Procedure

  1. Select Enable Vulnerability Protection.
  2. Configure intrusion prevention settings:
    1. Click the Intrusion Prevention Rules tab.
    2. Select one of the following scanning profiles:
      • Recommended: Ensures protection against known vulnerability issues, provides more relevant data, and reduces performance impact on endpoints
      • Aggressive: Applies additional Intrusion Prevention Rules for suspicious network activities to the Recommended scanning profile
        Important
        Aggressive scanning may generate a large number of nonessential logs and impact endpoint performance. Trend Micro strongly advises using the Recommended profile.
    3. (Optional) Select a view to filter the list of Intrusion Prevention Rules by status.
      • All: Displays all Intrusion Prevention Rules
      • Default (Enabled): Displays only the Intrusion Prevention Rules that the selected scanning profile enables by default
      • Default (Disabled): Displays only the Intrusion Prevention Rules that the selected scanning profile disables by default
      • User-defined (Enabled): Displays only the Intrusion Prevention Rules enabled by the user
      • User-defined (Disabled): Displays only the Intrusion Prevention Rules disabled by the user
    4. Modify the status of a rule by selecting from the Status drop-down control.
      • Default (Enabled): The selected scanning profile enables the corresponding rule by default. Select to apply the rule status defined by the scanning profile.
      • Default (Disabled): The selected scanning profile disables the corresponding rule by default. Select to apply the rule status defined by the scanning profile.
      • User-defined (Enabled): Select to enable the rule.
      • User-defined (Disabled): Select to disable the rule.
  3. Configure network engine settings:
    1. Click the Network Engine Settings tab.
    2. Select the Network Engine Detection Mode*.
      Note
      You can also use the selected Network Engine Detection Mode to configure the Advanced Logging Policy.
      • Inline: Live packet streams pass directly through the Vulnerability Protection network engine. All rules are applied to the network traffic before the packets proceed up the protocol stack.
      • Tap (Detect-only): Live packet streams are replicated and diverted from the main stream.
    3. Configure the following settings:
      • ESTABLISHED Timeout: How long to stay in the ESTABLISHED state before closing the connection
      • LAST_ACK Timeout: How long to stay in the LAST_ACK state before closing the connection
      • Cold Start Timeout: The amount of time to allow non-SYN packets that could belong to a connection that was established before the stateful mechanism was started
      • UDP Timeout: The maximum duration of a UDP connection
      • Maximum TCP Connections: The maximum number of simultaneous TCP connections
      • Maximum UDP Connections: The maximum number of simultaneous UDP connections
      • Ignore Status Code: Select up to 3 types of events to ignore
      • Advanced Logging Policy: Select from the following settings:
        • Bypass: No filtering of events. Overrides the Ignore Status Code settings (above) and other advanced settings, but does not override logging settings defined on the Apex One server
        • Network Engine Detection Mode*: Uses Tap Mode if Tap (Detect-only) is selected for the Network Engine Detection Mode, or Normal if Inline is selected for the Network Engine Detection Mode
        • Normal: All events are logged except dropped retransmits
        • Backwards Compatibility Mode: For support use only
        • Verbose Mode: Same as Normal but including dropped retransmits
        • Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited UDP, unsolicited ICMP, out of allowed policy
        • Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and Normalization Suppression ignores as well as events related to fragmentation
        • Stateful, Frag, and Verifier Suppression: Ignores everything Stateful, Normalization, and Frag Suppression ignores as well as verifier-related events
        • Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, packet on closed connection
      For a more comprehensive list of which events are ignored for Stateful and Normalization Suppression, Stateful, Normalization, and Frag Suppression, Stateful, Frag, and Verifier Suppression, and Tap Mode, see Advanced Logging Policy Modes.
  4. Click Save to apply settings.
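The following added example is not Trend Micro code: it models how the Advanced Logging Policy, the Network Engine Detection Mode and the Ignore Status Code setting described in step 3 combine to decide which network engine events are logged, and runs that logic over a few constructed sample events. It assumes that Ignore Status Code types are added to the ignore set of every policy except Bypass (which the page says overrides them), and it leaves out Backwards Compatibility Mode because the page gives it no semantics.

```python
# Added example, not Trend Micro code: models which network engine events the
# Advanced Logging Policy and Ignore Status Code settings leave to be logged.
# Assumed: Ignore Status Code types add to every policy's ignore set except Bypass.
STATEFUL_NORMALIZATION = frozenset({          # ignore set from the settings table
    "dropped retransmit", "out of connection", "invalid flags", "invalid sequence",
    "invalid ack", "unsolicited udp", "unsolicited icmp", "out of allowed policy",
})
# Each higher suppression level extends the previous one.
STATEFUL_NORMALIZATION_FRAG = STATEFUL_NORMALIZATION | {"fragmentation"}
STATEFUL_FRAG_VERIFIER = STATEFUL_NORMALIZATION_FRAG | {"verifier"}
TAP_MODE = frozenset({
    "dropped retransmit", "out of connection", "invalid flags", "invalid sequence",
    "invalid ack", "max ack retransmit", "packet on closed connection",
})
IGNORED_BY_POLICY = {
    "Bypass": frozenset(),                        # no filtering of events
    "Normal": frozenset({"dropped retransmit"}),   # logs all but dropped retransmits
    "Verbose Mode": frozenset(),                  # Normal plus dropped retransmits
    "Stateful and Normalization Suppression": STATEFUL_NORMALIZATION,
    "Stateful, Normalization, and Frag Suppression": STATEFUL_NORMALIZATION_FRAG,
    "Stateful, Frag, and Verifier Suppression": STATEFUL_FRAG_VERIFIER,
    "Tap Mode": TAP_MODE,
}

def resolve_policy(policy, detection_mode):
    """'Network Engine Detection Mode*' means Tap Mode for Tap (Detect-only), Normal for Inline."""
    if policy == "Network Engine Detection Mode*":
        return "Tap Mode" if detection_mode == "Tap (Detect-only)" else "Normal"
    return policy

def ignored_events(policy, detection_mode, ignore_status_codes=()):
    """Event types suppressed for these settings; Bypass overrides Ignore Status Code."""
    if len(ignore_status_codes) > 3:          # the UI accepts at most 3 ignored types
        raise ValueError("Ignore Status Code accepts at most 3 event types")
    resolved = resolve_policy(policy, detection_mode)
    if resolved == "Bypass":
        return frozenset()
    return IGNORED_BY_POLICY[resolved] | {c.lower() for c in ignore_status_codes}

def filter_events(events, policy, detection_mode, ignore_status_codes=()):
    """Return the events that would still be logged under these settings."""
    ignored = ignored_events(policy, detection_mode, ignore_status_codes)
    return [e for e in events if e["type"].lower() not in ignored]

SAMPLE_EVENTS = [  # constructed sample events, not real product output
    {"type": "dropped retransmit", "src": "192.0.2.10"},
    {"type": "fragmentation", "src": "192.0.2.11"},
    {"type": "verifier", "src": "192.0.2.12"},
    {"type": "rule match", "src": "192.0.2.13"},
]
```

Running `filter_events(SAMPLE_EVENTS, "Network Engine Detection Mode*", "Tap (Detect-only)")` shows the same result as selecting Tap Mode directly, which is the behaviour the asterisked option documents.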