User Guide: AMF Security mini version 1.7.0

Registering Actions




What is Action

An action is a mechanism by which AMF Security mini decides how to treat (block, quarantine or allow) a particular device, based on various criteria such as the device's MAC address, IPv4 address, ID, Tag, Location, OpenFlow Switch and Network. It can be used to selectively perform actions on individual devices without relying on the normal Device Authentication Data and UnAuth Group.
If you are using external security applications which are interacting with AMF Security mini, actions are automatically generated and executed when AMF Security mini receives instructions from those applications.
You can also manually create actions without using external applications.
In either case, the action takes precedence over the Device Authentication Data and the UnAuth Group.

You can use the following data as conditions for an action.
If the conditions are met, the specified AMF action, such as AMF Dependency, Quarantine, or Drop Packets, is applied to the device's connection.

Actions with the conditions including Device MAC Address, Device IPv4 Address, Device or Device Tag are also used by the AMF Application Proxy.
To specify an AMF action "IP-Filter", a Device IPv4 Address must be specified.


Manually Adding Action

To add an action manually, follow these steps.
Actions can be registered on the Policy Settings > Add Action page.
In this example, a suspicious packet was sent from the device with MAC address "00:00:5E:00:53:01" connected to "AMF-Member_2", which provides the guest network to the UnAuth Group. The following steps discard packets from this device.

  1. Open the Policy Settings > Action List page.

    This page shows the list of actions. As you see, no action is registered at this point.

  2. Click the "Add Action" button at the top right corner of the Policy Settings > Action List page to open Policy Settings > Add Action page.


  3. Enter information for the action to add.

    As an example, configure the settings shown in the following table:

    Table 1: Sample Configuration Data
    Item Name | Value | Description
    Action ID (Mandatory) | Block suspicious device | ID (Name) of the action. Action ID must be unique. Max 255 characters.
    Priority | 10 | Priority of the action. It must be an integer between 1 and 65535. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed. Priority value is set to 10 if it is unspecified.
    Reason | Port Scan | Administrative comment such as a reason for running this action. Max 255 characters.

  4. Enter conditions to trigger the action.

    In this example, specify the suspicious device as Device MAC Address.

    Table 2: Sample Configuration Data / Conditions
    Item Name | Value | Description
    Device MAC Address | 00:00:5E:00:53:01 | Unicast MAC address of the target device. Valid formats are as follows: xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx
    Device IPv4 Address | (empty) | Unicast IPv4 address of the target device.
    Device | (empty) | Device ID of the target device. Maximum 100 device IDs are shown in the drop-down list. If you enter text in the field, device IDs in the drop-down list are dynamically filtered to the ones which contain the input text in Device ID, Tag or Note (it shows maximum 100 elements). From the drop-down list, select a Device ID for the device.
    Device Tag | (empty) | Device Tag of the target device.

  5. Select the action to perform when a device meets the conditions.
    Select "Drop Packets" to drop packets from the device.


    Table 3: Sample Configuration Data / Action
    Item Name | Value | Description
    AMF Action | Drop Packets | An action to be taken on the AMF network deploying the AMF Application Proxy feature:
    • AMF Dependency: AMF Security mini does not specify an action and lets AMF devices determine its action.
    • Quarantine: Move the port where the device is connected to the quarantine VLAN.
    • Drop Packets: Block traffic from the device at the layer two (MAC) level.
    • Link-Down: Shutdown the port where the device is connected.
    • IP-Filter: Block traffic from the device at the layer 3 (IP) level.
    • Log-Only: Record the device information.

  6. Click the "Submit" button.
    Once the action is added, the Policy Settings > Action List page reflects the added information.

Now the action has been added.
After the action is activated, all traffic from the MAC address is dropped unless you delete the action or you add an action with higher priority (smaller priority value) to permit the MAC address.



18 Jan 2021 10:56