Managing IPS Inspection profiles on SNS firewalls from SMC
In SMC, you can create filter rules that reference IPS Inspection profiles configured locally on firewalls by selecting their identifier (00 to 09).
However, you cannot set up these profiles directly in SMC, and profiles with the same identifier may differ from one firewall to another.
This section explains how to use SMC to deploy common IPS Inspection profiles on all or some of your firewalls, based on the profiles configured on a “template” firewall.
You will need two scripts to do so: one that collects the profiles from the template firewall, and another that deploys these profiles on the selected firewalls.
IMPORTANT
The template firewall and the target firewalls must run the same version.
To apply this procedure, follow the three steps below in the order given.
The first step consists of editing one or more of the 10 IPS profiles available on a firewall. This firewall serves as the template IPS configuration to be deployed on other firewalls.
- Connect to the web administration interface of the template firewall with its IP address or connect directly through SMC.
- Open the menu Application protection > Applications and protections.
- Edit the settings for the desired applications and protections.
- Open the menu Application protection > Protocols.
- Edit the settings for the desired protocols.
The script below retrieves the IPS Inspection profiles of the template firewall.
#####################################################################
# Save the IPS configuration for a given SNS firewall
#
# The $SAVE_TO_DATA_FILE argument indicates the name of the file in
# which the result of the execution will be saved
#####################################################################
CONFIG BACKUP list=securityinspection $SAVE_TO_DATA_FILE("backup-IPS-Conf.na")
To save the profiles:
- Copy the script to a text editor and save it with the .script extension.
- In SMC, open the menu Deployment > SNS CLI Scripts.
- Select the script you saved previously.
- Select the firewall whose IPS Inspection profiles must be saved.
- Execute the script.
- Download the archive generated by the script. The archive contains the backup file backup-IPS-Conf.na.
For more information on SNS CLI scripts, please refer to the section Running SNS CLI commands on an environment of firewalls.
The script below deploys the previously saved IPS Inspection profiles on the other firewalls.
###############################################################
# Restore the IPS configuration for one or several SNS firewall(s)
#
# The $FROM_DATA_FILE argument indicates the name of the file that will
# be uploaded to the firewall(s)
###############################################################
# Restore the IPS configuration
CONFIG RESTORE list=securityinspection $FROM_DATA_FILE("backup-IPS-Conf.na")
To deploy the profiles:
- Copy the script to a text editor and save it with the .script extension.
- In SMC, open the menu Deployment > SNS CLI Scripts.
- Select the script you saved previously.
- Select the previously created .na backup file as the attached file.
- Select the firewalls on which to deploy the IPS Inspection profiles.
- Execute the script.
- You can connect to a firewall through SMC to check that the profiles have been properly deployed.