User guide
Chapter 8: Working with Security Events
Configuring Response Filters
Introduction
A response filter lets you refine the security policy by controlling the number of events to
which the appliance responds and the number of events reported to the management
console.
You use response filters to do the following:
● configure responses for security events that trigger based on network criteria
specified in the filter
● reduce the number of security events an appliance reports to the console
For example, if you have hosts on the network that are secure and trusted or hosts that
you want the appliance to ignore for any other reason, you can use a response filter with
the IGNORE response enabled.
Attributes of response filters
Response filters have the following configurable attributes:
● adapter
● virtual LAN (VLAN)
● source or target IP address
● source or target port number (all ports or a port associated with a particular service)
or ICMP type/code (one or the other will be used)
Filters and other events
When the appliance detects traffic that matches a response filter, the appliance executes
the responses specified in the filter. Otherwise, the appliance executes the responses as
specified in the event itself.
Note: If a security event is disabled, its corresponding response filters are also disabled.
Response filter order
The response filters follow rule ordering. For example, if you add more than one filter for
the same security event, the appliance executes the responses for the first match. The
appliance reads the list of filters from top to bottom.
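The following Python sketch is an added illustration, not the appliance's own code: it models the first-match ordering, the fallback to the event's own responses, and the disabled-event rule described above, and it flags filters that an earlier, broader filter always pre-empts. The field names, the event name, the response names other than IGNORE, and the restriction to a target port (no ICMP type/code) are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Filter:  # hypothetical model of one row on the Response Filters tab
    event: str
    responses: list
    adapter: Optional[str] = None   # None means "any"
    vlan: Optional[int] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, p: dict) -> bool:
        return (self.event == p["event"]
                and self.adapter in (None, p["adapter"])
                and self.vlan in (None, p["vlan"])
                and ip_address(p["src"]) in ip_network(self.src)
                and ip_address(p["dst"]) in ip_network(self.dst)
                and self.dst_port in (None, p["dst_port"]))

def responses_for(p, filters, events):
    ev = events[p["event"]]
    if not ev["enabled"]:       # disabled event: its filters are disabled too
        return []
    for f in filters:           # list is read top to bottom; first match wins
        if f.matches(p):
            return f.responses
    return ev["responses"]      # no filter matched: the event's own responses

def shadowed(filters):
    """Indexes of filters that an earlier, broader filter always pre-empts."""
    def covers(a, b):
        return (a.event == b.event
                and a.adapter in (None, b.adapter)
                and a.vlan in (None, b.vlan)
                and ip_network(b.src).subnet_of(ip_network(a.src))
                and ip_network(b.dst).subnet_of(ip_network(a.dst))
                and a.dst_port in (None, b.dst_port))
    return [i for i, f in enumerate(filters)
            if any(covers(g, f) for g in filters[:i])]

# Constructed sample data; event and response names other than IGNORE are placeholders.
EVENTS = {"Example_Event": {"enabled": True, "responses": ["DISPLAY"]}}
FILTERS = [Filter("Example_Event", ["IGNORE"], src="10.0.0.0/8"),
           Filter("Example_Event", ["BLOCK"], src="10.9.9.0/24", dst_port=22)]
PKT = {"event": "Example_Event", "adapter": "A", "vlan": 10,
       "src": "10.9.9.5", "dst": "192.0.2.7", "dst_port": 22}
```

With the broad IGNORE filter listed first, the narrower filter below it never takes effect; placing the narrower filter above the broad one restores its response.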
Adding response filters
To add response filters:
Note: The settings that appear in this procedure correspond to the columns that appear
on the Response Filters tab.
1. Select Security Events.
2. Select the Response Filters tab.
3. Click Add.