
Creating a Suspicious Activity Rule

Suspicious Activity Monitoring (SAM) rules consume CPU resources on the gateway. Therefore, set an expiration time on each rule so that you can inspect the traffic without degrading performance for longer than necessary.

A SAM rule is a temporary measure. If you confirm that an activity is risky, make the block permanent by editing the Security Policy, educate the users involved, or otherwise handle the risk.

You can block suspicious activity based on source, destination, or service.

To block an activity:

  1. In the SmartView Monitor, click the Suspicious Activity Rules icon in the toolbar.

    The Enforced Suspicious Activity Rules window opens.

  2. Click Add.

    The Block Suspicious Activity window opens.

  3. In Source and in Destination, select IP or Network:
    • To block all sources or destinations that match the other parameters, enter Any.
    • To block one suspicious source or destination, enter an IP Address and Network Mask.
  4. In Service:
    • To block all connections that fit the other parameters, enter Any.
    • To block one suspicious service or protocol, click the button and select a service from the window that opens.
  5. In Expiration, set a time limit.
  6. Click Enforce.

To create an activity rule based on TCP or UDP use:

  1. In the Block Suspicious Activity window, click Service.

    The Select Service window opens.

  2. Click Custom Service.
  3. Select TCP or UDP.
  4. Enter the port number.
  5. Click OK.

To define SmartView Monitor actions on rule match:

  1. In the Block Suspicious Activity window, click Advanced.

    The Advanced window opens.

  2. In Action, select the action the Firewall takes when a connection matches the rule:
    • Notify - Send a message about the activity, but do not block it.
    • Drop - Drop the packets without sending any response to the source. The connection times out.
    • Reject - Send a TCP RST packet to the source and close the connection.
  3. In Track, select No Log, Log, or Alert.
  4. If the action is Drop: To close matching connections immediately on rule match, rather than letting them time out, select Close connections.
  5. Click OK.
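The same rule can be created from the command line on the gateway or Security Management Server with `fw sam`, which is useful for scripting a time-boxed block during incident response. The following is an added example, not code from the Check Point documentation: it maps the GUI fields above (Source, Destination, Service, Expiration, Action, Track, Close connections) onto an `fw sam` command line and refuses any rule without an expiration, which is the caveat at the top of this page. The option and criteria names (`-n`/`-i`/`-I`/`-j`/`-J`, `-t`, `-l`, `-f`, `src`/`dst`/`subsrc`/`subdst`/`dstsrv`/`srv`, numeric IP protocol) are my understanding of the `fw sam` syntax and are assumptions to verify against the CLI reference for your release; the `-J` (reject and close) option is included even though the GUI only offers Close connections for Drop. The IP addresses in the usage block are constructed documentation ranges, not real incidents.

```python
"""Build the `fw sam` command equivalent of a SmartView Monitor
Suspicious Activity Rule (added example, not Check Point's own code).

Option and criteria names are assumptions about the fw sam CLI syntax;
verify them for your release before running anything this emits.
"""
import ipaddress
import shlex

# GUI Action + "Close connections" -> fw sam action option (assumed mapping)
ACTION_OPTION = {
    ("Notify", False): "-n",   # notify only, traffic is not blocked
    ("Drop", False): "-i",     # inhibit: drop silently, the connection times out
    ("Drop", True): "-I",      # inhibit and close existing matching connections
    ("Reject", False): "-j",   # reject: RST to the source
    ("Reject", True): "-J",    # reject and close existing matching connections
}
# GUI Track -> fw sam -l log type (assumed mapping)
TRACK_LOGTYPE = {"No Log": "nolog", "Log": "long_noalert", "Alert": "long_alert"}
PROTO_NUMBER = {"TCP": 6, "UDP": 17}   # IP protocol numbers


def _endpoint(value):
    """Parse a Source/Destination field: None for Any, (ip, None) for a
    host, (network, netmask) for "ip mask" or CIDR input."""
    if value is None or value.strip().lower() == "any":
        return None
    net = ipaddress.ip_network(value.strip().replace(" ", "/"), strict=False)
    if net.prefixlen == net.max_prefixlen:
        return (str(net.network_address), None)
    return (str(net.network_address), str(net.netmask))


def _criteria(src, dst, service):
    """Pick the fw sam criteria form for the GUI selection. Only forms I am
    sure of are covered; anything else raises rather than silently widening
    or narrowing the rule."""
    s, d = _endpoint(src), _endpoint(dst)
    if service is None:
        if s and not d:
            return ["src", s[0]] if s[1] is None else ["subsrc", s[0], s[1]]
        if d and not s:
            return ["dst", d[0]] if d[1] is None else ["subdst", d[0], d[1]]
        raise ValueError("with Service=Any give exactly one of Source/Destination")
    port, proto = service
    proto_num = str(PROTO_NUMBER[proto.upper()])   # KeyError unless TCP/UDP
    if d and d[1] is None and not s:
        return ["dstsrv", d[0], str(port), proto_num]
    if s and d and s[1] is None and d[1] is None:
        return ["srv", s[0], d[0], str(port), proto_num]
    raise ValueError("service rules need a destination host, optionally a source host")


def sam_rule(src="Any", dst="Any", service=None, expiration_s=None,
             action="Drop", track="Log", close_connections=False, target="All"):
    """Return the argv for fw sam matching the GUI fields. expiration_s is
    mandatory because an open-ended SAM rule keeps consuming CPU; service
    is (port, "TCP"|"UDP") or None for Any; target is the -f gateway name."""
    if not isinstance(expiration_s, int) or expiration_s <= 0:
        raise ValueError("Expiration must be a positive number of seconds")
    try:
        action_opt = ACTION_OPTION[(action, close_connections)]
        log_type = TRACK_LOGTYPE[track]
        criteria = _criteria(src, dst, service)
    except KeyError as exc:
        raise ValueError(f"unsupported GUI value: {exc}") from None
    return ["fw", "sam", "-f", target, "-t", str(expiration_s),
            "-l", log_type, action_opt, *criteria]


def sam_command(**fields):
    """Shell-quoted one-liner for pasting into expert mode."""
    return shlex.join(sam_rule(**fields))


def is_valid_rule(**fields):
    """True if the GUI field combination maps onto a command we can express."""
    try:
        sam_rule(**fields)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed examples using documentation address ranges.
    print(sam_command(src="203.0.113.7", expiration_s=3600))
    print(sam_command(dst="10.0.0.5", service=(22, "TCP"), expiration_s=600,
                      action="Reject", track="Alert"))
    print(sam_command(src="198.51.100.0 255.255.255.0", expiration_s=300,
                      track="No Log", close_connections=True))
```

The builder deliberately raises on field combinations it does not map (for example Source and Destination both set with Service left as Any), so a script never emits a rule broader than the one you intended; extend `_criteria` with the additional `fw sam` criteria forms your CLI reference documents if you need them.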