Cisco ASA with FirePOWER Services Local Management Configuration Guide
Intelligent Application Bypass (IAB)
The following topics describe how to configure access control policies to use Intelligent Application Bypass:
Introduction to IAB
Intelligent Application Bypass (IAB) identifies applications that you trust to traverse your network without further inspection if performance and flow thresholds are exceeded. For example, if a nightly backup significantly impacts system performance, you can configure thresholds that, if exceeded, trust traffic generated by your backup application. Optionally, you can configure IAB so that, when an inspection performance threshold is exceeded, IAB trusts all traffic that exceeds any flow bypass threshold, regardless of the application type; this option requires a Version 6.0.1.4 or subsequent 6.0.1.x patch.
The system implements IAB on traffic allowed by access control rules or the access control policy's default action, before the traffic is subject to deep inspection. A test mode allows you to determine whether thresholds are exceeded and, if so, to identify the application flows that would have been bypassed if you had actually enabled IAB (called bypass mode).
The following graphic illustrates the IAB decision-making process:
IAB Options
The sampling interval specifies the time in seconds between IAB performance sampling scans, during which the system collects system performance metrics for comparison to IAB performance thresholds. A value of 0 disables IAB.
Bypassable Applications and Filters
This feature provides two mutually exclusive options:
- An applications and filters editor, where you specify bypassable applications and sets of applications (filters) in essentially the same ways you specify application conditions in access control rules. See Controlling Application Traffic for more information.
- All applications including unidentified applications, which, when an inspection performance threshold is exceeded, trusts all traffic that exceeds any flow bypass threshold, regardless of the application type. This option requires a Version 6.0.1.4 or subsequent 6.0.1.x patch.
Inspection Performance Thresholds
Inspection performance thresholds provide intrusion inspection performance limits that, if exceeded, trigger inspection of flow thresholds. IAB does not use inspection performance thresholds set to 0.
Note Inspection performance and flow bypass thresholds are disabled by default. You must enable at least one of each, and one of each must be exceeded for IAB to trust traffic. If you enable more than one inspection performance or flow bypass threshold, only one of each must be exceeded for IAB to trust traffic.
- Average packets dropped as a percentage of total packets, when packets are dropped because of performance overloads caused by expensive intrusion rules, file policies, decompression, and so on. This does not refer to packets dropped by normal configurations such as intrusion rules. Specifying an integer greater than 1 activates IAB when that percentage of packets is dropped; specifying 1 activates IAB for any drop percentage from 0 through 1, so that a small number of dropped packets can activate IAB.
- Processor Utilization Percentage: average percentage of processor resources used.
- Average packet latency in microseconds.
- The rate at which the system processes flows, measured as the number of flows per second. Note that this option configures IAB to measure flow rate, not flow count.
Flow Bypass Thresholds
Flow bypass thresholds provide flow limits that, if exceeded, trigger IAB to trust bypassable application traffic in bypass mode or allow application traffic subject to further inspection in test mode. IAB does not use flow bypass thresholds set to 0.
- The maximum number of kilobytes a flow can include.
- The maximum number of packets a flow can include.
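The decision process described in this section, modelled in Python as an added example (not Cisco code): the `IabConfig` field names, the `PerfSample` and `Flow` records and all sample values are assumptions chosen to mirror the options above, and the reading of the packet-drop note (a setting of 1 fires on any drops, a larger setting once that percentage is reached) is marked in the code.

```python
from collections import namedtuple
from dataclasses import dataclass

# One performance sampling scan's metrics, and one flow's size (values are constructed).
PerfSample = namedtuple("PerfSample", "packet_drop_pct cpu_pct latency_us flows_per_sec")
Flow = namedtuple("Flow", "app kilobytes packets")  # app None: application not identified

@dataclass
class IabConfig:
    """Assumed field names mirroring the IAB options; 0 means a threshold is not used."""
    sample_interval_s: int = 5      # performance sample interval; 0 disables IAB
    # Inspection performance thresholds
    packet_drop_pct: int = 0
    cpu_pct: int = 0
    latency_us: int = 0
    flows_per_sec: int = 0
    # Flow bypass thresholds
    kb_per_flow: int = 0
    packets_per_flow: int = 0
    bypass_apps: frozenset = frozenset()
    all_apps: bool = False  # "All applications including unidentified applications"
    test_mode: bool = False # True: report what would be bypassed, keep inspecting

def _over(setting, value):
    return setting != 0 and value > setting  # disabled thresholds never trigger

def perf_exceeded(cfg, s):
    """One exceeded inspection performance threshold is enough."""
    # Reading of the packet-drop note: a setting of 1 fires on any drop above 0
    # (through 1 percent); a larger setting fires once that percentage is reached.
    if cfg.packet_drop_pct == 1:
        drop_hit = s.packet_drop_pct > 0
    else:
        drop_hit = cfg.packet_drop_pct != 0 and s.packet_drop_pct >= cfg.packet_drop_pct
    return (drop_hit or _over(cfg.cpu_pct, s.cpu_pct)
            or _over(cfg.latency_us, s.latency_us)
            or _over(cfg.flows_per_sec, s.flows_per_sec))

def flow_exceeded(cfg, f):
    """One exceeded flow bypass threshold is enough."""
    return _over(cfg.kb_per_flow, f.kilobytes) or _over(cfg.packets_per_flow, f.packets)

def iab_decision(cfg, s, f):
    """'inspect': deep inspection as usual; 'trust': bypassed; 'would_bypass': test mode."""
    if cfg.sample_interval_s == 0 or not (perf_exceeded(cfg, s) and flow_exceeded(cfg, f)):
        return "inspect"                     # IAB disabled or thresholds not exceeded
    bypassable = cfg.all_apps or f.app in cfg.bypass_apps
    return ("would_bypass" if cfg.test_mode else "trust") if bypassable else "inspect"
```

Note that a configuration with no inspection performance threshold or no flow bypass threshold enabled never trusts anything, matching the guide's requirement to enable at least one of each.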
Configuring IAB
To identify applications that you trust to traverse your network when thresholds are exceeded:
Step 1 In the access control policy editor, click the Advanced tab, then click the edit icon next to Intelligent Application Bypass Settings.
If a view icon appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If the configuration is unlocked, uncheck Inherit from base policy to enable editing.
Step 2 Configure the IAB options:
– Click the number of bypassed applications and filters and specify the applications whose traffic you want to bypass, in essentially the same ways you specify application conditions in access control rules. See Controlling Application Traffic for more information.
– Click All applications including unidentified applications so that, when an inspection performance threshold is exceeded, IAB trusts all traffic that exceeds any flow bypass threshold, regardless of the application type. This option requires a Version 6.0.1.4 or subsequent 6.0.1.x patch.
You must specify at least one inspection performance threshold and one flow bypass threshold; both must be exceeded for IAB to trust traffic. If you enter more than one threshold of each type, only one of each type must be exceeded. For detailed information, see IAB Options.
Step 3 Click OK to save IAB settings.
Step 4 Click Save to save the policy.
- Deploy configuration changes; see Deploying Configuration Changes.
IAB Logging and Analysis
IAB forces an end-of-connection event that logs bypassed flows and flows that would have been bypassed, regardless of whether you have enabled connection logging. Connection events indicate flows that are bypassed in bypass mode or that would have been bypassed in test mode. Custom dashboard widgets and reports based on connection events can display long-term statistics for bypassed and would-have-bypassed flows.
Action
When Reason includes Intelligent App Bypass:
- Allow indicates that the applied IAB configuration was in test mode and traffic for the application specified by Application Protocol remains available for inspection.
- Trust indicates that the applied IAB configuration was in bypass mode and traffic for the application specified by Application Protocol has been trusted to traverse the network without further inspection.
Reason
Intelligent App Bypass indicates that IAB triggered the event in bypass or test mode.
Application Protocol
This field displays the application protocol that triggered the event.
In the following truncated graphic, some fields are omitted. The graphic shows the Action, Reason, and Application Protocol fields for two connection events resulting from different IAB settings in two separate access control policies.
For the first event, the Trust action indicates that IAB was enabled in bypass mode and Bonjour protocol traffic was trusted to pass without further inspection.
For the second event, the Allow action indicates that IAB was enabled in test mode, so Ubuntu Update Manager traffic was subject to further inspection but would have been bypassed if IAB had been in bypass mode.
In the following truncated graphic, some fields are omitted. The flow in the second event was both bypassed (Action: Trust; Reason: Intelligent App Bypass) and inspected by an intrusion rule (Reason: Intrusion Monitor). The Intrusion Monitor reason indicates that an intrusion rule set to Generate Events detected but did not block an exploit during the connection. In the example, this happened before the application was detected. After the application was detected, IAB recognized the application as bypassable and trusted the flow.
You can create a Custom Analysis dashboard widget to display long-term IAB statistics based on connection events. Specify the following when creating the widget:
– IAB Would Bypass Connections
In the following Custom Analysis dashboard widget examples:
- The Bypassed example shows statistics for application traffic bypassed because the applications were specified as bypassable and IAB was enabled in bypass mode in the deployed access control policy.
- The Would Have Bypassed example shows statistics for application traffic that would have been bypassed because the applications were specified as bypassable and IAB was enabled in test mode in the deployed access control policy.
You can create a custom report to display long-term IAB statistics based on connection events. Specify the following when creating the report:
– IAB Would Bypass Connections
The following graphic shows two abbreviated report examples:
- The Bypassed example shows statistics for application traffic bypassed because the applications were specified as bypassable and IAB was enabled in bypass mode in the deployed access control policy.
- The Would Have Bypassed example shows statistics for application traffic that would have been bypassed because the applications were specified as bypassable and IAB was enabled in test mode in the deployed access control policy.
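An added example (not Cisco software) that derives the Bypassed and Would Have Bypassed counts described in this section from exported connection events, using the Action, Reason and Application Protocol fields explained above, and that also lists flows whose Reason carried both Intelligent App Bypass and Intrusion Monitor. The CSV layout, the comma-separated Reason list and the event rows are constructed assumptions about an export.

```python
import csv
import io
from collections import Counter

IAB_REASON = "Intelligent App Bypass"

# Constructed connection-event export (assumed CSV layout): bypass-mode Trust
# events, test-mode Allow events, one IAB event that also carries an
# Intrusion Monitor reason, and one ordinary event without IAB.
SAMPLE_EVENTS = """\
Action,Reason,Application Protocol
Trust,Intelligent App Bypass,Bonjour
Allow,Intelligent App Bypass,Ubuntu Update Manager
Trust,"Intelligent App Bypass, Intrusion Monitor",Bonjour
Trust,Intelligent App Bypass,Bonjour
Allow,Intrusion Monitor,HTTP
Allow,Intelligent App Bypass,Ubuntu Update Manager
"""

def reasons(event):
    """Split the Reason field; one event can carry several reasons."""
    return {r.strip() for r in event["Reason"].split(",")}

def classify(event):
    """'bypassed' (Trust, bypass mode), 'would_bypass' (Allow, test mode) or None."""
    if IAB_REASON not in reasons(event):
        return None                      # IAB did not trigger this event
    return {"Trust": "bypassed", "Allow": "would_bypass"}.get(event["Action"])

def iab_summary(csv_text):
    """Per-application counts, like the Bypassed / Would Have Bypassed presets."""
    summary = {"bypassed": Counter(), "would_bypass": Counter()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row)
        if kind:
            summary[kind][row["Application Protocol"]] += 1
    return summary

def trusted_after_intrusion_event(csv_text):
    """Applications IAB trusted although an intrusion rule had already flagged
    the flow (Reason lists both Intelligent App Bypass and Intrusion Monitor)."""
    return [row["Application Protocol"]
            for row in csv.DictReader(io.StringIO(csv_text))
            if classify(row) == "bypassed" and "Intrusion Monitor" in reasons(row)]

if __name__ == "__main__":
    for kind, counts in iab_summary(SAMPLE_EVENTS).items():
        print(kind, dict(counts))
    print("trusted after intrusion event:", trusted_after_intrusion_event(SAMPLE_EVENTS))
```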