An active responder policy controls the security response state of a host. A policy
defines a number of actions that occur during a response. These actions can potentially
interact with a variety of networking equipment, including an NMS and ingress switches,
to enforce a response. A policy also handles reversing these actions when a response
is closed. You can initiate active responder using these mechanisms:
- By correlating the event stream from a subset of managed IPS devices, and responding when threshold criteria are met.
- Manually, by choosing and entering an IP address.
- Via a Web service call from an external NMS (Network Management System).
- By escalating an IPS Quarantine, which is local to that IPS, to a potentially network-wide SMS response.

Note: Limit SMS Policies that escalate the IPS Quarantine to one SMS active responder policy.
If there is already a host in SMS active responder and that host shares the same
identity with an incoming IPS Quarantine escalation, the SMS does not escalate the
IPS Quarantine into a new response event.