(1) Check if the USG5520s received IPS event. From the statistic, it can be seen that USG5520s did receive IPS event.
(2) Check if the USG5520s generated IPS logs. Login USG5520s with an audit user, it can be seen that USG5520s did generate IPS logs.
(3) Check if the VSM received IPS logs from USG5520s. From the following picture, it can be seen that VSM did receive IPS logs.
(4) Check the format of IPS logs. All the IPS logs received by VSM had the same format as follows.
<189>2014-09-17 15:10:24 USG5520S_ISB %%01IPS/5/PROIDF
(l): type="PROIDF passed" svrip=<x.x.2.1/vpn:Public> svrport=53 proto=DNS eventnum=1
But the IPS logs of this format type will not shown in Snapshot and Event Trend view. Only the following type of IPS logs can be shown in Snapshot and Event Trend view.
<6>2014-3-4 19:17:56 Eudemon8000E-X3 %%01IPS/4/DETECT
(l):proto=DNS action=Alert src=192.168.12.11 dst=10.27.209.21 srcport=3549 dstport=3754 direction=any eventnum=1 msg="DNS Tsig BO (1)" level=warning id=20001 classtype="Reconnaissance" classtype_id="1,1" reliability=high
But after checked the current IPS logs, there was no such type.
(5) After configured a IPS policy in USG5520S that can hit the IPS event, VSM can receive the IPS logs of Detect event, which can be shown in Snapshot and Event Trend view.