Configuring the host reputation-based filter rule
The aim of this rule is to block ICMP requests from internal hosts whose reputation scores are above a certain value. The script that generates these requests and which is found on each of the internal hosts will therefore detect the absence of a response and cause the SES agent to change its behavior (increased security).
- In the Configuration > Security policy > Filter - NAT module, select your active filter policy.
- In the Filtering tab, click on New rule and then choose Single rule.
- Double click on the Status field to enable the rule.
- Double click on the Source field to edit the rule.
- In the Geolocation / reputation tab, select Enable filtering based on reputation score.
- Select the operator ("higher than") and indicate the desired reputation score.
- Select the Destination section (menu on the left side of the rule editing window). For the Destination hosts field, select (or create) the host to which ICMP requests will be directed. This host must be contactable at all times. As in this example, it may be the interface of the firewall connected to internal networks (Firewall_in object). If this interface needs to be contactable at all times (e.g., for a network monitoring solution), you are advised to assign a second IP address to it dedicated to this rule.
- Select the section Port / Protocol. In Protocols, fill out the fields as follows:
- Protocol type: IP protocol.
- IP protocol: icmp,
- ICMP message: Echo request (Ping).
- Confirm by clicking on OK.
- Using this method, create a rule above this rule, allowing ICMP requests for all the other hosts.