WatchGuard Intrusion Prevention Service

Over previous months we have looked at several features in depth, and often shown you our recommended configuration and how to implement them. This month we are taking a step back, and reviewing a basic feature, one that can be critically important. Let’s dive into WatchGuard Intrusion Prevention Service, or IPS as you will come to know it.

What is it?

IPS is built into WatchGuard Firebox devices; it is one of the Subscription Services on the firewall and is included in both the Basic and Total Security Suites. Intrusion Prevention inspects the content of incoming and outgoing traffic and compares it against a database of signatures for known attacks and malicious content. When traffic matches a signature, IPS takes the action you have configured for that threat level: dropping the traffic, blocking its source, or simply logging it and notifying the administrator.

How do I use it?

Intrusion prevention is easy to apply. Once IPS is activated, it is enabled by default on every new policy and proxy you create on that Firebox, but you must enable it manually on any policies that already existed before activation. As the screenshot below shows, enabling or disabling IPS within a policy is as simple as checking or clearing the associated box.

[Screenshot: WatchGuard Intrusion Prevention Service checkbox within a policy]

What settings do you recommend?

The signature database used by IPS is updated continuously with signatures for the latest known threats, so we recommend configuring the WatchGuard device to update this service automatically. The threats IPS detects are grouped into five levels: Critical, High, Medium, Low, and Information. We normally recommend setting the action to “Drop” for every level except Information, so that anything even remotely disruptive is stopped automatically while Information-level matches are only logged. After enabling it, review the IPS log for a few days to catch any false positives at the Low level before users notice them. Your configuration should look similar to the screen capture below.
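Because the two manual steps above (enabling IPS on pre-existing policies, and setting the per-level actions) are easy to miss on a busy Firebox, it helps to audit an exported configuration rather than clicking through every policy. The script below is an added example, not WatchGuard code and not based on the real Fireware export schema: the XML element and attribute names (`policy`, `ips`, `level`, `auto-update`) and the sample configuration are constructed assumptions for illustration. It reports policies without IPS, any level whose action differs from the "Drop everything except Information" recommendation, and whether signature auto-update is on.

```python
import xml.etree.ElementTree as ET

# Recommended per-level action from the article: Drop every level except Information.
RECOMMENDED_ACTIONS = {
    "Critical": "Drop",
    "High": "Drop",
    "Medium": "Drop",
    "Low": "Drop",
    "Information": "Allow",
}

# Constructed sample configuration. The element/attribute names are assumptions
# made for this example; they are NOT the real Fireware XML export schema.
SAMPLE_CONFIG = """<firebox-config>
  <ips>
    <auto-update>true</auto-update>
    <levels>
      <level name="Critical" action="Drop"/>
      <level name="High" action="Drop"/>
      <level name="Medium" action="Allow"/>
      <level name="Low" action="Drop"/>
      <level name="Information" action="Allow"/>
    </levels>
  </ips>
  <policies>
    <policy name="HTTP-proxy" ips="true"/>
    <policy name="Outgoing" ips="false"/>
    <policy name="FTP" ips="false"/>
    <policy name="WatchGuard" ips="true"/>
  </policies>
</firebox-config>
"""


def policies_without_ips(config_xml):
    """Return the names of policies that do not have IPS enabled, sorted."""
    root = ET.fromstring(config_xml)
    return sorted(
        p.get("name")
        for p in root.iter("policy")
        if p.get("ips", "false").lower() != "true"
    )


def level_action_deviations(config_xml):
    """Map each threat level whose action differs from the recommendation
    to a (configured, recommended) pair. A missing level counts as None."""
    root = ET.fromstring(config_xml)
    configured = {lvl.get("name"): lvl.get("action") for lvl in root.iter("level")}
    return {
        name: (configured.get(name), want)
        for name, want in RECOMMENDED_ACTIONS.items()
        if configured.get(name) != want
    }


def auto_update_enabled(config_xml):
    """True only if the ips/auto-update element exists and is 'true'."""
    root = ET.fromstring(config_xml)
    node = root.find("./ips/auto-update")
    return node is not None and (node.text or "").strip().lower() == "true"


def audit(config_xml):
    """Collect all findings as human-readable strings."""
    findings = []
    if not auto_update_enabled(config_xml):
        findings.append("IPS signature auto-update is disabled")
    for name, (got, want) in level_action_deviations(config_xml).items():
        findings.append(f"level {name}: action is {got!r}, recommended {want!r}")
    for name in policies_without_ips(config_xml):
        findings.append(f"policy {name!r} does not have IPS enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit flags the Medium level (set to Allow instead of Drop) and the two pre-existing policies, Outgoing and FTP, that never had IPS turned on. Point it at a real export only after adjusting the element names to match what your Firebox actually produces.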

[Screenshot: WatchGuard Intrusion Prevention Service settings, with Drop selected for Critical through Low]

What’s next?

Truly, that’s it for IPS: a simple service that goes a long way toward preventing unwanted intrusions into your network. If you have any remaining questions, let us know and we would be happy to help. Tune in next time as we take a closer look at another feature that, when configured correctly, could protect you from losing data.