Configure Intrusion Prevention
To use Intrusion Prevention Service (IPS), you must have a feature key to enable the service. For more information, go to:
IPS Scan Modes
IPS has two scan modes:
- Full Scan — Scan all packets for policies that have IPS enabled.
- Fast Scan — Scan fewer packets within each connection to improve performance.
Full scan mode inspects a larger portion of the file and requires more time and resources to complete. Fast scan mode inspects a smaller portion of each file that in most cases is enough to identify all threats, and provides much better IPS performance. WatchGuard recommends you use the Full scan mode in most environments.
IPS Threat Levels
IPS categorizes signatures into five threat levels, based on the severity of the threat. The severity levels, from highest to lowest, are:
- Critical
- High
- Medium
- Low
- Information
When you enable IPS, the default setting is to drop and log traffic that matches the Critical, High, Medium, or Low threat levels. Traffic that matches the Information threat level is allowed and not logged by default.
IPS Actions
For each threat level you can select one of these actions:
- Allow — Allows the connection.
- Drop — Denies the request and drops the connection. No information is sent to the source of the content.
- Block — Denies the request, drops the connection, and adds the IP address of the content source to the Blocked Sites list. If the content that matches an IPS signature came from a client, the client IP address is added to the Blocked Sites list. If the content came from a server, the server IP address is added to the Blocked Sites list.
Enable and Configure IPS
If your Firebox has an active IPS subscription, the Web Setup Wizard and Quick Setup Wizard automatically enable IPS with recommended settings. For more information, go to Setup Wizard Default Policies and Settings.
When you enable IPS, a warning message appears if automatic updates are disabled for IPS signatures. To configure automatic updates, go to Configure the IPS Update Server.
- In Fireware Web UI, select Subscription Services > Intrusion Prevention Service.
  If IPS is licensed but not enabled, the IPS Setup Wizard starts automatically.
- Click Next to begin.
- Select the Scan Mode.
- For each threat level, from the Action drop-down list, select the action.
- For each threat level, to send a log message for an IPS action, select the Log check box.
- For each threat level, to trigger an alarm for an IPS action, select the Alarm check box.
- Click Next.
- Select the firewall policies that use IPS. Click Next.
- Click Finish.
- Select Subscription Services > Intrusion Prevention Service.
- If IPS is not enabled, click Skip to configure the settings manually.
- Select the Enable Intrusion Prevention check box.
- Select the Scan Mode. You can select one of two modes: Full Scan or Fast Scan.
- For each threat level, from the Action drop-down list, select the action.
- For each threat level, to send a log message for an IPS action, select the Log check box.
- For each threat level, to trigger an alarm for an IPS action, select the Alarm check box.
- Click Save.
- Select Subscription Services > Intrusion Prevention.
- Select the Enable Intrusion Prevention check box.
- Select the Scan Mode.
- For each threat level, from the Action drop-down list, select the action.
- For each threat level, to send a log message for an IPS action, select the Log check box.
- For each threat level, to trigger an alarm for an IPS action, select the Alarm check box.
- Click OK.
If you enable IPS for an HTTPS-proxy policy, you must also enable Content Inspection in the HTTPS-proxy action, in order for IPS to scan the HTTPS content. For more information, go to HTTPS-Proxy: Content Inspection.
Configure Other IPS Settings
To keep your signatures current, make sure that you enable automatic updates of IPS signatures.
- To configure signature update settings, select Update Server. For more information, go to Configure the IPS Update Server.
- You can disable or enable IPS for each policy in your configuration. For more information, go to Enable or Disable IPS for a Policy.
- To add signatures to the exceptions list, select Signatures. For more information, go to Configure IPS Exceptions.
- To configure notification settings for IPS, click Notification. For more information, go to Set Logging and Notification Preferences.
Video tutorial: Getting Started with IPS