For Network IPS appliances, configure quarantine rules and send quarantine responses for events that are generated from suspicious activity that is identified by the integrated SNORT system.
Quarantine responses
Set quarantine responses for SNORT events in and in .
Important:
- Quarantine responses work only when you configure the appliance to run in inline protection mode.
- The Issue ID option in predefined and custom quarantine responses works for security events only. This option does not identify traffic for other events.
- You cannot change the settings of, rename, or remove predefined quarantine responses. Define custom quarantine responses to meet specific needs.
- Quarantine responses generate quarantine rules to block a single IP protocol (the protocol of the offending traffic) and not all traffic.
- Quarantine rules that are generated by quarantine responses have a default duration of one hour. You can set or change the duration for these rules when you set up responses for events.
For descriptions of the quarantine intruder, Trojan, Worm, and DDOS responses, see Predefined quarantine responses.
Quarantine rules
The appliance displays SNORT significant events in . Use the single-click feature on the Security Alerts page to create quarantine rules for SNORT events. To generate a quarantine rule, click the event and select Block Intruder. This action does not generate a block response. Edit quarantine rules in .
Tip: If you do not see SNORT events on the Security Alerts page, check whether the setting Send alert messages to syslog is enabled on the SNORT Execution tab. When this setting is enabled, the SNORT system does not send events to the Security Alerts page.