This repository was archived by the owner on Aug 13, 2022. It is now read-only.

Commit d1453a9

Merge pull request #67 from CiscoDevNet/klevenst107
Revisions FMC 107 (Access control)
2 parents 8753121 + f67c7e3 commit d1453a9


6 files changed

+237
-239
lines changed


labs/firepower-restapi-107/0.md

Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
# Firewall Management Center (FMC) access control policies
2+
3+
This Learning Lab teaches a basic understanding of managing FMC access control policies with the REST API.
4+
5+
## Objectives
6+
The objective of this lab is to teach:
7+
8+
* What access control policies are.
9+
* How to perform GET and POST operations on FMC access control policies to configure NGFW and other Firepower devices.
10+
11+
## Prerequisites
12+
13+
* A development environment with typical tools and applications, as well as [Postman](https://www.getpostman.com/).
14+
* Basic understanding of REST principles. Complete the [REST API Fundamentals Learning Lab](https://learninglabs.cisco.com/tracks/devnet-beginner/rest-api-fundamentals/what-are-rest-apis/).
15+
* Basic understanding of FCM REST APIs and the FMC REST API Explorer. Complete [Exploring Firepower Management Center (FMC) REST APIs](https://learninglabs.cisco.com/modules/Firepower/firepower-restapi-101/).
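Review bot: typo in the third Prerequisites bullet (line 15): "FCM REST APIs" should read "FMC REST APIs", matching the link text on the same line and the abbreviation introduced in the page title.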

labs/firepower-restapi-107/1.md

Lines changed: 16 additions & 30 deletions
@@ -1,14 +1,6 @@
1-
# FMC REST API 107
1+
# What are access control policies?
22

3-
## Objectives
4-
5-
This lab teaches a basic understanding of FMC access control policies and CRUD operations using REST API. You will learn how to do operations (GET, POST) on Firepower management center (FMC) access control policy to configure NGFW and other Firepower devices.
6-
7-
## Prerequisites
8-
It's best if you have a basic understanding of REST principles, Firewalls, FMC REST API.
9-
10-
## Firepower Management Center (FMC) policy
11-
Access control is a hierarchical policy-based feature that allows you to specify, inspect, and log (non-fast-pathed) network traffic. Especially useful in multidomain deployments, you can nest access control policies, where each policy inherits the rules and settings from an ancestor (or base) policy. You can enforce this inheritance, or allow lower-level policies to override their ancestors. Each managed device can be targeted by one access control policy.
3+
Access control is a hierarchical policy-based feature that allows you to specify, inspect, and log (non-fast-pathed) network traffic. You can nest access control policies, such that child policies inherit the rules and settings from a parent or base policy. You can enforce this inheritance, or allow child policies to override their parents. Each managed device can be targeted by one access control policy.
124

135
The data that the policy’s target devices collect about your network traffic can be used to filter and control that traffic based on:
146
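Review bot: the rewritten line 3 narrows "an ancestor (or base) policy" to "a parent or base policy", while the Rules paragraph later in this file still says "rules inherited from ancestor policies"; settle on one pair of terms (parent/child or ancestor/descendant) and use it throughout, since inheritance can span more than one level. Dropping "Especially useful in multidomain deployments" from this paragraph is fine, as the Inheritance settings paragraph in this file still makes that point.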

@@ -17,34 +9,28 @@ The data that the policy’s target devices collect about your network traffic c
179
* Realm, user, user group, or ISE attribute.
1810
* Custom Security Group Tag (SGT).
1911
* Characteristics of encrypted traffic; you can also decrypt this traffic for further analysis.
20-
* Whether unencrypted or decrypted traffic contains a prohibited file, detected malware, or intrusion attempt, each type of traffic inspection and control occurs where it makes the most sense for maximum flexibility and performance. For example, reputation-based blacklisting uses simple source and destination data, so it can block prohibited traffic early in the process. In contrast, detecting and blocking intrusions and exploits is a last-line defense.
12+
* Whether unencrypted or decrypted traffic contains a prohibited file, detected malware, or intrusion attempt.
13+
14+
Each type of traffic inspection and control occurs where it makes the most sense for maximum flexibility and performance. For example, reputation-based blacklisting uses simple source and destination data, so it can block prohibited traffic early in the process. In contrast, detecting and blocking intrusions and exploits is a last-line defense.
2115

2216
Although you can configure the system without licensing your deployment, many features require that you enable the appropriate licenses before you deploy. Also, some features are only available on certain device models. Warning icons and confirmation dialog boxes designate unsupported features.
2317

18+
## Access control policy components
19+
20+
**Name and description**: Each access control policy must have a unique name. A description is optional.
2421

25-
### Access control policy components
22+
**Inheritance settings**: Policy inheritance allows you to create a hierarchy of access control policies. A parent (or base) policy defines and enforces default settings for the child policies, which is especially useful in multidomain deployments. A policy's inheritance settings allow you to select its base policy. You can also lock settings in the current policy to force any child policies to inherit them. Child policies can override unlocked settings.
2623

27-
##### **Name and description**
28-
Each access control policy must have a unique name. A description is optional.
29-
##### **Inheritance settings**
30-
Policy inheritance allows you to create a hierarchy of access control policies. A parent (or base) policy defines and enforces default settings for its descendants, which is especially useful in multidomain deployments. A policy's inheritance settings allow you to select its base policy. You can also lock settings in the current policy to force any descendants to inherit them. Descendant policies can override unlocked settings.
24+
**Policy assignment**: Each access control policy identifies the devices that use it. Each device can be targeted by only one access control policy. In a multidomain deployment, you can require that all the devices in a domain use the same base policy.
3125

32-
##### **Policy assignment**
33-
Each access control policy identifies the devices that use it. Each device can be targeted by only one access control policy. In a multidomain deployment, you can require that all the devices in a domain use the same base policy.
26+
**Rules**: Access control rules provide a granular method of handling network traffic. Rules in an access control policy are numbered, starting at 1, including rules inherited from ancestor policies. The system matches traffic to access control rules in top-down order by ascending rule number. Usually, the system handles network traffic according to the first access control rule, where all the rule’s conditions match the traffic. Conditions can be simple or complex, and their use often depends on certain licenses.
3427

35-
##### **Rules**
36-
Access control rules provide a granular method of handling network traffic. Rules in an access control policy are numbered, starting at 1, including rules inherited from ancestor policies. The system matches traffic to access control rules in top-down order by ascending rule number. Usually, the system handles network traffic according to the first access control rule, where all the rule’s
37-
conditions match the traffic. Conditions can be simple or complex, and their use often depends on certain licenses.
28+
**Default action**: The default action determines how the system handles and logs traffic that is not handled by any other access control configuration. The default action can block or trust all traffic without further inspection, or inspect traffic for intrusions and discovery data. Although an access control policy can inherit its default action from a parent policy, you cannot enforce this inheritance.
3829

39-
##### **Default action**
40-
The default action determines how the system handles and logs traffic that is not handled by any other access control configuration. The default action can block or trust all traffic without further inspection, or inspect traffic for intrusions and discovery data.
41-
Although an access control policy can inherit its default action from an ancestor policy, you cannot enforce this inheritance.
30+
**Security intelligence**: Security Intelligence is a first line of defense against malicious internet content. This feature allows you to blacklist (block) connections based on the latest IP address, URL, and domain name reputation intelligence. To ensure continual access to vital resources, you can override blacklists with custom whitelists.
4231

43-
##### **Security intelligence**
44-
Security Intelligence is a first line of defense against malicious internet content. This feature allows you to blacklist (block) connections based on the latest IP address, URL, and domain name reputation intelligence. To ensure continual access to vital resources, you can override blacklists with custom whitelists.
32+
**HTTP responses**: When the system blocks a user’s website request, you can either display a generic system-provided response page, or a custom page. You can also display a page that warns users, but also allows them to continue to the originally requested site.
4533

46-
##### **HTTP responses**
47-
When the system blocks a user’s website request, you can either display a generic system-provided response page, or a custom page. You can also display a page that warns users, but also allows them to continue to the originally requested site.
34+
**Advanced access control options**: Advanced access control policy settings typically require little or no modification. Often, the default settings are appropriate.
4835

49-
##### **Advanced access control options**
50-
Advanced access control policy settings typically require little or no modification. Often, the default settings are appropriate.
36+
**Next**: Access control policy default actions
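Review bot: the Next pointer on line 36 reads "Access control policy default actions" (plural) while the heading this same PR adds to 2.md is "# Access control policy default action" (singular); align the navigation label with the page title.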

labs/firepower-restapi-107/2.md

Lines changed: 11 additions & 22 deletions
@@ -1,5 +1,7 @@
1-
### Access Control Policy Default Action
2-
In a simple access control policy, the default action specifies how target devices handle all traffic. In a more complex policy, the default action handles traffic that:
1+
# Access control policy default action
2+
3+
In a simple access control policy, the default action specifies how target devices handles all traffic. In a more complex policy, the default action handles traffic that:
4+
35
* is not trusted by Intelligent Application Bypass.
46
* is not blacklisted by Security Intelligence.
57
* is not blocked by SSL inspection (encrypted traffic only).
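Review bot: the new line 3 introduces a subject-verb agreement error, "how target devices handles all traffic"; the removed line 2 had the correct "handle", so restore it.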
@@ -8,6 +10,8 @@ or inspect—traffic).
810

911
The access control policy default action can block or trust traffic without further inspection, or inspect traffic for intrusions and discovery data.
1012

13+
The following table lists different default actions and what they do to network traffic.
14+
1115
| Default Action | Effect on Traffic | Inspection Type and Policy |
1216
|:-----------------------------------|:------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
1317
| Access Control: Block All Traffic | block without further inspection | none |
@@ -17,27 +21,12 @@ The access control policy default action can block or trust traffic without furt
1721
| Inherit from base policy | defined in base policy | defined in base policy |
1822

1923
<br>
20-
***The following diagrams illustrate the Table above ***
21-
22-
![Figure: Table illustration ](/posts/files/firepower-restapi-107/assets/images/image1.jpg)
23-
24-
***The following diagrams illustrate the Block All Traffic and Trust All Traffic default actions.***
25-
26-
![Figure: Block All Traffic and Trust All Traffic default actions ](/posts/files/firepower-restapi-107/assets/images/image2.jpg)
27-
28-
***The following diagrams illustrate the Intrusion Prevention and Network Discovery Only default actions.***
29-
30-
![Figure: Intrusion Prevention and Network Discovery default actions ](/posts/files/firepower-restapi-107/assets/images/image3.jpg)
31-
24+
The following diagrams provide visual representations of these actions.
3225

33-
### Access control policy inheritance
34-
Access control uses a hierarchical, policy-based implementation that complements multitenancy. Just as you create a domain hierarchy, you can create a corresponding hierarchy of access control policies. For a descendant, or child, access control policy inherits rules and settings from its direct parent, or base, policy. That base policy may have its own parent policy from which it inherits rules and settings, and so on.
26+
![Figure: Table illustration ](assets/images/image1.jpg)
3527

36-
An access control policy’s rules are nested between its parent policy’s Mandatory and Default rule sections. This implementation enforces Mandatory rules from ancestor policies, but allows the current policy to write rules that preempt Default rules from ancestor policies.
28+
![Figure: Block All Traffic and Trust All Traffic default actions ](assets/images/image2.jpg)
3729

38-
You can lock the following settings to enforce them in all descendant policies. Descendant policies can override unlocked settings.
39-
* `Security Intelligence` — blacklisting and whitelisting connections based on the latest IP address, URL, and domain name reputation intelligence.
40-
* `HTTP Response pages` — displaying a custom or system-provided response page when you block a user's website request.
41-
* `Advanced settings` — specifying associated subpolicies, network analysis settings, performance settings, and other general options.
30+
![Figure: Intrusion Prevention and Network Discovery default actions ](assets/images/image3.jpg)
4231

43-
Although an access control policy can inherit its default action from an ancestor policy, you cannot enforce this inheritance.
32+
**Next**: Access control policy inheritance
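Review bot: the image paths on lines 26, 28 and 30 change from absolute `/posts/files/firepower-restapi-107/assets/images/...` to relative `assets/images/...`; confirm the Learning Lab renderer resolves relative paths from the markdown file's directory, otherwise all three figures break. Separately, the "Access control policy inheritance" section removed here (old lines 33 to 43, including the lockable-settings list and the statement that default-action inheritance cannot be enforced) must reappear in the page the new Next pointer names, which is not among the three files shown in this view. Minor: the three alt texts keep a trailing space before the closing bracket.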
