Oliver_Matt
Contributor

Autonomous Threat Prevention and Core Protections / Inspection Settings

Hi all,

we've switched to the autonomous threat prevention (R81.20) and I was wondering if the "old" IPS settings still apply in any way?

Profiles created / copied from the default Profiles (No-Prevention, Basic, Optimized, Recommended_Protection and Strict) under "Custom Policy" should be completely out of business - right?

Inspection Settings (Shared Policies) are still active and "Recommend Inspection" has to be used as best practice.

But what about the Core Protections?

They only show up when I switch to the "Custom Policy" section. Since they have been activated in the older days without having IPS enabled I wonder if they are still in use after the switch to autonomous threat prevention?

Kind regards

Oliver

0 Kudos
15 Replies
Tal_Paz-Fridman
Employee

Core Protections - although shown under IPS are part of Access Control Policy and not Threat Prevention Policy.

This means they still apply:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ThreatPrevention_AdminGuide/Conten...

See section for Protection Types:

  • Core protections - These protections are included in the product and are assigned per gateway. They are part of the Access Control policy

In SmartConsole select Profiles (under Custom Policy Tools) > in the bottom pane press on link to Core Protections

 

Core Protections.png

0 Kudos
Oliver_Matt
Contributor

Ok - understood. But just to make sure: This is only for the Core Activations specified in the profile. The other profile settings (marked pink) have no impact on the autonomous threat profile?

IPS-SmartConsole.png

So it would be possible to create a profile under custom profiles with everything deactivated and only specify the needed settings for the Core Activations?

0 Kudos
Oliver_Matt
Contributor

Bump 🙂

0 Kudos
G_W_Albrecht
Legend

?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

It should not be necessary to define a Threat Prevention profile to manage the settings for the Core Protections as their settings are managed directly.
That's suggested by the tooltip in the screenshot @Tal_Paz-Fridman provided.

0 Kudos
Oliver_Matt
Contributor

OK - Got that! I filtered according to the tool tip and was able to see the Core Protections. But still one question remains:

When I view the core protections from one of the old profiles I can see actions according to the profile settings like shown here:

2025-03-25 15_45_36-Core Protections.png

 

Also when I select the Gateways section I can see a profile attached to my fw-cluster:

2025-03-25 15_47_42-Core Protections.png

So if there is no need to create a profile for the Core Protections -> Can I just delete my custom made profiles and then do what? Will then the "default action" of the Core Protection kick in? This is kind of confusing me 😞

 

0 Kudos
PhoneBoy
Admin

I will try to get a definitive answer to this question about what happens with Core Protections with ATP.

0 Kudos
Oliver_Matt
Contributor

Thank you in advance. Looking forward to the final wisdom 🙂

0 Kudos
Timothy_Hall
Legend

My guess is that since Core Protections/Activations and Inspection Settings changes are made effective by installing the Access Control policy (not the Threat Prevention policy which is fully controlled by Autonomous mode), these still operate independently even though Autonomous Threat Prevention (ATP) is enabled. This is further bolstered by the fact the Core Protections/Activations and Inspection Settings have their own completely independent profile settings, completely separate from the IPS ThreatCloud protections which are controlled by profiles specified in the Threat Prevention policy itself (which ATP takes over).

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
Oliver_Matt
Contributor

Hello @Timothy_Hall ,

my "guess" goes in the same direction. But I want to get away from guessing around ATP. Maybe @PhoneBoy has a final answer on this issue?

Kind regards
Oliver

0 Kudos
G_W_Albrecht
Legend

What do you expect to gain by deleting the custom made profiles? Could not be disk space, I think 😉 So why not just leave all as it is?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Oliver_Matt
Contributor

No - it is not about gaining disk space 🙂 It's more about getting to know what the system does. When using ATP how are the Core Protections controlled? Via one of the default (or custom) profiles under the custom policy section? If not -> what controls the settings of the Core Protections when using ATP? Seems like nobody knows the answer 🙂

0 Kudos
G_W_Albrecht
Legend

I think that this is rather confusing, too 😉 But if I look:

Screenshot 2025-03-31 153349.png

I find that Core Protections are configured according to the settings defined in IPS profile:

Screenshot 2025-03-31 154031.png

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Oliver_Matt
Contributor

Hi @G_W_Albrecht ,

looks the same on my side. When I use Autonomous Threat Prevention I specify the level of protection in the autonomous section. Please note that there are no profiles in the Autonomous policy tools (marked pink).

2025-03-31 16_06_55-fwmg02l-R81.20-SmartConsole.png
I can choose between these levels ...

2025-03-31 15_54_37-fwmg02l-R81.20-SmartConsole.png

So why in the world do I need an IPS profile (custom or default) under the CUSTOM POLICY section when I use the Autonomous Policy?

2025-03-31 16_15_23-fwmg02l-R81.20-SmartConsole.png

2025-03-31 16_12_06-fwmg02l-R81.20-SmartConsole.png

Only to set the security level of the Core Protections? This is totally confusing. And we didn't start talking about the shared Inspection Settings yet, which add an additional level of madness 🙂

0 Kudos
G_W_Albrecht
Legend

Yes, we both find that confusing. But it comes from history, a time where core protections were part of IPS, and things have evolved quickly. I hope that in the near future this will be reflected in Dashboard settings, but currently, we have to cope with these incongruencies. As we all live on the complexity of security, I am not so hard on the developers that strive to make TP better (incorporating technologies that have been bought by CP) without being able to make Dashboard settings as easy as possible at the same time.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
