  1. Select Enable Vulnerability Protection.
  2. Configure intrusion prevention settings:
    1. Click the Intrusion Prevention Rules tab.
    2. Select one of the following scanning profiles:
      • Recommended: Ensures protection against known vulnerability issues, provides more relevant data, and reduces performance impact on endpoints

      • Aggressive: Applies additional Intrusion Prevention Rules for suspicious network activities to the Recommended scanning profile

        Important:

        Aggressive scanning may generate a large number of nonessential logs and impact endpoint performance. Trend Micro strongly advises using the Recommended profile.

    3. (Optional) Select a view to filter the list of Intrusion Prevention Rules by status.

      View                      Description
      All                       Displays all Intrusion Prevention Rules
      Default (Enabled)         Displays only the Intrusion Prevention Rules that the selected scanning profile enables by default
      Default (Disabled)        Displays only the Intrusion Prevention Rules that the selected scanning profile disables by default
      User-defined (Enabled)    Displays only the Intrusion Prevention Rules enabled by the user
      User-defined (Disabled)   Displays only the Intrusion Prevention Rules disabled by the user

    4. Modify the status of a rule by selecting from the Status drop-down control.
      • Default (Enabled): The selected scanning profile enables the corresponding rule by default. Select to apply the rule status defined by the scanning profile.

      • Default (Disabled): The selected scanning profile disables the corresponding rule by default. Select to apply the rule status defined by the scanning profile.

      • User-defined (Enabled): Select to enable the rule.

      • User-defined (Disabled): Select to disable the rule.

  3. Configure network engine settings:
    1. Click the Network Engine Settings tab.
    2. Select the Network Engine Detection Mode.
      Note:

      The Advanced Logging Policy setting (below) can be set to follow the selected Network Engine Detection Mode.

      • Inline: Live packet streams pass directly through the Vulnerability Protection network engine. All rules are applied to the traffic before the packets proceed up the protocol stack, so a rule that blocks traffic actually stops the packets.

      • Tap (Detect-only): Live packet streams are replicated and the copy is diverted from the main stream to the network engine. Matches are detected and logged, but the original packets are never blocked.

    3. Configure the following settings:

      Setting                    Description
      ESTABLISHED Timeout        How long a TCP connection may stay in the ESTABLISHED state before the engine closes it
      LAST_ACK Timeout           How long a TCP connection may stay in the LAST_ACK state before the engine closes it
      Cold Start Timeout         How long after the stateful engine starts to accept non-SYN packets that could belong to a connection established before the engine was running
      UDP Timeout                The maximum duration of a UDP connection
      Maximum TCP Connections    The maximum number of simultaneous TCP connections
      Maximum UDP Connections    The maximum number of simultaneous UDP connections
      Ignore Status Code         Select up to 3 types of events to ignore (they are not logged)
      Advanced Logging Policy    Select one of the following:

      • Bypass: No filtering of events. Overrides the Ignore Status Code setting (above) and the other advanced settings, but does not override logging settings defined on the Apex One server

      • Network Engine Detection Mode: Uses Tap Mode if Tap (Detect-only) is the selected Network Engine Detection Mode, or Normal if Inline is selected

      • Normal: All events are logged except dropped retransmits

      • Backwards Compatibility Mode: For support use only

      • Verbose Mode: Same as Normal but including dropped retransmits

      • Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited UDP, unsolicited ICMP, and out of allowed policy events

      • Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and Normalization Suppression ignores, plus events related to fragmentation

      • Stateful, Frag, and Verifier Suppression: Ignores everything that Stateful, Normalization, and Frag Suppression ignores, plus verifier-related events

      • Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, and packet on closed connection events

      For a more comprehensive list of the events that Stateful and Normalization Suppression, Stateful, Normalization, and Frag Suppression, Stateful, Frag, and Verifier Suppression, and Tap Mode ignore, see Advanced Logging Policy Modes.

  4. Click Save to apply settings.
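The following is an added, simplified model written for this page, not Trend Micro's engine or any code from the product. It shows how the Network Engine Settings above interact: the Cold Start Timeout decides whether a non-SYN packet for an unknown connection is adopted or reported as out of connection, the ESTABLISHED and UDP timeouts age flows out of the table, the Maximum TCP/UDP Connections limits refuse new flows, and the Ignore Status Code selection plus the Advanced Logging Policy decide which of the resulting events reach the log. The timeout values, addresses, and packets are constructed for the example; the retransmit heuristic (any repeated sequence number) and the "table full" handling are simplifications, and Backwards Compatibility Mode is omitted because the page describes it only as support-use.

```python
# Added illustration, not Trend Micro's engine. Models how the Network Engine Settings
# (timeouts, connection limits) classify packets and how Ignore Status Code plus the
# Advanced Logging Policy filter the resulting events. All values/traffic are constructed.
from dataclasses import dataclass, field

# Event names as they appear in the Advanced Logging Policy descriptions.
DROPPED_RETRANSMIT, OUT_OF_CONNECTION, UNSOLICITED_UDP = (
    "dropped retransmit", "out of connection", "unsolicited udp")
_STATEFUL_NORM = {DROPPED_RETRANSMIT, OUT_OF_CONNECTION, "invalid flags", "invalid sequence",
                  "invalid ack", UNSOLICITED_UDP, "unsolicited ICMP", "out of allowed policy"}
# Events each policy mode suppresses (Backwards Compatibility Mode is support-only, omitted).
SUPPRESSED = {
    "Bypass": set(),
    "Normal": {DROPPED_RETRANSMIT},
    "Verbose Mode": set(),
    "Stateful and Normalization Suppression": _STATEFUL_NORM,
    "Stateful, Normalization, and Frag Suppression": _STATEFUL_NORM | {"fragmentation"},
    "Stateful, Frag, and Verifier Suppression": _STATEFUL_NORM | {"fragmentation", "verifier"},
    "Tap Mode": {DROPPED_RETRANSMIT, OUT_OF_CONNECTION, "invalid flags", "invalid sequence",
                 "invalid ack", "max ack retransmit", "packet on closed connection"},
}

@dataclass
class EngineSettings:
    established_timeout: float       # seconds a TCP flow may stay ESTABLISHED
    cold_start_timeout: float        # window after start-up in which unknown non-SYN traffic is adopted
    udp_timeout: float               # seconds a UDP flow stays tracked
    max_tcp_connections: int
    max_udp_connections: int
    ignore_status_codes: tuple = ()  # up to three event types the user chose to ignore
    logging_policy: str = "Normal"

@dataclass
class Engine:
    settings: EngineSettings
    start_time: float
    tcp: dict = field(default_factory=dict)  # flow -> (last_seen, last_seq)
    udp: dict = field(default_factory=dict)  # flow -> last_seen
    log: list = field(default_factory=list)

    def _event(self, t, name, flow):
        """Ignore Status Code first, then the Advanced Logging Policy, then log."""
        s = self.settings
        if s.logging_policy != "Bypass" and name in s.ignore_status_codes:
            return  # only Bypass overrides the Ignore Status Code selection
        if name not in SUPPRESSED[s.logging_policy]:
            self.log.append((t, name, flow))

    def _expire(self, t):
        s = self.settings
        self.tcp = {f: v for f, v in self.tcp.items() if t - v[0] <= s.established_timeout}
        self.udp = {f: seen for f, seen in self.udp.items() if t - seen <= s.udp_timeout}

    def tcp_packet(self, t, flow, seq, syn=False):
        """Return 'pass' or 'drop' for a TCP segment of flow (client, server)."""
        self._expire(t)
        if flow in self.tcp:
            seen, last_seq = self.tcp[flow]
            if seq <= last_seq:  # simplification: a repeated sequence number is a retransmit
                self._event(t, DROPPED_RETRANSMIT, flow)
                return "drop"
            self.tcp[flow] = (t, seq)
            return "pass"
        in_cold_start = t - self.start_time <= self.settings.cold_start_timeout
        if not syn and not in_cold_start:
            self._event(t, OUT_OF_CONNECTION, flow)
            return "drop"
        if len(self.tcp) >= self.settings.max_tcp_connections:
            return "drop"  # table full; the page names no event for this case
        self.tcp[flow] = (t, seq)
        return "pass"

    def udp_packet(self, t, flow, outbound):
        """Return 'pass' or 'drop'; inbound UDP with no tracked flow is unsolicited."""
        self._expire(t)
        if flow in self.udp:
            self.udp[flow] = t
            return "pass"
        if not outbound:
            self._event(t, UNSOLICITED_UDP, flow)
            return "drop"
        if len(self.udp) >= self.settings.max_udp_connections:
            return "drop"
        self.udp[flow] = t
        return "pass"

def demo(policy="Normal", ignore=()):
    """Replay constructed traffic through one engine and return the logged event names."""
    settings = EngineSettings(established_timeout=300, cold_start_timeout=60, udp_timeout=30,
                              max_tcp_connections=2, max_udp_connections=2,
                              ignore_status_codes=ignore, logging_policy=policy)
    engine = Engine(settings, start_time=0.0)
    a, b = ("10.0.0.5:50000", "10.0.0.9:443"), ("10.0.0.5:50001", "10.0.0.9:443")
    engine.tcp_packet(10, a, seq=100)   # non-SYN inside the cold start window: adopted
    engine.tcp_packet(12, a, seq=100)   # same sequence number again: dropped retransmit
    engine.tcp_packet(100, b, seq=1)    # non-SYN after cold start: out of connection
    engine.udp_packet(101, ("10.0.0.5:5353", "10.0.0.9:53"), outbound=False)  # unsolicited udp
    return [name for _, name, _ in engine.log]
```

Calling demo("Verbose Mode") returns all three events, demo("Normal") drops only the retransmit, demo("Tap Mode") keeps just the unsolicited UDP event (Tap Mode does not list it), and demo("Normal", ignore=("out of connection",)) shows Ignore Status Code removing an event that the policy alone would have logged; switching the same call to "Bypass" brings that event back, which is the override behaviour the table describes. In practice, the modes that suppress stateful events hide exactly the noise a pre-existing connection or a cold-started engine produces, so check the Verbose Mode output first when an endpoint unexpectedly drops traffic, then move back to a quieter policy once the cause is understood.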