Firepower Management Center Configuration Guide, Version 6.0.1

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: February 14, 2024

Chapter: Adaptive Profiles

Adaptive Profiles
About Adaptive Profiles
License Requirements for Adaptive Profiles
Requirements and Prerequisites for Adaptive Profiles
Adaptive Profiles and Firepower Recommended Rules
Adaptive Profile Options
Configuring Adaptive Profiles

Adaptive Profiles

The following topics describe how to configure adaptive profiles:

About Adaptive Profiles

Typically, the system uses the static settings in your network analysis policy to preprocess and analyze traffic. With adaptive profiles, the system can adapt processing behavior using host information either detected by network discovery or imported from a third party.

Adaptive profiles, like the target-based profiles you can configure manually in a network analysis policy, help to defragment IP packets and reassemble streams in the same way as the operating system on the target host. The intrusion rules engine then analyzes the data in the same format as that used by the destination host.

Manually configured target-based profiles apply either the default operating system profile you select, or profiles you bind to specific hosts. Adaptive profiles, however, switch to the appropriate operating system profile based on the operating system in the host profile for the target host.

Consider a scenario where you configure adaptive profiles for the 10.6.0.0/16 subnet and set the default IP Defragmentation target-based policy to Linux. The Firepower Management Center where you configure the settings has a network map that includes the 10.6.0.0/16 subnet.

When the system detects traffic from Host A, which is not in the 10.6.0.0/16 subnet, it uses the Linux target-based policy to reassemble IP fragments.
When the system detects traffic from Host B, which is in the 10.6.0.0/16 subnet, it retrieves Host B’s operating system data from the network map. The system uses a profile based on that operating system to defragment the traffic destined for Host B.

License Requirements for Adaptive Profiles

FTD License

Threat

Classic License

Protection

Requirements and Prerequisites for Adaptive Profiles

Model Support

Any.

Supported Domains

Any

User Roles

Admin
Access Admin
Network Admin

Adaptive Profiles and Firepower Recommended Rules

The adaptive profiles feature is an advanced setting in an access control policy that applies globally to all intrusion policies invoked by that access control policy. The Firepower recommended rules feature applies to the individual intrusion policy where you configure it.

Like Firepower recommended rules, adaptive profiles compare metadata in a rule to host information to determine whether a rule should apply for a particular host. However, while Firepower recommended rules provide recommendations for enabling or disabling rules using that information, adaptive profiles use the information to apply specific rules to specific traffic.

Firepower recommended rules require your interaction to implement suggested changes to rule states. Adaptive profiles, on the other hand, do not modify intrusion policies. Adaptive treatment of rules happens on a packet-by-packet basis.

Additionally, Firepower recommended rules can result in enabling disabled rules. Adaptive profiles, in contrast, only affect the application of rules that are already enabled in intrusion policies. Adaptive profiles never change the rule state.

You can use adaptive profiles and Firepower recommended rules in combination. Adaptive profiles use the rule state for a rule when your intrusion policy is deployed to determine whether to include it as a candidate for applying, and your choices to accept or decline recommendations are reflected in that rule state. You can use both features to ensure that you have enabled or disabled the most appropriate rules for each network you monitor, and then to apply enabled rules most efficiently for specific traffic.

Adaptive Profile Options

Adaptive Profiles - Enabled

Enable or disable adaptive profiles

Adaptive Profiles - Attribute Update Interval

You can control how frequently in minutes network map data is synced from the Firepower Management Center to its managed devices. The system uses the data to determine what profiles should be used when processing traffic. Increasing the value for this option can improve performance in a large network.

Adaptive Profiles - Networks

Optionally, you can improve performance by constraining adaptive profiles to a comma-separated list of IP addresses, address blocks, and network variables. If you use a network variable, the system uses the variable's value in the variable set linked to the default intrusion policy for your access control policy. For example, you could enter: 192.168.1.101, 192.168.4.0/24, $HOME_NET. IPv4 and IPv6 are supported.

The default value (0.0.0.0/0) applies adaptive profile updates to all networks.

Note

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. If you enable and enforce adaptive profiles in an ancestor policy, Cisco recommends you keep the default network constraint of 0.0.0.0/0, or use a network variable with a value of any . This setting applies adaptive profiles to all monitored hosts in all subdomains.

Configuring Adaptive Profiles

In a passive deployment, Cisco recommends that you configure adaptive profiles. In an inline deployment, configure the inline normalization preprocessor with the Normalize TCP Payload option enabled.

Caution

Adaptive profiling must be enabled as described in this procedure for access control rules to perform application or file control, including malware protection (AMP), and for intrusion rules to use service metadata. Enabling or disabling adaptive profiles restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Before you begin

The access control policy must have a network discovery policy that is enabled to do host/service discovery, or host data must be imported from a third-party source.

Procedure

Step 1	In the access control policy editor, click Advanced, then click Edit () next to the Detection Enhancement Settings section. If View () appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings.If the configuration is unlocked, uncheck Inherit from base policy to enable editing.
Step 2	Set adaptive profile options as described in Adaptive Profile Options.
Step 3	Click OK.
Step 4	Click Save to save the policy.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)