Views:
The Action Sets page lists the following actions:
Action Name - Description
Recommended - The default action set, as determined by the filter’s category settings. When you assign this action set to a filter, the filter uses the recommended action setting for the default category settings. The recommended action set can enable different configurations for filters within the same category: under a recommended category setting, some filters are disabled while others are enabled, and some have permit actions assigned while others are set to block.
Block (+TCP Reset) - Blocks a packet from being transferred to the network. You can use the TCP Reset option to reset blocked TCP flows.
Block + Notify (+TCP Reset) - Blocks a packet from being transferred and notifies all selected contacts of the blocked packet. You can use the TCP Reset option to reset blocked TCP flows. Note that when an action set is configured as Block + Notify + TCP Reset Destination and a Reputation filter is hit, the TCP reset sent to the destination IP does not work properly. To avoid this problem, do not use the 'tcp reset' feature when the trigger reason is Reputation, or use 'tcp reset both' instead.
Block + Notify + Trace (+TCP Reset) - Blocks a packet from being transferred, notifies all selected contacts of the blocked packet, and logs all information about the packet according to the packet trace settings. You can use the TCP Reset option to reset blocked TCP flows.
Permit + Notify - Permits a packet and notifies all selected contacts of the packet.
Permit + Notify + Trace - Permits a packet, notifies all selected contacts of the packet, and logs all information about the packet according to the packet trace settings.
Trust - Not configured on the device by default; you must create a Trust action set for this action to appear in the table. Enables trusted traffic to pass without inspection, with lower latency than Permit. Cannot be used with DDoS or IP Reputation filters.

Procedure:

  1. Select Policy > Objects > Action Sets.
  2. Click Add to create a new action set or Edit to change an existing one.
  3. Under the General tab:
    1. Enter the name of the action set.
    2. Select the action from the Action list.
    3. Select whether the option to reset a TCP connection is enabled. With TCP Reset enabled, the system resets the TCP connection for the source or destination IP when the Block action executes. This option can be configured on Block action sets.
    4. (Optional) Select Packet Trace. Packet Trace enables you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority and packet trace verbosity for action sets.
      • Priority sets the relative importance of the information captured. Low priority items are discarded before medium priority items if there is a resource shortage.
      • Verbosity determines how much of a suspicious packet will be logged for analysis. If you choose full verbosity, the whole packet is recorded. If you choose partial verbosity, you can choose how many bytes of the packet (from 64 to 25,618 bytes) the packet trace log records.
  4. Under the Notification Contacts tab, configure notification contacts (either human or machine) that get sent messages in response to a traffic-related event. You can configure any of the following notification contacts to be notified when the action is triggered:
    • Remote System Log - Sends messages to a Syslog server on your network. This is a default contact available in all action sets.
    • Management Console - Sends messages to the LSM device management application. This default contact is available in all action sets. If this contact is selected, messages are sent to the Alert or Block Log in the LSM, depending on whether a permit or block action has been executed.
  5. Under the Quarantine tab, assign a quarantine action set to a filter. You can select the following quarantine options for the action set:
    • (Optional) Select Quarantine hosts that trigger this action to quarantine the IP addresses that trigger this action. Then choose when the quarantine takes effect:
      • Select Quarantine hosts after the first hit to quarantine the host after its first hit.
      • Select Quarantine host to activate the quarantine after the specified number of hits (2 - 10,000) during the specified number of minutes (1 - 60).
    • Select Block non-HTTP traffic sent from quarantined hosts to block non-HTTP requests from quarantined hosts.
    • Select an action from the Response to HTTP traffic sent from the quarantined host list:
      • Displaying quarantine info - Select Event that triggered the quarantine action to display the events that triggered the quarantine, and select Text below to insert custom text.
      • Blocking it - Blocks the HTTP traffic.
      • Redirecting to the following site - Redirects HTTP requests from the quarantined host to the website you specify.
  6. Under the Quarantine Exceptions tab, you can select the following quarantine exceptions for the action set if you enabled the Quarantine hosts that trigger this action option in the preceding step:
    • Only quarantine these hosts - To quarantine specified hosts, enter the IP address/mask and click Add.
    • Do not quarantine these hosts - To exclude the specified hosts from quarantine, enter the IP address/mask and click Add.
    • Allow quarantined hosts to access these addresses - To allow the quarantined hosts to access the specified addresses, enter the IP address/mask and click Add.
  7. Click OK or OK/Continue to add another action set.
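The quarantine logic of steps 5 and 6 (hit thresholds within a time window, plus the Only quarantine / Do not quarantine exception lists) modelled in Python. This is an added example, not LSM or TippingPoint code; the exact matching semantics, the assumption that an empty "only" list means every host is eligible, and the sample hits are assumptions.

```python
"""Models the quarantine decision of an LSM action set (added example, not
TippingPoint code). Semantics of the two exception lists are assumed."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class QuarantinePolicy:
    """Quarantine hosts that trigger the action, using the page's thresholds
    (first hit, or 2-10,000 hits within 1-60 minutes) and the exception lists."""

    def __init__(self, hits=1, minutes=1, only_hosts=(), never_hosts=()):
        if hits != 1 and not 2 <= hits <= 10_000:
            raise ValueError("hits must be 1 (first hit) or 2-10,000")
        if not 1 <= minutes <= 60:
            raise ValueError("minutes must be 1-60")
        self.hits, self.window = hits, minutes * 60  # window in seconds
        self.only = [ip_network(n) for n in only_hosts]    # IP/mask strings
        self.never = [ip_network(n) for n in never_hosts]  # IP/mask strings
        self._recent = defaultdict(deque)  # host -> timestamps of recent hits
        self.quarantined = set()

    def _eligible(self, host):
        addr = ip_address(host)
        if any(addr in n for n in self.never):
            return False  # "Do not quarantine these hosts" always wins
        # Assumption: an empty "only" list means every host is eligible.
        return not self.only or any(addr in n for n in self.only)

    def record_hit(self, host, ts):
        """Record a filter hit from host at time ts (seconds); return whether
        the host is quarantined after this hit."""
        if host in self.quarantined:
            return True
        if not self._eligible(host):
            return False
        recent = self._recent[host]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # expire old hits
            recent.popleft()
        if len(recent) >= self.hits:
            self.quarantined.add(host)
            recent.clear()
            return True
        return False


def demo():
    """Constructed sample: quarantine after 3 hits in 5 minutes, 10.0.1.0/24 exempt."""
    policy = QuarantinePolicy(hits=3, minutes=5, never_hosts=["10.0.1.0/24"])
    events = [("10.0.0.5", 0), ("10.0.0.5", 60), ("10.0.1.9", 70),
              ("10.0.0.5", 120), ("10.0.0.7", 0), ("10.0.0.7", 1000)]
    return [(host, policy.record_hit(host, ts)) for host, ts in events]
```

In the sample, 10.0.0.5 is quarantined on its third hit inside the window, 10.0.1.9 is never quarantined because it matches the exception list, and 10.0.0.7's two hits fall outside the 5-minute window.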


Reference: Local Security Manager User's Guide