Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Mike_Jensen
Collaborator

Using different threat prevention profiles

I am in a situation where the only threat prevention blade my gateways are running is IPS.  A custom profile is being used that has had it's IPS protections tweaked over many years and I can't just abandon it and start using another profile like "Optimized".

I need to enable Anti-Bot and Anti-Virus and I want to do so with the "Optimized" profile.

I modified my threat prevention policy so that rule 1 has the "Optimized" profile and only Anti-Bot and Anti-Virus turned on.  Rule 2 has only IPS turned on and is using "My Custom IPS" profile.

My thought was that traffic would hit rule 1 and go through ABOT and AV and then continue on to rule 2 for IPS but it doesn't, it stops at rule 1 and this basically turns off IPS for me.

Is there a way I can use different profiles for different blades?

Or if I simply alter the setting(s) of "My Custom IPS" profile by enabling Anti-Bot and Anti-Virus for it and changing the settings to mirror the "Optimized" profile?  For example I would change the "Performance Impact" in "My Custom IPS" to "Medium or Lower" to match.

That would probably change the settings on some of my IPS protections but at least I can go look ahead of time and see which ones may be changed when I change settings.

Are the only differences with the out of box profiles the settings such as performance impact, severity, high confidence, etc, or is there more behind the scenes that I can't see?

I have tested the above using both 80.30 and 80.40 with the same results.

0 Kudos
4 Replies
Marcel_Gramalla
Advisor

As in the Access Control rulebase the Threat Prevention also can only have one hit. You can of course build rules with different protected scopes or source/destination. You can just enable additional blades in the profile with the corresponding severity etc. and there are no differences between the out of the box profiles and newly created one. You also cannot edit those profiles, you can only clone them. 

You can however clone your existing profile and keep all custom IPS protections. You would end with two profiles: your "old" IPS only profile and the new profile with every feature you like with your existing IPS protections:

 

ips.png

0 Kudos
Mike_Jensen
Collaborator

Hi Marcel,

When I clone my existing profile and keep my custom IPS protections the clone that is generated has the performance impact set to high or low just like the original.  Are you suggesting that I would change the cloned new one manually to medium or lower?

0 Kudos
Marcel_Gramalla
Advisor

Yes, that's what I would do. As I said there is no hidden magic behind the out of the box profiles so just changing those parameters will do the trick.

0 Kudos
Timothy_Hall
Champion
Champion

A little-known feature added in R80 is the ability to have more than one Threat Prevention policy.  All Threat Prevention policies are evaluated simultaneously, one rule match is found from each, and the most stringent action is applied.  What I would do to minimize the impact on your existing configuration is leave your existing TP layer with My Custom IPS only alone, then add a second TP policy layer that references your Optimized AV/ABOT profile.  This way the existing IPS implementation is not touched, and any problems that suddenly appear are definitely a result of the new AV/ABOT profile and second TP policy. 

Here is an excerpt from my 2021 IPS/AV/ABOT Immersion Video Course that mentions this exact topic and shows an example:

multTP.png

 

"Max Capture: Know Your Packets" Self-Guided Video Series
available at http://www.maxpowerfirewalls.com