Prefiltering vs Access Control
Prefilter and access control policies both allow you to block and trust traffic, though the prefiltering "trust" functionality is called "fastpathing" because it skips more inspection. The following table explains this and other differences between prefiltering and access control, to help you decide whether to configure custom prefiltering.
If you do not configure custom prefiltering, you can only approximate—not replicate—prefilter functionality with early-placed Block and Trust rules in the access control policy.
|
Characteristic |
Prefiltering |
Access Control |
For more information, see... |
|---|---|---|---|
|
Primary function |
Quickly fastpath or block certain types of plaintext, passthrough tunnels (see Encapsulation Rule Conditions), or tailor subsequent inspection to their encapsulated traffic. Fastpath or block any other connections that benefit from early handling. |
Inspect and control all network traffic, using simple or complex criteria, including contextual information and deep inspection results. | |
|
Implementation |
Prefilter policy. The prefilter policy is invoked by the access control policy. |
Access control policy. The access control policy is a main configuration. In addition to invoking subpolicies, access control policies have their own rules. | |
|
Sequence within access control |
First. The system matches traffic to prefilter criteria before all other access control configurations. |
— |
— |
| Rule actions |
Fewer. You can stop further inspection (Fastpath and Block) or allow further analysis with the rest of access control (Analyze). |
More. Access control rules have a larger variety of actions, including monitoring, deep inspection, block with reset, and interactive blocking. | |
|
Bypass capability |
Fastpath rule action. Fastpathing traffic in the prefilter stage bypasses all further inspection and handling, including:
|
Trust rule action. Traffic trusted by access control rules is only exempt from deep inspection and discovery. | |
|
Rule criteria |
Limited. Rules in the prefilter policy use simple network criteria: IP address, VLAN tag, port, and protocol. For tunnels, tunnel endpoint conditions specify the IP address of the routed interfaces of the network devices on either side of the tunnel. |
Robust. Access control rules use network criteria, but also user, application, requested URL, and other contextual information available in packet payloads. Network conditions specify the IP address of source and destination hosts. | |
|
IP headers used (tunnel handling) |
Outermost. Using outer headers allows you to handle entire plaintext, passthrough tunnels. For nonencapsulated traffic, prefiltering still uses "outer" headers—which in this case are the only headers. |
Innermost possible. For a nonencrypted tunnel, access control acts on its individual encapsulated connections, not the tunnel as a whole. | |
|
Rezone encapsulated connections for further analysis |
Rezones tunneled traffic. Tunnel zones allow you to tailor subsequent inspection to prefiltered, encapsulated traffic. |
Uses tunnel zones. Access control uses the tunnel zones you assign during prefiltering. | |
|
Connection logging |
Fastpathed and blocked traffic only. Allowed connections may still be logged by other configurations. |
Any connection. | |
|
Supported devices |
Secure Firewall Threat Defense only. |
All. |
— |