Cisco FMC Access Policies and Rules

Access Control Policies can be accessed Policies -> Access Control -> Acess Control

Under the ACPs, there are few categories

  • Prefilter Policy – An ACL check that runs before the ACP evaluation. This allows or denies traffic without deep packet inspection, which may improve performance
  • SSL Policy – This tells the ACP how to handle encrypted traffic. This may decrypt traffic for inspection, block encrypted traffic, or allow encrypted traffic
  • Identity Policy – Used along with Realms to associate traffic with users

Access Control Rules

The access rule determines how to handle unmatched traffic. The default action may be a system policy, a policy inherited from a parent, or a custom Intrusion policy.
Default system actions include:

  • Block all traffic – Block without further inspection. This is the traditional ACL approach. Only allow through traffic that is explicitly permitted
  • Trust All Traffic – Allow without further inspection
  • Intrusion Prevention – Forward traffic to an Intrusion Policy for further inspection
  • Network Discovery – Used for discovering users and hosts only. Does not block traffic

Access Control Rule Configuration

When adding a new rule, there are many options (7) to choose from. Below section will walk through them one by one.

  • Allow – Allows traffic. There may yet be more inspections, such as Intrusion and File policies
  • Trust – Sends traffic straight to the egress interface, without any extra inspections. Identity policies and rate limiting still apply
  • Monitor – Logs traffic, and continues to the rest of the rules
  • Block – Drops traffic silently, causing the connection to timeout
  • Block with reset – Drops traffic, and sends a TCP FIN, so the connection closes rather than times out
  • ​Interactive Block – Displays a web page with conditions that users may accept. This is where the Interactive Block Response Page comes into play
  • ​​Interactive Block with Reset – Combination of interactive block, with a TCP FIN

What is Cisco Defense Orchestrator ?

CDO is a cloud-based multi-device management portal. In my opinion, this is the best solution for service providers like cloud services and managed service providers. Simply you do not have to access each and every management portal. Simply using CDO, all the CISO security devices can be managed.


  • Fast platform migration
  • Fast deployment and device on-boarding
  • Pre-defined security templates
  • Simple upgrade process
  • Integration of 3rd party integrations


Supported Devices:

  • Adaptive Security Appliance (ASA)
  • Firepower Thread Defense (FTD)
  • Firepower Management Center (FMC)
  • Cisco IOS devices with Security Module
  • Meraki MX

support matrix: Data Sheet