Cisco Firepower Management Center 4000
26-32
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Using UDP Stream Preprocessing
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether UDP Stream Configuration under Transport/Network Layer Preprocessors is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
Note
You cannot disable UDP stream preprocessing when the DCE/RPC preprocessor is enabled with the UDP transport protocol selected, or when portscan detection is enabled with the UDP protocol selected. Also, you should not disable UDP stream preprocessing when you have UDP intrusion rules enabled that use the flow or flowbits keyword, because these rules will not trigger unless UDP stream preprocessing is enabled.
The UDP Stream Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See for more information.
Step 5
Optionally, configure a Timeout value to specify the number of seconds, between 1 and 86400, that the preprocessor keeps an inactive stream in the state table. If additional datagrams are not seen in the specified time, the preprocessor deletes the stream from the state table.
Step 6
Optionally, select Packet Type Performance Boost to ignore UDP traffic for all ports and application protocols that are not specified in enabled rules, except when a UDP rule with both the source and destination ports set to any has a flow or flowbits option. This performance improvement could result in missed attacks.
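The following Python model illustrates the two settings described in Steps 5 and 6. It is an added example written for this page, not Cisco or Snort code, and it does not reproduce the preprocessor's real implementation: the UdpRule structure, the UdpStreamTable class, the flow key and the sample rules and datagrams are all constructed for illustration. It shows why a datagram that is ignored under Packet Type Performance Boost, or whose stream was dropped after the Timeout, can no longer satisfy a rule that depends on flow or flowbits state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UdpRule:
    """Minimal stand-in for an enabled UDP intrusion rule (hypothetical structure)."""
    sid: int
    src_port: Optional[int]   # None models the rule keyword "any"
    dst_port: Optional[int]
    uses_flow: bool = False   # True if the rule carries a flow or flowbits option


# Hypothetical flow key: (source IP, source port, destination IP, destination port)
FlowKey = Tuple[str, int, str, int]


class UdpStreamTable:
    """Toy model of the UDP stream state table with an inactivity timeout."""

    def __init__(self, timeout_s: int, rules: List[UdpRule],
                 performance_boost: bool = False):
        # The guide allows a Timeout between 1 and 86400 seconds.
        if not 1 <= timeout_s <= 86400:
            raise ValueError("Timeout must be between 1 and 86400 seconds")
        self.timeout_s = timeout_s
        self.performance_boost = performance_boost
        self.table: Dict[FlowKey, int] = {}   # flow key -> last-seen timestamp
        # Ports that at least one enabled rule names explicitly.
        self.rule_ports = {p for r in rules
                           for p in (r.src_port, r.dst_port) if p is not None}
        # Exception from Step 6: an any/any rule that uses flow or flowbits
        # means every UDP datagram must still be tracked with the boost on.
        self.any_any_flow_rule = any(
            r.src_port is None and r.dst_port is None and r.uses_flow
            for r in rules)

    def should_track(self, sport: int, dport: int) -> bool:
        """Decide whether the datagram enters the state table at all."""
        if not self.performance_boost or self.any_any_flow_rule:
            return True
        return sport in self.rule_ports or dport in self.rule_ports

    def expire(self, now: int) -> int:
        """Drop streams idle longer than the timeout; return how many were dropped."""
        stale = [k for k, last in self.table.items() if now - last > self.timeout_s]
        for k in stale:
            del self.table[k]
        return len(stale)

    def observe(self, ts: int, src: str, sport: int, dst: str, dport: int) -> str:
        """Process one datagram and report what the model did with it."""
        self.expire(ts)
        if not self.should_track(sport, dport):
            return "ignored"      # never enters the table: flow/flowbits rules cannot fire
        key: FlowKey = (src, sport, dst, dport)
        state = "continued" if key in self.table else "new"
        self.table[key] = ts
        return state


def demo() -> Dict[str, List[str]]:
    """Run constructed sample datagrams through three configurations."""
    # Constructed rules: one dst-port-53 rule using flow, one any/any rule without it.
    rules = [UdpRule(1000001, None, 53, uses_flow=True),
             UdpRule(1000002, None, None)]
    # Constructed datagrams: (timestamp_s, src, sport, dst, dport); not real traffic.
    datagrams = [
        (0, "10.0.0.5", 40000, "10.0.0.53", 53),
        (10, "10.0.0.5", 40000, "10.0.0.53", 53),
        (50, "10.0.0.5", 40000, "10.0.0.53", 53),   # 40 s idle exceeds the 30 s timeout
        (51, "10.0.0.5", 40001, "10.0.0.9", 5000),  # port that no enabled rule names
    ]
    configs = [
        ("boost_off", False, []),
        ("boost_on", True, []),
        # Adding an any/any flowbits rule re-enables tracking of every datagram.
        ("boost_on_any_any_flowbits", True,
         [UdpRule(1000003, None, None, uses_flow=True)]),
    ]
    results: Dict[str, List[str]] = {}
    for label, boost, extra in configs:
        table = UdpStreamTable(timeout_s=30, rules=rules + extra,
                               performance_boost=boost)
        results[label] = [table.observe(*d) for d in datagrams]
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

In the output, the third datagram to port 53 comes back as a new stream in every configuration because the 30 second Timeout has already removed the earlier state, and the datagram to port 5000 is ignored only when the boost is on and no any/any rule with a flow or flowbits option exists. That is the trade-off the guide refers to: less work for the preprocessor, but traffic that is never tracked cannot match a stateful rule.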
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.