
Did you get a number at your seat?

See a stick with a number on your seat? Don't throw it away! Hold onto it!

BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
BRKCRT-2215

Cisco Firepower NGIPS


Tuning and Best Practices

John Wise
Security Instructor
Your Speaker
Security Instructor: Cisco High Touch Delivery
Started with Sourcefire many years back!

John Wise - johnwis@cisco.com

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKCRT-2215

Reference Slides

When you see this icon it is a slide for your reference!
Firepower Platforms
Dedicated NGIPS

Cisco ASA 5500-X with FirePOWER Services

Traditional ASA with FirePOWER software module
Firepower Threat Defense – 2100 NGFW

Firepower Threat Defense – 4100 NGFW

Firepower Threat Defense – 9300 NGFW

Up to 3 security modules available

Software Availability

Classic Device 5.x/6.x:
• NGIPS 7000
• NGIPS 8000
• ASA FirePOWER Services
• NGIPSv for VMware

Firepower Threat Defense (FTD) 6.x:
• ASA 5500-X (reimaged as FTD)
• 4100 Series
• 9000 Series
• 2100 Series
• FTD for ISR
• FTDv
Managed by the Firepower Management Center
FMC

FMC was previously called the Defense Center

Firepower Packet Flow

The better you know the packet flow, the more Firepower success and the less Firepower stress.
Firepower Security Inspections

Security Intelligence
• Blocks blacklisted IPs, DNS, and URLs before inspection by the ACP
• Traffic blocked here never enters the later policies

SSL Policy
• Decrypts, blocks and controls SSL/TLS traffic
• Decrypted traffic can be seen by the later policies

Access Control Policy
• Application-aware firewall
• Directs traffic to further security inspections
• Trusts and blocks traffic

Malware & File Policy
• Inspect, block, store files
• Detect and block known or suspected malware

Intrusion Policy
• IPS… your SNORT rules
Firepower Threat Defense Packet Flow

[Diagram: packet flow through the ASA OS (Lina) and the Firepower OS]
Network Discovery
Firepower Network Discovery

Network Discovery occurs here

What is Network Discovery?

Firepower's ability to SNORT your traffic, which is a much deeper sniff, to build Host Profiles.
Is Your Network Discovery Policy Defined?

Firepower will automatically build Host Profiles based on your Network Discovery Policy. When you define this policy, Firepower builds these automatically.

[Diagram: Firepower Management Center – Network Discovery Policy → Managed Device → Host Profiles: Vulnerabilities, Services, Protocols, Applications, Ports, Operating Systems]
Network Discovery Policy Processing Order

Traffic Flow → Fast Path → Security Intelligence → SSL Policy → Access Control Policy → Network Discovery → Malware & File Policy / Intrusion Policy

Discovery occurs at the Network Discovery stage. If traffic does not reach this inspection point, no discovery information is captured!
Firepower Threat Defense Packet Flow
Network discovery occurs here

Enabling Network Discovery Policy

You must go in and define this policy to match your protected network.

Caution! Not defining your Network Discovery Policy can cause you to exceed your host limits!
Define By Discover And Exclude

This is how you enable Network Discovery:
• Discover – build host profile information
  • Your internal network – what you are protecting
  • Note: Prior to 6.x this was on by default
• Exclude – don't build host profile information
  • Load balancers, NAT devices, anything you don't want to build host profiles on
Network Discovery Discover Rule

Notice only private IP spaces? This has been changed to represent only internal IP addresses. By default it is all IPs, and you need to change this! Otherwise you will build host profiles for public hosts.
ACP Allow Rule Mistakes

Access Control Policy
URL Filtering

Category and Reputation filtering – URL Filtering license required!
URL Filtering – How does it work?

URL Database
• Ensure you have a URL Filtering license and enable it in the FMC. This forces the FMC to query the Firepower cloud every 30 minutes for updates.
• The URL database on the Managed Device may not have all URLs. This is based on the available memory. Select the option to query the cloud for unknown URLs.
URL Filtering with SSL

URL Filtering For Well-Known Sites
Consider not decrypting well-known sites
URL Filtering To Prevent Decrypting Financial
Do not decrypt Financial websites

URL Filtering For Uncategorized Websites
Decrypt all uncategorized websites

URL Filtering with Security Inspections

Uncategorized websites are suspicious – consider inspecting for malware. Don't forget to also inspect with an Intrusion Policy!
Easy mistake to make!

Do not overlook assigning an IPS policy to ALLOW rules. Allow rules should be assigned to an Intrusion Policy.

[Screenshot: an Allow rule with no Intrusion Policy assigned!]
Interactive Block Mapping to IPS Policy

IPS assignments also apply to Interactive Block rules. Interactive Block rules should be assigned to an Intrusion Policy.

[Screenshot: an Interactive Block rule with no Intrusion Policy assigned!]
Identifying Traffic to Not Inspect

Trust and Fast Path

Trust in your Access Control Policy. Trusting of traffic occurs in two places in FTD! Prefilter 'trust' is always fast-pathed.
Understanding Trust
• In Firepower Trust means do not inspect

• You will want to Trust certain types of traffic, especially:

• Voice Traffic
• Backup Traffic
• Scanner Traffic

Why Trust?
• Certain types of traffic can cause issues in Firepower:
  • Example 1 – Backup traffic (a type of 'elephant flow'). Any sort of flow that is large and continuous – we call this an elephant flow, and these can cause performance issues.
  • Example 2 – Scanner traffic (from a network scanner or pen test). Scanner traffic can trigger large numbers of false positive events.
Fast Path

Try to 'Fast Path' trusted traffic. You can also block at this point in the flow on certain platforms.

Fast-pathed traffic is trusted BEFORE all security inspections and SSL decryption.
Fast Pathing on Different Platforms

Fast path is done differently on each platform:
• Cisco ASA with FirePOWER Services
• FirePOWER 7000/8000
• Firepower Threat Defense (2100/4100/9300, FTDv, ASA 5500-X reimaged as FTD)
Fast Path on the ASA with FirePOWER Services

Fast Path is done on the ASA, not in FirePOWER.
Fast Path on the 8000 Series Appliance

Configured under the Devices tab. However, Cisco recommends fast pathing in your Access Control Policy instead.
Rule Promotion in FirePOWER 7000/8000 Series

BLOCK and TRUST ACP rules can be promoted, which will allow Firepower to process the traffic in hardware.

Traffic identified by: VLAN, Security Zone, IP, Port
How to Promote Rules on the 7000/8000 Series

They must:
1. Have a Trust or Block action
2. Contain only IP, Port, VLAN, Security Zone conditions
3. Be placed above all other rules

Example: the first two rules will be promoted.

You will not see this in the GUI, as this is an automatic system process.
Promoted Rule Processing
The rules are promoted and processed here once you deploy the Policy

In the GUI, however, you will still see the rules in your ACP
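The three promotion conditions above can be checked against a rule list before deploying. The script below is an added illustration of that check, not Firepower code; the rule names and conditions in EXAMPLE_ACP are constructed, and the condition-type names ("zones", "networks", "vlan_tags", "ports") are this script's own labels for the four promotable criteria.

```python
"""Which ACP rules a 7000/8000 series device would promote.

Added illustration of the three promotion conditions listed above; this is not
Firepower code, and the rule names and conditions below are constructed.
"""
from dataclasses import dataclass, field

# Conditions the hardware fast path can evaluate (slide: IP, Port, VLAN, Security Zone).
PROMOTABLE_CONDITIONS = {"zones", "networks", "vlan_tags", "ports"}
PROMOTABLE_ACTIONS = {"TRUST", "BLOCK"}


@dataclass
class AcpRule:
    name: str
    action: str
    conditions: dict = field(default_factory=dict)  # condition type -> values


def is_promotable(rule: AcpRule) -> bool:
    """Conditions 1 and 2: Trust or Block action, and only IP/port/VLAN/zone criteria."""
    if rule.action.upper() not in PROMOTABLE_ACTIONS:
        return False
    return set(rule.conditions) <= PROMOTABLE_CONDITIONS


def promoted_rules(acp: list) -> list:
    """Condition 3: only the leading run of promotable rules is promoted. The
    first rule that cannot be promoted stops the scan, because promoting a
    later rule past it would change the order the traffic is evaluated in."""
    promoted = []
    for rule in acp:
        if not is_promotable(rule):
            break
        promoted.append(rule.name)
    return promoted


# Constructed policy: the first two rules are promoted. "Trust Voice" qualifies
# on its own but is not promoted because an Allow rule sits above it; moving it
# above "Allow Web" would promote it too.
EXAMPLE_ACP = [
    AcpRule("Trust Backups", "TRUST", {"networks": ["10.50.0.0/24"], "ports": ["TCP/10000"]}),
    AcpRule("Block Guest VLAN to DC", "BLOCK", {"vlan_tags": [300], "zones": ["DC"]}),
    AcpRule("Allow Web", "ALLOW", {"applications": ["HTTP"]}),
    AcpRule("Trust Voice", "TRUST", {"ports": ["UDP/5060"]}),
    AcpRule("Block Bad URLs", "BLOCK", {"urls": ["Malware Sites"]}),  # URL condition: never promotable
]

if __name__ == "__main__":
    print(promoted_rules(EXAMPLE_ACP))
    print(promoted_rules([EXAMPLE_ACP[3]] + EXAMPLE_ACP))  # Trust Voice moved to the top
```

The second call shows the practical fix: reordering the policy so that every Trust/Block rule with only network conditions sits above the first Allow rule.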

Fast Pathing with Firepower Threat Defense
FTD has a Prefilter Policy, which uses
limited outer-header criteria to fast
path traffic

You can Trust and Block here, using the same network-based
conditions. In addition, you can also log the traffic.

Prefilter Policy in FTD

Prefilter Policy in the GUI: the Fastpath action is used for trusting.

Same traffic conditions:
• IP
• Port
• VLAN
• Security Zone
Firepower Threat Defense Packet Flow

Prefiltering occurs here
Connection Events
Managing Connection Events

You manage the bulk of your Connection Events in your Access Control Policy

Connection Event Logging

In Firepower, a 'Connection Event' records a connection (flow) seen going through the device. Event data is sent from the Managed Device to the FMC, where all events are stored; 'Event Viewer' refers to your FMC.

All events on the FMC are first in, first out!
Logging Options

Should I log at the beginning or the end?

Cisco recommends logging at the end of the connection. Log at the beginning only if you are tying this event to an alert! Logging at beginning and end will cause two connection events!
Automatic Connection Event Logging

Security events will automatically log connection events! With logging off, if the packet triggers any security event, an end-of-connection event is automatically logged!
eStreamer

eStreamer is Firepower's proprietary tool for streaming events to a SIEM. The FMC uses eStreamer; the 7000/8000 series also lets you use eStreamer to stream events directly to a SIEM. Note you can also send connection events directly to a syslog server.
You Will Need to Tune Connection Events

In most environments you do not have the option to log every connection. WHY? Logging all connections can result in performance issues on your FMC and unrealistic retention times.

For all security events, the system will automatically log a connection event at the end of the connection even when you have logging off!
Tune Using an Access Control Policy Rule

Use your ACP rules to tune connection logging. Every ACP rule allows you to specify logging options! To turn logging off simply select no options under the Logging tab.

Choose 'Log at End' unless you are tying this to an event you wish to see immediately.
DNS No Logging Rule Example

DNS request rule to reduce logging: connection logging is off. Notice you are still sending this traffic through SNORT (your Intrusion Policy).
Database Settings in Your FMC

You can adjust the retention amount in your FMC. Under System > Configuration > Database you can adjust how many events you retain…

Caution! It is not recommended to change these settings unless recommended by support!
Malware and File Policy
Strategies
Malware and File Policy Inspection

Malware and File Inspection are done here

Mapping ACP to Your Malware and File Policy

Map your Access Control Policy rules to the Malware/File Policy; the application protocols to inspect are selected in the Malware/File Policy.

[Screenshot: ACP rule editor – the Inspection tab assigns the Intrusion Policy and the Malware/File Policy]
Malware Blocking Behavior

Test the behavior when blocking malware in email protocols. The way Firepower blocks malware is by dropping the last packet, which may not play nicely with email servers.
File Storage

Don't be overzealous with storing files. This stores the file on the Managed Device, and selecting all might overburden the device. The 8000, 2100/4100/9300 all have an optional Malware Storage Pack for this!

Consider instead storing only Unknown files so you can submit them later for analysis.
Misc. Firepower SNORT Settings

SNORT Misc Settings
A few settings are configurable to deal with potential latency issues within SNORT. SNORT begins and ends at the DAQ.
Automatic Application Bypass (AAB)

Allows you to catch (and automatically resolve) hung SNORT processes.
• Available in all Classic Device versions
• Available in FTD effective 6.2.1
Automatic Application Bypass Settings

Disabled by default.
• Per-packet timer
• SNORT core file is collected
• Process manager will restart SNORT

Note: Do not change the Bypass threshold unless recommended by TAC!
Automatic Application Bypass Alerting

The Health Monitor can alert you to AAB events. Remember the Health Modules run at 5-minute intervals.
SNORT Performance Thresholds

Firepower has two threshold settings, found in the Access Control Policy Advanced tab!
• Latency-Based: prevents latency for packets going through SNORT
• Rule-Based: prevents SNORT rules from causing latency; disables and re-enables SNORT rules automatically when they are causing issues

Note: These are set by default and Cisco does not recommend you change these in most environments.
Latency Threshold Alerting

By default you are not alerted when these are triggered. Consider alerting on these – select 'Generate Events' to generate an Intrusion Event for:
• Packet-latency time exceeded
• Rule disabled
• Rule re-enabled

You can also set these events to drop.
Intrusion Policies
Intrusion Policies Manage Your SNORT Rules

SNORT rules get evaluated here. This is your Intrusion Policy!

Understanding Base Policies

Base Policies are provided for you by Cisco Talos. These are also updated for you regularly during Rule Updates. Great starting policy!

Base Policies (increasing protection level):
• Connectivity over Security – ~1,000 rules enabled
• Balanced Security and Connectivity – ~8,000 rules enabled
• Security over Connectivity – ~12,000 rules enabled
Intrusion Policy Key Points to Remember

For each Managed Device, you can have only one ACP; however, you can have multiple Intrusion Policies, and each Intrusion Policy can use its own Base Policy.

The more rules enabled, the more performance is impacted, but the more security you have.
Less Common Base Intrusion Policies

• Maximum Detection is not typical for production networks
• No Rules Active does not give you a starting point based on the importance of the rules

Caution! Be careful with Maximum Detection. Cisco highly recommends Security over Connectivity instead!
Firepower Recommendations!

Maps your Host Profile CVEs to the CVEs in the Snort rules automatically!

• Disable: no CVE seen in Host Profiles? Turns the rule with this CVE OFF.
• Enable: CVE seen in a host profile but the rule is off? Turns the rule with this CVE ON.
Firepower Recommendations Gone Wrong

Scenario 1:
• Network Discovery ON, but left at Any/Any for Discovery (the default)
• Remember this MUST define only your protected network, and all of the network spaces you are protecting
• What would happen? It would enable rules for vulnerabilities that are not part of your network, and would likely oversubscribe the box

Scenario 2:
• Network Discovery ON, but host profiles are not identifying host information correctly because of asymmetric routing
• If Firepower does not see all parts of the conversation, it cannot properly identify host data, which makes this feature completely inaccurate
Firepower Recommendations Tips

Make sure this matches your Network Discovery!

Generate first, then spend time looking at what it recommended by getting familiar with your host profiles! Do not rush its initial setup.

This can work against you if you do not have accurate host data. Do not enable unless you have time to ensure your host data looks good.
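The enable/disable mapping and "Scenario 1" above can be reproduced in a few lines. The script below is an added illustration, not Firepower's own implementation: it reads the CVE references out of rule bodies, collects the CVEs of host profiles that fall inside the discovery networks, and recommends a state per rule. SID 1024 is the newdsn.exe rule quoted later on this page; SIDs 2001 and 2002, CVE-2099-0001 and the host profiles are constructed, and leaving rules without a CVE reference "unchanged" is this model's assumption.

```python
"""Firepower Recommendations in miniature: host-profile CVEs decide Snort rule states.

Added illustration of the enable/disable logic and of "Scenario 1" above; this
is not Firepower's implementation. The host profiles, the discovery networks
and the rules other than SID 1024 are constructed for the example.
"""
import ipaddress
import re

CVE_REF = re.compile(r"reference:cve,(?:cve-)?(\d{4}-\d+)", re.IGNORECASE)

# Rule text keyed by SID. SID 1024 is the newdsn.exe rule quoted on this page;
# SIDs 2001 and 2002 are hypothetical, and CVE-2099-0001 is a placeholder ID.
RULES = {
    1024: 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
          '(msg:"WEB-IIS newdsn.exe access"; reference:cve,1999-0191; sid:1024; rev:5;)',
    2001: 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
          '(msg:"HYPOTHETICAL ssh bug"; reference:cve,2099-0001; sid:2001; rev:1;)',
    2002: 'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
          '(msg:"HYPOTHETICAL rule with no CVE reference"; sid:2002; rev:1;)',
}

# Host profiles as network discovery would build them: host -> CVEs it is mapped to.
HOST_PROFILES = {
    "10.2.2.3": {"1999-0191"},      # internal IIS server
    "10.2.2.10": set(),             # internal host, nothing vulnerable known
    "203.0.113.7": {"2099-0001"},   # public host the sensor happened to see (TEST-NET-3)
}


def rule_cves(rule_text: str) -> set:
    """CVE IDs referenced in a rule body, normalised to 'YYYY-NNNN'."""
    return set(CVE_REF.findall(rule_text))


def recommend(rules: dict, host_profiles: dict, discovery_networks: list) -> dict:
    """Return 'enable', 'disable' or 'unchanged' per SID.

    Only hosts inside the discovery networks contribute CVEs (the discovery
    policy scopes which host profiles exist). Rules with no CVE reference carry
    nothing to match on and are left alone; that last point is an assumption
    of this model, not a statement about Firepower.
    """
    nets = [ipaddress.ip_network(n) for n in discovery_networks]
    seen = set()
    for host, cves in host_profiles.items():
        if any(ipaddress.ip_address(host) in net for net in nets):
            seen |= cves

    states = {}
    for sid, text in rules.items():
        cves = rule_cves(text)
        if not cves:
            states[sid] = "unchanged"
        elif cves & seen:
            states[sid] = "enable"
        else:
            states[sid] = "disable"
    return states


if __name__ == "__main__":
    # Discovery scoped to the protected network.
    print(recommend(RULES, HOST_PROFILES, ["10.0.0.0/8"]))
    # Scenario 1: discovery left at any/any. The public host's profile now
    # enables a rule for a vulnerability that is not in your network.
    print(recommend(RULES, HOST_PROFILES, ["0.0.0.0/0"]))
```

With discovery scoped to 10.0.0.0/8 only SID 1024 is enabled; with discovery at any/any the public host's CVE also enables SID 2001, which is exactly how an unscoped discovery policy inflates the rule set.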
Variables
Variables Used in your Intrusion Policy

Assigned to Intrusion Policies in your Access Control Policy Rule

Variables in your SNORT Rules

Rule Header
The rule header determines what traffic the enabled rule will run against. The rule body is where SNORT inspects the traffic.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:cve,cve-1999-0191; classtype:web-application-activity; sid:1024; rev:5;)

So, this rule will only run against a packet coming from $EXTERNAL_NET destined to $HTTP_SERVERS.
Variables in the Flow

1) Packet matches the ACP rule
2) It's an 'Allow' rule, and sends the traffic to the specified Intrusion Policy
3) The Variable Set is also assigned here, so the variable definitions assigned in the 'Default Set' Variable Set will be used to match against the rules
4) The SNORT rule header's variable definitions are used to determine if the rule is run against the packet
Your Default-Set
In your Objects, you will find your ‘Default-Set’ Variable set. This is what is used for all
variable definitions unless otherwise specified.

HOME_NET Variable Tuning

You will need to ensure you have defined HOME_NET. Server definitions reference HOME_NET. Notice by default HOME_NET is set to 'any'.
How to Define HOME_NET Variable

Define your HOME_NET as all RFC1918 private IP spaces and any public spaces you own.

Caution! If you choose to define server variables, do so with extreme caution, as missing a server network space will result in no inspection by SNORT rules referencing that variable.
EXTERNAL_NET Variable
EXTERNAL_NET is
defined as ‘any’ by
default

Defining EXTERNAL_NET

It is typical to define this as !HOME_NET, which excludes these networks, but doing so can result in missing attacks!

Why? Consider this rule header:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

If it is an internal-to-internal attack, the rule will not be run against that traffic!
Consider Two Definitions of EXTERNAL_NET

One variable set will be for all internally sourced traffic; the other variable set will be for external-to-internal traffic.
Externally Sourced Traffic EXTERNAL_NET
Security Zones to identify externally sourced traffic

The EXTERNAL_NET
definition is excluding
HOME_NET

Internally Sourced Traffic EXTERNAL_NET
Security Zones to identify internally-sourced traffic

The EXTERNAL_NET
definition is left to ANY for the
Default Set

Advanced Variable Tuning Caution

Please note that incorrectly defining or mapping your variables can have the effect of no inspection for certain rules and/or networks.

In other words, do not make mistakes here!
Tuning False Positives

False Positive Intrusion Events
Most false positives occur here… with SNORT rules firing on traffic that is determined not to be a security concern.
False Positive Tuning

SNORT rules can generate false positives. Remember an Intrusion Event comes from SNORT, and is either a SNORT or Preprocessor rule.

So what is a false positive? When we have an intrusion event that is benign.
False Positive Example

Consider this example: a server at 10.2.2.3 has an in-house application triggering a SNORT rule that drops the packet and breaks the application. You can't change how the application operates, so you need to address the rule that is breaking the application.

[Diagram: Internet → SNORT drops the packet because it matched the rule → 10.2.2.3]
False Positive Option 1

Suppress or Threshold the event.

The Intrusion Event is generated and sent to the FMC when the SNORT rule fires. If you suppress, the event is never generated, but the packet is still dropped! This does not fix the issue.
False Positive Option 2

Set the rule to Generate Events.
1st Select 'Rule State'
2nd change to 'Generate Events'

This fixes the issue with the application, but now we have turned off the protection the rule gave us for all the other traffic!
False Positive Option 3
Disable the Rule
Unless this rule does not apply to your environment, this is clearly not a viable option

False Positive Option 4

Use your ACP and a new Intrusion Policy to fix this. Here you see a rule written just for the traffic destined to that server. You create a second Intrusion Policy with that rule disabled.

Technically this solution would work, but it is not what Cisco recommends! A big solution to a small problem.
False Positive Option 5

Rewrite the SNORT rule.

This does not fix the issue, since the rule is written correctly in this scenario. It is not the rule's fault! If you rewrote the rule, it would no longer work as intended, and would no longer be protecting your environment.
False Positive Option 6

Write a Pass Rule.

A Pass Rule is a rule designed to match on specific traffic conditions that, when met, pass the respective packet through SNORT. Pass rules are processed first!

[Diagram: Intrusion Rules → Pass Rules → Intrusion Rules]

A Pass rule can be written to identify just the traffic destined to that server, and if it matches the rule, it passes the traffic through SNORT without being inspected by the other rule that was dropping the packet.

In this example, a Pass Rule is the solution!
Steps to Writing a Pass Rule

Identify the SNORT rule causing the issue.

The objective: prevent the rule from dropping traffic for just your one host, while leaving it enabled and set to drop for all the remaining hosts.

Identify the rule: in our example, we know the rule causing the issue is SID 40134.
Identify the Rule Header
The rule header is what we change in writing a pass rule

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any

Identify the Rule Header Modification Needed
The header destination IP is what needs to be changed in our example
Change the destination to the IP or subnet you wish to ‘pass’

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 10.2.2.3 any

Locate the Rule in your FMC
Remember all your SNORT rules are in your FMC
Click ‘edit’

SID is 40134

Change the Rule Header to Match as Required

Changing the action to pass puts the rule in the pass area of SNORT, and it will be processed before any alert rules!

1st change the Action to Pass
2nd change the required rule header value
3rd click 'Save As New'
Save the New Rule

You just wrote a new SNORT rule!

You cannot modify existing SNORT rules. What you did was create a new rule. All imported and created rules in the system have a SID of 1,000,000+.
Find The Rule in Your Intrusion Policy
All imported and created
rules are stored in Local
Rules

Set The Rule to Generate Events
1’st Select ‘Rule State’

2’nd change to ‘Generate Events’

Optionally Add a Suppression

If you wish the pass rule to be silent, suppress your new rule.
Use a New Variable For Frequent Changes

You can use a custom variable in the pass rule instead. This allows you to quickly add new hosts to the PASS rule.
Commit Changes and Deploy
Once deployed traffic destined to that IP that matches the rule will be
processed by the Pass rule, and will not match on the unmodified rule!

All Done!

Commit your changes and deploy!

Pass Rule Logic

[Diagram: Intrusion Rules → Pass Rules → Alert Rules]

Traffic to 10.2.2.3 triggers SID 1,000,000 (the pass rule); no other rules are evaluated. All other traffic is evaluated against the alert rules.
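Both the EXTERNAL_NET discussion earlier (an internal-to-internal attack is missed when EXTERNAL_NET is !$HOME_NET) and the pass rule logic above come down to the same two mechanisms: how a rule header is evaluated against a variable set, and that a matching pass rule ends evaluation before any alert rule runs. The script below is an added, simplified model of both, not Snort's or Firepower's code. The two variable sets, the rule bodies, the port lists, SID 1000000 for the local pass rule and the sample packets are constructed; the SID 40134 header is the one shown on the slides, and its body is a placeholder.

```python
"""Rule headers, variable sets and pass rules, modelled in a few functions.

Added example for the "Defining EXTERNAL_NET" slide and the pass rule
walkthrough. Simplified model of Snort header matching and rule ordering, not
Snort's own code; variable sets, rule bodies and packets are constructed.
"""
import ipaddress
import re

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")


def parse(rule: str) -> dict:
    action, proto, src, sport, dst, dport = HEADER.match(rule).groups()
    sid = int(re.search(r"sid:(\d+)", rule).group(1))
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, sid=sid)


def resolve_net(token: str, variables: dict) -> tuple:
    """Expand an address token to (negated, networks); networks=None means 'any'.
    Handles a literal, a [list], $VAR, and a leading '!' (also inside the variable's value)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        inner_negated, nets = resolve_net(variables[token[1:]], variables)
        return negated != inner_negated, nets
    if token == "any":
        return negated, None
    return negated, [ipaddress.ip_network(n) for n in token.strip("[]").split(",")]


def net_matches(ip: str, token: str, variables: dict) -> bool:
    negated, nets = resolve_net(token, variables)
    if nets is None:
        return True
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated


def port_matches(port: int, token: str, variables: dict) -> bool:
    if token.startswith("$"):
        token = variables[token[1:]]
    if token == "any":
        return True
    return port in {int(p) for p in token.strip("[]").split(",")}


def header_matches(rule: dict, pkt: dict, variables: dict) -> bool:
    return (rule["proto"] == pkt["proto"]
            and net_matches(pkt["src"], rule["src"], variables)
            and port_matches(pkt["sport"], rule["sport"], variables)
            and net_matches(pkt["dst"], rule["dst"], variables)
            and port_matches(pkt["dport"], rule["dport"], variables))


def evaluate(rules: list, pkt: dict, variables: dict) -> list:
    """Pass rules are processed first: the first matching pass rule ends
    evaluation and nothing else fires. Otherwise every other rule whose
    header matches fires. Returns a list of (action, sid)."""
    parsed = [parse(r) for r in rules]
    for rule in parsed:
        if rule["action"] == "pass" and header_matches(rule, pkt, variables):
            return [("pass", rule["sid"])]
    return [(r["action"], r["sid"]) for r in parsed
            if r["action"] != "pass" and header_matches(r, pkt, variables)]


# Two variable sets, as the "Consider Two Definitions of EXTERNAL_NET" slide suggests.
HOME = "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
EXTERNAL_SET = {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET", "HTTP_SERVERS": "$HOME_NET",
                "HTTP_PORTS": "[80,8080]", "FILE_DATA_PORTS": "[80,110,143]"}  # port lists assumed
DEFAULT_SET = dict(EXTERNAL_SET, EXTERNAL_NET="any")  # for internally sourced traffic

RULE_1024 = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; sid:1024;)'
RULE_40134 = 'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"placeholder body"; sid:40134;)'
PASS_RULE = 'pass tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 10.2.2.3 any (msg:"pass for in-house app"; sid:1000000;)'

# Constructed packets (203.0.113.7 is a documentation address).
INSIDE_TO_INSIDE = dict(proto="tcp", src="192.168.5.20", sport=51000, dst="10.2.2.9", dport=80)
OUTSIDE_TO_INSIDE = dict(proto="tcp", src="203.0.113.7", sport=51000, dst="10.2.2.9", dport=80)
FILE_TO_APP_SERVER = dict(proto="tcp", src="203.0.113.7", sport=80, dst="10.2.2.3", dport=40000)
FILE_TO_OTHER_HOST = dict(proto="tcp", src="203.0.113.7", sport=80, dst="10.2.2.9", dport=40000)

if __name__ == "__main__":
    print(evaluate([RULE_1024], INSIDE_TO_INSIDE, EXTERNAL_SET))   # [] : internal attack missed
    print(evaluate([RULE_1024], INSIDE_TO_INSIDE, DEFAULT_SET))    # [('alert', 1024)]
    print(evaluate([RULE_40134, PASS_RULE], FILE_TO_APP_SERVER, EXTERNAL_SET))  # pass wins
    print(evaluate([RULE_40134, PASS_RULE], FILE_TO_OTHER_HOST, EXTERNAL_SET))  # 40134 still fires
```

The first two calls are the EXTERNAL_NET trap: the same rule and the same internal-to-internal packet, and only the variable set decides whether SNORT runs the rule at all. The last two show the pass rule doing exactly what the walkthrough intends: it wins for 10.2.2.3 regardless of where it sits in the list, while every other host is still covered by SID 40134.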
Where To Go Next
Support Documentation
Cisco’s Support Page

Find the Appliances You Have

Here is an example of the documents available for the 9300 series appliance.
Download the Correct FMC User Guide

The User Guide is called the 'Configuration Guide'. Download the guide that matches the version you are currently using!

This is officially the FMC user guide, but it really is your user guide for everything Firepower, including the devices you are managing!
Understand Your Managed Devices

'Classic' refers to the 7000/8000, NGIPSv, and the ASA/FP module.

'Firepower Threat Defense' refers to FTD, which would be the 2100/4100/9000, FTDv, and ASA 5500-X (if reimaged as FTD).
Product Updates Perspective

Remember there are two software types available!

Classic: 5.4, 6.0, 6.0.1, 6.1, 6.2, 6.2.1, 6.2.2, 6.2.3
FTD: 6.0, 6.0.1, 6.1, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.3

FTD software updates have significant new features available since it is bringing over ASA features!
Do you have the winning number?

Note… this book is 30% off this week at the Cisco Store!
We Offer Cisco Firepower Training!
Official Cisco Training for Firepower, SNORT
Rule writing and AMP for Endpoints! Offered
In-Person and as a Virtual Class.

Just ask me for more information!

Link to trainings: https://learninglocator.cloudapps.cisco.com – and search for firepower!

Complete your online session survey

• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
Continue Your Education

• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Questions?

Thank you
