Skip to main content
Versa Networks

Configure SD-WAN IPS-Filtering Policies

For supported software information, click here.

The intrusion prevention system (IPS) mitigates security vulnerabilities by responding to inappropriate or anomalous activity. Responses can include dropping data packets and disconnecting connections that are transmitting unauthorized data.

You commonly place an IPS system at the perimeter of a corporate network. IPS performs the following types of vulnerability detection to help prevent attacks, including zero-day attacks such as worms or viruses:

  • Signature-based detection—Signatures are a set of rules that a vulnerability profile uses to detect intrusive activities. With signature-based detection, a security profile compares a software or application pattern with a database of signatures, identifying malicious activity by matching patterns to those in the database. Versa security packs (SPacks) provide a set of predefined signatures, and you can also create custom signatures.
  • Anomaly detection—Anomaly detection monitors a network for unusual events or trends. You configure the vulnerability profile that compares an observed event with the baseline of the normal traffic. Anomaly detection detects patterns that are normally not present in the traffic, so it is useful for detecting new attacks

By default, Versa SASE provides a predefined IPS enforcement policy. This article describes how you can configure custom IPS-filtering policies.

To configure an IPS-filtering profile:

  1. Go to Configure > Secure SD-WAN > Profile Elements > Policies > Security > IPS.

    ips-menu.png

    If there is no existing IPS policy, the following screen displays.

    ip-profile-main.png
  2. Click Create IPS Policy or + Add to add a new IPS-filtering policy. The Add IPS Policy screen displays, and Step 1, Vulnerability Rules, is selected.

    add-ips-policy-1.png
     
  3. To customize which columns display, click Select Columns down arrow, and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column display settings.

    ips-select-columns.png
     
  4. Click + Add to add a vulnerability rule. The Add Vulnerability Rule screen displays. In the Step 1, CVE and Signature Set screen, enter information for the following fields.

    add-ips-rule-1.png
     
    Field Description
    Common Vulnerabilities and Exposures (CVE) Year Select one or more CVE years. The CVE year matches the signature in the database and identifies the attacks.
    Signature Set

    Select the signature set to use for the rule:

    • All
    • Predefined
    • User Defined
  5. Click Next. In the Step 2, General screen, enter information for the following fields.

    add-ips-rule-2.png

    Field Description
    Confidence

    Select one or more confidence levels to use to match the signatures.

    Range: 0 through 9, Unselected

    Default: None

    Action Filter

    Select one or more action filters to use to match the signatures:

    • Alert
    • Drop Packet
    • Drop Session
    • Reject
    CVSS Score

    Select one or more common vulnerability scoring system scores to use to match the signatures.

    Range: 1 through 10

    Class Type Select one or more class types of vulnerabilities to use to match the signatures.
    Direction

    Click to select the traffic direction for applying the rule to signatures:

    • Both
    • Client
    • Server
    Rule Type

    Click to select the rule type to use to match the signatures:

    • All Rules
    • Anomaly Rules
    • Signature Rules
  6. Click Next. In the Step 3, OS and Product screen, click Operating System Version, and then select an operating system and operating system version to match for signatures. Click the add-icon-blue.pngPlus icon to add an operating system. Click the minus-icon-blue.png Minus icon to remove an operating system.

    add-ips-rule-3-os.png

  7. Click Product, and then select a product and a product version to match for signatures. Click the add-icon-blue.pngPlus icon to add an operating system. Click the minus-icon-blue.png Minus icon to remove an operating system.

    add-ips-rule-3-product.png

  8. Click Next. The Step 4, Application screen displays all predefined applications. Click an application to add it to the list of applications to match. Use the search box to find specific applications. You can include or exclude the selected applications by clicking its checkbox.

    add-ips-rule-4.png

  9. Click Next, and in the Step 5, Reference and Severity screen, enter information for the following fields.

    add-ips-rule-5.png

    Field Description
    Severity

    Select one or more severity-level match criteria:

    • Any
    • Critical
    • High
    • Informational
    • Low
    • Medium
    • Unspecified
    References Select and use signatures that match a specific reference type. Click the add-icon-white-on-blue.png Add icon to add the reference type to the rule.
    Value Select and use signatures that match a specific reference value. Click the add-icon-white-on-blue.png Add icon to add the reference value to the rule.
  10. Click Next. In the Step 6, Enforcement screen, enter information for the following fields.

    add-ips-rule-6.png

    Field Description
    Action

    Select an enforcement action to apply to the signatures:

    • Default
    • Predefined
      • Allow
      • Alert
      • Deny
      • Drop Packet
      • Drop Session
      • Reset Client
      • Reset Server
      • Reject
    • Predefined-Persistent
      • Versa_Action_Block_SIP
      • Versa_Action_Block_SP
      • Versa_Action_Block_DIP
      • Versa_Action_Block_DP
      • Versa_Action_Block_SIP_SP
      • Versa_Action_Block_DIP_DP
      • Versa_Action_Block_SIP_SP_DIP_DP
      • Versa_Action_Block_SIP_SP_DIP_DP_Protocol
    Enable Packet Capture (Group of Fields) Click to enable packet capture. When enabled, packet capture logs are sent to Versa Analytics.
    • Pre-window

    Enter the number of packets immediately preceding the attacked packet that you want to capture.

    Range: 0 through 10

    Default: 1

    • Post-window

    Enter the number of packets immediately following the attacked packet that you want to capture.

    Range: 0 through 10

    Default: 1

  11. Click Next, and in the Step 7, Review and Submit screen, enter a name for the IPS profile. Optionally, enter a description and one or more tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.

    add-ips-rule-7.png

  12. For all other sections, review the information. If you need to make changes, click the Edit icon.
  13. In the Add IPS Profile screen, click Next to go to Step 2, Exceptions Overrules.

    add-ips-policy-2.png
  14. Click + Add. The Add IPS Exception screen displays.

    add-ips-exception-1.png
  15. In the Signatures screen, select the vulnerability signatures to add to the vulnerability profiles exception rule.
  16. Click Next. In the Exception screen, enter information for the following fields.

    add-ips-exception-2.png
     
    Field Description

    Exempt IP Address

    Click the + Add icon to enter the IP addresses that are exempt from the vulnerability rule.

    Action

    Select the action to take:

    • Allow
    • Alert
    • Drop packet
    • Drop session
    • Reject
    • Reset client
    • Reset server

    Threshold

    Select the threshold application on the exempted IP address:

    • Interval—Enter an interval, in seconds.

    • Threshold—Enter the number of hits per interval based on the traffic direction.

    • Track By—Select the threshold tracking based on either source address, destination address, or both source and destination addresses.

    Packet Capture Enabled

    Click this, and then enter the following information:

    • Pre-window—Enter the number of packets immediately preceding the attacked packet that you want to capture.

    • Post-window—Enter the number of packets immediately following the attacked packet that you want to capture.

  17. Click Next to go to Step 3, Review and Submit.

    add-ips-exception-3.png
    1. In the General section, enter a name for the IPS exception, optionally, a description and tags.
    2. For all other sections, review the information. To make changes, click the Edit icon.
    3. Click Save.
  18. In the Add IPS Profile screen, click Next to go to Step 3, Permissions screen to set or update the permission for each role. The roles are Enterprise Administrator, Enterprise Operator, Service Provider Administrator, and Service Provider Operator. The permission for each role is selected by default, and you can update it. The role permissions are Edit, Hide, and Read.

    add-ips-policy-4.png
  19. Click Next to go to Step 3, Review and Submit.
  20. In the General section, enter a name for the IPS policy, optionally, a description and tags.
  21. For all other sections, review the information. To make changes, click the Edit icon.
  22. Click Save.

Supported Software Information

Releases 12.1.1 and later support all content described in this article.