Procedure
- On the Responder navigation pane, click Policies.
- On the Active Response Policies screen, click New, or select an existing policy from the Active Response Policies list, and then click Edit.
- In the Active Response Policy wizard, specify the following on the Initiation and Timeout screen:
  - Specify a Policy Name.
  - Specify the mechanism to use to initiate the policy.
  - To set the timeout option, select the Enable Automatic Timeout checkbox and enter the number of minutes, hours, or days.
    Setting this option automatically closes the response action for an end-station after the prescribed time limit even if remediation has not occurred.
- Click Next, or select Inclusions and Exclusions from the wizard navigation tree.
- On the Inclusions and Exclusions screen, specify the hosts or networks to Allow Active Response or Never Respond.
  Click the arrow next to a field to add an existing Named Resource or to create a new Named Resource.
- Click Next, or select Correlation and Thresholding from the wizard navigation pane.
- For Correlation and Thresholding, enter the following settings:
  Automatic Response Configuration:
  - Qualified filter hits — The number of hits to enact the policy.
  - Threshold period — The period of time in seconds or minutes for the hit count threshold.
  - Quiet period — The Quiet Period begins when the automatic response action is initiated. A new Threshold Period will not begin until the Quiet Period is over.
  Qualified Filter Hit Notifications:
  - Select Send Syslog Notification to send a message to the syslog. Enter a server and select a port and facility for the syslog.
  - Select Send SNMP Trap Notification to send a message to the SNMP trap. Enter a destination and select a port.
- Select Actions from the wizard navigation pane.
- The Actions screen lists the actions that are associated with the policy and the following information:
  - Priority — The order in which the actions are to be performed.
  - Action — Name assigned to the action that you created.
  - Condition — Trigger for running the action. This option is set when you add a new action to the Active Responder policy. You can change it by editing a selected action through this screen.
  - Dependency — Specify what other action must take place for this action to be triggered.
- In the Actions screen, click Add to add a new Response action or select an existing action entry, and then click Edit.

Note
The SMS supports multiple IPS action sets. You must set up a Profile action set with IPS Quarantine defined before you set up an Active Responder policy.

- On the Response Action screen, select an action to add from the menu.
  You created these actions in the Actions screen for Active Response. When adding additional actions, you can create dependencies between the actions:
  - Select an action to add.
  - Select an option: success on or failure on.
  - Select the action to connect for dependency.
  For example, the added action called Email Admin (email type) could have a dependency on the previously added action of Switch Down (switch disconnect type). In this situation, when the switch goes down, the email action sends a message informing the network administrator.
- Click OK to return to the setup wizard.
- On the Actions screen, review the listed actions.
  To change the priority of a selected action, use the up and down arrows to change the location of the selected action in the list.
- Click Next.
- In the IPS Destinations screen, you can select which devices will receive the Active Responder policy.
  - To send an IPS action to all devices with qualified hits, select Send IPS Action only to the device which triggered the threshold.
  - To send the IPS action to one or more devices, select one or more devices.
  When you configure an IPS Quarantine action for a stack, propagate the policy to the stack so that any stack member that inspects the traffic can also quarantine the traffic when necessary.
- On the Active Response Policy setup wizard, click Finish to save your settings.
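
The interaction of the Qualified filter hits, Threshold period, and Quiet period settings from the Correlation and Thresholding step, modeled as an added example (this is not SMS code or vendor logic). It assumes a threshold period is a fixed window opened by the first qualified hit and that hits arriving during the quiet period are ignored; `Thresholding`, `responses`, and the sample hit times are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Thresholding:
    qualified_hits: int      # hits needed to enact the policy
    threshold_period: float  # seconds within which those hits must occur
    quiet_period: float      # seconds after a response in which no new period begins


def responses(hit_times, cfg):
    """Return the times at which the automatic response would be initiated."""
    fired = []
    window_start = None
    count = 0
    quiet_until = float("-inf")
    for t in sorted(hit_times):
        if t < quiet_until:
            continue  # quiet period: a new threshold period may not begin yet
        if window_start is None or t - window_start >= cfg.threshold_period:
            # Assumption: a fixed window opened by the first qualified hit.
            window_start, count = t, 0
        count += 1
        if count >= cfg.qualified_hits:
            fired.append(t)
            quiet_until = t + cfg.quiet_period  # quiet period starts with the response
            window_start, count = None, 0
    return fired


# Constructed sample: seconds at which one end-station matched the filter.
SAMPLE_HITS = [0, 10, 20, 25, 30, 100, 200, 210, 215, 400, 405, 410]


def demo():
    """3 hits within 60 s enact the policy; then 300 s of quiet."""
    cfg = Thresholding(qualified_hits=3, threshold_period=60, quiet_period=300)
    return responses(SAMPLE_HITS, cfg)


if __name__ == "__main__":
    print("with 300 s quiet period:", demo())
    no_quiet = Thresholding(qualified_hits=3, threshold_period=60, quiet_period=0)
    print("with no quiet period:   ", responses(SAMPLE_HITS, no_quiet))
```

Comparing the two runs shows which bursts a given quiet period suppresses, which helps when choosing values that avoid repeated responses for the same end-station.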
