Mantra Networking

Cisco FirePOWER: Application Visibility and Control (AVC)

Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Key Terminology
  • Supported Protocols and Categories
  • AVC Policy Actions
  • Custom Application Creation Steps
  • Troubleshooting AVC
  • Conclusion

Cisco FirePOWER: Application Visibility and Control (AVC) Overview

What is Cisco FirePOWER AVC?

Application Visibility and Control (AVC) is a feature set within Cisco FirePOWER that enables precise identification, monitoring, and control of applications running across your network. Unlike traditional firewalls that focus primarily on ports and protocols, AVC operates at the application layer, giving you deep insight into real application usage and user behavior.

Why Do You Need to Know About AVC?

  • Enhanced Security: Many threats now hide within legitimate applications or use non-standard ports to evade detection. AVC identifies applications by the content of their traffic rather than by port, so it still recognises a protocol that has been moved to an unusual port. For encrypted traffic it works from handshake metadata such as the TLS server name (SNI) and the server certificate; inspecting the encrypted payload itself requires a decryption (SSL) policy.
  • Granular Control: You can apply policies that are specific to individual applications (like Facebook, Dropbox, or Skype), rather than relying solely on broad port-based rules. This lets you precisely allow, block, or monitor traffic for business-critical or high-risk apps.
  • User Productivity and Compliance: AVC lets you restrict the use of risky or recreational applications on your network, helping ensure regulatory compliance and boost productivity.
  • Visibility Into Network Usage: Administrators can generate detailed reports on which applications are being used, who is using them, and how much bandwidth they consume. This insight supports better decision-making for IT and security teams.

How Does Cisco AVC Work?

  • Application Identification: FirePOWER inspects network traffic in real time, using application detectors (signature matching, protocol analysis, and behavioral heuristics) to identify thousands of known applications, including those running on non-standard ports. Identification takes several packets, so the first packets of a session are evaluated before the application is known. For TLS traffic the detectors rely on handshake metadata such as the SNI and server certificate unless a decryption policy is in place.
  • Policy Enforcement: Once an application is identified, the access control rules that reference it take effect. Rules can allow, block, or monitor traffic at the application level; bandwidth limits for an application are applied by a separate QoS policy whose rules match on the same application conditions.
  • Integration with Access Policies: AVC conditions live inside the rules of Cisco's Access Control Policy (ACP). An application match can trigger the rule's connection logging (events to the FMC, syslog, SNMP, or email), hand the flow to the rule's intrusion and file policies, and the same application objects can be reused in QoS rules.
  • Reporting and Analytics: The system logs every identified application, its associated users, and usage patterns in connection events. Dashboards and reports built on those events assist with ongoing monitoring and compliance checks.

Key Benefits at a Glance

Benefit | Description
Application-layer Security | Detects and controls apps beyond port/protocol limitations
Enhanced Visibility | Real-time insight into network traffic and app usage
Flexible Policy Options | Enforce business policies specific to applications and users
Improved Compliance | Helps meet policy, regulatory, and auditing requirements
Resource Optimization | Prevents bandwidth abuse by throttling or blocking non-essential applications

In summary, Cisco FirePOWER AVC provides essential tools for organizations to increase visibility, refine security controls, and adapt to the realities of modern networked environments.

Key Terminology: Cisco Firepower Application Visibility and Control (AVC)

This section clarifies essential terms you’ll encounter in Cisco Firepower AVC:

  • AVC (Application Visibility and Control): Provides the ability to identify, monitor, and control application traffic within Cisco Firepower appliances.
  • Application Detector: Utilizes signatures and metadata to accurately identify specific applications traversing the network.
  • Custom Application: A user-defined application created for specialized detection or control based on unique business needs.
  • Application Risk and Business Relevance: Each detected application is assigned risk and business relevance scores to inform policy and security decisions.
  • Policy Actions: The access control rule actions that can be applied to matched application traffic: Allow, Block (including Block with reset), and Monitor. Rate limiting and alerting are configured elsewhere: rate limits in a QoS policy that matches on application, alerts through the rule's connection logging (syslog, SNMP trap, or email).

Supported Protocols and Categories

This section outlines common protocols recognized and classified by Cisco Firepower AVC, helping you understand the types of traffic that can be detected and managed.

Protocol | Category | Common Uses
HTTP/HTTPS | Web | Web browsing, cloud applications
DNS | Infrastructure | Name resolution
SIP | Voice/Video | VoIP calls and video conferencing
SMB | File Sharing | File transfer and sharing
SSL/TLS | Security | Encrypted communication
  • How it works: Cisco Firepower uses protocol analysis and application detectors to classify each connection in real time. The result is recorded in the connection event as Application Protocol, Client, and Web Application, and access control rules can match on any of the three.
  • Additional Categories: Other categories include email, instant messaging, remote access, peer-to-peer, and more. Each application also carries tags, a risk level, and a business relevance level that rules can match on.
  • Policy Tip: Match on application filters (category, tag, risk, business relevance) rather than on individual applications wherever you can. A filter automatically covers new applications added by VDB updates, while a hand-built list of named apps has to be maintained by hand.
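To make the port-independence point concrete, here is an added example in Python (not Cisco code and not anything exported from the FMC) that classifies a flow from its first client payload the way a detector would: it parses the TLS ClientHello for the SNI, reads the HTTP request line and Host header, and recognises the SSH banner, then compares that with what a port-only firewall would have assumed. The sample flows and the build_client_hello helper are constructed for the example; the TLS parser handles only the ClientHello layout, which is all a detector can see of an encrypted session without a decryption policy.

```python
import struct

# Added example (not Cisco code): identify the application from the first
# client-to-server payload of a flow, ignoring the destination port.

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")
PORT_GUESS = {22: "SSH", 80: "HTTP", 443: "TLS"}   # what a port-only firewall assumes


def parse_client_hello(payload: bytes):
    """Return (True, sni) for a TLS ClientHello (sni may be None), else (False, None)."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return False, None
    p = 9 + 2 + 32                                   # skip client_version and random
    sid_len = payload[p]; p += 1 + sid_len
    if p + 2 > len(payload):
        return True, None
    (cs_len,) = struct.unpack("!H", payload[p:p + 2]); p += 2 + cs_len
    if p + 1 > len(payload):
        return True, None
    cm_len = payload[p]; p += 1 + cm_len
    if p + 2 > len(payload):
        return True, None                            # no extensions block at all
    (ext_len,) = struct.unpack("!H", payload[p:p + 2]); p += 2
    end = min(p + ext_len, len(payload))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4]); p += 4
        if etype == 0 and elen >= 5:   # server_name: list_len(2) type(1) name_len(2) name
            (name_len,) = struct.unpack("!H", payload[p + 3:p + 5])
            return True, payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return True, None


def identify(payload: bytes) -> dict:
    """Classify by payload content. TLS payloads expose only handshake metadata."""
    is_tls, sni = parse_client_hello(payload)
    if is_tls:
        return {"app": "TLS", "host": sni, "visibility": "handshake metadata only"}
    if payload.startswith(HTTP_METHODS):
        host = None
        for hdr in payload.split(b"\r\n")[1:]:
            if hdr.lower().startswith(b"host:"):
                host = hdr.split(b":", 1)[1].strip().decode("ascii", "replace")
        return {"app": "HTTP", "host": host, "visibility": "full payload"}
    if payload.startswith(b"SSH-"):
        return {"app": "SSH", "host": None, "visibility": "banner only"}
    return {"app": "unknown", "host": None, "visibility": "none"}


def classify_flow(dst_port: int, payload: bytes) -> dict:
    """Compare the port-based guess with what the payload actually says."""
    result = identify(payload)
    result["port_guess"] = PORT_GUESS.get(dst_port, "unknown")
    result["port_misleading"] = result["port_guess"] != result["app"]
    return result


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed sample flows: the port often says one thing, the payload another.
    samples = [
        (443, build_client_hello("www.dropbox.com")),
        (8080, b"GET /upload HTTP/1.1\r\nHost: files.example.internal\r\n\r\n"),
        (443, b"SSH-2.0-OpenSSH_9.6\r\n"),
        (8443, build_client_hello("login.example.net")),
    ]
    for port, data in samples:
        print(port, classify_flow(port, data))
```

Two of the four constructed flows would be misjudged by port alone (HTTP on 8080 and SSH tunnelled over 443), and the TLS flows yield a host name but nothing about the request inside, which is exactly the boundary a decryption policy is there to move.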

AVC Policy Actions

This section explains the core actions you can configure when building Application Visibility and Control (AVC) policies within Cisco Firepower. These actions determine how the device handles application traffic based on your security objectives.

  • Allow: Permits the matched application traffic and continues with any intrusion and file inspection configured on the rule. Typically used for trusted, business-critical applications. (A Trust rule also permits traffic but skips the deeper inspection.)
  • Block: Drops the matched traffic; the Block with reset variant also sends a TCP reset so the client fails immediately instead of waiting for a timeout. Standard for known risky or unwanted apps.
  • Monitor: Logs the matched traffic and then continues evaluating the remaining rules, so the flow is ultimately handled by a later rule or by the default action. Useful for auditing an application before you decide to block it.
  • Rate Limit: Configured in the QoS policy rather than as an access control rule action; QoS rules can match on the same application conditions and cap the bandwidth an application may consume.
  • Alert: Configured through the rule's logging settings rather than as an action; enable connection logging on the rule (at the beginning or end of the connection) and send the events to syslog, SNMP, or email to be notified when the application is seen.

How to Apply Actions in Policy:

  1. Define rules within your Access Control Policy and add the application (or an application filter) as a condition on the rule's Applications tab.
  2. Choose the rule action (Allow, Block, or Monitor) for each rule based on organizational needs; set bandwidth limits in the QoS policy and alerts in the rule's logging settings.
  3. Order the rules from most specific to most general. Rules are evaluated top-down and the first non-Monitor match wins, so a broad port-based Allow rule placed above an application Block rule silently shadows it.
  4. Save the policy and deploy it to the managed device; nothing takes effect until the deployment completes.

Tip: Regularly review and adjust policy actions to adapt to business changes and evolving security threats.
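The ordering rule in step 3 is easy to get wrong, so here is an added example in Python (a simplified model written for this post, not Cisco code) of top-down, first-match evaluation with application conditions. It encodes the two behaviours that bite in practice: a Monitor rule records a hit and lets evaluation continue, and a rule with an application condition cannot match while the application is still pending, so the first packets of a session can be handled by a later rule or by the default action. The rule names, applications and the "pending equals no match" simplification are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not Cisco code): a simplified model of top-down, first-match
# access control rule evaluation with application conditions.


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "Allow", "Block", or "Monitor"
    apps: frozenset = frozenset()    # application condition; empty = any application
    ports: frozenset = frozenset()   # destination port condition; empty = any port


@dataclass(frozen=True)
class Flow:
    dst_port: int
    app: Optional[str]               # None = application not yet identified (pending)


def evaluate(rules, default_action, flow):
    """Walk the rules in order. Monitor records a hit and keeps going; any other
    matching action ends evaluation. A rule with an application condition cannot
    match while the application is still pending (simplification of FTD behaviour)."""
    hits = []
    for rule in rules:
        if rule.ports and flow.dst_port not in rule.ports:
            continue
        if rule.apps and (flow.app is None or flow.app not in rule.apps):
            continue
        hits.append(rule.name)
        if rule.action != "Monitor":
            return rule.action, rule.name, hits
    hits.append("default")
    return default_action, "default", hits


# Constructed rules: audit cloud storage, allow general web, block Dropbox.
MONITOR = Rule("log-cloud-storage", "Monitor", apps=frozenset({"Dropbox", "Box"}))
ALLOW_WEB = Rule("allow-web", "Allow", ports=frozenset({80, 443}))
BLOCK_DROPBOX = Rule("block-dropbox", "Block", apps=frozenset({"Dropbox"}))

MISORDERED = [MONITOR, ALLOW_WEB, BLOCK_DROPBOX]   # broad port rule shadows the app rule
CORRECTED = [MONITOR, BLOCK_DROPBOX, ALLOW_WEB]    # most specific first


def compare_orderings():
    """Same Dropbox-over-443 flow under both orderings, plus a not-yet-identified flow."""
    identified = Flow(443, "Dropbox")
    pending = Flow(443, None)
    return {
        "misordered": evaluate(MISORDERED, "Block", identified),
        "corrected": evaluate(CORRECTED, "Block", identified),
        "pending_corrected": evaluate(CORRECTED, "Block", pending),
    }


if __name__ == "__main__":
    for name, (action, rule, hits) in compare_orderings().items():
        print(f"{name:18} -> {action} by {rule}; rules hit: {hits}")
```

With the broad Allow above the Block, Dropbox is logged by the Monitor rule and then allowed, which is why a "Block" rule can show zero hits while the connection events plainly say Dropbox. The corrected order blocks it, but note the third case: until the detector has identified the application, even the corrected policy lets the early packets through on the port-based rule.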

Custom Application Creation Steps

This section provides a clear, step-by-step guide to creating a custom application within Cisco Firepower. Custom applications are useful when you want to identify or control network traffic that isn’t already covered by built-in detectors.

  1. Navigate to Application Detectors: In the Firepower Management Center go to Policies > Application Detectors and click Create Custom Detector.
  2. Name the detector and the application: Give the detector a descriptive name and description, then select the application it identifies or create a new one. The application name is what you will later reference in rules, and you can give it a category, tags, risk, and business relevance like any built-in application.
  3. Choose the detector type: A Basic detector matches a pattern in the traffic and is what this post covers; an Advanced detector takes an uploaded Lua detector file.
  4. Define the detection pattern(s): For a Basic detector add one or more patterns, each with:
    • the transport protocol (TCP or UDP) and, optionally, the port the application uses;
    • the pattern type (ASCII or hex) and the pattern itself;
    • the byte offset in the payload at which the pattern must start;
    • the direction (client to server or server to client) in which the pattern appears.
    If you have a packet capture of the application, upload it on the detector page and test that the pattern fires before relying on it.
  5. Save and activate the detector: Save it, then set it to active in the detector list; an inactive detector never identifies anything.
  6. Reference in Policies: Use the new application as a condition in Access Control or QoS rules to allow, block, monitor, or rate-limit it.
  7. Deploy the Policy: Deploy to the managed devices; both the detector and the rules that use it take effect only after deployment.

Tip: Regularly review custom applications for relevance and accuracy, especially when network services or traffic patterns change.
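The fields in step 4 map onto a small matching model, shown here as an added Python example (not Cisco code and not a format the FMC imports). Each detector has a transport protocol, optional port, a pattern given as ASCII text or hex, a byte offset, and a direction, and a flow is identified by the first detector that fires on any of its packets. The two in-house applications, their detectors and the packets are constructed for the example; the two negative cases show why the offset and direction fields matter.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example (not Cisco code): the matching model behind a basic custom
# detector: protocol, port, ASCII or hex pattern, byte offset, and direction.


@dataclass(frozen=True)
class CustomDetector:
    name: str
    protocol: str              # "tcp" or "udp"
    ports: frozenset           # empty = any port
    pattern: bytes             # raw bytes to match (built by from_ascii / from_hex)
    offset: int = 0            # byte offset into the payload where the pattern must start
    direction: str = "client"  # "client" = client->server, "server" = server->client

    @classmethod
    def from_ascii(cls, name, protocol, ports, text, offset=0, direction="client"):
        return cls(name, protocol, frozenset(ports), text.encode("ascii"), offset, direction)

    @classmethod
    def from_hex(cls, name, protocol, ports, hexstr, offset=0, direction="client"):
        return cls(name, protocol, frozenset(ports), bytes.fromhex(hexstr), offset, direction)


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int              # server-side port of the flow
    direction: str
    payload: bytes


def matches(det: CustomDetector, pkt: Packet) -> bool:
    """True when protocol, direction, port (if set) and the pattern at its offset all agree."""
    if pkt.protocol != det.protocol or pkt.direction != det.direction:
        return False
    if det.ports and pkt.dst_port not in det.ports:
        return False
    return pkt.payload[det.offset:det.offset + len(det.pattern)] == det.pattern


def identify_flow(detectors: Iterable[CustomDetector], packets: Iterable[Packet]) -> Optional[str]:
    """Name of the first detector that fires on any packet of the flow, else None."""
    for pkt in packets:
        for det in detectors:
            if matches(det, pkt):
                return det.name
    return None


# Constructed detectors for two hypothetical in-house applications.
DETECTORS = [
    # The server greets with a 4-byte length prefix followed by "ACME-TICKET", hence offset 4.
    CustomDetector.from_ascii("AcmeTicket", "tcp", {7443}, "ACME-TICKET", offset=4, direction="server"),
    # UDP telemetry whose client datagrams start with the magic bytes AB CD 01, on any port.
    CustomDetector.from_hex("AcmeTelemetry", "udp", (), "abcd01", offset=0, direction="client"),
]


def demo():
    """Constructed flows: two that should identify and two that should not."""
    ticket_flow = [
        Packet("tcp", 7443, "client", b"HELLO\r\n"),
        Packet("tcp", 7443, "server", b"\x00\x00\x00\x0bACME-TICKET/1.2\r\n"),
    ]
    telemetry_flow = [Packet("udp", 9999, "client", bytes.fromhex("abcd01") + b"\x10\x00")]
    # Same greeting but sent by the client: direction mismatch, so no match.
    wrong_direction = [Packet("tcp", 7443, "client", b"\x00\x00\x00\x0bACME-TICKET/1.2\r\n")]
    # Greeting without the length prefix: the pattern is no longer at offset 4.
    wrong_offset = [Packet("tcp", 7443, "server", b"ACME-TICKET/1.2\r\n")]
    return {
        "ticket": identify_flow(DETECTORS, ticket_flow),
        "telemetry": identify_flow(DETECTORS, telemetry_flow),
        "wrong_direction": identify_flow(DETECTORS, wrong_direction),
        "wrong_offset": identify_flow(DETECTORS, wrong_offset),
    }


if __name__ == "__main__":
    for case, app in demo().items():
        print(f"{case:16} -> {app}")
```

The failing cases are the ones that usually send people to troubleshooting: a detector written against a capture taken from the server side will not fire on client traffic, and a pattern that drifts by a few bytes (a version prefix, a length field) stops matching entirely. Testing against a real capture on the detector page catches both before deployment.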

Troubleshooting AVC

This section provides a step-by-step guide for diagnosing and resolving issues with Application Visibility and Control (AVC) in Cisco Firepower. Effective troubleshooting ensures reliable application detection, logging, and policy enforcement.

  1. Check Logs and System Messages:
    • Review connection events in the Firepower Management Center (Analysis > Connections > Events) and look at the Application Protocol, Client, and Web Application columns for the flows in question. An empty value means the system never identified the application; "pending" means the connection ended before identification finished.
    • Use the Message Center to identify error or warning messages related to application control or to a failed deployment.
  2. Verify Application Detector Status:
    • On Policies > Application Detectors, confirm that the detector for the application is present and active; custom detectors stay inactive until you activate them.
    • If an application is not detected, install the latest Vulnerability Database (VDB) update, which carries new and updated application detectors, and deploy to the devices afterwards.
  3. Validate Policy Order and Placement:
    • Confirm AVC rules are placed above general allow/deny rules in your access control policy.
    • Check for conflicting rules that could override desired AVC actions.
  4. Update Application Signatures:
    • Built-in application detectors ship in the Vulnerability Database (VDB), not in the device software image. Keep the VDB current (System > Updates) and redeploy after each VDB install so the new detectors actually reach the managed devices.
  5. Perform Packet Capture and Trace:
    • Use FMC advanced troubleshooting to capture packet traces for problematic traffic flows.
    • Analyze captured packets to verify classification and inspect dropped or misrouted traffic.
    • From the FMC web interface:
      1. Select the device in Devices > Device Management.
      2. Click the troubleshooting icon, choose Advanced Troubleshooting, and configure the Capture with Trace function.
      3. Download and review captures for further analysis.
    • From the FTD command line, system support firewall-engine-debug (filtered to the client address) prints each rule evaluated for a flow together with the application IDs the detectors assigned, which is the quickest way to see why a flow hit an unexpected rule.
  6. Check System Health and Connectivity:
    • Verify that all Firepower components (FMC and managed devices) have healthy status and stable management connectivity.
    • Check for resource bottlenecks in CPU, memory, and disk via health monitor reports.
  7. Collect Diagnostic Files for TAC:
    • If unresolved, generate and download troubleshooting files to share with Cisco TAC for advanced support.

Tip: Keep a regular maintenance schedule—review logs, update detectors, and test policy changes in a controlled environment before production deployment.
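Step 1 above is easier to apply at scale if the connection events go to syslog and you script the checks. The following added Python example (not Cisco code) parses FTD connection-event lines and flags two conditions a troubleshooter cares about: flows that never received an application identification, and flows carrying an application the policy is supposed to block that were nevertheless allowed, which points at rule ordering. The sample lines are constructed for this post in the key: value layout of FTD message 430003 with a subset of its fields; the field names and the blocked-application list are assumptions of the example.

```python
from collections import Counter

# Added example (not Cisco code): parse connection-event syslog lines and flag
# flows that never got an application identification or that reached an Allow
# rule despite carrying an application the policy is meant to block.

SYSLOG_TAG = "%FTD-6-430003: "   # FTD connection event message ID

# Constructed sample lines (subset of fields) in the FTD key: value connection-event layout.
SAMPLE_LINES = [
    "<174>2024-05-02T10:15:01Z ftd01 %FTD-6-430003: EventPriority: Low, ConnectionID: 1001, AccessControlRuleAction: Block, SrcIP: 10.1.1.20, DstIP: 203.0.113.5, SrcPort: 51234, DstPort: 443, Protocol: tcp, ACPolicy: corp-acp, AccessControlRuleName: block-dropbox, Client: Chrome, ApplicationProtocol: HTTPS, WebApplication: Dropbox, InitiatorPackets: 6, ResponderPackets: 5",
    "<174>2024-05-02T10:15:07Z ftd01 %FTD-6-430003: EventPriority: Low, ConnectionID: 1002, AccessControlRuleAction: Allow, SrcIP: 10.1.1.21, DstIP: 203.0.113.5, SrcPort: 51240, DstPort: 443, Protocol: tcp, ACPolicy: corp-acp, AccessControlRuleName: allow-web, Client: Chrome, ApplicationProtocol: HTTPS, WebApplication: Dropbox, InitiatorPackets: 40, ResponderPackets: 38",
    "<174>2024-05-02T10:15:09Z ftd01 %FTD-6-430003: EventPriority: Low, ConnectionID: 1003, AccessControlRuleAction: Allow, SrcIP: 10.1.1.22, DstIP: 198.51.100.9, SrcPort: 51250, DstPort: 7443, Protocol: tcp, ACPolicy: corp-acp, AccessControlRuleName: allow-internal, InitiatorPackets: 3, ResponderPackets: 2",
    "<174>2024-05-02T10:15:12Z ftd01 %FTD-6-430003: EventPriority: Low, ConnectionID: 1004, AccessControlRuleAction: Allow, SrcIP: 10.1.1.23, DstIP: 198.51.100.10, SrcPort: 51260, DstPort: 22, Protocol: tcp, ACPolicy: corp-acp, AccessControlRuleName: allow-admin, ApplicationProtocol: SSH, InitiatorPackets: 25, ResponderPackets: 20",
]


def parse_event(line: str):
    """Return the key: value fields of a 430003 line as a dict, or None for other lines."""
    _, tag, body = line.partition(SYSLOG_TAG)
    if not tag:
        return None
    fields = {}
    for item in body.split(", "):
        key, sep, value = item.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(lines, blocked_apps):
    """Summarise rule hits and flag unidentified and wrongly allowed flows."""
    events = [e for e in map(parse_event, lines) if e]
    unidentified = [e.get("ConnectionID", "?") for e in events
                    if not e.get("ApplicationProtocol") and not e.get("WebApplication")]
    leaked = [(e.get("ConnectionID", "?"), e["WebApplication"], e.get("AccessControlRuleName", "?"))
              for e in events
              if e.get("WebApplication") in blocked_apps and e.get("AccessControlRuleAction") == "Allow"]
    hits = Counter(e.get("AccessControlRuleName", "?") for e in events)
    return {"unidentified": unidentified, "leaked": leaked, "hits_per_rule": dict(hits)}


if __name__ == "__main__":
    report = audit(SAMPLE_LINES, {"Dropbox"})
    print("rule hits:        ", report["hits_per_rule"])
    print("no app identified:", report["unidentified"])
    print("blocked app allowed:", report["leaked"])
```

Connection 1003 is flagged as unidentified; with only three initiator packets it may simply have ended before the detector had enough data, so compare the packet counts before assuming a detector problem. Connection 1002 is Dropbox allowed by a general web rule, the rule-ordering symptom from the policy section.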

Conclusion

Throughout this blog post, we’ve explored the essential features and capabilities of Cisco Firepower’s Application Visibility and Control (AVC). Let’s review the key takeaways:

  • AVC Basics: AVC empowers network administrators to gain deep insight into application usage across their environments and apply granular controls to allow, block, or monitor traffic.
  • Key Terminology: Understanding terms like Application Detectors, Custom Applications, and Risk/Business Relevance Scores is vital for working confidently within the AVC feature set.
  • Supported Protocols and Categories: Cisco Firepower can identify and categorize traffic across a broad range of commonly used protocols such as HTTP/HTTPS, DNS, SIP, and SMB, helping you take action where it matters.
  • Policy Actions: Whether you're allowing, blocking, rate-limiting, or simply monitoring traffic, AVC gives you the tools to apply security policies that fit your organization’s needs.
  • Creating Custom Applications: When default detectors aren’t enough, you can create custom applications with hand-picked criteria to track or control specialized traffic.
  • Troubleshooting AVC: With tools like connection events, packet capture with trace, and regular VDB updates, you can identify and resolve AVC-specific issues to keep your network secure and efficient.

Cisco Firepower AVC is a powerful feature that gives you both visibility and control—essential ingredients for a modern, secure network. Whether you're tightening your organization's security posture or simply aiming for better network insights, AVC offers a reliable path forward.

Thanks for joining us on this walkthrough of Cisco Firepower Application Visibility and Control. If you're just getting started, don't worry—the more you work with AVC, the more intuitive and impactful it becomes.