Cisco+ Secure Connect - Creating Access Policies for Private Applications and Network (Legacy)
This guide shows the legacy method of updating firewall policies in Umbrella Dashboard. The Cloud Firewall configuration is now part of the Secure Connect dashboard. Please review the Cloud Firewall guide for more information on defining a Private Application and Network rule.
The Secure Connect cloud-delivered firewall provides firewall services without the need to deploy, maintain and upgrade physical or virtual appliances at each site.
Through the firewall policy rules, you can filter traffic that is destined for private applications or networks at layer 3 and layer 4.
Prerequisites
- Define private applications and/or networks (see Defining Private Applications)
- If the rule leverages user identity, SAML must be configured
Deployment Considerations
A default rule is in place to block all private access traffic. This rule cannot be deleted, but it can be edited to allow traffic rather than block it; its source and destination criteria cannot be changed. This provides the flexibility to accommodate either a block-all or a permit-all policy model.
Private access policies apply to specific traffic flows; see Securing Access to Private Applications and Networks for more detail.
Configuration
- Navigate to Policies -> Firewall. This takes you to the Umbrella Dashboard.
- In the upper right-hand corner of the page, click Add.
- Select Private Applications and Networks as the Rule Type.
- Give your rule a descriptive Name and a Description, and choose a Priority Order. Rules are applied sequentially, with the Default Rule always in the last position. Priority Order positions the rule in the Firewall Policy in the order in which rules are evaluated and applied.
- Choose the Rule Action
- Choose the rule's criteria:
- Source CIDR IP Addresses (optional): the source addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each CIDR IP address, or choose Any.
- Identities (optional if a source IP was specified): select the groups and/or users to which the rule applies.
Group/user identity is only evaluated for traffic sourced from remote access (client-based) users.
- Destination CIDR IP Addresses: the destination addresses (IP or CIDR) to which the rule applies. Choose Specify IP and add each CIDR IP address, or choose Any.
- Private Applications: select the applications and/or application groups to which the rule applies.
- Choose a Time Zone, and configure Start and Expiration dates and times. Optionally, check Does Not Expire so that this rule never expires.
- Select an interval for the hit counter. If you disable logging for this firewall rule, the hit counter is also disabled. For more information, see Monitor Hit Count.
- Specify whether logging is desired
- Click Save
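To make the evaluation semantics above concrete (priority order, the Default Rule always last, Any criteria, identity evaluated only for remote-access traffic, and Expiration), here is an added example that models a private access policy and evaluates flows against it. It is not part of the original guide or the product; the rule field names and sample policy are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    # Hypothetical model of the rule fields described above; the field
    # names are this example's own, not the product's API or schema.
    name: str
    priority: int                         # lower number = evaluated earlier
    action: str                           # "allow" or "block"
    src_cidrs: Optional[list] = None      # None means Any
    identities: Optional[set] = None      # groups/users; None means Any
    dst_cidrs: Optional[list] = None      # None means Any
    apps: Optional[set] = None            # private apps/groups; None means Any
    expires: Optional[str] = None         # ISO 8601 UTC; None means Does Not Expire

# The default rule: always last, blocks all private access traffic. Its action
# may be edited to "allow" (permit-all model) but its criteria stay Any/Any.
DEFAULT_RULE = Rule("Default Rule", 10**9, "block")

def _in_cidrs(ip, cidrs):
    return cidrs is None or any(ip_address(ip) in ip_network(c) for c in cidrs)

def evaluate(rules, src_ip, dst_ip, app=None, identity=None,
             remote_access=False, now="2025-06-01T00:00:00+00:00"):
    """First matching rule (name, action) in priority order; default rule last."""
    ts = datetime.fromisoformat(now)
    for r in sorted(rules, key=lambda r: r.priority) + [DEFAULT_RULE]:
        if r.expires and ts > datetime.fromisoformat(r.expires):
            continue  # past its Expiration date: rule no longer applies
        if not _in_cidrs(src_ip, r.src_cidrs) or not _in_cidrs(dst_ip, r.dst_cidrs):
            continue
        if r.apps is not None and app not in r.apps:
            continue
        # Identity is only evaluated for remote-access (client-based) traffic;
        # this example treats an identity rule as not matching other traffic.
        if r.identities is not None and (not remote_access or identity not in r.identities):
            continue
        return r.name, r.action
    return DEFAULT_RULE.name, DEFAULT_RULE.action  # not reached: default matches all

# Constructed sample policy for demonstration.
RULES = [
    Rule("ERP for Finance users", 1, "allow", identities={"finance"}, apps={"erp"},
         expires="2030-01-01T00:00:00+00:00"),
    Rule("Branch to data centre", 2, "allow",
         src_cidrs=["10.10.0.0/16"], dst_cidrs=["10.0.0.0/24"]),
]
```

Evaluating the same ERP flow with remote_access=False falls through to the Default Rule, which is the practical consequence of identity being evaluated only for client-based users.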