Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

How do I manage Reputation Filters from the SMS?

    • Updated:
    • 24 Aug 2017
    • Product/Version:
    • TippingPoint SMS All
    • TippingPoint Virtual SMS
    • Platform:
Summary

A Reputation filter associates an action set with one or more of entries in the Reputation Database. Possible actions include: block, permit, notify, and trace. When the profile containing the Reputation filter is distributed to a device, the specified actions are applied to traffic that matches the addresses of tagged entries in the Reputation Database that have been screened using specified tag criteria.

Creating a Reputation Filter consists of two steps. In the first step, you define the general settings: name for the filter, the state, locked status, action set, and the type of Reputation Database entries. In the second step, you specify the tag criteria to use when matching entries in the Reputation Database.

Details
Public

Edit Reputation settings

Reputation settings apply to all Reputation filters in a profile.

  1. Select Profiles -> Inspection Profiles -> [Profile Name] -> User Defined Filters -> Reputation/Geo.
  2. Click Edit Settings.
  3. Select Locked to lock the settings for all Reputation filters in the profile.
  4. Select a Filter Matching Address to specify which address of an incoming packet is used when it matches a Reputation filter.
  5. Select a Lookup Packet Handling option to specify what the device should do with incoming packets during a Reputation lookup.
  6. Click OK

Create or edit a Reputation filter

  1. Select Profiles -> Inspection Profiles -> [Profile Name] -> User Defined Filters -> Reputation/Geo.
  2. Do one of the following:
    • Click New Reputation to create a new Reputation filter.
    • Select an existing Reputation filter, and click Edit.
  3. Enter a filter title in the Name field, and then select the Locked check box if you want to prevent the ability to edit the filter.
  4. Select the appropriate block or permit action from the Action Set drop-down list, and select the Enabled check box to enable the filter. If you clear this check box, the Reputation filter will not be check box to enable the filter. If you clear this check box, the Reputation filter will not be distributed to the device.
  5. (Optional) Provide a brief description or comment about the Reputation filter in the Comments field.
  6. Click Entry Selection Criteria and specify the following items:
    1. Entry Criteria — Select the type of address entries (IPv4, IPv6, or DNS Domains) from the Reputation Database to include in the filter.
    2. Tag Criteria — Select the type of tag entries (tagged or untagged) from the Reputation Database to— Select the type of tag entries (tagged or untagged) from the Reputation Database to include in the filter and then select the check box next to any tag category you want to include.

Note: If the tag criteria contains Does not have this tag, when you distribute the profile, the SMS sends all entries that do not have this tag category to the device including Reputation DV, geographic, and user provided entries.

  1. Click OK.

Edit a Reputation filter

  1. On the Profiles navigation pane, expand Profiles, expand Inspection Profiles, expand Default, expand User Defined Filters, and then click Reputation/Geo. The Reputation Filters and Settings workspace appears.
  2. Select a Reputation filter from table, and then click Edit. Alternatively, double-click a filter in table to open it. The Edit Reputation Filter wizard opens.
  3. Update any fields as required.
  4. Click OK.

Change the precedence of a Reputation or Geographic filter (move up/down)

  1. On the Profiles navigation pane, expand Profiles, expand Inspection Profiles, expand Default, expand User Defined Filters, and then click Reputation/Geo. The Reputation Filters and Settings workspace appears.
  2. Select a Reputation or Geographic filter from the table, and then click the appropriate button:
    • Click Move Up to move the highlighted entry up.
    • Click Move Down to move the highlighted entry down.

Important: By default, the Reputation and Geographic filters display in the order in which they were created, and the Reputation engine matches the first filter and applies the selected action.

Note: Creating a Geographic filter for a country—that has a large range of IP addresses and a significant amount of traffic—and selecting the Notify action set can affect the device adversely by the large number of events generated.

The new order is automatically saved.


Delete a Reputation or Geographic filter

Important: Deleting a Reputation or Geographic filter will also remove all data relating to that filter; however, any events that were generated for the filter will still be visible. In circumstances in which you no longer need to deny a country but it is linked to events and reports, it may be better to disable the state of the filter rather than delete it.

  1. On the Profiles navigation pane, expand Profiles, expand Inspection Profiles, expand Default, expand User Defined Filters, and then click Reputation/Geo. The Reputation Filters and Settings workspace appears.
  2. Select a Reputation or Geographic filter from the table, and then click Delete. A dialog appears in which you can confirm the deletion.

Create or edit Reputation filter exceptions

  1. Go to Profiles -> Inspection Profiles -> Default -> User Defined Filters -> Reputation/Geo
  2. Click the Exceptions tab.
  3. To edit an existing Reputation filter exception, select an exception name, and then click Edit.
  4. To create a new Reputation filter exception, click Add.
  5. (Optional) Select Locked if you want to lock the settings.
  6. Type a name for the exception in the Name field.
  7. In the Source IP Address field, do one of the following:
    • Select Any IP to apply the restriction to all traffic sources.
    • Select IP Address, and provide or select an IP address to apply the restriction to that specific source.
  8. In the Destination IP Address field, enter an IP address and do one of the following:
    • Select Any IP to apply the restriction to all traffic destinations.
    • Select IP Address, and specify an IP address to apply the restriction to that specific destination.
  9. Click OK.

Create or edit domain name exceptions

  1. Go to Profiles -> Inspection Profiles -> Default -> User Defined Filters -> Reputation/Geo
  2. Click the Exceptions tab.
  3. To edit an existing domain name exception, select a domain name, and then click Edit.
  4. To create a new domain name exception, click Add.
  5. (Optional) Select Locked if you want to lock the settings.
  6. Type a name for the Reputation domain name in the Name field.
    • Important: You must explicitly list each domain name that you want to exclude from the filters. Wildcards, such as an asterisk (*), do not work.
  7.  Click OK.
Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000086236
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.