Use the general settings area on the Response Filters tab to configure attributes such as protection domain, event name, severity, virtual LAN, and event throttling.
About this task
Navigating in IPS Local Management Interface:
Navigating in SiteProtector™ Management: select the Response Filters policy
Procedure
- Click the Add icon.
- Configure the following options:
- Enabled: Enables this response filter. A filter that is not enabled has no effect on the events it describes.
- Protection Domain: Specifies the protection domain for the response filter.
- Event Name: Displays a truncated event name. Click the ellipsis to show the list of events. You can add multiple events at one time; use the filter settings to sort through the list.
  Note: In some policies, you can apply the policy to events detected by X-Force. In the Event Name list, filter the events using Issue Name, X-Force Assigned Risk, or IssueID numbers. Click the IssueID for details. If these events are triggered on the appliance, see them in and in .
- Comment: Specifies a unique description for the response filter or set of filters.
- Severity: Specifies the severity level to filter by: high, medium, or low.
- Interface: Specifies the appliance ports or interfaces where you want to apply the response filter.
  Note: Not all interfaces are available on every appliance. The appliance ignores port configurations that do not apply to the appliance model.
- VLAN: Specifies the range of virtual LAN tags where you want to apply the response filter.
- Event Throttling: Sets a time window (in seconds) during which multiple occurrences of the same event are reported once.
  Tip: Use this feature to prevent your console from being overrun with duplicate events that could mask a more dangerous event.
  Note: The default value is 0 (zero), which disables event throttling.
- ICMP Version: Specifies ICMP or ICMPv6 types or codes for either side of the packet.
  Note: Click the applicable Well Known option to select often-used types and codes.
- Ignore Events: Ignores events that match the criteria you set in this filter. Check the match criteria carefully: an Ignore Events filter with broad criteria (for example, no severity, interface, or VLAN restriction) silences the event for all traffic that matches it.
- Display: Specifies how the event is shown in the management console:
  - No Display: Does not display the detected event.
  - Without Raw Logs: Displays a summary of the event.
  - With Raw Logs: Displays a summary and the associated packet capture.
- Block: Blocks an attack by dropping packets and sending resets to TCP connections.
- Log Evidence: Determines the type of packets to capture when suspicious traffic triggers events. The appliance logs the capture files to the /var/iss/ directory.
  - None: The appliance captures no traffic.
  - Offending Packet: When an event occurs, the appliance captures the suspicious traffic.
  - Connection: When an event occurs, the appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
  - Interface: When an event occurs, the appliance captures all traffic that passes through the specified interfaces.
  - All Interfaces: When an event occurs, the appliance captures all traffic that passes through all interfaces.
  Note: Connection and interface captures can contain full payloads of the traffic, so treat the files in /var/iss/ as sensitive data and watch disk usage when the broader capture options are enabled.
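The following is an added example, not code from the appliance or from IBM: it models how a response filter row with the fields described above is evaluated against a stream of events, so that the effect of the match criteria (event name, severity, interface, VLAN range), of Enabled, Ignore Events, Display and Block, and of the event-throttling window can be seen on concrete input. The evaluation order (first matching filter wins), the throttling key (event name, interface, VLAN), the rule that a throttled event is still blocked but not re-reported, and the event names and records are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    """One detected event (constructed record; the real appliance format is not shown here)."""
    name: str
    severity: str      # "high", "medium" or "low"
    interface: str
    vlan: int
    time: float        # seconds


@dataclass
class ResponseFilter:
    """One row of the Response Filters policy, fields named after the table above."""
    enabled: bool = True
    event_names: Set[str] = field(default_factory=set)    # empty = any event
    severity: Optional[str] = None                        # None = any severity
    interfaces: Set[str] = field(default_factory=set)     # empty = any interface
    vlan_range: Optional[Tuple[int, int]] = None          # inclusive (low, high) VLAN tag range
    event_throttling: int = 0                             # window in seconds; 0 disables throttling
    ignore_events: bool = False
    display: str = "with_raw_logs"   # "no_display" | "without_raw_logs" | "with_raw_logs"
    block: bool = False
    # Last time each (event, interface, VLAN) was reported; drives the throttling window.
    _last_reported: Dict[tuple, float] = field(default_factory=dict, repr=False)

    def matches(self, ev: Event) -> bool:
        """A disabled filter never matches; otherwise every set criterion must hold."""
        if not self.enabled:
            return False
        if self.event_names and ev.name not in self.event_names:
            return False
        if self.severity is not None and ev.severity != self.severity:
            return False
        if self.interfaces and ev.interface not in self.interfaces:
            return False
        if self.vlan_range is not None:
            low, high = self.vlan_range
            if not low <= ev.vlan <= high:
                return False
        return True

    def respond(self, ev: Event) -> dict:
        """Decide what happens to a matching event (assumed semantics, see lead-in)."""
        if self.ignore_events:
            return {"action": "ignore"}
        key = (ev.name, ev.interface, ev.vlan)
        if self.event_throttling > 0:
            last = self._last_reported.get(key)
            if last is not None and ev.time - last < self.event_throttling:
                # Duplicate inside the window: not reported again, but Block still applies.
                return {"action": "throttled", "block": self.block}
            self._last_reported[key] = ev.time
        return {"action": "report", "display": self.display, "block": self.block}


def evaluate(filters: List[ResponseFilter], events: List[Event]) -> List[str]:
    """Return one decision string per event; 'default' means no filter applied."""
    decisions = []
    for ev in events:
        decision = "default"
        for f in filters:
            if f.matches(ev):
                result = f.respond(ev)
                decision = result["action"] + ("+block" if result.get("block") else "")
                break
        decisions.append(decision)
    return decisions


def demo() -> List[str]:
    """Constructed filters and events exercising each behaviour in the table."""
    filters = [
        ResponseFilter(event_names={"Constructed_Event_A"}, severity="high",
                       vlan_range=(100, 199), event_throttling=30,
                       display="without_raw_logs", block=True),
        ResponseFilter(event_names={"Constructed_Event_B"}, ignore_events=True),
        ResponseFilter(enabled=False, event_names={"Constructed_Event_C"}, block=True),
    ]
    events = [
        Event("Constructed_Event_A", "high", "eth0", 150, 0.0),   # reported and blocked
        Event("Constructed_Event_A", "high", "eth0", 150, 10.0),  # duplicate inside 30 s window
        Event("Constructed_Event_A", "high", "eth0", 250, 12.0),  # VLAN outside 100-199
        Event("Constructed_Event_A", "low", "eth0", 150, 13.0),   # severity does not match
        Event("Constructed_Event_B", "high", "eth0", 150, 14.0),  # Ignore Events filter
        Event("Constructed_Event_C", "high", "eth0", 150, 15.0),  # filter exists but is disabled
        Event("Constructed_Event_A", "high", "eth0", 150, 31.0),  # window expired, reported again
    ]
    return evaluate(filters, events)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the demo shows why the Enabled box and the narrowing criteria matter: the disabled Block filter for Constructed_Event_C changes nothing, the VLAN and severity restrictions keep the first filter from touching events it was not written for, and with Event Throttling set to 30 the repeated event at 10 s is suppressed from the console while the one at 31 s is reported again.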
What to do next
On the Add Response Filters window, you can specify IP address and port settings for IPv4 and IPv6 networks, and you can enable responses.