Chapter 3 IPS Filtering

Configure Threat Suppression Engine (TSE)

On the IPS Preferences page, configure global settings for the TSE in the Configure Threat Suppression Engine table. Refer to the following table for a description of the TSE configuration parameters:

Table 3–10: IPS Preferences: TSE Configuration Parameters

| Parameter | Description |
| --- | --- |
| Connection Table Timeout | Specifies the global timeout interval for the connection table. For blocked streams in the connection table, this value determines the time interval that elapses before the blocked connection is cleared from the connection table. Before the timeout occurs, any incoming packets for that stream are blocked at the device. After the connection is cleared (the timeout interval expires), the incoming connection is allowed until or unless traffic matches another blocking filter. Note: Blocked streams can also be cleared from the connection table manually from the Blocked Streams page (Events > Managed Streams > Blocked Streams). |
| Quarantine Timeout | The value for the quarantine timeout. This value applies to all quarantined addresses and determines the amount of time that elapses before the address is released from quarantine. Note: Quarantined streams can also be released manually from the Quarantined Streams page (Events > Managed Streams > Quarantined Streams). |
| Logging Mode | Configure settings to prevent traffic-related event notifications (such as those generated when a triggered filter is configured with a Block+Notify or Permit+Notify action set) from causing network congestion. Logging Mode determines whether logging is enabled/disabled when the network becomes congested. Always indicates that the device continues logging even if traffic is dropped under high load. Disable if congested indicates the logging will be disabled when the device reaches the specified congestion percentage. Congestion Percentage can be configured if the disable logging option is selected. This value specifies the amount of network congestion that can occur before the device disables logging functions. Disable Time specifies the amount of time (default is 10 minutes) that logging is disabled before the service is restarted. When the downtime expires, the device re-enables logging and displays the number of missed notifications. |
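The following Python model is an added example, not code from the guide or the device: it replays a constructed per-minute traffic sample through the Logging Mode behaviour described above to show how large the notification gap becomes. The names `Sample` and `simulate`, the mode strings, the 80% threshold and the per-minute evaluation are assumptions; only the 10-minute Disable Time default comes from the table.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    minute: int          # minutes since the start of the capture
    congestion_pct: int  # congestion measured in that minute
    notifications: int   # notify events triggered by filters in that minute

def simulate(samples, mode="disable_if_congested", congestion_pct=80, disable_time=10):
    """Return (logged, gaps); each gap is (start_minute, end_minute, missed).

    Assumed model: logging stops in the minute congestion reaches the
    threshold, stays off for disable_time minutes, then congestion is
    re-evaluated immediately when logging is re-enabled.
    """
    logged, gaps = 0, []
    resume_at, gap_start, missed = None, None, 0
    for s in samples:
        if resume_at is not None and s.minute >= resume_at:
            # Disable Time expired: logging restarts, missed count is reported.
            gaps.append((gap_start, resume_at, missed))
            resume_at, missed = None, 0
        if (resume_at is None and mode == "disable_if_congested"
                and s.congestion_pct >= congestion_pct):
            gap_start, resume_at = s.minute, s.minute + disable_time
        if resume_at is None:
            logged += s.notifications
        else:
            missed += s.notifications
    if resume_at is not None:
        gaps.append((gap_start, None, missed))  # still disabled at end of data
    return logged, gaps

# Constructed sample: a 3-minute burst (minutes 5-7) and a 1-minute spike (minute 20).
SAMPLES = [
    Sample(m, 90 if 5 <= m <= 7 or m == 20 else 30, 4 if 5 <= m <= 7 else 1)
    for m in range(30)
]

if __name__ == "__main__":
    for mode in ("always", "disable_if_congested"):
        logged, gaps = simulate(SAMPLES, mode=mode)
        print(f"{mode}: logged={logged} gaps={gaps}")
```

In this model a 3-minute burst produces a 10-minute window with no notifications, so events that occur after congestion has subsided are also absent from the log; that window is the period to account for when reconstructing a timeline from device notifications.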

 

 

58 X Family LSM User’s Guide V 2.5.1