Summary: The Access Control Policy is the primary traffic classification and enforcement mechanism on FTD; it evaluates rules in order, applying actions from Allow to Block with optional intrusion and file inspection.
An Access Control Policy (ACP) is the top-level policy on an FTD device that determines how traffic is handled. Every packet flows through the ACP and matches a rule — or hits the default action if no rule matches.
An ACP is configured in Firepower Management Center (FMC) and deployed to one or more FTD devices.
Key concepts:
The default action applies to traffic that matches no rule. Options:
| Default Action | Behaviour |
|---|---|
| Block All Traffic | Drop all unmatched traffic |
| Trust All Traffic | Pass all unmatched traffic without inspection |
| Intrusion Prevention | Allow with intrusion inspection (IPS) |
| Network Discovery Only | Allow, send to discovery engine (no IPS) |
Set default action in FMC under Policies → Access Control → → Default Action.
⚠️ Default Action Risk
"Trust All Traffic" passes traffic without any inspection — use only where all permitted traffic is explicitly allowed via rules above. "Block All Traffic" is the safer baseline; add explicit allow rules above it.
Each ACP rule has the following fields:
| Field | Description |
|---|---|
| Name | Descriptive rule label |
| Enabled | Toggle rule on/off without deleting |
| Action | What to do with matching traffic |
| Source / Destination Zones | Security zones (interface groupings) |
| Source / Destination Networks | IP addresses, ranges, network objects |
| Source / Destination Ports | TCP/UDP port objects |
| Applications | Application layer (App-ID) |
| Users | Identity-based matching (requires ISE/AD) |
| URLs | URL categories and reputations |
| Intrusion Policy | IPS policy applied if action is Allow |
| File Policy | AMP/file inspection policy |
| Logging | Log at connection start, end, or both |
Permits the traffic to pass. Optionally applies intrusion and file policies for inspection.
```text
Action: Allow
Intrusion Policy: Balanced Security and Connectivity
File Policy: Block Malware-All
```
Traffic is allowed but inspected for threats. Connections that trigger intrusion rules are blocked or alerted depending on the IPS policy.
Drops all matching traffic silently. No RST is sent to the source.
```text
Action: Block
(No intrusion or file policy needed — traffic is dropped)
```
Drops traffic and sends TCP RST to the source, terminating the connection immediately.
```text
Action: Block with Reset
```
Useful for applications that hang waiting for a response — RST speeds up failure detection.
Displays an HTTP block page to the user (HTTP/HTTPS traffic only). User can optionally bypass the block.
```text
Action: Interactive Block
(Redirect to block page)
```
Passes traffic without any inspection — bypasses IPS, file policy, and deep inspection.
```text
Action: Trust
(Use for trusted high-volume flows: backups, replication)
```
⚠️ Trust vs Allow
Trust skips all inspection. Allow with no intrusion policy is similar but traffic still flows through the inspection engine. Use Trust only for explicitly trusted, high-bandwidth flows where inspection is not required and performance matters.
Does not act on traffic — logs the match and continues to the next rule. Used for visibility without blocking.
```text
Action: Monitor
(Log traffic; continue evaluating remaining rules)
```
FTD evaluates rules in this order:
1. Prefilter Policy → Fastpath or Block before full inspection
2. SSL Policy → TLS decryption (if configured)
3. Identity Policy → User/group identification
4. Access Control Rules → Top-to-bottom, first match
5. Default Action → No rule matched
Within the ACP, rules are evaluated top to bottom. First match wins — place more specific rules above general rules.
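The evaluation behaviour described above (top-to-bottom first match, Monitor logging and continuing, Trust skipping inspection, Allow inspected only when an intrusion policy is attached, and the default action catching unmatched flows) as a small added model. This is example code written for this page, not Cisco's implementation; the zones, networks and rule names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                     # Allow, Trust, Block, Block with Reset, Monitor
    src_zones: set = field(default_factory=set)    # empty = any source zone
    dst_nets: list = field(default_factory=list)   # empty = any destination network
    dst_ports: set = field(default_factory=set)    # empty = any destination port
    intrusion_policy: str = ""                     # only meaningful when action is Allow
    enabled: bool = True

    def matches(self, zone, dst_ip, dst_port):
        return (self.enabled
                and (not self.src_zones or zone in self.src_zones)
                and (not self.dst_nets or any(ip_address(dst_ip) in n for n in self.dst_nets))
                and (not self.dst_ports or dst_port in self.dst_ports))

def evaluate(rules, default_action, zone, dst_ip, dst_port):
    """Return (verdict, matched rule name, inspected by IPS?, Monitor rules that logged)."""
    monitor_hits = []
    for r in rules:                       # top to bottom, first match wins
        if not r.matches(zone, dst_ip, dst_port):
            continue
        if r.action == "Monitor":         # Monitor logs and keeps evaluating
            monitor_hits.append(r.name)
            continue
        # Allow with an intrusion policy is inspected; Trust never is.
        inspected = r.action == "Allow" and bool(r.intrusion_policy)
        return r.action, r.name, inspected, monitor_hits
    # No rule matched: the default action decides. "Intrusion Prevention"
    # allows with IPS; "Trust All Traffic" and "Network Discovery Only" allow without IPS.
    verdict = "Block" if default_action == "Block All Traffic" else "Allow"
    return verdict, "Default Action", default_action == "Intrusion Prevention", monitor_hits

RULES = [  # constructed policy: specific rules placed above general ones
    Rule("watch-dns", "Monitor", dst_ports={53}),
    Rule("backup-replication", "Trust", src_zones={"dmz"},
         dst_nets=[ip_network("10.20.0.0/16")]),
    Rule("block-telnet", "Block with Reset", dst_ports={23}),
    Rule("users-web", "Allow", src_zones={"inside"}, dst_ports={80, 443},
         intrusion_policy="Balanced Security and Connectivity"),
]

if __name__ == "__main__":
    for flow in [("inside", "8.8.8.8", 443), ("inside", "8.8.8.8", 53), ("dmz", "10.20.5.5", 22)]:
        print(flow, "->", evaluate(RULES, "Block All Traffic", *flow))
```

Note that the DNS flow is logged by the Monitor rule but still ends at the default action, which is why a "Block All Traffic" baseline with explicit Allow rules above it behaves very differently from "Trust All Traffic".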
An intrusion policy applies Snort-based IPS rules to allowed traffic. Attach it to any rule whose action is Allow.
| Policy | Description |
|---|---|
| Connectivity over Security | Fewer rules; prioritises throughput |
| Balanced Security and Connectivity | Recommended default; balanced detection |
| Security over Connectivity | Maximum detection; higher false-positive risk |
| Maximum Detection | Aggressive; not recommended for production without tuning |
File policies inspect transferred files for malware (AMP) and block specific file types.
| Action | Description |
|---|---|
| Detect Files | Log file type without blocking |
| Block Files | Block specific file types (e.g., .exe over HTTP) |
| Malware Cloud Lookup | Send SHA-256 to AMP cloud for verdict |
| Block Malware | Block files with malware verdict |
Attach via rule Inspection tab → File Policy dropdown.
Configure per rule what is logged:
Send events to:
Enable logging per rule → Logging tab → select events to capture.
Changes to ACPs are staged in FMC and must be deployed to take effect on the FTD device.
⚠️ Deployment Impact
Policy deployment briefly interrupts traffic inspection (seconds). On high-availability pairs, FMC deploys to standby first, then fails over and deploys to active — minimising disruption. For standalone devices, expect a brief inspection gap during deployment.
Common deployment errors:
Test how traffic would be handled without sending real packets:
```text
> packet-tracer input <ingress-interface> tcp <src-ip> <src-port> <dst-ip> <dst-port> detail
```
Example:
```text
> packet-tracer input inside tcp 10.1.1.100 12345 8.8.8.8 443 detail
```
Output shows each inspection phase:
An ALLOW result confirms that the ACP rule is permitting the traffic.
In FMC: Analysis → Connections → Events
Filter by:
Use Connection Summary for aggregate views; Connection Events for per-flow detail.
On FTD CLI, show active connections:
```text
> show conn
> show conn detail address <host-ip>
```