Configuring a firewall to block IP addresses based on Symantec Network Security events
Article: TECH112529 | Created: 2004-01-27 | Updated: 2005-01-30 | Article URL: http://www.symantec.com/docs/TECH112529
Symantec Network Security 7100 Series and Symantec Network Security 4.0 can configure your firewall to block specific IP addresses identified by events that Symantec Network Security receives.
Symantec Network Security includes a blacklisting tool that can be used to configure Symantec Enterprise Firewall (SEF) and Symantec Gateway Security (SGS) to block specified IP addresses. The tool works only with SEF and SGS, and blocks only IP addresses, not ports.
To use the blacklisting tool, create a custom Response Action that runs the blacklisting tool in response to an event.
To create a custom Response Action that runs the blacklisting tool
- Open the Network Security console with a SuperUser account and click Configuration > Response Rules.
- In Response Rules, click Action > Add Response Rule.
- In the new rule, click the Response Action column.
- In Configure Response Action, click Custom Response.
- In the Start Command box, type the command line that runs the blacklisting tool. For more information, read the "Command line for the blacklisting tool" section in this document.
- In the Maximum number of executions box, type the maximum number of times that you want this response action to execute for each incident.
- In the Delay between executions (mins) box, type the number of minutes that Symantec Network Security waits after executing the response action before it executes the response action again for the same incident. The minimum value for this entry is 0.
- Click OK, and then click OK again.
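The Start Command in step 5 can point at a wrapper script instead of the blacklisting tool itself. The script below is an added example written for this article; it is not Symantec's blacklisting tool and not code from the article. It shows the checks worth placing between an event and an automatic firewall block: an event's source address may be spoofed, so the wrapper refuses to block non-routable space and a never-block list of your own infrastructure, and it skips addresses it has blocked recently so the same attacker seen in many incidents does not re-run the tool every time. Everything specific to the environment is an assumption: the console is assumed to pass the event's source address as the first command-line argument, the state-file path and the one-day re-block interval are assumed values, the never-block ranges are constructed sample data, and the tool path and argument form in block_command() are placeholders to be replaced with the documented syntax.

```python
#!/usr/bin/env python3
"""Guard in front of an automatic firewall block.

Added example for this article; not Symantec's blacklisting tool and not code
from the article.  Decides whether an address from a Network Security event
should be blocked at all before the real tool is invoked.
"""
import ipaddress
import json
import os
import subprocess
import sys
import time

# Ranges an IDS event must never turn into a firewall block (spoofed, internal
# or bogus sources).  An explicit list is used rather than ipaddress's
# is_global so that the documentation ranges used as constructed sample data
# below count as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Infrastructure you depend on.  Constructed sample values: substitute the
# management network, resolvers, partners and the sensors themselves.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # assumed management / sensor network
    "198.51.100.53/32",  # assumed upstream resolver
)]

BLOCK_TTL_SECONDS = 24 * 3600  # assumption: allow a re-block after a day
# Assumed location of the per-address block history.
STATE_FILE = os.environ.get("BLOCK_STATE", "/var/tmp/sns-blocks.json")


def check_address(ip_text, blocked, now):
    """Decide whether ip_text should be sent to the firewall.

    blocked maps address strings to the epoch time they were last blocked.
    Returns (True, "block") or (False, reason)."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False, "not an IP address"
    if any(ip in net for net in NON_ROUTABLE):
        return False, "non-routable address"
    if any(ip in net for net in NEVER_BLOCK):
        return False, "protected address"
    last = blocked.get(str(ip))
    if last is not None and now - last < BLOCK_TTL_SECONDS:
        return False, "blocked recently"
    return True, "block"


def block_command(ip_text):
    """Placeholder only: the path and argument form are assumptions.  Replace
    with the command line documented for the blacklisting tool."""
    return ["/opt/symantec/blacklist_tool", ip_text.strip()]


def load_state(path):
    """Read the block history; a missing or corrupt file means no history."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_state(path, state):
    """Write the block history atomically so a crash cannot truncate it."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def main(argv):
    # Assumption: the console passes the event's source address as argv[1].
    if len(argv) != 2:
        print("usage: block_guard.py <source-ip>", file=sys.stderr)
        return 2
    now = time.time()
    state = load_state(STATE_FILE)
    ok, reason = check_address(argv[1], state, now)
    if not ok:
        print(f"skip {argv[1]}: {reason}")
        return 0
    cmd = block_command(argv[1])
    if os.environ.get("BLOCK_DRY_RUN"):
        print("would run:", " ".join(cmd))
    else:
        subprocess.run(cmd, check=True)
    state[argv[1].strip()] = now
    save_state(STATE_FILE, state)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Set BLOCK_DRY_RUN=1 while testing the response rule so the console's Maximum number of executions and Delay between executions settings can be exercised without touching the firewall; those two settings are per incident, whereas the script's block history is per address across incidents, which is why both are useful.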
Command line for the blacklisting tool
The command line for the blacklisting tool specifies the IP addresses that you want blocked. Use the following format for the command line: