General Best Practices for Access Control
Review the following requirements and general best practices:
-
Use a prefilter policy to provide early blocking for unwanted traffic, and to fastpath traffic that does not benefit from access control inspection. For more information, see Best Practices for Prefiltering.
-
Although you can configure the system without licensing your deployment, many features require that you enable the appropriate licenses before you deploy.
-
For the system to affect traffic, you must deploy relevant configurations to managed devices using routed, switched, or transparent interfaces, or inline interface pairs.
Sometimes, the system prevents you from deploying inline configurations to passively deployed devices, including inline devices in tap mode.
In other cases, the policy may deploy successfully, but attempting to block or alter traffic using passively deployed devices can have unexpected results. For example, the system may report multiple beginning-of-connection events for each blocked connection, because blocked connections are not blocked in passive deployments.
-
Certain features, including URL filtering, application detection, rate limiting, and Intelligent Application Bypass, must allow some packets to pass in order for the system to identify the traffic.
To prevent these packets from reaching their destination uninspected, see Best Practices for Handling Packets That Pass Before Traffic Identification and Specify a Policy to Handle Packets That Pass Before Traffic Identification.
-
You cannot perform file or malware inspection on traffic handled by the access control policy's default action.
-
Some features are only available on certain device models. Warning icons and confirmation dialog boxes designate unsupported features.
-
If you will use syslog or store events externally, avoid special characters in object names such as policy and rule names. Object names should not contain special characters, such as commas, that the receiving application may use as separators.
-
Logging for connections handled by the default action is initially disabled, though you can enable it.
-
Best practices for creating, ordering, and implementing access control rules are detailed in Best Practices for Access Control Rules and subtopics.