Use the general settings area of the Security Events page to enable security events, apply protection domains, and set how event information is displayed.
About this task
Navigating in IPS Local Management Interface:
Navigating in SiteProtector™ Management: select the Security Events policy
Procedure
- Click the Add icon.
- Complete the following settings:
Option | Description
--- | ---
Enabled | Enables the event as part of your security policy.
Protection Domain | Applies a protection domain to one event. Notes: you can apply only one event to one domain at a time; if you have not configured (or are not using) protection domains, the protection domain appears as "Global" in the list. Tips: to configure this event for another domain, copy and rename the event, and then assign the copy to the other domain; if the protection domain you want does not appear in the list, you can configure protection domains in .
Attack/Audit | Specifies whether the event is an attack or an audit. Audit: events that match network traffic seeking information about your network. Attack: events that match network traffic seeking to harm your network. Note: this area is unavailable when you are creating a custom event.
Event Name | Specifies a truncated name for the event. You can click the ellipsis button to choose from a list of names. Note: if you are editing an existing event, the event name appears; click Signature Information to view a brief description of the event. Note: in some policies, you can apply the policy to events detected by X-Force. In the Event Name list, filter the events by Issue Name, X-Force Assigned Risk, or IssueID number. Click the IssueID for details. If these events are triggered on the appliance, see them in and in .
Severity | Specifies a severity level for the event: low, medium, or high.
Protocol | Specifies a protocol for the event. Note: for existing events, this field displays the protocol type, which is not editable.
Ignore Events | Instructs the appliance to ignore events that match the criteria set for the event.
Display | Specifies how you want to display the event in the management console. No Display: does not display the detected event. Without Raw: logs a summary of the event. With Raw: logs a summary and the associated packet capture.
Block | Instructs the appliance to block the attack by dropping packets and sending resets to TCP connections.
Log Evidence | Determines the type of packets to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. None: the appliance captures no traffic. Offending Packet: when an event occurs, the appliance captures the suspicious traffic. Connection: when an event occurs, the appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID. Interface: when an event occurs, the appliance captures all traffic that passes through the specified interfaces. All Interfaces: when an event occurs, the appliance captures all traffic that passes through all interfaces.
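The settings above are usually reviewed one event at a time in the console; the following added example (not IBM code) lints a whole Security Events policy at once against the rules the table states: valid Severity, Display and Log Evidence values, the "Global" default when no protection domain is set, and the rule that one event may be assigned to only one domain. The row layout is an assumption: a real appliance export would need its own reader, and the sample rows are constructed.

```python
"""Lint a Security Events policy against the rules this page states.

Added example, not IBM code. The tuple row format is an assumption; only the
field names and allowed values come from the Security Events page.
"""
from collections import defaultdict

VALID_SEVERITY = {"low", "medium", "high"}
VALID_DISPLAY = {"No Display", "Without Raw", "With Raw"}
VALID_LOG_EVIDENCE = {"None", "Offending Packet", "Connection",
                      "Interface", "All Interfaces"}

# Constructed sample rows:
# (event name, protection domain, enabled, severity, display, block, log evidence)
SAMPLE_ROWS = [
    ("HTTP_Generic_Overflow", "Global", True, "high", "With Raw", True, "Offending Packet"),
    ("HTTP_Generic_Overflow", "DMZ", True, "high", "With Raw", True, "Offending Packet"),
    ("HTTP_Generic_Overflow-DMZ", "DMZ", True, "high", "With Raw", True, "Offending Packet"),
    ("SMB_Probe", "Global", True, "medium", "No Display", True, "Connection"),
    ("DNS_Audit", "", True, "loww", "Without Raw", False, "None"),
]


def normalize_domain(domain):
    """With no protection domain configured the event is listed as "Global"."""
    return domain or "Global"


def lint_policy(rows):
    """Return a list of (event name, problem) findings for the given rows."""
    findings = []
    domains_by_event = defaultdict(set)
    for name, domain, enabled, severity, display, block, evidence in rows:
        domains_by_event[name].add(normalize_domain(domain))
        if severity not in VALID_SEVERITY:
            findings.append((name, f"unknown severity {severity!r}"))
        if display not in VALID_DISPLAY:
            findings.append((name, f"unknown Display setting {display!r}"))
        if evidence not in VALID_LOG_EVIDENCE:
            findings.append((name, f"unknown Log Evidence setting {evidence!r}"))
        # Review heuristic: a blocked event set to No Display is never shown in the
        # console, so the block cannot be reviewed from there.
        if enabled and block and display == "No Display":
            findings.append((name, "blocks traffic but Display is No Display"))
    # One event name may be assigned to only one domain; copy and rename for others.
    for name, domains in domains_by_event.items():
        if len(domains) > 1:
            findings.append((name, f"assigned to {len(domains)} domains "
                                   f"{sorted(domains)}; copy and rename the event instead"))
    return findings
```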
What to do next
On the Add Security Events window, you can configure responses along with other miscellaneous settings such as the applicable XPU, event throttling, and default protection.