How to exclude a user group from being blocked by Intrusion Prevention Service (IPS) signature
03/26/2020 
14 
11675
DESCRIPTION:
How to exclude a user group from being blocked by Intrusion Prevention Service (IPS) signatures
RESOLUTION:
Feature/Application:
The IPS Global Settings is mainly an easy way to deploy the IPS when a Network Administrator does not want to invest time and effort to fine-tune the IPS of the SonicWall UTM appliance. In many circumstances this will suffice, but it does have drawbacks, since a network administrator may block too much, breaking valid traffic in the network.
This scenario based article provides step-by-step instructions to exclude certain users from being blocked by certain IPS signatures.
Caution: This configuration requires internet access to be authenticated. For more information on User Level Authentication please refer KB ID 4977
- In this article the signature being used is ID 173 – Windows Live Messenger – Login Attempt.
- Under IPS Global Settings High and Medium Priority Attacks are enabled for Prevent All and Detect All.
- Low Priority Attacks are enabled only for Detect All.
- Signature ID 173 needs to be enabled for prevention so users, except some, will be unable to login to the MSN Messenger client.
- For this article user group has been imported from LDAP but even a local user group would do as well.
Procedure:
Tasklist:
Enable IPS on LAN Zone
Create access rules
Select the User Group for exclusion
Intrusion Prevention settings
Enable IPS on LAN Zone
Step 1. Login to the Sonicwall Management interface.
Step 2. Check Enable IPS on the LAN Zone under Network > Zones.
Create access rules
Step 3. Create a LAN to WAN access rules with Users as Trusted Users under Firewall > Access Rules.
Select the User Group for exclusion
Step 4. Import the user group to be allowed MSN Messenger access from MS Active Directory or create a local user group under the Users > Local Groups page.
Intrusion Prevention settings
Step 5. Enter Signature ID 173 under Security Services > Intrusion Prevention > Lookup Signature ID
Step 6. On the IPS Signature Settings window, set Prevention to Low
Step 7. Set Included Group to All
Step 8. Under Excluded Group select the user group to be excluded from prevention. In this example, the user group is called Allow.
Step 8. Click on Ok.
Step 9. Test the configuration. Users belonging to the Allow group will be able to use MSN Messenger but everyone else will be blocked.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
