Configuring prefilter rules

Use prefilter rules in a non-default prefilter policy to provide early blocking for unwanted traffic, and to fast path traffic that does not benefit from access control inspection.

If your device supports flow offload, fast path traffic is eligible for flow offload if it meets all other criteria. See Large flow offloads.

Before you begin

You cannot create rules in the default prefilter policy. If you have not created a custom prefilter policy, do so now.

Procedure

Step 1

Choose Policies > Security policies > Prefilter and create or edit a prefilter policy.

Step 2

Click Add Prefilter Rule.

You can also right-click a rule and select Insert New Prefilter Rule.

Step 3

Enter a Name for the rule.

Step 4

Select whether the rule should be Enabled. A rule must be enabled to affect traffic through the device.

Step 5

Select the Action to be taken on matching traffic.

  • Fastpath—Exempts matching traffic from all further inspection and control, including access control, identity requirements, and rate limiting. These connections are eligible for flow offload if the device supports it.

  • Block—Blocks matching traffic without further inspection of any kind.

  • Analyze—Allows traffic to continue to be analyzed by the rest of access control. If passed by access control and any related deep inspection, this traffic may also be rate limited.

Step 6

Select where to Insert the rule.

The default is to insert the rule at the end of the policy, but you can select an existing rule and insert the new rule before or after that rule. The action of the first rule that matches a connection is applied to that connection, so order matters.

Step 7

(Optional.) Select the object that defines the Time Range for the rule.

You can limit what times of day, or which days, a rule is operational. For example, the rule could apply during business hours only. Select an existing time range object or create a new one. For more information, see Creating Time Range Objects.

Step 8

Configure the traffic matching conditions for the rule.

The rule is applied to connections that match all of the conditions. Within a condition type, separate elements are OR’ed, so that matching any of the selected items counts as a match. For the rule as a whole, all condition types are AND’ed: a connection must match at least one item on each tab to match the rule. You can use the following types of conditions:

  • Interface Objects—Select the security zones or interface groups that contain the interfaces to which the rule should apply. The default, no objects selected, applies the rule to all interfaces on the device.

  • Networks—Select the network objects that define the source (Add to Source) or destination (Add to Destination) IP addresses, or both. The default (no objects selected) matches all source and destination IP addresses.

  • VLAN tags—Select the objects that define the VLANs to which the rule should apply. For more information, see VLAN tags rule conditions.

  • Ports—Select the TCP/UDP ports, or other protocol, for the connections and add them to the source or destination criteria. Source criteria are TCP/UDP only, but you can select other protocols for the destination. For more information, see Port rule conditions for prefilter rules.

Step 9

(Fastpath and Block rules only.) Click Logging and configure how matching connections should be logged.

Step 10

(Optional.) Click Comment and add comments to the rule. Use comments to help you understand the purpose of the rule and its change history.

Step 11

Click Add. If you need to move the rule, do so now.

Step 12

Click Save to save the policy.
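The following is an added example, not code from the original documentation or from the firewall product, that models how the rule semantics described in Steps 5, 6 and 8 combine: conditions are OR'ed within a type, AND'ed across types, an empty condition type matches everything, source port criteria are restricted to TCP/UDP, disabled rules are skipped, and the first enabled rule that matches a connection decides its action. The class and function names, the constructed sample policy and connections, and the choice to treat a connection matched by no rule as continuing to access control ("analyze") are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of prefilter rule evaluation (assumption: this is an
# illustrative model, not the firewall's own implementation or API).


@dataclass(frozen=True)
class Connection:
    zone: str                     # security zone / interface group name
    src_ip: str
    dst_ip: str
    protocol: str                 # "tcp", "udp", "icmp", "gre", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    vlan: Optional[int] = None    # None = untagged


@dataclass
class PrefilterRule:
    name: str
    action: str                           # "fastpath", "block" or "analyze"
    enabled: bool = True
    zones: frozenset = frozenset()        # Interface Objects; empty = all interfaces
    src_nets: tuple = ()                  # Networks, Add to Source; empty = any
    dst_nets: tuple = ()                  # Networks, Add to Destination; empty = any
    vlans: frozenset = frozenset()        # VLAN tags; empty = any
    src_ports: frozenset = frozenset()    # (proto, port) pairs, TCP/UDP only
    dst_ports: frozenset = frozenset()    # (proto, port), or (proto, None) = whole protocol

    def __post_init__(self):
        if self.action not in ("fastpath", "block", "analyze"):
            raise ValueError(f"unknown action {self.action!r}")
        # Source port criteria may only be TCP/UDP; other protocols are
        # destination-only.
        for proto, _ in self.src_ports:
            if proto not in ("tcp", "udp"):
                raise ValueError("source port criteria must be TCP or UDP")

    def matches(self, c: Connection) -> bool:
        # Within a condition type, any selected item matches (OR); across
        # types every condition must hold (AND); an empty type matches all.
        checks = [
            not self.zones or c.zone in self.zones,
            _ip_in_any(c.src_ip, self.src_nets),
            _ip_in_any(c.dst_ip, self.dst_nets),
            not self.vlans or c.vlan in self.vlans,
            not self.src_ports or (c.protocol, c.src_port) in self.src_ports,
            not self.dst_ports or any(
                proto == c.protocol and port in (None, c.dst_port)
                for proto, port in self.dst_ports),
        ]
        return all(checks)


def _ip_in_any(ip: str, nets: tuple) -> bool:
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)


def evaluate(rules, conn: Connection):
    """Return (action, rule_name) of the first enabled rule that matches.

    A connection matched by no rule is modeled as continuing to access
    control ("analyze"); that fall-through behaviour is an assumption.
    """
    for r in rules:
        if r.enabled and r.matches(conn):
            return r.action, r.name
    return "analyze", None


def rejects_source_protocol(proto: str) -> bool:
    """True if a rule with a non-TCP/UDP source port criterion is refused."""
    try:
        PrefilterRule("probe", "block", src_ports=frozenset({(proto, 0)}))
    except ValueError:
        return True
    return False


# Constructed sample policy: drop a known-bad source range early, and
# fast path bulk rsync backups to the internal range so they skip inspection.
BLOCK_BAD_RANGE = PrefilterRule("block-bad-range", "block",
                                src_nets=("203.0.113.0/24",))
FASTPATH_BACKUP = PrefilterRule("fastpath-backup", "fastpath",
                                dst_nets=("10.0.0.0/8",),
                                dst_ports=frozenset({("tcp", 873)}))
POLICY = [BLOCK_BAD_RANGE, FASTPATH_BACKUP]

# Constructed sample connections.
BACKUP = Connection("inside", "10.1.1.5", "10.9.9.9", "tcp", 40001, 873)
SCANNER = Connection("outside", "203.0.113.7", "10.9.9.9", "tcp", 5555, 873)
WEB = Connection("outside", "198.51.100.4", "10.9.9.10", "tcp", 40002, 443)


def demo() -> dict:
    return {
        "backup": evaluate(POLICY, BACKUP),
        "scanner": evaluate(POLICY, SCANNER),
        "web": evaluate(POLICY, WEB),
        # Same rules, reversed: the scanner now hits the fastpath rule first
        # and bypasses inspection, which is why order matters.
        "scanner_reordered": evaluate(list(reversed(POLICY)), SCANNER),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The "scanner_reordered" entry is the point of the exercise: the same two rules produce a block or a fast path for the same connection depending only on insertion order, so a block rule meant to catch traffic that a broader fast path rule also matches must sit above it.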