Configuring Intrusion Prevention

Intrusion Prevention System (IPS) is a network-based platform that inspects network traffic for malicious or unwanted activity such as worms, spyware, and policy violations. When IPS detects a threat, it reacts in real-time by taking actions such as blocking or dropping connections, logging the detected activities, and sending notifications about these activities. You can use the default actions for each signature or customize the actions to suit your requirements.

IMPORTANT: IPS uses signatures to identify the attacks in progress. You must update the IPS signatures frequently to keep the protection current. See Updating IPS Signature Database.

After setting up IPS, you have these options for monitoring the activity:

 • Enable the IPS report from the Security Services > Security Services Reports page or from the Status > Security Services Reports page to see the number of packets detected and the number of packets dropped by IPS. See Viewing IPS Report.

 • Enable the IPS Alert feature to send an alert email to a specified email address if an attack is detected by IPS. See Configuring Email Alert Settings, page 340.

NOTE: You must install licenses on the License Management page before you can configure IPS.

 1. Click Security Services > Intrusion Prevention (IPS) > IPS Policy and Protocol Inspection.

The IPS Policy and Protocol Inspection window opens.

 2. At the top of the page, enable or disable IPS by clicking On or Off.

 3. In the Zone area, choose the zones to be inspected. IPS inspects inter-zone traffic only; traffic that stays within a single zone is never inspected.

 • To add a zone: In the Zones Available list, click a zone, and then click Add to move it to the Selected Zones list. All incoming and outgoing traffic for the selected zones is inspected.

 • To remove a zone: In the Selected Zones list, click a zone, and then click Remove to move it to the Zones Available list.

NOTE: A zone selection matches traffic by source zone or by destination zone: any inter-zone flow that enters or leaves a selected zone is inspected, whichever zone is at the other end. For example, if you select the LAN and DMZ zones, IPS inspects all traffic to or from LAN or DMZ regardless of the other endpoint, and traffic between LAN and DMZ is inspected once, not twice. If you select only the WAN zone, IPS inspects all traffic to or from WAN regardless of the internal zone it is destined for or originates from.

 4. In the IPS Signature area, use the options below to filter the list of signatures in the Selected Signature table. The unfiltered list includes thousands of IPS signatures that are used to identify attacks. After selecting filters, click Refresh to redisplay the Selected Signature table showing only the matching signatures.

 • Severity Level: Choose a severity level, from highest to lowest: Critical, High, Medium, Low, and Information.

 • Operating System Type: Choose All to include all signatures regardless of the type of operating system, or choose Selected OS Types Only to include only the signatures that match the specified types of operating systems.

 • Host Type: Choose a host type.

 • Category: Choose All to include all signatures regardless of the category, or choose Selected Categories Only to include only the signatures that match the specified categories.

The Selected Signature table displays this information:

 • Name: The name of the signature.

 • ID: The unique identifier of the signature. To view complete details for a signature, click the link in the ID column.

 • Severity: The severity level of the threat that the signature can identify.

 • Category: The category that the signature belongs to.

 • Default Action: The default preventive action for the signature.

 – Block and Log: Deny the request, drop the connection, and log the event when a signature is detected by the IPS engine.

 – Log Only: Only log the event when a signature is detected by the IPS engine.

 • Current Action: The current preventive action for the signature.

 • Edit Action: Click the pencil icon to enable, disable, or set the preventive actions for a signature. For more information, see Configuring Signature Actions.

NOTE: For ease of use, you can edit the preventive actions for a group of signatures. Check the box for each signature that you want to change, or select all signatures by checking the box in the top left corner of the table. To edit the settings for the selected signatures, click the Edit (pencil) icon at the top of the table.

 • Block Threshold: The number of detections of this signature after which matching traffic is blocked. The threshold applies whether the Current Action is Block and Log or Log Only: with Log Only, detections are logged until the threshold is reached and blocked thereafter. Enter 0 to apply the Current Action immediately upon every detection, with no counting.

NOTE: The counter is reset to 0 whenever IPS settings are saved in the configuration utility or the security appliance is rebooted. After a save or reboot, a Log Only signature with a nonzero threshold therefore logs again until the threshold is reached once more; for signatures that must block on first sight, use Block and Log with a threshold of 0 rather than relying on the counter.

 5. Click Save to apply your settings.
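The following Python model, added here as an illustration and not code from the appliance or its vendor, ties the procedure above together: which flows the zone selection causes to be inspected, how Default Action and Current Action combine with Block Threshold, and what the counter reset on Save does to a Log Only signature. The signature IDs, names and zone names are constructed for the example, and the exact threshold boundary (detections up to the threshold get the Current Action, later ones are blocked) is an assumption, since the page does not state whether blocking starts at or after the Nth detection.

```python
"""Model of the IPS policy semantics described in this section.

Added example, not the appliance's own code. Signature IDs/names and the
threshold boundary (block once the count exceeds the threshold) are assumptions.
"""
from dataclasses import dataclass, field

BLOCK_AND_LOG = "Block and Log"
LOG_ONLY = "Log Only"


@dataclass
class Signature:
    sig_id: int
    name: str
    severity: str
    default_action: str          # Default Action column: Block and Log / Log Only
    current_action: str = ""     # Current Action column; empty means use default
    block_threshold: int = 0     # Block Threshold; 0 = apply Current Action immediately
    enabled: bool = True

    def action(self) -> str:
        return self.current_action or self.default_action


@dataclass
class IpsPolicy:
    enabled: bool = True                       # the On/Off switch at the top of the page
    selected_zones: set = field(default_factory=set)
    signatures: dict = field(default_factory=dict)
    counters: dict = field(default_factory=dict)   # per-signature detection counts

    def inspects(self, src_zone: str, dst_zone: str) -> bool:
        """IPS inspects inter-zone traffic only, and only flows that enter or
        leave a selected zone. A LAN<->DMZ flow with both zones selected is one
        flow, so it is inspected once, not twice."""
        if not self.enabled or src_zone == dst_zone:
            return False
        return src_zone in self.selected_zones or dst_zone in self.selected_zones

    def detect(self, sig_id: int, src_zone: str, dst_zone: str) -> str:
        """Verdict for one detection of sig_id on this flow:
        'pass' (not inspected or signature disabled), 'log', or 'block'."""
        if not self.inspects(src_zone, dst_zone):
            return "pass"
        sig = self.signatures[sig_id]
        if not sig.enabled:
            return "pass"
        immediate = "block" if sig.action() == BLOCK_AND_LOG else "log"
        if sig.block_threshold == 0:
            return immediate
        # Assumption: detections up to the threshold get the Current Action,
        # every detection beyond it is blocked regardless of the Current Action.
        self.counters[sig_id] = self.counters.get(sig_id, 0) + 1
        if self.counters[sig_id] > sig.block_threshold:
            return "block"
        return immediate

    def save(self) -> None:
        """Saving IPS settings (or rebooting the appliance) resets all counters."""
        self.counters.clear()


def run_scenario() -> dict:
    """Walk a constructed set of events through the policy and collect verdicts."""
    policy = IpsPolicy(selected_zones={"LAN", "DMZ"})
    policy.signatures = {   # constructed sample signatures, not real signature IDs
        1001: Signature(1001, "worm-propagation", "Critical", BLOCK_AND_LOG),
        1002: Signature(1002, "spyware-beacon", "Medium", BLOCK_AND_LOG,
                        current_action=LOG_ONLY, block_threshold=2),
    }
    results = {}
    results["intra_zone"] = policy.detect(1001, "LAN", "LAN")     # never inspected
    results["wan_to_dmz"] = policy.detect(1001, "WAN", "DMZ")     # DMZ selected -> block
    results["wan_to_guest"] = policy.detect(1001, "WAN", "GUEST") # neither selected -> pass
    # Log Only with threshold 2: two logs, then blocking kicks in.
    results["beacon_seq"] = [policy.detect(1002, "LAN", "WAN") for _ in range(3)]
    policy.save()                                                 # counter reset
    results["after_save"] = policy.detect(1002, "LAN", "WAN")     # back to logging
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The `beacon_seq` result shows the practical effect of the threshold note: a Log Only signature with a threshold reaches "block" only after the count accumulates, and `after_save` shows that a configuration save drops it back to "log" until the count is reached again.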