Configure Automatic Application Bypass

Automatic Application Bypass (AAB) allows packets to bypass detection if Snort is down or, for a Classic device, if a packet takes too long to process. AAB causes Snort to restart within ten minutes of the failure, and generates troubleshooting data that can be analyzed to investigate the cause of the Snort failure.

Caution

AAB activation partially restarts the Snort process, which temporarily interrupts the inspection of a few packets. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.

AAB behaves differently depending on the device type:

Threat Defense Behavior: If Snort is down, then AAB is triggered after the specified timer duration. If Snort is up, then AAB is never triggered, even if packet processing exceeds the configured timer.

Classic Device Behavior: AAB limits the time allowed to process packets through an interface. You balance packet processing delays with your network’s tolerance for packet latency.

The feature functions with any deployment; however, it is most valuable in inline deployments.

Typically, you use Rule Latency Thresholding in the intrusion policy to fast-path packets after the latency threshold value is exceeded. Rule Latency Thresholding does not shut down the engine or generate troubleshooting data.

If detection is bypassed, the device generates a health monitoring alert.

AAB is disabled by default. To enable it, follow the steps below.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the device where you want to edit advanced device settings, click Edit (edit icon).

Step 3

Click Device, then click Edit (edit icon) in the Advanced Settings section.

Step 4

Check Automatic Application Bypass.

Step 5

Enter a Bypass Threshold from 250 milliseconds (ms) to 60,000 ms. The default setting is 3000 ms.

Step 6

Click Save.


What to do next

  • Deploy configuration changes.