Inspection of Packets That Pass Before Traffic Is Identified

For some features, including URL filtering, application detection, rate limiting, and Intelligent Application Bypass, a few packets must pass so that the connection can be established and the system can identify the traffic and determine which access control rule (if any) will handle it.

You must explicitly configure your access control policy to inspect these packets, prevent them from reaching their destination, and generate any events. See Specify a Policy to Handle Packets That Pass Before Traffic Identification.

As soon as the system identifies the access control rule or default action that should handle the connection, the remaining packets in the connection are handled and inspected accordingly.

When you create an access control policy, its default intrusion policy depends on the default action you first chose. Initial default intrusion policies for access control are as follows:

  • Balanced Security and Connectivity (a system-provided policy) is the default intrusion policy for an access control policy where you first chose the Intrusion Prevention default action.

  • No Rules Active is the default intrusion policy for an access control policy where you first chose the Block all traffic or Network Discovery default action. Although choosing this option disables intrusion inspection on the allowed packets described above, it can improve performance if you are not interested in intrusion data.

Important

If you change your default action after you create the access control policy, the default intrusion policy does not automatically change. To change it manually, use the access control policy’s advanced options.