Define Action options for the Permit action in Exception rules

The options for the Permit action in Exception rules allow you to set additional options for traffic that has been allowed.

On the Engine, the options for the Permit action in Exception rules allow you to control the inspection options in further detail and set a User Response for malware scanning or Situation matches.

Note: Malware scanning is not supported on Virtual Engines.

On the IPS and the Layer 2 Engine, the options for the Permit action in Exception rules allow you to block list traffic.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the Action cell, then select Permit.
  2. Double-click the Action cell.
  3. Set the options, then click OK.

Select Rule Action Options dialog box (Inspection Permit)

Use this dialog box to override and specify the options for the permit action.

Option Definition
Override Settings Inherited from Continue Rule(s) When selected, overrides settings defined in Continue rules higher up in the policy.
Terminate the Single Connection Creates entries that stop matching current connections, but which are not stored for any time.
Block Traffic Between Endpoints Creates entries that stop matching connections and block traffic between the matching IP addresses for the set duration.
Duration Specifies how long the Block list entry is stored on the Secure SD-WAN Engine. If you leave the value as 0, the Block list entry only cuts the current connections. Select the unit of time from the drop-down list on the right.
IP Protocol

To block traffic that uses a different protocol, click Select, then select an IP-proto Service. If you do not select an IP-proto Service, the block listing is applied to the protocol detected from the traffic.

This option is useful if you want to block traffic where the opening connection is, for example, TCP traffic, but the following connection then changes to using the UDP protocol.

If you select TCP or UDP as the protocol, we recommend that you set Endpoint 1 Port and Endpoint 2 Port to be Predefined TCP or Predefined UDP, respectively. For other protocols, set the ports to the Ignored option.
Endpoint 1 Address or Endpoint 2 Address
  • Any — Matches any IP address.
  • Attacker or Victim — Matches the IP address identified as the originator/target of an attack by the Situation element that is triggered.
  • IP Source or IP Destination — Matches the IP address that is the source/destination of the packets that trigger the detected Situation.
  • Connection Source or Connection Destination — Matches the IP address that is the source/destination of the TCP connection that triggers the detected situation.
  • Predefined — Matches only the fixed IP address you enter in the field to the right of the Address type list.
Endpoint 1 Port or Endpoint 2 Port
  • Ignored — Matches any IP traffic, regardless of the protocol or port.
  • From Traffic — Matches the IP protocol and the port number in the traffic that triggered the block list entry.
  • Predefined TCP — Matches only TCP traffic through the TCP port or the range of TCP ports that you enter in the fields on the right.
  • Predefined UDP — Matches only UDP traffic through the UDP port or the range of UDP ports that you enter in the fields on the right.
Block List Executors Select the Secure SD-WAN Engines to which the block list requests are sent. Click Add to add an element to the list, or Remove to remove the selected element.
Include the Original Observer in the List of Executors Deselect this option if you do not want to include the Secure SD-WAN Engine that detects the situation in the list of block list executors.