Define Action options for the Terminate action in Exception rules

The Terminate action options control connection termination, notifications, and the creation of blacklist entries.

Note: Virtual NGFW Engines cannot send blacklist requests to other Virtual NGFW Engines.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the Action cell and select Terminate.
  2. Double-click the Action cell.
  3. Select the action options, then click OK.

Select Rule Action Options dialog box (Inspection Terminate)

Use this dialog box to override and specify the options for the Terminate action in the Inspection Policy.

Option Definition
Override Settings Inherited from Continue Rule(s) When selected, overrides settings defined in Continue rules higher up in the policy.
Option Definition
Terminate tab
Terminates the Connection Select whether the connection is terminated.
  • Yes — Traffic is stopped.
  • No, just logs that termination could have occurred — A special “Terminate (passive)” log entry is created, but the traffic is allowed to continue. This option is useful for testing purposes to make sure that a new Terminate rule does not match traffic that you do not want to terminate. The log entry is generated regardless of the Logging options in the rule.
Notifies Client and Server With a Reset Select whether a TCP reset is sent to the client and the server.
  • Yes — A TCP reset is sent to both communicating parties, so that they are notified that the connection did not succeed (like the Refuse action in Access rules). Further options can be set on the Reset tab for terminated traffic that is not a TCP connection.
  • No, just silently terminates the connection — The connection is terminated without sending a TCP reset to the communicating parties.
Option Definition
Reset tab
Sends an ‘ICMP Destination Unreachable’ message if not a TCP connection (If Notifies Client and Server With a Reset is Yes on the Terminate tab)
  • Yes — The NGFW Engine sends an ICMP notification to communicating parties when non-TCP traffic is terminated.
  • No, takes no action if not a TCP connection — No notification is sent for non-TCP traffic.
Whether a notification is useful depends on the communicating application.
Option Definition
Blacklist Scope tab
Terminate the Single Connection Creates entries that stop matching current connections, but which are not stored for any time.
Block Traffic Between Endpoints Creates entries that stop matching connections and block traffic between the matching IP addresses for the set duration.
Duration Specifies how long the blacklist entry is stored on the NGFW Engine. If you leave the value as 0, the blacklist entry only cuts the current connections. Select the unit of time from the drop-down list on the right.
IP Protocol

To block traffic that uses a different protocol, click Select, then select an IP-proto Service. If you do not select an IP-proto Service, the blacklisting is applied to the protocol detected from the traffic.

This option is useful if you want to block traffic where the opening connection is, for example, TCP traffic, but the following connection then changes to using the UDP protocol.

If you select TCP or UDP as the protocol, we recommend that you set Endpoint 1 Port and Endpoint 2 Port to be Predefined TCP or Predefined UDP, respectively. For other protocols, set the ports to the Ignored option.

Endpoint 1 Address or Endpoint 2 Address
  • Any — Matches any IP address.
  • Attacker or Victim — Matches the IP address identified as the originator/target of an attack by the Situation element that is triggered.
  • IP Source or IP Destination — Matches the IP address that is the source/destination of the packets that trigger the detected Situation.
  • Connection Source or Connection Destination — Matches the IP address that is the source/destination of the TCP connection that triggers the detected situation.
  • Predefined — Matches only the fixed IP address you enter in the field to the right of the Address type list.
Endpoint 1 Port or Endpoint 2 Port
  • Ignored — Matches any IP traffic, regardless of the protocol or port.
  • From Traffic — Matches the IP protocol and the port number in the traffic that triggered the blacklist entry.
  • Predefined TCP — Matches only TCP traffic through the TCP port or the range of TCP ports that you enter in the fields on the right.
  • Predefined UDP — Matches only UDP traffic through the UDP port or the range of UDP ports that you enter in the fields on the right.
Blacklist Executors Select the NGFW Engines to which the blacklist requests are sent. Click Add to add an element to the list, or Remove to remove the selected element.
Include the Original Observer in the List of Executors Deselect this option if you do not want to include the NGFW Engine that detects the situation in the list of blacklist executors.
Option Definition
Response tab
User Response

(HTTP only)

Specifies the automatic response that is shown to the end user when a connection is discarded.

Click Select to select an element. You can use the default response or create a custom response.

User Responses are not supported on Virtual NGFW Engines.