Enabling Traffic Inspection on Gateways

You must configure traffic inspection to enable Gateway IDS/IPS. The HPE Aruba Networking Intrusion Detection and Prevention System (IDPS) monitors, detects, and prevents threats in inbound and outbound traffic. It provides an extra layer of protection that actively analyzes the network and takes action on traffic flows based on the defined rules: it inspects data packets and, if a threat is identified, acts in real time to prevent it. Use only IDPS-supported gateways with the gateway or SD-Branch security license. For more information, see Preparing to add IDPS-Supported Gateways.

  • When you assign a subscription with a security license, the gateways reboot to enable the traffic inspection engine for the first time. It is recommended that you apply the security license after business hours, as the reboot might result in network downtime.

  • When assigning subscriptions, if you change a subscription with a security license to a subscription without a security license, you must reboot the gateway manually to release the CPU resources that were assigned to the traffic inspection engine. It is recommended that you reboot the gateway after business hours, as this might result in network downtime.

Before you begin

Ensure that the following requirements are met before you configure Gateway IDS/IPS:

Prerequisites for IDPS configuration:

  • You have an active gateway subscription with a security license.
  • You have successfully onboarded the Gateway IDS/IPS-supported Branch Gateways and connected them to HPE Aruba Networking Central.
  • You have installed AOS 10.3 or later on the gateways to enable the traffic inspection engine.

From AOS 10.4, IPsec-encrypted traffic does not go through IDPS inspection by default.

To enable traffic inspection, complete the following steps:

  1. In the WebUI, select one of the following two options:
    • To configure a group of Branch Gateways, complete the following steps:
      1. Set the filter to a group containing at least one Branch Gateway or Mobility Gateway.
        The dashboard context for the group is displayed.
      2. Click Gateways.
      3. Click the Config icon to view the Branch Gateway or Mobility Gateway group configuration dashboard.
    • To configure an individual Branch Gateway, complete the following steps:
      1. Set the filter to Global or a group containing at least one Branch Gateway or campus Mobility Gateway.
      2. Under Manage, click Devices > Gateways.
        A list of gateways is displayed in the List view.
      3. Click a gateway under Device Name.
        The dashboard context for the gateway is displayed.

    The HPE Aruba Networking gateway (standalone or part of a group) that you want to configure must support Gateway IDS/IPS.

  2. Under Manage, click Security > Gateway IDS/IPS.
  3. Click the Config icon to open the Gateway IDS/IPS configuration page. (An Intrusion Detection System (IDS) monitors a network or systems for malicious activity or policy violations and reports its findings to the management system; an Intrusion Prevention System (IPS) identifies suspicious activity, logs it, attempts to block it, and reports it.)
  4. In the General tab, select the Enable traffic inspection check box.

After traffic inspection is enabled, the Branch Gateways start detecting malicious events in inbound and outbound data. IDS is selected as the default mode and IDS Strict is selected as the default policy. You can configure either IDS or IPS according to your requirements; otherwise, the traffic inspection engine runs with the default configuration.

Disabling Traffic Inspection

To disable traffic inspection, clear the Enable traffic inspection check box.