You can enable or disable protection against threats from malicious traffic that is inbound to the organization, outbound from it, or crossing its WAN. You can also configure the service either to block the traffic or to monitor it without blocking.
Cato's IPS service is comprised of several layers of security including:
Reputation Analysis: Protecting against inbound / outbound communication with compromised or malicious resources.
Known Vulnerabilities: Protecting against known CVEs, rapidly adapting to incorporate new ones.
Anti-Bot: Protecting against outbound traffic to C&C servers based on reputation feeds, and network behavioral analysis.
Network Behavioral Analysis: Protecting against inbound / outbound network scans.
Protocol Validation: Protecting against packets that do not conform to the protocol specification, reducing the attack surface for exploits that rely on anomalous traffic.
Geo Restriction: Enforce a custom geo-restriction policy to block inbound, outbound, or all traffic to specific countries.
Note: We recommend that you enable TLS inspection so that the IPS service provides the maximum protection for your network.
The IPS Categories section provides explanations for the threat types identified by the IPS engine. The section shows all of the Cato-defined IPS threat categories and the number of events triggered for each threat type in the previous seven days.
You can click a number to open the Events screen pre-filtered for the threat type.
This section explains how to configure the IPS Policy to protect the networks in your account.

For WAN, Inbound and Outbound traffic, you can define the actions triggered by threat detection and set their alerts. These are the available actions:
Block - Blocks the malicious traffic from reaching its destination. When applicable, redirects the user to a dedicated blocking web page.
Monitor - Generates events (shown in Monitoring > Events) for the malicious traffic. The traffic then continues to the destination.
To configure the protection actions for the IPS Policy:
1. From the navigation menu, click Security > IPS.
2. Click the Protection Policy tab, and define the settings for each Protection Scope:
   a. In the Protection Scope column, click the traffic type. The Edit panel opens.
   b. In the General section, enable or disable the Protection Scope (green is enabled, grey is disabled).
   c. In the Action section, set the action for traffic that matches an IPS protection.
   d. In the Track section, set the event and email notification options:
      - Click Event to generate events for traffic that matches an IPS protection.
      - Click Email Notification, and set the Frequency that notifications are sent. Select the Mailing List of the admins that receive the notifications.
   e. Click Apply. The settings for the protection scope are added to the IPS Policy.
3. Click Save. The IPS Policy is saved.
The Enforcement Options for the IPS policy let you add an extra level of threat protection for inbound and outbound traffic.
For outbound traffic you can configure IPS to automatically block domains that are less than 14 days old. Malware often uses newly registered domains to evade threat protection. The majority of newly registered domains are malicious or suspicious.
The Suspicious IP quarantine feature enables IPS to temporarily block suspicious inbound IP addresses that are aggressively scanning your network. This feature blocks the traffic from these suspicious IP addresses for five minutes.
You can define IPS Geo Restriction rules to block traffic to (outbound) or from (inbound) specific countries, or all traffic to and from the countries defined in the rule.
Note: If you configure a Geo Restriction rule for inbound traffic, this applies to all inbound traffic including RPF resources.
To define a Geo Restriction rule:
1. From the navigation menu, click Security > IPS.
2. From the Geo Restriction tab, click New. The Add panel opens.
3. In the General section, configure the following settings:
   a. Enter a Name for the rule.
   b. Make sure that the rule is enabled (green is enabled, grey is disabled).
   c. Select the traffic direction for this rule: Outbound, Inbound or Both Directions.
4. In the Countries section, define the countries for this geo restriction rule:
   a. Search for the country, and then select it.
   b. Repeat the previous step for each country that you are adding to this rule.
5. In the Actions section, set the action and tracking settings for this rule:
   a. Define the action for the rule: Block, Monitor, or Allow (both the Monitor and Allow actions generate events without blocking the traffic).
   b. Click Event to generate events for traffic that matches an IPS protection.
   c. Click Email Notification, and set the Frequency that notifications are sent. Select the Mailing List of the admins that receive the notifications.
6. Click Apply. The rule is added.
7. Click Save.
You can temporarily disable geo restriction rules and then re-enable them in the future.
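The following is an added example, not Cato's code, that models how a Geo Restriction rule as described above is matched against a flow: the rule's direction (Outbound, Inbound or Both Directions), its country list, its enabled state, and the action semantics where Block drops the traffic while Monitor and Allow only generate an event. The country codes, rule names and the first-match evaluation order are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed model of a Geo Restriction rule as this page describes it.
@dataclass
class GeoRule:
    name: str
    direction: str             # "Outbound", "Inbound" or "Both Directions"
    countries: frozenset[str]  # constructed sample country codes
    action: str                # "Block", "Monitor" or "Allow"
    enabled: bool = True       # a disabled rule is kept but never matches
    track_event: bool = True   # the "Event" tracking toggle

@dataclass
class Flow:
    direction: str  # "Outbound" (to the country) or "Inbound" (from it)
    country: str    # country of the remote endpoint

@dataclass
class Verdict:
    blocked: bool
    events: list[str] = field(default_factory=list)

def rule_matches(rule: GeoRule, flow: Flow) -> bool:
    """A rule applies when it is enabled, covers the flow's direction,
    and the remote endpoint's country is one of the rule's countries."""
    if not rule.enabled:
        return False
    if rule.direction not in ("Both Directions", flow.direction):
        return False
    return flow.country in rule.countries

def evaluate(rules: list[GeoRule], flow: Flow) -> Verdict:
    """Assumption (not stated on the page): rules are checked in order and
    the first match decides. Block drops the flow; Monitor and Allow only
    generate an event, so the flow continues either way."""
    for rule in rules:
        if rule_matches(rule, flow):
            events = [f"{rule.name}:{rule.action}"] if rule.track_event else []
            return Verdict(blocked=(rule.action == "Block"), events=events)
    return Verdict(blocked=False)

# Constructed sample policy (rule names and country codes are made up).
SAMPLE_RULES = [
    GeoRule("partner-allow", "Both Directions", frozenset({"XA"}), "Allow"),
    GeoRule("block-xb-inbound", "Inbound", frozenset({"XB"}), "Block"),
    GeoRule("watch-xc", "Outbound", frozenset({"XC"}), "Monitor"),
    GeoRule("old-rule", "Both Directions", frozenset({"XD"}), "Block", enabled=False),
]

if __name__ == "__main__":
    for f in (Flow("Inbound", "XB"), Flow("Outbound", "XB"), Flow("Outbound", "XC")):
        print(f, evaluate(SAMPLE_RULES, f))
```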
Note: You cannot undo the action to delete a geo restriction rule!