Firepower Management Center Configuration Guide, Version 6.2.2
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The following topics describe how to configure access control polices to use Intelligent Application Bypass (IAB)
Introduction to IAB
IAB identifies applications that you trust to traverse your network without further inspection if performance and flow thresholds
are exceeded. For example, if a nightly backup significantly impacts system performance, you can configure thresholds that,
if exceeded, trust traffic generated by your backup application.
Optionally, you can configure IAB so that, when an inspection performance threshold is exceeded, IAB trusts all traffic that
exceeds any flow bypass threshold, regardless of the application type.
The system implements IAB on traffic allowed by access control rules or the access control policy's default action, before
the traffic is subject to deep inspection. A test mode allows you to determine whether thresholds are exceeded and, if so,
to identify the application flows that would have been bypassed if you had actually enabled IAB (called bypass mode).
The following graphic illustrates the IAB decision-making process:
IAB Options
State
Enables or disables IAB.
Performance Sample Interval
Specifies the time in seconds
between IAB performance sampling scans, during which the system collects system
performance metrics for comparison to IAB performance thresholds. A value of
0 disables IAB.
Bypassable Applications and Filters
This feature provides two mutually exclusive options:
All applications including unidentified applications
When an inspection performance threshold is exceeded, trusts all traffic that exceeds any flow bypass threshold, regardless
of the application type.
Performance and Flow Thresholds
You must configure at least one inspection performance threshold and one flow bypass threshold. When a performance threshold
is exceeded, the system examines flow thresholds and, if one threshold is exceeded, trusts the specified traffic.If you enable
more than one of either, only one of each must be exceeded.
Inspection performance thresholds provide intrusion inspection performance limits that, if exceeded, trigger the inspection of flow thresholds. IAB does not
use inspection performance thresholds set to 0. You can configure one or more of the following inspection performance thresholds:
Drop Percentage
Average packets dropped as a percentage of total packets, when packets are dropped because of performance overloads caused
by expensive intrusion rules, file policies, decompression, and so on. This does not refer to packets dropped by normal configurations
such as intrusion rules. Note that specifying an integer greater than 1 activates IAB when the specified percentage of packets
is dropped. When you specify 1, any percentage from 0 through 1 activates IAB. This allows a small number of packets to activate IAB.
Processor Utilization Percentage
Average percentage of processor resources used.
Package Latency
Average packet latency in microseconds.
Flow Rate
The rate at which the system processes flows, measured as the number of flows per second. Note that this option configures
IAB to measure flow rate, not flow count.
Flow bypass thresholds provide flow limits that, if exceeded, trigger IAB to trust bypassable application traffic in bypass mode or allow application
traffic subject to further inspection in test mode. IAB does not use flow bypass thresholds set to 0. You can configure one or more of the following flow bypass thresholds:
Bytes per Flow
The maximum number of kilobytes a flow can include.
Packets per Flow
The maximum number of packets a flow can include.
Flow Duration
The maximum number of seconds a flow can remain open.
Flow Velocity
The maximum transfer rate in kilobytes per second.
Requirements and Prerequisites for Intelligent Application Bypass
Model Support
Any
Supported Domains
Any
User Roles
Admin
Access Admin
Network Admin
Configuring Intelligent Application Bypass
Caution
Not all deployments require IAB, and those that do might use it in a limited fashion. Do not enable IAB unless you have expert
knowledge of your network traffic, especially application traffic, and system performance, including the causes of predictable
performance issues. Before you run IAB in bypass mode, make sure that trusting the specified traffic does not expose you to
risk.
Before you begin
For Classic devices, you must have the Control license.
Procedure
Step 1
In the access control policy editor, click Advanced, then click Edit () next to Intelligent Application Bypass Settings.
If View () appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings.If the configuration is unlocked, uncheck Inherit from base policy to enable editing.
Step 2
Configure IAB options:
State—Turn IAB Off or On,
or enable IAB in Test mode.
Performance Sample Interval—Enter the time in seconds between IAB
performance-sampling scans. If you enable IAB, even in test mode, enter a
non-zero value. Entering 0 disables IAB.
Click All applications including unidentified applications so that, when an inspection performance threshold is exceeded, IAB trusts all traffic that exceeds any flow bypass threshold,
regardless of the application type.
Inspection
Performance Thresholds—Click Configure and enter at
least one threshold value.
Flow Bypass
Thresholds—Click Configure and enter at least one
threshold value.
You must specify at least
one inspection performance threshold and one flow bypass threshold; both
must be exceeded for IAB to trust traffic. If you enter more than one
threshold of each type, only one of each type must be exceeded. For detailed
information, see IAB Options.
Step 3
Click OK to save IAB
settings.
Step 4
Click
Save to save the policy.
What to do next
Because some packets must be allowed to pass before an application can be detected, you must configure your system to examine
those packets.
IAB forces an end-of-connection event that logs bypassed flows and flows that would have
been bypassed, regardless of whether you have enabled connection logging. Connection
events indicate flows that are bypassed in bypass mode or that would have been bypassed
in test mode. Custom dashboard widgets and reports based on connection events can
display long-term statistics for bypassed and would-have-bypassed flows.
IAB Connection
Events
Action
When
Reason includes
Intelligent App Bypass:
Allow -
indicates that the applied IAB configuration was in test mode
and traffic for the application specified by
Application Protocol
remains available for inspection.
Trust -
indicates that the applied IAB configuration was in bypass mode
and traffic for the application specified by
Application Protocol
has been trusted to traverse the network
without further inspection.
Reason
Intelligent App Bypass indicates that IAB triggered the
event in bypass or test mode.
Application
Protocol
This field
displays the application protocol that triggered the event.
Example
In the following
truncated graphic, some fields are omitted. The graphic shows the
Action,
Reason, and
Application Protocol fields for two connection
events resulting from different IAB settings in two separate access control
policies.
For the first
event, the
Trust action indicates that IAB was enabled in bypass
mode and Bonjour protocol traffic was trusted to pass without further
inspection.
For the second
event, the
Allow action indicates that IAB was enabled in test
mode, so Ubuntu Update Manager traffic was subject to further inspection but
would have been bypassed if IAB had been in bypass mode.
Example
In the following
truncated graphic, some fields are omitted. The flow in the second event was
both bypassed (Action:
Trust;
Reason:
Intelligent
App Bypass) and inspected by an intrusion rule (Reason:
Intrusion
Monitor). The
Intrusion
Monitor reason indicates that an intrusion rule set to
Generate
Events detected but did not block an exploit during the connection.
In the example, this happened before the application was detected. After the
application was detected, IAB recognized the application as bypassable and
trusted the flow.
IAB Custom
Dashboard Widgets
You can create a
Custom Analysis dashboard widget to display long-term IAB statistics based on
connection events. Specify the following when creating the widget:
Preset:
None
Table:
Application Statistics
Field: any
Aggregate: either
of:
IAB Bypassed
Connections
IAB Would Bypass
Connections
Filter:
any
Examples
In the following
Custom Analysis dashboard widget examples:
The
Bypassed
example shows statistics for application traffic bypassed because the
applications were specified as bypassable and IAB was enabled in bypass mode in
the deployed access control policy.
The
Would Have
Bypassed example shows statistics for application traffic that would have
been bypassed because the applications were specified as bypassable and IAB was
enabled in test mode in the deployed access control policy. .
IAB Custom
Reports
You can create a
custom report to display long-term IAB statistics based on connection events.
Specify the following when creating the report:
Table:
Application Statistics
Preset:
None
Filter: any
X-Axis: any
Y-Axis: either
of:
IAB Bypassed
Connections
IAB Would Bypass
Connections
Examples
The following graphic shows two abbreviated report examples:
The
Bypassed
example shows statistics for application traffic bypassed because the
applications were specified as bypassable and IAB was enabled in bypass mode in
the deployed access control policy.
The Would Have Bypassed example shows statistics for application traffic that would have been bypassed because the applications were specified as
bypassable and IAB was enabled in test mode in the deployed access control policy.