How to check the operation of intrusion detection and prevention systems (IDP) in ZyWALL USG series security gateways?
Intrusion Detection & Prevention, built into the ZyWALL USG series security gateways, counteracts network worms, Trojans, backdoors, DoS and DDoS attacks, exploits targeting operating system and application vulnerabilities, and other malicious activity. Like antivirus, IDP uses a dedicated, automatically updated signature database to detect malicious activity, analyzing packets passing through the ZyWALL USG gateway at layers 4-7 of the OSI model.
IDP can be checked independently. To do this, follow these steps:
1. An IDP license must be active; this can be either an annual license or the trial period. In the Configuration > UTM > IDP > General Settings section, create a rule with direction From any To any and select the LAN_IDP profile.
2. Go to IDP > Profile > LAN_IDP and click the Switch to query view button.
3. In the Query Signatures > Name field, enter the name eicar and click the Search button.
4. Set the Log and Action fields of the found signature, as shown in the screenshot.
5. From a computer that reaches the Internet through the ZyWALL USG, go to http://www.eicar.org/ and try to download the test files.
6. Then check the log; messages about the blocked download should appear. If they do, IDP is working correctly.
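The download step above can be repeated from a script, so the check can run on a schedule after every signature update. The following is an added example, not part of the original article or of any Zyxel tool; the file names under http://www.eicar.org/ are assumptions (only the base URL is given above), and a connection error is treated as a block, which the gateway log must then confirm.

```python
import urllib.error
import urllib.request

# Public EICAR test string (68 bytes). It is harmless by design; an IDP or
# antivirus signature named "eicar" is expected to match exactly this content.
EICAR_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed file names on the EICAR site; only the base URL is on the original page.
EICAR_BASE = "http://www.eicar.org/"
EICAR_FILES = ["eicar.com", "eicar.com.txt"]


def is_eicar(body: bytes) -> bool:
    """True when the body is the EICAR test file (trailing whitespace is allowed)."""
    return body.rstrip() == EICAR_STRING


def fetch(url: str, timeout: float = 10.0):
    """GET one URL; return (body, error) with error None, 'http' or 'connection'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(), None
    except urllib.error.HTTPError:      # server answered with an error status
        return b"", "http"
    except (urllib.error.URLError, OSError):  # reset, refused, timeout
        return b"", "connection"


def classify(body: bytes, error) -> str:
    """PASSED: test file reached the client, IDP did not block it.
    BLOCKED: connection dropped or reset, consistent with a Drop/Reject action.
    UNKNOWN: some other answer (HTTP error, block page); inspect manually."""
    if error == "connection":
        return "BLOCKED"
    if error == "http":
        return "UNKNOWN"
    return "PASSED" if is_eicar(body) else "UNKNOWN"


def check_all(urls, fetcher=fetch) -> dict:
    """Map each URL to its verdict; fetcher is injectable for offline testing."""
    return {url: classify(*fetcher(url)) for url in urls}


if __name__ == "__main__":
    results = check_all(EICAR_BASE + name for name in EICAR_FILES)
    for url, verdict in results.items():
        print(f"{verdict:8} {url}")
    # Non-zero exit if any test file got through, so a scheduled run can alert.
    raise SystemExit(1 if "PASSED" in results.values() else 0)
```

A PASSED verdict means the gateway let the test file through and the IDP rule, profile or signature action should be re-checked against steps 1-4.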