Configure quarantine rules and send quarantine responses
for events generated from suspicious activity identified by the integrated
SNORT system.
Quarantine responses
Set quarantine responses
for SNORT events in and in .
Important:
- Quarantine responses work only when you configure the appliance
to run in inline protection mode.
- The Issue ID option in predefined and custom
quarantine responses works for security events only. This option does
not identify traffic for other events.
- You cannot change the settings of, rename, or remove predefined
quarantine responses. Define custom quarantine responses to meet specific
needs.
- Quarantine responses generate quarantine rules to block a single
IP protocol (the protocol of the offending traffic) and not all traffic.
- Quarantine rules generated by quarantine responses have a default
duration of one hour. You can set or change the duration for these
rules when you set up responses for events.
For descriptions of the quarantine intruder, Trojan, Worm, and DDOS
responses, see Predefined quarantine responses.
Quarantine rules
The appliance displays SNORT significant events in . Use the single-click
feature on the Security Alerts page to create quarantine rules for SNORT
events. To generate a quarantine rule, click the event and select
Block Intruder. This action does not generate a block response. Edit
quarantine rules in .
Tip: If you do not see SNORT events on the Security Alerts page, check
whether the Send alert messages to syslog setting is enabled on the
SNORT Execution tab. When this setting is enabled, the SNORT system
does not send events to the Security Alerts page.