Versa Networks

Configure SD-WAN IPS Profiles

For supported software information, see Supported Software Information at the end of this article.

The intrusion prevention system (IPS) mitigates security vulnerabilities by responding to inappropriate or anomalous activity. Responses can include dropping data packets and disconnecting connections that are transmitting unauthorized data.

You commonly place an IPS at the perimeter of a corporate network. IPS performs the following types of vulnerability detection to help prevent attacks, including zero-day attacks such as worms or viruses:

  • Signature-based detection—Signatures are a set of rules that a vulnerability profile uses to detect intrusive activities. With signature-based detection, a security profile compares a software or application pattern with a database of signatures, identifying malicious activity by matching patterns to those in the database. Versa security packs (SPacks) provide a set of predefined signatures, and you can also create custom signatures.
  • Anomaly detection—Anomaly detection monitors a network for unusual events or trends. You configure a vulnerability profile that compares each observed event with a baseline of normal traffic. Anomaly detection detects patterns that are not normally present in the traffic, so it is useful for detecting new attacks.

You can configure IPS profiles to detect and prevent malware threats. You then associate the profiles with access control security policies. For more information, see Configure SD-WAN Access Control Policies.

Configure an IPS Profile

  1. In Tenant view, select Configure > Secure SD-WAN > Security > Profiles.

  2. Select the IPS tab. 
    • If you have not yet configured an IPS profile, click Add IPS Profile.
    • If you have configured one or more IPS profiles, the following screen displays. Click the + icon. 


      The Add IPS Profile workflow displays, beginning with step 1, Vulnerability Rules. 

  3. Click Add Vulnerability Rule. The screen displays the workflow to create a vulnerability rule.

  4. In step 1, CVE and Signature Set, enter information for the following fields.

    Field Description
    Common Vulnerabilities and Exposures (CVE) Year

    Select one or more CVE years. The CVE year matches the signature in the database and identifies the attacks.

    Signature Set

    Select the signature set to use for the rule:

    • Both
    • Predefined
    • User Defined
  5. Click Next. In step 2, General, enter information for the following fields.


    Field Description
    Confidence

    Select one or more confidence levels to use to match the signatures.

    Range: 0 through 9, Unselected

    Default: None

    Action Filter

    Select one or more action filters to use to match the signatures:

    • Alert
    • Drop Packet
    • Drop Session
    • Reject
    CVSS Score

    Select one or more Common Vulnerability Scoring System (CVSS) scores to use to match the signatures.

    Range: 1 through 10

    Class Type

    Select one or more class types of vulnerabilities to use to match the signatures.

    Direction

    Click to select the traffic direction for applying the rule to signatures:

    • Both
    • Client
    • Server
    Rule Type

    Click to select the rule type to use to match the signatures:

    • Both
    • Anomaly Rules
    • Signature Rules
  6. Click Next or click step 3, OS and Product.
  7. To select which operating systems and products to match for the signatures, enter information for the following fields.

    Field Description
    Operating System Version Enabled/Disabled

    Click to enable operating system version to match for signatures, and select the following:

    • Operating System
    • Operating System Version

    Click the Plus icon to add an operating system. Click the Minus icon to remove an operating system.

    Product Enabled/Disabled

    Click to enable product system version to match for signatures, and select the following:

    • Product System
    • Product Version

    Click the Plus icon to add a product system. Click the Minus icon to remove a product system.

  8. Click Next or click step 4, Application.
  9. The screen displays all predefined applications. Click an application to add it to the list of applications to match. Use the search box to find specific applications. You can include or exclude the selected applications by clicking their checkboxes.

  10. Click Next or click step 5, Reference and Severity.
  11. To configure the severity and reference values to match the signatures, enter information for the following fields.

    Field Description
    Severity

    Select one or more severity-level match criteria:

    • Any
    • Critical
    • High
    • Informational
    • Low
    • Medium
    • Unspecified
    References

    Select and use signatures that match a specific reference type. Click the Add icon to add the reference type to the rule.

    Value

    Select and use signatures that match a specific reference value. Click the Add icon to add the reference value to the rule.
  12. Click Next or click step 6, Enforcement.
  13. To configure the security action, enter information for the following fields.

    Field Description
    Security Action

    Select an enforcement action to apply to the signatures:

    • Allow
    • Alert
    • Deny
    • Drop Packet
    • Drop Session
    • Reject
    • Reset Client
    • Reset Server
    • + Create New—Click to create a new Security Action object.
    Packet Capture Enabled/Disabled

    Click to enable or disable packet capture. When enabled, packet capture logs are sent to Versa Analytics.

    • Pre-window

    If you enable packet capture, enter the number of packets immediately preceding the attacked packet that you want to capture.

    Range: 0 through 10

    Default: 1

    • Post-window

    If you enable packet capture, enter the number of packets immediately following the attacked packet that you want to capture.

    Range: 0 through 10

    Default: 1

  14. Click Next or click step 7, Review and Submit.
  15. Enter a name for the IPS profile. You can also enter a description and tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.

  16. For all other sections, review the information. If you need to make changes, click the Edit icon.
  17. Click Add Vulnerability Rule.
  18. In the Add IPS Profile screen, click Next or click step 2, Exception Rules.

  19. Click Add Exception Rules. The Add IPS Exception workflow displays.

  20. In step 1, Signatures, select the vulnerability signatures to add to the exception rule. You can select predefined or user-defined signatures, and use the search box to find signatures. 
  21. Click Next or click step 2, Exceptions.
  22. To specify the actions for the exception rule, enter information for the following fields.

    Field Description

    Exempt IP Address

    Click the + Add icon to enter the IP addresses that are exempt from the vulnerability rule.

    Security Action

    Select the action to take:

    • Allow
    • Alert
    • Drop packet
    • Drop session
    • Reject
    • Reset client
    • Reset server
    • + Create New—Click to create a new Security Action object. 

    Threshold

    Select the threshold to apply to the exempted IP address:

    • Interval—Enter an interval, in seconds.

    • Threshold—Enter the number of hits per interval based on the traffic direction.

    • Track By—Select the threshold tracking based on either source address, destination address, or both source and destination addresses.

    Packet Capture Enabled/Disabled

    Click to enable or disable packet capture. When enabled, packet capture logs are sent to Versa Analytics.

    • Pre-window

    If you enable packet capture, enter the number of packets immediately preceding the attacked packet that you want to capture.

    Range: 0 through 10

    Default: 1

    • Post-window

    If you enable packet capture, enter the number of packets immediately following the attacked packet that you want to capture.

    Range: 0 through 10

    Default: 1

  23. Click Next or click step 3, Review and Submit.

  24. In the General section, enter a name for the exception rule. You can also enter a description and tags. A tag is an alphanumeric text descriptor with no spaces or special characters. 
  25. For all other sections, review the information. If you need to make changes, click the Edit icon.
  26. Click Add Exception Rule.
  27. In the Add IPS Profile screen, click Next or click step 3, Permissions.
  28. The permission for each role is selected by default, and you can update it. To change permissions for a role, select or deselect the Create, Read, Update, and Delete fields for the role.

  29. Click Next or click step 3, Review and Submit.
  30. In the General section, enter a name for the IPS profile. You can also enter a description and tags. 

  31. To enable logging, click the Logging Disabled toggle, and then select a logging profile that indicates where to forward the logs. 
    • Use Default—Click to use the default logging profile.
    • Custom—Click to use a custom logging profile, and then select a profile in the drop-down list. To create a custom profile, select + Create New.

  32. For all other sections, review the information. To make changes, click the Edit icon.
  33. Click Submit to create the IPS profile.
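
The Pre-window and Post-window fields in the Enforcement step and in the exception rule decide how much context each packet capture sent to Versa Analytics contains. The following Python model is an added illustration, not Versa code: it applies the two windows to a constructed packet stream, and the `is_attack` callback, the one-capture-per-flagged-packet behavior, and the handling of a stream that ends early are assumptions.

```python
from collections import deque

WINDOW_MIN, WINDOW_MAX, WINDOW_DEFAULT = 0, 10, 1  # range and default from the field tables

# Constructed sample: ten packets identified only by sequence number.
SAMPLE_STREAM = list(range(1, 11))


def capture_windows(packets, is_attack, pre_window=WINDOW_DEFAULT,
                    post_window=WINDOW_DEFAULT):
    """Return one capture (list of packets) per packet flagged by is_attack.

    is_attack is a hypothetical stand-in for a signature match. Producing a
    separate capture for every flagged packet is an assumption of this model.
    """
    for name, value in (("pre_window", pre_window), ("post_window", post_window)):
        if not WINDOW_MIN <= value <= WINDOW_MAX:
            raise ValueError(f"{name} must be {WINDOW_MIN} through {WINDOW_MAX}")

    history = deque(maxlen=pre_window)  # the pre_window packets seen most recently
    pending = []                        # [capture, post-window packets still needed]
    finished = []

    for pkt in packets:
        # Extend captures that are still waiting for post-window packets.
        for entry in pending:
            entry[0].append(pkt)
            entry[1] -= 1
        finished += [capture for capture, left in pending if left == 0]
        pending = [entry for entry in pending if entry[1] > 0]

        if is_attack(pkt):
            capture = list(history) + [pkt]
            if post_window == 0:
                finished.append(capture)
            else:
                pending.append([capture, post_window])
        history.append(pkt)

    # The stream ended before the post-window filled: keep the partial capture.
    finished += [capture for capture, _ in pending]
    return finished


if __name__ == "__main__":
    flagged = lambda pkt: pkt == 5
    print(capture_windows(SAMPLE_STREAM, flagged))        # defaults 1 and 1
    print(capture_windows(SAMPLE_STREAM, flagged, 3, 2))
```

With the default value of 1 for both windows, a capture in this model holds at most three packets, so larger windows are needed when analysts want more of the surrounding exchange.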

Configure a Custom Signature

To configure custom signatures, you upload intrusion prevention system (IPS) signature files in .zip or .rules format. 

To configure a custom signature:

  1. Select Configure > SD-WAN > Security > Profiles.

  2. Select the IPS tab, and then select the Custom Signature tab. 

  3. Click the + icon. The Create Custom Signature window displays.

  4. Click Browse to select a file to upload. The file must be in .zip or .rules format.
  5. Click the toggle to enable the signature, and then click Add. 

Supported Software Information

Releases 13.1.1 and later support all content described in this article.