Configure Policy, Computer, and System Settings

Settings control some of the behaviors of protection modules and the Deep Security Manager platform. Therefore, many tasks that you automate using the API require you to configure settings. It is important that you understand the types of settings, their scope, and how to configure them.

You use policy extension objects, computer extension objects, and common objects to configure many behaviors of the protection modules:

Setting classes

The Deep Security SDKs provide several classes for storing settings. These classes are used to pass setting values between Deep Security Manager and SDK or API clients. Each class of settings has different scopes and purposes.

  • DefaultPolicySettings: Control certain behaviors of protection modules for top-level policies. Note that child policies inherit the settings of their parent policy unless they override them. Therefore, a DefaultPolicySettings setting is used by policies down the hierarchy until a policy overrides it.
  • PolicySettings: Control certain behaviors of protection modules at the policy level. These settings override the settings that are inherited from the parent policy or, for top-level policies, override the default policy settings.
  • ComputerSettings: Control certain behaviors of protection modules at the computer level. These settings override the policy settings of the policy that the computer is assigned.
  • SystemSettings: Control certain Deep Security Manager platform behaviors, protection module event severity and retention times, and Firewall connectivity test behaviors. These settings have a global scope and apply to the entire system. You cannot override system settings at the policy or computer level.

The settings of the DefaultPolicySettings, PolicySettings, and ComputerSettings classes are identical, with a few exceptions.

For more information about the policy hierarchy and inheritance, see Policies, inheritance, and overrides in the Deep Security Help Center.
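
The override order described above (computer settings over policy settings, child policies over parents, default policy settings last) can be checked offline against a required baseline. The following is an added example, not code from the Deep Security SDK: PolicyNode, ComputerNode, the BASELINE values, and the sample fleet are constructed for illustration, and it assumes each level's exported data contains only the settings that level overrides.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed baseline (an assumption for this example, not vendor guidance).
# All setting values are strings, as in the API.
BASELINE = {
    "firewallSettingNetworkEngineMode": "Inline",
    "firewallSettingReconnaissanceEnabled": "true",
    "platformSettingAgentSelfProtectionEnabled": "true",
}


@dataclass
class PolicyNode:
    """Hypothetical model of a policy: holds only the settings it overrides."""
    name: str
    parent: Optional["PolicyNode"] = None
    overrides: Dict[str, str] = field(default_factory=dict)


@dataclass
class ComputerNode:
    """Hypothetical model of a computer and its computer-level overrides."""
    name: str
    policy: PolicyNode
    overrides: Dict[str, str] = field(default_factory=dict)


def resolve(computer: ComputerNode, setting: str,
            defaults: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (effective value, scope that supplied it) for one setting."""
    # 1. Computer settings override the assigned policy.
    if setting in computer.overrides:
        return computer.overrides[setting], f"computer:{computer.name}"
    # 2. Walk from the assigned policy up through its parents.
    policy, seen = computer.policy, set()
    while policy is not None:
        if id(policy) in seen:
            raise ValueError("policy hierarchy contains a cycle")
        seen.add(id(policy))
        if setting in policy.overrides:
            return policy.overrides[setting], f"policy:{policy.name}"
        policy = policy.parent
    # 3. Nothing in the chain overrides it: the default policy setting applies.
    if setting in defaults:
        return defaults[setting], "default"
    return None, "unset"


def audit(computers: List[ComputerNode], defaults: Dict[str, str],
          baseline: Dict[str, str] = BASELINE
          ) -> List[Tuple[str, str, Optional[str], str]]:
    """List (computer, setting, effective value, scope) for baseline deviations."""
    findings = []
    for computer in computers:
        for setting, required in sorted(baseline.items()):
            value, scope = resolve(computer, setting, defaults)
            if value is None or value.lower() != required.lower():
                findings.append((computer.name, setting, value, scope))
    return findings


def sample_fleet() -> Tuple[List[ComputerNode], Dict[str, str]]:
    """Constructed sample data: three computers under a two-level hierarchy."""
    defaults = {
        "firewallSettingNetworkEngineMode": "Inline",
        "firewallSettingReconnaissanceEnabled": "true",
        "platformSettingAgentSelfProtectionEnabled": "false",
    }
    base = PolicyNode("Base", overrides={
        "platformSettingAgentSelfProtectionEnabled": "true"})
    web = PolicyNode("Web", parent=base, overrides={
        "firewallSettingNetworkEngineMode": "Tap"})
    db = PolicyNode("DB", parent=base)
    computers = [
        ComputerNode("web-01", web),
        # Computer-level override restores the baseline value.
        ComputerNode("web-02", web, {"firewallSettingNetworkEngineMode": "Inline"}),
        # Computer-level override weakens what the parent policy set.
        ComputerNode("db-01", db, {"platformSettingAgentSelfProtectionEnabled": "false"}),
    ]
    return computers, defaults


if __name__ == "__main__":
    fleet, default_settings = sample_fleet()
    for name, setting, value, scope in audit(fleet, default_settings):
        print(f"{name}: {setting} = {value!r} (set at {scope})")
```

The scope in each finding shows where to correct the value: at the computer, at a specific policy in the chain, or in the default policy settings.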

Retrieve settings

The way you retrieve settings from Deep Security Manager depends on the setting class.

  • Default policy settings: Use a PoliciesApi object to get a DefaultPolicySettings object from the manager.
  • Policy settings: Use a PoliciesApi object to get a Policy object for a policy from the manager. Then, get a PolicySettings object from the Policy object.
  • Computer settings: Use a ComputersApi object to get a Computer object from the manager. Then, get a ComputerSettings object from the Computer object.
  • System settings: Use a SystemSettingsApi object to get a SystemSettings object from the manager.

Example: Retrieve policy settings (firewall network engine mode)

Python
def get_network_engine_mode(api, configuration, api_version, api_exception, policy_id):
    """ Gets the value of the firewall_setting_network_engine_mode property of a policy.

    :param api: The Deep Security API modules.
    :param configuration: Configuration object to pass to the api client.
    :param api_version: The version of the API to use.
    :param api_exception: The Deep Security API exception module.
    :param policy_id: The id of the policy to get the firewall_setting_network_engine_mode value from.
    :return: A string with the firewall_setting_network_engine_mode value.
    """

    # Get the policy details from Deep Security Manager
    policies_api = api.PoliciesApi(api.ApiClient(configuration))

    try:
        policy = policies_api.describe_policy(policy_id, api_version, overrides=False)
        policy_settings = policy.policy_settings

        # Get the setting value
        network_engine_mode_value = policy_settings.firewall_setting_network_engine_mode

        return network_engine_mode_value

    except api_exception as e:
        return "Exception: " + str(e)
JavaScript
 /*
  * Retrieves the value of the FirewallSettingNetworkEngineMode property of a policy.
  * @param {Object} api The Deep Security API modules.
  * @param {String} policyID The ID of the policy.
  * @param {String} apiVersion The API version to use. 
  * @returns {Promise} A promise that resolves to the property value.
  */
exports.getNetworkEngineMode = function(api, policyID, apiVersion) {
  return new Promise((resolve, reject) => {
    // Get the policy from Deep Security Manager
    const policiesApi = new api.PoliciesApi();
    policiesApi.describePolicy(policyID, apiVersion, { overrides: false })
    .then(policy => {
      // Resolve with the setting value
      resolve(policy.policySettings.firewallSettingNetworkEngineMode.value);
    })
    .catch(error => {
      reject(error);
    });
  });
};
Java
/*
 * Gets the value of the Network Engine Mode setting for a policy.
 * @param policyID The ID of the policy.
 * @returns A String that contains the setting value.
 */
public static String getNetworkEngineMode(Integer policyID) {
	SettingValue networkEngineModeValue = null;
	PoliciesApi policiesApi = new PoliciesApi();
	try {
		Policy policy = policiesApi.describePolicy(policyID, false, "v1");
		PolicySettings policySettings = policy.getPolicySettings();
		networkEngineModeValue = policySettings.getFirewallSettingNetworkEngineMode();
		
	} catch (ApiException e) {
		e.printStackTrace();
	}
	
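	// Return null if the API call failed and no value was retrieved
	return networkEngineModeValue == null ? null : networkEngineModeValue.getValue();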
}

Configure settings

For each class of settings, you create the settings object and set a value in the same way:

  1. Create a SettingValue object and set the value (all values are strings). When settings accept one value from a list of choices, you can either use the ID of the choice or the exact wording of the choice as it appears in the Deep Security Manager console.
  2. Create an object from the settings class (DefaultPolicySettings, PolicySettings, ComputerSettings, or SystemSettings).
  3. Set the value of the setting to the SettingValue object.

You can configure as many settings as required in the same settings object.

For each class of settings, the way you modify the setting on Deep Security Manager is slightly different:

  • Default policy settings: Use a PoliciesApi object to modify the DefaultPolicySettings object on the manager.
  • Policy settings: Add the PolicySettings object to a Policy object. Then, use the PoliciesApi class to modify the policy on the manager.
  • Computer settings: Add the ComputerSettings object to a Computer object. Then, use a ComputersApi object to modify the Computer object on the manager.
  • System settings: Use a SystemSettings object to modify the SystemSettings object on the manager.

Deep Security Manager validates all modified settings before persisting the values. If one or more settings in the object is invalid, none of the modified settings are persisted. The error response includes the reason for each failure.

Deep Security Manager validates setting values one by one without considering possible interdependencies of the settings.

Example: Configure a system setting for a policy (Firewall network engine mode)

For an example of configuring a system setting, see Example: Set the maximum number of sessions for a user.

Python
def set_network_engine_mode_to_inline(api, configuration, api_version, api_exception, policy_id):
    """ Sets the value of the firewall_setting_network_engine_mode property of a policy.

    :param api: The Deep Security API modules.
    :param configuration: Configuration object to pass to the api client.
    :param api_version: The version of the API to use.
    :param api_exception: The Deep Security API exception module.
    :param policy_id: The id of the policy to set the firewall_setting_network_engine_mode value on.
    :return: A Policy object that contains the modified policy.
    """

    # Create a SettingValue object and set the value to either "Inline" or "Tap"
    network_engine_mode_value = api.SettingValue()
    network_engine_mode_value.value = "Inline"
    policies_api = api.PoliciesApi(api.ApiClient(configuration))

    try:
        # Get the policy from Deep Security Manager and add the setting value
        policy = policies_api.describe_policy(policy_id, api_version)
        policy_settings = policy.policy_settings
        policy_settings.firewall_setting_network_engine_mode = network_engine_mode_value

        # Modify the policy on the Deep Security Manager.
        return policies_api.modify_policy(policy_id, policy, api_version, overrides=False)

    except api_exception as e:
        return "Exception: " + str(e)
JavaScript
 /*
  * Sets the value of the FirewallSettingNetworkEngineMode property of a policy to Inline.
  * @param {Object} api The Deep Security API modules.
  * @param {String} policyID The ID of the policy.
  * @param {String} apiVersion The API version to use. 
  * @returns {Promise} A promise that resolves to the new value of FirewallSettingNetworkEngineMode.
  */
exports.setNetworkEngineModeToInline = function(api, policyID, apiVersion) {
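  return new Promise((resolve, reject) => {
    // Create the setting value
    const networkEngineModeValue = new api.SettingValue();
    networkEngineModeValue.value = "Inline";

    // Create a policy settings object and add the setting value
    const policySettings = new api.PolicySettings();
    policySettings.firewallSettingNetworkEngineMode = networkEngineModeValue;

    // Create a policy and add the policy settings
    const policy = new api.Policy();
    policy.policySettings = policySettings;

    // Modify the policy on Deep Security Manager.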
    const policiesApi = new api.PoliciesApi();
    policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false })
    .then(returnedPolicy => {
      resolve(returnedPolicy.policySettings.firewallSettingNetworkEngineMode.value);
    })
    .catch(error => {
      reject(error);
    });
    
  });
};
Java
/*
 * Sets the value of the Network Engine Mode setting for a policy.
 * @param policyID The ID of the policy.
 */
public static void setNetworkEngineModeToInline(Integer policyID) {
	// Create the setting value
	SettingValue networkEngineModeValue = new SettingValue();
	networkEngineModeValue.setValue("Inline");
	
	PolicySettings policySettings = new PolicySettings();
	policySettings.setFirewallSettingNetworkEngineMode(networkEngineModeValue);
	
	Policy policy = new Policy();
	policy.setPolicySettings(policySettings);

	// Modify the policy on Deep Security Manager
	PoliciesApi policiesApi = new PoliciesApi();
	try {
		policiesApi.modifyPolicy(policyID, policy, false, "v1");
	} catch (ApiException e) {
		e.printStackTrace();
	}
}

Settings reference

The following tables list the settings that are available in the API with a description.
Setting names are prefixed with platform or the name of the associated protection module. Suffixes can indicate the nature of the setting. For example, the Enabled suffix indicates a Boolean value.

We are continuously adding settings and improving the descriptions, so periodically check for updates.

Default policy, policy, and computer settings

The following table lists the settings that are included in default policy settings, policy settings, and computer settings. Note that these settings are included only in DefaultPolicySettings:

  • antiMalwareSettingState
  • applicationControlSettingState
  • firewallSettingState
  • integrityMonitoringSettingState
  • logInspectionSettingState
  • sapSettingState
  • webReputationSettingState

Setting Description
Anti-Malware Settings
antiMalwareSettingBehaviorMonitoringScanExclusionList Scan Exclusions for Suspicious Activity/Unauthorized Change
antiMalwareSettingCombinedModeProtectionSource Anti-Malware
antiMalwareSettingConnectedThreatDefenseSuspiciousFileDdanSubmissionEnabled Submit files identified as suspicious by Document Exploit Protection scanning to Deep Discovery Analyzer
antiMalwareSettingConnectedThreatDefenseUseControlManagerSuspiciousObjectListEnabled Use Control Manager’s Suspicious Object List
antiMalwareSettingDocumentExploitProtectionRuleExceptions Allowed Advanced Threat Detection Rules
antiMalwareSettingFileHashEnabled Calculate Hash values of all anti-malware events (at least SHA1 by default)
antiMalwareSettingFileHashMd5Enabled MD5
antiMalwareSettingFileHashSha256Enabled SHA256
antiMalwareSettingFileHashSizeMaxMbytes Skip hash values calculation if file size is larger than (64MB~512MB)
antiMalwareSettingIdentifiedFilesSpaceMaxMbytes Maximum disk space used to store identified files
antiMalwareSettingMalwareScanMultithreadedProcessingEnabled Use multithreaded processing for Malware scans (if available)
antiMalwareSettingNsxSecurityTaggingEnabled Anti-Malware NSX Security Tagging State
antiMalwareSettingNsxSecurityTaggingOnRemediationFailureEnabled Anti-Malware NSX Only Tag on Failure to Remediate
antiMalwareSettingNsxSecurityTaggingRemoveOnCleanScanEnabled Anti-Malware NSX Remove Tag
antiMalwareSettingNsxSecurityTaggingValue Anti-Malware NSX Security Tag
antiMalwareSettingPredictiveMachineLearningExceptions Predictive Machine Learning Exclusion List
antiMalwareSettingScanCacheOnDemandConfigId Anti-Malware On Demand Scan Cache Configuration
antiMalwareSettingScanCacheRealTimeConfigId Anti-Malware Real-Time Scan Cache Configuration
antiMalwareSettingScanFileSizeMaxMbytes Maximum file size to scan
antiMalwareSettingSmartProtectionGlobalServerEnabled Use Global Smart Protection Service for Smart Scan
antiMalwareSettingSmartProtectionGlobalServerUseProxyEnabled Use Proxy when accessing Smart Protection Service for Smart Scan
antiMalwareSettingSmartProtectionLocalServerAllowOffDomainGlobal When off domain, connect to global Smart Protection Service. (Windows only)
antiMalwareSettingSmartProtectionLocalServerUrls Local Smart Protection Servers for Smart Scan
antiMalwareSettingSmartProtectionServerConnectionLostWarningEnabled Warn if connection to Smart Protection Server is lost
antiMalwareSettingSmartScanState Smart Scan State
antiMalwareSettingSpywareApprovedList Allowed Spyware/Grayware
antiMalwareSettingState (Default policy settings only) Anti-Malware State
antiMalwareSettingSyslogConfigId Anti-Malware Syslog Configuration
antiMalwareSettingVirtualApplianceOnDemandScanCacheEntriesMax Max On-Demand Malware Scan Cache Entries
antiMalwareSettingVirtualApplianceRealTimeScanCacheEntriesMax Max Real-Time Malware Scan Cache Entries
Application Control Settings
applicationControlSettingExecutionEnforcementLevel Enforcement:
applicationControlSettingRulesetMode Ruleset mode:
applicationControlSettingSharedRulesetId Shared Application Control Ruleset
applicationControlSettingState (Default policy settings only) Application Control State
applicationControlSettingSyslogConfigId Application Control Syslog Configuration
Firewall Settings
firewallSettingAntiEvasionCheckEvasiveRetransmit Evasive Retransmit
firewallSettingAntiEvasionCheckFinNoConnection FIN packet out of connection
firewallSettingAntiEvasionCheckFragmentedPackets Fragmented Packets
firewallSettingAntiEvasionCheckOutNoConnection Outgoing packet out of connection
firewallSettingAntiEvasionCheckPaws Invalid TCP Timestamps
firewallSettingAntiEvasionCheckRstNoConnection RST packet out of connection
firewallSettingAntiEvasionCheckTcpChecksum TCP Checksum
firewallSettingAntiEvasionCheckTcpCongestionFlags TCP Congestion Flags
firewallSettingAntiEvasionCheckTcpPawsZero Timestamp PAWS Zero Allowed
firewallSettingAntiEvasionCheckTcpRstFinFlags TCP Rst Fin Flags
firewallSettingAntiEvasionCheckTcpSplitHandshake TCP Split Handshake
firewallSettingAntiEvasionCheckTcpSynFinFlags TCP Syn Fin Flags
firewallSettingAntiEvasionCheckTcpSynRstFlags TCP Syn Rst Flags
firewallSettingAntiEvasionCheckTcpSynWithData TCP Syn with Data
firewallSettingAntiEvasionCheckTcpUrgentFlags TCP Urgent Flags
firewallSettingAntiEvasionCheckTcpZeroFlags TCP Zero Flags
firewallSettingAntiEvasionSecurityPosture Anti-Evasion Posture
firewallSettingAntiEvasionTcpPawsWindowPolicy TCP Timestamp PAWS Window
firewallSettingCombinedModeProtectionSource Firewall
firewallSettingConfigPackageExceedsAlertMaxEnabled Advanced – Generate an Alert when Agent configuration package exceeds maximum size
firewallSettingEngineOptionAckTimeout ACK Storm Timeout
firewallSettingEngineOptionAllowNullIpEnabled Allow Null IP
firewallSettingEngineOptionBlockIpv6Agent8AndEarlierEnabled Advanced – Block IPv6 on Agents and Appliances versions 8 and earlier
firewallSettingEngineOptionBlockIpv6Agent9AndLaterEnabled Advanced – Block IPv6 on Agents and Appliances versions 9 and later
firewallSettingEngineOptionBlockSameSrcDstIpEnabled Block Same Src-Dest IP Address
firewallSettingEngineOptionBootStartTimeout Boot Start Timeout
firewallSettingEngineOptionBypassCiscoWaasConnectionsEnabled Bypass Cisco WAAS Connections
firewallSettingEngineOptionCloseTimeout CLOSED Timeout
firewallSettingEngineOptionCloseWaitTimeout CLOSE_WAIT Timeout
firewallSettingEngineOptionClosingTimeout CLOSING Timeout
firewallSettingEngineOptionColdStartTimeout Cold Start Timeout
firewallSettingEngineOptionConnectionCleanupTimeout Connection Cleanup Timeout
firewallSettingEngineOptionConnectionsCleanupMax Maximum Connections per Cleanup
firewallSettingEngineOptionConnectionsNumIcmpMax Maximum ICMP Connections
firewallSettingEngineOptionConnectionsNumTcpMax Maximum TCP Connections
firewallSettingEngineOptionConnectionsNumUdpMax Maximum UDP Connections
firewallSettingEngineOptionDebugModeEnabled Enable Debug Mode
firewallSettingEngineOptionDebugPacketNumMax Number of Packets to retain in Debug Mode
firewallSettingEngineOptionDisconnectTimeout DISCONNECT Timeout
firewallSettingEngineOptionDrop6To4BogonsAddressesEnabled Drop 6to4 Bogon Addresses
firewallSettingEngineOptionDropEvasiveRetransmitEnabled Drop Evasive Retransmit
firewallSettingEngineOptionDropIpZeroPayloadEnabled Drop IP Packet with Zero Payload
firewallSettingEngineOptionDropIpv6BogonsAddressesEnabled Drop IPv6 Bogon Addresses
firewallSettingEngineOptionDropIpv6ExtType0Enabled Drop IPv6 Extension Type 0
firewallSettingEngineOptionDropIpv6FragmentsLowerThanMinMtuEnabled Drop IPv6 Fragments Lower Than minimum MTU
firewallSettingEngineOptionDropIpv6ReservedAddressesEnabled Drop IPv6 Reserved Addresses
firewallSettingEngineOptionDropIpv6SiteLocalAddressesEnabled Drop IPv6 Site Local Addresses
firewallSettingEngineOptionDropTeredoAnomaliesEnabled Drop Teredo Anomalies
firewallSettingEngineOptionDropUnknownSslProtocolEnabled Drop Unknown SSL Protocol
firewallSettingEngineOptionErrorTimeout ERROR Timeout
firewallSettingEngineOptionEstablishedTimeout ESTABLISHED Timeout
firewallSettingEngineOptionEventNodesMax Number of Event Nodes
firewallSettingEngineOptionFilterIpv4Tunnels Filter IPv4 Tunnels
firewallSettingEngineOptionFilterIpv6Tunnels Filter IPv6 Tunnels
firewallSettingEngineOptionFinWait1Timeout FIN_WAIT1 Timeout
firewallSettingEngineOptionForceAllowDhcpDns Force Allow DHCP DNS
firewallSettingEngineOptionForceAllowIcmpType3Code4 Force Allow ICMP type3 code4
firewallSettingEngineOptionFragmentOffsetMin Minimum Fragment Offset
firewallSettingEngineOptionFragmentSizeMin Minimum Fragment Size
firewallSettingEngineOptionGenerateConnectionEventsIcmpEnabled Generate Connection Events for ICMP
firewallSettingEngineOptionGenerateConnectionEventsTcpEnabled Generate Connection Events for TCP
firewallSettingEngineOptionGenerateConnectionEventsUdpEnabled Generate Connection Events for UDP
firewallSettingEngineOptionIcmpTimeout ICMP Timeout
firewallSettingEngineOptionIgnoreStatusCode0 Ignore Status Code
firewallSettingEngineOptionIgnoreStatusCode1 Ignore Status Code
firewallSettingEngineOptionIgnoreStatusCode2 Ignore Status Code
firewallSettingEngineOptionLastAckTimeout LAST_ACK Timeout
firewallSettingEngineOptionLogAllPacketDataEnabled Log All Packet Data
firewallSettingEngineOptionLogEventsPerSecondMax Maximum Events Per Second
firewallSettingEngineOptionLogOnePacketPeriod Period for Log only one packet within period
firewallSettingEngineOptionLogOnePacketWithinPeriodEnabled Log only one packet within period
firewallSettingEngineOptionLogPacketLengthMax Maximum data size to store when packet data is captured
firewallSettingEngineOptionLoggingPolicy Advanced Logging Policy
firewallSettingEngineOptionSilentTcpConnectionDropEnabled Silent TCP Connection Drop
firewallSettingEngineOptionSslSessionSize SSL Session Size
firewallSettingEngineOptionSslSessionTime SSL Session Time
firewallSettingEngineOptionStrictTerodoPortCheckEnabled Strict Teredo Port Check
firewallSettingEngineOptionSynRcvdTimeout SYN_RCVD Timeout
firewallSettingEngineOptionSynSentTimeout SYN_SENT Timeout
firewallSettingEngineOptionTcpMssLimit TCP MSS Limit
firewallSettingEngineOptionTunnelDepthMax Maximum Tunnel Depth
firewallSettingEngineOptionTunnelDepthMaxExceededAction Action if Maximum Tunnel Depth Exceeded
firewallSettingEngineOptionUdpTimeout UDP Timeout
firewallSettingEngineOptionVerifyTcpChecksumEnabled Verify TCP Checksum
firewallSettingEngineOptionsEnabled Use custom driver settings
firewallSettingEventLogFileCachedEntriesLifeTime Cache Lifetime
firewallSettingEventLogFileCachedEntriesNum Cache Size
firewallSettingEventLogFileCachedEntriesStaleTime Cache Stale time
firewallSettingEventLogFileIgnoreSourceIpListId Do not record events with source IP of
firewallSettingEventLogFileRetainNum Number of event log files to retain (on Agent/Appliance)
firewallSettingEventLogFileSizeMax Maximum size of the event log files (on Agent/Appliance)
firewallSettingEventsOutOfAllowedPolicyEnabled Generate Firewall Events for packets that are ‘Out Of Allowed Policy’
firewallSettingFailureResponseEngineSystem Network Engine System Failure
firewallSettingFailureResponsePacketSanityCheck Network Packet Sanity Check Failure
firewallSettingInterfaceIsolationEnabled Enable Interface Isolation
firewallSettingInterfaceLimitOneActiveEnabled Limit to one active interface
firewallSettingInterfacePatterns Interface Patterns
firewallSettingNetworkEngineMode Network Engine Mode
firewallSettingReconnaissanceBlockFingerprintProbeDuration Computer OS Fingerprint Probe – Block Traffic
firewallSettingReconnaissanceBlockNetworkOrPortScanDuration Network or Port Scan – Block Traffic
firewallSettingReconnaissanceBlockTcpNullScanDuration TCP Null Scan – Block Traffic
firewallSettingReconnaissanceBlockTcpSynFinScanDuration TCP SYNFIN Scan – Block Traffic
firewallSettingReconnaissanceBlockTcpXmasAttackDuration TCP Xmas Scan – Block Traffic
firewallSettingReconnaissanceDetectFingerprintProbeEnabled Computer OS Fingerprint Probe – Enabled
firewallSettingReconnaissanceDetectNetworkOrPortScanEnabled Network or Port Scan – Enabled
firewallSettingReconnaissanceDetectTcpNullScanEnabled TCP Null Scan – Enabled
firewallSettingReconnaissanceDetectTcpSynFinScanEnabled TCP SYNFIN Scan – Enabled
firewallSettingReconnaissanceDetectTcpXmasAttackEnabled TCP Xmas Scan – Enabled
firewallSettingReconnaissanceEnabled Reconnaissance Scan Detection – Enabled
firewallSettingReconnaissanceExcludeIpListId Reconnaissance Scan Detection – Do not perform detection on traffic coming from
firewallSettingReconnaissanceIncludeIpListId Reconnaissance Scan Detection – Computers/Networks on which to perform detection
firewallSettingReconnaissanceNotifyFingerprintProbeEnabled Computer OS Fingerprint Probe – Notify DSM Immediately
firewallSettingReconnaissanceNotifyNetworkOrPortScanEnabled Network or Port Scan – Notify DSM Immediately
firewallSettingReconnaissanceNotifyTcpNullScanEnabled TCP Null Scan – Notify DSM Immediately
firewallSettingReconnaissanceNotifyTcpSynFinScanEnabled TCP SYNFIN Scan – Notify DSM Immediately
firewallSettingReconnaissanceNotifyTcpXmasAttackEnabled TCP Xmas Scan – Notify DSM Immediately
firewallSettingState (Default policy settings only) Firewall State
firewallSettingVirtualAndContainerNetworkScanEnabled Scan container network traffic
Integrity Monitoring Settings
integrityMonitoringSettingAutoApplyRecommendationsEnabled Automatically assign/unassign recommended Integrity Monitoring Rules to Computer during Recommendation Scans
integrityMonitoringSettingCombinedModeProtectionSource Integrity Monitoring
integrityMonitoringSettingContentHashAlgorithm Integrity Monitoring Hash Algorithm
integrityMonitoringSettingCpuUsageLevel Integrity Monitoring CPU Usage Level:
integrityMonitoringSettingRealtimeEnabled Real Time
integrityMonitoringSettingScanCacheConfigId Integrity Scan Cache Configuration:
integrityMonitoringSettingState (Default policy settings only) Integrity Monitoring State
integrityMonitoringSettingSyslogConfigId Integrity Monitoring Syslog Configuration
integrityMonitoringSettingVirtualApplianceOptimizationScanCacheEntriesMax Max Integrity Monitoring Scan Cache Entries
Intrusion Prevention Settings
intrusionPreventionSettingAutoApplyRecommendationsEnabled Automatically implement Recommendations
intrusionPreventionSettingCombinedModeProtectionSource Intrusion Prevention
intrusionPreventionSettingEngineOptionFragmentedIpKeepMax Maximum number of fragmented IP packets to keep
intrusionPreventionSettingEngineOptionFragmentedIpPacketSendIcmpEnabled Send ICMP to indicate fragmented packet timeout exceeded
intrusionPreventionSettingEngineOptionFragmentedIpTimeout Fragment Timeout
intrusionPreventionSettingEngineOptionFragmentedIpUnconcernedMacAddressBypassEnabled Bypass MAC addresses that don’t belong to host
intrusionPreventionSettingEngineOptionsEnabled Use custom driver settings
intrusionPreventionSettingLogDataRuleFirstMatchEnabled Allow Intrusion Prevention Rules to capture data for first hit of each rule (in period)
intrusionPreventionSettingNsxSecurityTaggingDetectModeLevel Detect Mode
intrusionPreventionSettingNsxSecurityTaggingPreventModeLevel Prevent Mode
intrusionPreventionSettingState (Default policy settings only) Intrusion Prevention State
intrusionPreventionSettingVirtualAndContainerNetworkScanEnabled Scan container network traffic
Log Inspection Settings
logInspectionSettingAutoApplyRecommendationsEnabled Automatically assign/unassign recommended Log Inspection Rules to Computer during Recommendation Scans
logInspectionSettingSeverityClippingAgentEventSendSyslogLevelMin Send Agent/Appliance events to syslog when they equal or exceed the following severity level
logInspectionSettingSeverityClippingAgentEventStoreLevelMin Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level
logInspectionSettingState (Default policy settings only) Log Inspection State
logInspectionSettingSyslogConfigId Log Inspection Syslog Configuration
Platform Settings
platformSettingAgentCommunicationsDirection Direction of Deep Security Manager to Agent/Appliance communication
platformSettingAgentEventsSendInterval Period between sending of events
platformSettingAgentSelfProtectionEnabled Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent
platformSettingAgentSelfProtectionPassword Password
platformSettingAgentSelfProtectionPasswordEnabled Local override requires password
platformSettingAutoAssignNewIntrusionPreventionRulesEnabled Automatically assign new Intrusion Prevention Rules as required by updated Application Types and Intrusion Prevention Rule dependencies
platformSettingAutoUpdateAntiMalwareEngineEnabled Automatically update anti-malware engine
platformSettingCombinedModeNetworkGroupProtectionSource Network Combined Mode Affinity
platformSettingEnvironmentVariableOverrides Environment Variable Overrides
platformSettingHeartbeatInactiveVmOfflineAlertEnabled Raise Offline Errors For Inactive Virtual Machines
platformSettingHeartbeatInterval Heartbeat Interval
platformSettingHeartbeatLocalTimeShiftAlertThreshold Maximum change (in minutes) of the local system time on the computer between heartbeats before an alert is raised
platformSettingHeartbeatMissedAlertThreshold Number of Heartbeats that can be missed before an alert is raised
platformSettingInactiveAgentCleanupOverrideEnabled Prevent this computer from being deleted if Inactive Agent Cleanup is enabled:
platformSettingNotificationsSuppressPopupsEnabled Suppress all pop-up notifications on host
platformSettingRecommendationOngoingScansInterval Ongoing Scan Interval
platformSettingRelayState Relay State
platformSettingScanCacheConcurrencyMax Max Concurrent Scans
platformSettingScanOpenPortListId Ports to scan
platformSettingSmartProtectionAntiMalwareGlobalServerProxyId Use Proxy when accessing Smart Protection Service for Smart Scan
platformSettingSmartProtectionGlobalServerEnabled Use Global Service for Census
platformSettingSmartProtectionGlobalServerProxyId Use Proxy when accessing Global Service for Census
platformSettingSmartProtectionGlobalServerUseProxyEnabled Use Proxy when accessing Global Service for Census
platformSettingTroubleshootingLoggingLevel Logging Level
platformSettingUpgradeOnActivationEnabled Automatically upgrade agents on activation
SAP Settings
sapSettingState (Default policy settings only) Configuration
Web Reputation Settings
webReputationSettingAlertingEnabled Alert
webReputationSettingAllowedUrlDomains Allowed Domain URLs
webReputationSettingAllowedUrls Allowed Page URLs
webReputationSettingBlockedUrlDomains Blocked Domain URLs
webReputationSettingBlockedUrlKeywords Blocked Keywords
webReputationSettingBlockedUrls Blocked Page URLs
webReputationSettingBlockingPageLink Blocked Page Link
webReputationSettingCombinedModeProtectionSource Web Reputation
webReputationSettingMonitorPortListId Ports to monitor
webReputationSettingSecurityBlockUntestedPagesEnabled Block Untested Pages
webReputationSettingSecurityLevel Security Level
webReputationSettingSmartProtectionGlobalServerUseProxyEnabled Use Proxy when accessing Smart Protection Service for Web Reputation
webReputationSettingSmartProtectionLocalServerAllowOffDomainGlobal When off domain, connect to global Smart Protection Service. (Windows only)
webReputationSettingSmartProtectionLocalServerEnabled Use Local Smart Protection Server for Web Reputation Service
webReputationSettingSmartProtectionLocalServerUrls Local Smart Protection Servers for Web Reputation
webReputationSettingSmartProtectionServerConnectionLostWarningEnabled Warn if connection to Smart Protection Server is lost
webReputationSettingSmartProtectionWebReputationGlobalServerProxyId Use Proxy when accessing Smart Protection Service for Web Reputation
webReputationSettingState (Default policy settings only) Web Reputation State
webReputationSettingSyslogConfigId Web Reputation Syslog Configuration

System settings

Setting Description
Anti-Malware Settings
antiMalwareSettingEventEmailBodyTemplate Email Template
antiMalwareSettingEventEmailEnabled Anti-Malware Email Notifications Enabled
antiMalwareSettingEventEmailRecipients Email Recipients
antiMalwareSettingEventEmailSubject Email Subject Text
antiMalwareSettingRetainEventDuration Automatically delete Anti-Malware Events older than
Application Control Settings
applicationControlSettingRetainEventDuration Automatically delete Application Control Events older than
applicationControlSettingServeRulesetsFromRelaysEnabled Serve application control rulesets from relays
Firewall Settings
firewallSettingEventRankSeverityDeny Deny
firewallSettingEventRankSeverityLogOnly Log Only
firewallSettingEventRankSeverityPacketRejection Packet Rejection
firewallSettingGlobalStatefulConfigId Global Firewall Stateful Configuration
firewallSettingInternetConnectivityTestExpectedContentRegex Regular Expression for returned content used to confirm Connectivity
firewallSettingInternetConnectivityTestInterval Test Interval
firewallSettingInternetConnectivityTestUrl URL for testing Internet Connectivity Status
firewallSettingIntranetConnectivityTestExpectedContentRegex Regular Expression for returned content used to confirm Intranet Connectivity
firewallSettingIntranetConnectivityTestUrl URL for testing Intranet Connectivity Status
firewallSettingRetainEventDuration Automatically delete Firewall Events older than
Integrity Monitoring Settings
integrityMonitoringSettingEventRankSeverityCritical Critical
integrityMonitoringSettingEventRankSeverityHigh High
integrityMonitoringSettingEventRankSeverityLow Low
integrityMonitoringSettingEventRankSeverityMedium Medium
integrityMonitoringSettingRetainEventDuration Automatically delete Integrity Monitoring Events older than
Intrusion Prevention Settings
intrusionPreventionSettingEventRankSeverityFilterCritical Critical
intrusionPreventionSettingEventRankSeverityFilterError Error
intrusionPreventionSettingEventRankSeverityFilterHigh High
intrusionPreventionSettingEventRankSeverityFilterLow Low
intrusionPreventionSettingEventRankSeverityFilterMedium Medium
intrusionPreventionSettingRetainEventDuration Automatically delete Intrusion Prevention Events older than
Log Inspection Settings
logInspectionSettingEventRankSeverityCritical Critical
logInspectionSettingEventRankSeverityHigh High
logInspectionSettingEventRankSeverityLow Low
logInspectionSettingEventRankSeverityMedium Medium
logInspectionSettingRetainEventDuration Automatically delete Log Inspection Events older than
Platform Settings
platformSettingActiveSessionsMax Number of concurrent sessions allowed per User
platformSettingActiveSessionsMaxExceededAction Action when concurrent session limit is exceeded
platformSettingAgentInitiatedActivationDuplicateHostnameMode If a computer with the same name already exists
platformSettingAgentInitiatedActivationEnabled Allow Agent-Initiated Activation
platformSettingAgentInitiatedActivationPolicyId Policy to assign (if Policy not assigned by activation script):
platformSettingAgentInitiatedActivationReactivateClonedEnabled Reactivate cloned Agents
platformSettingAgentInitiatedActivationReactivateUnknownEnabled Reactivate unknown Agents
platformSettingAgentInitiatedActivationSpecifyHostnameEnabled Allow Agent to specify hostname
platformSettingAgentInitiatedActivationToken Agent activation token:
platformSettingAgentInitiatedActivationWithinIpListId Agent-Initiated Activation IP List
platformSettingAgentlessVcloudProtectionEnabled Allow Appliance protection of vCloud VMs
platformSettingAlertAgentUpdatePendingThreshold Length of time an Update can be pending before raising an Alert
platformSettingAlertDefaultEmailAddress Alert Email Address – The email address to which all alert emails should be sent
platformSettingApiSoapWebServiceEnabled SOAP web service API Enabled
platformSettingApiStatusMonitoringEnabled Status Monitoring API Enabled
platformSettingAwsManagerIdentityAccessKey Access Key – The Access Key of an AWS User used for the manager identity
platformSettingAwsManagerIdentitySecretKey Secret Key – The Secret Access Key of an AWS User used for the manager identity
platformSettingAwsManagerIdentityUseInstanceRoleEnabled Use Instance Role
platformSettingAzureSsoCertificate Azure resource provider certificate for SSO
platformSettingCaptureEncryptedTrafficEnabled Allow packet data capture on encrypted traffic (SSL)
platformSettingConnectedThreatDefenseControlManagerManualSourceApiKey API Key
platformSettingConnectedThreatDefenseControlManagerManualSourceServerUrl Server URL (ex: “https://[server]/webapp”)
platformSettingConnectedThreatDefenseControlManagerProxyId Use Proxy when accessing Control Manager
platformSettingConnectedThreatDefenseControlManagerSourceOption Suspicious Object List Source
platformSettingConnectedThreatDefenseControlManagerSuspiciousObjectListComparisonEnabled Compare objects against Suspicious Object List
platformSettingConnectedThreatDefenseControlManagerUseProxyEnabled When accessing Control Manager, use proxy:
platformSettingConnectedThreatDefensesUsePrimaryTenantServerSettingsEnabled Use default server settings
platformSettingContentSecurityPolicy Content security policy
platformSettingContentSecurityPolicyReportOnlyEnabled Report only
platformSettingDdanAutoSubmissionEnabled Enable automatic file submission
platformSettingDdanManualSourceApiKey API Key
platformSettingDdanManualSourceServerUrl Server URL (ex: “https://[server]/”)
platformSettingDdanProxyId Use Proxy when accessing Deep Discovery Analyzer
platformSettingDdanSourceOption Deep Discovery Analyzer Source
platformSettingDdanSubmissionEnabled Enable submission of suspicious files to Deep Discovery Analyzer
platformSettingDdanUseProxyEnabled When accessing Deep Discovery Analyzer, use proxy:
platformSettingDemoModeEnabled Demo Mode Enabled
platformSettingEventForwardingSnsAccessKey Access Key – The Access Key of an AWS User with access to the SNS Topic
platformSettingEventForwardingSnsAdvancedConfigEnabled AWS SNS Advanced Configuration
platformSettingEventForwardingSnsConfigJson AWS SNS Configuration
platformSettingEventForwardingSnsEnabled Publish Events to AWS Simple Notification Service
platformSettingEventForwardingSnsSecretKey Secret Key – The Secret Key of an AWS User with access to the SNS Topic
platformSettingEventForwardingSnsTopicArn SNS Topic ARN
platformSettingExportedDiagnosticPackageLocale Exported Diagnostic Package Language
platformSettingExportedFileCharacterEncoding Exported file Character Encoding
platformSettingHttpPublicKeyPinPolicy HTTP public key pin policy
platformSettingHttpPublicKeyPinPolicyReportOnlyEnabled Report only
platformSettingHttpStrictTransportEnabled Enable HTTP Strict Transport Security
platformSettingInactiveAgentCleanupDuration Delete Agents that have been inactive for:
platformSettingInactiveAgentCleanupEnabled Delete Agents that have been inactive for:
platformSettingLoadBalancerHeartbeatAddress Load Balancer Heartbeat Hostname
platformSettingLoadBalancerHeartbeatPort Load Balancer Heartbeat Port
platformSettingLoadBalancerManagerAddress Load Balancer Manager Hostname
platformSettingLoadBalancerManagerPort Load Balancer Manager Port
platformSettingLoadBalancerRelayAddress Load Balancer Relay Hostname
platformSettingLoadBalancerRelayPort Load Balancer Relay Port
platformSettingLogoBinaryImageImg Logo Bytes
platformSettingManagedDetectResponseCompanyGuid Company GUID
platformSettingManagedDetectResponseEnabled Enable the MDR service
platformSettingManagedDetectResponseProxyId Use Proxy when accessing MDR server
platformSettingManagedDetectResponseServerUrl Server URL (ex: “https://[server]/”)
platformSettingManagedDetectResponseServiceToken Service Token
platformSettingManagedDetectResponseUsePrimaryTenantSettingsEnabled Use default server settings
platformSettingManagedDetectResponseUseProxyEnabled When accessing MDR server, use proxy:
platformSettingNewTenantDownloadSecurityUpdateEnabled Enable the automatic download of Security Updates on new Tenants
platformSettingPrimaryTenantAllowTenantAddVmwareVcenterEnabled Allow Tenants to add VMware vCenters
platformSettingPrimaryTenantAllowTenantConfigureForgotPasswordEnabled Show the “Forgot Password?” option
platformSettingPrimaryTenantAllowTenantConfigureRememberMeOptionEnabled Show the “Remember Account Name and Username” option
platformSettingPrimaryTenantAllowTenantConfigureSiemEnabled Allow Tenants to configure SIEM settings (If not checked, all Tenants use the settings located on the SIEM tab for ALL event types and syslog is relayed via the Manager)
platformSettingPrimaryTenantAllowTenantConfigureSnmpEnabled Allow Tenants to configure SNMP settings
platformSettingPrimaryTenantAllowTenantConfigureSnsEnabled Allow Tenants to configure SNS settings
platformSettingPrimaryTenantAllowTenantControlImpersonationEnabled Allow Tenants to control access from the Primary Tenant
platformSettingPrimaryTenantAllowTenantDatabaseState Primary Database Server State
platformSettingPrimaryTenantAllowTenantRunComputerDiscoveryEnabled Allow Tenants to run “Computer Discovery” (directly and as a Scheduled Task)
platformSettingPrimaryTenantAllowTenantRunPortScanEnabled Allow Tenants to run “Port Scan” (directly and as a Scheduled Task)
platformSettingPrimaryTenantAllowTenantSyncWithCloudAccountEnabled Allow Tenants to add with Cloud Accounts
platformSettingPrimaryTenantAllowTenantSynchronizeLdapDirectoriesEnabled Allow Tenants to synchronize with LDAP Directories
platformSettingPrimaryTenantAllowTenantUseDefaultRelayGroupEnabled Allow Tenants to use the Relays in my “Default Relay Group”
platformSettingPrimaryTenantAllowTenantUseScheduledRunScriptTaskEnabled Allow Tenants to use the “Run Script” Scheduled Task
platformSettingPrimaryTenantLockAndHideTenantDataPrivacyOptionEnabled Data Privacy options on the “Agents” Tab
platformSettingPrimaryTenantLockAndHideTenantSmtpTabEnabled All options on the “SMTP” Tab
platformSettingPrimaryTenantLockAndHideTenantStorageTabEnabled All options on the “Storage” Tab
platformSettingPrimaryTenantShareConnectedThreatDefensesEnabled Allow Tenants to use the Primary Tenant’s Trend Micro Control Manager and Deep Discovery Analyzer Server settings.
platformSettingPrimaryTenantShareManagedDetectResponsesEnabled Allow Tenants to use Primary Tenant’s Managed Detection and Response settings.
platformSettingProxyAgentUpdateProxyId Primary Security Update Proxy used by Agents, Appliances, and Relays:
platformSettingProxyManagerCloudProxyId Deep Security Manager (Cloud Accounts – HTTP Protocol Only):
platformSettingProxyManagerUpdateProxyId Deep Security Manager (Software Updates, CSSS, News Updates, Product Registration and Licensing):
platformSettingRecommendationCpuUsageLevel CPU Usage Level
platformSettingRecommendationOngoingScansEnabled Perform ongoing Recommendation Scans
platformSettingRetainAgentInstallersPerPlatformMax Number of older software versions to keep per platform
platformSettingRetainCountersDuration Automatically delete Counters older than
platformSettingRetainSecurityUpdatesMax Number of older Rule Updates to keep
platformSettingRetainServerLogDuration Automatically delete Server Logs older than
platformSettingRetainSystemEventDuration Automatically delete System Events older than
platformSettingSamlIdentityProviderCertificateExpiryWarningDays Warn when a SAML identity provider certificate will expire within (days)
platformSettingSamlRetainInactiveExternalAdministratorsDuration Automatically delete inactive identity provider users after (days)
platformSettingSamlServiceProviderCertificate SAML Service Provider Certificate
platformSettingSamlServiceProviderCertificateExpiryWarningDays Warn when the Deep Security Manager SAML Service Provider certificate will expire within (days)
platformSettingSamlServiceProviderEntityId Entity ID
platformSettingSamlServiceProviderName Service Name
platformSettingSamlServiceProviderPrivateKey SAML Service Provider Private Key
platformSettingSignInPageMessage Text
platformSettingSmartProtectionFeedbackBandwidthMaxKbytes Maximum bandwidth:
platformSettingSmartProtectionFeedbackEnabled Enable Trend Micro Smart Feedback (recommended)
platformSettingSmartProtectionFeedbackForSuspiciousFileEnabled Send suspicious file signatures along with feedback
platformSettingSmartProtectionFeedbackIndustryType Your industry (optional):
platformSettingSmartProtectionFeedbackInterval Feedback Interval (min)
platformSettingSmartProtectionFeedbackThreatDetectionsThreshold Feedback Interval by threats
platformSettingSmtpBounceEmailAddress “Bounce” email address (optional) – The email address to which delivery failure notifications should be sent
platformSettingSmtpFromEmailAddress “From” email address – The email address from which outgoing emails should be sent
platformSettingSmtpPassword SMTP password
platformSettingSmtpRequiresAuthenticationEnabled Mail server requires authentication
platformSettingSmtpServerAddress SMTP mail server address (optionally include :port)
platformSettingSmtpStartTlsEnabled STARTTLS
platformSettingSmtpUsername SMTP username
platformSettingSyslogConfigId Forward System Events to a remote computer (via Syslog) using configuration
platformSettingSystemEventForwardingSnmpAddress Hostname or IP address to which events should be sent
platformSettingSystemEventForwardingSnmpEnabled Forward System Events to a remote computer (via SNMP)
platformSettingSystemEventForwardingSnmpPort UDP port to which events should be sent
platformSettingTenantAllowImpersonationByPrimaryTenantEnabled Allow Primary Tenant access to my Deep Security Environment
platformSettingTenantAutoRevokeImpersonationByPrimaryTenantEnabled Automatically revoke Primary Tenant access after
platformSettingTenantAutoRevokeImpersonationByPrimaryTenantTimeout Automatically revoke Primary Tenant access after
platformSettingTenantProtectionUsageMonitoringComputerId1 Computer Identifier 1
platformSettingTenantProtectionUsageMonitoringComputerId2 Computer Identifier 2
platformSettingTenantProtectionUsageMonitoringComputerId3 Computer Identifier 3
platformSettingTenantUseDefaultRelayGroupFromPrimaryTenantEnabled Use the Primary Tenant Relay Group as my Default Relay Group
platformSettingUpdateAgentSecurityContactPrimarySourceOnMissingRelayEnabled Allow Agents/Appliances to download security updates directly from Primary Security Update Source if Relays are not accessible
platformSettingUpdateAgentSecurityOnMissingDeepSecurityManagerEnabled Allow Agents/Appliances to download security updates when Deep Security Manager is not accessible
platformSettingUpdateAgentSoftwareUseDownloadCenterOnMissingDeepSecurityManagerEnabled Allow Relays to download software updates from Trend Micro Download Center when Deep Security Manager is not accessible
platformSettingUpdateApplianceDefaultAgentVersion Upon deployment, update Deep Security Virtual Appliances to
platformSettingUpdateHostnameOnIpChangeEnabled Update the “Hostname” entry if an IP is used as a hostname and a change in IP is detected on the computer after Agent/Appliance-initiated communication or discovery
platformSettingUpdateImportedSoftwareAutoDownloadEnabled Automatically download updates to imported software
platformSettingUpdateRelaySecurityAllRegionsPatternsDownloadEnabled Download Patterns for all Regions
platformSettingUpdateRelaySecuritySupportAgent9AndEarlierEnabled Allow supported 8.0 and 9.0 Agents to be updated
platformSettingUpdateRulesPolicyAutoApplyEnabled Automatically apply Rule Updates to Policies
platformSettingUpdateSecurityPrimarySourceMode Relay Update Source
platformSettingUpdateSecurityPrimarySourceUrl URL
platformSettingUpdateSoftwareAlternateUpdateServerUrls Alternate Software Update Web Server(s)
platformSettingUserEnforceTermsAndConditionsEnabled User must agree to the terms and conditions
platformSettingUserEnforceTermsAndConditionsMessage List of Terms And Conditions
platformSettingUserEnforceTermsAndConditionsTitle Text
platformSettingUserHideUnlicensedModulesEnabled Hide unlicensed Protection Modules for new Users
platformSettingUserPasswordExpiry User password expires
platformSettingUserPasswordExpirySendEmailEnabled Send email when a user’s password is about to expire
platformSettingUserPasswordLengthMin User password minimum length
platformSettingUserPasswordRequireLettersAndNumbersEnabled User password requires both letters and numbers
platformSettingUserPasswordRequireMixedCaseEnabled User password requires both upper and lower case characters
platformSettingUserPasswordRequireNotSameAsUsernameEnabled User password cannot match username or username spelled backward
platformSettingUserPasswordRequireSpecialCharactersEnabled User password requires non-alphanumeric characters
platformSettingUserSessionDurationMax Maximum session duration
platformSettingUserSessionIdleTimeout Session idle timeout
platformSettingUserSignInAttemptsAllowedNumber Number of incorrect sign-in attempts allowed (before lock out)
platformSettingVmwareNsxManagerNode Manager Node for NSX communication
platformSettingWhoisUrl Whois URL – The full URL to a Whois lookup with the IP represented as [IP]
Web Reputation Settings
webReputationSettingEventRankRiskBlockedByAdministratorRank Blocked By Administrator
webReputationSettingEventRankRiskDangerous Dangerous
webReputationSettingEventRankRiskHighlySuspicious Highly Suspicious
webReputationSettingEventRankRiskSuspicious Suspicious
webReputationSettingEventRankRiskUntested Untested
webReputationSettingRetainEventDuration Automatically delete Web Reputation Events older than