Because preprocessing and intrusion inspection are so closely related, you
must be careful that your configuration allows the network analysis policy
that preprocesses a packet and the intrusion policy that examines it to
complement each other.
By default, the system uses one network analysis policy to
preprocess all traffic handled by managed devices using a single access control
policy. The following diagram shows how a newly created access control policy
in an inline, intrusion-prevention deployment initially handles traffic. The
preprocessing and intrusion prevention phases are highlighted.
Notice how a single default network analysis policy governs the preprocessing
of all traffic handled by the access control policy. Initially, the
system-provided Balanced Security and Connectivity network analysis policy is
the default.
A simple way to tune preprocessing is to create a custom network analysis
policy and use it as the default. Be aware, however, that disabling a
preprocessor in a custom network analysis policy does not guarantee that it
stops running: if the system needs to evaluate preprocessed packets against an
enabled intrusion or preprocessor rule that depends on that preprocessor, it
automatically enables and uses the preprocessor, even though the preprocessor
still shows as disabled in the network analysis policy web interface.
To get the performance benefit of disabling a preprocessor, you must therefore
make sure that none of your intrusion policies have enabled rules that require
that preprocessor.
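As an added illustration (not part of the Firepower documentation), the following Python works out which preprocessors a custom network analysis policy only appears to disable, by collecting the preprocessors that enabled rules in the attached intrusion policies depend on. The GID-to-preprocessor and keyword-to-preprocessor mappings, the policy and rule names, and the rule data are assumptions constructed for this example; check the mappings against your own release's rule documentation.

```python
# Added example (not from the Firepower documentation): given a custom network
# analysis policy (NAP) and the intrusion policies that inspect its traffic,
# report which "disabled" preprocessors the system will enable anyway.
# The mappings and all policy/rule names below are illustrative assumptions.

# Assumed: preprocessor that owns each Snort generator ID (GID) of a
# preprocessor rule.  Confirm against your release's rule documentation.
PREPROCESSOR_BY_GID = {
    119: "http_inspect",
    120: "http_inspect",
    124: "smtp",
    125: "ftp_telnet",
    129: "stream",
}

# Assumed: standard text rules (GID 1) that use these content modifiers need
# the normalized buffers that http_inspect produces.
PREPROCESSOR_BY_KEYWORD = {
    "http_uri": "http_inspect",
    "http_header": "http_inspect",
    "http_client_body": "http_inspect",
}


def rule_dependencies(rule):
    """Preprocessors an intrusion or preprocessor rule needs in order to fire."""
    deps = set()
    if rule["gid"] in PREPROCESSOR_BY_GID:
        deps.add(PREPROCESSOR_BY_GID[rule["gid"]])
    for keyword in rule.get("keywords", ()):
        if keyword in PREPROCESSOR_BY_KEYWORD:
            deps.add(PREPROCESSOR_BY_KEYWORD[keyword])
    return deps


def required_preprocessors(intrusion_policies):
    """Map each preprocessor to the enabled rules (policy, gid:sid) that need it.
    Rule states mirror the web interface: 'generate', 'drop' or 'disabled';
    only the first two count as enabled."""
    needed = {}
    for policy in intrusion_policies:
        for rule in policy["rules"]:
            if rule["state"] == "disabled":
                continue
            for dep in rule_dependencies(rule):
                needed.setdefault(dep, []).append(
                    (policy["name"], f'{rule["gid"]}:{rule["sid"]}'))
    return needed


def effective_preprocessors(nap, intrusion_policies):
    """For each preprocessor in the NAP return
    (configured_enabled, effective_enabled, rules_forcing_it_on)."""
    needed = required_preprocessors(intrusion_policies)
    report = {}
    for name, configured in nap["preprocessors"].items():
        forcing = needed.get(name, [])
        report[name] = (configured, configured or bool(forcing), forcing)
    return report


def silently_reenabled(nap, intrusion_policies):
    """Preprocessors shown as disabled in the NAP that will run anyway."""
    report = effective_preprocessors(nap, intrusion_policies)
    return sorted(name for name, (conf, eff, _) in report.items()
                  if eff and not conf)


# Constructed sample data: a custom NAP that turns off three preprocessors,
# and two intrusion policies whose enabled rules still need two of them.
SAMPLE_NAP = {
    "name": "Custom NAP",
    "preprocessors": {"http_inspect": False, "ftp_telnet": False,
                      "smtp": False, "stream": True},
}
SAMPLE_INTRUSION_POLICIES = [
    {"name": "Intrusion Policy A", "rules": [
        {"gid": 1, "sid": 1000001, "state": "drop", "keywords": ["http_uri"]},
        {"gid": 125, "sid": 3, "state": "generate"},
        {"gid": 124, "sid": 1, "state": "disabled"},   # disabled: does not count
    ]},
    {"name": "Intrusion Policy B", "rules": [
        {"gid": 1, "sid": 1000002, "state": "generate", "keywords": ["content"]},
    ]},
]

if __name__ == "__main__":
    report = effective_preprocessors(SAMPLE_NAP, SAMPLE_INTRUSION_POLICIES)
    for name, (conf, eff, forcing) in report.items():
        print(f"{name:12} configured={conf!s:5} effective={eff!s:5} {forcing}")
    print("silently re-enabled:", silently_reenabled(SAMPLE_NAP, SAMPLE_INTRUSION_POLICIES))
```

With the sample data, `smtp` stays off because its only rule is disabled, while `http_inspect` and `ftp_telnet` are re-enabled by enabled rules in Intrusion Policy A; the report tells you exactly which rules to disable before the preprocessor setting can save any cycles.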
An additional challenge arises if you use multiple custom network analysis
policies. For advanced users with complex deployments, you can tailor
preprocessing to specific security zones, networks, and VLANs by assigning
custom network analysis policies to preprocess matching traffic. (… cannot
restrict preprocessing by VLAN.) To accomplish this, you add custom network
analysis rules to your access control policy. Each rule has an associated
network analysis policy that governs the preprocessing of traffic that matches
the rule.
You configure network analysis rules as an advanced setting in an access
control policy. Unlike other types of rules in the Firepower System, network
analysis rules invoke network analysis policies rather than being contained by
them.
The system matches packets to the configured network analysis rules in
top-down order by rule number; the first rule that matches selects the network
analysis policy. Traffic that does not match any network analysis rule is
preprocessed by the default network analysis policy. While this gives you a
great deal of flexibility in preprocessing traffic, keep in mind that all
packets, regardless of which network analysis policy preprocessed them, are
subsequently matched to access control rules (and thus to potential inspection
by intrusion policies) in a separate process. In other words, preprocessing a
packet with a particular network analysis policy does not guarantee that the
packet will be examined with any particular intrusion policy. You must
carefully configure your access control policy so that it invokes the correct
network analysis and intrusion policies to evaluate a particular packet.
The following diagram shows in focused detail how the network
analysis policy (preprocessing) selection phase occurs before and separately
from the intrusion prevention (rules) phase. For simplicity, the diagram
eliminates the discovery and file/malware inspection phases. It also highlights
the default network analysis and default-action intrusion policies.
In this scenario, an access control policy is configured with
two network analysis rules and a default network analysis policy:
Network Analysis Rule A preprocesses matching traffic with
Network Analysis Policy A. Later, you want this traffic to be inspected by
Intrusion Policy A.
Network Analysis Rule B preprocesses matching traffic with
Network Analysis Policy B. Later, you want this traffic to be inspected by
Intrusion Policy B.
All remaining traffic is preprocessed with the default network
analysis policy. Later, you want this traffic to be inspected by the intrusion
policy associated with the access control policy’s default action.
After the system preprocesses traffic, it can examine the
traffic for intrusions. The diagram shows an access control policy with two
access control rules and a default action:
Access Control Rule A allows matching traffic. The traffic is
then inspected by Intrusion Policy A.
Access Control Rule B allows matching traffic. The traffic is
then inspected by Intrusion Policy B.
The access control policy's default action allows matching traffic. The
traffic is then inspected by the default action's intrusion policy.
Each packet's handling is governed by a network analysis policy and intrusion
policy pair, but the system does not coordinate the pair for you. Consider a
scenario where you misconfigure your access control policy so that Network
Analysis Rule A and Access Control Rule A do not process the same traffic. For
example, you intend the paired policies to govern the handling of traffic on a
particular security zone, but you mistakenly use different zones in the two
rules' conditions. Traffic preprocessed by Network Analysis Policy A would then
be inspected by whichever intrusion policy its access control rule (or the
default action) selects rather than by Intrusion Policy A, and traffic that
Intrusion Policy A does inspect may not have been preprocessed the way that
policy expects. For this reason, tailoring preprocessing using network analysis
rules and custom policies is an advanced task.
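The following Python, added here and not Firepower's own logic, models the two independent selection phases described above (network analysis rule to network analysis policy, then access control rule to intrusion policy) and checks a set of sample packets for pairs that do not match your intent. It reproduces the zone mistake from the scenario and then shows the corrected rule. The zone names, networks, policy names and packets are constructed for illustration.

```python
# Added example (not Firepower's own code): model of the two separate
# selection phases and a check for unintended NAP/intrusion-policy pairs.
# Zone names, networks, policy names and packets are constructed.
import copy
from ipaddress import ip_address, ip_network


def matches(rule, pkt):
    """A rule matches when every condition it specifies is satisfied;
    conditions left empty match anything, as in the web interface."""
    if rule.get("src_zones") and pkt["src_zone"] not in rule["src_zones"]:
        return False
    if rule.get("dst_zones") and pkt["dst_zone"] not in rule["dst_zones"]:
        return False
    if rule.get("dst_networks") and not any(
            ip_address(pkt["dst_ip"]) in ip_network(net)
            for net in rule["dst_networks"]):
        return False
    return True


def select_network_analysis_policy(acp, pkt):
    """Phase 1: first matching network analysis rule, else the default NAP."""
    for rule in acp["network_analysis_rules"]:      # top-down by rule number
        if matches(rule, pkt):
            return rule["network_analysis_policy"]
    return acp["default_network_analysis_policy"]


def select_intrusion_policy(acp, pkt):
    """Phase 2, evaluated independently of phase 1: the first matching access
    control rule decides the intrusion policy.  Only rules that allow traffic
    carry one; None means no intrusion inspection."""
    for rule in acp["access_control_rules"]:
        if matches(rule, pkt):
            return rule.get("intrusion_policy") if rule["action"] == "allow" else None
    return acp["default_action"].get("intrusion_policy")


def policy_pair(acp, pkt):
    return (select_network_analysis_policy(acp, pkt),
            select_intrusion_policy(acp, pkt))


def pairing_mismatches(acp, intended, packets):
    """intended: {network analysis policy: intrusion policy it should pair with}.
    Returns (packet, NAP used, intrusion policy intended, intrusion policy used)
    for every sample packet whose pair is not the intended one."""
    problems = []
    for pkt in packets:
        nap, ips = policy_pair(acp, pkt)
        if nap in intended and intended[nap] != ips:
            problems.append((pkt["name"], nap, intended[nap], ips))
    return problems


# Constructed access control policy reproducing the scenario in the text, with
# the zone mistake: Network Analysis Rule A keys on zone "dmz" but Access
# Control Rule A was written for zone "inside".
MISCONFIGURED_ACP = {
    "network_analysis_rules": [
        {"name": "NA Rule A", "src_zones": {"dmz"},
         "network_analysis_policy": "Network Analysis Policy A"},
        {"name": "NA Rule B", "dst_networks": ["10.20.0.0/16"],
         "network_analysis_policy": "Network Analysis Policy B"},
    ],
    "default_network_analysis_policy": "Balanced Security and Connectivity",
    "access_control_rules": [
        {"name": "AC Rule A", "src_zones": {"inside"}, "action": "allow",
         "intrusion_policy": "Intrusion Policy A"},
        {"name": "AC Rule B", "dst_networks": ["10.20.0.0/16"], "action": "allow",
         "intrusion_policy": "Intrusion Policy B"},
    ],
    "default_action": {"action": "allow",
                       "intrusion_policy": "Default Action Intrusion Policy"},
}
INTENDED_PAIRS = {
    "Network Analysis Policy A": "Intrusion Policy A",
    "Network Analysis Policy B": "Intrusion Policy B",
    "Balanced Security and Connectivity": "Default Action Intrusion Policy",
}
SAMPLE_PACKETS = [   # constructed
    {"name": "dmz-web", "src_zone": "dmz", "dst_zone": "outside", "dst_ip": "192.0.2.10"},
    {"name": "inside-to-lab", "src_zone": "inside", "dst_zone": "lab", "dst_ip": "10.20.1.5"},
    {"name": "outside-to-web", "src_zone": "outside", "dst_zone": "dmz", "dst_ip": "203.0.113.7"},
]


def with_zone_fixed(acp):
    """Corrected copy: Access Control Rule A uses the same zone as NA Rule A."""
    fixed = copy.deepcopy(acp)
    fixed["access_control_rules"][0]["src_zones"] = {"dmz"}
    return fixed


if __name__ == "__main__":
    print("misconfigured:", pairing_mismatches(MISCONFIGURED_ACP, INTENDED_PAIRS, SAMPLE_PACKETS))
    fixed_acp = with_zone_fixed(MISCONFIGURED_ACP)
    print("fixed:", pairing_mismatches(fixed_acp, INTENDED_PAIRS, SAMPLE_PACKETS))
```

The misconfigured policy breaks the pairing in both directions: the `dmz-web` packet is preprocessed by Network Analysis Policy A but falls through to the default action's intrusion policy, while `inside-to-lab` is preprocessed by Network Analysis Policy B yet inspected by Intrusion Policy A because the mistyped zone on Access Control Rule A catches it. Once the rule uses the same zone as its network analysis counterpart, every sample packet gets the intended pair.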
Note that for a single connection, although the system selects a
network analysis policy before an access control rule, some preprocessing
(notably application layer preprocessing) occurs after access control rule
selection. This does
not affect how you configure preprocessing in custom network