Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 6.1 and 6.1-XG)
Learning Zone Traffic

Table Of Contents

Learning Zone Traffic

Understanding the Learning Process

Understanding the Phases of the Learning Process

Understanding the Detect and Learn Feature

Managing the Results of the Learning Process

Performing the Learning Process

Starting the Policy Construction Phase

Accepting the Current Results of the Policy Construction Phase

Stopping the Policy Construction Phase

Starting the Threshold Tuning Phase

Accepting the Current Results of the Threshold Tuning Phase

Stopping the Threshold Tuning Phase

Performing the Learning Process Using Detect and Learn

Configuring the Automatic Learning Parameters

Activating Detect and Learn

Deactivating Detect and Learn

Marking the Zone Policies as Tuned or Untuned

Managing Learning Process Snapshots

Taking a Snapshot of the Learning Process Results

Taking a Snapshot of the Current Zone Policies

Displaying Snapshots

Modifying the Configuration of Snapshot Policies

Deleting Snapshots

Comparing Policy Configurations of Two Zones or Snapshots

Viewing Policy Configuration Differences

Deleting Services from the Base Zone

Adding Services to the Base Zone

Copying Policy Parameters to the Base Zone


Learning Zone Traffic


This chapter describes how to use the Cisco Traffic Anomaly Detector Module (Detector module) learning process to analyze zone traffic characteristics to create and tune the policies that the Detector module uses for zone anomaly detection.

This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.

This chapter contains the following sections:

Understanding the Learning Process

Performing the Learning Process

Performing the Learning Process Using Detect and Learn

Marking the Zone Policies as Tuned or Untuned

Managing Learning Process Snapshots

Comparing Policy Configurations of Two Zones or Snapshots

Understanding the Learning Process

The learning process creates a baseline of normal zone traffic patterns. The baseline reference points are the zone policies, which enable the Detector module to determine when an anomaly exists in the zone traffic.

Use the learning process to optimize zone anomaly detection as follows:

Create policies based on the services of the zone traffic.

Tune the policy thresholds of a new zone that is configured with the default policies and policy thresholds of the zone template.

Update an existing zone configuration when the zone traffic patterns change.

You activate the learning process during peak traffic times and when you are certain that there is no attack on the zone. During the learning process, the Detector module constructs the zone policies based on the traffic services and tunes the policy thresholds based on the traffic rates. While the Detector module learns the zone traffic, you can monitor the learning process and decide whether to accept or reject the current results of the learning process.

This section contains the following topics:

Understanding the Phases of the Learning Process

Understanding the Detect and Learn Feature

Managing the Results of the Learning Process

Understanding the Phases of the Learning Process

The learning process consists of the following two phases:

Policy construction phase—The Detector module analyzes the zone traffic to determine the services that the zone uses and then creates the zone policies using the policy templates for each service. The policy templates determine the default threshold value and policy action assigned to each new policy. The new policies override the existing ones.

The policy templates define the types of zone policies that the Detector module creates. The policy templates also define the maximum number of services that the Detector module monitors closely and the minimum threshold that triggers the Detector module to create new policies. To change the rules for constructing zone policies, you must modify the policy template parameters before you initiate the policy construction phase. For information about modifying a policy template, see Chapter 6, "Configuring Policy Templates."


Note You cannot perform the policy construction phase on zones that you create with the Guard_Link or Detector_Link zone template.


Threshold tuning phase—The Detector module tunes the traffic rate thresholds of the zone policies to values that allow normal traffic to be analyzed by the Detector module without activating a policy action. When looking for anomalies in the zone traffic, the Detector module applies the zone policies to the traffic flow and if the traffic exceeds a policy threshold, the Detector module creates a dynamic filter with the policy action.


Note If the zone configuration contains the worm_tcp policy template, the Detector module uses the threshold tuning phase for both policy construction and threshold tuning.


To allow the learning process to take place, you must configure the switch to capture the traffic that is sent to the zone and pass a copy of it to the Detector module.

Understanding the Detect and Learn Feature

After the Detector module performs the policy construction phase of the learning process, you can activate the Detect and Learn feature that allows the Detector module to look for traffic anomalies (Detect) while performing the threshold tuning phase (Learn) simultaneously. With Detect and Learn activated, the Detector module can constantly update the policy thresholds based on normal zone traffic characteristics. When the Detector module detects an attack on the zone, it stops the learning process to prevent it from learning malicious traffic thresholds.

Managing the Results of the Learning Process

You can accept or reject the results of a policy construction or a threshold tuning phase when you stop the learning phase. You can also accept the current results and continue the learning phase. During either phase of the learning process, the Detector module does not modify the policies of the zone configuration until after you accept the results of the learning phase, at which time the Detector module updates the zone configuration and begins operating with the new policies or policy thresholds.

You can also save the current results of either learning phase at any time of the learning process by using the snapshot feature. A snapshot of the learning process allows you to save and view the policy information that the Detector module has created up to the point of the snapshot without affecting the current zone configuration. You can take as many snapshots as you like and you can update the zone configuration with the policy information saved in a snapshot at any time. For more information about using snapshots, see the "Managing Learning Process Snapshots" section.

Performing the Learning Process

This section describes how to start and stop the two phases of the learning process: policy construction and threshold tuning. To ensure that the results of the learning process are accurate and reflect normal zone traffic, activate the learning process only when the following zone traffic conditions exist:

Zone traffic is normal (not experiencing an attack)—Ensures that the Detector module does not construct and tune the zone policies based on the traffic characteristics of a Distributed Denial of Service (DDoS) attack. If you initiate the learning process when the zone is under attack, the Detector module learns the traffic patterns of the attack and saves the learning results as the baseline for future reference. In this situation, the Detector module may not be able to detect future attacks because it may view the attacks as normal traffic conditions.

Zone traffic is at its peak volume—Allows the Detector module to configure the policy thresholds to values that are appropriate for normal peak traffic and ensures that the Detector module does not perceive normal peak traffic conditions as an attack.

This section contains the following topics:

Starting the Policy Construction Phase

Accepting the Current Results of the Policy Construction Phase

Stopping the Policy Construction Phase

Starting the Threshold Tuning Phase

Accepting the Current Results of the Threshold Tuning Phase

Stopping the Threshold Tuning Phase

Starting the Policy Construction Phase

You can activate the policy construction phase after creating a new zone or when the zone configuration needs updating with new service policies. To allow the Detector module enough time to receive and analyze an accurate representation of normal zone traffic, we recommend that you let the policy construction phase run for at least 2 hours before terminating this phase.


Note You cannot perform the policy construction phase on a zone that you create with one of the Guard_Link or Detector_Link zone templates.



Note If the zone configuration uses the worm_tcp policy template, the Detector module uses the threshold tuning phase to construct worm policies and tune the threshold of each policy that it creates (see the "Starting the Threshold Tuning Phase" section).


After performing the policy construction phase, activate the threshold tuning phase to tune each policy threshold.

To start the policy construction phase, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Construct Policies.

The zone status icon changes to Learning.

The Detector module begins analyzing the copy of the zone traffic for the services in the traffic flow and creates policies for the services that it detects. The Detector module does not replace the current policies in the zone configuration with the new policies until you accept the results of the policy construction phase (see the "Accepting the Current Results of the Policy Construction Phase" section).

Step 3 (Optional) Choose Learning > Snapshot at any time during the phase to save and review the current results and policy suggestions of the policy construction phase. Saving a snapshot does not change the current zone configuration. For more information about using snapshots, see the "Managing Learning Process Snapshots" section.


Accepting the Current Results of the Policy Construction Phase

To accept the results of the learning process but allow the Detector module to continue learning the zone traffic characteristics, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Accept.

The Detector module deletes all of the current policies of the zone configuration and replaces them with the suggested zone policies. The Detector module does not stop the policy construction phase and continues to learn the zone services.


Stopping the Policy Construction Phase

To stop the policy construction phase, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Stop Learning. The Stop Learning window opens.

Step 3 Choose one of the following options:

Reject—Rejects the suggested zone policies

Accept—Accepts the suggested zone policies

Step 4 Choose one of the following options:

OK—The results of this selection vary depending on your choice to reject or accept the results of the policy construction phase:

If you chose Reject, the Detector module deletes all of the suggested zone policies. No changes are made to the zone configuration.

If you chose Accept, the Detector module replaces the current policies in the zone configuration with the suggested zone policies and then terminates the policy construction phase.

Clear—The Stop Learning window reverts to its default setting of Accept.

Cancel—The Stop Learning window closes and the policy construction phase continues.


Activate the threshold tuning phase after you accept the results of the policy construction phase. The threshold tuning phase ensures that the threshold values of the accepted policies are configured specifically for the zone traffic rates. Until you run the threshold tuning phase, the policies are configured with factory-default threshold values. For more information, see the "Starting the Threshold Tuning Phase" section.

Starting the Threshold Tuning Phase

You can activate the threshold tuning phase after performing the policy construction phase or any time that the zone policy thresholds need updating.


Note To allow the Detector module enough time to receive and analyze an accurate representation of the normal zone traffic, we recommend that you allow the threshold tuning phase to run for at least 24 hours before terminating this phase.


To start the threshold tuning phase, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Tune Threshold.

The zone status icon next to the zone name in the navigation pane changes to Learning.

The Detector module begins analyzing the zone traffic and adjusts the threshold values of the zone policies to the characteristics of the traffic flow. The Detector module does not save the changes to the zone configuration until you accept the results of the threshold tuning phase (see the "Accepting the Current Results of the Threshold Tuning Phase" section).

Step 3 (Optional) From the zone main menu, choose Learning > Snapshot at any time during the phase to save and review the current results and threshold suggestions of the threshold tuning phase. Saving a snapshot does not change the current zone configuration.

For details about using snapshots, see the "Managing Learning Process Snapshots" section.


Accepting the Current Results of the Threshold Tuning Phase

To accept the current results of the threshold tuning phase and allow the Detector module to continue the threshold tuning phase, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Accept. The Accept Thresholds window opens.

Step 3 Define the threshold selection method to use. Table 7-1 describes the parameters listed in the Accept Thresholds window.

Table 7-1 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Method for selecting the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Keep current thresholds—Rejects all of the suggested threshold values of the learning process and the policies retain their current thresholds.

Weight

Defines the weight that the Detector module uses to calculate new thresholds. This option is active only when you choose the Accept weighted thresholds method. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


Step 4 Choose one of the following options:

OK— The Detector module updates the policies of the zone configuration with the current results of the threshold tuning phase and the threshold tuning phase continues.

Clear—The Accept Thresholds window reverts to its default settings.

Cancel—The Accept Thresholds window closes and the threshold tuning phase continues without any change to the zone configuration.


Stopping the Threshold Tuning Phase

To accept or reject the current results of the threshold tuning phase and stop the threshold tuning phase, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Stop Learning. The Stop Learning window opens.

Step 3 Choose one of the following options from the Stop Learning window:

Reject—Ignores the current results of the threshold tuning phase.

Accept—Uses the current results of the threshold tuning phase in the zone configuration. Define the threshold selection method to use.

Table 7-2 describes the threshold selection method parameters.

Table 7-2 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Method for selecting the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Keep current thresholds—Rejects all of the suggested threshold values of the learning process and the policies retain their current thresholds.

Weight

Defines the weight that the Detector module uses to calculate new thresholds. This option is active only when you choose the Accept weighted thresholds method. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


Step 4 Choose one of the following options:

OK—The Detector module updates the policies of the zone configuration with the current results of the threshold tuning phase and stops the threshold tuning phase.

Clear—The Stop Learning window reverts to its default settings.

Cancel—The Stop Learning window closes and the threshold tuning phase continues.

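The four threshold selection methods in Tables 7-1 through 7-4 (and in the Create Snapshot screen) differ in one way that matters for detection quality: only Accept new thresholds and Accept weighted thresholds can ever lower a threshold, while the default Accept max. thresholds can only raise one. The following Python model is an added example written for this chapter; it is not Detector module code. The policy names, the packet rates and the rule that a fractional weighted result is rounded down are all assumptions made for the illustration.

```python
# Added example (not from the Cisco guide): the threshold selection methods from
# the Accept Thresholds, Stop Learning and Learning Parameters windows, applied
# to a small set of policy thresholds.
from typing import Dict, List, Mapping, Optional

Thresholds = Dict[str, int]

# Constructed sample data. Policy names and rates are invented for illustration;
# they are not real zone policies or real traffic measurements.
CURRENT: Thresholds = {
    "tcp_services/80/syns": 400,     # zone template default
    "tcp_services/443/syns": 250,    # zone template default
    "udp_services/53/packets": 900,
}
LEARNED: Thresholds = {
    "tcp_services/80/syns": 650,     # peak traffic ran above the default
    "tcp_services/443/syns": 180,    # peak traffic ran below the default
    "udp_services/53/packets": 900,  # unchanged
}


def weighted(learned: int, current: int, weight: int) -> int:
    """new-threshold = (learned * Weight + current * (100 - Weight)) / 100.

    Weight is a percentage. The guide does not say how a fractional result is
    handled; rounding down is an assumption made in this example.
    """
    if not 0 <= weight <= 100:
        raise ValueError("Weight must be between 0 and 100")
    return (learned * weight + current * (100 - weight)) // 100


def select_thresholds(current: Mapping[str, int], learned: Mapping[str, int],
                      method: str, weight: Optional[int] = None) -> Thresholds:
    """Return the thresholds that the chosen method would write to the zone.

    method is one of "new", "max", "weighted" or "keep", standing for Accept new
    thresholds, Accept max. thresholds, Accept weighted thresholds and Keep
    current thresholds. A policy with no learned value keeps its current threshold.
    """
    if method == "weighted" and weight is None:
        raise ValueError("the weighted method needs a Weight value")
    result: Thresholds = {}
    for name, cur in current.items():
        if name not in learned:
            result[name] = cur
            continue
        new = learned[name]
        if method == "new":
            result[name] = new
        elif method == "max":
            result[name] = max(cur, new)
        elif method == "weighted":
            result[name] = weighted(new, cur, weight)
        elif method == "keep":
            result[name] = cur
        else:
            raise ValueError(f"unknown threshold selection method: {method}")
    return result


def lowered_policies(current: Mapping[str, int], chosen: Mapping[str, int]) -> List[str]:
    """Policies whose threshold the chosen method would lower.

    Accept max. thresholds never lowers a threshold, so a template default that
    is too high for the zone stays too high and the policy stays blind there.
    """
    return sorted(n for n, v in chosen.items() if v < current[n])


if __name__ == "__main__":
    for method, w in (("new", None), ("max", None), ("weighted", 70), ("keep", None)):
        chosen = select_thresholds(CURRENT, LEARNED, method, w)
        print(f"{method:>8}: {chosen}  lowered={lowered_policies(CURRENT, chosen)}")
```

Run it and compare the tcp_services/443/syns row across methods: Accept new drops it to 180, the default Accept max. leaves it at 250, and a weight of 70 lands at 201. When a zone was created from a template whose defaults are generous, accepting with the default method keeps every over-sized threshold, which is why the first accept on an untuned zone uses Accept new thresholds (see the "Marking the Zone Policies as Tuned or Untuned" section).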

Performing the Learning Process Using Detect and Learn

This section describes how to manage the Detect and Learn operation in which the Detector module looks for anomalies in the zone traffic while learning the zone traffic and making policy threshold adjustments. The Detector module stops the learning process when it detects an attack on the zone.

Before you activate Detect and Learn, you can configure when and how the Detector module accepts the results of the learning process.

This section contains the following topics:

Configuring the Automatic Learning Parameters

Activating Detect and Learn

Deactivating Detect and Learn

Configuring the Automatic Learning Parameters

You can configure the automatic learning parameters to control when and how the Detector module automatically accepts the current results of the learning process (threshold tuning phase) when you activate Detect and Learn.

To configure the automatic learning parameters, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > Learning Parameters. The Learning Parameters screen appears.

Step 3 Click Config. The Config Learning Parameters screen appears.

Step 4 Define the automatic learning parameters.

Table 7-3 describes the learning parameters.

Table 7-3 Learning Parameters 

Parameter
Description

Zone is tuned

Marks the zone policies as follows:

Tuned—Choose this option to mark the policies tuned, allowing the Detector module to immediately use the policies to detect anomalies in the zone traffic.

Untuned—Deselect this option to mark the policies untuned, requiring you to accept the results of the threshold tuning phase before the Detector module can detect anomalies in the zone traffic. See the "Marking the Zone Policies as Tuned or Untuned" section for more information.

Set periodic learning

Enables the automatic learning process. Configure the following learning parameters when you choose this option:

Learning cycle—Defines how often the Detector module saves the results of the learning process. Define the time period between saves in terms of weeks, days, hours, and minutes. Enter an integer from 0 to 1000 for each of the time fields.

Learning results—Defines how the Detector module saves the results of the learning process. Choose one of the following methods:

Automatic accept—Accepts the results of the learning process (policy thresholds) that the Detector module suggests at the specified interval. The Detector module saves a snapshot of the zone policies after accepting the newly suggested ones.

Snapshot only—Saves a snapshot of the learning process (policy thresholds) at the specified interval. The Detector module does not accept the new policies and does not modify the policy thresholds in the zone configuration.

Threshold selection method

Defines the method that the Detector module uses to select the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Weight

Defines the weight that the Detector module uses to calculate new thresholds. This option is active only when you select the Accept weighted thresholds method. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


Step 5 Choose one of the following options:

OK—The Detector module saves the automatic learning parameters to the zone configuration.

Clear—The Learning Parameters form reverts to its default settings.

Cancel—The Config learning parameters screen closes.


Activating Detect and Learn

Before activating Detect and Learn, you should verify whether the zone policies are marked as tuned or untuned because the Detector module functions differently depending on the tuned state of the zone policies. If the policies are marked as tuned when you activate Detect and Learn, the Detector module detects attacks and learns the zone traffic. If you activate Detect and Learn and the zone policies are marked as untuned, the Detector module functions in the following ways until the first time that the zone policy thresholds are accepted:

The Detector module does not detect attacks in zone traffic.

The Detector module activates a threshold selection method of Accept new thresholds (see the "Configuring the Automatic Learning Parameters" section).

After the first time that the zone policy thresholds are accepted, the Detector module marks the policies as tuned, which enables it to detect attacks while learning the zone traffic.

For more information about marking policies as tuned or untuned, see the "Marking the Zone Policies as Tuned or Untuned" section.

To activate Detect and Learn, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 Click Detect and Learn.

You can also activate the threshold tuning phase of the learning process (from the zone main menu, choose Learning > Tune Thresholds) and zone anomaly detection (click Detect) separately. The order in which you activate the two operations does not matter.

The following actions occur:

The Detector module begins analyzing the traffic flow for traffic anomalies.

The Detector module begins the threshold tuning phase of the learning process.

The zone name is added to the Under Detection list in the navigation pane and the Recent Events table lists an event type of detection-start with a detail listing of Zone is under detection.


Deactivating Detect and Learn

When you deactivate Detect and Learn, the Detector module allows you to deactivate one or both of the operations.

To deactivate Detect and Learn, perform the following steps:


Step 1 From the navigation pane, choose a zone under detection. The zone main menu and the zone status screen appear.

Step 2 Deactivate Detect and Learn using one of the following methods:

From the zone status screen, click Deactivate.

From the zone main menu, choose Detection > Deactivate.

The Deactivate window opens.

Step 3 Check the check box next to the requested action. Choose one or both of the following actions:

Stop Detection—Stops zone anomaly detection.

Stop Learning—Stops the threshold tuning phase of the learning process. Choose one of the following options:

Reject—Ignores the current results of the threshold tuning phase.

Accept—Saves the current results of the threshold tuning phase to the zone configuration. Define the threshold selection method to use.

Table 7-4 describes the threshold selection method parameters.

Table 7-4 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Defines the method that the Detector module uses to select the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Accept current—Rejects the suggested threshold values of the learning process. The policies retain the threshold values that they had before the threshold tuning phase.

Weight

Defines the weight that the Detector module uses to calculate new thresholds. This option is active only when you choose the Accept weighted thresholds method. Enter a weight value for the Detector module to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


If you chose Stop Detection, the zone name is removed from the Under Detection list in the navigation pane, the Recent Events table lists an event type of detection-stop with a detail listing of Zone is not under detection, and the zone status icon changes to Standby.


Marking the Zone Policies as Tuned or Untuned

The tuned state of the zone policies relates to the threshold values of the policies. The Detector module considers zone policies to be either tuned or untuned depending on the following conditions:

Untuned—The zone policy thresholds may not be set to values that are appropriate for the zone traffic. The Detector module marks the zone policies untuned when you perform one of the following actions:

Create a new zone

Accept the policy construction phase results for a zone

Add a service to the zone policies or remove a service from the zone policies

Tuned—The zone policy thresholds are set to values that are appropriate for the zone traffic. The Detector module marks the zone tuned after accepting the results of the threshold tuning phase, at which point the threshold values are tuned specifically to the zone traffic characteristics.

Knowing the tuned state of the zone is important when you activate Detect and Learn for the zone. If the tuned state of the zone is untuned when you activate Detect and Learn, the Detector module is unable to detect attacks on the zone until after the first time that it accepts the results of the threshold tuning phase. The Detector module can accept the results of the threshold tuning phase based on the automatic learning parameters (see the "Configuring the Automatic Learning Parameters" section) or you can manually accept the results. The Detector module uses the Accept new thresholds setting to accept the first results of the threshold tuning phase regardless of the configuration of the threshold selection method. From that point on, the Detector module uses the threshold selection method that you selected.

You can manually change the tuned state of a zone and may consider changing the state to tuned when one of the following conditions applies:

You created the zone by copying an existing zone configuration with similar traffic characteristics.

You have manually configured all of the policy thresholds.

You may consider changing the tuned state of the zone to untuned when one of the following conditions applies:

A major change was made to the zone network.

The zone IP address or subnet was modified.

You have not initiated the Detect and Learn function during peak traffic time and want to prevent the Detector module from considering the traffic during peak time as an attack on the zone.

When you mark the zone untuned, the Detector module does not monitor the traffic for policy threshold violations and therefore, does not detect attacks on the zone.
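The interaction between the tuned state, the automatic learning parameters and Detect and Learn is easy to get wrong, so the following Python model, an added example for the "Activating Detect and Learn", "Configuring the Automatic Learning Parameters" and "Marking the Zone Policies as Tuned or Untuned" sections, replays the rules those sections state. It is not Detector module code; the class, method and event names are this example's own, the learning cycle is simplified to a number of minutes, and treating an all-zero learning cycle as invalid is an assumption.

```python
# Added example (not from the Cisco guide): a small model of how the tuned
# state and the automatic learning parameters gate Detect and Learn.
from dataclasses import dataclass, field
from typing import List, Optional

AUTOMATIC_ACCEPT = "automatic_accept"   # "Learning results: Automatic accept"
SNAPSHOT_ONLY = "snapshot_only"         # "Learning results: Snapshot only"


@dataclass
class DetectAndLearnZone:
    """One zone with its Learning Parameters form settings.

    Field, method and event names are this example's own, not the Detector
    module's.
    """
    tuned: bool                     # "Zone is tuned" check box
    learning_cycle_min: int         # "Learning cycle", expressed in minutes
    learning_results: str = AUTOMATIC_ACCEPT
    selection_method: str = "max"   # configured Threshold selection method
    detecting: bool = False
    learning: bool = False
    snapshots: int = 0
    events: List[str] = field(default_factory=list)
    _elapsed: int = field(default=0, repr=False)

    def __post_init__(self) -> None:
        # Assumption: a learning cycle of all zeros is rejected rather than
        # interpreted as "save continuously".
        if self.learning_cycle_min <= 0:
            raise ValueError("learning cycle must be longer than zero")

    def activate_detect_and_learn(self) -> None:
        """Click Detect and Learn: anomaly detection and threshold tuning start together."""
        self.detecting = True
        self.learning = True
        self._elapsed = 0
        self.events.append("detection-start")

    def can_detect_attacks(self) -> bool:
        """An untuned zone does not monitor for policy threshold violations."""
        return self.detecting and self.tuned

    def accept_thresholds(self, method: Optional[str] = None) -> str:
        """Accept the current threshold tuning results; returns the method used.

        The first accept on an untuned zone always uses Accept new thresholds,
        whatever method is configured, and marks the zone tuned.
        """
        if not self.tuned:
            used = "new"
            self.tuned = True
        else:
            used = method or self.selection_method
        self.events.append("accept:" + used)
        return used

    def observe(self, minutes: int, attack_traffic: bool = False) -> None:
        """Let `minutes` of zone traffic pass, optionally containing an attack."""
        if attack_traffic:
            if self.can_detect_attacks():
                # Learning stops so that attack rates are not learned as normal;
                # detection itself keeps running.
                self.learning = False
                self.events.append("learning-stopped:attack-detected")
            else:
                # Untuned zone: the attack is not detected and its traffic keeps
                # feeding the threshold tuning phase.
                self.events.append("attack-not-detected")
        if not self.learning:
            return
        self._elapsed += minutes
        while self._elapsed >= self.learning_cycle_min:
            self._elapsed -= self.learning_cycle_min
            if self.learning_results == AUTOMATIC_ACCEPT:
                self.accept_thresholds()
            self.snapshots += 1          # both modes save a snapshot each cycle
            self.events.append("snapshot")


if __name__ == "__main__":
    zone = DetectAndLearnZone(tuned=False, learning_cycle_min=60)
    zone.activate_detect_and_learn()
    zone.observe(60, attack_traffic=True)   # untuned: attack missed, then first accept
    zone.observe(60)                         # tuned: configured method applies
    zone.observe(10, attack_traffic=True)   # tuned: learning stops, detection continues
    print("\n".join(zone.events))
```

Two cases the model makes visible: an untuned zone running with Snapshot only never accepts anything automatically, so it stays blind until someone accepts manually; and an untuned zone that receives attack traffic before its first accept keeps learning that traffic, which is the baseline-poisoning case the "Performing the Learning Process" section warns about.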

To mark the zone as tuned or untuned, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > Learning Parameters. The Learning parameters screen appears.

Step 3 Click Config. The Config learning parameters screen appears.

Step 4 From the Learning Parameters form, choose one of the following options:

Check the Zone is tuned check box to mark the zone policies as tuned. The Detector module marks the policies as tuned and can immediately use the policies to detect anomalies in the zone traffic.

Uncheck the Zone is tuned check box to mark the zone policies as untuned. The Detector module marks the policies as untuned, requiring that you accept the results of the threshold tuning phase before the Detector module can use the policies to detect anomalies in the zone traffic.

Step 5 Choose one of the following options:

OK—The Detector module saves the tuned setting to the zone configuration.

Clear—The Detector module discards your changes and the form displays the current configuration.

Cancel—The Config learning parameters screen closes.


For more information about the Learning Parameter form options, see the "Configuring the Automatic Learning Parameters" section.

Managing Learning Process Snapshots

The Detector module snapshot feature allows you to save zone policy information so that you can view and compare policies. Using the snapshot feature, you can perform the following tasks:

View the current results of the learning process.

Save the snapshot policy information to the zone configuration.

Compare the policy results of the snapshot with another snapshot or zone configuration (see the "Comparing Policy Configurations of Two Zones or Snapshots" section).

Back up the current zone policies contained in the zone configuration.

At any stage of the learning process, you can save a snapshot of the current learning parameters (services, thresholds, and other policy-related data). The Detector module continues the learning phase while it records the snapshot information. You can also save a snapshot when the Detector module is not performing the learning process to create a copy of the current zone policies.

This section contains the following topics:

Taking a Snapshot of the Learning Process Results

Taking a Snapshot of the Current Zone Policies

Displaying Snapshots

Modifying the Configuration of Snapshot Policies

Deleting Snapshots

Taking a Snapshot of the Learning Process Results

To take a snapshot of the current learning process results (policy construction or threshold tuning) perform the following steps:


Step 1 From the navigation pane, choose a zone currently in a learning phase. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot. The Create Snapshot screen appears.

Step 3 Enter a name for the snapshot in the Snapshot name field.

Step 4 From the Threshold Selection Method drop-down list, choose the threshold selection method that the Detector module uses to accept the policy thresholds:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Accept current—Rejects the suggested threshold values of the learning process. The policies retain the values that they had before the threshold tuning phase.

Step 5 If you chose the Accept weighted thresholds method, enter the weight value that the Detector module uses to calculate the thresholds in the Weight field.

Step 6 Click OK to save the snapshot. The Detector module saves the zone policies and assigns the next consecutive ID number to the snapshot.
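The four threshold selection methods above differ only in how a learned threshold is combined with the threshold already in the zone configuration. The following Python block is an added illustration, not code from the Detector module or from Cisco; it applies each method to a constructed set of policies. The policy names and numbers are made up, the weight is assumed to be a percentage in the range 0 to 100 (the formula on the page uses 100 - Weight), and rounding the weighted result down to a whole number is an assumption, since the page does not specify rounding.

```python
"""Threshold acceptance methods for a learning snapshot (added example).

Applies the Accept new / max. / weighted / current methods described in
the guide to constructed sample data. Names and numbers are made up for
illustration and are not taken from any Detector module configuration.
"""
from __future__ import annotations

from typing import Dict, Optional

ACCEPT_NEW = "new"
ACCEPT_MAX = "max"
ACCEPT_WEIGHTED = "weighted"
ACCEPT_CURRENT = "current"


def accept_threshold(current: int, learned: int, method: str, weight: int = 0) -> int:
    """Return the threshold value that would be saved to the zone configuration.

    weight is the percentage given to the learned value (assumed 0..100).
    The weighted result is rounded down (assumption; the page gives no rounding rule).
    """
    if method == ACCEPT_NEW:
        return learned
    if method == ACCEPT_MAX:
        # Keep whichever of the two is higher.
        return max(current, learned)
    if method == ACCEPT_WEIGHTED:
        if not 0 <= weight <= 100:
            raise ValueError("weight must be a percentage between 0 and 100")
        # new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100
        return (learned * weight + current * (100 - weight)) // 100
    if method == ACCEPT_CURRENT:
        # Reject the learned value entirely.
        return current
    raise ValueError(f"unknown accept method: {method}")


def build_snapshot(
    current: Dict[str, int],
    learned: Dict[str, Optional[int]],
    method: str,
    weight: int = 0,
) -> Dict[str, int]:
    """Apply one accept method to every policy in the zone configuration.

    A policy for which the learning process produced no value keeps its
    current threshold (assumption: nothing was learned, so nothing changes).
    """
    result: Dict[str, int] = {}
    for name, cur in current.items():
        lrn = learned.get(name)
        result[name] = cur if lrn is None else accept_threshold(cur, lrn, method, weight)
    return result


# Constructed sample data: thresholds before tuning and values the
# learning process suggested. Service names are illustrative only.
CURRENT_THRESHOLDS = {"tcp/80 syn": 1000, "udp/53": 400, "icmp": 200}
LEARNED_THRESHOLDS = {"tcp/80 syn": 1600, "udp/53": 300}

if __name__ == "__main__":
    for method in (ACCEPT_NEW, ACCEPT_MAX, ACCEPT_WEIGHTED, ACCEPT_CURRENT):
        print(method, build_snapshot(CURRENT_THRESHOLDS, LEARNED_THRESHOLDS, method, weight=25))
```

Note that Accept max. thresholds, the default, can only raise a threshold, which is why it is the safe choice during normal operation: a learning phase that observed unusually low traffic cannot silently tighten the zone policies and cause false anomaly detections.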


Taking a Snapshot of the Current Zone Policies

When you take a snapshot of a zone that is not learning zone traffic (the zone is either in standby or zone anomaly detection is enabled), the Detector module creates a snapshot that contains the current policy information of the zone configuration. You can use this type of snapshot to create a backup of the zone policies or for comparison purposes.

To create a snapshot of the zone configuration policies, perform the following steps:


Step 1 From the navigation pane, choose a zone that is not currently in a learning phase. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot. The Create Snapshot screen appears.

Step 3 Enter a name for the snapshot in the Snapshot name field and then click OK. The Detector module saves the zone policies and assigns the next consecutive ID number to the snapshot.


Displaying Snapshots

Display snapshots to get a comprehensive view of the zone learning results.

To display the snapshot results, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot List. The Snapshot List table appears. Table 7-5 describes the fields in the Snapshot List table.

Step 3 Click on any one of the snapshot fields in the table to display a snapshot. The Policies screen appears, displaying the policies that the Detector module recorded at the time of the snapshot.


Table 7-5 Field Descriptions for the Snapshot List Table 

Parameter
Description

ID

Snapshot identification number.

Name

Name of the snapshot. The Detector module displays (automatic) for snapshots that were taken automatically and do not have a name.

Creation Time

Date and time that the snapshot was taken.

Snapshot Type

Method that was used to take the snapshot. The snapshot types are as follows:

Manual—Taken by you.

Periodic—Taken by the Detector module automatically based on how you have the automatic learning parameters configured (see the "Configuring the Automatic Learning Parameters" section).

Automatic—Taken by the Detector module automatically when the learning process was activated. You can use this snapshot as a backup when the zone is under attack.

Operation

Operation mode of the zone when the snapshot was taken. The operation mode can be one of the following:

Threshold Tuning—Threshold tuning phase of the learning process.

Policy Construction—Policy construction phase of the learning process.

N/A—Neither phase of the learning process.

Accept Method

Method that was used to accept the thresholds. The method can be one of the following:

Accept new thresholds—Accepts the new thresholds.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration.

Accept weighted thresholds—Calculates the policy thresholds to save based on the new threshold, the current threshold, and the weight that you defined.

Accept current—Saves the current thresholds without modifying them.


Modifying the Configuration of Snapshot Policies

You can use snapshots to perform the following tasks:

Modify the policies in a snapshot.

Copy zone policies from the snapshot to the zone configuration.

Compare the learning parameters of two zone snapshots to verify the outcome of the learning process and trace the differences in policies, services, and thresholds (see the "Comparing Policy Configurations of Two Zones or Snapshots" section).

To configure the snapshot policies, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot List. The Snapshot List table appears.

Step 3 Click on any one of the snapshot fields in the table to display the snapshot that you want to configure. The Policies screen appears, displaying the policies that the Detector module recorded at the time of the snapshot.

Step 4 (Optional) Click Configure Selection to reconfigure the parameters of one or more of the policies. See the "Modifying Policy Parameters" section in Chapter 8, "Managing Zone Policies" for more information.

Step 5 (Optional) Click Add service to add a service to the policies. See the "Adding a Service" section in Chapter 8, "Managing Zone Policies" for more information.

Step 6 (Optional) Click Remove service to remove a service from the policies. See the "Deleting a Service" section in Chapter 8, "Managing Zone Policies" for more information.

Step 7 Click Accept Thresholds to save the policies of the snapshot to the zone configuration.


Deleting Snapshots

You can delete old snapshots to free disk space.

To delete a snapshot, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot List. The list of snapshots appears and displays the ID number and name of each snapshot with the date and time that the snapshot was taken.

Step 3 Check the check box next to the ID number of the snapshot that you want to delete or check the check box in the header row to select all the snapshots, and then click Delete.

The Detector module deletes the selected snapshots from the Snapshot list.


Comparing Policy Configurations of Two Zones or Snapshots

You can compare the policy configurations of two zones, two snapshots, or a zone and a snapshot. The Detector module traces differences in policy configuration services, policies, and policy thresholds. When comparing the policy configurations, you select one zone or snapshot to be the base zone and the other zone or snapshot to be the compared zone. You can delete policy configuration attributes from, or add them to, the base zone. Modifying the configuration of the base zone enables you to selectively accept the learned policy attributes.

This section contains the following topics:

Viewing Policy Configuration Differences

Deleting Services from the Base Zone

Adding Services to the Base Zone

Copying Policy Parameters to the Base Zone

Viewing Policy Configuration Differences

To compare and display the policy differences of two zones or snapshots, perform the following steps:


Step 1 Use one of the following methods to begin the policy comparison process:

From the Detector module summary main menu, choose Zones > Compare Zone policies.

From the zone main menu, choose Configuration > Policies > Compare Policies.

The Policies Comparison Query screen appears.

Step 2 Define the base and compared zones.

Table 7-6 describes the Policies Comparison Query parameters.

Table 7-6 Policies Comparison Parameters 

Parameter 1 / Parameter 2 / Description

Base Zone

    Zone — Name of the zone or snapshot. To change the configuration of a zone, choose the zone as the base zone. Choose the base zone from the drop-down list.

    Policy Configuration — Policy configuration of the selected base zone. The default value is the current policy configuration of the zone. You can choose snapshots of the zone policies from the drop-down list.

Compared Zone

    Zone — Name of the zone or snapshot being compared to the base zone. You cannot modify the configuration of the compared zone. Choose the compared zone from the drop-down list.

    Policy Configuration — Policy configuration of the selected compared zone. The default value is the current policy configuration of the zone. You can choose snapshots of the zone policies from the drop-down list.

Minimal difference

    Percentage by which the policy thresholds of the base zone and the compared zone must differ before the Detector module displays them. The Detector module compares the two zones and displays only the policies whose thresholds differ by more than the specified percentage. The default percentage is 100%, where the Detector module displays only policies in which one of the thresholds is at least two times greater than the other threshold.


Step 3 Choose one of the following options:

OK—Compares the policy configurations of the two zones. The Policy Comparison screen appears and displays the differences in services and policy parameters (see Figure 7-1).

Cancel—Exits the Policies Comparison query without comparing any zone policies.


Figure 7-1 shows an example of the policy comparison tables. The policy configuration attributes that are specific to the base zone display in black and the attributes that are specific to the compared zone display in red.

Figure 7-1 Policy Comparison Tables

The Policy Comparison screen is divided into two sections:

Difference in services—The two tables in this section display the following information:

Services present only in the base zone policies.

Services missing from the base zone. The services in this list are defined only in the compared zone.


Note The Detector module displays a check box only next to the services that you can add to or delete from the base zone. Some services cannot be added or deleted because they are not specific services, for example, services of type any.


Difference in policy parameters—Displays differences in the operational parameters of the policies (state, action, threshold, and proxy-threshold). Each section in the table displays the differences found in a single policy. The first row in each section displays the base zone parameters. The second row of each section displays the compared zone parameters.
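The two sections of the Policy Comparison screen are a set difference over service names plus a per-policy field comparison with a percentage filter on thresholds. The following Python block is an added illustration, not Detector module or Cisco code, that reproduces that comparison on constructed data. The service names, the state and action labels, and the numbers are made up; applying the Minimal difference percentage to the proxy-threshold as well as the threshold, treating a zero threshold on one side as an unbounded difference, and always reporting state and action differences regardless of the percentage are assumptions, since the page describes the filter only for thresholds.

```python
"""Policy comparison of a base zone and a compared zone (added example).

Produces the same three views as the Policy Comparison screen described
in the guide: services only in the base zone, services missing from the
base zone, and per-policy parameter differences filtered by the Minimal
difference percentage. All data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

PARAMS = ("state", "action", "threshold", "proxy_threshold")
THRESHOLD_PARAMS = ("threshold", "proxy_threshold")  # assumption: both filtered by percentage


@dataclass(frozen=True)
class Policy:
    state: str
    action: str
    threshold: int
    proxy_threshold: int


def threshold_difference_pct(a: int, b: int) -> float:
    """Percentage by which the larger threshold exceeds the smaller one.

    100.0 means one threshold is twice the other, which matches the guide's
    description of the 100% default. A zero on one side and a non-zero value
    on the other is treated as an unbounded difference (assumption).
    """
    lo, hi = sorted((a, b))
    if lo == hi:
        return 0.0
    if lo == 0:
        return float("inf")
    return (hi - lo) / lo * 100.0


def compare_services(base: Dict[str, Policy], compared: Dict[str, Policy]) -> Tuple[List[str], List[str]]:
    """Return (services only in the base zone, services missing from the base zone)."""
    only_in_base = sorted(set(base) - set(compared))
    missing_from_base = sorted(set(compared) - set(base))
    return only_in_base, missing_from_base


def compare_parameters(
    base: Dict[str, Policy],
    compared: Dict[str, Policy],
    minimal_difference: float = 100.0,
) -> Dict[str, Dict[str, Tuple[object, object]]]:
    """Return {service: {parameter: (base_value, compared_value)}} for services in both zones.

    State and action differences are always reported (assumption); threshold
    differences are reported only when they reach the minimal percentage.
    """
    diffs: Dict[str, Dict[str, Tuple[object, object]]] = {}
    for name in sorted(set(base) & set(compared)):
        changed: Dict[str, Tuple[object, object]] = {}
        for param in PARAMS:
            bv, cv = getattr(base[name], param), getattr(compared[name], param)
            if bv == cv:
                continue
            if param in THRESHOLD_PARAMS and threshold_difference_pct(bv, cv) < minimal_difference:
                continue  # below the Minimal difference filter
            changed[param] = (bv, cv)
        if changed:
            diffs[name] = changed
    return diffs


# Constructed sample zones. "notify" / "activate" are illustrative action labels only.
BASE_ZONE = {
    "tcp/80": Policy("active", "notify", 1000, 500),
    "udp/53": Policy("active", "notify", 400, 200),
    "icmp": Policy("active", "notify", 200, 100),
}
COMPARED_ZONE = {
    "tcp/80": Policy("active", "notify", 2500, 500),      # threshold 150% higher
    "udp/53": Policy("active", "activate", 500, 200),     # threshold only 25% higher, action differs
    "tcp/443": Policy("inactive", "notify", 800, 400),    # missing from the base zone
}

if __name__ == "__main__":
    print(compare_services(BASE_ZONE, COMPARED_ZONE))
    print(compare_parameters(BASE_ZONE, COMPARED_ZONE))          # default 100%
    print(compare_parameters(BASE_ZONE, COMPARED_ZONE, 20.0))    # stricter view
```

Lowering the Minimal difference below the default surfaces the small threshold drifts that the 100% setting hides, which is useful when reviewing whether a learning phase pushed thresholds up across many services at once.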

Deleting Services from the Base Zone

To delete services from the base zone configuration, perform the following steps:


Step 1 From the Services Only In zonename table, check the check boxes next to the services that you want to delete from the base zone configuration. To choose all of the table entries, check the check box in the table header.

Step 2 Click Delete. The Detector module deletes the services from the base zone configuration.


Adding Services to the Base Zone

To add services to the base zone configuration, perform the following steps:


Step 1 From the Services Missing From zonename table, check the check boxes next to the services that you want to add to the base zone configuration. To choose all of the table entries, check the check box in the table header.

Step 2 Click Add. The Detector module adds the selected services to the base zone policy configuration.


Copying Policy Parameters to the Base Zone

To copy the policy parameters from the compared zone to the base zone, perform the following steps:


Step 1 From the Difference In Policy Parameters table, check the check boxes next to the policies that you want to copy to the base zone.

The policies of the base zone display in black and the policies of the compared zone display in red. To select all of the table entries, check the check box in the table header.

Step 2 Click Copy Parameters.

The Detector module copies the selected policies from the compared zone to the base zone policy configuration. The selected policies are removed from the table.