Re: Building a Policy in FMC

Steven Williams · ‎02-19-2019

When you look at an access control policy in FMC and the default action has a drop down list and I have multiple things in here including system policies and user created policies. So when i choose a IPS policy it wont block traffic after the policy was evaluated top to bottom, I assume because there is no "deny ip any any" so my question is why would you make this anything but block all traffic?

aandersons · ‎02-19-2019

Depends on the granularity of your policy. You could set the default action to Access Control: Block All Traffic, and that default action would function as a implicit deny rule.

However there are cases where you don't want to block everything. For example if your sensor were to hang off of a packet broker. By this point, traffic has already been permitted into your network, and is feeding the broker. You could write a policy that subjects the traffic to different actions and/or different IPS policies, depending on where it is coming from and going to, with the default that the traffic, if it doesn't adhere to one of the above rules, gets inspected, and moves on.

The default action can be tailored to the location within your network, not just at the edge.

Steven Williams · ‎02-19-2019

But I assume most edge policy scenarios the default action is going to be block all traffic.

aandersons · ‎02-19-2019

Exactly, apply inspection to the rules that permit traffic in. With the default action of dropping it, if it isn't permitted. The other settings are for sensor located behind/below the edge, or between network segments.

socratesp1980 · ‎02-19-2019

This has to do with the configured action of your IPS policy.

If your network traffic matches a particular rule on your policy and that rule is allowed then it will be evaluated under your IPS policy.

You should check if your traffic falls into a specific IPS signuture and whether the default action for this signuture is to drop the traffic.