Manual Chapter : Create a protocol inspection profile

Applies To:

Show Versions Show Versions


  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Create a protocol inspection profile

A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax. Signatures are selected and added to the profile by Service, and you can narrow the scope of signatures by a number of other characteristics. You can enforce signatures, compliance items, or both.
  1. On the Main tab, click
    Protocol Security
    Inspection Profiles
    The Inspection Profiles screen opens.
  2. Click
    and select
    Alternatively, copy an existing inspection profile by selecting the profile and clicking
    , then
    Clone Existing
  3. Type a profile name, and optionally add a description.
  4. From the
    menu, select
    to enforce signatures.
    If you are enforcing only Signature items, you can select
    for compliance items.
  5. From the
    menu, select
    to enforce compliance items.
    If you are enforcing only Compliance items, you can select
    for signatures.
  6. To collect AVR stats, from the
    AVR Stats Collect
    menu, select
  7. From the
    menu, select the services you want to add to the inspection profile.
    Each selected service type displays as a new category at the bottom of the screen. By default, all inspection items are disabled. You must enable items or categories you want to inspect.
  8. From
    Auto Approval Trigger
    , configured the thresholds to automatically approve suggestions. You can choose either a time based threshold between 720-43200 minutes, or a confidence based threshold, between 0% and 100%. Only one threshold can be configured, enter
    to disable the unused threshold.
    Confidence indicates the degree to which BIG-IP AFM calculates false positives for a signature based on traffic analysis. A high percentage indicates a low false positive risk and a low percentage indicates a high false positive risk.
  9. To enable inspections in the service, click the service category name on the screen.
    The service category expands to show the inspections.
  10. To enable an inspection, select the checkbox for the inspection.
    The Edit Selected Inspections panel opens on the right of the screen.
  11. To enable an inspection, select
    , and click
  12. To change the action for the selected inspection, from the Action menu select
    , or
  13. To select whether the inspection item is logged, from the Log menu select
    You can select and edit multiple inspections at once. You can select the checkbox at the top of the category to select and edit all inspections in the category.
  14. When you have finished adding services and editing inspections, click
    Commit Changes to System
The Inspection Profiles screen appears and the inspection profile you created is displayed in the list.
You can attach a protocol inspection profile to a firewall rule or to a virtual server.