H3C SecPath Security Products FAQ(V7)-6W100


08-IPS FAQ

IPS FAQ

Q.     Why are threat logs not updated even though traffic has been passing through the device for a long time?

A.     To resolve the issue:

·     Verify that the traffic actually reaches the device.

·     Identify whether memory alarms occur on the device. If memory thresholds are exceeded, the device does not update log reports unless you restart the device.

Q.     What are the similarities and differences between IPS and other DPI services?

A.     The similarities and differences are as follows:

·     Differences

¡     The IPS module requires a license to run on the device. If the license expires, you can still use the IPS functions but cannot upgrade the IPS signature library to a version released on the official website after license expiration. For more information about licenses, see license management in Fundamentals Configuration Guide.

¡     The device supports predefined IPS signatures that are automatically generated by the device based on the local signature library. You cannot add, modify, or delete a predefined IPS signature. You cannot change the state or actions for a predefined IPS signature.

¡     When the device detects a matching packet for an IPS signature, it takes the actions specified for the signature on the packet.

The device supports the following signature actions:

-     Blacklist—Blocks matching packets. The device also adds the sources of the matching packets to the IP blacklist if the IP blacklist feature is enabled. The subsequent packets from the blacklisted sources will be directly dropped. If the IP blacklist feature is not enabled, the device only blocks matching packets.

For more information about the blacklist feature, see attack detection and prevention in Security Configuration Guide.

-     Drop—Drops matching packets.

-     Permit—Permits matching packets to pass.

-     Reset—Closes the TCP connections for matching packets by sending TCP reset messages, or closes the UDP connections for matching packets by sending ICMP port unreachable messages.

-     Redirect—Redirects matching packets to a webpage.

-     Capture—Captures matching packets.

-     Logging—Logs matching packets.

-     Mail—Generates email information for matching packets.

·     Similarities

The DPI engine is an inspection module shared by all DPI service modules. The DPI engine performs service detection after you use a DPI application profile in a security policy rule. Each DPI service module uses DPI sessions to identify attacks. In addition, attack identification is also related to APR settings.

Q.     What's the relationship between the priorities of IPS processing and the blacklist feature?

A.     The blacklist feature has higher priority than IPS processing.

Q.     What's the relationship between IPS actions?

A.     The device can take only one of the reset, redirect, blacklist, drop, and permit actions at a time, but can also take one or more of the capture, logging, and mail actions at the same time.

Q.     What are priorities of IPS actions?

A.     The actions in descending order of priority are reset, redirect, blacklist/drop, and permit, where the blacklist and drop actions have the same priority.

Q.     How does the device process the packets that match multiple IPS signatures?

A.     If a packet matches multiple IPS signatures, the device takes the action of the highest priority.
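The three answers above (which actions are exclusive, their priority order, and what happens when several signatures match) can be combined into one small resolution routine. The following is an added example, not H3C code: it models the FAQ's rules that exactly one of reset, redirect, blacklist, drop and permit applies (chosen by priority, with blacklist and drop tied), that capture, logging and mail are additive, and that blacklist degrades to a plain drop when the IP blacklist feature is disabled. Two details are assumptions because the FAQ does not state them: a blacklist/drop tie is broken in favour of the earlier matched signature, and the additive actions of every matched signature are applied, not only those of the winning one. The signature names and action sets are constructed sample data.

```python
from dataclasses import dataclass

# Lower number = higher priority. Blacklist and drop share a priority (per the FAQ).
EXCLUSIVE_PRIORITY = {"reset": 0, "redirect": 1, "blacklist": 2, "drop": 2, "permit": 3}
# These may be taken together with the exclusive action and with each other.
ADDITIVE_ACTIONS = frozenset({"capture", "logging", "mail"})


@dataclass(frozen=True)
class Signature:
    """A constructed IPS signature: its name and the actions configured for it."""
    name: str
    actions: frozenset

    def __post_init__(self):
        object.__setattr__(self, "actions", frozenset(self.actions))
        exclusive = [a for a in self.actions if a in EXCLUSIVE_PRIORITY]
        unknown = self.actions - set(EXCLUSIVE_PRIORITY) - ADDITIVE_ACTIONS
        if len(exclusive) != 1:
            raise ValueError(f"{self.name}: exactly one of {sorted(EXCLUSIVE_PRIORITY)} required, got {exclusive}")
        if unknown:
            raise ValueError(f"{self.name}: unknown actions {sorted(unknown)}")

    @property
    def exclusive_action(self) -> str:
        return next(a for a in self.actions if a in EXCLUSIVE_PRIORITY)


@dataclass(frozen=True)
class Verdict:
    exclusive: str        # the single blocking/permitting action applied
    additive: frozenset   # capture/logging/mail actions applied alongside it
    decided_by: str       # name of the signature whose exclusive action won


def resolve_actions(matched):
    """Resolve the verdict for a packet that matched every signature in `matched`."""
    if not matched:
        raise ValueError("no signature matched; nothing to resolve")
    winner = None
    additive = set()
    for sig in matched:
        action = sig.exclusive_action
        # A strictly higher priority replaces the current winner. On a tie
        # (blacklist vs. drop) the earlier signature is kept; this tie-break is
        # an assumption, the FAQ only says the two share a priority.
        if winner is None or EXCLUSIVE_PRIORITY[action] < EXCLUSIVE_PRIORITY[winner.exclusive_action]:
            winner = sig
        # Assumption: additive actions of every matched signature still apply.
        additive |= sig.actions & ADDITIVE_ACTIONS
    return Verdict(winner.exclusive_action, frozenset(additive), winner.name)


def effective_block_action(verdict, blacklist_feature_enabled):
    """Blacklist only blocks the packet (like drop) while the IP blacklist feature is off."""
    if verdict.exclusive == "blacklist" and not blacklist_feature_enabled:
        return "drop"
    return verdict.exclusive


if __name__ == "__main__":
    # Constructed sample: three signatures match the same packet.
    matched = [
        Signature("sample-sig-1", {"drop", "logging"}),
        Signature("sample-sig-2", {"redirect", "capture"}),
        Signature("sample-sig-3", {"permit", "mail"}),
    ]
    verdict = resolve_actions(matched)
    print(verdict)
    print("effective block action:", effective_block_action(verdict, blacklist_feature_enabled=False))
```

Running the sample gives a redirect verdict decided by sample-sig-2, with capture, logging and mail all applied; the permit on sample-sig-3 loses because it has the lowest priority.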

Q.     Why can attacks that were previously identified suddenly no longer be identified when the IPS signature library has not changed?

A.     This issue typically occurs because port mapping settings are configured on the ports used by the attack packets that should have been identified. To identify these attack packets again, remove the port mapping settings.

Q.     Why can't I upgrade the IPS signature library when the display license command shows that the license has not expired?

A.     To prevent the license check from being bypassed by changing the system time, the license status alone does not determine whether you can upgrade the signature library. Instead, the device compares the release time of the signature library with the license validity period. If the release time of the signature library is not within the license validity period, you cannot upgrade to that signature library.
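The reason a release-time comparison is preferred over a clock-based check is easiest to see side by side. The following is an added example, not H3C code: it models a license validity window and a signature library with a release date, and evaluates both a clock-gated check (which a wound-back system clock re-opens) and the FAQ's release-time gate (which ignores the clock entirely). The same gate also explains why a library released during the validity period remains installable after the license expires, consistent with the earlier answer about expired licenses. All dates and the `lib-…` version labels are constructed sample values, not real H3C versions.

```python
from dataclasses import dataclass
from datetime import date


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string (convenient for the constructed samples)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class License:
    start: date
    end: date

    def __post_init__(self):
        object.__setattr__(self, "start", _as_date(self.start))
        object.__setattr__(self, "end", _as_date(self.end))


@dataclass(frozen=True)
class SignatureLibrary:
    version: str      # constructed label only
    released: date

    def __post_init__(self):
        object.__setattr__(self, "released", _as_date(self.released))


def license_looks_valid(lic, system_clock):
    """What a status display reports: is the device clock inside the validity period?"""
    return lic.start <= _as_date(system_clock) <= lic.end


def clock_gated_upgrade_allowed(lic, system_clock):
    """Weak gate: trusts the device clock, so setting the clock back re-opens it."""
    return license_looks_valid(lic, system_clock)


def release_gated_upgrade_allowed(lic, lib):
    """FAQ gate: the library's release time must fall within the license period.
    Neither input is taken from the device clock, so clock changes cannot affect it."""
    return lic.start <= lib.released <= lic.end


def compare_gates(lic, lib, system_clock):
    """Evaluate both gates for one scenario and return the outcomes by name."""
    return {
        "license_status_shown_as_valid": license_looks_valid(lic, system_clock),
        "clock_gated": clock_gated_upgrade_allowed(lic, system_clock),
        "release_gated": release_gated_upgrade_allowed(lic, lib),
    }


if __name__ == "__main__":
    lic = License("2023-01-01", "2023-12-31")            # constructed validity window
    late_lib = SignatureLibrary("lib-2024", "2024-03-05")  # released after expiry
    ok_lib = SignatureLibrary("lib-2023", "2023-09-01")    # released during validity
    # Clock wound back into the validity period: status shows valid, clock gate
    # would allow the upgrade, release gate still refuses the 2024 library.
    print("clock wound back:", compare_gates(lic, late_lib, "2023-06-15"))
    # Honest clock after expiry: status shows expired, yet a library released
    # during the validity period is still allowed by the release gate.
    print("after expiry:", compare_gates(lic, ok_lib, "2024-04-01"))
```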

Q.     How to obtain the real source IP address in a threat log?

A.     The real source IP address of an attack packet is extracted from the Cdn-Src-Ip and X-Forwarded-For fields in the packet.
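To show what that extraction involves, here is an added example, not H3C code, that parses the header block of an HTTP request and returns the client address from Cdn-Src-Ip or X-Forwarded-For, falling back to the IP-layer source when neither header carries a valid address. The precedence (Cdn-Src-Ip first, then the first valid entry of X-Forwarded-For, which by convention is the original client) and the fallback are assumptions; the FAQ only names the two fields. Because both headers are written by whatever sits in front of the server, their values are only as trustworthy as that intermediary, so the function also reports which source it used and the IP-layer address should be logged alongside. The request bytes are constructed sample input.

```python
import ipaddress

# Headers consulted, in assumed order of precedence (names lower-cased for lookup).
REAL_IP_HEADERS = ("cdn-src-ip", "x-forwarded-for")


def parse_headers(raw):
    """Parse the header block of a raw HTTP request into {lower-name: [values...]}."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        if b":" not in line:
            continue                             # tolerate malformed lines
        name, value = line.split(b":", 1)
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip().decode("ascii", "replace"))
    return headers


def _first_valid_ip(values):
    """Return the first syntactically valid IPv4/IPv6 address in a list of
    comma-separated header values, or None. X-Forwarded-For lists the original
    client first, then each proxy that appended itself."""
    for value in values:
        for part in value.split(","):
            part = part.strip()
            try:
                return str(ipaddress.ip_address(part))
            except ValueError:
                continue
    return None


def real_source_ip(raw_request, l3_source):
    """Return (address, source) where source names the header used or 'ip-header'
    when the L3 source address had to be kept."""
    headers = parse_headers(raw_request)
    for header in REAL_IP_HEADERS:
        ip = _first_valid_ip(headers.get(header, []))
        if ip is not None:
            return ip, header
    return l3_source, "ip-header"


if __name__ == "__main__":
    # Constructed sample request that arrived via a proxy chain.
    request = (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"X-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n"
        b"\r\n"
    )
    print(real_source_ip(request, l3_source="198.51.100.9"))
```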

Q.     Why cannot I download captured packets that match an IPS signature with the capture action?

A.     At present, the packet capture function takes effect only when the following conditions are met:

·     A hard disk is mounted on the device.

·     The ips capture cache X command is configured, where X is in the range of 1 to 10 and specifies the number of packets captured each time.

 
