12.10.6. Configuring IPS

You configure the intrusion detection and prevention system at the security-policy intrusion-prevention level.

IDPS rules are configured at the security-policy intrusion-prevention idps-rules level. For more details on the command structure, see Configuring Rules Using UPL.

Available parameters:

PASS, WARNING, DENY

IDPS rule action:

  • PASS: do not block traffic.

  • WARNING: do not block traffic and log information.

  • DENY: block traffic and log information.

enabled

Enable/disable a rule:

  • enabled(yes) or enabled(true).

  • enabled(no) or enabled(false).

name

IDPS rule name.

Example: name("IDPS rule example").

desc

A description of the rule.

Example: desc("Intrusion prevention rule example set via CLI").

src.zone

Traffic source zone.

To specify a source zone, such as Trusted: src.zone = Trusted.

For more details about configuring zones using the CLI, see Zones.

src.ip

Add lists of source IP addresses, MAC addresses, and domains.

Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

Example for domains: src.ip = lib.url(). Specify in parentheses the name of the URL list to which the necessary domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a source MAC address, for example 02:00:00:00:00:00, use src.ip = 02:00:00:00:00:00.

src.geoip

Source GeoIP. Specify a country code (for example, src.geoip = AE).

See the list of ISO 3166-1 country codes.

Important! No more than 15 GeoIP country codes can be specified.

dst.zone

Traffic destination zone.

To specify a traffic destination zone, such as Untrusted: dst.zone = Untrusted.

For more details about configuring zones using the CLI, see Zones.

dst.ip

Add lists of destination IP addresses, MAC addresses, and domains.

To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses.

To specify a domain list: dst.ip = lib.url(). Specify in parentheses the name of the URL list to which the necessary domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists.

To specify a destination MAC address, for example 02:00:00:00:00:00, use dst.ip = 02:00:00:00:00:00.

dst.geoip

Destination GeoIP. Specify a country code (for example, dst.geoip = AE).

See the list of ISO 3166-1 country codes.

Important! No more than 15 GeoIP country codes can be specified.

service

Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups).

To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...).

To specify a services group: service = lib.service(). Provide the services group name in parentheses.

idps_profiles

IPS profiles to use in this rule: idps_profiles("IDPS profile example").

IPS profiles are set for rules that use the Reset or Log action. An IPS profile cannot be set for an allowing rule; an allowing rule without a profile is the way to configure an exception for a specific traffic type.

idps_profiles_exclusions

List of IPS profiles whose signatures are excluded from the signatures of the profiles specified in idps_profiles. Exclusions can be specified only for rules with the Reset or Log action: idps_profiles_exclusions("Example of IDPS profile with exclusions").

This lets you use centrally created signature profiles whose content the administrator cannot change, while still excluding individual signatures that are redundant or generate false positives.

Smart scan mode (scanning only the first bytes of each session) can be configured only via the CLI, at the security-policy intrusion-prevention settings level. To configure it, use the following command:

Admin@UGOS# set security-policy intrusion-prevention settings

Available parameters:

intelligent-mode

Enable/disable smart scan mode:

  • on.

  • off.

intelligent-limit

Number of kilobytes at the start of each session that the IPS scans. Available values: 50 to 200 kB.

To view the current state, use the following command:

Admin@UGOS# show security-policy intrusion-prevention settings

By default, smart scan is enabled and checks the first 200 kB of each session.
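As an added example (not UserGate's code and not UPL syntax), the following Python checker encodes the constraints documented above for the idps-rules and settings levels, so that rules produced by a provisioning script can be validated before they are pushed: the PASS/WARNING/DENY actions, the yes/true/no/false forms of enabled, the 15-code GeoIP limit, the rule that an allowing rule carries no IPS profile, and the 50 to 200 kB intelligent-limit range. The IdpsRule fields, the check that a country code is two uppercase letters (alpha-2, as in the AE example), and the requirement that exclusions come with a profile are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Values taken from the documentation above.
RULE_ACTIONS = {"PASS", "WARNING", "DENY"}
GEOIP_MAX = 15                          # at most 15 codes per geoip field
INTELLIGENT_LIMIT_RANGE = (50, 200)     # kB scanned per session in smart mode
ENABLED_VALUES = {"yes": True, "true": True, "no": False, "false": False}
# Assumption: alpha-2 codes (the page's example is AE).
ISO_CODE = re.compile(r"^[A-Z]{2}$")


@dataclass
class IdpsRule:
    """Hypothetical model of one idps-rules entry (field names are ours)."""
    action: str
    name: str
    enabled: str = "yes"
    src_geoip: list = field(default_factory=list)
    dst_geoip: list = field(default_factory=list)
    idps_profiles: list = field(default_factory=list)
    idps_profiles_exclusions: list = field(default_factory=list)


def check_rule(rule: IdpsRule) -> list:
    """Return the documented constraints this rule violates (empty = ok)."""
    problems = []
    if rule.action not in RULE_ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if rule.enabled.lower() not in ENABLED_VALUES:
        problems.append(f"enabled must be yes/true or no/false, got {rule.enabled!r}")
    for label, codes in (("src.geoip", rule.src_geoip), ("dst.geoip", rule.dst_geoip)):
        if len(codes) > GEOIP_MAX:
            problems.append(f"{label}: {len(codes)} codes exceeds the limit of {GEOIP_MAX}")
        bad = [c for c in codes if not ISO_CODE.match(c)]
        if bad:
            problems.append(f"{label}: not two-letter country codes: {bad}")
    # An IPS profile cannot be set for an allowing (PASS) rule; a PASS rule
    # without a profile is the documented way to make an exception.
    if rule.action == "PASS" and (rule.idps_profiles or rule.idps_profiles_exclusions):
        problems.append("PASS rule cannot carry idps_profiles or idps_profiles_exclusions")
    # Assumption: exclusions need a profile to exclude signatures from.
    if rule.idps_profiles_exclusions and not rule.idps_profiles:
        problems.append("idps_profiles_exclusions set without idps_profiles")
    return problems


def check_settings(intelligent_mode: str, intelligent_limit: int) -> list:
    """Validate the intrusion-prevention settings level (smart scan)."""
    problems = []
    if intelligent_mode not in ("on", "off"):
        problems.append(f"intelligent-mode must be on or off, got {intelligent_mode!r}")
    lo, hi = INTELLIGENT_LIMIT_RANGE
    if not lo <= intelligent_limit <= hi:
        problems.append(f"intelligent-limit {intelligent_limit} outside {lo}..{hi} kB")
    return problems
```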