Cisco Firepower Management Center 4000
26-9
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Normalizing Inline Traffic
Normalize Urgent Pointer
Sets the two-byte Urgent Pointer header field to the payload length if the pointer is greater than the payload length. You must enable Normalize TCP to select this option.
Normalize TCP Payload
Enables normalization of the TCP Data field to ensure consistency in retransmitted data. Any segments that cannot be properly reassembled are dropped. You must enable Normalize TCP to select this option.
Normalize TCP Excess Payload
Disables event generation for rule 129:2 and enables the following normalizations:
– removes data in synchronization (SYN) packets if your TCP operating system policy is not Mac OS
– removes any data from a reset (RST) packet
– trims the Data field to the size specified in the Window field
– trims the Data field to the Maximum Segment Size (MSS) if the payload is longer than MSS
You must enable Normalize TCP to select this option.
Explicit Congestion Notification
Enables per-packet or per-stream normalization of Explicit Congestion Notification (ECN) flags as follows:
– select Packet to clear ECN flags regardless of negotiation
– select Stream to clear ECN flags if ECN use was not negotiated
You must enable Normalize TCP to select this option. If you select Stream, you must also ensure that the TCP stream preprocessor Require TCP 3-Way Handshake option is enabled for this normalization to take place; see for more information.
Allow These TCP Options
Disables normalization of specific TCP options you allow in traffic. You must enable Normalize TCP to select this option.
The system does not normalize options that you explicitly allow. It normalizes options that you do not explicitly allow by setting the options to No Operation (TCP Option 1).
The system always allows the Maximum Segment Size (MSS), Window Scale, and Time Stamp TCP options because these options are commonly used for optimal TCP performance. The system normalizes these commonly used options as described in regardless of the configuration of Allow These TCP Options. The system does not allow other, less commonly used options.
You can allow specific options by configuring a comma-separated list of option keywords, option numbers, or both as shown in the following example:
sack, echo, 19
Specifying an option keyword is the same as specifying the number for one or more TCP options associated with the keyword. For example, specifying sack is the same as specifying TCP options 4 (Selective Acknowledgement Permitted) and 5 (Selective Acknowledgement). Option keywords are not case sensitive.
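The following Python model is an added illustration, not Cisco's or Snort's code, of the two normalizations described above: the Urgent Pointer clamp, and the "Allow These TCP Options" behaviour in which every option not on the allow list is overwritten with No Operation (option 1) bytes while MSS, Window Scale and Time Stamp are always kept. The option kind numbers (MSS 2, Window Scale 3, SACK Permitted 4, SACK 5, Time Stamp 8) are standard IANA values; the expansion of the sack keyword to 4 and 5 is from the page, whereas the expansion of echo to options 6 and 7 is an assumption based on the IANA registry (Echo / Echo Reply). The sample option bytes are constructed for the example.

```python
"""Model of inline TCP option / urgent-pointer normalization (illustrative, not product code)."""

# Standard IANA TCP option kinds.
EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8

# Options the page says are always allowed regardless of configuration.
ALWAYS_ALLOWED = {MSS, WSCALE, TIMESTAMP}

# Keyword expansion: "sack" -> 4, 5 is stated on the page.
# "echo" -> 6, 7 is an ASSUMPTION (IANA Echo / Echo Reply), not from the page.
KEYWORDS = {
    "sack": {SACK_PERM, SACK},
    "echo": {6, 7},
}


def parse_allow_list(text):
    """Turn a list such as 'sack, echo, 19' into the set of allowed option kinds.

    Keywords are case-insensitive, numbers are taken literally, and the
    always-allowed options are added unconditionally.
    """
    allowed = set(ALWAYS_ALLOWED)
    for tok in text.split(","):
        tok = tok.strip().lower()
        if not tok:
            continue
        if tok.isdigit():
            allowed.add(int(tok))
        elif tok in KEYWORDS:
            allowed |= KEYWORDS[tok]
        else:
            raise ValueError(f"unknown TCP option keyword: {tok!r}")
    return allowed


def normalize_options(opts, allowed):
    """Overwrite every option not in `allowed` with NOP bytes of equal length.

    Returns (rewritten option bytes, number of options rewritten). Rewriting
    with NOPs keeps the header length unchanged, so no checksum-independent
    length fields elsewhere in the segment need to be touched.
    """
    out = bytearray(opts)
    i, rewritten = 0, 0
    while i < len(out):
        kind = out[i]
        if kind == EOL:            # end of option list: nothing further to scan
            break
        if kind == NOP:            # single-byte option, always harmless
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option header")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option length")
        if kind not in allowed:
            out[i:i + length] = bytes([NOP]) * length
            rewritten += 1
        i += length
    return bytes(out), rewritten


def normalize_urgent_pointer(urg_ptr, payload_len):
    """Clamp the Urgent Pointer to the payload length, as Normalize Urgent Pointer does."""
    return min(urg_ptr, payload_len)


# Constructed sample option block (36 bytes):
#   MSS=1460 | NOP NOP | SACK Permitted | TCP-MD5 (kind 19, len 18) | Time Stamp (len 10)
SAMPLE_OPTIONS = (
    bytes([MSS, 4, 0x05, 0xB4])
    + bytes([NOP, NOP])
    + bytes([SACK_PERM, 2])
    + bytes([19, 18]) + bytes(16)
    + bytes([TIMESTAMP, 10]) + bytes(8)
)


def demo():
    """Run the sample through two allow lists and return the rewrite counts."""
    _, n_sack_only = normalize_options(SAMPLE_OPTIONS, parse_allow_list("sack"))
    _, n_page_list = normalize_options(SAMPLE_OPTIONS, parse_allow_list("sack, echo, 19"))
    return n_sack_only, n_page_list


if __name__ == "__main__":
    print("rewritten with 'sack' only:", demo()[0])           # MD5 option becomes NOPs
    print("rewritten with 'sack, echo, 19':", demo()[1])      # nothing rewritten
    print("urgent pointer 500 on 100-byte payload ->", normalize_urgent_pointer(500, 100))
```

With only sack allowed, the kind-19 option is replaced by 18 NOP bytes while MSS, SACK Permitted and Time Stamp survive; with the page's own list (sack, echo, 19) nothing is rewritten. The parser rejects unknown keywords rather than silently ignoring them, which is the safer failure mode for a setting that widens what the normalizer lets through.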