Action sets determine what the device does when a packet matches a filter. An action set can contain more than one action, and more than one type of action. When you modify or add an action set, the settings change enterprise-wide for all filters using the action set. The SMS provides default action sets that can be customized for your security policy.
| Action Set Type | Description |
|---|---|
| Block | Blocks a packet from being transferred to the network. |
| Block + Notify | Blocks a packet from being transferred and notifies the SMS management console in the form of an event listing. |
| Block + Notify + Trace | Blocks a packet from being transferred, notifies the SMS management console in the form of an event listing, and logs all information about the packet according to the packet trace settings. |
| Permit + Notify | Permits a packet and notifies the SMS management console in the form of an event listing. |
| Permit + Notify + Trace | Permits a packet, notifies the SMS management console in the form of an event listing, and logs all information about the packet according to the packet trace settings. |
| Trust | Allows the traffic stream to continue without comparing it with any other filter rules. |
- Log in to the SMS from a client.
- From the top navigation pane, click Profiles. The Profiles screen displays.
- From the navigation pane on the left, click the + sign next to Profiles to expand the category.
- From the navigation pane on the left, select Shared Settings.
- To create an action set, do one of the following:
  - Select the Action Sets tab and click New.
  - On the Menu Bar, select the File > New > Action Set menu item.
  - Right-click an entry and click New.
- To edit an action set, do one of the following:
  - Select the Action Sets tab, select an action, and click Edit.
  - Double-click the filter.
  - Right-click the filter and choose Edit.
- The Create Action Set wizard displays.
- Enter a Name for the action set.
- Select a Flow Control:
  - Permit: Select to permit traffic associated with this action set.
  - Block: Select to block traffic. TCP Reset: Used with the Block action, resets the source, destination, or both IPs of an attack. This option resets blocked TCP flows.
  - Quarantine: Used to quarantine a host IP (source or destination) address that triggers the filter.
  - Rate Limit: Select to limit the traffic rate and enter an amount for the bandwidth. See Action Sets: Flow Control Rate Limit Configurations. Select a rate for the rate limit setting.
  - Trust: Select to trust traffic associated with this action set.
- Click Next or select Notifications from the wizard navigation pane.
- To have the SMS receive an alert, select Management Console.
- To use an SMS Active Response action, select the SMS Response check box and then choose the Active Response policy from the drop-down list that is to be tied to this action set.
- To enable remote syslog, select Remote Syslog for the action set. The syslog server that is defined on the device is the syslog server to use.
- To add an email notification contact, click Add in the Email area.
- To add an SNMP notification contact, click Add in the SNMP area.
- Note: For both Email and SNMP, you can select entries to add or click New to create new notification contacts.
- Note: SNMP notification contacts require SNMPv2, and will not work when SNMPv2 is disabled.
- Click Next or select Packet Trace from the wizard navigation pane. To return to a previous screen, click Previous.
- To enable the packet trace, select the Packet Trace check box and complete the following items:
  - Select a Length: Full or Partial. If you select Partial, enter the number of bytes.
  - Select the Priority: High, Medium, or Low.
- To return to a previous screen, click Previous. After entering information on the final screen, click Finish to save your entries.
Reference: SMS User Guide