Which of the following statements are true regarding the FirePOWER inline normalization preprocessor
engine? (Select 2 choices.)

A.
Inline normalization can process IPv4 and ICMPv4 traffic but not IPv6 traffic.

B.
Inline normalization can process IPv4 and IPv6 traffic but not ICMPv4 traffic.

C.
Inline normalization cannot detect TCP SYN flood attacks.

D.
Inline normalization cannot detect TCP session hijacking attacks.

E.
Inline normalization takes place immediately before decoding by the packet decoder.

Explanation:
The FirePOWER inline normalization preprocessor engine cannot detect Transmission Control Protocol (TCP)
SYN flood attacks or session hijacking attacks. The inline normalization preprocessor can be used by a
FirePOWER Intrusion Prevention System (IPS) that is deployed in an inline configuration. Packet normalization
can reduce the chances of malicious traffic evading detection. The inline normalization process takes place
immediately after the IPS packet decoder decodes the packet, which ensures that packets being analyzed by
the IPS are identical to the packets that will be assembled by the target host. The inline normalization
preprocessor can perform normalizations on various components of Internet Control Message Protocol version
4 (ICMPv4), IP version 4 (IPv4), IPv6, and TCP packets. For example, it can reset the timetolive (TTL) value on
a packet if it detects a TTL value outside of a userdefined range.
The FirePOWER ratebased prevention preprocessor engine, not the inline normalization detection
preprocessor engine, can detect SYN flood traffic. The ratebased prevention preprocessor engine detects
traffic abnormalities based on the frequency of certain types of traffic. The following traffic patterns can trigger
ratebased attack prevention:
– Traffic containing excessive incomplete TCP connections
– Traffic containing excessive complete TCP connections
– Excessive rule matches for a particular IP address or range of IP addresses
– Excessive rule matches for one particular rule regardless of IP address
The FirePOWER TCP stream preprocessor engine, not the inline normalization detection preprocessor, can
detect session hijacking attacks. The stream preprocessor assembles the packets of a TCP data stream into a
single comprehensive unit for scanning. Because the TCP stream preprocessor has access to multiple packets
in a data stream, it can analyze state information, analyze payload anomalies, and identify streambased attacks
that are not possible to identify based on singlepacket analysis.

Cisco: Configuring Transport & Network Layer Preprocessing: Normalizing Inline Traffic