topic Re: PREFILTER ANALYZE VS FASTPATH in Network Security

PREFILTER ANALYZE VS FASTPATH

craneman — Tue, 05 May 2020 20:12:50 GMT

With Prefilter Fastpath, traffic bypasses inspection and is basically fastpathed out of the ftd device into what you may call a "toll bypass' hardware lane of some sort.

With Prefilter Analyze the traffic does not bypass inspection....the question is when the traffic returns from the "snort instance" inspection does it go into the "toll bypass" lane and out of the device or does it return and go through the other items such as Flow Update, ALG, QOS, ETC?

Thanks, Mike

Re: PREFILTER ANALYZE VS FASTPATH

Marvin Rhoads — Wed, 06 May 2020 04:23:11 GMT

If the packet was analyzed by Snort it will come out via DAQ into the ALG and subsequent steps like any normal fully analyzed packet.

Only if the prefilter action was Fastpath (or Drop of course) would it skip those steps.

FTD OOO Reference

Re: PREFILTER ANALYZE VS FASTPATH

CiscoBrownBelt — Mon, 20 Nov 2023 14:25:31 GMT

Hi @Marvin Rhoads so is Fast Path basically just using the outer header IP to allow/block the traffic? If we were to want the FTD to secure internal networks as much as possible would it be a good reason to not allow Fast Path (given let's say no performance issues or something)?

Re: PREFILTER ANALYZE VS FASTPATH

Marvin Rhoads — Mon, 20 Nov 2023 15:28:41 GMT

Fastpath will only be able to use the classic 5-tuple (protocol, source IP, source port, destination IP, destination port) like a legacy ASA. Known trusted flows (for instance bulk backup jobs or IPsec VPN traffic that terminates inside the firewall on some other device) can be added in the prefilter to bypass Snort altogether as a performance enhancement but it is recommended to use it sparingly.

But you are right:
"Prefiltering can be thought of as the first phase of access control before the firewall passes connections onto more resource-intensive evaluation controls. A prefilter policy uses limited, outer-header criteria to process connections quickly. The rule actions available in a prefilter policy are Fastpath, Block and Analyze.

The Fastpath rule action in the prefilter policy bypasses all further packet inspection and handling, including security intelligence, authentication requirements, SSL decryption, access control rules, deep inspection (IPS), network discovery and rate limiting."

Reference: https://secure.cisco.com/secure-firewall/v7.2/docs/access-control-policy