Cisco Firepower Network Analysis Policy determines how deeply traffic must be preprocessed and decoded before it is inspected by the access control and IPS policies. Some features, such as data loss detection or port scan detection, require deep traffic preprocessing.

What is Firepower Network Analysis Policy?

Network Analysis Policy is applied after Security Intelligence and SSL decryption, but before access control or intrusion policy inspection begins.

What is Network Analysis Policy

A default Network Analysis Policy is active, based on Balanced Security and Connectivity inspection.

Depending on whether security or performance is more important to you, you can choose Security over Connectivity, Connectivity over Security, or Balanced Security and Connectivity. Another option is Maximum Detection, in which traffic is decoded the deepest.

Network Analysis Policy Options

After choosing your default network analysis policy, you can change the options according to your needs, as we will do in the next video.

Notice that the IPS policy and the Network Analysis Policy are different, although the options seem to be the same. The Network Analysis Policy determines which parts of the traffic must be decoded. The traffic is then inspected and matched against IPS signatures according to the IPS Policy.

Network Analysis Policy versus IPS Policy

Cisco Firepower Network Analysis Policy Configuration

To add a Network Analysis Policy, go to

Policies -> Intrusion -> Network Analysis Policies -> create Policy

Add Network Analysis Policy

To see how traffic is decoded differently, I create two network analysis policies, one based on Balanced Security and Connectivity and the other based on Maximum Detection. Then I compare the two policies.

Compare Network Analysis Policies

As you can see, in Balanced Security and Connectivity there are many options that are disabled or ignored, but they are enabled in Maximum Detection.

To configure a Network Analysis Policy, there are two options: Snort version 2 and Snort version 3.

Normally I would configure Snort version 3, but since the setting that I need for the next video, Sensitive Data Detection, does not yet exist in Snort version 3, I configure the Snort version 2 settings of the Network Analysis Policy.

As an example, to implement “Sensitive Data Detection”, which will be configured in the next video, we need to enable FTP and Telnet configuration, IP defragmentation, and TCP stream in the Network Analysis Policy.

Enable required features in Network Analysis Policy
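
The dependency described above, as an added example that is not part of the original post: a Python check that reads Snort 2 style configuration text and reports which of the three required features is missing when `sensitive_data` is enabled. The mapping of the setting names to the Snort 2 preprocessor keywords `ftp_telnet`, `frag3_engine` and `stream5_tcp`, and the sample configuration text, are assumptions of this example.

```python
import re

# Assumed mapping from the setting names used in this post to Snort 2
# preprocessor keywords (keywords as documented in the Snort 2 manual).
REQUIRED = {
    "FTP and Telnet configuration": "ftp_telnet",
    "IP defragmentation": "frag3_engine",
    "TCP stream": "stream5_tcp",
}

# "preprocessor <keyword>" followed by ':' or end of line.
PREPROC = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)\s*(?::|$)")


def enabled_preprocessors(conf_text):
    """Return the set of preprocessor keywords found on active lines."""
    found = set()
    # Join backslash-continued lines so a wrapped directive is one line.
    joined = re.sub(r"\\\r?\n", " ", conf_text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0]  # drops commented-out directives too
        match = PREPROC.match(line)
        if match:
            found.add(match.group(1))
    return found


def missing_for_sensitive_data(conf_text):
    """List required settings that are off while sensitive_data is on."""
    found = enabled_preprocessors(conf_text)
    if "sensitive_data" not in found:
        return []  # nothing depends on the three features in this case
    return sorted(name for name, kw in REQUIRED.items() if kw not in found)


# Constructed sample in Snort 2 syntax: the TCP stream line is commented out.
SAMPLE = """\
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies
# preprocessor stream5_tcp: policy windows, ports both all
preprocessor ftp_telnet: global inspection_type stateful \\
    encrypted_traffic no
preprocessor sensitive_data: alert_threshold 25
"""

if __name__ == "__main__":
    for name in missing_for_sensitive_data(SAMPLE):
        print("not enabled:", name)
```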

For each of these settings, there are a few parameters that can be adjusted. These parameters are advanced settings that should not be changed unless you have sufficient knowledge of them.

Detailed parameters for each feature

As I mentioned earlier, the default network analysis policy is based on Balanced Security and Connectivity. To change it to your own customized network analysis policy, go to

Policies -> access control -> edit policy -> advanced -> network analysis and intrusion policies section -> edit -> change default network analysis policy to your own customized policy.

Change default network analysis policy

Notice that the default network analysis policy is Balanced Security and Connectivity.

Also notice that the network analysis policy is configured globally and not per access control rule.
