16-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Understanding Access Rules
will ask you if the rule can be created at the nearest valid location. You must accept the suggestion
or the rule will not be added to the table. You can always move the rule after creating it if the
suggested location is not ideal (but without violating the rules on order).
You cannot inherit a policy if the rules in the inherited policy will violate the required order. For
example, if you create global rules in the device policy, and try to inherit a shared policy that
contains interface-specific rules in the Default section, Security Manager will prevent you from
inheriting the policy.
After assigning or inheriting a shared policy, you cannot edit the policy in a way that will violate
rule order on any device that uses the policy.
If you assign or inherit a policy that contains global rules on a device that does not support them, all
global rules are ignored and not configured on the device. For example, if you permit all traffic from
host 10.100.10.10 in a global rule in a shared policy, and assign that policy to an IOS device, the
rule permitting 10.100.10.10 access is not configured on the IOS device, and traffic from that host
is handled either by another interface-specific policy, or the default deny all policy. As a good
practice, you should not assign shared policies that contain global rules to devices that do not
support them, to ensure that you do not mistakenly believe the policy defined in a global rule is being
configured on the unsupported device.
There are also some changes in how certain tools work with global rules:
Find/Replace—You can search for global rules by using the Global interface name. However, there
is no way to convert between global and interface-specific rules. Although you can find global rules
using the Global interface name, if you try to replace an interface name with the name “Global,” you
are actually creating an interface-specific access rule that uses a policy object named Global.
Rule Combiner—Interface-specific and global rules are never combined.
Related Topics
Understanding Access Rules, page 16-1
Understanding Device Specific Access Rule Behavior, page 16-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 16-5
Configuring Access Rules, page 16-7
Moving Rules and the Importance of Rule Order, page 12-19
Understanding Device Specific Access Rule Behavior
The following describes the default behavior of each device type when you do not create an access rule
policy, and what happens when you do create an access rule:
IOS devices—Permit all traffic through an interface.
When you create an access rule permitting source A to destination B without configuring TCP/UDP
inspection for that traffic in the inspection rule table, or configuring the established advanced option
on the rule, the device permits any packet from A to B. However, a returning packet from B to A is
not allowed unless a corresponding access rule permits that packet. If you configure TCP/UDP
inspection on the traffic in the inspection rule table, a rule permitting B to A is not needed in the
access rule policy, because any returning packet from B to A automatically passes through the device.
ASA and PIX devices—Permit traffic from a higher-security interface to a lower-security interface.
Otherwise, all traffic is denied.
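The IOS behavior described above, shown as the router configuration it corresponds to; this is an added example, not from the Cisco guide, with constructed addresses (host A 10.1.1.10 inside, host B 192.0.2.20 outside) and assumed interface and ACL names.

```cisco
! Added example (not from the guide). Constructed addresses and names:
! host A = 10.1.1.10 behind GigabitEthernet0/0 (inside)
! host B = 192.0.2.20 beyond GigabitEthernet0/1 (outside)
!
! Case 1: a plain access rule permitting A -> B. Packets from A to B pass,
! but B -> A replies arrive inbound on the outside interface, match nothing
! in OUTSIDE_IN_PLAIN and are dropped by the (otherwise implicit) deny.
ip access-list extended INSIDE_IN
 permit ip host 10.1.1.10 host 192.0.2.20
 deny ip any any log
!
ip access-list extended OUTSIDE_IN_PLAIN
 deny ip any any log
!
! Case 2: the "established" advanced option on the rule. Only TCP segments
! with ACK or RST set are let back in; this is flag matching, not session
! tracking, and does nothing for UDP replies.
ip access-list extended OUTSIDE_IN_ESTABLISHED
 permit tcp host 192.0.2.20 host 10.1.1.10 established
 deny ip any any log
!
! Case 3: TCP/UDP inspection (an entry in the inspection rule table).
! The router records sessions initiated from the inside and opens the
! return path dynamically, so no B -> A access rule is needed at all.
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
!
interface GigabitEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip inspect FW_INSPECT in
!
interface GigabitEthernet0/1
 description outside
 ip address 192.0.2.1 255.255.255.0
 ! Case 1 applies OUTSIDE_IN_PLAIN; case 2 applies OUTSIDE_IN_ESTABLISHED.
 ip access-group OUTSIDE_IN_PLAIN in
```

With inspection active on the inside interface (case 3), the plain outside ACL is sufficient because the inspection engine adds temporary openings for each tracked session's return traffic.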