Chapter 3 IPS Filtering

The default security profile is set to the ANY ==> ANY security zone pair with all IPS filters configured with the default Digital Vaccine settings. With the default profile in place, all incoming and outgoing traffic in any security zone configured on the device is monitored according to the recommended IPS filter configuration. You can edit the default Security Profile to customize the security zones that it applies to and create custom filter settings, or create your own Security Profiles as required.

Note: Before creating Security Profiles, verify that the Network and System configuration on the X family device is set up correctly for your environment. In particular, you need to configure all required Security Zones before you can create the Security Profiles to protect them. For details, see “System” on page 217 and “Network” on page 129.

You can monitor and configure IPS from the IPS menu pages available in the LSM. For additional information, see the following topics:

“Using the IPS” on page 16

“Security Profiles” on page 17

“IPS Digital Vaccine (DV) Filters” on page 23

“Traffic Threshold Filters” on page 38

“Action Sets” on page 44

Using the IPS

You can monitor and configure the settings for IPS from the IPS menu pages available in the LSM. The following menu options are available:

Security Profiles — View and manage the Security Profiles available on the device, and view the security profile coverage by security zone.

Traffic Threshold — View, manage and create Traffic Threshold filters to monitor network traffic levels. These filters can be configured to trigger when traffic is either above or below normal levels.

Action Sets — View, manage and create actions that define the operations a filter performs when a traffic match occurs.

IPS Services — Add and manage non-standard ports supported by the device. Use this feature to configure additional ports associated with specific applications, services, and protocols to expand scanning of traffic. When filters scan traffic against the standard ports for listed services, the engine then accesses and scans traffic against the list of additional ports.

Preferences — Reset IPS filters to the factory default values; configure timeout, logging, and congestion threshold settings to manage performance of the Threat Suppression Engine; and configure the Adaptive Filter feature used to protect performance from the effects of over-active filters.

For details on each menu option, see the following topics:

“Security Profiles” on page 17

“Traffic Threshold Filters” on page 38

“Action Sets” on page 44

“IPS Services” on page 55

“Preferences” on page 57

16 X Family LSM User’s Guide V 2.5.1