How do I create or edit an IPS Action Set via the LSM?

    • Updated: 7 Dec 2017
    • Product/Version:
        • TippingPoint IPS N-series All
        • TippingPoint IPS NX-series All
        • TippingPoint IPS S-series All
        • TippingPoint SecBlade All
Summary
Action Sets determine what the IPS device does when a packet triggers a filter. An action set can contain more than one action, and can contain more than one type of action. The types of action that can be specified include the following:
   
Actions:
    • Permit: A permit action allows a packet to reach its intended destination.
    • Block: A block action discards a packet. A block action can also be configured to quarantine the host and/or perform a TCP reset.
    • Rate Limit: A rate limit action enables you to define the maximum bandwidth available for the traffic stream.
    • Trust: A trust action allows the designated traffic to bypass all inspection; the traffic is transmitted immediately. Trust has lower latency than Permit, and using it can reduce load on the CPU and processors.
    • Packet Trace: Allows you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority and packet trace verbosity for action sets.
        • Priority: Sets the relative importance of the information captured. Low priority items will be discarded before medium priority items if there is a resource shortage.
        • Verbosity: Determines how much of a suspicious packet will be logged for analysis. If you choose full verbosity, the whole packet will be recorded. If you choose partial verbosity, you can choose how many bytes of the packet (from 64 to 13330 bytes) the packet trace log records.
    • Notification Contacts: Indicate the contacts to notify about the event. These contacts can be systems, individuals, or groups.
Note: You must create or modify a notification contact before configuring an Action Set that uses the contact.
Details

Procedure:

  1. On the LSM menu, click IPS > Action Sets.
  2. On the Action Sets page, click Create Action Set. To edit an existing action set, click the action set name.
  3. Enter or edit the action set name.
  4. Select the parameters for the action set:
    • Permit: Allows traffic. Can be used in conjunction with quarantine.
    • Rate Limit: Limits the speed of traffic. You must select a Rate.
    • Block: Blocks traffic from entering the network. Can be used in conjunction with quarantine.
    • TCP Reset: Used with the Block action, resets the source, destination, or both IPs of an attack. This option resets blocked TCP flows.
    • Trust: Allows traffic to pass without inspection.
    • Packet Trace: Enables or disables packet tracing. Specify Priority and Verbosity; if you choose partial verbosity, enter the number of bytes to capture (between 64 and 13330).
  5. Select the contact that will be notified when the action occurs. If there are no contacts displayed, you must create an Email or SNMP Notification Contact first.
  6. If desired, select the quarantine options for the action set:
    • No: The action set does not include a Quarantine action.
    • Immediate: When the action set is triggered, the quarantine goes into immediate effect.
    • Quarantine After: When the desired threshold is reached, the quarantine goes into effect.
    • HTTP Traffic options: HTTP requests from the quarantined host can be blocked, redirected to a web server, or redirected to a custom page that displays information about the filter that triggered the quarantine action.
    • Non-HTTP Traffic: Non-HTTP requests can be blocked or permitted.
    • Limit quarantine to the following IP address(es): Enables the quarantine to be restricted to a limited set of hosts.
    • Do not quarantine the following IP address(es): Enables a whitelist of hosts that will not be quarantined.
    • Allow quarantined hosts to access the following IP address(es): Enables quarantined hosts to access selected IP addresses.
  7. Click Create or Save.
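
A planned action set can be checked against the constraints in this procedure before it is entered in the LSM. The following is an added example, not part of the original article or any TippingPoint tooling; the dict layout, key names, the single `action` field per set, and the sample plan are assumptions made for illustration.

```python
# Added example: pre-change check of a planned action set against the rules
# stated in this article. The dict layout and key names are hypothetical;
# they are not an LSM export or API format.

TRACE_MIN, TRACE_MAX = 64, 13330  # partial-verbosity byte range from the article


def check_action_set(aset, known_contacts):
    """Return a list of problems found in one planned action set."""
    problems = []
    action = aset.get("action")
    if not aset.get("name"):
        problems.append("action set name is empty")
    if action not in ("permit", "rate_limit", "block", "trust"):
        problems.append(f"unknown action {action!r}")
    if action == "rate_limit" and not aset.get("rate"):
        problems.append("Rate Limit requires a Rate")
    if aset.get("tcp_reset") and action != "block":
        problems.append("TCP Reset is only used with the Block action")
    if action == "trust":
        # Not an error, but Trust skips inspection, so it should be reviewed.
        problems.append("review: Trust bypasses all inspection")
    trace = aset.get("packet_trace")
    if trace and trace.get("verbosity") == "partial":
        n = trace.get("bytes")
        if not isinstance(n, int) or not TRACE_MIN <= n <= TRACE_MAX:
            problems.append(
                f"partial verbosity needs {TRACE_MIN}-{TRACE_MAX} bytes, got {n!r}")
    for contact in aset.get("contacts", []):
        if contact not in known_contacts:
            problems.append(f"contact {contact!r} must be created first")
    if aset.get("quarantine", "no") == "after" and not aset.get("quarantine_threshold"):
        problems.append("Quarantine After requires a threshold")
    return problems


# Constructed sample plan, not taken from a real device.
PLAN = [
    {"name": "Block + Notify", "action": "block", "tcp_reset": "both",
     "contacts": ["soc-email"], "quarantine": "immediate",
     "packet_trace": {"priority": "medium", "verbosity": "partial", "bytes": 256}},
    {"name": "Permit + Reset", "action": "permit", "tcp_reset": "source",
     "contacts": ["snmp-noc"],
     "packet_trace": {"priority": "low", "verbosity": "partial", "bytes": 32}},
    {"name": "Trust Backup", "action": "trust"},
]

if __name__ == "__main__":
    for aset in PLAN:
        for problem in check_action_set(aset, known_contacts={"soc-email"}):
            print(f"{aset['name']}: {problem}")
```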

 

Reference: Local Security Manager User's Guide

Category: Configure
Solution Id: TP000096752