What is correct order of data inspection?

Machi Ma
Level 1

Hello,

I am confused now about what the correct order of data inspection under Firepower should be.

With reference to information:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Rules.html

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-NAP-Policy-Overview.html

My understanding is that a packet will go through the following, but I have mixed up a few components now.

- Intrusion policy used before access control rule is determined

- Default network analysis policy

- Default Access control policy

- Security Intelligence

- Default action policy

Could anyone explain this more clearly?

Thanks!

3 Replies

Oliver Kaiser
Level 7

Traffic is processed in two steps:

Step 01: Pre-processing

  • Hardware-based fast-path rules (only available on NGIPS like FP8000)
  • Security Intelligence-based traffic filtering, normalization, App ID (in conjunction with SSL decryption if configured)
  • User identification
  • Decoding and preprocessing using the network analysis policy

Step 02: Access-Control Policy

Let me know if that answers your question. In case you want to know anything more specific about any step let me know.

Thanks for the update.

And what is the "Network Discovery Policy"?

And from the diagram:

- When will "Intrusion Policy used before Access Control rule is determined" apply?

- Does "Default Network Analysis Policy" mean it is applied at Step 01?

Thanks!

The network discovery policy is used to detect applications (using OpenAppID), hosts (using traffic analysis plus active checks using nmap) and identities (using traffic analysis of HTTP/FTP/etc.; identity via agent/pxGrid is not included).

Considering "Intrusion Policy used before Access Control rule is determined"

A default intrusion prevention policy can be applied that is used before access-control-policy rules. Since many rules, like URL filtering, need to see the payload to determine whether traffic is allowed, an IPS policy can be applied to check traffic that is initially allowed, in order to determine whether an access control policy rule matches.

Considering "Default Network Analysis Policy"

The default network analysis policy is used if no other network-analysis rules are matched. Network analysis policy is used to pre-process traffic (normalization).

Traffic flow:
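To make the ordering in this thread concrete, here is a small added model (my own illustration, not Cisco code or anything from the original post) of which policy inspects each packet of a flow: Security Intelligence first, then the default intrusion policy while the access control rule is still undetermined, then the matched rule's own intrusion policy. The blocklist entry, rule names, URL categories and IPS policy names are all constructed.

```python
# Added toy model of the Firepower processing order discussed above.
# Every address, rule and policy name below is constructed for illustration;
# nothing here talks to a real sensor.
from dataclasses import dataclass, field
from typing import Optional

SI_BLOCKLIST = {"203.0.113.9"}  # constructed Security Intelligence entry

# Constructed access control rules: URL category to match, action, per-rule IPS policy
ACP_RULES = [
    {"name": "block-social", "url_category": "social", "action": "block", "ips": None},
    {"name": "allow-web", "url_category": "business", "action": "allow", "ips": "balanced"},
]
DEFAULT_ACTION = {"name": "default", "action": "allow", "ips": "connectivity"}
DEFAULT_IPS_PRE_ACP = "default-ips"  # inspects packets while no ACP rule has matched yet
URL_CATEGORIES = {"social.example": "social", "corp.example": "business"}


@dataclass
class Flow:
    src: str
    matched_rule: Optional[dict] = None  # set once enough payload has been seen
    packets: list = field(default_factory=list)


def process_packet(flow: Flow, payload: str) -> str:
    """Return the name of the policy that handled this packet ('si-block', 'acp-block',
    the default IPS policy, or the matched rule's IPS policy)."""
    # Step 01: Security Intelligence filtering happens before any ACP rule is evaluated
    if flow.src in SI_BLOCKLIST:
        return "si-block"
    # Step 01: network analysis / preprocessing. Simulated: the URL category only
    # becomes known once a packet carries a Host header.
    category = None
    if payload.startswith("Host:"):
        category = URL_CATEGORIES.get(payload.split()[1], "uncategorized")
    flow.packets.append(payload)
    # Step 02: ACP rule determination. Until a rule can be matched (e.g. the TCP
    # handshake, before any HTTP request), the default intrusion policy inspects the packet.
    if flow.matched_rule is None:
        if category is None:
            return DEFAULT_IPS_PRE_ACP
        flow.matched_rule = next(
            (r for r in ACP_RULES if r["url_category"] == category), DEFAULT_ACTION
        )
    rule = flow.matched_rule
    if rule["action"] == "block":
        return "acp-block"
    return rule["ips"] or "no-ips"
```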
