Understanding Intrusion Prevention Service Settings; Configuring Gateway Av/Ips - Watchguard Firebox X20E User Manual

Firmware version 8.6 all firebox x edge e-series standard and wireless models

Understanding Intrusion Prevention Service Settings

If you enable Gateway AntiVirus with the FTP proxy, it finds viruses in files that users try to download from the external network. If a virus is found, the file is blocked.

You can view the name of a virus or infected file that Gateway AV has blocked in the log records. Select Logging from the sidebar menu. You can also view general statistics for Gateway AV/IPS on the GAV/IPS page, and trend reporting for Gateway AV/IPS in System Status > Security Services.

Understanding Intrusion Prevention Service Settings

The Intrusion Prevention Service includes a set of signatures associated with specific commands or text found in commands that could be harmful. The Intrusion Prevention Service works together with the SMTP, POP3, HTTP, and FTP proxies. If you have not configured these proxies, they are automatically configured when you enable Gateway AV or IPS for that protocol.

You set the action you want the Intrusion Prevention Service to take based on the security level assigned to each intrusion by the IPS signature database. There are three different levels:

High
    Vulnerabilities that allow remote access or execution of code, such as buffer overflows, remote command execution, password disclosure, key logging, backdoors, and security bypass.

Medium
    Vulnerabilities that allow access, disclose server-side source code to attackers, and deny access to legitimate users. Examples are directory traversal, file/source disclosure, Denial of Service, SQL injection, and cross-site scripting.

Low
    Vulnerabilities that do not allow the attacker to directly get access, but allow the attacker to get information that can be used in an attack. For example, an attacker can send a command that gets information about the operating system, IP addresses, or topology of a network. Signatures that get access to software applications with vulnerabilities (such as signatures that do not have very specific content) also get this level of severity.

You can see the name of an intrusion that IPS has blocked in the log records. Select Logging from the sidebar menu. You can also view general statistics for Gateway AV/IPS on the GAV/IPS page, and trend reporting for Gateway AV/IPS in System Status > Security Services.

Configuring Gateway AV/IPS

To configure Gateway AV/IPS, connect to the System Status page: in the browser address bar, type https:// followed by the IP address of the Firebox® X Edge trusted interface. The default URL is: https://192.168.111.1. From the navigation bar, select GAV/IPS > Settings.