Security Services
Cisco ISA500 Series Integrated Security Appliances Administration Guide
Configuring Intrusion Prevention
Intrusion Prevention System (IPS) is a network-based platform that inspects
network traffic for malicious or unwanted activity such as worms, spyware, and
policy violations. When IPS detects a threat, it reacts in real time by taking actions
such as blocking or dropping connections, logging the detected activities, and
sending notifications about these activities. You can use the default actions for
each signature or customize the actions to suit your requirements.
IMPORTANT: IPS uses signatures to identify attacks in progress. You must
update the IPS signatures frequently to keep the protection current. See Updating
IPS Signature Database, page 324.
After setting up IPS, you have these options for monitoring the activity:
• Enable the IPS report from the Security Services > Security Services
Reports page or from the Status > Security Services Reports page to see
the number of packets detected and the number of packets dropped by
IPS. See Viewing IPS Report, page 300.
• Enable the IPS Alert feature to send an alert email to a specified email
address if an attack is detected by IPS. See Configuring Email Alert
Settings, page 408.
NOTE: You must install licenses on the License Management page before you can
configure IPS.
STEP 1 Click Security Services > Intrusion Prevention (IPS) > IPS Policy and Protocol
The IPS Policy and Protocol Inspection window opens.
STEP 2 At the top of the page, enable or disable IPS by clicking On or Off.
STEP 3 In the Zone area, choose the zones to be inspected. IPS inspects inter-zone traffic
• To add a zone: In the Zones Available list, click a zone, and then click Add to
move it to the Selected Zones list. All incoming and outgoing traffic for the
selected zones is inspected.
• To remove a zone: In the Selected Zones list, click a zone, and then click
Remove to move it to the Zones Available list.