IVO Networks · IngressGuard Series

IngressGuard Gateway

Multi-Layer Web Security Gateway Appliance

A unified web security gateway that integrates URL filtering, anti-malware inspection, intrusion prevention, application and network-layer firewalls, and full HTTP/HTTPS inspection — in a single purpose-built appliance.

See inside encrypted traffic without degrading performance. IngressGuard performs real-time TLS interception and content inspection with hardware-accelerated cryptography and a multi-stage inspection pipeline that catches threats hidden in HTTPS.
IG-800: Branch · IG-2000: Mid-range · IG-4000: Performance · IG-6000: Enterprise

HTTPS INSPECTION

Real-time inspection across every layer

The majority of web traffic is now encrypted with TLS. This protects users from eavesdroppers — but it also hides malware downloads, command-and-control channels, and data exfiltration from your security infrastructure. If your gateway can't inspect HTTPS, it can't protect against the threats that use it.

IngressGuard performs real-time TLS interception — terminating the client's TLS connection, inspecting the decrypted content through the full security pipeline, and establishing a separate TLS connection to the destination server. To the client, the gateway appears to be the server. To the server, the gateway appears to be the client. The inspection is transparent.

The gateway generates substitute certificates signed by a CA deployed to managed devices through Group Policy. The CA private key is stored in hardware — HSM or TPM depending on the model — and never leaves the secure boundary. Certificate generation and TLS handshakes are accelerated by dedicated cryptographic hardware to maintain throughput at scale.

A configurable bypass policy excludes connections that shouldn't be inspected — financial services, healthcare, certificate-pinned applications — based on hostname, category, or destination. Bypassed connections pass through without decryption, while all other HTTPS traffic receives full content inspection.

TLS Interception Flow

Inspected Connection: TLS terminated · Content inspected · Re-encrypted to destination
Client <-- TLS 1 --> IngressGuard <-- TLS 2 --> Server
Decrypted content flows through the inspection pipeline:
1. URL filtering: category, path, parameters
2. Anti-malware: signatures & heuristics
3. Intrusion prevention: exploit & anomaly detection
4. Application firewall: method, header, content policy

Bypassed Connection: Financial · Healthcare · Certificate-pinned · Policy-excluded
Client <-- Pass-through --> Server

Fast checks first. URL filtering executes before malware scanning — traffic blocked by category never reaches the expensive inspection layers.

CAPABILITIES

What IngressGuard delivers

Five security layers integrated in a single appliance — inspecting encrypted and unencrypted web traffic in real time with hardware-accelerated performance.

URL filtering

Category-based and path-level URL filtering on decrypted HTTPS traffic. Block, allow, or log access by category, specific URL patterns, or custom rules. Full-path visibility requires HTTPS inspection — hostname-only filtering from SNI is available for bypassed connections.

Anti-malware inspection

Signature-based and heuristic scanning of decrypted response bodies: file downloads, inline content, and streamed data. Handles chunked transfer encoding, gzip/brotli content encoding, and multi-part responses transparently.

Intrusion prevention

Signature-based and anomaly-based detection on decrypted traffic. Identifies exploit payloads, protocol anomalies, and known attack patterns that would be invisible inside encrypted connections. Inspects both requests and responses.

Application-layer firewall

HTTP method control, header inspection, content-type enforcement, and request/response pattern matching. Block file uploads by type, enforce content security policies, and detect data exfiltration patterns at the application layer.

Network-layer firewall

Stateful packet inspection with port, protocol, and IP-based access control. Provides the network-layer foundation that the application-layer inspection builds upon — blocking unauthorized traffic before it reaches the content pipeline.

TLS 1.3 & cipher enforcement

Full TLS 1.3 support on both client-facing and server-facing sides. Enforces minimum cipher strength — refusing to negotiate weak or deprecated algorithms — acting as a cipher policy enforcement point that improves organizational TLS posture.

ASAFE Integration

Cloud-based management and monitoring

Every IngressGuard deployment integrates with the ASAFE platform — IVO Networks' cloud-based monitoring, high-availability, and security management system.

High-availability failover (FC4AO)

Proprietary failover technology automatically redirects traffic to secondary gateways when the primary becomes unreachable — maintaining web security inspection without gaps in coverage or unprotected traffic passing through.

Real-time monitoring & reporting

Track inspection throughput, threat detection rates, blocked categories, active sessions, and gateway health — all from a cloud-based dashboard. View security events in real time without deploying separate monitoring infrastructure.

Centralized policy management

Manage URL filtering categories, inspection bypass lists, IPS signatures, firewall rules, and TLS interception policies from a single interface. Push policy changes across all deployed IngressGuard appliances without per-device configuration.

SIEM integration & logging

Stream inspection metadata — full URLs, HTTP methods, response codes, content types, threat verdicts — to your SIEM in real time. Selective content capture for malware quarantine and DLP match evidence.

ASAFE Platform

Monitoring, failover & security management

Threat dashboard · HA failover · Policy management · Real-time alerts · SIEM streaming · Signature updates
IngressGuard · ASAFE Cloud · SOC / SIEM

ARCHITECTURE

Inspection pipeline layers

Five integrated security layers operating on decrypted traffic — ordered from fast to expensive so that traffic blocked early in the pipeline never reaches the costly inspection stages.

TLS interception engine

Terminates client TLS, establishes server TLS, and manages the certificate substitution lifecycle. CA private key stored in hardware (HSM/TPM). TLS session caching and certificate caching minimize per-connection overhead. Full TLS 1.3 support.

Content inspection pipeline

Decrypted HTTP streams pass through URL filtering, anti-malware, IPS, and application firewall layers in sequence. Fast checks (URL category) execute before expensive checks (full malware scan). First blocking verdict terminates the connection.
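
The bypass decision and the fast-to-expensive stage ordering described above, modeled as an added Python example. It is not IngressGuard code or configuration: the hostnames, categories, stage checks and function names are hypothetical stand-ins, and the sample flows are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical policy values (assumptions, not vendor defaults).
BYPASS_SUFFIXES = (".bank.example", ".clinic.example")   # leading dot = label-anchored
BYPASS_CATEGORIES = {"financial", "healthcare"}
BLOCKED_CATEGORIES = {"gambling"}

@dataclass
class Flow:
    sni: str                 # hostname from the TLS ClientHello
    category: str            # result of a hostname category lookup (assumed)
    method: str = "GET"
    path: str = "/"
    body: bytes = b""
    ran: list = field(default_factory=list)   # stages that actually executed

def is_bypassed(flow):
    """Decide on SNI/category only: nothing is decrypted at this point."""
    host = flow.sni.lower().rstrip(".")
    # Match whole DNS labels so 'evilbank.example' does not ride the
    # 'bank.example' exemption the way a bare endswith() would allow.
    by_host = any(host == s[1:] or host.endswith(s) for s in BYPASS_SUFFIXES)
    return by_host or flow.category in BYPASS_CATEGORIES

# Stand-in checks, ordered cheap to expensive as in the pipeline description.
def url_filter(f):   return f.category in BLOCKED_CATEGORIES
def anti_malware(f): return b"CONSTRUCTED-TEST-SIGNATURE" in f.body
def ips(f):          return "../" in f.path
def app_firewall(f): return f.method not in {"GET", "HEAD", "POST"}

PIPELINE = [("url_filter", url_filter), ("anti_malware", anti_malware),
            ("ips", ips), ("app_firewall", app_firewall)]

def handle(flow):
    """Return (verdict, blocking_stage); the first blocking verdict ends the flow."""
    if is_bypassed(flow):
        return ("bypass", None)
    for name, blocks in PIPELINE:
        flow.ran.append(name)
        if blocks(flow):
            return ("block", name)
    return ("allow", None)

if __name__ == "__main__":
    bad = b"..CONSTRUCTED-TEST-SIGNATURE.."
    for f in (Flow("www.bank.example", "uncategorized"),
              Flow("evilbank.example", "uncategorized"),
              Flow("casino.example", "gambling", body=bad),
              Flow("files.example", "uncategorized", body=bad)):
        print(f.sni, handle(f), f.ran)
```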

Hardware acceleration

Asymmetric crypto (RSA/ECDSA handshakes, certificate signing) offloaded to dedicated hardware. Symmetric crypto (AES session data) uses AES-NI. Pattern matching for IPS and anti-malware can leverage GPU coprocessors on higher-tier models.

Models

IngressGuard gateway models

Four appliance tiers from branch office to large enterprise — all built on the same hardened platform with full HTTPS inspection and ASAFE management.

Specification            IG-800        IG-2000     IG-4000                IG-6000
Form factor              1U compact    1U          1U                     2U
Network interfaces       GbE           GbE         GbE / 10GbE            10GbE
HTTPS inspection
URL filtering
Anti-malware
IPS
App / network firewall
Crypto acceleration      AES-NI        AES-NI      AES-NI + HW offload    AES-NI + GPU
CA key storage           TPM           TPM         TPM / HSM              HSM
High availability        FC4AO         FC4AO       FC4AO                  FC4AO
Management               ASAFE         ASAFE       ASAFE                  ASAFE
Target deployment        Branch / SMB  Mid-size    Mid to large           Enterprise / Gov

GET STARTED

Ready to see inside your encrypted traffic?

Contact our sales team to discuss your deployment requirements, schedule a demo, or request a proof of concept.

Or call us directly: +1 (650) 286-1300