I have a simple query around access control policy using applications in the rule. If we want to create access control policies with applications, is it necessary to configure the port/protocol information as well? Or can we just use applications in the policy without defining the ports/protocols? Will Firepower automatically detect the allowed application across any port?
Is it also possible to bind an application to be detected & allowed on a custom port?
The logical operator between tabs within the rule statement is an "and"; therefore I suggest only using a "port" rule if you want to be sure the rule is hit. You cannot count on the attacker to use the correct application-id and port :-). Otherwise another rule will be hit or the default action comes into place, but with the default action no file check is possible.
"Default Action handles all traffic that does not match any of the rules. In this scenario, the default action performs intrusion prevention before allowing non-malicious traffic to pass. In a different deployment, you might have a default action that trusts or blocks all traffic, without further inspection. (You cannot perform file or malware inspection on traffic handled by the default action.)"
Thanks for your reply. So since the tabs are joined with an "and" operator, I can practically bind an application to a port. I can create a rule to only allow e.g. Facebook on port 8080. In this case both the conditions of Application & port have to match for the rule to be matched? If Facebook is recognized on, let's say, port 80, the rule will not match & the traffic will be checked by the action set in the default rule?
You are asking whether the device is able to detect an application on any port? Yes, it is. Actually, this is the way it is designed to work.
The traffic is first identified, regardless of the ports used in the ACP rule. If you also add the ports, that will narrow the matching condition of the entire rule, but it will not prevent the application from being identified.
So, if you add Facebook as Appid on a rule, it will match any traffic that is Facebook, regardless of the port used for that traffic.
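The matching semantics described in this thread, as an added illustration that is not code from the thread or from Cisco: conditions on different tabs are ANDed, a tab left blank is a wildcard, rules are checked top-down with the first match winning (assumed here), and unmatched traffic falls to the default action, where no file/malware inspection is possible. The rule names, the "Facebook"/"Dropbox" app labels and the port numbers are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str   # application as already identified by inspection, independent of port
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    apps: frozenset = frozenset()    # Applications tab; empty = left blank = any app
    ports: frozenset = frozenset()   # Ports tab; empty = left blank = any port
    file_policy: bool = False        # file/malware policy attached to this rule

    def matches(self, flow: Flow) -> bool:
        # Tabs are ANDed: every tab that has a condition must match.
        app_ok = not self.apps or flow.app in self.apps
        port_ok = not self.ports or flow.port in self.ports
        return app_ok and port_ok


# Default action of the policy: here "intrusion-prevention", and file
# inspection is never possible on traffic handled by the default action.
DEFAULT_ACTION = ("default", "intrusion-prevention", False)


def evaluate(rules, flow: Flow):
    """Return (rule name, action, file inspection possible) for the first matching rule."""
    for rule in rules:
        if rule.matches(flow):
            return (rule.name, rule.action, rule.file_policy)
    return DEFAULT_ACTION


# Constructed sample policy: Facebook bound to port 8080, then Facebook on any port.
FB_8080 = Rule("fb-8080", "allow", apps=frozenset({"Facebook"}),
               ports=frozenset({8080}), file_policy=True)
FB_ANY = Rule("fb-any-port", "allow", apps=frozenset({"Facebook"}))
POLICY = [FB_8080, FB_ANY]

if __name__ == "__main__":
    for flow in (Flow("Facebook", 8080), Flow("Facebook", 80), Flow("Dropbox", 443)):
        print(flow, "->", evaluate(POLICY, flow))
    # With only the port-bound rule, Facebook on port 80 drops to the default action.
    print(Flow("Facebook", 80), "->", evaluate([FB_8080], Flow("Facebook", 80)))
```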