Vulnerability Protection Profile
Vulnerability protection profiles define rules for detecting and preventing exploitation of known vulnerabilities. The scm CLI provides commands to create, update, delete, and load vulnerability protection profiles.
Overview
The vulnerability-protection-profile commands allow you to:
- Create vulnerability protection profiles with severity-based blocking rules
- Update existing profile configurations
- Delete profiles that are no longer needed
- Bulk import profiles from YAML files
- Export profiles for backup or migration
Set Vulnerability Protection Profile
Create or update a vulnerability protection profile.
Syntax
Options
| Option | Description | Required |
|---|---|---|
| `--folder TEXT` | Folder location | No* |
| `--snippet TEXT` | Snippet location | No* |
| `--device TEXT` | Device location | No* |
| `--name TEXT` | Profile name | Yes |
| `--description TEXT` | Profile description | No |
| `--block-critical-high` | Add default rule to block critical and high severity vulnerabilities | No |

\* One of `--folder`, `--snippet`, or `--device` is required.
Examples
Create Basic Profile
```console
$ scm set security vulnerability-protection-profile \
    --folder Texas \
    --name strict-vuln \
    --description "Block critical vulnerabilities"
---> 100%
Created vulnerability protection profile: strict-vuln in folder Texas
```
Create Profile with Block Critical/High Rule
```console
$ scm set security vulnerability-protection-profile \
    --folder Texas \
    --name vuln-protection \
    --block-critical-high
---> 100%
Created vulnerability protection profile: vuln-protection in folder Texas
```
Delete Vulnerability Protection Profile
Delete a vulnerability protection profile from SCM.
Syntax
Options
| Option | Description | Required |
|---|---|---|
| `--folder TEXT` | Folder location | No* |
| `--snippet TEXT` | Snippet location | No* |
| `--device TEXT` | Device location | No* |
| `--name TEXT` | Profile name to delete | Yes |
| `--force` | Skip confirmation prompt | No |

\* One of `--folder`, `--snippet`, or `--device` is required.
Example
```console
$ scm delete security vulnerability-protection-profile \
    --folder Texas \
    --name strict-vuln \
    --force
---> 100%
Deleted vulnerability protection profile: strict-vuln from folder Texas
```
Load Vulnerability Protection Profile
Load multiple vulnerability protection profiles from a YAML file.
Syntax
Options
| Option | Description | Required |
|---|---|---|
| `--file TEXT` | Path to YAML file containing profile definitions | Yes |
| `--folder TEXT` | Override folder location for all profiles | No |
| `--snippet TEXT` | Override snippet location for all profiles | No |
| `--device TEXT` | Override device location for all profiles | No |
| `--dry-run` | Preview changes without applying them | No |
YAML File Format
```yaml
---
vulnerability_protection_profiles:
  - name: strict-vuln
    folder: Texas
    description: "Block critical vulnerabilities"
  - name: vuln-protection
    folder: Texas
    description: "Standard vulnerability protection"
```
Examples
Load with Original Locations
```console
$ scm load security vulnerability-protection-profile \
    --file vuln-profiles.yaml
---> 100%
✓ Loaded vulnerability protection profile: strict-vuln
✓ Loaded vulnerability protection profile: vuln-protection
Successfully loaded 2 out of 2 vulnerability protection profiles from 'vuln-profiles.yaml'
```
Load with Folder Override
```console
$ scm load security vulnerability-protection-profile \
    --file vuln-profiles.yaml \
    --folder Austin
---> 100%
✓ Loaded vulnerability protection profile: strict-vuln
✓ Loaded vulnerability protection profile: vuln-protection
Successfully loaded 2 out of 2 vulnerability protection profiles from 'vuln-profiles.yaml'
```
Note
When using container override options (--folder, --snippet, --device), all profiles will be loaded into the specified container, ignoring the container specified in the YAML file.
Show Vulnerability Protection Profile
Display vulnerability protection profile objects.
Syntax
Options
| Option | Description | Required |
|---|---|---|
| `--folder TEXT` | Folder location | No* |
| `--snippet TEXT` | Snippet location | No* |
| `--device TEXT` | Device location | No* |
| `--name TEXT` | Profile name to display | No |

\* One of `--folder`, `--snippet`, or `--device` is required.
Note
When no --name is specified, all items are listed by default.
Examples
Show Specific Profile
```console
$ scm show security vulnerability-protection-profile \
    --folder Texas \
    --name strict-vuln
---> 100%
Vulnerability Protection Profile: strict-vuln
Location: Folder 'Texas'
Description: Block critical vulnerabilities
```
List All Profiles (Default Behavior)
```console
$ scm show security vulnerability-protection-profile --folder Texas
---> 100%
Vulnerability Protection Profiles in folder 'Texas':
------------------------------------------------------------
Name: strict-vuln
Description: Block critical vulnerabilities
------------------------------------------------------------
Name: vuln-protection
Description: Standard vulnerability protection
------------------------------------------------------------
```
Backup Vulnerability Protection Profiles
Back up all vulnerability protection profile objects from a specified location to a YAML file.
Syntax
Options
| Option | Description | Required |
|---|---|---|
| `--folder TEXT` | Folder to back up profiles from | No* |
| `--snippet TEXT` | Snippet to back up profiles from | No* |
| `--device TEXT` | Device to back up profiles from | No* |
| `--file TEXT` | Output filename (defaults to auto-generated) | No |

\* One of `--folder`, `--snippet`, or `--device` is required.
Examples
Backup from Folder
```console
$ scm backup security vulnerability-protection-profile --folder Texas
---> 100%
Successfully backed up 5 vulnerability protection profiles to vulnerability_protection_profile_folder_texas_20240115_120530.yaml
```
Backup with Custom Filename
```console
$ scm backup security vulnerability-protection-profile \
    --folder Texas \
    --file texas-vuln-profiles.yaml
---> 100%
Successfully backed up 5 vulnerability protection profiles to texas-vuln-profiles.yaml
```
Best Practices
- Block Critical and High Severity: Use `--block-critical-high` to automatically block exploitation attempts for the most dangerous vulnerabilities.
- Use Descriptive Names: Name profiles to reflect their protection level and purpose (e.g., `strict-vuln`, `standard-protection`).
- Apply to Security Rules: Attach vulnerability protection profiles to security rules using the `--vulnerability` option on rules.
- Backup Before Changes: Always back up existing profiles before making bulk modifications via load commands.
- Keep Profiles Updated: Regularly review and update profiles as new vulnerability signatures become available.
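
The backup-before-load practice above, combined with `--dry-run`, as an added example (not part of the scm documentation or project code). It uses only the subcommands and options shown on this page and assumes `scm` exits non-zero on failure; the function name and backup filename are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the scm project): back up, preview, then load.
# Assumption: scm exits non-zero when a command fails.

# safe_load_vuln_profiles FOLDER FILE [BACKUP_DIR]
# Returns 0 only if backup, dry run and load all succeed; 2 on bad arguments.
safe_load_vuln_profiles() {
    local folder="$1" file="$2" backup_dir="${3:-.}"
    local obj="vulnerability-protection-profile"
    local backup

    if [ -z "$folder" ] || [ -z "$file" ]; then
        echo "usage: safe_load_vuln_profiles FOLDER FILE [BACKUP_DIR]" >&2
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "cannot read profile file: $file" >&2
        return 2
    fi

    # Constructed filename; any path accepted by --file works.
    backup="${backup_dir}/pre-load_${folder}_$(date +%Y%m%d_%H%M%S).yaml"

    # 1. Snapshot the folder that the load will write to. --folder on load
    #    overrides the container named in the YAML, so back up that folder.
    if ! scm backup security "$obj" --folder "$folder" --file "$backup"; then
        echo "backup failed; nothing loaded" >&2
        return 1
    fi

    # 2. Preview with --dry-run; stop here if the preview reports an error.
    if ! scm load security "$obj" --file "$file" --folder "$folder" --dry-run; then
        echo "dry run failed; nothing loaded (backup: $backup)" >&2
        return 1
    fi

    # 3. Apply the same file to the same folder.
    if ! scm load security "$obj" --file "$file" --folder "$folder"; then
        echo "load failed; previous state is in $backup" >&2
        return 1
    fi
    echo "loaded $file into folder $folder; previous state is in $backup"
}
```

Passing the same `--folder` to both the backup and the load keeps the snapshot aligned with the container that actually changes, since the override ignores the folder named in the YAML file.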