About AppProtection Profiles
AppProtection profiles allow you to determine how traffic is inspected and managed. A profile uses a paranoia level when it includes ThreatLabZ predefined controls, Open Web Application Security Project (OWASP) predefined controls, or WebSocket predefined controls. Predefined controls are a selection of controls that establish the requirements for AppProtection and the action taken for those controls. You can use your own WebSocket custom controls or HTTP custom controls, or you can use the ThreatLabZ, OWASP, or WebSocket predefined controls. You can also apply the same action to all the controls in the AppProtection profile, or a different action to each control.
AppProtection profiles enhance your experience by enabling you to:
- Create a comprehensive security profile by selecting controls from multiple categories (OWASP predefined controls, HTTP custom controls, WebSocket controls, and ThreatLabZ controls).
- Assign a specific action to take in the event of malicious traffic (Allow, Block, or Redirect).
All AppProtection profiles automatically have some predefined controls from the Preprocessors category enabled. These controls are 200002, 200003, and 200004. They have a default action of Block, and this action cannot be removed or changed. If you are using ThreatLabZ predefined controls and WebSocket predefined controls, the default action is Allow for the Preprocessors category.
Using the Default AppProtection Profile Template
A default AppProtection profile is included with the setup of your ZPA account. It is located in the AppProtection profile table and is named OWASP Top-10 for Visibility. Use the default profile as a template for custom AppProtection profiles. The default profile can't be edited or deleted. Its Paranoia Level is set to 1. You can also use this default profile in an AppProtection policy.
Some controls are excluded from the default AppProtection profile for higher efficacy. All other controls included in this profile must have their action set to Allow.
After creating an AppProtection profile, add it to an AppProtection policy for the ZPA service to use. To learn more, see About AppProtection Policy.
About the AppProtection Profile Page
On the AppProtection Profile page (Policies > Cybersecurity > Inline Security > Protection Profiles > AppProtection), you can do the following:
- Go to the Browser Protection profiles page to manage your Browser Protection profiles.
- Expand all the rows in the table to see more information about each AppProtection profile.
- Add an AppProtection profile.
- Filter the information that appears in the table. By default, no filters are applied.
- View a list of all AppProtection profiles that were configured for your organization. You can see the name of each AppProtection profile. When you expand the row, the following information is displayed:
  - Description: The description of the AppProtection profile if available.
  - Paranoia Level: The associated level, which corresponds to the levels available in the AppProtection controls.
  - Used in AppProtection Controls: The predefined and custom controls in use by the AppProtection profile.
- Copy an existing AppProtection profile, and use it to create a new AppProtection profile.
- Edit an AppProtection profile.
- Delete an AppProtection profile.
You can't edit or delete the default AppProtection profile. To learn more, see Default AppProtection Profile.
