Specifying Alert Options - Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual

Specifying Alert Options

When you first configure the Profiler, select all contexts. This enables the device to collect
data about every context on your network, giving you a complete view of your network
traffic. Later, when you have analyzed your traffic, you can eliminate contexts that you
know will not be used on your network.
Select Profile Context to include context information. If you clear Profile Context, IDP
profile data only includes high-level traffic data such as source, destination, and service.
If you want Profiler information to include context values and network probes (for
example, port scans), also configure the Profiler to include probes and attempts.
You configure Profiler context settings to determine whether Profiler logs include not
only host and application data but also data pulled from application contexts. For
example, if you specify context targets for FTP usernames, the Profiler logs will include
the username specified for the FTP connection in addition to the hostname and service
(FTP).
To specify Profiler context targets:
1. From Device Manager, double-click a device and then click Profiler Settings.
2. Click the Contexts To Profile tab.
3. Browse and select from the predefined list of contexts.
4. Click Apply.
NOTE: If you change Profiler settings, you must push a configuration update to the
device before the new settings take effect. From the Device Manager, right-click the
device, select Update Device, check Restart IDP Profiler After Device Update, and click
OK.
Indicate which profiler events you want to generate alerts for in the Alert Options tab.
Use this tab to configure the Profiler to indicate the appearance of a new host, protocol,
or port on your internal network. When you select New Host Detected, New Protocol
Detected, or New Port Detected, the device generates a specific log record, such as
PROFILER_NEW_HOST, in the Profiler Logs section of the Log Viewer when the device
discovers a new host, protocol, or port.
If you are configuring the Profiler for the first time, do not enable the new host, protocol,
or port alerts. As the Profiler runs, the device views all network components as new, which
can generate unnecessary log records. After the Profiler has learned about your network
and has established a baseline of network activity, you should reconfigure the device to
record new hosts, protocols, or ports discovered on your internal network. For details,
see the Network and Security Manager Administration Guide.
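One way to apply the baseline advice above when reviewing exported Profiler logs, shown as an added example that is not part of the Juniper guide. The CSV column layout, the sample records, the function name triage_new_hosts, and the baseline cutoff are assumptions made for illustration; only the PROFILER_NEW_HOST record name comes from the text.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample export. The column layout is an assumption for this
# example, not the NSM Log Viewer export format.
SAMPLE_LOG = """\
time,subcategory,host
2010-09-01T08:00:00,PROFILER_NEW_HOST,10.1.1.10
2010-09-01T08:05:00,PROFILER_NEW_HOST,10.1.1.11
2010-09-03T14:30:00,PROFILER_NEW_HOST,10.1.1.12
2010-09-10T02:15:00,PROFILER_NEW_HOST,10.1.1.10
2010-09-10T02:17:00,PROFILER_NEW_HOST,10.1.1.77
2010-09-11T23:40:00,PROFILER_NEW_HOST,10.1.1.77
2010-09-12T09:00:00,PROFILER_NEW_HOST,192.0.2.50
"""

def triage_new_hosts(log_text, baseline_end, internal_nets):
    """Separate learning-period records from post-baseline internal hosts.

    baseline_end is an ISO 8601 timestamp marking the end of the learning
    period. Returns (learning_record_count, baseline_hosts, review_list).
    """
    cutoff = datetime.fromisoformat(baseline_end)
    nets = [ip_network(n) for n in internal_nets]
    baseline, review, learning_records = set(), {}, 0
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    for row in rows:
        if row["subcategory"] != "PROFILER_NEW_HOST":
            continue
        seen = datetime.fromisoformat(row["time"])
        host = ip_address(row["host"])
        if seen < cutoff:
            # Learning period: every host looks new, so record it as baseline.
            baseline.add(host)
            learning_records += 1
        elif host not in baseline and any(host in n for n in nets):
            # Post-baseline, internal, not seen before: keep first sighting.
            review.setdefault(host, seen)
    return learning_records, sorted(baseline), sorted(review.items())

if __name__ == "__main__":
    noise, known, review = triage_new_hosts(
        SAMPLE_LOG, "2010-09-07T00:00:00", ["10.1.1.0/24"])
    print(f"{noise} learning-period records, {len(known)} baseline hosts")
    for host, first_seen in review:
        print(f"review: {host} first seen {first_seen.isoformat()}")
```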
Select the Database Limit Exceeded alert to indicate when you have reached the
maximum limit of the database size. You can configure the maximum limit of the Profiler
database using the dbLimit parameter in the General tab of the Profiler Configuration
dialog box. The default is 500 MB; the minimum-maximum range is 0 to 500 MB. After
Copyright © 2010, Juniper Networks, Inc.
