There are many policies we hear about when dealing with Cisco FMC, which makes it confusing where to find them and where to apply them. In this post, I'm going to make a brief note on all of them and their interrelationship.
Policies are reusable sets of rules/conditions. The different kinds of policies in FMC are Access Control Policy, Intrusion Policy, Malware & File Policy, DNS Policy, Identity Policy, SSL Policy, Prefilter Policy, Network Analysis Policy, Network Discovery Policy, NAT Policy, QoS Policy, Settings Policy, Correlation Policy and Health Policy. 😵 I think I named them all..
Following are short descriptions of the above policies.
Access Control Policy - Of all the above, the Access Control Policy (ACP) is the main type of policy, in which most of the other policies are packaged.
1 FTD can have only 1 Access Control Policy.
Access Control Policy rules have the legacy firewall rule functionality with added next-generation features, which are defined in most of the other types of policies.
Intrusion Policy - This defines a set of intrusion detection and prevention configurations that inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.
Malware & File Policy - This is a set of configurations that the system uses to perform malware protection and file control, as part of your overall access control configuration.
DNS Policy - DNS-based Security Intelligence allows you to whitelist or blacklist traffic based on the domain name requested by a client.
Identity Policy - Identity policies contain identity rules. Identity rules associate sets of traffic with a realm and an authentication method: passive authentication, active authentication, or no authentication.
This is a requirement when we plan to use users or groups in our Access Control Policy.
SSL Policy - An SSL policy determines how the system handles encrypted SSL traffic (HTTPS etc.) on your network.
Prefilter Policy - This is basically used to drop unwanted traffic early, or to bypass the firewall inspections entirely for traffic that does not need to go through the FTD's deeper inspection.
Network Analysis Policy - These are for traffic preprocessing options. Cisco says that network analysis-related preprocessing occurs after Security Intelligence blacklisting and SSL decryption, but before intrusion or file inspection begins.
Network Discovery Policy - This is there to identify what is attached to the network.
It is used to build Host Profiles of devices, including information like OS, services, web apps, protocols, users, IOC tags, VLAN tags, malware events, vulnerabilities, scan results, hostname, MAC address and much more..
NAT Policy - This is to configure the Network Address Translation settings of an FTD.
QoS Policy - This is to configure the QoS settings for an FTD.
Settings Policy - This is where you configure the basic settings of an FTD, like ARP inspection, banner, etc.
Correlation Policy - This is basically the If This --> Then That functionality of the FMC. It can be used to respond in real time to threats, specific event types, specific hosts, specific users, or network traffic conditions.
Health Policy - This is to monitor the overall functionality and performance of the whole Firepower system, so this policy can apply both to the FMC itself and to FTDs.
Now let's look at the interrelationship of the above policies.
When you click on the Policies tab, the 1st menu is Access Control, and the default selection is the Access Control menu item. In line with Access Control, you can see Network Discovery and Correlation. Those 2 are also types of policies you can configure in FMC, and they are "for FMC".
"For FMC" means the policies are used in the FMC itself, not deployed to FTDs..
You can see the place to attach a DNS Policy under the Security Intelligence tab in the ACP.
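To make the containment described above concrete, here is an added Python model (my own illustration, not Cisco code and not the FMC API) of an ACP holding the sub-policies the post lists. The class and field names are assumptions chosen for readability. It encodes only the constraints the post states: one ACP per FTD, an Identity Policy being required before rules can match on users or groups, the DNS Policy hanging off the ACP's Security Intelligence settings, and preprocessing sitting after Security Intelligence and SSL decryption but before intrusion/file inspection, with prefilter able to bypass everything downstream.

```python
"""Toy model of how FMC policies nest inside an Access Control Policy (ACP).

Added example, not Cisco code: class and field names are assumptions.
Only the relationships stated in the post are encoded here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccessRule:
    name: str
    action: str                                     # "allow" or "block"
    users: List[str] = field(default_factory=list)  # realm users/groups
    intrusion_policy: Optional[str] = None          # per-rule Intrusion Policy
    file_policy: Optional[str] = None               # per-rule Malware & File Policy


@dataclass
class AccessControlPolicy:
    name: str
    rules: List[AccessRule]
    prefilter_policy: Optional[str] = None
    identity_policy: Optional[str] = None
    ssl_policy: Optional[str] = None
    dns_policy: Optional[str] = None                # attached under Security Intelligence
    network_analysis_policy: Optional[str] = None


def validate_acp(acp: AccessControlPolicy) -> List[str]:
    """Return a list of problems; an empty list means the ACP is consistent.

    The one check here is the post's requirement that user/group based
    rules need an Identity Policy attached to the ACP.
    """
    problems = []
    for rule in acp.rules:
        if rule.users and acp.identity_policy is None:
            problems.append(
                f"rule '{rule.name}' matches on users/groups but the ACP "
                "has no Identity Policy attached")
    return problems


def assign_acp(assignments: Dict[str, str], ftd: str, acp: str) -> Dict[str, str]:
    """Assign an ACP to an FTD. A device holds exactly one ACP, so a new
    assignment replaces the previous one rather than adding a second."""
    assignments[ftd] = acp
    return assignments


def inspection_order(acp: AccessControlPolicy,
                     prefilter_fastpath: bool = False) -> List[str]:
    """Stages a flow traverses, in order, given the policies attached to the ACP.

    A prefilter fastpath decision bypasses every later stage. Security
    Intelligence (DNS) and SSL decryption precede network analysis
    preprocessing, which precedes the rule-level intrusion/file inspection.
    """
    stages = []
    if acp.prefilter_policy:
        stages.append(f"prefilter:{acp.prefilter_policy}")
        if prefilter_fastpath:
            return stages
    if acp.dns_policy:
        stages.append(f"security-intelligence/dns:{acp.dns_policy}")
    if acp.ssl_policy:
        stages.append(f"ssl-decrypt:{acp.ssl_policy}")
    if acp.network_analysis_policy:
        stages.append(f"network-analysis:{acp.network_analysis_policy}")
    stages.append("access-control-rules")
    # Intrusion and file policies are referenced per rule; list the ones in use.
    for rule in acp.rules:
        if rule.intrusion_policy:
            stages.append(f"intrusion:{rule.intrusion_policy}")
        if rule.file_policy:
            stages.append(f"file:{rule.file_policy}")
    return stages


def sample_acp() -> AccessControlPolicy:
    """Constructed sample ACP (invented names, not from a real deployment)."""
    return AccessControlPolicy(
        name="Corp-ACP",
        rules=[
            AccessRule("allow-web", "allow",
                       intrusion_policy="Balanced-Security",
                       file_policy="Block-Malware"),
            AccessRule("allow-finance-users", "allow",
                       users=["FINANCE\\staff"]),
        ],
        prefilter_policy="Default-Prefilter",
        ssl_policy="Decrypt-Outbound",
        dns_policy="Block-Malicious-Domains",
        network_analysis_policy="Balanced-NAP",
    )


if __name__ == "__main__":
    acp = sample_acp()
    print("problems:", validate_acp(acp))          # identity policy missing
    acp.identity_policy = "Corp-Identity"
    print("problems:", validate_acp(acp))          # now empty
    print(inspection_order(acp))
    print(inspection_order(acp, prefilter_fastpath=True))
    print(assign_acp(assign_acp({}, "ftd-1", "Old-ACP"), "ftd-1", "Corp-ACP"))
```

Running the sample first reports that the finance rule needs an Identity Policy, then shows the clean result once one is attached; the fastpath call returns only the prefilter stage, and the double assignment leaves `ftd-1` with a single ACP.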