Using Attack Objects Overview
Occasionally, an attack object produces false positives when included in a security policy for your network. You can remove the attack from the firewall rule by removing the attack object group to which the attack belongs or by disabling the individual attack object at the device level. Although disabling attack objects does not improve throughput performance for the security device, this fine-tuning of the attacks detected by each device helps reduce false positives in your logs.
To disable attack objects, the attack object database on the managed device must match the version of the database on the GUI server. If the databases do not match, the Disable Attacks option does not appear in the device navigation tree, and a validation icon appears next to the Attack Database Version setting in Security > Attack DB > Settings.
To disable an attack object on a device, double-click the device to open the device configuration. In the device navigation tree, select Security > Attack DB > Disable Attacks, and then select the attack objects you want to disable.
Disabled attack objects are device-specific. For example, disabling an attack object within the root system does not disable the attack object in any of its virtual systems (vsys), and disabling an attack object in one vsys does not affect that attack object in any other vsys.
For more information about the attack object database, see the “Attack Detection and Defense Mechanisms” volume in the Concepts & Examples ScreenOS Reference Guide.