Cisco+ Secure Connect - Creating Private Applications and Network Access Policies
The Secure Connect cloud-delivered firewall provides firewall services, without the need to deploy, maintain and upgrade physical or virtual appliances at each site.
Through the firewall policy rules, you can filter traffic that is destined for private applications or networks at layer 3 and layer 4.
Prerequisites
- Defined private applications and/or networks; see Defining Private Applications and Networks
- If the rule leverages user identity, SAML must be configured
Deployment Considerations
- By default a rule is in place to block all private access traffic.
This rule can be edited to allow traffic rather than block it, but its source and destination criteria cannot be changed. This provides the flexibility to accommodate either a block-all or a permit-all policy model.
- Private access policies apply to specific traffic flows; see Securing Access to Private Applications and Networks for more detail
Configuration
- Navigate to Policies -> Firewall, or click Network-Based Access Policy following a new private application definition
- In the upper right-hand corner of the page, click Add
- Select the Rule Type as Private Applications and Networks
- Give your rule a descriptive Name, a Description for the rule, and choose a Priority Order. Priority Order positions rules in the Firewall Policy in the order in which they are evaluated and applied. Rules are applied sequentially, with the Default Rule always in the last position.
- Choose the Rule Action
- Choose the rule's criteria:
- Source CIDR IP Addresses (optional): the source addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each CIDR IP address, or choose Any
- Identities (optional if a source IP was previously selected): select the groups and/or users to which the rule applies.
Group/user identity is only evaluated for traffic sourced from remote access (client-based) users
- Destination CIDR IP Addresses: the destination addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each CIDR IP address, or choose Any
- Private Applications: select the applications and/or application groups to which the rule applies
- Choose a Time Zone and configure Start and Expiration dates and times.
Optionally, check Does Not Expire so that the rule never expires.
- Select an interval for the hit counter. If you disable logging for this firewall rule, the hit counter is also disabled. For more information, see Monitor Hit Count.
- Specify whether logging is desired
- Click Save
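The evaluation model described above (first match in Priority Order, Default Rule last, Any versus specific CIDRs, identity criteria only applied to remote access users, Start/Expiration window, and a hit counter tied to logging) can be worked through in code. The following is an added example written for this page, not Cisco's implementation or API; the rule names, addresses, application names and user/group names are constructed, and the Rule and Flow fields are assumptions chosen to mirror the fields in the procedure.

```python
"""Toy first-match evaluator for private access firewall rules.

Added illustration only (not Cisco Secure Connect code): it models the ordering
and matching semantics the procedure describes. All rules, addresses, apps and
identities below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

UTC = timezone.utc


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    app: str                                          # private application name (constructed)
    remote_access: bool = False                       # True when sourced from a client-based user
    identities: Set[str] = field(default_factory=set)  # user and group names, if known
    when: datetime = field(default_factory=lambda: datetime.now(UTC))


@dataclass
class Rule:
    name: str
    priority: int                                     # Priority Order; lower is evaluated first
    action: str                                       # "Allow" or "Block"
    src_cidrs: Optional[List[str]] = None             # None means Any
    dst_cidrs: Optional[List[str]] = None             # None means Any
    apps: Optional[Set[str]] = None                   # None means Any
    identities: Optional[Set[str]] = None             # None means identity not used
    start: Optional[datetime] = None
    expires: Optional[datetime] = None                # None means Does Not Expire
    logging: bool = True
    hits: int = 0


def in_any(ip: str, cidrs: Optional[List[str]]) -> bool:
    """Any (None) matches everything; otherwise the address must fall in one CIDR."""
    if cidrs is None:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    # Rules outside their Start/Expiration window never match.
    if rule.start is not None and flow.when < rule.start:
        return False
    if rule.expires is not None and flow.when >= rule.expires:
        return False
    if not in_any(flow.src_ip, rule.src_cidrs) or not in_any(flow.dst_ip, rule.dst_cidrs):
        return False
    if rule.apps is not None and flow.app not in rule.apps:
        return False
    # Group/user identity is only evaluated for remote access (client-based) traffic,
    # so an identity-based rule can never match a site-to-site flow.
    if rule.identities is not None:
        if not flow.remote_access or not (flow.identities & rule.identities):
            return False
    return True


def evaluate(rules: List[Rule], default_rule: Rule, flow: Flow) -> Tuple[str, str]:
    """First match wins; rules ordered by Priority Order, Default Rule always last."""
    for rule in sorted(rules, key=lambda r: r.priority) + [default_rule]:
        if rule_matches(rule, flow):
            if rule.logging:          # disabling logging also disables the hit counter
                rule.hits += 1
            return rule.action, rule.name
    raise RuntimeError("the Default Rule must match all private access traffic")


def build_policy() -> Tuple[List[Rule], Rule]:
    """Constructed sample policy: two explicit rules plus a block-all Default Rule."""
    rules = [
        Rule("HR payroll access", 10, "Allow", apps={"payroll"}, identities={"hr-group"}),
        Rule("Branch to datacenter", 20, "Allow", src_cidrs=["10.10.0.0/16"],
             dst_cidrs=["10.50.0.0/24"], start=datetime(2024, 1, 1, tzinfo=UTC)),
    ]
    default = Rule("Default Rule", 9999, "Block", logging=False)  # source/destination stay Any
    return rules, default


def demo() -> Tuple[dict, dict]:
    """Evaluate four constructed flows and report verdicts and hit counts."""
    rules, default = build_policy()
    now = datetime(2025, 6, 1, 12, 0, tzinfo=UTC)
    flows = {
        "hr_user": Flow("100.64.1.5", "10.50.0.10", "payroll", remote_access=True,
                        identities={"alice", "hr-group"}, when=now),
        "branch": Flow("10.10.3.4", "10.50.0.10", "payroll", when=now),
        "other_user": Flow("100.64.1.6", "10.50.0.10", "payroll", remote_access=True,
                           identities={"bob", "sales-group"}, when=now),
        "unknown_site": Flow("192.168.1.1", "10.50.0.10", "payroll", when=now),
    }
    verdicts = {name: evaluate(rules, default, f) for name, f in flows.items()}
    hits = {r.name: r.hits for r in rules + [default]}
    return verdicts, hits


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the points worth checking before saving a rule: the site-to-site "branch" flow is allowed only by the CIDR rule, because the identity rule cannot match traffic that has no client-based user behind it; the remote user outside hr-group falls through to the Default Rule; and the Default Rule's hit counter stays at zero because logging is disabled on it.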