Specifying IP Action (NSM Procedure)
If the IDP device matches an attack, it can take action not only against the current session but also against future network traffic that uses the same IP address. Such actions are called IP actions. By default, the IP action persists permanently (timeout = 0). If you prefer, you can set a timeout period in seconds. Table 1 describes IDP rulebase actions.
To modify settings:
- In the NSM navigation tree, select Policy Manager > Security Policies.
- Select the security policy you want to edit.
- In the security policy pane, click the IDP tab to display the IDP rulebase table.
- Modify IP action settings by right-clicking the table cell for the setting and making your selection.
- Click OK to save your changes.
Table 1: IDP Rulebase IP Actions
IP Action | Function |
|---|---|
IP Block | Blocks the matching connection and future connections that match combinations of the following properties you specify:
Note: You can reset the IP block table when a security policy is (re)loaded. In NSM Device Manager, select Sensor Settings > Run-Time Parameters and select the Reset block table with policy load/unload option. |
IP Close | Closes the matching connection and future connections that match combinations of the following properties you specify:
Note: The IP Close action might not work as expected for MPLS traffic. In MPLS traffic, when a rule triggers an IP Close action, the IDP engine cannot send a TCP reset packet to the source with a correct server-to-client label. The IDP engine sends a TCP reset packet without an MPLS label. Some MPLS routers can add packets without a label to an existing MPLS tunnel; others drop such packets. |
IP Notify | Logs the event or sends an alert. |
