Configure IPS Exceptions
When you enable the IPS feature, the Firebox examines traffic to look for patterns of traffic that match the signatures of known intrusions. When an IPS signature match occurs, the Firebox denies the content and the intrusion is blocked. If you want to allow traffic that is blocked by an IPS signature, you can find the identification number for the signature (the signature ID) and add the signature ID to the IPS exception list.
Find the IPS Signature ID
When the Firebox blocks a connection based on a match with an IPS signature, the signature ID appears in the log file if you have enabled logging for IPS. To see which IPS signature blocked the connection, look in the log file for the IPS signature ID number. If a connection that you want to allow is blocked by an IPS signature, use the signature ID to add an IPS exception to allow that connection.
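Reading signature IDs out of the log file by hand is tedious when a rule fires often. The following added example (not WatchGuard's code) parses constructed sample log lines, groups detections by signature ID, and lists the IDs worth reviewing before an exception is added; the key="value" field layout and the field names (`msg`, `src_ip`, `signature_id`, `signature_name`, `action`) are assumptions, so adjust the pattern to your firmware's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines. The key="value" layout and field names are
# assumptions about the Firebox IPS log format; adjust FIELD_RE to match yours.
SAMPLE_LOGS = """\
2024-05-01T09:12:01 fw1 http-proxy msg="IPS detected" src_ip="10.0.1.25" dst_ip="203.0.113.10" signature_id="1110001" signature_name="WEB.Example.Scanner" action="Drop"
2024-05-01T09:12:07 fw1 http-proxy msg="IPS detected" src_ip="10.0.1.31" dst_ip="203.0.113.10" signature_id="1110001" signature_name="WEB.Example.Scanner" action="Drop"
2024-05-01T09:13:44 fw1 https-proxy msg="IPS detected" src_ip="10.0.2.8" dst_ip="198.51.100.7" signature_id="1220042" signature_name="APP.Example.Updater" action="Block"
2024-05-01T09:15:00 fw1 http-proxy msg="allowed" src_ip="10.0.1.25" dst_ip="203.0.113.10"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ips_events(log_text):
    """Return one dict of key/value fields per line that carries an IPS detection."""
    events = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("msg") == "IPS detected" and "signature_id" in fields:
            events.append(fields)
    return events

def summarize_by_signature(events):
    """Group detections by signature ID: hit count, name, source hosts and actions seen."""
    summary = defaultdict(lambda: {"name": "", "hits": 0, "sources": set(), "actions": set()})
    for ev in events:
        entry = summary[ev["signature_id"]]
        entry["name"] = ev.get("signature_name", entry["name"])
        entry["hits"] += 1
        entry["sources"].add(ev.get("src_ip", "?"))
        entry["actions"].add(ev.get("action", "?"))
    return dict(summary)

def exception_candidates(summary, min_hits=2):
    """Signature IDs hit repeatedly from more than one internal host: the IDs to
    review (and confirm are benign) before typing them into the exception list.
    Returns (signature_id, hits, name) tuples, most hits first."""
    cands = [(sid, e["hits"], e["name"]) for sid, e in summary.items()
             if e["hits"] >= min_hits and len(e["sources"]) > 1]
    return sorted(cands, key=lambda c: -c[1])

if __name__ == "__main__":
    summary = summarize_by_signature(parse_ips_events(SAMPLE_LOGS))
    for sid, hits, name in exception_candidates(summary):
        print(f"review signature {sid} ({name}): {hits} hits from {sorted(summary[sid]['sources'])}")
```

A signature that appears here is only a candidate: confirm the blocked traffic is legitimate before adding its ID with the Allow action, since the exception applies to every connection that matches the signature.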
Add an IPS Signature Exception
From Fireware Web UI:
- Select Subscription Services > Intrusion Prevention Service.
The IPS configuration page opens.
- Select the Exceptions tab.
The list of IPS signature exceptions opens.
- Click Add.
The Add Exception dialog box opens.
- In the ID text box, type the ID of the IPS signature you want to add.
- From the Action drop-down list, select the action you want IPS to take for this signature. The available actions are:
  - Allow — Allows the connection.
  - Drop — Denies the request and drops the connection. No information is sent to the source of the content.
  - Block — Denies the request, drops the connection, and adds the IP address of the content source to the Blocked Sites list. If the content that matches an IPS signature came from a client, the client IP address is added to the Blocked Sites list. If the content came from a server, the server IP address is added to the Blocked Sites list.
- To send a log message for this IPS exception, select the Log check box.
- To send an alarm for this IPS exception, select the Alarm check box.
- Click OK.
The exception is added to the Signature Exceptions list.
- Click Save.
To edit the settings for an exception, select the exception and click Edit.
To remove an exception, select the exception and click Remove.
From Policy Manager:
- Select Subscription Services > Intrusion Prevention.
The Intrusion Prevention Service dialog box opens.
- Click Exceptions.
The Signature Exceptions dialog box opens.
- In the Signature ID text box, type the ID of the signature you want to add.
- From the Action drop-down list, select the action you want IPS to take for this signature. The available actions are:
  - Allow — Allows the connection.
  - Drop — Denies the request and drops the connection. No information is sent to the source of the content.
  - Block — Denies the request, drops the connection, and adds the IP address of the content source to the Blocked Sites list. If the content that matches an IPS signature came from a client, the client IP address is added to the Blocked Sites list. If the content came from a server, the server IP address is added to the Blocked Sites list.
- To send a log message for this IPS exception, select the Log check box.
- To send an alarm for this IPS exception, select the Alarm check box.
- Click Add.
The exception is added to the Signature Exceptions list.
To edit the settings for an exception, click the Action, Alarm, or Log column in the Signature Exceptions table.
To remove an exception, select the exception and click Remove.