Working with Inspection options policies

You can create inspection options policies to configure traffic inspection, advanced callback detection, endpoint reputation analysis, heuristic analysis of web servers, and prevention of denial of service on web servers. After creating an inspection options policy, you can assign the policy to interfaces and subinterfaces.

Inbound traffic is traffic received on the port designated as Outside (that is, originating from outside the network) in Inline or Tap mode. Typically, inbound traffic is destined to the protected network, such as an enterprise intranet. Outbound traffic is any traffic that originates from your internal network: it is sent by a system in your intranet and is on the port designated as Inside (that is, originating from inside the network) in Inline or Tap mode.

When GTI participation is enabled, the IP address reputation is applicable only for inbound connections. When GTI is enabled and Connection Limiting rules are configured, you can block the malicious traffic received on the inbound connections. For example, you can deploy a Sensor in front of a web server, and enable GTI with Connection Limiting rules to limit access to the server and prevent DoS attacks.

With the advanced traffic inspection options, HTTP and SMTP traffic can be inspected, and the traffic segments can be encoded or reassembled to detect threats and anomalies. For more information, refer to Advanced Traffic Inspection.

Advanced callback detection provides detailed information retrieved from different attack phases at the end of a successful correlation. For more information, refer to Advanced Botnet Detection.

Endpoint reputation analysis can be configured for inbound and outbound traffic, and you can set it to influence SmartBlocking. Endpoint reputation is determined using a combination of IP address and port. For more information, refer to IP address Reputation.

You can enable behavior-based detection of attacks against your Web servers, and optionally add blacklisted text. For more information, refer to Implementing the Heuristic Web Application Server Inspection option.

You can configure the Layer 7 DoS inspection options to prevent denial-of-service attacks against your Web servers. For more information, refer to Layer 7 DoS protection for web servers.

You create Inspection Options policies at the domain level. Then, you can apply the Inspection Options policy to the required Sensor interfaces and subinterfaces owned by that domain.

Task

  1. In the Manager, click Policy and then select the required Domain.
  2. Go to Intrusion Prevention > Policy Types > Inspection Options Policies.
    The Inspection Options Policies page is displayed.
    Figure: Inspection options policies page

    The options in this page are as follows:

    | Option | Definition |
    |---|---|
    | Name | The name assigned to the inspection options policy. |
    | Description | The description of the inspection options policy. |
    | Owner | Owner Domain Only: Indicates the admin domain to which an inspection options policy belongs. Owner and Child Domains: Indicates that the policy is also available to the corresponding child admin domains. |
    | Visibility | Indicates the visibility settings for the domains, that is, whether the policy is visible only to the owner domain or to both owner and child domains. |
    | Editable here | Indicates whether you can edit or delete an inspection options policy from the current admin domain. You can edit but not delete the predefined IPS Policies. You can edit or delete a user-defined inspection options policy only from the admin domain where it was created. Yes indicates that the IPS policy belongs to the current admin domain. If it is No, you cannot edit the IPS policy because it is defined at a parent admin domain. |
    | Statistics | Last Updated: Displays the time when the inspection options policy was last updated. Last Updated By: Displays the user who changed the inspection options policy. Assignments: The number of interfaces and subinterfaces to which a policy is assigned. This information is according to the current information in the Manager database. Click the link in the Assignments column to assign the corresponding policy to the required interfaces and subinterfaces. |
    | New | Click New to create an inspection options policy. The Properties and Inspection Options tabs are explained in the sections that follow. |
    | Copy | Select an inspection options policy and click Copy to copy it. This is especially helpful if you want to use a non-editable policy with slight changes. |
    | Edit | Select any of the listed policies and click Edit to edit or view the details. |
    | Delete | Select an eligible policy and click Delete to delete it. Make sure that this policy is not assigned to any Sensor resources. To delete in bulk, select more than one policy and click Delete. |