Summary
This article explains what Adaptive Filtering is on TippingPoint devices and how to configure and manage it.
Details
Adaptive Filtering (AFC) is a device function configured to avoid congestion by automatically disabling filters that trigger excessively. You can configure AFC on individual filters or on all filters (at the device level). If you choose not to submit a filter to adaptive filtering, edit the filter and clear the Use Adaptive Configuration Settings checkbox. You can view which disabled filters were most recently affected by AFC in the Adaptive Filter List.
View AFC filters
View a list of filters that were most recently affected by AFC. IPS devices display the ten most recent filters. TPS devices display the twenty-five most recent filters. The Adaptive Filter List provides the following information:
| Option | Description |
| --- | --- |
| Device Name | Device name. |
| Filter Type | Security or Application filter. |
| Filter Name | The name of the filter being managed by AFC. |
| Filter State | Enabled - When selected, this indicates that the filter was once disabled by AFC, cleared by a user, and is now enabled in the engine and will execute the associated action set. Disabled - If the checkbox is not selected, then this filter has been uninstalled from the engine by AFC. |
The device automatically performs a traffic capture when a filter enters AFC. After you clear the filter state, it might still appear on the Adaptive Filter List so that you can download the associated packet capture (PCAP) file.
Procedure:
- From the SMS toolbar select Devices > All Devices > Member Summary > Events, and then select the Adaptive Filter tab.
- To clear the AFC state on a filter, select the filter(s) and then click Clear Selected Filters. This re-enables the selected filter states. This option is available on IPS devices running any supported TOS, and on TPS devices running TOS version 5.1 and later.
- To clear the AFC state on all the device filters, click Clear All. This re-enables every filter state on the device. This option is available only on TPS devices running TOS version 5.1 and later.
- To change the AFC setting on a filter, edit the filter.
The Adaptive Filter Configuration (AFC) state enables the Threat Suppression Engine to automatically manage a device. This feature protects against the potential adverse effects of a filter that interacts poorly with the network environment. At the filter level, you have the option to disable adaptive filtering so that a filter is never impacted by the adaptive filter settings on a device. You can also view the filters most recently affected by adaptive filtering in the Adaptive Filter List, and re-enable the filter state.
Procedure:
- From the SMS toolbar select Devices > All Devices > device, and then click Device Configuration.
- Select AFC Settings.
- Select the AFC setting:
  - Auto - This setting enables the device to disable the defective filter and auto-generate a system message.
  - Manual - This setting enables the device to generate a system message regarding the filter. However, the filter is not disabled.
- Select the severity of the system log message that is generated when a filter triggers the AFC setting configured on a filter.
- Click OK.