Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 26      Using Transport & Network Layer Preprocessors
The IP Defragmentation page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Step 5
Optionally, you can modify the setting for Preallocated Fragments under Global Settings.
Step 6
You have two options:
  • Add a new target-based policy. Click the add icon next to Hosts on the left side of the page. The Add Target pop-up window appears. Specify one or more IP addresses in the Host Address field and click OK.
    You can specify a single IP address or address block, or a comma-separated list of either or both. You can create a total of 255 target-based policies including the default policy. For information on using IP address blocks in the FireSIGHT System, see
    A new entry appears in the list of targets on the left side of the page, highlighted to indicate that it is selected, and the Configuration section updates to reflect the current configuration for the policy you added.
  • Modify the settings for an existing target-based policy. Click the configured address for a policy you have added under Hosts on the left side of the page, or click default.
    Your selection is highlighted and the Configuration section updates to display the current configuration for the policy you selected. To delete an existing target-based policy, click the delete icon next to the policy you want to remove.
Step 7
Optionally, you can modify any of the options under Configuration.
Step 8
Optionally, click Configure Rules for IP Defragmentation at the top of the page to display rules associated with individual options.
Click Back to return to the IP Defragmentation page.
Step 9
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the  table for more information.

Understanding Packet Decoding
License: Protection

Before sending captured packets to a preprocessor, the system first sends the packets to the packet decoder. The packet decoder converts packet headers and payloads into a format that preprocessors and the rules engine can easily use. Each stack layer is decoded in turn, beginning with the data link layer and continuing through the network and transport layers. For more information on packet decoding, see

Note that you must enable packet decoder rules, which have a generator ID (GID) of 116, if you want these rules to generate events. A link on the configuration page takes you to a filtered view of packet decoder rules on the intrusion policy Rules page, where you can enable and disable rules and configure other rule actions. See  for more information.
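
The layer-by-layer decoding described above can be illustrated with a short sketch. This is an added example, not code from the FireSIGHT System: the names decode_frame and build_sample are hypothetical, the sample frame is constructed, and the anomaly strings are illustrative wording rather than the messages of the product's GID 116 rules.

```python
import struct

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP in turn, recording anomalies."""
    out = {"layers": [], "anomalies": []}
    def stop(reason):                      # record why decoding ended early
        out["anomalies"].append(reason)
        return out
    # Data link layer: 14-byte Ethernet II header, EtherType at offset 12.
    if len(frame) < 14:
        return stop("ethernet header truncated")
    out["layers"].append("eth")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return out                         # not IPv4: outside this sketch
    # Network layer: 20-byte fixed IPv4 header plus options (IHL in words).
    ip = frame[14:]
    if len(ip) < 20:
        return stop("ipv4 header truncated")
    ver_ihl, _, total_len, _, frag, _, proto = struct.unpack("!BBHHHBB", ip[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        return stop("ip version is not 4")
    if ihl < 20 or ihl > len(ip) or total_len < ihl:
        return stop("ipv4 length fields invalid")
    if total_len > len(ip):
        out["anomalies"].append("ipv4 total length exceeds captured data")
    out["layers"].append("ipv4")
    out.update(src=ip[12:16], dst=ip[16:20], proto=proto,
               more_fragments=bool(frag & 0x2000), frag_offset=(frag & 0x1FFF) * 8)
    # Transport layer: later fragments carry no TCP header, so stop at IPv4.
    if proto != 6 or out["frag_offset"]:
        return out
    tcp = ip[ihl:min(total_len, len(ip))]
    if len(tcp) < 20:
        return stop("tcp header truncated")
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return stop("tcp data offset invalid")
    out["layers"].append("tcp")
    out["sport"], out["dport"] = struct.unpack("!HH", tcp[:4])
    out["payload"] = tcp[data_off:]
    return out

def build_sample(ihl_words=5, tcp_off_words=5, payload=b"GET /"):
    """Constructed test frame; checksums are zero and are not verified above."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, tcp_off_words << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return bytes(12) + b"\x08\x00" + ip + tcp
```

Each layer is only decoded once the layer beneath it has passed its length checks, which is why a malformed header surfaces as a decoder anomaly instead of reaching later processing as misparsed data.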
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.