| Setting | Option | Description |
|---|---|---|
| Actions | Permit | A permit action allows a packet to reach its intended destination. |
| | Block | A block action discards a packet. A block action can also be configured to quarantine the host and/or perform a TCP reset. |
| | Rate Limit | A rate limit action enables you to define the maximum bandwidth available for the traffic stream. |
| | Trust | A trust action allows the designated traffic to bypass all inspection; the traffic is transmitted immediately. Trust has lower latency than Permit, and using it can reduce load on the CPU and processors. |
| Packet Trace | | Allows you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority and packet trace verbosity for action sets. |
| | Priority | Sets the relative importance of the information captured. Low priority items will be discarded before medium priority items if there is a resource shortage. |
| | Verbosity | Determines how much of a suspicious packet will be logged for analysis. If you choose full verbosity, the whole packet will be recorded. If you choose partial verbosity, you can choose how many bytes of the packet (from 64 to 13330 bytes) the packet trace log records. |
| Notification Contacts | | Indicate the contacts to notify about the event. These contacts can be systems, individuals, or groups. |

Note: You must create or modify a notification contact before configuring an Action Set that uses the contact.
- On the LSM menu, click IPS > Action Sets.
- On the Action Sets page, click Create Action Set. To edit an existing action set, click the action set name.
- Enter or edit the action set name.
- Select the parameters for the action set:
  - Permit: Allows traffic. Can be used in conjunction with quarantine.
  - Rate Limit: Limits the speed of traffic. You must select a Rate.
  - Block: Blocks traffic from entering the network. Can be used in conjunction with quarantine.
  - TCP Reset: Used with the Block action, resets the source, destination, or both IPs of an attack. This option resets blocked TCP flows.
  - Trust: Allows traffic to pass without inspection.
  - Packet Trace: Enables or disables packet tracing. Specify Priority and Verbosity; if you choose partial verbosity, enter the number of bytes to capture (between 64 and 13330).
- Select the contact that will be notified when the action occurs. If there are no contacts displayed, you must create an Email or SNMP Notification Contact first.
- If desired, select the quarantine options for the action set:
  - No: The action set does not include a Quarantine action.
  - Immediate: When the action set is triggered, the quarantine goes into immediate effect.
  - Quarantine After: When the desired threshold is reached, the quarantine goes into effect.
  - HTTP Traffic options: HTTP requests from the quarantined host can be blocked, redirected to a web server, or redirected to a custom page that displays information about the filter that triggered the quarantine action.
  - Non-HTTP Traffic: Non-HTTP requests can be blocked or permitted.
  - Limit quarantine to the following IP address(es): Enables the quarantine to be restricted to a limited set of hosts.
  - Do not quarantine the following IP address(es): Enables a whitelist of hosts that will not be quarantined.
  - Allow quarantined hosts to access the following IP address(es): Enables quarantined hosts to access selected IP addresses.
- Click Create or Save.
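
The constraints in the table and procedure above can be checked before a change is entered in the LSM. The following is an added example, not code from the guide or the product: the dictionary layout, key names, and `lint_action_set` are assumptions for illustration, and reporting Trust and conflicting quarantine lists as "review" items is this example's own policy.

```python
import ipaddress

ACTIONS = {"permit", "block", "rate_limit", "trust"}
TRACE_MIN, TRACE_MAX = 64, 13330  # partial-verbosity byte range stated above

def lint_action_set(aset, known_contacts):
    """Return (severity, message) findings for one action-set dict."""
    out = []
    action = aset.get("action")
    if action not in ACTIONS:
        out.append(("error", f"unknown action {action!r}"))
    if action == "rate_limit" and not aset.get("rate"):
        out.append(("error", "Rate Limit needs a Rate"))
    if aset.get("tcp_reset") and action != "block":
        out.append(("error", "TCP Reset is used with Block only"))
    if action == "trust":  # bypasses all inspection, so flag for human review
        out.append(("review", "Trust bypasses all inspection"))
    trace = aset.get("packet_trace")
    if trace and trace.get("verbosity") == "partial":
        size = trace.get("bytes")
        if not isinstance(size, int) or not TRACE_MIN <= size <= TRACE_MAX:
            out.append(("error", f"trace bytes must be {TRACE_MIN}-{TRACE_MAX}"))
    elif trace and trace.get("verbosity") != "full":
        out.append(("error", "Packet Trace needs full or partial verbosity"))
    for contact in aset.get("contacts", []):
        if contact not in known_contacts:  # contacts must exist beforehand
            out.append(("error", f"contact {contact!r} must be created first"))
    q = aset.get("quarantine", {"mode": "no"})
    if q["mode"] == "after" and not q.get("threshold"):
        out.append(("error", "Quarantine After needs a threshold"))
    if q["mode"] != "no":  # same host in both lists is contradictory
        limit = {ipaddress.ip_address(a) for a in q.get("limit_to", [])}
        exempt = {ipaddress.ip_address(a) for a in q.get("do_not_quarantine", [])}
        for addr in sorted(map(str, limit & exempt)):
            out.append(("review", f"{addr} is both limited-to and exempt"))
    return out

# Constructed sample definitions; contact names and addresses are made up.
KNOWN_CONTACTS = {"soc-email"}
GOOD = {"action": "block", "tcp_reset": "both", "contacts": ["soc-email"],
        "packet_trace": {"priority": "medium", "verbosity": "partial", "bytes": 512},
        "quarantine": {"mode": "after", "threshold": 5}}
BAD = {"action": "trust", "tcp_reset": "source", "contacts": ["noc-snmp"],
       "packet_trace": {"priority": "low", "verbosity": "partial", "bytes": 32},
       "quarantine": {"mode": "immediate", "limit_to": ["192.0.2.10"],
                      "do_not_quarantine": ["192.0.2.10"]}}
if __name__ == "__main__":
    for name, aset in (("good", GOOD), ("bad", BAD)):
        print(name, lint_action_set(aset, KNOWN_CONTACTS))
```
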
Reference: Local Security Manager User's Guide