
Configure Intrusion Prevention

To use Intrusion Prevention Service (IPS), you must have a feature key to enable the service.

For more information, see:

IPS Setup Wizard

You can use the IPS Setup Wizard to enable and configure IPS and apply the feature to your firewall policies.

  1. Click Next to begin.
  2. Select the Scan Mode. You can select one of two modes:
    • Full Scan — Scan all packets for policies that have IPS enabled.
    • Fast Scan — Scan fewer packets to improve performance. This option greatly improves the throughput for scanned traffic, but does not provide the comprehensive coverage of Full Scan mode. This is the default setting.
  3. For each threat level, select the action. Available actions are:
    • Allow — Allows the connection.
    • Drop — Denies the request and drops the connection. No information is sent to the source of the content.
    • Block — Denies the request, drops the connection, and adds the IP address of the content source to the Blocked Sites list. If the content that matches an IPS signature came from a client, the client IP address is added to the Blocked Sites list. If the content came from a server, the server IP address is added to the Blocked Sites list.
  4. For each threat level, to send a log message for an IPS action, select the Log check box.
  5. For each threat level, to trigger an alarm for an IPS action, select the Alarm check box.
  6. Click Next.
  7. Select the firewall policies that use IPS, then click Next.
  8. Click Finish.

Make sure that you enable automatic updates of IPS signatures to keep your signatures current. To configure signature update settings, select Update Server. For more information, see Configure the IPS Update Server.

Enable IPS and Configure IPS Actions

To enable IPS:

  1. Select Subscription Services > Intrusion Prevention (IPS).

Screenshot of the IPS page, Settings tab: IPS configuration in Fireware Web UI

Screenshot of the Intrusion Prevention Service dialog box, Settings tab: IPS configuration in Policy Manager

  2. Select the Enable Intrusion Prevention check box.
  3. Select the Scan Mode. You can select one of two modes:
    • Full Scan — Scan all packets for policies that have IPS enabled.
    • Fast Scan — Scan fewer packets to improve performance. This option greatly improves the throughput for scanned traffic, but does not provide the comprehensive coverage of Full Scan mode. This is the default setting.

If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for your device.

  4. For each threat level, select the action. Available actions are:
    • Allow — Allows the connection.
    • Drop — Denies the request and drops the connection. No information is sent to the source of the content.
    • Block — Denies the request, drops the connection, and adds the IP address of the content source to the Blocked Sites list. If the content that matches an IPS signature came from a client, the client IP address is added to the Blocked Sites list. If the content came from a server, the server IP address is added to the Blocked Sites list.
  5. For each threat level, to send a log message for an IPS action, select the Log check box.
  6. For each threat level, to trigger an alarm for an IPS action, select the Alarm check box.
  7. Click Save.

If you enable IPS for an HTTPS proxy policy, you must also enable Content Inspection in the HTTPS proxy action, in order for IPS to scan the HTTPS content. For more information, see HTTPS-Proxy: Content Inspection. IPS scanning of HTTPS content is not supported on XTM 21, 22, and 23 devices.

Configure Other IPS Settings

You can disable or enable IPS for each policy in your configuration. For more information, see Enable or Disable IPS for a Policy.

To configure signature update settings, select Update Server. For more information, see Configure the IPS Update Server.

To add signatures to the exceptions list, select Signatures. For more information, see Configure IPS Exceptions.

To configure notification settings for IPS, click Notification. For more information, see Set Logging and Notification Preferences.
