FireSIGHT System User Guide, Chapter 26: Using Transport & Network Layer Preprocessors (page 26-21)
Using TCP Stream Preprocessing
Initiating Active Responses with Drop Rules
License: Protection
In an inline deployment, the system responds to TCP or UDP drop rules by dropping the triggering 
packet and blocking the session where the packet originated. In a passive deployment, the system cannot 
drop the packet and does not block the session except with the use of active responses.
Tip
Because UDP data streams are not typically thought of in terms of sessions, see 
 for further explanation of how the stream preprocessor uses the source and 
destination IP address fields in the encapsulating IP datagram header and the port fields in the UDP 
header to determine the direction of flow and identify a UDP session.
You can configure the Maximum Active Responses option to initiate one or more active responses to more precisely and specifically close a TCP connection or UDP session when an offending packet triggers a TCP or UDP drop rule.
When active responses are enabled in an inline deployment, the system responds to TCP drop rules by 
dropping the triggering packet and inserting a TCP Reset (RST) packet in both the client and server 
traffic. When active responses are enabled in a passive deployment, the system cannot drop the packet 
but sends a TCP reset to both the client and server ends of a TCP connection. When active responses are 
enabled in inline or passive deployments, the system closes a UDP session by sending an ICMP 
unreachable packet to each end of the session. Active responses are most effective in inline deployments 
because resets are more likely to arrive in time to affect the connection or session.
Depending on how you configure the Maximum Active Responses option, the system can also initiate additional active responses if it sees additional traffic from either end of the connection or session. The system initiates each additional active response, up to a specified maximum, after a specified number of seconds have elapsed since the previous response. Note that to initiate additional TCP resets you must ensure that TCP Stream Configuration is enabled, and to initiate additional ICMP unreachable packets you must ensure that UDP Stream Configuration is enabled. See
for more information.
See
for information on setting the maximum number of active responses.
Note that a triggered resp or react rule also initiates an active response regardless of the configuration of Maximum Active Responses; however, Maximum Active Responses controls whether the system initiates additional active responses for resp and react rules in the same way it controls the maximum number of active responses for drop rules. See
for more information.
You can also use the config response command to configure the active response interface to use and the number of TCP resets to attempt in a passive deployment. See
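The pacing rules described above (first response on the drop rule, additional responses only after a minimum interval and up to a maximum, RSTs for TCP and ICMP unreachables for UDP) as an added Python model; this is illustrative code written for this page, not Cisco's or the FireSIGHT implementation. It assumes that Maximum Active Responses counts the additional responses after the first and that a separate minimum interval in seconds applies between them; the session key, event format and sample traffic are all constructed.

```python
def session_key(proto, src_ip, src_port, dst_ip, dst_port):
    # Direction-independent key: packets from either end map to the same session
    return (proto,) + tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))

class ActiveResponder:
    def __init__(self, max_active_responses, min_response_seconds):
        self.max_extra = max_active_responses  # assumption: additional responses after the first; 0 = none
        self.min_gap = min_response_seconds    # assumption: seconds required between responses
        self.sessions = {}                     # key -> {"proto", "sent", "last"}

    def _respond(self, state, now):
        state["sent"], state["last"] = state["sent"] + 1, now
        kind = "TCP-RST" if state["proto"] == "tcp" else "ICMP-UNREACH"  # reset vs. unreachable
        return (f"{kind}->client", f"{kind}->server")  # one toward each end of the session

    def on_drop_rule(self, key, now):
        # The packet that triggers a drop rule always gets the first active response
        state = self.sessions.setdefault(key, {"proto": key[0], "sent": 0, "last": 0.0})
        return self._respond(state, now)

    def on_packet(self, key, now):
        # Later traffic on a session already responded to may earn an additional response
        state = self.sessions.get(key)
        if state is None or state["sent"] == 0:
            return None
        if state["sent"] - 1 >= self.max_extra:
            return None  # additional-response budget exhausted
        if now - state["last"] < self.min_gap:
            return None  # too soon since the previous response
        return self._respond(state, now)

def replay(max_active_responses, min_response_seconds, events):
    # events: constructed (time, "drop" or "pkt", proto, src, sport, dst, dport); returns fired responses
    responder, fired = ActiveResponder(max_active_responses, min_response_seconds), []
    for t, kind, proto, s, sp, d, dp in events:
        key = session_key(proto, s, sp, d, dp)
        actions = responder.on_drop_rule(key, t) if kind == "drop" else responder.on_packet(key, t)
        if actions:
            fired.append((t, actions))
    return fired

# Constructed sample: one TCP session trips a drop rule at t=0, then both ends keep talking
SAMPLE_EVENTS = [
    (0, "drop", "tcp", "10.0.0.5", 40000, "192.0.2.10", 80),
    (3, "pkt", "tcp", "192.0.2.10", 80, "10.0.0.5", 40000),   # 3 s later: too soon
    (6, "pkt", "tcp", "10.0.0.5", 40000, "192.0.2.10", 80),   # 6 s: additional response 1
    (8, "pkt", "tcp", "10.0.0.5", 40000, "192.0.2.10", 80),   # 2 s since last: too soon
    (12, "pkt", "tcp", "192.0.2.10", 80, "10.0.0.5", 40000),  # additional response 2
    (30, "pkt", "tcp", "10.0.0.5", 40000, "192.0.2.10", 80),  # maximum reached: nothing
]
```

Running `replay(2, 5, SAMPLE_EVENTS)` fires at t=0, 6 and 12 only; with a maximum of 0 only the initial response on the drop rule is sent.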
Selecting TCP Global Options
License: Protection
This section describes the options that control how the TCP stream preprocessor functions. If no 
preprocessor rule is mentioned, the option is not associated with a preprocessor rule.