Understanding Action Objects and how to add them

05/11/2020 0 People found this article helpful 88,311 Views

Description

Action Objects define how the App Rules policy reacts to matching events. There are options to create a custom action object or select one of the predefined, default actions.

Resolution

There are a number of system-defined, default actions that are predefined by SonicOS. These default action objects cannot be edited or deleted. The default actions are displayed in the Edit App Rule Policy dialog when you add or edit policy from the Manage | Rules | App Rules page.

Several BWM action object options are available in the predefined, default action list. The BWM action options change depending on the Bandwidth Management Typesetting on the Firewall Settings | Bandwidth Management page. If the Bandwidth Management Type is set to Global, all eight priorities are selectable. If the Bandwidth Management Type is set to Advanced, no priorities are selectable, but the predefined priorities are available when adding a policy.

Several Bypass action options are available in the default action list. These are available if the indicated security services are licensed on the firewall.

Predefined Default Action Availability:

Always Available	If BWM Type =
Always Available	Global	Advanced
Reset / Drop	BWM Global-Realtime	Advanced BWM Low
No Action	BWM Global-Highest	Advanced BWM Medium
Bypass DPI	BWM Global-High	Advanced BWM High
Packet Monitor	BWM Global-Medium High
Bypass GAV	BWM Global-Medium
Bypass IPS	BWM Global-Medium Low
Bypass SPY	BWM Global-Low
Bypass Capture ATP	BWM Global-Lowest

Predefined Default Action Object Descriptions:

Action Type	Description
Reset / Drop	For TCP, the connection will be reset. For UDP, the packet will be dropped.
No Action	Policies can be specified without any action. This allows “log only” policy types.
Bypass DPI	Bypasses Deep Packet Inspection components IPS, GAV, Anti-Spyware and application control. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for application control inspection. This action supports proper handling of the FTP data channel. Note that Bypass DPI does not stop filters that are enabled on the Firewall Settings > SSL Control page.
Packet Monitor	Use the SonicOS Packet Monitor capability to capture the inbound and outbound packets in the session, or if mirroring is configured, to copy the packets to another interface. The capture can be viewed and analyzed with Wireshark.
BWM Global-Realtime	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of zero.
BWM Global-Highest	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of one.
BWM Global-High	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 30%) and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of two.
BWM Global-Medium High	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of three.
BWM Global-Medium	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 50%) and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of four.
BWM Global-Medium Low	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of five.
BWM Global-Low	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 20%) and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of six.
BWM Global-Lowest	Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of seven.
Bypass GAV	Bypasses Gateway Anti-Virus inspections of traffic matching the policy. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for application control inspection. This action supports proper handling of the FTP data channel.
Bypass IPS	Bypasses Intrusion Prevention Service inspections of traffic matching the policy. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for application control inspection. This action supports proper handling of the FTP data channel.
Bypass SPY	Bypasses Anti-Spyware inspections of traffic matching the policy. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels that are never bypassed for application control inspection. This action supports proper handling of the FTP data channel.
Bypass Capture ATP	Provides a way to skip Capture Advanced Threat Protection (ATP) analysis in specific cases when you know the file is free of malware. This action persists for the duration of the entire connection as soon as it is triggered. This option does not prevent other anti-threat components, such as GAV and Cloud Anti-Virus, from examining the file.

Action Types for Custom Action Objects:

The Action types available for creating custom action objects are displayed in the Add/Edit Action Object dialog, which is displayed when you click Add at the top of the Manage | Objects | Action Objects page.

NOTE: You can create custom action objects using the Action types available under Action Object Settings in the Add/Edit Action Object dialog. The default predefined action objects cannot be edited or deleted. When you create a policy, the Edit App Control Policy dialog provides a way for you to select from the predefined action objects along with any custom actions that you have defined.

Action Types for Custom Action Objects:

Action Type	Description
Block SMTP Email - Send Error Reply	Blocks SMTP email and notifies the sender with a customized error message.
Disable Email Attachment - Add Text	Disables attachment inside of an email and adds customized text.
Email - Add Text	Appends custom text at the end of the email.
FTP Notification Reply	Sends text back to the client over the FTP control channel without terminating the connection.
HTTP Block Page	Allows a custom HTTP block page configuration with a choice of colors.
HTTP Redirect	Provides HTTP Redirect functionality. For example, if someone would like to redirect people to the Google Web site, the customizable part will look like: http://www.google.com If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information in the form will be lost.
Bandwidth Management	Allows the definition of bandwidth management constraints with the same semantics as Access Rule BWM policy definition.

A priority setting of zero is the highest priority. Guaranteed bandwidth for all levels of BWM combined must not exceed 100%.

Actions Using Bandwidth Management:

Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth consumption by specific file types within a protocol while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom App Rules policies using HTTP client, HTTP Server, Custom, and FTP file transfer types.

If the Bandwidth Management Type on the Firewall Settings > Bandwidth Management page is set to Global, application layer bandwidth management functionality is supported with eight predefined, default BWM priority levels, available when adding a policy from the Rules > App Rules page.

All application bandwidth management is tied in with global bandwidth management, which is configured on the Manage | Firewall Settings | Bandwidth Management page.

TIP: As a best practice, configure the global Bandwidth Management settings on the Firewall Settings | Bandwidth Management page should always be done before configuring any BWM policies.

Add/Edit Action Objects Page with Bandwidth Management Type Global:

NOTE: All priorities are displayed (Realtime - Lowest) regardless of whether they have been configured. Refer to the Firewall Settings > Bandwidth Management page to determine which priorities are enabled. If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the level 4 priority (4 Medium).

With Advanced mode of BWM, the Advanced BWM action objects can be edited from Manage | Objects > Bandwidth Objects tab.

Bandwidth Management Methods:

The Bandwidth Management feature can be implemented in two separate ways:

Per Policy Method – The bandwidth limit specified in the policy is applied individually to each policy
EXAMPLE: Two policies each have an independent limit of 500kb/s, the total possible bandwidth between those two rules is 1000kb/s.
Per Action Aggregate Method – The bandwidth limit action is applied (shared) across all policies to which it is applied.
EXAMPLE: Two policies share a BWM limit of 500kb/s, limiting the total bandwidth between the two policies to 500kb/s.

To configure an Action Object:

In the MANAGE view, navigate to Policies | Objects > Action Objects.
At the top of the page above the table, click Add.
In the Add/Edit Action Object dialog, type a descriptive name in the Action Name field.
In the Action drop-down menu, select the action type that you want.
In the Content field, type the text or URL to be used in the action.
If HTTP Block Page was selected as the action type, the options change.
a) In the Content field, enter the content to be displayed when a page is blocked.
b) From the Color drop-down menu, choose a background color for the block page: White, Yellow, Red, Blue
c) To preview the block page message, click the Preview button.
If Bandwidth Management was selected as the action type, the options change.
Click OK

NOTE: Action objects are used in conjunction with Match objects to create App rules. Please use the link Most Common Configurations For App Rules to look at the way these Match Objects can be used for specific scenarios.