Signature Profiles
Signature profiles enable you to configure rules that are downloaded from the Cloud Portal. Orchestrator provides the following default signature profiles:
- For the 4.x signature family, the Default signature profile
- For the 5.x signature family, the Default_S5 signature profile
These default profiles include default settings for the signature rules. Default profiles are automatically used across all appliances. You can create additional signature profiles and override default rule settings by choosing different actions as needed.
By default, all rules included in the signatures list are enabled on all appliances where IPS is enabled. The default action is to drop traffic when a rule is triggered. However, for certain traffic or in other cases, you might want to specify a different action for IPS to take.
- To open the Signature Profiles tab, click Signature Profiles on the Intrusion Detection/Prevention tab (Configuration > Overlays & Security > Security > IDS/IPS).
- Select the appropriate signature family from the Signature Family drop-down list.
  NOTE: You can apply profiles for the 5.x signature family only to appliances with IPS engine version 6.x or later.
- Initially, the Profile field indicates that rules for the default signature profile (Default for the 4.x signature family or Default_S5 for the 5.x signature family) are displayed on this tab. To change the displayed signature profile, select the appropriate profile from the Profile drop-down list.
  To create signature profiles, see Create a Signature Profile below.
- Use the Filter Rules field above the table to filter the list of rules. You can also use the filters to the right of the field to view rules by affected products, rule category, severity, and/or action.
- To set the response for a specific rule, select one of the following actions from the drop-down list in the Action column. For multiple rules, select the appropriate rule rows in the table, and then select an action from the Bulk Edit Filtered Rules drop-down list.
  - Drop: Drop the traffic when a matching signature condition exists for the source, destination, or both.
  - Inspect: Continue the traffic flow to the destination after inspecting the traffic and raising an event for the matching signature. This action detects the anomaly.
  - Allow: Exclude the rule from participating in IDS/IPS, so that it is no longer part of IDS/IPS processing.
  NOTE: You can change signature rules for any custom signature profile, but you cannot change the Default signature profile. This ensures that you always have the original signature rules as provided by Orchestrator.
You can apply profiles to your appliances by clicking the Apply Profile link. For details, refer to the help information for the Intrusion Detection/Prevention tab.
Create a Signature Profile
When you create a signature profile, it will be selectable from the Profile drop-down list. Then you can change the rule actions for that profile as needed.
- On the Signature Profiles tab, select the appropriate signature family from the Signature Family drop-down list.
- Click the edit icon associated with the Profile field.
  The Signature Profiles dialog box opens.
- Click + Add.
  The Add Signature dialog box opens.
- Verify that the appropriate signature family is indicated.
- In the Profile Name field, enter a signature profile name, and then click Ok.
  The new signature profile appears in the Signature Profiles dialog box.
  NOTE: If your newly created signature profile is based on signature family 5.x (or when previously existing signature profiles based on signature family 4.x are migrated during an ECOS upgrade), Orchestrator appends _S5 to the profile name you provided. For example, if the profile name is BankCo, Orchestrator changes it to BankCo_S5.
- Click Save.