IPS configuration examples

 

The following information provides IPS configuration examples.

 

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the IPS feature.

 

The IPS feature requires a license to run on the device. After the license expires, IPS can use the existing IPS signature library on the device, but the library cannot be updated.

Network configuration

As shown in Figure 1, the device acts as the security gateway. Configure the IPS feature to meet the following requirements:

·     Protect the internal network from the vulnerability attacks from the Internet.

·     Allow the internal users to use the application that matches the IPS signature with signature ID 936.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on R8860 of the CSAP-NTA-300 device.

Procedure

1.     Assign IP addresses to interfaces:

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Trust security zone.

b.     Click the IPv4 Address tab, and then enter the IP address and mask length of the interface. This example uses 10.1.1.1/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Untrust security zone and set its IP address to 20.1.1.1./24 in the same way you configure GE 1/0/1.

2.     Configure routing settings.

This example configures a static route. To use dynamic routing, configure dynamic routing protocols as required.

To configure a static route:

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 0.0.0.0:

¡     Enter destination IP address 0.0.0.0.

¡     Enter mask length 0.

¡     Enter next hop address 20.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

3.     Update the IPS signature library to the latest version. (Details not shown.)

4.     Configure an IPS profile:

# On the top navigation bar, click Objects.

# From the navigation pane, select APP Security > IPS > Profiles.

# Click Create.

# In the dialog box that opens, configure an IPS profile:

¡     Enter the name ips.

¡     In the View Matching Signatures area, configure the following settings:

-     Select All for the protected target.

-     Select Vulnerability for the attack categories.

-     Set To-server and To-client for the direction.

-     Set the predefined action to drop, permit, reset and blacklist.

-     Set the severity level to critical, high, medium, and low.

-     Enable the predefined status.

¡     In the Action area on the top of the page, configuration the actions:

-     Select Drop from the action list.

-     Enable logging.

-     Use the default settings for other parameters.

Figure 2 Creating an IPS profile

 

# In the active signature list, select signature 936, and click Custom. In the dialog box that opens, configure the following parameters:

¡     Set the status to Enable.

¡     Select Permit from the action list.

¡     Enable logging.

¡     Use the default settings for other parameters.

Figure 3 Customizing the signature

 

# Click OK.

# Click OK.

5.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-trust to permit the specified traffic from the Untrust to Trust security zones:

¡     Enter policy name untrust-trust.

¡     Select source zone Untrust.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select destination IP address 10.1.1.0/24.

¡     Select IPS profile ips in the Content security area.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy trust-untrust to permit the specified traffic from the Trust to Untrust security zones:

¡     Enter policy name trust-untrust.

¡     Select source zone Trust.

¡     Select destination zone Untrust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IP address 10.1.1.0/24.

¡     Select IPS profile ips in the Content security area.

¡     Use the default settings for other parameters.

# Click OK.

# After you apply the IPS profile to the security policy, click Submit to have the content security configuration take effect.

Verifying the configuration

Verify that IPS can implement the following protection for the internal network:

·     Log and block the vulnerability attacks.

·     Allow the internal users to use the application that matches IPS signature 936.

To view the logs generated for these events, click Monitor on the top navigation bar, and then select Security Logs > Threat Logs from the navigation pane.