Configuring IPS

This section describes how to configure IPS.

Preparing

Before enabling IPS, make the following preparations:

  1. Make sure your system version supports IPS.
  2. Import an IPS license and reboot the system. IPS is enabled after the reboot.

Creating an IPS Rule

To create an IPS rule, take the following steps:

  1. On the Navigation pane, click Configure > Security > IPS to visit the IPS page.
  2. Click New on the upper-left of the rule list.
  3. In the IPS Configuration dialog, type the name into the Rule name box.
  4. Select a security zone for the IPS rule from the Binding zone drop-down list, and click a direction (Inbound, Outbound, Bi-direction). The IPS rule is applied to traffic that matches the specified security zone and direction. Click Add to add it to the system. Repeat this step to add more security zones.
  5. In the Protocol types section, select the signature set(s) that will be used in the scan (each set identifies an attacking signature set related to a specific protocol).
  6. Click OK to save your changes and return to the IPS page.
  7. To edit a signature set, click its name in the Protocol type column of the IPS rule list, and edit the options on the signature set page. The options include actions for attacks of different levels (Log only, Reset, Block attacker), configurations related to the protocol, and actions for a specific attacking signature (these take priority over the action configured in the signature set).
    Configuring protocol-related options
    Protocol-related options include actions for attacks of different levels and other related options. For detailed instructions, see the description below:
    Option: Action for Critical/Warning/Information level attack
    Description:

    Action: Specifies an action for attacks of different levels. The options include Log only and Reset.

    • Log only: Only generates logs when intrusions are detected.
    • Reset: Resets connections (TCP) or sends destination unreachable packets (UDP), and also generates logs, when intrusions are detected.

    Block attacker: Select the Enable check box to block the specified attacker.

    • Block by: Specifies the object that will be blocked. The options include Attacker IP and Attacker protocol/source IP/destination IP/destination port.
    • Block duration: Specifies a block duration for the object. The value range is 60 to 3600 seconds, and the default value is 30.

    Option: Other configuration
    Description: Other related options, which vary by protocol type. For detailed instructions, see Descriptions of Other Options.
    Configuring a specific attacking signature
    To configure an action for a specific attacking signature, take the following steps:
    1. Select the signature you want to edit from the signature list, and click Edit.
    2. In the IPS Signature Configuration dialog, select an action for the signature in the Action section.
    3. Select a block configuration from the Block configuration section. If is selected, you also need to specify an object and duration.
    4. Click OK to save your changes and return to the signature set page.
    To enable/disable an attacking signature, take the following steps:
    1. Select the signature you want to enable/disable from the signature list.
    2. Click Enable/Disable.
    Note: A signature that is enabled in the global configuration but disabled in a specific signature set has the status Disabled in that signature set. A signature that is disabled in the global configuration always has the status Disabled in a signature set, regardless of the configuration in that signature set.

With IPS configured, the system generates IPS logs when intrusions are detected. IPS logs contain the signature IDs of the detected attacks, and you can look up detailed information about an attacking signature by its ID in the IPS online help pages. To view IPS logs, on the Navigation pane, click Log > Attack Log > IPS to visit the IPS log list page.

Editing an IPS Rule

To edit an IPS rule, take the following steps:

  1. On the Navigation pane, click Configure > Security > IPS to visit the IPS page.
  2. Select the IPS rule you want to edit from the rule list below, and click Edit. In the IPS Configuration dialog, modify the settings as needed.
  3. Click OK to save your changes.

Deleting an IPS Rule

To delete an IPS rule, take the following steps:

  1. On the Navigation pane, click Configure > Security > IPS to visit the IPS page.
  2. Select the IPS rule you want to delete from the rule list below, and click Delete.

Updating IPS Signature Database

By default, the system updates the IPS signature database automatically every day. You can change the update configuration as needed. The system supports auto update and local update.

To configure options for auto update, take the following steps:

  1. On the Navigation pane, click Configure > Security > IPS to visit the IPS page.
  2. On the Task tab in the right auxiliary pane, click Configure after Auto update.
  3. In the Auto Update Configuration - IPS Signature DB dialog, configure the options.
    • Last update result: Displays the status of the last update.
    • Last update time: Displays the last update time of the virus database.
    • Auto update: Enables or disables auto update.
    • Schedule: Specifies an update schedule, which can be an arbitrary time of a day or a week that you choose.
    • Server 1: Specifies an IP address for the update server.
    • Server 2: Specifies an IP address for the update server.
    • Server 3: Specifies an IP address for the update server.
    • Restore Default Server: Click the button to restore to the default.
    • OK: Saves the changes and returns to the previous dialog/page.
    • Cancel: Cancels the changes and returns to the previous dialog/page.
  4. Click OK to save your changes and close the dialog.

After completion, system will update the IPS signature database automatically according to the configured schedule.

To update the IPS signature database locally, take the following steps:

  1. On the Navigation pane, click Configure > Security > IPS to visit the IPS page.
  2. On the Task tab in the right auxiliary pane, click Upload after Local update.
  3. In the IPS Local Update Configuration dialog, click Browse, select an IPS signature database file on the local disk, and click Upload.

To update the IPS signature database immediately, take the following steps:

  1. On the Navigation pane, click Configure > Security > IPS to visit the IPS page.
  2. On the Task tab in the right auxiliary pane, click Update Now. System will update the IPS signature database immediately.

Configuring IPS Global Options

To configure the global options of IPS, take the following steps:

  1. On the Navigation pane, click Configure > Security > IPS to visit the IPS page.
  2. On the Task tab in the right auxiliary pane, configure the options in the IPS Global Configuration section.
    • IPS: Select/clear the Enable check box to enable/disable IPS.
    • Log: Select/clear the Enable check box to enable/disable logging.
    • Force check: Select the Enable check box to enable IPS force check. With this function enabled, system will drop the traffic that requires IPS detection if the detection cannot be properly implemented (for example, during signature database update or configuration update). By default this function is disabled, i.e., the traffic that requires IPS detection can still pass through even if the detection cannot be properly implemented.
    • Mode: Specifies a working mode for IPS:
      IPS - If attacks have been detected, system will generate protocol anomaly alarms and attacking behavior logs, and will also reset connections or block attackers. This is the default mode.
      Log only - If attacks have been detected, system will only generate protocol anomaly alarms and attacking behavior logs, but will not reset connections or block attackers.
  3. Click OK to save your settings.
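
The following added example (not vendor code and not taken from the device) models how the settings described on this page combine when auditing a configuration: the per-signature action overriding the signature set's per-level action, the global/set enable rule from the Note above, and the global Mode and Force check options. The class, field and effect names and the signature IDs are hypothetical, and it assumes that disabling Log suppresses log generation.

```python
from dataclasses import dataclass, field

# Model of the rules on this page; field and effect names are hypothetical.
@dataclass
class GlobalConfig:                      # IPS Global Configuration options
    ips_enabled: bool = True
    log_enabled: bool = True
    force_check: bool = False            # disabled by default
    mode: str = "IPS"                    # "IPS" (default) or "Log only"
    disabled_sigs: set = field(default_factory=set)   # disabled globally

@dataclass
class SignatureSet:
    level_action: dict                   # level -> (action, block_attacker)
    overrides: dict = field(default_factory=dict)     # sig id -> (action, block_attacker)
    disabled_sigs: set = field(default_factory=set)   # disabled in this set

def resolve(g, s, sig_id, level, detection_available=True):
    """Return the effects applied to traffic that matches sig_id."""
    if not g.ips_enabled:
        return set()
    if not detection_available:
        # Force check decides between failing closed and failing open.
        return {"drop"} if g.force_check else {"pass-uninspected"}
    # A signature is active only if enabled globally AND in the set.
    if sig_id in g.disabled_sigs or sig_id in s.disabled_sigs:
        return set()
    # A per-signature action outranks the set's per-level action.
    action, block = s.overrides.get(sig_id, s.level_action[level])
    effects = {"log"} if g.log_enabled else set()   # assumption: Log off means no log
    if g.mode == "IPS":                  # "Log only" mode never resets or blocks
        if action == "Reset":
            effects.add("reset")
        if block:
            effects.add("block-attacker")
    return effects

# Constructed sample: signature IDs 1001-1003 are made up for illustration.
SAMPLE_SET = SignatureSet(
    level_action={"Critical": ("Reset", True), "Warning": ("Log only", False)},
    overrides={1002: ("Log only", False)},
    disabled_sigs={1003},
)

if __name__ == "__main__":
    for cfg in (GlobalConfig(), GlobalConfig(mode="Log only")):
        for sig in (1001, 1002, 1003):
            print(cfg.mode, sig, sorted(resolve(cfg, SAMPLE_SET, sig, "Critical")))
    print(resolve(GlobalConfig(force_check=True), SAMPLE_SET, 1001, "Critical", False))
```

With the default Force check setting, the unavailable-detection case returns `pass-uninspected`, which is the gap to look for when reviewing a deployment that must fail closed.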