OmniVista 2500 - 2700 R3-3 Quarantine Manager

[Screenshot: Never Banned tab, listing each device's Mac Address, IP Address, Timestamp and Reason, with the View Quarantine Object dialog (IP Address, Reason, Mac Address) open]

Adding a Device to the Never Banned List

To add a device to the Never Banned List:

1. Click the New button.
2. Select the applicable radio button and enter the device's IP Address or host name, or its MAC Address. Please note that you can enter the host name only if the IP Address radio button is selected. If you ban a device by the MAC address, the IP address will display a value of 0.0.0.0. If you ban a device by its IP address, Quarantine Manager will use its Locator function to determine the MAC address.
3. Enter a reason for placing the device on the Never Banned List in the Reason field.
4. Click the OK button. The device will appear in the list.

Extraction Expressions

As stated earlier, an Extraction Expression is a Java regular expression that specifies the source address of the offending device. Once a Syslog message matches a Trigger Expression, Quarantine Manager must extract the source address of the suspect end station from the message. In the Fortinet example above, the source address is preceded by the string src= and then an IP address. An IP address consists of 4 sets of numbers separated by the "." character. Each set is 1 to 3 characters in length, and the numbers are decimal (0-9) digits. One way to express this is with the regular expression:

src=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

Because we are only interested in the IP address and not the characters src=, place parentheses "( )" around the IP address to indicate which part you want to capture. The [0-9] means any single character from 0 to 9; the {1,3} means that you are looking for a set of 1 to 3 numbers. The \. says that you are looking for a "." character. The backslash is an escape character that says take the "." literally; normally "." is a special character that means any character. Often there are a number of regular expressions that you can use to achieve the same results. In the Fortinet example above, there is the string src= followed by the IP address, followed by either a space or a tab character. The regular expression for getting the IP address could be sr

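As an added illustration (not the manual's or OmniVista's own code), the following Python script dry-runs rules of the kind described here and in the Rule Parameters and Action sections against constructed Syslog lines: it shows what a Trigger Expression lets through, what the Extraction Expression captures, and why the capture still needs checking. The regex features used ([...], {m,n}, \., \s, capture groups) behave the same in java.util.regex as in Python; the status=pass value, the 8-hex-digit layout of a hex-form IP address and the two "Hypothetical" rules are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Dotted-decimal IPv4 capture, built exactly as the text above builds it.
IPV4_GROUP = r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
# Assumed layout for the "hex form" of an IP address: 8 hex digits
# (0AFCC917 = 10.252.201.23).
HEX_IP = re.compile(r"^[0-9A-Fa-f]{8}$")
MAC = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

RULES: Dict[str, Dict[str, str]] = {
    # Modelled on the built-in Fortinet Signature rule. The manual says it
    # ignores attacks configured to Pass on the FortiGate; here that is a
    # negative lookahead on an assumed "status=pass" attribute.
    "Fortinet Signature": {
        "trigger": r"type=ips\s+subtype=signature(?![^\n]*status=pass)",
        "extract": r"src=" + IPV4_GROUP + r"(?=\s|$)",
    },
    # Hypothetical rule for a source that reports a MAC address instead of
    # an IP address (the list then shows the IP as 0.0.0.0).
    "Hypothetical MAC source": {
        "trigger": r"[Rr]ogue AP",
        "extract": r"\bmac=([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})",
    },
    # Hypothetical rule for a source that sends the hex form of an IP.
    "Hypothetical hex source": {
        "trigger": r"\bhexsrc=",
        "extract": r"\bhexsrc=([0-9A-Fa-f]{8})(?=\s|$)",
    },
}


def normalize(captured: str) -> Optional[str]:
    """Turn the captured text into what the Candidates/Banned list shows
    (dotted-decimal IPv4 or upper-case MAC). None means the capture is not
    a usable address, e.g. an octet above 255, which [0-9]{1,3} allows."""
    if MAC.match(captured):
        return captured.upper().replace("-", ":")
    if HEX_IP.match(captured):
        value = int(captured, 16)
        return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))
    octets = captured.split(".")
    if len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets):
        return ".".join(str(int(o)) for o in octets)
    return None


def evaluate_rule(message: str, rule: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Apply one rule to one Syslog line and return (triggered, address).
    (True, None) means the rule fired but the Extraction Expression captured
    nothing usable: the case the manual tells you to look for in server.txt."""
    if not re.search(rule["trigger"], message):
        return False, None
    match = re.search(rule["extract"], message)
    if match is None:
        return True, None
    return True, normalize(match.group(1))


# Constructed sample lines modelled on the Fortinet messages shown in the
# manual; host names, ids and addresses are made up.
SAMPLES: Dict[str, str] = {
    "signature": "<161>Jan 3 14:22:54 tejon date=2006-01-03 time=14:22:54 "
                 "device_id=FGT-EXAMPLE log_id=0420070000 type=ips "
                 "subtype=signature pri=alert id=107347972 src=128.251.40.72 "
                 "dst=193.206.187.100 src_port=3499 dst_port=8080 "
                 "src_int=external dst_int=internal status=detected proto=6",
    "signature_pass": "<161>Jan 3 14:30:00 tejon type=ips subtype=signature "
                      "pri=alert id=107347972 src=10.252.201.5 dst=10.0.0.1 "
                      "status=pass proto=6",
    "anomaly": "<161>Jan 3 14:31:10 tejon type=ips subtype=anomaly pri=alert "
               "src=10.252.201.23 dst=10.0.0.1 status=detected proto=17",
    "bad_octet": "<161>Jan 3 14:32:00 tejon type=ips subtype=signature "
                 "src=300.1.2.3\tdst=10.0.0.1 status=detected",
    "rogue_ap": "<161>Jan 3 15:01:02 oaw-example Rogue AP detected "
                "mac=00-0b-86-c2-4a-10 channel=6",
    "hex": "<161>Jan 3 15:05:00 example-host alert hexsrc=0AFCC917 severity=3",
}


def run_samples() -> Dict[str, Tuple[str, bool, Optional[str]]]:
    """Evaluate every rule over every sample; record the first rule that fires."""
    results: Dict[str, Tuple[str, bool, Optional[str]]] = {}
    for name, line in SAMPLES.items():
        results[name] = ("", False, None)
        for rule_name, rule in RULES.items():
            triggered, address = evaluate_rule(line, rule)
            if triggered:
                results[name] = (rule_name, True, address)
                break
    return results


if __name__ == "__main__":
    for name, (rule, fired, addr) in run_samples().items():
        print(f"{name:15} rule={rule or '-':24} fired={fired} address={addr}")
```

For a live rule, compare the address this reports for a captured message with what server.txt records when the rule fires.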
[Screenshot: SecureView ACL Expert Wizard, Actions for Policy "Quarantined": Accessibility, Shared Queue, Min/Max Output Rate, 802.1p Priority Level, Differentiated Services Code Point and TOS Precedence, each with an "ignore" option]

18. In the Access Control panel, select DROP in the Accessibility field.
19. Click the Next button.
20. Review the policy and then click the Finish button to save the policy to the LDAP repository. You will be returned to the Expert tab.
21. Click the Notify button to allow the switches to recache their policies.

Quarantine Manager Responders Tab

The Responders tab enables you to specify the response (such as external e-mails or scripts to be run), if any, that you want OmniVista to provide when quarantine actions are taken. This provides a method to integrate with trouble ticket systems. You can specify the events to which OmniVista will respond by using a trigger level. OmniVista can make the following responses to the receipt of a specified event:

- OmniVista can send an e-mail to any address you specify. You can use variables to specify the information you

[Screenshot: Import file chooser showing the OmniVista installation folders (bin, classes, clientdata, data, openldap, UninstallerData folders), Files of Type: XML files (*.xml)]

Click the Open button.
3. Browse to the .xml file that you saved, select the rule and click the Open button. The Import window will close and the new rule will appear in the Rules table.

Note: Imported rules are initially configured in the Disabled state. You must change the Enabled status to True to enable the rules.

Rule Parameters

The Quarantine Manager Rule parameters are described below.

Name: The user-defined name for the rule.
Description: The user-defined description for the rule.
Trigger Expression: A Java regular expression that is used to determine if a Syslog message or SNMP trap should trigger a quarantine action. If a Syslog message or SNMP Trap matches this regular expression, the action is performed. The regular expressions used by OmniVista are very similar to those used by programs such as PERL and AWK. See http://java.sun.com/docs/books/tutorial/extra/regex/intro.html for more information on using regular expressions. Click here for more information on Regular Expressions.
Extraction Expression: A Java regular expression that specifies the source address of the suspect device. Use the expression to capture the source IP or M

[Screenshot: Quarantine Manager Configuration tab, Quarantine Action table with VLAN Name, Mac Group Name and Allow Port Disabling columns (e.g. Quarantined / QM MAC Group / true), and the View Object dialog with the same fields]

To enable port disabling, click the Allow Port Disabling checkbox.

You can also enable or disable a port from the Topology application. To do this, right-click the desired switch in the Topology application and select Edit. The Edit Discovery Manager Entry window appears. To enable port disabling, check the Allow Port Disabling checkbox.

Quarantine Manager Configuration Tab

[Screenshot: Edit Discovery Manager Entry window with IP Address, Telnet/FTP User Name and Password, Trap Station User Name, Secondary Password, Can Be Seen By (Administrators, Default, Network Administrators, Writers), SNMP Version (SNMPv2), Links Discovery, Handle as an OEM Device, Shell Window and Allow Port Disabling settings]

To enable port disabling, click the Allow Port Disabling checkbox. You can disable the ports for a switch that is on the Quarantine logical network and allows ports to be disabled. By default, all switches prohibit port disabling. You must specifically enable this feature for all ports to be disabled.

Setting Up an ACL

To set up an ACL using the SecureView ACLs application, follow the steps given below.

1. Start th

Timestamp: The date and time the event occurred.
Mac Address: The device's MAC address. Quarantine Manager Rules extract the IP address of the device; Quarantine Manager then uses the OmniVista Locator function to determine the MAC address.

Quarantine Manager Disabled Ports Tab

State: The state of the disabling or enabling action.
- Completed: Disabling is complete.
- Failed: Disabling or enabling of a port failed.
Reason: The reason a port was disabled.

Quarantine Manager Rules Tab

Quarantine Manager Rules determine which Syslog events or SNMP traps cause a device to be placed in the Candidates list or Banned list. A rule consists of:

- A name
- A description of the rule
- A trigger expression that specifies the event or trap that will trigger an action
- An extraction expression that is used to extract the source address from the event or trap
- An action to be taken when the event or trap is received (the device is placed in the Candidates list or Banned list)

[Screenshot: Rules tab, Rule List with Name and Description columns, e.g. AlaDoSTrap (Alcatel Denial of Service Trap), Aruba 1 (The switch has classified an AP as a Rogue AP), Aruba 2 and Aruba 3 (The AP/AM has detected a rogue AP as being active), Fortinet (Fortinet Signature) ...]

[Screenshot: Candidates tab, Quarantine List with Mac Address, IP Address, Timestamp and Reason columns; each Reason shows the triggering Syslog message, e.g. "<161>Jan 3 13:10:55 tejon date=2006-01-03 time=..."]

[Screenshot: Candidates tab (continued), Quarantine List with Mac Address, IP Address, Timestamp and Reason columns]

Note: When evaluating a candidate for Ban/Release, it is recommended that the Network Administrator check the quarantine log file in the Audit application to see if any more serious events have been logged by the same end station.

Releasing a Device from the Candidates List

To remove a device from the Candidates list, select the device and click the Release button. The device is removed from the list. A device may return to the list if another event triggers a configured quarantine rule.

Quarantine Manager Candidates Tab

Banning a Device

To ban a device from the network, select the device and click the Ban button. The device is removed from the network and placed in the Banned list. Click here for more information on banning a device.

Placing a Device on the Never Banned List

To place a device in the Never Banned list, select the device and click the Never Ban button. The device is placed in the Never Banned list. An event will never trigger a quarantine rule for a device in the Never Ban list. Click here for more information on the Never Banned List.

Candidates Tab Field Descriptions

Candidates Tab field descriptions are provided below.

Mac Address: The device's MAC address. Quarantine Manager Rules extract the IP address of

ACL rule using the SecureView ACLs Expert Wizard, which drops traffic if it finds a matching MAC address. For instructions on setting up an ACL using the SecureView ACLs application, click here.

Note: The Quarantine Manager ACL feature is not currently supported for OS6200 devices. Quarantine Manager support for these devices is based on creating VLAN MAC Rules. The user creates a Quarantine VLAN and an associated MAC Group. If Quarantine Manager needs to ban a MAC Address on the device, it adds the new MAC Address to the Group, specifying the Quarantine VLAN ID. This will result in traffic moving to the Quarantine VLAN based on the MAC Rule.

ACL has been extended to include ACL rules that have been stored in the OmniVista LDAP server through the SecureView ACLs application. When Quarantine Manager attempts to quarantine a device, it first checks the LDAP server for a MAC group with a specified name. If the MAC group exists, Quarantine Manager quarantines the device by adding the MAC address to the MAC group on the LDAP server. If the MAC group does not exist, Quarantine Manager adds the MAC address to the Quarantine MAC group you have created on the switch. Note that Quarantine Manager does not support ACLs on XOS machines.

Note: Quarantine Manager now has the ability to ban devices connected to an OmniAccess WLAN device using the device's Blacklist feature. When devices are banned, either through a Quarantine Manager rule or by the Network Administra

Fortinet In Depth Analysis page will appear, describing the event in detail and providing any recommended actions.

[Screenshot: Fortinet FortiGuard Center "In Depth Analysis" web page for ID 107347972 (Group: HTTP Decoder, Name: Illegal hex, MS Bulletin MS00-078, First Detected In FortiOS 2.50/2.80), with Description, Impact, Vulnerability, References and Recommended Actions sections]

[Screenshot: Candidates tab, Quarantine List with Mac Address, IP Address, Timestamp and Reason columns, and the Release, Ban, Never Ban and Help buttons]

Getting Started with Quarantine Manager

Quarantine Manager Tabs

Quarantine Manager tabs are described below. Click the link for each tab for detailed configuration instructions.

- Candidates: The Candidates tab displays a list of devices that

Built-In Rules

There are seven Built-In Rules that come with Quarantine Manager. You must change the Enabled status to True to enable these rules. The default action configured for all of the Built-In Rules is to send the device to the Candidates list for review by the Network Administrator. Although the rules are pre-configured, the Network Administrator can modify them. Built-In Rules are initially configured in the Disabled state. The Built-In Rules are:

- Alcatel DOS Trap Rule: Triggers an action based on an AOS trap (AlaDosTrap). The rule triggers an action in response to a Teardrop, Ping of Death or Port Scan attack.
- Fortinet Anomaly: Triggers an action on a Fortinet Attack Anomaly Event. Ignores Anomaly attacks configured to Pass on the FortiGate.
- Fortinet Signature: Triggers an action on a Fortinet Syslog Signature event. Ignores Signature attacks configured to Pass on the FortiGate.
- Fortinet Virus: Triggers an action on a Fortinet Virus Detection event. Only triggers on sub-type "infected".
- OA WLAN Rogue AP Active: Triggers an action when the switch classifies an Access Point as a Rogue AP.
- OA WLAN Rogue AP Detected: Triggers an action when the Access Point detects an active Rogue AP.
- OA WLAN Station w/ Rogue AP: Triggers an action when the Access Point detects traffic from a client through a Rogue AP.

Fortinet Anomaly and Signature attack events include a status attribute that ca

application.
3. Enter a subject for the e-mail that is to be sent in response.
4. Define the body of the e-mail in the E-mail Body field by typing in the desired text and/or the desired variables. The variables you can use are explained in the Event Variables section below. You can also accept the default e-mail body, which is the variable Details (explained below).
5. Click on the OK button. The new automatic event responder is saved to the session memory and is listed in the Automatic Event Responders table as an unsaved change. Click on the Apply button to save the new responder to the server.

Quarantine Manager Responders Tab

To Run an Application on the Server

If you set the response action to "Run an application on the server", follow the steps below to define the application to be run.

[Screenshot: Responders tab, Automatic Event Responders table (Banned, Released, Response Description) and the Create QM Condition and Response dialog with Response Description, Response Action, Command, Arguments, Start Directory and Standard Input fields; callout: "When finished, click OK"]

1. Enter a response description.
2. Enter the command to be executed in the Command field.
3. Enter the arguments to the command specified a

the VLAN, you must add all the devices that you want to monitor with Quarantine Manager.
2. Create the Quarantined MAC group using the Groups application. Create a Source MAC group and associate it with a QoS rule to Deny any traffic originating from MAC addresses in this group, using the SecureView ACLs application. When a rule extracts an IP address from a device, OmniVista uses the Locator function to determine the MAC address of the device. The device is then automatically added to the Quarantined MAC group.

Note: For instructions on setting up an ACL using the SecureView ACLs application, click here.

3. Click the VLAN name in the Quarantine Action table and then click the Edit button.
4. If necessary, edit the name of the VLAN to match the name of the VLAN you created in Step 1. Then add or edit the MAC group name to match the name of the MAC group you created in Step 2.
5. Click the Apply button to write the changes to the server.

Note: Quarantine Manager cannot quarantine any devices on the EMP subnet because the EMP port has no mobility feature.

Editing the Quarantine VLAN/MAC Group

You can change the name of your Quarantined VLAN/MAC group by selecting the name in the list and clicking the Edit button. When you have completed the name change, click the Apply button to write the change to the server.

Note: The names you configure in this tab must match the names you use when you cre

the device. Quarantine Manager then uses the OmniVista Locator function to determine the MAC address.
IP Address: The device's IP address. All Quarantine Manager Rules must extract the IP address from the Syslog Message or SNMP Trap. If the IPS sends a MAC address, the IP address will have a value of 0.0.0.0.
Timestamp: The date and time the event occurred.
Reason: The reason the event triggered a Quarantine Manager rule. For all Fortinet-generated events, select the event in the table and right-click to access a detailed description of the event. Click here for more information.
Quarantine Switch List: This field contains any switches that were not successfully included in a Quarantine sub-network.

Quarantine Manager Reason Description

You can access the Fortinet web site for a detailed description of any Fortinet event. To access the description:

1. Click on the event in the table to highlight it, then right-click on the event. The Reason window will appear.

[Screenshot: Reason window showing the full Fortinet Syslog message for the event, e.g. "<161>Jan 3 14:22:54 tejon date=2006-01-03 time=14:22:54 ... log_id=0420070000 type=ips subtype=signature pri=alert id=107347972 src=128.251.40.72 dst=193.206.187.100 src_port=3499 ... src_int=external dst_int=internal status=detected ...", with a Fortinet web address button at the bottom]

2. Click on the Fortinet web address button at the bottom of the Reason window. A

want to include in the e-mail. Variables exist for information such as action, reason, MacAddress, etc.
- OmniVista can execute an external program or script on the OmniVista server.

To configure an OmniVista event response, select Responders in the Quarantine Manager window. The Automatic Event Responders panel is displayed as shown below. The upper part of the panel contains a table with all the current responders. The lower part of the panel contains two tabs, the Condition tab and the Response tab. The Condition tab is used to specify the events that will trigger OmniVista's response, and the Response tab is used to configure the response. The user can create, modify or delete the responders.

[Screenshot: Responders tab, Automatic Event Responders table (Banned, Released, Response Description) with the View QM Condition and Response panel, Condition tab: "Events which match these triggers: Banned, Released"]

For example, when a specified event is received, you can configure the following responses:

- OmniVista can automatically send an e-mail to the MIS director. The body of the e-mail can contain the details of the event.
- OmniVista can automatically run an audio program that announces out loud "You have received an event".

Note: You must set the mail server in the Preferences application.

AC address. Quarantine Manager also supports the hex form of IP addresses. Once Quarantine Manager receives a Syslog message or SNMP trap that matches a Trigger Expression, it must extract from it the source address of the suspect end station. Click here for more information on Regular Expressions.

Note: You can check the server.txt file to verify that your Extraction Expression is functioning properly.

Action: The action to be taken when the rule is triggered.
- Candidate List: The device is added to the Candidates list. The device can still send and receive traffic. The Network Administrator reviews the list and determines what action to take (e.g., remove the device from the list, ban the device).
- Quarantine: The device is moved to the Quarantined VLAN and/or MAC Group and added to the Banned list. While on the Banned list, the device cannot send or receive traffic. The device remains on the list until it is manually removed by the Network Administrator.
- Release: The device is released from the Quarantined VLAN and/or MAC Group. This can be used to allow an external system (e.g., a Trouble Ticket System) to send a syslog message or trap to OmniVista to automatically release a quarantine without having to access OmniVista.

Note: The Quarantine VLAN or MAC group must be properly set up for traffic to be quarantined. If you do not first configure a Quarantine VLAN or MAC group, even a device on the Ban

Quarantine Manager Banned Tab

When a device is placed in the Banned List, it is quarantined from the rest of the network. Devices can automatically be added to the Banned List based on a Quarantine Manager rule, or manually placed in the list by the Network Administrator. Once a device is placed in the Banned List, it remains quarantined until the Network Administrator manually releases it. The Banned tab, shown below, displays a list of all devices that have been quarantined, either by a Quarantine Manager rule or by the Network Administrator. Field descriptions are provided below.

[Screenshot: Banned tab, Quarantine List with Mac Address, IP Address, Timestamp, State and Reason columns, and the View Quarantine Object dialog (IP Address, Reason, Mac Address)]

Note: In Release 3.0 and later, DHC

Getting Started with Quarantine Manager

The Quarantine Manager application enables the network administrator to quarantine devices to protect the network from attacks. The application works with an external Intrusion Prevention System (IPS), such as Fortinet, or a network device such as an Alcatel AOS switch, which sends either a Syslog message or SNMP trap to Quarantine Manager containing the IP or MAC address of the offending device. If an IP address is received, Quarantine Manager uses its Locator function to determine the device's MAC address. These messages trigger Quarantine Manager Rules. Depending on the rule that is written for the event, the device can be immediately quarantined or placed in a Candidate List that can be reviewed by the Network Administrator for further action.

Note: Quarantine Manager cannot quarantine any devices on the EMP subnet because the EMP port has no mobility feature.

The following sections describe the requirements for getting started with Quarantine Manager.

Hardware/Software Requirements

Quarantine Manager is an optional add-on package to OmniVista 2500. It can be installed in the OmniVista 2540 Basic Single User environment or the OmniVista 2540 Basic Multi User environment. The hardware requirements for Quarantine Manager are the same as for OmniVista 2500. Version 5.1.6 of the AOS software is required for Trap Notification to work correctly, and Fortinet software

P requests from a banned device are sent to the Quarantine VLAN. The Network Administrator can direct banned traffic from the Quarantined VLAN to a Remediation Server that will provide the user with information explaining why their device was banned and what steps to take to connect to the network.

Note: Quarantine Manager now has the ability to ban devices connected to an OmniAccess WLAN device using the device's Blacklist feature. However, the enable password of the device must be entered in the Secondary Password field of the Discovery Manager Entry window in the Topology application.

Adding a Device to the Banned List

In addition to automatically quarantining devices based on a Quarantine Rule, you can also manually quarantine a specific device by adding it to the Banned List. To add a device to the Banned List:

1. Click the New button.
2. Select the applicable radio button and enter the device's IP Address or host name, or its MAC Address. Please note that you can enter the host name only if the IP Address radio button is selected.
3. Enter the reason you are placing the device on the Banned list in the Reason field.
4. Click the OK button. The device will appear in the list.

Editing a Device on the Banned List

You can edit the Reason field for a device in the Banned list. To edit the Reason field:

1. Select the device in the list.
2. Click on the Edit button and edit the Reason field.
3. Click the OK

Rules

Quarantine Manager Rules are configured for dealing with Syslog events and SNMP traps. The easiest way to use Quarantine Manager is to enable one of the Built-in Rules. The Rules determine which events from an external IPS or switch are propagated through the network. For example, when the IPS notices an attack, it generates a Syslog event. After receiving a Syslog message, Quarantine Manager uses the rules to determine what device generated the event and whether or not the offending device is immediately quarantined (Banned) or placed on the Candidate List to be reviewed by the Network Administrator.

The way in which a device is quarantined depends on the action that is configured for the rule. If a device is placed in the Candidate list, all traffic to the suspect device continues. The Network Administrator reviews each event in the Candidate list and decides what action to take. If a device is placed in the Banned list, it is quarantined until it is manually removed by the Network Administrator.

Note: There are a number of important devices in a network that a Network Administrator will never want to be quarantined. Use the Never Ban List to ensure that important devices are never quarantined.

Configuring Quarantine Manager

After initial set-up is complete, Quarantine Manager is configured and managed using the tabs shown and described below. Click the link for each tab for detailed configuration instructions.

How to Configure an Event Responder

To configure a new event responder, click the New button at the bottom of the Event Responder window and refer to the sections below.

The Condition Tab

You can specify the events to which OmniVista will respond based on the trigger level. The Condition tab allows you to select whether you want to be notified when devices are banned or released, or both banned and released.

[Screenshot: Condition tab of the Create QM Condition and Response dialog, "Events which match these triggers": Banned, Released]

The Response Tab

To create the response, first enter a description of the response in the Response Description field. Set the Response Action field to "Send an e-mail" or to "Run an application on the server". Continue as described in the appropriate section below.

[Screenshot: Response tab of the Create QM Condition and Response dialog on the Responders tab]

ate the VLAN/MAC group. In Quarantine Manager, VLAN names are case insensitive.

Please note that switches discovered after the Quarantined VLAN is created cannot be added via VLANs. Also, there will be no warning message when you add the VLANs manually to the switches. Add the Quarantined VLAN to switches to protect them. It is not necessary that all the switches be included in the Quarantined VLAN; that is a decision for the Network Administrator. If you want to include all the discovered switches in the Quarantined VLAN, create a CLI script and run it periodically.

Configuring Quarantine Manager on OmniAccess WLAN Devices

Quarantine Manager can ban wireless devices connected to an OmniAccess WLAN device by placing them in the OmniAccess Blacklist. If a wireless device is found in a Quarantine Segment, the MAC address of the quarantined device is placed in the blacklist. Due to limitations in the current OmniAccess device's SNMP implementation, the banned device is placed on the blacklist using SSH to send CLI commands to the OmniAccess device. SSH must be able to log in to the OmniAccess device. In addition, the OmniAccess device's enable command must be executed, and a secondary password is required to enter the privileged commands necessary to perform the blacklist. To enable automatic login, configure a valid user name and password for the OmniAccess device using the Topology application.

1. Open the Topology application, cl

above in the Arguments field, or accept the default argument, which is the variable MacAddress (explained in the Event Variables section below).
4. Enter the directory in which the command should be executed in the Start Directory field.
5. Enter the standard input for the command in the Standard Input field, or accept the default, which is the variable Details (explained in the Event Variables section below).
6. Click the OK button. The new automatic event responder is saved to the session memory and is listed in the Automatic Event Responders table as an unsaved change. Click the Apply button to save the new responder to the server.

Event Variables

When sending an e-mail, you can use the following variables in the E-mail Body field. The same variables are used in the Arguments and Standard Input fields of a "Run an application" responder.

Action: The action being taken, a ban or a release.
Reason: The Reason field from the QM object.
MacAddress: The MAC address of the device being banned or released.
IpAddress: The IP address of the device being banned or released. If the IP address is unknown, it is displayed as 0.0.0.0.
VlanName: The name of the VLAN that the device was banned to or released from.
MacGroupName: The MAC group that the device was banned to or released from.
Details: A message containing the Action, MAC address, IP address, VLAN and MacGroupName.
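The following Python program is an added example and is not code from the OmniVista manual or from Alcatel. It is the kind of program a "Run an application on the server" responder can launch with the default Arguments (the MacAddress variable) on the command line and the default Standard Input (the Details variable) on stdin, optionally with the Action variable as a second argument. Because the responder runs on the OmniVista server with whatever the event carried, it validates the MAC address and the action against an allow-list before doing anything, normalizes the MAC to one spelling so the same device is not logged under several forms, and appends a JSON audit record. The accepted MAC formats (colon, dash or dot separated octets, plus the six-hex-digit pairs shown in the Quarantine Manager screenshots), the audit file path and the use of Action as a second argument are this example's assumptions.

```python
import json
import re
import sys
import time
from typing import List, Optional

# Allow-list for the optional Action argument (the manual's Action variable is
# "a ban or a release").
ALLOWED_ACTIONS = ("ban", "release")

# Assumption: the audit file lives here; change to suit the server.
AUDIT_PATH = "/var/log/qm-responder.jsonl"


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if raw is not a MAC address.

    Accepts 08:00:70:70:19:0e, 08-00-70-70-19-0e, 0800.7070.190e and the
    080070:70190e form seen in the Quarantine Manager screenshots (assumed).
    Anything else, including shell metacharacters or an IP address, is rejected.
    """
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_record(argv: List[str], details: str, now: float) -> Optional[dict]:
    """Turn the responder's argv and stdin into an audit record.

    argv[1] must be the MacAddress variable; argv[2], if present, the Action
    variable. Returns None when the input fails validation so the caller can
    refuse to act instead of passing unvetted data on.
    """
    if len(argv) not in (2, 3):
        return None
    mac = normalize_mac(argv[1])
    if mac is None:
        return None
    action = None
    if len(argv) == 3:
        action = argv[2].strip().lower()
        if action not in ALLOWED_ACTIONS:
            return None
    details = details.strip()
    if len(details) > 2048:          # Details is free text from the event; cap it
        details = details[:2048] + "..."
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "mac": mac,
        "action": action,
        "details": details,
    }


def main(argv: Optional[List[str]] = None, stdin=None, audit_path: str = AUDIT_PATH) -> int:
    """Entry point: exit 0 after writing the record, 2 if the input was refused."""
    argv = sys.argv if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    record = build_record(argv, stdin.read(), time.time())
    if record is None:
        sys.stderr.write("qm-responder: refusing to act on invalid input %r\n" % argv[1:])
        return 2
    with open(audit_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Invoke it from the responder as the command, with MacAddress (and optionally Action) in the Arguments field and Details in the Standard Input field; a non-zero exit with a message on stderr marks an event whose data did not look like a MAC address or a known action.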
3. Click the OK button. The new information will display in the device's Reason field.

Releasing a Device from the Banned List

To release a device from the Banned list:
1. Select the device in the list. You can select multiple devices using the SHIFT or CTRL keys.
2. Click the Release button. The device will be deleted from the list.

Redo Ban

Click the Redo Ban button to poll the network and re-apply the bans to the switches. This is useful if you banned devices before creating a Quarantine VLAN or MAC group.

Banned Tab Field Descriptions

Mac Address: The device's MAC address. Quarantine Manager rules extract the IP address of the device; Quarantine Manager then uses the OmniVista Locator function to determine the MAC address.
IP Address: The device's IP address or host name. All Quarantine Manager rules must extract the IP address from the Syslog message or SNMP trap.
Timestamp: The date and time the event occurred.
State: The state of the banning action:
  Scheduled to be Banned - the ban is in process
  Completed - the ban is complete
  Partially Banned - the ban was not completed on all devices
  Scheduled to be Released - the release is in process
  Partially Released - the release was not completed on all devices
Reason: The reason the event triggered a Quarantine Manager rule. For all Fortinet-generated events, select the event in the table and right-click to access a detailed description of the event.
src=([^ \t]+)

The characters between the [ ] are a space character and a tab character. This expression says: the string src= followed by a sequence of one or more characters that are not spaces or tabs. It works well, but it can be difficult to read because the space and tab characters are not visible. Another way to extract the IP address would be

src=([0-9.]+)

This says: the string src= followed by a sequence of characters that contain only digits and the '.' character. A '.' inside [ ] does not need to be escaped.

Note: If an extraction expression is not working, check the server.txt file to troubleshoot the problem.

Useful Operators for Quarantine Manager Rules

^   the not operator (when it is the first character inside [ ])
[   start of a character list
]   end of a character list
^   beginning of an expression
$   end of an expression
\   escapes a character that is otherwise used as an operator in regular expressions

Basic Regular Expressions

.        Matches any single character.
[...]    Matches any one of the characters enclosed between the brackets. If the first character is a circumflex (^), it matches any one character NOT enclosed between the brackets. A hyphen (-) indicates a range of characters.
\        Escapes the special character that follows.
*        Matches any number (including none) of the single character that immediately precedes it.
+        Matches one or more occurrences of the preceding regular expression.
?        Matches zero or one occurrence of the preceding regular expression.
application to enable port disabling for each switch.

Editing a Device in the Disabled Ports List

You can edit the Reason and Timestamp fields for a device in the Disabled Ports list:
1. Select the device in the list.
2. Click the Edit button and edit the Reason and Timestamp fields.
3. Click the OK button. The new information will display in the device's Reason and Timestamp fields.

Releasing a Device from the Disabled Ports List

To release a device from the Disabled Ports list:
1. Select the device in the list. You can select multiple devices using the SHIFT or CTRL keys.
2. Click the Release button. The device will be deleted from the list.

Retry the Failed Operation

To retry a failed operation during the enabling or disabling of a port:
1. Select the device in the list.
2. Click the Retry button. The failed operation will be retried.

Disabled Ports Tab Field Descriptions

Switch Address: The switch's IP address. Quarantine Manager rules extract the IP address from the Syslog message or SNMP trap.
Slot: The disabled slot number.
Port: The disabled port number.
IfIndex: The ifIndex of the disabled slot/port of the offending device, which equals 1000 times the slot number plus the port number (for example, slot 3 port 12 gives 3012). This calculated value applies to Alcatel switches only.
named Quarantine.
2. Create a sub-network or networks to segment the Quarantine network (e.g. Quarantine Test, Quarantine Engineering).

When Quarantine Manager is notified of an offending end station, it determines the switch directly connected to that end station and applies the ban to all switches in that switch's Quarantine subnet(s). For example, if a switch in the Quarantine Test subnet is connected to an offending device, Quarantine Manager applies the ban to all of the switches in the Quarantine Test subnet.

Note: Network segmentation does not work if the SecureView ACLs application is used to create the ACLs for Quarantine Manager. The SecureView ACLs application overrides the Quarantine Manager network segmentation setup.

Enabling/Disabling the Quarantine Port

You can disable the offending device's port rather than create a VLAN or ACL rule. In addition to the VLAN Name and Mac Group Name, the Configuration tab has an Allow Port Disabling check box. By default it is unchecked. When it is checked, the port is disabled when a Quarantine rule is matched. Please note that you must turn on port disabling for each switch (in the Topology application) in addition to turning on global port disabling here.

Note: Port disabling uses Locator Live Search information only; it does not use historical Locator information.

Configuration Tab (screenshot)
1. Start the Groups application and click the L2 MAC Groups tab.
2. Click the New button. The Create a MAC Group dialog box is displayed.

Create a MAC Group dialog (screenshot)

3. In the MAC Group Name field, enter the name that is displayed in the MAC Group Name field of the Configuration tab in Quarantine Manager.
   Note: The MAC group names created in the Quarantine Manager and Groups applications must match.
4. In the Create a MAC Group dialog box, click the New button.
5. Enter a MAC address in the Group Member MAC Address field.
6. Click the Apply button to write the changes to the LDAP repository.
7. Click the OK button to dismiss the dialog box.
8. To create an ACL rule that drops traffic from the group, start the SecureView ACLs application and click the Expert tab.
9. In the Existing ACL Policies panel, click the New button to display the SecureView ACL Expert Wizard window.

Configuration for Policy (screenshot: Policy Name "Quarantined", Policy Precedence, Enable Policy, Save Policy, Log Matches, Reflexive Policy)
below displays a list of all devices whose ports have been disabled, either by a Quarantine Manager rule or by the Network Administrator. Field descriptions are provided below.

Disabled Ports Tab (screenshot)

Note: If you disable a port that is already disabled, there will be two entries in the table. The first entry contains the MAC address of the offending end station. The second entry contains a null (possibly 000000:000000) MAC address. The second entry exists because releasing a MAC address from the Banned tab does not re-enable the port; the Network Administrator must re-enable the port manually by releasing it from the Disabled Ports tab.

Note: When you delete an entry from the Disabled Ports List table, the item is removed. If it is the last item with that IP address and slot/port combination, the port is re-enabled. That is, the port is not re-enabled until every device that caused it to be disabled has been released.

Note: Use the Configuration tab to turn on port disabling, then use the Topology
For example:

[abc]        Matches a, b or c.
[a-z]        Matches any lower-case letter.
[a-zA-Z]     Matches any letter.
[0-9a-fA-F]  Matches any hexadecimal digit.
[^0-9]       Matches any character that is not a digit.

Note: Quarantine Manager configures a maximum of 32 MAC rules when it tries to ban 100 IP addresses on XOS devices. Quarantining on XOS devices is limited by the number of MAC rules these devices support, which is 32. This means that even if you attempt to quarantine 100 end stations, only the first 32 are quarantined on the XOS switches in the management domain. To avoid this limitation, release quarantines as soon as possible.

Quarantine Manager Configuration Tab

The Configuration tab is used to configure the Quarantine VLAN and Quarantine MAC group. By default the Quarantine VLAN is named Quarantined, but you can change the name as desired. The VLAN is created using the OmniVista VLANs application, which opens when you click the VLANs button at the bottom of the page. The Quarantine MAC group is created using the OmniVista Groups and SecureView ACLs applications. For Quarantine Manager to use a SecureView ACL, you first create an L2 MAC group, using the Groups application, whose name matches the MAC group name specified in the Configuration tab of Quarantine Manager. After creating the MAC group, you create an
logging to Syslog produces about 2,000 messages per 20 minutes.

Quarantine Manager Candidates Tab

When an external Intrusion Prevention System (IPS) such as Fortinet detects a possible attack on the network, it generates either a Syslog event or an SNMP trap. A Quarantine Manager rule can be configured to trigger an action based on these events. The action either quarantines the offending device immediately or places the device on the Candidates list. If the device is placed on the Candidates list, traffic to and from that device continues until the Network Administrator decides what action to take. The Candidates tab, shown below, displays all of the devices that Quarantine Manager has placed on the Candidates list. Field descriptions are provided below. The Network Administrator can:
- Release the device from the Candidates list
- Ban the device
- Place the device on the list of devices that are never to be banned

Candidates Tab (screenshot)
have been flagged by an IPS or switch. The Network Administrator can release a device from the list, ban a device, or configure a device to never be banned.
- Banned: The Banned tab displays a list of all devices that have been banned and isolated from the network.
- Never Banned: The Never Banned tab displays a list of devices that have been configured never to be banned (e.g. mail servers, the IPS). Note that all switches discovered by OmniVista are implicitly on the Never Banned list even though they are not displayed.
- Disabled Ports: The Disabled Ports tab displays a list of all devices whose ports have been disabled.
- Rules: The Rules tab is used to configure the conditions that trigger Quarantine Manager notifications and actions.
- Configuration: The Configuration tab is used to configure the Quarantine VLAN and MAC group, as well as the action taken for an event.
- Responders: The Responders tab lets you specify responses, such as running an audio program or sending an e-mail to the MIS director, to be taken when the given conditions are met.

Quarantine Manager Logs

The Audit application can be used to access the Quarantine log and the Syslog. The logs contain detailed information about Quarantine Manager and Syslog events. Currently, if Syslog is in use when Quarantine Manager is launched, a warning message is written to server.txt that points to the Preferences application, where you can change the Syslog settings.

Note: Aruba default
Click on the Switches node, right-click the device you want to configure and select Edit. The Edit Discovery Manager Entry window appears.

Configuring OmniAccess for Quarantine Manager (screenshot of the Edit Discovery Manager Entry window: Telnet/FTP User Name, Telnet/FTP Password, Secondary Password)

2. Enter a user name in the Telnet/FTP User Name field.
3. Enter a password in the Telnet/FTP Password field.
4. Enter a secondary password in the Secondary Password field.
5. Click the OK button.

Creating Quarantine Subnets

If a device is banned, either by the Network Administrator or by Quarantine Manager, the ban is applied to all switches in the network. However, you can segment your network by creating a logical Quarantine network, which limits Quarantine Manager actions to the switches in the Quarantine subnetwork(s).
1. Use the Topology application to create a Logical Network
can be clear_session, pass_session, dropped, reset or detected. When the FortiGate is configured to allow a particular attack (its action is set to Pass in the GUI), a Syslog event is still sent for that attack, but its status is detected, meaning it was detected but not acted upon. The built-in triggers are therefore designed to act on any value of status EXCEPT detected. This means you can use the FortiGate control panel to selectively enable or disable attack actions and Quarantine Manager behaves consistently without any change to these triggers. The canned Quarantine Manager rules for FortiGate have been modified accordingly in both the anomaly and signature rules:

log_id=0421073001.*status=[^pt]
log_id=0420070000.*status=[^pt]

The p was added to exclude any status value starting with a p character as well as one starting with a t character, which prevents quarantine for both the detected and the pass_session status. The pass_session state was previously unknown. Note that a negated character class tests only the single character that follows status=; verify a trigger against the exact status strings your FortiGate version emits before relying on it.

Note: The Audit application can be used to access the Quarantine log and Syslog. The logs contain detailed information about Quarantine Manager and Syslog events.

Custom Rules

The Network Administrator can create custom rules using regular expressions to configure the trigger event and the extraction expression. The rules can be based on an Intrusion Prevention System (IPS) event or on an AOS SNMP
Partial Results: The devices on which the ban either succeeded or for which the user has not configured or enabled Quarantine Manager.
VLAN Name: The user-configured name of the Quarantine VLAN.
Mac Group Name: The user-configured name of the Quarantine MAC group.
Quarantine Switch List: Any switches that were not successfully included in a Quarantine sub-network.

Quarantine Manager Never Banned Tab

A device placed on the Never Banned list can never be banned, either manually or automatically, by Quarantine Manager. Important network servers should be placed on the Never Banned list. The Never Banned tab, shown below, displays a list of all devices that the Network Administrator has added to the Never Banned list. Field descriptions are provided below.

Note: The OmniVista server and all switches discovered by OmniVista are implicitly placed on the Never Banned list. Even though these devices do not appear in the list, they cannot be banned.

Never Banned Tab (screenshot)
Banned list could still pass traffic. The Quarantine VLAN or MAC group is configured in the Configuration tab.
Enabled: Administrative state of the rule.
- True: The rule is enabled.
- False: The rule is disabled.
Event Type: The type of triggering event, Syslog or Trap.

Regular Expressions Overview

Trigger Expressions

As stated earlier, a Trigger Expression is a Java regular expression used to determine whether a Syslog message or SNMP trap should trigger a quarantine action. If a Syslog message or SNMP trap matches this regular expression, the rule's action is performed. For example, suppose we are interested in a Fortinet Syslog event (Fortinet Anomaly) that looks something like this:

03/08/200 14:09:34 device_id=FG36002805033253 log_id=0421073001 type=ips subtype=anomaly pri=critical attack_id=102039582 src=90.0.0.10 dst=10.10.10.100 src_port=2370 dst_port=139 src_int=internal dst_int=external status=dropped proto=6 service=139/tcp msg="netbios: SMB.NTLMSSP.Attempt.B"

Many Syslog messages look similar; however, each message may carry a different date, device ID, source and destination address, and so on. What stays the same for a given type of event is the log_id value. If you are interested in all Fortinet Syslog messages with a log_id of 0421073001, the regular expression is easy: search for any message that contains the string log_id=0421073001. In the Trigger Expression field you would type the value

log_id=0421073001
10. In the Policy Name field, enter a policy name such as Quarantined.
11. Select the switches to which you want to apply this policy and click the Add button.
12. Click the Next button to create a policy condition.
13. Click the L2 MACs tab.

Set Conditions for Policy (screenshot: L1 Interfaces, L2 MACs, L2 VLANs, L3 IPs, L4 Services and Validity Period tabs)

14. In the Source MAC Addresses panel, uncheck the "Ignore Source MACs in defining Policy Condition" check box. This enables the other controls in the panel.
15. Click the Group radio button.
16. In the MAC Group drop-down list, select the Quarantined MAC group. This name must be the same as the one entered in Step 3.
17. Click the Next button to create a policy action.

Note: If you selected a switch in Step 11 that does not support the MAC group, an error is displayed. You must go back and remove that switch from the selection list.
trap notification.

Note: You must be careful when creating a rule, since a misconfigured rule could cause an important service to be inadvertently banned. Test a new rule's trigger and extraction expressions against captured messages before enabling it, and keep critical servers on the Never Banned list.

Creating a New Rule

To create a new rule, click the New button and complete the Quarantine Rules parameters. When you have completed all the fields, click the OK button, then click the Apply button to write the rule to the server.

Editing an Existing Rule

To edit an existing rule, select the rule and click the Edit button. Edit the applicable Quarantine Rules parameter(s), click the OK button, then click the Apply button to write the changes to the server.

Deleting a Rule

To delete a rule, select the rule (use the SHIFT or CTRL keys to select multiple rules), click the Delete button, then click the Apply button.

Importing a Rule

You can import a new rule from Alcatel without having to update the Quarantine Manager code. New rules are sent by Alcatel as XML files. An imported rule is a ban trigger like any other, so import only files obtained from Alcatel and review the rule's trigger and extraction expressions after import.
1. Save the XML file on your machine.
2. Select Import from the QM Rules drop-down menu, or click the Import Rules icon. An Import window opens in the OmniVista directory. Use the Look In pull-down menu to browse to and select the XML file.
Editing a Device in the Never Banned List

You can edit the Reason field for a device in the Never Banned list:
1. Select the device in the list.
2. Click the Edit button and edit the Reason field.
3. Click the OK button. The new information will display in the device's Reason field.

Deleting a Device from the Never Banned List

To delete a device from the Never Banned list:
1. Select the device in the list. You can select multiple devices using the SHIFT or CTRL keys.
2. Click the Delete button. The device will be deleted from the list and can be banned again like any other device.

Never Banned Tab Field Descriptions

Mac Address: The device's MAC address.
IP Address: The device's IP address or host name. If an Intrusion Prevention System (IPS) sends a MAC address, the IP address will have a value of 0.0.0.0.
Timestamp: The date and time the device was placed on the Never Banned list.
Reason: The reason the device is on the Never Banned list.
Quarantine Switch List: Any switches that were not successfully included in a Quarantine sub-network.

Quarantine Manager Disabled Ports Tab

When a port is disabled, an entry appears in the Disabled Ports List table. If you attempt to ban multiple MAC addresses on the same switch slot/port, multiple entries appear in the table. The Disabled Ports tab, shown
To Send an E-Mail

If you set the Response Action field to "Send an e-mail", follow the steps below to define the e-mail to be sent. It is important to note that all fields in the Sending E-Mail window of the Preferences application MUST be completed, or the e-mails you define will not be sent. To display the Sending E-Mail window, select Sending E-Mail in the Preferences application, which is part of the Administration group of applications.

Response Tab (screenshot: Response Description, Response Action, E-mail To, E-mail Subject, E-mail Body)

1. Enter a response description.
2. Enter the address to which the e-mail will be sent in the E-mail To field. The From address of the responder e-mails is taken from the Use From Address field in the Sending E-Mail window of the Preferences application.
Rules Tab (screenshot of the built-in rules table: Fortinet Anomaly, Fortinet Signature, Fortinet Virus, OA WLAN Rogue AP, Unsecure AP detected, STA with MAC associating with Rogue AP and the alaDoSTrap trap rule; columns Name, Description, Trigger Expression, Extraction Expression, Action, Enabled, Event Type)

Note: Banned rules have precedence over Candidate rules. If an event matches more than one rule, Quarantine Manager applies the first rule that places the device on the Banned list. If no matching rule places the device on the Banned list, Quarantine Manager applies the first matching rule that places the device on the Candidates list.

Rule Types

There are two types of rules: Built-In Rules and Custom Rules. The Built-In Rules cannot be deleted, although they can be modified or disabled. Custom Rules are rules that the Network Administrator creates. The Network Administrator can create a new rule, edit a rule, delete a rule or import a rule.
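The following Python program is an added example; it is not part of the OmniVista manual or of Alcatel's code. It models how the Rules tab applies rules to a message, as described in the Trigger Expressions and Extraction Expressions sections and in the precedence note above: a trigger expression decides whether a message fires a rule, the extraction expression captures the source address, Banned rules win over Candidate rules regardless of list order, and the FortiGate triggers fire on every status value except detected (and pass_session). The regular-expression subset it uses (character classes, {1,3}, \., negative lookahead) behaves the same in Java's java.util.regex, which Quarantine Manager uses, so the expressions can be pasted into the Trigger Expression and Extraction Expression fields. The constructed FortiGate message, the key=value separators, the rule names and the choice of a full-word negative lookahead instead of the canned rule's single-letter character class are this example's assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def fortigate_msg(log_id: str, src: str, status: str) -> str:
    """Constructed FortiGate-style IPS Syslog message in the key=value layout of the
    manual's sample. device_id, attack_id and the addresses are made-up test data."""
    return ("2005-03-08 14:09:34 device_id=FG36002805033253 log_id=%s type=ips "
            "subtype=anomaly pri=critical attack_id=102039582 src=%s dst=10.10.10.100 "
            "src_port=2370 dst_port=139 src_int=internal dst_int=external status=%s "
            "proto=6 service=139/tcp msg=\"netbios: SMB.NTLMSSP.Attempt.B\""
            % (log_id, src, status))


@dataclass(frozen=True)
class Rule:
    name: str
    trigger: str      # regex the message must contain somewhere
    extraction: str   # regex with exactly one capture group around the source address
    action: str       # "ban" or "candidate"


# The manual's three equivalent extraction expressions for "src=<ip>".
IPV4_EXACT = r"src=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
NOT_BLANK = r"src=([^ \t]+)"
DIGITS_DOT = r"src=([0-9.]+)"

# Fire on every status except "detected" and "pass_session". Spelling the excluded
# words out in a negative lookahead is this example's choice (assumption); the
# manual's canned rule tests the leading letter with a negated character class.
NOT_IGNORED = r"status=(?!detected|pass_session)"

RULES: List[Rule] = [
    # Listed first on purpose: a matching Ban rule must still beat this Candidate rule.
    Rule("Any Fortinet IPS event", r"type=ips", IPV4_EXACT, "candidate"),
    Rule("Fortinet Anomaly", r"log_id=0421073001.*" + NOT_IGNORED, IPV4_EXACT, "ban"),
    Rule("Fortinet Signature", r"log_id=0420070000.*" + NOT_IGNORED, NOT_BLANK, "ban"),
]


def extract_source(extraction: str, message: str) -> Optional[str]:
    """Apply an extraction expression and return a validated IPv4 address, or None.
    [0-9]{1,3} also admits 999.1.1.1, so the capture is checked with ipaddress."""
    m = re.search(extraction, message)
    if m is None or m.re.groups != 1:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def evaluate(message: str, rules: List[Rule]) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (rule name, action, source address) for the rule Quarantine Manager would
    apply: the first matching Ban rule, else the first matching Candidate rule, else
    None. A None address means the trigger fired but the extraction expression did
    not yield an address, the case the manual says to debug via server.txt."""
    for wanted in ("ban", "candidate"):
        for rule in rules:
            if rule.action == wanted and re.search(rule.trigger, message):
                return rule.name, rule.action, extract_source(rule.extraction, message)
    return None


def compare_extractions(message: str) -> dict:
    """Show that the manual's three extraction expressions agree on a well-formed message."""
    return {"exact": extract_source(IPV4_EXACT, message),
            "not_blank": extract_source(NOT_BLANK, message),
            "digits_dot": extract_source(DIGITS_DOT, message)}


def status_matrix(trigger: str) -> dict:
    """For each status value the manual lists, report whether the trigger fires.
    Run this on a new trigger before enabling the rule."""
    statuses = ("clear_session", "pass_session", "dropped", "reset", "detected")
    return {s: re.search(trigger, fortigate_msg("0421073001", "90.0.0.10", s)) is not None
            for s in statuses}


if __name__ == "__main__":
    for status in ("dropped", "detected", "pass_session"):
        print(status, "->", evaluate(fortigate_msg("0421073001", "90.0.0.10", status), RULES))
    print(status_matrix(r"log_id=0421073001.*" + NOT_IGNORED))
```

Running the file prints the decision for the dropped, detected and pass_session variants of the same event; status_matrix gives a quick pre-enable check of which of the five FortiGate status values a trigger fires on, which is the check to make whenever a trigger relies on excluding a status.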
Administrator, they are added to the Quarantined VLAN and/or the Quarantine MAC group. These devices can no longer pass traffic on the network. The devices remain in the Banned list until the Network Administrator removes them.

Note: You can create a logical Quarantine subnet to limit Quarantine Manager actions to a specific set of switches.

Configuration Tab (screenshot: Quarantine Action table with VLAN Name "Quarantined", Mac Group Name "QM MAC Group", Allow Port Disabling "true")

Configuring the Quarantine VLAN/MAC Group

You must first use the VLANs application to configure a Quarantine VLAN containing the switches you want to monitor with Quarantine Manager. In addition, because VLANs cannot be used when Group Mobility is not enabled, you must also configure an ACL by creating a Quarantined MAC group.
1. Create the Quarantined VLAN using the OmniVista VLANs application.
   - Click the VLANs button to open the VLANs application and the VLAN wizard.
   - Create the Quarantined VLAN following the steps in the VLAN wizard. You can accept the next available VLAN number or enter a new VLAN number; however, you cannot use a number as the VLAN name. You must give the VLAN a name (e.g. Quarantined). When adding devices to
version 2.3 is supported. Quarantine Manager supports all platforms currently supported by OmniVista 2500.

External Notification Device

An external device must be set up to send notifications to the Quarantine Manager application. For example, a Fortinet IPS device must be configured to send Syslog messages to Quarantine Manager. This setup includes specifying the IP address of the OmniVista server and the port of the OmniVista Syslog daemon (the preset default is 514), and specifying which events received by the IPS will generate a Syslog message. The message (Syslog message or trap) must include the IP or MAC address of the offending device. Because any message that matches a trigger expression results in a ban or a Candidates entry, and Syslog on UDP port 514 carries no sender authentication, restrict which hosts can reach the OmniVista Syslog port to the intended IPS and switches. In addition, the Network Administrator must create a Quarantine VLAN and MAC group.

Note: See the applicable user manual (e.g. Fortinet IPS) or the OmniVista Notifications application help pages (e.g. for AOS switches) for more information on configuring the external device used with Quarantine Manager.

Quarantine VLAN

You must first use the VLANs application to configure a Quarantine VLAN containing the switches you want to monitor with Quarantine Manager. In addition, because VLANs cannot be used when Group Mobility is not enabled, you must also configure an ACL by creating a Quarantined MAC group. You can access the VLANs application by clicking the VLANs button in the Configuration tab.

Note: Quarantine Manager does not support ACLs on XOS machines.

Getting Started with Quarantine Manager