Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 26: Using Transport & Network Layer Preprocessors
Using UDP Stream Preprocessing
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether UDP Stream Configuration under Transport/Network Layer Preprocessors is enabled:
  • If the configuration is enabled, click Edit.
  • If the configuration is disabled, click Enabled, then click Edit.
Note
You cannot disable UDP stream preprocessing when the DCE/RPC preprocessor is enabled with the UDP transport protocol selected, or when portscan detection is enabled with the UDP protocol selected. Also, you should not disable UDP stream preprocessing when you have UDP intrusion rules enabled that use the flow or flowbits keyword because these rules will not trigger unless UDP stream preprocessing is enabled.
The UDP Stream Configuration page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Step 5
Optionally, configure a Timeout value to specify the number of seconds, between 1 and 86400, that the preprocessor keeps an inactive stream in the state table. If additional datagrams are not seen in the specified time, the preprocessor deletes the stream from the state table.
Step 6
Optionally, select Packet Type Performance Boost to ignore UDP traffic for all ports and application protocols that are not specified in enabled rules, except when a UDP rule with both the source and destination ports set to any has a flow or flowbits option. This performance improvement could result in missed attacks.
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the  table for more information.
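
A pre-change check for the Step 4 note and the Step 6 exception, as an added example that is not part of the Cisco guide: it lists the enabled UDP rules in a rule file that use flow or flowbits, and marks those whose source and destination ports are both any. The sample rules, the function name audit_udp_rules and the convention that a leading # marks a disabled rule are assumptions made for illustration.

```python
import re

# Constructed sample rules in Snort 2 rule syntax; none come from the guide.
SAMPLE_RULES = r'''
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed DNS"; flow:to_server; content:"|01 00|"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"constructed any-any"; flowbits:set,seen.udp; flowbits:noalert; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"constructed SNMP"; content:"public"; sid:1000003; rev:1;)
# alert udp any any -> any 69 (msg:"constructed, disabled"; flow:to_server; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed TCP"; flow:to_server,established; sid:1000005; rev:1;)
'''

# action proto src sport direction dst dport (options)
HEADER = re.compile(
    r'^\w+\s+(?P<proto>\w+)\s+\S+\s+(?P<sport>\S+)\s+(?:->|<>)\s+\S+\s+'
    r'(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')
# Simplification: assumes no escaped "\;" directly precedes these keywords.
STATEFUL = re.compile(r'(?:^|;)\s*(flow|flowbits)\s*:')
SID = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)')


def audit_udp_rules(text):
    """Return enabled UDP rules that use flow or flowbits."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):   # assumption: '#' = disabled
            continue
        m = HEADER.match(line)
        if not m or m['proto'].lower() != 'udp':
            continue
        keywords = sorted(set(STATEFUL.findall(m['opts'])))
        if not keywords:
            continue
        sid = SID.search(m['opts'])
        findings.append({
            'sid': int(sid.group(1)) if sid else None,
            'keywords': keywords,
            # Step 6 exception: both ports "any" plus flow/flowbits.
            'any_any_ports': m['sport'] == 'any' and m['dport'] == 'any',
        })
    return findings


if __name__ == '__main__':
    for f in audit_udp_rules(SAMPLE_RULES):
        print(f)
```

Any rule this reports stops triggering if UDP stream preprocessing is disabled, so an empty result is the condition to look for before turning the preprocessor off.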