Inspection Policy elements and how they work

Inspection Policy elements define how the main traffic analysis is done for traffic that has been allowed and selected for deep inspection in the Access rules. They define what action the engine takes when a match is found.

The Inspection Policy elements are selected in Firewall, IPS, and Layer 2 Firewall Policy elements. The IPS Template and Layer 2 Firewall Template enable deep inspection for all IP traffic. Deep inspection is not automatically enabled in the Firewall Template.

Deep inspection examines the packet payload throughout whole connections, and acts when something threatening is discovered.

Engines examine IPv4 and IPv6 traffic against traffic patterns defined in Situation elements. Engines and Log Servers process the detected events using Correlation Situation criteria. Dynamic update packages are the main source of Situation elements. If you want to detect a specific traffic pattern (for example, a particular internal file server in your network being accessed) or if you want to create an edited version of some existing Situation element, you can also define new patterns as custom Situation elements. You can add your custom Situation elements to the Rules tree by selecting a Situation Type for them.

There are three general types of cases for using Inspection Policy elements:
  • You can detect attempts to exploit known vulnerabilities in your systems and prevent such attempts from succeeding if the systems are not yet patched against them.
  • You can monitor traffic that does not cause alarm on the surface, but when examined for certain patterns, turns out to conceal actual threats. For example, you can detect whether a series of occasional service requests is actually someone covertly scanning the network structure, or whether a spike in traffic is a denial-of-service attack.
  • You can also detect other sequences in traffic, such as the use of certain applications or even access to a particular file.

Based on the detection results, the Inspection Policy element provides several different ways to react when some traffic is found to match a pattern of interest:
  • Stop the traffic if it is going through a Firewall.
  • Stop the traffic if it is going through an IPS engine or Layer 2 Firewall with inline interfaces.
  • Reset the connection.
  • Blacklist the connection on one or more Engines.
  • Allow the traffic.

Regardless of which action is taken, a match can also create:
  • A log entry with or without recording some of the detected traffic.
  • An alert with or without recording some of the detected traffic.
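The following is an added conceptual model of the behaviour described above; it is not the product's code or API. It matches a custom Situation (a constructed pattern for access to one file on an internal server) against a reassembled connection payload and applies the rule's action, logging and alerting independently. The engine types, the passive "capture" IPS deployment that cannot stop traffic, and all names and sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Engine(Enum):
    FIREWALL = "firewall"
    IPS_INLINE = "ips (inline interfaces)"
    IPS_CAPTURE = "ips (capture interfaces)"  # assumption: passive tap, can only observe
    L2FW_INLINE = "layer 2 firewall (inline interfaces)"


@dataclass
class Situation:
    name: str
    pattern: bytes  # byte pattern the connection payload is matched against


@dataclass
class InspectionRule:
    situation: Situation
    action: str  # "stop", "reset", "blacklist" or "allow"
    log: bool = True
    alert: bool = False


@dataclass(frozen=True)
class Verdict:
    situation: Optional[str]  # name of the matched Situation, None if nothing matched
    enforcement: str
    log: bool
    alert: bool


def inspect_connection(segments: List[bytes], rules: List[InspectionRule], engine: Engine) -> Verdict:
    """Reassemble the connection payload and return the first matching rule's verdict."""
    payload = b"".join(segments)  # deep inspection spans the whole connection, not one packet
    for rule in rules:
        if rule.situation.pattern in payload:
            enforcement = rule.action
            # Stopping traffic needs an inline path; a passive IPS can only log or alert.
            if rule.action == "stop" and engine is Engine.IPS_CAPTURE:
                enforcement = "observe-only"
            return Verdict(rule.situation.name, enforcement, rule.log, rule.alert)
    return Verdict(None, "allow", False, False)


# Constructed sample: a custom Situation for access to one file, split across two segments.
FILE_ACCESS = Situation("Custom/Internal-payroll-file-access", b"GET /shares/finance/payroll.xlsx")
RULES = [InspectionRule(FILE_ACCESS, action="stop", log=True, alert=True)]
SEGMENTS = [b"GET /shares/fin", b"ance/payroll.xlsx HTTP/1.1\r\nHost: files.example.internal\r\n\r\n"]

if __name__ == "__main__":
    for engine in Engine:
        print(engine.value, inspect_connection(SEGMENTS, RULES, engine))
```

Running the block shows the same match producing a stop on the Firewall and inline engines but only a log and alert on the passive deployment, which is why enforcement actions should be checked against the interface type before relying on them.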

Firewalls can inspect all protocols. Virtual Engines do not individually inspect traffic. One shared inspection process running on the Master Engine handles the inspection and correlation for all Virtual Engines associated with the Master Engine. To prevent excessive resource consumption on the Master Engine, take care when configuring Inspection policies for use on Virtual Engines.