You are asked to ensure that your IPS engine blocks attacks. You must ensure that your
system continues to drop additional malicious traffic without additional IPS processing for up
to 30 minutes. You must ensure that the SRX Series device does send a notification packet
when the traffic is dropped. Which statement is correct?
A. Use the Drop Packet action.
B. Use the Drop Connection action.
C. Use the IP-Close action.
D. Use the IP-Block action.
Drop Connection = Does not close the connection
IP-Close = any new sessions matching the rule are closed with a reset packet
IP-Block = all packets matching the condition are dropped silently
To me it looks like IP-Block.
Mmmm... looks like IP-Close.
IP-Close and IP-Block are the same, except that IP-Close sends a reset packet to both src and dst addr.
http://chimera.labs.oreilly.com/books/1234000001633/ch13.html#ips_policy_components
IP-Close is correct. We need to send a notification packet!
IP-Block
IP-Block allows you to silently block (drop) future connections made by hosts that were marked by IP-Block in a previous attack. This is tracked based on the target and timeout that are defined in the rule on which the attack was triggered.
IP-Close
IP-Close is similar to IP-Block, except TCP Resets will be sent in addition to dropping all of the packets as part of that flow. This is tracked based on the target and timeout that are defined in the rule on which the attack was triggered. If the Layer 4 protocol is not TCP, a silent Drop-Connection will be applied.
IP-Close, as SRX has to send a notification packet when the traffic is dropped.
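For reference, here is what the scenario in the question looks like as an IDP rule. This is an added illustration, not configuration from the thread or from the book excerpt quoted above. The hierarchy is the standard Junos `security idp idp-policy` one; the policy name `block-and-notify`, the rule name `r1`, the zone names and the attack group are placeholder assumptions.

```junos
security {
    idp {
        idp-policy block-and-notify {
            rulebase-ips {
                rule r1 {
                    match {
                        from-zone untrust;
                        to-zone trust;
                        source-address any;
                        destination-address any;
                        application default;
                        attacks {
                            /* placeholder attack group; pick the one relevant to you */
                            predefined-attack-groups "Critical - TCP";
                        }
                    }
                    then {
                        /* what happens to the session that triggered the attack */
                        action {
                            drop-connection;
                        }
                        /* what happens to later traffic from the same source:
                           dropped for 1800 s (30 min) without further IPS
                           inspection, and a TCP RST is sent because this is
                           ip-close rather than ip-block */
                        ip-action {
                            ip-close;
                            target source-address;
                            timeout 1800;
                            log;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
    }
}
```

The `then action` and `then ip-action` are two different things: the action handles the offending session, the ip-action is what keeps dropping follow-on traffic for the `timeout` period with no additional IPS processing. Replacing `ip-close` with `ip-block` gives the silent variant, which is why IP-Block does not satisfy the "send a notification packet" requirement; and, as the excerpt notes, for non-TCP traffic ip-close cannot send a reset and behaves like a silent drop. Depending on the Junos release, the policy is then made active with `set security idp active-policy` or attached to a security policy; check the documentation for your version.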