Create Infected Hosts Profile
Infected hosts are local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms of compromise. Create an Infected Hosts profile to configure the feeds and the threat score that are used to list the IP address or IP subnet of a compromised host.

To create an Infected Hosts profile:

- Click SRX > Security Subscriptions > SecIntel > Profiles. The SecIntel Profiles page appears.
- Select Create > Infected Hosts. The Create Infected Hosts Profile page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. To discard your changes, click Cancel.
Once you create the Infected Hosts profile, you can associate it with the SecIntel profile groups.
Table 1: Fields on the Create Infected Hosts Profile Page

| Field | Action |
| --- | --- |
| Name | Enter a name for the Infected Hosts profile. The name must be a unique string of alphanumeric and special characters, 63 characters maximum. Special characters such as < and > are not allowed. |
| Description | Enter a description for the Infected Hosts profile. |
| Default action for all feeds | Drag the slider to change the action taken for all feed types. The actions by threat score are Permit (1-4), Log (5-6), and Block (7-10). Log permits the traffic and also logs the event. |
| Specific action for feeds | 1. Click + to add feeds and a threat score to the Infected Hosts profile. The Add Feeds window appears. 2. Enter the following details: Feeds: select one or more feeds from the Available column and move them to the Selected column to associate them with the Infected Hosts profile. Threat score: drag the slider to change the action taken based on the threat score. 3. Click OK. |
| Block action | Select one of the following block actions from the list: Drop Packets (the device silently drops the session's packets and the session eventually times out) or Close session (the device sends a TCP RST packet to both the client and the server, and the session is dropped immediately). |
| Close session options | Select one of the following options from the list: None, Redirect URL, or Redirect message. |
| Redirect URL | Enter a remote file URL to which users are redirected when connections are closed. |
| Redirect message | Enter a custom message to send to users when connections are closed. |
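As an added illustration (not part of this page or of Juniper's software), the following Python model shows how the Table 1 settings combine when a session from a listed host is evaluated: feed-specific thresholds override the default slider, Log keeps the permit action while recording the event, and the block action and close-session options only take effect once the score reaches Block. The feed names, host address, redirect URL and the threshold model (the slider represented as two score boundaries) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Threat-score bands from Table 1: Permit (1-4), Log (5-6), Block (7-10).
# Modelling the slider as the two band boundaries below is an assumption.
@dataclass
class ScoreBands:
    log_from: int = 5     # lowest score that is logged
    block_from: int = 7   # lowest score that is blocked

    def action(self, score: int) -> str:
        if not 1 <= score <= 10:
            raise ValueError(f"threat score out of range: {score}")
        if score >= self.block_from:
            return "block"
        return "log" if score >= self.log_from else "permit"

@dataclass
class InfectedHostsProfile:
    name: str
    default_bands: ScoreBands = field(default_factory=ScoreBands)
    # "Specific action for feeds": per-feed bands override the default slider
    feed_bands: Dict[str, ScoreBands] = field(default_factory=dict)
    block_action: str = "drop"      # "drop" (Drop Packets) or "close" (Close session)
    close_option: str = "none"      # "none", "redirect-url" or "redirect-message"
    redirect: Optional[str] = None  # URL or message text used by close_option

    def evaluate(self, host_ip: str, feed: str, score: int) -> dict:
        """Decide what happens to a session from a host listed by `feed` with `score`."""
        bands = self.feed_bands.get(feed, self.default_bands)
        action = bands.action(score)
        decision = {"host": host_ip, "feed": feed, "score": score,
                    "action": "permit" if action == "log" else action,  # Log = permit + log
                    "logged": action == "log"}
        if action == "block":  # block action and close options only matter here
            decision["block_action"] = self.block_action
            if self.block_action == "close" and self.close_option != "none":
                decision[self.close_option] = self.redirect
        return decision

# Constructed sample: default slider, tighter bands for one hypothetical feed,
# Close session with a placeholder redirect URL.
PROFILE = InfectedHostsProfile(
    name="ih-profile-demo",
    feed_bands={"cc-feed-demo": ScoreBands(log_from=3, block_from=5)},
    block_action="close", close_option="redirect-url",
    redirect="https://redirect.example/blocked",  # placeholder value
)
```

Calling `PROFILE.evaluate("192.0.2.10", "cc-feed-demo", 6)` returns a block decision carrying the close action and redirect URL, while the same score on a feed without an override is permitted and logged under the default bands.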