Chapter 3 IPS Filtering

STEP A In the Allow quarantined hosts to access the following IP address(es) table, enter a Destination Address.

STEP B Click add to table below.

STEP C Repeat to add multiple hosts.

STEP 11 Click Create/Save.

Notification Contacts

Configuring notification contacts allows you to send messages to a recipient (either human or machine) in response to a traffic-related event that occurs on the X family device. The traffic-related event can be the result of triggering an IPS filter configured with an action set that specifies a notification contact, or of triggering a Firewall Block rule with syslog logging enabled. A notification contact can be any of the following:

Remote System Log — Sends messages to a syslog server on your network. This is a default contact available in all IPS action sets. Before using this contact, configure the IP address and port for the syslog server (System > Configuration > Syslog Servers). The Remote System Log is also the destination for all messages from Firewall Block rules with the enable syslog logging option turned on.

Management Console — Sends messages to the LSM or the SMS device management application. This default contact is available in all action sets. If this contact is selected, messages are sent to the Alert or IPS Block Log in the LSM, depending on whether a permit or block action was executed.

When the device is under SMS management, messages are also sent to the SMS client application. This notification contact does not require any configuration, although you can change the default name and aggregation period.

Email or SNMP — Sends messages to the specified email address or SNMP server. All email or SNMP contacts must be added from the Notification Contacts page. If the default email server is not configured on the device, you will be prompted to configure it before adding a contact.

After configuring notification contacts, you can select them for IPS filter events when you create or edit the action set assigned to the filter. For Firewall Block rules, you can specify that messages be sent to the Remote System Log contact by selecting the enable syslog logging option when you edit the rule.

Alert Aggregation and the Aggregation Period

The X family uses Alert Aggregation to protect system performance. Because a single packet can trigger an alert, attacks with large numbers of packets could potentially flood the alert mechanism used to send out notifications. Alert aggregation allows you to receive alert notifications at intervals to prevent this flooding. For example, if the aggregation interval is 5 minutes, the device sends an alert at the first IPS filter trigger, collects subsequent alerts and sends them out every five minutes.
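The following model of the aggregation rule is an added illustration, not code from the X family device or the LSM: it replays a constructed list of IPS filter triggers (seconds, filter name) through the behaviour described above, sending the first alert immediately and batching later ones once per aggregation period.

```python
from dataclasses import dataclass


@dataclass
class Notification:
    sent_at: float        # seconds on the simulated clock
    kind: str             # "immediate" or "aggregated"
    filters: list[str]    # filter names covered by this notification


def aggregate_alerts(events, period_s):
    """Replay (timestamp, filter_name) triggers through the aggregation rule.

    The first trigger is notified at once and opens a window of period_s
    seconds; triggers inside the window are collected and flushed when the
    window ends. While triggers keep arriving, a new window follows the
    previous one, so the contact receives one aggregated message per period
    instead of one message per triggering packet.
    """
    notifications = []
    pending = []
    window_end = None
    for t, name in sorted(events):
        # Close every window that has elapsed before this trigger arrives.
        while window_end is not None and t >= window_end:
            if pending:
                notifications.append(Notification(window_end, "aggregated", pending))
                pending = []
                window_end += period_s   # activity continues: chain another window
            else:
                window_end = None        # quiet period: next trigger is immediate
        if window_end is None:
            notifications.append(Notification(t, "immediate", [name]))
            window_end = t + period_s
        else:
            pending.append(name)
    if pending:                          # flush what the last window collected
        notifications.append(Notification(window_end, "aggregated", pending))
    return notifications


if __name__ == "__main__":
    # Constructed sample (hypothetical filter names): a burst in the first
    # 20 s, a straggler at 400 s and another trigger at 700 s, 5-minute period.
    sample = [(0, "filter-A"), (10, "filter-A"), (20, "filter-B"),
              (400, "filter-A"), (700, "filter-C")]
    for n in aggregate_alerts(sample, period_s=300):
        print(f"{n.sent_at:>5.0f}s {n.kind:<10} {len(n.filters)} alert(s): {n.filters}")
```

With a 300-second period the sample produces one immediate notification at 0 s and aggregated notifications at 300 s, 600 s and 900 s, showing how a packet burst collapses into a handful of messages.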

On the device, alert aggregation is controlled by the aggregation period that you configure when you create a notification contact. This setting is required for all notification contacts. For Email contacts, the aggregation period works in conjunction with the Email Threshold setting configured for the Email Server. By default, the device allows ten (10) email alerts per minute. On the first email alert, a one

52 X Family LSM User’s Guide V 2.5.1