02-25-2018 06:25 AM
Hi
I am wondering, firewall does not have the option to make vulnerability protection profiles based on signature categories like vulnerability signatures for dns server and web server and then used them in security policies realted to dns only or web server only.
in firewall, I can see I have just only one vulnerability protection profile and use in all polices either its for dns or web server. Is there any performance impact for this?
03-16-2018 01:05 AM
No
The packet is handed over to the content scanning engine and it will inspect the packet as efficiently as possible, it uses protocol specific decoders, so if dns is detected it will be inspected by the dns decoder, if http is detected, it will be processed by the http decoder
03-19-2018 03:09 AM
yes, for dns related vulnerabilities
02-26-2018 01:39 AM
No
The kind of application your profile touches is controlled by the security policy, but the content scanning process is the same for all your sessions. (the presense of a profile sends the packets to the content scanning engine and it will scan the session appropriately)
The security profiles control the decission making process (alert, drop, block ip, ...) but not how the applications are scanned
03-16-2018 12:31 AM
Hi @reaper
Thanks for the reply. Sorry for late for coming back to this discussion.
So you mean, regardless of the application, the session is scanned for all vulerability signatures by content engine? Its not like if application is identified as DNS then only DNS specific sigantures are checked against the session?
03-16-2018 01:05 AM
No
The packet is handed over to the content scanning engine and it will inspect the packet as efficiently as possible, it uses protocol specific decoders, so if dns is detected it will be inspected by the dns decoder, if http is detected, it will be processed by the http decoder
03-17-2018 01:04 AM
@reaper thanks
Just last thing, if decoder is identified as DNS then still it will inspect all vulnerability signatures right?
03-19-2018 03:09 AM
yes, for dns related vulnerabilities
03-26-2018 12:49 AM
Thanks
@reaper I also observed for the application unknown-tcp, all vulnerabilities were checked in logs like IIS realted etc
03-26-2018 02:30 AM
unknown-tcp does not have a decoder (because it is unknown) so is checked for all vulnerabilities
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
