Application based access-control Policy query

Hi,

I have a simple query around access control policy using applications in the rule. If we want to create access control policies with applications, is it necessary to configure the port/protocol information as well? Or can we just use applications in the policy without defining the ports/protocols? Will Firepower automatically detect the allowed application across any port?

Is it also possible to bind an application to be detected & allowed on a custom port?

Can someone please advise on the same.

Regards

Vaibhav


tneuhuber
Beginner

hi,

The logical operator between tabs within the rule statement is an "and", therefore I suggest only using a "port" rule if you want to be sure the rule is hit. You cannot rely on the attacker to use the correct application-id and port :-). Otherwise another rule will be hit or the default action comes into place, but with the default action no file check is possible.

"Default Action handles all traffic that does not match any of the rules. In this scenario, the default action performs intrusion prevention before allowing non-malicious traffic to pass. In a different deployment, you might have a default action that trusts or blocks all traffic, without further inspection. (You cannot perform file or malware inspection on traffic handled by the default action.)"

hope that helps, br

thomas

Hi,

Thanks for your reply. So since the tabs are joined with an "and" operator, I can practically bind an application to a port. I can create a rule to only allow e.g. Facebook on port 8080. In this case both the conditions of Application & port have to match for the rule to be matched? If Facebook is recognized on, let's say, port 80, the rule will not match & the traffic will be checked by the action set in the default rule?

Thanks

Vaibhav

Hi, yes, that is what I have observed.

From my point of view, it is better to use a "port rule" for a connection from outside to inside to get it hit.

An inside-to-outside rule (permit or deny apps) can rely on the open app-id (Snort), which is the basic algorithm to detect applications.

br, Thomas

Claudiu Cismaru
Cisco Employee

Vaibhav,

You are asking whether the device is able to detect an application on any port? Yes, it is. Actually, this is the way it is designed to work.

The traffic is first identified, regardless of the ports used on the ACP rule. If you also add the ports, it will narrow the matching condition of the entire rule; it will not prevent the application from being identified.

So, if you add Facebook as an Appid on a rule, it will match any traffic that is Facebook, regardless of the port used for that traffic.
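To make the matching semantics from Thomas's and Claudiu's replies concrete, here is a small Python model of an access control policy, added as an illustration (this is not Cisco code and does not reproduce Firepower internals). It encodes the points made in the thread: the application and port conditions of a rule are ANDed, an empty condition means "any", the application is identified independently of the port, rules are evaluated top-down, and traffic matching no rule falls to the default action, which carries no file or malware policy. The rule names, application names, the `malware-scan` policy name and the sample flows are all constructed for the example.

```python
"""Toy model of Firepower ACP rule evaluation (added illustration, not Cisco code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    # Application name as identified by the detector (None = not identified),
    # and the destination port. Identification does not depend on the port.
    app: Optional[str]
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow", "block" or "trust"
    apps: FrozenSet[str] = frozenset()    # Applications tab; empty == any
    ports: FrozenSet[int] = frozenset()   # Ports tab; empty == any
    file_policy: Optional[str] = None     # file/malware inspection (allow rules only)

    def matches(self, flow: Flow) -> bool:
        # Conditions from different tabs are ANDed: every populated
        # condition must match for the rule to be hit.
        app_ok = not self.apps or flow.app in self.apps
        port_ok = not self.ports or flow.dst_port in self.ports
        return app_ok and port_ok


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str = "allow"  # default action: no file policy possible

    def evaluate(self, flow: Flow) -> Tuple[str, str, Optional[str]]:
        """Return (rule name, action, file policy) for the first matching rule,
        or ("default", default_action, None) when no rule matches."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.name, rule.action, rule.file_policy
        return "default", self.default_action, None


def example_policy() -> Policy:
    # Constructed policy mirroring the thread's scenarios.
    return Policy(
        rules=[
            # App AND port: Facebook only on 8080, with file inspection.
            Rule("fb-on-8080", "allow", apps=frozenset({"facebook"}),
                 ports=frozenset({8080}), file_policy="malware-scan"),
            # App only: catches Facebook on any other port (port-independent AppID).
            Rule("block-facebook", "block", apps=frozenset({"facebook"})),
            # Port only (Thomas's outside-to-inside suggestion): hits even when
            # the application could not be identified.
            Rule("inbound-443", "allow", ports=frozenset({443}),
                 file_policy="malware-scan"),
        ],
        default_action="allow",
    )


def evaluate_flows(policy: Policy, flows: List[Flow]) -> List[Tuple[str, str, Optional[str]]]:
    return [policy.evaluate(f) for f in flows]


if __name__ == "__main__":
    sample = [Flow("facebook", 8080), Flow("facebook", 80),
              Flow(None, 443), Flow("dropbox", 8443)]
    for flow, result in zip(sample, evaluate_flows(example_policy(), sample)):
        print(flow, "->", result)
```

Running it shows the four outcomes discussed in the thread: Facebook on 8080 hits the combined app+port rule and gets file inspection; Facebook on port 80 does not match that rule and is caught by the app-only rule below it, because the application was still identified regardless of port; an unidentified flow to 443 is still hit by the port-only rule; and a flow matching nothing lands on the default action with no file policy attached.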
