Technical reference for Shield, Intrusion's prevention-first network security platform. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.
| What it does | Blocks malicious network traffic at the network layer using reputation-based threat intelligence. |
|---|---|
| Who it's for | Security teams needing prevention-first network defense. |
| How it deploys | Shield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management. |
| What you get | Prevention of known-bad connections with full evidence of what was blocked. |
Most consoles are built for analyst triage queues. This one is built for the engineer defending a decision in a Slack thread or a security committee meeting. Open the event log. Click the event. There is your answer.
Built for the architect tuning the policy. Not for the analyst chasing the alert.
The console is three things: a chronological event stream of every block, a one-click forensic record per event, and CSV/Excel export for incident reports and audit. No alert priority scoring. No queue.
Representative view. Each row is a blocked connection with full forensic context one click away. Filter by platform, time, source, destination, threat category, or policy.
Most "investigation workflows" in security tooling are six clicks deep with custom queries. This one is two clicks. The forensic record is already attached to the block.
| The Question | The Path |
|---|---|
| "Why was 10.4.21.118 blocked from reaching 185.220.101.42?" | Open event log. Filter by source IP. Click the event. Reputation context, threat category, policy attribution, microsecond timestamp. |
| "What was blocked in the last hour across all platforms?" | Set time filter. Default view is all enforcement platforms. Filter by platform if needed. |
| "This looks like a false positive. How do I unblock?" | Click the event. Add destination to allowlist. Per-platform or global. Effective on platform refresh cycle. |
| "I need to give the audit team last week's blocks for this segment." | Filter by segment, set time range, export to CSV or Excel. |
| "How do I forward these events to my SIEM long-term?" | Configure Syslog forwarding once on Shield OnPremise. Events flow to your SIEM as they happen. |
Role-based access per group. Observer reads. User operates. Administrator governs. Each user gets a role per group; users can hold different roles in different groups.
If your evaluation criteria includes an alert prioritization workflow, a public API for programmatic queries, or SSO integration with your IdP, you need to know that up front.
No SSO or enterprise IdP integration. Local accounts with role-based access.
No public API. CSV and Excel export only. Syslog forwarding from Shield OnPremise to SIEM.
No native integrations with ticketing, PSA, RMM, or SOAR. Forward via SIEM for downstream automation.
No Shield Sentinel view. Sentinel runs independently. Three platforms enforce. One watches.
No alerts. Shield blocks. The console shows what was blocked, not what needs triage. If your team needs an alert queue, this is not the workflow.
30 minute walkthrough with a sales engineer. Real event log. Real policy tuning.
RECOMMENDED NEXT STEP