17-DPI Configuration Guide

H3C WX3800X Series Access Controllers Configuration Guides (R1411P02)-6W101, 17-DPI Configuration Guide
04-IPS configuration

Configuring IPS

About IPS

Intrusion prevention system (IPS) is a security feature that enables devices to monitor network traffic for malicious activity and to proactively take prevention actions.

IPS functions

IPS provides the following functions:

·     In-depth protection—IPS inspects the application layer data of packets, performs protocol analysis and reassembly on network traffic flows, and takes actions according to the analysis results.

·     Real-time protection—IPS monitors network traffic in real time and can take actions on detected attacks.

·     All-around protection—IPS can detect and prevent the following types of attacks:

¡     Malicious software such as worms, viruses, Trojan horses, bots, spyware, adware, scanners, and backdoors.

¡     Malicious attacks such as common gateway interface (CGI) attacks, cross-site scripting attacks, injection attacks, directory traversal attacks, information leakage attacks, remote file inclusion attacks, buffer overflow attacks, code execution attacks, and DoS attacks.

·     Bidirectional protection—IPS monitors both incoming and outgoing traffic to prevent attacks arising from the internal and external networks.

IPS policies

IPS is implemented based on IPS policies. An IPS policy contains a set of IPS signatures for matching packets and the actions for the packets.

IPS signatures

The device compares packets with IPS signatures to detect, classify, and prevent network attacks.

Each IPS signature contains various attributes, including attack category, action, protected target, severity level, and direction. You can filter the IPS signatures that an IPS policy uses based on the IPS signature attributes.

The device supports the following types of IPS signatures:

·     Predefined IPS signatures—Automatically generated by the device based on the local signature library. You cannot add, modify, or delete a predefined IPS signature.

·     User-defined IPS signatures—For new attacks that cannot be detected by predefined signatures, you can customize IPS signatures. The user-defined IPS signatures include Snort signatures that are imported from a Snort file and user-configured signatures that are manually configured.

IPS actions

When the device detects a matching packet for an IPS signature, it takes the actions specified for the signature on the packet.

The device supports the following signature actions:

·     Reset—Closes the TCP connections for matching packets by sending TCP reset messages.

·     Redirect—Redirects matching packets to a webpage.

·     Block-source—Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for a duration set by the block-period command. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked.

To enable the IP blacklist feature, use the blacklist global enable command. For more information about the IP blacklist feature, see Security Configuration Guide.

For more information about the block-period command, see DPI Command Reference.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

IPS mechanism

IPS takes effect after you apply an IPS policy to a DPI application profile and use the DPI application profile in a security policy rule.

As shown in Figure 1, upon receiving a packet, the device performs the following operations:

1.     The device identifies the packet application layer protocol and extracts the packet signatures.

2.     The device determines the actions for the packet by comparing the extracted packet signatures with the IPS signatures in the IPS policy:

¡     If the packet does not match any IPS signatures, the device permits the packet to pass.

¡     If the packet matches only one IPS signature, the device takes the signature actions.

¡     If the packet matches multiple IPS signatures, the device uses the following rules to select the actions:

-     If the matching IPS signatures carry two or more of the exclusive actions redirect, drop, permit, and reset, the device takes the action of the highest priority. In descending order of priority, the actions are reset, redirect, drop, and permit.

-     The device will execute the block-source, capture, and logging actions if they are in the matching IPS signatures.

Figure 1 IPS mechanism

IPS signature library update

The device uses IPS signatures to inspect application layer traffic for malicious threats and attacks.

You can update the device IPS signature library to the latest version.

Updating the IPS signature library

The following methods are available for updating the IPS signature library on the device:

·     Automatic update.

The device automatically downloads the most up-to-date IPS signature file to update its local signature library periodically.

·     Triggered update.

The device downloads the most up-to-date IPS signature file to update its local signature library immediately after you trigger the operation.

·     Manual update.

Use this method when the device cannot obtain the IPS signature file automatically.

You must manually download the most up-to-date IPS signature file, and then use the file to update the signature library on the device.

Restrictions: Licensing requirements for IPS

The IPS module requires a license to run on the device. If the license expires, you can still use the IPS functions but you can no longer upgrade the IPS signature library on the device. For more information about licenses, see License Management Configuration Guide.

IPS tasks at a glance

To configure IPS, perform the following tasks:

1.     Configuring an IPS policy

2.     Applying an IPS policy to a DPI application profile

3.     Activating IPS policy settings

4.     Applying a DPI application profile to a security policy rule

5.     Updating the IPS signature library

6.     (Optional.) Importing and deleting Snort IPS signatures

7.     (Optional.) Managing a user-configured IPS signature

8.     (Optional.) Enabling IPS signature hit counting

9.     (Optional.) Configuring IPS whitelist

Configuring an IPS policy

Creating an IPS policy

About this task

By default, a newly created IPS policy uses all enabled IPS signatures and applies the default signature action to packets that match a signature. You can filter the IPS signatures used by the IPS policy and change the signature actions.

Procedure

1.     Enter system view.

system-view

2.     Create an IPS policy and enter its view.

ips policy policy-name

A default IPS policy named default exists. The default IPS policy uses all enabled IPS signatures on the device and cannot be modified or deleted.

Configuring IPS signature filtering criteria for an IPS policy

About this task

By default, an IPS policy uses all enabled IPS signatures on the device. You can set criteria to filter IPS signatures that an IPS policy uses based on the signature attributes.

An IPS policy uses an IPS signature only if the signature matches all the configured criteria.

For certain attribute-based criteria (such as the action, object direction, or severity level criteria), you can specify multiple attribute values. An IPS signature matches such a criterion if it matches any of the specified attribute values.

Procedure

1.     Enter system view.

system-view

2.     Enter IPS policy view.

ips policy policy-name

3.     Configure the IPS signature filtering criteria.

¡     Set a target criterion.

protect-target { target [ subtarget | all ] }

By default, the target attribute is not used for IPS signature filtering.

¡     Set an attack category criterion.

attack-category { category [ subcategory ] | all }

By default, the attack category attribute is not used for IPS signature filtering.

¡     Set an action criterion.

action { block-source | drop | permit | reset } *

By default, the action attribute is not used for IPS signature filtering.

¡     Set an object direction criterion.

object-dir { client | server } *

By default, the object direction attribute is not used for IPS signature filtering.

¡     Set a severity level criterion.

severity-level { critical | high | low | medium } *

By default, the severity level attribute is not used for IPS signature filtering.

¡     Set a default status criterion.

status { disabled | enabled } *

By default, the default status attribute is not used for IPS signature filtering.

In the IPS signature library, the default status of an IPS signature indicates whether or not the IPS signature is recommended. IPS signatures in disabled default status are not recommended, and IPS signatures in enabled default status are recommended.

Configuring IPS actions for an IPS policy

About this task

By default, the system applies the default actions of an IPS signature to packets matching the signature.

You can also configure global actions for an IPS policy or change the actions for individual IPS signatures in the policy.

The system selects the actions for packets matching an IPS signature in the following order:

1.     Actions configured for the IPS signature in the IPS policy.

2.     Actions configured for the IPS policy.

3.     Default actions of the IPS signature.
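The selection order above, combined with the multiple-match rules from "IPS mechanism" (highest-priority exclusive action wins; block-source, capture and logging run whenever any matching signature carries them), as an added Python model that is not from the guide or from H3C. Signature IDs and action sets are constructed, and the model assumes that an override at a higher level replaces the whole action set of the level below it.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Exclusive actions in descending priority, as the guide lists them.
EXCLUSIVE_PRIORITY = ("reset", "redirect", "drop", "permit")
# Actions that are executed whenever any matching signature carries them.
ADDITIVE = frozenset({"block-source", "capture", "logging"})


@dataclass
class Signature:
    sig_id: int
    default_actions: FrozenSet[str]   # actions from the signature library
    enabled: bool = True              # default state from the signature library


@dataclass
class IpsPolicy:
    """A policy with optional 'signature override all' actions and per-signature overrides."""
    name: str
    policy_actions: Optional[FrozenSet[str]] = None          # signature override all ...
    # sig_id -> (enabled, actions or None), i.e. signature override ... signature-id ...
    sig_overrides: Dict[int, Tuple[bool, Optional[FrozenSet[str]]]] = field(default_factory=dict)

    def effective_actions(self, sig: Signature) -> Optional[FrozenSet[str]]:
        """Selection order from the guide: the signature override in the policy, then the
        policy-wide actions, then the signature's defaults. A higher level replaces the
        whole action set of the lower level (assumption of this model)."""
        enabled, actions = self.sig_overrides.get(sig.sig_id, (sig.enabled, None))
        if not enabled:
            return None                     # a disabled signature is never matched
        if actions is not None:
            return actions
        if self.policy_actions is not None:
            return self.policy_actions
        return sig.default_actions

    def resolve(self, matched: List[Signature]) -> FrozenSet[str]:
        """Combine the actions of every matching signature into what the device executes."""
        exclusive, additive = set(), set()
        for sig in matched:
            actions = self.effective_actions(sig)
            if actions is None:
                continue
            exclusive.update(a for a in actions if a in EXCLUSIVE_PRIORITY)
            additive.update(actions & ADDITIVE)
        if not exclusive:                   # no enabled signature matched: the packet passes
            return frozenset({"permit"}) | frozenset(additive)
        winner = next(a for a in EXCLUSIVE_PRIORITY if a in exclusive)
        return frozenset({winner}) | frozenset(additive)


# Constructed signatures: IDs and action sets are sample values, not library content.
SIGS = {
    1001: Signature(1001, frozenset({"drop", "logging"})),
    1002: Signature(1002, frozenset({"permit"})),
    1003: Signature(1003, frozenset({"reset", "capture"}), enabled=False),
}
```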

Restrictions and guidelines

The logging keyword enables the IPS module to log packet matching events and send log messages to the information center.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output IPS logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view IPS logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see System Management Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an IPS policy.

ips policy policy-name

3.     Specify the global packet processing actions for the IPS policy.

signature override all { { block-source | drop | permit | redirect | reset } | capture | logging } *

By default, no actions are specified for an IPS policy and the default actions of IPS signatures are applied to matching packets.

4.     (Optional.) Change the state or actions for an IPS signature.

signature override { pre-defined | user-defined } signature-id { { disable | enable } [ { block-source | drop | permit | redirect | reset } | capture | logging ] * }

By default:

¡     Predefined IPS signatures use the actions and states defined by the system.

¡     User-defined IPS signatures use the actions and states defined in the IPS signature file from which the signatures are imported.

You cannot change the state or actions for an IPS signature in the default IPS policy.

5.     (Optional.) Specify the number of the captured packets to be cached for threat analysis.

ips capture-cache number

By default, the number of the captured packets to be cached for threat analysis is not specified, and the device does not cache any captured packets.

This command enables the device to cache IPS captured packets. After caching the specified number of captured packets, the device writes all cached packets and the hit packet to the capture file for threat analysis.

Specifying a parameter profile for an IPS action

About this task

The block-source, capture, and logging actions take effect only after a parameter profile is specified. You can specify a parameter profile for an IPS action as follows:

·     Specify a global parameter profile in system view. The setting takes effect in all IPS policies.

·     Specify a parameter profile in IPS policy view, which is a policy-specific setting. Only the email action supports specifying a parameter profile in IPS policy view.

Restrictions and guidelines

·     The global parameter profile for an IPS action takes precedence over a policy-specific parameter profile for the action.

·     To have a parameter profile for an IPS action in an IPS policy take effect, make sure the global parameter profile is disabled.

·     As a best practice, enable the global parameter profile after the global parameter profile configuration is completed.

Specifying a global parameter profile for an IPS action

1.     Enter system view.

system-view

2.     Specify a global parameter profile for an IPS action.

ips { block-source | capture | email | logging | redirect } parameter-profile parameter-name

By default, no global parameter profile or email notification service is specified for an IPS action.

Use this command to specify a parameter profile for the block-source, capture, logging, and redirect actions. The parameters for the execution of the email action are determined by the email notification service. For more information about configuring an action parameter profile, see DPI engine commands in DPI Command Reference. For more information about configuring an email notification service, see Network Management and Monitoring Command Reference.

Specifying an action parameter profile in an IPS policy

1.     Enter system view.

system-view

2.     Enter IPS policy view.

ips policy policy-name

3.     Specify the log output method.

log { email | syslog }

By default, the IPS log output method is syslog.

4.     (Optional.) Specify an email notification service for the email action.

email parameter-profile parameter-profile-name

By default, no email notification service is specified for the email action.

This command is available only when the log output method is email. The parameters for the execution of the email action are determined by the specified email notification service. For more information about configuring an email notification service, see Network Management and Monitoring Command Reference.

5.     (Optional.) Disable the global parameter profile.

undo global-parameter enable

By default, global parameter profiles are enabled.

Applying an IPS policy to a DPI application profile

About this task

An IPS policy must be applied to a DPI application profile to take effect.

Restrictions and guidelines

A DPI application profile can use only one IPS policy. If you apply different IPS policies to the same DPI application profile, only the most recent configuration takes effect.

Procedure

1.     Enter system view.

system-view

2.     Enter DPI application profile view.

app-profile profile-name

For more information about this command, see DPI engine commands in DPI Command Reference.

3.     Apply an IPS policy to the DPI application profile.

ips apply policy policy-name mode { protect | alert }

By default, no IPS policy is applied to the DPI application profile.

Activating IPS policy settings

About this task

After you edit the IPS policy settings, perform this task to activate the settings.

Procedure

1.     Enter system view.

system-view

2.     Activate IPS policy settings.

inspect activate

By default, IPS policy settings do not take effect.

CAUTION:

This command can cause a temporary outage of all DPI services and might interrupt services that depend on them. For example, a security policy might fail to control access to applications.

Applying a DPI application profile to a security policy rule

1.     Enter system view.

system-view

2.     Enter security policy view.

security-policy

3.     Enter security policy rule view.

rule { rule-id | [ rule-id ] name rule-name }

4.     Set the rule action to pass.

action pass

The default rule action is drop.

5.     Use a DPI application profile in the rule.

profile app-profile-name

By default, no DPI application profile is used in a security policy rule.

Updating the IPS signature library

You can update the version of the IPS signature library on the device.

Restrictions and guidelines

·     Do not delete the /dpi/ folder in the root directory of the storage medium.

·     Do not perform IPS signature update when the device's free memory is below the normal state threshold. For more information about device memory thresholds, see hardware resource management in System Management Configuration Guide.

·     For successful automatic and immediate signature update, make sure the device can resolve the domain name of the company's website into an IP address through DNS. For more information about DNS, see DNS configuration in Network Connectivity Configuration Guide.

·     Update only one signature library at a time. Do not perform signature library update until the existing signature library update is completed.

Scheduling automatic IPS signature library update

About this task

You can schedule automatic IPS signature library update if the device can access the signature database services on the company's website. The device periodically obtains the latest signature file from the company's website to update its local signature library according to the update schedule.

Procedure

1.     Enter system view.

system-view

2.     Enable automatic IPS signature library update and enter automatic IPS signature library update configuration view.

ips signature auto-update

By default, automatic IPS signature library update is disabled.

3.     Schedule the update time.

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

By default, the device updates the IPS signature library at a random time between 01:00:00 and 03:00:00 every day.

4.     (Optional.) Configure the device to overwrite the current IPS signature library without backing up the library during an automatic signature library update.

override-current

By default, the device backs up the current IPS signature library as the previous version before performing an automatic IPS signature library update.

Triggering an immediate IPS signature update

About this task

Whenever a new signature version is released on the company's website, you can trigger the device to immediately update the local signature library.

Procedure

1.     Enter system view.

system-view

2.     Trigger an immediate IPS signature library update.

ips signature auto-update-now

Performing an IPS signature manual update

About this task

If the device cannot access the signature database services on the company's website, use one of the following methods to manually update the IPS signature library on the device:

·     Local update—Updates the IPS signature library by using a locally stored update IPS signature file.

Store the update file on the master device for successful signature library update.

·     FTP/TFTP update—Updates the IPS signature library by using the file stored on the FTP or TFTP server.

Procedure

1.     Enter system view.

system-view

2.     Manually update the IPS signature library on the device.

ips signature update [ override-current ] file-path

Importing and deleting Snort IPS signatures

Importing Snort IPS signatures

About this task

To add your own IPS signatures, create an IPS signature file in the Snort format and import the signatures from the file to the device.

Restrictions and guidelines

Make sure the IPS signature file contains all Snort signatures that you want to use. All existing Snort signatures on the device will be overwritten by the imported signatures.

For a signature defined by a Snort rule to be imported correctly from the IPS signature file, make sure the Snort rule is valid.

Procedure

1.     Enter system view.

system-view

2.     Import Snort IPS signatures from a Snort file.

ips signature import snort file-path

Deleting Snort IPS signatures

1.     Enter system view.

system-view

2.     Delete all Snort IPS signatures.

ips signature remove snort

Managing a user-configured IPS signature

Creating a user-defined IPS signature

About this task

You can create signatures that do not exist in the current signature library.

Procedure

1.     Enter system view.

system-view

2.     Create an IPS signature and enter its view.

ips signature user-defined name signature-name

By default, no user-configured IPS signatures exist.

3.     (Optional.) Configure the description for the user-defined IPS signature.

description text

Configuring attributes in a user-defined IPS signature

About this task

Each IPS signature contains various attributes, including action, direction, severity level, and the logical operator between the rules in the signature.

You can create multiple rules in a user-defined IPS signature. If the logical AND operator is specified, a packet matches the signature only when the packet matches all rules in the signature. If the logical OR operator is specified, a packet matches the signature when the packet matches any rule in the signature.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of a user-defined IPS signature.

ips signature user-defined name signature-name

By default, no user-defined IPS signatures exist.

3.     Configure the attributes for the user-defined IPS signature.

¡     Set the actions for packets matching the IPS signature.

action { block-source | drop | permit | reset } [ capture | logging ] *

By default, the action for a user-defined IPS signature is permit.

¡     Set the traffic direction attribute.

direction { any | to-client | to-server }

By default, both client-to-server and server-to-client directions are defined for a user-defined IPS signature.

¡     Set a severity level.

severity-level { critical | high | low | medium } *

By default, the low severity level attribute is specified for a user-defined IPS signature.

¡     Set a logical operator between the rules in the signature.

rule-logic { and | or }

By default, the logical OR operator is specified between the rules in a user-defined IPS signature.

Configuring rules for a user-defined IPS signature

About this task

A user-defined IPS signature rule can be one of the following types:

·     Keyword.

·     Integer.

A user-defined signature rule might contain filtering criteria, detection items, and a detection trigger condition. The device uses the rule for packet filtering as follows:

1.     The device compares the packet with the filtering criteria.

¡     If the packet matches all filtering criteria, the device goes to the next step.

¡     If the packet does not match all filtering criteria, IPS does not process the packet.

2.     The device compares the packet with the detection trigger condition.

This step is available only for a rule of the keyword type.

¡     If the packet matches the detection trigger condition, the device goes to the next step.

¡     If the packet does not match the detection trigger condition, IPS does not process the packet.

3.     The device compares the packet with the detection items.

The detection items are used to match the specified contents in a packet. A packet matches a rule only when the packet matches all detection items in the rule. The match order of the detection items is their configuration order.

Restrictions and guidelines

A detection item compares its keyword with the contents in the specified protocol field.

To avoid detection errors, configure detection items based on the sequence of protocol fields in the HTTP protocol.

In a signature rule of the keyword match pattern type, a detection trigger condition must be configured before detection item configuration. If you delete the detection trigger condition, all detection items in the rule will also be deleted.

To define the start and end positions for the match operation, use either the offset and depth, or the relative offset and relative depth.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of a user-defined IPS signature.

ips signature user-defined name signature-name

3.     Create a user-defined IPS signature rule and enter its view.

rule rule-id l4-protocol l4-protocol-name l5-protocol l5-protocol-name pattern-type { keyword | integer }

By default, no user-defined IPS signature rules exist.

4.     Configure the filtering criteria for the rule.

¡     Set a source IP address filtering criterion.

source-address ip ip-address

By default, a user-defined IPS signature rule matches all source IP addresses.

¡     Set a destination IP address filtering criterion.

destination-address ip ip-address

By default, a user-defined IPS signature rule matches all destination IP addresses.

¡     Set source port filtering criteria.

source-port start-port [ to end-port ]

By default, a user-defined IPS signature rule matches all source ports.

¡     Set destination port filtering criteria.

destination-port start-port [ to end-port ]

By default, a user-defined IPS signature rule matches all destination ports.

¡     Set an HTTP request method filtering criterion.

http-method method-name

By default, a user-defined IPS signature rule matches all HTTP request methods.

5.     Configure the detection trigger condition and detection items for a rule in a signature of the keyword type.

a.     Create a detection trigger condition.

trigger field field-name include { hex hex-string | text text-string } [ offset offset-value ] [ depth depth-value ]

b.     Create a detection item.

detection-keyword detection-id field field-name match-type { exclude | include } { hex hex-string | regex regex-pattern | text text-string } [ offset offset-value [ depth depth-value ] | relative-offset relative-offset-value [ relative-depth relative-depth-value ] ]

6.     Configure detection items for a rule in a signature of the integer type.

detection-integer field field-name match-type { eq | gt | gt-eq | lt | lt-eq | nequ } number
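The rule evaluation described in this section, as an added Python model that is not from the guide or from H3C: the three-step flow (filtering criteria, detection trigger condition, detection items in configuration order), the offset/depth and relative-offset/relative-depth match windows, include/exclude matching on text, hex or regex patterns, integer rules, and the signature-level rule-logic. A packet is a dict keyed by the guide's criterion names; the application-layer field names (http-uri, content-length), the sample requests and the signature are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

INT_OPS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b, "gt-eq": lambda a, b: a >= b,
           "lt": lambda a, b: a < b, "lt-eq": lambda a, b: a <= b, "nequ": lambda a, b: a != b}

def filter_matches(crit: dict, pkt: dict) -> bool:
    """Step 1: every configured filtering criterion must match; ports are (start, end) ranges."""
    for key, want in crit.items():
        have = pkt.get(key)
        if isinstance(want, tuple):
            if have is None or not want[0] <= have <= want[1]:
                return False
        elif have != want:
            return False
    return True

@dataclass
class Keyword:  # a detection trigger condition or a detection item of a keyword rule
    fld: str
    kind: str                    # "text" | "hex" | "regex"
    pattern: str
    match_type: str = "include"  # "include" | "exclude"
    offset: int = 0
    depth: Optional[int] = None
    relative_offset: Optional[int] = None  # counted from the end of the previous item's match
    relative_depth: Optional[int] = None
    def find_end(self, data: bytes, prev_end: int) -> int:
        """End of the first match inside the configured window, or -1 if the pattern is absent."""
        if self.relative_offset is not None:
            start, depth = prev_end + self.relative_offset, self.relative_depth
        else:
            start, depth = self.offset, self.depth
        segment = data[start:start + depth] if depth is not None else data[start:]
        if self.kind == "regex":
            m = re.search(self.pattern.encode(), segment)
            return start + m.end() if m else -1
        needle = bytes.fromhex(self.pattern) if self.kind == "hex" else self.pattern.encode()
        idx = segment.find(needle)
        return start + idx + len(needle) if idx >= 0 else -1
    def matches(self, pkt: dict, prev_end: int) -> tuple:  # -> (hit, new prev_end)
        end = self.find_end(pkt.get(self.fld, b""), prev_end)  # "exclude" hits when absent
        return ((end >= 0) == (self.match_type == "include")), (end if end >= 0 else prev_end)

@dataclass
class Rule:
    pattern_type: str                    # "keyword" | "integer"
    filt: dict = field(default_factory=dict)
    trigger: Optional[Keyword] = None    # keyword rules: must exist before detection items
    items: list = field(default_factory=list)
    integer: Optional[tuple] = None      # (field, operator, number) for integer rules
    def matches(self, pkt: dict) -> bool:
        if not filter_matches(self.filt, pkt):            # step 1: filtering criteria
            return False
        if self.pattern_type == "integer":                # integer rules have no trigger step
            fld, op, number = self.integer
            return INT_OPS[op](pkt.get(fld, 0), number)
        if self.trigger is None or not self.trigger.matches(pkt, 0)[0]:
            return False                                  # step 2: detection trigger condition
        prev_end = 0
        for item in self.items:                           # step 3: every item, in config order
            ok, prev_end = item.matches(pkt, prev_end)
            if not ok:
                return False
        return True

@dataclass
class UserSignature:
    rules: list
    rule_logic: str = "or"   # guide default; "and" requires every rule to match
    def matches(self, pkt: dict) -> bool:
        hits = [rule.matches(pkt) for rule in self.rules]
        return all(hits) if self.rule_logic == "and" else any(hits)

# Constructed signature: a GET to a CGI script whose query climbs two directories (the second
# "../" item is anchored with relative-offset 0 right after the first), OR an oversized body.
TRAVERSAL = UserSignature(rules=[
    Rule("keyword", {"destination-port": (80, 80), "http-method": b"GET"},
         trigger=Keyword("http-uri", "text", "/cgi-bin/"),
         items=[Keyword("http-uri", "text", "../"),
                Keyword("http-uri", "text", "../", relative_offset=0)]),
    Rule("integer", integer=("content-length", "gt", 1000)),
])
# Constructed sample requests, already split into fields by the protocol decoder.
ATTACK = {"source-address": "198.51.100.7", "destination-port": 80, "http-method": b"GET",
          "http-uri": b"/cgi-bin/status.cgi?path=../../etc/passwd", "content-length": 0}
BENIGN = {"source-address": "198.51.100.7", "destination-port": 80, "http-method": b"GET",
          "http-uri": b"/cgi-bin/status.cgi?path=tmp", "content-length": 0}
```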

Enabling IPS signature hit counting

About this task

This feature enables the device to collect hit statistics for each IPS signature. You can view IPS signature hit statistics on the Web interface of the device.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an IPS policy.

ips policy policy-name

3.     Enable IPS signature hit counting.

statistics signature-hit enable

By default, IPS signature hit counting is disabled.

Configuring IPS whitelist

About this task

If false alarms exist in IPS logs, you can enable the IPS whitelist feature, and add the detected IPS signature IDs, URLs, or source IP addresses to the IPS whitelist. The IPS signature IDs, URLs, and source IP addresses are recorded in the IPS logs. The device permits packets matching the IPS signatures, URLs, or source IP addresses on the IPS whitelist to pass through, reducing false alarms.

If an IPS whitelist entry contains a signature ID, URL, and source IP address, or two of them, a packet matches this entry only when it matches all configured criteria.

Procedure

1.     Enter system view.

system-view

2.     Enable the IPS whitelist feature.

ips whitelist enable

By default, the IPS whitelist feature is disabled.

3.     Create an IPS whitelist entry and enter its view.

ips whitelist entry-id

4.     Configure the description for the IPS whitelist entry.

description text

By default, an IPS whitelist entry does not have any description.

5.     Configure the IPS whitelist entry. Choose at least one of the following options to configure:

¡     Add a signature ID to the IPS whitelist entry.

signature-id sig-id

By default, no signature ID exists in an IPS whitelist entry.

¡     Add a URL to the IPS whitelist entry.

url match-type { accurate | substring } url-text

By default, no URL exists in an IPS whitelist entry.

¡     Add a source IP address to the IPS whitelist entry.

source-address { ip ipv4-address | ipv6 ipv6-address }

By default, no source IP address exists in an IPS whitelist entry.

6.     Return to system view.

quit

7.     Activate the IPS whitelist configuration.

ips whitelist activate

After you create or edit an IPS whitelist entry that contains a URL, you must execute this command to have the configuration take effect.

Verifying and maintaining IPS

Perform display tasks in any view.

·     Display IPS policy information.

display ips policy policy-name

·     Display IPS signature library information.

display ips signature library

·     Display IPS signature information.

display ips signature [ pre-defined | user-defined { snort | user-config } ] [ direction { any | to-client | to-server } ] [ category category-name | fidelity { high | low | medium } | protocol { icmp | ip | tcp | udp } | severity { critical | high | low | medium } ] *

·     Display detailed information about a predefined IPS signature.

display ips signature pre-defined signature-id

·     Display detailed information about a user-defined IPS signature.

display ips signature user-defined { snort | user-config } signature-id

·     Display information about IPS signatures that failed to be parsed during signature import.

display ips signature user-defined parse-failed
