Create a Post
Showing results for 
Search instead for 
Did you mean: 

IPS protection track and approval process


Could you suggest the best way to setup an approval process for IPS protections and have a record of time and date when s specific protection was enabled.

Thanks in advance.


0 Kudos
1 Reply

This is really a Threat Prevention‌ question. 

For a fully enforced "approval process" we would need functionality that's not currently present in the product.

You can find a partial process here: Re: Will (Smart)Workflow come back?

In terms of tracking, there's really two things you have to track:

  • When a protection was modified
  • When the Threat Prevention policy was installed (Access Policy for pre-R80 gateways)

This will appear in the Audit Logs.

For example, my gateways auto-update IPS signatures nightly, so you will see in the Audit Logs that protections got added and that install policies happened. 

I also, for demonstration purposes, activated a protection that wasn't previously activated.

Here's the log entry that was created.

Unfortunately, it's not obvious from looking at this what protection I enabled here.

It's obvious what profile it was modified on (e.g. Profile name).

The Protection name listed is an internal one and not the one you see in SmartConsole.

To find out what protection was actually modified, you have to look at the "Performed On" field.

You'll notice there are two UIDs separated by an underscore:

  • First one is the Threat Prevention profile being modified (which is already obvious)
  • Second one is the IPS Protection that was actually modified

Using show object in the API, I can see what protection was modified:

There is clearly some room for improvement here.