Configuring general settings for quarantine rules

Use the general settings area of the Quarantine Rules page for the Network IPS appliance to set the protocol type, the duration of the rule, and the VLAN tags for quarantine rules.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Response Tuning > Quarantine Rules

Note: You cannot apply quarantine rules to all traffic. You must specify a setting for at least one of the following options in order for the appliance to save the quarantine rule:
  • Protocol name
  • VLAN
  • Source address
  • Target address
  • Source port
  • Target port
The quarantine rule is invalid if you set all the previous options to Any.

Procedure

  1. Click the Add icon.
  2. Configure the following options:

    Issue ID
    Specifies the ID number that corresponds with the Event Name. This field is read-only; the appliance generates it to match the selection you make in the Event Name field on this page.
    Note: On the Quarantine Rules page, when you choose an Event Name, the appliance assigns the Issue ID number that corresponds to that Event Name. After the appliance translates the Event Name into an Issue ID, the Event Name is no longer displayed on the Quarantine Rules page; only the Issue ID is shown. To find out which Issue ID corresponds to a specific Event Name, use the text file issues.csv found on the appliance at /usr/lib/iss-pam/.

    Protocol Name
    Specifies a protocol for the rule (Any, TCP, UDP, ICMP, ICMPv6, or Number).
    Notes:
    • If you select Any as the protocol for a rule, the rule matches all IP protocols.
    • If you set a protocol value other than Any, the quarantine rule applies to that protocol only.
    • If you select ICMP or ICMPv6, leave All enabled, type the appropriate types or codes, or click Well Known to select types and codes.

    Expiration Time
    Shows the expiration date and time of the existing rule.
    Note: When you add a new rule, this field is blank until you save the policy and refresh the page. The appliance displays this value in your local time zone. If you want the expiration time displayed in RFC 3339 format instead, set the tuning parameter crm.quarantine.utc to true. For more information, see More tuning parameters.

    Duration
    Specifies how long the appliance applies the rule. The maximum duration is one month.

    Event Name
    Displays a truncated event name that you can choose by clicking the ellipsis button.
    Note: If you specify an event name, the rule blocks matching traffic only when that traffic also triggers the selected event. The rule blocks the traffic but does not report the event.
    Note: In some policies, you can apply the policy to events detected by X-Force®. In the Event Name list, filter the events by Issue Name, X-Force Assigned Risk, or IssueID numbers. Click the IssueID for details. If these events are triggered on the appliance, you can view them in Monitor Health and Statistics > Security and in Review Analysis and Diagnostics > Logs > Security Alerts.

    Full Duplex
    Enables the rule to work in both directions by blocking both sent and received packets.

    Rate Limit
    Specifies the maximum rate, in kilobits/second, at which the appliance allows matching packets to flow.
    Note: Use smaller rates to lessen the impact of some denial-of-service attacks. The appliance drops any matching packet above the specified rate limit.

    VLAN
    Specifies the virtual LAN tags to which you want to apply the rule.
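The constraints above (at least one field other than Any, a protocol from the listed set or a protocol number, a duration of at most one month, full-duplex matching in both directions, and the local-time versus RFC 3339 expiration display) are easy to get wrong when rules are generated outside the Local Management Interface. The following Python model is an added example, not appliance code, and the appliance itself does not expose this logic: the field names, the Any value, the protocol list, the one-month maximum, and the behaviour of Full Duplex and crm.quarantine.utc follow this page; the QuarantineRule data structure, the reading of "one month" as 30 days, the constructed packets, and the matching logic are assumptions made for illustration.

```python
"""Model of the quarantine-rule constraints described on this page.

Added example, not IBM Network IPS code. Field names, the Any value, the
protocol list, the one-month maximum duration, full-duplex behaviour and
the expiration display follow the page; everything else (the data
structure, "one month" taken as 30 days, the packet format and the
matching logic) is an assumption for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ANY = "Any"
PROTOCOLS = {"TCP", "UDP", "ICMP", "ICMPv6"}
MAX_DURATION = timedelta(days=30)  # assumption: "one month" read as 30 days

# The six fields the page says may not all be Any at once.
MATCH_FIELDS = ("protocol", "vlan", "source_address",
                "target_address", "source_port", "target_port")


@dataclass
class QuarantineRule:
    protocol: str = ANY        # Any, TCP, UDP, ICMP, ICMPv6, or an IP protocol number as text
    vlan: str = ANY            # VLAN tag, as text
    source_address: str = ANY
    target_address: str = ANY
    source_port: str = ANY
    target_port: str = ANY
    duration: timedelta = timedelta(hours=1)
    full_duplex: bool = False  # also match the reply direction
    rate_limit_kbps: Optional[int] = None  # None: drop everything that matches


def validate(rule: QuarantineRule) -> list:
    """Return the reasons the appliance, per this page, would refuse the rule."""
    errors = []
    if all(getattr(rule, f) == ANY for f in MATCH_FIELDS):
        errors.append("rule would match all traffic: set at least one "
                      "of protocol, VLAN, address or port to a value other than Any")
    p = rule.protocol
    if p != ANY and p not in PROTOCOLS and not (p.isdigit() and 0 <= int(p) <= 255):
        errors.append(f"unknown protocol {p!r}")
    if not timedelta(0) < rule.duration <= MAX_DURATION:
        errors.append("duration must be positive and at most one month")
    if rule.rate_limit_kbps is not None and rule.rate_limit_kbps <= 0:
        errors.append("rate limit must be a positive number of kilobits/second")
    return errors


def expiration_time(rule: QuarantineRule, created_at: datetime,
                    utc: bool = False, local_tz=None) -> str:
    """Expiration as the page says the UI shows it: local time by default,
    RFC 3339 UTC when crm.quarantine.utc is true (utc=True here)."""
    expires = created_at + rule.duration
    if utc:
        return expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return expires.astimezone(local_tz).strftime("%Y-%m-%d %H:%M:%S %Z")


def _field_matches(rule_value, packet_value) -> bool:
    # Any matches everything; otherwise compare the values as text.
    return rule_value == ANY or str(rule_value) == str(packet_value)


def matches(rule: QuarantineRule, packet: dict) -> bool:
    """Does a packet (a constructed dict with protocol, vlan, src, dst,
    sport, dport keys) fall under the rule, honouring Full Duplex?"""
    if not (_field_matches(rule.protocol, packet["protocol"])
            and _field_matches(rule.vlan, packet["vlan"])):
        return False
    forward = (_field_matches(rule.source_address, packet["src"])
               and _field_matches(rule.target_address, packet["dst"])
               and _field_matches(rule.source_port, packet["sport"])
               and _field_matches(rule.target_port, packet["dport"]))
    if forward or not rule.full_duplex:
        return forward
    # Full Duplex: the reply direction is blocked as well.
    return (_field_matches(rule.source_address, packet["dst"])
            and _field_matches(rule.target_address, packet["src"])
            and _field_matches(rule.source_port, packet["dport"])
            and _field_matches(rule.target_port, packet["sport"]))


if __name__ == "__main__":
    bad = QuarantineRule()                               # everything Any: rejected
    good = QuarantineRule(protocol="TCP", source_address="10.0.0.5",
                          target_port="445", full_duplex=True)
    print(validate(bad))
    print(validate(good))
    created = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    print(expiration_time(good, created, utc=True))
    reply = {"protocol": "TCP", "vlan": 100, "src": "10.0.0.9",
             "dst": "10.0.0.5", "sport": 445, "dport": 51000}  # constructed packet
    print(matches(good, reply))
```

Note that the model compares protocol values as text, so a rule written with a protocol number does not match a packet labelled by name; the appliance's own handling of Number versus name is not described on this page.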

What to do next

On the Add Quarantine Rules window, you can specify IP address and port settings for IPv4 or IPv6 networks.