Scenarios

With NGFW, the time from attack detection to response can be reduced considerably thanks to a concept called SOAR (Security Orchestration, Automation, and Response). NGFW implements this concept with a scenario-based mechanism. A scenario is an additional condition in firewall and traffic shaping rules that lets the administrator configure how NGFW responds to certain events that have occurred over a prolonged time frame. Here are examples of problems that can be solved using scenarios:

  • Block a user or limit their bandwidth for 30 minutes if they are found to have made 5 attempts to use a torrent application in the past 10 minutes.

  • Block or limit the bandwidth for the user or user group specified in the rule if one of the following triggers occurs: the user opens websites from the "Threats" category; the user's traffic triggers high-risk IDPS signatures; a virus is blocked in the user's traffic.

  • Block the user or limit their bandwidth if they have exceeded a traffic limit of 10GB per month.

Note: A scenario is an additional condition in firewall and traffic shaping rules. If the scenario has not been triggered (one or more of its triggers did not occur), the rule will not be triggered either.

To get started with scenarios, follow these steps:

Step 1. Create the desired scenarios. In the Security policies ➜ Scenarios section, create the desired scenarios.

Step 2. Add the scenarios you created to the firewall or traffic shaping rules. For more details on working with firewall and traffic shaping rules, see the Network Policies section.

When creating a scenario, provide the following settings:


Enabled

Enables or disables the scenario.

Name

The name of the scenario.

Description

A description of the scenario.

Trigger for

The available options are:

  • one user: the rule that uses the scenario will be applied only to the user for whom the scenario was triggered

  • all users: the rule that uses the scenario will be applied to all users listed in the rule's Users/Groups field.

Duration

The time in minutes for which the scenario will remain activated. This is also how long the firewall or traffic shaping rule that uses this scenario will work for.

Conditions

Set the conditions that will trigger the scenario. For each condition, you can specify the number of triggered events required during a certain time for the scenario to be triggered. If several conditions are set, specify whether the scenario should be triggered on matching any one of the conditions or all of them.

Triggering conditions

The following trigger conditions can be used in a scenario:

  • URL category: the user's traffic matches the specified UserGate URLF categories

  • Virus detection: a virus has been detected in the user's traffic

  • Application: the specified application has been detected in the user's traffic

  • IDPS: the intrusion prevention system has been triggered

  • Content types: the specified content types have been detected in the user's traffic

  • Packet size: the packet size in the user's traffic has exceeded the set value

  • Sessions per IP: the number of sessions from a single IP address has exceeded the set value

  • Traffic limit: the user's traffic has exceeded the limit set in the specified time frame

  • Health check: the result of a health check of a resource that must be reachable from NGFW (the check can be performed with an ICMP ping, a DNS query, or an HTTP GET request)
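To make the evaluation rules above concrete, here is a small Python model of how a scenario behaves: each condition counts matching events per user inside a sliding time window, the conditions are combined with "any one" or "all", and once the scenario fires it stays activated for Duration minutes, during which the rule that references it applies either to the offending user only ("one user") or to everyone in the rule's Users/Groups field ("all users"). This is an added illustration written for this page, not UserGate code; the class and field names are invented, timestamps are plain minute counters, and the assumption that a user's event counters restart after the scenario fires is this example's own, since the page does not specify it.

```python
"""Toy model of NGFW scenario evaluation (added example; not UserGate code).

A scenario counts matching events per user inside a sliding time window;
when the required count is reached for any (or all) of its conditions, the
scenario activates for `duration_min` minutes and the firewall or traffic
shaping rule that references it applies only during that time.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    event_type: str   # trigger kind, e.g. "application", "url_category", "idps"
    value: str        # what must be seen, e.g. "torrent" or "Threats"
    count: int        # number of matching events required ...
    window_min: int   # ... within this many minutes


@dataclass
class Scenario:
    name: str
    conditions: list
    duration_min: int                        # how long the scenario stays activated
    match_all: bool = False                  # True: every condition must match; False: any one
    trigger_for_all_users: bool = False      # "all users" vs "one user"
    users_in_rule: frozenset = frozenset()   # the rule's Users/Groups field


class ScenarioEngine:
    def __init__(self, scenario):
        self.sc = scenario
        self._events = defaultdict(deque)   # (user, condition index) -> event minutes
        self._active_until = {}             # user -> minute at which activation expires

    def _condition_met(self, user, idx, cond, now):
        dq = self._events[(user, idx)]
        # drop events older than the window so only the last window_min minutes count
        while dq and now - dq[0] >= cond.window_min:
            dq.popleft()
        return len(dq) >= cond.count

    def observe(self, user, event_type, value, now):
        """Record one event seen at minute `now`; return True if the scenario fired."""
        for idx, cond in enumerate(self.sc.conditions):
            if (cond.event_type, cond.value) == (event_type, value):
                self._events[(user, idx)].append(now)
        met = [self._condition_met(user, i, c, now) for i, c in enumerate(self.sc.conditions)]
        fired = all(met) if self.sc.match_all else any(met)
        if fired:
            # "all users": every user listed in the rule is affected; "one user": only the offender
            targets = self.sc.users_in_rule if self.sc.trigger_for_all_users else {user}
            for u in targets:
                self._active_until[u] = now + self.sc.duration_min
            # assumption (not stated on the page): counters restart once the scenario has fired
            for idx in range(len(self.sc.conditions)):
                self._events[(user, idx)].clear()
        return fired

    def rule_applies(self, user, now):
        """The rule referencing this scenario matches only while it is active for the user."""
        return self._active_until.get(user, -1) > now


def demo_one_user():
    """Five torrent attempts within 10 minutes block the offender for 30 minutes."""
    sc = Scenario("torrent-abuse", [Condition("application", "torrent", 5, 10)], duration_min=30)
    eng = ScenarioEngine(sc)
    # constructed events: alice tries at 0, 3, 6, 9, 12; by minute 12 the first try has left the window
    alice = [eng.observe("alice", "application", "torrent", t) for t in (0, 3, 6, 9, 12)]
    # constructed events: bob makes five attempts inside 8 minutes, so the fifth one fires
    bob = [eng.observe("bob", "application", "torrent", t) for t in (0, 2, 4, 6, 8)]
    return {
        "alice_fired": any(alice),
        "alice_blocked": eng.rule_applies("alice", 12),
        "bob_fired_at_fifth": bob[-1],
        "bob_blocked_at_37": eng.rule_applies("bob", 37),   # 8 + 30 = 38, still active at 37
        "bob_blocked_at_38": eng.rule_applies("bob", 38),   # activation expired
    }


def demo_all_users():
    """Any one of two triggers (Threats URL category or an IDPS hit) limits the whole group."""
    sc = Scenario(
        "risky-group",
        [Condition("url_category", "Threats", 1, 1), Condition("idps", "high-risk", 1, 1)],
        duration_min=30,
        trigger_for_all_users=True,
        users_in_rule=frozenset({"alice", "bob", "carol"}),
    )
    eng = ScenarioEngine(sc)
    fired = eng.observe("carol", "url_category", "Threats", 20)   # constructed event
    return {
        "fired": fired,
        "affected": sorted(u for u in sc.users_in_rule if eng.rule_applies(u, 25)),
        "outsider": eng.rule_applies("dave", 25),   # not in the rule's Users/Groups
    }


def demo_match_all():
    """With 'all conditions', a Threats URL and an IDPS hit must both occur within their windows."""
    sc = Scenario("both-required",
                  [Condition("url_category", "Threats", 1, 5), Condition("idps", "high-risk", 1, 5)],
                  duration_min=10, match_all=True)
    eng = ScenarioEngine(sc)
    first = eng.observe("alice", "url_category", "Threats", 0)   # only one condition met
    second = eng.observe("alice", "idps", "high-risk", 3)        # both met within 5 minutes
    return first, second


if __name__ == "__main__":
    print(demo_one_user(), demo_all_users(), demo_match_all())
```

The sliding window is the detail worth noticing: alice's fifth attempt at minute 12 does not fire because her first attempt at minute 0 is already more than 10 minutes old, whereas bob's five attempts inside 8 minutes do. The same model shows why the Note above matters: `rule_applies` is false for everyone until a scenario has actually fired, so a rule that carries a scenario is inert until then.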