Responder controls use policies, action sets, and filters that identify, and can react to,
security violations. An action must be fully implemented before it can take effect.
To use Responder, you must first:
- Manage devices.
- Define actions.
- Create an Active Responder policy to control how a response is triggered. The policy sets:
  - initiation and timeout rules,
  - the specific IP addresses it applies to,
  - a threshold period,
  - which responder actions execute and in what priority,
  - the device, if the policy contains an Intrusion Prevention System (IPS) action.
- Create a Profile Action Set to control the flow (permit, block, quarantine, rate limit, or trust) and to determine which notification types a filter hit will send (management console, SMS response, remote syslog, email, and SNMP) for the active responder policy.
- Select Profile Security and Application Filters to use that particular flow of traffic for the Action Set.
Learn more about these tasks in the SMS User Guide.
The SMS client defines the full implementation requirements for each action to ensure
that your Responder policies are set up securely. All implementation requirements
are located on the Implementation screen in the Response Action wizard.
Limitations
Note the following limitations when using Active Responder:
- Actions — The SMS can support a maximum of 250 actions per minute.
- Response History — There must be less than 20,000 active responses at any given time. The SMS does not have a limit on the number of closed responses.
