The SMS provides default action sets that can be customized for your security policy.

Procedure

  1. Select Profiles > Shared Settings > Action Sets.
  2. Click New to create a new action set, or Edit to change an existing one.
  3. Under the Flow Control tab:
    1. Enter the name of the action set.
    2. Select the action from the Flow Control options.
    3. Select whether TCP Reset is enabled. This option is available only on Block action sets. When it is enabled, the device resets the TCP connection for the source IP, the destination IP, or both when the Block action executes, so the session is torn down on the host side instead of being silently dropped.
  4. Under the Notifications tab, configure notification contacts (either human or machine) that get sent messages in response to a traffic-related event. You can configure any of the following notification contacts to be notified when the action is triggered:
    • Management Console – Sends messages to the SMS, and generates an event when a filter hits. This default contact is available in all action sets. If you select this contact, messages are sent to the Alert or IPS Block Log, depending on whether a permit or block action has executed.
    • Remote Syslog – Sends filter alerts to a syslog server on your network. The remote syslog contact must be configured on every device that uses it; a device without the contact configured sends nothing to that server.
    • SMS Response – Associate a Responder policy when a filter hits. The Responder policy must have Enable Policy selected.
  5. Under the Packet Trace tab, select whether to capture all or part of a suspicious packet for analysis. This should be set only for specific filters to avoid a performance issue with the device.
    • Level determines how much of a suspicious packet is logged for analysis. Full verbosity records the whole packet. Partial verbosity lets you choose how many bytes of each packet (64 to 25,618 bytes) the packet trace log records.
    • Priority sets the relative importance of the information captured. Low priority items are discarded before medium priority items if there is a resource shortage.
  6. Under the Quarantine Settings tab, assign a quarantine action set to a filter. You can select the following quarantine options for the action set:
    • Configure the Hit Count (1-10,000) and the threshold Period in minutes (1-60). A host that triggers the filter Hit Count times within the Period is quarantined; choose whether its traffic is Permitted or Blocked until the threshold is reached. If you select Permit as the pre-threshold action, you can also select TCP Reset so that the device resets the TCP flows (for the Source IP, the Destination IP, or both), which ends the session.
    • Select Web Requests to manage all HTTP traffic from the quarantined addresses. You can configure the SMS to:
      • Block the requests entirely.
      • Redirect the client to another Web server that you specify.
      • Display the quarantined Web page according to options you select.
        Do not use <frameset> or <form> HTML tags for the message.
    • Select Other Traffic to configure the response (Block or Permit) to non-HTTP traffic from hosts listed in the Response History queue. Select Responder > Response History to review the list.
  7. Under the Quarantine Exceptions tab, you can select the following quarantine exceptions for the action set if you enabled the Quarantine hosts that trigger this action option in the preceding step:
    • Restrictions – A list of IP address groups that limits where the quarantine action applies. When a filter hits, only hosts whose IP addresses fall within these address groups are quarantined; hosts outside them are not.
    • Exceptions – A list of excluded IP address groups that will be permitted. When a filter hits, the specific IP addresses within the address groups are not quarantined.
    • Quarantined Access – A list of IP address groups that hosts can still access regardless of being quarantined. For example, when a host is detected as malicious and is quarantined, you might need to allow access to a specific website to remedy the situation.
    To create an unnamed IP address group:
    • Click New to create a new unnamed IP address group, or Edit to change an existing one.
    • (Optional) Enter the name of the IP address group.
    • Enter the IP address in the Source field for a restriction or exception.
    • Enter the IP address in the Destination field for a Quarantined Access entry (the destination a quarantined host may still reach).
    To create a named IP address group:
    • Click New to create a new named IP address group, or Edit to change an existing one.
    • Click the Right arrow next to the Source field for a restriction or exception.
    • Click the Right arrow next to the Destination field for a Quarantined Access entry.
    • From here, you can search for, select, or create a new IP address group. For more information, see Create or edit named resource groups. After you create the action set, select Admin > Named Resources > IP Address Groups to view this IP address group.
  8. Click Finish. To distribute the action set, distribute the profile.
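The following is an added example, not SMS or TippingPoint code: a small Python model of how the quarantine settings from steps 6 and 7 combine when a filter hits. It is useful for reasoning about a policy before distributing it, for instance to check that an Exceptions group really shields the management network and that a Quarantined Access group still lets a quarantined host reach the remediation server. The class and function names, the sliding-window interpretation of Hit Count within Period, and the evaluation order (Exceptions first, then Restrictions) are assumptions made for this example; the sample IP addresses and hit sequence are constructed.

```python
# Added example: a model of the quarantine decision logic described above.
# This is illustrative code, not SMS/TippingPoint software; the sliding-window
# threshold, the evaluation order (exceptions before restrictions) and all
# class/function names are assumptions made for the example.
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def in_groups(addr: str, groups: list[str]) -> bool:
    """True if addr falls inside any CIDR of the given IP address group."""
    ip = ip_address(addr)
    return any(ip in ip_network(cidr, strict=False) for cidr in groups)


@dataclass
class QuarantinePolicy:
    hit_count: int                 # 1-10,000 filter hits ...
    period_minutes: int            # ... within this many minutes (1-60)
    pre_threshold: str = "Permit"  # Permit or Block until the threshold is reached
    web_requests: str = "Block"    # Block, Redirect or Display for HTTP from quarantined hosts
    other_traffic: str = "Block"   # Block or Permit for non-HTTP from quarantined hosts
    restrictions: list[str] = field(default_factory=list)       # only these may be quarantined
    exceptions: list[str] = field(default_factory=list)         # never quarantined
    quarantined_access: list[str] = field(default_factory=list) # still reachable when quarantined

    def __post_init__(self) -> None:
        if not 1 <= self.hit_count <= 10_000:
            raise ValueError("Hit Count must be 1-10,000")
        if not 1 <= self.period_minutes <= 60:
            raise ValueError("Period must be 1-60 minutes")
        if self.pre_threshold not in ("Permit", "Block"):
            raise ValueError("pre-threshold action must be Permit or Block")


class QuarantineEngine:
    """Tracks filter hits per source host and applies the quarantine policy."""

    def __init__(self, policy: QuarantinePolicy) -> None:
        self.policy = policy
        self.hits: dict[str, deque[float]] = {}
        self.quarantined: set[str] = set()

    def eligible(self, src: str) -> bool:
        """Exceptions are never quarantined; Restrictions, if set, limit who can be."""
        if in_groups(src, self.policy.exceptions):
            return False
        if self.policy.restrictions and not in_groups(src, self.policy.restrictions):
            return False
        return True

    def on_filter_hit(self, src: str, ts: float) -> str:
        """Record a filter hit from src at time ts (seconds); return the action applied."""
        p = self.policy
        if src in self.quarantined:
            return "Quarantined"
        if not self.eligible(src):
            return p.pre_threshold  # ineligible hosts stay on the pre-threshold action
        window = self.hits.setdefault(src, deque())
        window.append(ts)
        cutoff = ts - p.period_minutes * 60
        while window and window[0] < cutoff:  # drop hits that fell outside the period
            window.popleft()
        if len(window) >= p.hit_count:
            self.quarantined.add(src)
            return "Quarantine"
        return p.pre_threshold

    def traffic_decision(self, src: str, dst: str, is_http: bool) -> str:
        """Decide what happens to a flow from src to dst once src is quarantined."""
        p = self.policy
        if src not in self.quarantined:
            return "Permit"
        if in_groups(dst, p.quarantined_access):
            return "Permit"  # e.g. the remediation site the host must still reach
        return p.web_requests if is_http else p.other_traffic


def demo() -> dict[str, list[str]]:
    """Constructed hit sequence (not real SMS data) exercising the policy."""
    policy = QuarantinePolicy(
        hit_count=3, period_minutes=5, pre_threshold="Permit",
        web_requests="Redirect", other_traffic="Block",
        exceptions=["10.0.0.0/8"],             # management network, never quarantined
        quarantined_access=["192.0.2.10/32"],  # remediation web server
    )
    engine = QuarantineEngine(policy)
    hits = [("198.51.100.7", 0), ("198.51.100.7", 60), ("10.1.1.5", 70),
            ("198.51.100.7", 120), ("10.1.1.5", 130), ("10.1.1.5", 140),
            ("198.51.100.7", 200)]
    actions = [engine.on_filter_hit(src, ts) for src, ts in hits]
    flows = [engine.traffic_decision("198.51.100.7", "192.0.2.10", True),
             engine.traffic_decision("198.51.100.7", "203.0.113.5", True),
             engine.traffic_decision("198.51.100.7", "203.0.113.5", False),
             engine.traffic_decision("10.1.1.5", "203.0.113.5", False)]
    return {"actions": actions, "flows": flows}


if __name__ == "__main__":
    print(demo())
```

In the constructed run, 198.51.100.7 is permitted on its first two hits and quarantined on the third (three hits inside the five-minute period); afterwards its HTTP to the remediation server is still permitted, its other HTTP is redirected, and its non-HTTP traffic is blocked, while 10.1.1.5 never leaves the Permit path because it sits in the Exceptions group. Note that Exceptions and Quarantined Access are themselves an attack surface: any address you place in them is exempt from the automated response, so keep those groups as narrow as the remediation workflow allows.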