Creating Security Intelligence Profiles
To create a profile:
- Select Security Director > Security Intelligence > Profiles.
The Profiles page appears, listing the existing profiles, as shown in Figure 1.
Figure 1: Profiles Page
- To create a new Security Intelligence profile, click the plus sign (+).
The Create Security Intelligence Profile page appears, as shown in Figure 2.
Figure 2: Create Security Intelligence Profile Page
- In the Name field, enter the name of the profile.
- In the Description field, enter a description of the profile.
- From the Feed Category drop-down list, select a required feed category.
The available categories are Device Fingerprint and Command & Control. By default, the feed category is set to Device Fingerprint.
- Configure the Blocking Threshold field either to the recommended values or to your own parameters.
Recommended actions provide the best balance between increased security and reduced false positives. Recommended actions dynamically block malicious or highly suspicious traffic based on the most current threat assessment provided through the dynamic feed.
- If the feed category is Device Fingerprint:
The recommended action for all the blocked traffic under Block Options is Close connection (recommended). When closing HTTP traffic, the recommended action is to not send any message to the user.
The recommended action for log events under Logging is Log all traffic (recommended).
You can customize the data to block traffic based on the threat score, as shown in Figure 3.
Figure 3: Create Security Intelligence Profile-Custom Values
Under Blocking Options, you can customize the following action to be taken for all the closed HTTP traffic:
No Message
Default Message
Redirect URL
Customer Message
Under the Logging section, you can customize the following log events:
Log only blocked traffic
Log all traffic (not recommended)
Don’t log any traffic
- If the feed category is Command & Control:
Under Block Options, the recommended action for all the blocked traffic is log all traffic (recommended).
Under the Logging section, the recommended action is Log only blocked traffic.
You can customize the Blocking Options and Logging fields to the required values.
- Click Create.
A new profile is created and added to the Profiles page.
On the Profiles page, the Global Blocklist and Global Allowlist profiles are created by default.
Security Intelligence profiles can be assigned only to firewall policies.