Table Of Contents
Configuring Zones
Overview
Using Zone Templates
Creating a New Zone
Creating a New Zone from a Zone Template
Creating a New Zone by Duplicating an Existing Zone
Configuring Zone Attributes
Configuring the Zone IP Address Range
Synchronizing a Detector with Cisco Guard Zone Configuration
Configuration Guidelines
Configuring Zones for Synchronization
Configuring the Automatic Zone Synchronization and Export Parameters
Synchronizing a Zone Configuration Automatically
Synchronizing a Zone Configuration to the Detector
Synchronizing a Zone Configuration from the Detector
Synchronizing a Zone Configuration Offline
Exporting a Zone Configuration Automatically
Exporting the Zone Configuration Manually
Example Scenario
Configuring Zones
This chapter describes how to create and manage zones on the Cisco Traffic Anomaly Detector (Detector). These procedures are required to enable zone detection.
This chapter contains the following sections:
• Overview
• Using Zone Templates
• Creating a New Zone
• Configuring Zone Attributes
• Configuring the Zone IP Address Range
• Synchronizing a Detector with Cisco Guard Zone Configuration
Overview
A zone is a network element that the Detector monitors for Distributed Denial of Service (DDoS) attacks. A zone can be any combination of the following elements:
• A network server, client, or router
• A network link or subnet or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
When the Detector identifies a DDoS attack, it can activate a Cisco Guard (Guard) automatically to protect the zone against the attack, or it can notify the user to activate the Guard manually. The Detector can analyze the traffic for different zones simultaneously, as long as their network address ranges do not overlap.
You assign a name to the zone and use this name to refer to it.
The zone configuration process consists of the following tasks:
• Creating a zone—You can create a zone and configure the zone name and the zone description. See the "Creating a New Zone" section for more information.
• Configuring the zone network definition—You can configure the zone network definitions that include the network IP address and subnet mask. See the "Configuring Zone Attributes" section for more information.
• Configuring the zone filters—You can configure the zone filters. The zone filters apply the required detection level to the zone traffic and define the way the Detector handles specific traffic flows. See "Configuring Zone Filters," for more information.
• Learning the zone traffic characteristics—You can create the zone detection policies that enable the Detector to analyze a particular traffic flow and take action if the traffic flow exceeds a policy threshold. The Detector constructs the policies in a learning process that consists of two phases: policy construction and threshold tuning. See "Learning the Zone Traffic Characteristics," for more information.
Using Zone Templates
A zone template defines the default configuration of a zone.
The Detector contains two sets of zone templates with the following prefixes:
• DETECTOR_—Zone templates designed for Detector use only. Select the DETECTOR_ version of the zone template when you are not going to share the zone configuration with a Guard.
• GUARD_—Zone templates designed for use on the Detector and the Guard. You can configure both Detector and Guard attributes for zones that were created from these templates, and copy the zone configuration to the Guard. Select the GUARD_ version of the zone template when you plan to synchronize the zone configuration with a Guard.
See the "Configuring Zones for Synchronization" section for more information on how to configure zones that were created from these templates.
Table 5-1 displays the zone templates.
Table 5-1 Zone Templates
Template | Description
DETECTOR_DEFAULT | Default zone template. You can use this zone template to protect a VoIP server. If you create a zone using this zone template, you cannot detect TCP worm attacks on the zone.
DETECTOR_WORM | A zone template that enables detection of TCP worm attacks on the zone. Zones that are created from the DETECTOR_WORM zone template contain policies that are produced from the worm_tcp policy template (see the "Understanding Worm Policies" section for more information).
DETECTOR_LINK templates | Zone templates designed for detection of large subnets segmented according to zones with known bandwidth. You can activate zone detection for zones defined by these zone templates without undergoing the learning process. To enable the Detector to activate zone protection on a Guard for the attacked IP address or subnet only, use the protect-ip-state dst-ip-by-name command. See the "Configuring Guard-Protection Activation Methods" section for more information on the protect-ip-state command. The following bandwidth-limited link zone templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links: DETECTOR_LINK_128K, DETECTOR_LINK_1M, DETECTOR_LINK_4M, DETECTOR_LINK_512K. You cannot perform the policy construction phase of the learning process for zones that were created from these templates.
GUARD_DEFAULT | Default zone template.
GUARD_LINK templates | Zone templates designed for zones with a known bandwidth. The following templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links: GUARD_LINK_128K, GUARD_LINK_1M, GUARD_LINK_4M, GUARD_LINK_512K. You cannot perform policy construction for zones that were created from these templates. You can activate zone detection for zones that were created from the GUARD_LINK zone templates without undergoing the threshold tuning phase. We recommend that you define such a zone with a Guard protection activation method of dst-ip-by-name (the Detector activates a Guard to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address) by using the protect-ip-state command. See the "Configuring Guard-Protection Activation Methods" section for more information.
GUARD_TCP_NO_PROXY | A zone template designed for a zone for which no TCP proxy is to be used. You may use this zone template if the zone is controlled based on IP addresses, such as an IRC server-type zone, or if you do not know the type of services running on the zone.
Creating a New Zone
You can create a zone and configure the zone name, description, network address, operation definitions, and networking definitions.
When you create a new zone, you can use an existing zone as a template or you can create a zone from system-defined zone templates. The zone template defines the initial policy and filter configuration of the zone.
You can create a new zone in two ways:
• Create a new zone—You can create a new zone from system-defined zone templates. Use this method to create a new zone with the default policies and filters. After you create a new zone, you must configure the zone attributes.
• Duplicate a zone—You can create a zone from an existing zone. Use this method if the new zone has traffic patterns that are similar to those of an existing zone.
See the "Configuring Zone Attributes" section for information on how to modify the zone configuration settings.
Creating a New Zone from a Zone Template
To create a new zone from system-defined zone templates, use one of the following commands:
• zone new-zone-name [template-name] [interactive]—Creates a new zone. If you do not enter the template-name argument, the new zone is created from the DETECTOR_DEFAULT zone template.
• zone zone-name [template-name] [interactive]—Deletes the existing zone and creates a new zone with the same name.
When using a system-defined zone template, the Detector applies the default settings to all zone attributes.
If the command is performed successfully, the Detector enters the configuration mode of the new zone.
If you enter the name of an existing zone without specifying a zone template, the Detector enters the configuration mode of the specified zone.
Table 5-2 provides the arguments and keywords for the zone command.
Table 5-2 Arguments and Keywords for the zone Command
Parameter | Description
new-zone-name | The name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter and can contain underscores, but cannot contain any spaces.
zone-name | The name of an existing zone.
template-name | (Optional) A zone template that defines the zone configuration. The default is to create the zone using the DETECTOR_DEFAULT zone template. The zone template can be one of the following: GUARD_DEFAULT, GUARD_LINK_128K, GUARD_LINK_1M, GUARD_LINK_4M, GUARD_LINK_512K, GUARD_TCP_NO_PROXY, DETECTOR_DEFAULT, DETECTOR_LINK_128K, DETECTOR_LINK_1M, DETECTOR_LINK_4M, DETECTOR_LINK_512K, DETECTOR_WORM. See the "Using Zone Templates" section for more information on the zone templates.
interactive | (Optional) Sets the Detector to perform zone anomaly detection in an interactive manner. The dynamic filters that the policies create appear as recommendations. You must decide whether or not to activate each dynamic filter. See "Using Interactive Detect Mode," for more information.
The following example shows how to create a new zone configured for interactive detect mode:
user@DETECTOR-conf# zone scannet interactive
user@DETECTOR-conf-zone-scannet#
To delete a zone, use the no zone command. When deleting a zone, you can use an asterisk (*) as a wildcard character at the end of the zone name. The wildcard allows you to remove several zones with the same prefix in one command.
To display the zone templates, use the show templates command in global or configuration mode. To display the zone template default policies, use the show templates template-name policies command in global or configuration mode.
Creating a New Zone by Duplicating an Existing Zone
You can create a new zone based on an existing zone. When using an existing zone as a template for the new zone, all properties of the existing zone are copied to the newly defined zone. If you specify a snapshot, the zone policies are copied from the snapshot.
To duplicate a zone, use one of the following commands:
• zone new-zone-name copy-from-this [snapshot-id]—Use this command in zone configuration mode to create a new zone with the configuration of the current zone.
• zone new-zone-name copy-from zone-name [snapshot-id]—Use this command in configuration mode to create a new zone with the configuration of the specified zone.
Table 5-3 provides the arguments and keywords for the zone command.
Table 5-3 Arguments and Keywords for the zone Command
Parameter | Description
new-zone-name | Name of a new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with an alphabetic letter and can contain underscores but cannot contain any spaces.
copy-from-this | Creates a new zone by copying the configuration of the current zone.
copy-from | Creates a new zone by copying the configuration of the specified zone.
zone-name | Name of an existing zone.
snapshot-id | ID of an existing snapshot. See the "Displaying Snapshots" section for more information.
The following example shows how to create a new zone from the current zone:
user@DETECTOR-conf-zone-scannet# zone mailserver copy-from-this
user@DETECTOR-conf-zone-mailserver#
If the command is performed successfully, the Detector enters the configuration mode of the new zone.
The policies of the new zone are marked as untuned. We recommend that you perform the threshold tuning phase of the learning process to tune the policy thresholds to the zone traffic. If the traffic characteristics of the new zone are identical or very similar to the traffic characteristics of the originating zone, you can mark the policy thresholds as tuned. See the "Marking the Policies as Tuned" section for more information.
Configuring Zone Attributes
After you create the zone, you can configure the zone attributes.
To configure the zone attributes, perform the following steps:
Step 1
Enter zone configuration mode. Skip this step if you are in zone configuration mode already.
To enter zone configuration mode, use one of the following commands:
• conf zone-name (from global mode)
• zone zone-name (from configuration mode or zone configuration mode)
The zone-name argument specifies the name of an existing zone.
Note
You can disable tab completion for zone names in the zone command by using the aaa authorization commands zone-completion tacacs+ command. See the "Disabling Tab Completion of Zone Names" section for more information.
Step 2
Define the zone IP address by using the ip address command. You must define at least one IP address that is not excluded to enable the Detector to learn the zone traffic and detect the zone.
See the "Configuring the Zone IP Address Range" section for more information.
Step 3
(Optional) Add a description to the zone for identification purposes by entering the description string command in zone configuration mode.
The maximum string length is 80 characters. If you use spaces in the string, enclose the string in quotation marks (" ").
To modify a zone description, reenter the zone description. The new description overrides the previous description.
Step 4
Display the configuration of the newly configured zone by entering the show running-config command in zone configuration mode.
The configuration information consists of CLI commands that are executed to configure the Detector with the current settings. Refer to the specific command entries for more information.
The following example shows how to create a new zone and configure the zone attributes. The zone IP address range is configured to 192.168.100.32/27, but the IP address 192.168.100.50 is excluded from the zone IP address range.
user@DETECTOR-conf# zone scannet
user@DETECTOR-conf-zone-scannet# ip address 192.168.100.32 255.255.255.224
user@DETECTOR-conf-zone-scannet# ip address exclude 192.168.100.50
user@DETECTOR-conf-zone-scannet# description Demonstration zone
user@DETECTOR-conf-zone-scannet# show running-config
Configuring the Zone IP Address Range
You must configure at least one IP address that is not excluded before you can activate zone anomaly detection, but you can add or delete IP addresses from the zone IP address range at any time. You can configure a large subnet and then exclude specific IP addresses from that subnet so that they are not part of the zone IP address range.
To configure the zone IP address, use the following command in zone configuration mode:
ip address [exclude] ip-addr [ip-mask]
Table 5-4 provides the arguments and keywords for the ip address command.
Table 5-4 Arguments and Keywords for the ip address Command
Parameter | Description
exclude | Excludes the IP address from the zone IP address range.
ip-addr | IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1). By default, the IP address is included in the zone IP address range. The IP address must match the subnet mask. If you enter a Class A, Class B, or Class C subnet mask, the host bits in the IP address must be 0.
ip-mask | (Optional) IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0). The default subnet mask is 255.255.255.255.
The following example shows how to configure the zone IP address range to 192.168.100.32/27 but exclude IP address 192.168.100.50 from the zone IP address range.
user@DETECTOR-conf-zone-scannet# ip address 192.168.100.32 255.255.255.224
user@DETECTOR-conf-zone-scannet# ip address exclude 192.168.100.50
If you modify the zone IP address range, perform one of the following tasks:
• If the new IP address or subnet consists of a new service that was not previously defined in the zone network, activate the policy construction phase before activating zone detection or add the service manually. See the "Constructing Policies" section and the "Adding a Service" section for more information.
• If you enabled the detect and learn function, use the no learning-params threshold-tuned command to mark the zone policies as untuned. Do not change the status of the zone policies to untuned if there is an attack on the zone. Changing the status prevents the Detector from detecting the attack and causes the Detector to learn malicious traffic thresholds. See the "Marking the Policies as Tuned" section for more information.
• If you are not using the detect and learn function, you should activate the threshold tuning phase before activating zone anomaly detection. See the "Tuning Policy Thresholds" section.
To delete zone IP addresses, use the no form of the command.
To delete exclude IP addresses, use the no ip address exclude command.
To delete all zone IP address and exclude IP addresses, use the no ip address * command.
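The following pre-flight validator is an added example (not Cisco code) that checks a planned zone definition against the rules in this chapter before it is typed into the Detector: the zone-name format from Table 5-2, the template names from Table 5-2, the ip address syntax and host-bit rule from Table 5-4, the requirement that at least one address is not excluded, and the rule that zone address ranges must not overlap. The sample zones at the bottom are constructed for illustration.

```python
"""Pre-flight validator for Detector zone definitions (added example; not
Cisco code). It applies the rules stated in this chapter: zone names are
1 to 63 alphanumeric characters, start with a letter, may contain
underscores and no spaces; the template must be one listed in Table 5-2;
`ip address [exclude] ip-addr [ip-mask]` defaults the mask to
255.255.255.255 and the host bits must be 0 for the given mask; each zone
needs at least one address that is not excluded; and the address ranges
of different zones must not overlap.
"""
import ipaddress
import re
from dataclasses import dataclass, field

ZONE_TEMPLATES = {
    "GUARD_DEFAULT", "GUARD_LINK_128K", "GUARD_LINK_1M", "GUARD_LINK_4M",
    "GUARD_LINK_512K", "GUARD_TCP_NO_PROXY", "DETECTOR_DEFAULT",
    "DETECTOR_LINK_128K", "DETECTOR_LINK_1M", "DETECTOR_LINK_4M",
    "DETECTOR_LINK_512K", "DETECTOR_WORM",
}
# first character a letter, then letters, digits or underscores; 63 in total
ZONE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")
DEFAULT_MASK = "255.255.255.255"


@dataclass
class Zone:
    name: str
    template: str
    included: list = field(default_factory=list)  # IPv4Network entries
    excluded: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def parse_ip_address_line(line):
    """Parse one `ip address [exclude] ip-addr [ip-mask]` line into
    (exclude, IPv4Network). Raises ValueError when the address has host
    bits set for the mask, which the Detector rejects."""
    tokens = line.split()
    if tokens[:2] != ["ip", "address"]:
        raise ValueError(f"not an ip address command: {line!r}")
    rest = tokens[2:]
    exclude = bool(rest) and rest[0] == "exclude"
    if exclude:
        rest = rest[1:]
    if not 1 <= len(rest) <= 2:
        raise ValueError(f"expected ip-addr [ip-mask]: {line!r}")
    mask = rest[1] if len(rest) == 2 else DEFAULT_MASK
    # strict=True makes ipaddress refuse an address with host bits set,
    # e.g. 192.168.100.50 with mask 255.255.255.224
    return exclude, ipaddress.IPv4Network(f"{rest[0]}/{mask}", strict=True)


def monitored_addresses(zone):
    """Addresses the Detector would actually monitor: every address in the
    included ranges minus every excluded one. Enumerates addresses, which
    is fine for subnet-sized zones such as the /27 in this chapter."""
    addresses = set()
    for net in zone.included:
        addresses.update(net)
    for net in zone.excluded:
        addresses.difference_update(net)
    return addresses


def build_zone(name, template, ip_lines):
    """Validate a zone definition and collect every problem found."""
    zone = Zone(name=name, template=template)
    if not ZONE_NAME_RE.match(name):
        zone.problems.append(f"invalid zone name {name!r}")
    if template not in ZONE_TEMPLATES:
        zone.problems.append(f"unknown zone template {template!r}")
    for line in ip_lines:
        try:
            exclude, net = parse_ip_address_line(line)
        except ValueError as exc:
            zone.problems.append(str(exc))
            continue
        (zone.excluded if exclude else zone.included).append(net)
    if not monitored_addresses(zone):
        zone.problems.append("no IP address that is not excluded")
    return zone


def find_overlaps(zones):
    """Pairs of zone names whose included ranges overlap; the Detector
    cannot analyze such zones simultaneously."""
    pairs = []
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if any(x.overlaps(y) for x in a.included for y in b.included):
                pairs.append((a.name, b.name))
    return pairs


if __name__ == "__main__":
    # constructed sample: the chapter's scannet zone plus two flawed ones
    scannet = build_zone("scannet", "GUARD_DEFAULT", [
        "ip address 192.168.100.32 255.255.255.224",
        "ip address exclude 192.168.100.50",
    ])
    mailserver = build_zone("mailserver", "GUARD_DEFAULT",
                            ["ip address 192.168.100.40"])
    broken = build_zone("1web", "GUARD_WORM",
                        ["ip address 192.168.100.50 255.255.255.224"])
    for z in (scannet, mailserver, broken):
        print(z.name, len(monitored_addresses(z)), z.problems)
    print("overlapping zones:", find_overlaps([scannet, mailserver, broken]))
```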
Synchronizing a Detector with Cisco Guard Zone Configuration
You can synchronize the zone configuration and policies with the zone on the Guard. The Detector copies the complete zone configuration to the Guard. This process allows you to configure the zone once but maintain the same configuration and policies on both the Detector and the Guard.
Communication between the Detector and the Guard requires the Secure Sockets Layer (SSL) protocol, which provides authentication and encryption. You must configure the SSL communication connection channel before you synchronize the zone. See the "Establishing Communication with the Cisco Guard" section for more information.
You can set the Detector to continuously learn the zone traffic characteristics to keep the zone policies updated and avoid constantly diverting the zone traffic to the Guard.
This section contains the following topics:
• Configuration Guidelines
• Configuring Zones for Synchronization
• Configuring the Automatic Zone Synchronization and Export Parameters
• Synchronizing a Zone Configuration Automatically
• Synchronizing a Zone Configuration to the Detector
• Synchronizing a Zone Configuration from the Detector
• Synchronizing a Zone Configuration Offline
• Exporting a Zone Configuration Automatically
• Exporting the Zone Configuration Manually
• Example Scenario
Configuration Guidelines
To synchronize zones between a Guard and a Detector, use the following guidelines:
• Create the new zone on the Detector using zone templates that are appropriate for both the Guard and the Detector (Guard zone templates). See Table 5-1 for more information.
• Ensure that the same type of traffic flows to both the Guard, when it is diverting traffic, and the Detector for proper synchronization of zone policies. Otherwise, the zone global policies may be too high or too low to guarantee proper protection against spoofed DDoS attacks.
• Use the Detector as the central configuration point because you can create new zones on the Detector only and the configuration file of the Detector contains the configuration of both the Detector zones and the Guard zones. Configure the zones on the Detector and maintain a backup of the Detector configuration. Copy the zone configuration from the Detector to the Guard.
• If you replace a device or change the IP address of the interface that the Detector and the Guard use to communicate, you must regenerate the SSL certificates that the Detector and the Guard use for secure communication.
• Verify the zone configuration on the Guard. If the activation extent is ip-address-only and the activation method is not zone-name-only, we recommend that you configure the timer that the Detector uses to identify that an attack on the zone has ended by entering the protection-end-timer command. If you configure the value of the protection-end-timer to forever, the Detector does not terminate zone protection when the attack ends and does not delete the subzone that it had created to protect the specific IP address.
Configuring Zones for Synchronization
To synchronize zones between the Guard and the Detector, you must create the new zone on the Detector using Guard zone templates because a zone that is created from a Guard zone template has two sets of definitions, one for the Guard, and one for the Detector. See Table 5-1 for more information on the zone templates.
You can configure the zone in the following configuration modes:
• Zone configuration mode—Configures definitions that are unique to the Detector, such as remote Guards. To enter zone configuration mode, use the zone command in configuration mode. The command prompt is as follows:
user@DETECTOR-conf-zone-scannet#
• Guard configuration mode—Configures definitions that are unique to the Guard, such as user filters. To enter guard configuration mode, use the guard-conf command in zone configuration mode. The command prompt is as follows:
user@DETECTOR-conf-zone-scannet(guard)#
• Zone configuration mode or guard configuration mode—Configures definitions that are common to both the Guard and the Detector, such as IP addresses.
If you modify a configuration that is common to both the Guard and the Detector, the change applies to both sets of definitions. For example, if you modify the zone IP address in zone configuration mode, the new IP address is also modified in the zone definition for the Guard. You can display the new zone definition for the Guard in guard configuration mode. If you change the operation state of a policy in guard configuration mode, the operation state is also modified in the zone definition of the Detector.
To create and configure a zone for synchronization, perform the following steps:
Step 1
Create a new zone on the Detector using one of the Guard zone templates.
The Detector displays (Guard/Detector) next to the zone ID field in the output of the show command in zone configuration mode.
See the "Creating a New Zone from a Zone Template" section.
Step 2
Configure the zone characteristics.
See the "Configuring Zone Attributes" section.
Step 3
To configure characteristics that are unique to the Guard, enter guard configuration mode by entering one of the following commands:
• guard-conf (from zone configuration mode)
• configure zone-name guard-conf (from global mode)
• zone zone-name guard-conf (from configuration mode)
The zone-name argument specifies the name of an existing zone.
The Detector enters the guard configuration mode. The CLI prompt indicates the mode by adding the word guard in parentheses, (guard), to the prompt.
The following example shows how to enter guard configuration mode:
user@DETECTOR-conf-zone-scannet# guard-conf
user@DETECTOR-conf-zone-scannet(guard)#
The guard configuration mode allows you to configure all zone attributes that are unique to the Guard, such as user filters, filter termination, and a policy or a filter action of drop. See the Cisco Guard Configuration Guide for more information.
Configuring the Automatic Zone Synchronization and Export Parameters
You can configure the Detector to automatically synchronize the zone configuration with remote Guards or automatically export the zone configuration to a network server.
The Detector performs the following actions:
• The Detector synchronizes the zone configuration with all the remote Guards that are defined in the zone remote Guard list. If the zone remote Guard list is empty, the Detector synchronizes the zone configuration with the remote Guards that are defined in the Detector default remote Guard list. If synchronization with one of the remote Guards fails, the Detector continues to the next remote Guard in the list. If both the zone remote Guard list and the Detector default remote Guard list are empty, the Detector does not synchronize the zone configuration. If a zone with the same name exists on the Guard, the new configuration replaces the existing one.
• The Detector exports the zone configuration, when the results of the threshold-tuning phase are accepted, to all the network servers that are listed in the zone remote server list. If the list is empty, the Detector searches the Detector default remote server list. See the "Exporting a Zone Configuration Automatically" section for more information. If both the zone remote server list and the Detector default remote server list are empty, the Detector does not export the zone configuration.
To enable automatic synchronization and export of zone configuration, use the following command in zone configuration mode:
learning-params sync {accept | remote-activate}
Table 5-5 provides the keywords for the learning-params sync command.
Table 5-5 Keywords for the learning-params sync Command
Parameter | Description
accept | Synchronizes and exports the zone configuration each time the results of the threshold-tuning phase of the learning process are accepted.
remote-activate | Synchronizes the zone configuration before activating a remote Guard. The Detector synchronizes the zone configuration only if the configuration on the remote Guard is not up to date. The Detector does not export the zone configuration to a network server.
The following example shows how to automatically synchronize and export the zone configuration each time the results of the threshold-tuning phase of the learning process are accepted:
user@DETECTOR-conf-zone-scannet# learning-params sync accept
To disable automatic synchronization and export, use the no learning-params sync command.
Synchronizing a Zone Configuration Automatically
You can configure the Detector to synchronize the zone configuration with remote Guards automatically. The Detector copies the zone configuration to the Guard. If a zone with the same name exists on the Guard, the new configuration replaces the existing one.
The Detector synchronizes the zone configuration with all remote Guards in the zone remote Guard list. If the zone remote Guard list is empty, the Detector synchronizes the zone configuration with the remote Guards that are defined in the Detector default remote Guard list. If synchronization with one of the remote Guards fails, the Detector continues to the next remote Guard in the list.
If both the zone remote Guard list and the Detector default remote Guard list are empty, the Detector does not synchronize the zone configuration.
Use the learning-params sync command to define when the Detector synchronizes the zone configuration. See the "Configuring the Automatic Zone Synchronization and Export Parameters" section for more information.
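The following model is an added example (not Cisco code) of the list-selection and failure rules described in this section and in the learning-params sync keywords above: the zone remote Guard list is used, the Detector default list is the fallback when it is empty, a failing Guard does not stop the remaining ones, nothing happens when both lists are empty, accept also exports to the (zone or default) remote server list, and remote-activate synchronizes only a Guard whose copy is out of date and never exports. The push, export and is_up_to_date callables stand in for the SSL channel and are assumptions of this example; the FakeTransport and the addresses in it are constructed.

```python
"""Model of the Detector's automatic synchronization and export rules
(added example; not Cisco code). The transport callables are assumptions
standing in for the SSL channel to the Guards and the export servers.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ZoneSync:
    name: str
    mode: Optional[str]                  # "accept", "remote-activate" or None
    remote_guards: list = field(default_factory=list)
    remote_servers: list = field(default_factory=list)


@dataclass
class DetectorDefaults:
    remote_guards: list = field(default_factory=list)
    remote_servers: list = field(default_factory=list)


def effective_list(zone_list, default_list):
    """The zone list wins; an empty zone list falls back to the Detector
    default list. An empty zone list therefore does not mean 'sync to
    nobody' unless the default list is empty as well."""
    return list(zone_list) if zone_list else list(default_list)


def sync_to_guards(zone, defaults, push):
    """Copy the zone to every Guard in the effective list, continuing past
    failures. Returns {guard: True/False}; empty when nothing was done."""
    results = {}
    for guard in effective_list(zone.remote_guards, defaults.remote_guards):
        results[guard] = push(guard, zone.name)   # failure does not stop the loop
    return results


def on_threshold_tuning_accepted(zone, defaults, push, export):
    """Fires when threshold-tuning results are accepted. Only the `accept`
    mode acts here: it syncs the Guards and exports to the servers."""
    if zone.mode != "accept":
        return {}, {}
    guards = sync_to_guards(zone, defaults, push)
    servers = {s: export(s, zone.name)
               for s in effective_list(zone.remote_servers,
                                       defaults.remote_servers)}
    return guards, servers


def on_remote_activate(zone, guard, is_up_to_date, push):
    """Fires just before the Detector activates the given remote Guard."""
    if zone.mode != "remote-activate":
        return "not-configured"
    if is_up_to_date(guard, zone.name):
        return "skipped"          # Guard copy already current: no sync
    return "synced" if push(guard, zone.name) else "failed"


class FakeTransport:
    """Records calls and fails for one Guard to show continue-on-failure."""
    def __init__(self, failing_guard):
        self.failing_guard = failing_guard
        self.pushes, self.exports = [], []

    def push(self, guard, zone_name):
        self.pushes.append((guard, zone_name))
        return guard != self.failing_guard

    def export(self, server, zone_name):
        self.exports.append((server, zone_name))
        return True


if __name__ == "__main__":
    defaults = DetectorDefaults(remote_guards=["192.168.55.10"],
                                remote_servers=["10.0.0.7"])
    zone = ZoneSync("scannet", "accept",
                    remote_guards=["192.168.100.5", "192.168.100.6"])
    t = FakeTransport(failing_guard="192.168.100.5")
    print(on_threshold_tuning_accepted(zone, defaults, t.push, t.export))
    # a zone with an empty list silently inherits the Detector default list
    print(on_threshold_tuning_accepted(ZoneSync("mailserver", "accept"),
                                       defaults, t.push, t.export))
```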
Synchronizing a Zone Configuration to the Detector
You can copy the zone configuration from a Guard to the Detector and in that way synchronize the zone configuration on the Guard with that of the Detector. Synchronizing the zone configuration from the Guard to the Detector may be required if you have manually modified the zone policies on the Guard to adjust the zone policies to attack characteristics and would like to update the Detector with the changes. You can set certain policy thresholds as fixed or set a fixed multiplier for policy thresholds to ensure the following:
• The Detector has the correct policy thresholds and can detect future DDoS attacks correctly.
• The correct zone configuration on the Guard is maintained if you synchronize the zone configuration from the Detector in the future, which may be required if the Detector continues to learn the zone traffic characteristics.
See the "Setting the Threshold as Fixed" section and the "Configuring a Threshold Multiplier" section for more information.
The Detector copies the configuration of the zone from the Guard. The new configuration overrides the existing one.
To synchronize the zone configuration and policies from the Guard to the Detector, perform the following steps:
Step 1
If the zone is currently active, deactivate the zone by using the deactivate command in zone configuration mode.
Step 2
Synchronize the zone configuration from the Detector to the Guard. Enter one of the following commands:
• sync zone zone-name remote-guard-address local (in global mode)
• sync remote-guard-address local (in zone configuration mode)
Table 5-6 provides the arguments for the sync command.
Table 5-6 Arguments and Keywords for the sync Command
Parameter | Description
zone | Synchronizes the configuration of the specified zone.
zone-name | Name of an existing zone.
remote-guard-address | Synchronizes the zone configuration with the specified remote Guard. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).
local | Synchronizes the zone configuration from the Detector to the Guard.
Step 3
If the zone was active before you initiated the synchronization process, reactivate the zone by using the detect command or the learning command in zone configuration mode.
For more information, see "Detecting Zone Traffic Anomalies," and the "Synchronizing a Detector with Cisco Guard Zone Configuration" section.
The following example shows how to deactivate the zone scannet and synchronize the zone configuration from a Guard with an IP address of 192.168.55.10 to the Detector. It then shows how to reactivate the zone.
user@DETECTOR-conf-zone-scannet# deactivate
user@DETECTOR-conf-zone-scannet# sync 192.168.55.10 local
user@DETECTOR-conf-zone-scannet# detect learning
Synchronizing a Zone Configuration from the Detector
You can synchronize the zone configuration and policies with the zone on the Guard to ensure that the zone configuration and policies on the Guard are updated when the Guard activates zone protection. This process allows you to configure the zone once on the Detector, continuously learn the zone traffic characteristics, and maintain the same zone configuration and policies on the Guard without constantly diverting the zone traffic to the Guard.
The Detector copies the configuration of the zone to the Guard. If a zone with the same name exists on the Guard, the new configuration replaces the existing one.
Note
Before you initiate the synchronization process you must deactivate the zone on the Guard.
To synchronize the zone configuration and policies from the Detector, use one of the following commands:
• sync zone zone-name local {remote-guards | remote-guard-address-to} (in global mode)
• sync local {remote-guards | remote-guard-address-to} (in zone configuration mode)
Table 5-7 provides the arguments and keywords for the sync command.
Table 5-7 Arguments and Keywords for the sync Command
Parameter | Description
zone | Synchronizes the configuration of the specified zone.
zone-name | Name of an existing zone.
local | Synchronizes the zone configuration and policies from the Detector to the Guard.
remote-guards | Synchronizes the zone configuration with all remote Guards in the zone remote Guard list. If the zone remote Guard list is empty, synchronizes the zone configuration with the remote Guards that are defined in the Detector default remote Guard list.
remote-guard-address-to | IP address of the remote Guard. The Detector synchronizes the zone configuration with the specified remote Guard. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).
The following example shows how to synchronize the zone configuration to all remote Guards in the zone remote Guard list:
user@DETECTOR# sync zone scannet local remote-guards
The following example shows how to synchronize the zone configuration to a remote Guard with an IP address of 192.168.100.5:
user@DETECTOR-conf-zone-scannet# sync local 192.168.100.5
Synchronizing a Zone Configuration Offline
You can synchronize a zone configuration on the Detector with the zone configuration on the Guard even if you cannot establish a secure communication channel between the Detector and a Guard. You may need to synchronize a zone configuration offline if one of the following conditions applies:
• The Guard does not have access to the Detector.
• The Detector does not have access to the Guard.
• The Detector communicates with the Guard across a Network Address Translation (NAT) device.
To synchronize a zone configuration on the Detector with a zone configuration on the Guard offline, you must first export the zone configuration from the Detector to a network server using FTP, Secure FTP (SFTP), or Secure Copy (SCP), and then manually import the zone configuration to the Guard. Because there is no secure communication channel between the Guard and the Detector, you must manually activate the Guard to protect the zone when the Detector detects anomalies in the zone traffic.
To enable the Detector to synchronize the zone configuration, you must perform the following tasks:
• Create the zone on the Detector using one of the Guard zone templates (see the "Creating a New Zone from a Zone Template" section).
• To export the configuration automatically to a network server using SFTP or SCP, configure the SSH key that the Detector uses for SFTP and SCP communication (see the "Configuring the Keys for SFTP and SCP Connections" section).
To synchronize the zone configuration on the Detector with the zone configuration on the Guard offline, perform the following steps:
Step 1 Export the zone configuration from the source device (Guard or Detector) in one of the following ways:
• Automatically—Configure the Detector to export the zone configuration whenever a specific condition occurs. See the "Exporting a Zone Configuration Automatically" section for more information.
• Once—Export the zone configuration by entering one of the following commands in global mode:
– copy zone zone-name guard-running-config ftp server remote-path [login [password]]
– copy zone zone-name guard-running-config {sftp | scp} server remote-path login
See the "Exporting the Zone Configuration Manually" section for more information.
Step 2 Import the zone configuration from a network server to the target device by entering one of the following commands in global mode:
Note Deactivate the zone before importing the zone configuration.
• copy ftp running-config server full-file-name [login [password]]
• copy {sftp | scp} running-config server full-file-name login
• copy file-server-name running-config source-file-name
See the "Importing and Updating the Configuration" section for more information.
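The two steps above as one worked session, added here as an example; it is not taken from the Cisco guide. The zone name scannet, the server 10.0.0.191, the remote path, the login syncuser, the Guard prompts and the mode-navigation commands (configure, exit) are assumptions; the copy, deactivate and zone commands are the ones this chapter documents. Lines that begin with ! are annotations, not CLI input.

```console
! Added example, not from the Cisco guide. Zone "scannet", server
! 10.0.0.191, remote path, login "syncuser" and the GUARD prompts are
! constructed; "configure" and "exit" are assumed mode commands.

! Step 1 (Detector): export the Guard portion of the zone configuration
! to the network server over SCP (the "once" form of the copy command).
user@DETECTOR# copy zone scannet guard-running-config scp 10.0.0.191 /home/syncuser/scannet.cfg syncuser
! If no SSH key is configured for SCP, the Detector prompts for the
! password of "syncuser" at this point.

! Step 2 (Guard): deactivate the zone first (see the Note above), then
! import the exported file into the running configuration.
user@GUARD# configure
user@GUARD-conf# zone scannet
user@GUARD-conf-zone-scannet# deactivate
user@GUARD-conf-zone-scannet# exit
user@GUARD-conf# copy scp running-config 10.0.0.191 /home/syncuser/scannet.cfg syncuser

! The zone on the Guard remains deactivated. With no channel between the
! devices, you activate zone protection on the Guard manually when the
! Detector reports anomalies in the zone traffic.
```

The SCP form is used on both devices because the exported file carries the zone's policies and thresholds and crosses the network between the two devices: the FTP form of copy sends the login and password in the clear, whereas SFTP and SCP run over SSH. Once the key that the Detector uses for SSH is configured, the export no longer prompts for a password, which is what makes the automatic export in the next section possible.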
Exporting a Zone Configuration Automatically
You can configure the Detector to export the zone configuration automatically to a network server. The Detector exports the zone configuration each time the results of the threshold-tuning phase of the learning process are accepted (see the "Configuring Periodic Actions" section for more information on when the results of the threshold-tuning phase of the learning process are accepted).
To export the zone configuration automatically, you must configure the network server, which can be an FTP, Secure FTP (SFTP), or Secure Copy (SCP) network server. You can configure the network server in the following lists:
• Zone remote server list—A list of network servers to which the Detector exports the zone configuration.
• Detector default remote server list—The default list of network servers. The Detector exports the zone configuration to the servers on this list if the zone remote server list is empty.
To configure the Detector to automatically export the zone configuration to a network server, perform the following steps:
Step 1 Define the network server by entering the file-server command.
If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector uses for SFTP and SCP communication.
See the "Exporting Files Automatically" section for more information.
Note To enable the Detector to export the zone configuration to a specific network server automatically, you must configure the server in either the Detector default remote server list or the zone remote server list.
Step 2 (Optional) Add a network server to the zone remote server list by entering the following command in zone configuration mode:
export sync-config file-server-name
The file-server-name argument specifies the name of a network server. You must configure the network server using the file-server command.
To remove a network server from the zone remote server list, use the no form of the command.
Step 3 (Optional) Add a network server to the Detector default remote server list by entering the following command in zone configuration mode:
export sync-config file-server-name
The file-server-name argument specifies the name of a network server. You must configure the network server using the file-server command.
To remove a network server from the default remote server list, use the no form of the command.
Step 4 Configure the Detector to automatically export the zone configuration to a network server each time the results of the threshold-tuning phase of the learning process are accepted by entering the learning-params sync accept command.
See the "Configuring the Automatic Zone Synchronization and Export Parameters" section for more information.
The following example shows how to add a network server to the zone remote server list:
user@DETECTOR-conf-zone-scannet# export sync-config Corp-FTP-Server
To display the default list of network servers to which the Detector exports zone configuration, use the show sync-config file-servers command in configuration mode.
To display the zone remote server list, use the show sync-config file-servers command in zone configuration mode.
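The procedure above as a single session on the Detector, added here as an example and not taken from the Cisco guide. The server name Corp-SCP-Server, its address 10.0.0.191, the remote directory, the login syncuser and the zone scannet are constructed. The argument order shown for the file-server command and the placement of learning-params sync accept in zone configuration mode are assumptions; the "Exporting Files Automatically" and "Configuring the Automatic Zone Synchronization and Export Parameters" sections give the authoritative syntax. Lines that begin with ! are annotations, not CLI input.

```console
! Added example, not from the Cisco guide. Names and addresses are
! constructed; the file-server argument order (name, protocol, server
! address, remote directory, login) is an assumption.
user@DETECTOR# configure

! Step 1: define an SCP network server. SCP runs over SSH, so the SSH key
! the Detector uses for this server must be configured as well, or the
! unattended export cannot authenticate
! (see "Configuring the Keys for SFTP and SCP Connections").
user@DETECTOR-conf# file-server Corp-SCP-Server scp 10.0.0.191 /home/syncuser syncuser

! Step 2: put the server on the zone remote server list. Because this
! list is now non-empty, the default remote server list (Step 3) is not
! consulted for this zone.
user@DETECTOR-conf# zone scannet
user@DETECTOR-conf-zone-scannet# export sync-config Corp-SCP-Server

! Step 4: export the zone configuration each time the threshold-tuning
! results are accepted (zone configuration mode assumed).
user@DETECTOR-conf-zone-scannet# learning-params sync accept

! Confirm which servers this zone exports to.
user@DETECTOR-conf-zone-scannet# show sync-config file-servers
```

A server defined with a cleartext FTP login can be placed on either list just as easily; choosing SCP or SFTP with a configured key keeps the exported policies and the server credentials off the wire in the clear, which matters because the export now runs unattended every time thresholds are accepted.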
Exporting the Zone Configuration Manually
You can export the zone configuration to a network server. The Detector exports the portion of the zone configuration that is required to configure the zone on a Guard.
To export the zone configuration to a network server, use one of the following commands in global mode:
• copy zone zone-name guard-running-config ftp server full-file-name [login [password]] (Export the zone configuration to an FTP server.)
• copy zone zone-name guard-running-config {sftp | scp} server full-file-name login (Export the zone configuration to a network server using SFTP or SCP.)
• copy zone zone-name guard-running-config file-server-name dest-file-name (Export the zone configuration to a network server that you defined with the file-server command.)
• copy zone zone-name guard-running-config * (Export the zone configuration to the network servers that are defined in the zone remote server list and the default remote server list.)
Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Detector uses before you enter the copy command with the sftp or scp option, the Detector prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Detector uses for secure communication.
Table 5-8 provides the arguments for the copy guard-running-config command.
Table 5-8 Arguments and Keywords for the copy guard-running-config Command
Parameter | Description
zone zone-name | Name of an existing zone. The Detector exports the portion of the specified zone configuration that applies to the Guard.
guard-running-config | Exports the portion of the zone configuration that is required to configure the zone on a Guard.
ftp | Exports the zone configuration to a network server using FTP.
sftp | Exports the zone configuration to a network server using SFTP.
scp | Exports the zone configuration to a network server using SCP.
server | IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
full-file-name | Complete name of the file. If you do not specify a path, the server saves the file in your home directory.
login | Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
password | (Optional) Password for the remote FTP server. If you do not enter the password, the Detector prompts you for it.
file-server-name | Name of the network server to which the Detector exports the configuration file. You must configure the network server using the file-server command. If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector uses for SFTP and SCP communication. See the "Configuring File Servers" section for more information.
dest-file-name | Name of the configuration file on the remote server. The Detector saves the configuration file on the network server using this filename, in the directory that you defined for the network server when you entered the file-server command.
* | Exports only the portion of the zone configuration that is required to configure the zone on the Guard, to all the network servers that are defined in the zone remote server list and the default remote server list. See the "Exporting a Zone Configuration Automatically" section for more information.
The following example shows how to export the zone configuration to an FTP server:
user@DETECTOR-conf# copy zone scannet guard-running-config ftp 10.0.0.191 /root/ConfigFiles/scannet.txt <user> <password>
Example Scenario
This example scenario shows how to synchronize a zone configuration on the Detector with the zone configuration on the Guard so that the Guard can protect the zone while the Detector continues to learn the zone traffic characteristics:
1. Create and configure a new zone on the Detector using one of the Guard zone templates.
The Detector displays (Guard/Detector) next to the zone ID field in the output of the show command in zone configuration mode.
For more information, see the "Creating a New Zone from a Zone Template" section.
2. Add the Guard to the zone SSL remote Guard list or the default SSL remote Guard list on the Detector.
For more information, see the "Configuring the Default Remote Guard List" section and the "Configuring the Zone Remote Guard Lists" section.
3. Set the Detector to construct the zone policies by entering the learning policy-construction command.
4. Set the Detector to learn the zone traffic and tune the policy thresholds while detecting traffic anomalies by entering the detect learning command.
For more information, see "Detecting Zone Traffic Anomalies."
5. Configure the Detector to accept the policy thresholds every 24 hours, so that the zone policies track changing traffic patterns, by using the learning-params periodic-action auto-accept command.
For more information, see the "Configuring Periodic Actions" section.
6. Configure the Detector to synchronize the zone configuration with the Guard each time that it accepts newly learned policy thresholds, so that the zone policies on the Guard are updated whenever the Detector learns new zone policy thresholds.
Use the learning-params sync command to configure the Detector to synchronize the zone configuration with the Guard. For more information, see the "Configuring the Automatic Zone Synchronization and Export Parameters" section.
7. Configure the Detector to synchronize the zone configuration with the configuration on the Guard before activating the Guard to protect the zone, so that the zone configuration and policies on the Guard are current when the Guard activates zone protection.
Use the learning-params sync command. For more information, see the "Configuring the Automatic Zone Synchronization and Export Parameters" section.
8. When the Detector detects an attack on the zone, it performs the following actions:
• Verifies that the zone configuration on the Guard is up to date. If the zone configuration on the Guard differs from the zone configuration on the Detector, the Detector synchronizes the zone configuration with the Guard.
• Activates the Guard to protect the zone (the Guard activates zone protection).
• Stops the learning process for the zone, but continues to detect anomalies in the zone traffic, so that the Detector does not learn thresholds from malicious traffic.
You can modify the zone policies on the Guard while the attack is in progress.
The Detector polls the Guard constantly. When the Detector identifies that the Guard has deactivated zone protection (the Guard deactivates zone protection when the attack ends) and no additional traffic anomalies exist, the Detector reactivates zone anomaly detection and the learning process.
9. If you manually modify the zone policies on the Guard to adjust them to the attack characteristics, you can synchronize the new policies with the Detector. This action is important if the zone traffic requires that you set certain policy thresholds as fixed or set a fixed multiplier for policy thresholds. Synchronizing the zone configuration with the Detector ensures that the Detector has the correct policy thresholds, calculates the thresholds correctly in future threshold-tuning phases, and updates the Guard policies with the correct thresholds.
For more information, see the "Setting the Threshold as Fixed" section and the "Configuring a Threshold Multiplier" section.
To synchronize the zone configuration and policies from the Guard, perform the following actions:
• Deactivate the zone by entering the deactivate command.
• Synchronize the zone configuration from the Guard to the Detector by entering the sync command.
• Reactivate zone detection by entering the detect command.
For more information, see the "Synchronizing a Zone Configuration to the Detector" section and "Detecting Zone Traffic Anomalies."