Introduction to Access Control Policy on FTD

Video Statistics and Information

Captions
Hello, welcome to the Firepower Threat Defense training video series. I'm Nanda. In this video we are going to look at the access control policy. The access control policy is the prime pillar of Firepower: when you deploy it either as an NGIPS or an NGFW, you need to have an access control policy on the device, which inspects the traffic and takes policy decisions based on your configuration. This access control policy has various components; in this video series we are going to look at each of these components, look at how these components are going to impact your policy, and how you define the policy on each of these components.

Here is the abstract version of the access control policy which you see in Firepower Management Center. We have various components, right from pre-filter policy, Security Intelligence, DNS, SSL policy, identity and user-defined access rules, and at last we have a default action, which is set for the access control policy. When traffic comes, it passes through the pre-filter policy, Security Intelligence, DNS policy, SSL and identity before passing through the user-defined access rules. In the upcoming slides and coming videos I'm going to talk about each of the components, such as pre-filter policy, Security Intelligence and DNS, but in this video we look at a high level at how it works.

Here rule one, rule two, up to rule three are the ones defined by the user as access rules, with various parameters right from network IP address, zones, TCP, user identity, application, URL filtering and file inspection; all these things are defined on access rules. Whereas on the pre-filter policy you can have multiple pre-filter rules, which are defined in the pre-filter policy, which has its own unique name, which is referred to from the access control policy. Similarly on DNS you can have multiple DNS rules or policies, which will have their own unique name, which will be cross-referred in the access control policy. Similarly for SSL decryption and identity.

Let's go and cross-refer this on Firepower Management Center and see in what place you can find the access control policy: under Policies, Access Control. You can have multiple access control policies, but only one access control policy can be attached or targeted to a device. So once you go into the access control policy you can find the pre-filter policy here, and then the SSL policy and identity policy, which is what you saw: pre-filter policy, Security Intelligence, DNS, SSL and identity, which you can see here. Security Intelligence is here, DNS policies are here, and then pre-filter, SSL and identity. So each of these, except Security Intelligence, that is pre-filter, SSL, identity and DNS, will pick up policies from here. So for example you can go to a pre-filter policy and have various different pre-filter policies, but each pre-filter policy will have its own pre-filter rules; for example this "test" can have multiple pre-filter rules. These pre-filter policies are referred to as "test - pre-filter rules" that can be associated to the access control policy. Coming back to the access control policy, you can cross-associate it here: whatever pre-filter rules you have will be listed here, and you can pick which best suits this access control policy. Similarly on SSL you can click SSL policy, and whatever policy you had defined under SSL rules will be displayed here, and you can pick the one you had defined for this access control policy. Similarly for the identity policy, and the same thing applies for the DNS policy: whatever DNS policy you define under DNS policy will be listed here, and you can pick the one which suits this policy. Security Intelligence does not have anything of its own, so each access control policy will have a standard rule which is the same across all the access control policies within this FMC; you can fine-tune it in the access control policy.

So apart from the pre-filter, Security Intelligence, DNS, SSL and identity, you have user-defined rules that you can see here, which you can create by clicking Add, and you have various parameters right from zone, network, VLAN, user (that is identity) and application. Based on these you can identify your traffic and then have an action; the action can be either allow, trust, monitor, block or block with reset. Apart from that you can enable inspection on top of the allowed traffic; those inspections can be your identity policy, intrusion policy, file policy and variable sets. And if a packet passes through Security Intelligence, pre-filter, SSL and identity and does not match any of the user-defined access rules, it will at last get matched under the default action, and then whatever you had defined here will get matched. In this example the default action is block all traffic, which means that if a packet does not match any of these user-defined rules it gets dropped. You can set any other policy, like trust all the traffic, which means that if it does not match any of these, the traffic would continue to flow out on the egress interface considering that it is trusted, or simply use it for network discovery only, or subject the traffic to intrusion prevention using an intrusion policy (IPS policies). With this we have come to the end of this video. In the next video we'll look at each of the components, such as pre-filter policy and Security Intelligence. Thank you, see you soon in the next video.
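As an added illustration of the evaluation order described in the video (not code from the video or from Cisco), the following Python model walks a packet through pre-filter, Security Intelligence, the user-defined rules and the default action. The DNS, SSL and identity stages are assumed to pass traffic through, the rule fields are a simplified subset, and all addresses, zones and rule names are constructed sample values.

```python
# Toy model of the evaluation order explained in the video (added illustration, not
# Cisco code): pre-filter -> Security Intelligence -> DNS -> SSL -> identity ->
# user rules -> default action. DNS/SSL/identity are assumed to pass traffic through.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int

@dataclass
class Rule:
    name: str
    action: str                     # allow | trust | monitor | block | block_reset
    src_zone: Optional[str] = None  # None means "any"
    dst_zone: Optional[str] = None
    dst_port: Optional[int] = None
    inspect: tuple = ()             # e.g. ("intrusion", "file"); applied only on allow

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, attr) for attr, want in
                   (("src_zone", self.src_zone), ("dst_zone", self.dst_zone),
                    ("dst_port", self.dst_port)))

@dataclass
class AccessControlPolicy:
    rules: list
    default_action: str = "block"                     # "block all traffic"
    fastpath_ports: set = field(default_factory=set)  # pre-filter fastpath rules
    si_block_ips: set = field(default_factory=set)    # Security Intelligence list

    def evaluate(self, p: Packet):
        # Returns (action, what matched, inspections applied to allowed traffic).
        if p.dst_port in self.fastpath_ports:         # pre-filter runs first
            return ("fastpath", "prefilter", [])
        if p.src_ip in self.si_block_ips:             # SI blocks before any rule
            return ("block", "security-intelligence", [])
        for r in self.rules:                          # first match wins, top down
            if r.matches(p) and r.action != "monitor":  # monitor only logs, continues
                return (r.action, r.name, list(r.inspect) if r.action == "allow" else [])
        return (self.default_action, "default-action", [])  # nothing matched

def sample_policy() -> AccessControlPolicy:
    # Constructed sample; the SI entry is from the documentation range 203.0.113.0/24.
    return AccessControlPolicy(
        rules=[Rule("allow-web", "allow", "inside", "outside", 443, ("intrusion", "file")),
               Rule("trust-backup", "trust", "dmz", None, 22)],
        fastpath_ports={5060}, si_block_ips={"203.0.113.9"})
```

A packet that reaches the end of the rule list takes the policy's default action, so with `default_action="block"` unmatched traffic is dropped exactly as the video describes.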
Info
Channel: Securing Networks with Cisco Firepower Threat Defense
Views: 7,220
Keywords: Firepower Management Center, FMC, FTD, Firepower Threat Defense, understanding Access Control Policy on FTD, SI policy, DNS policy, Access rules, Identity policy, PreFilter, NGIPS, NGFW, Cisco FTD, how to configure Access Control policy on FTD, how to configure Access Control policy on FMC, how to configure Access Control policy on Firepower Management Center.
Id: BF84kutnVGc
Length: 7min 55sec (475 seconds)
Published: Fri Dec 08 2017