If I further filter on Client Rules: enabled, this rule is not shown, indicating it's not enabled.
The Client Rules option states that this signature will automatically create IPS exceptions when Host/Network IPS is put in Adaptive mode. Signature 3700 (TCP Port Scan) does not automatically create client rules in Adaptive mode... by default. This should be ignored though, as it's not relevant to what you are trying to accomplish.
Can anyone please help clear up my confusion?
To block TCP Port Scan events, you'll want to ensure the following on a system:
- This client has an IPS Options policy that enables Network IPS.
- This client has an IPS Protection policy that enables HIGH Severity to BLOCK.
- This client has an IPS Rules policy that has Signature 3700 set to HIGH Severity (it is by default).
- This client has an IPS Rules policy that has no IPS exceptions for Signature 3700 (there are none by default).
To test this on a client, you can use port scanner software (i.e. NMAP; I use the default scan task) to scan this system and Signature 3700 will trigger (does not matter if the HIPS Firewall is on or off).
Thanks, Kary, that is what I understood. To further refine my question, I still don't understand what the "enabled/disabled" filter on my IPS Rules policy is showing me. I navigated to a part of the tree where NIPS was enabled, protection was set to block high severity, and rule 3700 was set as high. We have no exception policies.
Yet when I set the search filters on the IPS rules page to "Network IPS" under "Type" and "Enabled" under "Client rules" I get no results.
If this rule is enabled for at least part of the system tree, why doesn't it show up as "enabled" when I search in the IPS rules screen?