Documentation forSecurity Event Manager

Use the Block IP active response in SEM

Use the Block IP active response to block an IP address at your firewall using your SEM Manager. This action is useful for blocking port scanners, and can be automated in a SEM rule, or executed manually from the Respond menu in the SEM console.

Requirements

You can use the Block IP active response with the following firewalls/modules:

  • Cisco PIX
  • Cisco ASA
  • Cisco Firewall Services Module
  • FortiGate Firewalls
  • Juniper NetScreen
  • Check Point OPSEC
  • SonicWALL
  • WatchGuard Firebox (including Vclass)

Configure the Active Response connector for one of the firewalls listed above on your SEM manager.

Configure the Active Response connector for your firewall

  1. In the SEM Events Console, navigate to Nodes > Manager Connectors.
  2. In the search box, enter active response.
  3. Select your firewall active response connector, and then click Add Connector.
  4. Complete the connector configuration form according to your firewall specifications, and then click Add.
  5. Under Configured connectors, select the connector, and then click Start.

Configure the rule

  1. In the SEM Events Console, click the Rules tab.
  2. On the Rules toolbar, click Create new rule.
  3. Drag one or more values into the rule definition builder. The drag panel on the left contains searchable filter values that you can drag into the rule definition builder. Expand a rule values group to select a value, or locate your value by entering a term in the search field.

    When you drag a value into the filter builder, the correct drop location is illuminated with a blue line. Learn more here.

  4. Click Next.
  5. Under details and actions, add a descriptive rule name.
  6. To add the Active Response tag to your rule, click Add tag, and then select it from the Activity Types list.
  7. Click a toggle button to enable the rule after saving, or to enable in test mode.
  8. Click Add new action, select Block IP, and then click Next.
  9. Enter the IP address to be blocked, click Add, and then click Create.

Additional Information

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To allow an IP address through your firewall, delete or modify the rule on your firewall as appropriate.