Intrusion Detection & Prevention, built into the ZyWALL USG series security gateways, counteracts the effects of network worms, Trojans, backdoors, DoS and DDoS attacks, exploits that exploit operating system and application vulnerabilities and other malicious manifestations. More about the IDP functionality can found here.
The firmware v5.0 introduces an option to set the IDP Security service as Detection only, in which the attacks will be detected and reported by the Gateway. Still, no actions will be taken, and traffic will be forwarded.
This is especially useful when running tests before the deployment to reduce risks in the coming implementation.
1. To enable the detection mode, go to the following path:
Configuration > Security Service > IDP
2. Make sure to enable the IDP function, if it is disabled.
3. Under the "Scan Mode" section, you can now select "Detection" as the way the IDP signature matching behaves.
Under Detection mode, it is only possible to define the log level for each signature. On the other hand, Prevention mode enables/disables some signatures and defines an action when an attack matches it.
You can always check the logs generated by traffic that matches an IDP signature in the page:
Monitor > Logs > Category: IDP
Whether the IDP is enabled as Detection or Prevention mode, it can be identified in the logs as the action will be set to "No Action" in Detection mode while Prevention is set to "Reject" by default.