Chapter 45 Collaborative Detection & Response
ZyWALL Series CLI Reference Guide
416
cdr block url {message|redirect}
Sets the notification web page that is displayed when a Block or Quarantine action is triggered.
• message: The Zyxel Device displays the default Zyxel Device notification page, with a message set by the command cdr block message.
• redirect: The Zyxel Device displays a custom external notification page, set by the command cdr block redirect.
cdr blocked-by {ip|mac}
Sets how CDR blocks suspected clients after a block or quarantine action is triggered.
• IP: The suspect client's IP address is blocked. However, the suspected client can access network resources again if it changes IP address, for example by picking up a new DHCP lease.
• MAC: The suspect client's MAC address is blocked. However, the suspected client can access network resources again if it changes MAC address, for example by using a different source Ethernet port.
Note: If you have a switch between the client and the Zyxel Device, then blocking by MAC address could block all traffic from the switch if the client MAC address is not forwarded through the switch.
cdr quarantine period <0..1440>
Sets how long the client is quarantined after a quarantine action is triggered. 0 means the client is quarantined forever.
cdr quarantine vlan-id <1..4094>
Sets a previously configured VLAN as the quarantine VLAN. When a client is quarantined, the client's traffic is isolated and is broadcast only to members of that VLAN.
cdr rule rule_id threshold occurrence duration duration action {alert|block|quarantine|block-alert|quarantine-alert}
Edits a CDR policy with the following values:
• rule_id: The category of the policy. At the time of writing, 1 = Malware, 2 = IDP, 3 = Web Threat.
• Occurrence: The number of security events that need to occur within the defined Duration to trigger a CDR containment action. The valid range is 1 to 100.
• Duration: The length of time, in minutes, within which the Occurrence number of security events needs to occur in order to trigger a CDR containment action. The valid range is 1 to 1440.
• Action: The action to be taken when the number of security events exceeds the threshold within the defined duration.
A suspect client is the wired or WiFi device that is sending malicious traffic in your network. A suspect client owner is the person who owns the wired or WiFi device that is sending malicious traffic in your network.
- Alert: Send an email to the suspect client owner or Zyxel Device admin. Please note that traffic from the suspect client will not be blocked when this action is triggered.
- Block: Block traffic from a suspect client at the Zyxel Device, or from a suspect WiFi client at the AP connected to the Zyxel Device. Please note that no alert will be sent to the suspect client owner when the suspect client is blocked. Traffic is still broadcast to other clients in the same subnet. A 'notification' web page is displayed when this action is triggered.
- Quarantine: Isolate traffic from a suspect client at the Zyxel Device in a quarantine VLAN. Please note that no alert will be sent to the suspect client owner when the suspect client is blocked. Traffic is not broadcast to other clients in the same subnet. A 'notification' web page is displayed to the client when this action is triggered.
- Block-Alert: Use this command if you want to both Block and Alert.
- Quarantine-Alert: Use this command if you want to both Quarantine and Alert.
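The following is an added example, not code from the guide or from Zyxel: a small Python replay of the threshold semantics described above, so that a policy's Occurrence and Duration values can be checked against a sample of security events before it is applied. It validates the value ranges given in the guide and assumes a sliding window per client and rule category that is reset once a rule fires; the event list is constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

ACTIONS = {"alert", "block", "quarantine", "block-alert", "quarantine-alert"}
CATEGORIES = {1: "Malware", 2: "IDP", 3: "Web Threat"}  # rule_id values from the guide

class CdrRule(NamedTuple):
    # cdr rule <rule_id> threshold <occurrence> duration <duration> action <action>
    rule_id: int
    occurrence: int  # events needed inside the window, valid range 1..100
    duration: int    # window length in minutes, valid range 1..1440
    action: str

def rule_error(rule):
    """None if the rule fits the ranges in the guide, else a message."""
    if rule.rule_id not in CATEGORIES:
        return f"unknown rule_id {rule.rule_id}"
    if not (1 <= rule.occurrence <= 100 and 1 <= rule.duration <= 1440):
        return "occurrence must be 1..100 and duration 1..1440 minutes"
    return None if rule.action in ACTIONS else f"unknown action {rule.action!r}"

def evaluate(rules, events):
    """Replay (timestamp, rule_id, client) events in time order and return the
    (timestamp, client, action) decisions the rules would fire.
    Assumption: a sliding window per client and rule, reset once the rule fires."""
    bad = [msg for msg in map(rule_error, rules) if msg]
    if bad:
        raise ValueError("; ".join(bad))
    by_id = {r.rule_id: r for r in rules}
    windows = defaultdict(deque)  # (rule_id, client) -> event timestamps in window
    decisions = []
    for ts, rule_id, client in sorted(e for e in events if e[1] in by_id):
        rule = by_id[rule_id]
        q = windows[(rule_id, client)]
        q.append(ts)
        while ts - q[0] > timedelta(minutes=rule.duration):
            q.popleft()  # drop events that fell out of the duration window
        if len(q) >= rule.occurrence:
            decisions.append((ts, client, rule.action))
            q.clear()
    return decisions

# Constructed sample: three Malware events from one client within eight minutes,
# and two IDP events from another client an hour apart (outside a 30-minute window).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_RULES = [CdrRule(1, 3, 10, "quarantine-alert"), CdrRule(2, 2, 30, "block")]
SAMPLE_EVENTS = [(T0, 1, "10.0.0.5"), (T0 + timedelta(minutes=3), 1, "10.0.0.5"),
                 (T0 + timedelta(minutes=8), 1, "10.0.0.5"),
                 (T0, 2, "10.0.0.7"), (T0 + timedelta(minutes=60), 2, "10.0.0.7")]
```

With the sample data only the Malware rule fires, for 10.0.0.5 at the third event; the two IDP events are too far apart to reach the threshold.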
cdr send-alerts-to email_address
Sets an email address, in the user@domain.com format, of the owner of the suspect client or of another person who should be informed that a CDR action was triggered.
cdr unblock ipv4 ip_address
Unblocks an IP address that is currently being blocked or quarantined. This removes the address from the CDR containment list.
Table 224 CDR General Commands
COMMAND DESCRIPTION