Difference between "Action" (IPS policy rules) & "Recommended Action" (IPS signatures)

There is an action field found in both the IPS policy rules and the signatures that make up those rules.  Both fields have similar options (a few more on the Rules side) which, per the Web manual, appear to have identical functions.

What is the difference here?

For example, let's say I have a rule set to Drop the Session but all of the signatures in that rule are set to Allow the Packets - what would happen?

Does one take precedence over the other?  If not, who wins?



This thread was automatically locked due to age.
  • Hey  

    The action field found in the IPS policy rule is the global action taken for all of the selected IPS signature rules enabled within that individual IPS policy.
    Therefore, if you were to select the global action Drop Session, the session will still be dropped even if the signatures contained within have a recommended action to Allow Packet.

    I hope that was able to clarify your inquiry. Please share a screenshot of your IPS policy rule you have configured if you would like further clarification.

    Regards,

    FloSupport | Community Support Engineer

  • Hello and thanks for the feedback...but this is still somewhat confusing...here's why...

    It seems that you are saying the setting at the Rule level supersedes that at the Signature level - fair enough.  Then why ever use the setting at the Signature level if it is going to be overruled by the Rule setting?

    I have tried to come up with a use-case where both settings would have an effect on the traffic but if the Rule level takes precedence, then I can find no such use-case...

  • Hey  

    You would create an IPS policy with a rule configured at the bottom that covers all of the signatures and set with the "recommended" action. You would then configure additional rules on top with the signatures selected that you would like to explicitly allow/deny/drop. A top-down approach would be taken in determining what action to perform on the traffic.

    See my screenshot below:

    I hope this clarifies your inquiry.

    Regards,

    FloSupport | Community Support Engineer
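
The precedence described in the two replies above, modelled as an added example (not the product's code and not part of the original posts): rules are evaluated top-down, a rule's action overrides the signature's recommended action, and a bottom rule set to "recommended" defers to each signature. The signature names, rule names and the `shadowed_rules` check are hypothetical, and the behaviour when no rule matches is an assumption left unmodelled.

```python
from dataclasses import dataclass

RECOMMENDED = "Recommended"  # rule-level value: defer to each signature's own action

@dataclass(frozen=True)
class Signature:
    name: str
    recommended_action: str

@dataclass(frozen=True)
class Rule:
    name: str
    signatures: frozenset  # names of the signatures this rule selects
    action: str

def resolve(rules, sig):
    """Top-down, first match wins. Returns (rule name, effective action)."""
    for rule in rules:
        if sig.name in rule.signatures:
            # The rule's action overrides the signature's, unless it is RECOMMENDED.
            action = sig.recommended_action if rule.action == RECOMMENDED else rule.action
            return rule.name, action
    return None, None  # assumption: behaviour with no matching rule is not modelled

def shadowed_rules(rules):
    """Names of rules that can never fire: earlier rules already select all their signatures."""
    seen, shadowed = set(), []
    for rule in rules:
        if rule.signatures and rule.signatures <= seen:
            shadowed.append(rule.name)
        seen |= rule.signatures
    return shadowed

# Constructed sample data (hypothetical signature and rule names).
SIG_A = Signature("SIG-A", "Allow Packet")
SIG_B = Signature("SIG-B", "Drop Session")
ALL = frozenset({"SIG-A", "SIG-B"})
EXPLICIT = Rule("explicit-drop", frozenset({"SIG-A"}), "Drop Session")
CATCH_ALL = Rule("catch-all", ALL, RECOMMENDED)
POLICY = [EXPLICIT, CATCH_ALL]       # layout described in the reply
MISORDERED = [CATCH_ALL, EXPLICIT]   # catch-all placed on top by mistake

if __name__ == "__main__":
    for label, policy in (("policy", POLICY), ("misordered", MISORDERED)):
        for sig in (SIG_A, SIG_B):
            print(label, sig.name, resolve(policy, sig))
        print(label, "shadowed:", shadowed_rules(policy))
```

In the misordered policy the explicit Drop Session rule is reported as shadowed, so SIG-A falls through to its recommended Allow Packet.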

  • So are you saying that essentially, the Rule level setting acts as the default action if none of the other rules applies?  If so, then this setup is confusing especially when considering that a different approach for similar behavior is employed under the Application Filter settings.

    I will likely have some suggestions but will wait until you are able to confirm my default behavior question above.

    Thanks.

  • Hey  

    Yes, this setup is also used for the application filter settings. This top-down behavior, with a default action performed if there are no matching rules, is common for most configurations.

    Regards,

    FloSupport | Community Support Engineer

  • So the top-down aspect of this is not in dispute - totally makes sense to have that approach in place.  What may be an issue however is the GUI.

    For example, on the App Filter side, there is a Default Action shown yet no place to actually change the Default Action setting - it is always set to Allow.  I think this makes sense for many if not most scenarios because I can see where folks will often want to block specific apps and then allow the rest. However, I do imagine there are potential situations where people might want to only allow a few apps and block the rest.  If so, then configuring that is more cumbersome without being able to switch the App Filter --> Default Action.

    If I am missing something here, please let me know - otherwise, I will submit a suggestion to add the ability to change the Default Action at the App Filter level.

    Also, it is confusing that the "Default" nomenclature is used under App Filter & Web Policies but not in the IPS Policy rules.  One would think it would be standard across the board for a given type of functionality.

    Again, if I am missing something here, please illuminate.

    Thanks.

  • Hey  

    You can create an application filter policy with a default rule at the bottom to block all and allow only specific applications.
    Please see the screenshots I've provided where I created a test application policy with a default rule to deny all apps and an additional rule above to allow YouTube.



     

    Regards,

    FloSupport | Community Support Engineer

  • The first screen is found when adding applications to a given App Filter and the action field you see is only for a given application.  If you go ahead and set that to "Deny" and then "Save", go back and check the Default Action for the filter you were just modifying and note it still says "Allow".

    This discussion also begs the question, why even show the Default Action when it can't be modified?

  • Hey  

    Could you PM me with your support access ID to your XG? I can further investigate your configuration and follow up to clarify your desired implementation.

    Thanks,

    FloSupport | Community Support Engineer