Who can modify this feature?
- Partner
- Company/Network Admins with write access
- Meter Support
What is NIDS?
NIDS stands for Network Intrusion Detection System. NIDS is a tool that monitors network traffic for suspicious activity that could be a threat. NIDS has two modes: IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). IDS monitors and logs traffic that may be suspicious and lets you manually block specific threats. IPS takes the next step and blocks the traffic automatically.
Enabling NIDS
NIDS can be enabled under Firewall > NIDS > Config. This reveals the configuration pane.
Detect Settings
Detect/Protect - By default, the toggle switch is set to ‘Detect’. This means only IDS runs. Events will be logged but not automatically prevented. Toggle to ‘Protect’ to enable IPS.
VLANs - Select which VLANs should be protected by NIDS.
East-West Detection and Prevention - If enabled, NIDS runs on inter-VLAN traffic as well as traffic from outside of the LAN. For example, if the ‘Private’ and ‘Security’ VLANs are added and east-west is enabled, NIDS also examines any traffic crossing from one of those VLANs to the other. If disabled, all traffic between VLANs is considered safe, and only traffic leaving to or entering from the Internet is reviewed.
Protect Settings
If Protect is toggled ON, additional configurations for Protect appear.
Protect rule duration - If Protect blocks traffic, an ACL rule will automatically be generated to block this traffic in the future for the set duration. After this expires, the rule is removed. If the traffic is blocked again, this rule will once again be created.
Global Protect Suppression - Internal and external IPs or IP ranges white-listed for Protect. Detect will still run and generate events for these IPs, but no traffic is blocked.
Categories and Signatures
You can further fine-tune your Detect or Protect settings with Categories or Signatures. Categories are groupings of Signatures on which you can change your detection or protection settings. Any setting on a signature overrides the category setting. Click on the ‘Mode’ column to change the setting.
Suppressions
Use a suppression to stop NIDS from running on certain traffic. This is useful if something is being falsely flagged under a protected category. A suppression can be configured under Signatures > actions (...) > suppressions.
Here you can choose to suppress Detect or Protect. NOTE: Suppressing Detect also suppresses Protect. Add an IP with a subnet in slash notation to add a suppression for a host or range of hosts (e.g., 10.103.0.20/32 or 10.103.0.0/24). If only events with that IP or range as the source or as the destination address should be suppressed, choose a direction. Otherwise, both directions are suppressed.
Suppressions can later be reviewed/deleted by clicking on the suppression in the ‘suppressions’ column.
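The following is an added example (not Meter's code) that models the behaviour described in the Protect Settings and Suppressions sections: how the Detect/Protect mode, a per-signature suppression with a direction, and the Global Protect Suppression list decide whether an event is logged and/or blocked, plus a Protect rule that expires after the configured duration. Event fields, the signature label and the function names are assumptions for illustration.

```python
import ipaddress

def _hit(network, src, dst, direction):
    """True when the event's source/destination (per direction) lies in network."""
    in_src = ipaddress.ip_address(src) in network
    in_dst = ipaddress.ip_address(dst) in network
    return {"source": in_src, "destination": in_dst}.get(direction, in_src or in_dst)

def evaluate(event, mode, suppressions=(), global_protect_suppression=()):
    """Return (logged, blocked) for one event.

    event: dict with 'signature', 'src', 'dst' (field names assumed)
    mode: 'Detect' (IDS only, log but never block) or 'Protect' (IDS + IPS)
    suppressions: tuples (signature, cidr, direction, scope); direction is
        'source', 'destination' or 'both'; scope is 'detect' or 'protect'.
        Suppressing Detect also suppresses Protect.
    global_protect_suppression: CIDRs white-listed for Protect; Detect still logs.
    """
    src, dst = event["src"], event["dst"]
    logged, blocked = True, mode == "Protect"
    for sig, cidr, direction, scope in suppressions:
        if sig == event["signature"] and _hit(ipaddress.ip_network(cidr), src, dst, direction):
            if scope == "detect":
                return False, False      # nothing logged and nothing blocked
            blocked = False              # Protect suppressed; Detect still logs
    for cidr in global_protect_suppression:
        if _hit(ipaddress.ip_network(cidr), src, dst, "both"):
            blocked = False              # white-listed for Protect; event still logged
    return logged, blocked

class ProtectRules:
    """ACL rules auto-generated by Protect; each lasts `duration` seconds."""
    def __init__(self, duration):
        self.duration, self.rules = duration, {}

    def block(self, src, dst, now):
        # Blocking the same traffic again re-creates the rule with a fresh expiry.
        self.rules[(src, dst)] = now + self.duration

    def is_blocked(self, src, dst, now):
        expiry = self.rules.get((src, dst))
        if expiry is None:
            return False
        if now >= expiry:
            del self.rules[(src, dst)]   # rule is removed once the duration lapses
            return False
        return True
```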
Logs and creating persistent ACL rules from events
The ‘Detection’ tab will display all events. The ‘Protection’ tab will only display events that were blocked.
Click on a timestamp to see more info on the event. Along with the info displayed in the main tab, more information about the connection is shown. This information can help tune the NIDS configuration as needed.
Also note that at the bottom of each event, there is a ‘Create ACL rule’ button. Click this button to create a persistent ACL rule to always block this traffic in the future. Edit the rule as needed to include additional IPs and port numbers.
If an ACL rule is created from a NIDS event, it can be found under Firewall > ACLs.
If an ACL was created via NIDS, it is marked as such with an icon (green check mark) next to the enabled/disabled column. Click the icon to see more information about the NIDS event. At this point, the rule can be moved and edited like a regular ACL rule. Read more about ACL rules here.
FAQ
What exactly does Meter scan?
For unencrypted traffic: The Meter Security Appliance inspects both packet payloads and metadata to detect threats such as malware, command-and-control activity, and known intrusion signatures. This allows for deep packet inspection and signature-based threat detection.
For encrypted traffic (HTTPS, etc.): The Meter Security Appliance cannot decrypt encrypted content. Instead, it analyzes metadata and behavioral patterns (such as timing, frequency, destination, and packet sizes) to identify anomalies and potential threats using traffic analysis.
We maintain your privacy by never breaking encryption. The contents of your encrypted traffic remain completely private and secure, end to end. Meter NIDS never sends packets to the Meter cloud backend.
Where does this scanning happen?
Scanning occurs locally on the Meter Security Appliance. When a threat is detected, a log is generated indicating the category of the threat as well as any relevant metadata.
Does Meter support custom rule sets or signatures?
Meter NIDS leverages the Emerging Threats ruleset. We plan to add support for custom rule sets and signatures in the future.
How much does this cost?
NIDS is included with your Meter subscription as a software upgrade at no additional charge.
Will enabling NIDS impact my network performance?
Networks with the 1G Meter Security Appliance (mc06): No performance impact.
Networks with the 10G Meter Security Appliance (mc11): Overall throughput from the Security Appliance will be limited to under 5G.
Can I disable NIDS?
Yes. Navigate to Firewall > NIDS, click Config, click more actions in the top right (the ellipsis button), then Disable.
If you have any questions about NIDS or need further assistance, feel free to contact Meter Support at support@meter.com or submit a ticket at meter.com/support.