Cisco Anomaly Guard Module Web-Based Management Configuration Guide (Software Version 4.0)
Operating and Monitoring Events on the Guard Module

Table Of Contents

Operating and Monitoring Events on the Guard Module

Guard Module Summary (Home) Page

Viewing Guard Module Diagnostics

Counters

Event Log

Configuring Access Control

Managing User Authentication

Creating Users

Users List

Changing a Password

Configuring Authorization

Assigning Privilege Levels


Operating and Monitoring Events on the Guard Module


This chapter describes how to use Web-Based Management (WBM) to operate and monitor events on the Cisco Anomaly Guard Module.

This chapter includes the following sections:

Guard Module Summary (Home) Page

Viewing Guard Module Diagnostics

Configuring Access Control

For information on managing and creating zones, see "Creating and Configuring Zones."


Note You can only configure the Guard module, network, and diversion using the CLI. Refer to the Cisco Anomaly Guard Module Configuration Guide for further details.


Guard Module Summary (Home) Page

The Guard module Summary (Home) page shown in Figure 3-1 provides a summary of the current Guard module activity. It appears automatically after connecting to the Guard module WBM.

You can also reach the Guard module Summary (Home) page from a number of locations on the interface (Figure 1-1):

Select Guard Module Summary from the navigation pane.

Select Home from the information area.

Select Home from the navigation path displayed in the zone pages.

Figure 3-1 Guard Module Summary (Home) Page

The Guard Module Summary includes two sections:

Guard Module Summary—Provides a graphical summary of the traffic that was handled by the Guard module over the last two hours in bits per second (bps). Legitimate traffic passed by the Guard module to the protected zones appears in green. Malicious traffic handled by the Guard module appears in red.

Table 3-1 describes the information that appears below the graph.

Table 3-1 Field Descriptions for Guard Module Summary Graph

Field  Description
Min    The minimum traffic rate measured during the last two hours in bits per second (bps).
Max    The maximum traffic rate measured during the last two hours in bits per second (bps).
Avg    The average traffic rate measured during the last two hours in bits per second (bps).
Cur    The current traffic rate in bits per second (bps).


The information appears separately for legitimate traffic and for malicious traffic.

Currently Protected Zones—Provides a list of the currently protected zones and a short status summary for each of them. The zones appear in attack order, with the most recently attacked zone at the top of the list.

Table 3-2 describes the fields for currently protected zones.

Table 3-2 Field Descriptions for Currently Protected Zones

Field                                  Description
Zone                                   The zone name. The zone name also provides a link to the home page of the specific zone.
Activation Time                        The date and time that zone protection was activated.
Attack Start Time                      The date and time the most recent attack on the zone was detected.
Legitimate Rate                        The current rate of legitimate traffic passed by the Guard module to the zone in bits per second (bps).
Malicious Rate                         The current rate of malicious traffic to the zone in bits per second (bps).
Thumbnail of the Zone traffic summary  A graph displaying a summary of the traffic to the zone in the last half hour. The traffic rate appears in bits per second (bps). Legitimate traffic rate appears in green. Malicious traffic rate appears in red.


Viewing Guard Module Diagnostics

The Guard module provides diagnostic information to assist with troubleshooting and monitoring events.

To view the Guard module diagnostics, select Diagnostics from the main menu.

The following diagnostics are available:

Counters

Event Log

Counters

The Guard module Global Current Counters report (Figure 3-2) provides information in addition to that displayed in the Guard module summary.

To display the Guard module global counters, select Diagnostics > Counters from the main menu.

The following counters appear:

Legitimate—Legitimate traffic forwarded by the Guard module to the zones.

Malicious—Malicious traffic destined to the zone. Malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).

Received—Packets received and handled by the Guard module. Received packets are the sum of legitimate traffic and malicious traffic.

Dropped—Packets that were identified by the Guard module as part of an attack and dropped.

Replied—Packets to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms in order to verify whether they are part of authentic traffic or part of an attack.

Spoofed—Packets that were identified by the Guard module as Spoofed packets and were not forwarded to the zone. Spoofed packets are replied (bounced) packets to which no replies were received. Spoofed packets include zombie packets.
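The counter relationships stated above (Received is the sum of Legitimate and Malicious; Malicious is the sum of Dropped and Spoofed) can be checked automatically when the report is scraped for monitoring. This is an added example, not Cisco code: the two snapshots are constructed sample values, and the rate derivation follows the pps/bps definitions in Table 3-3.

```python
"""Consistency check and rate derivation for Guard module global counters.

Added example, not Cisco code. Two constructed snapshots of cumulative
totals (packets and bits since reactivation, as Table 3-3 defines them)
are checked against the documented relationships between the counters
and turned into the pps/bps rates the report displays.
"""

# Constructed sample snapshots: (seconds since reactivation, counter -> (packets, bits)).
SNAPSHOT_T0 = (100, {
    "Legitimate": (9000, 7_200_000),
    "Malicious": (1500, 600_000),
    "Received": (10500, 7_800_000),
    "Dropped": (1000, 400_000),
    "Replied": (800, 64_000),
    "Spoofed": (500, 200_000),
})
SNAPSHOT_T1 = (110, {
    "Legitimate": (9900, 7_920_000),
    "Malicious": (1700, 680_000),
    "Received": (11600, 8_600_000),
    "Dropped": (1100, 440_000),
    "Replied": (900, 72_000),
    "Spoofed": (600, 240_000),
})


def check_invariants(counters):
    """Return the names of documented counter relationships that do not hold."""
    broken = []
    for idx, unit in enumerate(("packets", "bits")):
        leg, mal, rcv = (counters[k][idx] for k in ("Legitimate", "Malicious", "Received"))
        drp, spf = counters["Dropped"][idx], counters["Spoofed"][idx]
        if rcv != leg + mal:
            broken.append(f"Received != Legitimate + Malicious ({unit})")
        if mal != drp + spf:  # Spoofed already includes zombie packets
            broken.append(f"Malicious != Dropped + Spoofed ({unit})")
    return broken


def rates(prev, cur):
    """Derive (pps, bps) per counter from two cumulative snapshots."""
    (t0, c0), (t1, c1) = prev, cur
    dt = t1 - t0
    if dt <= 0:
        raise ValueError("snapshots must be in increasing time order")
    return {name: ((c1[name][0] - c0[name][0]) / dt, (c1[name][1] - c0[name][1]) / dt)
            for name in c1}
```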

Figure 3-2 Guard Module Global Counters/Rates

Table 3-3 describes the fields for each of the counters.

Table 3-3 Field Descriptions for Counters in Counter Report

Field           Description
Shown in Graph  Specifies whether the counter is shown in the graph.
Packets         The total number of packets since the Guard module was reactivated.
Bits            The total number of bits since the Guard module was reactivated.
pps             The current traffic rate measured in packets per second.
bps             The current traffic rate measured in bits per second.


By default, the graph displays the legitimate and malicious traffic over the last two hours, measured in bits per second (bps). You can display additional counters in the graph and change the time period and graph type.

To change the graph settings, perform the following steps:


Step 1 Check the boxes to display more counters in the graph.

Step 2 Choose a time period for the graph from the drop-down list.

Step 3 Choose a unit type from the drop-down list.

Step 4 Click Update Graph (see Figure 3-3) to update the graph with the new settings.


A legend identifying the counters appears below the graph and the minimum, maximum and average rates for each counter appear for the time period and rate units selected.

For a detailed explanation on interpreting the significance of the counters, refer to the Cisco Anomaly Guard Module Configuration Guide.

Event Log

The Event log (Figure 3-3) displays monitoring and troubleshooting information for events that relate to the protected zones and to Guard module operation.

To display the event log, select Diagnostics > Event log from the Guard module's main menu.

Figure 3-3 Event Log

Table 3-4 shows the possible severity levels for events.

Table 3-4 Event Severity Levels

Event Level    Description
Emergencies    System is unusable
Alerts         Immediate action required
Critical       Critical condition
Errors         Error condition
Warnings       Warning condition
Notifications  Normal but significant condition
Informational  Informational messages
Debugging      Debugging messages


To filter events according to their severity level, check the boxes next to the severity levels and click Filter Events.


Note The event logs only display zone-related events with a severity level of Emergency, Alert, Critical, Error, Warning, and Notification. See "Zone Statistics and Diagnostics" for further details on zone event logs.


Configuring Access Control

Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication and Authorization network security services provide the primary framework through which you set up access.

Authentication—The way a user is identified prior to being allowed access to the system and system services.

Authorization—The process of determining what a user is allowed to perform once access to a system is obtained. This is usually done once the user is authenticated and begins to manipulate the system.

Managing User Authentication

The Guard module initially has a preconfigured user name with administration privileges, which enables you to create new users. User definition enables you to divide the Guard module user community into domains, and to assign passwords as required for secure management access.

The Administrator can set which authentication method the Guard module uses when a user tries to log into the Guard module. Local authentication uses locally configured login passwords for authentication. This is the default authentication method.

Creating Users

A user with Administration privileges can configure local users.

To create a new user, select Users > Create user from the main menu.

Define the parameters in Table 3-5 for each user.

Table 3-5 User Parameter Description

Parameter         Description
User name         The user name. An alphanumeric string from 1 to 63 characters that starts with a letter. The string cannot hold spaces but can contain underscores.
Initial password  From 6 to 24 characters long with no spaces.
Type              The user's privilege level. Choose a value from the drop-down list to assign a privilege level. See Table 3-6 for further details.


You can also create a new user by clicking Add on the Users List page.
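The constraints in Table 3-5 (user name, initial password, type) together with the privilege levels of Table 3-6 can be checked before accounts are entered in the WBM form. This is an added example, not Cisco code: the level labels, the rejection wording and the assumption that a new user cannot reuse a system user name are this example's own.

```python
"""Validator for Guard module user-creation parameters.

Added example, not Cisco code. Encodes the user name and password rules
of Table 3-5 and the privilege levels of Table 3-6 so a batch of planned
accounts can be checked offline before they are created.
"""
import re

# User name: 1-63 alphanumeric characters, starts with a letter, underscores allowed, no spaces.
USER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,62}$")
PASSWORD_MIN, PASSWORD_MAX = 6, 24
# Privilege levels of Table 3-6; the short labels are this example's own choice.
PRIVILEGE_LEVELS = ("admin", "config", "dynamic", "show")
# System users listed in the Users List section. Assumption of this example:
# an operator-created user may not reuse one of these names.
SYSTEM_USERS = ("admin", "riverhead")


def validate_user(name, password, level):
    """Return a list of problems; an empty list means the parameters are acceptable."""
    problems = []
    if not USER_NAME_RE.fullmatch(name):
        problems.append("user name must be 1-63 alphanumeric or underscore characters "
                        "and start with a letter")
    elif name in SYSTEM_USERS:
        problems.append(f"'{name}' is a system user name and cannot be reused")
    if not (PASSWORD_MIN <= len(password) <= PASSWORD_MAX) or " " in password:
        problems.append("password must be 6-24 characters with no spaces")
    if level not in PRIVILEGE_LEVELS:
        problems.append("type must be one of " + ", ".join(PRIVILEGE_LEVELS))
    return problems


def can_manage_users(level):
    """Only the Administration level may create, delete or modify users (Table 3-6)."""
    return level == "admin"
```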

Users List

To view the list of users defined on the Guard module, select Users > Users list from the main menu.

The list of users is divided into two categories:

System users—Users defined by the system. System users cannot be deleted. The system users are admin and riverhead.

Users—Users defined by the operator.

To delete a user, check the box next to the user name and click Delete.

To add a user, click Add.

The privilege level is displayed for each user (see Table 3-6).

To reconfigure a user, click on the user name and change the parameters.

Changing a Password

To change the password, perform the following steps:


Step 1 From the Guard module main menu select Users > Change password. The Change Password window appears.

Step 2 Enter the existing password in the Old Password dialog box.

Step 3 Enter a new password in the New Password dialog box, re-enter the new password to verify your choice and click OK.

Step 4 If you enter an invalid password or the new password is not verified correctly, an error message appears. Click Go Back to try again.


Users that have Administration privileges can configure and change the password for all users defined on the Guard module.

To reconfigure or change the passwords of users, other than the current user, perform the following steps:


Step 1 From the main menu select Users > Users list and click on the user name.

Step 2 Click Config.

Step 3 Enter the new password and click OK.


Configuring Authorization

Access to Guard module services depends on the user privilege level. You can limit the services available to a user. The Guard module checks the user's profile, which is located in the local user database, to verify the user's access rights. Once authorized, the user is granted access to the requested service only if the information in the user's profile allows it.

Local authorization uses locally configured user profiles for command group access control. Authorization is defined for all commands at the specific privilege level. This is the default authorization method.

Assigning Privilege Levels

The Guard module is pre-configured with an Administration privilege level, enabling you to define the different user types. Defining users enables you to divide the Guard module user community into groups with different access privileges.

Table 3-6 shows the privilege levels and the corresponding operations.

Table 3-6 User Privilege Levels

User Privilege Level     Description
Administration (admin)   Full access to all operations.
Configuration (config.)  Full access to all operations except the operations relating to user definition, deletion, and modification.
Dynamic                  Access to monitoring and diagnostics operations, detection, and learning related operations. Users with Dynamic privileges can also configure the Flex and Dynamic filters (see the note below).
Show                     Access to monitoring and diagnostics operations.


We recommend that only users with a privilege level of Administration or Configuration configure filters. Users with lower privileges can add and remove Dynamic filters.

The user name admin grants Administration privileges. The user name riverhead grants Dynamic privileges. The Cisco Traffic Anomaly Detector Module uses this user name for remote activation of the Guard module.

The privilege level is assigned to the user when it is initially created. See the "Creating Users" section for more details.

To change the user privilege level, delete the user from the Users List and add the user again.