Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring Sensor Event Policies (NSM Procedure)

    You can specify one or more rules that specify the actions the Infranet Controller takes when it receives attack alert messages from an IDP device.

    To create an IDP rule:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the Infranet Controller for which you want to specify sensor event policies.
    3. Click the Configuration tab. In the configuration tree, select System > Configuration > Sensors > Sensor Event Policies.
    4. Add or modify settings as specified in Table 1.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.

    Table 1: Sensor Event Policies Configuration Details

    Option

    Function

    Your Action

    Name

    Specifies a unique name for the event.

    Enter a name for the event.

    Event

    Specifies an existing event.

    Select an existing event.

    Event Count

    Determines the number of times an event must occur before action is taken.

    Enter a number between 1 and 256.

    Action to be taken

    Specifies the action to be taken when an event has occurred.

    Select one of the following actions:

    • Ignore (just log the event)—Specifies that the Infranet Controller should log the event, but take no further action against the user profile to which this rule applies. This option is best used to deal with very minor “informational” attack alert messages that come from the IDP device.
    • Terminate user session—Specifies that the Infranet Controller should immediately terminate the user session and require the user to sign in to the Infranet Controller again.
    • Disable user account—Specifies that the Infranet Controller should disable the user profile associated with this attack alert message, thus rendering the client unable to sign in to the Infranet Controller until the administrator reenables the user account. (This option is only applicable for users who have a local Infranet Controller user account.)
    • Replace user’s role with this one—Specifies that the role applied to this user’s profile should change to the role you select from the associated drop-down list. This new role remains assigned to the user profile until the session terminates. This feature allows you to assign a user to a specific controlled role of your choice, based on specific IDP events. For example, if the user performs attacks, you might assign the user to a restricted role that limits the user’s access and activities.

    Replace user role with this role

    Specifies that the role applied to the user’s profile should change to the role selected from this list.

    Select a role from this list.

    Replace user role

    Specifies whether the role assignment is permanent or only for a session.

    Select a role assignment option:

    • Permanent—User remains in the quarantined state across subsequent logins until the administrator releases the user from the quarantined state.
    • For this session only—Default. User can log in to another session.

    Applies to role

    Specifies the roles to which the policy is applicable.

    Select one of the following options:

    • All—To apply this policy to all users.
    • Selected—To apply this policy only to users who are mapped to roles in the Members list. Make sure to add roles to this list from the Non-members list.
    • Except for those selected—To apply this policy to all users except for those who are mapped to the roles in the Members list. Make sure to add roles to this list from the Non-members list.

    Role Selection

    Specifies the selected roles.

    Select roles from the Non-members list and click Add to move them to the Members list.

    Published: 2012-11-28