Access Control
When you use the ASA CLI or ASDM to configure an ASA, you are always configuring a single device at a time.
In comparison, the access control policy in Secure Firewall Management Center is always a shared policy. You create the policy, then you assign it to one or more devices.
Typically, you would create an access control policy for multiple devices. For example, you might assign the same policy to all remote location firewalls (which connect remote sites to the main corporate network). Then, you might have a different policy for the firewalls that reside in your core data center. You can, of course, create separate policies for each device, but that is not an efficient use of a multiple device manager.
Whether a given access control rule will apply to a device is controlled by the interfaces specified in the rule:
- If you specify no interfaces, the rule applies to all devices that are assigned the policy.
- If you specify security zones, which are objects that are a list of specific device interfaces, the rule applies, and is deployed, to only those devices that have interfaces in the specified zones. Security zones do not simply include interface names, but "interface on device" pairs. For example, "inside on device1" could be in a zone that does not contain "inside on device2."
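The following Python model illustrates the deployment rule just described. It is an added example, not code from Cisco or from Secure Firewall Management Center: the device names, zone names and rules are constructed, and it assumes (as a reading of the text above) that a rule referencing zones is deployed to any assigned device that has at least one interface in any of the referenced zones. Zone members are "interface on device" pairs, so the same interface name on two devices can belong to different zones.

```python
"""Model of how a shared access control rule is targeted to devices by its
security zones. Illustrative only; names and data below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneMember:
    """A zone holds 'interface on device' pairs, never bare interface names."""
    device: str
    interface: str


@dataclass(frozen=True)
class SecurityZone:
    name: str
    members: frozenset  # frozenset[ZoneMember]


@dataclass(frozen=True)
class AccessRule:
    name: str
    source_zones: frozenset = frozenset()  # zone names; empty means "any"
    dest_zones: frozenset = frozenset()


def deployment_targets(rule, zones_by_name, assigned_devices):
    """Return the set of devices the rule is deployed to.

    - No zones on the rule: every device assigned the policy.
    - Zones on the rule: only assigned devices owning an interface in one of
      those zones (assumption: source and destination zones are unioned).
    A zone member whose device is not assigned the policy is ignored, since
    the policy never reaches that device.
    """
    assigned = set(assigned_devices)
    referenced = rule.source_zones | rule.dest_zones
    if not referenced:
        return assigned
    targets = set()
    for zone_name in referenced:
        for member in zones_by_name[zone_name].members:
            if member.device in assigned:
                targets.add(member.device)
    return targets


# Constructed sample data: three firewalls assigned this policy, plus one
# lab device that is a zone member but is NOT assigned the policy.
ASSIGNED = {"branch1", "branch2", "dc-fw1"}

ZONES = {
    "branch-inside": SecurityZone("branch-inside", frozenset({
        ZoneMember("branch1", "inside"),
        ZoneMember("branch2", "inside"),
        ZoneMember("lab-fw", "inside"),   # not assigned the policy
    })),
    "branch1-only": SecurityZone("branch1-only", frozenset({
        ZoneMember("branch1", "inside"),  # "inside on branch1" only
    })),
    "dc-inside": SecurityZone("dc-inside", frozenset({
        ZoneMember("dc-fw1", "inside"),
    })),
}

RULE_ALL = AccessRule("allow-dns")                       # no zones
RULE_BRANCH = AccessRule("branch-web", frozenset({"branch-inside"}))
RULE_BRANCH1_ONLY = AccessRule("branch1-mgmt", frozenset({"branch1-only"}))

if __name__ == "__main__":
    for rule in (RULE_ALL, RULE_BRANCH, RULE_BRANCH1_ONLY):
        print(rule.name, "->", sorted(deployment_targets(rule, ZONES, ASSIGNED)))
```

Running the block prints, for each constructed rule, the devices it would reach: the zone-less rule reaches all three assigned devices, the "branch-inside" rule reaches branch1 and branch2 but not the unassigned lab device, and the "branch1-only" rule reaches branch1 alone even though branch2 also has an interface named "inside".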
The following table shows the main access control features for the ASA, and where you would configure them, or their equivalents, on a Secure Firewall Threat Defense device.
| ASA Feature | Threat Defense Feature in Secure Firewall Management Center | Notes |
|---|---|---|
| Objects for Access Control. | Objects UI path: . See: Object Management. How To: Configure Dynamic Objects | You can also create network and port (service) objects when editing the access control policy. Also supported are security group tags and time ranges. Not supported (or needed) are network-service and local user groups. Additional objects you can use in access control rules: application filters, geolocation, interface security zones, URL, and VLAN tag. These objects apply to features not available on the ASA. |
| Access Control Lists (ACL) for non-access control groups/rules. | Access Control Lists (ACL) UI path: Standard and Extended ACLs: . Ethertype ACLs: . See: Object Management and FlexConfig Policies. How To: | You create objects for standard or extended ACLs, then use those objects when configuring routing or other features that require ACLs. |
| Access Control Rules—basic (network, port, protocol, ICMP). | Access Control Rules UI path: . See: Access Control Rules. How To: | The access control policy supports basic 5-tuple and VLAN access control rules. In addition, you can use geolocation objects to target IP addresses associated with particular geographical locations. You can also use prefilter policies to control tunneled traffic (such as GRE) and other 5-tuple traffic. Prefilter rules are processed before access control rules and are not available on the ASA. See . |
| Access Control Rules—user-based control | Access Control Rules UI path: To configure the rules for obtaining user name and group mappings, go to . You can then select user names and groups in access control rules; . See: Access Control Rules and User Identity Policies. How To: Configure an Access Control Policy Rule for a Dynamic Object | There are more options for obtaining user/group membership compared to the ASA. |
| Access Control Rules—security group and TrustSec | Access Control Rules UI path: To set up Identity Services Engine, go to . You can then select security group tags in access control rules; . See: Access Control Rules and User Control with ISE/ISE-PIC. | You can also use Identity Services Engine to gather username/user group information for user-based control. |
| Access Control Rules—layer 7 application control. (Not available on ASA.) | Access Control Rules UI path: . See: Access Control Rules. | You can write access control rules for applications that otherwise use the same protocol and port, enabling you to differentiate between different types of HTTP/HTTPS traffic, for example. Application filtering can help you apply more granular control than what is available on the ASA. |
| Access Control Rules—URL Filtering. | Access Control Rules UI path: . See: URL Filtering. | Requires a URL filtering license for controlling access based on URL category and reputation. You can also use the Security Intelligence policy defined within an access control policy to do early filtering based on URL or network object. The DNS policy can do the same thing for DNS lookup requests. |
| ICMP access rules for to-the-device traffic (icmp permit/deny and ipv6 icmp permit/deny commands). | ICMP access rules UI path: ICMP Access page. See: Platform Settings. | Like the access control policy, the platform settings policy is shared and you can apply the policy to multiple devices. |
| Cisco Umbrella | Cisco Umbrella UI path: . See: DNS Policies and Site-to-Site VPNs for Secure Firewall Threat Defense. | You can create Umbrella DNS policies and Umbrella SASE VPN topologies. |