Access Control Rules Applications
The following topics describe how to control application traffic on your network:
Application Control
When the Firepower System analyzes IP traffic, it can identify and classify the commonly used applications
on your network. The system uses this discovery-based application awareness feature to allow you to control
application traffic on your network.
Application filters allow you to quickly create application conditions for access control rules. They simplify
policy creation and administration, and grant you assurance that the system will control web traffic as expected.
For example, you could create an access control rule that identifies and blocks all high risk, low business
relevance applications. If a user attempts to use one of those applications, the session is blocked.
In addition, Cisco frequently updates and adds additional detectors via system and vulnerability database
(VDB) updates. You can also create your own detectors and assign characteristics (risk, relevance, and so on)
to the applications they detect. By using filters based on application characteristics, you can ensure that the
system uses the most up-to-date detectors to monitor application traffic.
You can combine application conditions with each other and with other types of conditions to create an access
control rule. These access control rules can be simple or complex, matching and inspecting traffic using
multiple conditions.
Note Hardware-based fast-path rules, Security Intelligence-based traffic filtering, SSL inspection, user
identification, and some decoding and preprocessing occur before access control rules evaluate network
traffic.
In the web interface, filters added to a condition are listed above and separately from individually added
applications.
When you deploy an access control policy, for each rule with an application condition, the system generates
a list of unique applications to match. In other words, you can use overlapping filters and individually specified
applications to ensure complete coverage.
Note For encrypted traffic, the system can identify and filter traffic using only the applications tagged SSL
Protocol. Applications without this tag can only be detected in unencrypted or decrypted traffic. Also,
the system assigns the decrypted traffic tag to applications that the system can detect in decrypted traffic
only—not encrypted or unencrypted.
Note that the mechanism for filtering applications within an access control rule is the same as that for creating
reusable, custom application filters using the object manager. You can also save many filters you create
on-the-fly in access control rules as new, reusable filters. You cannot save a filter that includes another
user-created filter because you cannot nest user-created filters.
Once the Available Applications list is constrained by one or more filters, an All apps matching the filter option appears at the top of the list.
Note If you select one or more filters in the Application Filters list and also search the Available Applications
list, your selections and the search-filtered Available Applications list are combined using an AND
operation. That is, the All apps matching the filter condition includes all the individual conditions
currently displayed in the Available Applications list as well as the search string entered above the
Available Applications list.
You can add multiple instances of All apps matching the filter to an application condition, with each instance
counting as a separate item in the Selected Applications and Filters list. For example, you could add all high
risk applications as one item, clear your selections, then add all low business relevance applications as another
item. This application condition matches applications that are high risk OR have low business relevance.
Procedure
Step 1 In the access control rule editor, click the Applications tab.
Step 2 If you want to constrain the list of applications displayed in the Available Applications list, select one or
more filters in the Application Filters list.
Step 3 Find and select the applications you want to add from the Available Applications list. You can search for
and select individual applications, or, when the list is constrained, All apps matching the filter.
Step 4 Click Add to Rule. You can also drag and drop selected applications and filters. Filters appear under the
heading Filters, and applications appear under the heading Applications.
Tip Click Clear All Filters to clear your existing selections.
Step 5 If you want to save a custom filter comprised of all the individual applications and filters currently in the
Selected Applications and Filters list, you must click the add icon ( ) above the list. Use the object manager
to manage this on-the-fly-created filter.
Note You cannot save a filter that includes another user-created filter; you cannot nest user-created filters.
Example
The following graphic shows the application condition for an access control rule that blocks: a custom group
of applications for MyCompany, all applications with high risk and low business relevance, gaming applications,
and some individually selected applications.
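The following is an added example, not part of the Cisco documentation, that models how the system expands an application condition at deploy time: every characteristic within one filter must hold (AND), the search string further narrows that filter (AND), each All apps matching the filter item is ORed with the other items and with individually selected applications, and the result is deduplicated into the unique application list described earlier. It also shows the encrypted-traffic caveat, where only applications tagged SSL Protocol can be identified. The catalogue of applications, their characteristics, and the rule contents are constructed, hypothetical sample data, not entries from the VDB; the example condition mirrors the one described above (high risk and low business relevance, gaming, plus an individually selected application).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class App:
    """One detected application and the characteristics a filter can use."""
    name: str
    risk: str          # e.g. "low", "medium", "high", "very high"
    relevance: str     # business relevance, same scale
    category: str
    tags: FrozenSet[str]


# Constructed sample catalogue (hypothetical names and characteristics,
# not the Firepower VDB).
CATALOG: List[App] = [
    App("AlphaChat",  "high",      "low",      "collaboration", frozenset({"SSL Protocol"})),
    App("BetaGame",   "high",      "low",      "gaming",        frozenset()),
    App("GammaGame",  "medium",    "medium",   "gaming",        frozenset({"SSL Protocol"})),
    App("DeltaCRM",   "low",       "high",     "business",      frozenset({"SSL Protocol"})),
    App("EpsilonP2P", "very high", "very low", "file sharing",  frozenset()),
    App("ZetaMail",   "medium",    "high",     "email",         frozenset({"SSL Protocol"})),
]

# A filter item is (constraints, search string). constraints maps a
# characteristic name to the set of accepted values.
FilterItem = Tuple[Dict[str, Set[str]], str]


def matches_filter(app: App, constraints: Dict[str, Set[str]], search: str = "") -> bool:
    """All constraints must hold (AND), and the search string, if any,
    must appear in the application name (also AND, as the UI combines them)."""
    for characteristic, accepted in constraints.items():
        if getattr(app, characteristic) not in accepted:
            return False
    return search.lower() in app.name.lower()


def expand_condition(catalog: Iterable[App], filter_items: Iterable[FilterItem],
                     individual_apps: Iterable[str]) -> List[str]:
    """Each 'All apps matching the filter' item contributes every catalogue
    application that satisfies it. Items are ORed with each other and with the
    individually selected applications; overlaps collapse into one unique list,
    which is what the rule actually matches against after deployment."""
    selected: Set[str] = set(individual_apps)
    for constraints, search in filter_items:
        selected.update(a.name for a in catalog if matches_filter(a, constraints, search))
    return sorted(selected)


def identifiable_in_session(selected_names: Iterable[str], catalog: Iterable[App],
                            encrypted: bool) -> List[str]:
    """In an encrypted (not decrypted) session only applications tagged
    'SSL Protocol' can be identified; the rest need unencrypted or decrypted traffic."""
    by_name = {a.name: a for a in catalog}
    return sorted(n for n in selected_names
                  if not encrypted or "SSL Protocol" in by_name[n].tags)


# Condition from the example above: one filter for high risk AND low business
# relevance, a second filter for the gaming category, plus one individual app.
EXAMPLE_CONDITION: List[FilterItem] = [
    ({"risk": {"high", "very high"}, "relevance": {"low", "very low"}}, ""),
    ({"category": {"gaming"}}, ""),
]
EXAMPLE_INDIVIDUAL = ["DeltaCRM"]

if __name__ == "__main__":
    unique = expand_condition(CATALOG, EXAMPLE_CONDITION, EXAMPLE_INDIVIDUAL)
    print("rule matches:", unique)
    print("identifiable while encrypted:", identifiable_in_session(unique, CATALOG, True))
```

Two separate items for high risk and for low relevance give the OR semantics described earlier (high risk OR low relevance), whereas both characteristics inside a single item give AND; the test below checks both forms against the same catalogue.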
What to Do Next
• Deploy configuration changes; see Deploying Configuration Changes.
Application identification should occur within 3 to 5 packets, or after the server certificate exchange in the SSL
handshake if the traffic is encrypted. If one of these first packets matches all other conditions in an access
control rule containing an application condition but the identification is not complete, the access control policy
allows the packet to pass. This behavior allows the connection to be established so that applications can be
identified. For your convenience, affected rules are marked with an information icon ( ).
The allowed packets are inspected by the access control policy’s default intrusion policy (not the default action
intrusion policy nor the almost-matched rule’s intrusion policy).
After the system completes its identification, the system applies the access control rule action, as well as any
associated intrusion and file policy, to the remaining session traffic that matches its application condition.
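An added example, not from the Cisco documentation, that models the per-packet behavior just described for a single rule whose application condition is the only condition still undecided: while identification is pending, the packet passes and is inspected by the access control policy's default intrusion policy (not the default action's policy, nor the almost-matched rule's policy); once the application is identified, the rule's action and its intrusion policy apply to the rest of the session if the application matches, and otherwise the packet continues to later rules. The rule, policy names and the per-packet identification results are constructed, hypothetical values.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    applications: Set[str]           # the rule's application condition
    intrusion_policy: Optional[str]  # policy attached to an allow rule


@dataclass(frozen=True)
class Packet:
    seq: int
    identified_app: Optional[str]    # None until the detector has a verdict


@dataclass(frozen=True)
class AccessControlPolicy:
    default_intrusion_policy: str        # used for packets still awaiting identification
    default_action_intrusion_policy: str # used only when traffic falls to the default action


Decision = Tuple[int, str, Optional[str]]  # (packet seq, disposition, inspecting intrusion policy)


def evaluate_session(packets: List[Packet], rule: Rule,
                     policy: AccessControlPolicy) -> List[Decision]:
    """Assumes every packet already matches the rule's other conditions, so the
    application condition is the only thing left to decide."""
    decisions: List[Decision] = []
    app: Optional[str] = None
    for pkt in packets:
        # Identification is sticky: once the system has a verdict it applies to
        # the remaining session traffic.
        app = app or pkt.identified_app
        if app is None:
            # Not identified yet: let the packet through so the flow can be
            # established, inspected by the policy's default intrusion policy.
            decisions.append((pkt.seq, "pass", policy.default_intrusion_policy))
        elif app in rule.applications:
            if rule.action == "block":
                decisions.append((pkt.seq, "block", None))
            else:
                decisions.append((pkt.seq, "allow", rule.intrusion_policy))
        else:
            # Application does not match: the rule does not apply and evaluation
            # continues with later rules (or the default action).
            decisions.append((pkt.seq, "next-rule", None))
    return decisions


def packets_before_identification(decisions: List[Decision]) -> int:
    """How many packets passed while identification was still pending; a
    useful figure when checking the expected 3-to-5-packet window."""
    return sum(1 for _, disposition, _ in decisions if disposition == "pass")


# Constructed sample session: the detector reaches a verdict on packet 3.
SAMPLE_PACKETS = [Packet(1, None), Packet(2, None), Packet(3, "AlphaChat"), Packet(4, None)]
SAMPLE_POLICY = AccessControlPolicy("policy-default-ips", "default-action-ips")
BLOCK_RULE = Rule("Block risky chat", "block", {"AlphaChat"}, None)
ALLOW_RULE = Rule("Allow CRM", "allow", {"DeltaCRM"}, "rule-ips")

if __name__ == "__main__":
    for decision in evaluate_session(SAMPLE_PACKETS, BLOCK_RULE, SAMPLE_POLICY):
        print(decision)
```

The sticky verdict in `evaluate_session` is what makes packet 4 still count as identified even though the constructed packet carries no verdict of its own; it is a modelling choice for the example, reflecting that the rule action applies to the remaining session traffic once identification completes.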