Customizing Traffic Preprocessing
Many of the advanced settings in an access control policy govern intrusion detection and prevention configurations that require specific expertise to configure. Advanced settings typically require little or no modification and are not common to every deployment.
This chapter explains how to set the following preferences:
- Setting the Default Intrusion Policy for Access Control explains how to change the access control policy’s default intrusion policy, which is used to initially inspect traffic before the system can determine exactly how to inspect that traffic.
- Customizing Preprocessing with Network Analysis Policies explains how to tailor certain traffic preprocessing options to specific security zones, networks, and VLANs by assigning custom network analysis policies to preprocess matching traffic.
Other chapters describe policy-wide preprocessing and performance options for access control policies. For more information, see:
Setting the Default Intrusion Policy for Access Control
Each access control policy uses its default intrusion policy to initially inspect traffic before the system can determine exactly how to inspect that traffic. This is needed because sometimes the system must process the first few packets in a connection, allowing them to pass, before it can decide which access control rule (if any) will handle the traffic. However, so that these packets do not reach their destination uninspected, you can use an intrusion policy—called the default intrusion policy—to inspect them and generate intrusion events.
A default intrusion policy is especially useful when performing application control and URL filtering, because the system cannot identify applications or filter URLs before a connection is fully established between the client and the server. For example, if a packet matches all the other conditions in an access control rule with an application or URL condition, it and subsequent packets are allowed to pass until the connection is established and application or URL identification is complete, usually 3 to 5 packets.
The system inspects these allowed packets with the default intrusion policy, which can generate events and, if placed inline, block malicious traffic. After the system identifies the access control rule or default action that should handle the connection, the remaining packets in the connection are handled and inspected accordingly.
When you create an access control policy, its default intrusion policy depends on the default action you first chose. Initial default intrusion policies for access control are as follows:
- Balanced Security and Connectivity (a system-provided policy) is the default intrusion policy for an access control policy where you first chose the Intrusion Prevention default action.
- No Rules Active is the default intrusion policy for an access control policy where you first chose the Block all traffic or Network Discovery default action. Although choosing this option disables intrusion inspection on the allowed packets described above, it can improve performance if you are not interested in intrusion data.
Note If you are not performing intrusion inspection (for example, in a discovery-only deployment where you are not licensed for Protection), keep the No Rules Active policy as your default intrusion policy. For more information, see IPS or Discovery-Only Performance Considerations.
Note that if you change your default action after you create the access control policy, the default intrusion policy does not automatically change. To change it manually, use the access control policy’s advanced options.
To change an access control policy’s default intrusion policy:
Access: Admin/Access Admin/Network Admin
Step 1 In the access control policy where you want to change the default intrusion policy, select the Advanced tab, then click the edit icon next to the Network Analysis and Intrusion Policies section.
The Network and Analysis Policies dialog box appears.
Step 2 From the Intrusion Policy used before Access Control rule is determined drop-down list, select a default intrusion policy. You can choose a system- or user-created policy.
Note that if you choose a user-created policy, you can click the edit icon to edit the policy in a new window. You cannot edit system-provided policies.
Step 3 Choose the variable set matched with the selected policy.
Optionally, use the Intrusion Policy Variable Set drop-down list to change the variable set associated with the selected intrusion policy. You can also edit the selected variable set in a new window by clicking the edit icon. If you do not change the variable set, the system uses a default set. For more information, see Working with Variable Sets.
Step 4 Click OK to save your changes.
You must apply the access control policy for your changes to take effect.
Customizing Preprocessing with Network Analysis Policies
Supported Devices: feature dependent
Network analysis policies govern how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt. This traffic preprocessing occurs after Security Intelligence blacklisting and traffic decryption, but before intrusion policies inspect packets in detail. By default, the system-provided Balanced Security and Connectivity network analysis policy applies to all traffic handled by an access control policy.
Tip The system-provided Balanced Security and Connectivity network analysis policy and the Balanced Security and Connectivity intrusion policy work together and can both be updated in intrusion rule updates. However, the network analysis policy governs mostly preprocessing options, whereas the intrusion policy governs mostly intrusion rules.
A simple way to tune preprocessing is to create and use a custom network analysis policy as the default; see Creating a Custom Network Analysis Policy. Tuning options available vary by preprocessor.
For advanced users with complex deployments, you can create multiple network analysis policies, each tailored to preprocess traffic differently. Then, you can configure the system to use those policies to govern the preprocessing of traffic using different security zones, networks, or VLANs. (Note that ASA FirePOWER devices cannot restrict preprocessing by VLAN.)
To accomplish this, you add custom network analysis rules to your access control policy. Each rule has:
- a set of rule conditions that identifies the specific traffic you want to preprocess
- an associated network analysis policy that you want to use to preprocess traffic that meets all the rule’s conditions
When it is time for the system to preprocess traffic, it matches packets to network analysis rules in top-down order by rule number. Traffic that does not match any network analysis rules is preprocessed by the default network analysis policy.
Note If you disable a preprocessor but the system needs to evaluate preprocessed packets against an enabled intrusion or preprocessor rule, the system automatically enables and uses the preprocessor although it remains disabled in the network analysis policy web interface.
Tailoring preprocessing, especially using multiple custom network analysis policies, is an advanced task. Because preprocessing and intrusion inspection are so closely related, you must be careful that you allow the network analysis and intrusion policies examining a single packet to complement each other. For more information, see Limitations of Custom Policies.
For more information, see the following sections:
- Setting the Default Network Analysis Policy for Access Control
- Specifying Traffic to Preprocess Using Network Analysis Rules
- Managing Network Analysis Rules
Setting the Default Network Analysis Policy for Access Control
By default, the system-provided Balanced Security and Connectivity network analysis policy applies to all traffic handled by an access control policy. If you add network analysis rules to tailor traffic preprocessing options, the default network analysis policy preprocesses all traffic not handled by those rules.
An access control policy’s advanced settings allow you to change this default policy.
To change an access control policy’s default network analysis policy:
Access: Admin/Access Admin/Network Admin
Step 1 In the access control policy where you want to change the default network analysis policy, select the Advanced tab, then click the edit icon next to the Network Analysis and Intrusion Policies section.
The Network and Analysis Policies dialog box appears.
Step 2 From the Default Network Analysis Policy drop-down list, select a default network analysis policy. You can choose a system- or user-created policy.
Note that if you choose a user-created policy, you can click the edit icon to edit the policy in a new window. You cannot edit system-provided policies.
Step 3 Click OK to save your changes.
You must apply the access control policy for your changes to take effect.
Specifying Traffic to Preprocess Using Network Analysis Rules
Supported Devices: feature dependent
Within your access control policy’s advanced settings, you can use network analysis rules to tailor preprocessing configurations to network traffic. Similar to access control rules, network analysis rules are numbered, starting at 1.
When it is time for the system to preprocess traffic, it matches packets to network analysis rules in top-down order by ascending rule number, and preprocesses traffic according to the first rule where all the rule’s conditions match. The conditions you can add to a rule are described in the following table.
Condition | Matches traffic | Details
Security Zone | entering or leaving a device via an interface in a specific security zone | A security zone is a logical grouping of one or more interfaces according to your deployment and security policies. Interfaces in a zone may be located across multiple devices. To build a zone condition, see Preprocessing Traffic Per Zone.
Network | by its source or destination IP address, country, or continent | You can explicitly specify IP addresses. To build a network condition, see Preprocessing Traffic Per Network.
VLAN | by its innermost VLAN tag | The system uses the innermost VLAN tag to identify a packet by VLAN. Note that the ASA FirePOWER cannot restrict preprocessing by VLAN. To build a VLAN condition, see Preprocessing Traffic Per VLAN.
If you do not configure a particular condition for a rule, the system does not match traffic based on that criterion. For example, a rule with a network condition but no zone condition evaluates traffic based on its source or destination IP address, regardless of its ingress or egress interface. Traffic that does not match any network analysis rules is preprocessed by the default network analysis policy.
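The matching behaviour described above (rules tried in ascending rule number, a rule matching only when every configured condition matches, an unconfigured condition acting as a wildcard, the innermost VLAN tag identifying the VLAN, and unmatched traffic falling through to the default network analysis policy) can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not Cisco code or a FireSIGHT configuration format. The zone names, address blocks, VLAN ranges and policy names in it are constructed for the example, and the 50-item cap and 1–4094 VLAN range come from this chapter.

```python
"""Model of network analysis rule evaluation (added example, not Cisco code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MAX_ITEMS = 50                 # documented cap on entries per condition list
VLAN_MIN, VLAN_MAX = 1, 4094   # documented valid VLAN tag range
DEFAULT_POLICY = "Balanced Security and Connectivity"  # system-provided default


def parse_vlan_tags(spec: str) -> set[int]:
    """Expand comma-separated tags and hyphenated ranges ("10, 100-103") into a
    set of ints, rejecting tags outside 1-4094 or more than 50 entries.
    An empty spec means the rule has no VLAN condition."""
    items = [p.strip() for p in spec.split(",") if p.strip()]
    if len(items) > MAX_ITEMS:
        raise ValueError(f"more than {MAX_ITEMS} VLAN tag items")
    tags: set[int] = set()
    for item in items:
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX:
            raise ValueError(f"invalid VLAN tag or range: {item!r}")
        tags.update(range(lo_i, hi_i + 1))
    return tags


@dataclass
class Packet:
    """Constructed packet metadata; vlan_tags lists the outermost tag first."""
    src_ip: str
    dst_ip: str
    src_zone: str | None = None    # zone of the ingress interface
    dst_zone: str | None = None    # zone of the egress interface
    vlan_tags: tuple[int, ...] = ()


@dataclass
class NetworkAnalysisRule:
    number: int
    policy: str                                    # network analysis policy to apply
    source_zones: frozenset[str] = frozenset()
    destination_zones: frozenset[str] = frozenset()
    source_networks: tuple[str, ...] = ()          # CIDR blocks or single addresses
    destination_networks: tuple[str, ...] = ()
    vlan_tags: str = ""                            # e.g. "300-310"

    def __post_init__(self) -> None:
        for name in ("source_zones", "destination_zones",
                     "source_networks", "destination_networks"):
            if len(getattr(self, name)) > MAX_ITEMS:
                raise ValueError(f"rule {self.number}: more than {MAX_ITEMS} {name}")
        self._src_nets = [ipaddress.ip_network(n, strict=False) for n in self.source_networks]
        self._dst_nets = [ipaddress.ip_network(n, strict=False) for n in self.destination_networks]
        self._vlans = parse_vlan_tags(self.vlan_tags)

    def matches(self, pkt: Packet) -> bool:
        """All configured conditions must match; an empty condition is a wildcard."""
        if self.source_zones and pkt.src_zone not in self.source_zones:
            return False
        if self.destination_zones and pkt.dst_zone not in self.destination_zones:
            return False
        if self._src_nets and not _in_any(pkt.src_ip, self._src_nets):
            return False
        if self._dst_nets and not _in_any(pkt.dst_ip, self._dst_nets):
            return False
        if self._vlans:
            # Only the innermost tag identifies the VLAN; untagged traffic never
            # matches a VLAN condition.
            if not pkt.vlan_tags or pkt.vlan_tags[-1] not in self._vlans:
                return False
        return True


def _in_any(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def select_policy(rules, pkt, default_policy=DEFAULT_POLICY):
    """First match in ascending rule number wins; otherwise the default network
    analysis policy preprocesses the traffic. Returns (rule number or None, policy)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.policy
    return None, default_policy


# Constructed rule set: zone, network and policy names are invented for the example.
RULES = [
    NetworkAnalysisRule(1, "OT-Preprocessing", source_zones=frozenset({"OT-Inside"}),
                        destination_networks=("10.20.0.0/16",)),
    NetworkAnalysisRule(2, "Guest-Preprocessing", vlan_tags="300-310"),
    NetworkAnalysisRule(3, "DMZ-Preprocessing", source_networks=("192.0.2.0/24",),
                        destination_zones=frozenset({"DMZ"})),
]

if __name__ == "__main__":
    samples = [
        Packet("10.10.5.7", "10.20.1.1", src_zone="OT-Inside"),       # rule 1
        Packet("172.16.4.9", "198.51.100.5", vlan_tags=(100, 305)),   # rule 2 (innermost tag 305)
        Packet("172.16.4.9", "198.51.100.5", vlan_tags=(305, 100)),   # no rule: default policy
        Packet("192.0.2.10", "203.0.113.8", dst_zone="DMZ"),          # rule 3
    ]
    for pkt in samples:
        print(pkt, "->", select_policy(RULES, pkt))
```

The third sample shows why tag order matters: the same two tags in the opposite order make the innermost tag 100, so rule 2 no longer applies and the packet falls through to the default policy. A packet that satisfies both rule 1 and rule 2 is preprocessed by rule 1, because evaluation stops at the lowest-numbered match.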
To add a custom network analysis rule:
Access: Admin/Access Admin/Network Admin
Step 1 In the access control policy where you want to create custom preprocessing configurations, select the Advanced tab, then click the edit icon next to the Intrusion and Network Analysis Policies section.
The Network and Analysis Policies dialog box appears. If you have not added any custom network analysis rules, the web interface indicates that you have No Custom Rules; otherwise, it displays how many you have configured.
Tip Click Network Analysis Policy List to display the Network Analysis Policy page in a new window. Use this page to view and edit your custom network analysis policies; see Managing Network Analysis Policies.
Step 2 Next to Network Analysis Rules, click the statement that indicates how many custom rules you have.
The dialog box expands to show the custom rules, if any.
The network analysis rule editor appears.
Step 4 Build your rule’s conditions. You can restrict network analysis policy preprocessing by security zone, network, or VLAN, as described in the table above and in Preprocessing Traffic Per Zone, Preprocessing Traffic Per Network, and Preprocessing Traffic Per VLAN.
Step 5 Associate a network analysis policy with the rule by clicking the Network Analysis tab and choosing a policy from the Network Analysis Policy drop-down list.
The system uses the network analysis policy you choose to preprocess traffic that meets all the rule’s conditions. Note that if you choose a user-created policy, you can click the edit icon to edit the policy in a new window. You cannot edit system-provided policies.
The rule is added after any other rules. To change the rule’s evaluation order, see Managing Network Analysis Rules.
Preprocessing Traffic Per Zone
Zone conditions in network analysis rules allow you to preprocess traffic by its source and destination security zones. A security zone is a grouping of one or more interfaces, which may be located across multiple devices in a way that makes sense for your deployment and security policies. For more information on creating zones, see Working with Security Zones.
You can add a maximum of 50 zones to each of the Source Zones and Destination Zones in a single zone condition:
- To match traffic leaving the device from an interface in the zone, add that zone to Destination Zones. Note that because devices deployed passively do not transmit traffic, you cannot use a zone comprised of passive interfaces in a Destination Zone condition.
- To match traffic entering the device from an interface in the zone, add that zone to Source Zones.
If you add both source and destination zone conditions to a rule, matching traffic must originate from one of the specified source zones and egress through one of the destination zones.
Note that just as all interfaces in a zone must be of the same type (all inline, all passive, all switched, or all routed), all zones used in a zone condition for a network analysis rule must be of the same type. That is, you cannot write a single rule that matches traffic to or from zones of different types.
Warning icons indicate invalid configurations, such as zones that contain no interfaces. For details, hover your pointer over the icon.
To preprocess traffic by zone:
Access: Admin/Access Admin/Network Admin
Step 1 In the access control policy where you want to preprocess traffic by zone, create a new network analysis rule or edit an existing rule.
For detailed instructions, see Specifying Traffic to Preprocess Using Network Analysis Rules.
Step 2 In the network analysis rule editor, select the Zones tab.
Step 3 Find and select the zones you want to add from the Available Zones.
To search for zones to add, click the Search by name prompt above the Available Zones list, then type a zone name. The list updates as you type to display matching zones.
Click to select a zone. To select multiple zones, use the Shift and Ctrl keys, or right-click and then select Select All.
Step 4 Click Add to Source or Add to Destination to add the selected zones to the appropriate list.
You can also drag and drop selected zones.
Step 5 Save or continue editing the rule.
You must apply the access control policy for your changes to take effect; see Applying an Access Control Policy.
Preprocessing Traffic Per Network
Network conditions in network analysis rules allow you to preprocess traffic by its source and destination IP address. You can manually specify the source and destination IP addresses for the traffic you want to preprocess, or you can configure network conditions with network objects, which are reusable and associate a name with one or more IP addresses and address blocks.
Tip After you create a network object, you can use it not only to build network analysis rules, but also to represent IP addresses in various other places in the system’s web interface. You can create these objects using the object manager; you can also create network objects on-the-fly while you are configuring network analysis rules. For more information, see Working with Network Objects.
You can add a maximum of 50 items to each of the Source Networks and Destination Networks in a single network condition:
- To match traffic from an IP address, configure Source Networks.
- To match traffic to an IP address, configure Destination Networks.
If you add both source and destination network conditions to a rule, matching traffic must originate from one of the specified IP addresses and be destined for one of the destination IP addresses.
When building a network condition, warning icons indicate invalid configurations. For details, hover your pointer over the icon.
To preprocess traffic by network:
Access: Admin/Access Admin/Network Admin
Step 1 In the access control policy where you want to preprocess traffic by network, create a new network analysis rule or edit an existing rule.
For detailed instructions, see Specifying Traffic to Preprocess Using Network Analysis Rules.
Step 2 In the network analysis rule editor, select the Networks tab.
Step 3 Find and select the networks you want to add from the Available Networks, as follows:
- To add a network object on the fly, which you can then add to the condition, click the add icon above the Available Networks list; see Working with Network Objects.
- To select an object, click it. To select multiple objects, use the Shift and Ctrl keys, or right-click and then select Select All.
Step 4 Click Add to Source or Add to Destination to add the selected objects to the appropriate list.
You can also drag and drop selected objects.
Step 5 Add any source or destination IP addresses or address blocks that you want to specify manually.
Click the Enter an IP address prompt below the Source Networks or Destination Networks list; then type an IP address or address block and click Add.
Step 6 Save or continue editing the rule.
You must apply the access control policy for your changes to take effect; see Applying an Access Control Policy.
Preprocessing Traffic Per VLAN
Supported Devices: Any except ASA FirePOWER
VLAN conditions in network analysis rules allow you to control how VLAN-tagged traffic is preprocessed. The system uses the innermost VLAN tag to identify a packet by VLAN. Note that ASA FirePOWER devices cannot restrict preprocessing by VLAN.
When you build a VLAN-based network analysis condition, you can manually specify VLAN tags. Alternately, you can configure VLAN conditions with VLAN tag objects, which are reusable and associate a name with one or more VLAN tags.
Tip After you create a VLAN tag object, you can use it not only to build network analysis rules, but also to represent VLAN tags in various other places in the system’s web interface. You can create VLAN tag objects either using the object manager or on-the-fly while you are configuring network analysis rules. For more information, see Working with VLAN Tag Objects.
You can add a maximum of 50 items to the Selected VLAN Tags in a single VLAN tag condition. When building a VLAN tag condition, warning icons indicate invalid configurations. For details, hover your pointer over the icon.
To preprocess traffic by VLAN tag:
Access: Admin/Access Admin/Network Admin
Step 1 In the access control policy where you want to preprocess traffic by VLAN tag, create a new network analysis rule or edit an existing rule.
For detailed instructions, see Specifying Traffic to Preprocess Using Network Analysis Rules.
Step 2 In the network analysis rule editor, select the VLAN Tags tab.
Step 3 Find and select the VLANs you want to add from the Available VLAN Tags, as follows:
- To add a VLAN tag object on the fly, which you can then add to the condition, click the add icon above the Available VLAN Tags list; see Working with VLAN Tag Objects.
- To search for VLAN tag objects and groups to add, click the Search by name or value prompt above the Available VLAN Tags list, then type either the name of the object, or the value of a VLAN tag in the object. The list updates as you type to display matching objects.
- To select an object, click it. To select multiple objects, use the Shift and Ctrl keys, or right-click and then select Select All.
Step 4 Click Add to Rule or drag and drop to add the selected objects to the Selected VLAN Tags list.
Step 5 Add any VLAN tags that you want to specify manually.
Click the Enter a VLAN tag prompt below the Selected VLAN Tags list; then type a VLAN tag or range and click Add. You can specify any VLAN tag from 1 to 4094; use a hyphen to specify a range of VLAN tags.
Step 6 Save or continue editing the rule.
You must apply the access control policy for your changes to take effect; see Applying an Access Control Policy.
Managing Network Analysis Rules
A network analysis rule is simply a set of configurations and conditions that specifies how you preprocess traffic that matches those qualifications. You create and edit network analysis rules in the advanced options in an existing access control policy. Each rule belongs to only one policy.
To edit a custom network analysis rule:
Access: Admin/Access Admin/Network Admin
Step 1 In the access control policy where you want to change your custom preprocessing configurations, select the Advanced tab, then click the edit icon next to the Intrusion and Network Analysis Policies section.
The Network and Analysis Policies dialog box appears. If you have not added any custom network analysis rules, the web interface indicates that you have No Custom Rules; otherwise, it displays how many you have configured.
Step 2 Next to Network Analysis Rules, click the statement that indicates how many custom rules you have.
The dialog box expands to show the custom rules, if any.
Step 3 Edit your custom rules. You have the following options:
- To edit a rule, click the edit icon next to the rule.
- To delete a rule, click the delete icon next to the rule.
Tip Right-clicking a rule displays a context menu that allows you to cut, copy, paste, edit, and add new network analysis rules.
Step 4 Click OK to save your changes.
You must apply the access control policy for your changes to take effect; see Applying an Access Control Policy.