Configuring Alerts; Updating Profiler Settings - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

Updating Profiler Settings

Select Profile Context to include context information. If you clear Profile Context, IDP
profile data only includes higher-level traffic data such as source, destination, and service.
If you want Profiler information to include context values and network probes (for
example, port scans), also configure the Profiler to "Include Probes and Attempts" in the
General tab.

Configuring Alerts

Use the Alert tab to configure the Profiler to indicate the appearance of a new host,
protocol, or port on your internal network. When you enable New Host Detected, New
Protocol Detected, or New Port Detected, the device generates a specific log record, such
as PROFILER_NEW_HOST, in the Profiler Logs section of the Log Viewer, when the device
discovers a new host, protocol, or port.

If you are configuring the Profiler for the first time, do not enable the new host, protocol,
or port alerts. As the Profiler runs, the device views all network components as new, which
can generate unnecessary log records. After the Profiler has learned about your network
and has established a baseline of network activity, you should reconfigure the device to
record new hosts, protocols, or ports discovered on your internal network. For details,
see "Configuring a Network Baseline" on page 717.

Enable the Database Limit Exceeded alert to indicate when you have reached the
maximum limit of the database size. You can configure the maximum limit of the Profiler
DB using the dbLimit parameter in the General tab of the Profiler Settings dialog box.
The default limit is the value that has been set for Profiler preferences (see "Customizing
Profiler Preferences" on page 705). After a device reaches this limit, it begins purging the
database.

Example of Using Alerts

For example, a network host performs the normal connections required for Internet
connectivity (SMTP, POP3, HTTP, and so on). The host becomes infected by a worm
and begins making outbound connections on an arbitrary port. The device logs the unique
event and generates PROFILER_NEW_PROTO and PROFILER_NEW_PORT log records.
The system immediately e-mails these log records to the Security Administrator, who
can investigate the worm and take action to contain it.
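
The triage below is an added example, not part of the Juniper guide or of NSM: it skips records logged during the baseline period and flags the worm pattern described above, where one host raises PROFILER_NEW_PROTO and PROFILER_NEW_PORT close together. The record tuple layout, the sample data, the `triage` function, and the five-minute window are assumptions; only the three category names come from the guide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, category, host, detail).
# This layout is hypothetical, not NSM's export format.
SAMPLE_RECORDS = [
    ("2010-09-01T08:00:05", "PROFILER_NEW_HOST", "10.1.1.20", ""),
    ("2010-09-01T08:00:09", "PROFILER_NEW_PROTO", "10.1.1.20", "SMTP"),
    ("2010-09-01T08:00:11", "PROFILER_NEW_PORT", "10.1.1.20", "TCP/25"),
    ("2010-09-15T14:02:10", "PROFILER_NEW_PROTO", "10.1.1.20", "UNKNOWN"),
    ("2010-09-15T14:02:12", "PROFILER_NEW_PORT", "10.1.1.20", "TCP/47321"),
    ("2010-09-16T09:30:00", "PROFILER_NEW_PORT", "10.1.1.35", "TCP/8080"),
]


def triage(records, baseline_end, window=timedelta(minutes=5)):
    """Return {host: (priority, details)} for records after the baseline.

    "high"   - the host raised NEW_PROTO and NEW_PORT within `window`
    "review" - any other new host, protocol, or port record
    """
    by_host = defaultdict(list)
    for ts, category, host, detail in records:
        when = datetime.fromisoformat(ts)
        if when < baseline_end:
            continue  # learning period: every component looks new
        by_host[host].append((when, category, detail))

    result = {}
    for host, events in by_host.items():
        protos = [t for t, c, _ in events if c == "PROFILER_NEW_PROTO"]
        ports = [t for t, c, _ in events if c == "PROFILER_NEW_PORT"]
        # Pair a new protocol with a new port seen close together in time.
        paired = any(abs(p - q) <= window for p in protos for q in ports)
        details = [d for _, _, d in events if d]
        result[host] = ("high" if paired else "review", details)
    return result


if __name__ == "__main__":
    # Assumed baseline: the Profiler finished learning on 2010-09-08.
    for host, (priority, details) in triage(
        SAMPLE_RECORDS, datetime(2010, 9, 8)
    ).items():
        print(host, priority, ", ".join(details))
```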

Repeat the configuration process for each device in your network. When you have
configured all devices on your network, you are ready to start the Profiler.

Updating Profiler Settings

After you configure settings on the Profiler, you must update those settings on the device.

To update the settings on the device:

1. From the Device Manager, right-click on the device and select Update Device.
   The Device Update Options window prompts you to Restart IDP Profiler After
   Device Update.
2. Click OK.
   The Job Information window shows the status of the update. After the operation
   finishes, the device begins collecting data for the Profiler DB.

Copyright © 2010, Juniper Networks, Inc.
