Manual Chapter: Create a protocol inspection profile
Applies To:
BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Create a protocol inspection profile
A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax. Signatures are selected and added to the profile by Service, and you can narrow the scope of signatures by a number of other characteristics. You can enforce signatures, compliance items, or both.
- On the Main tab, click. The Inspection Profiles screen opens.
- Click Add and select New. Alternatively, copy an existing inspection profile by selecting the profile and clicking Add, then Clone Existing.
- Type a profile name, and optionally add a description.
- From the Signatures menu, select Enabled to enforce signatures. If you are enforcing only Signature items, you can select Disabled for compliance items.
- From the Compliance menu, select Enabled to enforce compliance items. If you are enforcing only Compliance items, you can select Disabled for signatures.
- To collect AVR stats, from the AVR Stats Collect menu, select Enabled.
- From the Services menu, select the services you want to add to the inspection profile. Each selected service type displays as a new category at the bottom of the screen. By default, all inspection items are disabled. You must enable items or categories you want to inspect.
- From Auto Approval Trigger, configure the thresholds to automatically approve suggestions. You can choose either a time-based threshold between 720-43200 minutes, or a confidence-based threshold between 0% and 100%. Only one threshold can be configured; enter 0 to disable the unused threshold. Confidence indicates the degree to which BIG-IP AFM calculates false positives for a signature based on traffic analysis. A high percentage indicates a low false positive risk and a low percentage indicates a high false positive risk.
- To enable inspections in the service, click the service category name on the screen. The service category expands to show the inspections.
- To enable an inspection, select the checkbox for the inspection. The Edit Selected Inspections panel opens on the right of the screen.
- To enable an inspection, select Enable, and click Apply.
- To change the action for the selected inspection, from the Action menu select Accept, Reject, or Drop.
- To select whether the inspection item is logged, from the Log menu select Yes or No. You can select and edit multiple inspections at once. You can select the checkbox at the top of the category to select and edit all inspections in the category.
- When you have finished adding services and editing inspections, click Commit Changes to System.
The Inspection Profiles screen appears and the inspection profile you created is displayed in the list.
You can attach a protocol inspection profile to a firewall rule or to a virtual server.