Getting started with Situation elements

Situation elements define a pattern in traffic that the engine looks for.

The patterns and events are defined by selecting a Context for the Situation element. The Context contains the information on the traffic to be matched, and the options you can set for the matching process.

The Inspection Policy defines how the Situation elements are matched to traffic and what action the engine takes when a match is found.

Correlation Situation elements are Situation elements that group event data to find patterns in that data.

Situation elements also provide a description that is shown in the logs, and a link to relevant external information (CVE/BID/MS/TA) in the form of a Vulnerability element attached to the Situation.

You can group Situations together using Tags. The Tag elements are shown as branches in the Situations tree and they can be used in policies to represent all Situations that are associated with that Tag. For example, using the Tag Windows in a rule means that the rule matches all Situations that are classified as concerning Windows systems.

Associating a Situation with a Situation Type includes the Situation in the Rules tree in the Inspection Policy, which is grouped according to the Situation Type.

Depending on the Usage Context properties of a Correlation Situation, correlation can be done only on the NGFW Engine, only on the Log Server, or on both the NGFW Engine and the Log Server. When correlation is done only on the NGFW Engine, the Correlation Situation only matches when all correlated events are detected by the same NGFW Engine. The following table lists the Usage Contexts for predefined Correlation Situations:
Table 1. Usage Contexts for predefined Correlation Situations

Correlation Context    Usage Context
Compress               Engine Only
Count                  Engine Only
Group                  Engine Only
Match                  Engine Only
Sequence               Log Server Only

By default, correlation is done on both the NGFW Engine and the Log Server for custom Correlation Situations.