How to verify historical use of quarantine rules

Technote (FAQ)


Question

How can you tell the history of what quarantine rules were used and when they were used on a Network IPS?

Answer

Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.




The current active quarantine rules can be viewed in the Local Management Interface (LMI) of the system.

  1. If using firmware 4.x, the rules will be located under Secure Protection Settings > Response Tuning > Quarantine Rules.

  2. If using firmwares 1.x, 2.x or 3.x, the rules will be located under Intrusion Prevention > Quarantined Intrusions.

This view does not show the history of the quarantine rules. If users need to review quarantine rules that are no longer present in the LMI, they can view the contents of the following file on the system:
  • If using firmware 4.x: /cache/ISS/quarantine_log
  • If using firmwares 1.x, 2.x or 3.x: /cache/ISS/event<xxxx>.log

This log file contains entries showing when quarantines are added, expired or deleted (manually removed). To view this file, you can use one of the following options:
  • Log in to the system with the root account via SSH or console connection. View the file using Linux command line commands such as cat.
  • Use a program such as WinSCP to download the file from the appliance and view it on your desktop in a text editor.



If the above information does not resolve your issue, contact IBM Security Systems Customer Support.


Cross reference information
Segment Product Component Platform Version Edition
Security Proventia Virtualized Network Security Platform Firmware 3.3, 4.1, 4.3, 4.4, 4.5, 4.6

Historical Number

4542

Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Security Network Intrusion Prevention System
Documentation

Software version:

4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.6.1

Operating system(s):

Firmware

Reference #:

1436112

Modified date:

2013-07-15

Translate my page

Machine Translation

Content navigation