BIG-IQ Centralized Management
Managing Intrusion Prevention System (IPS)
Managing inspection profiles for Network Security
- Profile applied to a virtual server firewall policy rule
- Profile directly applied to a context (vip-type context)
Configuring inspection profiles in a production environment
- Change the inspection ID action settings to Accept.
- Set the inspection log to Yes.
- After you deploy the protocol inspection profile, and the system processes traffic for a period of time, monitor the total hit count for each inspection ID.
- Determine the impact to your environment by monitoring data from traffic processed through the protocol inspection profile on the monitoring screen.
Create a protocol inspection profile
- Go to.
- Click Create. Alternatively, you can clone an existing inspection profile by selecting the profile and clicking Clone.
- Type a Name for your profile.
- To enforce signatures, from Signatures, select Enabled. If you are enforcing only compliance items, you can select Disabled here.
- To enforce compliance checks, from Compliance, select Enabled. If you are enforcing only signature items, you can select Disabled here.
- To collect AVR stats, from the AVR Stats Collect list, select Enabled. This action allows you to monitor data for traffic managed by the inspection profile using the IPS dashboard. You must have AVR provisioned on your BIG-IP device, and your BIG-IQ configuration must include a DCD with statistics collection enabled.
- From the services setting, select the services you want to add to this inspection profile. Each selected service type displays its unique list of attack signatures and compliance checks in the Inspection Properties area. By default, all selected service items are enabled.
- Edit inspection service item settings as needed in the Inspection Properties area. For services and single inspection items, you can select a port or port range. These indicate the acceptance criteria for inspecting traffic assigned to a host firewall policy or virtual server.
- To edit all inspection items from all services, select Select/Unselect All. If you enable this option, Edit Selected Inspections allows you to configure the Action and Log settings. Once you have configured these settings, click Set.
- To disable the status of all inspection items for a single service, click the name of the service, and select Disabled from the Status list. Disabling a service's status allows you to save inspection action and logging settings without deleting your changes. If you would like to add logging settings to all inspections in a service, expand the service to display all inspection items, and click the box at the top left of the list to select all. Under the Edit All Inspection Settings field, you can select a log setting and click Set. If you have disabled the service's status, the service is crossed off in the Inspection Properties list.
- To edit settings for a single inspection, expand a service and click the ID link to change the action and log settings for the inspection item. You can perform changes for multiple inspection items by selecting the box next to each inspection ID and configuring bulk changes using the Edit Selected Inspections settings. To save your changes, click Set.
- To trigger a delayed action following a suggestion period once the inspection item is detected, under Suggestions Properties, select the check box for Suggestion Mode. Once you select the suggestion mode, you can set either a time or a confidence level threshold for the suggestion period. You can configure either time or confidence level as the suggestion period threshold, but you cannot configure both. This setting is not active for BIG-IP devices running version 13.1 or later.
For inspection profiles running on BIG-IP devices 14.1 or later, a suggestion period is enabled by default. This means that the system will take corrective action against detected inspection items whether or not you enabled Suggestion Mode.
- In the Auto Approval Trigger setting, for a time suggestion period, set the number of minutes. The default automatic approval time is 10080 minutes (7 days). You can set the time threshold from 720 to 43200 minutes.
- For Confidence Level, set the percentage of confidence required for the system to take automatic action. For inspection profiles running on BIG-IP version 14.0, you cannot set a Confidence Level.
- To automatically download any inspection updates for the services in this profile, select the check box for Update Mode.
- Click Save & Close.
Edit a protocol inspection profile
- Go to.
- To edit an inspection profile, click the name. The properties screen opens for that profile.
- Edit the profile as needed, and click Save & Close. The Protocol Inspection profile list is displayed.
- Ensure that the edited profile is selected, and click Deploy.
Assign a protocol inspection profile to a virtual server
- Go to.
- In the name column, click the name of the relevant virtual server (with a firewall type of vip). This displays the properties of the selected virtual server.
- At the lower part of the screen, from the Shared Objects list, select Inspection Profiles. The list of the configured inspection profiles displays.
- Click the row of the inspection profile you want to add, and drag the row up to the Protocol Inspection Profile setting located in the Properties area.
- Click Save & Close. The Contexts screen opens.
- In the Contexts screen, ensure that the virtual server is still selected, and click Deploy.
Assign a protocol inspection profile to a network firewall
- Go to
- Click the name of the firewall policy. The firewall properties screen opens to the RULES screen.
- From the firewall rule list, identify the firewall rule to which you want to add an inspection profile.
- If you do not have an existing rule:
  - Click Create Rule to add a blank firewall rule. For existing child rules, you might not be able to edit the rule within the firewall policy.
  - To edit a complex rule list, you can go to and select the rule to which you want to attach an inspection profile.
- For your firewall rule, select the pencil icon to the far left of the rule's row. This displays all fields of the rule so you can edit them.
- Scroll to the far right of the rule row, and select a Protocol Inspection Profile from the list under the Protocol Inspection Profile column.
- Click Save & Close. The firewall policy list is now displayed.
- Select the policy (or rule) and click Deploy.
Pin a protocol inspection profile to a device
- Go to. The screen displays a list of the managed BIG-IP devices with AFM provisioning.
- Click the name of the device on which to pin a protocol inspection profile. The properties screen opens for that device.
- From the Network Security (AFM) list in the middle of the screen, select Inspection Profiles.
- From the list of inspection profiles, select the inspection profile you want to pin to the device.
- Click Save & Close.
Monitoring IPS traffic
Identify issues with traffic managed by an inspection profile
- A Data Collection Device (DCD) configured to your BIG-IQ system
- Managed BIG-IP devices that have AFM provisioned for managing network firewall policies or Network Security contexts
- A protocol inspection profile with enabled AVR Stats Collect, assigned to a virtual server or network firewall rule
- Statistics collection that is enabled for the managed BIG-IP devices
- Go to. The screen displays the Average Matched Events chart, which represents the average events per second for all inspected traffic (over the selected time period) that have been detected across all inspection profiles configured within your managed environment. Additionally, it displays the top aspects of inspected traffic in the widgets above the charts.
- To detect issues based on the inspected traffic details, you can view the following traffic aspects:
  - Expand one or more of the following dimensions located in the dimensions pane to the far right of the screen: Countries, Client IPs, Destination Ports, Network Protocols. Each expanded dimension displays objects that have been detected and their data over the selected time period.
  - To filter displayed data, select one or more of the dimension objects. Each object selection filters data in the charts and dimensions to include only the data relevant to your selections.
  - Once you have filtered the required traffic characteristics, you can identify the corresponding inspection profile by expanding the Profile Names dimension.
- To detect issues based on the inspection profile's virtual servers:
  - Expand the Virtual Servers dimension.
  - Select one of the virtual servers listed in the dimension to display that server's data. From here, you can analyze the chart data, or the tabular data in the other dimensions.
  - Isolate the associated inspection profile by expanding the Profile Names dimension. You can focus on additional aspects of the inspection items by expanding the Inspection IDs, Inspection Names, Destination Ports, and Services dimensions. Details from these dimensions may assist you when editing an inspection profile.
- To view actions against inspected traffic for a single inspection profile:
  - Expand the Profile Names dimension.
  - Select the profile name from the dimension list. This selection filters data in the charts and dimensions to include only the data relevant to your selection.
  - Expand the Actions dimension to display how the inspected traffic was managed.