Security Services
Configuring Intrusion Prevention
Cisco ISA500 Series Integrated Security Appliances Administration Guide 323
NOTE: For ease of use, you can edit the preventive actions for a group of
signatures. Check the box for each signature that you want to change, or
select all signatures by checking the box in the top left corner of the table. To
edit the settings for the selected signatures, click the Edit (pencil) icon at the
top of the table.
Block Threshold: Specify a threshold at which blocking occurs. Traffic is
blocked after the specified number of occurrences, whether the Current Action
is to block and log or to log only. Enter 0 to apply the Current Action
immediately upon detection.
NOTE: The counter is reset to 0 whenever IPS settings are saved in the
configuration utility or the security appliance is rebooted.
STEP 5 Click Save to apply your settings.
Configuring Signature Actions
After selecting one or more signatures on the Security Services > Intrusion
Prevention (IPS) > IPS Policy and Protocol Inspection page, use the Edit Selected
Signature Actions page to enable or disable the selected signatures and to
configure the actions.
STEP 1 Enter the following information:
Enable detection of selected signatures: Check this box to enable
intrusion detection for this signature, or uncheck this box to disable it.
Name: The name of the signature.
ID: The unique identifier of the signature.
Severity: The severity level of the threat that the signature can identify.
Default Action: The default preventive action for the signature.
Action on Detect: Choose one of the following actions for the signature:
- Block and Log: Deny the request, drop the connection, and log the event
  when the security signature is detected by the IPS engine.
- Log only: Only log the event when the security signature is detected by
  the IPS engine. This option is mostly used for troubleshooting purposes.