Configuring the Illegal Zone
To configure the illegal zone for anomaly detection, follow these steps:
Step 1 Log in to the IME using an account with administrator or operator privileges.
Step 2 Choose Configuration > sensor_name > Policies > Anomaly Detections > ad0 > Illegal Zone.
Step 3 Click the General tab.
Step 4 To enable the illegal zone, check the Enable the Illegal Zone check box.
Note You must check the Enable the Illegal Zone check box or any protocols that you configure will be ignored.
Step 5 In the Service Subnets field, enter the subnets to which you want the illegal zone to apply. The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
Step 6 To configure TCP protocol, click the TCP Protocol tab.
Step 7 To enable TCP protocol, check the Enable the TCP Protocol check box.
Note You must check the Enable the TCP Protocol check box or the TCP protocol configuration will be ignored.
Step 8 Click the Destination Port Map tab, and then click Add to add a destination port.
Step 9 In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 10 To enable the service on that port, check the Enable the Service check box.
Step 11 To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 12 To add a histogram for the new scanner settings, click Add.
Step 13 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 14 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 15 Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 16 Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 17 To edit the destination port map, select it in the list, and click Edit.
Step 18 Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 19 To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 20 To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 21 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 22 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 23 To configure UDP protocol, click the UDP Protocol tab.
Step 24 To enable UDP protocol, check the Enable the UDP Protocol check box.
Note You must check the Enable the UDP Protocol check box or the UDP protocol configuration will be ignored.
Step 25 Click the Destination Port Map tab, and then click Add to add a destination port.
Step 26 In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 27 To enable the service on that port, check the Enable the Service check box.
Step 28 To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 29 To add a histogram for the new scanner settings, click Add.
Step 30 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 31 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 32 Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 33 Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 34 To edit the destination port map, select it in the list, and click Edit.
Step 35 Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 36 To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 37 To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 38 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 39 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 40 To configure Other protocols, click the Other Protocols tab.
Step 41 To enable other protocols, check the Enable Other Protocols check box.
Note You must check the Enable Other Protocols check box or the other protocols configuration will be ignored.
Step 42 Click the Protocol Number Map tab, and then click Add to add a protocol number.
Step 43 In the Protocol Number field, enter the protocol number. The valid range is 0 to 255.
Step 44 To enable the service of that protocol, check the Enable the Service check box.
Step 45 To override the scanner values for that protocol, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 46 To add a histogram for the new scanner settings, click Add.
Step 47 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 48 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 49 Click OK. The new scanner setting appears in the list in the Add Protocol Number dialog box.
Tip To discard your changes and close the Add Protocol Number dialog box, click Cancel.
Step 50 Click OK. The new protocol number map appears in the list on the Protocol Number Map tab.
Step 51 To edit the protocol number map, select it in the list, and click Edit.
Step 52 Make any changes to the fields and click OK. The edited protocol number map appears in the list on the Protocol Number Map tab.
Step 53 To delete a protocol number map, select it, and click Delete. The protocol number map no longer appears in the list on the Protocol Number Map tab.
Step 54 To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 55 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 56 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Tip To discard your changes, click Reset.
Step 57 Click Apply to apply your changes and save the revised configuration.
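The following pre-change check is an added example, not part of the original procedure or of any Cisco tool. It validates a planned illegal zone configuration against the field formats and ranges stated in the steps above, and flags settings that would be ignored because an enable check box is unchecked. The dictionary layout and function names are assumptions made for illustration.

```python
import ipaddress

# Limits quoted in the procedure (ports, protocol numbers, source IPs per histogram).
NUMBER_MAX = {"tcp": 65535, "udp": 65535, "other": 255}
SRC_IP_MAX = 4096
DEST_LEVELS = {"High", "Medium", "Low"}

def parse_service_subnets(field):
    """Parse '10.10.5.5,10.10.2.1-10.10.2.30' into (first, last) address pairs."""
    ranges = []
    for item in field.split(","):
        first, _, last = item.strip().partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip()) if last else lo
        if lo > hi:
            raise ValueError(f"range start above range end: {item.strip()}")
        ranges.append((lo, hi))
    return ranges

def check_plan(plan):
    """Return problems in a planned configuration (histograms are checked only when overridden)."""
    problems = []
    if not plan.get("enabled"):
        problems.append("illegal zone not enabled: configured protocols are ignored")
    try:
        parse_service_subnets(plan["service_subnets"])
    except ValueError as exc:
        problems.append(f"service subnets: {exc}")
    for proto, limit in NUMBER_MAX.items():
        section = plan.get(proto, {"enabled": False, "entries": {}})
        if section["entries"] and not section["enabled"]:
            problems.append(f"{proto}: protocol not enabled, its configuration is ignored")
        for number, entry in section["entries"].items():
            if not 0 <= number <= limit:
                problems.append(f"{proto} {number}: outside 0 to {limit}")
            for level, sources in entry.get("histogram", []) if entry.get("override") else []:
                if level not in DEST_LEVELS:
                    problems.append(f"{proto} {number}: level {level!r} not High/Medium/Low")
                if not 0 <= sources <= SRC_IP_MAX:
                    problems.append(f"{proto} {number}: {sources} source IPs outside 0 to {SRC_IP_MAX}")
    return problems

# Constructed sample plan (hypothetical structure, not an IME export format).
SAMPLE_PLAN = {
    "enabled": True,
    "service_subnets": "10.10.5.5,10.10.2.1-10.10.2.30",
    "tcp": {"enabled": False, "entries": {23: {"override": True, "histogram": [("Low", 5000)]}}},
    "other": {"enabled": True, "entries": {300: {"override": False}}},
}
```

Calling `check_plan(SAMPLE_PLAN)` reports the unchecked TCP enable box, the out-of-range source IP count, and the out-of-range protocol number.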