Advanced

Event Data

Allow Intrusion Prevention Rules to capture data for first hit of each rule (in period): Determines whether Vulnerability ProtectionDeep Security will save the packet data which triggered an Intrusion Prevention Rule. This setting works in conjunction with the advanced Network Engine settings that can be found in Computer\Policy Editor > Settings > Network Engine > Advanced Network Engine Settings.

Log All Packet Data: Record the packet data for Events that are not associated with specific Firewall or Intrusion Prevention Rules. That is, log packet data for Events such as "Dropped Retransmit" or "Invalid ACK".
Events that have been aggregated because of Event folding cannot have their packet data saved.
Log only one packet within period: If this option is enabled and Log All Packet Data is not, most logs will contain only the header data. A full packet will be attached periodically, as specified by the Period for Log only one packet within period setting.
Period for Log only one packet within period: When Log only one packet within period is enabled, this setting specifies how often the log will contain full packet data.
Maximum data size to store when packet data is captured: The maximum size of header or packet data to be attached to a log.

Rule Updates

Automatically assign new Intrusion Prevention Rules as required by updated Application Types and Intrusion Prevention Rule dependencies: Security Updates sometimes include new or updated Application Types and Intrusion Prevention Rules which require the assignment of secondary Intrusion Prevention Rules. This setting will allow Vulnerability ProtectionDeep Security to automatically assign these Rules if they are required by the Application Types or Intrusion Prevention Rules that were assigned to a Policy or computer during a Security Update.

SSL Configurations (Computer editors only)

Vulnerability ProtectionDeep Security Manager supports Intrusion Prevention analysis of SSL traffic. The SSL Configurations page allows you to create SSL Configurations for a given certificate-port pair on one or more interfaces. Certificates can be imported in P12 or PEM format and Windows computers have the option of using Windows CryptoAPI directly.

To create a new SSL Configuration, click New and follow the steps in the SSL Configuration wizard.

If the computer you are configuring is being installed on the computer hosting the Vulnerability ProtectionDeep Security Manager, the wizard will let you use credentials already stored in the Vulnerability ProtectionDeep Security Manager.

Double-click an existing configuration to display its Properties window.

Assignment

General Information: The name and description of the SSL configuration, and whether it is enabled on this computer.
Interface Assignments: Which interfaces this configuration is being applied to.
IP Assignment: Which IP(s) this configuration applies to.
Port Selection: Which port(s) this configuration applies to.

Credentials

The Credentials tab lists the current credentials, and has an Assign New Credentials... button which lets you change them.

Filtering of SSL traffic is only supported by the Deep Security Agent, not the Deep Security Appliance. The Agent does not support filtering SSL connections on which SSL compression is implemented.

For information on setting up SSL filtering, see SSL Data Streams.

NSX Security Tagging

Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.

NSX Security Tags are part of the VMware vSphere NSX environment and are not to be confused with Deep Security Event Tags. For more information on Deep Security Event Tagging, see Event Tagging.

Intrusion Prevention Events have a severity level that is determined by the severity level of the Intrusion Prevention Rule that caused it.

The severity level of an Intrusion Prevention Rule is configurable on the Rule Properties > General tab.

Intrusion Prevention Rule severity levels map to NSX tags as follows:

IPS Rule Severity	NSX Security Tag
Critical	IDS_IPS.threat=high
High	IDS_IPS.threat=high
Medium	IDS_IPS.threat=medium
Low	IDS_IPS.threat=low

You can configure the sensitivity of the tagging mechanism by specifying the minimum Intrusion Prevention severity level that will cause an NSX security tag to be applied to a VM.

The options for the Minimum rule severity to trigger application of an NSX Security Tag setting are:

Default (No Tagging): No NSX tag is applied.
Critical: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Critical is triggered.
High: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of High or Critical is triggered.
Medium: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Medium, High, or Critical is triggered.
Low: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Low, Medium, High, or Critical is triggered.

Separate settings are provided for Rules that are operating in Prevent mode and for Rules that operating in Detect-only mode.

Whether an IPS Rule is operating in Prevent or Detect-only mode is determined not only by the Intrusion Prevention module setting (Computer/Policy Editor > Intrusion Prevention > General tab), but also by the configuration of the individual Rule itself (Rule Properties > General tab > Details).