
IPS policies

With IPS policies, you can prevent network attacks using rules.

The firewall enforces the actions specified in the rules and logs the corresponding events. The set of default policies prevents network attacks for several common types of traffic. You can create custom policies with rules that meet your traffic requirements.

  • To add a policy, click Add and type a name. Then, you can clone the rules from an existing policy.
  • To add rules to a policy, click Edit for the policy you want to edit and click Add.

Turn on IPS protection

IPS protection is turned off by default. To download IPS signatures to Sophos Firewall, configure IPS policies, and enforce IPS protection, you must turn it on.

Go to Intrusion prevention > IPS policies to turn on IPS protection.

To be able to turn it on, you must have one of the following:

  • Network Protection subscription
  • Trial license

Note

After you activate the subscription, make sure IPS protection is turned on.

Network Protection subscription

When the subscription expires, the IPS protection switch remains turned on, but Sophos Firewall won't enforce IPS protection.

If you turn the switch off manually, see the following table for the IPS protection details:

| Subscription status | IPS switch: On | IPS switch: Off (within 30 days) | IPS switch: Off (after 30 days) |
|---|---|---|---|
| Active | Enforces IPS protection. | You can turn it back on. | You can turn it back on. |
| Expired | Doesn't enforce IPS protection. | You can only turn it on after activating Network Protection subscription. | You can only turn it on after activating Network Protection subscription. |
| Active or Expired | See above | Doesn't enforce protection. Doesn't update signatures. You can't configure policies and custom signatures. You can add IPS policies to rules (example: firewall rules). | Doesn't enforce protection. Deletes all IPS signatures and rules. Doesn't update signatures. You can't configure policies and custom signatures. You can add IPS policies to rules (example: firewall rules). |

Note

Export the IPS configurations or take a backup if you must turn off IPS protection.

Trial license

If your trial license expires, Sophos Firewall automatically turns off IPS protection. See the following table for the protection details:

| Subscription status | IPS switch: On | IPS switch: Off (automatic), 30 days from expiration | IPS switch: Off (automatic), 30 days after expiration |
|---|---|---|---|
| Active | Enforces IPS protection. | Not applicable. | Not applicable. |
| Expired | Not applicable. IPS switch is automatically turned off. | You can only turn it on after activating the Network Protection subscription. Doesn't enforce protection. Doesn't download signatures. You can't configure policies and custom signatures. You can add IPS policies to rules (example: firewall rules). | You can only turn it on after activating the Network Protection subscription. Deletes all IPS signatures and rules. You can add IPS policies to rules (example: firewall rules). |

Note

Export the IPS configurations or take a backup within 30 days from the expiration of the trial license.

IPS policy rules

Rules specify signatures and an action. The firewall matches signatures with traffic patterns and takes the action specified in the rule. The action specified for the rule overrides the action recommended by the signature.

IPS signatures

Signatures identify threats and specify a recommended action to take when the firewall encounters matching traffic. Signatures are specific to applications, services, or platforms. The firewall includes predefined signatures, and you can also create custom signatures.

SID: ID of the IPS signature.

Category: Category of IPS signature.

Severity: Degree of threat severity.

Platform: Signatures that apply to specific platforms (for example, Microsoft Windows).

Target: Client or server-based signatures.

Recommended action: Action recommended by the firewall when traffic matches the signature.
