Procedure
- Select Enable Vulnerability Protection.
- Configure intrusion prevention settings:
  - Click the Intrusion Prevention Rules tab.
  - Select one of the following scanning profiles:
    - Recommended: Ensures protection against known vulnerability issues, provides more relevant data, and reduces performance impact on endpoints
    - Aggressive: Applies additional Intrusion Prevention Rules for suspicious network activities to the Recommended scanning profile
      Important
      Aggressive scanning may generate a large number of nonessential logs and impact endpoint performance. Trend Micro strongly advises using the Recommended profile.
  - (Optional) Select a view to filter the list of Intrusion Prevention Rules by status:
    - All: Displays all Intrusion Prevention Rules
    - Default (Enabled): Displays only the Intrusion Prevention Rules that the selected scanning profile enables by default
    - Default (Disabled): Displays only the Intrusion Prevention Rules that the selected scanning profile disables by default
    - User-defined (Enabled): Displays only the Intrusion Prevention Rules enabled by the user
    - User-defined (Disabled): Displays only the Intrusion Prevention Rules disabled by the user
  - Modify the status of a rule by selecting from the Status drop-down control:
    - Default (Enabled): The selected scanning profile enables the corresponding rule by default. Select to apply the rule status defined by the scanning profile.
    - Default (Disabled): The selected scanning profile disables the corresponding rule by default. Select to apply the rule status defined by the scanning profile.
    - User-defined (Enabled): Select to enable the rule.
    - User-defined (Disabled): Select to disable the rule.
- Configure network engine settings:
  - Click the Network Engine Settings tab.
  - Select the Network Engine Detection Mode*.
    Note
    You can also use the selected Network Engine Detection Mode to configure the Advanced Logging Policy.
    - Inline: Live packet streams pass directly through the Vulnerability Protection network engine. All rules are applied to the network traffic before the packets proceed up the protocol stack.
    - Tap (Detect-only): Live packet streams are replicated and diverted from the main stream.
  - Configure the following settings:
    - ESTABLISHED Timeout: How long to stay in the ESTABLISHED state before closing the connection
    - LAST_ACK Timeout: How long to stay in the LAST-ACK state before closing the connection
    - Cold Start Timeout: The amount of time to allow non-SYN packets that could belong to a connection that was established before the stateful mechanism was started
    - UDP Timeout: The maximum duration of a UDP connection
    - Maximum TCP Connections: The maximum number of simultaneous TCP connections
    - Maximum UDP Connections: The maximum number of simultaneous UDP connections
    - Ignore Status Code: Select up to 3 types of events to ignore
    - Advanced Logging Policy: Select from the following settings:
      - Bypass: No filtering of events. Overrides the Ignore Status Code settings (above) and other advanced settings, but does not override logging settings defined on the Apex One server
      - Network Engine Detection Mode*: Uses Tap Mode if Tap (Detect-only) is selected for the Network Engine Detection Mode, or Normal if Inline is selected for the Network Engine Detection Mode
      - Normal: All events are logged except dropped retransmits
      - Backwards Compatibility Mode: For support use only
      - Verbose Mode: Same as Normal but including dropped retransmits
      - Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited UDP, unsolicited ICMP, out of allowed policy
      - Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and Normalization Suppression ignores as well as events related to fragmentation
      - Stateful, Frag, and Verifier Suppression: Ignores everything Stateful, Normalization, and Frag Suppression ignores as well as verifier-related events
      - Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, packet on closed connection
      For a more comprehensive list of which events are ignored for Stateful and Normalization Suppression; Stateful, Normalization, and Frag Suppression; Stateful, Frag, and Verifier Suppression; and Tap Mode, see Advanced Logging Policy Modes.
- Click Save to apply settings.
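The way the Advanced Logging Policy, the Network Engine Detection Mode and the Ignore Status Code setting combine is easy to misread from the settings list alone, so here is an added model of those rules as described above (example code, not Trend Micro's implementation). It resolves the starred policy to Tap Mode or Normal, applies Bypass's override of Ignore Status Code, and nests the suppression modes; the event type names and sample events are constructed for the example, and Backwards Compatibility Mode is not modelled because the page gives it no semantics.

```python
# Added illustrative model of the Advanced Logging Policy rules on this page;
# not Trend Micro code. Event type names and SAMPLE_EVENTS are constructed.

STATEFUL_NORMALIZATION = {
    "dropped retransmit", "out of connection", "invalid flags", "invalid sequence",
    "invalid ack", "unsolicited udp", "unsolicited icmp", "out of allowed policy",
}
# Each broader suppression mode ignores everything the narrower one does.
STATEFUL_NORMALIZATION_FRAG = STATEFUL_NORMALIZATION | {"fragmentation"}
STATEFUL_FRAG_VERIFIER = STATEFUL_NORMALIZATION_FRAG | {"verifier"}
TAP_MODE = {
    "dropped retransmit", "out of connection", "invalid flags", "invalid sequence",
    "invalid ack", "max ack retransmit", "packet on closed connection",
}
IGNORED_BY_POLICY = {
    "Normal": {"dropped retransmit"},      # everything logged except dropped retransmits
    "Verbose Mode": set(),                  # Normal plus dropped retransmits
    "Stateful and Normalization Suppression": STATEFUL_NORMALIZATION,
    "Stateful, Normalization, and Frag Suppression": STATEFUL_NORMALIZATION_FRAG,
    "Stateful, Frag, and Verifier Suppression": STATEFUL_FRAG_VERIFIER,
    "Tap Mode": TAP_MODE,
}
SAMPLE_EVENTS = [  # constructed, not real engine output
    {"type": "dropped retransmit", "src": "10.0.0.5"},
    {"type": "invalid flags", "src": "10.0.0.7"},
    {"type": "packet on closed connection", "src": "10.0.0.9"},
]

def resolve_policy(policy, detection_mode):
    """The starred option follows the engine mode: Tap Mode for Tap (Detect-only), Normal for Inline."""
    if policy == "Network Engine Detection Mode*":
        return "Tap Mode" if detection_mode == "Tap (Detect-only)" else "Normal"
    return policy

def ignored_events(policy, detection_mode, ignore_status_codes=()):
    """Event types that will not be logged under the given settings."""
    if len(ignore_status_codes) > 3:
        raise ValueError("Ignore Status Code accepts at most 3 event types")
    name = resolve_policy(policy, detection_mode)
    if name == "Bypass":  # no filtering; overrides Ignore Status Code and other advanced settings
        return set()
    if name not in IGNORED_BY_POLICY:
        raise ValueError(f"policy not modelled here: {name}")
    return IGNORED_BY_POLICY[name] | set(ignore_status_codes)

def filter_events(events, policy, detection_mode, ignore_status_codes=()):
    """Keep only the events the chosen policy would write to the log."""
    ignored = ignored_events(policy, detection_mode, ignore_status_codes)
    return [e for e in events if e["type"] not in ignored]
```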