IDS/IPS

The Intrusion Detection/Prevention System ("IDS/IPS") maintains a database of known threats to protect the computers on your network from a wide range of hostile attack scenarios, to generate alerts when any such threats are detected, and to terminate communication from hostile sources. The network threat detection and prevention system is based on Suricata.

The threat database consists of an extensive rule set provided by Proofpoint. This rule set includes blacklisted IP addresses, patterns that recognize malware in communication links, patterns that recognize network scans, patterns that detect brute-force attacks and many more. In IDS mode, the IDS/IPS engine only generates alerts if the traffic matches one of the rules. In IPS mode, the IDS/IPS engine generates alerts and additionally blocks malicious traffic. Once you activate IDS/IPS, all rules are activated by default. If any of the services in the network are falsely blocked by the IDS/IPS, you can configure the IDS/IPS engine to ignore the rule that caused the false positive. For more information on the categories, see FAQ Emerging Threats.

When enabled, the IDS/IPS engine continuously scans traffic on all interfaces.

Important:

IDS/IPS is included in the UTM license. When you boot your LANCOM R&S®Unified Firewall for the first time, IDS/IPS runs as a test version for 30 days. When this period has expired, IDS/IPS is deactivated automatically. For further information on the licenses, see License.

Navigate to UTM > IDS/IPS to open a configuration dialog to display, activate and adjust the IDS/IPS settings.

The IDS/IPS configuration dialog allows you to configure the following elements:

Input field | Description
I/0 | A slider switch indicates whether IDS/IPS is active (I) or inactive (0). Click the slider switch to toggle the state of IDS/IPS. IDS/IPS is deactivated by default.
IDS/IPS License | This field displays your license information for IDS/IPS.
Mode | Select the desired IDS/IPS mode by clicking the respective radio button. The following modes are available:
  • IDS (log events) – This mode is used to only log events. It does not prompt any action.
  • IPS Drop (drop and log packets) – When an event is triggered, the packets which are related to this event are dropped without any response to the sender. A log entry is created.
  • IPS Reject (reject and log packets) – When an event is triggered, the packets which are related to this event are rejected. For TCP connections, your LANCOM R&S®Unified Firewall sends an RST packet to the source and creates a log entry (see also Logs).

Under Rules you can specify the IDS/IPS rules which you want to be ignored. You can add as many rules as you like.

Input field | Description
SID | Enter the unique signature ID (SID) of a rule and click to add the rule to the list. You can edit or delete individual entries in the list by clicking the corresponding button next to an entry. You can fetch a rule’s SID from the respective log entry (see Logs). For more information, see Icons and buttons.
Description | Optional: In the input field, enter additional information regarding the IDS/IPS rule to be ignored. If you leave the text field blank, it will be automatically filled as soon as your LANCOM R&S®Unified Firewall finds a rule that matches the signature ID.

Alternatively, you can add IDS/IPS rules which you want to be ignored by selecting the respective rules in the system log. For more information, see System Log.

The Clear Ignored Rules button at the bottom left of the panel allows you to delete all ignored IDS/IPS rules at once.
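The page explains that the engine is Suricata, that each alert carries a signature ID (SID), and that a SID taken from the log can be placed on the ignore list when it produces false positives. The following added example (not part of the LANCOM documentation or product) shows a small triage helper for that workflow: it parses alert records, groups them by SID, notes whether the engine blocked traffic (IPS mode) or only logged it (IDS mode), and lists SIDs whose alerts came exclusively from hosts the operator has already vetted, as candidates for the Rules ignore list. It assumes Suricata's upstream EVE JSON log format; the page does not show how the firewall's System Log presents these entries, so the sample lines, SIDs and hosts below are constructed.

```python
import json

# Constructed sample log lines in Suricata's EVE JSON format. Assumption: the
# page names Suricata as the engine but does not show the firewall's own log
# format, so these follow upstream Suricata. SIDs, signature texts, addresses
# and timestamps are sample values, not taken from any real deployment.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-15T10:01:02.000000+0100","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}',
    # A non-alert event type (flow record) that must be ignored by the triage.
    '{"timestamp":"2024-01-15T10:01:05.000000+0100","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"timestamp":"2024-01-15T10:02:11.000000+0100","event_type":"alert",'
    '"src_ip":"198.51.100.7","dest_ip":"10.0.0.20","proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":2010935,"rev":3,'
    '"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","severity":2}}',
    '{"timestamp":"2024-01-15T10:03:40.000000+0100","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.21","proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}',
    # A truncated or corrupt line: triage must skip it rather than abort.
    'this line is not JSON and must be skipped',
]


def parse_alerts(lines):
    """Return the alert records from EVE lines, skipping other event types
    and lines that are not valid JSON."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") == "alert" and "alert" in record:
            alerts.append(record)
    return alerts


def summarize_by_sid(lines):
    """Group alerts by signature ID: hit count, how many were blocked by the
    engine (IPS Drop/Reject) versus only logged (IDS), and source hosts seen."""
    summary = {}
    for rec in parse_alerts(lines):
        a = rec["alert"]
        entry = summary.setdefault(a["signature_id"], {
            "signature": a.get("signature", ""),
            "count": 0,
            "blocked": 0,
            "src_ips": set(),
        })
        entry["count"] += 1
        if a.get("action") == "blocked":
            entry["blocked"] += 1
        entry["src_ips"].add(rec.get("src_ip"))
    return summary


def candidate_ignores(summary, vetted_sources):
    """Heuristic: a SID whose alerts came only from hosts the operator has
    already vetted as legitimate is a candidate for the ignore list. The
    result is a starting point for review, not an automatic decision."""
    vetted = set(vetted_sources)
    return sorted(sid for sid, e in summary.items() if e["src_ips"] <= vetted)


def ignore_list_report(summary, vetted_sources):
    """Format candidate SIDs together with text suitable for the optional
    Description field, so an operator can transfer them into the Rules table."""
    report = []
    for sid in candidate_ignores(summary, vetted_sources):
        e = summary[sid]
        hosts = ", ".join(sorted(e["src_ips"]))
        report.append(f"SID {sid}\tDescription: {e['signature']} "
                      f"({e['count']} hits from {hosts})")
    return report


if __name__ == "__main__":
    summary = summarize_by_sid(SAMPLE_EVE_LINES)
    for sid, e in sorted(summary.items()):
        mode = "IPS (blocked)" if e["blocked"] else "IDS (logged only)"
        print(f"{sid}: {e['count']} alerts, {mode}, sources={sorted(e['src_ips'])}")
    # Hypothetical vetted host: an internal scanner whose traffic is expected.
    for line in ignore_list_report(summary, vetted_sources={"10.0.0.5"}):
        print(line)
```

With the constructed input, SID 2100498 fires twice from the vetted host 10.0.0.5 and is reported as an ignore candidate, while SID 2010935 fires from an external address and is kept; the blocked count shows which SIDs would already have been enforced in IPS mode, which matters when deciding whether an ignore entry changes blocking behaviour or only reduces log noise.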

On the Updates tab, you can create profiles for automatic IDS/IPS updates:

Input field | Description
From | Enter the date and time for the first automatic IDS/IPS update. You can enter a date in the MM/DD/YYYY format or choose a date from the calendar. Set a time using the hh:mm:ss format.
Interval | Specify the interval for IDS/IPS updates in hours. If you enter 0 hours, the update is carried out immediately.

Click Add to add the profile to the list. You can edit or delete individual entries in the list by clicking the corresponding button next to an entry.

For more information, see Icons and buttons.

If you have modified these settings, use the buttons at the bottom right of the editor panel to confirm (Save) or to discard your changes (Reset). Otherwise, you can close the dialog (Close).

Click Activate in the toolbar at the top of the desktop to apply your configuration changes.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de