Enabling Traffic Inspection on Gateways
You must configure traffic inspection to enable Gateway IDS/IPS. Use only the HPE Aruba Networking IDPS-supported gateways with the gateway or SD-Branch security license. For more information, see Preparing to add IDPS-Supported Gateways.
The Intrusion Detection and Prevention System (IDPS) monitors, detects, and prevents threats in the inbound and outbound traffic. Aruba IDPS provides an extra layer of protection that actively analyzes the network and takes actions on the traffic flows based on the defined rules. It inspects data packets and, if any threat is identified, acts in real time to prevent it.
- When you assign a subscription with security license, the gateways reboot to enable the traffic inspection engine for the first time. It is recommended that you apply the security license after business hours, as this might result in downtime in the network.
- When assigning subscriptions, if you change a subscription with security license to a subscription without a security license, you must reboot the gateway manually to release the CPU (Central Processing Unit) resources that were assigned to the traffic inspection engine. It is recommended to reboot the gateway after business hours, as this might result in downtime in the network.
Before you begin
Ensure that the following requirements are met before you configure Gateway IDS/IPS:
- Prerequisites for IDPS configuration:
- You have an active gateway subscription with security license.
- You must have on-boarded and connected the Gateway IDS/IPS supported Branch Gateways to HPE Aruba Networking Central successfully.
- You must install AOS 10.3 or later version on the gateways to enable the traffic inspection engine.
From 10.4, by default, the IPSec encrypted traffic does not go through IDPS inspection.
To enable traffic inspection, complete the following steps:
- In the WebUI, select one of the two following options:
  - To configure a Branch Gateway, complete the following steps:
    - Set the filter to a group containing at least one Branch Gateway or Mobility Gateway. The dashboard context for the group is displayed.
    - Click .
    - Click the icon to view the Branch Gateway or Mobility Gateway group configuration dashboard.
  - To configure a Branch Gateway, complete the following steps:
    - Set the filter to or a group containing at least one Branch Gateway or campus mobility gateway.
    - Under , click > . A list of gateways is displayed in the List view.
    - Click a gateway under . The dashboard context for the gateway is displayed.
The HPE Aruba Networking gateway (independent or part of a group) that you want to configure must be Gateway IDS/IPS supported.
- To configure a Branch Gateway, complete the following steps:
  - Under , click > .
- Click the icon to open the Gateway IDS/IPS configuration page. An IDS (Intrusion Detection System) monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network. An IPS (Intrusion Prevention System) monitors a network for malicious activities such as security threats or policy violations. The main function of an IPS is to identify suspicious activity, log the information, attempt to block the activity, and report it.
- In the tab, select the check box.
After traffic inspection is enabled, the Branch Gateways start detecting malicious events in the inbound and outbound data. IDS is selected as the default mode and IDS Strict is selected as the default policy. You can configure either IDS or IPS based on the requirement. Otherwise, the traffic inspection engine works with the default configuration.
Disabling Traffic Inspection
You must clear the check box to disable traffic inspection.