Traffic Normalization Filters

    • Updated: 12 Feb 2019
    • Product/Version: TippingPoint SMS All; TippingPoint Virtual SMS
    • Platform:
Summary
Traffic Normalization filters block network traffic when the traffic is considered improper or malformed. These filters allow you to set alerts to trigger when the system recognizes this traffic. Traffic pattern anomaly filters alert when network traffic varies from normal. Traffic normalization filters enforce valid packet processing within the Threat Suppression Engine. They protect the engine by detecting invalid or abnormal packets. By protecting the engine, the filters scrub the network of possible issues.
Details

By default, Traffic Normalization filters are set to Block. We do not recommend using a Permit action because it could introduce vulnerabilities with malformed packets.

Because these filters manage traffic, you may notice that not all of them result in blocked streams.

The following filters do not hold blocked data streams:

  • 7102: IP fragment invalid. The packet is dropped.
  • 7103: IP fragment out of range. The packet is dropped.
  • 7104: IP duplicate fragment. The packet is dropped.
  • 7105: IP length invalid. The packet is dropped.
  • 7121: TCP header length invalid. The packet is dropped.
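To make the five conditions above concrete, here is an added example (not Trend Micro code, and not how the Threat Suppression Engine is implemented) that applies generic RFC 791 / RFC 793 sanity checks to raw IPv4 packets. The labels reuse the filter names from the list; the exact rule behind each label, the function names, and the sample packets are assumptions constructed for illustration.

```python
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header

def check_packet(pkt, seen):
    """Return anomaly labels for one raw IPv4 packet; `seen` tracks fragments."""
    if len(pkt) < IP_HDR.size:
        return ["IP length invalid"]
    ver_ihl, _, total, ident, frag, _, proto, _, src, dst = IP_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    # Header length and total length must be self-consistent and fit the capture.
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or total > len(pkt):
        return ["IP length invalid"]
    found = []
    more, offset, body = bool(frag & 0x2000), (frag & 0x1FFF) * 8, total - ihl
    if more or offset:
        if more and body % 8:            # non-final fragments carry multiples of 8 bytes
            found.append("IP fragment invalid")
        if ihl + offset + body > 65535:  # reassembly would exceed the IPv4 maximum
            found.append("IP fragment out of range")
        key = (src, dst, proto, ident, offset)
        if key in seen:                  # same datagram, same offset, seen before
            found.append("IP duplicate fragment")
        seen.add(key)
    if proto == 6 and offset == 0:       # the TCP header starts in this packet
        doff = (pkt[ihl + 12] >> 4) * 4 if body > 12 else 0
        if doff < 20 or doff > body:
            found.append("TCP header length invalid")
    return found

# Constructed sample builders (addresses are RFC 5737 documentation ranges).
def ip(payload, proto=6, ident=1, frag=0, total=None):
    total = 20 + len(payload) if total is None else total
    return IP_HDR.pack(0x45, 0, total, ident, frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def tcp(doff_words):
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff_words << 4, 0x02, 1024, 0, 0)

if __name__ == "__main__":
    seen = set()
    for name, pkt in [("well-formed SYN", ip(tcp(5))),
                      ("short TCP offset", ip(tcp(3))),
                      ("oversized total length", ip(tcp(5), total=200)),
                      ("fragment past 65535", ip(b"A" * 100, proto=1, frag=0x1FFF))]:
        print(name, "->", check_packet(pkt, seen) or "ok")
```

Each of these checks is decided from a single packet (plus a small fragment table), which is consistent with the page's statement that the matching packet is dropped rather than the whole stream being held.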

Note: Traffic Normalization filter names must be unique within a profile. The SMS gives each filter a unique ID, which it uses as a reference in the system.

Procedure:

  1. Log in to the SMS from a client.
  2. From the top navigation pane, click Profiles.
  3. From the navigation pane on the left, click the + sign next to the Inspection Profiles to expand the category.
  4. From the navigation pane on the left, locate and expand the Profile you will be working with.
  5. Select and expand the Security Filters category.
  6. Select Traffic Normalization.
  7. On the Traffic Normalization Filters screen, locate and select a filter and do one of the following:
    1. Double-click the filter.
    2. Right-click the selected filter and choose Edit.
  8. In the Filter Setting section:
    1. Locked: Change locked status.
    2. Action
    3. General Settings
  9. In the Action area you can choose to:
    1. Use Category Settings to use the recommended action setting for the selected filter.
    2. Use Filter Specific Settings to customize the action setting for the selected filter.
      1. For State, click the Enabled check box. If you do not click this check box, the filter custom settings are disabled.
      2. From the Action Set drop-down menu, select an action set.
  10. Note: If you select Recommended as the action set, this sets the filter to the recommended setting for that filter. If you assign a Permit action to a Traffic Normalization filter, packets matching the rule are logged and passed without further inspection. This process differs from normal packet processing and can introduce vulnerabilities. When you select a non-blocking action set or create an exception to a Normalization filter, you receive a notification from the system. If you select a rate limit, it applies only to TCP, UDP, or ICMP traffic.
  11. In the General Settings area, you can choose to:
    1. Use Adaptive Configuration Settings to apply the global adaptive filter settings for flow control.
      1. To add AFC settings, select the checkbox.
      2. To remove any global adaptive filter settings for this filter, deselect the checkbox.
    2. Comments: Enter or change filter comments.
  12. To add an exception, do the following:
    1. In the Exceptions area, click Add. The Create or Edit Exception dialog box displays.
    2. Enter a Name for the exception.
    3. For the Src IP Address, enter an IP address. Select the format for the address: CIDR, IP Mask, or Any IP.
    4. For the Dest IP Address, enter an IP address. Select the format for the address: CIDR, IP Mask, or Any IP.
    5. Click OK.
  13. You can also click Distribute to distribute the change.
  14. Click OK.

Additional Information: What are Invalid Packets

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000125919