Understanding Action Objects and how to add them
05/11/2020 
0 
3950
DESCRIPTION:
Action Objects define how the App Rules policy reacts to matching events. There are options to create a custom action object or select one of the predefined, default actions.
RESOLUTION:
There are a number of system-defined, default actions that are predefined by SonicOS. These default action objects cannot be edited or deleted. The default actions are displayed in the Edit App Rule Policy dialog when you add or edit policy from the Manage | Rules | App Rules page.
Several BWM action object options are available in the predefined, default action list. The BWM action options change depending on the Bandwidth Management Typesetting on the Firewall Settings | Bandwidth Management page. If the Bandwidth Management Type is set to Global, all eight priorities are selectable. If the Bandwidth Management Type is set to Advanced, no priorities are selectable, but the predefined priorities are available when adding a policy.
Several Bypass action options are available in the default action list. These are available if the indicated security services are licensed on the firewall.
Predefined Default Action Availability:
| Always Available | If BWM Type = |
| Global | Advanced |
| Reset / Drop | BWM Global-Realtime | Advanced BWM Low |
| No Action | BWM Global-Highest | Advanced BWM Medium |
| Bypass DPI | BWM Global-High | Advanced BWM High |
| Packet Monitor | BWM Global-Medium High |
|
| Bypass GAV | BWM Global-Medium |
|
| Bypass IPS | BWM Global-Medium Low |
|
| Bypass SPY | BWM Global-Low |
|
| Bypass Capture ATP | BWM Global-Lowest |
|
Predefined Default Action Object Descriptions:
| Action Type | Description |
| Reset / Drop | For TCP, the connection will be reset. For UDP, the packet will be dropped. |
| No Action | Policies can be specified without any action. This allows “log only” policy types. |
| Bypass DPI | Bypasses Deep Packet Inspection components IPS, GAV, Anti-Spyware and application control. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for application control inspection. This action supports proper handling of the FTP data channel. Note that Bypass DPI does not stop filters that are enabled on the Firewall Settings > SSL Control page. |
| Packet Monitor | Use the SonicOS Packet Monitor capability to capture the inbound and outbound packets in the session, or if mirroring is configured, to copy the packets to another interface. The capture can be viewed and analyzed with Wireshark. |
| BWM Global-Realtime | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of zero. |
| BWM Global-Highest | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of one. |
| BWM Global-High | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 30%) and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of two. |
| BWM Global-Medium High | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of three. |
| BWM Global-Medium | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 50%) and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of four. |
| BWM Global-Medium Low | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of five. |
| BWM Global-Low | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 20%) and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of six. |
| BWM Global-Lowest | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of seven. |
| Bypass GAV | Bypasses Gateway Anti-Virus inspections of traffic matching the policy. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for application control inspection. This action supports proper handling of the FTP data channel. |
| Bypass IPS | Bypasses Intrusion Prevention Service inspections of traffic matching the policy. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for application control inspection. This action supports proper handling of the FTP data channel. |
| Bypass SPY | Bypasses Anti-Spyware inspections of traffic matching the policy. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for
application control inspection. This action supports proper handling of the FTP data channel. |
| Bypass Capture ATP | Provides a way to skip Capture Advanced Threat Protection (ATP) analysis in specific cases when you know the file is free of malware. This action persists for the duration of the entire connection as soon as it is triggered. This option does not prevent other anti-threat components, such as GAV and Cloud Anti-Virus, from examining the file. |
Action Types for Custom Action Objects:
The Action types available for creating custom action objects are displayed in the Add/Edit Action Object dialog, which is displayed when you click Add at the top of the Manage | Objects | Action Objects page.
NOTE: You can create custom action objects using the Action types available under Action Object Settings in the Add/Edit Action Object dialog. The default predefined action objects cannot be edited or deleted. When you create a policy, the Edit App Control Policy dialog provides a way for you to select from the predefined action objects along with any custom actions that you have defined.
Action Types for Custom Action Objects:
| Action Type | Description |
| Block SMTP Email - Send Error Reply | Blocks SMTP email and notifies the sender with a customized error message. |
| Disable Email Attachment - Add Text | Disables attachment inside of an email and adds customized text. |
| Email - Add Text | Appends custom text at the end of the email. |
| FTP Notification Reply | Sends text back to the client over the FTP control channel without terminating the connection. |
| HTTP Block Page | Allows a custom HTTP block page configuration with a choice of colors. |
| HTTP Redirect | Provides HTTP Redirect functionality. For example, if someone would like to redirect people to the Google Web site, the customizable part will look like: http://www.google.com If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information in the form will be lost. |
| Bandwidth Management | Allows the definition of bandwidth management constraints with the same semantics as Access Rule BWM policy definition. |
A priority setting of zero is the highest priority. Guaranteed bandwidth for all levels of BWM combined must not exceed 100%.
Actions Using Bandwidth Management:
Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth consumption by specific file types within a protocol while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom App Rules policies using HTTP client, HTTP Server, Custom, and FTP file transfer types.
If the Bandwidth Management Type on the Firewall Settings > Bandwidth Management page is set to Global, application layer bandwidth management functionality is supported with eight predefined, default BWM priority levels, available when adding a policy from the Rules > App Rules page.
All application bandwidth management is tied in with global bandwidth management, which is configured on the Manage | Firewall Settings | Bandwidth Management page.
TIP: As a best practice, configure the global Bandwidth Management settings on the Firewall Settings | Bandwidth Management page should always be done before configuring any BWM policies.
Add/Edit Action Objects Page with Bandwidth Management Type Global:
NOTE: All priorities are displayed (Realtime - Lowest) regardless of whether they have been configured. Refer to the Firewall Settings > Bandwidth Management page to determine which priorities are enabled. If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the level 4 priority (4 Medium).
With Advanced mode of BWM, the Advanced BWM action objects can be edited from Manage | Objects > Bandwidth Objects tab.
Bandwidth Management Methods:
The Bandwidth Management feature can be implemented in two separate ways:
- Per Policy Method – The bandwidth limit specified in the policy is applied individually to each policy
EXAMPLE: Two policies each have an independent limit of 500kb/s, the total possible bandwidth between those two rules is 1000kb/s.
- Per Action Aggregate Method – The bandwidth limit action is applied (shared) across all policies to which it is applied.
EXAMPLE: Two policies share a BWM limit of 500kb/s, limiting the total bandwidth between the two policies to 500kb/s.
To configure an Action Object:
- In the MANAGE view, navigate to Policies | Objects > Action Objects.
- At the top of the page above the table, click Add.
- In the Add/Edit Action Object dialog, type a descriptive name in the Action Name field.
- In the Action drop-down menu, select the action type that you want.
- In the Content field, type the text or URL to be used in the action.
- If HTTP Block Page was selected as the action type, the options change.
a) In the Content field, enter the content to be displayed when a page is blocked.
b) From the Color drop-down menu, choose a background color for the block page: White, Yellow, Red, Blue
c) To preview the block page message, click the Preview button.
- If Bandwidth Management was selected as the action type, the options change.
- Click OK
NOTE: Action objects are used in conjunction with Match objects to create App rules. Please use the link Most Common Configurations For App Rules to look at the way these Match Objects can be used for specific scenarios.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
