Configure Intrusion Prevention
Configure the Intrusion Prevention module (IDS/IPS) to define its behavior for a policy.
When designing the module's behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.
Policy objects contain two objects that you use to configure the Intrusion Prevention module:
- IntrusionPreventionPolicyExtension: Controls the module state (prevent, detect, or off), identifies the applied Intrusion Prevention rules, and identifies application types that are assigned to the module.
- PolicySettings: Policy settings include many Intrusion Prevention-related settings that control the runtime behavior of the module, such as the application of recommendation scans, network engine settings, and the use of NSX security tags.
After you create these objects and add them to a Policy object, you use the PoliciesApi class to modify an existing policy based on the Policy object.
The following JSON represents the data structure of an IntrusionPreventionPolicyExtension object:

    {
      "state": "prevent",
      "moduleStatus": {...},
      "ruleIDs": [...],
      "applicationTypeIDs": [...]
    }

The moduleStatus property is read-only. It provides the runtime status of the Intrusion Prevention module. (See Report on Computer Status.)
General steps
Use the following steps to configure the Intrusion Prevention module:
- Create an IntrusionPreventionPolicyExtension object and configure the properties.
- Create a PolicySettings object to configure runtime settings of the module.
- Create a Policy object and add the IntrusionPreventionPolicyExtension and PolicySettings objects.
- Use a PoliciesApi object to add or update the policy on Deep Security Manager.
If you only need to set a single Intrusion Prevention-related policy setting, see Configure a single policy or default policy setting.
Create an IntrusionPreventionPolicyExtension object to set the module state and assign rules. In each snippet, rule_ids (ruleIDs) is a list of the IDs of the Intrusion Prevention rules to assign to the policy:

Python:
    ip_policy_extension = api.IntrusionPreventionPolicyExtension()
    ip_policy_extension.state = "prevent"
    ip_policy_extension.rule_ids = rule_ids

JavaScript:
    const ipPolicyExtension = new api.IntrusionPreventionPolicyExtension();
    ipPolicyExtension.state = api.IntrusionPreventionPolicyExtension.StateEnum.prevent;
    ipPolicyExtension.ruleIDs = ruleIDs;

Java:
    IntrusionPreventionPolicyExtension ipPolicyExtension = new IntrusionPreventionPolicyExtension();
    ipPolicyExtension.setState(StateEnum.PREVENT);
    ipPolicyExtension.setRuleIDs(ruleIDs);
Create a PolicySettings object to configure Intrusion Prevention-related settings. (For detailed information about policy settings, see Configure policy and default policy settings.) For example, you can automatically apply Intrusion Prevention rules that are found via recommendation scans by setting intrusionPreventionSettingAutoApplyRecommendationsEnabled to "yes":

Python:
    policy_settings = api.PolicySettings()
    setting_value = api.SettingValue()
    setting_value.value = "yes"
    policy_settings.intrusion_prevention_setting_auto_apply_recommendations_enabled = setting_value

JavaScript:
    const policySettings = new api.PolicySettings();
    const settingValue = new api.SettingValue();
    settingValue.value = "yes";
    policySettings.intrusionPreventionSettingAutoApplyRecommendationsEnabled = settingValue;

Java:
    PolicySettings policySettings = new PolicySettings();
    SettingValue settingValue = new SettingValue();
    settingValue.setValue("yes");
    policySettings.setIntrusionPreventionSettingAutoApplyRecommendationsEnabled(settingValue);
At this point, the Intrusion Prevention policy extension and the policy settings are configured. Next, they are added to a Policy object. Then, use a PoliciesApi object to modify a policy on Deep Security Manager. Note that the Policy property that carries the extension is intrusion_prevention in Python and intrusionPrevention in JavaScript (setIntrusionPrevention in Java); assigning to a differently named attribute is silently ignored when the object is serialized.

Python:
    policy = api.Policy()
    policy.intrusion_prevention = ip_policy_extension
    policy.policy_settings = policy_settings
    policies_api = api.PoliciesApi(api.ApiClient(configuration))
    modified_policy = policies_api.modify_policy(policy_id, policy, api_version)

JavaScript:
    const policy = new api.Policy();
    policy.intrusionPrevention = ipPolicyExtension;
    policy.policySettings = policySettings;
    const policiesApi = new api.PoliciesApi();
    return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false });

Java:
    Policy policy = new Policy();
    policy.setIntrusionPrevention(ipPolicyExtension);
    policy.setPolicySettings(policySettings);
    PoliciesApi policiesApi = new PoliciesApi();
    Policy modifiedPolicy = policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion);
The policy_id (or policyID) parameter of modifyPolicy identifies the actual policy on Deep Security Manager that is to be modified. This policy is modified according to the policy object that is used as the policy parameter. Any properties of the policy parameter that are not set remain unchanged on the actual policy.
Example
The following example code creates an IntrusionPreventionPolicyExtension object that sets the module state and assigns rules, and a PolicySettings object that sets the intrusionPreventionSettingAutoApplyRecommendationsEnabled property to cause Intrusion Prevention to automatically apply rules found via recommendation scans. Both objects are added to a Policy object that is used to modify a policy.
Python:
    # Run in prevent mode
    ip_policy_extension = api.IntrusionPreventionPolicyExtension()
    ip_policy_extension.state = "prevent"

    # Assign rules (rule_ids is a list of Intrusion Prevention rule IDs)
    ip_policy_extension.rule_ids = rule_ids

    # Add to a policy
    policy = api.Policy()
    policy.intrusion_prevention = ip_policy_extension

    # Configure the setting
    policy_settings = api.PolicySettings()
    setting_value = api.SettingValue()
    setting_value.value = "yes"
    policy_settings.intrusion_prevention_setting_auto_apply_recommendations_enabled = setting_value

    # Add the setting to a policy
    policy.policy_settings = policy_settings

    # Modify the policy on Deep Security Manager
    policies_api = api.PoliciesApi(api.ApiClient(configuration))
    modified_policy = policies_api.modify_policy(policy_id, policy, api_version)
    return modified_policy.id

JavaScript (the body of a new Promise((resolve, reject) => { ... }) callback):
    const policy = new api.Policy();
    const policiesApi = new api.PoliciesApi();
    const ipPolicyExtension = new api.IntrusionPreventionPolicyExtension();

    // Run in prevent mode
    ipPolicyExtension.state = api.IntrusionPreventionPolicyExtension.StateEnum.prevent;

    // Assign rules (ruleIDs is an array of Intrusion Prevention rule IDs)
    ipPolicyExtension.ruleIDs = ruleIDs;

    // Add to the policy
    policy.intrusionPrevention = ipPolicyExtension;

    // Configure the setting
    const policySettings = new api.PolicySettings();
    const settingValue = new api.SettingValue();
    settingValue.value = "yes";
    policySettings.intrusionPreventionSettingAutoApplyRecommendationsEnabled = settingValue;

    // Add to the policy
    policy.policySettings = policySettings;

    // Modify the policy on Deep Security Manager
    const modify = function() {
      return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false });
    };
    modify()
      .then(policy => {
        resolve(policy.ID);
      })
      .catch(error => {
        reject(error);
      });

Java:
    // Run in prevent mode
    IntrusionPreventionPolicyExtension ipPolicyExtension = new IntrusionPreventionPolicyExtension();
    ipPolicyExtension.setState(StateEnum.PREVENT);

    // Assign rules (ruleIDs is a List<Integer> of Intrusion Prevention rule IDs)
    ipPolicyExtension.setRuleIDs(ruleIDs);

    // Add to a policy
    Policy policy = new Policy();
    policy.setIntrusionPrevention(ipPolicyExtension);

    // Create a setting object and turn on automatic application of recommendation scans
    PolicySettings policySettings = new PolicySettings();
    SettingValue settingValue = new SettingValue();
    settingValue.setValue("yes");
    policySettings.setIntrusionPreventionSettingAutoApplyRecommendationsEnabled(settingValue);

    // Add to the policy
    policy.setPolicySettings(policySettings);

    // Update the policy on Deep Security Manager
    PoliciesApi policiesApi = new PoliciesApi();
    return policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion).getID();
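The following is an added example, not code from the Deep Security documentation or SDK. It uses only the Python standard library to build the JSON that the SDK objects above serialize to, construct (without sending) the Modify a Policy request, and model the partial-update rule: properties present in the request replace the stored value and absent ones are left alone. The manager URL, API key, policy ID, rule IDs and the contents of EXISTING_POLICY are constructed for illustration; the assumption that a ruleIDs list in the request replaces the list on the manager rather than extending it is marked in the code.

```python
"""Added example: build the Modify a Policy request for the Intrusion
Prevention module with the standard library only (no Deep Security SDK)."""
import json
import urllib.request

VALID_STATES = ("prevent", "detect", "off")


def build_ip_extension(state, rule_ids=(), application_type_ids=None):
    """Return the IntrusionPreventionPolicyExtension document.

    moduleStatus is read-only and therefore never included in a request.
    """
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {VALID_STATES}, got {state!r}")
    ext = {"state": state, "ruleIDs": [int(r) for r in rule_ids]}
    if application_type_ids is not None:
        ext["applicationTypeIDs"] = [int(a) for a in application_type_ids]
    return ext


def build_policy_body(ip_extension=None, auto_apply_recommendations=None):
    """Assemble the partial Policy document sent to the manager.

    Only properties that are set are emitted; anything omitted stays
    unchanged on the existing policy.
    """
    body = {}
    if ip_extension is not None:
        body["intrusionPrevention"] = ip_extension
    if auto_apply_recommendations is not None:
        body["policySettings"] = {
            "intrusionPreventionSettingAutoApplyRecommendationsEnabled": {
                "value": "yes" if auto_apply_recommendations else "no"
            }
        }
    return body


def build_modify_request(base_url, api_key, policy_id, body,
                         api_version="v1", overrides=False):
    """Construct, without sending, POST /api/policies/{policyID}.

    api-secret-key and api-version are the Deep Security Manager REST
    headers; the overrides query parameter mirrors the SDK argument.
    """
    url = "{}/api/policies/{}?overrides={}".format(
        base_url.rstrip("/"), int(policy_id), "true" if overrides else "false")
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "api-secret-key": api_key,
            "api-version": api_version,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def simulate_modify(existing, body):
    """Model how the manager merges a partial Policy into the stored one.

    Properties present in the body replace the stored value; absent ones
    are untouched. ASSUMPTION: a ruleIDs list is replaced wholesale, not
    appended to, which is why incremental add/remove belongs to
    PolicyIntrusionPreventionRuleAssignmentsApi.
    """
    merged = json.loads(json.dumps(existing))  # cheap deep copy
    for key, value in body.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = {**merged[key], **value}
        else:
            merged[key] = value
    return merged


# Constructed sample of a policy as the manager might return it (not real data).
EXISTING_POLICY = {
    "ID": 7,
    "name": "Web Server",
    "intrusionPrevention": {
        "state": "detect",
        "moduleStatus": {"agentStatus": "active"},
        "ruleIDs": [1000, 1001],
        "applicationTypeIDs": [5],
    },
    "policySettings": {
        "intrusionPreventionSettingAutoApplyRecommendationsEnabled": {"value": "no"}
    },
}


def switch_to_prevent(existing, rule_ids):
    """Switch to prevent mode with exactly rule_ids assigned and auto-apply
    turned on; returns (request body, policy as it would look afterwards)."""
    body = build_policy_body(build_ip_extension("prevent", rule_ids), True)
    return body, simulate_modify(existing, body)


if __name__ == "__main__":
    body, merged = switch_to_prevent(EXISTING_POLICY, [1001, 1002])
    req = build_modify_request("https://dsm.example.com:4119", "<api key>", 7, body)
    print(req.get_method(), req.full_url)
    print(json.dumps(merged["intrusionPrevention"], indent=2))
```

Running it shows that rule 1000 disappears from the merged policy because the request carried [1001, 1002]: to add one rule while keeping the others you must either read the current ruleIDs first and send the full list, or use the rule assignments API described below. moduleStatus and applicationTypeIDs survive untouched because the request never mentions them.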
Also see the Modify a Policy operation in the API Reference.
If you only need to add, remove, or list Intrusion Prevention rules for a policy, use the PolicyIntrusionPreventionRuleAssignmentsApi class. The previous example uses the IntrusionPreventionPolicyExtension, Policy, and PoliciesApi classes to add Intrusion Prevention rules, but this can also be done using only the PolicyIntrusionPreventionRuleAssignmentsApi class. For more information, see Policy Intrusion Prevention Rule Assignments and Recommendations in the API Reference.
For information about authenticating API calls, see Authenticate with Deep Security Manager.
Create an Intrusion Prevention rule
Generally, to create a rule for the Intrusion Prevention module you perform the following steps:
- Create an IntrusionPreventionRule object.
- Set the rule properties. The properties are described in the Deep Security Help Center.
- Use an IntrusionPreventionRulesApi object to add the rule to Deep Security Manager.

Although Log Inspection rules have different properties than Intrusion Prevention rules, the way you create the rules is similar. You might find the Create a basic Log Inspection rule example helpful.
Configuration options of Intrusion Prevention rules are not accessible using the API. To change these options, in the Deep Security Manager console open the rule properties and click the Configuration tab.