Introduction
This document describes how to configure a Fully Qualified Domain Name (FQDN) object through the Firewall Management Center (FMC) and how to use the FQDN object when creating an access rule.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Knowledge of Firepower Technology.
- Knowledge of configuring an access control policy on Firesight Management Center (FMC).
Components Used
The information in this document is based on these software and hardware versions:
- Firepower Management Center running version 6.3 and above.
- Firepower Threat Defense running version 6.3 and above.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Step 1. In order to configure and use an FQDN-based object, first configure DNS on the Firepower Threat Defense.
Log in to the FMC and navigate to Devices > Platform Settings > DNS.
Note: Ensure that the System Policy is applied to the FTD after configuring the DNS. The configured DNS server should resolve the FQDN that will be used.
Step 2. Create the FQDN object. To do so, navigate to Objects > Object Management > Add Network > Add Object.
Step 3. Create an access control rule by navigating to Policies > Access Control.
Note: You can create a rule or modify an existing rule based on the requirement. The FQDN object can be used in Source and/or Destination Networks.
Ensure that the policy is applied after the configuration is completed.
Verify
Initiate traffic from the client machine that is expected to trigger the FQDN-based rule you created.
On the FMC, navigate to Events > Connection Events and filter for the specific traffic.
Troubleshoot
The DNS server should be able to resolve the FQDN object. To verify this, run these commands from the CLI:
- system support diagnostic-cli
- show fqdn