Configure IPS Override
For supported software information, see Supported Software Information at the end of this article.
An intrusion prevention system (IPS) mitigates security vulnerabilities by responding to inappropriate or anomalous activity. Responses can include dropping data packets and terminating connections that are transmitting unauthorized data.
You commonly place an IPS at the perimeter of a corporate network.
IPS performs the following types of vulnerability detection to help prevent attacks, including zero-day attacks such as worms or viruses:
- Signature-based detection—Signatures are a set of rules that a vulnerability profile uses to detect intrusive activities. With signature-based detection, a security profile compares a software or application pattern with a database of signatures, identifying malicious activity by matching patterns to those in the database. Versa security packs (SPacks) provide a set of predefined signatures, and you can also create custom signatures.
- Anomaly detection—Anomaly detection monitors a network for unusual events or trends. You configure a vulnerability profile that compares observed events with a baseline of normal traffic. Anomaly detection detects patterns that are normally not present in the traffic, so it is useful for detecting new attacks.
By default, Versa SASE provides a predefined IPS enforcement policy. This article describes how you can modify the parameters in the predefined vulnerability profile.
For more information about configuring custom IPS filtering profiles, see Configure Custom IPS Filtering Profiles.
To modify the parameters in a predefined vulnerability profile, you create an override profile:
- Go to Configure > Security Service Edge > Real-Time Protection > Profiles.

- Select the Malware Protection & IPS tab, and then select the IPS Override subtab.
Note: In Release 12.2.2, the IPS Override subtab was moved under the new Malware Protection & IPS tab.
- To customize which columns display, click the Select Columns down arrow and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column display settings.

- Click + Add to add a new IPS override profile. The Create IPS Override Profile screen displays. In Step 1, Action Override and Packets, enter information for the following fields.

| Field | Description |
| --- | --- |
| Override Action | Select an override action. This action overrides the action in the predefined vulnerability profile. Options: Allow, Alert, Drop Packet, Drop Session, Reset Client, Reset Server, Reject. |
| Packet Capture (Group of Fields) | Click to enable packet capture. Packet capture information is automatically sent to the Analytics node, where you can view and download it. |
| Pre-window | Enter the number of packets immediately preceding the attacked packet that you want to capture. |
| Post-window | Enter the number of packets immediately following the attacked packet that you want to capture. |

- Click Next to go to Step 2, Exceptions Override.

- Click + Add. The Add Exception field displays.

- In the Signatures section, click the + icon, and then select the vulnerability signatures to add to the vulnerability profile's exception rule.

- Click Next. In the Exception Details section, enter information for the following fields.

| Field | Description |
| --- | --- |
| Exempt IP Address | Click the + Add icon to enter the IP addresses that are exempt from the vulnerability rule. |
| Action | Select the action to take: Allow, Alert, Drop packet, Drop session, Reject, Reset client, Reset server. |
| Threshold (Group of Fields) | Select the threshold application on the exempted IP address. |
| Interval | Enter an interval, in seconds. |
| Threshold | Enter the number of hits per interval based on the traffic direction. |
| Track By | Select the threshold tracking based on either source address, destination address, or both source and destination addresses. |
| Packet Capture (Group of Fields) | Click Enable Packet Capture, and then enter the following information. |
| Pre-window | Enter the number of packets immediately preceding the attacked packet that you want to capture. |
| Post-window | Enter the number of packets immediately following the attacked packet that you want to capture. |

- Click Next. In the Threat ID and Description section, enter information for the following fields.

| Field | Description |
| --- | --- |
| Threat ID | Enter the threat ID. |
| Description | Enter a text description for the threat. |
| Tags | Enter a keyword or phrase that allows you to filter the threat exception. This is useful when you have many threat exceptions and want to view those that are tagged with a particular keyword. |

- Click Add.
- Click Next to go to Step 3, Review and Submit.

- In the General section, enter a name for the IPS override profile and, optionally, a description and tags.
- For all other sections, review the information. To make changes, click the Edit icon.
- Click Save.
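
To show how the Interval, Threshold, and Track By fields of an exception interact, the following added example (not Versa code and not part of the original article) counts constructed signature hits under each Track By choice. It assumes a sliding window and that the threshold is met when the count reaches the configured value; the article does not state the exact counting method, and the function names and sample addresses are illustrative.

```python
from collections import defaultdict

# Constructed hits for one signature: (time in seconds, source IP, destination IP).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_HITS = [
    (0, "192.0.2.10", "198.51.100.5"),
    (2, "192.0.2.10", "198.51.100.6"),
    (4, "192.0.2.11", "198.51.100.5"),
    (5, "192.0.2.10", "198.51.100.5"),
    (40, "192.0.2.10", "198.51.100.5"),
]


def tracking_key(src, dst, track_by):
    """Map a hit to the counter it increments for the chosen Track By value."""
    if track_by == "source":
        return (src,)
    if track_by == "destination":
        return (dst,)
    if track_by == "both":
        return (src, dst)
    raise ValueError(f"unknown track_by: {track_by!r}")


def threshold_crossings(hits, interval, threshold, track_by):
    """Return (time, key) for every hit that brings its key to `threshold`
    or more hits within the last `interval` seconds.

    Assumption: sliding window, threshold met when count >= threshold.
    """
    recent = defaultdict(list)  # key -> timestamps still inside the window
    crossings = []
    for t, src, dst in sorted(hits):
        key = tracking_key(src, dst, track_by)
        recent[key] = [x for x in recent[key] if t - x < interval] + [t]
        if len(recent[key]) >= threshold:
            crossings.append((t, key))
    return crossings


if __name__ == "__main__":
    for mode in ("source", "destination", "both"):
        print(mode, threshold_crossings(SAMPLE_HITS, interval=30, threshold=3, track_by=mode))
```

With the same five hits, tracking by source or by destination reaches a threshold of 3 at the hit at 5 seconds, while tracking by both never does, because no single source and destination pair produces three hits inside 30 seconds.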
Supported Software Information
Releases 11.4.1 and later support all content described in this article, except:
- In Release 12.2.2, the IPS Override subtab was moved under the new Malware Protection & IPS tab.
