Creating Security Intelligence Profiles

 

To create a profile:

  1. Select Security Director > Security Intelligence > Profiles.

    The Profiles page appears, listing the existing profiles, as shown in Figure 1.

    Figure 1: Profiles Page
  2. To create a new Security Intelligence profile, click the plus sign (+).

    The Create Security Intelligence Profile page appears, as shown in Figure 2.

    Figure 2: Create Security Intelligence Profile Page
  3. In the Name field, enter the name of the profile.
  4. In the Description field, enter a description of the profile.
  5. From the Feed Category drop-down list, select the required feed category.

    The available categories are Device Fingerprint and Command & Control. By default, the feed category is set to Device Fingerprint.

  6. Configure the Blocking Threshold field either to the recommended values or to your own parameters.

    Recommended actions provide the best balance between increased security and reduced false positives. Recommended actions dynamically block malicious or highly suspicious traffic based on the most current threat assessment provided through the dynamic feed.

  7. If the feed category is Device Fingerprint:
    • The recommended action for all the blocked traffic under Block Options is Close connection (recommended). When closing the HTTP traffic, the recommended action is to not send any message to the user.

    • The recommended action for log events under Logging is Log all traffic (recommended).

    You can customize the data to block traffic based on the threat score, as shown in Figure 3.

    Figure 3: Create Security Intelligence Profile-Custom Values

    Under Blocking Options, you can customize the following action to be taken for all the closed HTTP traffic:

    • No Message

    • Default Message

    • Redirect URL

    • Customer Message

    Under the Logging section, you can customize the following log events:

    • Log only blocked traffic

    • Log all traffic (not recommended)

    • Don’t log any traffic

  8. If the feed category is Command & Control:
    • Under Block Options, the recommended action for all the blocked traffic is log all traffic (recommended).

    • Under the Logging section, the recommended action is Log only blocked traffic.

    You can customize Blocking Options and Logging fields to the required values.

  9. Click Create.

    A new profile is created and added to the Profiles page.

Note
  • On the Profiles page, the Global Blocklist and Global Allowlist profiles are created by default.

  • Security Intelligence profiles can be assigned only to firewall policies.