Configuration > Overlays & Security > Security > IDS/IPS
The Intrusion Detection/Prevention System (IDS/IPS) monitors traffic for potential threats and malicious activity and generates threat events based on preconfigured rules. Packets are copied and inspected against signatures that Orchestrator downloads from Cloud Portal. Orchestrator sends the signature file, together with any rules that have been added to the allow list, to the appliances.
IDS designates traffic for inspection using matching rules enabled in the zone-based firewall.
IPS protects traffic by matching a signature and then performing a configured action (Drop, Inspect, or Allow).
Use the Intrusion Detection/Prevention tab to view IDS/IPS status or state, or to modify the IDS/IPS configuration for appliances selected in the appliance tree.
| Column | Description |
|---|---|
| Appliance | Name of the appliance. |
| Status | Status of IDS/IPS for the appliance, such as Not Eligible, Protecting Traffic, or License applied but EC Not Eligible. |
| IDS/IPS State | State of IDS/IPS on the appliance (IDS Enabled, IPS Enabled, or Disabled). |
| Profile | IDS/IPS signature profile applied to the appliance. |
| Eligible | Indicates whether the appliance is eligible to enable IDS/IPS. For more information, see Prerequisites for IDS/IPS below. |
| Licensed | Indicates whether the appliance is licensed to run IDS/IPS. |
| Signature Version | Version of the signature set running on the appliance. |
| Inspected pkts/sec (last 5 min) | Number of packets inspected in the previous five minutes. |
| Threats detected (last 5 min) | Number of threats detected in the previous five minutes. |
| IPS Flow Drops (Cumulative) | Number of flows dropped since IPS started running. The count is cumulative and keeps accumulating across reporting intervals. |
| Events | Click the info icon to view the most recent IDS/IPS events on the appliance. |
| Stats | Click the stats icon to view the following IDS/IPS statistics for the appliance: Packets per second sent to the IDS/IPS, IPS Flow Drops (Cumulative), Threats Detected, and Bits per second sent to the IDS/IPS. |
IDS/IPS can be enabled on the following ECOS releases and appliances.
ECOS 9.1.x.x or later for all EdgeConnect appliances except EC-XS (part numbers 200889 and 200900 only) and EC-US
ECOS 9.1.x.x or later for EC-V deployments (minimum of 4 cores and 16 GB of RAM required)
ECOS 9.2.x.x or later for all EdgeConnect appliances except EC-XS (part numbers 200889 and 200900 only) and EC-US
ECOS 9.2.x.x or later for EC-V deployments (minimum of 4 cores and 16 GB of RAM required)
IDS/IPS can be enabled only on appliances running ECOS 188.8.131.52 or later. Appliances running an earlier version of ECOS will not be shown on the Intrusion Detection/Prevention tab.
IDS/IPS is a licensed feature and can be enabled only on appliances that have been assigned the Advanced Security license. Refer to the help information for the Licenses tab (Configuration > Overlays & Security > Licensing > Licenses).
NOTE: IDS/IPS alarms are logged in standard syslog format. You can configure a logging facility for IDS/IPS and remote log receiver to send logs to a third party for additional review and analytics. See Advanced Reporting and Analytics below.
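Because the alarms arrive at a remote receiver in standard syslog format, the receiving side can decode the PRI field (facility and severity) and aggregate events per appliance before any SIEM is involved. The following is an added example, not code from Orchestrator or the EdgeConnect product: it parses RFC 5424-shaped lines and counts events and IPS drops per appliance. The log lines are constructed for this example, and the key=value message body (mode, action, sid, src, dst, msg) is a hypothetical layout; the actual body format EdgeConnect emits is not described on this page, so the key-value parser would need adjusting to the real messages.

```python
import re
from collections import Counter

# Constructed sample lines in RFC 5424 shape: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG.
# PRI = facility * 8 + severity. The key=value body is a hypothetical layout for this
# example only; it is not the documented EdgeConnect message format.
SAMPLE_LOG_LINES = [
    '<132>1 2024-05-01T10:15:00Z ec-branch-01 idsips - - - mode=ips action=drop '
    'sid=EXAMPLE-1001 src=10.1.1.5 dst=203.0.113.9 msg="constructed test signature"',
    '<134>1 2024-05-01T10:15:02Z ec-branch-01 idsips - - - mode=ips action=allow '
    'sid=EXAMPLE-1002 src=10.1.1.7 dst=203.0.113.9 msg="constructed test signature"',
    '<132>1 2024-05-01T10:15:05Z ec-branch-02 idsips - - - mode=ids action=alert '
    'sid=EXAMPLE-1001 src=10.2.2.8 dst=198.51.100.4 msg="constructed test signature"',
    'this line is not syslog at all',
]

SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$'
)
# key=value pairs; a value may be a double-quoted string containing spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Decode one RFC 5424 line into a dict, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {}
    for key, value in KV_RE.findall(m.group("msg")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # strip the quotes around free-text values
        fields[key] = value
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "fields": fields,
    }


def summarize(lines, app_name="idsips"):
    """Aggregate events per appliance; only lines from the IDS/IPS app are counted."""
    summary = {
        "parsed": 0,
        "skipped": 0,                         # unparsable lines or other applications
        "events_per_appliance": Counter(),
        "ips_drops_per_appliance": Counter(), # comparable with the IPS Flow Drops column
        "signature_counts": Counter(),        # which signatures fire most often
    }
    for line in lines:
        event = parse_syslog(line)
        if event is None or event["app"] != app_name:
            summary["skipped"] += 1
            continue
        summary["parsed"] += 1
        host = event["host"]
        f = event["fields"]
        summary["events_per_appliance"][host] += 1
        summary["signature_counts"][f.get("sid", "unknown")] += 1
        if f.get("mode") == "ips" and f.get("action") == "drop":
            summary["ips_drops_per_appliance"][host] += 1
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG_LINES)
    for host, n in sorted(s["events_per_appliance"].items()):
        print(f"{host}: {n} events, {s['ips_drops_per_appliance'][host]} IPS drops")
    print(f"skipped lines: {s['skipped']}")
```

The per-appliance drop counts produced this way can be reconciled against the IPS Flow Drops (Cumulative) column on the tab: a receiver that shows far fewer drops than Orchestrator reports usually means lost or unforwarded log messages rather than a quieter network.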
You can turn on or off IDS/IPS for appliances displayed in the table. You can also apply a different signature profile to the appliances. Orchestrator provides a Default signature profile.
Click Apply IDS/IPS on Appliances.
The Apply IDS/IPS dialog box opens.
To apply or remove IDS/IPS, select the IDS/IPS Mode check box, and then select one of the following:
Off to turn off IDS and IPS for all appliances.
IDS Only to enable IDS on the appliances.
IPS-Performant to enable IPS on the appliances.
To apply a different signature profile, select the Profile check box, and then select the appropriate profile from the drop-down list. For more information about signature profiles, see Manage Signature Profiles below.
The proposed modifications, if any, are displayed for the appliances in the Modification column. To apply your changes, click Save. Or, to close the dialog box without making any changes, click Cancel.
Signature profiles enable you to configure rules that are downloaded from the signature set on Cloud Portal. Orchestrator provides a Default signature profile that includes default settings for the rules. It is automatically used across all appliances. You can create additional signature profiles and override the default rule settings by choosing different actions as needed. To open the Signature Profiles tab, click Signature Profiles. For information about creating signature profiles and modifying their rules, refer to the help information for the Signature Profiles tab.
You can immediately update signatures on your appliances or schedule the updates to occur when convenient for your organization—on a daily, weekly, monthly, or yearly basis.
To immediately update your appliances with signature updates, click Update Signatures. Orchestrator checks for any signature updates and pushes them to the appliances. This might take some time. You can check the audit log for status updates.
To update based on a schedule:
Click Signature Scheduler.
The Signature Scheduler dialog box opens.
Click the edit icon.
The Schedule dialog box opens.
Click Daily, Weekly, Monthly, or Yearly.
Specify the appropriate schedule criteria, and then click OK.
On the Signature Scheduler dialog box, click Save.
Orchestrator will automatically update your appliances according to your specified schedule.
NOTE: The time zone displayed in Signature Scheduler reflects the global time zone setting for scheduled jobs and reports (Orchestrator > Software & Setup > Setup > Timezone for Scheduled Jobs). The time zone displayed on the calendar when you click the calendar icon on the Schedule dialog box reflects your local time zone.
You can view a history of signature versions. You can also view the differences between a signature version and the one before it. Differences are the new signatures in the signature version compared to the previous one.
Click Signature History.
The Signature History dialog box opens with a historical table of signature versions displayed. The Level column in the table indicates the restriction level applied to IPS usage (lenient, moderate, or strict).
To view the differences between a signature version and the one before it, click the icon in the Diff column.
The Signature History Detail dialog box opens.
The table lists new signatures in the signature version compared to the previous signature version.
You can specify the traffic to be inspected according to source and destination zone, as well as specify detailed match criteria, using Firewall Zone Security Policies (Configuration > Overlays & Security > Security > Firewall Zone Security Policies).
With the addition of IDS/IPS, firewall actions have the following meanings:
allow: Allow traffic and do not inspect.
deny: Deny traffic and do not inspect.
inspect: Allow traffic and inspect.
NOTE: No traffic will be inspected until rules with the inspect action are specified in the security policy.
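The practical consequence of the note above is that a zone policy built only from allow and deny rules sends nothing to IDS/IPS, however the feature is configured on the appliance. The following is an added example, not Orchestrator's own policy engine: it is a simplified model of zone rules with the three actions, evaluated first-match in list order (an assumption; the page does not state how Orchestrator orders matches), with a configurable default action for flows no rule matches (also an assumption). The zones, rules and flows are constructed. Beyond the page's point, it also flags inspect rules that can never fire because an earlier, broader rule already matches everything they would.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIONS = {"allow", "deny", "inspect"}   # the three firewall actions named on the page


@dataclass(frozen=True)
class Rule:
    """One zone security policy rule (simplified model, not Orchestrator's schema)."""
    src_zone: str                    # "*" matches any source zone
    dst_zone: str                    # "*" matches any destination zone
    action: str                      # allow | deny | inspect
    protocol: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown firewall action: {self.action}")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.src_zone in ("*", flow.src_zone)
        and rule.dst_zone in ("*", flow.dst_zone)
        and rule.protocol in (None, flow.protocol)
        and rule.dst_port in (None, flow.dst_port)
    )


def evaluate(rules: List[Rule], flow: Flow, default_action: str = "deny") -> Tuple[str, Optional[Rule]]:
    """First matching rule wins (assumed ordering); otherwise the default action applies."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule
    return default_action, None


def inspected_flows(rules: List[Rule], flows: List[Flow], default_action: str = "deny") -> List[Flow]:
    """Flows that the zone policy actually hands to IDS/IPS."""
    return [f for f in flows if evaluate(rules, f, default_action)[0] == "inspect"]


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every flow matched by `narrow` is also matched by `broad`."""
    return (
        broad.src_zone in ("*", narrow.src_zone)
        and broad.dst_zone in ("*", narrow.dst_zone)
        and broad.protocol in (None, narrow.protocol)
        and broad.dst_port in (None, narrow.dst_port)
    )


def shadowed_inspect_rules(rules: List[Rule]) -> List[Tuple[int, Rule]]:
    """Inspect rules that can never fire because an earlier rule covers them."""
    return [
        (i, rule) for i, rule in enumerate(rules)
        if rule.action == "inspect" and any(covers(earlier, rule) for earlier in rules[:i])
    ]


# Constructed flows and policies for the example (not taken from any appliance).
SAMPLE_FLOWS = [
    Flow("lan", "wan", "tcp", 443),
    Flow("lan", "wan", "udp", 53),
    Flow("wan", "lan", "tcp", 22),
    Flow("dmz", "wan", "tcp", 80),   # matches no rule: default action applies
]

POLICY_NO_INSPECT = [Rule("lan", "wan", "allow"), Rule("wan", "lan", "deny")]

POLICY_WITH_INSPECT = [
    Rule("lan", "wan", "inspect", protocol="tcp"),   # placed before the broad allow
    Rule("lan", "wan", "allow"),
    Rule("wan", "lan", "deny"),
]

POLICY_SHADOWED = [
    Rule("lan", "wan", "allow"),                     # broad allow first ...
    Rule("lan", "wan", "inspect", protocol="tcp"),   # ... so this inspect rule never fires
    Rule("wan", "lan", "deny"),
]

if __name__ == "__main__":
    for name, policy in [("no inspect", POLICY_NO_INSPECT), ("with inspect", POLICY_WITH_INSPECT),
                         ("shadowed", POLICY_SHADOWED)]:
        n = len(inspected_flows(policy, SAMPLE_FLOWS))
        shadowed = [i for i, _ in shadowed_inspect_rules(policy)]
        print(f"{name}: {n} of {len(SAMPLE_FLOWS)} flows inspected; shadowed inspect rules at {shadowed}")
```

Running the three policies over the same flows shows zero inspected flows for the allow/deny-only policy and for the shadowed one, and one inspected flow for the policy whose inspect rule precedes the broad allow. If the real policy engine uses a different match order, the shadowing check has to be adjusted accordingly; the underlying point, that inspection requires an inspect rule that can actually match, is unchanged.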
For more information, see the following tabs in Orchestrator:
Templates (Security Policies): Configuration > Templates & Policies > Templates
Routing Segmentation: Configuration > Networking > Routing > Routing Segmentation (VRF)
If you use Splunk, you can install the Aruba EdgeConnect Security App for Splunk to enable advanced reporting and analytics on the IDS/IPS alarms forwarded from EdgeConnect appliances. Search Splunkbase for “EdgeConnect” to find the application.
Follow the instructions provided to install and configure the application.