Trend Micro - Securing Your Journey to the Cloud Business
Support
Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

How do I: Configure my IPS/TPS device to function in IDS mode?

    • Updated:
    • 24 Aug 2017
    • Product/Version:
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint SMS All
    • TippingPoint TPS All
    • TippingPoint Virtual SMS
    • TippingPoint Virtual TPS All
    • Platform:
Summary

This article discuses configuring your N/NX-Platform or TPS/vTPS device as an Intrusion Detection System (IDS).

When IDS mode is enabled, it adjusts the IPS/TPS device configuration such that the IPS/TPS operates in a manner suitable for Intrusion Detection scenarios and filter configurations. When in IDS mode the following areas are modified;

  •  Performance protection is disabled
  •  Adaptive Filtering is set to Manual
  •  Filters currently set to Block are not switched to Permit, and Block filters can still be set

 

Details
Public

Procedure:

  1.  Configure network device for port mirroring/SPAN mode
  2.  Connect IPS/TPS device "Segment A" to network device (mirroring/SPAN port), leave "Segment B” open
  3.  Enable IDS mode

N/NX-Platform:

On the LSM; IDS mode is enabled on the IPS Preferences page (IPS -> Preferences) under the "Configure Threat Suppression Engine" section. When IDS Mode settings are changed, the device must be rebooted for the change to take effect.

TPS/vTPS:

On the LSM; IDS mode is enabled on the Settings preferences page (Policy -> Settings). When IDS Mode settings are changed, the device must be rebooted for the change to take effect.

Important: Changing IDS Mode does not change Performance Protection mode. For best results, when enabling IDS Mode, go to the System -> Settings -> Log Configuration -> Performance Protection page and change Performance Protection to Always log Alert and Block events mode.

For SMS

On the SMS client go to Devices and then choose your device from the list on the left or the window on the right. Once selected choose "Device Configuration". Another windows will pop-up and in this window choose "TSE Settings" on the left. On the right side click the "IDS Mode" check box and press "OK" to continue. Once again this will require a reboot.

Note: Using the IPS/TPS device in a mixed configuration is not supported. If the IPS/TPS device will be used in an IDS configuration, then it is an IDS device. Use the IPS/TPS as either and IDS or IPS device but not both. Attempting to run in mixed mode will lead to performance issues.

Definitions:

Port Mirror / SPAN Mode: A port mirror is active packet duplication, meaning that a network device (switch/router) has to physically copy packets onto the mirrored port. This means that the device has to carry on this task by using some resources (e.g. CPU) and that both traffic directions will be copied into the same port.

Network TAP: This entails either electrically or optically coping packets from the tap port.

Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000086950
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.