TotalSecure Configuration Task List
33
SonicWALL TZ 180 TotalSecure
To disable IPS, uncheck the Enable IPS check box. This will prevent blocking of traffic that matches
the IPS signatures. However, some signatures belong to Application Filter category sets as well as
other types of category sets such as GAV, IPS, Anti-Spyware, or Web Filters. If Application Filtering
is enabled, these signatures are blocked by the Application Filter process even when you configure
the other filters to allow them.
Caution Checking the Enable IPS check box does not automatically start SonicWALL IPS protection. You must
also update the IPS Global Settings section. You must specify a Prevent All action in the Signature
Groups table to activate Intrusion Prevention on the SonicWALL security appliance, and specify the
interface or zones you want to protect.
Specifying Global Attack Level Protection
SonicWALL IPS allows you to globally manage your network protection against attacks by simply
selecting the class of attacks: High Priority Attacks, Medium Priority Attacks, and Low Priority
Attacks. Selecting the Prevent All and Detect All check boxes for High Priority Attacks and
Medium Priority Attacks in the Signature Groups table, and then clicking Apply protects your
network against the most dangerous and disruptive attacks. For more detailed information on
configuring global signature groups, refer to “Configuring Global Signature Groups” in the
SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL
Resource CD or at <http://www.sonicwall.com/us/3396.html>
Fine-tuning the IPS
To really take advantage of the SonicWALL IPS, it is sometimes necessary to fine-tune the behavior
of certain IPS Categories and/or IPS Signatures.
Since no two networks are alike, it can be quite difficult to tell exactly which IPS Categories or IPS
Signatures should be Prevented or Detected.
However, what can be done is to create a Baseline Setup where as much hostile traffic as possible
is Prevented and Detected regardless of what traffic may flow in an individual network.
Refer to the descriptions in this document for instructions on how to change the behavior of a certain
IPS Category and/or IPS Signature.
A Baseline Setup can be accomplished in two different ways. The outcome is basically the same,
but the steps differ somewhat; both depend heavily on logging of the correct
Enable IPS Logging
To view IPS-related events in the log, ensure that the correct log categories are enabled.
The more categories enabled while fine-tuning, the better, although the logs fill fast. Always make
sure the categories Intrusion Prevention and Security Services are enabled.
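Whichever baseline you choose, the fine-tuning step comes down to reading the IPS entries the appliance logs while signatures are in Detect mode and deciding which of them to move to Prevent. The following script is an added example, not code from SonicWALL or from this guide: it parses SonicOS-style key=value syslog lines, counts detections and preventions per signature id, and lists the signatures that were only detected, ordered by priority, flagging those that were triggered by hosts on the LAN side so they can be checked for false positives before being switched to Prevent. The sample log lines are constructed, and the event ids (m=608 for prevention, m=609 for detection) and the sid, ipscat and ipspri field names are assumptions about the log format rather than values taken from this page.

```python
import re
from collections import defaultdict

# Constructed sample log in SonicOS key=value syslog style. The event ids
# (608 = IPS Prevention Alert, 609 = IPS Detection Alert) and the field names
# sid/ipscat/ipspri are assumptions about the format; hosts, times and
# signature names are made up for this example.
SAMPLE_LOG = """\
id=firewall sn=0017C5000001 time="2009-03-02 10:15:01" fw=203.0.113.10 pri=1 c=32 m=609 msg="IPS Detection Alert: WEB-ATTACKS Example exploit attempt" sid=1001 ipscat="WEB-ATTACKS" ipspri=1 n=1 src=198.51.100.7:4421:WAN dst=192.0.2.20:80:LAN
id=firewall sn=0017C5000001 time="2009-03-02 10:15:07" fw=203.0.113.10 pri=1 c=32 m=609 msg="IPS Detection Alert: WEB-ATTACKS Example exploit attempt" sid=1001 ipscat="WEB-ATTACKS" ipspri=1 n=2 src=198.51.100.9:5120:WAN dst=192.0.2.20:80:LAN
id=firewall sn=0017C5000001 time="2009-03-02 10:16:30" fw=203.0.113.10 pri=1 c=32 m=608 msg="IPS Prevention Alert: SCAN Example port sweep" sid=2002 ipscat="SCAN" ipspri=2 n=1 src=198.51.100.7:0:WAN dst=192.0.2.1:80:LAN
id=firewall sn=0017C5000001 time="2009-03-02 10:20:45" fw=203.0.113.10 pri=1 c=32 m=609 msg="IPS Detection Alert: P2P Example file sharing client" sid=3003 ipscat="P2P" ipspri=3 n=1 src=192.0.2.55:61000:LAN dst=198.51.100.200:6881:WAN
id=firewall sn=0017C5000001 time="2009-03-02 10:21:00" fw=203.0.113.10 pri=6 c=1024 m=97 msg="Web site access" src=192.0.2.55:61001:LAN dst=198.51.100.30:80:WAN
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed mapping of log event id to the IPS action it records.
IPS_EVENTS = {"608": "prevented", "609": "detected"}
# Assumed mapping of the ipspri field to the three Signature Group levels.
PRIORITY = {"1": "High", "2": "Medium", "3": "Low"}


def parse_line(line):
    """Split one key=value syslog line into a dict, stripping quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize_ips(log_text):
    """Aggregate IPS alerts per signature id; non-IPS events are ignored."""
    sigs = defaultdict(lambda: {"name": "", "category": "", "priority": "",
                                "detected": 0, "prevented": 0,
                                "sources": set(), "lan_sources": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        action = IPS_EVENTS.get(f.get("m"))
        if action is None or "sid" not in f:
            continue  # not an IPS alert line
        entry = sigs[f["sid"]]
        entry["name"] = f.get("msg", "")
        entry["category"] = f.get("ipscat", "")
        entry["priority"] = PRIORITY.get(f.get("ipspri", ""), "Unknown")
        entry[action] += 1  # one log line counts as one event
        src = f.get("src", "")
        host = src.split(":")[0]
        entry["sources"].add(host)
        if src.endswith(":LAN"):
            entry["lan_sources"].add(host)  # internal host triggered it
    return dict(sigs)


def detect_only_candidates(summary):
    """Signatures that fired in Detect mode but were never prevented: the set to
    review when tightening a Detect-All baseline toward Prevent. Rows are
    (sid, priority, category, detections, distinct sources, seen_from_lan),
    highest priority and most hits first."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Unknown": 3}
    rows = []
    for sid, e in summary.items():
        if e["detected"] and not e["prevented"]:
            rows.append((sid, e["priority"], e["category"], e["detected"],
                         len(e["sources"]), bool(e["lan_sources"])))
    rows.sort(key=lambda r: (order[r[1]], -r[3]))
    return rows


if __name__ == "__main__":
    summary = summarize_ips(SAMPLE_LOG)
    for sid, pri, cat, hits, srcs, lan in detect_only_candidates(summary):
        note = "  <- LAN source, check for false positive" if lan else ""
        print(f"sid={sid} {pri:<6} {cat:<12} hits={hits} sources={srcs}{note}")
```

Run it against a syslog export from the appliance instead of SAMPLE_LOG; a signature that is High priority, hit repeatedly from distinct external sources and never seen from an internal host is a reasonable first candidate for Prevent, while one that only fires from LAN hosts deserves a look at what those hosts are doing before it is blocked.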
The Brute-force Baseline Setup
The Brute-force Baseline setup is quite brutal and will in most cases break valid traffic flowing in the
network.
• Use the IPS Global Setting to enable the option Detect All for all three IPS Signature Groups.