Configuring IDS Settings and Viewing Activity

This topic covers how to configure IDS and view the results produced by the IDS engine.

  1. Enable IDS and specify its settings.
  2. Enable the signatures relevant to your environment. From the Settings module, select Security Settings > IDS Signatures (see Figure 50 and Figure 51). For details, see Understanding and Configuring IDS Signatures Settings.

    Figure 50: IDS Signatures

    Figure 51: IDS Custom Signatures
  3. Create and apply a firewall rule that offloads traffic to the IDS engine. The vGW Series gives you the ability to specify at a granular level which traffic to scan. For example, you might want to scan traffic to or from a specific VM, or traffic that uses a specific protocol.

    Figure 52 shows an inbound firewall rule that specifies that all inbound traffic is to be inspected by IDS and logged.

    Figure 52: IDS Inbound Policy Rule
  4. Apply the IDS rule using the Apply Policy tab.

    After you complete this configuration, the IDS engine begins to flag alerts when suspicious traffic occurs on the virtual network.

To verify that the IDS engine is working properly:

  1. Open an HTTP connection to a protected VM and make a request.

    For example, enter http://10.10.10.10/php.exe. Assuming the VM is listening on port 80, this request for php.exe violates Signature ID 1773 (WEB-PHP php.exe access).

  2. Click any rule violation posted on your screen to get more information about the alert.

    The Alert Details page shows details on the WEB-PHP alert. See Figure 53.

    Figure 53: IDS Alert Details Dialog Box
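
To show why the test request in step 1 raises an alert, here is an added example (not code from the vGW Series or its documentation) that models a URI-content signature check over constructed HTTP request lines. Only the signature ID and name come from this page; the match string `/php.exe`, the normalization steps, and the function names are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical model of one signature. The ID and message are from the page;
# the "uri_content" match string is an assumption about what it looks for.
SIGNATURES = [
    {"sid": 1773, "msg": "WEB-PHP php.exe access", "uri_content": "/php.exe"},
]

def normalize_uri(target):
    """Return the percent-decoded, lower-cased path of a request target.

    Handles origin-form (/php.exe) and absolute-form (http://host/php.exe)
    targets; the query string is dropped so only the path is matched.
    """
    return unquote(urlsplit(target).path).lower()

def inspect_request(request_line):
    """Return (sid, msg) for every signature the request line violates."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return []  # not a well-formed HTTP request line; nothing to match
    path = normalize_uri(parts[1])
    return [(s["sid"], s["msg"]) for s in SIGNATURES if s["uri_content"] in path]

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /php.exe HTTP/1.1",                    # the test request from step 1
    "GET http://10.10.10.10/php.exe HTTP/1.1",  # same request, absolute form
    "GET /PHP.EXE?x=1 HTTP/1.0",                # case and query string differ
    "GET /%70hp.exe HTTP/1.1",                  # percent-encoded path
    "GET /index.html HTTP/1.1",                 # benign request
]

def run_samples():
    """Inspect every sample and return the hits in the same order."""
    return [inspect_request(line) for line in SAMPLES]

if __name__ == "__main__":
    for line, hits in zip(SAMPLES, run_samples()):
        print(f"{line!r:45} -> {hits or 'no alert'}")
```

If the test request produces no alert in the product, check that the signature is enabled and that the firewall rule offloading traffic to the IDS engine has been applied.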