How to Configure Policy Enforcement Monitor & Prevention Modes for Edge Series Devices
  • 27 Mar 2023




Summary


The TXOne ICS products, EdgeIPS, EdgeIPS Pro and EdgeFire, support OT protocol allowlists and blocklists to secure your OT environments. Users create these allowlists/blocklists, which are called “rules”, in the Policy Enforcement function, and when a rule is matched, the Edge device creates logs for security evaluation. Policy Enforcement has two operation modes, “Monitor Mode” and “Prevention Mode”, which determine whether the device takes action when a threat or an attack is detected.

If the Policy Enforcement operation mode is “Monitor Mode”, the device takes no action and only generates logs when the policy enforcement rules are matched. Monitor Mode is recommended in the POC (Proof of Concept) or lab testing stage, so that security administrators can monitor threat detection results.

If the Policy Enforcement operation mode is “Prevention Mode”, the device takes action, either accepting or denying the traffic, and generates logs when the policy enforcement rules are matched. The device can be switched to Prevention Mode in the production stage after the policy enforcement rules have been verified by the IT or OT team.

Applicable Version


All versions of EdgeIPS, EdgeIPS Pro and EdgeFire

Details


1. Configuring Monitor Mode for EdgeIPS/EdgeFire

  1. Access the EdgeIPS/EdgeFire web-based management console.
  2. Go to [Security] > [Policy Enforcement].
  3. Use the toggle to enable [Policy Enforcement].
  4. Select [Monitor Mode] from the [Policy Enforcement Operation Mode] drop-down menu.
  5. Click the [Save] button to save the settings.


2. Configuring Prevention Mode for EdgeIPS/EdgeFire

  1. Access the EdgeIPS/EdgeFire web-based management console.
  2. Go to [Security] > [Policy Enforcement].
  3. Use the toggle to enable [Policy Enforcement].
  4. Select [Prevention Mode] from the [Policy Enforcement Operation Mode] drop-down menu.
  5. Select one of the following options from the [Default Rule Action] drop-down menu:
    a. Deny and Log (Default): If the rules are matched, the device will deny the traffic and generate logs afterward.
    b. Accept and Log: If the rules are matched, the device will accept the traffic and generate logs afterward.
    c. Accept: If the rules are matched, the device will accept the traffic but will not generate logs.
  6. Click the [Save] button to save the settings.


3. Configuring Monitor Mode for EdgeIPS Pro

  1. Access the EdgeIPS Pro web-based management console.
  2. Go to [Security] > [Port Security].
  3. Click a specific interface, and then a pop-up window for configuring the interface settings will appear.
  4. Select [Inline Mode] for [Security Operation Mode].
  5. Select [Monitor Mode] for [Prevention/Monitor Mode].
  6. Click the [Save] button to save the settings.


4. Configuring Prevention Mode for EdgeIPS Pro

  1. Access the EdgeIPS Pro web-based management console.
  2. Go to [Security] > [Port Security].
  3. Click a specific interface, and then a pop-up window for configuring the interface settings will appear.
  4. Select [Inline Mode] for [Security Operation Mode].
  5. Select [Prevention Mode] for [Prevention/Monitor Mode].
  6. Click the [Save] button to save the settings.



For support assistance, please contact us at support@txone.com or contact your Support Provider.

