Adding / Editing Profiles - ZyXEL Communications ZyWall 110 User Manual

Chapter 30 IDP

The following table describes this screen.

Table 201 Base Profiles

| BASE PROFILE | DESCRIPTION |
| --- | --- |
| none | All signatures are disabled. No logs are generated and no actions are taken. |
| all | All signatures are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a very low, low or medium severity level (less than or equal to three) generate logs (not log alerts) and no action is taken on packets that trigger them. |
| wan | Signatures for all services are enabled. Signatures with a medium, high or severe severity level (greater than two) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low or low severity level (less than or equal to two) are disabled. |
| lan | This profile is most suitable for common LAN network services. Signatures for common services such as DNS, FTP, HTTP, ICMP, IM, IMAP, MISC, NETBIOS, P2P, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, TFTP, MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate logs (not log alerts) and cause packets that trigger them to be dropped. Signatures with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled. |
| dmz | This profile is most suitable for networks containing your servers. Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP, MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET, Oracle, MySQL are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled. |
| OK | Click OK to save your changes. |
| Cancel | Click Cancel to exit this screen without saving your changes. |

30.2.2 Adding / Editing Profiles

You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable non-applicable signatures so as to improve ZyWALL/USG IDP processing efficiency.

You may also find that certain signatures are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL/USG. As each network is different, false positives and false negatives are common on initial IDP deployment.

You could create a new 'monitor profile' that creates logs but has all actions disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you're satisfied that they have been reduced to an acceptable level, you could then create an 'inline profile' in which you configure appropriate actions to be taken when a packet matches a signature.

Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7. An IDP profile is a group of IDP signatures that have the same log and action settings. In 'group view' you can configure the same log and action settings for all IDP signatures by severity level in the Add Profile screen. You may also configure signature exceptions in the same view.
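The monitor-profile-then-inline-profile workflow from section 30.2.2, sketched as an added example (not code from the ZyXEL guide or firmware): it takes triaged monitor logs and decides which signatures need an exception before drop actions are switched on. The group-view settings copy the lan base profile in Table 201; the log tuple format, signature IDs, dictionary keys, 5% threshold and function names are assumptions made for illustration.

```python
from collections import Counter

# Severity levels as numbered on the page: 1 = very low ... 5 = severe.
# Group settings copy the "lan" row of Table 201; the key names are assumptions.
LAN_GROUP_VIEW = {
    1: {"enabled": False, "log": "no", "action": "none"},
    2: {"enabled": True, "log": "log", "action": "none"},
    3: {"enabled": True, "log": "log", "action": "none"},
    4: {"enabled": True, "log": "log", "action": "drop"},
    5: {"enabled": True, "log": "log", "action": "drop"},
}

def false_positive_rates(monitor_log):
    """monitor_log: (signature_id, verdict) pairs collected while the monitor
    profile was active; verdict is the analyst's triage result."""
    hits, fps = Counter(), Counter()
    for sid, verdict in monitor_log:
        hits[sid] += 1
        fps[sid] += verdict == "false_positive"
    return {sid: fps[sid] / hits[sid] for sid in hits}

def inline_profile(signatures, monitor_log, group_view=LAN_GROUP_VIEW, max_fp_rate=0.05):
    """Group settings plus signature exceptions: a signature the group view
    would drop stays log-only while its observed false-positive rate is high."""
    rates = false_positive_rates(monitor_log)
    exceptions = {}
    for sid, severity in signatures.items():
        rate = rates.get(sid, 0.0)
        if group_view[severity]["action"] == "drop" and rate > max_fp_rate:
            exceptions[sid] = {"enabled": True, "log": "log", "action": "none",
                               "observed_fp_rate": round(rate, 3)}
    return {"group_view": group_view, "exceptions": exceptions}

def effective_setting(profile, signatures, sid):
    """An exception overrides the severity group the signature belongs to."""
    return profile["exceptions"].get(sid) or profile["group_view"][signatures[sid]]

# Constructed sample data: signature IDs, severities and verdicts are made up.
SIGNATURES = {"SIG-1001": 5, "SIG-1002": 4, "SIG-1003": 3, "SIG-1004": 1}
MONITOR_LOG = (
    [("SIG-1001", "attack")] * 12
    + [("SIG-1002", "false_positive")] * 9 + [("SIG-1002", "attack")]
    + [("SIG-1003", "false_positive")] * 30
)

if __name__ == "__main__":
    profile = inline_profile(SIGNATURES, MONITOR_LOG)
    for sid in SIGNATURES:
        print(sid, effective_setting(profile, SIGNATURES, sid))
```

Signatures that never fired during the monitoring period keep their group setting, so the length of the observation window determines how much the result can be trusted.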
ZyWALL/USG Series User's Guide