Tailored Safe: Tailor-made IPS profile suited for your own assets
The Tailored Safe extension automates the verification and enforcement processes of the Threat Prevention blades. It focuses on enabling blades, moving protections from Detect to Prevent with no potential business impact, exposing attacks that have not been prevented, and recommending protections based on the applications seen.
The extension contains three major capabilities:
- Blade Status and Configuration: See enforced blades, including Staging status.
- Detect to Prevent: Analyzes past IPS logs and recommends protections that can be moved to Prevent with no business impact.
- Application Discovery: Analyzes application control detection capabilities and suggests the relevant IPS tags to enable.
SmartConsole Extension
The extension is an interactive window allowing you to make choices based on your needs. You may configure the extension and select which blades will be used to study your network.
To start using this feature, paste the link below into the manifest URL window:
Based on your selection, the relevant Security Management configurations, applications (Application Control), and logs (IPS, Anti-Bot) will be reviewed, and the relevant tags and protections will be marked.
After running the analysis, you will have the following choices:
- Blade Status and Configuration: you will be advised to enable blades and change configuration to follow best practice.
- Protections with no hits: you will be advised to move them to Prevent, and can choose to do so. This action enables you to maximize prevention with no business impact.
- Protections with hits: you will receive a list of protections with hits, and will have the option to decide which (if any) protections you would like to change to Prevent mode.
- Application Discovery: you will see a list of applications that are in use in your network. You may select the applications of your choice. Based on these, all IPS protections that protect the chosen assets will be enforced in Detect mode.
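The split between protections with no hits and protections with hits can be sketched as follows. This is an added example, not the extension's code: the record fields, the protection names, and the 7-day lookback are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a Check Point log schema.
PROFILE = {  # protection name -> current action in the profile
    "Example Protection A": "Detect",
    "Example Protection B": "Detect",
    "Example Protection C": "Prevent",
    "Example Protection D": "Inactive",
}
NOW = datetime(2024, 1, 15)
LOGS = [
    {"time": datetime(2024, 1, 14), "protection": "Example Protection B", "action": "Detect", "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"time": datetime(2024, 1, 13), "protection": "Example Protection B", "action": "Detect", "src": "10.0.0.9", "dst": "10.0.1.20"},
    # Older than the default window: does not count as a hit unless the lookback is widened.
    {"time": datetime(2023, 11, 1), "protection": "Example Protection A", "action": "Detect", "src": "10.0.0.7", "dst": "10.0.1.30"},
    {"time": datetime(2024, 1, 12), "protection": "Example Protection C", "action": "Prevent", "src": "203.0.113.4", "dst": "10.0.1.20"},
]

def triage(profile, logs, now, lookback_days=7):
    """Split Detect-mode protections into no-hit and hit groups for the window."""
    cutoff = now - timedelta(days=lookback_days)
    hits = defaultdict(lambda: {"count": 0, "sources": set(), "destinations": set()})
    for rec in logs:
        # Only recent Detect logs for protections still in Detect are relevant.
        if rec["time"] < cutoff or rec["action"] != "Detect":
            continue
        if profile.get(rec["protection"]) != "Detect":
            continue
        entry = hits[rec["protection"]]
        entry["count"] += 1
        entry["sources"].add(rec["src"])
        entry["destinations"].add(rec["dst"])
    detect_mode = sorted(name for name, action in profile.items() if action == "Detect")
    no_hits = [name for name in detect_mode if name not in hits]
    with_hits = {name: hits[name] for name in detect_mode if name in hits}
    return no_hits, with_hits

if __name__ == "__main__":
    no_hits, with_hits = triage(PROFILE, LOGS, NOW)
    print("Candidates for Prevent (no hits in window):", no_hits)
    for name, info in with_hits.items():
        print(f"Review manually: {name}: {info['count']} hits, "
              f"{len(info['sources'])} sources, {len(info['destinations'])} destinations")
```

A protection counts as having no hits only for the window examined, so widening the lookback can move a protection from the first group to the second.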
A new profile will now be generated, and you will receive a full report showing a summary of the process.
Important notes
- Management: supported beginning in R80.30
- Security Gateway: all versions are supported
- SmartView: must be enabled for the process to work
- Profile: after every run, a new profile is generated
- SmartEvent and SmartEvent Correlation Unit enabled on the Management Server
If you want to use the extension in an offline flow (with no connectivity to the Internet), you can download the extension, with full instructions, from the following link:
Download Offline Version
- Do I need to install anything?
The only component is the extension.
- How many times do I need to run it on my organization?
We suggest running it once a week.
- Why do I keep receiving "Approve Changes" pop-ups?
This is only a suggestion and does not make any changes. There are no consequences whatsoever for pressing "approve changes" in the pop-ups. We will remove these in the future.
- Why are protections matching chosen applications only moved to Detect?
This allows the traffic relevant for these applications to be studied.
- Will my profile change to the newly created profile?
Following the new profile generation process, you will have the ability to configure it to be your profile. Note that the new profile is only a suggestion.
- What is the impact on my Security Management/Security Gateway?
The extension does not have any impact on the MGMT/Gateway other than profile creation.
- If I remove the extension, should I publish/install policy/install DB?
There is no need to.
- Which users can run the tool effectively?
A user with Super-User permissions.
- Vulnerability scanner input feature
- Granularity per profile per Security Gateway
- Using profiles other than Optimized
- More detailed analysis, summary report