Configuring advanced settings for the access control policy

Advanced access control policy settings typically require little or no modification. The default settings are appropriate for most deployments. Note that many of the advanced preprocessing and performance options in access control policies may be modified by rule updates as described in Update Intrusion Rules.

Caution

See Configurations that Restart the Snort Process When Deployed or Activated for a list of advanced setting modifications that restart the Snort process, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the assigned device handles traffic. See Snort Restart Traffic Behavior for more information.

Before you begin

Inheriting settings from a parent policy:

If the access control policy has a base policy, you can elect to inherit settings from the base policy. Select Inherit from (base policy) for each setting group where you want to use the parent policy's settings. If you are allowed to configure unique settings for the policy, you must deselect the option to make your edits.
If View () appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. In this case, inheritance has been configured so that these settings are locked. The settings are read-only.

Procedure

Step 1

Choose Policies > Security policies > Access Control.

Step 2

Create or edit an access control policy.

Step 3

Select Advanced Settings from the More drop-down arrow at the end of the packet flow line.

Step 4

For each settings group, click Edit ( edit icon ) and configure the settings as needed.

For each feature group, a separate dialog box is opened where you can make your changes. Click OK to save any changes.

General Settings—These settings apply broadly to the policy, including URL filtering options. For more information, see General settings.
Identity Policy Settings—Select the policy to be used to implement user identity discovery. You must implement an identity policy to get user or user group information in connection events, or to write access control rules based on users or groups. For more information, see About identity policies.
Decryption Policy Settings—Select the policy to be used when decrypting connections. You must decrypt traffic to apply inspection to encrypted connections.
TLS Server Identity Discovery—Whether to allow the firewall to extract certificate details such as Common Name (CN), Organization, or Subject Alternative Names (SANs) even when TLS 1.3 encryption would normally hide them. This improves policy accuracy without requiring a decryption rule; the original client connection remains encrypted. For more information, see TLS server identity discovery.
Prefilter Policy Settings—Select the policy to be used for statically offloading large flows, implementing early connection blocks, or rezoning plain-text tunnel traffic.
Network Analysis and Intrusion Policies—Advanced network analysis and intrusion policy settings allow you to:
- Specify the intrusion policy and associated variable set that are used to inspect packets that must pass before the system can determine exactly how to inspect that traffic.
- Change the access control policy’s default network analysis policy, which governs many preprocessing options.
- Use custom network analysis rules and network analysis policies to tailor preprocessing options to specific security zones, networks, and VLANs.
For more information, see Advanced Access Control Settings for Network Analysis and Intrusion Policies.
Threat Defense Service Policy—Use the service policy to apply services to specific traffic classes. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. The service policy rules are applied after the access control rules. For more information, see Service Policies.
Files and Malware Settings—Tuning File and Malware Inspection Performance and Storage provides information on performance options for file control and malware defense.
Threat Detection—Configure the portscan detector to detect and prevent portscan activity in all types of traffic to protect networks from eventual attacks. Portscan traffic can be detected efficiently in both allowed and denied traffic..
Elephant Flow Settings—Elephant flows are large, long duration, and fast flows that can cause duress for Snort cores. There are two actions that you can apply on elephant flows to reduce system stress, CPU hogging, packet drops, and so on. These actions are:
- Bypass any or all applications—This action bypasses flow from Snort inspection.
- Throttle—This action applies dynamic rate limit policy (10% reduction) on elephant flows.
For more information, see Configure elephant flow detection.
Intelligent Application Bypass Settings—(Use Elephant Flow Settings instead of this option.) Intelligent application bypass (IAB) is an expert-level configuration that specifies applications to bypass or test for bypass if traffic exceeds a combination of inspection performance and flow thresholds.

IAB settings are applicable for Snort2 devices or pre 7.2.0 Snort3 devices. For more information, see Intelligent application bypass.
Transport/Network Layer Preprocessor Settings—Advanced transport and network preprocessor settings apply globally to all networks, zones, and VLANs where you deploy your access control policy. For more information, see Transport/network layer preprocessor settings.
Detection Enhancement Settings—Detection enhancement settings determine whether adaptive profiles are used for application detection and intrusion rules in the access control policy. Typically, the system uses the static settings in your network analysis policy to preprocess and analyze traffic. With adaptive profile updates, the system can adapt processing behavior using host information either detected by network discovery or imported from a third party. For more information, see Detection enhancement settings.
Performance Settings—Settings for improving the performance of your system as it analyzes traffic for attempted intrusions. These settings are very advanced and should be left as defaults by most users. See Performance settings.
Latency-Based Performance Settings—Settings specific to latency-based performance. These settings are very advanced and should be left as defaults by most users. See Latency-Based Performance Settings.
Shadow Traffic—The Shadow traffic dashboard enhances the visibility of traffic originating from unsanctioned privacy technologies. This type of traffic is specifically designed to evade traditional network monitoring and analysis by advanced firewalls. There is also a shadow traffic type attribute added to connection and unified events. You can disable this option if you do not need visibility on traffic that might contain unsanctioned content. For more information, see

Advanced Logging—Enable this feature to enrich connection logs with application data and forward the generated logs to the syslog destinations. Application logging leverages existing deep packet inspection capabilities to extract application data and enables you to enhance network monitoring and gain deeper insights into network traffic. This feature applies to Snort 3 Firewall Threat Defense devices.

For more information about the application logging, see Application-Aware and Protocol-Aware Syslogs.

Note	Application logging can cause performance drop within network if used without filters configured in the access control rule. Filter specific traffic types using the access control rules to reduce the volume of logged traffic.

Step 5

Click Save to save the changes to the access control policy.

To get back to the rules list, click Access Control in the packet flow line.
You must deploy the configuration to apply changes to the managed devices.