Alongside Cisco AMP, you can configure the IDS/IPS feature set for even further security monitoring. When enabled, the IDS/IPS feature set inspects all routed traffic passing through the MX, looking for potentially malicious traffic patterns. These traffic patterns are referred to as signatures and are grouped into specific rulesets based on the severity score assigned to each signature. When configuring IDS/IPS (see Figure 5-4), you can choose from three rulesets, composed of different signatures based on threat level, depending on your deployment and security needs: Connectivity, Balanced, and Security. Each of these rulesets provides increasingly strict (and potentially more impactful) signatures, allowing you to tailor your IDS/IPS functionality to the specific needs of each site.
Figure 5-4 IDS/IPS Configuration Section of the Threat Protection Page in the Dashboard
The IDS and IPS systems function identically other than the specific action each takes when a malicious signature is detected. When configured in IDS (Detection) mode, an alert is generated in the Security & SD-WAN > Security Center page and event details are logged, but the traffic is not actually blocked by the MX and is allowed to flow.
When configured for IPS (Prevention) mode, the MX responds to a detected malicious signature by actively blocking the remaining traffic related to that flow in an attempt to disrupt the malicious activity, in addition to generating an alert in the Security Center on the Dashboard.
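Because the ruleset and mode are chosen per site, it is easy for one network to drift below the standard set for the rest. The following script is an added example, not code from the book or from Cisco: it audits a list of per-network IDS/IPS settings against a minimum mode and ruleset, treating the three rulesets and the Disabled/Detection/Prevention modes as ordered tiers. The record layout (`mode`, `idsRulesets`) is assumed to mirror what a per-network settings pull from the Meraki Dashboard API returns, and the sample records are constructed.

```python
# Added example (not from the book or Cisco): audit per-network IDS/IPS settings
# against a minimum policy. Field names "mode" and "idsRulesets" are assumed to
# mirror the Meraki Dashboard API's per-network intrusion settings.

# Rulesets and modes as ordered tiers, weakest first, as described in the text.
RULESET_RANK = {"connectivity": 0, "balanced": 1, "security": 2}
MODE_RANK = {"disabled": 0, "detection": 1, "prevention": 2}

# Constructed sample: what a settings pull across four networks might return.
SAMPLE_NETWORKS = [
    {"name": "HQ",       "mode": "prevention", "idsRulesets": "security"},
    {"name": "Branch-A", "mode": "detection",  "idsRulesets": "balanced"},
    {"name": "Branch-B", "mode": "prevention", "idsRulesets": "connectivity"},
    {"name": "Lab",      "mode": "disabled",   "idsRulesets": "balanced"},
]


def audit_intrusion(networks, min_mode="prevention", min_ruleset="balanced"):
    """Return one (network, field, actual, required) finding per shortfall.

    A network is compliant only if both its mode and its ruleset tier are at
    or above the minimum; a network can therefore produce two findings.
    """
    findings = []
    for net in networks:
        mode = net.get("mode", "disabled")
        ruleset = net.get("idsRulesets", "connectivity")
        # Unknown or missing values rank below every tier, so they are
        # reported rather than silently passed as compliant.
        if MODE_RANK.get(mode, -1) < MODE_RANK[min_mode]:
            findings.append((net["name"], "mode", mode, min_mode))
        if RULESET_RANK.get(ruleset, -1) < RULESET_RANK[min_ruleset]:
            findings.append((net["name"], "ruleset", ruleset, min_ruleset))
    return findings


if __name__ == "__main__":
    for name, field, actual, required in audit_intrusion(SAMPLE_NETWORKS):
        print(f"{name}: {field} is '{actual}', policy requires at least '{required}'")
```

Lowering `min_mode` to `"detection"` is the usual way to baseline a site that is still being tuned before it is moved to Prevention.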
Pro Tip
With the introduction of subscription licensing, security functions like AMP and IDS/IPS become foundational for all license tiers.