Configuring a firewall to block IP addresses based on Symantec Network Security events

Article:TECH112529  |  Created: 2004-01-27  |  Updated: 2005-01-30  |  Article URL http://www.symantec.com/docs/TECH112529
Article Type
Technical Solution


Issue



Symantec Network Security 7100 Series and Symantec Network Security 4.0 can direct your firewall to block specific IP addresses, selected from the events that Symantec Network Security receives.


Solution



Symantec Network Security includes a blacklisting tool that can be used to configure Symantec Enterprise Firewall (SEF) and Symantec Gateway Security (SGS) to block specified IP addresses. The tool works only with SEF and SGS, and blocks only IP addresses, not ports.

To use the blacklisting tool, create a custom Response Action that runs the blacklisting tool in response to an event. Because the block is applied automatically, attach the action only to events you trust: an attacker who can trigger the event with a spoofed source address could otherwise use the rule to get a legitimate address blocked.

To create a custom Response Action that runs the blacklisting tool
  1. Open the Network Security console with a SuperUser account and click Configuration > Response Rules.
  2. In Response Rules, click Action > Add Response Rule.
  3. In the new rule, click the Response Action column.
  4. In Configure Response Action, click Custom Response.
  5. In the Start Command box, type the command line that runs the blacklisting tool. For more information, read the "Command line for the blacklisting tool" section in this document.
  6. In the Maximum number of executions box, type the maximum number of times that you want this response action to execute for each incident.
  7. In the Delay between executions (mins) box, type the number of minutes.
    Symantec Network Security waits this number of minutes after executing the response action, before it executes the response action again for a given incident. The minimum value for this entry is 0.
  8. Click OK, and then click OK again.

Command line for the blacklisting tool
The command line for the blacklisting tool specifies the IP addresses that you want blocked. Use the following format for the command line:

/responses/blacklist.sh %d :,: %s :,:

In this format, %d and %s are literal markers that indicate destination and source, respectively. Each marker you use is followed by a comma-separated list of IP address and port pairs written as address:port; the :,: in the format stands for such a list. Give the full path to the script (on the SNS 7100 appliance the responses directory is /usr/SNS/responses).

Though the command line requires both an IP address and a port for each entry, the tool blocks all traffic to or from the specified IP address (to it if the address follows %d, from it if the address follows %s). The port is accepted but ignored: you cannot configure the tool to block only a specific port at that address.

Example
In the following example, the command line lists three addresses, 10.9.127.213, 10.9.127.214, and 10.9.127.215, each paired with port 2600 (the port is required by the syntax but does not narrow the block). Because the addresses follow the %s variable, by the definitions above the tool blocks all traffic from those addresses; to block traffic sent to them instead, place the list after %d. Confirm the behaviour against the BLACKLIST-README before you deploy the rule.

/usr/SNS/responses/blacklist.sh %s 10.9.127.213:2600,10.9.127.214:2600,10.9.127.215:2600
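The following shell functions are an added illustration of the command-line convention described above and in the example; they are not Symantec's blacklist.sh, whose internals this article does not describe. They parse the %d and %s markers and the comma-separated address:port lists that follow them, drop the ports (the tool blocks whole addresses), collapse duplicates, reject malformed input, and refuse to list addresses from a constructed PROTECTED set, a precaution against an event with a spoofed source address being used to blacklist your own gateway or DNS server. The PROTECTED list, the "dst"/"src" output format and the error messages are assumptions made for this example; the sample addresses are the article's.

```shell
#!/bin/sh
# Added illustration, not Symantec's blacklist.sh: parses the documented
# argument convention "%d ip:port,ip:port %s ip:port,..." and prints the
# addresses that would be handed to the firewall, one per line, tagged
# "dst" or "src". Ports are dropped because the tool blocks whole
# addresses, duplicates collapse, and addresses on a protected list are
# skipped so a spoofed event cannot get your own infrastructure blocked.

# Constructed protected list (assumption: replace with your own gateway,
# DNS and management addresses).
PROTECTED="10.9.127.1 10.9.127.2"

# valid_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_protected ADDR -> 0 if ADDR appears in $PROTECTED
is_protected() {
    for p in $PROTECTED; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# blacklist_addresses %d LIST %s LIST   (either marker may be omitted)
# Prints "dst ADDR" / "src ADDR" lines; returns 1 on malformed input.
blacklist_addresses() {
    dir=""
    out=""
    while [ $# -gt 0 ]; do
        case "$1" in
            %d) dir=dst ;;
            %s) dir=src ;;
            *)
                if [ -z "$dir" ]; then
                    echo "error: list '$1' is not preceded by %d or %s" >&2
                    return 1
                fi
                # split the comma-separated address:port list
                for pair in $(printf '%s' "$1" | tr ',' ' '); do
                    ip=${pair%%:*}   # strip ":port"; only the address is blocked
                    if ! valid_ipv4 "$ip"; then
                        echo "error: '$ip' is not an IPv4 address" >&2
                        return 1
                    fi
                    if is_protected "$ip"; then
                        echo "warning: refusing to blacklist protected address $ip" >&2
                        continue
                    fi
                    out="$out$dir $ip
"
                done
                ;;
        esac
        shift
    done
    printf '%s' "$out" | sort -u
}

# Demo with the article's own example list (the addresses are the page's).
blacklist_addresses %s 10.9.127.213:2600,10.9.127.214:2600,10.9.127.215:2600
```

The output is the address list you would pass to the firewall-side blocking step; the real tool's interface to SEF or SGS is not shown on this page, so treat the functions as a way to check what a given Start Command would block before you save the rule.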


References
The blacklisting tool has a readme file, BLACKLIST-README, in the responses directory.

For SNS 7100, the file is /usr/SNS/responses/BLACKLIST-README.




Legacy ID



2004082715533853