8.6. Scenarios

UserGate allows for much faster responses to detected attacks thanks to the SOAR (Security Orchestration, Automation, and Response) concept, which UserGate implements by means of scenarios. A scenario is an additional condition in firewall and bandwidth rules that lets administrators define how the UTM responds to certain events observed over a longer time period. For example, scenarios can be used for the following tasks:

  • Block or limit the bandwidth for 30 minutes when a user tried to use a torrent application 5 times within the last 10 minutes.

  • Block or limit the bandwidth for a user or user group specified in a rule when any of the following triggers fires: the user views sites from the Threats category, a high-risk IPS signature matches the user's traffic, or a virus is blocked in the user's traffic.

  • Block or limit the bandwidth for a user who has already consumed their traffic limit of 10 GB/month.

Important! A scenario is an additional condition in firewall rules and bandwidth rules. While the scenario is not active (i.e. its triggers have not fired, or its duration has expired), the rule that references it is not applied at all. For that reason, attach scenarios only to dedicated blocking or limiting rules, never to a rule whose ordinary effect you depend on.

To get started with scenarios, perform the following steps:

Step 1. Create the necessary scenarios.
  Create the scenarios in Security policies-->Scenarios.

Step 2. Specify the created scenarios in the firewall rules or bandwidth rules.
  Add the scenarios you have created to the firewall rules or bandwidth rules. For more details on firewall rules and bandwidth rules, refer to Network policies.

Provide the following parameters when creating a new scenario:

Enabled
  Enables or disables the scenario.

Name
  Name of the scenario.

Description
  Description of the scenario.

Trigger for
  Possible options:

  • Single user --- when the scenario is triggered, a rule that uses this scenario is applied only to the user for whom the scenario was triggered.

  • All users --- when the scenario is triggered, a rule that uses this scenario is applied to all users specified in the Users/Group field of that rule.

Duration
  The time period, in minutes, during which the triggered scenario remains active. The firewall rule or bandwidth rule that uses this scenario is applied for the same period.

Conditions
  Define the triggering conditions for the scenario. For each condition you can specify the minimum number of triggering events within a time period that is required for the scenario to trigger. When multiple conditions are selected, specify whether the scenario must be triggered when any or all of them are met.

Triggering conditions
  The following conditions can be used in scenarios:

  • URL category --- a UserGate URL filtering (URLF) category has been matched in the user's traffic

  • A virus has been detected in the user's traffic

  • Application --- the specified application has been detected in the user's traffic

  • IPS --- the intrusion prevention system has been triggered

  • MIME types --- the specified MIME types have been detected in the user's traffic

  • Packet size --- the size of a packet in the user's traffic has exceeded the allowed value

  • Sessions per IP --- the number of sessions per IP address has exceeded the allowed value

  • Traffic volume --- the volume of the user's traffic has exceeded the allowed value for the time period.
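The triggering semantics described above (a minimum number of events within a time window, any/all across several conditions, Trigger for, Duration, and the point that a rule referencing an inactive scenario does nothing) can be checked against a small model before you commit rules to a production device. The following Python is an added illustration written for this page; it is not UserGate code. Its class and field names, the integer-minute timestamps, the half-open sliding window (ts - window, ts], and the event logs are all assumptions constructed for the example. It replays the two scenarios from the task list above: five torrent detections in 10 minutes blocking one user for 30 minutes, and an any-of threat trigger applied to all users of the rule.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Illustrative model only, not UserGate's implementation.
# Timestamps are minutes expressed as integers.


@dataclass
class Condition:
    kind: str                 # "application", "url_category", "ips", "virus", ...
    value: Optional[str]      # e.g. "BitTorrent"; None matches any event of that kind
    count: int = 1            # minimum number of matching events ...
    window_min: int = 1       # ... within this many minutes


@dataclass
class Scenario:
    name: str
    conditions: list
    match_all: bool = False           # False = any condition triggers; True = all must be met
    duration_min: int = 30            # how long the scenario (and the rule using it) stays active
    trigger_for: str = "single_user"  # or "all_users"


class ScenarioEngine:
    def __init__(self, scenario: Scenario):
        self.s = scenario
        self._hits = defaultdict(deque)  # (user, condition index) -> timestamps of matching events
        self._active = {}                # user, or "*" for all users -> (start, end) of activity

    def feed(self, ts: int, user: str, kind: str, value: Optional[str] = None) -> bool:
        """Record one event (events must arrive in time order); return True if the scenario fires."""
        met = []
        for i, c in enumerate(self.s.conditions):
            q = self._hits[(user, i)]
            if c.kind == kind and (c.value is None or c.value == value):
                q.append(ts)
            # Sliding window (assumed): keep only events in (ts - window, ts].
            while q and q[0] <= ts - c.window_min:
                q.popleft()
            met.append(len(q) >= c.count)
        fired = all(met) if self.s.match_all else any(met)
        if fired:
            key = user if self.s.trigger_for == "single_user" else "*"
            self._active[key] = (ts, ts + self.s.duration_min)
        return fired

    def rule_applies(self, ts: int, user: str) -> bool:
        """A firewall/bandwidth rule that references this scenario is a no-op
        unless the scenario is currently active for this user or for everyone."""
        for key in ("*", user):
            span = self._active.get(key)
            if span and span[0] <= ts < span[1]:
                return True
        return False


def torrent_demo() -> dict:
    """Scenario from the text: 5 torrent detections within 10 minutes -> 30-minute block."""
    eng = ScenarioEngine(Scenario(
        name="torrent-abuse",
        conditions=[Condition("application", "BitTorrent", count=5, window_min=10)],
        duration_min=30, trigger_for="single_user"))
    # Constructed event log: (minute, user, event kind, value).
    events = [(0, "alice", "application", "BitTorrent"),
              (2, "alice", "application", "BitTorrent"),
              (4, "alice", "application", "BitTorrent"),
              (6, "alice", "application", "BitTorrent"),
              (7, "bob",   "application", "BitTorrent"),
              (8, "alice", "application", "BitTorrent")]
    fired_at = [ts for ts, u, k, v in events if eng.feed(ts, u, k, v)]
    return {
        "fired_at": fired_at,                               # fifth hit at minute 8
        "alice_blocked_7": eng.rule_applies(7, "alice"),    # rule inactive before the trigger
        "alice_blocked_20": eng.rule_applies(20, "alice"),  # active during the 30 minutes
        "alice_blocked_38": eng.rule_applies(38, "alice"),  # duration expired
        "bob_blocked_20": eng.rule_applies(20, "bob"),      # single-user trigger: bob unaffected
    }


def threats_demo() -> dict:
    """Scenario from the text: any of Threats URL / high-risk IPS / virus,
    applied to all users of the rule for 10 minutes."""
    eng = ScenarioEngine(Scenario(
        name="threat-activity",
        conditions=[Condition("url_category", "Threats"),
                    Condition("ips", "high"),
                    Condition("virus", None)],
        match_all=False, duration_min=10, trigger_for="all_users"))
    fired = eng.feed(5, "bob", "url_category", "Threats")
    return {"fired": fired,                                   # one event is enough with "any"
            "carol_limited_6": eng.rule_applies(6, "carol"),  # all users in the rule
            "carol_limited_15": eng.rule_applies(15, "carol")}


if __name__ == "__main__":
    print(torrent_demo())
    print(threats_demo())
```

The "alice_blocked_7" result is the practical consequence of the Important! note above: between scenario creation and the fifth hit, a rule built on this scenario matches nothing, so the ordinary rules below it keep governing the traffic.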