Saturday, June 1, 2019

Configuring Cisco FMC Objects and Access Control Rules

The system matches traffic to access control rules in the order you specify. In most cases, the system handles network traffic according to the first access control rule where all the rule’s conditions match the traffic. 

Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic. When you allow traffic, you can specify that the system first inspect it with intrusion or file policies to block any exploits, malware, or prohibited files before they reach your assets or exit your network. 

The following scenario summarizes the ways that traffic can be evaluated by access control rules in an inline, intrusion prevention deployment. 


In this scenario, traffic is evaluated as follows:
  • Rule 1: Monitor evaluates traffic first. Monitor rules track and log network traffic but do not affect traffic flow. The system continues to match traffic against additional rules to determine whether to permit or deny it. 

  • Rule 2: Trust evaluates traffic next. Matching traffic is allowed to pass to its destination without further inspection, though it is still subject to identity requirements and rate limiting. Traffic that does not match continues to the next rule. 

  • Rule 3: Block evaluates traffic third. Matching traffic is blocked without further inspection. Traffic that does not match continues to the final rule. 

  • Rule 4: Allow is the final rule. For this rule, matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to its destination, though it is still subject to identity requirements and rate limiting. You can configure Allow rules that perform only file inspection, or only intrusion inspection, or neither. 

  • Default Action handles all traffic that does not match any of the rules. In this scenario, the default action performs intrusion prevention before allowing non-malicious traffic to pass. In a different deployment, you might have a default action that trusts or blocks all traffic, without further inspection. (You cannot perform file or malware inspection on traffic handled by the default action.)

Traffic you allow, whether with an access control rule or the default action, is automatically eligible for inspection for host, application, and user data by the network discovery policy. You do not explicitly enable discovery, although you can enhance or disable it. However, allowing traffic does not automatically guarantee discovery data collection. The system performs discovery only for connections involving IP addresses that are explicitly monitored by your network discovery policy; additionally, application discovery is limited for encrypted sessions. 

Note that access control rules handle encrypted traffic when your SSL inspection configuration allows it to pass, or if you do not configure SSL inspection. However, some access control rule conditions require unencrypted traffic, so encrypted traffic may match fewer rules. Also, by default, the system disables intrusion and file inspection of encrypted payloads. This helps reduce false positives and improve performance when an encrypted connection matches an access control rule that has intrusion and file inspection configured. 


These are my initial Access Control Rules configured in my FMCv.


First, create your Security Zone objects under Objects tab > Interface > Add.

Type the Name of the Security Zone > choose ASA (if the device is an ASA FirePOWER module) under Interface Type > select the device under Available Interfaces > click Add to move it to the Selected Interfaces column on the right.
 

Click Save > Yes.


I selected all the inside interfaces since the ASA5506W-X uses a BVI interface (bridged).


I configured the same for the INSIDE-WIFI (wifi) and OUTSIDE-WAN (outside) Security Zones.


You can verify the Security Zones applied to the ASA Interface under Devices > Device Management > click edit (pencil icon) on a specific device.



Create the Network Objects under Objects > Network > Add Network > Add Objects. Notice there are default IPv4 and IPv6 network objects configured on the FMC.


Type a Name > type the Network (CIDR notation) > Save.


You can group individual Network Objects into a group by choosing Add Group instead.

Type a Name > choose the individual Network Objects (hold Ctrl to select multiple entries) > click Add to move to the Selected Networks on the right column > Save.
 

Notice that the Type column now displays Group.


You can use (or search for) pre-defined Port Objects under Objects > Port. I tried searching for RDP and 3389 but there were none.




You can manually add TCP and UDP ports by clicking Add Port > Add Objects.


Type a Name > choose the Protocol (TCP in this case) > type the port number (RDP is TCP 3389) > click Save.


You can verify by searching for the Protocol Name or Port Number.


Create a Port Group Object for HTTP (80) and HTTPS (443) by clicking on Add Port > Add Group.


Search for the Name or Port Number > click Add to move to the Selected Ports on the right column > click Save.




Add a Geolocation (public IP) under Objects > Geolocation > Add Geolocation.


Type a Name (no spaces allowed) > expand the region (Asia in this case) > select the country or countries (China in this case) > click Save.



Configure the Firepower Access Control Policy (ACP) under Policies > Access Control.


There's currently an ACP called LAB_POLICY used for the initial Network Discovery, which I ran for a couple of weeks. Click edit (pencil icon) to add new rules.


You can optionally edit the Policy Name and add a description. Click Save afterwards.


Notice there are default ACP Categories: Mandatory, Default and Default Action. Like an ACL, rules are matched from top to bottom.


You can create or add a new Category by clicking Add Category (click either the green + symbol or the blue hyperlink) > type a Name > choose where to Insert the new Category (into Mandatory in this case) > click OK.


Click Add Rule (blue hyperlink) under the new Category FMC_LAB_RULES.

For ACP Rule #1, add a new rule to Block RDP and FTP sourced from the 192.168.1.0/16 wired network to Any External RDP servers.
 

Type a Name (Enabled is automatically ticked) > the new rule is automatically inserted into the new Category FMC_LAB_RULES > choose Allow under Action.

This link describes the different Rule Actions.
 

Add the Source (INSIDE-WIRED) and Destination Zones (OUTSIDE-WAN) under the Zones tab.


Add the Source and Destination Networks (LAB-WIRED) under the Networks tab.


Under the Ports tab > search for RDP under Available Ports > click Add to Destination.



Under Logging > tick Log at Beginning of Connection, which is the only option when blocking. The Event Viewer under Send Connection Events to is automatically selected.

Log at Beginning of Connection usually captures only the first few packets (based on the packet's 5-tuple), whereas Log at End of Connection does a deep packet capture and therefore provides more information.
 

You can optionally put a Comment under the Comments tab > click New Comment.


Type a descriptive Comment > click OK.


Click Add once done configuring the ACP Rule.



For ACP Rule #2, add a new Rule to Block web traffic sourced from the 192.168.0.0/16 network (wired and wifi) to Any public IP addresses in China.

Choose the Action Block with reset so that FMC sends a TCP reset instead of leaving the web browser loading indefinitely.
 


Under Networks tab > Available Networks > Geolocation > choose GEO_BLACKLIST object created earlier > click Add to Destination.


Under Ports tab > choose the LAB_WEB Port Group (HTTP and HTTPS ports) > click Add to Destination.


You can only choose to Log at Beginning of Connection when performing an Action of Block and Block with Reset. Click Add once done configuring the ACP Rule.



For ACP Rule #3, add a new Rule to Allow web traffic sourced from the 192.168.0.0/16 network (wired and wifi) to Any External websites (HTTP and HTTPS).





Customers usually leverage the Firepower Next Generation Firewall (NGFW) features such as Security Intelligence, URL Filtering and AMP, and then have an implicit action to Allow Any traffic at the end of the ACP. This will also prevent me from locking myself out if I do Block All Traffic, since I usually use TeamViewer or AnyDesk to remotely access my lab server.

So I chose the Default Action of Trust All Traffic.
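To make the evaluation order described at the top of the post concrete (Monitor rules fall through, any other first match decides, the Default Action handles the rest), here is an added example that models the three FMC_LAB_RULES built above plus the Trust Default Action. This is illustrative code written for this post, not Firepower's own logic: the GeoDB lookup is a constructed table on TEST-NET addresses, the MONITOR-LAB rule is a constructed addition, and the two Block rules use the Block with reset action seen in the Connection Events later in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the Firepower GeoDB, keyed on TEST-NET addresses.
GEO_DB = {"203.0.113.5": "China", "198.51.100.7": "United States"}

@dataclass
class Rule:
    name: str
    action: str                # Monitor, Trust, Allow, Block, Block with reset
    src_zones: tuple = ()      # an empty tuple means "any" for that condition
    dst_zones: tuple = ()
    src_nets: tuple = ()       # ipaddress network objects
    dst_countries: tuple = ()  # contents of a Geolocation object
    dst_ports: tuple = ()      # TCP destination ports

    def matches(self, flow):
        src_ip = ipaddress.ip_address(flow["src_ip"])
        return ((not self.src_zones or flow["src_zone"] in self.src_zones)
                and (not self.dst_zones or flow["dst_zone"] in self.dst_zones)
                and (not self.src_nets or any(src_ip in n for n in self.src_nets))
                and (not self.dst_countries or GEO_DB.get(flow["dst_ip"]) in self.dst_countries)
                and (not self.dst_ports or flow["dst_port"] in self.dst_ports))

LAB = (ipaddress.ip_network("192.168.0.0/16"),)
# Rule order and conditions follow the post; MONITOR-LAB is a constructed addition
# and the Block actions follow the "Block with reset" Connection Events shown later.
FMC_LAB_RULES = [
    Rule("MONITOR-LAB", "Monitor", src_nets=LAB),
    Rule("BLOCK-RDP-FTP", "Block with reset", src_zones=("INSIDE-WIRED",),
         dst_zones=("OUTSIDE-WAN",), src_nets=LAB, dst_ports=(3389, 21)),
    Rule("BLOCK-CHINA-WEB", "Block with reset", src_nets=LAB,
         dst_countries=("China",), dst_ports=(80, 443)),
    Rule("ALLOW-WEB", "Allow", dst_zones=("OUTSIDE-WAN",), src_nets=LAB, dst_ports=(80, 443)),
]
DEFAULT_ACTION = "Trust"  # the post's Default Action: Trust All Traffic

def evaluate(flow, rules=FMC_LAB_RULES, default=DEFAULT_ACTION):
    """First match wins, except Monitor rules, which record a hit and fall through."""
    monitor_hits = []
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.action == "Monitor":
            monitor_hits.append(rule.name)
            continue
        return rule.action, rule.name, monitor_hits
    return default, "Default Action", monitor_hits
```

Running RDP from the wifi zone through this model shows why zone-scoped rules need checking: rule 1 only covers INSIDE-WIRED, so that flow falls all the way to the Trust Default Action.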
 

You can also choose which specific devices the ACP will be pushed to when managing several Firepower devices. Click on Filter by Device (under the Rules tab) > tick All or specific devices > OK.


I'll just show the available options under each tab. This is the Security Intelligence (Cisco SIO cloud) tab.


You can choose or customize the web blocking error message under HTTP Responses > choose System-provided (None by default).

This will display an Access Denied page when a certain website is blocked by the FMC ACP.



Click Save > Deploy (at the top beside System) > select the device > Deploy. Click on the alert triangle symbol to view the Deployment Status.


The Deploy Status will change to a green check symbol once ACP Deployment to the device is successful.



You can also verify the ACP Status by going to Policies > Access Control. Notice that Status shows Up-to-date on all targeted devices.


For testing RDP, I used a free RDP public server found on this link.


For testing FTP, I used a free FTP public server found on this link.


You can verify the Event logs under Analysis > Connections > Events.


192.168.1.100 is my Windows 10 wired test machine. Notice the Event with Block with reset under the Action column has a Destination port of TCP 21 (FTP).



Click on the Initiator (192.168.1.100) to filter Events related to the specific Initiator IP address. Click on the < > arrows at the bottom to view more Events.


These are the Events with Blocked (with reset) RDP connections.



You can view which ACP Rule got a hit under Access Control Rule column.


I tried to access a few popular Chinese websites on my wired machine and on wifi (iPhone).

 

qq.com


Go to Analysis > Connections > Events to view logs.


The Initiator IP 192.168.10.49 is my iPhone using the wifi network (192.168.10.0/24).


I also verified visiting other websites such as Facebook.com and Youtube.com, which are popular US websites.


Go to Analysis > Connections > Events to view logs.



You can verify traffic statistics under the Overview tab.


