Using Collaborative Detection and Response (CDR)
Use CDR to block a client's IP traffic when unsafe connections from that client are detected and reach the pre-set threshold. See Collaborative Detection & Response for more information.
To configure CDR, do the following:
1 Go to Site-wide > Configure > Collaborative detection & response. Click Enable to activate CDR (refer to part A in the figure below).
2 Configure the criteria (Occurrence, Duration) and the Containment action (Alert, Block, Quarantine) for each Category (Malware, IDP, Web Threat) (refer to part B in the figure above). See Site-Wide > Configure > Collaborative Detection & Response for more information.
3 Configure the containment alert theme (Theme), the customized pop-up message shown to a client blocked by CDR (Notification message), and the containment time interval (Containment Period) (refer to part C in the figure above).
4 In Block, set how long a suspect client should be blocked or quarantined, from 1 minute to 1 day (1,440 minutes). Enter 0 to block a suspect client until it is released in Site-wide > Monitor > Containment list. In Quarantine, configure a VLAN in order to isolate traffic from suspect clients (refer to part D in the figure for step 1).
5 Enter the IPv4 and/or MAC addresses of client device(s) that are exempt from CDR checking in Exempt list (refer to part E in the figure for step 1).
6 To unblock a suspect client, go to Site-wide > Monitor > Containment list. Select a client, then either:
- click Release to free the client from CDR containment, or
- select its IPv4 address or MAC address, click Add to Exempt List and then click OK to release the client device from CDR containment. The client device’s IP or MAC address is then exempt from future CDR checking.
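The threshold, containment-period and exempt-list behaviour that steps 2 to 6 describe, modelled as an added Python example. This is not Zyxel's code; the POLICY values, the CDR class and its method names are constructed for illustration, and timestamps are seconds.

```python
from collections import defaultdict, deque

# Constructed policy in the shape of step 2: per Category, an Occurrence
# threshold within a Duration (seconds) and a Containment action.
POLICY = {
    "Malware":    {"occurrence": 3,  "duration": 60,  "action": "Block"},
    "IDP":        {"occurrence": 5,  "duration": 120, "action": "Quarantine"},
    "Web Threat": {"occurrence": 10, "duration": 300, "action": "Alert"},
}
class CDR:
    def __init__(self, policy, containment_period_min=30, exempt=()):
        # Step 4: 1 minute to 1 day (1,440 minutes); 0 = contain until released.
        if containment_period_min != 0 and not 1 <= containment_period_min <= 1440:
            raise ValueError("containment period must be 0 or 1..1440 minutes")
        self.policy = policy
        self.period = containment_period_min * 60      # seconds
        self.exempt = {e.lower() for e in exempt}      # step 5: IPv4 or MAC strings
        self.events = defaultdict(deque)               # (client, category) -> timestamps
        self.contained = {}                            # client -> (action, expires_at)

    def observe(self, ts, client_ip, mac, category):
        """Record one unsafe-connection detection; return the triggered action or None."""
        if client_ip.lower() in self.exempt or mac.lower() in self.exempt:
            return None                                # exempt clients are never checked
        rule = self.policy[category]
        q = self.events[(client_ip, category)]
        q.append(ts)
        while q and ts - q[0] > rule["duration"]:      # keep only the Duration window
            q.popleft()
        if len(q) < rule["occurrence"]:
            return None
        q.clear()                                      # threshold reached: start a new window
        if rule["action"] in ("Block", "Quarantine"):
            expires = None if self.period == 0 else ts + self.period
            self.contained[client_ip] = (rule["action"], expires)
        return rule["action"]

    def is_contained(self, ts, client_ip):
        state = self.contained.get(client_ip)
        if state and (state[1] is None or ts < state[1]):
            return True
        self.contained.pop(client_ip, None)            # never contained, or period elapsed
        return False

    def release(self, client_ip, add_to_exempt=None):
        """Step 6: Release, or Add to Exempt List so the client is not checked again."""
        self.contained.pop(client_ip, None)
        if add_to_exempt:
            self.exempt.add(add_to_exempt.lower())
```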