16-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Configuring Access Rules
Note If you have conflict detection enabled, Security Manager will analyze the new rule to see if it
conflicts or overlaps with other rules. For more information, see Using Automatic Conflict
Detection, page 16-25.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-19. There are special restrictions for moving rules when you mix
interface-specific and global rules; see Understanding Global Access Rules, page 16-3.
Step 5 If you already have a large number of rules, consider analyzing and combining them before deploying
the new rules. You can use the conflict detection tool to analyze your rules (see Using Automatic Conflict
Detection, page 16-25). If analysis shows that you have a lot of redundant rules, right-click anywhere in
the rules table and choose Combine Rules to combine them. You can either allow Security Manager to
evaluate all rules for combination, or just the rules you select before starting the rule combination tool.
For more information, see Combining Rules, page 12-22.
Access Rules Page
Use the Access Rules page to configure access control rules for device interfaces. Access rules policies
define the rules that allow or deny traffic to transit an interface. Typically, you create access rules for
traffic entering an interface, because if you are going to deny specific types of packets, it is better to do
it before the device spends a lot of time processing them. Access rules are processed before other types
of firewall rules.
Note With the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, the separate policies
and objects for configuring IPv4 and IPv6 access rules were “unified,” meaning one set of access rules
in which you can use either IPv4 or IPv6 addresses, or a mixture of both. (See Policy Object Changes in
Security Manager 4.4, page 1-9 for additional information.) In Policy view, IPv4 and unified versions of
the access policy type are provided. In addition, a utility that you can use to convert existing IPv4
policies is provided (see Converting IPv4 Rules to Unified Rules, page 12-28). The following
descriptions apply to all versions of the access rule table, except where noted.
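The analysis that Step 5 and the conflict detection tool perform on a rule table (finding rules that a rule above them already fully covers, and merging adjacent rules whose networks collapse into one) can be reproduced offline on a simplified rule model. The script below is an added example written for this guide and is not Security Manager code; the rule fields (action, protocol, source, destination, destination port), the keywords any/any4/any6, the finding names (redundant, shadowed, partial-conflict) and the sample table are all assumptions chosen for illustration, and the table mixes IPv4 and IPv6 entries the way the unified access rule table does. Evaluation is first-match, top to bottom, as on the device.

```python
"""Offline checker for an ordered firewall access-rule table.

Added example, not Security Manager code. Classifies each rule against the
rules above it: redundant (fully covered, same action), shadowed (fully
covered, opposite action) or partial-conflict (overlapping, opposite action).
Also merges adjacent rules whose source networks collapse into one network.
Requires Python 3.7+ (dataclasses, ipaddress.subnet_of).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
ANY_KEYWORDS = ("any", "any4", "any6")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "deny"
    protocol: str         # "ip" covers every protocol; otherwise e.g. "tcp"
    src: str              # CIDR, "any4", "any6" or "any" (both families)
    dst: str
    dport: Optional[int]  # None means any destination port


def networks(spec: str):
    """Expand an address spec into the concrete networks it denotes."""
    if spec == "any":
        return [ANY_V4, ANY_V6]
    if spec == "any4":
        return [ANY_V4]
    if spec == "any6":
        return [ANY_V6]
    return [ipaddress.ip_network(spec, strict=False)]


def covers(outer, inner) -> bool:
    """Every network in inner lies inside a same-family network in outer."""
    return all(any(i.version == o.version and i.subnet_of(o) for o in outer)
               for i in inner)


def overlaps(a, b) -> bool:
    """Some network in a shares at least one address with a network in b."""
    return any(x.version == y.version and (x.subnet_of(y) or y.subnet_of(x))
               for x in a for y in b)


def rule_covers(outer: Rule, inner: Rule) -> bool:
    """Every packet matched by inner is also matched by outer."""
    return ((outer.protocol == "ip" or outer.protocol == inner.protocol)
            and (outer.dport is None or outer.dport == inner.dport)
            and covers(networks(outer.src), networks(inner.src))
            and covers(networks(outer.dst), networks(inner.dst)))


def rule_overlaps(a: Rule, b: Rule) -> bool:
    """Some packet is matched by both a and b."""
    return (("ip" in (a.protocol, b.protocol) or a.protocol == b.protocol)
            and (None in (a.dport, b.dport) or a.dport == b.dport)
            and overlaps(networks(a.src), networks(b.src))
            and overlaps(networks(a.dst), networks(b.dst)))


def analyze(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule, finding, earlier_rule) triples; first match wins."""
    findings = []
    for i, later in enumerate(rules):
        earlier_rules = rules[:i]
        covering = next((e for e in earlier_rules if rule_covers(e, later)), None)
        if covering is not None:
            kind = "redundant" if covering.action == later.action else "shadowed"
            findings.append((later.name, kind, covering.name))
            continue  # dead rule: it can never match traffic
        for e in earlier_rules:
            if e.action != later.action and rule_overlaps(e, later):
                findings.append((later.name, "partial-conflict", e.name))
    return findings


def combine_adjacent(rules: List[Rule]) -> List[Rule]:
    """Merge neighbouring rules that differ only in source and whose sources
    collapse into a single network (e.g. two /25s into one /24)."""
    out: List[Rule] = []
    for r in rules:
        prev = out[-1] if out else None
        if (prev is not None
                and (prev.action, prev.protocol, prev.dst, prev.dport)
                == (r.action, r.protocol, r.dst, r.dport)
                and prev.src not in ANY_KEYWORDS and r.src not in ANY_KEYWORDS):
            a, b = networks(prev.src)[0], networks(r.src)[0]
            if a.version == b.version:
                merged = list(ipaddress.collapse_addresses([a, b]))
                if len(merged) == 1:
                    out[-1] = Rule(prev.name + "+" + r.name, prev.action,
                                   prev.protocol, str(merged[0]), prev.dst, prev.dport)
                    continue
        out.append(r)
    return out


# Constructed sample table (assumption; not taken from any real deployment).
SAMPLE_RULES = [
    Rule("R1", "deny",   "tcp", "10.1.1.5/32",     "any4", 22),
    Rule("R2", "permit", "tcp", "10.1.1.0/24",     "any4", 22),
    Rule("R3", "permit", "tcp", "10.1.1.0/25",     "any4", 22),
    Rule("R4", "permit", "tcp", "2001:db8::/32",   "any",  443),
    Rule("R5", "deny",   "tcp", "2001:db8:1::/48", "any6", 443),
    Rule("R6", "permit", "ip",  "any",             "any",  None),
]

if __name__ == "__main__":
    for rule, kind, other in analyze(SAMPLE_RULES):
        print(f"{rule}: {kind} (earlier rule {other})")
    print([r.name for r in combine_adjacent(SAMPLE_RULES)])
```

On the sample table, R3 is reported redundant (R2 already permits everything it permits) and R5 is reported shadowed (R4 permits the same traffic first, so the deny never takes effect). The partial-conflict findings are not necessarily errors: a host-specific deny placed above a subnet-wide permit (R1 before R2) is a deliberate ordering, which is why a tool can only flag such overlaps for review rather than remove them. Combining merges R2 and R3 into one rule with source 10.1.1.0/24, after which the redundant finding disappears.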
Read the following topics before you configure access rules:
Understanding Access Rules, page 16-1
Understanding Global Access Rules, page 16-3
Understanding Device Specific Access Rule Behavior, page 16-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 16-5
Configuring Access Rules, page 16-7
Tip Disabled rules are grayed out. When you deploy the configuration, disabled rules are removed from the
device. For more information, see Enabling and Disabling Rules, page 12-20.
Navigation Path
To open the Access Rules page, do one of the following: