Established Member
Posts: 821
Registered: ‎05-08-2015
Kudos: 279
Solutions: 19

IDS/IPS --anybody using and what are your thoughts?

Is anybody using the IDS/IPS functionality?  I have a USG-Pro-4 and am considering turning it on but all of the warnings about severely restricted performance are scaring me.  Bandwidth restrictions, hardware acceleration not working anymore...

 

I have a Comcast Business 95 Mb/s down and 17 Mb/s up Internet connection along with a standard gigabit network.  I use a USG-Pro-4, and two primary switches:  US-24-500W and US-16-150W.  

 

Am I going to get into serious trouble turning this thing on?

Regular Member
Posts: 459
Registered: ‎10-14-2015
Kudos: 179
Solutions: 63

Re: IDS/IPS --anybody using and what are your thoughts?

Do you have any VLANs you transfer a lot of data between?

Established Member
Posts: 821
Registered: ‎05-08-2015
Kudos: 279
Solutions: 19

Re: IDS/IPS --anybody using and what are your thoughts?


@learningman wrote:

Do you have any VLANs you transfer a lot of data between?


Funny you should ask!  I have another forum post where I am trying to set up a Guest VLAN for Guest WLAN access in addition to the Guest Control Policies.  There will be no data going back and forth between the regular LAN/Management SSID WLAN and this Guest SSID WLAN.

 

Thanks.

Regular Member
Posts: 459
Registered: ‎10-14-2015
Kudos: 179
Solutions: 63

Re: IDS/IPS --anybody using and what are your thoughts?


In that case there won't really be any performance issues as everything will be L2 within the primary VLAN and Guest VLAN.

 

The reason I was asking was that IDS/IPS also affects InterVLAN traffic and would limit traffic. Since it is all going to be WAN related going through the USG4 I have a 300/300 Fiber connection and have no issues hitting full speed with it and IPS enabled.

 

Edit: That was with all options turned on, though some seem to complain about interesting things Man Tongue

Established Member
Posts: 821
Registered: ‎05-08-2015
Kudos: 279
Solutions: 19

Re: IDS/IPS --anybody using and what are your thoughts?


@learningman wrote:

In that case there won't really be any performance issues as everything will be L2 within the primary VLAN and Guest VLAN.

 

The reason I was asking was that IDS/IPS also affects InterVLAN traffic and would limit traffic. Since it is all going to be WAN related going through the USG4 I have a 300/300 Fiber connection and have no issues hitting full speed with it and IPS enabled.


Thanks.  That resolves my concerns.  I will enable it.  Since this is a hotel network where guests are logging in, the last thing I want is for some idiot guest to introduce something nasty.  Obviously, I would also like to avoid unsolicited outside attacks as well.

 

Oh, can you help with the very basic VLAN setup I need to do?  See post a couple of slots down in the forum.  It really is nothing more than needing to keep the guests on their own VLAN while anything wired or using the Management SSID on WLAN gets segregated from the rabble.  Guests only have access wirelessly.

 

I have done a lot of reading but came away a little more confused, although educated enough to ask the right questions I guess.

Senior Member
Posts: 3,163
Registered: ‎01-29-2015
Kudos: 523
Solutions: 131

Re: IDS/IPS --anybody using and what are your thoughts?

Watch this. He will step you through it.

 

https://www.youtube.com/watch?v=9dhmS237wsw

Established Member
Posts: 821
Registered: ‎05-08-2015
Kudos: 279
Solutions: 19

Re: IDS/IPS --anybody using and what are your thoughts?


@learningman wrote:

In that case there won't really be any performance issues as everything will be L2 within the primary VLAN and Guest VLAN.

 

The reason I was asking was that IDS/IPS also affects InterVLAN traffic and would limit traffic. Since it is all going to be WAN related going through the USG4 I have a 300/300 Fiber connection and have no issues hitting full speed with it and IPS enabled.

 

Edit: That was with all options turned on, though some seem to complain about interesting things Man Tongue


Haha.  Let me guess, somebody cannot use Tor anymore and they are mad....Smiley Happy

 

I have noticed the default options of Tor, Mobile Malware, and the like, but is there anything I really absolutely should also enable from your perspective?  I noticed that P2P is not enabled for blocking, but shouldn't it be?  I do not allow P2P on the network, since I have seen what can happen with uTorrent out of control.  I set up a DPI Restriction Rule for that.  Would blocking it in IDS/IPS be redundant?

Established Member
Posts: 821
Registered: ‎05-08-2015
Kudos: 279
Solutions: 19

Re: IDS/IPS --anybody using and what are your thoughts?


@RobbieH wrote:

Watch this. He will step you through it.

 

https://www.youtube.com/watch?v=9dhmS237wsw


Thanks, I will look at this.

Regular Member
Posts: 459
Registered: ‎10-14-2015
Kudos: 179
Solutions: 63

Re: IDS/IPS --anybody using and what are your thoughts?

The following is what I have set up; then you can set up guest control if you want and it will apply to anything connected to the guest VLAN.

[Attached screenshots: Network Config.JPG, Wifi.JPG]

Regular Member
Posts: 459
Registered: ‎10-14-2015
Kudos: 179
Solutions: 63

Re: IDS/IPS --anybody using and what are your thoughts?


@donwschultz wrote:

@learningman wrote:

In that case there won't really be any performance issues as everything will be L2 within the primary VLAN and Guest VLAN.

 

The reason I was asking was that IDS/IPS also affects InterVLAN traffic and would limit traffic. Since it is all going to be WAN related going through the USG4 I have a 300/300 Fiber connection and have no issues hitting full speed with it and IPS enabled.

 

Edit: That was with all options turned on, though some seem to complain about interesting things Man Tongue


Haha.  Let me guess, somebody cannot use Tor anymore and they are mad....Smiley Happy

 

I have noticed the default options of Tor, Mobile Malware, and the like but is there anything I really absolutely should also enable from your perspective?  I noticed that P2P is not enabled for blocking, but shouldn't it be?  I do not allow P2P on the network, since I have seen what can happen with uTorrent out of control.  I setup a DPI Restriction Rule for that.  Would blocking it in IDS/IPS be redundant?


No, it was more like this:

09/14/2018 7:45 pm	Info	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	<phone IP> : 42660	34.203.251.213 : 3478	
09/14/2018 7:45 pm	Info	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	<Unifi Video IP> : 52112	34.203.251.213 : 3478

Where my phone is trying to connect to Unifi Video via the STUN and IPS was blocking it Man Tongue

 

and Linux servers trying to access apt:

ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Established Member
Posts: 821
Registered: ‎05-08-2015
Kudos: 279
Solutions: 19

Re: IDS/IPS --anybody using and what are your thoughts?


@donwschultz wrote:

@RobbieH wrote:

Watch this. He will step you through it.

 

https://www.youtube.com/watch?v=9dhmS237wsw


Thanks, I will look at this.


Well, I watched the video and that was stupidly simple!  I feel like an idiot now!  I will implement the VLAN immediately.  Thanks again.

Regular Member
Posts: 459
Registered: ‎10-14-2015
Kudos: 179
Solutions: 63

Re: IDS/IPS --anybody using and what are your thoughts?


Make sure to turn on the DHCP guarding on the guest network, in case a friendly guest decides to turn on a DHCP server for some stupid reason Man Happy

 

Edit: Brain too fast for fingers

Established Member
Posts: 821
Registered: ‎05-08-2015
Kudos: 279
Solutions: 19

Re: IDS/IPS --anybody using and what are your thoughts?


@learningman wrote:

@donwschultz wrote:

@learningman wrote:

In that case there won't really be any performance issues as everything will be L2 within the primary VLAN and Guest VLAN.

 

The reason I was asking was that IDS/IPS also affects InterVLAN traffic and would limit traffic. Since it is all going to be WAN related going through the USG4 I have a 300/300 Fiber connection and have no issues hitting full speed with it and IPS enabled.

 

Edit: That was with all options turned on, though some seem to complain about interesting things Man Tongue


Haha.  Let me guess, somebody cannot use Tor anymore and they are mad....Smiley Happy

 

I have noticed the default options of Tor, Mobile Malware, and the like but is there anything I really absolutely should also enable from your perspective?  I noticed that P2P is not enabled for blocking, but shouldn't it be?  I do not allow P2P on the network, since I have seen what can happen with uTorrent out of control.  I setup a DPI Restriction Rule for that.  Would blocking it in IDS/IPS be redundant?


No, it was more like this:

09/14/2018 7:45 pm	Info	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	<phone IP> : 42660	34.203.251.213 : 3478	
09/14/2018 7:45 pm	Info	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	<Unifi Video IP> : 52112	34.203.251.213 : 3478

Where my phone is trying to connect to Unifi Video via the STUN and IPS was blocking it Man Tongue

 

and Linux servers trying to access apt:

ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management

Got it.  So, basically keep the default options checked but don't go experimenting unless I want to find out the hard way!

 

Thanks.

Regular Member
Posts: 459
Registered: ‎10-14-2015
Kudos: 179
Solutions: 63

Re: IDS/IPS --anybody using and what are your thoughts?


@donwschultz wrote:

@learningman wrote:

@donwschultz wrote:

@learningman wrote:

In that case there won't really be any performance issues as everything will be L2 within the primary VLAN and Guest VLAN.

 

The reason I was asking was that IDS/IPS also affects InterVLAN traffic and would limit traffic. Since it is all going to be WAN related going through the USG4 I have a 300/300 Fiber connection and have no issues hitting full speed with it and IPS enabled.

 

Edit: That was with all options turned on, though some seem to complain about interesting things Man Tongue


Haha.  Let me guess, somebody cannot use Tor anymore and they are mad....Smiley Happy

 

I have noticed the default options of Tor, Mobile Malware, and the like but is there anything I really absolutely should also enable from your perspective?  I noticed that P2P is not enabled for blocking, but shouldn't it be?  I do not allow P2P on the network, since I have seen what can happen with uTorrent out of control.  I setup a DPI Restriction Rule for that.  Would blocking it in IDS/IPS be redundant?


No, it was more like this:

09/14/2018 7:45 pm	Info	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	<phone IP> : 42660	34.203.251.213 : 3478	
09/14/2018 7:45 pm	Info	ET INFO Session Traversal Utilities for NAT (STUN Binding Request)	<Unifi Video IP> : 52112	34.203.251.213 : 3478

Where my phone is trying to connect to Unifi Video via the STUN and IPS was blocking it Man Tongue

 

and Linux servers trying to access apt:

ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management

Got it.  So, basically keep the default options checked but don't go experimenting unless I want to find out the hard way!

 

Thanks.


A few extra would probably be good, but ya, I wouldn't go all out (that was just for testing).

Member
Posts: 245
Registered: ‎10-07-2017
Kudos: 97
Solutions: 1

Re: IDS/IPS --anybody using and what are your thoughts?


I've had IPS turned on on our USG-3Ps for 3 weeks now (USG on latest beta firmware 4.4.34 (reduces CPU/RAM usage for IPS), Controller on beta 5.9.32) and it's blocking 99.9% of P2P attempts for us....no slowdowns, no drama. I have pretty much all of the limited selection of IPS categories available on the 3P enabled.

 

All I now see (apart from the .1%) in DPI stats are people trying every P2P client they can find to try and circumvent the block lol, but no clients listed.

 

[Attached screenshot: p2p.jpg]

My Little Project: P2P Autoban/Autounban - Uses IPS logs to detect and automatically ban & unban problem P2P users
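Added example (not code from anyone in this thread or from the linked autoban project): a small parser for the tab-separated IPS alert lines quoted earlier (timestamp, severity, signature, source, destination). It does two things the thread discusses: it picks out the informational "ET INFO" / "ET POLICY" hits (the STUN and apt alerts that were blocking legitimate traffic) so they can be reviewed before trusting a block, and it counts repeated "ET P2P" hits per internal source to build the kind of candidate list an autoban script would work from. The private IPs are RFC 5737 documentation addresses standing in for the redacted `<phone IP>` / `<Unifi Video IP>`, and the ET P2P lines are constructed, since the thread shows none.

```python
import re
from collections import Counter

# USG IPS log lines as quoted in the thread (tab-separated). The first three
# are the thread's alerts with redacted hosts replaced by 192.0.2.x documentation
# addresses; the "ET P2P" lines are constructed for this example.
SAMPLE_LOG = """\
09/14/2018 7:45 pm\tInfo\tET INFO Session Traversal Utilities for NAT (STUN Binding Request)\t192.0.2.20 : 42660\t34.203.251.213 : 3478
09/14/2018 7:45 pm\tInfo\tET INFO Session Traversal Utilities for NAT (STUN Binding Request)\t192.0.2.30 : 52112\t34.203.251.213 : 3478
09/14/2018 7:46 pm\tInfo\tET POLICY GNU/Linux APT User-Agent Outbound likely related to package management\t192.0.2.40 : 51000\t198.51.100.5 : 80
09/14/2018 8:01 pm\tInfo\tET P2P BitTorrent DHT ping (constructed)\t192.0.2.77 : 6881\t203.0.113.9 : 6881
09/14/2018 8:02 pm\tInfo\tET P2P BitTorrent DHT ping (constructed)\t192.0.2.77 : 6881\t203.0.113.10 : 6881
09/14/2018 8:03 pm\tInfo\tET P2P BitTorrent DHT ping (constructed)\t192.0.2.77 : 6881\t203.0.113.11 : 6881
"""

# Emerging Threats categories whose hits are usually housekeeping traffic
# (STUN, apt) rather than attacks; blocking them broke things in the thread.
INFORMATIONAL = {"INFO", "POLICY"}
SIG_RE = re.compile(r"^ET ([A-Z0-9_]+) ")


def parse_endpoint(field):
    ip, port = field.split(" : ")          # "192.0.2.20 : 42660"
    return ip.strip(), int(port)


def parse_alert(line):
    # Some exported lines carry a trailing tab, so strip it before splitting.
    when, severity, signature, src, dst = line.rstrip("\t").split("\t")
    m = SIG_RE.match(signature)
    src_ip, src_port = parse_endpoint(src)
    dst_ip, dst_port = parse_endpoint(dst)
    return {"time": when, "severity": severity, "signature": signature,
            "category": m.group(1) if m else "UNKNOWN",
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def parse_log(text):
    return [parse_alert(ln) for ln in text.splitlines() if ln.strip()]


def likely_false_positives(alerts):
    """Informational-category hits to review (and allow-list) before trusting a block."""
    return [a for a in alerts if a["category"] in INFORMATIONAL]


def repeated_sources(alerts, category="P2P", threshold=3):
    """Internal sources with >= threshold hits in a category: the autoban candidate list."""
    counts = Counter(a["src_ip"] for a in alerts if a["category"] == category)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run `repeated_sources(parse_log(SAMPLE_LOG))` to see the one constructed host that trips the threshold; the STUN and apt alerts land in `likely_false_positives` instead.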