How to exclude a user group from being blocked by Intrusion Prevention Service (IPS) signatures
The IPS Global Settings is mainly an easy way to deploy the IPS when a Network Administrator does not want to invest time and effort to fine-tune the IPS of the SonicWall UTM appliance. In many circumstances this will suffice, but it does have drawbacks, since a network administrator may block too much, breaking valid traffic in the network.
This scenario based article provides step-by-step instructions to exclude certain users from being blocked by certain IPS signatures.
Caution: This configuration requires internet access to be authenticated. For more information on User Level Authentication please refer KB ID 4977
In this article the signature being used is ID 173 – Windows Live Messenger – Login Attempt.
Under IPS Global Settings High and Medium Priority Attacks are enabled for Prevent All and Detect All.
Low Priority Attacks are enabled only for Detect All.
Signature ID 173 needs to be enabled for prevention so users, except some, will be unable to login to the MSN Messenger client.
For this article user group has been imported from LDAP but even a local user group would do as well.
Step 1. Login to the Sonicwall Management interface. Step 2. Check Enable IPS on the LAN Zone under Network > Zones.
Create access rules
Step 3. Create a LAN to WAN access rules with Users as Trusted Users under Firewall > Access Rules.
Select the User Group for exclusion
Step 4. Import the user group to be allowed MSN Messenger access from MS Active Directory or create a local user group under the Users > Local Groups page.
Intrusion Prevention settings
Step 5. Enter Signature ID 173 under Security Services > Intrusion Prevention > Lookup Signature ID
Step 6. On the IPS Signature Settings window, set Prevention to Low Step 7. Set Included Group to All Step 8. Under Excluded Group select the user group to be excluded from prevention. In this example, the user group is called Allow. Step 8. Click on Ok.
Step 9. Test the configuration. Users belonging to the Allow group will be able to use MSN Messenger but everyone else will be blocked.