Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Normalizing Inline Traffic
License: Protection
The inline normalization preprocessor normalizes traffic to minimize the chances of attackers evading
detection in inline deployments. When you apply an intrusion policy as part of an access control policy
and the inline normalization preprocessor is enabled, the system tests the following two conditions to
ensure that you are using an inline deployment:
• Drop when Inline is enabled
• The policy is applied to a device using an inline set
The preprocessor normalizes specified traffic only when both conditions are met.
You can specify normalization of any combination of IPv4, IPv6, ICMPv4, ICMPv6, and TCP traffic.
Most normalizations are on a per-packet basis and are conducted by the inline normalization
preprocessor. However, the TCP stream preprocessor handles most state-related packet and stream
normalizations, including TCP payload normalization, so you must ensure that the TCP stream
preprocessor is enabled when you enable normalization of TCP traffic.
Inline normalization takes place immediately after decoding by the packet decoder and before
processing by other preprocessors. Normalization proceeds from the inner to outer packet layers.
Note that the inline normalization preprocessor does not generate events; it prepares packets for use by
other preprocessors and the rules engine in inline deployments. The preprocessor also helps ensure that
the packets the system processes are the same as the packets received by the hosts on your network.
Tip
In an inline deployment, Cisco recommends you configure the inline normalization preprocessor, with
the Normalize TCP and Normalize TCP Payload options enabled. In a passive deployment, Cisco
recommends you configure adaptive profiles. For more information, see
.
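The conditions and recommendations above can be turned into a configuration check. The following is an added example, not code from the guide or from Cisco; the Assignment fields, the finding codes and the sample devices are assumptions made for illustration and do not correspond to any FireSIGHT export format.

```python
from dataclasses import dataclass, field

PROTOCOLS = {"IPv4", "IPv6", "ICMPv4", "ICMPv6", "TCP"}

@dataclass
class Assignment:
    """One intrusion policy applied to one device (hypothetical field names)."""
    device: str
    inline_set: bool            # policy is applied to a device using an inline set
    drop_when_inline: bool      # "Drop when Inline" is enabled in the policy
    inline_normalization: bool  # inline normalization preprocessor is enabled
    tcp_stream: bool            # TCP stream preprocessor is enabled
    adaptive_profiles: bool = False
    protocols: set = field(default_factory=set)  # protocols selected for normalization

def audit(a):
    """Return (protocols that are actually normalized, sorted finding codes)."""
    findings = set()
    if a.protocols - PROTOCOLS:
        findings.add("UNKNOWN_PROTOCOL")
    gate_open = a.inline_set and a.drop_when_inline
    effective = set()
    if a.inline_normalization and gate_open:
        effective = a.protocols & PROTOCOLS
    elif a.inline_normalization:
        # Enabled in the policy, but one of the two conditions fails,
        # so nothing is normalized.
        findings.add("NORMALIZATION_INACTIVE")
    if a.inline_set:
        if "TCP" not in effective:
            findings.add("INLINE_WITHOUT_TCP_NORMALIZATION")
    elif not a.adaptive_profiles:
        findings.add("PASSIVE_WITHOUT_ADAPTIVE_PROFILES")
    if "TCP" in effective and not a.tcp_stream:
        findings.add("TCP_NORMALIZATION_WITHOUT_TCP_STREAM")
    return effective, sorted(findings)

# Constructed sample assignments, not taken from a real deployment.
SAMPLES = [
    Assignment("edge-inline", True, True, True, True, protocols={"IPv4", "TCP"}),
    Assignment("dmz-inline", True, False, True, True, protocols={"IPv4", "TCP"}),
    Assignment("core-inline", True, True, True, False, protocols={"TCP"}),
    Assignment("tap-passive", False, False, True, True, protocols={"TCP"}),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.device, *audit(s))
```

The dmz-inline case is the one to watch for in reviews: the preprocessor is enabled in the policy, yet no traffic is normalized because Drop when Inline is off.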
See the following sections for more information:
Understanding Protocol Normalization
License: Protection
Normalization of each protocol includes one or more base normalizations, which occur automatically
when you enable normalization of the protocol. Some protocols also have optional normalizations.
for information on configuring normalization of traffic
for different protocols. The following sections list the base normalizations and any optional
normalizations for each protocol type: