About Automated Responses - Symantec 10521146 - Network Security 7120 Administration Manual


About automated responses

Symantec Network Security's automated rule-based response system includes alerting, pinpoint traffic recording, flow tracing, session resetting, and custom responses on both the software and appliance nodes and the Network Security console. Symantec Network Security generates responses based on multiple criteria such as event targets, attack types or categories, event sources, and severity or confidence levels. You can configure multiple responses for the same event type, as well as the order in which Symantec Network Security executes them.

Symantec Network Security reviews each event and iterates through the list of response rules configured by the user. It compares each event against configurable match parameters. If a match occurs on all parameters, it executes the specified action. After Symantec Network Security processes one rule, it does one of three things: proceeds to the rule indicated by the Next parameter, proceeds to a following rule beyond the Next rule, or stops policy application altogether for this event.
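
The rule walk described above can be modeled in a few lines to check how rule order and the Next setting decide which responses fire for an event. This is an added illustration, not Symantec code: the field names, action labels, sample events, and the choices that an unset match field is a wildcard, that a non-matching rule falls through to the following rule, and that Next is a forward rule index or a stop marker are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

STOP = None  # assumed marker: stop applying policy to this event

@dataclass
class Rule:
    action: str                                # assumed label, e.g. "alert"
    match: dict = field(default_factory=dict)  # unset field = wildcard (assumption)
    min_severity: int = 0
    min_confidence: int = 0
    next_rule: Optional[int] = STOP            # rule to evaluate after a match

def matches(rule, event):
    """A rule fires only when every configured parameter matches."""
    if event["severity"] < rule.min_severity or event["confidence"] < rule.min_confidence:
        return False
    return all(event.get(k) == v for k, v in rule.match.items())

def apply_policy(rules, event):
    """Return the ordered (rule index, action) pairs executed for one event."""
    executed, i = [], 0
    while i is not STOP and i < len(rules):
        rule = rules[i]
        if not matches(rule, event):
            i += 1                             # assumption: fall through to the following rule
            continue
        if rule.next_rule is not STOP and rule.next_rule <= i:
            raise ValueError(f"rule {i}: Next must point forward")  # prevents loops
        executed.append((i, rule.action))
        i = rule.next_rule
    return executed

# Constructed policy and events, for illustration only.
POLICY = [
    Rule("alert", next_rule=1),                                                # 0: every event
    Rule("traffic_record", {"category": "dos"}, min_severity=3, next_rule=3),  # 1: skips rule 2
    Rule("flow_trace", {"target": "dmz-web"}, next_rule=STOP),                 # 2
    Rule("session_reset", {"category": "dos"}, min_confidence=80),             # 3
]
EVENT_DOS = {"category": "dos", "target": "dmz-web", "source": "198.51.100.7",
             "severity": 4, "confidence": 90}
EVENT_PROBE = {"category": "probe", "target": "dmz-web", "source": "198.51.100.7",
               "severity": 1, "confidence": 40}

if __name__ == "__main__":
    print(apply_policy(POLICY, EVENT_DOS))
    print(apply_policy(POLICY, EVENT_PROBE))
```

In this model the low-severity probe never reaches the session reset rule because rule 2 matches first and stops policy application, which is the kind of ordering effect to check for when reviewing a response policy.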

Some automated responses also use node parameters through Configuration > Node > Network Security Parameters. Symantec Network Security installs with some of the response rule parameters defaulted; however, they require more information from you to run successfully.

Note: Response policy configurations are not immediately propagated. If you establish a response rule in the master node of a cluster, all subsequent nodes will automatically synchronize when you restart them. You can also force the resynchronization by clicking Admin > Force Database Sync.

This section describes the following:
Setting response parameters
Setting response actions

Note: SuperUsers and Administrators can read and write response rules; StandardUsers and RestrictedUsers can view only. See "User groups reference" on page 319 for more about permissions.
