Welcome to IE-LAB!

Generic filters
Generic filters

Flexible Packet Matching (FPM)

  • FPM Introduction:

FPM is a next-generation access control matching tool that provides more detailed and custom packet filtering capabilities.

FPM allows users to create header, load, or all of their own stateless packages, And you can define multiple behaviors for a policy, such as drop, log, or send an ICMP unreachable message, to immediately filter for new viruses, worms, and network attacks.   

Can be used to analyze protocols in place of traditional ACL for filtering the infrastructure of specific malicious traffic

  • FPM Limitations:   

FPM does not mitigate network attacks because mitigation attacks require state packet classification and FPM is stateless.

So it can’t track the port number of the auto-negotiation controlled by the protocol. If you need to use FPM technology, you must manually define the port number.

FPM cannot perform fragmentation of IP packets or reassembly of TCP streams.

FPM detection is only valid for IPv4 unicast packets.              

FPM cannot use IP options to classify packets.

FPM does not support the detection of multicast packets.

FPM does not support tunnel interfaces and MPLS interfaces.

FPM cannot be configured on a FlexWAN interface card.

The FPM strategy does not support mapping to the control plane.

  • the filtering strategy needs to be defined by the following steps:   
  1. Load the PHDF file (used to match the traffic to predefined protocols such as IP, TCP, UDP, etc.)
  2. Define type maps and protocol stacks (to classify the streams that need to be checked)
  3. Define the strategy (used to act on the flow)
  4. Apply this strategy on the interface.
  • FPM call method:   
  1. The protocol header is defined in a separate file. The PHDF file is used to match the protocol of the packet. The PHDF file defines the content of the entire protocol by using the XML language. The user can also define his own PHDF file by writing the XML language.

The file can be found online


  1. Call directly based on the length or offset of the head in the traffic
  2. Combine the above two methods

For more articles you can follow us on:

error: Content is protected !!
× How can I help you?