Configuring intelligent application bypass

Not all deployments require IAB, and those that do might use it in a limited fashion. Do not enable IAB unless you have expert knowledge of your network traffic, especially application traffic, and system performance, including the causes of predictable performance issues. Before you run IAB in bypass mode, make sure that trusting the specified traffic does not expose you to risk.

Before you begin

IAB settings apply to Snort 2 devices and to Snort 3 devices running versions earlier than 7.2.0. For Snort 3 devices running 7.2.0 or later, use elephant flow detection instead.

Procedure


Step 1

In the access control policy editor, click Advanced Settings from the More drop-down arrow at the end of the packet flow line. Then, click Edit (edit icon) next to Intelligent Application Bypass Settings.

Step 2

Set the enabled State for IAB.

Turn IAB Off or On, or enable IAB in Test mode.

In test mode, connection events and dashboards tell you what the system would have done if IAB had been on, but traffic is not impacted. Use test mode to check your configuration.

Step 3

Set the Performance Sample Interval.

The Performance Sample Interval specifies the time in seconds between IAB performance sampling scans, during which the system collects system performance metrics for comparison to IAB performance thresholds. The default is 5 seconds. The range is 1 to 1000 seconds.

Step 4

Select the Bypassable Applications and Filters.

Choose from:

  • X Applications/Filters—Click the link and select the applications or application filters whose traffic you want to bypass. You can select by general attributes, specific applications, or both. For example, you could limit bypassable traffic to very low risk applications only.

  • All applications including unidentified applications—Do not restrict bypass. When an inspection performance threshold is exceeded, IAB trusts all traffic that exceeds any flow bypass threshold, regardless of the application type. This is the default.

Step 5

Configure the performance and flow thresholds.

You must configure at least one Inspection Performance Threshold and at least one Flow Bypass Threshold. All thresholds have defaults, so you do not need to change the settings if the defaults are appropriate for your network.

When a performance threshold is exceeded, the system examines the flow thresholds and, if one of them is exceeded, trusts the specified traffic. If you enable more than one threshold of either type, only one threshold of each type needs to be exceeded.

  1. Click Configure under Inspection Performance Thresholds and configure the options.

    Inspection performance thresholds provide intrusion inspection performance limits that, if exceeded, trigger the inspection of flow thresholds. Inspection performance thresholds set to 0 are ignored.

    You can configure one or more of the following thresholds:

    • Drop Percentage—The average packets dropped as a percentage of total packets, when packets are dropped because of performance overloads caused by expensive intrusion rules, file policies, decompression, and so on. This does not refer to packets dropped by normal configurations such as intrusion rules.

      Specifying an integer greater than 1 activates IAB when the specified percentage of packets is dropped. Specifying 1 activates IAB at any drop percentage from 0 through 1, so even a small number of dropped packets can activate IAB.

      The default is 5%. The range is 0 to 100.

    • Processor Utilization Percentage—Average percentage of processor resources used. The default is 95. The range is 0 to 100.

    • Packet Latency—The average packet latency in microseconds. The default is 1000. The range is 0 to 1000000.

    • Flow Rate—The rate at which the system processes flows, measured as the number of flows per second. Note that this option configures IAB to measure flow rate, not flow count. The default is 0. The range is 0 to 1000000.

  2. Click Configure under Flow Bypass Thresholds and configure the options.

    Flow bypass thresholds provide flow limits that, if exceeded, trigger IAB to trust bypassable application traffic in bypass mode or allow application traffic subject to further inspection in test mode. Flow bypass thresholds set to 0 are ignored.

    You can configure one or more of the following flow bypass thresholds:

    • Bytes per Flow—The maximum number of kilobytes a flow can include. The default is 500000. The range is 0 to 2147483647.

    • Packets per Flow—The maximum number of packets a flow can include. The default is 0. The range is 0 to 2147483647.

    • Flow Duration—The maximum number of seconds a flow can remain open. The default is 0. The range is 0 to 2147483647.

    • Flow Velocity—The maximum transfer rate in kilobytes per second. The default is 250000. The range is 0 to 2147483647.
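The following Python model is an added example written for this page; it is not Cisco code and does not run on a device. It reproduces the two-stage decision described in Steps 2, 4 and 5 (an inspection performance threshold must be exceeded, then a flow bypass threshold, and only bypassable application traffic is affected) using the page's default values, with constructed sample metrics and flows, so you can reason about which connections a given configuration would trust before turning IAB on. The page does not say whether a sampled value equal to its threshold counts as exceeded; this model assumes `>=`, and the metric and flow field names are its own.

```python
"""Model of the IAB decision described in Steps 2, 4 and 5.

Added example for this page, not Cisco code. Assumption: a sampled value
>= its threshold counts as "exceeded"; the page does not state whether
the comparison is strict. All sample data below is constructed.
"""

# Page defaults. A threshold of 0 means "ignored".
DEFAULT_PERFORMANCE_THRESHOLDS = {
    "drop_percentage": 5,           # percent, range 0-100
    "processor_utilization": 95,    # percent, range 0-100
    "packet_latency_us": 1000,      # microseconds, range 0-1000000
    "flow_rate": 0,                 # flows per second, range 0-1000000
}
DEFAULT_FLOW_THRESHOLDS = {
    "bytes_per_flow_kb": 500000,    # kilobytes
    "packets_per_flow": 0,
    "flow_duration_s": 0,
    "flow_velocity_kbps": 250000,   # kilobytes per second
}
ALL_APPLICATIONS = None  # Step 4 "All applications including unidentified"


def exceeded(thresholds, sample):
    """Names of thresholds that are configured (non-zero) and met by sample."""
    return [name for name, limit in thresholds.items()
            if limit > 0 and sample.get(name, 0) >= limit]


def validate(perf_thresholds, flow_thresholds):
    """Step 5: at least one threshold of each kind must be non-zero."""
    if not any(v > 0 for v in perf_thresholds.values()):
        raise ValueError("configure at least one inspection performance threshold")
    if not any(v > 0 for v in flow_thresholds.values()):
        raise ValueError("configure at least one flow bypass threshold")


def iab_decision(mode, perf_sample, flow, bypassable_apps=ALL_APPLICATIONS,
                 perf_thresholds=DEFAULT_PERFORMANCE_THRESHOLDS,
                 flow_thresholds=DEFAULT_FLOW_THRESHOLDS):
    """Return "inspect", "bypass" (IAB on) or "would-bypass" (test mode).

    mode is "off", "test" or "on". perf_sample holds the metrics collected
    during one Performance Sample Interval; flow holds one connection's
    counters plus its identified application (or "unidentified").
    """
    if mode == "off":
        return "inspect"
    validate(perf_thresholds, flow_thresholds)
    # Stage 1: does any single configured performance threshold trip?
    if not exceeded(perf_thresholds, perf_sample):
        return "inspect"
    # Stage 2: only bypassable applications, and any single flow threshold.
    if bypassable_apps is not ALL_APPLICATIONS and flow["app"] not in bypassable_apps:
        return "inspect"
    if not exceeded(flow_thresholds, flow):
        return "inspect"
    return "bypass" if mode == "on" else "would-bypass"


def summarize(mode, perf_sample, flows, **kwargs):
    """Count decisions over many flows, as a test-mode dashboard would."""
    counts = {"inspect": 0, "would-bypass": 0, "bypass": 0}
    for flow in flows:
        counts[iab_decision(mode, perf_sample, flow, **kwargs)] += 1
    return counts


# Constructed samples: one overloaded and one healthy sampling interval,
# plus three flows. flow_rate is high in both but its threshold is 0,
# so it is ignored.
OVERLOADED = {"drop_percentage": 2, "processor_utilization": 97,
              "packet_latency_us": 400, "flow_rate": 900000}
HEALTHY = {"drop_percentage": 0, "processor_utilization": 40,
           "packet_latency_us": 200, "flow_rate": 900000}
FLOWS = [
    {"app": "backup-tool", "bytes_per_flow_kb": 800000, "flow_velocity_kbps": 1000},
    {"app": "web-browsing", "bytes_per_flow_kb": 120, "flow_velocity_kbps": 50},
    {"app": "unidentified", "bytes_per_flow_kb": 1000, "flow_velocity_kbps": 300000},
]

if __name__ == "__main__":
    print(summarize("test", OVERLOADED, FLOWS))
    print(summarize("on", OVERLOADED, FLOWS, bypassable_apps={"backup-tool"}))
```

Running the model with the defaults and the "all applications" choice shows that, under overload, the large backup flow and the fast unidentified flow would both be trusted, while restricting bypassable applications to a named set leaves the unidentified flow under inspection; a healthy sampling interval never reaches the flow thresholds at all.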

Step 6

Click OK to save IAB settings.

Step 7

Click Save to save the policy.


What to do next

  • Deploy configuration changes.