What is alert mode?
Alert mode allows you to monitor detected threats without blocking traffic. By default,
TrendAI Vision One™ managed rule groups block and alert on matching traffic. With alert mode enabled:
- Traffic is inspected and alerts are generated.
- No traffic is blocked.
- Same cost as default behavior ($0.010/GB).
Use alert mode for initial testing, then disable alert mode for rule groups to block
matching traffic.
What is the Zero Day Initiative (ZDI)?
ZDI is TrendAI™'s vulnerability research program. ZDI discovers approximately 73% of vulnerabilities
globally and provides threat intelligence for Cloud IPS signatures.
Does Cloud IPS support TLS inspection?
TLS inspection is a feature of AWS Network Firewall, not Cloud IPS. If you have TLS
inspection enabled in your AWS Network Firewall configuration, Cloud IPS rule groups
inspect the decrypted traffic. Cloud IPS does not provide its own TLS inspection capabilities.
What inspection engine does Cloud IPS use?
Cloud IPS uses the Suricata-based inspection engine built into AWS Network Firewall.
TrendAI Vision One™ provides the IPS signatures as Partner Managed Rules that run on this engine. This
ensures native integration and optimal performance within the AWS Network Firewall
infrastructure.
How are signatures updated?
Cloud IPS manages all signature updates automatically:
- Automatic updates: Signatures are updated regularly by Cloud IPS.
- No manual intervention: Updates are applied automatically to your rule groups.
- Zero Day Initiative: Early threat intelligence from ZDI research.
- Digital Vaccine: Signature technology from TrendAI™'s research labs.
You don't need to manage signature updates or schedule maintenance windows.
Can I tune individual rules?
No, individual rule tuning is not supported. You can only enable or disable entire
rule groups. This is a limitation of AWS Network Firewall Partner Managed Rules. If
you need more granular control, you can:
- Create custom stateful rules in AWS Network Firewall.
- Use alert mode to monitor without blocking traffic.
Can I create custom signatures?
No, you cannot create custom signatures within Cloud IPS rule groups. The rule groups
are managed entirely by TrendAI™. However, you can create your own custom stateful rules directly in AWS Network Firewall
to supplement Cloud IPS protection.
How do I handle false positives?
Since individual rule tuning is not available, you have these options for handling
false positives:
- Alert mode: Enable alert mode to monitor without blocking while you investigate.
- AWS Network Firewall rules: Create pass rules in AWS Network Firewall to allow specific traffic before it reaches Cloud IPS rule groups.
- Rule group selection: Disable specific rule groups if they generate too many false positives for your environment.
- Contact support: Report persistent false positives to TrendAI Vision One™ support for signature refinement.
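An added example, not part of the vendor documentation: while rule groups run in alert mode, the alert log can be grouped by signature to decide which detections to investigate as false positives. It assumes the AWS Network Firewall alert log layout (Suricata EVE JSON under "event"); the sample records, signature IDs and the narrow_candidates heuristic are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records in the AWS Network Firewall alert log layout.
# IPs, signature IDs and signature names are made up; the last line is truncated.
SAMPLE_LOG = """\
{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"10.0.5.12","dest_ip":"10.0.9.20","dest_port":8443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE server-side probe","severity":1}}}
{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"10.0.5.12","dest_ip":"10.0.9.20","dest_port":8443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE server-side probe","severity":1}}}
{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"10.0.5.12","dest_ip":"10.0.9.20","dest_port":8443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE server-side probe","severity":1}}}
{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.1.5","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"EXAMPLE malware beacon","severity":1}}}
{"firewall_name":"fw-example","event":{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.1.5","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"EXAMPLE malware beacon","severity":1}}}
{"firewall_name":"fw-example","event":{"event_type":"al
"""

def summarize_alerts(lines):
    """Group alert events by signature ID for false-positive triage."""
    stats = defaultdict(lambda: {"signature": "", "hits": 0, "blocked": 0, "flows": set()})
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines instead of aborting
        event = record.get("event", {}) if isinstance(record, dict) else {}
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        entry = stats[alert.get("signature_id")]
        entry["signature"] = alert.get("signature", "")
        entry["hits"] += 1
        if alert.get("action") == "blocked":  # "allowed" means alert-only
            entry["blocked"] += 1
        entry["flows"].add((event.get("src_ip"), event.get("dest_ip"), event.get("dest_port")))
    return dict(stats)

def narrow_candidates(stats, min_hits=3):
    """Signature IDs whose hits all come from one src/dest/port tuple.
    Heuristic (assumption): repeated hits on a single internal flow are the
    first ones to review before scoping a pass rule or contacting support."""
    return sorted(sid for sid, e in stats.items()
                  if e["hits"] >= min_hits and len(e["flows"]) == 1)

if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_LOG.splitlines())
    for sid, e in sorted(summary.items()):
        print(sid, e["signature"], "hits:", e["hits"],
              "blocked:", e["blocked"], "flows:", len(e["flows"]))
    print("review first:", narrow_candidates(summary))
```

A signature that fires across many unrelated sources is less likely to be a false positive tied to one application, so it is a poor candidate for a pass rule.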
What protocols are supported?
Cloud IPS supports the protocols inspected by AWS Network Firewall's Suricata engine:
- HTTP/HTTPS: Web traffic inspection (requires TLS inspection for HTTPS).
- DNS: DNS query and response inspection.
- SMTP: Email protocol inspection.
- FTP: File transfer protocol inspection.
- SSH: Secure shell protocol inspection.
- SMB: Server Message Block protocol inspection.
- Custom TCP/UDP: Additional protocols supported by Suricata.
The specific threats detected depend on the rule group (Malware, Client-Side CVE,
or Server-Side CVE).
Can I use Cloud IPS with existing AWS Network Firewall deployments?
Yes, Cloud IPS integrates with existing AWS Network Firewall deployments. Add the
Cloud IPS rule groups to your existing firewall policies. You can use Cloud IPS alongside:
- AWS managed rule groups.
- Your own custom stateful rules.
- Domain filtering rules.
- Other Partner Managed Rules.
How do I monitor Cloud IPS?
Monitor Cloud IPS through AWS Network Firewall's standard monitoring tools:
- CloudWatch Metrics: View traffic statistics and rule group performance.
- CloudWatch Logs: Review alert and block events in real time.
- AWS Network Firewall Console: View firewall policy status and rule group configuration.
- S3 Logs: Analyze historical logs stored in S3.
See Configure rules, monitoring, and alerts for monitoring details.
What is the Cloud IPS performance impact?
Cloud IPS runs natively within AWS Network Firewall infrastructure, so performance
characteristics match AWS Network Firewall:
- Latency: Minimal additional latency (AWS Network Firewall's standard latency applies).
- Throughput: Scales with AWS Network Firewall capacity.
- Availability: Inherits AWS Network Firewall's high availability design.
Each TrendAI Vision One™ managed rule group consumes ~6,000 capacity units. All three rule groups together
consume ~18,000 capacity units, leaving ~12,000 units for other rule groups and features.
Can I use TrendAI Vision One™ credits to pay for Cloud IPS?
No, Cloud IPS is billed exclusively through AWS Marketplace. TrendAI Vision One™ credits cannot be used.
How do I estimate my costs?
- Determine your monthly traffic volume through AWS Network Firewall.
- Multiply by $0.010/GB.
- Add AWS Network Firewall costs (endpoints + data processing).
Use AWS Cost Explorer to view historical Network Firewall data processing to estimate
TrendAI costs.
How do I get support for Cloud IPS?
Support channels depend on whether you're a TrendAI Vision One™ customer:
For TrendAI Vision One™ customers:
- Create a support case directly from the TrendAI Vision One™ console.
- Navigate to the support section in your TrendAI Vision One™ dashboard.
- Include relevant details like AWS account ID, region, firewall policy configuration, and CloudWatch logs.
For non-TrendAI Vision One™ customers:
- Email aws.marketplace@trendmicro.com.
- In your email, include your AWS account ID, affected AWS region(s), AWS Network Firewall policy and rule group configuration, relevant CloudWatch logs showing the issue, and a description of the problem and its impact.
For AWS Marketplace subscription and billing issues:
Contact AWS Marketplace support directly through your AWS account.
When opening any support case, provide your AWS account ID, affected AWS region(s),
AWS Network Firewall policy and rule group configuration, relevant CloudWatch logs
showing the issue, and a description of the problem and its impact.
