How to configure intrusion prevention system (IPS) settings in QuWAN Orchestrator to automatically detect and block malicious network activity?

Applicable Products

Software

• QuWAN Orchestrator 2.8 and later versions
• QuRouter 2.6 and later versions
• QuWAN vRouter 2.8 and later versions

Hardware

• QHora-301W
• QHora-321
• QHora-322

Overview

Starting with QuWAN Orchestrator 2.8 and QuRouter 2.6, intrusion prevention system (IPS) functions are available to help you actively defend your network against cyberattacks. Integrated into QuRouter devices, IPS uses deep packet inspection (DPI) and a continuously updated Signature ID database maintained by Lionic Corp. It acts as a proactive security control to prevent unauthorized access, service disruptions, and exploitation attempts targeting internal devices.

When enabled, IPS works with QuWAN Orchestrator to let users review detected threats, manage IPS policies, and analyze activity based on signature IDs across multiple network sites.

A signature ID is a unique identifier assigned to a specific threat detection pattern in the IPS database. Each identifier represents a known malicious behavior or network attack signature. These IDs allow IPS to track, log, and manage threats efficiently by referencing their specific detection patterns for auditing, analysis, and protection.

This improves overall network security by adding a detection and enforcement layer beyond basic firewall filtering.

Key features

• IPS continuously monitors network traffic, comparing packet contents against a regularly updated database of known signature IDs. Packets matching an identified threat are immediately blocked before they reach internal systems.
• IPS examines packet payloads beyond header information to detect application-layer attacks, unauthorized protocol behavior, and non-standard traffic patterns.
• The signature ID database updates automatically with the latest known vulnerabilities and threat patterns. This ensures that detection capabilities stay current without manual maintenance.
• QuWAN Orchestrator consolidates IPS events from devices, providing a single interface for reviewing threat activity, adjusting IPS policies, and analyzing network trends based on Signature ID.
• After configuration, IPS runs automatically in the background, enforcing policies and blocking detected threats without requiring additional user intervention.

Procedure

Read and accept the IPS free trial terms of use

To enable IPS features, you must review and agree to the free trial terms of use. This agreement is required before enabling IPS on supported devices.

1. Log in to QuWAN Orchestrator.
2. Select your organization in the top-left section of the website banner.
3. Click Intrusion Prevention System in the side panel.
   The IPS Trial Version Terms of Use window appears.
4. Read the terms of use, and then click Agree and Proceed.
   The terms of use window closes.

Configure email alert settings

Configure the email alert settings to automatically send IPS threat reports to specified recipients. You can choose which events trigger alerts based on severity levels and reporting frequency.

1. Log in to QuWAN Orchestrator.
2. Select your organization in the top-left section of the website banner.
3. Click Intrusion Prevention System in the side panel.
4. Click Email Alert Settings.
   The Email Alert Settings window appears.
5. Set the frequency for sending IPS threat reports.
   Note

   Daily reports are sent at 1:00 A.M. (UTC+0) every day. Weekly reports are sent every Monday at 1:00 A.M. (UTC+0).
6. Select one or more severity levels to define which threat events are included in the alert.
7. Under Manage Email Recipients, click Add Email Recipient.
8. Enter the recipient name and their email address.
9. Click .
10. Click Save.
    QuWAN Orchestrator saves the email alert settings.

View dashboard analytics

1. Log in to QuWAN Orchestrator.
2. Select your organization in the top-left section of the website banner.
3. Click Intrusion Prevention System in the side panel.
4. Perform any of the following tasks.

   Task	Action
   View threat counts by signature ID	View the number of detected threats grouped by their signature IDs over a selected period.
   View the top 10 threats by signature ID	See the 10 most frequently detected threats, ranked by their signature IDs.
   Enable IPS for a specific device	Enable IPS protection for a specific device managed in QuWAN Orchestrator.

Perform IPS functions on a specific device

To manage and monitor IPS functions on individual devices, perform the following steps.

1. Log in to QuWAN Orchestrator.
2. Select your organization.
3. Click Intrusion Prevention System in the side panel.
4. Identify the device you want to manage or monitor.
5. Click the device name.
   The device dashboard page appears.
   Note

   If you need to view IPS threat information for a different device, choose the appropriate region and device from the drop-down menus to update the displayed data.
6. Perform any of the following tasks in the Dashboard page.

   Task	Action
   Enable IPS on the device	Click next to Enable IPS to monitor and block potential network threats in real time.
   Check the number of inspected packets	Under Inspection History, you can check the total number of network packets inspected by IPS since it was enabled.
   View the number of threats detected based on signature IDs	Under Signature ID-based Threat Count, view the number of threats detected in the last 24 hours.
   View the top 10 signature ID-based threats	Under Top 10 Signature ID-based Threats, view the list of the ten most frequently detected threats along with their corresponding signature IDs and detection counts.

7. Click Rules.
8. Perform any of the following tasks.

   Task	Action
   Log an allowed threat signature ID	Identify a signature ID, and under Log Threat, enable the toggle switch to record the event in the log file.
   View IPS information of an allowed signature ID	Identify a signature ID, and under Action, click  to view the summary, details, and recommended solutions for the detected signature ID on the QNAP website.
   Delete an allowed signature ID	Identify a signature ID, and under Action, click  to permanently remove details of the detected signature ID from QuWAN Orchestrator.

9. Click Threats.
10. Perform any of the following tasks.

    Task	Action
    Download the IPS threat logs	Click Download CSV File to download the IPS threat logs for analysis.
    Allow a signature ID and log the threat	Under Action, click +, and select Allow and Log Threat to record the signature ID in the logs.
    Allow a signature ID and do not log the threat	Under Action, click +, and select Allow and Do Not Log Threat to exclude the signature ID from the logs.
    Filter logs	Click the search field or Advanced Search to enter keywords and filter specific logs based on your criteria.
    View IPS information of the detected threat	Identify a detected threat, and under Action, click to view the summary, details, and recommended solutions for the detected threat.
    View IPS logs for a specific time range	To filter logs by time, choose a predefined range or enter a custom start and end date and time to display the corresponding IPS logs.