Configuring Security Profile Groups

Overview

When Designer creates a new rule, its Security Profile Groups are set to None by default. You can change this default in the stconf file by configuring Security Profiles globally or per Device Management ID.

This procedure is relevant for Palo Alto and Fortinet devices.

See also Configuring a Log Forwarding Profile.

Prerequisites

  • Profile defined on the device.

Configure the Security Profile Group

Configure the Security Profile Groups for rules created in Designer. You can either define a single, global profile that applies across all devices, or define individual profiles per Device Management ID.

  1. Navigate to: https://<SecureTrack_IP>/securetrack/admin/stcgitest.htm

  2. Navigate to Edit StConf > Fetch Current StConf.

  3. In the stconf file, navigate to the Designer_Default_Profiles section.

  4. Add the Security_Profile_Group:

    <Designer_Default_Profiles>
        <Security_Profile_Group>
            <Profile>name_of_security_profile_group</Profile>
            <Profile management="device_management_id">name_of_security_profile_group2</Profile>
        </Security_Profile_Group>
    </Designer_Default_Profiles>

    where:

    • <Profile>...</Profile> defines the default global Security Profile Group.
      For example, <Profile>name_of_security_profile_group</Profile> defines name_of_security_profile_group as the default global Security Profile Group.

    • <Profile management="device_management_id">...</Profile> defines the specific profile for the device with the specified Device Management ID.
      For example, <Profile management="11">name_of_security_profile_group2</Profile> defines name_of_security_profile_group2 as the specific Security Profile Group for the device with Device Management ID 11.

    For Palo Alto Panorama devices: When a profile is set per Device Management ID, the configuration also applies to all Device Groups beneath it in the hierarchy. When the configured profile is not found on the device, the global default is used. If no global default is found, none is used.

  5. Click Submit New Conf.

Example

Below is an example with multiple Log Forwarding and Security profiles configured.

<Designer_Default_Profiles>
    <Log_Forwarding_Profile>
       <Profile>log_profile1</Profile>
       <Profile management="7">log_profile2</Profile>
       <Profile management="10">log_profile3</Profile>
       <Profile management="20">log_profile4</Profile>
    </Log_Forwarding_Profile>
    <Security_Profile_Group>
       <Profile>security_profile1</Profile>
       <Profile management="7">security_profile2</Profile>
       <Profile management="10">security_profile3</Profile>
       <Profile management="20">security_profile4</Profile>
    </Security_Profile_Group>
</Designer_Default_Profiles>
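
The fallback rules described above mean that a mistyped profile name does not produce an error: the rule is created with the global default, or with no Security Profile Group at all. The following added example (not part of the product or of the original page) models that resolution in Python against the Security_Profile_Group part of the example fragment, so the effective profile can be checked per device before submitting the configuration. The `ancestors` and `on_device` inputs are hypothetical stand-ins for the Panorama hierarchy and the device's profile inventory, and the handling of a configured-but-missing profile is an assumption based on the text above.

```python
import xml.etree.ElementTree as ET

# Copy of the page's example fragment (Security_Profile_Group part only).
STCONF_FRAGMENT = """
<Designer_Default_Profiles>
    <Security_Profile_Group>
       <Profile>security_profile1</Profile>
       <Profile management="7">security_profile2</Profile>
       <Profile management="10">security_profile3</Profile>
       <Profile management="20">security_profile4</Profile>
    </Security_Profile_Group>
</Designer_Default_Profiles>
"""

def load_profiles(xml_text, section="Security_Profile_Group"):
    """Return (global_default, {management_id: profile_name}) for one section."""
    node = ET.fromstring(xml_text).find(section)
    global_default, per_device = None, {}
    for p in (node.findall("Profile") if node is not None else []):
        name = (p.text or "").strip()
        if p.get("management") is None:
            global_default = name or None
        else:
            per_device[p.get("management")] = name
    return global_default, per_device

def resolve(mgmt_id, ancestors, on_device, global_default, per_device):
    """Model of the documented fallback; returns (profile_or_None, reason).

    ancestors: parent management IDs, nearest first (hypothetical input that
    stands in for the Panorama Device Group hierarchy).
    on_device: profile group names that actually exist on the device.
    """
    for mid in [mgmt_id, *ancestors]:
        name = per_device.get(mid)
        if name is None:
            continue
        if name in on_device:
            return name, f"management={mid}"
        break  # assumption: a configured-but-missing profile goes to global
    if global_default is not None and global_default in on_device:
        return global_default, "global default"
    return None, "none: rule gets no Security Profile Group"

if __name__ == "__main__":
    g, per = load_profiles(STCONF_FRAGMENT)
    # Constructed inventory: device 10 lacks security_profile3 (e.g. a typo).
    print(resolve("10", [], {"security_profile1"}, g, per))
```

Any device for which `resolve` returns the global default or `None` when a per-device profile was intended is worth reviewing, because rules created by Designer on that device will not carry the expected profile group.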