This section describes the verification and check operations after the intrusion prevention feature is configured.
After configuring the intrusion prevention feature, check the configuration result as follows:
Check the intrusion prevention profile.
Choose , click the name of the IPS profile to be checked, and verify that the parameter settings in the profile are correct.
Check the security policy configuration.
Choose , click the name of the security policy to be checked, and verify that the intrusion prevention part correctly references the IPS profile.
After the security policy references the IPS profile, the FW checks traffic that matches the security policy. When it detects attack behavior, the FW takes the action specified in the IPS profile and generates a log.
Choose to view threat logs. The following figure shows a threat log regarding Internet Explorer.

The following table describes the meaning of each field.

| Field | Description |
|---|---|
| View | Click In View Threat Log Details, click the Source Address/Destination Address/Application/Security Policy/Profile/Source Region/Destination Region/Threat Name field value. When the threat log type is virus log, you can see the Hash Value field in View Threat Log Details. This field enables you to view the hash value of the virus file. When the threat log type is virus log, intrusion log, or botnet, Trojan horse, and worm log, you can see the Accessed Content field in View Threat Log Details. This field enables you to view URL content contained in the threats. |
| Attack Evidence Collection | Click NOTE: Only the audit administrator has permission to view the collected packets. |
| Time | Time when a threat log is generated. |
| Threat Type | Threat type: |
| Severity | The severity level is the same as that in the signature database. Focus on high-risk threats. If a threat is not blocked, add the attack source to the blacklist to block the threat. |
| Threat ID | ID of a threat. NOTE: If Threat Type is virus or intrusion, click Threat ID to add the virus or intrusion to the running or another configuration file as a virus or signature exception. Note that if the configuration file corresponding to the log does not exist, add the virus or intrusion to another configuration file. Virus/signature exceptions cannot be added to the default configuration file. |
| Threat Name | Name of a threat. |
| CVE Number | CVE number. You can obtain vulnerability information by CVE number to fix vulnerabilities in a timely manner. The CVE number is displayed only when Threat Type is set to Intrusion. |
| Source Zone | Source security zone of traffic. |
| Destination Zone | Destination security zone of traffic. |
| Attacker | IP address/user of an attacker. |
| Victim | IP address/user of a victim. |
| Source Address/Source Port | Source IP address/Source port of traffic. |
| Destination Address/Destination Port | Destination IP address/Destination port of traffic. |
| Application | Application type of traffic. |
| Protocol | Protocol type of traffic. |
| Action | Actions against various threats: |
| Security Policy | Security policy that traffic matches. |
| Profile | Security profile that traffic matches. |
| Source Region | Attacking region. |
| Destination Region | Attacked region. |
| Virtual System | Virtual system that generates the traffic. |

You can click Threat Name in the log to view the basic features, principle, and countermeasures for the threat. You can also access the URL in Related link to get more information about the threat. Some threats may have a Common Vulnerabilities and Exposures (CVE) ID, a Bugtraq ID (BID), or a China National Vulnerability Database of Information Security (CNNVD) ID. You can access http://cve.mitre.org/, http://www.securityfocus.com/bid or http://www.cnnvd.org.cn/ to further understand such a threat based on the CVE ID, BID or CNNVD ID, as shown in the following figure.
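
The Severity and CVE Number guidance in the field table can be applied to an exported threat log in bulk. The script below is an added example, not part of the product or its documentation: it assumes a CSV export whose columns are named after the table's fields, and the severity and action values (`High`, `Low`, `Block`, `Alert`), the profile and policy names, and all log rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names follow the field table on this page;
# the CSV layout and the "High", "Low", "Block" and "Alert" values are assumptions.
SAMPLE_LOG = """\
Time,Threat Type,Severity,Threat ID,Threat Name,CVE Number,Attacker,Victim,Action,Security Policy,Profile
2024-05-01 10:02:11,Intrusion,High,100001,Constructed browser exploit,CVE-0000-0001,203.0.113.7,192.0.2.10,Alert,policy_web,ips_default
2024-05-01 10:05:40,Intrusion,High,100002,Constructed server exploit,CVE-0000-0002,198.51.100.23,192.0.2.20,Block,policy_dmz,ips_default
2024-05-01 10:09:03,Virus,High,200001,Constructed test virus,,203.0.113.7,192.0.2.10,Alert,policy_web,av_default
2024-05-01 10:12:57,Intrusion,Low,100003,Constructed scan,CVE-0000-0003,198.51.100.99,192.0.2.30,Alert,policy_web,ips_default
"""


def triage(log_text, high_levels=("high",), blocking_actions=("block",)):
    """Return (blacklist_candidates, cves_to_patch) for high-severity entries.

    blacklist_candidates maps each Attacker whose threat was not blocked to the
    sorted (Threat ID, Profile) pairs involved, so the profile action can be
    reviewed alongside the blacklist decision.
    """
    candidates = defaultdict(set)
    cves = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Severity"].strip().lower() not in high_levels:
            continue  # the table's guidance is to focus on high-risk threats
        # CVE Number is populated only when Threat Type is Intrusion.
        cve = row["CVE Number"].strip()
        if cve:
            cves.add(cve)
        # A high-risk threat that was not blocked: its source is a blacklist candidate.
        if row["Action"].strip().lower() not in blocking_actions:
            candidates[row["Attacker"].strip()].add(
                (row["Threat ID"].strip(), row["Profile"].strip()))
    return {a: sorted(p) for a, p in candidates.items()}, sorted(cves)


if __name__ == "__main__":
    to_blacklist, to_patch = triage(SAMPLE_LOG)
    for attacker, hits in to_blacklist.items():
        print(f"blacklist candidate {attacker}: {hits}")
    print("CVE numbers to look up:", ", ".join(to_patch))
```

Adjust `high_levels` and `blocking_actions` to the values that actually appear in your device's Severity and Action columns.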
