Custom quarantine responses

The Network IPS appliance supports custom quarantine responses if the predefined responses do not meet specific blocking requirements.

About this task

Important:
  • Quarantine responses work only when you configure the appliance to run in inline protection mode.
  • The Issue ID option in predefined and custom quarantine responses works for security events only. This option does not identify traffic for other events.
  • You cannot change the settings of, rename, or remove predefined quarantine responses. Define custom quarantine responses to meet specific needs.
  • Quarantine responses generate quarantine rules to block a single IP protocol (the protocol of the offending traffic) and not all traffic.
  • Quarantine rules that are generated by quarantine responses have a default duration of one hour. You can set or change the duration for these rules when you set up responses for events.

Procedure

  1. Click the Quarantine tab.
  2. Click the Add icon.
    Tip: You can edit some properties directly.
  3. Configure the following options:
    Option            Description
    Name              Specifies a meaningful name for the response.
    Victim Address    Enables the appliance to block packets based on target IP address.
    Victim Port       Enables the appliance to block packets based on target TCP or UDP port.
    Intruder Address  Enables the appliance to block packets based on source IP address.
    Intruder Port     Enables the appliance to block packets based on source TCP or UDP port.
    ICMP Code         Enables the appliance to block packets based on the ICMP code number.
    ICMP Type         Enables the appliance to block packets based on the ICMP type number.
    Issue ID          Enables the appliance to block packets related to a specific security event.
    Note: This option works only for security events, not for any other type of event.
  4. Click OK.