Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

What are: Flow Management Filters?

    • Updated:
    • 24 Aug 2017
    • Product/Version:
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint NGFW All
    • TippingPoint SecBlade All
    • TippingPoint TPS All
    • TippingPoint Virtual TPS All
    • Platform:
Summary
Flow Management Filters are a special set of policy based DV filters which "match" once a certain amount of traffic has passed, these filters are to be used in conjunction with TRUST as an Action. Most attacks occur in the first few bytes of a flow; using these filters you can trust a flow after the flow has been clean for the first 5, 10, 100 or 500MB of transferred data. So when a filter match occurs, the stream will be placed in the Trusted Streams table.
Details
Public
Flow Management Filters
7620: TCP Flow Management (5MB)
7621: TCP Flow Management (10MB)
7622: TCP Flow Management (100MB)
7623: TCP Flow Management (500MB)
 7624: UDP Flow Management (5MB)
 7625: UDP Flow Management (10MB)
 7626: UDP Flow Management (100MB)
 7627: UDP Flow Management (500MB)
Note: Only one TCP and/or one UDP filter should be enabled.

Trust as an Action Set: Actions configured under shared settings; you can create a TRUST or TRUST+NOTIFY action set which can then be assigned to any DV filter. If traffic matches a filter with an action set of TRUST, a trusted stream is created, and that flow will pass through the IPS uninspected until the trusted stream times out (default 30 minutes). Trusted streams are also shared with the partner IPS in a TRHA configuration.

Implementation and Management

Best practice calls for the Traffic Management Filter to be set to a TRUST action, however during the initial configuration and observation period the filter should be set to an action of TRUST+NOTIFY. After the system has been verified to be working properly, the filter should be set to TRUST.

Note: Setting the filter to PERMIT+NOTIFY is not the recommended action for these filters.

 

You may view the TRUSTED streams table at the following locations:

  1.  SMS: via TRUSTED STREAMS table via the Devices->"IPS"->Events->Trusted Streams tab
  2.  LSM: via Events->Managed Streams->Trusted Streams

 

IPS CLI command: "show np tier"
Tier 2:
----------------------------------------------------------
Tx trust packets/sec = 0.0 (0.0)
Rx Mbps = 72.8 (130.8)
Rx packets/sec = 9,663.0 (53,792.0)
Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000086249
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.