ips

You can set up the Intrusion Prevention System (IPS). It consists of a signature engine (Snort) with a predefined set of signatures. Signatures are patterns known to be harmful. IPS compares traffic to these signatures and responds rapidly if it finds a match. You can't edit the firewall's built-in signatures.

Command

set ips

show ips-settings

Syntax

set ips
enable_appsignatures [on|off]
ac_atr exception fwrules [<firewall rule IDs>|none]
failclose [on|off]
failclose timeout [tcp|udp] <1-43200>
failclose apply
http_response_scan_limit <0-262144>
scan_decrypted_port_agnostic [on|off]
inspect [all-content|untrusted-content]
ips-instance [add|clear] IPS cpu <0-maximum CPUs in the device>
ips-instance apply
ips_mmap [on|off]
maxpkts [numeric value more than 8|all|default]
packet-streaming [on|off]
pki-acceleration [enable|disable]
search-method [ac-bnfa|ac-q|hyperscan]
sip_ignore_call_channel [enable|disable]
sip_preproc [enable|disable]
tcp urgent-flag [allow|remove]
set ips engine_update_mode [reload|restart]

Options

enable_appsignatures [on|off]

Turn app-based signatures on to enable the firewall to identify malicious applications based on matching traffic patterns.

Default: on

ac_atr exception fwrules [<firewall rule IDs>|none]

Create an exception so that traffic matching the specified firewall rules bypasses application classification and Active threat response. You can specify one or more firewall rules. To specify multiple rules, enter the firewall rule IDs in a comma-separated list.

Example

set ips ac_atp_exception_fwrules 1,2

To remove the firewall rule exception, enter none.

Example

set ips ac_atp_exception_fwrules none

failclose [on|off]

Controls how the firewall handles connections when the IPS engine reaches its connection or memory limit. If you turn it on, the firewall drops new connections once the limit is reached. If you turn it off, the IPS service removes old connections from the cache to free up resources for new ones.

The default status of this option depends on the amount of RAM in the appliance:

  • 8 GB of RAM or less: Turned off
  • More than 8 GB of RAM: Turned on

Note

If the status of this option in a backup is different than what's configured in the firewall, restoring that backup will change the status of this option. You must manually update your configuration afterward.

failclose timeout [tcp|udp] <1-43200>

Set the timeout in seconds for both TCP and UDP connections that pass through IPS.

The available timeout values for UDP and TCP traffic are 1 to 43200 seconds.

When failclose is off, the default timeout value is 180 seconds.

When failclose is on, the default timeout value is 600 seconds.

failclose apply

Apply the "failclose" configuration after you've changed it. You must enter set ips failclose apply separately after you turn "failclose" on or off or change its timeout value.

http_response_scan_limit <0-262144>

Set the scan limit for HTTP response packets. For full scanning, you must set this to 0.

Range: 0 to 262144

scan_decrypted_port_agnostic [on|off]

Turn it on to scan decrypted traffic in a port-agnostic way. For example, a signature written for HTTP still matches decrypted traffic that arrived over SSL, even though the port differs from the one the signature expects.

Default: on

inspect [all-content|untrusted-content]

Specify whether IPS should inspect all content or only content from untrusted sources.

  • all-content: Inspects all content. Provides the best security. This is secure enough for most users.
  • untrusted-content: Inspects untrusted content only. Doesn't inspect content trusted by SophosLabs. Provides the best performance.

Default: untrusted-content

ips-instance [add|clear] IPS cpu <0-maximum CPUs in the device>

Add or clear an IPS CPU instance. When you're adding an IPS instance, specify the CPU you want the IPS instance to use.

CPU range: 0 to maximum CPUs in the device

ips-instance apply

Apply the IPS instance configuration after you've changed it. You must enter set ips ips-instance apply separately after you add or clear an IPS CPU instance.

Warning

You're prompted to restart the firewall after you run this command. If you don't restart, the updated configuration isn't applied.

ips_mmap [on|off]

Turn it on to optimize RAM usage, especially in low-end devices.

Default: on

Note

This option is deprecated in SFOS 18.0 and later versions.

maxpkts [numeric value more than 8|all|default]

Specify the number of packets the application filter policies must scan in new and updated connections from the client and the server. For example, if you specify 9, the firewall scans the first nine packets from the client and the first nine from the server. So, application classification is complete after the first nine packets are scanned, but IPS scanning continues.

Default: 8

To identify complex or evasive applications, such as proxy or P2P applications, we recommend that you set this option to 80. See Configure recommended settings for P2P and Proxy and Tunnel.

Warning

Setting this value too high results in reduced connection speed.

packet-streaming [on|off]

Turn it on to restrict the streaming of packets in situations where the system is experiencing memory issues.

If packet-streaming is set to on, which is the default setting, the IPS engine builds an internal table during a session and deletes it at the end. It also reassembles all incoming packets and checks the data for known signatures.

If packet-streaming is set to off, the firewall doesn't reassemble packets or segments. Data is sometimes broken up into chunks of packets and must be reassembled to check for signatures. So, traffic over protocols such as Telnet, POP3, SMTP, and HTTP is now vulnerable to malicious files that are hidden by splitting.

Note

This option is deprecated in SFOS 18.0 and later versions.

pki-acceleration [enable|disable]

Turn it on to offload the re-signing of X.509 server certificates for SSL/TLS flows inspected by the DPI engine to the crypto hardware on the Xstream Flow Processor.

Default: enable

On SFOS versions and XGS Series models that don't support PKI acceleration, its status appears as "disabled". See Summary of supporting versions and appliance models.

To see the pki-acceleration status, enter show ips-settings.

For PKI acceleration to take effect, firewall acceleration must be turned on. If PKI acceleration is turned on but firewall acceleration is turned off, the status appears as enabled (inactive). See Firewall acceleration.

search-method [ac-bnfa|ac-q|hyperscan]

Set the search method for IPS signature pattern matching.

  • ac-bnfa: Low memory usage, high performance.
  • ac-q: High memory usage, best performance.
  • hyperscan: Low memory usage, best performance.

Default: hyperscan

sip_ignore_call_channel [enable|disable]

Turn it on to exempt audio and video data channels from IPS scanning.

Default: enable

sip_preproc [enable|disable]

Turn it on to scan all the SIP sessions for network attacks.

Default: enable

tcp urgent-flag [allow|remove]

Set how IPS handles the TCP urgent flag and pointer if the flag is sent in TCP packets.

  • allow: Allows the urgent flag and pointer without changing the packet.
  • remove: Removes and resets the urgent flag and pointer.

Default: remove

set ips engine_update_mode [reload|restart]

Specify whether you want to reload or restart the IPS engine when the IPS signature pack is updated.

  • reload: Reloads the IPS engine configuration. Some packets may be dropped while the configuration is reloading.
  • restart: Restarts the IPS engine. All incoming and outgoing packets bypass IPS scanning while the engine is restarting.

Default: reload

Warning

For security reasons, we strongly recommend that you don't change this setting.

To see the current setting, run the following command:

show ips_conf

Example

console> show ips_conf
config stream       1
config maxsesbytes      0
config stdsig       1
config qnum     10
config maxpkts      8
config disable_tcpopt_experimental_drops        0
config enable_appsignatures     1
var SEARCH_METHOD       hyperscan
var SIP_STATUS      enabled
var IGNORE_CALL_CHANNEL     enabled
var TCP_POLICY      windows
var LOCAL_RULE      local.rules
var DETECT_ANOMALIES        no
var TCP_BLOCK       nblock
config inspect_content      untrusted
config sacmaxpkts       8
config snaplen      1514
var FAST_BLOCKING       off
var NORMALIZE_NULLS     off
var SMALL_SEGMENTS      3
var SMALL_SEGMENTS_BYTES        150
var SMALL_SEGMENTS_ACTION       none
var SMALL_SEGMENTS_PKTS     1
config decrypt_service_rule_detection       on
var TCP_URGENT      removed
config pki-acceleration     disable
config failclose        off
config update_mode      reload

show ips-settings

Shows the currently configured IPS settings and running instances.
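As an added example (not part of the Sophos documentation or product), the following Python script parses the `config <key> <value>` / `var <KEY> <value>` lines that show ips_conf prints and audits them against a hypothetical hardening baseline built from the option descriptions above (failclose on, content inspection not limited to untrusted content, engine_update_mode left at reload). The sample output and the baseline are constructed for illustration; a real check would paste the console output captured from the firewall.

```python
import re

# Constructed sample, modelled on the show ips_conf output shown on this page.
SAMPLE_IPS_CONF = """\
console> show ips_conf
config stream       1
config maxpkts      8
config enable_appsignatures     1
var SEARCH_METHOD       hyperscan
var SIP_STATUS      enabled
config inspect_content      untrusted
var TCP_URGENT      removed
config pki-acceleration     disable
config failclose        off
config update_mode      reload
"""

# Each line is "config <key> <value>" or "var <KEY> <value>" separated by runs of spaces.
LINE_RE = re.compile(r"^(config|var)\s+(\S+)\s+(\S+)\s*$")


def parse_ips_conf(text: str) -> dict:
    """Turn show ips_conf output into {key: value}; prompt lines and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("console>"):
            continue
        match = LINE_RE.match(line)
        if match:
            settings[match.group(2)] = match.group(3)
    return settings


# Hypothetical baseline: (human-readable expectation, predicate on the printed value).
BASELINE = {
    "failclose": ("on", lambda v: v == "on"),                    # drop new flows at engine limit
    "inspect_content": ("not untrusted", lambda v: v != "untrusted"),  # inspect all content
    "update_mode": ("reload", lambda v: v == "reload"),          # page warns against changing it
    "enable_appsignatures": ("1", lambda v: v == "1"),
    "TCP_URGENT": ("removed", lambda v: v == "removed"),
    "stream": ("1", lambda v: v == "1"),
}


def audit(settings: dict, baseline: dict = BASELINE) -> list:
    """Return (key, expected, actual) for each baseline key that is missing or fails its check."""
    findings = []
    for key, (expected, check) in baseline.items():
        actual = settings.get(key)
        if actual is None or not check(actual):
            findings.append((key, expected, actual if actual is not None else "<missing>"))
    return findings


if __name__ == "__main__":
    for key, expected, actual in audit(parse_ips_conf(SAMPLE_IPS_CONF)):
        print(f"{key}: expected {expected}, found {actual}")
```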