Idp rules – Amer Networks E5Web GUI User Manual
Page 471

> Update Center.
Updating in High Availability Clusters
Updating the IDP databases for both the units in an HA Cluster is performed automatically by
cOS Core. In a cluster there is always an active unit and an inactive unit. Only the active unit in the
cluster will perform regular checking for new database updates. If a new database update
becomes available the sequence of events will be as follows:
1. The active unit determines there is a new update and downloads the required files for the update.
2. The active unit performs an automatic reconfiguration to update its database.
3. This reconfiguration causes a failover so the passive unit becomes the active unit.
4. When the update is completed, the newly active unit also downloads the files for the update and performs a reconfiguration.
5. This second reconfiguration causes another failover so the passive unit reverts back to being active again.
These steps result in both Clavister Security Gateways in a cluster having updated databases and
with the original active/passive roles. For more information about HA clusters refer to Chapter 11,
High Availability.
6.5.3. IDP Rules
Rule Components
An IDP Rule defines what kind of traffic, or service, should be analyzed. An IDP Rule is similar in
makeup to an IP Rule and is constructed like other security policies in cOS Core such as IP Rules.
An IDP Rule specifies a given combination of source/destination interfaces/addresses and is
associated with a service object which defines the traffic that will be scanned. A time schedule
can also be associated with an IDP Rule. Most importantly, an IDP Rule specifies the Action to take
on detecting an intrusion in the traffic targeted by the rule.
Action Options
After pattern matching recognizes an intrusion in traffic subject to an IDP Rule, the Action
associated with that Rule is taken. The administrator can associate one of three Action options
with an IDP Rule:
• Ignore - Do nothing if an intrusion is detected and allow the connection to stay open.
• Audit - Allow the connection to stay open but log the event.
• Protect - This option drops the connection and logs the event (with the additional option to blacklist the source of the connection as described below).
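The following is an added illustrative model of the rule components and the three Action options described above; it is example code written for this page, not cOS Core's implementation or CLI. The interface names, networks, service names and the simplified hour-based schedule are constructed assumptions, as is the top-down first-match evaluation order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Added illustrative model of the IDP Rule components and Action options in the
# manual; not cOS Core code. Interfaces, networks and service names are sample values.

@dataclass
class IDPRule:
    name: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str                     # service object defining the traffic to scan
    action: str                      # "Ignore", "Audit" or "Protect"
    blacklist_source: bool = False   # only meaningful together with Protect
    schedule: tuple = (0, 24)        # active hours [start, end), standing in for a schedule object

    def matches(self, conn, hour):
        return (conn["src_if"] == self.src_if and conn["dst_if"] == self.dst_if
                and ip_address(conn["src_ip"]) in ip_network(self.src_net)
                and ip_address(conn["dst_ip"]) in ip_network(self.dst_net)
                and conn["service"] == self.service
                and self.schedule[0] <= hour < self.schedule[1])

def apply_action(rule):
    """Outcome once pattern matching detects an intrusion on traffic covered by rule."""
    if rule.action == "Ignore":   # no log entry, connection stays open
        return {"connection": "open", "logged": False, "blacklisted": False}
    if rule.action == "Audit":    # connection stays open, event is logged
        return {"connection": "open", "logged": True, "blacklisted": False}
    if rule.action == "Protect":  # connection dropped and logged, optional source blacklisting
        return {"connection": "dropped", "logged": True, "blacklisted": rule.blacklist_source}
    raise ValueError(f"unknown IDP action {rule.action!r}")

def handle_intrusion(rules, conn, hour):
    """First matching rule decides; top-down evaluation is an assumption of this model."""
    for rule in rules:
        if rule.matches(conn, hour):
            return rule.name, apply_action(rule)
    return None, None             # no IDP rule covers the traffic, so it is not scanned

# Constructed sample policy and a connection on which an intrusion was detected.
RULES = [
    IDPRule("idp_web", "wan", "0.0.0.0/0", "dmz", "10.0.1.0/24", "http-all", "Protect", True),
    IDPRule("idp_lan_audit", "lan", "192.168.1.0/24", "wan", "0.0.0.0/0", "http-all", "Audit"),
    IDPRule("idp_ftp_ignore", "lan", "192.168.1.0/24", "wan", "0.0.0.0/0", "ftp", "Ignore",
            schedule=(1, 5)),
]
CONN = {"src_if": "wan", "src_ip": "203.0.113.7", "dst_if": "dmz", "dst_ip": "10.0.1.20",
        "service": "http-all"}
```

Note that traffic covered by an Ignore rule, or by no IDP rule at all, produces no log entry when an intrusion is detected, so such rules are worth reviewing when auditing a policy.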
IDP Signature Selection
When using the Web Interface or InControl, all IDP signatures in the local signature database are
shown under the selection choice IDP Signatures. This displays a two level tree of all signatures
Chapter 6: Security Mechanisms