Configure Prefiltering

To perform custom prefiltering, configure prefilter policies and assign the policies to access control policies. It is through the access control policy that prefilter policies get assigned to managed devices.

Only one person should edit a policy at a time, using a single browser window. If multiple users save the same policy, the last saved changes are retained. For your convenience, the system displays information on who (if anyone) is currently editing each policy. To protect the privacy of your session, a warning appears after 30 minutes of inactivity on the policy editor. After 60 minutes, the system discards your changes.

Procedure


Step 1

Choose Policies > Access Control > Prefilter.

Step 2

Click New Policy to create a custom prefilter policy.

A new prefilter policy has no rules and a default action of Analyze all tunnel traffic. It performs no logging or tunnel rezoning. You can also Copy (copy icon) or Edit (edit icon) an existing policy.

Step 3

Configure the prefilter policy's default action and its logging options.

  • Default action—Choose a default action for supported plaintext, passthrough tunnels: Analyze all tunnel traffic (with access control) or Block all tunnel traffic.
  • Default action logging—Click Logging (logging icon) next to the default action; see Logging Connections with a Policy Default Action. You can configure default action logging for blocked tunnels only.
Step 4

Configure tunnel and prefilter rules.

In a custom prefilter policy, you can use both kinds of rule, in any order. Create rules depending on the specific type of traffic you want to match and the actions or further analysis you want to perform; see Tunnel vs Prefilter Rules.

Caution

Exercise caution when using tunnel rules to assign tunnel zones. Connections in rezoned tunnels may not match security zone constraints in later evaluation. For more information, see Tunnel Zones and Prefiltering.

For detailed information on configuring rule components, see Tunnel and Prefilter Rule Components.

Step 5

Evaluate rule order. To move a rule, click and drag or use the right-click menu to cut and paste.

Properly creating and ordering rules is a complex task, but one that is essential to building an effective deployment. If you do not plan carefully, rules can preempt other rules or contain invalid configurations. For more information, see Best Practices for Access Control Rules.

Step 6

Save the prefilter policy.

Step 7

For configurations that support tunnel zone constraints, appropriately handle rezoned tunnels.

Match connections in rezoned tunnels by using tunnel zones as source zone constraints.

Step 8

Associate the prefilter policy with the access control policy deployed to your managed devices.

Step 9

Deploy configuration changes; see Deploy Configuration Changes.

Note

When you deploy a prefilter policy, its rules are not applied on the existing tunnel sessions. Hence, traffic on an existing connection is not bound by the new policy that is deployed. In addition, the policy hit count is incremented only for the first packet of a connection that matches a policy. Thus, the traffic on an existing connection that could match a policy is omitted from the hit count. To have the policy rules effectively applied, clear the existing tunnel sessions, and then deploy the policy.


What to do next

If you will deploy time-based rules, specify the time zone of the device to which the policy is assigned. See Configure Device Time Zone for Policy Application.