User Guide: AMF Security mini version 2.2.0

Registering Actions




What is Action

AMF Security mini has an authentication rule called an Action. In addition to processing based on device authentication data and the UnAuth Group, AMF Security mini can use Actions to individually isolate or block devices that meet specific conditions, or to connect them to a network different from the one registered in the device authentication data.
If you use external security applications that interact with AMF Security, actions are automatically generated and executed when AMF Security receives instructions from those applications.
You can also manually create actions without using external applications.
With the AMF Application Proxy, when an Action is registered, the proxy node is notified of it and the Action is processed on the proxy node and edge node side.


You can use the following data as conditions for an action.
AMF Security performs the specified AMF Actions (AMF Dependency, Quarantine or Drop Packets) when a device matches those conditions.

Actions whose conditions include Device MAC Address, Device IPv4 Address, Device or Device Tag are also used by the AMF Application Proxy.
To specify the AMF action "IP-Filter", a Device IPv4 Address must be specified.


Manually Adding Action


Actions can be registered on the Policy Settings > Add Action page.
In this example, a suspicious packet was sent from the device with MAC address "00:00:5E:00:53:01" connected to the AMF Member "AMF-Member_2" that provides the guest network to the UnAuth Group. The following explains how to drop packets from this device. To add an action manually, follow these steps:

  1. Open the Policy Settings > Action List page.

    This page shows the list of actions registered in AMF Security mini. As you see, no action is registered at this point.

  2. Click the "Add Action" button at the top right corner of the Policy Settings > Action List page to open Policy Settings > Add Action page.


  3. Enter information for the action to add.

    As an example, configure the settings shown in the following table:

    Table 1: Sample Configuration Data

    | Item Name | Value | Description |
    |---|---|---|
    | Action ID (Mandatory) | Block suspicious device | ID (Name) of the action to register. Action ID must be unique. Max 255 characters. |
    | Priority | 10 | Priority of the action. It must be an integer between 1 and 65535. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed. Priority value is set to 10 if it is unspecified. |
    | Reason | Port Scan | Administrative comment such as a reason for running this action. Max 255 characters. |

  4. Enter conditions to trigger the action.

    In this example, specify the suspicious device as Device MAC Address.

    Table 2: Sample Configuration Data / Conditions

    | Item Name | Value | Description |
    |---|---|---|
    | Device MAC Address | 00:00:5E:00:53:01 | Unicast MAC address of the target device. Valid formats are as follows: xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx |
    | Device IPv4 Address | (empty) | Unicast IPv4 Address of the target device. |
    | Device | (empty) | Device ID of the target device. Maximum 100 device IDs are shown in the dropdown list. If you enter text in the field, device IDs in the dropdown list are dynamically filtered to the ones which contain the input text in Device ID, Tag or Note (it shows maximum 100 elements). From the dropdown list, select a Device ID for the device. |
    | Device Tag | (empty) | Device Tag of the target device. |

  5. Select the action to perform when a device meets the conditions.
    In this example, packets from the device are to be discarded, so select "Drop Packets".


    Table 3: Sample Configuration Data / Action

    | Item Name | Value | Description |
    |---|---|---|
    | AMF Action | Drop Packets | An action to be taken on the AMF network deploying AMF Application Proxy feature. |

    Available AMF Action values:
    • AMF Dependency: AMF Security mini does not specify an action and lets AMF devices determine its action.
    • Quarantine: Move the port where the device is connected to the quarantine VLAN.
    • Drop Packets: Block traffic from the device at the layer two (MAC) level.
    • Link-Down: Shutdown the port where the device is connected.
    • IP-Filter: Block traffic from the device at the layer 3 (IP) level.
    • Log-Only: Record the device information.

  6. Click "Submit".
    Once the action has been added, the Policy Settings > Action List page reflects the added information.

Now the action has been added.
After the action is activated, all traffic from the MAC address is dropped unless you delete the action or you add an action with higher priority (smaller priority value) to permit the MAC address.
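
The field limits in Tables 1-3 and the priority rule above can be checked locally before an action is entered on the Add Action page. The following is an added example, not part of the original guide or of AMF Security mini; the dictionary keys (action_id, priority, reason, mac, ipv4, amf_action) and the function names are assumptions for illustration, and the second sample action is constructed.

```python
import ipaddress
import re
# The three MAC notations the guide accepts for "Device MAC Address".
_MAC_FORMATS = [re.compile(p) for p in (
    r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
    r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$",
    r"^[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}$")]
AMF_ACTIONS = {"AMF Dependency", "Quarantine", "Drop Packets",
               "Link-Down", "IP-Filter", "Log-Only"}

def normalize_mac(mac):
    """Return the MAC as lowercase xx:xx:xx:xx:xx:xx, or raise ValueError."""
    if not any(p.match(mac) for p in _MAC_FORMATS):
        raise ValueError(f"unsupported MAC format: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if int(digits[:2], 16) & 1:  # I/G bit set: multicast or broadcast
        raise ValueError(f"not a unicast MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def validate_action(action):
    """Check a local action record (hypothetical keys) against Tables 1-3."""
    out = dict(action)
    if not 1 <= len(out.get("action_id", "")) <= 255:
        raise ValueError("Action ID is mandatory, max 255 characters")
    out.setdefault("priority", 10)  # the guide's default when unspecified
    if type(out["priority"]) is not int or not 1 <= out["priority"] <= 65535:
        raise ValueError("Priority must be an integer between 1 and 65535")
    if len(out.get("reason", "")) > 255:
        raise ValueError("Reason: max 255 characters")
    if out.get("amf_action") not in AMF_ACTIONS:
        raise ValueError("unknown AMF Action")
    if out.get("mac"):
        out["mac"] = normalize_mac(out["mac"])
    if out.get("ipv4"):
        ipaddress.IPv4Address(out["ipv4"])  # raises ValueError if malformed
    elif out["amf_action"] == "IP-Filter":
        raise ValueError("IP-Filter requires a Device IPv4 Address")
    return out

def effective_action(actions, mac):
    """Among validated actions matching this MAC, the smallest priority wins."""
    target = normalize_mac(mac)
    hits = [a for a in actions if a.get("mac") == target]
    return min(hits, key=lambda a: a["priority"]) if hits else None

# Constructed sample: the guide's example plus a made-up lower-priority action.
SAMPLE = [validate_action(a) for a in (
    {"action_id": "Block suspicious device", "priority": 10, "reason": "Port Scan",
     "mac": "00:00:5E:00:53:01", "amf_action": "Drop Packets"},
    {"action_id": "Log only", "priority": 500, "mac": "0000.5e00.5301", "amf_action": "Log-Only"})]
```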


09 Jul 2021 12:05