| Setting | Option | Description |
|---|---|---|
| Actions | Permit | A permit action allows a packet to reach its intended destination. |
| | Block | A block action discards a packet. A block action can also be configured to quarantine the host and/or perform a TCP reset. |
| | Rate Limit | A rate limit action enables you to define the maximum bandwidth available for the traffic stream. |
| | Trust | A trust action allows the designated traffic to bypass all inspection; the traffic is transmitted immediately. Trust has lower latency than Permit, and using it can reduce load on the CPU and processors. |
| Packet Trace | | Allows you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority and packet trace verbosity for action sets. |
| | Priority | Sets the relative importance of the information captured. Low priority items will be discarded before medium priority items if there is a resource shortage. |
| | Verbosity | Determines how much of a suspicious packet will be logged for analysis. If you choose full verbosity, the whole packet will be recorded. If you choose partial verbosity, you can choose how many bytes of the packet (from 64 to 13330 bytes) the packet trace log records. |
| Notification Contacts | | Indicate the contacts to notify about the event. These contacts can be systems, individuals, or groups. Note: You must create or modify a notification contact before configuring an Action Set that uses the contact. |
Procedure:
- Select Policy > Objects > Action Sets.
- Click Add to create a new action set or Edit to change an existing one.
- Under the General tab:
  - Enter the name of the action set.
  - Select the action from the Action list.
  - Select whether the option to reset a TCP connection is enabled. With TCP Reset enabled, the system resets the TCP connection for the source or destination IP when the Block action executes. This option can be configured on Block action sets.
  - (Optional) Select Packet Trace. Packet Trace enables you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority and packet trace verbosity for the action set:
    - Priority sets the relative importance of the information captured. Low priority items are discarded before medium priority items if there is a resource shortage.
    - Verbosity determines how much of a suspicious packet is logged for analysis. If you choose full verbosity, the whole packet is recorded. If you choose partial verbosity, you can choose how many bytes of the packet (from 64 to 25,618 bytes) the packet trace log records.
- Under the Notification Contacts tab, configure notification contacts (either human or machine) that are sent messages in response to a traffic-related event. You can configure any of the following notification contacts to be notified when the action is triggered:
  - Remote System Log – Sends messages to a syslog server on your network. This is a default contact available in all action sets.
  - Management Console – Sends messages to the LSM device management application. This default contact is available in all action sets. If this contact is selected, messages are sent to the Alert or Block Log in the LSM, depending on whether a permit or block action has executed.
- Under the Quarantine tab, assign a quarantine action set to a filter. You can select the following quarantine options for the action set:
  - (Optional) Select Quarantine hosts that trigger this action to quarantine the IP addresses that trigger this action.
    - Select Quarantine hosts after first hit to quarantine the host after the first hit.
    - Select Quarantine host after to activate the quarantine after the specified number of hits (2 – 10,000) during the specified number of minutes (1 – 60).
    - Select Block non-HTTP traffic sent from quarantined hosts to block non-HTTP requests from quarantined hosts.
    - Select an action from the Response to HTTP traffic sent from quarantined hosts list:
      - Displaying quarantine info – Select Event that triggered the quarantine action to display the events that triggered the quarantine, and select Text below to insert custom text.
      - Blocking it – Block the HTTP traffic from the quarantined host.
      - Redirecting to the following site – Redirect HTTP requests from the quarantined host to a website.
- Under the Quarantine Exceptions tab, if you enabled the Quarantine hosts that trigger this action option in the preceding step, you can select the following quarantine exceptions for the action set:
  - Only quarantine these hosts – To quarantine only the specified hosts, enter the IP address/mask and click Add.
  - Do not quarantine these hosts – To exclude the specified hosts from quarantine, enter the IP address/mask and click Add.
  - Allow quarantined hosts to access these addresses – To allow quarantined hosts to reach the specified addresses, enter the IP address/mask and click Add.
- Click OK, or OK/Continue to add another action set.
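As an added example that is not part of the Local Security Manager guide or the device's own code, the following Python models how the Quarantine and Quarantine Exceptions settings above combine: when a source host becomes quarantined, and what then happens to its HTTP and non-HTTP traffic. The class and method names are hypothetical, and it assumes the hit count is evaluated over a sliding window of the configured minutes, which the guide does not specify.

```python
import ipaddress
from collections import defaultdict, deque


class QuarantinePolicy:
    """Hypothetical model of one action set's Quarantine and Quarantine Exceptions
    tabs. Assumes a sliding hit window, which the guide does not specify."""

    def __init__(self, hits=1, minutes=1, only_hosts=(), never_hosts=(),
                 allowed_dsts=(), block_non_http=True, http_response="block"):
        # hits=1 models "Quarantine hosts after first hit"; otherwise the guide's
        # "Quarantine host after" ranges apply: 2-10,000 hits within 1-60 minutes.
        if not (hits == 1 or 2 <= hits <= 10_000) or not 1 <= minutes <= 60:
            raise ValueError("hits must be 1 or 2-10,000 and minutes 1-60")
        self.hits, self.window = hits, minutes * 60
        self.only = [ipaddress.ip_network(n) for n in only_hosts]      # Only quarantine these hosts
        self.never = [ipaddress.ip_network(n) for n in never_hosts]    # Do not quarantine these hosts
        self.allowed = [ipaddress.ip_network(n) for n in allowed_dsts]  # Allow quarantined hosts to access
        self.block_non_http, self.http_response = block_non_http, http_response
        self._hits = defaultdict(deque)  # src IP -> timestamps (seconds) of recent hits
        self.quarantined = set()

    @staticmethod
    def _matches(addr, nets):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    def record_hit(self, src, ts):
        """Register a filter hit from src at time ts; return True if src is quarantined."""
        # Exception lists are checked before any counting happens.
        if self._matches(src, self.never) or (self.only and not self._matches(src, self.only)):
            return False
        recent = self._hits[src]
        recent.append(ts)
        while ts - recent[0] > self.window:  # age out hits older than the window
            recent.popleft()
        if len(recent) >= self.hits:
            self.quarantined.add(src)
        return src in self.quarantined

    def decide(self, src, dst, is_http):
        """What happens to a packet from src: "permit", "block", "redirect" or "info"."""
        if src not in self.quarantined or self._matches(dst, self.allowed):
            return "permit"  # not quarantined, or dst is an allowed exception address
        if not is_http:
            return "block" if self.block_non_http else "permit"
        return self.http_response  # value chosen from the Response to HTTP traffic list
```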
Reference: Local Security Manager User's Guide