The Intrusion Detection and Prevention System (hereinafter referred to as IDPS) in Kaspersky NGFW analyzes traffic to detect attacks or threats of various types using the Kaspersky database of signatures. If an attack is detected in the traffic, the action specified by the administrator is applied to the traffic. To improve the accuracy of attack and threat detection and to minimize false positives, the signature databases are regularly updated.
The following IDPS profiles are used to identify vulnerabilities and protect against threats:
The default profile applies the Block action to all signatures contained in the Kaspersky database of signatures, so matching traffic is blocked. The default IDPS profile is included in the default security profile group. You can edit the default profile, but you cannot delete it.
You can create, edit, or delete custom profiles; in a custom profile you can also configure exclusion rules so that selected signatures are exempted from the action configured for that profile.
Encrypted traffic is scanned only when SSL decryption is enabled.
For traffic to be scanned by the IDPS mechanism, the following conditions must be satisfied: