02-14-2013 11:42 AM
Dear all,
We've got one, okay, two little questions on the configuration of vulnerability protection:
Assuming we have a security policy configured with the pre-defined vulnerability protection profile named "strict". From that policy we're getting "LDAP: User Login Brute-force Attempt" (ID 40'005, severity high) log entries from time to time. The action is to drop all packets (because of the rule in place to block all critical, high and medium rated threats).
The queries are legitimate and we'd like to tweak the timing attributes for that specific threat ID. Now the first question is: What happens if we just change the timing values on that threat ID using the little pencil icon without enabling the exception using the "Enable" check box in the first column? Will the new timing values be applied or is it mandatory to also check the Enable checkbox for the change to take effect?
The second question (just to be sure): What action is applied if we'd enable this threat ID in the exceptions tab? Is it correct that the default action for threat ID 40005 (which is set to alert only) would be applied?.
Thanks for any clarification.
Regards,
Oliver
02-14-2013 11:45 AM
Oliver,
When you modify the vulnerability settings, you will need to use the "Enable" check box. If you don't, the changes you made will not take effect.
As for your second question, when you enable the threat in the exceptions tab, the action defined on this signature will be used. In this case, alert.
Thanks,
Sri
02-14-2013 11:45 AM
Oliver,
When you modify the vulnerability settings, you will need to use the "Enable" check box. If you don't, the changes you made will not take effect.
As for your second question, when you enable the threat in the exceptions tab, the action defined on this signature will be used. In this case, alert.
Thanks,
Sri
02-14-2013 11:47 AM
Thank you very much for your very quick reply.
02-15-2013 12:47 AM
As another workaround wouldnt it be possible to create an IPS profile which only contains this threat where you force it to alert (in case the default for the threat is block) and then in the security policy setup a new rule above the current one but with only the particular src/dstip which then uses this new IPS profile to bypass the check?
I mean in a situation where:
- The threat in question has block as default (but you want it to alert).
- At the same time as you only want to change this for a particular flow.
02-15-2013 03:04 AM
I didn't test it myself but I'd say that would work as well. The firewall processes the security rules from top to bottom until a match is found. So if the new security rule above the old one is a match it would allow it and alert it in the Threat log.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
