Configure the FDM Access Control Policy
FDM-managed devices have a single policy. A section of that policy has access control rules. For ease of discussion, we refer to the section of the policy that has access control rules as the access control policy. After onboarding the FDM-managed device, you add rules to, or edit rules in, the access control policy.
If you are onboarding a new FDM-managed device, it may be that there are no rules in the policy that was imported. In that case, when you open the FDM Policy page, you will see the message, "No results found." If you see that message, you can start adding rules to the FDM-Managed Device Policy and then deploy them to the device from CDO.
Tips Before you Begin
When adding conditions to access control rules, consider the following tips:
- You can create custom objects for some of the conditions at the time you add them to the rule. Look in the dialog boxes for a link to create custom objects.
- You can configure multiple conditions per rule. Traffic must match all the conditions in the rule for the rule to apply to traffic. For example, you can use a single rule to perform URL filtering for specific hosts or networks.
- For each condition in a rule, you can add up to 50 criteria. Traffic that matches any of a condition's criteria satisfies the condition. For example, you can use a single rule to apply application control for up to 50 applications or application filters. Thus, there is an OR relationship among the items in a single condition, but an AND relationship between condition types (for example, between source/destination and application).
- Some features require that you have enabled the appropriate Firepower licenses.
- Some editing tasks may not require you to enter the edit mode. From the policy page, you can modify a condition in the rule by clicking the + button within that condition column and selecting the desired object or element in the popup dialog box. You can also click the x on an object or element to remove it from the rule.