About prefilter policies
The prefilter policy is the first security policy applied to incoming connections. Prefilter rules evaluate traffic on layer 3/4 criteria only: IP protocol, source and destination IP address, and source and destination port. They never look at payload, application, user, or URL, which is exactly why they are cheap to evaluate. They give you a chance to make early decisions on connections so you can avoid further processing and improve device performance.
Use prefilter policies to implement the following main actions:
- Improve performance—The sooner you exclude traffic that does not require inspection, the better. Specifically, you can:
  - Offload trusted flows—If your device supports flow offload, use the prefilter Fastpath action to identify flows you trust, which makes them eligible for offload to NIC processing. No further processing, including inspection, is performed on these connections, so apply Fastpath only to traffic you are confident does not need to be inspected. See Best practices for fastpath prefiltering and Large flow offloads.
  - Block unwanted connections—For example, if you know you want to block entire subnets, or entire protocols or TCP/UDP ports, do so in the prefilter policy. The device drops those connections before it spends any access control or intrusion inspection resources on them.
- Rezone plain-text encapsulated tunnels so you can handle them as a unit in the access control policy. Some protocols, such as GRE, create a plain-text tunnel that carries many connections inside it. By rezoning a tunnel, you give the tunnel a tag, which you can then select in access control rules as a source/destination zone, and thus apply customized intrusion or other rules to the tunneled traffic. This provides granular insight and control for plain-text tunnels.

Note: VPN or other encrypted tunnels are not plain-text tunnels and cannot be rezoned. The prefilter stage sees only the outer headers, and an encrypted payload hides the inner connections that a tunnel rule is meant to group.
You must assign each access control policy a prefilter policy. However, the system comes with a pre-defined prefilter policy that might work for you.
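The following is an added example, not code from the product or this page: a small Python model of how first-match, layer 3/4-only prefilter evaluation behaves, including the Fastpath, Block and Analyze outcomes and tunnel rezoning. The rule names, subnets, the intrusion policy names, the IP-in-IP protocol as a second plain-text encapsulation, and the sample flows are all constructed assumptions; the real device evaluates rules in hardware/software paths this toy does not reproduce.

```python
"""Toy first-match model of prefilter evaluation (added example, not FTD code).

Rules match on layer 3/4 fields only: IP protocol, source/destination address,
destination port. Outcomes: FASTPATH (trusted, no further inspection),
BLOCK (dropped), ANALYZE (handed to the access control policy; the default).
A rule carrying a tunnel_zone is a tunnel rule that tags a plain-text tunnel.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# IANA IP protocol numbers. GRE is the encapsulation the page names; IP-in-IP
# is assumed here as a second plain-text encapsulation. ESP is encrypted.
IPIP, TCP, UDP, GRE, ESP = 4, 6, 17, 47, 50
PLAINTEXT_TUNNEL_PROTOCOLS = {GRE, IPIP}


def rezone_allowed(protos: set) -> bool:
    """Only plain-text tunnels can be rezoned; ESP/VPN hides the inner headers."""
    return bool(protos) and protos <= PLAINTEXT_TUNNEL_PROTOCOLS


def _in_any(addr: str, nets: tuple) -> bool:
    """Empty network list means 'any'."""
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: int = 0      # 0 = not applicable (non-TCP/UDP)
    dport: int = 0


@dataclass
class PrefilterRule:
    name: str
    action: str                                  # FASTPATH | BLOCK | ANALYZE
    protos: set = field(default_factory=set)     # empty = any protocol
    src_nets: tuple = ()                         # empty = any source
    dst_nets: tuple = ()                         # empty = any destination
    dports: set = field(default_factory=set)     # empty = any port
    tunnel_zone: Optional[str] = None            # set only on tunnel rules

    def __post_init__(self):
        if self.tunnel_zone is not None and not rezone_allowed(self.protos):
            raise ValueError(f"{self.name}: only plain-text tunnels can be rezoned")

    def matches(self, f: Flow) -> bool:
        return ((not self.protos or f.proto in self.protos)
                and _in_any(f.src, self.src_nets)
                and _in_any(f.dst, self.dst_nets)
                and (not self.dports or f.dport in self.dports))


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str
    tunnel_zone: Optional[str] = None

    @property
    def inspected(self) -> bool:
        """Only ANALYZE flows reach access control and intrusion inspection."""
        return self.action == "ANALYZE"


def evaluate(rules, flow: Flow, default_action: str = "ANALYZE") -> Decision:
    """First match wins; a flow matching no rule gets the default action."""
    for r in rules:
        if r.matches(flow):
            return Decision(r.action, r.name, r.tunnel_zone)
    return Decision(default_action, "default")


# Constructed sample policy. Order matters: the specific trust rule sits above
# the broad block rules; the GRE tunnel rule tags traffic instead of deciding it.
POLICY = [
    PrefilterRule("trust-db-replication", "FASTPATH", protos={TCP},
                  src_nets=("10.10.0.0/24",), dst_nets=("10.20.0.0/24",), dports={5432}),
    PrefilterRule("block-telnet", "BLOCK", protos={TCP}, dports={23}),
    PrefilterRule("block-legacy-subnet", "BLOCK", src_nets=("192.0.2.0/24",)),
    PrefilterRule("rezone-branch-gre", "ANALYZE", protos={GRE},
                  src_nets=("203.0.113.0/24",), tunnel_zone="branch-gre"),
]

# Access control stage: intrusion policy chosen by tunnel zone (hypothetical names).
INTRUSION_BY_ZONE = {"branch-gre": "branch-tunnel-ips", None: "default-ips"}


def intrusion_policy_for(decision: Decision) -> Optional[str]:
    """What access control would apply; None if the prefilter already decided."""
    if not decision.inspected:
        return None
    return INTRUSION_BY_ZONE.get(decision.tunnel_zone, INTRUSION_BY_ZONE[None])


if __name__ == "__main__":
    for f in (Flow(TCP, "10.10.0.5", "10.20.0.9", 51000, 5432),
              Flow(TCP, "10.10.0.5", "10.20.0.9", 51001, 23),
              Flow(UDP, "192.0.2.10", "198.51.100.53", 5000, 53),
              Flow(GRE, "203.0.113.7", "198.51.100.1"),
              Flow(ESP, "203.0.113.7", "198.51.100.1")):
        d = evaluate(POLICY, f)
        print(f"proto={f.proto:<3} {f.src}->{f.dst}:{f.dport:<5} {d.action:<8} "
              f"via {d.rule:<20} zone={d.tunnel_zone} ips={intrusion_policy_for(d)}")
```

Two things the run makes visible: the Fastpath decision returns `inspected == False`, so nothing downstream (access control, intrusion policy) ever sees that flow, which is why the trust rule must be narrow; and the GRE flow is not decided by the prefilter at all but arrives at access control carrying the `branch-gre` tag, while the ESP flow from the same host falls through to the default action untagged, and a tunnel rule built on ESP is rejected outright by `rezone_allowed`.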
The following topics provide more detail about the prefilter policy.