Manage IPS

Umbrella's Intrusion Prevention System (IPS) works with the Umbrella cloud-delivered firewall (CDFW) to provide signature lists, containing thousands of unique signatures for malware and other threats. Using IPS signature lists with your firewall policy protects your network from known threats.


SSL Decryption

At this time, SSL decryption is not yet available for IPS. The Umbrella IPS does not decrypt messages before inspecting the network traffic.

Table of Contents

How IPS Works

Umbrella IPS uses signature-based detection and provides an added layer of protection against threats such as malware, botnets, phishing, and command and control call backs. When IPS is enabled, it's enabled for your entire environment, including all of your network tunnels.

IPS Signature Lists contain signatures filtered by three actions:

  • Block—Signatures are screened for threats on your network and recorded in Activity Search.
  • Log Only—Signatures are recorded in Activity Search, but not screened for threats.
  • Ignore—Signatures are completely ignored and not recorded in Activity Search.

Hit Counts

Hit counts represent the amount of times signatures were detected on your network for a certain period. By default, hit count durations for all lists are set to the last 24 hours. Each list's hit count duration can be changed to the last five minutes, last hour, yesterday, or the last 30 days. Hit counts may also be reset at any time.

Default IPS Signature Lists

The default IPS signature lists are constructed based on the balance between network connectivity and network security. The more a list is focused on security the more signatures are set to Blocked in that list rather than Log Only or Ignored.

  • Connectivity Over Security—This signature list places an emphasis on network connectivity and throughput at the possible expense of security. Traffic is inspected less deeply, and fewer rules are evaluated.
  • Balanced Security and Connectivity—This signature list attempts to balance network connectivity and security to keep users secure while being less obtrusive toward normal traffic. Less strict than Connectivity Over Security.
  • Security Over Connectivity—This signature list emphasizes security over network connectivity. Traffic is inspected more deeply and more rules are evaluated. The result is an increase in false positives and network latency.
  • Maximum Detection—This signature list places all emphasis on security, such that network connectivity and throughput are compromised. Only select this setting when total protection is required as alerts must be monitored and validated manually.

Configure IPS

Before you can use IPS signature lists to protect your network, you must configure Umbrella's IPS in your firewall policy. For more information, see Configure IPS Settings for Firewall Policy.

Check Protocol of Web Traffic < Manage IPS > Add a Custom Signature List