
Limitations and Precautions for Intrusion Prevention

Read limitations and precautions before configuring intrusion prevention.

Hardware Requirements

The intrusion prevention function is supported by all models.

The USG6510E/6510E-POE/6530E does not support IPS threat intelligence linkage.

License Requirements

To update the IPS signature database, an IPS license file must be loaded. For details about the license control scope, see License Control Items.

In versions earlier than V600R007C20SPC300, you need to update the IPS signature database immediately after the license is loaded. In V600R007C20SPC300 and later versions, the device automatically loads the predefined IPS signature database after the license is loaded.

Limitations

  • The IPS Third-Generation Engine does not support the detection of ICMP packets.
  • Intrusion prevention supports IPv4 and IPv6.
  • IPS threat intelligence linkage depends on the threat intelligence linkage component package. For details about the component package, see Dynamic Loading.

Precautions

  • When the intrusion prevention function is used to perform content security detection on traffic, the performance of the device is affected. Therefore, configure the function as required.
  • If a signature has been removed from the latest IPS signature database after an update, all configurations associated with this signature cease to take effect.
  • In a hot standby deployment, intrusion prevention is recommended in active/standby mode. In a per-flow load balancing deployment, intrusion prevention is supported but with a lower detection rate than in active/standby mode.
  • Intrusion prevention may function improperly if the forward and return paths of packets are different.
  • If you want the device to perform the intrusion prevention check on SFTP traffic, HTTPS traffic, SMTPS traffic, POP3S traffic, or IMAPS traffic, configure SSL-encrypted traffic detection. For details, see SSL-Encrypted Traffic Detection.
  • On networks with inconsistent forward and return paths, the following commands need to be run on the FW:
    • undo firewall session link-state check: disables the link status check function of the session table.
    • undo fragment-reassemble enable: disables the fragment reassembly function.
    • stream-reassemble session-cache 0: sets the maximum cache for a single session during TCP flow reassembly to 0.
  • If the FW is deployed between two routers, and the routers detect each other through BFD, you are advised to properly prolong the BFD time (longer than 100 ms is recommended) to prevent BFD flapping resulting from occasional network congestion.
  • User-defined and predefined signatures do not have priorities. When traffic matches both a user-defined and a predefined signature, the stricter signature action prevails. For example, if the user-defined signature action is Alert and the predefined signature action is Block, traffic that matches both signatures is handled with the action Block.
  • If traffic matches a signature whose default action is Allow, the device does not record logs or collect matching statistics. In addition, the exception signature configured for the signature whose default action is Allow does not take effect.
  • During IPS detection, the device sends packets to the IAE one by one. If the signature field and the IPS global evidence collection field are carried in different packets (for example, when a packet is fragmented), and the packet carrying the signature field matches the signature and triggers a threat log before the packet carrying the evidence collection field reaches the IAE, the extension information of the threat log cannot include the evidence collection information.
  • For traffic matching associated signatures such as brute-force cracking, the device directly blocks the traffic through the blacklist function without sending interference packets (Reset packets). For traffic matching non-associated signatures such as cross-site attacks and mining attacks, the device sends Reset packets to block the session.
  • IPS does not support attack evidence collection for associated signatures.
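The following is an added illustration of the two rules stated above (strictest action prevails when user-defined and predefined signatures both match; a signature whose default action is Allow is not logged and ignores its exception signature). It is a model written for this page, not Huawei device code; the field names, the three action labels and the sample signatures are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Strictness order assumed from the documented example: Alert vs. Block resolves to Block.
STRICTNESS = {"allow": 0, "alert": 1, "block": 2}


@dataclass
class Signature:
    name: str
    origin: str                              # "predefined" or "user-defined" (constructed labels)
    default_action: str                      # "allow", "alert" or "block"
    exception_action: Optional[str] = None   # hypothetical per-signature override (exception signature)


def effective_action(sig: Signature) -> str:
    """Action contributed by one matched signature.

    An exception signature configured for a signature whose default action is
    Allow does not take effect, so the Allow default is kept in that case.
    """
    if sig.default_action == "allow":
        return "allow"
    return sig.exception_action or sig.default_action


def resolve(matched: List[Signature]) -> Dict[str, object]:
    """Resolve the action and logging behaviour for traffic matching several signatures.

    Origins carry no priority: the strictest effective action wins. Signatures
    whose default action is Allow produce neither a log nor matching statistics.
    """
    actions = [effective_action(s) for s in matched]
    action = max(actions, key=lambda a: STRICTNESS[a]) if actions else "allow"
    logged = [s.name for s in matched if s.default_action != "allow"]
    return {"action": action, "logged_signatures": logged}


if __name__ == "__main__":
    # Constructed sample: a user-defined Alert signature and a predefined Block signature both match.
    hits = [
        Signature("custom-sig-1", "user-defined", "alert"),
        Signature("builtin-sig-7", "predefined", "block"),
    ]
    print(resolve(hits))
```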
Copyright © Huawei Technologies Co., Ltd.