Each access control policy uses its
default intrusion policy to initially inspect traffic before
the system can determine exactly how to inspect that traffic. This is needed
because sometimes the system must process the first few packets in a
allowing them to pass, before it can decide which access
control rule (if any) will handle the traffic. However, so that these packets
do not reach their destination uninspected, you can use an intrusion
policy—called the default intrusion policy—to inspect them and generate
intrusion events. By default, the default intrusion policy uses the default
A default intrusion policy is especially useful when performing
application control and URL filtering, because the system cannot identify
applications or filter URLs before a connection is fully established between
the client and the server. For example, if a packet matches all the other
conditions in an access control rule with an application or URL condition, it
and subsequent packets are allowed to pass until the connection is established
and application or URL identification is complete, usually 3 to 5 packets.
The system inspects these allowed packets with the default
intrusion policy, which can generate events and, if placed inline, block
malicious traffic. After the system identifies the access control rule or
default action that should handle the connection, the remaining packets in the
connection are handled and inspected accordingly.
When you create an access control policy, its default intrusion
policy depends on the default action you
first chose. Initial default intrusion policies for access
control are as follows:
Balanced Security and Connectivity (a system-provided policy) is
the default intrusion policy for an access control policy where you first chose
Intrusion Prevention default action.
No Rules Active is the default intrusion policy for an access
control policy where you first chose the
Block all traffic or
Network Discovery default action. Although choosing
this option disables intrusion inspection on the allowed packets described
above, it can improve performance if you are not interested in intrusion data.
If you are not performing intrusion inspection (for example, in
a discovery-only deployment), keep the No Rules Active policy as your default
If you change your default action after you create the access
control policy, the default intrusion policy does
not automatically change. To change it manually, use the
access control policy’s advanced options.
You can choose a system- or user-created policy.
The network analysis policy associated with the first matching
network analysis rule preprocesses traffic for the default intrusion policy. If
there are no network analysis rules, or none match, the default network
analysis policy is used.