Traffic Normalization filters block network traffic when the traffic is considered improper or malformed.
These filters allow you to set alerts to trigger when the system recognizes this traffic. Traffic pattern anomaly filters alert when network traffic varies from normal. Traffic normalization filters enforce valid packet processing within the Threat Suppression Engine. They protect the engine by detecting invalid or abnormal packets.
Because they inspect traffic for malformed packets, Traffic Normalization filters are set to Block by default. We do not recommend using a Permit action because it could introduce vulnerabilities with malformed packets. If you select the Block action set, the SMS does not log the traffic that matches this filter. Use caution when selecting this action because it might cause a network outage if it is not correctly defined.
As these filters manage traffic, you may notice that not all filters result in blocked streams. The following filters do not hold blocked data streams:
  • 7102: IP fragment invalid. The packet is dropped.
  • 7103: IP fragment out of range. The packet is dropped.
  • 7104: IP duplicate fragment. The packet is dropped.
  • 7105: IP length invalid. The packet is dropped.
  • 7121: TCP header length invalid. The packet is dropped.
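As an added illustration (not TippingPoint code, and not the Threat Suppression Engine's actual filter logic), the Python example below shows the kind of header sanity checks that the filter names above suggest. The check names, the conditions and the sample packet builders are assumptions constructed for this example from the IPv4 and TCP header formats.

```python
import struct

MAX_DATAGRAM = 65535  # largest IPv4 datagram (16-bit Total Length field)

def check_packet(pkt: bytes, seen: set) -> list:
    """Return the sanity checks a raw IPv4 packet fails (empty list = clean)."""
    if len(pkt) < 20:
        return ["ip-length-invalid"]
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    proto = pkt[9]
    ihl = (ver_ihl & 0x0F) * 4
    # Header shorter than 20 bytes, or Total Length disagreeing with the bytes present.
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["ip-length-invalid"]
    findings = []
    payload_len = total_len - ihl
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset in bytes
    more = bool(flags_frag & 0x2000)        # More Fragments flag
    if offset or more:
        # Every fragment except the last must carry a non-zero multiple of 8 bytes.
        if more and (payload_len == 0 or payload_len % 8):
            findings.append("ip-fragment-invalid")
        # Reassembly would exceed the maximum datagram size.
        if ihl + offset + payload_len > MAX_DATAGRAM:
            findings.append("ip-fragment-out-of-range")
        key = (pkt[12:20], proto, ident, offset)  # src+dst, protocol, ID, offset
        if key in seen:
            findings.append("ip-duplicate-fragment")
        seen.add(key)
    elif proto == 6:
        # Unfragmented TCP: Data Offset must cover the 20-byte base header and fit the payload.
        doff = (pkt[ihl + 12] >> 4) * 4 if payload_len >= 20 else 0
        if doff < 20 or doff > payload_len:
            findings.append("tcp-header-length-invalid")
    return findings

def build(payload: bytes, proto=6, ident=1, flags_frag=0, total_len=None) -> bytes:
    """Construct a minimal IPv4 packet (checksum left at 0; sample data only)."""
    total = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def tcp(doff_words: int) -> bytes:
    """Constructed 20-byte TCP header with the given Data Offset (in 32-bit words)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff_words << 4, 0x02, 1024, 0, 0)
```

The `seen` set stands in for per-flow reassembly state; a real engine would also expire entries and track overlapping ranges, which this example does not.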
Traffic Normalization filter names must be unique within a profile. The SMS gives each filter a unique ID, which it uses as a reference in the system.