Best Practice to create Access Control Policy

Hello Friends! I need advice. How is it better to create rules for an access control policy? I have no practice.
How I do that:
1. Policies -> access control -> Here create My Policy
2. In my new policy I can create different rules, which can either block or allow.
For example, I have rule 1 (it inspects my network using an intrusion policy and inspects files).
Rule 2 - I want to deny one of my computers access to a site. I use the BLOCK action and it works!

Is it right to use rules, or maybe I do it wrong?

P.S. I used the following network structure:
WAN - ASA - FIREPOWER - LAN (ASA and Firepower work separately, I do not use modules for ASA, I have Firepower and FireSIGHT)
Thank you!


Hello! Trying to understand.
I have problems with 2 rules (rule 2 and rule 4). Rule 2 must block sites for one computer. And rule 4 must block uTorrent.
Rule 4 is working. But rule 2 is not working (it works only if rule 4 is disabled). What am I doing wrong? Thank you!

Hi, Rule 2 has URLs in it; you should add only the name as in instead of http and https in there. Regards, Aastha Bhardwaj Rate if that helps!!!

Thank you for your time! I tried to change the names of the sites, but it is not working.

But if I disable rule 4 (must block uTorrent), rule 2 starts to work. And computers do not have access to these sites. Thank you!!!

I add my policy.


Are there any errors beside your rules when you have them in the order that they are in? (Yellow triangle with exclamation point)?

Also, have you tried switching those two rules' spots, to see if that would affect the top-down matching criteria?

Oh! I have no errors. And I tried to interchange the position of the rules. And no effect.

Since Rule 4 works and rule two doesn't,

Try removing all the filters on rule two except the URLs that you don't want to access. Do you want them to be an "interactive block"?

=Rule2= "any" "any", then URLs, and Block

Hello! I need advice.

I have an access policy and I do not know whether I use it right or not.

Do I need to add a rule with an INTRUSION POLICY, or will it be used as default (default action)?

And I want to detect files. Do I need to use it as an individual rule? Or do I need to use it with the intrusion policy? (7)

Thank you!!!

Aastha Bhardwaj
Cisco Employee

Hi,

I would suggest you create the Block statement on top because it is specific to 1 PC. The rules are matched from top to bottom, so if the rule matches first it won't even look for other rules. So more specific rules should be placed on top and then followed by generic rules.


Aastha Bhardwaj

Rate if that helps!!!
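
The top-to-bottom matching described in the reply above, as an added example that is not part of the thread and not Cisco code: a simplified first-match model that compares only source address and URL name, plus a check that flags a specific rule placed below a generic rule that already covers it. The rule names, addresses and `example.com` are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # source network in CIDR form
    urls: frozenset = frozenset()  # empty set means "any URL"
    action: str = "ALLOW"

    def matches(self, src_ip, host):
        return (ip_address(src_ip) in ip_network(self.src)
                and (not self.urls or host in self.urls))

    def covers(self, other):
        """True when every connection `other` matches is also matched by self."""
        src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        url_ok = not self.urls or (bool(other.urls) and other.urls <= self.urls)
        return src_ok and url_ok

def evaluate(rules, src_ip, host, default="ALLOW"):
    """First match wins: later rules are never consulted."""
    for rule in rules:
        if rule.matches(src_ip, host):
            return rule.name, rule.action
    return "default-action", default

def shadowed(rules):
    """Return (rule, earlier_rule) pairs where the later rule can never fire."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed sample rules (addresses and site name are placeholders).
GENERIC = Rule("inspect-lan", "192.168.1.0/24")
BLOCK_PC = Rule("block-pc-sites", "192.168.1.50/32", frozenset({"example.com"}), "BLOCK")
GENERIC_FIRST = [GENERIC, BLOCK_PC]
SPECIFIC_FIRST = [BLOCK_PC, GENERIC]

if __name__ == "__main__":
    for label, rules in (("generic first", GENERIC_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, evaluate(rules, "192.168.1.50", "example.com"), shadowed(rules))
```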
