you're pretty tough, so we're going to trust all traffic. That's certainly an option here, right? So it's kind of like the permit ip any any on the access list, right? Anyways, I'm not a big fan of permit ip any any when it comes to Sourcefire.

All right, here we would choose our targets. I'm going to go ahead and choose them now, because I'm going to put this on both of them, so notice I pick both of them. Again, I can create this policy without putting anything at the targets at this time, but when I'm done I'm just going to say Save and Apply, and then we know what it's going to do.

OK, now we're going to go to a very important tab. Now of course everything's very important, but in this case here we certainly don't want to skip Security Intelligence. Does anyone remember from yesterday what Security Intelligence is? Maybe we can ask our host here, does he remember what Security Intelligence is?

Well, that's the information that we're pulling from Cisco, right? The data they populate and send to us as part of our subscription.

Which it is, but which data? So he's absolutely correct, he just hasn't quite finished defining it yet. It is objects that are updated, but what are the objects? Our whitelist and blacklist, our global whitelist and blacklist, right? So he was absolutely correct, but it was specific to our global whitelist and blacklist. So if we take a look at this here, we're saying here's my whitelist, here's my blacklist. Now, I can't add anything in here. What I can do, though, let me open another screen here. A lot of times, you guys, you can get off the screen relatively easy, so I'll say I want to go to Analysis, Connection
Events while I'm configuring this and find an IP address, because I want to add to my blacklist, whatever. So I'm going to say right-click, Open in New Tab is what that says, and you guys couldn't read that, because I know I couldn't and I'm standing right here; you guys are like forever away. So I'm going to open that in a new tab, and hopefully we saw that. Did it take? No, I guess it did not. It popped up in the tab right next to it, it didn't go all the way to the end. Oops, it's not going to let you go here, but yeah, OK, so I'll just go from here to Connection Events. It didn't quite do what I wanted, but it's fine.

All right, so in this case here I'm seeing my connection events, and I could take an IP address, and notice I see this guy. Now, I'm not going to do this, but notice I can blacklist this now. This would immediately go into that global blacklist. It'll be blacklisted forever, immediately. I don't have to update my access control policy; it's immediately updated. Now, if I say Global Whitelist, because I'm saying, hey, this guy's not bad, he's showing up in here, I'm tired of it showing up, I want to fix this, he's good, and I whitelist, I have to update my access control policy. Now if I go in there and say I made a mistake, I didn't mean to blacklist the finance server because I didn't get my check, I didn't mean to blacklist that guy, poor guy, and I need to put him in the whitelist, and I didn't have to update my access control, or if I'm taking him off the blacklist, then I have to update my access control policy. But this is how you add them into the global whitelist and blacklist: by coming to work on to explore and right-clicking. I can do it from multiple different screens, but you get it from your events, and that's how you add it. All right, that was kind of what I was trying to get to.

Just come back here. Where am I? Coming in here, we are in Security Intelligence. Now the first thing I want to do is I'm going to see some Cisco-authored, Sourcefire-authored objects, right? This is things; security
intelligence is updated every two hours, these objects are updated. I would use these. They're not on by default, so you have to choose them. So I'm going to come down here, and notice there's your Tor exit node, isn't it, that you mentioned yesterday, right? And I'm going to add these to blacklist. OK, so now they're in my blacklist, and these are objects, and when Cisco updates these every two hours I don't have to update my access control policy, but the blacklist is being updated constantly. I would do this every time. You've got nothing to lose by doing this. It's part of what you pay for; you might as well take advantage of it.

Absolutely, that's part of your subscription that you're paying every year, right?

All right, now down here, though, notice here's my objects that I made yesterday for my internal networks. Here's my corporate network, which includes all of this stuff, right? So I'm going to say, OK, this is the corporate network, and if you guys remember, I put all those other objects in this group, so I'm going to add this to the whitelist. Now why would I do that? Because if someone comes in here and does this, watch this: so I've got this, and someone adds it to the blacklist. Look what happens. You see that? Probably not, but nonetheless it's crossed out. So basically it's saying, yeah, I'm not blacklisting you, because you're in the whitelist. The whitelist only exists to override the blacklist in case someone screws up. Because if someone takes your internal network and goes like this, and takes RFC 1918 and adds that to your blacklist, now it's in my blacklist, it's going to be overridden here, because it's inside this group up here, right? But down here, you know, it's here and it's automatically taking effect, and someone actually put that in there, the sales server. So someone's going to the sales server and they accidentally right-clicked and put that, from the events, into my blacklist. All right, so I'm like, oh my gosh. So I don't want to put that
in there, so we're going to make sure and whitelist this stuff, right, and make sure that none of this, if it ends up in the blacklist, that we override that. OK, so first off, just choose these guys: take your internal networks, add them to your whitelist. That's the first thing I tell all my students to do when you start your access control policy.

OK, now, but wait, what was the one thing I told you when we started access control policies? I'm waiting. What do you think? What do we need to do every time we do something in access control policy? What do we have to do? Enable logging. This is no different here. So I'm going to come over here to the right; there's a scroll right here. So something's hit by the blacklist, don't you want to know about it? Or maybe you don't want to know about it, you just want it blocked and it's gone, right? But I like to see things, so I'm going to go ahead and log the connections on my blacklist.

Now the next one's kind of fun. So we do a lot of HTTP blocking. In other words, we don't want people to go to a certain place, whether it's Facebook or whatever. We say, hey, we don't want you to go out to this place, we know it's malware, we're going to put that in there, we're going to block it with HTTP. Well, if the user goes out there and it's got a block with reset, what are they going to get? They're going to get like a 404 or something like that. Not a very good user experience, and the problem with that is it makes people want to call you. And so I try to stop people from calling me as much as possible by letting them know, hey, we blocked this on purpose. You know, if you want more information you can call me, but you get an idea what I'm going to tell you. So the block response page says I can do a block, an HTTP block, and in this case here I can give them a message. I can do Sourcefire-provided or custom, and I can change it. Here it says, hey, you're attempting to access a forbidden site, consult your administrator for details. I like to add things like, please gather your
personal belongings and meet security at the front door. That one I like, that was fun, right? I likes criminal people, so you know, when they see something like that they're like, oh my god. So you can have fun like that, but, you know, on a serious note, in a serious enterprise, maybe your CEO, maybe your CFO or CTO might not think that's too funny. But I think it's funny, so I'm going to save that. All right, so right now if they go out to a site I didn't like, and it could have been anything that I choose at this point, they're going to get "grab your personal belongings and meet security at the front door". All right, so on a serious note, we can change that.

Now here's the other thing we can do. Let's say that a lot of people spend time in social media. Well, I think that's a duh at any company, that everyone's on YouTube and Facebook and Twitter all the time. So we can set up URL filtering. I'm going to show you how easy it is to do: we just go like that and boom, they're done, they can't do it. So they go out there, and what you want to do is, they say, hey, you know, I work for the union or whatever, and I demand my break and I demand social media, whatever, to give an extreme example. But we could sit there and say, OK, all right, all right, it's not company policy, but you know, breaks, you demand it, you get your breaks. So what I can do is say I'm going to let you go out there, but after ten minutes I'm going to block-reset the connection. Or I can change that to 15 and say you have 15-minute breaks. In other words, I can allow them to go. So basically what this says is, hey, you're going to go out there to, you know, it's not meeting our security policy, we're going to allow you to go out there, you click here, but we're watching you, right? And by default it's ten minutes, but we can change that and say, you know, after this certain period of time it's going to be reset. That means it's time to go back to work, right? This is an example of what you can do. Or in this case here we could just
sit there and say, hey, you're accessing a forbidden site, press here to go, and just don't even tell them, it's just reset after 10 minutes, depending on what you want to do.

So now, yeah, I've seen policies where they basically said, like, all right, well, from noon to 1:00, yeah, you can browse the internet. It's set to a time. But you mentioned breaks, and people take breaks at different times, so this would actually work out really well then.

Because now they can go to Twitter or Facebook and that's just reset, and then every time that's reset we get an alert. So if they did it a hundred times a day, we would know they were basically at Facebook or Twitter all day long still, but if they stayed within their ten minutes it would be OK, they left, and we wouldn't even know, and it's fine.

Excellent.

Yeah, and so these are your options, and the reason I'm showing you this is because if you don't do something like this and we are going to block HTTP, and HTTP is going to come up blocked, you are going to get a phone call, right? They say, hey, I can't get to the site, the internet, or you usually get the blanket one: the internet is down, right? That's the typical call you get. The internet is down, they can't get to the site. I'm like, oh, the internet's down, OK, great.

So we can all a hole in it, yeah, the whole internet is out, awesome, let's just take the rest of the day off.

I'll go reboot the internet.

Yeah, right. Now, what we're doing here is sort of like a URL filter, and I know that's one of the licensed features that we have, but this is technically not.

This is a response to a URL filter, OK? So we haven't done the URL filter yet. When I do the URL filter and I block something, what I'm setting up now is the response they're going to get, trying to call me, or that I'm going to allow them to. So again, we haven't gotten in, we haven't done anything yet. Again, now we're setting up what happens when they try to do that and I set the URL filter
for Facebook or whatever, right, and they go out there: what's the response they get? So I'm trying to say, I don't want you to call me, so I'm going to put this message out there for you. That's all right.

Now let's go through this next screen. When it says Advanced, that's what they mean. This is kind of advanced, but it's important we go through this. Now, you don't have to change anything here; I would probably make a couple changes. Let's take a look. First off, we have some general settings. Oops. Now, so, maximum URL characters to store, we'll leave that. Now the interactive block: remember that 10-minute setting I just showed you? Notice that's set for 10 minutes, 60 seconds, so I can change that to however long I want. Say, OK, they want to do it on the lunch hour, maybe I give them an hour, you know, whatever it is. Now SSL policies are for inspecting encrypted connections. At this point, with the ASAs, I can't even do this. I'm not going to change this, but with the appliances I can, and it's something you might want to think about at that time.

Now here's the next one that's kind of important to you: do I inspect traffic during policy apply? Now this is a hard question, my friend. It sounds easy, but it's really relatively rough on you, because what you're saying is, hey, I've got to apply my access control policy and I don't want anything to go through uninspected. Now, how long does it take to do your access control policy? You know, depending on the box, you know, if you have an appliance, not really that much of a concern, you're not even dropping that much traffic. You know, in this case here what it's saying is, look, I can't let it go through uninspected, so I'm going to drop traffic while I'm updating my access control policy. On this 5506 it could be ten minutes, you know, or something like that, that I'm dropping traffic. You know, so it depends on your device, but the answer is anywhere from a few seconds to a few minutes. But nonetheless you're dropping traffic, because what you're saying is I
can't let any traffic come through here uninspected. Now, maybe you don't work at a hospital, you don't have to worry about HIPAA, and maybe that's not that important to you and you want connectivity over security. Well, I'm going to come in here and change this then. I'll just click this pencil icon and change that. It says there, well, while I'm doing my access control policy, let things go through uninspected. I'm sure everything will be fine. You know, everyone in this world is actually good people, I really don't think anyone's truly trying to attack me, right? All that other stuff, right? Good luck with that one. All right, that's a decision you guys have to make, right? That's the hard one, right? You have to decide: do I let it go through uninspected, or do I make it wait? All right, that's a decision. By default it's saying don't, right? It's saying no, no, it has to be inspected, so I'm not going to let it go through, right? That's your default, just remember that.

All right, let's come down here to the next one. This has to do with my file policy. I mentioned this: while we're determining what type of file it is, we have to look at the first 1480 bytes, right? And, you know, that takes some time, you know, but not time like we think about time, like, great, we're going to lunch, yeah, we're going to take this kind of time. We're talking about milliseconds and so on, but, you know, we can get a lot of threats through in that period of time. So what we're saying is: intrusion policy used before access control rule is determined. So basically, you know, it could be a file policy where we determine that, or the rule list, which rule that we hit on, which rule is this triggered on, you know, does it get all the way to the end. While we're determining the access control policy, where this is applied, this file is applied, we're saying, well, we have an IPS rule. Now this is new with 5.4 and in 6.0, and it's basically saying, because the very first thing, you guys understand, I want to
give you guys, I want to back, let me backtrack for one second. When a file comes in, OK, before this was here, the first thing that hit was Security Intelligence, and if it was whitelisted, boom, then it went to the access control policy. If it didn't match in the blacklist, it went to the access control policy. If it hit the blacklist, boom, it was sent to the null bucket, period, right? So the first thing we hit was Security Intelligence. Once we hit Security Intelligence, then we went to our access control policy, and we went down line by line by line until we got to the end and hit our base policy, right down at the bottom. That's the way that it worked. But they said, well, wait a minute, while we're going down line by line determining how we're supposed to handle this file, maybe we can be looking, you know, at an IPS policy, and that's what this is, right? And we can determine the file type, you know, and so on, and all of this as well. While we're doing this, we're determining that, we're running this Snort rule.

Now be careful here, guys. Having all these on and putting this on, you might be adding a lot of overhead that happens even before you hit your access control policy, so you need to kind of think about this. Now, the network analysis policy we'll come back to, but these are the preprocessors that I've mentioned for the last two days. So it's a configuration of the preprocessors. We're definitely going to do that, we're going to go through and do it, but I need you to be careful with this. So I'm going to show you this, but we're not going to tell anybody else, because if they go out there and they screw these up, then it makes your network inefficient, and you might miss threats, and we're reading the data wrong, and so we don't really want to screw with preprocessors. So this is just going to be between me and you, and you're not going to share this with anyone, right? I'm going to keep this right here between all of us right here. We're all friends.

All right, so now we've got our basic file and malware settings,
and these didn't really change from the last version, but this was all new here, right? All right, now, so: limit the number of bytes inspected when doing file types, and it's 14... I've been saying 1480; it's 1460. Now remember I mentioned yesterday, when we're doing a file type detection, how much time do we have to send it in for analysis, get a file disposition, send it to the Defense Center, which then sends it to the managed device? How much time do we have to do this big loop? Two seconds, and that's set right here. Do you really want to do that for more than two seconds? Not really. At this point here, if it's more than two seconds, we just let the file go, right? And so that's something you need to consider.

Do not calculate SHA values for anything larger than 10 megs. So now we're sitting there saying, well, we're not going to look for malware for something larger, we're not going to send it to the malware cloud for something larger than 10 megs. Why? Well, I was looking at some malware today that was like 2 K. Yeah, I mean, maybe it was 3 K. It was really small. I was using that to do some attacks. I was like, let me use this little malware. I'm like, man, this is the smallest thing I've ever seen. You know, so I mean these things fit in apps, I mean, they're really, really small. We can get ransomware in a very small package, my friends. All right, now, so basically they're sitting there saying there's two things here: one, we don't see malware in large files like that, and two, it's going to take a long time for me to calculate something like that too.

All right: minimum file size to store in bytes, maximum file size to store in bytes. Remember, we're transferring packets. I want to store these files so I can do analysis, dynamic analysis, you know, send it up to the cloud for analysis later. Or the reason I would store it is so I can send it to my own sandbox, say, like, I trust mine more than theirs. I don't think that you should say that, because these guys are pretty smart, but you might want to just have your own sandbox. Minimum file size
for dynamic analysis and maximum for dynamic analysis, right? So we're not going to send more than 20 megs. All right, some of this other stuff over here I'm not going to go through right now. We're going to go through this when we hit the preprocessors and we're talking about the network analysis policy. All right, in this case here you can see there's preprocessors here. Adaptive profiles is something you'll probably want to set, and these performance settings we'll go through as well.

OK, so now that we've gone through this, you may want to screw with the general settings, under inspect traffic during apply, and network analysis and intrusion policies. While we're looking at our file and determining the file type and going into our access control policy, what happens before we hit Security Intelligence? That's what this is saying. All right, so you can determine that. You may leave these alone. I might just turn them off. So I can come in here and say, you know what, man, I've got so much data I'm trying to get through, this thing's just slowing me down, so I'm going to come down here and say intrusion policy, and I say no rules active. In other words, I'm saying just go straight to Security Intelligence. This might not be a bad thing, my friends; it depends on your network.

And if you do that, if you're just going through Security Intelligence, well, you're downloading that information from Cisco, so it's kind of like following their best practice, but if you have exceptions, yeah, it kind of takes that power away from you.

Yeah, it's the one thing that, when I saw this, I was like, OK, this seems like a little overkill, it's a lot of work, that's what my access control policy's for, I'm supposed to go through here. But remember, I can't say enough about how smart these people are. There is a reason that they did this, right? We're spending a lot of time going through the access control policy, and the key was, remember I told you yesterday, as we're determining the file type, if we have a file policy, what are we doing? We're
transferring that file, and if we don't get an answer by the time we get to the end, we're going to send that file. So this is why they set this up: while determining the file type, for example, let's go through the Snort rules. And that's what this is saying, and that's why they did this. OK, so again, you might not need that. You might not want to change the network analysis; you'll determine that when we get to the preprocessor settings.

All right, so this looks pretty good, but we really haven't done a lot yet. I keep saying that, we've been saying that for two days now, but we're getting to that point where we're actually going to do something right now. So now I'm going to come back here and create some rules. Now, I could leave this alone and just do Security Intelligence, log my thing, but basically I'm going through Security Intelligence, and if it's not blacklisted, which means it's going to be dropped, I'm just going to drop it anyways. That's what this rule says so far. I might be good with that, just because maybe all my users upset me. You know, a quiet network is a stable network, really. Look, no one's getting any data, they're not going to get any malware, I promise you that.

OK, so this first one, let's just make up some rules and go through some different options. The actions: allow, trust, monitor, block. So we can see this. I want to create an allow rule. We really should create some allow rules, especially based on my base policy here, but we're going to create an allow rule that says, OK, allow, I don't know, Bob in sales to get to the HR server, right, so we get HR information, that type of thing, with HTTP. So that's an allow rule. Now the trust rule is relatively interesting, because now what we're saying is, notice this arrow goes right to the right. When I use a trust rule, that says, hey, when you see this, go to the egress, right? You're done. You're not going through any more rules, or I'm going to hit the base policy; you're done,
you're going to the egress. All right, and we would use something, I'll give you an example when we do something like that. This monitor I use all the time, and notice the arrow: it says, hey, come down to this monitor, log it, and then just go down to the rest of the rules. Maybe you're permitted, maybe you're dropped after that, I don't really care, I'm just going to log that you were here. And I use this rule, and I'm going to show you how and why.

All right, then of course we can just do a block. I typically don't use this one. I usually use either block with reset or interactive block with reset. But the reason why is, if I'm blocking something and I just drop it, well, TCP doesn't know that; it's going to try to keep sending from that source host. The reason I'm sending a TCP reset back to the... I'm just sending a FIN flag, right? I'm basically saying, hey, we're done here, stop talking to me. They'd have to start again and try to do it again. If I just do a block, that's not going to happen; I'm just blocking the data. So you need to decide how to do that. An interactive block is basically that screen that says, hey, we're blocking you, but if you click to accept these cookies we're going to allow you to go, ten minutes by default, to that site, but we're logging you, right? And the interactive block with reset probably may be something you want to choose.

But OK, so I'm going to use all these. Let's go ahead and start with a block with reset. All right, so I'm going to say block HTTP to sales server, because I know I got that object, I created that one earlier. Now, when I create a rule and I find that it's annoying or something's wrong with it, I can disable it. I can come in here, and instead of just deleting the rule I can just disable that rule by clicking this. So come in here and say, hey, this is giving me a lot of noise, let me go out and fix those Snort rules and I'll come back and re-enable it. I don't really typically do this, but it's a possibility for you. Now
there's some different categories will see in some and in some different headings and we're going to come through these once I create this first rule now so notice that I could say zones now zones are my interfaces now I didn't really create these now if I was on an appliance I definitely have zones in here because it would basically I basically have physical interfaces in this case here they're the aasa' interfaces they're not really mine so I can create zones and air faces and say hey if you're coming from this interface to this interface I would see something like this if I was doing contacts in other words I had a large 5585 with multiple customers and then I would probably create some sort of zones to differentiate the interface between the customers and create different policies right great alright but now notice my networks here it's already giving me an error here because it's say my fire site license is not not enabled I see this every once a while but it's not necessarily a bad thing so in this case here I'm going to click the network and I'm going to say block HTTP sales server here's my sales server so I'm going to say look if my destination is sales or right now this I'm just explaining to you now you're seeing why we created those objects aren't you because if not I'd have to come over here and I can just put in the IP address here of the sale server but what fun is that when I can put an object in but wait there's more ok let's say that you didn't oh shoot I meant to create the sales new server with the six cores and 64 gigs of RAM and I forgot to put that guy and so look I'm just going to click that guy here and what's it doing I'm create my object from here and this is the same thing I told you when you're out in objects it's not all that important there's some stuff we can do on here but every but most of those I can create within the access control policy and this wasn't in hexing yeah this was an any exception sales server part to it to me the 
most useful thing an object like this is what's say in the future the IP addresses the sales server changes all wait to do is go and change the object and all these rules they they pick up the change based on the object's name to change in one place it takes pecked everywhere yeah in that and again that's why we use these Auto so I'm going to take both these objects here because I have that new I was looking at that new Mac I got to change something here that hing Mac cool it had six cores and 64 gigs or an a.m. and and I was like oh I got to get this click and exit it was ninety eight hundred bucks I'm like oh no so I need a new car first anyways anyway so but this company here could afford that and that's that other servers that's right so they have this six core 64 gigs of ram and so on anyways so my destination are these sales servers right and that's why we create the objects because it really a leti what I could have done is gone in edited this sales server and just added another IP address in there and I could rename the sales servers and then I would have said ok I know it's all the sale servers right but either way ok now at this case here though I want to say I I can click users here but notice we're not going to see anything here and I'm going to explain why when we get to network discovery and basically I want to say you know if you're coming from sales go into the sales server right you're permitted or something like that but we're blocking HTTP to sales server in this case because I knew I had no users here but I'm going to show you how to get the users from your ad into here that's our next section or so stick around alright now I could do a couple things I can come here to applications and remember this screen might look familiar this was in objects as well we had applications there but I can i that's what I told I said well we'll just hold off on this we can create them here so I could do something like you know it should be or Facebook or whatever 
else I want in here in this case here we're blocking HTTP so I'm going to say on one HTTP HTTP - OH add to rule in HTTP all right so now I've got these applications whatever I choose here and I'm and I'm saying okay if it's destination is sale servers and they're using HTTP right we're going to block with reset and but wait what is it that I always told you to do when you do an access control policy rule or are thinking about access control policy logging logging that's our answer next time when I ask you lucky whatever we're doing sup with access control policies logging logging logging logging right that's our always our number one concern okay because I'm blocking off this and if I don't tell it to log it I'm blocking it it's doing its job but we just don't see that and do - with you if I'm blocking something going to a server someone's trying to get something to there and I don't want to do it I really think I should know about it alright that would hold true even if we weren't blocking right because you'd still want to see the the detection piece right so if you weren't logging you really wouldn't have any idea what was going on if I don't come in here and do some sort of logging I see nothing right right so the fact is this I want to see connection I want to see a bents right so it this is going to allow me to do that so so speaking of that so now I'm going to add this and I'm blocking anyone do an HTTP because my source was ME right so source is any going to the sales servers and they're doing some sort of HTTP whatever I chose here block with reset and log it okay that sounds great notice it's understanding rules now there's administrator rules Tanner Rose wrote rules is not really much difference between there's however like an access control list it goes from top to bottom so I said here and said well I want something to administrator rules and that's fine and the reason you would do that is just so you can read it administratively and understand these 
rules I thought were kind of important so they're always going to be at the top but I can leave everything in standard rules and move them around to how I want him and that's what I'm going to do here all right so Todd that's a pretty good rundown of getting the access control policy created putting some basic rules in there I know you want to show us some advanced stuff but we're kind of out of time on this episode so why don't we break this into a two parter and the viewers can tune back in for part two or we'll dive into some of the advanced features because it there's a lot more power hidden in there right I just scratching the surface alright so definitely stay tuned for that but for now signing out for IT Pro TVs I'm Dom pizzette todd lammle and we will see you in part 2
Info
Channel: Todd Lammle
Views: 82,212
Keywords: cisco, firepower, sourcefire, itpro.tv
Id: kCZQrAYdrFo
Length: 33min 4sec (1984 seconds)
Published: Sun Jan 03 2016