Use the Block IP active response in SEM

Use the Block IP active response to block an IP address at your firewall using your SEM Manager. This action is useful for blocking port scanners, and can be automated in a SEM rule, or executed manually from the Respond menu in the SEM console.

Requirements

You can use the Block IP active response with the following firewalls/modules.

  • Cisco PIX
  • Cisco ASA
  • Cisco Firewall Services Module
  • Fortigate Firewalls
  • Juniper NetScreen
  • Check Point OPSEC
  • SonicWALL
  • WatchGuard Firebox (including Vclass)

Configure the Active Response tool for one of the firewalls listed above on your SEM Manager.

To configure the Active Response connector for your firewall:

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Manage > Appliances.

  3. To the left of the SEM Manager, click , and then select Connectors.

  4. From the Category list, select Firewalls, and then enter Active Response in the search box at the top of the Refine Results pane.

  5. Next to the connector for your firewall, click , and then select New.

  6. Complete the Connector Configuration form according to your firewall's specifications.

  7. Click Save.

  8. Next to the new connector, denoted by an icon in the Status column, click , and then select Start.

  9. To exit the Connector Configuration window, click Close.

To configure the Rule:

  1. Identify the type of data that should trigger the rule. If needed, perform an nDepth search, or view the real-time data being received under Monitor in the console and apply filters to narrow it down.

  2. Open the SEM console. See Log in to the SEM web console for steps.

  3. On the SEM toolbar, navigate to Build > Rules.

  4. To create a new rule, click in the upper-right corner, and then enter a descriptive name.
  5. Locate the event type on the Events tab and the desired fields on the Field tab, and then drag them to the Correlations box.

  6. Click the Actions tab on the left, and then drag Block IP to the Actions box under the rule being created.

  7. Enter the IP address to be blocked, and then save the rule.

  8. Click Activate Rules.

Additional Information

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To allow an IP address through your firewall, delete or modify the rule on your firewall as appropriate.
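Because an automated rule turns a correlation match straight into a firewall block, it is worth checking what the rule would have blocked before activating it. The following is an added illustration, not SolarWinds code: it assumes a rule whose correlation is "one source hits at least five distinct destination ports", runs it over constructed firewall-deny events, and holds back internal and allowlisted sources for manual review instead of blocking them.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not SEM data): (source IP, destination port).
SAMPLE_EVENTS = [
    ("203.0.113.7", 22), ("203.0.113.7", 23), ("203.0.113.7", 80),
    ("203.0.113.7", 443), ("203.0.113.7", 3389), ("203.0.113.7", 8080),
    ("198.51.100.4", 443), ("198.51.100.4", 443),
    ("10.0.0.5", 22), ("10.0.0.5", 23), ("10.0.0.5", 80),
    ("10.0.0.5", 443), ("10.0.0.5", 445), ("10.0.0.5", 3389),
]

# Assumed ranges that must never be blocked automatically: loopback, the
# RFC 1918 internal ranges, and an assumed allowlist of scanner/monitoring hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "198.51.100.0/24",  # assumed allowlisted vulnerability-scanner subnet
)]

PORT_THRESHOLD = 5  # assumed correlation threshold for "port scanner"


def port_scanners(events, threshold=PORT_THRESHOLD):
    """Return source IPs that touched at least `threshold` distinct ports."""
    ports_by_src = defaultdict(set)
    for src, dport in events:
        ports_by_src[src].add(dport)
    return {src for src, ports in ports_by_src.items() if len(ports) >= threshold}


def safe_to_block(ip):
    """False for any address inside a never-block range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NEVER_BLOCK)


def block_candidates(events):
    """Split rule matches into (auto-block list, hold-for-review list)."""
    scanners = port_scanners(events)
    to_block = sorted(ip for ip in scanners if safe_to_block(ip))
    to_review = sorted(ip for ip in scanners if not safe_to_block(ip))
    return to_block, to_review


if __name__ == "__main__":
    block, review = block_candidates(SAMPLE_EVENTS)
    print("would block:", block)       # ['203.0.113.7']
    print("hold for review:", review)  # ['10.0.0.5']
```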