Chapter 3 IPS Filtering

STEP D For Below Normal Minor, select the Enabled check box and enter the threshold as a percentage of normal traffic. Then, select the action to perform when the filter triggers.

STEP 8 Select either the protocol or application Type for the traffic to be monitored:

Protocol — Select the type of protocol from the drop-down list, including TCP, Other, ICMP, and UDP.

Application — Select the type of application: TCP or UDP; enter the Port. Then, select one of the following to apply the type to: requests, replies, or both.

STEP 9 Click Save/Create.

Action Sets

Action Sets determine what the X Family device does when a packet triggers a filter. An action set can contain more than one action, and can contain more than one type of action. The types of action that can be specified include the following:

Flow Control — determines where a packet is sent after it is inspected. A permit action allows a packet to reach its intended destination. A block action discards a packet. A block action can also be configured to quarantine the host and/or perform a TCP reset. A rate limit action enables you to define the maximum bandwidth available for the traffic stream.

Packet Trace — allows you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority and packet trace verbosity for action sets.

Priority — sets the relative importance of the information captured. Low priority items will be discarded before medium priority items if there is a resource shortage.

Verbosity — determines how much of a suspicious packet will be logged for analysis. If you choose full verbosity, the whole packet will be recorded. If you choose partial verbosity, you can choose how many bytes of the packet (from 64 to 1600 bytes) the packet trace log records.

Notification Contacts — indicate the contacts to notify about the event. These contacts can be systems, individuals, or groups.

Note You must create or modify a notification contact before configuring an Action Set that uses the contact. For details, see “Notification Contacts” on page 52.

TCP Reset and Quarantine actions

For Block action sets, you can configure TCP Reset and Quarantine options.

TCP reset allows the device to reset the TCP connection for the source or destination IP when the Block action executes.

Note Globally enabling the TCP Reset option may negatively impact system performance. We recommend using this option only for issues related to mail clients and servers, on email-related filters.

Quarantine allows the device to block packets based on the IP addresses in the packet that triggers the filter. When a filter with a quarantine option triggers, the device installs two blocks: one for the flow (as is normally done with Block actions) and another for the quarantined IP address. In addition to installing the two blocks, the device quarantines the IP address based on the instructions
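The action-set behaviour described in this section (flow control, packet trace priority and verbosity, notification contacts, and a Block action that installs one block for the flow and a second for the quarantined address) can be modelled to see how the pieces interact. The following is an added Python example written for this guide's reader; it is not code from the X Family device or the LSM. The class and function names, the 64 to 1600 byte bound applied to partial verbosity, the choice of the packet's source IP as the quarantined address, and the sample packets are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class FlowAction(Enum):
    """Flow control outcomes an action set can specify."""
    PERMIT = "permit"
    BLOCK = "block"
    RATE_LIMIT = "rate_limit"


@dataclass
class PacketTrace:
    """Packet trace settings: priority plus full or partial verbosity."""
    priority: str            # "low", "medium" or "high"
    full: bool = True        # full verbosity records the whole packet
    partial_bytes: int = 64  # partial verbosity keeps this many leading bytes

    def __post_init__(self):
        # Assumed bound taken from the guide's stated 64 to 1600 byte range.
        if not self.full and not 64 <= self.partial_bytes <= 1600:
            raise ValueError("partial verbosity must be between 64 and 1600 bytes")

    def capture(self, packet: bytes) -> bytes:
        return packet if self.full else packet[: self.partial_bytes]


@dataclass
class ActionSet:
    name: str
    flow: FlowAction
    rate_limit_kbps: Optional[int] = None   # only meaningful for RATE_LIMIT
    tcp_reset: bool = False                 # Block option: reset the TCP connection
    quarantine: bool = False                # Block option: also block the host address
    trace: Optional[PacketTrace] = None
    contacts: list = field(default_factory=list)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes


@dataclass
class DeviceState:
    """Hypothetical device-side tables that the actions update."""
    flow_blocks: set = field(default_factory=set)      # (src, dst, proto)
    quarantined_ips: set = field(default_factory=set)  # blocked host addresses
    resets: list = field(default_factory=list)         # (src, dst) pairs reset
    trace_log: list = field(default_factory=list)      # (priority, captured bytes)
    notifications: list = field(default_factory=list)  # (contact, action set, src)


def apply_action_set(state: DeviceState, aset: ActionSet, pkt: Packet) -> str:
    """Apply one action set to a packet that triggered a filter; return the verdict."""
    if aset.flow is FlowAction.BLOCK:
        # A Block always installs a block for the triggering flow ...
        state.flow_blocks.add((pkt.src, pkt.dst, pkt.proto))
        # ... and with Quarantine a second block for the host address (assumed: source IP).
        if aset.quarantine:
            state.quarantined_ips.add(pkt.src)
        if aset.tcp_reset and pkt.proto == "tcp":
            state.resets.append((pkt.src, pkt.dst))
        verdict = "block"
    elif aset.flow is FlowAction.RATE_LIMIT:
        verdict = f"rate-limit:{aset.rate_limit_kbps}kbps"
    else:
        verdict = "permit"
    if aset.trace is not None:
        state.trace_log.append((aset.trace.priority, aset.trace.capture(pkt.payload)))
    for contact in aset.contacts:
        state.notifications.append((contact, aset.name, pkt.src))
    return verdict


def is_blocked(state: DeviceState, pkt: Packet) -> bool:
    """A later packet is dropped if its flow or its source host is blocked."""
    return pkt.src in state.quarantined_ips or (pkt.src, pkt.dst, pkt.proto) in state.flow_blocks


def shed_trace_log(state: DeviceState, keep: int) -> int:
    """Under resource shortage, discard low priority traces first, then medium."""
    rank = {"high": 0, "medium": 1, "low": 2}
    state.trace_log.sort(key=lambda entry: rank[entry[0]])  # stable: keeps order within a priority
    dropped = max(len(state.trace_log) - keep, 0)
    state.trace_log = state.trace_log[:keep]
    return dropped


def demo():
    """Constructed scenario: a Block + Quarantine action set with partial packet trace."""
    state = DeviceState()
    block_q = ActionSet("Block + Quarantine", FlowAction.BLOCK, tcp_reset=True, quarantine=True,
                        trace=PacketTrace("medium", full=False, partial_bytes=64),
                        contacts=["soc@example.invalid"])
    trigger = Packet("10.0.0.5", "192.0.2.10", "tcp", bytes(range(200)))  # constructed 200-byte packet
    verdict = apply_action_set(state, block_q, trigger)
    # Same host, different flow: blocked by the quarantine entry, not the flow entry.
    later = Packet("10.0.0.5", "192.0.2.77", "udp", b"x")
    return (verdict, is_blocked(state, later), len(state.flow_blocks),
            len(state.quarantined_ips), len(state.trace_log[0][1]))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two blocks being installed by one trigger and the second, unrelated flow from the same host being dropped by the quarantine entry, while the partial-verbosity trace keeps only the first 64 of the 200 payload bytes. `shed_trace_log` illustrates the priority rule: when the trace store must shrink, low priority entries go before medium ones.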

44 X Family LSM User’s Guide V 2.5.1