Views:
Adaptive Filtering Configuration (AFC) is a device function configured to avoid congestion by automatically disabling filters that trigger excessively. You can configure AFC on individual filters or all filters (at the device level). Edit the filter and clear the Use Adaptive Configuration Settings checkbox if you choose not to submit filters to adaptive filtering. You can view which disabled filters are most recently affected by AFC in the Adaptive Filter List.

View AFC filters

View a list of filters that were most recently affected by AFC. IPS devices display the ten most recent filters. TPS devices display the twenty-five most recent filters. The Adaptive Filter List provides the following information:
 
OptionDescription
Device NameDevice name.
Filter TypeSecurity or Application filter.
Filter NameThe name of the filter being managed by AFC.
Filter StateEnabled - When selected, this indicates that the filter was once disabled by AFC and cleared by a user. It is now enabled in the engine and will execute the associated action set.

Disabled - If the checkbox is not selected, AFC has uninstalled this filter from the engine.

When a filter enters AFC, the device automatically performs a traffic capture. After you clear the filter state, it might still appear on the Adaptive Filter List, so you can download the associated packet capture (PCAP) file.

Procedure:
  1. From the SMS toolbar, select Devices > All Devices > Member Summary > Events, and then select the Adaptive Filter tab.
  2. To clear a filter's AFC state, select the filter(s) and then click Clear Selected Filters. This re-enables the selected filter states. 
  3. To clear the AFC state on all the device filters, click Clear All. This re-enables every filter state on the device. 
  4. To change the AFC setting on a filter, edit the filter.
Configuring a device for adaptive filtering

The Adaptive Filter Configuration (AFC) state enables the Threat Suppression Engine to manage a device automatically. This feature protects against the potential adverse effects of a filter that interacts poorly with the network environment. At the filter level, you have the option to disable adaptive filtering so that a filter is never impacted by the adaptive filter settings on a device. You can also view the filters most recently affected by adaptive filtering in the Adaptive Filter List and re-enable the filter state.

Procedure:
  1. From the SMS toolbar, select Devices > All Devices > device, and then click Device Configuration.
  2. Select AFC Settings.
  3. Select the AFC setting:
    1. Auto - This setting enables the device to disable the defective filter and auto-generate a system message.
    2. Manual - This setting enables the device to generate a system message regarding the filter. However, the filter is not disabled.
  4. Select the severity of the system log message that is generated when a filter triggers the AFC setting configured on a filter.
  5. Click OK.

To reset an AFC filter go to;

  • TPS: Reports > Security > Adaptive Filter Control
  • SMS: Devices > All Devices > Member Summary > Events > Adaptive Filter
Keywords: Adaptive Filtering Configuration (AFC), Adaptive Filtering, AFC