Configuring IP Defragmentation

Note	This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

Before you begin

Confirm that any networks you want to identify in a custom target-based policy match or are a subset of the networks, zones, and VLANs handled by its parent network analysis policy. See Advanced Settings for Network Analysis Policies for more information.

Step 1

Choose Policies > Access Control, then click Network Analysis Policy or Policies > Access Control > Intrusion, then click Network Analysis Policies.

Note	If your custom user role limits access to the first path listed here, use the second path to access the policy.

Step 2

Click Snort 2 Version next to the policy you want to edit.

Step 3

Click Edit ( edit icon ) next to the policy you want to edit.

If View ( View button ) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Settings in the navigation panel.

Step 5

If IP Defragmentation under Transport/Network Layer Preprocessors is disabled, click Enabled.

Step 6

Click Edit ( edit icon ) next to IP Defragmentation.

Step 7

Optionally, enter a value in the Preallocated Fragments field.

Step 8

You have the following choices:

Add a server profile — Click Add () next to Servers on the left side of the page, then enter a value in the Host Address field and click OK. You can specify a single IP address or address block, or a comma-separated list of either or both. You can create a total of 255 target-based policies including the default policy.
Edit a server profile — Click the configured address for under Servers on the left side of the page, or click default.
Delete a profile — Click Delete () next to the policy.

Step 9

Modify the options described in IP Defragmentation Options.

Step 10

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, cached changes since the last commit are discarded if you edit a different policy.

If you want to generate events and, in an inline deployment, drop offending packets, enable IP defragmentation rules (GID 123). For more information, see Setting Intrusion Rule States and IP Defragmentation Options.
Deploy configuration changes.