User guide

Chapter 7: Configuring Responses
72
Configuring Quarantine Responses
Introduction

You can create quarantine responses that block intruders when the appliance detects security, connection, or user-defined events. These responses also block worms and trojans. Quarantine responses work only when you have configured the appliance to run in Inline Protection mode.

Note: The Quarantined Intrusions page shows rules dynamically generated in response to detected intruder events. For more information, see "Managing Quarantined Intrusions" on page 92.
Pre-defined quarantine responses

The following table describes the three pre-defined responses that exist for the appliance:

Quarantine objects    Description
Quarantine Intruder   Fully blocks both machines involved in an attack.
Quarantine Trojan     Isolates any machine that is the victim of an attack.
Quarantine Worm       Isolates the item the worm is trying to find; for example, a SQL port.
Table 30: Pre-defined response objects

Note: You can change the settings for these pre-defined responses, but you cannot rename or remove them.

Adding or changing quarantine responses

To add or change quarantine responses:
1. Do one of the following:
   In Proventia Manager, select Responses.
   In SiteProtector, select Response Objects.
2. Select the Quarantine tab.
3. Click Add, or highlight the response you want to edit, and then click Edit.
4. Complete or change the settings as indicated in the following table.
5. Click OK.
6. Save your changes.
Setting            Description
Name               Type a meaningful name for the response.
                   Tip: This name appears when you select event responses, so give the response a name that users can easily identify.
Victim Address     Block packets based on target IP address.
Victim Port        Block packets based on target port.
Intruder Address   Block packets based on source IP address.
Intruder Port      Block packets based on source port.
ICMP Code          Block packets based on the ICMP code number (if protocol is 1).
ICMP Type          Block packets based on the ICMP type number (if protocol is 1).
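The following Python model is an added illustration, not code from this user guide or from the Proventia product. It treats each setting in the table above as a packet-match condition (a setting left empty is a wildcard, all configured settings must match, and ICMP type/code are only consulted when the protocol is 1), and shows how the three pre-defined responses in Table 30 can be expressed as sets of such rules generated from a detected event. The `Packet`, `Event` and `QuarantineRule` types, the `protocol` field, and the rule-generation functions are assumptions made for the example; the appliance's real matching logic is not documented on this page.

```python
# Illustrative model (not the appliance's code) of how quarantine response settings
# act as packet-match conditions and how the three pre-defined responses could be
# built from them. Every name below is an assumption made for this example.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary. IP protocol numbers: 1 = ICMP, 6 = TCP, 17 = UDP."""
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class QuarantineRule:
    """One quarantine response. A setting left as None is a wildcard; all configured
    settings must match for the packet to be blocked (assumption). 'protocol' is an
    assumed field: the page only says ICMP type/code apply 'if protocol is 1'."""
    name: str
    victim_address: Optional[str] = None    # target IP address
    victim_port: Optional[int] = None       # target port
    intruder_address: Optional[str] = None  # source IP address
    intruder_port: Optional[int] = None     # source port
    protocol: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = [
            (self.victim_address, pkt.dst_ip),
            (self.victim_port, pkt.dst_port),
            (self.intruder_address, pkt.src_ip),
            (self.intruder_port, pkt.src_port),
            (self.protocol, pkt.protocol),
        ]
        # ICMP type and code are only meaningful when the rule is for protocol 1.
        if self.protocol == 1:
            checks.append((self.icmp_type, pkt.icmp_type))
            checks.append((self.icmp_code, pkt.icmp_code))
        return all(want is None or want == got for want, got in checks)


@dataclass(frozen=True)
class Event:
    """Constructed detected event: who attacked whom, on which port and protocol."""
    intruder_ip: str
    victim_ip: str
    victim_port: int
    protocol: int


def _isolate_host(ip: str, label: str) -> List[QuarantineRule]:
    # Isolating a host means dropping packets both to it and from it.
    return [
        QuarantineRule(f"{label}: to {ip}", victim_address=ip),
        QuarantineRule(f"{label}: from {ip}", intruder_address=ip),
    ]


def quarantine_intruder(ev: Event) -> List[QuarantineRule]:
    """Fully blocks both machines involved in the attack."""
    label = "Quarantine Intruder"
    return _isolate_host(ev.intruder_ip, label) + _isolate_host(ev.victim_ip, label)


def quarantine_trojan(ev: Event) -> List[QuarantineRule]:
    """Isolates the machine that is the victim of the attack."""
    return _isolate_host(ev.victim_ip, "Quarantine Trojan")


def quarantine_worm(ev: Event) -> List[QuarantineRule]:
    """Isolates the item the worm is trying to find (e.g. a SQL port), for any target host."""
    return [QuarantineRule("Quarantine Worm", victim_port=ev.victim_port,
                           protocol=ev.protocol)]


def is_blocked(rules: List[QuarantineRule], pkt: Packet) -> bool:
    """A packet is dropped if any active quarantine rule matches it."""
    return any(r.matches(pkt) for r in rules)


if __name__ == "__main__":
    # Constructed example: a host probing a SQL Server port (TCP 1433) on a victim.
    ev = Event("203.0.113.5", "192.0.2.10", 1433, 6)
    for rule in quarantine_worm(ev) + quarantine_trojan(ev) + quarantine_intruder(ev):
        print(rule.name)
    probe = Packet("198.51.100.7", "192.0.2.99", 6, 40000, 1433)
    print("worm probe blocked:", is_blocked(quarantine_worm(ev), probe))
```

Run it to see which rules each pre-defined response generates for the constructed event. The point of the model is the difference in scope: a worm response keys on the target port alone, so it also stops probes against hosts other than the original victim, while trojan and intruder responses key on addresses and so isolate specific machines.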