Manual Chapter : Create a protocol inspection profile

Applies To:

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Create a protocol inspection profile

A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax. Signatures are selected and added to the profile by Service, and you can narrow the scope of signatures by a number of other characteristics. You can enforce signatures, compliance items, or both.
  1. On the Main tab, click Security > Protocol Security > Inspection Profiles.
    The Inspection Profiles screen opens.
  2. Click Add and select New.
    Alternatively, copy an existing inspection profile by selecting the profile and clicking Add, then Clone Existing.
  3. Type a profile name, and optionally add a description.
  4. From the Signatures menu, select Enabled to enforce signatures.
    If you are enforcing only Signature items, you can select Disabled for compliance items.
  5. From the Compliance menu, select Enabled to enforce compliance items.
    If you are enforcing only Compliance items, you can select Disabled for signatures.
  6. To collect AVR stats, from the AVR Stats Collect menu, select Enabled.
  7. From the Services menu, select the services you want to add to the inspection profile.
    Each selected service type displays as a new category at the bottom of the screen. By default, all inspection items are disabled. You must enable items or categories you want to inspect.
  8. From Auto Approval Trigger, configure the thresholds to automatically approve suggestions. You can choose either a time-based threshold between 720-43200 minutes, or a confidence-based threshold between 0% and 100%. Only one threshold can be configured; enter 0 to disable the unused threshold.
    Confidence indicates the degree to which BIG-IP AFM calculates false positives for a signature based on traffic analysis. A high percentage indicates a low false positive risk and a low percentage indicates a high false positive risk.
  9. To enable inspections in the service, click the service category name on the screen.
    The service category expands to show the inspections.
  10. To enable an inspection, select the checkbox for the inspection.
    The Edit Selected Inspections panel opens on the right of the screen.
  11. To enable an inspection, select Enable, and click Apply.
  12. To change the action for the selected inspection, from the Action menu select Accept, Reject, or Drop.
  13. To select whether the inspection item is logged, from the Log menu select Yes or No.
    You can select and edit multiple inspections at once. You can select the checkbox at the top of the category to select and edit all inspections in the category.
  14. When you have finished adding services and editing inspections, click Commit Changes to System.
The Inspection Profiles screen appears and the inspection profile you created is displayed in the list.
You can attach a protocol inspection profile to a firewall rule or to a virtual server.