Configure quarantine rules and send quarantine responses
for events that are generated from suspicious activity that is identified
by the integrated SNORT system.
Quarantine responses
Set quarantine responses
for SNORT events in and in .
Important:
- Quarantine responses work only when you configure the appliance
to run in inline protection mode.
- The Issue ID option in predefined and custom
quarantine responses works for security events only. This option does
not identify traffic for other events.
- You cannot change the settings of, rename, or remove predefined
quarantine responses. Define custom quarantine responses to meet specific
needs.
- Quarantine responses generate quarantine rules to block a single
IP protocol (the protocol of the offending traffic) and not all traffic.
- Quarantine rules that are generated by quarantine responses have
a default duration of one hour. You can set or change the duration
for these rules when you set up responses for events.
For descriptions of the quarantine intruder, Trojan, Worm, and DDOS
responses, see Predefined quarantine responses.
Quarantine rules
The appliance displays SNORT significant events in . Use the single-click
feature on the Security Alerts page to create quarantine rules for SNORT
events. To generate a quarantine rule, click the event and select
Block Intruder. This action does not generate a block response.
Edit quarantine rules in .
Tip: If you do not see SNORT events on the Security Alerts page, check
whether the setting Send alert messages to syslog is enabled on the
SNORT Execution tab. When this setting is enabled, the SNORT system
does not send events to the Security Alerts page.