About IPS Settings
On the IPS Settings page (Settings > Threat Protection > IPS Settings), you can enable Netskope Intrusion Prevention System (IPS) for your organization as well as create exceptions using allow lists and signature overrides.
Enable IPS to inspect your organization’s traffic for any IPS violations.
Select the user notification you want to display when users visit websites that violate your IPS policy. You can use the default IPS notification or create a custom one. If you create a custom notification, ensure the action is set to Block.
When blocked, users will see a similar notification:
Under Allow List, you can see the following options:
- Source IP Allowlist: The Network Location profiles that contain the source IP addresses you want to bypass from IPS. Click Edit to add or remove profiles.
- Domain Allowlist: The domains, fully qualified domain names (FQDNs), and wildcards you want to bypass from IPS. Click Edit to enter domains or FQDNs separated by a comma.
- Destination IP Allowlist: The Network Location profiles that contain the destination IP addresses you want to bypass from IPS. Click Edit to add or remove profiles.
Under Signature Overrides, you can:
- Enable Alert Only Mode to allow all traffic with signature matches and only send alerts. If enabled:
  - Netskope won’t block traffic. Netskope will change any enabled overrides from the Block action to the Alert action.
  - Netskope won’t generate alerts for disabled overrides.
- Search for a signature name in the table.
- Create a signature override.
- View a list of configured signature overrides. For each override, you can see the following information:
  - Signature ID: The ID of the signature.
  - Signature Name: The name of the signature.
  - Status: Whether the signature is enabled or disabled for matching.
  - Action: If you enabled signature matching, you can see one of the following actions when a match occurs.
    - Alert: Netskope allows the traffic and generates an alert in Skope IT.
    - Block: Netskope blocks the traffic.
  - Last Edited: The last time the override was edited and by whom.
- Sort the table by signature name, signature ID, or last edited.
- Select at least one override using the checkbox and click Remove to delete it.
- Click to customize table columns or restore the default ones.
- Click to edit or delete an override.
- View up to 100 overrides per page.
- View multiple pages of the table.
Viewing IPS Violation Alerts
After configuring the IPS settings, you can then view the detected IPS violations on the Skope IT Alerts page (Skope IT > Alerts). To view the violations, select C2 and IPS for the Alert Type filter.