Cisco Firepower 7010, Firepower 7020, Firepower 7030, Firepower 7050, Firepower 7110, Firepower 7120, Firepower 7115, Firepower 7125, Installation Manual page 76

Chapter 6 Deploying Firepower Managed Devices
Deployment Options

allow all traffic to enter your network, and inspect the traffic with a network discovery policy only
allow all traffic to enter your network, and inspect the traffic with intrusion and network discovery policies

Access control rules further define how traffic is handled by targeted devices, from simple IP address matching to complex scenarios involving different users, applications, ports, and URLs. For each rule, you specify a rule action, that is, whether to trust, monitor, block, or inspect matching traffic with an intrusion or file policy.

Access control can filter traffic based on Security Intelligence data, a feature that allows you to specify the traffic that can traverse your network, per access control policy, based on the source or destination IP address. This feature can create a blacklist of disallowed IP addresses whose traffic is blocked and not inspected.

The sample deployment illustrates common network segments. Deploying your managed devices in each of these locations serves different purposes. The following sections describe typical location recommendations:

Inside the Firewall, page 6-12, explains how access control functions on traffic that passes through the firewall.
On the DMZ, page 6-13, explains how access control within the DMZ can protect outward-facing servers.
On the Internal Network, page 6-14, explains how access control can protect your internal network from intentional or accidental attack.
On the Core Network, page 6-14, explains how an access control policy with strict rules can protect your critical assets.
On a Remote or Mobile Network, page 6-15, explains how access control can monitor and protect the network from traffic at remote locations or on mobile devices.

Inside the Firewall

Managed devices inside the firewall monitor inbound traffic allowed by the firewall or traffic that passes the firewall due to misconfiguration. Common network segments include the DMZ, the internal network, the core, mobile access, and remote networks.

The diagram below illustrates traffic flow through the Firepower System and provides some details on the types of inspection performed on that traffic. Note that the system does not inspect fast-pathed or blacklisted traffic. For traffic handled by an access control rule or default action, flow and inspection depend on the rule action. Although rule actions are not shown in the diagram for simplicity, the system does not perform any kind of inspection on trusted or blocked traffic. Additionally, file inspection is not supported with the default action.

Firepower 7000 Series Hardware Installation Guide
6-12