
Intrusion Detection/Prevention System

Configuration > Overlays & Security > Security > IDS/IPS

The Intrusion Detection/Prevention System (IDS/IPS) can monitor traffic for potential threats and malicious activity. It generates threat events based on preconfigured rules. Packets are copied and inspected against signatures downloaded to Orchestrator from the Cloud Portal. Orchestrator sends to appliances the signature file and any rules that have been added to the allow list.

  • IDS designates traffic for inspection using matching rules enabled in the zone-based firewall.

  • IPS protects traffic by matching a signature and then performing a configured action (Drop, Inspect, or Allow).

Use the Intrusion Detection/Prevention tab to view IDS/IPS status or state, or to modify the IDS/IPS configuration for appliances selected in the appliance tree.

The Auto updates ON and OFF buttons enable you to control whether signatures should be automatically updated. By setting this to OFF, you can make informed decisions before proceeding with signature updates. To make this evaluation, use the Signature History subtab to examine the differences between the signature rules in the latest active signature version on Cloud Portal and the production rules in your current signature version in Orchestrator.

Field | Description
Appliance | Name of the appliance.
Status | Status of IDS/IPS for the appliance, such as Not Eligible, Protecting Traffic, or License applied but EC Not Eligible.
IDS/IPS State | State of IDS/IPS on the appliance: IDS Enabled, IPS-Performant Enabled, IPS-Inline Enabled, or Disabled.
Profile | IDS/IPS signature profile applied to the appliance.
Eligible | Whether the appliance is eligible to enable IDS/IPS. See Prerequisites for IDS/IPS below.
Licensed | Whether the appliance is licensed to run IDS/IPS.
Engine Version | IPS engine version.
Signature Family | Proofpoint ETPro signature family, such as 4.x or 5.x.
Signature Version | IDS/IPS signature version, such as 10500 or 10729.
Inspected pkts/sec (last 5 min) | Rate of packets inspected, in packets per second, averaged over the previous five minutes.
Threats detected (last 5 min) | Number of threats detected in the previous five minutes.
Over Subscription Drops | Cumulative number of kernel flows dropped because traffic designated for inspection exceeded the appliance's IDS/IPS capacity, counted since IDS/IPS was enabled. A rising value means the appliance is receiving more inspection traffic than it can process.
IPS Flow Drops | Number of flows per minute dropped by IPS because they matched a rule with the Drop action.
Events | Click the info icon to view the most recent IDS/IPS events on the appliance. Click Export CSV to save the data to a CSV file.
Stats | Click the stats icon to view the following IDS/IPS statistics for the appliance: IPS Flow Drops per minute, Packets per second sent to the IDS/IPS, Threats Detected, Bits per second sent to the IDS/IPS, and Over Subscription Drops (Cumulative).

Prerequisites for IDS/IPS

  • IDS/IPS can be enabled on the following ECOS releases and appliances.

    For IDS:

    • ECOS 9.1.x.x or later for all EdgeConnect appliances except EC-XS (part numbers 200889 and 200900 only) and EC-US

    • ECOS 9.1.x.x or later for EC-V deployments (minimum of 4 cores and 16 GB of RAM required)

    For IDS/IPS:

    • ECOS 9.2.x.x or later for all EdgeConnect appliances except EC-XS (part numbers 200889 and 200900 only) and EC-US

    • ECOS 9.2.x.x or later for EC-V deployments (minimum of 4 cores and 16 GB of RAM required)

  • IDS/IPS can be enabled only on appliances running ECOS 9.1.0.0 or later. Appliances running an earlier version of ECOS will not be shown on the Intrusion Detection/Prevention tab.

  • IDS/IPS is a licensed feature and can be enabled only on appliances that have been assigned the Advanced Security license. Refer to the help information for the Licenses tab (Configuration > Overlays & Security > Licensing > Licenses).

NOTE: IDS/IPS alarms are logged in standard syslog format. You can configure a logging facility for IDS/IPS and remote log receiver to send logs to a third party for additional review and analytics. See Advanced Reporting and Analytics below.

Apply IDS/IPS on Appliances

You can turn on or off IDS/IPS for appliances displayed in the table. You can also apply a different signature profile to the appliances. Orchestrator provides a Default signature profile.

  1. Click Apply IDS/IPS on Appliances.

    The Apply IDS/IPS dialog box opens.

  2. To apply or remove IDS/IPS, select the IDS/IPS Mode check box, and then select one of the following:

    • Off to turn off IDS and IPS for all appliances.

    • IDS Only to enable IDS on the appliances.

    • IPS-Performant to enable IPS-Performant on the appliances.

    • IPS-Inline to enable IPS-Inline on the appliances.

      NOTE: IPS-Inline mode can be applied only to appliances on ECOS version 9.4.1.0 or later. Appliances on earlier versions will ignore this mode.

  3. To apply a different signature profile, select the Profile check box, and then select the appropriate signature family from the first drop-down list. The second drop-down list includes the Orchestrator-provided default profile that corresponds to the signature family you selected (Default for 4.x or Default_S5 for 5.x) and any other signature profiles you have created. Select the signature profile you want to use. For more information about signature profiles, see Manage Signature Profiles below.

  4. The Modification column displays the proposed changes, if any, for the appliances. To apply your changes, click Save. Or, to close the dialog box without making any changes, click Cancel.

Manage Signature Profiles

Signature profiles enable you to configure rules that are downloaded from the signature set on the Cloud Portal. Orchestrator provides the following default signature profiles:

  • For the 4.x signature family, the Default signature profile

  • For the 5.x signature family, the Default_S5 signature profile

These default profiles include default settings for the signature rules. Default profiles are automatically used across all appliances. You can create additional signature profiles and override default rule settings by choosing different actions as needed. To open the Signature Profiles tab, click Signature Profiles. For information about creating signature profiles and modifying their rules, refer to the help information for the Signature Profiles tab.

Update Signatures on Appliances

You can immediately update signatures on your appliances or schedule the updates to occur when convenient for your organization—on a daily, weekly, monthly, or yearly basis.

To immediately update your appliances with signature updates, ensure that Auto updates is set to ON, and then click Update Signatures. Orchestrator checks for any signature updates and pushes them to the appliances. This might take some time. You can check the audit log for status updates.

NOTE: If Auto updates is set to OFF when you click Update Signatures, the signatures are downloaded but not activated on Orchestrator, so you can review them before they reach any appliance. Use the Signature History subtab to compare the rules in the latest active signature version on the Cloud Portal with the production rules in your current signature version on Orchestrator. After evaluating the differences, set Auto updates to ON and click Update Signatures to activate the new version and push it to the appliances.

To update based on a schedule:

  1. Click Signature Scheduler.

    The Signature Scheduler dialog box opens.

  2. Click the edit icon.

    The Schedule dialog box opens.

  3. Click Daily, Weekly, Monthly, or Yearly.

  4. Specify the appropriate schedule criteria, and then click OK.

  5. On the Signature Scheduler dialog box, click Save.

    Orchestrator will automatically update your appliances according to your specified schedule.

NOTE: The time zone displayed in Signature Scheduler reflects the global time zone setting for scheduled jobs and reports (Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs). The time zone displayed on the calendar when you click the calendar icon on the Schedule dialog box reflects your local time zone.

View Signature History

You can view a history of signature versions on your Orchestrator, including the current version and previous versions. Select the signature family (such as 4.x or 5.x) from the drop-down list at the top. The history covers the past five signature versions for each active signature family on the network. You can also review the differences between:

  • A signature version listed in the top table and the preceding listed version.

  • The current version (listed in the top table) and the active signature version on cloud portal (listed in the bottom table). To view these differences, Auto updates must be set to OFF on the Intrusion Detection/Prevention tab.

Differences shown include modified, deleted, and added rules.

  1. Click Signature History.

    The Signature History dialog box opens with a historical table of signature versions displayed based on signature family.

    You can select a different signature family from the Signature Family drop-down list.

    The Level column indicates which rules package is applied to the IDS/IPS subsystem. Rules packages control how strictly traffic is inspected, from lenient to strict; the value does not restrict how IPS may be used. Only the Strict rules package is currently supported. The Updated Date column indicates when the signature version was last updated.

    The bottom table (Active signature on cloud portal) shows the active signature version on the Cloud Portal.

  2. To view the differences, click the appropriate chart icon in the Diff column.

    The Signature Family dialog box opens.

    NOTE: The title of this dialog box varies based on the signature family selected on the Signature History dialog box.

    Use the tabs on this dialog box to view lists of new, modified, or deleted signatures in the signature version compared to the previous one.
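The following script reproduces the kind of comparison the Signature History diff reports (new, modified, and deleted signatures) so that a reviewer can script the "Auto updates OFF, then evaluate" step described under Update Signatures on Appliances. It is an added example, not Orchestrator code. It assumes, which this page does not state, that the signature files use Suricata/Snort rule syntax as Proofpoint ET rule sets do, and that every rule carries a unique sid and a rev the publisher increments when the rule changes. Both rule sets in the script are constructed for illustration and use SIDs from the local range (1000000 to 1999999), not real ET Pro SIDs.

```python
import re
from dataclasses import dataclass

# A rule line: optional leading '#' (shipped but disabled), action, header,
# then the parenthesised option list.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+"
    r"(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    sid: int
    rev: int
    action: str
    enabled: bool
    msg: str
    text: str  # full rule line; any change here counts as a modification


def split_options(options: str) -> list[str]:
    """Split the option list on ';' but not inside double-quoted values."""
    parts, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts


def parse_rules(text: str) -> dict[int, Rule]:
    """Return {sid: Rule} for every rule line, enabled or '#'-disabled."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        opts = {}
        for part in split_options(m.group("options")):
            key, _, val = part.partition(":")
            opts.setdefault(key.strip(), val.strip())
        sid = int(opts["sid"])
        rules[sid] = Rule(sid, int(opts.get("rev", "1")), m.group("action"),
                          m.group("disabled") is None,
                          opts.get("msg", "").strip('"'), line.strip())
    return rules


def diff_rules(old: dict[int, Rule], new: dict[int, Rule]) -> dict[str, list[int]]:
    """Classify SIDs as added, deleted, or modified between two versions."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "modified": sorted(s for s in common if old[s].text != new[s].text),
    }


def review_findings(old: dict[int, Rule], new: dict[int, Rule]) -> dict:
    """What to look at before activating: rules whose action changed (these
    change what IPS drops) and rules edited without a rev bump."""
    d = diff_rules(old, new)
    return {
        "action_changes": [(s, old[s].action, new[s].action)
                           for s in d["modified"] if old[s].action != new[s].action],
        "stale_rev": [s for s in d["modified"] if old[s].rev == new[s].rev],
    }


# Constructed rule sets standing in for two signature versions (hypothetical).
OLD_RULES = r'''
# constructed "previous" version
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Example beacon URI"; flow:established,to_server; content:"/beacon;v=1"; http_uri; classtype:trojan-activity; sid:1000001; rev:2;)
alert dns $HOME_NET any -> any any (msg:"LOCAL Example DNS lookup"; dns_query; content:"c2.example.invalid"; nocase; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL Example SMB probe"; flow:to_server; content:"|ff|SMB"; sid:1000003; rev:3;)
'''
NEW_RULES = r'''
# constructed "latest" version
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Example beacon URI"; flow:established,to_server; content:"/beacon;v=1"; http_uri; classtype:trojan-activity; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL Example SMB probe"; flow:to_server; content:"|ff|SMB"; offset:4; depth:4; sid:1000003; rev:3;)
# alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Example TLS SNI"; tls.sni; content:"update.example.invalid"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    old, new = parse_rules(OLD_RULES), parse_rules(NEW_RULES)
    print(diff_rules(old, new))
    print(review_findings(old, new))
```

In the constructed data, sid 1000001 changes from alert to drop, which is exactly the kind of change worth catching before a version is pushed to appliances running IPS; sid 1000003 is edited without a rev bump, which the review step flags separately.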

Specify Traffic to Be Inspected

You can specify the traffic to be inspected according to source and destination zone, as well as specify detailed match criteria, using Firewall Zone Security Policies (Configuration > Overlays & Security > Security > Firewall Zone Security Policies).

With the addition of IDS/IPS, firewall actions have the following meanings:

  • allow: Allow traffic and do not inspect.

  • deny: Deny traffic and do not inspect.

  • inspect: Allow traffic and inspect.

NOTE: No traffic will be inspected until rules with the inspect action are specified in the security policy.
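The model below shows how the three firewall actions determine, for a given flow, whether it is forwarded and whether it is handed to IDS/IPS, and includes the check the note above implies: which zone pairs have no inspect rule at all. This is an added example, not the appliance's implementation. It assumes, which this page does not state, that rules for a (source zone, destination zone) pair are evaluated first-match and that a flow matching no rule falls back to a default action, modelled here as deny. The policy, zones, and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# (forwarded, sent to IDS/IPS) for each firewall action
ACTIONS = {"allow": (True, False), "deny": (False, False), "inspect": (True, True)}


@dataclass
class Rule:
    action: str                          # "allow", "deny", or "inspect"
    protocol: str = "any"                # "tcp", "udp", "icmp", or "any"
    src: str = "0.0.0.0/0"               # source prefix
    dst: str = "0.0.0.0/0"               # destination prefix
    dst_ports: frozenset = frozenset()   # empty means any destination port

    def matches(self, flow: dict) -> bool:
        return (
            self.protocol in ("any", flow["protocol"])
            and ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(self.dst)
            and (not self.dst_ports or flow["dst_port"] in self.dst_ports)
        )


def evaluate(policy: dict, flow: dict, default: str = "deny") -> tuple:
    """Return (forwarded, inspected) for a flow; the first matching rule for
    the flow's zone pair wins, otherwise the assumed default applies."""
    for rule in policy.get((flow["src_zone"], flow["dst_zone"]), []):
        if rule.matches(flow):
            return ACTIONS[rule.action]
    return ACTIONS[default]


def uninspected_pairs(policy: dict, zones) -> list:
    """Zone pairs with no inspect rule: traffic between them never reaches
    IDS/IPS, whatever the signature profile says."""
    return sorted(
        (s, d) for s in zones for d in zones
        if not any(r.action == "inspect" for r in policy.get((s, d), []))
    )


def example_policy() -> dict:
    """Constructed policy (hypothetical): inspect web traffic from lan to wan
    and allow the rest; inspect only HTTPS to one dmz host; guest is allowed
    out without inspection."""
    return {
        ("lan", "wan"): [Rule("inspect", "tcp", dst_ports=frozenset({80, 443})),
                         Rule("allow")],
        ("lan", "dmz"): [Rule("inspect", "tcp", dst="192.0.2.10/32",
                              dst_ports=frozenset({443})),
                         Rule("deny")],
        ("guest", "wan"): [Rule("allow")],
    }


if __name__ == "__main__":
    policy = example_policy()
    flow = {"src_zone": "lan", "dst_zone": "wan", "protocol": "udp",
            "src": "10.0.0.5", "dst": "198.51.100.1", "dst_port": 53}
    print(evaluate(policy, flow))                              # allowed, not inspected
    print(uninspected_pairs(policy, ["lan", "wan", "dmz", "guest"]))
```

Running the coverage check against a real policy export is the quickest way to see where an allow rule was written when inspect was intended; in the constructed policy, guest traffic and all DNS from the lan zone pass the firewall without ever being inspected.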

For more information, see the following tabs in Orchestrator:

  • Templates (Security Policies): Configuration > Templates & Policies > Templates

  • Routing Segmentation: Configuration > Networking > Routing > Routing Segmentation (VRF)

Advanced Reporting and Analytics

If you use or are evaluating Splunk, you can install the HPE Aruba Networking EdgeConnect Security App for Splunk to enable advanced reporting and analytics on the IDS/IPS alarms forwarded from EdgeConnect appliances. Search Splunkbase for "EdgeConnect" to find the application.

Follow the instructions provided to install and configure the application.


© Copyright 2025 Hewlett Packard Enterprise Development LP.