With IPS policies, you can prevent network attacks using rules.
The firewall enforces the actions specified in the rules and logs the corresponding events. The set of default policies prevents network attacks for several common types of traffic. You can create custom policies with rules that meet your traffic requirements.
- To add a policy, click Add and type a name. Then, you can clone the rules from an existing policy.
- To add rules to a policy, click Edit for the policy you want to edit and click Add.
Turn on IPS protection
IPS protection is turned off by default. To download IPS signatures to Sophos Firewall, configure IPS policies, and enforce IPS protection, you must turn it on.
Go to Intrusion prevention > IPS policies to turn on IPS protection.
To be able to turn it on, you must have one of the following:
- Network Protection subscription
- Trial license
After you activate the subscription, make sure IPS protection is turned on.
Network Protection subscription
When the subscription expires, the IPS protection switch remains turned on, but Sophos Firewall won't enforce IPS protection.
If you turn the switch off manually, see the following table for the IPS protection details:
| Subscription status | IPS switch: On | IPS switch: Off (within 30 days) | IPS switch: Off (after 30 days) |
|---|---|---|---|
| Active | Enforces IPS protection. | You can turn it back on. | You can turn it back on. |
| Expired | Doesn't enforce IPS protection. | You can only turn it on after activating Network Protection subscription. | You can only turn it on after activating Network Protection subscription. |
| Active or Expired | See above | | |
Export the IPS configurations or take a backup if you must turn off IPS protection.
If your trial license expires, Sophos Firewall automatically turns off IPS protection. See the following table for the protection details:
| Subscription status | IPS switch: On | IPS switch: Off (automatic), 30 days from expiration | IPS switch: Off (automatic), 30 days after expiration |
|---|---|---|---|
| Active | Enforces IPS protection. | Not applicable. | Not applicable. |
| Expired | Not applicable. IPS switch is automatically turned off. | | |
Export the IPS configurations or take a backup within 30 days from the expiration of the trial license.
IPS policy rules
Rules specify signatures and an action. The firewall matches signatures with traffic patterns and takes the action specified in the rule. The action specified for the rule overrides the action recommended by the signature.
Signatures identify threats and specify a recommended action to take when the firewall encounters matching traffic. Signatures are specific to applications, services, or platforms. The firewall includes predefined signatures, and you can also create custom signatures.
SID: ID of the IPS signature.
Category: Category of IPS signature.
Severity: Degree of threat severity.
Platform: Signatures that apply to specific platforms (for example, Microsoft Windows).
Target: Client or server-based signatures.
Recommended action: Action recommended by the firewall when traffic matches the signature.
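The following added example (not Sophos code or a Sophos export format) models the statement that a rule's action overrides the signature's recommended action, and lists the signatures whose protection a policy weakens. The SIDs, attribute values, action labels `allow` and `drop`, attribute-based rule filters, and first-match rule order are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed model: field names follow the signature attributes listed above.
@dataclass
class Signature:
    sid: int
    category: str
    severity: str
    platform: str
    target: str
    recommended_action: str

@dataclass
class Rule:
    name: str
    action: str
    filters: dict  # attribute -> accepted values (assumed selection model)
    def selects(self, sig):
        return all(getattr(sig, a) in ok for a, ok in self.filters.items())

# Assumed strictness order, used only to detect a downgrade.
STRICTNESS = {"allow": 0, "drop": 1}

def effective_action(rules, sig):
    """Action and name of the first rule selecting sig (assumed first match)."""
    for rule in rules:
        if rule.selects(sig):
            return rule.action, rule.name  # rule action overrides the recommendation
    return None, None  # no rule in this policy covers the signature

def weakened(rules, signatures):
    """Signatures whose rule action is less strict than the recommended one."""
    out = []
    for sig in signatures:
        action, name = effective_action(rules, sig)
        if action and STRICTNESS[action] < STRICTNESS[sig.recommended_action]:
            out.append((sig.sid, name, sig.recommended_action, action))
    return out

# Constructed sample signatures and rules; none of these are real SIDs.
SIGNATURES = [
    Signature(900001, "browsers", "critical", "windows", "client", "drop"),
    Signature(900002, "web-server", "major", "linux", "server", "drop"),
    Signature(900003, "misc", "minor", "windows", "client", "allow"),
]
RULES = [
    Rule("legacy-app-exception", "allow", {"category": {"web-server"}, "target": {"server"}}),
    Rule("block-high-severity", "drop", {"severity": {"critical", "major"}}),
]
```

Calling `weakened(RULES, SIGNATURES)` reports the one signature where a custom rule allows traffic that the signature recommends dropping, which is the kind of override worth reviewing after cloning or editing a policy.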