This section describes the verification and check operations after the intrusion prevention feature is configured.
After configuring the intrusion prevention feature, you can do as follows to check the configuration result.
| Operation | Command |
|---|---|
| View IPS signatures. | `display ips-signature ips-signature-id`<br>`display ips-signature [ { pre-defined \| user-defined } [ associated ] ] [ application { application-name \| all } \| category { category-name \| all } \| os { all \| android \| ios \| unix-like \| windows \| other } * \| protocol { protocol-name \| all } \| severity { information \| low \| medium \| high } * \| state { disabled \| enabled \| retired } \| target { server \| client \| both } ] *` |
| View a predefined IPS signature based on a CVE ID. | `display ips-signature cve-id { cve-id \| year year }` |
| View a predefined IPS signature based on a vendor ID. | `display ips-signature vendor-id vendor-id` |
| View the status of predefined IPS signatures. | |
| View the actions of predefined signatures. | |
| View the rule of a specified user-defined signature. | `display ips signature-id signature-id rule { name rule-name \| all }` |
| View all exception domain names configured for domain name filtering. | |
| View the IPS profile. | `display profile type ips [ name name [ signature-set-name signature-set-name \| exception-signature-id exception-signature-id ] ]` |
| View information about the configured IPS global evidence collection rule. | |
| View the configuration of IPS threat intelligence linkage. | |
After configuring the intrusion prevention feature, you can do as follows to view or clear statistics:
| Operation | Command |
|---|---|
| View IPS statistics. | `display ips statistics [ slot slot-id cpu cpu-id ]` |
| View top N matched IPS signatures. | `display ips-signature statistics top-number [ slot slot-id cpu cpu-id ]` |
| View domain name filtering statistics. | `display cnc domain-filter { exception \| domain-name domain-name } statistics` |
| View top N matched malicious domain names. | `display cnc domain-filter domain statistics [ topn-number ] [ slot slot-id cpu cpu-id ]` |
| View detailed information about domain names loaded in the CNC database. | |
| View IPS threat intelligence linkage statistics. | `display threat-intelligence statistics [ type ip ]` |
| View IPS threat intelligence cached on the device. | `display threat-intelligence cache type ip [ ipv4 ipv4-address \| ipv6 ipv6-address ]` |
| Clear IPS statistics. | `reset ips statistics [ slot slot-id cpu cpu-id ]` |
| Clear IPS signature statistics. | `reset ips-signature statistics { signature-id signature-id \| all } { event \| collect-attack-evidence \| all } [ slot slot-id cpu cpu-id ]` |
| Clear domain name filtering statistics. | `reset cnc domain-filter { domain \| exception \| domain-name domain-name } statistics` |
| Clear IPS threat intelligence linkage statistics. | |
| Clear IPS threat intelligence cached on the device. | `reset threat-intelligence cache type ip [ ipv4 ipv4-address \| ipv6 ipv6-address ]` |
After the IPS profile is referenced by a security policy, the FW inspects the traffic that matches that policy. When it detects attack behavior, the FW takes the action specified in the IPS profile and generates a log.
After configuring the IPS feature, you can do as follows to set the output mode and output information of IPS logs.
| Operation | Command |
|---|---|
| Enable the IPS log merging function. | |
| Enable the function of outputting extended information of IPS logs. | |
| Configure IPS threat logs to record source and destination IP addresses by session or packet. | |
The following example shows a threat log for a Microsoft Internet Explorer signature.
IPS/4/DETECT(l)[0]:An intrusion was detected. (SyslogId=2, VSys="public",
Policy="policy1", SrcIp=192.168.1.2, DstIp=192.168.0.2, SrcPort=80, DstPort=53319,
SrcZone=untrust, DstZone=trust, User="unknown", Protocol=TCP, Application="HTTP",
Profile="profile_ips", SignName="Microsoft Internet Explorer CVE-2014-1815 Use After Free",
SignId=263490, EventNum=1, Target=client, Severity=high, Os=windows, Category=Code-execution, Reference=CVE-2013-1234, Action=Alert)
The following table describes the meanings of each field.
| Field | Description |
|---|---|
| SyslogId | Log ID |
| VSys | Name of the virtual system |
| Policy | Name of the security policy |
| SrcIp | Source IP address of packets |
| DstIp | Destination IP address of packets |
| SrcPort | Source port of packets (the field is 0 for ICMP packets) |
| DstPort | Destination port of packets (the field is 0 for ICMP packets) |
| SrcZone | Source security zone of packets |
| DstZone | Destination security zone of packets |
| User | User name |
| Protocol | Protocol of the packets matching the signature |
| Application | Application of the packets matching the signature |
| Profile | Profile name |
| SignName | Signature name |
| SignId | Signature ID |
| EventNum | Field for log merging: logs are merged on the basis of the log generating frequency and the condition for log merging. The value is 1 if logs are not merged. |
| Target | Attack target of the packets matching the signature |
| Severity | Attack severity of the packets matching the signature |
| Os | Operating system attacked by the packets matching the signature |
| Category | Category of the attack matching the signature |
| Reference | Signature reference information. Currently it contains only the CVE field. CVE: the Common Vulnerabilities and Exposures (CVE) ID of the signature. You can query the CVE ID on the https://cve.mitre.org/ website and obtain detailed information based on it. |
| Action | Action for the signature: |
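As an added example (not code from the vendor documentation), the following Python parser splits an IPS/4/DETECT threat log of the format shown above into typed fields, pulls out the CVE IDs from SignName and Reference for lookup, and applies a simple triage rule: a signature at or above the chosen severity whose Action was only Alert (so the traffic was not blocked) is escalated. The log line from this page is embedded as constructed sample input; the field names are the ones in the table, and the triage threshold is an assumption.

```python
import re

# Constructed sample input: the threat log shown on this page, joined into one line.
SAMPLE_LOG = (
    'IPS/4/DETECT(l)[0]:An intrusion was detected. (SyslogId=2, VSys="public", '
    'Policy="policy1", SrcIp=192.168.1.2, DstIp=192.168.0.2, SrcPort=80, DstPort=53319, '
    'SrcZone=untrust, DstZone=trust, User="unknown", Protocol=TCP, Application="HTTP", '
    'Profile="profile_ips", SignName="Microsoft Internet Explorer CVE-2014-1815 Use After Free", '
    'SignId=263490, EventNum=1, Target=client, Severity=high, Os=windows, '
    'Category=Code-execution, Reference=CVE-2013-1234, Action=Alert)'
)

# Header layout: MODULE/LEVEL/MNEMONIC(l)[index]:message (key=value, key=value, ...)
HEADER_RE = re.compile(
    r'^(?P<module>\w+)/(?P<level>\d)/(?P<mnemonic>\w+)\(l\)\[\d+\]:'
    r'(?P<message>[^(]*)\((?P<body>.*)\)\s*$'
)
# A value is either "double-quoted" (may contain spaces) or a bare token up to the next comma.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')
INT_FIELDS = ("SyslogId", "SrcPort", "DstPort", "SignId", "EventNum")
SEVERITY_RANK = {"information": 0, "low": 1, "medium": 2, "high": 3}
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')

def parse_ips_log(line):
    """Split one IPS/4/DETECT line into a dict of typed fields (raises on other logs)."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("module") != "IPS" or m.group("mnemonic") != "DETECT":
        raise ValueError("not an IPS DETECT threat log")
    fields = {"_level": int(m.group("level"))}
    for key, quoted, bare in KV_RE.findall(m.group("body")):
        fields[key] = quoted if quoted else bare.strip()
    for key in INT_FIELDS:          # numeric fields become ints for comparisons
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def cve_ids(fields):
    """Every CVE ID carried in SignName and Reference, ready for a cve.mitre.org lookup."""
    text = " ".join(str(fields.get(k, "")) for k in ("SignName", "Reference"))
    return set(CVE_RE.findall(text))

def triage(fields, min_severity="high"):
    """'escalate' if a severe signature was only alerted on (traffic passed), else 'record'."""
    severe = SEVERITY_RANK.get(fields.get("Severity", ""), -1) >= SEVERITY_RANK[min_severity]
    return "escalate" if severe and fields.get("Action") == "Alert" else "record"

def event_count(fields):
    """Events represented by this log; EventNum > 1 means the log was merged."""
    return fields.get("EventNum", 1)

if __name__ == "__main__":
    f = parse_ips_log(SAMPLE_LOG)
    print(f["SignName"], f["Severity"], f["Action"], sorted(cve_ids(f)), triage(f))
```

Note that the sample log carries different CVE IDs in SignName and Reference; collecting both lets an analyst verify which one the signature actually covers before acting on the alert.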