Action sets determine what the device does when a packet matches a filter. An action set can contain more than one action, and more than one type of action. When you modify or add an action set, the settings change enterprise-wide for all filters using the action set. The types of action that determine where a packet is sent after it is inspected include the following:
- A permit action enables a packet to reach its intended destination.
- A block action discards a packet. A block action can also be configured to quarantine the host and/or perform a TCP reset.
- A quarantine action enables you to manage internal and
external threats by quarantining network connections. This option provides the
ability to automate sophisticated responses to security events.
When an IP address (address group)/system is quarantined, selectto review the list and manage the status of these systems.
- A rate limit action enables you to define the maximum
bandwidth available for the traffic stream. Incoming traffic exceeding this
bandwidth is dropped.
If two or more filters use the same Rate Limit action set, then all packets matching those filters share the bandwidth. For example, filters 164 (ICMP Echo Request) and 161 (ICMP Redirect Undefined Code) use the same 10 Mbps pipe instead of each filter getting a dedicated 10 Mbps pipe. Supported rates are subject to restrictions according to device model. Any of the predefined rates can be used as long as it does not exceed 25 percent of the total bandwidth of the product.
- A trust action enables the designated traffic to bypass all inspection; the traffic is transmitted immediately. Trust has lower latency than Permit, and using it can reduce load on the CPU and processors.
Action Name | Description |
Recommended | The default action set, as determined by the filter’s category settings. When you assign this action set to a filter, the filter uses the recommended action setting for the default category settings. The recommended action set can enable different configurations for filters within the same category. Under a recommended category setting, some filters are disabled while others are enabled; some might have permit actions assigned while others are set to block. |
Block (+TCP Reset) | Blocks a packet from being transferred to the network. You can use the TCP Reset option for resetting blocked TCP flows. |
Block + Notify (+ TCP Reset) | Blocks a packet from being transferred and notifies the SMS management console in the form of an event listing. Blocks a packet from being transferred. Notifies all selected contacts of the blocked packet. You can use the TCP Reset option for resetting blocked TCP flows. When you create an action set with Block + Notify + TCP Reset Destination, when a Reputation filter is hit, the TCP Reset to the Destination IP does not work properly. To resolve this problem, do not use the 'tcp reset' feature or only use 'tcp reset both' when the trigger reason is Reputation. |
Block + Notify + Trace (+TCP Reset) | Blocks a packet from being transferred, notifies the SMS management console in the form of an event listing, and logs all information about the packet according to the packet trace settings. Blocks a packet from being transferred. Notifies all selected contacts of the blocked packet. Logs all information about the packet according to the packet trace settings. You can use the TCP Reset option for resetting blocked TCP flows. |
Permit + Notify | Permits a packet and notifies the SMS management console in the form of an event listing and all selected contacts of the packet. |
Permit + Notify + Trace | Permits a packet, notifies the SMS management console in the form of an event listing, and logs all information about the packet according to the packet trace settings. |
Trust | Allows the traffic stream to continue without comparing it with any other filter rules. |
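
The caveats above (shared rate-limit pipes, the 25 percent rate ceiling, TCP Reset Destination on Reputation filters, and Trust bypassing inspection) can be checked against an inventory of filter assignments. The following is an added example, not part of the product or its documentation; the inventory layout, field names, action-set names and the `device_bandwidth_mbps` parameter are assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed inventory. Field names and action-set names are assumptions for
# this example, not an SMS export format.
ACTION_SETS = {
    "RateLimit-10M": {"type": "rate_limit", "rate_mbps": 10},
    "RateLimit-400M": {"type": "rate_limit", "rate_mbps": 400},
    "Block+Notify+RstDest": {"type": "block", "tcp_reset": "destination"},
    "Block+Notify+RstBoth": {"type": "block", "tcp_reset": "both"},
    "Trust": {"type": "trust"},
}
FILTERS = [
    {"id": "164", "kind": "security", "action_set": "RateLimit-10M"},
    {"id": "161", "kind": "security", "action_set": "RateLimit-10M"},
    {"id": "rep-1", "kind": "reputation", "action_set": "Block+Notify+RstDest"},
    {"id": "rep-2", "kind": "reputation", "action_set": "Block+Notify+RstBoth"},
    {"id": "app-1", "kind": "security", "action_set": "Trust"},
    {"id": "app-2", "kind": "security", "action_set": "RateLimit-400M"},
]

def audit(filters, action_sets, device_bandwidth_mbps):
    """Return (finding, action_set, filter_ids) tuples for review."""
    findings = []
    users = defaultdict(list)
    for f in filters:
        users[f["action_set"]].append(f["id"])
    for name, ids in users.items():
        action = action_sets[name]
        if action["type"] == "rate_limit":
            # Filters on one rate-limit action set share a single pipe.
            if len(ids) > 1:
                findings.append(("shared-rate-limit", name, tuple(ids)))
            # A rate may not exceed 25 percent of the device's total bandwidth.
            if action["rate_mbps"] > 0.25 * device_bandwidth_mbps:
                findings.append(("rate-over-25pct", name, tuple(ids)))
        elif action["type"] == "trust":
            # Trusted traffic bypasses all inspection, so list it for review.
            findings.append(("uninspected-trust", name, tuple(ids)))
    for f in filters:
        # TCP Reset to the destination misbehaves when a Reputation filter fires.
        reset = action_sets[f["action_set"]].get("tcp_reset")
        if f["kind"] == "reputation" and reset == "destination":
            findings.append(("reputation-reset-dest", f["action_set"], (f["id"],)))
    return findings

if __name__ == "__main__":
    for finding in audit(FILTERS, ACTION_SETS, device_bandwidth_mbps=1000):
        print(finding)
```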