Access control rules provide a granular method of
handling network traffic across multiple managed devices. The system matches
traffic to access control rules in the order you specify. In most cases, the
system handles network traffic according to the
first access control rule where
all the rule’s conditions match the traffic.
An access control rule’s
action determines how the system handles
matching traffic. You can monitor, trust, block, or allow (with or without
further inspection) matching traffic.
The following diagram shows the flow of traffic in an inline intrusion prevention and AMP for Networks deployment, as governed by an access control policy that contains four different types of access control rules and a default
In the scenario above, the first three access
control rules in the policy—Monitor, Trust, and Block—cannot inspect matching
traffic. Monitor rules track and log but do not inspect network traffic, so the
system continues to match traffic against additional rules to determine whether
to permit or deny it. Trust and Block rules handle matching traffic without
further inspection of any kind, while traffic that does not match continues to
the next access control rule.
The fourth and final rule in the policy, an Allow
rule, invokes various other policies to inspect and handle matching traffic, in
the following order:
Discovery Policy—First, the network discovery policy inspects traffic for
discovery data. Discovery is passive analysis and does not affect the flow of
traffic. Although you do not explicitly enable discovery, you can enhance or
disable it. However, allowing traffic does not automatically guarantee
discovery data collection. The system performs discovery only for connections
involving IP addresses that are explicitly monitored by your network discovery
AMP for Networks and File Control: File Policy—After traffic is inspected by discovery, the system can inspect it for prohibited files and malware. AMP for Networks detects and optionally blocks malware in many types of files, including PDFs, Microsoft Office documents, and others. If
your organization wants to block not only the transmission of malware files, but all files of a specific type (regardless
of whether the files contain malware), file control allows you to monitor network traffic for transmissions of specific file types, then either block or allow the file.
Intrusion Policy—After file inspection, the system can inspect traffic for
intrusions and exploits. An intrusion policy examines decoded packets for
attacks based on patterns, and can block or alter malicious traffic. Intrusion
policies are paired with
variable sets, which allow you to use
named values to accurately reflect your network environment.
Destination—Traffic that passes all the checks
described above passes to its destination.
An Interactive Block rule (not shown in the
diagram) has the same inspection options as an Allow rule. This is so you can
inspect traffic for malicious content when a user bypasses a blocked website by
clicking through a warning page.
Traffic that does not match any of the non-Monitor
access control rules in the policy is handled by the default action. In this
scenario, the default action is an Intrusion Prevention action, which allows
traffic to its final destination as long as it is passed by the intrusion
policy you specify. In a different deployment, you might have a default action
that trusts or blocks all traffic without further inspection. Note that the
system can inspect traffic allowed by the default action for discovery data and
intrusions, but not prohibited files or malware. You
cannot associate a file policy with the
access control default action.
Sometimes, when a connection is analyzed by an
access control policy, the system must process the first few packets in that
allowing them to pass, before it can
decide which access control rule (if any) will handle the traffic. However, so
these packets do not reach their destination uninspected, you can use an
intrusion policy—called the default intrusion policy—to inspect them and
generate intrusion events.