How to configure an effective IPS

Recently, I haven't really understood this. Under the SASE pattern, why do I need to configure source and destination IP? Can't I just configure any to any (or just select users and select "any" for destination)?

Second, I don't know the specific scenarios that IPS can protect against, and in which scenarios it can intercept traffic to protect my end users.

I would appreciate it if you could answer this question.

We actually don’t recommend that you specify sources or destinations in your IPS rules. Simply select the IPS category you’d like to apply to all traffic.

We further recommend you select all IPS categories for all traffic to get the full benefit of the managed security provided by ThreatLabZ and their threat monitoring and signature generation services. For a full list of threats protected against, go to https://threatlibrary.zscaler.com/ (select the IPS engine to get the breakdown of web vs non-web IPS threats).

Other conditions in IPS rules can be applied either to phase in the use of IPS or to exclude certain traffic from inspection.


Thanks a lot. This solved a big problem in my mind.

On this basis, I want to confirm whether I need to configure the source IP if all my users need to be authenticated (I just need to select all my users in "Who & Where & When" of the IPS Control policy). Can I leave the source IP field blank (the default value is none), or do I need to select any?

Then, I want to know specific scenarios about how IPS works. For example, in which kinds of traffic detection can IPS play a protective role? I understand that there are only two scenarios: because Zscaler is acting as a proxy for all my traffic, the server can't know the real IP and port of my endpoints, so the server can only launch file and browser vulnerability attacks; in addition, when my endpoint downloads some malicious scripts or attack tools, it will take the initiative to launch an attack. At this time, I understand that it can also be detected through IPS.

I don't know if this is correct or not. Hope to get your reply as soon as possible.

The condition value "any" in Cloud-Gen Firewall policy essentially means "do not evaluate this condition", so I'd recommend you do not select users or source IPs and simply apply IPS Control to all non-web traffic (Advanced Threat Protection, or ATP, applies similar IPS categories to web traffic) when possible.

Use these conditions only when you want to exclude endpoints and work with ThreatLabZ in the rare cases of false positives.

Zscaler's Zero Trust security model is in play since, in both SWG (web proxy) and Cloud-Gen Firewall, sessions need to be initiated from your endpoints in an "outbound" manner, but traffic flows bi-directionally once the session is established. IPS is applied to all traffic bi-directionally when rule conditions are met (so ideally all users/endpoints).

Then I have another question. How does Zscaler define Web or non-Web traffic? Does Web traffic just include HTTP/HTTPS? How do I differentiate Web/non-Web when I configure an IPS policy? Could you give me a screenshot as an example?

"Advanced Threat Protection or ATP applies similar IPS categories to web traffic" - I'm not clear on that.

And I have looked at ThreatLabZ; I selected the Inbound direction and the IPS (non-Web) engine, and there are no results. I'm confused about it.

Web traffic is defined as HTTP/HTTPS traffic (and not just any traffic on dest:80/443, for example).

Advanced Threat Protection is where IPS rules for web traffic are invoked: Configuring the Advanced Threat Protection Policy | Zscaler

See the actual threats on web here: Zscaler Threat Library

IPS Control was initially just non-web IPS (so all ports and protocols) but will increasingly expand to address all threats regardless of port: About IPS Control | Zscaler

See the actual threats on non-web here: Zscaler Threat Library

IPS Control is included in the Advanced Cloud-Gen Firewall.
ATP is included with certain tiers of Secure Web Gateway and otherwise as selectable add-on.


Then I'd like to know more. Why do I need to customize the threat types for security detection? Normally, shouldn't I also choose "any"? Is it to reduce erroneous judgements by IPS (false positives)?

In addition, in what scenario would there be a need to customize the source IP?

At the same time, I'm a little confused about the network service. If I choose "any", that means detecting all protocols and ports. Are all the network services that IPS can detect based on Layer 7 protocols? What are the specific ones, or should I just ignore the specific service types? (Traditionally, HTTP/HTTPS and DNS all belong to the IPS detection range.)

We have pre-configured rules for both ATP and IPS Control which enable all IPS signature categories for all traffic. We recommend simply using (enabling) these and only resorting to adding other rule conditions in exceptional circumstances.

Again, using the default “any” value in a condition including network service means you do not want that particular condition to be evaluated as part of the rule. So “any” means that you do not want to restrict the rule to any particular protocol:port.

IPS detections are based on a variety of factors that change as attacks evolve or new attacks emerge. This is the value of the ThreatLabZ managed services when IPS Control and ATP are used. Limiting a threat category to a user, group, department, network service, source IP or destination means that the selected threat category is only applied when these limiting conditions are met (referring to IPS Control; ATP is either on/off by category globally for all web).
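An added example, not code from the thread or from Zscaler, that models two points made in the replies above: "web" means HTTP/HTTPS identified from the traffic itself rather than from destination port 80/443, and a rule condition set to "any" is simply not evaluated, so any other value narrows the rule and leaves non-matching flows uninspected by it. The flow records, rule names, addresses and the first-match evaluation order are all assumptions made for the illustration.

```python
"""Added example (not Zscaler code): web/non-web classification by
payload, and a rule model in which "any" means "skip this condition".
All flows, rules and addresses below are constructed for the example."""
from dataclasses import dataclass

ANY = "any"  # condition value meaning "do not evaluate this condition"

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


@dataclass(frozen=True)
class Flow:
    user: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first client bytes on the session


def classify(flow: Flow) -> str:
    """Return 'web' for HTTP/HTTPS identified from the payload, else
    'non-web'. Port is deliberately ignored: SSH on tcp/443 is non-web."""
    if flow.proto == "tcp":
        p = flow.payload
        if p.startswith(HTTP_METHODS):
            return "web"
        # TLS record header: type 0x16 (handshake), version 3.x,
        # 2-byte length, then handshake type 0x01 (ClientHello)
        if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
            return "web"
    return "non-web"


@dataclass
class Rule:
    name: str
    users: object = ANY     # ANY or a set of user names
    src_ips: object = ANY   # ANY or a set of source IPs
    dst_ips: object = ANY   # ANY or a set of destination IPs
    services: object = ANY  # ANY or a set of (proto, port) tuples


def _cond_ok(cond: object, value: object) -> bool:
    # "any" short-circuits: the condition is never evaluated
    return cond == ANY or value in cond


def matches(rule: Rule, flow: Flow) -> bool:
    return (_cond_ok(rule.users, flow.user)
            and _cond_ok(rule.src_ips, flow.src_ip)
            and _cond_ok(rule.dst_ips, flow.dst_ip)
            and _cond_ok(rule.services, (flow.proto, flow.dst_port)))


def applied_rule(rules: list, flow: Flow):
    """First-match evaluation (an assumption of this model). None means
    no IPS rule applied to the flow, i.e. it is not inspected."""
    for r in rules:
        if matches(r, flow):
            return r.name
    return None


# Constructed sample flows (RFC 5737 documentation addresses)
FLOWS = {
    "http_on_8080": Flow("alice", "10.0.0.11", "203.0.113.10", 8080, "tcp",
                         b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    "ssh_on_443": Flow("bob", "10.0.0.12", "198.51.100.5", 443, "tcp",
                       b"SSH-2.0-OpenSSH_9.6\r\n"),
    "tls_on_443": Flow("carol", "10.0.0.13", "203.0.113.20", 443, "tcp",
                       bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4])),
    "dns": Flow("dave", "10.0.0.14", "203.0.113.53", 53, "udp",
                b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
}

# A rule narrowed to two users, versus the recommended all-"any" rule
RESTRICTED = [Rule("ips-alice-bob", users={"alice", "bob"})]
RECOMMENDED = [Rule("ips-all-traffic")]


def coverage(rules: list) -> dict:
    """Map each named flow to the rule that applied (None = uninspected)."""
    return {name: applied_rule(rules, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, f in FLOWS.items():
        print(f"{name:13s} -> {classify(f)}")
    print("restricted :", coverage(RESTRICTED))
    print("recommended:", coverage(RECOMMENDED))
```

Running it shows `ssh_on_443` classified as non-web despite the port, and that with only the user-restricted rule in place, carol's and dave's flows map to `None`, which is the practical cost of adding conditions that the reply above warns about.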

So when do I need to configure User/Source/Destination (not selecting any)? In what scenario? Just in the rare cases of false positives?

And my colleagues and I don't know the difference between "none" and "any" when configuring policy (like source/destination).