Guidelines and limitations for the prefilter policy
- You can log connections fast pathed and blocked by the prefilter policy. Prefilter connection events contain information on whether and how logged connections—including entire tunnels—were prefiltered. However, because fast pathed and blocked connections are not subject to deep inspection, the associated connection events contain limited information.
- Access control uses a hierarchical implementation that complements multitenancy. Along with other advanced settings, you can lock a prefilter policy association, enforcing that association in all descendant access control policies. For more information, see Access control policy inheritance.
- When you deploy a prefilter policy, its rules are not applied to existing connections, so traffic on an existing connection is not bound by the newly deployed policy. In addition, the policy hit count is incremented only for the first packet of a connection that matches a policy, so traffic on an existing connection that would otherwise match the policy is omitted from the hit count. To have the rules take effect on all traffic, clear the existing connections, and then deploy the policy.
- For a prefilter rule with the Fastpath action and logging options disabled, you might observe that end-of-flow events are still generated in the system. However, these events are not visible on the management center event pages.