The Application criteria of an access rule defines the application used in an IP connection, or a filter that defines applications by type, category, tag, risk, or business relevance. The default is any application.
Although you can specify individual applications in the rule, application filters simplify policy creation and administration. For example, you could create an access control rule that identifies and blocks all high-risk, low-business-relevance applications. If a user attempts to use one of those applications, the session
In addition, Cisco frequently updates existing application detectors and adds new ones through system and vulnerability database (VDB) updates. Thus, a rule blocking high-risk applications can automatically apply to newly detected applications without you having to update the rule manually.
You can specify applications and filters directly in the rule, or create application filter objects that define those characteristics. The two specifications are equivalent, although using objects can make it easier to stay within the 50-items-per-criteria system limit if you are creating a complex rule.
To modify the application and filters list, click the + button within the condition, select the desired applications or application filter objects, which are listed on separate tabs, and click OK in the popup dialog box. On either tab, you can click Filter to select filter criteria or to help you search for specific applications. Click the x for an application, filter, or object to remove it from the policy. Click the Filter link to save the combined criteria that is not already an object as a new application filter object.
You can use the Filter criteria to identify the application or filter to match in the rule. These are the same elements used in application filter objects. Selections within a single filter criterion have an OR relationship; for example, Risk is High OR Very High. The relationship between different filter criteria is AND, so Risk is High OR Very High, AND Business Relevance is Low OR Very Low. As you select filters, the list of applications in the display updates to show only those that meet the criteria. You can use these filters to help you find applications that you want to add individually, or to verify that you are selecting the desired filters to add to the rule.
Risk—The likelihood that the application is used for purposes that might be against your organization's security policy, from very low to very high.
Business Relevance—The likelihood that the application is used within the context of your organization's business operations, as opposed to recreationally, from very low to very high.
Type—The type of application:
Application Protocol—Application protocols such as HTTP and SSH, which represent communications between hosts.
Client Protocol—Clients such as web browsers and email clients, which represent software running on the host.
Web Application—Web applications such as MPEG video and Facebook, which represent the content or requested URL for HTTP traffic.
Category—A general classification for the application that describes its most essential function.
Tag—Additional information about the application, similar to category. For encrypted traffic, the system can identify and filter traffic using only the applications that carry the Protocol tag marking them as detectable in encrypted sessions. Applications without this tag can only be detected in unencrypted or decrypted traffic. Also, the system assigns the decrypted traffic tag to applications that the system can detect in decrypted traffic only, not in encrypted or unencrypted traffic.
Applications List (bottom of the display)—This list updates as you select filters from the options above it, so you can see the applications that currently match the filter. Use this list to verify that your filter is targeting the desired applications when you intend to add filter criteria to the rule. If your intention is to add specific applications, select them from this list.
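The OR-within-a-criterion, AND-between-criteria matching described above, modelled as an added example (not Cisco code): the application catalog and its attribute values are constructed for illustration, and the per-criterion item counting in the limit check is an assumption that each selected application or filter object counts as one item.

```python
# Added example, not Cisco code: models how access-rule application filter
# criteria combine. Values chosen within one criterion are ORed together;
# separate criteria are ANDed. Catalog entries below are constructed.
from typing import Dict, Iterable, List, Set

CATALOG: List[Dict[str, object]] = [
    {"name": "app-a", "risk": "Very High", "business_relevance": "Very Low",
     "type": "Web Application", "category": "file sharing", "tags": {"p2p"}},
    {"name": "app-b", "risk": "High", "business_relevance": "Low",
     "type": "Client Protocol", "category": "games", "tags": set()},
    {"name": "app-c", "risk": "Low", "business_relevance": "Very High",
     "type": "Application Protocol", "category": "collaboration", "tags": set()},
    {"name": "app-d", "risk": "High", "business_relevance": "High",
     "type": "Web Application", "category": "social networking", "tags": set()},
]

MAX_ITEMS_PER_CRITERIA = 50  # system limit stated on the page


def matches_filter(app: Dict[str, object], criteria: Dict[str, Set[str]]) -> bool:
    """True if the app satisfies every criterion (AND), where a criterion is
    satisfied by any one of its selected values (OR). Empty selection = any."""
    for attribute, selected in criteria.items():
        if not selected:
            continue
        value = app[attribute]
        if attribute == "tags":
            # tags is a set on the app; any overlap with the selection matches
            if not (value & selected):
                return False
        elif value not in selected:
            return False
    return True


def applications_matching(catalog: Iterable[Dict[str, object]],
                          criteria: Dict[str, Set[str]]) -> List[str]:
    """The applications list the UI refreshes as filters are selected."""
    return [a["name"] for a in catalog if matches_filter(a, criteria)]


def within_item_limit(applications: Iterable[str], filter_objects: Iterable[str]) -> bool:
    """Assumption: each individually selected application and each filter
    object counts as one item, so bundling characteristics into an object
    keeps a complex rule under the per-criteria limit."""
    return len(list(applications)) + len(list(filter_objects)) <= MAX_ITEMS_PER_CRITERIA
```

Running the page's own example (Risk High OR Very High, AND Business Relevance Low OR Very Low) against the constructed catalog returns only app-a and app-b; app-d has high risk but high business relevance, so the AND excludes it.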