Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 5.0)
Learning Zone Traffic

Table Of Contents

Learning Zone Traffic

Learning Process Overview

Phases of the Learning Process

Detect and Learn Feature

Accept or Reject Learning Process Results

Performing the Learning Process

Starting the Policy Construction Phase

Stopping the Policy Construction Phase

Starting the Threshold Tuning Phase

Accepting the Current Threshold Tuning Phase Results

Stopping the Threshold Tuning Phase

Performing the Learning Process Using Detect and Learn

Configuring Automatic Learning Parameters

Activating Detect and Learn

Deactivating Detect and Learn

Marking the Zone Policies as Tuned or Untuned

Managing Learning Process Snapshots

Taking a Snapshot of Current Learning Process Results

Taking a Snapshot of the Zone Configuration Policies

Viewing, Modifying, or Saving Snapshot Results

Deleting a Snapshot

Comparing Policy Configurations of Two Zones or Snapshots

Viewing Policy Configuration Differences

Deleting Base Zone Services

Adding Base Zone Services

Copying Policy Parameters to the Base Zone


Learning Zone Traffic


This chapter describes how to use the Detector module learning process to analyze zone traffic and fine-tune the protection capabilities of the zone configuration.

This chapter includes the following sections:

Learning Process Overview

Performing the Learning Process

Performing the Learning Process Using Detect and Learn

Marking the Zone Policies as Tuned or Untuned

Managing Learning Process Snapshots

Comparing Policy Configurations of Two Zones or Snapshots

Learning Process Overview

The learning process allows the Detector module to analyze zone traffic and create a set of zone-specific policies that are based on the traffic flow services the Detector module detects. During the learning process, the Detector module also tunes the threshold value of each policy it creates. The policy thresholds are the reference points the Detector module uses when monitoring zone traffic for anomalies: when the traffic rate exceeds its normal volume, the threshold is crossed, indicating an attack on the zone. While the Detector module is learning zone traffic, you monitor the learning process and decide whether to accept or reject its results. When you accept the learning process results, the Detector module saves the policy information to the zone configuration and deletes all of the previous zone configuration policies. If you reject the learning process results, the Detector module deletes the learning process results and continues to use the policies already in place in the zone configuration.

This section contains the following learning process information:

Phases of the Learning Process

Detect and Learn Feature

Accept or Reject Learning Process Results

Phases of the Learning Process

The learning process consists of the following two phases, which you perform separately on the Detector module:

Policy construction phase—In this phase, the Detector module creates policies based on the services it detects in the traffic flow. Each policy is configured with an action that the Detector module executes when it detects a traffic anomaly. Policy templates provide the guidelines the Detector module follows when creating a policy. For example, a policy template can limit the number of policies the Detector module can produce from the template during the policy construction phase. Policy templates also configure each policy the Detector module creates from them with a default threshold value.

Threshold tuning phase—In this phase, the Detector module tunes the thresholds of the zone policies. The policy threshold value is set to a value that allows normal traffic to pass through the Detector module without activating the policy action. When protecting a zone, the Detector module applies the zone policies to the traffic flow and if a policy threshold is exceeded, the Detector module executes the policy action.

There are two exceptions as to when and how the policy construction and threshold tuning phases are used:

You cannot perform the policy construction phase on zones you create with a Guard_Link zone template.

When the zone configuration contains the worm_tcp policy template, the Detector module uses the threshold tuning phase to create policies from the template as well as tune the threshold of each policy it creates.

For the learning process to take place, you must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module.

You can save the current results of either learning phase at any time of the learning process using the Detector module snapshot feature. Taking a snapshot of the learning process allows you to view the policy information the Detector module has created up to the point of the snapshot. Saving the results of the learning phase in a snapshot does not affect the zone configuration. You can take as many learning process snapshots as you like. You can also update the zone configuration with the policy information saved in a snapshot. For more details on using the snapshot function, see the "Managing Learning Process Snapshots" section.

Detect and Learn Feature

After the Detector module performs the policy construction phase of the learning process, you can activate the Detect and Learn feature, which allows the Detector module to look for traffic anomalies (Detect) while performing the threshold tuning phase (Learn) simultaneously. When the Detector module detects an attack, it suspends the learning process. When the attack is over, the Detector module resumes the learning process. The Detect and Learn operating state allows the Detector module to detect anomalies while constantly updating the policy thresholds according to the zone traffic characteristics, and prevents the Detector module from learning the thresholds of malicious traffic.

Accept or Reject Learning Process Results

You have the option of accepting or rejecting the results of a policy construction or threshold tuning phase while the phase is running or when you stop the phase. During the learning process, the Detector module does not modify the policies of the zone configuration. Only after you accept the results of the learning phase does the Detector module update the zone configuration and begin operating with the new policies or policy thresholds.

Performing the Learning Process

The procedures in this section describe how to start and stop the two different phases of the learning process: policy construction and threshold tuning. Use the learning process to optimize zone protection in the following ways:

Fine-tune the policies of a new zone configured with the default policies and policy thresholds of the zone template you selected

Update an existing zone configuration when zone traffic patterns change

To ensure the results of the learning process are accurate and configured for normal zone traffic, activate the learning process when the following zone traffic conditions exist:

Zone traffic is normal (not experiencing an attack)—This ensures that the Detector module does not construct and tune the zone policies according to traffic characteristics of a DDoS attack. If you initiate the learning process when the zone is under attack, the Detector module will learn the traffic patterns of the attack and save the learning results as the base for future reference. This will prevent the Detector module from detecting future attacks because it may view them as normal traffic conditions.

Zone traffic is at its peak volume—This allows the Detector module to configure the policy thresholds to values that are appropriate for normal peak traffic and ensures that the Detector module does not perceive normal peak traffic conditions as an attack.

This section contains the following procedures:

Starting the Policy Construction Phase

Stopping the Policy Construction Phase

Starting the Threshold Tuning Phase

Accepting the Current Threshold Tuning Phase Results

Stopping the Threshold Tuning Phase

Starting the Policy Construction Phase

Use the policy construction phase after creating a new zone or anytime the zone configuration needs updating with new service policies. After performing the policy construction phase, execute the threshold tuning phase to fine-tune the thresholds of each policy.


Note You cannot perform the policy construction phase on a zone you created with one of the Guard_Link zone templates.



Note When the zone configuration uses the worm_tcp policy template, the Detector module uses the threshold tuning phase to create policies from the template as well as tune the threshold of each policy it creates (see the "Starting the Threshold Tuning Phase" section).


To start the policy construction phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Construct Policies from the zone main menu. The following actions occur:

The Policy Templates screen appears.

The Detector module begins analyzing the zone traffic copy for the services used in the traffic flow and creates policies relating to each service it detects.

The zone status icon changes to Learning.

Step 3 (Optional) Choose Learning > Snapshot to save and review the current results, or policy suggestions, of the policy construction phase at anytime during the phase. For details on using the snapshot function, see the "Managing Learning Process Snapshots" section.


To allow the Detector module enough time to receive and analyze an accurate representation of normal zone traffic, we recommend that you let the policy construction phase run for at least two hours before stopping this phase.

Stopping the Policy Construction Phase

To stop the policy construction phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 To accept or reject the current results of the policy construction phase, use one of the following options:

Choose Learning > Accept from the zone main menu to accept the results of the learning phase. The Detector module deletes all of the current policies of the zone configuration and replaces them with the suggested zone policies. The Detector module does not stop the policy construction phase and continues to learn the zone services.

Choose Learning > Stop Learning from the zone main menu. The Stop Learning window opens. Choose one of the following options and proceed to Step 3:

Reject—Rejects the suggested zone policies

Accept—Accepts the suggested zone policies

Step 3 This step is only required if you chose Learning > Stop Learning in Step 2. Select one of the following options:

OK—The results of this selection will vary depending on your choice to reject or accept the results of the policy construction phase:

If you select Reject, the Detector module deletes all of the suggested zone policies. No changes are made to the zone configuration.

If you select Accept, the Detector module deletes all of the current policies in the zone configuration and replaces them with the suggested zone policies, and the policy construction phase terminates.

Clear—The Stop Learning window reverts back to its default setting of Accept.

Cancel—The Stop Learning window closes and the policy construction phase continues.


We recommend activating the threshold tuning phase after accepting the results of the policy construction phase. The threshold tuning phase ensures that the threshold values of the accepted policies are configured to the characteristics of the zone traffic flow. Until you run the threshold tuning phase, the policies are configured with factory default threshold values.

Starting the Threshold Tuning Phase

Use the threshold tuning phase after performing the policy construction phase or anytime the thresholds of the zone policies need updating.


Note When the zone configuration contains the worm_tcp policy template, the Detector module uses the threshold tuning phase to create policies from the template as well as tune the threshold of each policy it creates.


To start the threshold tuning phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Tune Threshold from the zone main menu. The following actions occur:

The Detector module begins analyzing the zone traffic and adjusts the threshold values of the zone policies to the characteristics of the traffic flow.

The zone status learning icon appears in the work area and next to the zone name in the navigation panel.


Step 3 (Optional) Choose Learning > Snapshot to save and review the current results, or threshold suggestions, of the threshold tuning phase at anytime during the phase. For details on using the snapshot option, see the "Managing Learning Process Snapshots" section.


To allow the Detector module enough time to receive and analyze an accurate representation of normal zone traffic, we recommend that you let the threshold tuning phase run for at least 24 hours before terminating this phase.

Accepting the Current Threshold Tuning Phase Results

To accept the current results of the threshold tuning phase and allow the Detector module to continue the threshold tuning phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Accept from the zone main menu. The Accept Thresholds window opens.

Step 3 Define the threshold selection method to use. Table 7-1 describes the parameters listed in the Accept Thresholds window.

Table 7-1 Threshold Terminating Method

Parameter: Threshold selection method

Description: Method for selecting the thresholds to accept. Select one of the following options from the drop-down list:

Accept new thresholds—The Detector module saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Detector module compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Detector module calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Detector module rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

Parameter: weight

Description: This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


Step 4 Choose one of the following options:

OK— The Detector module updates the policies of the zone configuration with the current results of the threshold tuning phase and the threshold tuning phase continues.

Clear—The Accept Thresholds window reverts back to its default settings.

Cancel—The Accept Thresholds window closes and the threshold tuning phase continues.

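The following Python model is an added example, not code from the Detector module or from this guide. It implements the four threshold selection methods of Table 7-1 for every policy of a zone and also models the rule from the "Marking the Zone Policies as Tuned or Untuned" section: an untuned zone reports no anomalies, and its first acceptance always uses Accept new thresholds regardless of the configured method. The Zone class, policy names, rounding of the weighted result, the 0 to 100 weight range, and the handling of a policy with no current threshold are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Method(Enum):
    """Threshold selection methods from the Accept Thresholds window (Table 7-1)."""
    NEW = "Accept new thresholds"
    MAX = "Accept max. thresholds"          # default in the Accept Thresholds window
    WEIGHTED = "Accept weighted thresholds"
    KEEP = "Keep current thresholds"


def select_threshold(current: int, learned: int, method: Method,
                     weight: Optional[int] = None) -> int:
    """Return the threshold to save to the zone configuration for one policy.

    The weighted formula is the one given in Table 7-1:
        new-threshold = (learned * weight + current * (100 - weight)) / 100
    Assumptions (not stated in the guide): weight is an integer percentage
    from 0 to 100, and the weighted result is rounded to the nearest integer.
    """
    if method is Method.NEW:
        return learned
    if method is Method.MAX:
        return max(current, learned)
    if method is Method.KEEP:
        return current
    if method is Method.WEIGHTED:
        if weight is None or not 0 <= weight <= 100:
            raise ValueError("weight must be an integer from 0 to 100 for weighted thresholds")
        return round((learned * weight + current * (100 - weight)) / 100)
    raise ValueError(f"unknown threshold selection method {method!r}")


@dataclass
class Zone:
    """Constructed minimal zone state; not the product's data model."""
    thresholds: Dict[str, int]                 # policy name -> current threshold
    tuned: bool = False                        # the "Zone is tuned" learning parameter
    snapshots: List[Dict[str, int]] = field(default_factory=list)


def accept_thresholds(zone: Zone, learned: Dict[str, int], method: Method,
                      weight: Optional[int] = None) -> Method:
    """Apply a threshold selection method to every policy and mark the zone tuned.

    While the zone is untuned, the first acceptance uses Accept new thresholds
    (the chapter's rule); later acceptances use the configured method. The
    previous policy thresholds are kept as a snapshot before they are replaced,
    mirroring the snapshot the Detector module saves after an automatic accept.
    Returns the method that was actually applied.
    """
    effective = method if zone.tuned else Method.NEW
    zone.snapshots.append(dict(zone.thresholds))
    for policy, learned_value in learned.items():
        # Assumption: a policy first created during threshold tuning (for example
        # from the worm_tcp template) has no current value, so the learned value is used.
        current = zone.thresholds.get(policy, learned_value)
        zone.thresholds[policy] = select_threshold(current, learned_value, effective, weight)
    zone.tuned = True
    return effective


def exceeds_threshold(zone: Zone, policy: str, observed_rate: int) -> bool:
    """True when an observed rate would trigger the policy action.

    An untuned zone never reports an anomaly: the chapter states that the
    Detector module does not detect an attack on an untuned zone even when the
    current thresholds are exceeded.
    """
    if not zone.tuned:
        return False
    threshold = zone.thresholds.get(policy)
    return threshold is not None and observed_rate > threshold


if __name__ == "__main__":
    zone = Zone(thresholds={"tcp/80": 1000}, tuned=False)  # constructed sample zone
    print(exceeds_threshold(zone, "tcp/80", 5000))           # False: zone is untuned
    print(accept_thresholds(zone, {"tcp/80": 1500, "worm_tcp": 40}, Method.MAX))
    print(zone.thresholds, zone.tuned)
    print(select_threshold(1000, 1500, Method.WEIGHTED, weight=30))
```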

Stopping the Threshold Tuning Phase

To accept or reject the current results of the threshold tuning phase and stop the threshold tuning phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Stop Learning from the zone main menu. The Stop Learning window opens.

Step 3 Select one of the following options from the Stop Learning window:

Reject—Ignore the current results of the threshold tuning phase.

Accept—Use the current results of the threshold tuning phase in the zone configuration. Define the threshold selection method to use. Table 7-1 describes the threshold selection method parameters.

Table 7-2 Threshold Terminating Method

Parameter: Threshold selection method

Description: Method for selecting the thresholds to accept. Select one of the following options from the drop-down list:

Accept new thresholds—The Detector module saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Detector module compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Detector module calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Detector module rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

Parameter: weight

Description: This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


Step 4 Choose one of the following options:

OK—The Detector module updates the policies of the zone configuration with the current results of the threshold tuning phase and the threshold tuning phase stops.

Clear—The Stop Learning window reverts back to its default settings.

Cancel—The Stop Learning window closes and the threshold tuning phase continues.


Performing the Learning Process Using Detect and Learn

The procedures in this section describe how to manage the Detect and Learn operation, in which the Detector module analyzes zone traffic for anomalies while learning zone traffic and making policy threshold adjustments. Prior to activating Detect and Learn, you can configure when and how the Detector module accepts the results of the learning process. Note that the Detector module suspends the learning process when it detects an attack on the zone and resumes the learning process when the attack has ended.

This section contains the following procedures:

Configuring Automatic Learning Parameters

Activating Detect and Learn

Deactivating Detect and Learn

Configuring Automatic Learning Parameters

Configuring the automatic learning parameters allows you to control when and how the Detector module automatically accepts the current results of the learning process (threshold tuning phase) when you activate Detect and Learn.

To configure automatic learning:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Learning parameters from the zone main menu. The Learning parameters screen appears.

Step 3 Click Config. The Config learning parameters screen appears.

Step 4 Define the automatic learning parameters. Table 7-3 describes the learning parameters.

Table 7-3 Learning Parameters

Parameter: Zone is tuned

Description: Marks the zone policies as tuned or untuned. Select this option to mark the policies tuned, allowing the Detector module to immediately use the policies to detect zone anomalies. Deselect this option to mark the policies untuned, requiring you to accept the results of the threshold tuning phase before the Detector module can detect zone anomalies. See the "Marking the Zone Policies as Tuned or Untuned" section for more information.

Parameter: Set periodic learning

Description: Enables the automatic learning process. Configure the following learning parameters when you select this option:

Learning cycle—Defines how often the Detector module is to save the results of the learning process. Define the time period between saves in terms of weeks, days, hours, and minutes. Enter an integer from 0 to 1000 for each of the time fields.

Learning results—Defines how the Detector module saves the results of the learning process. Select one of the following methods:

Automatic accept—Accept the learning process results (policy thresholds) that the Detector module suggests to the zone configuration at the specified interval. The Detector module saves a snapshot of the zone policies after accepting the newly suggested ones.

Snapshot only—Save a snapshot of the learning process (policy thresholds) at the specified interval. The Detector module does not accept the new policies and does not modify the policy thresholds in the zone configuration.

Parameter: Threshold selection method

Description: Method for selecting the thresholds to accept. Select one of the following options from the drop-down list:

Accept new thresholds—The Detector module saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Detector module compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Detector module calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Detector module rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

Parameter: weight

Description: This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


Step 5 Choose one of the following options:

OK—The Detector module saves the automatic learning parameters to the zone configuration.

Clear—The Learning Parameters form reverts back to its default settings.

Cancel—The Config learning parameters screen closes.


Activating Detect and Learn

Activating Detect and Learn allows the Detector module to detect zone anomalies while learning zone traffic and making policy threshold adjustments. Before activating Detect and Learn, you should verify whether the zone policies are marked as tuned or untuned as the Detector module functions differently depending on the tuned state of the zone policies. If the policies are marked as tuned when you activate Detect and Learn, the Detector module is able to detect attacks and learn zone traffic. If you activate Detect and Learn and the zone policies are marked as not tuned, the Detector module functions in the following ways:

The Detector module does not detect attacks in zone traffic until the zone policy thresholds are accepted once

The Detector module activates a threshold selection method of Accept new thresholds only (see the "Configuring Automatic Learning Parameters" section)

For more information on marking policies tuned or untuned, see the "Marking the Zone Policies as Tuned or Untuned" section.

To activate Detect and Learn:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Click Detect and Learn.

Step 3 The following actions occur:

The Detector module begins analyzing the traffic flow for traffic anomalies.

The Detector module begins the threshold tuning phase of the learning process.

The zone name is added to the Under Detection zone listing in the navigation pane.

The zone status icon changes from Standby to Detection.

The Recent Events table lists an event type of detection-start with a detail listing of Zone is under detection.


Deactivating Detect and Learn

When you deactivate Detect and Learn, the Detector module allows you to deactivate both anomaly detection and learning or just one of the two operations.

To deactivate Detect and Learn:


Step 1 Select a zone under detection from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to deactivate Detect and Learn:

From the zone status screen, click Deactivate.

From the zone main menu, choose Detection > Deactivate.

The Deactivate window opens.

Step 3 Click the check box next to the requested action. You can select one or both of the following actions:

Stop Detection—Stops anomaly detection.

Stop Learning—Stops the threshold tuning phase. Select one of the following options:

Reject—Ignores the current results of the threshold tuning phase.

Accept—Uses the current results of the threshold tuning phase in the zone configuration. Define the threshold selection method to use. Table 7-1 describes the threshold selection method parameters.

Table 7-4 Threshold Terminating Method

Parameter: Threshold selection method

Description: Method for selecting the thresholds to accept. Select one of the following options from the drop-down list:

Accept new thresholds—The Detector module saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Detector module compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Detector module calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Detector module rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

Parameter: weight

Description: This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


The following actions occur when you deactivate both anomaly detection and learning:

The zone name is removed from the Detected Zones listing in the navigation pane.

The zone status icon changes from Detection to Standby.

The Recent Events table lists an event type of protection-stop with a detail listing of Zone is not under detection.


Marking the Zone Policies as Tuned or Untuned

The Detector module considers zone policies to be either tuned or untuned depending on the following conditions:

Untuned—The Detector module marks the zone untuned when the zone configuration is using the default policy threshold values of the zone template. The zone configuration uses the default policy threshold values after you perform one of the following actions:

Create a new zone

Accept the policy construction phase results for a zone

Add a service to the zone policies or remove a service from the zone policies

Tuned—The Detector module marks the zone tuned after accepting the results of the threshold tuning phase, at which point the threshold values are tuned specifically to the zone traffic characteristics.

Knowing the tuned state of the zone is important when you activate Detect and Learn for the zone. If the tuned state of the zone is untuned when you activate Detect and Learn, the Detector module is unable to detect an attack on the zone until it accepts the results of the threshold tuning phase as determined by the automatic learning parameters (see the "Configuring Automatic Learning Parameters" section). If you have the threshold selection method of automatic learning set to anything but Accept new thresholds, the Detector module uses the Accept new thresholds setting to accept the first results of the threshold tuning phase. From that point on, the Detector module uses the threshold selection method you selected.

You can manually change the tuned state of a zone and may consider changing the state to tuned when one of the following conditions applies:

You created the zone by copying an existing zone configuration with similar traffic characteristics

You have manually configured all policy thresholds

You may consider changing the tuned state of the zone to untuned when one of the following conditions applies:

A major change was made in the zone network

The zone IP address or subnet was modified

You did not activate Detect and Learn during peak traffic time (marking the zone untuned prevents the Detector module from regarding the traffic during peak time as an attack)

When you mark the zone untuned, the Detector module ignores the current policy thresholds and does not detect an attack on the zone when these thresholds are exceeded.

To mark the zone as tuned or untuned:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Learning parameters from the zone main menu. The Learning parameters screen appears.

Step 3 Click Config. The Config learning parameters screen appears.

Step 4 From the Learning Parameters form, select one of the following options:

Select Zone is tuned—The Detector module marks the policies as tuned and can immediately use the policies to detect zone anomalies.

Deselect Zone is tuned—The Detector module marks the policies untuned, requiring you to accept the results of the threshold tuning phase before the Detector module can detect zone anomalies.

Step 5 Choose one of the following options:

OK—The Detector module saves the tuned setting to the zone configuration.

Clear—The Learning Parameters form reverts back to its default settings.

Cancel—The Config learning parameters screen closes.


For a complete description of the Learning Parameter Form options, see the "Configuring Automatic Learning Parameters" section.

Managing Learning Process Snapshots

The Detector module snapshot feature allows you to save zone policy information for viewing and policy comparison purposes. Using the snapshot feature, you can perform the following actions:

View the current results of the learning process

Save the snapshot policy information to the zone configuration

Compare the policy results of the snapshot with another snapshot or zone configuration (see the "Comparing Policy Configurations of Two Zones or Snapshots" section)

Back up the current zone policies contained in the zone configuration

At any stage of the learning process, you can save a snapshot of the current learning parameters (services, thresholds, and other policy-related data). The Detector module continues performing the current learning phase while it records the snapshot information and assigns a consecutive ID number to the snapshot.

This section contains the following procedures:

Taking a Snapshot of Current Learning Process Results

Taking a Snapshot of the Zone Configuration Policies

Viewing, Modifying, or Saving Snapshot Results

Deleting a Snapshot

Taking a Snapshot of Current Learning Process Results

To take a snapshot of the current learning process results (policy construction or threshold tuning):


Step 1 Select a zone currently in a learning phase from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Snapshot from the zone main menu. The Detector module saves the learning parameters and assigns a consecutive ID number to the snapshot.


Taking a Snapshot of the Zone Configuration Policies

When you take a snapshot of a zone that is not learning zone traffic (the zone is either in standby or detect mode), the Detector module creates a snapshot that contains the current policy information of the zone configuration. You can use this type of snapshot to create a backup of the zone policies or for comparison purposes.

To create a snapshot of the zone configuration policies:


Step 1 Select a zone from the navigation pane that is not currently in a learning phase. The zone main menu appears.

Step 2 Choose Learning > Snapshot from the zone main menu. The Detector module saves the policies contained in the zone configuration to the snapshot and assigns a consecutive ID number to the snapshot.


Viewing, Modifying, or Saving Snapshot Results

To view, modify, or save a snapshot result to the zone configuration:


Step 1 Select a zone currently in a learning phase from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Snapshot List from the zone main menu. The list of snapshots appears, displaying the ID number of each snapshot along with the date and time the snapshot was taken.

Step 3 Select the snapshot ID number or date to view. The Policies screen appears, displaying the policies the Detector module recorded at the time of the snapshot.

Step 4 (Optional) From the Policies screen of the snapshot, choose one of the following options:

Configure Selection—Reconfigure the parameters of one or more of the policies (see the "Modifying Policy Parameters" section in "Managing Zone Policies.")

Add service or Remove service—Add a service to, or remove a service from, the list of services detected at the time of the snapshot (see the "Adding or Deleting a Service" section in "Managing Zone Policies.")

Accept Thresholds—Saves the policies of the snapshot to the zone configuration.


Deleting a Snapshot

To delete a snapshot:


Step 1 Select a zone currently in a learning phase from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Snapshot List from the zone main menu. The list of snapshots appears and displays the ID number of each snapshot along with the date and time the snapshot was taken.

Step 3 Check the check box next to the ID number of the snapshot to delete.

Step 4 Click Delete. The Detector module deletes the selected snapshots from the Snapshot list.


Comparing Policy Configurations of Two Zones or Snapshots

You can compare the policy configurations of two zones, two snapshots, or a zone and a snapshot. The Detector module traces differences in policy configuration services, policies, and policy thresholds. When comparing the policy configurations of two zones or snapshots, you can perform the following actions:

Define the comparison sensitivity level

Delete or add policy configuration attributes to make the two compared zones more alike

Accept learned policy attributes selectively

This section contains the following procedures:

Viewing Policy Configuration Differences

Deleting Base Zone Services

Adding Base Zone Services

Copying Policy Parameters to the Base Zone

Viewing Policy Configuration Differences

To compare and display the policy differences of two zones or snapshots:


Step 1 Use one of the following methods to begin the policy comparison process:

From the Detector module summary main menu, choose Zones > Compare Zone policies.

From the zone main menu, choose Configuration > Compare policies.

The Policies Comparison query appears.

Step 2 Define the base and compare zones or snapshots. Table 7-5 describes the Policies Comparison query parameters.

Table 7-5 Policies Comparison Parameters

Parameter 1 | Parameter 2 | Description
Base Zone | Zone | Name of the zone or snapshot. If you require configuration changes to correct differences between the two zone policy configurations being compared, you make the changes to the base zone. Choose the base zone from the drop-down list.
Base Zone | Policy Configuration | Policy configuration of the selected base zone. The default value is the current policy configuration of the zone configuration, but if snapshots are available, they display as well in the drop-down list. Choose the base zone policy configuration from the drop-down list.
Compared Zone | Zone | Name of the zone or snapshot being compared to the base zone. Choose the compared zone from the drop-down list.
Compared Zone | Policy Configuration | Policy configuration of the selected compared zone. The default value is the current policy configuration of the zone configuration, but if snapshots are available, they display as well in the drop-down list. Choose the policy configuration from the drop-down list.
Minimal difference | - | Percentage of differences between the base and compared zone policy configurations. The Detector module traces any parameters that differ more than the percentage defined. By default, the Detector module traces every difference in the compared zone (100%). Enter the difference percentage value.


Step 3 Choose one of the following options:

OK—Compares the policy configurations of the two zones. The Policy Comparison screen appears and displays the differences in services and policy parameters (see Figure 7-1).

Cancel—Exits the Policies Comparison query without comparing any zone policies.


Figure 7-1 shows an example of the policy comparison tables. The policy configuration attributes specific to the base zone display in black and attributes specific to the compared zone display in red.

Figure 7-1 Policy Comparison Tables

The policy comparison screen is divided into two sections:

Difference in services—The two tables in this section display the following information:

Services present only in the base zone policies.

Services missing from the base zone. The services in this list are only defined in the compared zone.

Difference in policy parameters—Differences in the operational parameters of the policies (state, action, threshold, proxy-threshold) display. Each section in the table displays the differences found in a single policy. The first row in each section displays the base zone parameters. The second row of each section displays the compared zone parameters.


Note The Detector module displays a check box only next to the listed services that you can add to, or delete from, the base zone. Some listed services cannot be added or deleted because they are not specific services, such as those of the type any.


Deleting Base Zone Services

To delete services from the base zone configuration:


Step 1 From the Services only in zone name table, click the check boxes next to the desired services to remove from the base zone configuration. To select all of the table entries, click the check box in the table header.

Step 2 Click Delete. The Detector module removes the selected services from the base zone policy configuration.


Adding Base Zone Services

To add services to the base zone configuration:


Step 1 From the Services missing from zone name table, click the check boxes next to the services to add to the base zone configuration. To select all of the table entries, click the check box in the table header.

Step 2 Click Add. The Detector module adds the selected services to the base zone policy configuration.


Copying Policy Parameters to the Base Zone

To copy the policy parameters from the compared zone to the base zone:


Step 1 From the Difference in policy parameters table, click the check boxes next to the policies to copy to the base zone. To select all of the table entries, click the check box in the table header.

Step 2 Click Copy Parameters. The Detector module copies the selected policies from the compared zone (red) to the base zone (black) policy configuration.
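The comparison screen and its three reconciliation actions (delete base zone services, add base zone services, copy policy parameters), re-created offline as an added example; this is not Cisco code and the Detector module does not expose it. The snapshot layout (service name to policy parameters), the sample values, and the relative-change rule used for Minimal difference (the guide does not define the formula; 0 here reports every difference) are assumptions.

```python
from copy import deepcopy

PARAMS = ("state", "action", "threshold", "proxy_threshold")
NUMERIC = ("threshold", "proxy_threshold")
NON_SPECIFIC = {"any"}  # not add/delete-able on the comparison screen (type any)

# Constructed snapshots: service name -> policy parameters (values are made up).
BASE = {
    "tcp/80": {"state": "active", "action": "notify", "threshold": 1000, "proxy_threshold": 800},
    "tcp/25": {"state": "active", "action": "notify", "threshold": 50, "proxy_threshold": 40},
    "any": {"state": "active", "action": "notify", "threshold": 5000, "proxy_threshold": 4000},
}
COMPARED = {
    "tcp/80": {"state": "active", "action": "notify", "threshold": 1500, "proxy_threshold": 820},
    "udp/53": {"state": "active", "action": "notify", "threshold": 300, "proxy_threshold": 250},
    "any": {"state": "inactive", "action": "notify", "threshold": 5000, "proxy_threshold": 4000},
}

def service_diff(base, compared):
    """Services only in the base zone and services missing from it, each as
    (service, editable): 'any'-type services are listed but get no check box."""
    only_in_base = sorted((s, s not in NON_SPECIFIC) for s in base.keys() - compared.keys())
    missing = sorted((s, s not in NON_SPECIFIC) for s in compared.keys() - base.keys())
    return only_in_base, missing

def differs(param, b, c, min_diff_pct):
    """Assumed rule: a numeric parameter is traced when its relative change from
    the base value exceeds min_diff_pct; state and action whenever not equal."""
    if param not in NUMERIC or b == 0:
        return b != c
    return abs(c - b) / abs(b) * 100 > min_diff_pct

def policy_param_diff(base, compared, min_diff_pct=0.0):
    """(service, param, base_value, compared_value) rows for policies in both zones."""
    return [(s, p, base[s][p], compared[s][p])
            for s in sorted(base.keys() & compared.keys()) for p in PARAMS
            if differs(p, base[s][p], compared[s][p], min_diff_pct)]

def reconcile(base, compared, delete=(), add=(), copy=()):
    """Apply the screen's Delete, Add and Copy Parameters actions to a copy of the
    base zone; 'any'-type services are refused, as the screen offers no check box."""
    new = deepcopy(base)
    for s in list(delete) + list(add):
        if s in NON_SPECIFIC:
            raise ValueError(f"{s} is not a specific service and cannot be added or deleted")
    for s in delete:
        new.pop(s, None)
    for s in list(add) + list(copy):
        new[s] = deepcopy(compared[s])
    return new
```

Running policy_param_diff on the reconciled base against the compared zone is a quick check that only the differences you chose not to copy remain.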