You configure the intrusion detection and prevention system at the security-policy intrusion-prevention level.
IDPS rules are configured at the security-policy intrusion-prevention idps-rules level. For more details on the command structure, see Configuring Rules Using UPL.
Available parameters:
Parameter |
Description |
---|---|
PASS WARNING DENY |
IDPS rule action:
|
enabled |
Enable/disable a rule:
|
name |
IDPS rule name. Example: name("IDPS rule example"). |
desc |
A description of the rule. Example: desc("Intrusion prevention rule example set via CLI"). |
src.zone |
Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about configuring zones using the CLI, see Zones. |
src.ip |
Add lists of source IP addresses, MAC addresses, and domains. Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see Configuring IP addresses. Example for domains: src.ip = lib.url(). Specify the URL to which necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists. To specify source MAC addresses, such as 02:00:00:00:00:00: use src.ip = 02:00:00:00:00:00. |
src.geoip |
Source GeoIP. Specify a country code (for example, src.geoip = AE). Click here for the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. |
dst.zone |
Traffic destination zone. To specify a traffic destination zone, such as Untrusted: dst.zone = Untrusted. For more details about configuring zones using the CLI, see Zones. |
dst.ip |
Add lists of destination IP addresses, MAC addresses, and domains. To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see Configuring IP addresses. To specify a domain list: dst.ip = lib.url(). Specify the URL to which the necessary domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists. To specify destination MAC addresses, such as 02:00:00:00:00:00: use dst.ip = 02:00:00:00:00:00. |
dst.geoip |
Destination GeoIP. Specify a country code (for example, dst.geoip = AE). Click here for the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. |
service |
Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups). To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...). To specify a services group: service = lib.service(). Provide the services group name in parentheses. |
idps_profiles |
IPS profiles to use in this rule: idps_profiles("IDPS profile example"). IPS profiles are set for the rules that use the Reset and Log actions. An IPS profile cannot be set for an allowing rule; this implementation provides a way to configure exceptions for a specific traffic type. |
idps_profiles_exclusions |
List of IPS profiles whose signatures should be excluded from the signatures specified in the IPS profiles. You can only specify them for rules with Reset or Log action: idps_profiles_exclusions("Example of IDPS profile with exclusions"). This feature allows you to use centrally created signature profiles in which the administrator cannot change the content, but to still exclude some signatures from that profile if they are redundant or generate false positives. |
You can configure smart scan mode (scan only the first bytes of each session) only using CLI. You configure the mode at the security-policy intrusion-prevention settings level. To configure it, use the following command:
Admin@UGOS# set security-policy intrusion-prevention settings
Available parameters:
Parameter |
Description |
---|---|
intelligent-mode |
Enable/disable smart scan mode:
|
intelligent-limit |
Number of the first kilobytes of each session that the IPS system will scan. Available values: from 50 to 200kB. |
To view the current state, use the following command:
Admin@UGOS# show security-policy intrusion-prevention settings
By default, Smart scan is enabled. It checks the first 200kB of each session.