You can create a threat protection profile and associate an active ruleset with it. Infoblox supports common threat protection rulesets for both hardware and Software ADP members. You can either upload a ruleset or download rulesets from a server. You can create any number of threat protection profiles, but you can select a maximum of five rulesets in combination at the Grid, member and profile levels. For more information about rulesets, see Understanding Threat Protection Rulesets and Rules.
The threat protection profile allows you to create your own set of rules for either a member or a group of members that experience a similar kind of traffic. After you define a profile, you can clone it and test the copied settings for a new ruleset on one member before publishing the changes for a group of members that are associated with the profile.
To define threat protection profiles:
1. From the Data Management tab, select the Security tab -> Profiles tab and then click the Add icon.
2. In the Add Threat Protection Profile Wizard, add the following:
   - Name: Enter a name for the threat protection profile.
   - Comment: Enter information about the threat protection profile.
   - Active Ruleset Version: Select a value from the drop-down list. This is the ruleset currently used for the threat protection profile. If you inherit a ruleset from the Grid and later change that ruleset at the Grid level, the new ruleset is not reflected in the profile. You must manually change the selected ruleset for the profile. For more information about active rulesets, see Understanding Threat Protection Rulesets and Rules.
   - Active Ruleset Comment: Click Override to override the comment.
   - Events per Second per Rule: Click Override to override the value. Specify the number of events per second per rule that the appliance logs to the syslog. The default value is one and the maximum value is 700. Setting the value to 0 (zero) stops the appliance from logging events for the rules. The appliance displays an error message when you enter a value greater than the maximum value. You can override this event filter at the member level. For information and guidelines about using this setting, see Using the Events Per Second Rule Setting.
   - Disable multiple DNS requests via single TCP session: Click Override to override the value. This determines whether multiple DNS responses through a TCP connection are disabled. For more information, see Enabling Multiple DNS Requests through a Single TCP Session.
A member associated with a threat protection profile can neither modify the Events per Second per Rule and Disable multiple DNS requests via single TCP session settings at the member level, nor enable or disable rules or change rule parameters at the member level.
3. Click Next to add extensible attributes.
4. Save the configuration.