Skip to main content

Overview

This guide walks you through configuring Meter’s Network Intrusion Detection System (NIDS) to monitor and protect your network from security threats. You’ll learn how to enable detection and prevention, configure which VLANs to monitor, tune severity thresholds, manage categories and signatures, and respond to security events.

Prerequisites

  • Meter Security Appliance (mc06 or mc11) running a NIDS-capable NOS version
  • Dashboard access with Partner or Company/Network Admin write permissions
  • At least one configured VLAN on your network
  • Understanding of your network’s security requirements and risk tolerance

Use cases

  • Deploy intrusion detection across branch offices to identify compromised devices
  • Enable automatic blocking of known malware command-and-control traffic
  • Meet compliance requirements for network security monitoring
  • Detect and respond to suspicious traffic patterns in real time
  • Create custom responses to specific threat signatures

How-to

Enable NIDS

  1. Log in to Meter Dashboard at https://dashboard.meter.com
  2. Select the network you want to configure
  3. Navigate to Firewall > NIDS in the left sidebar
  4. Click the Config button in the top right
NIDS configuration interface
  1. The NIDS configuration drawer will open

Configure detect settings

NIDS detect settings configuration
  1. Mode toggle: Leave the toggle set to Detect for initial configuration
    • Detect mode only logs events without blocking traffic
    • This allows you to review detection behavior before enabling protection
  2. Select VLANs to monitor:
    • Click the VLANs dropdown
    • Select which VLANs should be monitored by NIDS
    • Start with business-critical VLANs or those with sensitive data
    • You can add more VLANs later
  3. East-West Detection and Prevention:
    • Toggle ON to monitor traffic between your selected VLANs
    • Toggle OFF (default) to only monitor traffic entering/leaving the internet
    • Enable this if you need to detect lateral movement from compromised devices
    • Keep disabled if inter-VLAN traffic is considered trusted
  4. Detection Severity:
    • Use the slider or dropdown to select the minimum severity level to log
    • Critical: Only log the most severe threats
    • High (recommended): Log significant security concerns and above
    • Medium: Include potentially unwanted activity
    • Low: Log all events including informational detections
    • Selecting “High” means both High and Critical events are logged
  5. Click Save to enable NIDS in detect mode

Monitor detection events

  1. After saving, navigate to the Detection tab
  2. Wait for network activity to generate events (this may take several minutes to hours depending on traffic)
  3. Review the events table showing:
    • Timestamp of each detection
    • Source and destination IP addresses
    • Threat category and signature
    • Severity level
    • Action taken (allowed in detect mode)
NIDS logs and events interface
  1. Click on any event timestamp to view detailed information:
    • Full signature description
    • Protocol and port numbers
    • HTTP metadata (hostname, URL, user agent) if applicable
    • Flow statistics (packets, bytes)
    • MAC addresses
NIDS event details and ACL rule creation
  1. Baseline period: Monitor for 1-2 weeks before enabling protect mode
    • Identify false positives (legitimate services flagged as threats)
    • Review which threat categories are most common
    • Verify detection is working correctly

Configure protect settings (IPS)

After monitoring detect mode, enable automatic blocking:
  1. Navigate to Firewall > NIDS
  2. Click Config to open the configuration drawer
  3. Toggle the mode switch from Detect to Protect
NIDS protect settings configuration
  1. Prevention Severity:
    • Set the minimum severity level for automatic blocking
    • Critical (recommended): Only block the most severe threats
    • High: Block significant security concerns and critical threats
    • This operates independently from Detection Severity
    • Example: Detect at “High” to log everything, Protect at “Critical” to only auto-block the worst threats
  2. Protect rule duration:
    • Set how long automatically-generated ACL rules remain active
    • Default: 24 hours (86400 seconds)
    • Range: 1 hour to 30 days
    • After expiration, rules are removed automatically
    • If the same threat is blocked again, a new rule is created
  3. Global Protect Suppression:
    • Add internal or external IP addresses that should never be blocked
    • Enter IPs in CIDR notation (e.g., 10.103.0.20/32 for a single host or 10.103.0.0/24 for a subnet)
    • Use this for critical internal services that may trigger false positives
    • Detect will still log events from these IPs, but Protect will not block them
  4. Click Save to enable protect mode

View and manage IPS rules

  1. Navigate to the Protection tab
  2. View the table of currently active IPS-generated ACL rules:
    • Source and destination IP addresses
    • Port numbers and protocols
    • When the rule was created
    • When it will expire
    • Associated threat signature
  3. To delete an IPS rule before it expires:
    • Click the (more actions) button for the rule
    • Select Delete
    • Confirm the deletion
    • The traffic will no longer be blocked

Tune categories and signatures

Fine-tune NIDS behavior by adjusting individual categories or signatures:
  1. Navigate to the Categories tab
  2. View the list of all threat categories with their current mode:
    • Detect: Generate events but don’t block
    • Protect: Block matching traffic
    • Disabled: Ignore traffic matching this category
    • Inherited: Use the global detect/protect setting
NIDS categories and signatures configuration
  1. To change a category’s mode:
    • Click on the Mode column for the category
    • Select the desired mode from the dropdown
    • Signature-level settings override category settings
  2. To configure individual signatures:
    • Navigate to the Signatures tab
    • Use filters to find specific signatures by ID, name, or category
    • Click the Mode column to set behavior for that signature
    • Any signature setting overrides its category setting

Create suppressions

Use suppressions to prevent false positives without disabling entire categories:
  1. Navigate to the Signatures tab
  2. Find the signature generating false positives
  3. Click the (more actions) button for that signature
  4. Select Suppressions
NIDS suppressions configuration
  1. In the suppression drawer:
    • Mode: Choose to suppress Detect, Protect, or both
    • IP address: Enter the IP in CIDR notation (e.g., 10.103.0.20/32)
    • Direction (optional): Choose if only specific traffic direction should be suppressed
      • Both: Suppress regardless of whether the IP is source or destination
      • Source: Only suppress when the IP is the source
      • Destination: Only suppress when the IP is the destination
    • Click Add to create the suppression
Note: Suppressing Detect also automatically suppresses Protect for the same traffic.
  1. Review existing suppressions:
    • Click on the count in the Suppressions column for any signature
    • View all suppressions configured for that signature
    • Delete suppressions that are no longer needed
NIDS suppressions management

Create permanent ACL rules from events

Convert detection events into permanent firewall rules:
  1. Navigate to the Detection or Protection tab
  2. Click on an event timestamp to view details
  3. At the bottom of the event details, click Create ACL rule
NIDS ACL rule creation from event
  1. Edit the ACL rule parameters:
    • Adjust source/destination IP ranges
    • Modify port numbers
    • Add a descriptive name
    • Set the rule priority
  2. Click Save to create the permanent ACL rule
  3. View NIDS-generated ACL rules:
    • Navigate to Firewall > ACLs
    • Rules created from NIDS events are marked with a NIDS icon
    • Click the icon to view the original detection event
NIDS ACL rule management interface

Disable NIDS

If you need to disable NIDS completely:
  1. Navigate to Firewall > NIDS
  2. Click Config
  3. Click the (more actions) button in the top right of the drawer
  4. Select Disable
  5. Confirm the action
  6. All monitoring and protection will stop immediately

Configuration options

Mode settings

SettingOptionsDescription
ModeDetect, ProtectDetect logs events only; Protect logs and blocks threats
VLANsMultiple selectionSelect which VLANs to monitor
East-West DetectionToggleEnable to monitor inter-VLAN traffic
Detection SeverityCritical, High, Medium, LowMinimum severity to generate detection events
Prevention SeverityCritical, High, Medium, LowMinimum severity to automatically block (Protect mode only)
Protect rule duration3600-2592000 secondsHow long IPS-generated ACL rules remain active

Category and signature modes

ModeBehavior
DetectGenerate events, don’t block traffic
ProtectGenerate events and block matching traffic
DisabledIgnore traffic matching this category/signature
InheritedUse the global detect/protect setting (categories only)

Best practices

Initial deployment:
  • Start with Detect mode for 1-2 weeks to establish baseline
  • Monitor only 1-2 critical VLANs initially
  • Set Detection Severity to “High” to reduce noise
  • Review events daily during the baseline period
Tuning for your environment:
  • Create suppressions for persistent false positives
  • Disable or set to “Detect” for categories that don’t apply to your business
  • Use category-level controls before adjusting individual signatures
  • Document all suppressions and category changes
Enabling Protect mode:
  • Set Prevention Severity to “Critical” initially
  • Add critical internal services to Global Protect Suppression
  • Monitor the Protection tab daily for the first week
  • Gradually lower Prevention Severity to “High” after validation
Ongoing maintenance:
  • Review detection events weekly for new threat patterns
  • Create permanent ACL rules for confirmed persistent threats
  • Delete expired IPS rules that are no longer relevant
  • Adjust severity thresholds based on event volume and analyst capacity

Troubleshooting

No events appearing in Detection tab

Possible causes:
  • NIDS may not yet be fully active (wait 5-10 minutes after enabling)
  • Network traffic volume is low
  • All traffic is benign and not triggering any signatures
  • Selected VLANs have no monitored traffic
Solutions:
  • Verify NIDS is enabled in the Config drawer
  • Check that VLANs are selected and have active traffic
  • Lower Detection Severity to “Low” temporarily to see if any events appear
  • Visit a known test site like testmyids.com to trigger a detection

Legitimate service being blocked by Protect mode

Solution:
  1. Find the signature blocking the service in the Protection tab
  2. Create a suppression for your internal server’s IP address
  3. Or change that signature’s mode from “Protect” to “Detect”
  4. If the entire category is problematic, adjust the category mode instead

Too many false positive events

Solutions:
  • Increase Detection Severity to “High” or “Critical”
  • Review the Categories tab and disable categories that don’t apply to your environment
  • For specific persistent false positives, create suppressions
  • Consider whether east-west detection is necessary for your use case

IPS rules persist after expiration

Known issue: IPS rules may still appear in Dashboard UI after reboot, even though they’re removed from the Security Appliance. Solution:
  • Manually delete the rules using the (more actions) menu
  • The rules are not actually active on the device despite appearing in the UI

Performance degradation on mc11 Security Appliance

Cause: NIDS limits throughput to under 5 Gbps on 10G Security Appliances. Solutions:
  • Disable east-west detection if not required
  • Monitor only the most critical VLANs
  • Contact Meter support to discuss upgrading hardware if needed

FAQ

For unencrypted traffic: The Security Appliance inspects both packet payloads and metadata to detect threats such as malware, command-and-control activity, and known intrusion signatures. This allows for deep packet inspection and signature-based threat detection.For encrypted traffic (HTTPS, etc.): The Security Appliance cannot decrypt encrypted content. Instead, it analyzes metadata and behavioral patterns (such as timing, frequency, destination, and packet sizes) to identify anomalies and potential threats using traffic analysis.We maintain your privacy by never breaking encryption. The contents of your encrypted traffic remain completely private and secure, end to end. Meter NIDS never sends packets to the Meter cloud backend.
Scanning occurs locally on the Meter Security Appliance. When a threat is detected, a log is generated indicating the category of the threat as well as any relevant metadata.
Meter NIDS leverages the Emerging Threats ruleset. We plan to add support for custom rule sets and signatures in the future.
NIDS is included with your Meter subscription as a software upgrade at no additional charge.
Networks with the 1G Security Appliance (mc06): No performance impact.Networks with the 10G Security Appliance (mc11): Overall throughput from the Security Appliance will be limited to under 5 Gbps.
Yes. Navigate to Firewall > NIDS, click Config, click the (more actions) button in the top right, then select Disable.
Yes. Meter supports exporting NIDS detection and protection events to your SIEM platform via AWS Kinesis Data Streams. See the SIEM integration technical overview for details.
IPS rules are temporary ACL rules automatically created by Protect mode. They have a configurable expiration time (default 24 hours) and appear in the Protection tab.Permanent ACL rules are created manually from NIDS events or directly in the Firewall > ACLs interface. They never expire and are managed like regular firewall rules.

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support Last updated by Meter Support Engineering on 09/30/2025
I