Procedure:
- Log in to the SMS from a client.
- From the top navigation pane, click Profiles. The Profiles screen displays.
- From the navigation pane on the left, click the + sign next to the Shared Settings to expand the category and select Action Sets.
- To create an action set, do one of the following:
  - Select the Action Sets tab and click New.
  - Right-click an entry and click New.
- To edit an action set, do one of the following:
  - Select the Action Sets tab, select an action, and click Edit.
  - Double-click the filter.
  - Right-click the filter and choose Edit.
- The Create Action Set or Edit Action Set wizard displays.
- Enter or change the Name for the action set.
- Select a Flow Control.
- Select Quarantine. This is used to quarantine a host IP (source or destination) address that triggers the filter. When you select Quarantine, two more options become available: Quarantine Settings and Quarantine Exceptions.
- Click Next or select Notifications from the wizard navigation pane.
- To have the SMS receive an alert, select Management Console.
- To use an SMS Active Response action, select the SMS Response check box and then choose the Active Response policy from the drop-down list that is to be tied to this action set.
- To enable remote Syslog, select Remote Syslog for the action set. The Syslog server that is defined on the device is the syslog server to use.
- To add an email notification contact, click Add in the Email area.
- To add an SNMP notification contact, click Add in the SNMP area.
- Click Next or select Packet Trace from the wizard navigation pane. To return to a previous screen, click Previous.
- To enable the packet trace, select the Packet Trace check box and complete the following items:
  - Select a Length: Full or Partial. If you select Partial, enter the number of bytes.
  - Select the Priority: High, Medium, or Low.
- Click Next or select Quarantine Settings from the wizard navigation pane. To return to a previous screen, click Previous.
- In Thresholds, select one of the following quarantine actions:
  - Hit Count (1-10,000 hits) and the Period of time (1-60 minutes).
  - Permit or Block - the action performed before the threshold is reached.
  - TCP Reset - select Source, Destination, or Both.
- For Web Requests, select one of the following quarantine responses:
  - Block - web requests are blocked entirely.
  - Redirect - redirect to a web server. Enter a web server address. Any web requests are redirected to the URL specified.
  - Display - display a quarantine web page. The page displays according to the options you select. You can select to display:
    - Show the filter causing the quarantine action
    - Show the description of the filter causing the quarantine action
    - Show customized HTML, specified below. You can include HTML code in this field with a maximum of 1500 characters.
- For non-HTTP Other Traffic, choose an action: Block or Permit.
- Click Next or select Quarantine Exceptions from the wizard navigation pane. To return to a previous screen, click Previous.
- To add a restriction that limits the quarantine action to specified IP addresses, do the following:
  - Select the Restrictions tab and click New.
  - Enter a Name.
  - Enter a Source Address and select the type: CIDR, IP Mask, or Any IP.
  - Click OK. Repeat to add multiple IP addresses.
- To add an exception that excludes IP addresses from quarantine actions, do the following:
  - Select the Exceptions tab and click New.
  - Enter a Name.
  - Enter a Source Address and select the type: CIDR, IP Mask, or Any IP.
  - Click OK. Repeat to add multiple IP addresses.
- To allow quarantined access to other specific hosts while they are quarantined, do the following:
  - Select the Quarantined Access tab and click New.
  - Enter a Name.
  - Enter a Source Address and select the type: CIDR, IP Mask, or Any IP.
  - Click OK. Repeat to add multiple IP addresses.
- To return to a previous screen, click Previous.
- After entering information on the final screen, click Finish to save your entries.
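
Before entering values in the wizard, a planned quarantine configuration can be checked offline against the limits stated in the steps above. The following is an added example, not part of the SMS or its documentation: the plan layout, the function names and the address input forms are assumptions, and because the procedure does not say how the device resolves an exception that overlaps a restriction, the script only reports the overlap for review.

```python
import ipaddress

# Limits stated in the procedure above.
HIT_COUNT = (1, 10_000)      # hits
PERIOD_MIN = (1, 60)         # minutes
MAX_CUSTOM_HTML = 1500       # characters

def parse_entry(address, kind):
    """Parse one Source Address entry; kind is CIDR, IP Mask or Any IP."""
    if kind == "Any IP":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind in ("CIDR", "IP Mask"):
        # Assumed input forms: 10.1.2.0/24 or 10.1.2.0/255.255.255.0.
        # strict=True rejects entries with host bits set (likely typos).
        return ipaddress.ip_network(address, strict=True)
    raise ValueError(f"unknown address type {kind!r}")

def review_plan(plan):
    """Return a list of findings for a planned quarantine action set."""
    findings = []
    if not HIT_COUNT[0] <= plan["hit_count"] <= HIT_COUNT[1]:
        findings.append("hit count outside 1-10,000")
    if not PERIOD_MIN[0] <= plan["period_minutes"] <= PERIOD_MIN[1]:
        findings.append("period outside 1-60 minutes")
    if len(plan.get("custom_html", "")) > MAX_CUSTOM_HTML:
        findings.append("customized HTML longer than 1500 characters")
    nets = {"restrictions": [], "exceptions": []}
    for tab in nets:
        for name, address, kind in plan.get(tab, []):
            try:
                nets[tab].append((name, parse_entry(address, kind)))
            except ValueError as exc:
                findings.append(f"{tab} entry {name!r}: {exc}")
    for name, net in nets["exceptions"]:
        if net.prefixlen == 0:
            findings.append(f"exception {name!r} excludes every address")
        for r_name, r_net in nets["restrictions"]:
            if net.overlaps(r_net):
                findings.append(f"exception {name!r} overlaps restriction {r_name!r}")
    return findings

# Constructed sample plan (names and addresses are made up for illustration).
SAMPLE_PLAN = {
    "hit_count": 5, "period_minutes": 90, "custom_html": "<p>Contact IT</p>",
    "restrictions": [("user-lan", "10.20.0.0/16", "CIDR")],
    "exceptions": [("dns", "10.20.0.53/255.255.255.255", "IP Mask"),
                   ("typo", "10.30.1.5/24", "CIDR")],
}
```

Calling `review_plan(SAMPLE_PLAN)` reports the out-of-range period, the mistyped exception entry, and the exception that falls inside the restricted range.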
Reference: SMS User Guide