Prefilter Fastpath Rule for IP Range Not Fully Excluding Traffic

navidn
Level 1

Hi, we have configured a prefilter policy on Cisco Secure Firewall Virtual to exclude a specific IP range from being inspected by Snort using the Fastpath action. Despite this, in Unified Events, we still observe intrusion alerts for traffic from the same IP prefix that should be excluded.

Key observations:

  • The Virtual Firewall Interfaces are in Passive mode receiving SPAN.
  • Even adding an upper rule in the access control policy did not filter the inspection completely.
  • The prefilter rule uses the Fastpath action and correctly matches the IP prefix.
  • Even adding a rule above "inspect all" to match the traffic did not work.
  • Connection events show the traffic as fastpathed, but intrusion events still appear for that traffic.
  • The issue persists even though the IP range is explicitly defined in the prefilter exclusion.
  • Verified that no conflicting access control policies override the prefilter.
  • This causes contradictory logging with both fast path and Snort intrusion events for the same prefix.

Has anyone encountered this behavior, or have best practices on fully excluding traffic from Snort inspection using prefilter Fastpath rules? Is prefilter expected to work in detection and passive mode, or is it only for inline mode?

0 Replies
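One way to quantify the contradiction the post describes (connection events logged as fastpathed while intrusion events still fire for the same prefix), as an added example that is not part of the original post and not Cisco's tooling: it correlates exported connection events with intrusion events and flags every intrusion event whose flow was logged as Fastpath or whose source falls inside the excluded prefix. The CSV column names, the 10.20.30.0/24 prefix and all addresses are constructed assumptions, not the Unified Events export format.

```python
import csv
import io
import ipaddress

# Constructed sample exports. Column names and addresses are assumptions for
# this example, not the firewall's real Unified Events export format.
CONNECTION_EVENTS = """\
src_ip,dst_ip,action,matched_rule
10.20.30.5,192.0.2.10,Fastpath,prefilter-exclude-range
10.20.30.7,192.0.2.11,Fastpath,prefilter-exclude-range
172.16.5.9,192.0.2.12,Allow,default-access-rule
"""

INTRUSION_EVENTS = """\
src_ip,dst_ip,rule
10.20.30.5,192.0.2.10,constructed-sig-A
10.20.30.9,192.0.2.13,constructed-sig-B
172.16.5.9,192.0.2.12,constructed-sig-C
"""

# The prefix the prefilter Fastpath rule is meant to exclude (assumed value).
EXCLUDED_PREFIXES = [ipaddress.ip_network("10.20.30.0/24")]


def fastpathed_flows(conn_csv):
    """Return the set of (src, dst) pairs whose connection event shows Fastpath."""
    return {
        (row["src_ip"], row["dst_ip"])
        for row in csv.DictReader(io.StringIO(conn_csv))
        if row["action"] == "Fastpath"
    }


def find_contradictions(conn_csv, ids_csv, prefixes=EXCLUDED_PREFIXES):
    """List intrusion events that should not exist if Fastpath had bypassed Snort."""
    flows = fastpathed_flows(conn_csv)
    flagged = []
    for ev in csv.DictReader(io.StringIO(ids_csv)):
        src = ipaddress.ip_address(ev["src_ip"])
        reasons = []
        if (ev["src_ip"], ev["dst_ip"]) in flows:
            reasons.append("flow logged as Fastpath")
        # Prefix check also catches flows that produced no connection event at all.
        if any(src in net for net in prefixes):
            reasons.append("source inside excluded prefix")
        if reasons:
            flagged.append((ev["src_ip"], ev["dst_ip"], ev["rule"], reasons))
    return flagged
```

Run it against a real export after mapping the column names; a non-empty result for a prefix that is supposed to be fastpathed is the evidence to attach when opening a case or comparing passive and inline deployments.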