How do I create or edit a Quarantine Action Set on the SMS?

Updated: 24 Aug 2017
Product/Version: TippingPoint SMS All; TippingPoint Virtual SMS
Summary
The Quarantine option lets your devices contain or remove offending network users or devices, and lets you automate sophisticated responses to security events. By enabling quarantine with a Block action set, you reduce the exposure of your network to internal and external threats.
Details

Procedure:

  1. Log in to the SMS from a client.
  2. From the top navigation pane, click Profiles. The Profiles screen displays.
  3. From the navigation pane on the left, click the + sign next to the Shared Settings to expand the category and select Action Sets.
  4. To Create an action set, do one of the following:
    • Select the Action Sets tab and click New.
    • Right-click an entry and click New.
  5. To Edit an action set, do one of the following:
    • Select the Action Sets tab, select an action, and click Edit.
    • Double-click the filter.
    • Right-click the filter and choose Edit.
  6. The Create Action Set or Edit Action Set wizard displays.
  7. Enter or change the Name for the action set.
  8. Select a Flow Control.
  9. Select Quarantine. This option is used to quarantine a host IP (source or destination) address that triggers the filter. When you select Quarantine, two more options become available: Quarantine Settings and Quarantine Exceptions.
  10. Click Next or select Notifications from the wizard navigation pane.
    • To have the SMS receive an alert, select Management Console.
    • To use an SMS Active Response action, select the SMS Response check box and then choose the Active Response policy from the drop-down list that is to be tied to this action set.
    • To enable remote syslog, select Remote Syslog for the action set. The syslog server that is defined on the device is the syslog server to use.
    • To add an email notification contact, click Add in the Email area.
    • To add an SNMP notification contact, click Add in the SNMP area.

Note: For both Email and SNMP, you can select entries to add or click New to create new notification contacts.
Note: SNMP notification contacts require SNMPv2, and will not work when SNMPv2 is disabled.

  11. Click Next or select Packet Trace from the wizard navigation pane. To return to a previous screen, click Previous.
  12. To enable the packet trace, select the Packet Trace check box and complete the following items:
    • Select a Length: Full or Partial. If you select Partial, enter the number of bytes.
    • Select the Priority: High, Medium, or Low.
  13. Click Next or select Quarantine Settings from the wizard navigation pane. To return to a previous screen, click Previous.
  14. In Thresholds, select one of the following quarantine actions:
    • Hit Count (1-10,000 hits) and the Period of time (1-60 minutes).
    • Permit or Block: the action performed before the threshold is reached.
    • TCP Reset: select source, destination, or both.
  15. For Web Requests, select one of the following quarantine responses:
    • Block: web requests are blocked entirely.
    • Redirect to a web server: enter a web server address. Any web requests are redirected to the URL specified.
    • Display quarantine web page: the page displays according to the options you select. You can select to display:
      • Show the filter causing the quarantine action
      • Show the description of the filter causing the quarantine action
      • Show customized HTML, specified below. You can include HTML code in this field with a maximum of 1500 characters.

Note: When entering HTML code for the message, do not use the <frameset> and <form> HTML tags.

  16. For non-HTTP Other Traffic, choose an action: Block or Permit.
  17. Click Next or select Quarantine Exceptions from the wizard navigation pane. To return to a previous screen, click Previous.
  18. To add a restriction that limits the quarantine action to specified IP addresses, do the following:
    • Select the Restrictions tab and click New.
    • Enter a Name.
    • Enter a Source Address and select the type: CIDR, IP Mask, or Any IP.
    • Click OK. Repeat to add multiple IP addresses.
  19. To add an exception that excludes IP addresses from quarantine actions, do the following:
    • Select the Exceptions tab and click New.
    • Enter a Name.
    • Enter a Source Address and select the type: CIDR, IP Mask, or Any IP.
    • Click OK. Repeat to add multiple IP addresses.
  20. To allow quarantined access to other specific hosts while they are quarantined, do the following:
    • Select the Quarantined Access tab and click New.
    • Enter a Name.
    • Enter a Source Address and select the type: CIDR, IP Mask, or Any IP.
    • Click OK. Repeat to add multiple IP addresses.
  21. To return to a previous screen, click Previous. After entering information on the final screen, click Finish to save your entries.
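
The limits and address options stated in this procedure (hit count, period, the 1500-character HTML field, the disallowed tags, restrictions and exceptions) can be checked against a planned configuration before it is entered in the wizard. The following is an added example, not Trend Micro code: the plan dictionary, the function names, the address/mask and "any" input forms, and the rule that an exception overrides a restriction are assumptions, and the addresses are constructed documentation ranges.

```python
import ipaddress
import re

# Limits quoted from the article; everything else here is illustrative.
HIT_RANGE = range(1, 10_001)      # Hit Count: 1-10,000 hits
PERIOD_RANGE = range(1, 61)       # Period: 1-60 minutes
MAX_HTML = 1500                   # customized HTML: max 1500 characters
BANNED_TAGS = re.compile(r"<\s*/?\s*(frameset|form)\b", re.IGNORECASE)

def to_net(entry):
    """Parse a CIDR or address/mask entry; 'any' means every IPv4 address."""
    if entry.strip().lower() in ("any", "any ip"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(entry.strip(), strict=False)

def validate_plan(plan):
    """Return a list of problems found in a planned quarantine action set."""
    problems = []
    if plan["hit_count"] not in HIT_RANGE:
        problems.append("hit_count outside 1-10,000")
    if plan["period_minutes"] not in PERIOD_RANGE:
        problems.append("period_minutes outside 1-60")
    html = plan.get("custom_html", "")
    if len(html) > MAX_HTML:
        problems.append("custom_html longer than 1500 characters")
    if BANNED_TAGS.search(html):
        problems.append("custom_html uses <frameset> or <form>")
    for key in ("restrictions", "exceptions"):
        for entry in plan.get(key, []):
            try:
                to_net(entry)
            except ValueError:
                problems.append(f"{key}: cannot parse {entry!r}")
    return problems

def quarantine_applies(plan, host):
    """Assumed reading: restrictions narrow the scope, exceptions always win."""
    ip = ipaddress.ip_address(host)
    restricted = [to_net(e) for e in plan.get("restrictions", [])]
    excepted = [to_net(e) for e in plan.get("exceptions", [])]
    if any(ip in net for net in excepted):
        return False
    return not restricted or any(ip in net for net in restricted)

# Constructed sample plan (documentation address ranges, not real hosts).
SAMPLE_PLAN = {
    "hit_count": 5, "period_minutes": 10,
    "custom_html": "<p>Your device was quarantined. Contact the help desk.</p>",
    "restrictions": ["192.0.2.0/24"],
    "exceptions": ["192.0.2.53/32"],
}
```

Running `quarantine_applies` over a list of critical hosts (DNS, directory, management stations) before clicking Finish shows which of them still fall inside the quarantine scope and need an exception.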
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000087437