Create an IPS/IDS Profile

Use the following procedure to create and add an IPS/IDS profile to a ruleset:

Procedure

Step 1

Navigate to Policies > Profiles > IPS/IDS.

Step 2

Click Create.

Step 3

Click into the General Settings tab.

Step 4

Enter a unique Profile Name.

Step 5

(Optional) Enter a Description. This may help differntiate between other profiles with a similar name.

Step 6

Toggle the Threat PCAP option file if the IDS/IPS Profile detects malicious activity. Note that if you toggle this option on, you must have a PCAP profile attached to the gateway.

Step 7

In the Rule Set section of the general settings, note that at least one ruleset from a rules library (Talos, Custom) is required to be specified in the IDS/IPS profile. If Talos rules and custom rulesets are used, at least one of the two must be enabled. If the desire is to disable the entire IDS/IPS Profile, remove the IDS/IPS Profile from any policy ruleset so the IDS/IPS profile will not be evaluated. Use the drop-down menu to select one of the followingsettings that are applied to all rulsets within this profile:

  • Disabled - Specify whether to disable the use of Talos rules.

  • Manual - Specify the Talos rule's version.

  • Automatic - Specify the number of days from publish date to delay automatic update to the latest Talos rule's version.

Use the other drop-down menu to select when the rules within this profile are updated. You can opt to update the rule set Immediately after Talos sends out an update, or any number of days after the update.

Step 8

Click Talos Rules: Policy and choose from the table which policy profile to use as a base. You can only select one profile.

Unless your window view is maximized, scroll to the right of the window and assign an action for the selected profile:

  • Rule Default - Allow or Deny the requests based on the action specified in each triggered Rule and log an Event.

  • Allow Log - Allow the requests and log an event.

  • Allow No Log - Allow the requests and do not log an event.

  • Deny Log - Deny the requests and log an event.

  • Deny No Log - Deny the requests and do not log an event.

Step 9

Click the Talos Rules: Category tab and choose at least one category from the table to the profile.

Step 10

Click the Talos rules: Class tab and choose at least one class from the table to the profile.

Step 11

At the top of the screen click into the Advanced Settings tab.

Step 12

Under Rule Supression click Add and enter a valid Source IP/CIDR List of IP addresses and a corresponding Rule ID List. To remove a row of lists simply click the minus icon to the right of the row.

Step 13

Under Event Filtering: Profile Event Filtering, enter the following information:

  • Type - You can opt for either Rate or Sample. Generated events are rate- or sample-limited based on the specified Number of Events triggered over a Time evaluation interval (in seconds).

  • Number of Events - Manually enter a value of allowed number of events.

  • (Available for the Rate type) Time (Seconds) - enter a numerical value in seconds.

Step 14

Under Event Filtering: Rule Event Filtering, click Add. Enter the following information:

  • Rule ID List - Specify a comma-separated list of rule IDs.

  • Number of Events - Manually enter a value of allowed number of events.

  • (Available for the Rate type) Time (Sec) - enter a numerical value in seconds.

  • Type - Select either Rate or Sample. Generated events are rate- or sample-limited based on the specified Number of Events triggered over a Timeevaluation interval (in seconds).

Step 15

Under the Rule Setting List section of the advanced settings, click Add and enter the following:

  • Source IP/CIDR List - provide a comma-separated list of IPs or CIDRs

  • Rule ID List - provide a comma-separated list of rule IDs. Note that for high number rules, only the rule ID is necessary. For low number rules, the GID and ID need to be specified for the rule ID as GID:ID. An example is 119:3.

  • Action - Select an action for when the source IP/CIDR list or rule ID list is triggered on. Note that if a rule is suppressed, no action is taken and no logs are sent or captured.

    • Allow Log - Allow the requests and log an event.

    • Allow No Log - Allow the requests and do not log an event.

    • Deny Log - Deny the requests and log an event.

    • Deny No Log - Deny the requests and do not log an event.

What to do next

Attach the profile to a policy rule set. See Rule Sets and Rule Set Groups for more information.