Define Action options for the Permit action in Exception rules

The options for the Permit action in Exception rules allow you to set additional options for traffic that has been allowed.

On the Firewall, the options for the Permit action in Exception rules allow you to control the inspection options in further detail and set a User Response for malware scanning or Situation matches.

Note: Malware scanning is not supported on Virtual Engines.

On the IPS and the Layer 2 Firewall, the options for the Permit action in Exception rules allow you to blacklist traffic.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the Action cell, then select Permit.
  2. Double-click the Action cell.
  3. Set the options, then click OK.

Select Rule Action Options dialog box (Inspection Permit)

Use this dialog box to override and specify the options for the permit action.

Option Definition
Override Settings Inherited from Continue Rule(s) When selected, overrides settings defined in Continue rules higher up in the policy.
Terminate the Single Connection Creates entries that stop matching current connections, but which are not stored for any time.
Block Traffic Between Endpoints Creates entries that stop matching connections and block traffic between the matching IP addresses for the set duration.
Duration Specifies how long the blacklist entry is stored on the Engine. If you leave the value as 0, the blacklist entry only cuts the current connections. Select the unit of time from the drop-down list on the right.
IP Protocol

To block traffic that uses a different protocol, click Select, then select an IP-proto Service. If you do not select an IP-proto Service, the blacklisting is applied to the protocol detected from the traffic.

This option is useful if you want to block traffic where the opening connection is, for example, TCP traffic, but the following connection then changes to using the UDP protocol.

If you select TCP or UDP as the protocol, we recommend that you set Endpoint 1 Port and Endpoint 2 Port to be Predefined TCP or Predefined UDP, respectively. For other protocols, set the ports to the Ignored option.

Endpoint 1 Address or Endpoint 2 Address
  • Any — Matches any IP address.
  • Attacker or Victim — Matches the IP address identified as the originator/target of an attack by the Situation element that is triggered.
  • IP Source or IP Destination — Matches the IP address that is the source/destination of the packets that trigger the detected Situation.
  • Connection Source or Connection Destination — Matches the IP address that is the source/destination of the TCP connection that triggers the detected situation.
  • Predefined — Matches only the fixed IP address you enter in the field to the right of the Address type list.
Endpoint 1 Port or Endpoint 2 Port
  • Ignored — Matches any IP traffic, regardless of the protocol or port.
  • From Traffic — Matches the IP protocol and the port number in the traffic that triggered the blacklist entry.
  • Predefined TCP — Matches only TCP traffic through the TCP port or the range of TCP ports that you enter in the fields on the right.
  • Predefined UDP — Matches only UDP traffic through the UDP port or the range of UDP ports that you enter in the fields on the right.
Blacklist Executors Select the Engine Engines to which the blacklist requests are sent. Click Add to add an element to the list, or Remove to remove the selected element.
Include the Original Observer in the List of Executors Deselect this option if you do not want to include the Engine that detects the situation in the list of blacklist executors.