Global

On the Network Protection > Intrusion Prevention > Global tab you can activate the Intrusion Prevention System (IPS) of Sophos UTM on AWS.

To enable IPS, proceed as follows:

  1. Enable the intrusion prevention system.

    Click the toggle switch.

    The toggle switch turns amber and the Global IPS Settings area becomes editable.

  2. Specify the following settings:

    Local networks: Add or select the networks that should be protected by the intrusion prevention system. If no local network is selected, intrusion prevention will automatically be deactivated and no traffic is monitored. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.

    Policy: Select the security policy that the intrusion prevention system should use if a blocking rule detects an IPS attack signature.

    • Drop silently: The data packet will be dropped without any further action.
    • Terminate connection: A terminating data packet (RST for TCP and ICMP Port Unreachable for UDP connections) will be sent to both communication partners to close the connection.

    Note – By default, Drop silently is selected. There is usually no need to change this, especially as terminating data packets can be used by an alleged intruder to draw conclusions about the gateway.

    Restart policy: Select the policy for connection handling when an IPS engine restart is required, for example when the engine is updated.

    • Drop (default): All incoming and outgoing connections will be dropped during engine restart.
    • Bypass: All incoming and outgoing connections will bypass IPS scanning while the engine is restarting.
  3. Click Apply.

    Your settings will be saved.

    The switch turns green.

Cross Reference – Find information about configuring IPS in the Sophos Knowledge Base.

Live Log

The intrusion prevention live log can be used to monitor the selected IPS rules. Click the button to open the live log in a new window.