What can I do here?
Use this window to create and edit profiles.
Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Profiles
The Optimized profile is activated by default, because it gives excellent security with good gateway performance.
These are the goals of the Optimized profile, and the settings that achieve those goals:
| Goal | Parameter | Setting |
|---|---|---|
| Apply settings to all the Threat Prevention Software Blades | Blades Activation | Activate the profile for IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. |
| Do not have a critical effect on performance | Performance impact | Activate protections that have a Medium or lower effect on performance. |
| Protect against important threats | Severity | Protect against threats with a severity of Medium or above. |
| Reduce false-positives | Confidence | Set to Prevent the protections with an attack confidence of Medium or High. Set to Detect the protections with a confidence of Low. |
The pane shows a list of profiles that have been created, their confidence levels, and performance impact settings. The Profiles pane contains these options:
| Option | Meaning |
|---|---|
| New | Creates a new profile. |
| View | Shows an existing profile. |
| Edit | Modifies an existing profile. |
| Clone | Creates a copy of an existing profile. |
| Delete | Deletes a profile. |
| Where Used | Shows you reference information for the profile. |
| Search | Searches for a profile. |
| Last Modified | Shows who last modified the selected profile, when and on which client. |
Performance Impact
Performance impact is how much a protection affects the gateway performance. Some activated protections might cause issues with connectivity or performance. You can set protections to not be prevented or detected if they have a higher impact on gateway performance.
There are three options:
Severity
Severity of the threat. Probable damage of a successful attack to your environment.
There are three degrees of severity:
Activation Settings
Confidence Level
The confidence level is how confident the Software Blade is that recognized attacks are actually virus or bot traffic. Some attack types are more subtle than others and legitimate traffic can sometimes be mistakenly recognized as a threat. The confidence level value shows how well protections can correctly recognize a specified attack.
You can choose from multiple pre-configured Profiles, but not change them. You can create a new profile or clone a profile. When you create a new profile, it includes all the Threat Prevention Software Blades by default.
When HTTPS inspection is enabled on the Security Gateway, Threat Emulation, Anti-Bot, and Anti-Virus can analyze the applicable HTTPS traffic.
To create a new Threat Prevention profile:
The Profiles page opens.
You can create a clone of a selected profile and then make changes. You cannot change the out-of-the-box profiles: Basic, Optimized, and Strict.
To clone a Threat Prevention profile:
The Profiles page opens.
You can change the settings of the Threat Prevention profile according to your requirements.
To edit a profile:
The Profiles page opens.
IPS lets you import and export profiles using the ips_export_import command from the CLI. Supported in Security Management Server and Multi-Domain Security Management environments, the command lets you copy profile configurations between management servers of the same version.
The exported profile is stored in a tar archive. The archive includes all protection settings but does not include:
On a Multi-Domain Server, you must use one of these methods to set the environment in which the command will run:
mdsenv to set the environment (Multi-Domain Server or specific Domain Management Server) where the IPS profile is configured.
-p <ip> to enter the IP address of the Multi-Domain Server or Domain Management Server where the IPS profile is configured.
To export an IPS profile:
ips_export_import export <profile-name> [-o <export-file-name>] [-p <ip>]
You must enter the exact name of the profile that you want to export.
The archive will be named <profile-name>.tar and is saved to your present working directory. You can also use the -o <file-name> to give the archive a specific name.
To import an IPS profile:
ips_export_import import <new-profile-name> -f <file-name> [-p <ip>]
You must enter a name for the profile and the location of the archive. You can either import an archive that is in your present working directory or enter the exact location of the archive that you want to import.
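The export and import steps above, wrapped so that a SHA-256 digest is recorded beside the exported tar archive and an archive that no longer matches it is refused at import. This is an added example, not Check Point code: the helper names are hypothetical, and it assumes the default <profile-name>.tar output in the working directory and that tar and sha256sum are available on both management servers.

```bash
#!/bin/bash
# Added example. seal_archive, verify_archive, export_profile and
# import_profile are hypothetical helper names, not Check Point commands.

# Record the archive's SHA-256 next to it as <archive>.sha256.
seal_archive() {
    local archive="$1"
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    # A truncated or non-tar file fails the listing and is never sealed.
    tar -tf "$archive" >/dev/null 2>&1 ||
        { echo "not a readable tar: $archive" >&2; return 1; }
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# Succeed only if the archive still matches the recorded digest.
verify_archive() {
    local archive="$1"
    [ -f "$archive.sha256" ] ||
        { echo "missing digest file for $archive" >&2; return 1; }
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 )
}

# Source server: export with the syntax shown above, then seal the
# default <profile-name>.tar written to the present working directory.
export_profile() {
    local profile="$1"
    ips_export_import export "$profile" && seal_archive "./$profile.tar"
}

# Destination server: import only after the digest check passes.
import_profile() {
    local new_name="$1" archive="$2"
    verify_archive "$archive" ||
        { echo "digest mismatch, refusing to import $archive" >&2; return 1; }
    ips_export_import import "$new_name" -f "$archive"
}
```

Move the .sha256 file over a separate channel from the archive if the goal is to detect tampering rather than a damaged copy.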
You can delete a profile, but you cannot delete the default Threat Prevention profiles.
To delete a profile:
The Profiles page opens.
A window opens and shows a confirmation message.
If the profile is used by another object, you cannot delete it. The error message is shown in the Tasks window.
To show the objects that use a profile:
The Summary
The Where Used window opens and shows the profile.
You can show the Audit log and see changes that were made to a Threat Prevention profile.
To show the Audit log for a Threat Prevention profile:
The search results are filtered to Threat Prevention profiles.