Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 26      Using Transport & Network Layer Preprocessors
  Defragmenting IP Packets
Selecting Defragmentation Options
License: Protection
You can choose to simply enable or disable IP defragmentation; however, Cisco recommends that you 
specify the behavior of the enabled IP defragmentation preprocessor at a more granular level.
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
You can configure the global Preallocated Fragments option:
Preallocated Fragments
The maximum number of individual fragments that the preprocessor can process at once. Specifying 
the number of fragment nodes to preallocate enables static memory allocation.
Caution
Processing an individual fragment uses approximately 1550 bytes of memory. If the preprocessor 
requires more memory to process the individual fragments than the predetermined allowable memory 
limit for the managed device, the memory limit for the device takes precedence.
You can configure the following options for each IP defragmentation policy:
Network
The IP address of the host or hosts to which you want to apply the defragmentation policy.
You can specify a single IP address or address block, or a comma-separated list of either or both. 
You can specify up to 255 total profiles, including the default policy. For information on using IPv4 
and IPv6 address blocks in the FireSIGHT System, see .
Note that the default setting in the default policy specifies all IP addresses on your monitored 
network segment that are not covered by another target-based policy. Therefore, you cannot and do 
not need to specify an IP address or CIDR block/prefix length for the default policy, and you cannot 
leave this setting blank in another policy or use address notation to represent any (for example, 
0.0.0.0/0 or ::/0).
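The following is an added illustration of how the Network option's rules fit together; it is not FireSIGHT or Snort code. It models target-based policy selection: targeted policies must name explicit addresses or blocks, may not use any-notation or a blank network, the profile count is capped at 255 including the default, and a host that no targeted policy covers falls back to the default policy. The longest-prefix tie-break between overlapping targeted policies is an assumption of this example, not something the guide states.

```python
"""Target-based IP defragmentation policy selection (constructed example)."""
import ipaddress

MAX_PROFILES = 255  # limit from the guide, including the default policy
VALID_POLICIES = {"BSD", "BSD-Right", "First", "Linux", "Last", "Solaris", "Windows"}
# any-notation is reserved for the default policy and rejected elsewhere
ANY_NETWORKS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_network(spec):
    """Parse a comma-separated list of single addresses and CIDR blocks."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in network list")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def validate_config(default_policy, targeted):
    """targeted: list of (network_spec, policy_name) for non-default policies.

    Returns the parsed profiles as a list of (networks, policy_name).
    """
    if default_policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy {default_policy!r}")
    if 1 + len(targeted) > MAX_PROFILES:
        raise ValueError(f"more than {MAX_PROFILES} profiles including the default")
    profiles = []
    for spec, policy in targeted:
        if policy not in VALID_POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        if not spec.strip():
            raise ValueError("a targeted policy must not leave Network blank")
        nets = parse_network(spec)
        for net in nets:
            if net in ANY_NETWORKS:
                raise ValueError("any-notation is not allowed; use the default policy")
        profiles.append((nets, policy))
    return profiles


def select_policy(host, default_policy, profiles):
    """Pick the policy for one host.

    Assumption of this example: when several targeted profiles match, the
    most specific (longest prefix) wins. Hosts matched by none use the default.
    """
    addr = ipaddress.ip_address(host)
    best = None  # (prefixlen, policy)
    for nets, policy in profiles:
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, policy)
    return best[1] if best else default_policy


if __name__ == "__main__":
    # constructed configuration: Linux hosts in 10/8, a Windows subnet inside it
    profiles = validate_config(
        "BSD", [("10.0.0.0/8", "Linux"), ("10.1.2.0/24, 192.0.2.7", "Windows")]
    )
    for host in ("10.1.2.9", "10.9.9.9", "192.0.2.7", "203.0.113.5"):
        print(host, "->", select_policy(host, "BSD", profiles))
```

Running the block prints which policy each constructed host resolves to; the last host is covered by no targeted profile and therefore gets the default.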
Policy
The defragmentation policy you want to use for a set of hosts on your monitored network segment. 
You can choose among seven policies: BSD, BSD-Right, First, Linux, Last, Solaris, and Windows. 
See  for detailed information on these policies.
Timeout
The maximum amount of time, in seconds, that the preprocessor engine can use when reassembling 
a fragmented packet. If the packet cannot be reassembled within the specified time period, the 
preprocessor engine stops attempting to reassemble the packet and discards received fragments.
Minimum TTL
Specifies the minimum acceptable TTL value a packet may have. This option detects TTL-based 
insertion attacks.
You can enable rule 123:1 to generate events for this option. See  for more information.
Detect Anomalies
Identifies fragmentation problems such as overlapping fragments.
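The tracker below is an added, constructed illustration of the three per-policy options just described (Timeout, Minimum TTL, Detect Anomalies); it is not the FireSIGHT preprocessor's code. A fragment whose TTL is below the minimum is rejected and recorded as an event (the guide associates this condition with rule 123:1), a reassembly not completed within the timeout is abandoned and its fragments discarded, and overlapping fragments are reported when anomaly detection is on. Overlap data is resolved by letting the first-received bytes win, matching the First policy; the `Fragment`, `Reassembly` and `FragTracker` names are this example's own.

```python
"""Toy IP fragment tracker with timeout, minimum TTL and overlap detection."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Fragment:
    offset: int      # byte offset of this fragment within the original datagram
    payload: bytes
    ttl: int
    more: bool       # True when more fragments follow (MF flag)


@dataclass
class Reassembly:
    first_seen: float                 # time the first fragment arrived
    frags: list = field(default_factory=list)
    total_len: Optional[int] = None   # known once the final fragment arrives


class FragTracker:
    def __init__(self, timeout=60.0, min_ttl=1, detect_anomalies=True):
        self.timeout = timeout                # seconds allowed per reassembly
        self.min_ttl = min_ttl                # lowest acceptable TTL
        self.detect_anomalies = detect_anomalies
        self.table = {}                       # key (src, dst, ip_id) -> Reassembly
        self.events = []                      # (key, description) for each detection

    def add(self, key, frag, now):
        """Feed one fragment at time `now`; return the datagram once complete."""
        if frag.ttl < self.min_ttl:
            # TTL-based insertion check: the fragment is not used for reassembly
            self.events.append((key, f"ttl {frag.ttl} below minimum {self.min_ttl}"))
            return None
        r = self.table.get(key)
        if r is not None and now - r.first_seen > self.timeout:
            # Timeout option: give up on this datagram and drop what was collected
            self.events.append((key, "reassembly timeout, fragments discarded"))
            del self.table[key]
            r = None
        if r is None:
            r = self.table[key] = Reassembly(first_seen=now)
        end = frag.offset + len(frag.payload)
        if self.detect_anomalies:
            for old in r.frags:
                if frag.offset < old.offset + len(old.payload) and old.offset < end:
                    self.events.append((key, f"overlapping fragment at offset {frag.offset}"))
                    break
        r.frags.append(frag)
        if not frag.more:
            r.total_len = end
        return self._try_complete(key, r)

    def expire(self, now):
        """Sweep reassemblies that exceeded the timeout without new fragments."""
        for key in [k for k, r in self.table.items() if now - r.first_seen > self.timeout]:
            self.events.append((key, "reassembly timeout, fragments discarded"))
            del self.table[key]

    def _try_complete(self, key, r):
        if r.total_len is None:
            return None
        buf = bytearray(r.total_len)
        covered = bytearray(r.total_len)
        # arrival order, first-received bytes win: the "First" overlap policy
        for f in r.frags:
            for i, b in enumerate(f.payload):
                pos = f.offset + i
                if pos < r.total_len and not covered[pos]:
                    buf[pos] = b
                    covered[pos] = 1
        if r.total_len and all(covered):
            del self.table[key]
            return bytes(buf)
        return None


if __name__ == "__main__":
    t = FragTracker(timeout=30, min_ttl=5)
    key = ("192.0.2.1", "198.51.100.2", 7)   # constructed flow key
    t.add(key, Fragment(0, b"hello ", 64, True), 100.0)
    print(t.add(key, Fragment(6, b"world", 64, False), 101.0))
    t.add(key, Fragment(0, b"x", 2, True), 102.0)   # rejected: TTL 2 < 5
    print(t.events)
```

In the constructed run above, the two well-formed fragments reassemble to `hello world`, the low-TTL fragment produces an event instead of being used, and any fragment arriving more than 30 seconds after the first for the same key discards the partial reassembly.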