10-31-2016 05:36 AM - edited 03-12-2019 06:11 AM
Does anyone have any examples of custom network analysis rules (advanced section of the Access control policy)? I have tuned the NA policy based on reassembly and fragmentation, but I am trying to imagine a scenario where you would need a custom NA rule. Please include pics if you can.
11-02-2016 12:20 PM
In case you want to tweak specific settings for performance/security, it does make sense to create a network analysis policy.
For example, you could ignore FTP transfers to improve performance on FTP data transfers, specify the HTTP methods you wish to inspect using the HTTP preprocessor, or enable event triggers for TCP session hijacking, etc.
It really depends on what you want to achieve but normally you do not need to edit these settings, just keep them in mind in case you find a corner-case that needs specific tweaks to how traffic is handled.
11-02-2016 03:25 PM
Yeah, I agree, but in my case I have Linux servers behind the same IPS. I would edit the reassembly part of the policy and specify the IP address and Linux. Same with the fragmentation section. The part I am curious about is creating a special rule in the advanced section of an access control policy. I would be interested to see an example in a scenario where you need custom rules.
11-02-2016 03:35 PM
I would consider custom rules the equivalent of the Modular Policy Framework on the ASA side. You may change certain processing parameters based on an ACL. For example, if you do not wish to change network analysis settings globally, you could use a specific custom rule so it only affects certain traffic you want to treat differently, and everything else will be processed using the default rule.