Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 32: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
See  for information on using the config response command to configure the active response interface to use and the number of TCP resets to attempt in a passive deployment.
To specify active responses:
Access: Admin/Intrusion Admin
Step 1
On the Create Rule page, select resp in the drop-down list and click Add Option.
The resp keyword appears.
Step 2
Specify any of the arguments in the  table in the resp field; use a comma-separated list to specify multiple arguments.
Sending an HTML Page Before a TCP Reset
License: Protection
You can use the react keyword to send a default HTML page to the TCP connection client when a packet triggers the rule; after sending the HTML page, the system uses TCP reset packets to initiate active responses to both ends of the connection. The react keyword does not trigger active responses for UDP traffic.
Optionally, you can specify the following argument:
msg
When a packet triggers a react rule that uses the msg argument, the HTML page includes the rule event message. See  for a description of the event message field.
If you do not specify the msg argument, the HTML page includes the following message:
You are attempting to access a forbidden site.
Consult your system administrator for details.
Note
Because active responses can be routed back, ensure that the HTML response page does not trigger a react rule; this could result in an unending sequence of active responses. Cisco recommends that you test react rules extensively before activating them in a production environment.
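The loop condition described in the Note can be screened for before deployment. The following is an added example, not part of the Cisco guide: it assumes rules are available in Snort-style text form with plain-text content patterns, and it models the response page as only its message text; the rule text and SIDs are constructed.

```python
import re

# Constructed sample rules in Snort-style text form (not taken from the guide).
RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Blocked category: forbidden site"; content:"forbidden"; nocase; react:msg; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Policy: upload attempt"; content:"/upload.cgi"; react; sid:1000002;)
alert tcp any any -> any any (msg:"No react keyword"; content:"Consult"; sid:1000003;)
'''

# Message the guide says the page carries when react has no msg argument.
DEFAULT_MSG = ("You are attempting to access a forbidden site. "
               "Consult your system administrator for details.")

# keyword, optionally followed by ':' and a quoted or bare value, ending in ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_options(rule):
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(k, v.strip()) for k, v in OPTION_RE.findall(body)]

def load_react_rules(text):
    """Return the react rules with their positive content patterns and page text."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        opts = parse_options(line)
        fields = {k: v.strip('"') for k, v in opts}
        if "react" not in fields:
            continue
        contents, last = [], None
        for key, val in opts:
            if key == "content":
                # Negated patterns (content:!"...") are not modelled here.
                last = None if val.startswith("!") else [val.strip('"'), False]
                if last:
                    contents.append(last)
            elif key == "nocase" and last:
                last[1] = True
        page = fields.get("msg", "") if fields["react"] == "msg" else DEFAULT_MSG
        rules.append({"sid": fields.get("sid"), "contents": contents, "page": page})
    return rules

def find_loops(text):
    """List (page_owner_sid, triggered_sid); headers are ignored, so it over-reports."""
    rules = load_react_rules(text)
    def hit(page, pats):
        return bool(pats) and all(
            p.lower() in page.lower() if nc else p in page for p, nc in pats)
    return [(a["sid"], b["sid"]) for a in rules for b in rules
            if hit(a["page"], b["contents"])]
```

Calling find_loops(RULES) on the constructed rules flags sid 1000001 twice: its own msg page and the default page sent by sid 1000002 both contain the string it matches on.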
See  for information on using the config response command to configure the active response interface to use and the number of TCP resets to attempt in a passive deployment.
To send an HTML page before initiating an active response:
Access: Admin/Intrusion Admin
Step 1
On the Create Rule page, select react in the drop-down list and click Add Option.
The react keyword appears.
Step 2
You have two choices:
  • To send an HTML page that includes the event message configured for the rule to the client before closing a connection, type msg in the react field.