Transport and Network Layer Preprocessors

The following topics explain transport and network layer preprocessors and how to configure them:

Introduction to Transport and Network Layer Preprocessors

Transport and network layer preprocessors detect attacks that exploit IP fragmentation, checksum validation, and TCP and UDP session handling. Before packets are sent to preprocessors, the packet decoder converts packet headers and payloads into a format that the preprocessors and the intrusion rules engine can use directly, and detects various anomalous behaviors in packet headers. After packet decoding and before the packets are sent to other preprocessors, the inline normalization preprocessor normalizes traffic in inline deployments.

When an intrusion rule or rule argument requires a disabled preprocessor, the system automatically uses it with its current configuration even though it remains disabled in the network analysis policy’s web interface.


Note


Snort 2 is not supported on threat defense Version 7.7. For information on Snort 2 features that are supported in versions earlier than 7.7, refer to the Firewall Management Center guide that matches your Firewall Threat Defense version.


License Requirements for Transport and Network Layer Preprocessors

Threat Defense License

IPS

Requirements and Prerequisites for Transport and Network Layer Preprocessors

Model Support

Any.

Supported Domains

Any

User Roles

  • Admin

  • Intrusion Admin

Advanced Transport/Network Preprocessor Settings

Advanced transport and network preprocessor settings apply globally to all networks, zones, and VLANs where you deploy your access control policy. You configure these advanced settings in an access control policy rather than in a network analysis policy.

Ignored VLAN Headers

Different VLAN tags in traffic traveling in different directions for the same connection can affect traffic reassembly and rule processing. For example, in the following graphic traffic for the same connection could be transmitted over VLAN A and received over VLAN B.

Diagram showing traffic for a single connection that could be transmitted over two VLANs

You can configure the system to ignore the VLAN header so packets can be correctly processed for your deployment.

Active Responses in Intrusion Drop Rules

A drop rule is an intrusion or preprocessor rule whose rule state is set to Drop and Generate Events. In an inline deployment, the system responds to TCP or UDP drop rules by dropping the triggering packet and blocking the session where the packet originated.


Tip


Because UDP data streams are not typically thought of in terms of sessions, the stream preprocessor uses the source and destination IP address fields in the encapsulating IP datagram header and the port fields in the UDP header to determine the direction of flow and identify a UDP session.


You can configure the system to initiate one or more active responses to more precisely and specifically close a TCP connection or UDP session when an offending packet triggers a TCP or UDP drop rule. You can use active responses in inline, including routed and transparent, deployments. Active responses are not suited or supported for passive deployments.

To configure active responses:

  • Create or modify a TCP or UDP intrusion rule. UDP rules support the resp keyword only; the react keyword applies to TCP rules.

  • Add the react or resp keyword to the intrusion rule; see Active Response Keywords.

  • Optionally, for a TCP connection, specify the maximum number of additional active responses to send and the number of seconds to wait between active responses; see Maximum Active Responses and Minimum Response Seconds in Advanced Transport/Network Preprocessor Options.

Active responses close the session when matching traffic triggers a drop rule, as follows:

  • TCP—drops the triggering packet and inserts a TCP Reset (RST) packet in both the client and server traffic.

  • UDP—sends an ICMP unreachable packet to each end of the session.

Advanced Transport/Network Preprocessor Options

Ignore the VLAN header when tracking connections

Specifies whether to ignore or include VLAN headers when identifying traffic, as follows:

  • When this option is selected, the system ignores VLAN headers. Use this setting for deployed devices that might see different VLAN tags for the same connection in traffic traveling in different directions.

  • When this option is disabled, the system includes VLAN headers. Use this setting for deployed devices that will not see different VLAN tags for the same connection in traffic traveling in different directions.
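The following Python model illustrates why the option matters for the VLAN A / VLAN B case shown above. It is an added example, not Cisco or Snort code; the Packet, flow_key and group_sessions names and the sample traffic are constructed for this illustration. With the VLAN ID in the session key, a connection tagged differently in each direction becomes two one-directional sessions, which a stream reassembler cannot reassemble; with the VLAN ID ignored, both directions map to one session.

```python
"""Flow-key model for the "Ignore the VLAN header when tracking connections" option.

Added illustration for this page; it is not Cisco or Snort code. Packet, flow_key
and group_sessions are names invented here.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str               # "tcp" or "udp"
    vlan: Optional[int]      # 802.1Q VLAN ID, or None when the frame is untagged
    payload: bytes = b""


def flow_key(pkt: Packet, ignore_vlan: bool) -> Tuple:
    """Direction-independent session key.

    The two endpoints are sorted so that client->server and server->client
    packets of the same connection produce the same key. When ignore_vlan is
    False the VLAN ID is part of the key, so frames of one connection that are
    tagged differently per direction land in different sessions.
    """
    endpoints = tuple(sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]))
    vlan = None if ignore_vlan else pkt.vlan
    return (pkt.proto, endpoints, vlan)


def group_sessions(packets: List[Packet], ignore_vlan: bool) -> Dict[Tuple, List[Packet]]:
    """Bucket packets into sessions exactly as a tracker keyed by flow_key would."""
    sessions: Dict[Tuple, List[Packet]] = defaultdict(list)
    for pkt in packets:
        sessions[flow_key(pkt, ignore_vlan)].append(pkt)
    return dict(sessions)


def bidirectional_session_count(packets: List[Packet], ignore_vlan: bool) -> int:
    """Number of tracked sessions in which traffic was seen in both directions.

    Stream reassembly needs both directions; a session that only ever shows one
    direction cannot be reassembled, and rules that inspect reassembled stream
    data will not match against it.
    """
    count = 0
    for pkts in group_sessions(packets, ignore_vlan).values():
        senders = {(p.src_ip, p.src_port) for p in pkts}
        if len(senders) == 2:
            count += 1
    return count


# Constructed sample traffic: one HTTP connection whose client->server frames
# arrive tagged VLAN 10 and whose server->client frames arrive tagged VLAN 20.
SAMPLE_PACKETS = [
    Packet("10.1.1.5", 40000, "192.0.2.10", 80, "tcp", 10, b"GET / HTTP/1.1\r\n"),
    Packet("192.0.2.10", 80, "10.1.1.5", 40000, "tcp", 20, b"HTTP/1.1 200 OK\r\n"),
    Packet("10.1.1.5", 40000, "192.0.2.10", 80, "tcp", 10, b"GET /a HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for ignore in (False, True):
        sessions = group_sessions(SAMPLE_PACKETS, ignore)
        print(f"ignore VLAN header = {ignore}: {len(sessions)} session(s), "
              f"{bidirectional_session_count(SAMPLE_PACKETS, ignore)} bidirectional")
        for key, pkts in sessions.items():
            print("  ", key, "->", len(pkts), "packet(s)")
```

Running the script with the sample shows two sessions and no bidirectional session when the VLAN header is tracked, and one bidirectional session when it is ignored. The practical check on a real deployment is the same: if connection events for a known-bidirectional flow show only one direction per session, look at the VLAN tags on the two paths before tuning rules.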

Maximum Active Responses

Specifies a maximum number of active responses per TCP connection. When additional traffic occurs on a connection where an active response has been initiated, and the traffic occurs more than Minimum Response Seconds after a previous active response, the system sends another active response unless the specified maximum has been reached. A setting of 0 disables additional active responses triggered by resp or react rules. See Active Responses in Intrusion Drop Rules and Active Response Keywords.

Note that a triggered resp or react rule initiates an active response regardless of the configuration of this option.

Minimum Response Seconds

Specifies the number of seconds that must elapse after an active response before additional traffic on the same connection causes the system to send another active response. This applies until the Maximum Active Responses limit is reached.
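The following Python model works through how the two options above pace additional active responses after a TCP or UDP drop rule fires, as described in Active Responses in Intrusion Drop Rules. It is an added example, not Cisco or Snort code; plan_active_responses, response_packets and the sample packet timeline are constructed for this illustration. Because the page documents both options for TCP connections, the model sends only the rule-triggered response for UDP.

```python
"""Model of active-response pacing on a connection after a drop rule fires.

Added illustration for this page, not Cisco or Snort code. Semantics applied:
the response triggered by the resp/react rule is always sent; each later packet
on the same connection earns one more response only if more than Minimum
Response Seconds have passed since the previous response and fewer than
Maximum Active Responses additional responses have been sent; a maximum of 0
disables additional responses.
"""
from typing import List, Tuple


def response_packets(proto: str) -> List[str]:
    """Packets injected by one active response, per the page's description."""
    if proto == "tcp":
        return ["TCP RST toward client", "TCP RST toward server"]
    if proto == "udp":
        return ["ICMP unreachable toward client", "ICMP unreachable toward server"]
    raise ValueError(f"unsupported protocol: {proto}")


def plan_active_responses(
    proto: str,
    packet_times: List[float],
    max_active_responses: int,
    min_response_seconds: float,
) -> List[Tuple[float, str]]:
    """Return (time, reason) for every active response the system would send.

    packet_times are offsets in seconds of the packets seen on one connection;
    the first entry is the packet that triggered the drop rule. Later entries
    are packets that keep arriving on the already blocked connection.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    if max_active_responses < 0 or min_response_seconds < 0:
        raise ValueError("option values must be non-negative")
    if not packet_times:
        return []

    # The rule-triggered response is sent regardless of Maximum Active Responses.
    sent: List[Tuple[float, str]] = [(packet_times[0], "rule trigger")]
    if proto != "tcp":
        return sent                      # pacing options are documented for TCP only

    last_response_at = packet_times[0]
    additional = 0
    for t in packet_times[1:]:
        if additional >= max_active_responses:
            break                        # limit reached; remaining packets get no response
        if t - last_response_at > min_response_seconds:
            additional += 1
            last_response_at = t
            sent.append((t, f"additional response {additional}"))
    return sent


# Constructed timeline: the offending packet at t=0, then five more packets on
# the same connection over the next 12 seconds.
SAMPLE_TIMES = [0.0, 0.5, 3.0, 3.2, 7.0, 12.0]


if __name__ == "__main__":
    for max_resp, min_sec in ((2, 2.0), (0, 2.0), (5, 0.0)):
        plan = plan_active_responses("tcp", SAMPLE_TIMES, max_resp, min_sec)
        print(f"max={max_resp} min_seconds={min_sec}: {len(plan)} response(s)")
        for t, reason in plan:
            print(f"  t={t:>5}s {reason}: {', '.join(response_packets('tcp'))}")
```

With Maximum Active Responses 2 and Minimum Response Seconds 2, the sample timeline produces three responses (at 0, 3.0 and 7.0 seconds); the packets at 0.5 and 3.2 seconds fall inside the minimum interval and the packet at 12 seconds arrives after the limit is reached. Setting the maximum to 0 leaves only the rule-triggered response, and a minimum of 0 with a generous maximum answers every packet, which is the configuration to avoid on a busy sensor because each extra response is more packets the device must craft and send.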

Troubleshooting Options: Session Termination Logging Threshold


Caution


Do not modify Session Termination Logging Threshold unless instructed to do so by Support.


Support might ask you during a troubleshooting call to configure your system to log a message when an individual connection exceeds the specified threshold. Changing the setting for this option will affect performance and should be done only with Support guidance.

This option specifies a byte count. When a session terminates after exceeding that number of bytes, the system logs a message for the session.


Note


The upper limit of 1 GB is also restricted by the amount of memory on the managed device allocated for stream processing.


Configuring Advanced Transport/Network Preprocessor Settings

You must be an Admin, Access Admin, or Network Admin to perform this task.

Procedure


Step 1

In the access control policy editor, click Edit (edit icon) on the policy you want to modify.

Step 2

Click More > Advanced Settings, and then click Edit (edit icon) next to the Transport/Network Preprocessor Settings section.

Step 3

Except for the troubleshooting option Session Termination Logging Threshold, modify the options described in Advanced Transport/Network Preprocessor Options.

Caution


Do not modify Session Termination Logging Threshold unless instructed to do so by Support.

Step 4

Click OK.


What to do next