How IPS engines and Layer 2 Engines respond to incidents

There are various responses that an IPS engine and a Layer 2 Engine can take when it detects traffic of interest. For example, they can log the connection or actively filter out the traffic.

Several responses are available:

  • As the mildest response, an event can be logged. Log entries can be used, for example, to generate statistical reports, which is appropriate for tracking trends in normal network traffic patterns.
  • A step up from a log entry is to generate an alert entry that can be escalated to administrators through multiple configurable alert channels. Alert channels include email, mobile phone text messaging (SMS), and SNMP, in addition to being used like log entries.
  • Also, logs and alerts can record the full packet headers and data payload for further analysis.
    Note: Storing or viewing the packets’ payload can be illegal in some jurisdictions due to laws related to the privacy of communications.
  • Block Listing makes it possible to block unwanted network traffic for a specified time. IPS engines and Layer 2 Engines can add entries to their own Block Lists based on events in the traffic they inspect. They can also send Block List requests to other Secure SD-WAN Engines. Connections that match a Block List entry are normally stopped, although the exact handling depends on the policy of the component that enforces the Block List.

The available responses on an IPS engine or Layer 2 Engine depend on the engine’s physical configuration.
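The response ladder above, as an added illustration in Python (not code from the product or its documentation): a constructed `Engine` class with hypothetical `log`, `alert`, `block` and `allows` methods, where Block List entries expire after a given duration and block requests are forwarded to peer engines.

```python
from dataclasses import dataclass, field

# Constructed model of the response ladder: log -> alert -> Block List.
# Times are plain integers passed in by the caller so the behaviour is deterministic.

@dataclass
class Engine:
    name: str
    logs: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    block_list: dict = field(default_factory=dict)  # (src, dst) -> expiry time
    peers: list = field(default_factory=list)       # other engines that accept block requests

    def log(self, event, record_payload=False):
        """Mildest response: record the event; payload only when explicitly enabled."""
        entry = {"event": event["name"], "src": event["src"], "dst": event["dst"]}
        if record_payload:
            entry["payload"] = event["payload"]
        self.logs.append(entry)
        return entry

    def alert(self, event, channels=("email",)):
        """Escalation: an alert is a log entry plus delivery over configured channels."""
        entry = self.log(event)
        self.alerts.append({"entry": entry, "channels": list(channels)})
        return entry

    def block(self, event, duration, now, propagate=True):
        """Add a time-bounded Block List entry and forward the request to peers."""
        key = (event["src"], event["dst"])
        self.block_list[key] = now + duration
        if propagate:
            for peer in self.peers:
                peer.block(event, duration, now, propagate=False)
        return key

    def allows(self, src, dst, now):
        """Enforcement decision: matching connections are stopped until the entry expires."""
        expiry = self.block_list.get((src, dst))
        if expiry is None:
            return True
        if now >= expiry:          # entry has aged out; drop it
            del self.block_list[(src, dst)]
            return True
        return False
```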