Create or Edit an FDM-Managed Access Control Policy

Use this procedure to edit an FDM-managed access control policy using Cisco Defense Orchestrator:

Procedure


Step 1

In the navigation pane, click Inventory.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab and select the device whose access control policy you want to edit.

Step 4

In the Management pane at the right, select Policy.

Step 5

Do any of the following:

  • To create a new rule, click the blue plus button.

  • To edit an existing rule, select the rule and click the edit icon in the Actions pane. (Simple edits may also be performed inline without entering edit mode.)

  • To delete a rule you no longer need, select the rule and click the remove icon in the Actions pane.

  • To move a rule within the policy, select the rule in the access control table and click the up or down arrow at the end of the rule row to move the rule.

When editing or adding a rule, continue with the remaining steps in this procedure.

Step 6

In the Order field, select the position for the rule within the policy. Network traffic is evaluated against the list of rules in numerical order, 1 to "last."

Rules are applied on a first-match basis, so you must ensure that rules with highly specific traffic matching criteria appear above rules that have more general criteria that would otherwise apply to the matching traffic.

The default is to add the rule to the end of the list. If you want to change a rule's location later, edit this option.
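The first-match behaviour described above is easy to get wrong when a narrow Block rule is added below a broad Allow rule: the Block rule can never be the first match, so it never takes effect. The following Python model is an added example, not CDO or FDM code, and it makes no claim about how the device implements matching. It models a rule's Source/Destination networks and destination ports (an empty list standing for "Any"), evaluates a flow in Order from 1 to last, falls back to the policy's Default Action (step 14 of this procedure) when nothing matches, and flags rules whose criteria are entirely covered by an earlier rule. Rule names, actions and the constructed rules, subnets and flows are illustrative only.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Step 7 name constraint: alphanumerics, spaces, and the characters + . _ -
RULE_NAME_RE = re.compile(r"[A-Za-z0-9 +._-]+")

# Step 8 actions; only ALLOW goes on to intrusion and file inspection.
ACTIONS = ("TRUST", "ALLOW", "BLOCK")


def valid_rule_name(name: str) -> bool:
    """True if the name uses only the characters the Step 7 text permits."""
    return RULE_NAME_RE.fullmatch(name) is not None


def _addr_in(addr: str, nets: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return not nets or any(ip in ipaddress.ip_network(n) for n in nets)


def _covers_nets(earlier: List[str], later: List[str]) -> bool:
    """True if every network of the later rule lies inside the earlier rule's networks."""
    if not earlier:          # earlier rule says "Any": it covers everything
        return True
    if not later:            # later rule says "Any" but the earlier one is narrower
        return False
    enets = [ipaddress.ip_network(e) for e in earlier]
    return all(any(ipaddress.ip_network(lat).subnet_of(e) for e in enets) for lat in later)


def _covers_ports(earlier: List[int], later: List[int]) -> bool:
    if not earlier:
        return True
    if not later:
        return False
    return set(later) <= set(earlier)


@dataclass
class Rule:
    name: str
    action: str
    src_nets: List[str]    # CIDR strings; an empty list means "Any"
    dst_nets: List[str]    # CIDR strings; an empty list means "Any"
    dst_ports: List[int]   # an empty list means "Any"

    def __post_init__(self) -> None:
        if not valid_rule_name(self.name):
            raise ValueError(f"invalid rule name: {self.name!r}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action: {self.action}")

    def matches(self, src: str, dst: str, dport: int) -> bool:
        """Match one flow against this rule's Source/Destination criteria."""
        return (_addr_in(src, self.src_nets)
                and _addr_in(dst, self.dst_nets)
                and (not self.dst_ports or dport in self.dst_ports))


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str = "BLOCK"   # applied when no rule matches (step 14)

    def evaluate(self, src: str, dst: str, dport: int) -> Tuple[str, Optional[int], str]:
        """First-match evaluation in Order, 1 to last; returns (action, position, rule name)."""
        for position, rule in enumerate(self.rules, start=1):
            if rule.matches(src, dst, dport):
                return rule.action, position, rule.name
        return self.default_action, None, "Default Action"

    def shadowed_rules(self) -> List[str]:
        """Names of rules fully covered by an earlier rule; they can never be the first match."""
        shadowed = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if (_covers_nets(earlier.src_nets, later.src_nets)
                        and _covers_nets(earlier.dst_nets, later.dst_nets)
                        and _covers_ports(earlier.dst_ports, later.dst_ports)):
                    shadowed.append(later.name)
                    break
        return shadowed


# Constructed sample rules (not from any real policy): a broad web-allow rule and a
# narrower block for one internal subnet. Addresses are private/documentation ranges.
ALLOW_WEB = Rule("Allow web", "ALLOW", [], [], [80, 443])
BLOCK_LAB_WEB = Rule("Block lab-web", "BLOCK", ["10.1.1.0/24"], [], [80, 443])

MISORDERED = Policy([ALLOW_WEB, BLOCK_LAB_WEB])   # specific rule placed below the general one
CORRECTED = Policy([BLOCK_LAB_WEB, ALLOW_WEB])    # specific rule first, as the text advises

if __name__ == "__main__":
    flow = ("10.1.1.25", "198.51.100.10", 443)
    print("misordered:", MISORDERED.evaluate(*flow), "shadowed:", MISORDERED.shadowed_rules())
    print("corrected: ", CORRECTED.evaluate(*flow), "shadowed:", CORRECTED.shadowed_rules())
    print("no match:  ", CORRECTED.evaluate("10.1.1.25", "198.51.100.10", 22))
```

Running the script shows the misordered policy allowing the lab host's HTTPS flow through rule 1 and reporting "Block lab-web" as shadowed, while the corrected policy blocks the same flow at position 1; a flow on port 22 matches neither rule and falls to the Default Action. The shadowing check is deliberately conservative: it only reports a rule when every one of its criteria is contained in a single earlier rule, so a rule that is partly eclipsed by several earlier rules is not reported and still has to be reviewed by hand.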

Step 7

Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -

Step 8

Select the action to apply if the network traffic is matched by the rule:

  • Trust—Allow traffic without further inspection of any kind.

  • Allow—Allow the traffic subject to the intrusion and other inspection settings in the policy.

  • Block—Drop the traffic unconditionally. The traffic is not inspected.

Step 9

Define the traffic matching criteria by using any combination of attributes in the following tabs:

  • Source—Click the Source tab and add or remove security zones (interfaces), networks (which include networks, continents, and custom geolocations), or ports from which the network traffic originated. The default value is "Any."

  • Destination—Click the Destination tab and add or remove the security zones (interfaces), networks (which include networks, continents and custom geolocations), or ports on which the traffic arrives. The default value is "Any." See Source and Destination Criteria in an FDM Access Control Rule.

  • Applications—Click the Application tab and add or remove a web application, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application. See Application Criteria in an FDM Access Control Rule.

  • URLs—Click the URL tab and add or remove a URL or URL category of a web request. The default is any URL. See URL Conditions in an FDM Access Control Rule to learn how to fine-tune this condition using URL categories and reputation filters.

  • Users—Active Directory realm objects, special identities (failed authentication, guest, no authentication required, unknown), and user groups added to the rule from firewall device manager are visible in the rule row, but they are not yet editable in CDO.

    Caution

    Individual user-objects are not yet visible in an access control policy rule in CDO. Log in to an FDM-managed device to see how an individual user-object may affect an access control policy rule.

Step 10

(Optional, for rules with the Allow action) Click the Intrusion Policy tab to assign an intrusion inspection policy to inspect traffic for intrusions and exploits. See Intrusion Policy Settings in an FDM Access Control Rule.

  1. To log intrusion events generated by intrusion policy rules, see "Configure Logging Settings" for the device.

Step 11

(Optional, for rules with the Allow action) Click the File Policy tab to assign a file policy that inspects traffic for files that contain malware and for files that should be blocked. See File Policy Settings in an FDM Access Control Rule.

  1. To log file events generated by file policy rules, see "Configuring Logging Settings" for the device.

Step 12

(Optional) Click the Logging tab to enable logging and collect connection events reported by the access control rule.

See Logging Settings in an FDM Access Control Rule for more information on logging settings.

If you subscribe to Cisco Security Analytics and Logging, you can configure connection events in CDO and send them to the Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port. See Cisco Security Analytics and Logging for more information about this feature. You would create one syslog object for every SEC that you have onboarded to your tenant, but you would send the events generated by one rule to only one syslog object, representing one SEC.

Step 13

Click Save. You are now done configuring a specific rule in the security policy.

Step 14

You can now configure the Default Action for the security policy as a whole. The Default Action defines what happens if network traffic does not match any of the rules in the access control policy, intrusion policy, or file/malware policy.

Step 15

Click the Default Action for the policy.

Step 16

Configure an intrusion policy as you did in step 9, above.

Step 17

Configure logging connection events generated by the Default Action.

If you subscribe to Cisco Security Analytics and Logging, you can send events generated by the default action to a Secure Event Connector (SEC) by configuring a syslog object with the SEC's IP address and port. See Cisco Security Analytics and Logging for more information about this feature. You would create one syslog object for every SEC that you have onboarded to your tenant, but you would send the events generated by a rule to only one syslog object, representing one SEC.

Step 18

(Optional) For any rule that you created, you can select it and add a comment about it in the Add Comments field. To learn more about rule comments, see Adding Comments to Rules in FTD Policies and Rulesets.

Step 19

Review and deploy the changes you made now, or wait and deploy multiple changes at once.