Access Control Rules: Applications

Firepower Management Center Configuration Guide, Version 6.0

The following topics describe how to control application traffic on your network:

• Application Control
• Application Control Notes
• Application Filters and Matching Traffic
• Individual Application Detection in Traffic
• Adding an Application Condition to an Access Control Rule
• Limitations to Application Control

Application Control
When the Firepower System analyzes IP traffic, it can identify and classify the commonly used applications
on your network. The system uses this discovery-based application awareness feature to allow you to control
application traffic on your network.

Understanding Application Control

Application conditions in access control rules allow you to perform this application control. Within a single
access control rule, there are a few ways you can specify applications whose traffic you want to control:
• You can select individual applications, including custom applications.
• You can use system-provided application filters, which are named sets of applications organized according
to the applications’ basic characteristics: type, risk, business relevance, categories, and tags.
• You can create and use custom application filters, which group applications (including custom
applications) in any way you choose.

Application filters allow you to quickly create application conditions for access control rules. They simplify
policy creation and administration, and grant you assurance that the system will control web traffic as expected.
For example, you could create an access control rule that identifies and blocks all high risk, low business
relevance applications. If a user attempts to use one of those applications, the session is blocked.
In addition, Cisco frequently updates existing detectors and adds new ones via system and vulnerability database
(VDB) updates. You can also create your own detectors and assign characteristics (risk, relevance, and so on)
to the applications they detect. By using filters based on application characteristics, you can ensure that the
system uses the most up-to-date detectors to monitor application traffic.
You can combine application conditions with each other and with other types of conditions to create an access
control rule. These access control rules can be simple or complex, matching and inspecting traffic using
multiple conditions.

Note Hardware-based fast-path rules, Security Intelligence-based traffic filtering, SSL inspection, user
identification, and some decoding and preprocessing occur before access control rules evaluate network
traffic.

Application Control Notes

For traffic to match an access control rule with an application condition, the traffic must match one of the
filters or applications that you add to a Selected Applications and Filters list.
In a single application condition, you can add a maximum of 50 items to the Selected Applications and
Filters list. Each of the following counts as an item:
• One or more filters from the Application Filters list, individually or in custom combination. This item
represents a set of applications, grouped by characteristic.
• A filter created by saving an application search in the Available Applications list. This item represents
a set of applications, grouped by substring match.
• An individual application from the Available Applications list.

In the web interface, filters added to a condition are listed above and separately from individually added
applications.
When you deploy an access control policy, for each rule with an application condition, the system generates
a list of unique applications to match. In other words, you can use overlapping filters and individually specified
applications to ensure complete coverage.

Note For encrypted traffic, the system can identify and filter traffic using only the applications tagged SSL
Protocol. Applications without this tag can only be detected in unencrypted or decrypted traffic. Also,
the system assigns the decrypted traffic tag to applications that the system can detect in decrypted traffic
only—not encrypted or unencrypted.

Application Filters and Matching Traffic

When building an application condition in an access control rule, use the Application Filters list to create a
set of applications, grouped by characteristic, whose traffic you want to match.
For your convenience, the system characterizes each application that it detects by criteria such as type, risk,
and business relevance; you can use these criteria as filters or create custom combinations of filters to perform
application control.

Note that the mechanism for filtering applications within an access control rule is the same as that for creating
reusable, custom application filters using the object manager. You can also save many filters you create
on-the-fly in access control rules as new, reusable filters. You cannot save a filter that includes another
user-created filter because you cannot nest user-created filters.

Understanding How Filters Are Combined

When you select filters, singly or in combination, the Available Applications list updates to display only the
applications that meet your criteria. You can select system-provided filters in combination, but not custom
filters.
The system links multiple filters of the same filter type with an OR operation. For example, if you select the
Medium and High filters under the Risks type, the resulting filter is:

Risk: Medium OR High


If the Medium filter contains 110 applications and the High filter contains 82 applications, the system displays
all 192 applications in the Available Applications list.
The system links different types of filters with an AND operation. For example, if you select the Medium and
High filters under the Risks type, and the Medium and High filters under the Business Relevance type, the
resulting filter is:

Risk: Medium OR High
AND
Business Relevance: Medium OR High

In this case, the system displays only those applications that are included in both the Medium or High Risk
type AND the Medium or High Business Relevance type.

Finding and Selecting Filters

To select filters, click the arrow next to a filter type to expand it, then select or clear the check box next to
each filter whose applications you want to display or hide. You can also right-click a system-provided filter
type (Risks, Business Relevance, Types, Categories, or Tags) and select Check All or Uncheck All.
To search for filters, click the Search by name prompt above the Available Filters list, then type a name.
The list updates as you type to display matching filters.
After you are done selecting filters, use the Available Applications list to add those filters to the rule.

Individual Application Detection in Traffic

For traffic to match an access control rule with an application condition, the traffic must match one of the
filters or applications that you add to a Selected Applications and Filters list.

Browsing the List of Applications

When you first start to build the condition the list is unconstrained, and displays every application the system
detects, 100 at a time:
• To page through the applications, click the arrows underneath the list.
• To display a pop-up window with summary information about the application’s characteristics, as well
as Internet search links that you can follow, click the information icon next to an application.

Finding Applications to Match

To help you find the applications you want to match, you can constrain the Available Applications list in
the following ways:
• To search for applications, click the Search by name prompt above the list, then type a name. The list
updates as you type to display matching applications.
• To constrain the applications by applying a filter, use the Application Filters list. The Available
Applications list updates as you apply filters. For your convenience, the system uses an unlock icon
to mark applications that the system can identify only in decrypted traffic—not encrypted or
unencrypted.

Once constrained, an All apps matching the filter option appears at the top of the Available Applications
list.

Note If you select one or more filters in the Application Filters list and also search the Available Applications
list, your selections and the search-filtered Available Applications list are combined using an AND
operation. That is, the All apps matching the filter condition includes all the individual conditions
currently displayed in the Available Applications list as well as the search string entered above the
Available Applications list.

Selecting Single Applications to Match in a Condition

After you find an application you want to match, click to select it. Right-click and select Select All to select
all applications in the current constrained view.
In a single application condition, you can match a maximum of 50 applications by selecting them individually,
and filters added to a condition are listed above and separately from individually added applications. To add
more than 50 you must either create multiple access control rules or use filters to group applications.
When building an application condition, warning icons indicate invalid configurations. For details, hover your
pointer over the icon.

Selecting All Applications Matching a Filter for a Condition

Once constrained by either searching or using the filters in the Application Filters list, the All apps matching
the filter option appears at the top of the Available Applications list.
This option allows you to add the entire set of applications in the constrained Available Applications list to
the Selected Applications and Filters list, at once. In contrast to adding applications individually, adding
this set of applications counts as only one item against the maximum of 50, regardless of the number of
individual applications that comprise it.
When you build an application condition this way, the name of the filter you add to the Selected Applications
and Filters list is a concatenation of the filter types represented in the filter. For example, the following filter
name includes two filters under the Risks type and three under Business Relevance:

Risks: Medium, High Business Relevance: Low, Medium, High


Filter types that are not represented in a filter you add with All apps matching the filter are not included in
the name of the filter you add. The instructional text that is displayed when you hover your pointer over the
filter name in the Selected Applications and Filters list indicates that these filter types are set to any; that
is, these filter types do not constrain the filter, so any value is allowed for these.

You can add multiple instances of All apps matching the filter to an application condition, with each instance
counting as a separate item in the Selected Applications and Filters list. For example, you could add all high
risk applications as one item, clear your selections, then add all low business relevance applications as another
item. This application condition matches applications that are high risk OR have low business relevance.
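To make the combination rules concrete, the following added Python model (not Cisco's code; the application catalog and its risk, relevance and tag values are constructed for illustration) implements the semantics described under Understanding How Filters Are Combined and Selecting All Applications Matching a Filter: OR within a filter type, AND across types, the AND with the name search, the name given to an All apps matching the filter item, and the unique application list the system builds at deploy time under the 50-item cap.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    risk: str
    relevance: str
    tags: frozenset

# Constructed sample catalog; the characteristics are illustrative, not the VDB's.
CATALOG = [
    App("BitTorrent", "Very High", "Very Low", frozenset()),
    App("Facebook", "Medium", "Low", frozenset({"SSL Protocol"})),
    App("Skype", "High", "Medium", frozenset({"Skype", "SSL Protocol"})),
    App("Skype Auth", "High", "Medium", frozenset({"Skype"})),
    App("Salesforce", "Low", "High", frozenset({"SSL Protocol"})),
    App("Counter-Strike", "High", "Very Low", frozenset()),
    App("Dropbox", "Medium", "Medium", frozenset({"SSL Protocol"})),
]

FIELD = {"Risks": "risk", "Business Relevance": "relevance", "Tags": "tags"}
MAX_ITEMS = 50  # per-condition limit on the Selected Applications and Filters list

def matches_filter(app, selected):
    """selected maps a filter type to the list of filters checked under it.
    Filters of one type are ORed, different types are ANDed, and a type
    with nothing checked is 'any' and does not constrain the result."""
    for ftype, values in selected.items():
        if not values:
            continue
        attr = getattr(app, FIELD[ftype])
        hit = bool(attr & set(values)) if isinstance(attr, frozenset) else attr in values
        if not hit:
            return False
    return True

def available_apps(selected, search=""):
    """The constrained Available Applications list: filters AND name search."""
    return sorted(a.name for a in CATALOG
                  if matches_filter(a, selected) and search.lower() in a.name.lower())

def filter_item_name(selected):
    """Name of an 'All apps matching the filter' item: only represented types appear."""
    return " ".join(f"{t}: {', '.join(v)}" for t, v in selected.items() if v)

def deployed_app_list(items):
    """items are ('filter', selected) or ('app', name); the rule matches traffic of
    any item. Returns the unique application list built when the policy is deployed."""
    if len(items) > MAX_ITEMS:
        raise ValueError(f"{len(items)} items exceed the {MAX_ITEMS}-item limit")
    apps = set()
    for kind, spec in items:
        apps |= set(available_apps(spec)) if kind == "filter" else {spec}
    return sorted(apps)
```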

Adding an Application Condition to an Access Control Rule

Smart License: Any
Classic License: Control
Supported Devices: Any
Supported Domains: Any
Access: Admin/Access Admin/Network Admin

Procedure

Step 1 In the access control rule editor, click the Applications tab.
Step 2 If you want to constrain the list of applications displayed in the Available Applications list, select one or
more filters in the Application Filters list.
Step 3 Find and select the applications you want to add from the Available Applications list. You can search for
and select individual applications, or, when the list is constrained, All apps matching the filter.
Step 4 Click Add to Rule. You can also drag and drop selected applications and filters. Filters appear under the
heading Filters, and applications appear under the heading Applications.
Tip Click Clear All Filters to clear your existing selections.
Step 5 If you want to save a custom filter comprised of all the individual applications and filters currently in the
Selected Applications and Filters list, you must click the add icon above the list. Use the object manager
to manage this on-the-fly-created filter.
Note You cannot save a filter that includes another user-created filter; you cannot nest user-created filters.

Step 6 Save or continue editing the rule.

Example
The following graphic shows the application condition for an access control rule that blocks: a custom group
of applications for MyCompany, all applications with high risk and low business relevance, gaming applications,
and some individually selected applications.

What to Do Next
• Deploy configuration changes; see Deploying Configuration Changes.

Limitations to Application Control

Speed of Application Identification
The system cannot perform application control before:
• a monitored connection is established between a client and server, and
• the system identifies the application in the session

This identification should occur within 3 to 5 packets, or after the server certificate exchange in the SSL
handshake if the traffic is encrypted. If one of these first packets matches all other conditions in an access
control rule containing an application condition but the identification is not complete, the access control policy
allows the packet to pass. This behavior allows the connection to be established so that applications can be
identified. For your convenience, affected rules are marked with an information icon.
The allowed packets are inspected by the access control policy’s default intrusion policy (not the default action
intrusion policy nor the almost-matched rule’s intrusion policy).
After the system completes its identification, the system applies the access control rule action, as well as any
associated intrusion and file policy, to the remaining session traffic that matches its application condition.

Handling Encrypted Traffic

The system can identify and filter unencrypted application traffic that becomes encrypted using StartTLS,
such as SMTPS, POPS, FTPS, TelnetS, and IMAPS. In addition, it can identify certain encrypted applications
based on the Server Name Indication in the TLS client hello message, or the server certificate subject
distinguished name value.
These applications are tagged SSL Protocol. Applications without this tag can only be detected in unencrypted
or decrypted traffic.

Handling Application Traffic Packets Without Payloads

The system applies the default policy action to packets that do not have a payload in a connection where an
application is identified.

Handling Referred Traffic

To create a rule to act on traffic referred by a web server, such as advertisement traffic, add a condition for
the referred application rather than the referring application.

Automatically Enabling Application Detectors

At least one detector must be enabled for each application rule condition in the policy. If no detector is enabled
for an application, the system automatically enables all system-provided detectors for the application; if none
exist, the system enables the most recently modified user-defined detector for the application.

Controlling Application Traffic That Uses Multiple Protocols (Skype)

The system can detect multiple types of Skype application traffic. When building an application condition to
control Skype traffic, select the Skype tag from the Application Filters list rather than selecting individual
applications. This ensures that the system can detect and control all Skype traffic the same way.
