Contents

Registering Actions

Quick Tour > Registering Actions

---

---

What is Action

Action is a mechanism for AMF Security mini to decide how to treat (block, quarantine or allow) a particular device, based on various criterion such as device's MAC address, IPv4 address, ID, Tag, Location, OpenFlow Switch and Network. It can be used to selectively perform actions on individual devices without relying on the normal Device Authentication Data and UnAuth Group.
If you are using external security applications which are interacting with AMF Security mini, actions are automatically generated and executed when AMF Security mini receives instructions from those applications.
You can also manually create actions without using external applications.
In either case with TQ's AMF Application Proxy, the Action takes precedence over the Device Authentication Data and the UnAuth Group.
With the AMF Application Proxy, when the Action is registered, it is notified to the proxy node and processed by the proxy node and edge node side.


You can use the following data as conditions for an action.

• Device MAC Address
  
• Device IPv4 Address
  
• Device
  
• Device Tag
  

AMF Security performs the specified OpenFlow/TQ action (permit, quarantine or drop) when a device matches those conditions. For permit and quarantine actions, you can also specify a VLAN ID to assign a matched device to.

AW+ AMF Application Proxy Blacklist notifies proxy nodes of AMF Actions.

• When a Device MAC Address is specified → The MAC address is sent to the AMF Master
  
• When a Device IPv4 Address is specified → The IPv4 Address is sent to the AMF Master
  
• When a Device MAC Address and a Device IPv4 Address are specified → Only the IPv4 Address is sent to the AMF Master
  
• When a Device or a Device Tag is specified → The MAC address associated with the device is sent to the AMF Master
  

To specify an AMF action "IP-Filter", a Device IPv4 Address must be specified.

Manually Adding Action

Action can be registered on the Policy Settings > Add Action page.
With AW+ AMF Application Proxy Configuration, a suspicious packet was sent from the device with MAC address "00: 00: 5E: 00: 53: 01" connected to "AMF-Member_2" that provides the guest network to the UnAuth Group. The following is an example of discarding packets for this device.

1. Open the Policy Settings > Action List page.
   

   

   This page shows the list of actions. As you see, no action is registered at this point.
   
   
2. Click the "Add Action" button at the top right corner of the Policy Settings > Action List page to open Policy Settings > Add Action page.
   

   

   
   
3. Enter information for the action to add.
   

   

   As an example, configure the settings shown in the following table:
   
   

   Table 1: Sample Configuration Data

   Item Name	Value	Description
   Action ID (Mandatory)	Block suspicious device	ID (Name) of the action. Action ID must be unique. Max 255 characters
   Priority	10	Priority of the action. It must be an integer between 1 and 65535. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed. Priority value is set to 10 if it is unspecified.
   Reason	Port Scan	Administrative comment such as a reason for running this action. Max 255 characters

   
   
4. Enter conditions to trigger the action.
   

   

   In this example, specify the suspicious device as Device MAC Address.
   
   

   Table 2: Sample Configuration Data / Conditions

   Item Name	Value	Description
   Device MAC Address	00:00:5E:00:53:01	Unicast MAC address of the target device. Valid formats are as follows xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx
   Device IPv4 Address	(empty)	Unicast IPv4 Address of the target device.
   Device	(empty)	Device ID of the target device. Maximum 100 device IDs are shown in the dropdown list. If you enter text in the field, device IDs in the dropdown list are dynamically filtered to the ones which contain the input text in Device ID, Tag or Note (it shows maximum 100 elements). From the dropdown list, select a Device ID for the device.
   Device Tag	(empty)	Device Tag of the target device.

   
   
5. Select the action to perform when a device met the conditions.
   Select "Drop Packets" to drop the packet from the device.
   

   

   
   

   Table 3: Sample Configuration Data / Action

   Item Name	Value	Description
   AMF Action	Drop Packets	An action to be taken on the AMF network deploying AW+ AMF Application Proxy. AMF Dependency: AMF Security mini does not specify an action and lets AMF devices determine its action. Quarantine: Move the device to the quarantine VLAN. Drop Packets: Block traffic from the device at the layer two (MAC) level. Link-Down: Shutdown the port where the device is connected. IP-Filter: Block traffic from the device at the layer 3 (IP) level. Log-Only: Record the device information.

   
   
6. Click "Submit".
   Once the action was added, the Policy Settings > Action List page reflects the added information.
   

   

Now the action has been added.
After the action is activated, all traffic from the MAC address is dropped unless you delete the action or you add an action with higher priority (smaller priority value) to permit the MAC address.

---

(C) 2022 Allied Telesis, Inc. All rights reserved.

C613-04126-00 Rev A

28 Jan 2022 14:19