How do I set up CradlePoint Secure Threat Management?

Jesse Rothschild

NOTE: Threat Management is only available for the AER 2100, and it requires a feature license. Enable this feature through Enterprise Cloud Manager.

CradlePoint Secure Threat Management leverages Trend Micro‘s security experience and expertise in this one-pass Deep Packet Inspection(DPI) solution. Threat Management includes settings for both IPS (intrusion prevention system) and IDS (intrusion detection system), as well as application identification logging. Use Threat Management to identify and prevent a wide variety of network threats.

This Threat Management solution examines network traffic for both signature matches from Trend Micro’s large signature database of known threats and statistical anomalies to detect previously unknown threats. Trend Micro regularly adds new signatures to its database: update your signature database version to ensure you’re defending yourself against the newest threats. You have the option to update manually or schedule regular updates.

Follow these steps to get started with Threat Management:

  1. To purchase a license or to begin a free trial, log into Enterprise Cloud Manager (ECM) and go to the Applications tab (this is only available to the primary account administrator). Once entitled, the router must be rebooted for Threat Management to begin working.
  2. For complete configuration options, go to Network Settings → Threat Management in the configuration pages (in ECM or locally). See configuration options below.
  3. Set up emailed or logged alerts in the Alerts tab in ECM.
  4. Set up regularly scheduled signature updates in the configuration pages, or update manually in ECM via the Devices or Groups page (click on Commands in the top toolbar and select Update IPS Signatures from the dropdown options).

NOTE: Updating the signature database version causes a network disruption for a couple of seconds. You can schedule these updates to occur during days/times when you expect less traffic on your network.


The Status section shows if Threat Management is enabled. It shows the current signature database version number, the timestamp for the most recent update, and the status of the most recent attempt to update signatures.


Click on the Update button to check for a new signature database version.


Customize your Threat Management implementation (choose between IPS and IDS, set up a signature update schedule, etc.).


Operation Mode: Choose IPSIDS, or neither.

  • Disabled
  • Detect and Prevent (default) – IPS mode
  • Detect Only – IDS mode

Engine Failure/Error Action: In the unlikely event of an error with the Threat Management engine, you have the following options:

  • Allow Traffic (default)
  • Deny Traffic

With Allow Traffic selected, the device will act like a typical router without Threat Management enabled and route traffic as usual. If security is a huge concern, however, you may wish to select Deny Traffic to stop all traffic when Threat Management isn’t working properly.

Application ID Logging: (Disabled by default.) The DPI engine can identify network traffic applications and send this information to the system logs. Depending on your network traffic uses, application ID logging may send huge amounts of data to the system logs. We recommend enabling a syslog server to manage this information.

To view the logs, go to Status → System Logs. For configuration options, including syslog server setup, go to System Settings → Administration and select the System Logging tab.

Signature Update Schedule

You can choose to have a different signature update schedule for modems than for other WANs. This is intended to protect against overages when data usage limits for 3G/4G modems are restricted. For both Non-Modem WANs and Modem WANs, first choose the Frequency for updates:

  • Never
  • Daily
  • Weekly
  • Monthly

Then choose the specifc day and time. These updates cause a minor network disruption, so schedule updates for times with less critical traffic.

Whitelisted Signatures

Specify individual signatures that the Threat Management engine is detecting/preventing when the traffic is actually desired. Click Add and manually input a signature ID to include that signature on the “whitelist.”