Cisco Cisco Firepower Management Center 2000

Typically, the system uses the static settings you configure in an intrusion policy to process and analyze 
traffic. With the adaptive profiles feature, however, the system can adapt to network traffic by associating 
traffic with host information from the network map and then processing the traffic accordingly.

When a host receives traffic, the operating system running on the host reassembles IP fragments. The 
order used for that reassembly depends on the operating system. Similarly, each operating system may 
implement TCP in different ways, and therefore reassemble TCP streams differently. If preprocessors 
reassemble data using a format other than that used for the operating system of the destination host, the 
system may miss content that could be malicious when reassembled on the receiving host.

In a passive deployment, Cisco recommends you configure adaptive profiles. In an inline deployment, 
Cisco recommends you configure the inline normalization preprocessor, with the Normalize TCP and 
Normalize TCP Payload options enabled. For more information, see 

 and 

.

For more information on using adaptive profiles to improve reassembly of packet fragments and TCP 
streams, see the following topics:

FireSIGHT + Protection

Adaptive profiles enable use of the most appropriate operating system profiles for IP defragmentation 
and for TCP stream preprocessing. For more information on the aspects of the intrusion policy affected 
by adaptive profiles, see 

The system can use host information detected by network discovery, obtained through an Nmap scan, or 
added through the host input feature to adapt processing behavior. 

When you input host information from a third-party application using the command line import utility 
or the host input API, you must first map the data to product definitions so the system can use it for 
adaptive profiles. For more information, see