
IPS

Our implementation of IPS improved significantly in the Fireware XTM v11.4 release. The new signature set offers better performance and efficiency. IPS is no longer restricted to the ports and protocols used by proxies; it can also be applied to packet filter policies. Signatures are grouped into five threat levels that are easier to understand. You can see more information about each signature directly in the UI, and you can right-click a signature to add it to the exception list.

In Fireware XTM v11.4.x, you create a single global IPS action, which applies to traffic on all ports. You can enable or disable IPS per policy to meet your organization's needs. All policies that have IPS enabled use the same IPS action; it is not possible to use more than one IPS action in a configuration at the same time.

The following table summarizes the differences between IPS in Fireware XTM v11.4.x and IPS in earlier Fireware XTM releases. Each row gives the v11.4.x behavior first, then the behavior in earlier releases.

IPS Configuration
  Fireware XTM v11.4.x: Configure IPS settings globally, and enable or disable IPS per policy. The global IPS configuration applies to all policies that have IPS enabled.*
  Earlier releases: Activate IPS with a wizard. IPS settings must be configured per policy, and each policy that has IPS enabled can have a different IPS configuration.

IPS in Policies
  Fireware XTM v11.4.x: IPS is automatically enabled for all policies. IPS scans traffic on all ports.
  Earlier releases: IPS can be configured only for the DNS, FTP, SMTP, HTTP, POP3, and TCP/UDP proxy policies.

Threat Levels
  Fireware XTM v11.4.x: Five threat levels: Critical, High, Medium, Low, Information.
  Earlier releases: Numeric threat level from 1 to 100, where 100 is the highest severity.

Signature Exceptions
  Fireware XTM v11.4.x: You can configure IPS to allow, block, or drop traffic that matches each signature exception.
  Earlier releases: IPS allows traffic that matches the signature exceptions.

Where to See IPS Signature Information
  Fireware XTM v11.4.x: In Firebox System Manager, on the Subscription Services tab, click Show to see information about each IPS signature. In Fireware XTM Web UI, select Subscription Services > IPS, then select the Signatures tab to see information about each IPS signature. Additional IPS signature information is published on the WatchGuard web site at http://www.watchguard.com/SecurityPortal/ThreatDB.aspx. From this security portal, you can look up a signature ID. Click the signature ID to see links to additional information about the signature, including the CVE ID, Bugtraq ID, and other information, where applicable.
  Earlier releases: In Firebox System Manager, on the Subscription Services tab, click Show to see information about each IPS signature. The CVE identifier (CVE-ID) is shown in the signature list in Firebox System Manager for signatures that have an associated CVE identifier. Signature information is not available in the Fireware XTM Web UI in v11.3.x.

* If you use HTTPS with deep packet inspection (DPI), note that IPS scanning occurs before the HTTPS stream is decrypted. IPS is therefore not an effective tool for blocking intrusion attempts that pass through your XTM device inside an encrypted HTTPS stream.
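The decision rules described above (a single global IPS action, per-policy enable/disable, signature exceptions that can allow, block, or drop in v11.4.x but only allow in earlier releases, and the HTTPS footnote) can be made concrete with a small model. The following is an added example written for this page, not WatchGuard code or the device's actual implementation. It assumes, for illustration only, that the global IPS action is one action per threat level and that a signature "matches" when its pattern is a substring of the payload; the signature IDs, patterns, policy names, and flows are constructed placeholders.

```python
"""Toy model of the IPS decision flow this page describes (added example, not
WatchGuard code).  It encodes the page's rules: a policy with IPS disabled is
not scanned; a matched signature that has an exception uses the exception's
action instead of the global action; and an HTTPS payload that is still
encrypted when IPS runs is not inspected.  Assumed, not from the page: the
global IPS action is one action per threat level, and matching is substring
search."""
from dataclasses import dataclass, field

THREAT_LEVELS = ("Critical", "High", "Medium", "Low", "Information")
ACTIONS = ("allow", "block", "drop")


@dataclass
class GlobalIPS:
    """The single global IPS action shared by every policy with IPS enabled."""
    action_by_level: dict                           # assumed shape: level -> action
    exceptions: dict = field(default_factory=dict)  # signature id -> action

    def __post_init__(self):
        missing = set(THREAT_LEVELS) - set(self.action_by_level)
        bad = {a for a in self.action_by_level.values() if a not in ACTIONS}
        if missing or bad:
            raise ValueError(f"incomplete or invalid global action: {missing or bad}")

    def add_exception(self, signature_id, action="allow"):
        """v11.4.x exceptions can allow, block, or drop; earlier releases only allow."""
        if action not in ACTIONS:
            raise ValueError(action)
        self.exceptions[signature_id] = action


@dataclass
class Policy:
    name: str
    ips_enabled: bool = True   # page: IPS is automatically enabled for all policies


def first_match(signatures, payload):
    """Constructed stand-in for signature matching: the first signature whose
    pattern appears in the payload.  Real IPS matching is not this simple."""
    for sig in signatures:
        if sig["pattern"] in payload:
            return sig
    return None


def decide(ips, policy, flow, signatures, legacy_exceptions=False):
    """Return (verdict, reason) for one flow under the page's rules.

    flow is a dict with "payload" and "encrypted".  legacy_exceptions=True
    reproduces pre-11.4 behaviour, where a matching exception always allows."""
    if not policy.ips_enabled:
        return "allow", f"IPS disabled on policy {policy.name}"
    if flow.get("encrypted"):
        # Page footnote: IPS runs before HTTPS decryption, so it cannot see
        # attacks carried inside the encrypted stream.
        return "allow", "payload not inspected: still encrypted when IPS runs"
    sig = first_match(signatures, flow["payload"])
    if sig is None:
        return "allow", "no signature match"
    if sig["id"] in ips.exceptions:
        action = "allow" if legacy_exceptions else ips.exceptions[sig["id"]]
        return action, f"exception for {sig['id']}"
    return ips.action_by_level[sig["level"]], f"global {sig['level']} action for {sig['id']}"


# Constructed sample data: the ids and patterns are placeholders, not real signatures.
SIGNATURES = [
    {"id": "EXAMPLE-1", "level": "Critical", "pattern": "../../../../etc/passwd"},
    {"id": "EXAMPLE-2", "level": "Low", "pattern": "X-Scanner: demo"},
]
GLOBAL = GlobalIPS({"Critical": "drop", "High": "block", "Medium": "block",
                    "Low": "allow", "Information": "allow"})
GLOBAL.add_exception("EXAMPLE-2", "block")      # escalate a Low signature via an exception
HTTP_POLICY = Policy("HTTP-proxy")
HTTPS_POLICY = Policy("HTTPS-proxy")
LAB_POLICY = Policy("Lab-packet-filter", ips_enabled=False)

if __name__ == "__main__":
    flows = [
        (HTTP_POLICY, {"payload": "GET /../../../../etc/passwd HTTP/1.1", "encrypted": False}),
        (HTTP_POLICY, {"payload": "GET / HTTP/1.1\r\nX-Scanner: demo", "encrypted": False}),
        (HTTPS_POLICY, {"payload": "GET /../../../../etc/passwd HTTP/1.1", "encrypted": True}),
        (LAB_POLICY, {"payload": "GET /../../../../etc/passwd HTTP/1.1", "encrypted": False}),
    ]
    for policy, flow in flows:
        print(policy.name, decide(GLOBAL, policy, flow, SIGNATURES))
```

Running the block shows the same Critical payload dropped on the HTTP policy, allowed untouched on the policy with IPS disabled, and allowed on the HTTPS flow because the model never inspects an encrypted payload; the Low signature is blocked only because its exception says so, and with legacy_exceptions=True the same exception allows it instead.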

When you upgrade to Fireware XTM v11.4 or v11.4.1, your IPS configuration is upgraded to match the v11.4 configuration options. During the upgrade:
