Could you suggest the best way to set up an approval process for IPS protections and have a record of the time and date when a specific protection was enabled?
Thanks in advance.
This is really a Threat Prevention question.
For a fully enforced "approval process" we would need functionality that's not currently present in the product.
You can find a partial process here: Re: Will (Smart)Workflow come back?
In terms of tracking, there's really two things you have to track:
This will appear in the Audit Logs.
For example, my gateways auto-update IPS signatures nightly, so you will see in the Audit Logs that protections got added and that install policies happened.
I also, for demonstration purposes, activated a protection that wasn't previously activated.
Here's the log entry that was created.
Unfortunately, it's not obvious from looking at this what protection I enabled here.
It's obvious what profile it was modified on (e.g. Profile name).
The Protection name listed is an internal one and not the one you see in SmartConsole.
To find out what protection was actually modified, you have to look at the "Performed On" field.
You'll notice there are two UIDs separated by an underscore:
Using show object in the API, I can see what protection was modified:
There is clearly some room for improvement here.
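Added example, not part of the original thread: a Python sketch of the lookup described above, splitting a "Performed On" value into its two UIDs and resolving each one with the Management API `show-object` command. The sample value, the object names and the `lookup` helper are constructed for illustration, and the response shape (`object` with `name` and `type`) is an assumption to check against your API version.

```python
import json
import re
import urllib.request

UID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
PERFORMED_ON = re.compile(rf"^({UID})_({UID})$")

# Constructed sample data, not taken from a real audit log.
SAMPLE = "11111111-2222-3333-4444-555555555555_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FAKE_OBJECTS = {
    "11111111-2222-3333-4444-555555555555": {"name": "Example A", "type": "example-type-a"},
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {"name": "Example B", "type": "example-type-b"},
}

def split_performed_on(value):
    """Return the two UIDs of a 'Performed On' value, or raise ValueError."""
    match = PERFORMED_ON.match(value.strip())
    if not match:
        raise ValueError(f"not a <uid>_<uid> value: {value!r}")
    return match.group(1), match.group(2)

def show_object(server, sid, uid):
    """Run show-object for one UID; sid is the session id returned by login."""
    request = urllib.request.Request(
        f"https://{server}/web_api/show-object",
        data=json.dumps({"uid": uid}).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid},
    )
    with urllib.request.urlopen(request) as response:
        # Assumed response shape: {"object": {"uid": ..., "name": ..., "type": ...}}
        return json.load(response)["object"]

def resolve_performed_on(value, lookup):
    """Resolve both UIDs; lookup(uid) must return a dict with name and type."""
    rows = []
    for uid in split_performed_on(value):
        obj = lookup(uid)
        rows.append({"uid": uid, "name": obj.get("name"), "type": obj.get("type")})
    return rows

if __name__ == "__main__":
    # Offline run against the constructed objects. Against a real server use:
    #   lookup=lambda uid: show_object("mgmt.example.com", sid, uid)
    for row in resolve_performed_on(SAMPLE, FAKE_OBJECTS.__getitem__):
        print(row)
```

The object types returned for the two UIDs show which one is the profile and which is the protection.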