bbmcgee
Explorer

Running Profile Cleanup on Threat Prevention profiles cloned from Optimized

I am starting to work on Threat Prevention in an environment with many years of history updating the SMS and Gateways from R77 to R80+. Everything is now R80+.

There are several Threat Prevention profiles cloned from Optimized applied to the shared IPS layers as well as Threat Prevention under Custom Policy. I can't risk making potentially large scale changes, and need to take a step back and work with a single gateway and a "clean" Optimized profile.

I believe the profiles currently in use were cloned AFTER changes to the default Optimized profile. Many IPS Protections were changed from the default action for the Optimized profile, General Policy settings for the profile were changed in various ways and changed back, IPS Updates exceptions, etc. I've spent days looking at this and it's next to impossible to make sense of it, and even more daunting to think about making changes without breaking all the things.

I want to run the "profile cleanup" action to start with a clean/baseline clone of the default Optimized profile. It's not practical to run this against the current Optimized profile because that is assigned to several gateways and too big of a blast radius. If I clone Optimized again and clean up the cloned profile, will it reset to the default Optimized settings, IPS Protection activations, etc., or will it only reset to the point in time it was cloned?

If this works, I plan incremental steps to create similar clones of Optimized for each gateway and migrate from the shared IPS layer to Threat Prevention for specific Protected Scopes assigned to the cloned profiles.

Thanks!

0 Kudos
1 Solution

Accepted Solutions
bbmcgee
Explorer

Thanks for your reply. Sorry, I should have been more specific. I confirmed you can't make changes to the Optimized profile configuration. However, it is possible to change or override a specific IPS Protection from its initial state for the conditions set in the Optimized profile, for example from Prevent to Detect. That's the scenario I am running up against. In case it helps anyone else, I did some testing, and verified that when cloning the Optimized profile, the IPS Protections for the newly cloned profile remove any user modifications. Alternatively, there is the option to run Profile cleanup, but that doesn't seem to be necessary in this scenario.


0 Kudos
2 Replies
PhoneBoy
Admin

As far as I know, you can't really make any changes to the default profiles (Basic/Optimized/Strict).
Cloning them should, therefore, start you from our default settings. 

0 Kudos
