
Intrusion Detection/Prevention System

Configuration > Overlays & Security > Security > IDS/IPS

The Intrusion Detection/Prevention System (IDS/IPS) can monitor traffic for potential threats and malicious activity. It generates threat events based on preconfigured rules. Packets are copied and inspected against signatures that Orchestrator downloads from the Cloud Portal. Orchestrator sends the signature file, together with any rules that have been added to the allow list, to the appliances.

  • IDS designates traffic for inspection using matching rules enabled in the zone-based firewall.

  • IPS protects traffic by matching a signature and then performing a configured action (Drop, Inspect, or Allow).

Use the Intrusion Detection/Prevention tab to view IDS/IPS status or state, or to modify the IDS/IPS configuration for appliances selected in the appliance tree.


The table has the following columns:

  • Appliance: Name of the appliance.

  • Status: Status of IDS/IPS for the appliance, such as Not Eligible, Protecting Traffic, or License applied but EC Not Eligible.

  • IDS/IPS State: State of IDS/IPS on the appliance (IDS Enabled, IPS-Performant Enabled, IPS-Inline Enabled, or Disabled).

  • Profile: IDS/IPS signature profile applied to the appliance.

  • Eligible: Indicates whether the appliance is eligible to enable IDS/IPS. For more information, see Prerequisites for IDS/IPS below.

  • Licensed: Indicates whether the appliance is licensed to run IDS/IPS.

  • Engine Version: IPS engine version.

  • Signature Family: Proofpoint ETPro signature family, such as 4.x or 5.x.

  • Signature Version: IDS/IPS signature version.

  • Inspected pkts/sec (last 5 min): Number of packets inspected in the previous five minutes.

  • Threats detected (last 5 min): Number of threats detected in the previous five minutes.

  • IPS Flow Drops (Cumulative): Number of flows dropped since IPS started running. The count is cumulative: each new drop is added to the previous total rather than reset.

  • Events: Click the info icon to view the most recent IDS/IPS events on the appliance.

  • Stats: Click the stats icon to view the following IDS/IPS statistics for the appliance: packets per second sent to the IDS/IPS, IPS Flow Drops (Cumulative), Threats Detected, and bits per second sent to the IDS/IPS.

Prerequisites for IDS/IPS

  • IDS/IPS can be enabled on the following ECOS releases and appliances.

    For IDS:

    • ECOS 9.1.x.x or later for all EdgeConnect appliances except EC-XS (part numbers 200889 and 200900 only) and EC-US

    • ECOS 9.1.x.x or later for EC-V deployments (minimum of 4 cores and 16 GB of RAM required)

    For IDS/IPS:

    • ECOS 9.2.x.x or later for all EdgeConnect appliances except EC-XS (part numbers 200889 and 200900 only) and EC-US

    • ECOS 9.2.x.x or later for EC-V deployments (minimum of 4 cores and 16 GB of RAM required)

  • IDS/IPS can be enabled only on appliances running ECOS 9.1.0.0 or later. Appliances running an earlier version of ECOS will not be shown on the Intrusion Detection/Prevention tab.

  • IDS/IPS is a licensed feature and can be enabled only on appliances that have been assigned the Advanced Security license. Refer to the help information for the Licenses tab (Configuration > Overlays & Security > Licensing > Licenses).
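The prerequisites above can be turned into a pre-check that an operator runs against an appliance inventory before opening the Apply IDS/IPS dialog. The following is an added example, not Orchestrator's own eligibility logic: the Appliance record, the check() helper and the sample inventory are assumptions made for the example, and the thresholds are the ones documented in this section (9.1.0.0 for IDS and for the appliance to appear on the tab, 9.2.0.0 for IPS, 9.4.1.0 for IPS-Inline, 4 cores and 16 GB RAM for EC-V, the two excluded EC-XS part numbers, EC-US, and the Advanced Security license).

```python
# Added example: eligibility pre-check encoding the documented IDS/IPS prerequisites.
# Illustrative code, not Orchestrator's; the Appliance record and check() are assumptions.
from dataclasses import dataclass

MIN_IDS = (9, 1, 0, 0)          # IDS Only; earlier releases are not shown on the tab at all
MIN_IPS = (9, 2, 0, 0)          # IPS-Performant
MIN_IPS_INLINE = (9, 4, 1, 0)   # IPS-Inline (earlier releases ignore the mode)
EXCLUDED_XS_PARTS = {"200889", "200900"}   # EC-XS part numbers without IDS/IPS support
MIN_ECV_CORES, MIN_ECV_RAM_GB = 4, 16


def parse_ecos(version: str) -> tuple[int, int, int, int]:
    """Turn an ECOS version string such as '9.2.3.0' into a comparable 4-tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ECOS version string: {version!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


@dataclass
class Appliance:
    name: str
    model: str          # e.g. "EC-V", "EC-XS", "EC-US", "EC-L"
    part_number: str
    ecos: str
    licensed: bool      # Advanced Security license assigned
    cores: int = 0      # only checked for EC-V
    ram_gb: int = 0     # only checked for EC-V


def check(a: Appliance) -> tuple[list[str], list[str]]:
    """Return (modes that can be enabled, reasons why enabling is blocked)."""
    reasons: list[str] = []
    v = parse_ecos(a.ecos)
    if v < MIN_IDS:
        return [], [f"{a.name}: ECOS {a.ecos} is earlier than 9.1.0.0; not shown on the tab"]
    if a.model == "EC-US" or (a.model == "EC-XS" and a.part_number in EXCLUDED_XS_PARTS):
        reasons.append(f"{a.name}: {a.model} (part {a.part_number}) does not support IDS/IPS")
    if a.model == "EC-V" and (a.cores < MIN_ECV_CORES or a.ram_gb < MIN_ECV_RAM_GB):
        reasons.append(f"{a.name}: EC-V needs at least {MIN_ECV_CORES} cores and {MIN_ECV_RAM_GB} GB RAM")
    if not a.licensed:
        reasons.append(f"{a.name}: no Advanced Security license assigned")
    if reasons:
        return [], reasons
    modes = ["IDS Only"]                    # v >= MIN_IDS already holds here
    if v >= MIN_IPS:
        modes.append("IPS-Performant")
    if v >= MIN_IPS_INLINE:
        modes.append("IPS-Inline")
    return modes, reasons


# Constructed sample inventory; part number "000000" is a placeholder, not a real SKU.
INVENTORY = [
    Appliance("ecv-1", "EC-V", "n/a", "9.2.3.0", True, cores=8, ram_gb=32),
    Appliance("ecv-2", "EC-V", "n/a", "9.1.0.0", True, cores=2, ram_gb=16),
    Appliance("xs-1", "EC-XS", "200889", "9.4.1.0", True),
    Appliance("xs-2", "EC-XS", "000000", "9.4.1.0", True),
    Appliance("old-1", "EC-L", "000000", "9.0.5.0", True),
    Appliance("unlic-1", "EC-L", "000000", "9.3.0.0", False),
]

if __name__ == "__main__":
    for appliance in INVENTORY:
        modes, reasons = check(appliance)
        print(f"{appliance.name}: modes={modes} reasons={reasons}")
```

Run it once over the real inventory export before scheduling a change window; anything that comes back with an empty mode list and a reason is an appliance the Apply IDS/IPS dialog will either not show (pre-9.1.0.0) or will refuse to protect.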

NOTE: IDS/IPS alarms are logged in standard syslog format. You can configure a logging facility for IDS/IPS and a remote log receiver to send the logs to a third-party tool for additional review and analytics. See Advanced Reporting and Analytics below.

Apply IDS/IPS on Appliances

You can turn on or off IDS/IPS for appliances displayed in the table. You can also apply a different signature profile to the appliances. Orchestrator provides a Default signature profile.

  1. Click Apply IDS/IPS on Appliances.

    The Apply IDS/IPS dialog box opens.

  2. To apply or remove IDS/IPS, select the IDS/IPS Mode check box, and then select one of the following:

    • Off to turn off IDS and IPS for all appliances.

    • IDS Only to enable IDS on the appliances.

    • IPS-Performant to enable IPS-Performant on the appliances.

    • IPS-Inline to enable IPS-Inline on the appliances.

      NOTE: IPS-Inline mode can be applied only to appliances on ECOS version 9.4.1.0 or later. Appliances on earlier versions will ignore this mode.

  3. To apply a different signature profile, select the Profile check box, and then select the appropriate signature family from the first drop-down list. The second drop-down list includes the Orchestrator-provided default profile that corresponds to the signature family you selected (Default for 4.x or Default_S5 for 5.x) and any other signature profiles you have created. Select the signature profile you want to use. For more information about signature profiles, see Manage Signature Profiles below.

  4. The Modification column displays the proposed changes, if any, for the appliances. To apply your changes, click Save. Or, to close the dialog box without making any changes, click Cancel.

Manage Signature Profiles

Signature profiles enable you to configure rules that are downloaded from the signature set on the Cloud Portal. Orchestrator provides the following default signature profiles:

  • For the 4.x signature family, the Default signature profile

  • For the 5.x signature family, the Default_S5 signature profile

These default profiles include default settings for the signature rules. Default profiles are automatically used across all appliances. You can create additional signature profiles and override default rule settings by choosing different actions as needed. To open the Signature Profiles tab, click Signature Profiles. For information about creating signature profiles and modifying their rules, refer to the help information for the Signature Profiles tab.

Update Signatures on Appliances

You can immediately update signatures on your appliances or schedule the updates to occur when convenient for your organization—on a daily, weekly, monthly, or yearly basis.

To immediately update your appliances with signature updates, click Update Signatures. Orchestrator checks for any signature updates and pushes them to the appliances. This might take some time. You can check the audit log for status updates.

To update based on a schedule:

  1. Click Signature Scheduler.

    The Signature Scheduler dialog box opens.


  2. Click the edit icon.

    The Schedule dialog box opens.


  3. Click Daily, Weekly, Monthly, or Yearly.

  4. Specify the appropriate schedule criteria, and then click OK.

  5. On the Signature Scheduler dialog box, click Save.

    Orchestrator will automatically update your appliances according to your specified schedule.

NOTE: The time zone displayed in Signature Scheduler reflects the global time zone setting for scheduled jobs and reports (Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs). The time zone displayed on the calendar when you click the calendar icon on the Schedule dialog box reflects your local time zone.


View Signature History

You can view the history of signature versions. You can also view the differences between a listed signature version and the previous one. The differences show the changes reflected in the new signature set compared to the previous one, including modified, deleted, and added rules.

  1. Click Signature History.

    The Signature History dialog box opens with a historical table of signature versions displayed based on signature family.


    You can select a different signature family from the Signature Family drop-down list. The Level column in the table indicates the restriction level applied to IPS usage (lenient, moderate, or strict).

  2. To view the differences between a signature version and the previous one, click the icon in the Diff column.

    The Signature History Detail dialog box opens.


    The table lists new signatures in the signature version compared to the previous one.
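The added, deleted and modified categories that the Signature History diff reports can be reproduced offline when you want to review a signature push before or after it lands. The following is an added example, not Orchestrator's code: it assumes each rule is a Snort/Suricata-style line carrying a "sid:N;" option, which is how ET rule sets are written, and the two sample rule sets are constructed with local-range sids.

```python
# Added example: classify changes between two signature versions into added, deleted
# and modified rules. Illustrative code, not Orchestrator's. Assumes Snort/Suricata-style
# rule lines with a "sid:N;" option; the sample rules below are constructed.
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def index_rules(rule_text: str) -> dict[int, str]:
    """Map each rule's sid to its full text. Blank lines and '#' comment lines are skipped."""
    rules: dict[int, str] = {}
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            raise ValueError(f"line {lineno}: no sid option found")
        sid = int(m.group(1))
        if sid in rules:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        rules[sid] = line
    return rules


def diff_signature_sets(old_text: str, new_text: str) -> dict[str, list[int]]:
    """Compare two rule sets by sid: present only in new = added, only in old = deleted,
    in both but with different text (content, rev, msg, ...) = modified."""
    old, new = index_rules(old_text), index_rules(new_text)
    return {
        "added": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "modified": sorted(s for s in old.keys() & new.keys() if old[s] != new[s]),
    }


# Constructed sample: previous signature version.
OLD_RULES = """\
# constructed sample set, previous version
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Outbound test pattern 1"; content:"EXAMPLE-TEST-1"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Outbound test pattern 2"; content:"EXAMPLE-TEST-2"; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS test pattern"; content:"EXAMPLE-TEST-3"; sid:9000003; rev:2;)
"""

# Constructed sample: new signature version (9000001 unchanged, 9000002 revised,
# 9000003 removed, 9000004 new).
NEW_RULES = """\
# constructed sample set, new version
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Outbound test pattern 1"; content:"EXAMPLE-TEST-1"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Outbound test pattern 2"; content:"EXAMPLE-TEST-2b"; sid:9000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE TLS test pattern"; content:"EXAMPLE-TEST-4"; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    for category, sids in diff_signature_sets(OLD_RULES, NEW_RULES).items():
        print(f"{category}: {sids}")
```

Comparing the full rule text rather than only the rev number catches the case where a vendor edits a rule without bumping rev; the sid-level view is what matters operationally, because a sid that moves from "modified" to "deleted" between versions is the one most likely to explain a detection that silently stopped firing.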

Specify Traffic to Be Inspected

You can specify the traffic to be inspected according to source and destination zone, as well as specify detailed match criteria, using Firewall Zone Security Policies (Configuration > Overlays & Security > Security > Firewall Zone Security Policies).


With the addition of IDS/IPS, firewall actions have the following meanings:

  • allow: Allow traffic and do not inspect.

  • deny: Deny traffic and do not inspect.

  • inspect: Allow traffic and inspect.

NOTE: No traffic will be inspected until rules with the inspect action are specified in the security policy.
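To make the three action meanings and the note above concrete, here is a small model of how a zone-policy action gates inspection and how the IDS and IPS modes then treat a signature match. It is an added example, not EdgeConnect code: the rule, flow and signature records, first-match evaluation with an implicit deny, and the treatment of the per-signature Inspect and Allow actions (event and forward, versus forward silently as an allow-listed rule) are assumptions of the model, and the signature patterns are constructed test strings.

```python
# Added example: model of zone-policy action (allow/deny/inspect) gating IDS/IPS
# inspection. Not EdgeConnect code; rule evaluation order, implicit deny and the
# Inspect/Allow signature semantics are assumptions. Sample patterns are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ZoneRule:
    src_zone: str
    dst_zone: str
    action: str                  # "allow", "deny" or "inspect"
    dport: Optional[int] = None  # optional finer match criterion (None = any port)


@dataclass
class Signature:
    sid: int
    pattern: bytes
    ips_action: str              # "Drop", "Inspect" or "Allow"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dport: int
    payload: bytes


@dataclass
class Verdict:
    forwarded: bool
    inspected: bool
    events: list[int] = field(default_factory=list)  # sids that raised a threat event


def policy_action(rules: list[ZoneRule], flow: Flow) -> str:
    """First matching zone rule wins; implicit deny when nothing matches (assumption)."""
    for r in rules:
        if (r.src_zone, r.dst_zone) == (flow.src_zone, flow.dst_zone) and r.dport in (None, flow.dport):
            return r.action
    return "deny"


def process(flow: Flow, rules: list[ZoneRule], sigs: list[Signature], mode: str) -> Verdict:
    """mode is "IDS Only", "IPS-Performant" or "IPS-Inline"."""
    action = policy_action(rules, flow)
    if action == "deny":
        return Verdict(forwarded=False, inspected=False)   # denied, never inspected
    if action == "allow":
        return Verdict(forwarded=True, inspected=False)    # allowed, never inspected
    verdict = Verdict(forwarded=True, inspected=True)      # "inspect": copy goes to the engine
    for sig in sigs:
        if sig.pattern not in flow.payload:
            continue
        if mode == "IDS Only":             # detect only: event raised, traffic still passes
            verdict.events.append(sig.sid)
        elif sig.ips_action == "Drop":     # IPS: signature action decides
            verdict.events.append(sig.sid)
            verdict.forwarded = False
            break
        elif sig.ips_action == "Inspect":  # event raised, traffic passes
            verdict.events.append(sig.sid)
        # "Allow": allow-listed rule, forwarded with no event (assumption of the model)
    return verdict


# Constructed samples.
SIGNATURES = [
    Signature(9000001, b"EXAMPLE-TEST-PATTERN", "Drop"),
    Signature(9000002, b"EXAMPLE-ALLOWED", "Allow"),
]
SAMPLE_FLOW = Flow("LAN", "WAN", 80, b"GET /?q=EXAMPLE-TEST-PATTERN HTTP/1.1")
ALLOW_ONLY = [ZoneRule("LAN", "WAN", "allow")]
INSPECT_WEB = [ZoneRule("LAN", "WAN", "inspect", dport=80), ZoneRule("LAN", "WAN", "allow")]

if __name__ == "__main__":
    print("allow-only policy, IDS Only :", process(SAMPLE_FLOW, ALLOW_ONLY, SIGNATURES, "IDS Only"))
    print("inspect rule, IDS Only      :", process(SAMPLE_FLOW, INSPECT_WEB, SIGNATURES, "IDS Only"))
    print("inspect rule, IPS-Inline    :", process(SAMPLE_FLOW, INSPECT_WEB, SIGNATURES, "IPS-Inline"))
```

The first call is the case the note warns about: the engine is enabled and the payload matches a signature, yet nothing is inspected and no event is raised because the only matching zone rule says allow. Only after an inspect rule covers the flow does IDS mode produce an event, and IPS mode additionally drop it.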

For more information, see the following tabs in Orchestrator:

  • Templates (Security Policies): Configuration > Templates & Policies > Templates

  • Routing Segmentation: Configuration > Networking > Routing > Routing Segmentation (VRF)

Advanced Reporting and Analytics

If you use or are evaluating Splunk, you can install the Aruba EdgeConnect Security App for Splunk to enable advanced reporting and analytics on the IDS/IPS alarms forwarded from EdgeConnect appliances. Search Splunkbase for “EdgeConnect” to find the app.


Follow the instructions provided to install and configure the application.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to HPE Aruba Networking EULA.
