Configuring blacklisting for base event types with IDS/IPS on Symantec Gateway Security 5400 Series 2.x

Article:TECH81936  |  Created: 2004-01-15  |  Updated: 2009-01-12  |  Article URL http://www.symantec.com/docs/TECH81936
Article Type
Technical Solution

Issue
You are using the IDS/IPS component of your Symantec Gateway Security 5400 Series appliance and want to blacklist every IP address that the IDS/IPS component identifies as a source of suspicious traffic. When blacklisting is enabled for IDS/IPS, all traffic from an IP address that sends suspicious traffic is blocked for a configured period of time, by default 24 hours (1,440 minutes). This differs from the Gating feature: with Gating, only the suspicious traffic itself is dropped, and all other traffic from that address for which rules exist is still allowed. Gating does not have to be enabled to configure blacklisting. Because a blacklist entry is keyed on the source IP address, events triggered from a spoofed source, or from an address shared by many hosts (for example, behind NAT), block legitimate traffic from that address for the full timeout period; choose the severity levels that trigger the notification with this in mind.

Solution

To configure blacklisting on the local firewall
  1. In the left pane of the Security Gateway Management Interface (SGMI), click Location Settings.
  2. In the right pane, on the Notifications tab, click New Notification > Notification through Blacklist.
    This creates a new, unconfigured Notification and selects it.
  3. Click Properties.
  4. In the Properties window, on the General tab, confirm that Enable is checked.
  5. On the Blacklist tab, click Local Firewall.
  6. On the Severity tab, check the severity levels to trigger the notification.
  7. Click OK.
  8. In the right pane of the SGMI, click Apply.
  9. On the Action menu, click Activate Changes.

Blacklisting is now enabled. In the Active Connections screen of the SGMI, you can view blacklisted IP addresses and, if needed, remove an entry by stopping that active connection.


To configure sending blacklists to other firewalls
  1. In the left pane of the Security Gateway Management Interface (SGMI), click Location Settings.
  2. In the right pane, on the Notifications tab, click New Notification > Notification through Blacklist.
    This creates a new, unconfigured Notification and selects it.
  3. Click Properties.
  4. In the Properties window, on the General tab, confirm that Enable is checked.
  5. On the Blacklist tab, click Remote Firewall.
  6. In the IP Address field, type the IP address of the remote firewall.
  7. Confirm that the Port field contains 426.
  8. Type and confirm the password to use. This password is the shared secret that authenticates this firewall to the receiving firewall, so choose a strong one; you enter the same password in the Machine Account on the receiving firewall.
  9. On the Severity tab, check the severity levels to trigger the notification.
  10. Click OK.
  11. In the right pane of the SGMI, click Apply.
  12. On the Action menu, click Activate Changes.

After you configure the security gateway to send the notification, you must configure a Machine Account at the receiving firewall.

To configure the Machine Account
  1. Connect to the SGMI for the firewall at which notifications are received.
  2. In the left pane, click Location Settings.
  3. On the Advanced tab, click Machine Accounts.
  4. Click New Machine account.
    This creates a new, unconfigured Machine Account and opens a properties box for it.
  5. In the Address field, type the IP address of the firewall that sends notifications.
  6. In the Password field, type the password that you created in step 8 of the previous section.
  7. On the Privileges tab, confirm that Manage Blacklist is selected.
  8. On the Blacklist tab, confirm that the port is 426.
  9. In the Timeout field, type the number of minutes that blacklist entries are kept.
    The default setting is 1,440 minutes (24 hours).
  10. Click OK.
  11. In the right pane of the SGMI, click Apply.
  12. On the Action menu, click Activate Changes.

Note: You need to create a Machine Account only when you need one firewall to populate the blacklist of another. A Machine Account is not needed when using local notifications only.

References
For information and instructions to blacklist IP addresses that trigger IDS/IPS alerts in SGS 3.x: How to blacklist IP addresses that trigger specific IDS/IPS alerts on Symantec Gateway Security 5000 Series 3.0 appliances

Legacy ID
2004011510073454