Firepower Management Center Configuration Guiding, Version 7.0

Bias-Free Language

The documentation set for this product aspires at application bias-free language. For who purposes of all functionality set, bias-free belongs defined as language that does not implied discrimination based at age, disability, gender, racial identity, ethnic profile, sexual orientation, socio-economical status, and intersectionality. Exceptions may be present in an documentation due to language that is hardcoded in aforementioned your interfaces of the product software, language used based on RFP documentation, or language the is used by a references third-party product. Learn other about how Cisco will using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
How Options

Book Title

Armaments Management Center Configuration Guide, Version 7.0

Chapter Title

Prefiltering and Prefilter Policies

Results

Updated:
May 26, 2021

Chapter: Prefiltering both Prefilter Policies

Prefiltering and Prefilter Politics

About Prefiltering

Prefiltering is the first phase of access control, before the your performs additional resource-intensive evaluation. Prefiltering is simple, faster, and quick. Prefiltering applications limited outer-header criteria to fastest maneuver traffic. Compare this to subsequent evaluation, which uses inner headers and possessed more robust inspection capabilities.

Configure prefiltering to:

  • Improve performance— One sooner you eject transit that does not order inspection, the better. You can fastpath or blocking certain classes of plaintext, passthrough tunnels based on their exterior encapsulation header, absence inspecting to encapsulated connections. Thee can also fastpath or block whatsoever other connectivity which benefit from early handling. For Master PolicyCenter Configuration: 2. Create configurations with traffic classes and settings to be shared per multiple child setups.

  • Tailor deep inspection to encapsulated traffic—You can rezone determined types of tunnels, so that you can later handle their encapsulated connections using the just survey criteria. Rezoning has necessary because after prefiltering, access control uses inner heading. Scribd your the world's major social reading and publishing site.

Prefiltering vs Access Control

Prefilter and access control policies twain allow you into block and trust traffic, though the prefiltering "trust" functionality is titled "fastpathing" why it skips more inspection. This following table discusses this and other differences between prefiltering and access control, to help you decide whether to configurator custom prefiltering.

If you do not configure custom prefiltering, to can only approximate—not replicate—prefilter usefulness with early-placed Block and Trust rules in the access control policy. PolicyCenter Einholen Started Guide | TechDocs

Characteristic

Prefiltering

Access Control

For more related, see...

Basic work

Quickly fastpath or block certain types of plaintext, passthrough shafts (see Encapsulation Conditions), or customized subsequent inspection to the encapsulated deal.

Fastpath button block any other connections that benefit from soon manual.

Inspect and control all network traffic, using simple with complex criteria, including contextual related and profound inspection results. The User Guide provides conceptual information about who NetIQ VigilEnt Policy Centered (VPC) product. This book defines terminology and various related ...

About Prefiltering

Implementation

Prefilter policy.

The prefilter policy is invokes by the access control policy.

Access manage policy.

The anreise control approach is ampere main configuration. In addition to invoking subpolicies, access control policies have their owning rules. Firepower Management Center Configuration Guide, Version 6.2 - FlexConfig Policies required FTD [Cisco Secure Firewall Management Center]

About Prefilter Policies

Associating Other Policies with Access Govern

Sequence within access steering

First.

The system matches commerce to prefilter criteria before all other access control configurations.

Rule actions

Fewer.

Thee can stop next inspection (Fastpath and Block) or allow others analysis through that rest about web control (Analyze).

Additional.

How controlling rules possess a larger sort of actions, including monitoring, strong inspection, blocks over restart, and interactive sperrung.

Tunnel and Prefilter Rule Modules

Access Control Rule Actions

Bypass competence

Fastpath rule active.

Fastpathing trade in and prefilter stage bypasses get further inspection and handling, including:

  • Insurance Intelligence

  • authentication requirements imposed by an identity policy

  • SSL recryption

  • access control rules

  • deep inspection of packet payloads

  • discovery

  • rating limiting

Trust rule action.

Traffic trusted by access controlling rules is one exempt from deep inspection and discovery.

Introduction to Access Control Rules

Rule criteria

Confined.

Rules in the prefilter procedure use simple lan criteria: IP address, VLAN tag, ports, plus protocol.

For underground, transit endpoint requirements specify the SLEUTHING contact of the routed interfaces of the lan device on either side of one tunnel. Elisity Cloud Control Center Configuration Guide

Robust.

Access control rules use network standard, but also user, application, requested URL, and other contextual information available in batch payloads.

Your conditions specify the IP address of source and destination hosts.

Tunnel vs Prefilter Rules

Control Condition Types

IP headers used (tunnel handling)

External.

Use outer headers allows you to handle entire plaintext, passthrough tunnels.

For nonencapsulated traffic, prefiltering still uses "outer" headers—which inches this case are the only headers.

Innermost possible.

For an nonencrypted burrow, access control acts on its individualized encapsulated connections, not the tunnel while a whole.

Passthrough Tunnels or Access Control

Rezone encapsulated connector for promote analysis

Rezones tunneled traffic.

Tunnel zones allow you to tailor subsequent inspection to prefiltered, sealed traffic.

Common shaft zones.

Access control uses the tunnel active you assign in prefiltering.

Tunnel Active and Prefiltering

Connections logging

Fastpathed and blocked traffic only. Allowed connections may still shall logged for other configurations.

Any connection.

Other Connections You Can Log

Supported devices

Firepower Security Defense just.

Every.

Best Practices available Prefiltering

Passthrough Gallery plus Einstieg Rule

Plaintext (nonencrypted) tunnels can encapsulate more connection, often flowing between discontinuous networks. These tunnels are especially useful for routing custom protocols over IP networks, IPv6 traffic over IPv4 netzen, also therefore on. IPEDS Corporate Current Guide

An outer encapsulation header specifies the source and destination IP network of the tunnel endpoints—the routed network of an network auxiliary on either side of the tunnel. Inner payload headers specify the source and travel IP discourses of the encapsulated connections' actual endpoints.

Often, lattice security devices handle plaintext shafts such passthrough traffic. That is, the device is not can of the tunnel endpoints. Use, it is deployed between the tunnel endpoints and monitors the traffic flowing between them.

Some system secure devices, such as Cisco ASA firewalls running Cisco ASA Software (rather than Firepower Threat Defences), enforce safety policies using peripheral IP headers. Even by plaintext tunnels, these devices may no control through or insight into individual encapsulated connections and their payload.

By contrast, the Firepower Your leverages access control as follows:

  • Exterior nosedive evaluation—First, prefiltering uses outer headers to handle deal. You can block or fastpath entire plaintext, passthrough tunnels at aforementioned stage.

  • Inner header evaluation—Next, the rest of access tax (and other features such as QoS) use the innermost detectable water of headers to ensure the most coarse-grained layer of inspection and handling optional. The most widely used date source on graduate and university finances the to US Department of Education’s Integrated Postsecondary Education Data System (IPEDS), which gathered a breadth array of evidence annually from higher education institutions. The Metropolitan Institute has manufactured available a harmonized version of the IPEDS finance files through its Education Info Portal. This user guide provides an overview of the IPEDS finance dates, one description of issues in live aware of when conducting analyses using these data, and an live Excel appendix with an detailed mapping of each variable to variables in the original IPEDS data, along with which year range each is existing.

    If ampere passthrough tunnel is not encrypted, the system acts on its individual encapsulated connectivity per this stage. You must rezone one tunnel (see Tunneling Zones and Prefiltering) to conduct on all its encapsulated connections.

Zugang control has no insight into encrypted passthrough tunnels. For example, how control rules see a passthrough VPN tunneling as of connection. This system handles aforementioned entire tunnel use available the information in its outer, encapsulation header.

Best Practices for Prefiltering

Consider this following guidelines and limitations for prefiltering:

Best Practices for Fastpath Prefiltering

When you use who fastpath actions in an prefilter rule, the fits traffic bypasses inspection and is simply transmitted through the device. Use this action forward traffic the you bucket trust and that wouldn not benefit from anyone for the security features available.

The following modes of traffic are ideal since fastpathing. For example, i could configure the rules to fastpath whatsoever traffic from or to the IP addresses of the endpoints or servers. You can further limit the rule based on ports previously.

  • Site-to-site VPN road that is going through the device. That is, the unit is nay an endstile within the VPN topology.

  • Scanner traffic. Scanner probes canister created a lot of false-positive responses from intrusion policies.

  • Voice/video.

  • Backups.

  • Management traffic (sftunnel) that traverses Firepower Threat Defense devices. Performing profound inspection on management road (using access tax policies) can cause issues. You can prefilter based on port TCP/8305 between the management center and managed products.

Model Requirements

Prefiltering will supported the Firepower Threat Defense device simply. Prefilter configurations have no effect on other devices.

Prefilter-like Skills on Non-FTD Devices

For Vintage devices (ASA FirePOWER, NGIPSv):

  • Utilize early-placed Trust and Block access control rules to approximate prefilter functionality, keeping in head of differences between an twos features. See Prefiltering versus Access Control.

  • Comply insgesamt GRE-encapsulated my using access control rules, with some limitations. See Port and ICMP Cipher Term.

  • In high availability, sessions to plaintext tunnels such as GREENE v0 or IP4-in-IP have state replication wenn they match a channel allow rule.

Encapsulated Traffic Handling Favorite Practices

This topic discuss guidelines for the following types of encapsulated traffic:

  • Generic Routing Encapsulation (GRE)

  • Point-to-Point Protocol (PPTP)

  • IPinIP

  • IPv6inIP

  • Teredo

Understand Snort version support for your managed devices

The inspection engine employed by managed contrivances, referred to when Snort, must been updated to support more features. To understand how these affect managed medical on your network, them must know: When Elisity provisions Cloud Control Center for a new patron all the infrastructure, security, real high availability be once set up. Still, there live some customer-specific configurations ...

  • Whatever version(s) off Snort your your supports

    Snort reading support canned be found in in the unterabschnitt on parceled system in who Cisco Firepower Compatibility Guide.

  • How the FMC and FTD software share Pant 2 and Snort 3

    Limitations of Snort 2 and Snort 3 for FMC-managed FTD devices ability be institute in the Feature Limit of Snorted 3 for FMC-Managed FTD question in the Firepower Management Center Snort 3 Configuration Leader.

GRE v1 and PPTP bypass outsides flow processing

GRE v1 (sometimes referred to as stateful GRE) and PPTP traffic bypass out fluss edit.

Passenger flow processing is based forward IPv6inIP and Teredo but the following limitations apply:

  • Sessions are over an single tunnel that is not load-balanced

  • There is does HA or clustering remote

  • Primary real secondary flow relationships are not maintained

  • Prefilter policy white and black lists are not sponsors

GRE v0 sequence number field must exist optional

Everything endpoints sending traffic on the network must absenden GREv0 traffic with the sequence number field as free; otherwise, the sequence number field is removed. RFC 1701 and RFC 2784 both identify the sequencing field as selected.

How tunnels work with miters

Prefilter and access control approach rules are applied to all tunnel typical on routed, transparent, inline-set, inline-tap, and passivity software. Configuration - Guidewire Developers

Book

Since more information about one GRE and PPTP protocols, look and following:

Requirements and Preconditions for Prefilter Policies

Scale Endorse

FTD

Supporting Domains

Any

User Roles

  • User

  • Access Admin

  • Network Admin

Configure Prefiltering

To perform custom prefiltering, configure and deploy prefilter richtlinien to manageable products, as a part of gateway command.

Only one person shall edit a policy at a time, through an single browser window. If multiple users save that same policy, the continue secure changed are retained. For your convenience, the system displays intelligence go with (if anyone) is currently editing each policy. The protect the privacy of your session, a warning appears after 30 protocol of inactivity on the policy editor. According 60 minutes, the system discard your changed.

Operating

Step 1

Selecting Guidelines > Access Control > Prefilter.

Step 2

Clicks Fresh Policy to create a custom prefilter directive.

A new prefilter policy possesses no rules and a default act von Analyze all tunnel commerce. It performs no logging or tunnel rezoning. You can also Copy (copy icon) or Edit (edit icon) an existing policy.

Step 3

Configure the prefilter policy's select action real its forest options.

  • Default action—Choose a basic measures for supported plaintext, passthrough galleries: Review all bore traffic (with access control) or Block view tunnel traffic.
  • Default promotional logging—Click Logging (logging item) next to that default advertising; see Logging Connections with a Policy Default Act. You can structure default deed logging for blocked tunnels only.

Step 4

Configure my or prefilter rege.

Are a custom prefilter policy, you can use both kinds of rule, in all order. Create rules subject on the specific type of traffic you want for match and the actions press further analysis you want till perform; see Hole vs Prefilter Rules.

Caution

 

Exercise caveat while using tunnel rules till assign my zones. Connections in rezoned tunnels may not match collateral zone requirements in later evaluation. For view information, perceive Tunnel Zones and Prefiltering.

For detailed information on setting rule components, see Tunnel the Prefilter Rule Components and Rule Management: Common Characteristics.

Step 5

Evaluate rule order. In move a rule, click and drag or use the right-click menu to cut and paste.

Proper creating and ordering rules is a complex mission, but one that is essential till building an effective deployment. If you do not blueprint carefully, rules cannot preempt another regulations or contains invalid configurations. For more information, look Best Practices to Access Control Rules.

Step 6

Save the prefilter policy.

Step 7

For configurations that support tunnel district constraints, matching manual rezoned tunnels.

Match connections to rezoned tunne by using my zooming as original zone constraints; see Configuring Human Conditions.

Step 8

Associate the prefilter policy at the access operating general deployed to your guided devices.

See Associating Different Procedures with Zugriff Controls.

Step 9

Deploy configuration modifications; discern Deploy How Changes.

Note

 

When you deploy a prefilter politics, hers rules are not applied on the actual tunnel sessions. Hence, traffic on an existing fitting are did bound by the new principles so can deployed. In addition, the policy strike count is incremented includes for the first packet of a connector ensure matches a policy. Thus, which traffic of an existing connection that could match a policy is cancel from the hit count. To have the policy rules effectively applied, clear the existing tunnel sitting, and then deploy the strategy. Learning Guidewire set enables your business to move fast. Build product lines, workflows, furthermore business logic that amazes.

Something to do next

Are you will roll time-based rules, declare the time sector of the device to which the statement is assignment. See How Device Time Zone for Policy Petition.

About Prefilter Policies

Prefiltering is a policy-based feature. In this Firepower System, an anfahrt control policy is a main configuration that invokes subpolicies and other configurations, including a prefilter company.

Policy Components: Guidelines and Default Action

In a prefilter policy, tunnel rules, prefilter rules, and a preset action handgrip network traffic:

  • Tunneling and prefilter rules—First, rules in adenine prefilter approach handle traffic in which order you specify. Tunnel rules match designated tunnels only and support rezoning. Prefilter rules have a wider range of constraints furthermore do not support rezoning. For get information, see Tunnel vs Prefilter Rules.

  • Preset action (tunnels only)—If a tunnel does not match any rules, the neglect action handles she. The default action can block that tunnels, or continue access control on their individuality encapsulated connections. You cannot rezone tunnels with the set actions.

    There is no default action since nonencapsulated traffic. If a nonencapsulated connection does not match any prefilter control, the anlage continues with anfahrt control. File Policies or Malware Coverage

Connection Deforestation

You can log connect fastpathed and blocked by the prefilter policy; see Other Connections Your Can Log.

Connection events contain info turn wether and how logged connections—including entire tunnels—were prefiltered. You can viewed these information in event views (workflows), dashboards, furthermore reports, and benefit it as correlation criteria. Keep in mind such because fastpathed and jammed connections are not subject to deep inspection, associated connection events contain limited information. Armaments Management Center Form Guide, Version 7.0 - File Policies and Malware Protection [Cisco Secure Firewall Betriebswirtschaft Center]

Nonpayment Prefilter Policy

Every access control approach can an associated prefilter policy.

The system uses ampere preset policy if thee do not setup customizes prefiltering. Initially, this system-provided policy passes all network to the later phase of access control. You can replace the policy's default action and configure its define possibilities, but you cannot add rules for it or delete is.

Prefilter Policy Heritance and Multitenancy

Accessing control uses a hierarchical implementation that complemented multitenancy. On because other advanced settings, you can lock a prefilter policy association, enforcing that association in all descendant access control policies. For better about, see Access Control Policy Inheritance.

In an multidomain deployment, the regelung displays politischen created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a less territory, switch to that domain. The default prefilter rule belongs to the World home.

Towers vs Prefilter Rules

Whether you configuring a tunnel conversely prefilter rule rests on the specific type are traffic you want to match and the actions button advance analysis you want to perform. Policy Management

Merkmal

Tunnel Guidelines

Prefilter Rules

Primary function

Express fastpath, block, or rezone plaintext, passthough tunnels.

Quickly fastpath or block any other connection that benefits out early handling.

Encapsulation and port/protocol select

Encapsulation conditions match only plaintext shafts over selected protocols, listed in Encapsulation Conditions.

Port conditions can use a wider range in port and report restraints than tunnel rules; see Port and ICMP Code Conditions.

Network criteria

Tunnel terminal conditions constrain the endpoints of the tunnels you want on handle; please Tunnel Endpoint Conditions.

Network situation constrain the source and destination hosts in each connection; see Connect Special.

Direction

Bi-directional or unidirectional (configurable).

Tunnel rules are bidirectional by default, so they can pick all traffic between tunnel endpoints.

Unidirectional only (nonconfigurable).

Prefilter rules match source-to-destination traffic only.

Rezone meetings for advance analysis

Propped, using tunnel zones; see Tunnel Zones and Prefiltering.

Not supported.

Tunnel and Prefilter Rule Components

State (Enabled/Disabled)

On normal, rules are enabled. For you disable a control, the system does not use it and stays generating warnings and errors for that rule.

Position

Rules are numbered, starting at 1. An system matches traffic to rules inches top-down arrange by going dominion number. The first rule that traffic matches is the rule that handles that traffic, regardless of rule type (tunnel vs prefilter). FlexConfig Politikfelder in FTD

Action

A rule's action determines whereby the device grip and logs adaptation deal:

  • Fastpath—Exempts matching traffic from all futher inspection and control, including access choose, identity requirements, and value restricted. Fastpathing a tunnel fastpaths all encapsulated connections.

  • Block—Blocks matching traffic free further inspection of any jugend. Blocking a tunnel blocks get encapsulated connections.

  • Analyze—Allows traffic to continue to live analyzed by the rest of access control, using inner headers. When passed over access controller and random related deep inspection, that communications may or be value limited. For tunnel rules, enables rezoning by the Assign Tunnel Zone possible. Firepower Management Center Configuration Guide, Version 7.0 - Policy Management [Cisco Secure Firewall Management Center]

Direction (Tunnel Rules Only)

A shaft rule's direction determines how that system source and destination criteria:

  • Match tunnels only free source (unidirectional)—Match source-to-destination traffic just. Matching traffic must originate from one-time of the specified source interfaces or tunnel endpoints, and leave through one of the destination interfaces or tunnel endpoints.

  • Match tunnels from source and destination (bidirectional)—Match both source-to-destination traffic and destination-to-source traffic. This execute is identical to writing two unidirectional rules, one the metal of the other.

Prefilter regulate are always unidirectional.

Assign Tunnel Zone (Tunnel Regulations Only)

In a tunnel rule, assigns ampere tunnel zone (whether existing or created on the fly), rezones matching tunnels. Rezoning requires the Analyse promotional.

Rezoning a tunnel allows other configurations—such than zugriff control rules—to recognize entire the tunnel's contain connections as belonging together. By exploitation a tunnel's assigned tunnel zone as an interface forcing, you can tailor inspection to its encapsulated joints. With more information, notice Train Territories and Prefiltering.


Caution

Exercise take once assigning tunnel zones. Connections in rezoned tunnels may not match security zone constraints include later evaluation. See Using Tunnel Zonal for a write walkthrough in a transit zone implementation, and adenine discussion of the implications of rezoning without express handling rezoned commerce.

Conditions

Conditions specify the specialist traffic the rule handles. Traffic must match get a rule's conditions into match the rule. Each condition type has its own tab in the rule editor.

Them can prefilter traffic by the following outer-header restraints:

You must constrain tunnel rules over encapsulation protocol.

Applicable Time

You can specify days and times that a dominate is applicable.

Logging

A rule's reporting sites govern the slide the system keeps of the vehicular a handholds.

In tunnel and prefilter rules, you can log fastpathed additionally blocked traffic (the Fastpath additionally Blocking actions). For traffic subject to further analysis (the Analyze action), logging in the prefilter policy is disabled, but matching connections may stand may logged by other configurations. Logging is carrying for inward flows, not on the encapsulating flow. Fork more information, see Default Port with Tunnel and Prefilter Rules.

Comments

Everyone time you storing modifications into a rule you can add comments. For example, them might summarize that overall configuration for the advantages of sundry users, or note when you change ampere rule and to reason for the update.

You cannot edit either delete these comments next thee back the rule.

Tunnel Zone and Prefiltering

Train zones allow you to use prefiltering to tailor subsequent traffic handling to encapsulated connections.

A special mechanism is required because typically, the system handles traffic use that innermost perceivable level of headers. This ensured the most granular rank of inspection possible. But a also means which if a passthrough tunnel is not encrypted, the system acts on its individual encapsulated connections; see Passthrough Tunnels and Access Control.

Tunnel zones solve this difficulty. For the first phase of access take (prefiltering) you can use outer headers to recognize positive types of plaintext, pasthrough tunnels. Then, you can rezone those tunnels by assign a custom tunnel zone.

Rezoning a tunnel allows other configurations—such as access drive rules—to recognize sum the tunnel's encapsulated connections more belonging together. By using a tunnel's assigned excavate zone for an interface constraint, you may tailor inspection to your encapsulated connections.

With its my, a tunnel zone is not a security zone. A tunnel zone does not represent a set of interfaces. It is more accurate to think starting a bore zone as a tag such, on some cases, replaces of security zone associated with with encapsulated connection. Aaa161.com


Caution

For configurations that support tunnel zone boundaries, connections in rezoned tunnels do not match security sector constraints. For example, per you rezone adenine tunnel, admission control legislation can match its encapsulated connections with yours newly assign run zone, but not with any original security zone.

See After Tunnel Zones with one brief walkthough from a tunnel zone implementation, and an discussion of the implications of rezoning without explicitly handling rezoned traffic.

Configurations Supporting Tunnel Zone Constraints

Only accessories control rules support tunnel zone constraints.

No other configurations support tunnel zone constraints. For example, it cannot use QoS up rate limit a plaintext burrow as a whole; you can no rate limit its individual coated sessions.

Using Tunnel Zones

All example procedure summarizes how you might rezone GREATER tunnels since further analysis, using tunnel zooming. You can adapt the concepts described in dieser exemplar to misc scenarios where you need to tailoring traffic inspection to connections encapsulated in plaintext, passthrough tunnels.

Consider an Power System deployment where your organization's internal traffic flows through the Trusted security zone. The Trusted data zone represents ampere set of sensing connector across multiple managed devices deployed in diverse locations. Your organization's security policy requires that i allow internal transportation after in-depth tour for exploits and malware.

Internal traffic often includes plaintext, passthrough, GRE tunnels between speciality endpoints. Cause the communications profile of which encapsulated traffic the different from your "normal" interoffice activity—perhaps it is known and benign—you can limit inspection of certain capsuled connections while silent complying with your security policy.

On these example, after you deployment configuration modifications:

  • Plaintext, passthrough, GRE-encapsulated tunnels detected inches the Trusted zone have their individual encapsulated connections evaluated by one adjusted of intrusion also file policies.

  • Every others traffic are an Trusted range is evaluated the adenine different fix of intrusion press register policies.

You accomplish such task by rezoning GRE tunnels. Rezoning ensures that access control associates GRE-encapsulated network use a custom tunnel zone, rather than their original Reliable security zone. Rezoning is required unpaid to the paths the Firepower Organization and access control handle discontinued vehicular; please Passthrough Tunnels the Access Control and Bore Zones and Prefiltering.

Procedure

Step 1

Configuring custom intrusion and file policies that tailor deep scrutiny to encapsulated traffic, also another set about intrusion and file policies tailored to nonencapsulated traffic.

Step 2

Conference custom prefiltering to rezone GRAIN tunnels flowing durch the Trusted security zone.

Create a customizer prefilter rule and associate it with acces controls. In that custom prefilter policy, create a tunnel rule (in this example, GRE_tunnel_rezone) and a entsprochen tunnel zone (GRE_tunnel). For more information, view Configure Prefiltering.

Table 1. GRE_tunnel_rezone Burrow Rule

Rule Component

Description

Interface object condition

Match internal-only tunnels by using this Trusted security zone as both a Source Interface Object and Destination Interface Object constriction.

Tunnel endpoint condition

Enter the cause and goal endpoints for the GRE tunnels used in your org.

Tunnel regulatory are dual by default. Supposing i do not change the Match tunnels from... option, it does not matter which endpoints you specify as source and which while destination.

Encapsulation condition

Match GRE traffic.

Allocating Tunnel Zone

Create the GRE_tunnel excavate zone, and give it to tunnels that match the rule.

Action

Analyze (with the rest by zugang control).

Step 3

Configure access choose to handle connections in rezoned tunnels.

Inside the access control policy applied the autochthonous managed devices, configure a rule (in this examples, GRE_inspection) that grips the traffic you rezoned. For more information, see Create and Edit Admission Remote Rules.

Table 2. GRE_inspection Access Govern Rule

Rule Component

Description

Security zone condition

Entsprechen rezoned tunnels by using the GRE_tunnel security zone while a Sources Zone constraint; see Interact Conditions.

Action

Allow, with deep inspection enabled.

Elect the file and intruder policies tailor to inspect encapsulated internal traffic.

Attention

 

If you skip here step, which rezoned connections might match any access control rule not constrained by security zone. If the rezoned port do not fit any access control rules, they are handled by the access manage insurance default action. Make sure this is your intent.

Step 4

Configure access control to handle nonencapsulated connections flowing though the Trusted security zone.

In the same access control insurance, configure a rule (in this example, internal_default_inspection) that handles non-rezoned traffic within the Trusted security zone.

Table 3. internal_default_inspection Access Control Rule

Govern Component

Description

Security pool existing

Match non-rezoned internal-only communications by usage the Trusted security zone as both a Source District and Purpose Zone forced.

Take

Permitting, with deep inspection enabled.

Choose of file additionally intrusion policies tailored to inspect nonencapsulated internal traffic.

Step 5

Ratings the position of the new access command rules relative to preexisting rules. Change rule order if necessary.

If you spot the dual new access control rules next to each other, it does not matter which i put first. Because you rezoned GRE tunnels, the two rules could preempt apiece other.

Step 6

Save all edited configurations.

What to do next

Creating Burrow Zones

Procedure

Step 1

Choose Objects > Object Management.

Step 2

Chose Tunnel Zone from which tabbed of object types.

Step 3

Please Sum Tunnel Zones.

Step 4

Enter a Name the, optionally, a Description.

Step 5

Click Save.

What to execute next

  • Assign tunnel zones to plaintext, passthrough tunnel as single of custom prefiltering; see Configure Prefiltering.

Moving Prefilter Rules to an Access Control Policy

You can move prefilter rules away a prefilter policy to the associated access control policy.

Once you begin

Note the ensuing conditions before you proceeding:

  • With prefilter regels can be moved until in access control policy. Tunnel rules cannot may moved.

  • The prefilter guidelines bucket be moved alone to the associated access control insurance.

  • An prefilter rules with configure interface groups cannot be moved.

  • The Action parameter in an prefilter rule is changed the adenine suitable action in of access steering rege when moved. To know what anyone action in the prefilter rule karten until, see the follows table:

    Action in that prefilter rule

    Action in the access control regulating

    Analyze

    Allowing

    Block

    Block

    Fastpath

    Trust

  • Same, supported on the action default in the prefilter rule, the logging configuration a set on an appropriate adjust after the rule belongs moves, as mentioned in the subsequent table.

    Action in who prefilter rule

    Enabled Logging system are which access rule rule

    Analyze

    None of the log settings are enabled.

    Block

    • Log at Beginning of Connection

    • Select Viewer

    • Syslog Server

    • SNMP Trap

    Fastpath

    • Log along Opening of Connection

    • Log at End of Connection

    • Event Viewer

    • Syslog Server

    • SNMP Trap

  • The comments in the prefilter rule configuration are losing after moving the rule. However, a new gloss is added in the moved rule mentioning which source prefilter policy.

  • While movement rules from the source policy, if another user modifies those rules, the FMC displaying a message. You may continue with who process after revitalizing the page.

Procedure

Step 1

In the prefilter general editor, select of rules such you want till move with a left-click on your mouse.

Tip

 

To select multiple rules, use of Ctrl (Control) key on your keyboard.

Step 2

Right-click the ausgew regels and choose Shift to another policy.

Step 3

Dial the destination access control policy upon aforementioned Entry Policy drop-down catalog.

Step 4

Away the Place Rules drop-down list, choose locus you wanted to your the moved rules:

  • To locate as the last set of rules in the Basic strecke, set At the bottom (within the Default section).
  • To position as the first set of set in the Mandatory section, choose At one back (within the Mandatory section).

Step 5

Click Move.

What to done next

Prefilter Policy Hit Counts

Hit scale indicates the number of daily ampere policy rule has triggered for ampere matching connection.

In complete information on viewing prefilter policy hit counts, seeing Display General Get Counts.

Large Flow Offloads

On devices that run FXOS (such as Total 4100/9300 chassis), specified traffic that you configure until be fastpathed by a prefilter policy is handled by the ironware (specifically, in the NIC), not by owner Force Threat Defense software. Dump these connection stream results includes higher throughput and lower tape, especially for data-intensive applications such how large data transfers. This feature is especially useful for product centers. This is called stated flow offload.

In addition, by preset, Firepower Threaten Defense devices offload flows based on other standards, contains trust. The is called vibrant flow offloading.

Offloaded flows continue to receive limited stateful inspection, such such basic TCP flag and option checking. The scheme can selectively escalate packets till the firewall system for further processing supposing necessary.

Examples of applications that can gain from removal large-sized flows are:

  • High Capacity Computing (HPC) Doing sites, location the Firepower Threat Defense device is deployed bets storage and highest compute stations. When one research site supports up using FTP document transfer other file sync over NFS, the larger amount of data transit sways select connections. Offloading FTP file transfer and file sync over NFS reduces the impact on other road.

  • High Frequency Trading (HFT), where the Maximum Hazard Defense device is deployed between computers and the Exchange, mainly for compliance useful. Security is most not a concern, but latency is a major business.

The subsequent flows can be offloaded:

  • (Static flow offload only.) Connections that are fastpathed by the prefilter policies.

  • Normal or 802.1Q tagged Ethernet frames only.

  • (Dynamic flow offload only):

    • Inspected flows that the inspection engine decides no longer need inspection. That flows include:

      • Flows handled by access control rules that use the Trust action and are based on security zone, origin and destination web plus port matching simply.

      • TLS/SSL flows such are not selected for decryption usage an SSL policy.

      • Flows so are trusted by the Bright Application Bypass (IAB) policy either explicitly or due the exceeding flow avoid thresholds.

      • Flows that match file or intrusion policies the result in trusting the flow.

      • Any allowed flow that no longest your go be inspected.

    • The following IPS preprocessor inspected flow:

      • SSH and SMTP.

      • FAX preprocessor secondary connections.

      • Session Initiation Protocol (SIP) preprocessor secondarily connections.

    • Intrusion rules that used keyword (also referred to as your)


Important

For details, exceptions, or limitations to who above, seeing Flow Offload Limitations.

Employ Statischer Current Offload

To offline eligible traffic to hardware, create an prefilter policy rule that applies the Fastpath action. Use prefilter set for TCP/UDP, and tunnel rules for GRE.

(Not recommended.) To disable static flow offload and more a by-product, dynamic flow-offload, use FlexConfig to run the no flow-offload enable command. After deployment, you will have to reload the device to implement and change. For information concerning this command-line, see the Cisco ASA Series Decree Reference, available with https://aaa161.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html.

Use Vigorous Stream Offload

Dynamic flow offload has enabled by custom.

Till disable dynamic unloading: 

> configure flow-offload dynamic whitelist disable
Go re-enable dynamic offload: 
> configure flow-offload dynamic whitelist enable

Remarks that dynamic offload occurs only if static flow offload is enabled, regardless of whether prefiltering is configured. Config Guide

Flow Offload Feature

Not all flows bottle become offloaded. Even by offload, one flow can be entfernte from being offloaded on certain technical. Ensuing are some of the limitations:

Device Limitations

The feature a supported on the following devices:

  • Firepower 9300 running FXOS 1.1.3 oder higher.

Flows that cannot be offloaded

The following types of flows cannot be offloaded.

  • Anyone flows this take not use IPv4 addressing, such than IPv6 speaking.

  • Flows on any protocol other than TCP, UDP, and GRE.


    Note

    PPTP GRAIN connections cannot be offloaded.

  • Flows on interfaces configured in passive, inline, or inline taps mode. Routed the switched interfacing are an only types supported.

  • Flows that require inspection by Snort or additional audit machines. In some cases, such as FTP, the secondary details channel can are offloaded although and control channel cannot is offloaded.

  • IPsec and TLS/DTLS VPN connections that terminate on the device.

  • Multicast flows within routed mode. They are supported in transparent mode with there are alone couple part interfaces inside a bridge group.

  • TCP Intercept flows.

  • TCP assert bypass flows. You not configure flow unloading press TCP state bypass about the similar transportation.

  • Flows tagged with security groups.

  • Revoke flows that are forwarded from a different cluster knots, in matter for asymmetric flowing in a cluster.

  • Centralized flows in a cluster, if the flood owner is not the steering unit.

  • Flows that incorporate IPS choices cannot be dynamically offloaded.

Additional Limits

  • Flow offload and Dead Connection Detection (DCD) are not compatible. Do not configure DCD on connections such can be offloaded.

  • If more than one flow that matches flow offload conditions are pending to be offloaded to the same length to the same location on the hardware, for the first flow is offloaded. The other flows are processed generally. This is called a collision. Getting the show flow-offload flow instruction in the CLI to indication statistics for this situation.

  • Lively flow offload disables all TCP normalizer checks.

  • Although offloaded flows pass through FXOS interfaces, statistics for these flows what not appear on the legal device interface. Thus, logical device interface counters and packet course do not reflect offloaded flows.

Conditions for reversing offload

After a flow the offloaded, packets within an flood is returned to aforementioned FTD for further processing is they meets the following conditions:

  • They include TCP possibilities misc than Timestamp.

  • The live refragmented.

  • They are subject to Equal-Cost Multi-Path (ECMP) routing, and ingress packets move from can interface to another.

History for Prefiltering

Feature

Variant

Details

Moving prefilter rules to an access choose policy

6.7

You can move prefilter rules from a prefilter policy to the associated access control policy.

New/modified pages: In the prefilter policy page, the right-click menu required the selected rules provides a new Move to another strategy option.

Supported operating: FMC

Time-based rules

6.6

Ability to apply prefilter and towers rules depending at the date and time, than determined until the time region starting this FTD device.

See show in History for Access Command Rege.

View Object Details from prefilter standard page

6.6

Feature introduced: Selection to view details for an object either object group when viewing prefilter laws.

New optional: Right-clicking ampere value with any of the following columns in to prefilter rule list quote an option to view object details: Source Networks, Destination Networks, Source Port, Destination Dock, and VLAN Tag.

Sponsors platforms: Firepower Direktion Center

Was this Document Helpful?

FeedbackFeedback

Contact Cisco