FMC - Whitelist Location

JoshfromPHX
Level 1

Hello, 

I have started to manage our Cisco Firepower Management Center and have been asked to whitelist some websites. I have found that I can do this in two locations and it has worked.

  1. Policies > Access Control > Prefilter (When doing prefilter I will Fastpath the allow rule) 
  2. Policies > Access Control > Access Control (When doing this I am placing the whitelisted site before all the other rules)

Is there a "best practice" for where to place the white-listed sites? 

I have also noticed that when I am looking at the Connection Events page (Analysis > Connections > Events) I can right-click on the blocked Responder IP address and choose "Add IP to Do-Not-Block List" however after making this choice I would still get blocked by the firewall. This option looks like an easy way to whitelist by IP but I am not sure if there is a setting that I need to change in order for this to work correctly. 

Thank you all in advance for your time and help on my post. 

5 Replies

manofsteel03
Level 1

Personally I wouldn't place them in the prefilter rules as that bypasses all inspection. Typically you would put things like vulnerability scanners and/or systems that conduct backups of systems because you trust those systems and you don't require any sort of inspection of the traffic.

You can have a read from another post on prefilter vs access control policy https://community.cisco.com/t5/network-security/cisco-ftd-prefilter-policies-vs-access-control-policies/td-p/3060770.

hth

Marvin Rhoads
Hall of Fame

Like @manofsteel03 mentioned, only put them in prefilter if you are wanting to exempt them from ALL IPS inspection. Using an ACP can be done either directly (the way you describe) or indirectly (adding them to the Security Intelligence (SI) local whitelist, which is done via the object definition). I typically prefer the latter as it continues to afford you all of the other protections provided by the system, only exempting the address(es) from SI.

Thank you @Marvin Rhoads.

In the FMC I found Objects > Object Management. From there, Add Network > Add Object. I then filled out the form with the name and the host IP address of the website I would like to whitelist. Then I just go here and add the object I just made?

Policies > Access Control > Access Control (When doing this I am placing the whitelisted site before all the other rules)

Are there any other steps? Do they have a KB on this process? 

JoshfromPHX
Level 1

I have also noticed that when I am looking at the Connection Events page (Analysis > Connections > Events) I can right-click on the blocked Responder IP address and choose "Add IP to Do-Not-Block List" however after making this choice I would still get blocked by the firewall. This option looks like an easy way to whitelist by IP but I am not sure if there is a setting that I need to change in order for this to work correctly. 

Any ideas on how this option works?

manofsteel03
Level 1

That is mostly setup for dealing with Security Intelligence which allows you to quickly add IPs to the block or do not block list without having to redeploy changes to the ACP. You still have to configure the rule(s) in your ACP to allow that traffic.

If you look under Objects \ Security Intelligence \ Network Lists, you'll see the Global Block and Do Not Block which get populated when you take that action.
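As an added illustration of the ordering the replies above describe (prefilter fastpath first, then Security Intelligence with its Do-Not-Block exemption, then the ordered access control policy), here is a constructed simplified model of that enforcement order. It is not FMC or FTD code; the stage order and the rule lists are assumptions for the purpose of the demonstration.

```python
import ipaddress

# Constructed teaching model of the FTD enforcement order discussed above:
#   1. prefilter fastpath (skips SI, ACP and IPS entirely)
#   2. Security Intelligence: block list, minus the Do-Not-Block list
#   3. access control policy: ordered rules, first match wins
# Not FMC's real implementation; all sample lists below are made up.

def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def evaluate(dst_ip, prefilter_fastpath, si_block, si_do_not_block, acp_rules):
    """Return (verdict, stage). acp_rules is an ordered list of (network, action)."""
    if any(_in(dst_ip, n) for n in prefilter_fastpath):
        return ("allow-uninspected", "prefilter")
    si_hit = any(_in(dst_ip, n) for n in si_block)
    si_exempt = any(_in(dst_ip, n) for n in si_do_not_block)
    if si_hit and not si_exempt:
        return ("block", "security-intelligence")
    for net, action in acp_rules:
        if _in(dst_ip, net):
            return (action, "acp")
    return ("block", "acp-default")

def scenarios():
    """Constructed cases showing why a Do-Not-Block entry alone is not enough."""
    site = "203.0.113.10"            # constructed 'website' address
    block_rule = ("203.0.113.0/24", "block")
    allow_rule = ("203.0.113.10/32", "allow-inspected")
    return {
        # SI exempted, but the ACP still blocks: the point made in the reply above
        "do_not_block_only": evaluate(site, [], ["203.0.113.0/24"], [site], [block_rule]),
        # SI exempted and an allow rule placed before the block rule
        "do_not_block_plus_acp_allow": evaluate(site, [], ["203.0.113.0/24"], [site],
                                                [allow_rule, block_rule]),
        # same allow rule placed after the block rule: ordering matters
        "allow_after_block": evaluate(site, [], [], [], [block_rule, allow_rule]),
        # prefilter fastpath: allowed, but with no inspection at all
        "prefilter_fastpath": evaluate(site, [site], ["203.0.113.0/24"], [], [block_rule]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```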
