Cisco Firepower Management Center - negate object/network

marco.iacono
Level 1

Hello together,


does anyone know if it is possible to negate an object or network in the policies?


Unfortunately I have not found anything for this.

I wanted to create a rule for Internet Access (allow any to "not RFC1918" http and https) just as an example.


Anyone have an idea or is this not possible in the FMC?

6 Replies

Marvin Rhoads
Hall of Fame
You'd have to use two entries. First entry would be to block http and https to the RFC 1918 network object. Second entry would permit http and https to any destination. Rules are processed from top down, with rule processing stopping after the first matched entry (with an action other than monitor).
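As an added illustration of the two-entry approach described in the reply above (this is constructed example code, not Cisco's or the FMC's own logic), the following models top-down, first-match rule evaluation where a monitor rule never terminates processing, and shows that the same two rules in the reverse order lose the "not RFC 1918" effect because the permit-any entry shadows the block:

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of access-control rule evaluation: rules are checked top down
# and the first match whose action is not "monitor" decides the verdict.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    action: str        # "allow", "block" or "monitor"
    dst_nets: list     # list of ipaddress networks the destination must fall in
    dst_ports: set     # empty set means any port

    def matches(self, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        in_net = any(ip in n for n in self.dst_nets)
        in_port = not self.dst_ports or dst_port in self.dst_ports
        return in_net and in_port


def evaluate(policy, dst_ip, dst_port, default="block"):
    """Return (verdict, rule_name). Monitor rules are skipped over; the policy
    default action applies when no terminating rule matches."""
    for rule in policy:
        if rule.matches(dst_ip, dst_port):
            if rule.action == "monitor":
                continue
            return rule.action, rule.name
    return default, "default-action"


# The two-rule construction from the thread: block web to RFC 1918, then permit web to any.
WEB = {80, 443}
INTERNET_ACCESS = [
    Rule("deny-web-to-rfc1918", "block", RFC1918, WEB),
    Rule("permit-web-to-any", "allow", ANY, WEB),
]
# Same two rules in reverse order: the permit-any entry shadows the block.
SHADOWED = [INTERNET_ACCESS[1], INTERNET_ACCESS[0]]

if __name__ == "__main__":
    for ip in ("192.168.1.10", "203.0.113.5"):
        print(ip, evaluate(INTERNET_ACCESS, ip, 443), evaluate(SHADOWED, ip, 443))
```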

Cristian Matei
VIP Alumni

Hi,


Yes you can, by using the excluded list in your network object definition.


Regards,

Cristian Matei.

Hi Cristian,

Can you explain in more detail how to use an excluded list in a network object or object group definition? I don't see that option in my FMC running 6.5.0.2.

[Attachment: FMC Network Group object.PNG]

Hi,


I meant "network variables". So you define a new network variable set, you include the networks and exclude the specific ranges. You then select in your access-control policy rule the newly defined variable set, from the inspection tab. Although the variable set is used for intrusion policies, in the end you attach the intrusion policy to your access-control policy rules. There are some restrictions; read carefully in the Configuration Guide, in the Managing Reusable Objects section, Variable Sets.

Regards,

Cristian Matei.


@Cristian Matei would excluding the objects from inspection by the IPS policy have the effect of blocking the connections in the associated Access Control Policy rule?

I would have thought the effect would be to exempt the excluded network(s) from IPS inspection once the associated rule action was determined - but not blocking the TCP connections in the first place.

Hi,


@Marvin Rhoads Yes Marvin, that is correct. I read the first question, which says "policies", and I replied thinking of IPS policies. If he needs to "negate networks" for the ACP, he actually needs multiple ACP rules; if he needs to "negate networks" for IPS, he needs a variable set.


Regards,

Cristian Matei.
