Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 29 Using Adaptive Profiles
Understanding Adaptive Profiles
Using Adaptive Profiles with Preprocessors
License: FireSIGHT + Protection
Adaptive profiles, like the target-based profiles you can configure in an intrusion policy, help to defragment IP packets and reassemble streams in the same way as the operating system on the target host. The rules engine then analyzes the data in the same format as that used by the destination host.

Manually configured target-based profiles only apply the default operating system profile you select or profiles you bind to specific hosts. Adaptive profiles, however, switch to the appropriate operating system profile based on the operating system in the host profile for the target host, as illustrated in the following diagram.

For example, you configure an intrusion policy where adaptive profiles are enabled for the 10.6.0.0/16 subnet and where you have set the default IP Defragmentation target-based policy to Linux. The Defense Center where you configure the policy has a network map that includes the 10.6.0.0/16 subnet.

When a device detects traffic from Host A, which is not in the 10.6.0.0/16 subnet, it uses the Linux target-based policy to reassemble IP fragments. However, when it detects traffic from Host B, which is in the 10.6.0.0/16 subnet, it retrieves Host B’s operating system data from the network map, where Host B is listed as running Microsoft Windows XP Professional. The system uses the Windows target-based profile to do the IP defragmentation for the traffic destined for Host B.
 for information on the IP Defragmentation preprocessor. See 
 for information on the stream preprocessor.
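The Host A / Host B selection described above, as an added example in Python (not code from the FireSIGHT system or this guide), keyed on the target host. The host addresses, the function and variable names, the fallback for a host with no operating system entry, and the two overlap rules are assumptions: the rules are simplified models of how a Windows-style and a Linux-style stack resolve overlapping fragments, not the product's reassembly logic.

```python
import ipaddress

# Constructed values mirroring the page's example; all names are hypothetical.
ADAPTIVE_NETS = [ipaddress.ip_network("10.6.0.0/16")]
DEFAULT_POLICY = "linux"  # default IP Defragmentation target-based policy
NETWORK_MAP = {"10.6.1.20": "Microsoft Windows XP Professional"}  # Host B
OS_TO_POLICY = {"windows": "windows", "linux": "linux"}

def select_policy(dst_ip):
    """Pick the defragmentation policy for traffic destined for dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in ADAPTIVE_NETS):
        os_name = NETWORK_MAP.get(dst_ip, "").lower()
        for key, policy in OS_TO_POLICY.items():
            if key in os_name:
                return policy
    # Outside the adaptive networks, or (assumption) no OS data for the host.
    return DEFAULT_POLICY

def reassemble(fragments, policy):
    """Reassemble (offset, data) fragments given in arrival order.

    Simplified overlap models (assumptions, not the product's logic):
      windows: bytes from the earlier-arriving fragment are kept.
      linux:   earlier bytes are kept only if their fragment's offset is
               lower than the new fragment's; otherwise they are replaced.
    """
    owner = {}  # byte position -> (offset of owning fragment, byte value)
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in owner:
                keep_old = policy == "windows" or owner[pos][0] < offset
                if keep_old:
                    continue
            owner[pos] = (offset, byte)
    return bytes(owner[p][1] for p in sorted(owner))

def inspect(dst_ip, fragments):
    """Return the policy chosen for dst_ip and the bytes the rules engine sees."""
    policy = select_policy(dst_ip)
    return policy, reassemble(fragments, policy)

# Constructed fragment train: the second fragment overlaps bytes 0-3.
FRAGS = [(0, b"AAAA"), (0, b"BBBB"), (4, b"CCCC")]
HOST_A = "192.0.2.10"  # constructed; not in 10.6.0.0/16 -> default Linux policy
HOST_B = "10.6.1.20"   # constructed; in 10.6.0.0/16, Windows in the network map

if __name__ == "__main__":
    for host in (HOST_A, HOST_B):
        print(host, *inspect(host, FRAGS))
```

The same three fragments yield different payloads for the two hosts, which is why the rules engine has to reassemble with the profile that matches the destination before it evaluates rules.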
Adaptive Profiles and FireSIGHT Recommended Rules
License: FireSIGHT + Protection