The default prefilter policy

Every access control policy must have an assigned prefilter policy. For convenience, the system includes a default prefilter policy that is automatically assigned when you create a new access control policy. You cannot delete this policy.

The default prefilter policy does one thing: it analyzes plain-text encapsulated tunnels. This makes it possible for the access control policy to act on the connections that are contained within the tunnel.

You can instead change the default policy to block all plain-text tunnels. See Configuring the default action.
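The difference between analyzing and blocking a plain-text tunnel can be seen in a small model. This is an added illustration, not the product's implementation: it assumes IPv4-in-IPv4 encapsulation (IP protocol 4) as one kind of plain-text tunnel, since this page does not list the tunnel protocols, and the function names and the "evaluate" verdict label are hypothetical.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (no options; checksum left 0 for this sample)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def parse_ipv4(buf):
    """Return (src, dst, proto, payload); reject truncated or non-IPv4 input."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or total > len(buf):
        raise ValueError("malformed IPv4 header")
    return (socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]),
            buf[9], buf[ihl:total])

def flow(src, dst, proto, payload):
    """Describe a connection; add ports when the payload is TCP or UDP."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return (src, sport, dst, dport, proto)
    return (src, None, dst, None, proto)

def prefilter(packet, tunnel_action="analyze"):
    """Return (verdict, flow handed to the access control policy, or None)."""
    src, dst, proto, payload = parse_ipv4(packet)
    if proto != IPPROTO_IPIP:
        return "evaluate", flow(src, dst, proto, payload)  # not a tunnel
    if tunnel_action == "block":
        return "block", None  # tunnel dropped; its contents are never evaluated
    # "analyze": look past the outer header so rules see the inner connection
    return "evaluate", flow(*parse_ipv4(payload))

# Constructed sample: an SSH SYN from 10.0.0.5 carried inside an IP-in-IP tunnel
TCP_SYN = struct.pack("!HHIIBBHHH", 49152, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER = ipv4("10.0.0.5", "10.0.1.9", IPPROTO_TCP, TCP_SYN)
TUNNELED = ipv4("198.51.100.1", "198.51.100.2", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    print("outer header only:", parse_ipv4(TUNNELED)[:3])
    print("analyze:", prefilter(TUNNELED, "analyze"))
    print("block:  ", prefilter(TUNNELED, "block"))
```

With the tunnel analyzed, a rule written for the inner hosts and port 22 has something to match; from the outer header alone, only the two tunnel endpoints and protocol 4 are visible.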

If you want to do any other customization, including adding prefilter or tunnel rules, you must create your own prefilter policy and assign it to the appropriate access control policies, as explained in Assigning devices to an access control policy.