Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4873
Views
0
Helpful
8
Replies

Best Practice to create Access Control Policy

n.avramenko87
Level 1
Level 1

‎09-08-2016 05:02 AM - edited ‎03-12-2019 06:07 AM

Hello Friends! I need an advice.How better to create rules for access control policy? I had not practice.
How I do that.
1.Policies -> access control -> Here create My Policy
2.In my new policy I can create different rules, which can either block or allow.
For example I have rule 1 (it inspect my network use intrusion policy and inspect files).
rule2 - I want to deny access one of my computer to sait.I use BLOCK action and it works!

Is it right to use rules or maybe i do it wrong?

P.S. I used the follow structure of the network:
WAN - ASA - FIREPOWER - LAN (asa and firepower work separately, i do not use modules for asa, i have firepower and fire sight)
Thank you!

2 people had this problem
Labels:
0 Helpful
8 Replies 8

n.avramenko87
Level 1
Level 1

‎09-09-2016 05:28 AM

Hello!Trying to understand.
I have problems with 2 rules (rule 2 and rule 4). Rule 2 must block sites for one computer.And rule 4 must block utorrent.
Rule 4 is working. But rule 2 is not working (it working only if rule 4 disabled). What I do not right? Thank you!

Preview file
73 KB
0 Helpful

Aastha Bhardwaj
Cisco Employee
Cisco Employee
In response to n.avramenko87

‎09-09-2016 05:39 AM

Hi , Rule 2 has URL's in it you should add only the name as in google.com instead of http and https in there . Regards, Aastha Bhardwaj Rate if that helps!!!
0 Helpful

n.avramenko87
Level 1
Level 1
In response to Aastha Bhardwaj

‎09-09-2016 06:41 AM

Thank you for your time! I try to change names of sites, but it is not working.

But if I disabled rule 4 (must block utorrent) - rule 2 start to work. And computers do not have an access to this sites. Thank you!!!

I add my policy.

Preview file
80 KB
0 Helpful

sebrjohnson
Level 1
Level 1
In response to n.avramenko87

‎09-09-2016 06:50 AM

Hello,

Are there any errors beside your rules when you have them in the order that they are in? (Yellow Triangle with explanation point)?

Also, have you tried switching those two rules spots, to see if that would affect the top - down matching criteria.

0 Helpful

n.avramenko87
Level 1
Level 1
In response to sebrjohnson

‎09-09-2016 07:09 AM

O! I have not errors. And  i tryed to interchange the position of rules. And no effect.

0 Helpful

sebrjohnson
Level 1
Level 1
In response to n.avramenko87

‎09-09-2016 07:24 AM

Since Rule 4 works and rule two doesn't;

Try removing the all the filters on rule two except the URLs that you don't want to access. Do you want them to be an "interactive block"?

=Rule2= "any""any", then URLs, and Block

0 Helpful

n.avramenko87
Level 1
Level 1
In response to sebrjohnson

‎09-23-2016 01:48 AM

Hello! I need an advice.

I have access policy and I do not know use it right or not?

Is it need to add rule with INTRUSION POLICY or it will be used as default (default action)?

And I want to detect files. Do I need to use it as a individual rule. Or I need to use it with intrusion policy? (7)

Thank you!!!

Preview file
115 KB
0 Helpful

Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎09-09-2016 05:36 AM

Hi ,

I would suggest you to create Block statement on top because it is specific to 1 PC , the rules are matched from top to bottom , so if the rule matches first it wont even look for other rules . So more specific rules should be places on top and then followed by generic rules.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card