You can configure Intrusion Prevention policy with a configuration wizard. The Intrusion Prevention configuration workflow contains the following components:
- Administration Settings
- Intrusion Prevention Configuration
- Apply IPS Policy to a device
Administration Settings
In Cisco vManage NMS, select the Administration ► Settings tab in the left side panel to configure IPS Signature Update. Click Edit to enable or disable the update, provide the Username and Password details, and save the policy details as shown in the following screenshot.
Intrusion Prevention Configuration
To configure Intrusion Prevention through Security, use the vManage security configuration wizard:
1. In Cisco vManage NMS, select the Configuration ► Security tab in the left side panel.
2. Click Add Security Policy. The Add Security Policy wizard opens, and various use-case scenarios display.
3. In Add Security Policy, select a scenario that supports intrusion prevention (Compliance, Direct Cloud Access, Direct Internet Access, or Custom).
4. Click Proceed to add an Intrusion Prevention policy in the wizard.
5. In the Add Security Policy wizard, click Next to select the Add Intrusion Prevention tab to create a new Intrusion Prevention Policy.
6. Click the Add Intrusion Prevention Policy drop-down, select Create New to create a new Intrusion Prevention policy. The Intrusion Prevention - Policy Rule Configuration wizard appears.
7. Enter a policy name in the Policy Name field.
8. Choose a signature set that defines the rules for evaluating traffic from the Signature Set drop-down. The following options are available. Connectivity provides the fewest restrictions and the highest performance. Security provides the most protection but can affect system performance.
- Connectivity—Less restrictive/better performance (fewer rules)
- Balanced—Designed to provide protection without a significant effect on system performance
- Security—More protection/less performance
9. Choose mode of operation from the Inspection Mode drop-down. The following options are available:
- Detection—Select this option for intrusion detection mode
- Protection—Select this option for intrusion protection mode
10. From the Advanced tab, choose one or more existing IPS signature whitelist lists or create new ones as needed from the Signature Whitelist drop-down.
To create a new signature list, click New Signature List at the bottom of the drop-down. In the IPS Signature List Name field, enter a list name consisting of up to 32 characters (letters, numbers, hyphens and underscores only). In the IPS Signature field, enter signatures in the format Generator ID:Signature ID, separated with commas. You also can use the Import button to add a whitelist from an accessible storage location. Click Save when you are finished.
You also can create or manage IPS Signature Whitelist lists by selecting the Configuration ► Security tab in the left side panel, choosing Lists from the Custom Options drop-down at the top right of the page, and then selecting Signatures in the left panel.
To remove an IPS Signature Whitelist from the Signature Whitelist field, click the “X” next to the list name in the field.
11. Choose an alert level for syslogs from the Alert Log Level drop-down. The options are:
12. Click Target VPNs to add the required number of VPNs in the Add Target VPNs wizard.
13. Click Save Changes to add an Intrusion Prevention policy.
14. Click on Policy Summary tab to attach a policy to Security Master Policy Configuration.
15. Enter Security Policy Name and Security Policy Description in the respective fields.
16. In the Additional Policy Settings tab ► Intrusion Prevention and/or URL Filtering, choose the following options:
- External Syslog Server VPN
- Server IP
- Failure Mode – Open/Close
17. Click Save Policy Changes to configure Intrusion Security policy.
18. You can edit the existing Intrusion Prevention policy by clicking on Custom Options in the right-side panel of vManage ► Configuration ► Security wizard.
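Step 10 above states the two input rules for a signature whitelist: the list name is at most 32 characters of letters, numbers, hyphens and underscores, and each signature is entered as Generator ID:Signature ID, comma separated. The following is an added example, not code from Cisco or vManage, that validates and normalises such a whitelist before it is pasted into the wizard or imported, so that a malformed entry is rejected rather than silently ignored; the signature IDs in the sample are constructed values.

```python
import re
from typing import List, Tuple

# Rules quoted from the wizard: up to 32 chars, letters/numbers/hyphens/underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# One whitelist entry is "Generator ID:Signature ID" (Snort-style GID:SID).
SIG_RE = re.compile(r"^(\d+):(\d+)$")


def validate_list_name(name: str) -> bool:
    """True if the name satisfies the IPS Signature List Name rules."""
    return bool(NAME_RE.match(name))


def parse_signature_whitelist(text: str) -> List[Tuple[int, int]]:
    """Parse a comma-separated 'GID:SID' string into (gid, sid) tuples.

    Raises ValueError on any malformed entry so a bad list is caught before
    it reaches the policy. Duplicates are dropped, first-seen order is kept.
    Every listed signature will be exempted from alerting/blocking, so the
    caller should review the returned list before saving it.
    """
    seen = set()
    result = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or blank entry
        m = SIG_RE.match(entry)
        if not m:
            raise ValueError(f"malformed signature entry {entry!r}, expected GID:SID")
        gid, sid = int(m.group(1)), int(m.group(2))
        if (gid, sid) not in seen:
            seen.add((gid, sid))
            result.append((gid, sid))
    return result


def is_valid_whitelist(text: str) -> bool:
    """Convenience check: does the whole string parse without error?"""
    try:
        parse_signature_whitelist(text)
        return True
    except ValueError:
        return False


def format_signature_whitelist(sigs: List[Tuple[int, int]]) -> str:
    """Render tuples back into the form the IPS Signature field expects."""
    return ",".join(f"{g}:{s}" for g, s in sigs)


if __name__ == "__main__":
    # Constructed sample input (not real signature IDs from any policy).
    sigs = parse_signature_whitelist("1:1000001, 1:1000002,3:1000001,1:1000001,")
    print(sigs)  # [(1, 1000001), (1, 1000002), (3, 1000001)]
```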
Applying Intrusion Prevention Policy to a Device
1. In vManage NMS, select the Configuration ► Templates screen.
2. In the Device tab, from the Create Template drop-down, select From Feature Template.
3. From the Device Model drop-down, select one of the IOS XE SD-WAN devices.
4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
5. From the Security Policy drop-down, select the name of the Intrusion Policy you configured in the above procedure.
6. Click Create to apply Intrusion policy to a device.
Monitoring Intrusion Prevention Feature
You can monitor the Intrusion Prevention System (IPS) signature violations by severity and by count using the following steps.
To monitor the signatures of the IPS configuration on an IOS XE SD-WAN device:
1. From the Monitor ► Network screen, select a device.
2. In the left panel, under Security Monitoring, select the Intrusion Prevention tab. The Intrusion Prevention wizard displays.
3. Click By Severity or By Count to designate how you want to display intrusion prevention information.