How to exclude a user group from being blocked by Intrusion Prevention Service (IPS) signatures

Description

How to exclude a user group from being blocked by Intrusion Prevention Service (IPS) signatures

Resolution

Feature/Application:

The IPS Global Settings are mainly an easy way to deploy IPS when a network administrator does not want to invest time and effort in fine-tuning the IPS of the SonicWall UTM appliance. In many circumstances this will suffice, but it does have drawbacks, since a network administrator may block too much, breaking valid traffic in the network.

This scenario-based article provides step-by-step instructions to exclude certain users from being blocked by certain IPS signatures.


Caution: This configuration requires internet access to be authenticated. For more information on User Level Authentication, please refer to KB ID 4977.

  • In this article the signature being used is ID 173 – Windows Live Messenger – Login Attempt.
  • Under IPS Global Settings, High and Medium Priority Attacks are enabled for Prevent All and Detect All.
  • Low Priority Attacks are enabled only for Detect All.
  • Signature ID 173 needs to be enabled for prevention so that users, except some, will be unable to log in to the MSN Messenger client.
  • For this article, the user group has been imported from LDAP, but a local user group would work as well.

 

 Procedure:

Tasklist:

  • Enable IPS on LAN Zone
  • Create access rules
  • Select the User Group for exclusion
  • Intrusion Prevention settings

Enable IPS on LAN Zone

Step 1. Log in to the SonicWall Management interface.
Step 2. Check Enable IPS on the LAN Zone under Network > Zones.

 

Create access rules

Step 3. Create a LAN to WAN access rule with Users set to Trusted Users under Firewall > Access Rules.


 

Select the User Group for exclusion

Step 4. Import the user group to be allowed MSN Messenger access from MS Active Directory, or create a local user group under the Users > Local Groups page.


 

Intrusion Prevention settings

Step 5. Enter Signature ID 173 under Security Services > Intrusion Prevention > Lookup Signature ID.



Step 6. On the IPS Signature Settings window, set Prevention to Low.
Step 7. Set Included Group to All.
Step 8. Under Excluded Group, select the user group to be excluded from prevention. In this example, the user group is called Allow.

Step 9. Click OK.


Step 10. Test the configuration. Users belonging to the Allow group will be able to use MSN Messenger, but everyone else will be blocked.

 

 
