This article discuses configuring your N/NX-Platform or TPS/vTPS device as an Intrusion Detection System (IDS).
When IDS mode is enabled, it adjusts the IPS/TPS device configuration such that the IPS/TPS operates in a manner suitable for Intrusion Detection scenarios and filter configurations. When in IDS mode the following areas are modified;
- Performance protection is disabled
- Adaptive Filtering is set to Manual
- Filters currently set to Block are not switched to Permit, and Block filters can still be set
- Configure network device for port mirroring/SPAN mode
- Connect IPS/TPS device "Segment A" to network device (mirroring/SPAN port), leave "Segment B” open
- Enable IDS mode
On the LSM; IDS mode is enabled on the IPS Preferences page (IPS -> Preferences) under the "Configure Threat Suppression Engine" section. When IDS Mode settings are changed, the device must be rebooted for the change to take effect.
On the LSM; IDS mode is enabled on the Settings preferences page (Policy -> Settings). When IDS Mode settings are changed, the device must be rebooted for the change to take effect.
Important: Changing IDS Mode does not change Performance Protection mode. For best results, when enabling IDS Mode, go to the System -> Settings -> Log Configuration -> Performance Protection page and change Performance Protection to Always log Alert and Block events mode.
On the SMS client go to Devices and then choose your device from the list on the left or the window on the right. Once selected choose "Device Configuration". Another windows will pop-up and in this window choose "TSE Settings" on the left. On the right side click the "IDS Mode" check box and press "OK" to continue. Once again this will require a reboot.
Note: Using the IPS/TPS device in a mixed configuration is not supported. If the IPS/TPS device will be used in an IDS configuration, then it is an IDS device. Use the IPS/TPS as either and IDS or IPS device but not both. Attempting to run in mixed mode will lead to performance issues.
Port Mirror / SPAN Mode: A port mirror is active packet duplication, meaning that a network device (switch/router) has to physically copy packets onto the mirrored port. This means that the device has to carry on this task by using some resources (e.g. CPU) and that both traffic directions will be copied into the same port.
Network TAP: This entails either electrically or optically coping packets from the tap port.