Global

On the Network Protection > Intrusion Prevention > Global tab you can activate the Intrusion Prevention System (IPS) of Sophos UTM.

To enable IPS, proceed as follows:

  1. Enable the intrusion prevention system.

    Click the toggle switch.

    The toggle switch turns amber and the Global IPS Settings area becomes editable.

  2. Make the following settings:

    Local networks: Add or select the networks that should be protected by the intrusion prevention system. If no local network is selected, intrusion prevention is automatically deactivated and no traffic is monitored. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

    Policy: Select the security policy that the intrusion prevention system should use if a blocking rule detects an IPS attack signature.

    • Drop silently: The data packet will be dropped without any further action.
    • Terminate connection: A terminating data packet (RST for TCP and ICMP Port Unreachable for UDP connections) will be sent to both communication partners to close the connection.

    Note – By default, Drop silently is selected. There is usually no need to change this, especially as terminating data packets can be used by a potential intruder to draw conclusions about the gateway.

    Restart policy: Select the policy for connection handling when an IPS engine restart is required, for example when the engine is updated.

    • Drop (default): All incoming and outgoing connections will be dropped during engine restart.
    • Bypass: All incoming and outgoing connections will bypass IPS scanning while the engine is restarting.

  3. Click Apply.

    Your settings will be saved.

    The toggle switch turns green.

Cross Reference – Find information about configuring IPS in the Sophos Knowledge Base.

Live Log

The intrusion prevention live log can be used to monitor the selected IPS rules. Click the button to open the live log in a new window.