Table Of Contents
Configuring Policy Templates and Policies
Understanding Zone Policies
Using Policy Paths
Creating Policies
Understanding Policy Templates
Configuring Policy Template Parameters
Configuring the Maximum Number of Services
Configuring the Minimum Threshold
Configuring Policy Template States
Configuring All Policy Template Parameters Simultaneously
Understanding Policy Path Sections
Policy Template
Service
Adding a Service
Deleting a Service
Protection Level
Packet Types
Traffic Characteristics
Configuring Policy Parameters
Changing the Policy State
Configuring the Policy Threshold
Setting the Policy Threshold
Setting the Threshold as Fixed
Configuring a Threshold Multiplier
Multiplying a Threshold by a Factor
Configuring Specific IP Thresholds
Configuring the Proxy-Threshold
Configuring the Policy Timeout
Configuring the Policy Action
Configuring the Policy Interactive Status
Monitoring Policies
Displaying Policies
Displaying Policy Statistics
Using Snapshots to Verify the Results of the Learning Process
Creating Snapshots
Comparing Learning Results
Comparing Snapshots
Comparing Zones
Displaying Snapshots
Copying Policies
Backing Up Policy Configuration
Configuring Policy Templates and Policies
This chapter describes the Cisco Anomaly Guard Module (Guard module) zone policies, policy structure, and policy templates, and it describes how to configure the zone policy and the policy template parameters.
This chapter contains the following sections:
• Understanding Zone Policies
• Understanding Policy Templates
• Understanding Policy Path Sections
• Configuring Policy Parameters
• Monitoring Policies
• Using Snapshots to Verify the Results of the Learning Process
• Backing Up Policy Configuration
Understanding Zone Policies
To perform statistical analysis of the traffic flow, the Guard module uses definitions that handle specific types of traffic, called zone policies. Zone policies are the building blocks of the Guard module and the baseline against which the Guard module compares the zone traffic. The zone policies constantly measure traffic flows. When a flow exceeds the policy threshold, the policy identifies that flow as malicious or abnormal, takes action against it, and dynamically configures a set of filters (dynamic filters) that apply the appropriate protection level to the traffic flow according to the severity of the attack.
To create the zone policies, the Guard module learns the zone traffic in a two-phase learning process: it uses pre-defined policy templates to construct the policies, and then learns the policy thresholds. Each policy template is used to create policies that contain specific protection aspects that the Guard module requires to protect against a specific DDoS threat.
After the Guard module creates and tunes the zone policies, you can add and delete policies or change policy parameters.
Using Policy Paths
A zone policy defines the characteristics that the Guard module uses to analyze and measure the zone traffic flow. The name of the policy is composed of sections that describe the traffic characteristic it measures. For example, the policy http/80/analysis/syns/src_ip measures traffic flows of HTTP SYN packets destined to port 80 that were authenticated by the Guard module Analysis protection level functions and aggregated according to source IP addresses.
Figure 8-1 provides an example of a zone policy name.
Figure 8-1 Policy Name
Table 8-1 describes the policy name sections.
The first four sections of the policy name (policy template, service, protection level and packet type) define the type of traffic that is analyzed. The last section of the policy path (traffic characteristics) defines how to analyze the flow.
Policies have cross dependencies and priorities. If there are two policies that define the same traffic flow, the Guard module analyzes the flow using the policy that is more specific. For example, policies relating to TCP services exclude the HTTP services that are handled by the HTTP-related policies.
You can configure the policy operational aspects, which define the policy triggers and the action that the policy takes once it is activated. See the "Configuring Policy Parameters" section for more information.
Creating Policies
The Guard module creates the zone policies in a two-phase learning process, during which it learns the zone traffic and adapts itself to the particular zone traffic characteristics. The phases are as follows:
1. The Policy Construction Phase—The Guard module constructs the zone policies by using the policy templates and discovers the main services that the zone uses.
2. The Threshold Tuning Phase—The Guard module tunes the policy thresholds of the services that were discovered during the policy construction phase to fit the zone service traffic rates.
During the learning process, the traffic flows transparently through the Guard module. See the "Learning the Zone Traffic Characteristics" section for more information.
Understanding Policy Templates
A policy template is a collection of policy construction rules that the Guard module uses during the policy construction phase to create the zone policies. At the end of the policy construction phase, the output of each template is a group of policies. The name of the policy template is derived from the characteristics that are common to all the policies it creates, and can be a protocol (such as DNS), an application (such as HTTP), or the objective (such as ip_scan). For example, the policy template tcp_connections produces policies that relate to connection, such as the number of concurrent connections. When you create a new zone, the Guard module includes a set of policy templates in the zone configuration.
Table 8-2 describes the Guard module policy templates. The Guard module includes these policy templates when you create a new zone using the GUARD_DEFAULT zone template.
Table 8-2 Policy Templates
Policy Template | Constructs a Group of Policies Relating To
dns_tcp | DNS-TCP protocol traffic.
dns_udp | DNS-UDP protocol traffic.
fragments | Fragmented traffic.
http | HTTP traffic that flows, by default, through port 80 (or other user-configured ports).
ip_scan | IP scanning. A situation in which a client from a specific source IP address tries to access many destination IP addresses in the zone. This policy template is designed primarily for zones in which the IP address definition is a subnet. By default, this policy template is disabled. The default action for this policy template is notify. Note: The policies that are produced from this policy template are resource consuming and can affect performance.
other_protocols | Non-TCP and non-UDP protocols.
port_scan | Port scanning. A situation in which a client from a specific source IP address tries to access many ports in the zone. By default, this policy template is disabled. The default action for this policy template is notify. Note: The policies that are produced from this policy template are resource consuming and can affect performance.
tcp_connections | TCP connection characteristics.
tcp_not_auth | TCP connections that have not been authenticated by the Guard module anti-spoofing functions.
tcp_outgoing | TCP connections initiated by the zone.
tcp_ratio | Ratios between different types of TCP packets. For example, SYN packets as opposed to FIN/RST packets.
tcp_services | TCP services on ports other than HTTP-related, such as ports 80 and 8080.
tcp_services_ns | TCP services. By default, the policies created from this policy template monitor IRC ports (666X), SSH, and Telnet. This policy template does not create policies with actions that require the Guard module to apply the strong protection level to the traffic flow. See the "Understanding the Protection Process" section for more information on the strong protection level.
udp_services | UDP services.
Note
The Guard module relates first to indicators of TCP traffic on dedicated ports 6660 to 6670 and 21 to 23.
• If traffic is traced on these ports, the tcp_services_ns policy template constructs a group of policies, and the tcp_services policy template relates to TCP services on other ports.
• If no traffic is traced on these ports, the tcp_services_ns policy template is not used.
You can add services to policies that were created from the tcp_services_ns policy template.
The Guard module includes additional policy templates that are designed for protecting zones for which you do not want to use the TCP proxy anti-spoofing functions. You can use these policy templates if the zone is moderated according to IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services that are running on the zone.
If you define a zone with the GUARD_TCP_NO_PROXY zone template, the Guard module uses the policy templates described in Table 8-3. The Guard module replaces the policy templates http, tcp_connections and tcp_outgoing with the policy templates http_ns, tcp_connections_ns and tcp_outgoing_ns policies respectively. The http_ns, tcp_connections_ns and tcp_outgoing_ns policy templates do not create policies with actions that require the Guard module to apply the strong protection level to the traffic flow.
Table 8-3 details the Guard policy templates for GUARD_TCP_NO_PROXY.
Table 8-3 GUARD_TCP_NO_PROXY Policy Templates
Policy Template | Replaces Policy Template | Constructs a Group of Policies Relating To
tcp_connections_ns | tcp_connections | TCP connection characteristics.
tcp_outgoing_ns | tcp_outgoing | TCP connections initiated by the zone.
http_ns | http | HTTP traffic flowing, by default, through port 80 (or other user-configured ports).
To view a list of all policy templates, enter the policy-template command in zone configuration mode and press TAB twice.
Configuring Policy Template Parameters
During the learning process, zone traffic flows transparently through the Guard module. Each active policy template produces a group of policies according to the zone traffic characteristics. The Guard module ranks the services (protocol and port numbers) that the policy template relates to by the level of traffic volume. The Guard module then selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold, and it creates a policy for each service. Some of the policy templates create an additional policy with a service of any to handle all traffic flows for which no specific policy was added.
You can configure the following policy template parameters:
• Configuring the Maximum Number of Services—Defines the maximum number of services that the Guard module picks up for the policy template to create specific policies.
• Configuring the Minimum Threshold—Defines the minimum threshold that must be exceeded for the Guard module to rank the service.
• Configuring Policy Template States—Defines whether or not the Guard module produces policies from the policy template.
To configure the policy template parameters, enter the policy template configuration mode by entering the following command in zone configuration mode:
policy-template policy-template-name
The policy-template-name argument specifies the name of the policy template. See Table 8-2 for more information.
After executing the command, the Guard module enters the policy template configuration mode.
The following example shows how to enter http policy template configuration mode:
user@GUARD-conf-zone-scannet# policy-template http
user@GUARD-conf-zone-scannet-policy_template-http#
To display the parameters of a specific policy template, use the show command in policy template configuration mode.
Configuring the Maximum Number of Services
The maximum number of services parameter defines the maximum number of services (protocol numbers or port numbers) for which the policy template selects and creates policies. The Guard module ranks the services that the policy template relates to by the level of traffic volume for each service. The Guard module then selects the services that have the highest traffic volume and that have exceeded the defined minimum threshold (as defined by the min-threshold parameter), and it creates policies for each service. The Guard module may add an additional policy with a service of any to handle all other traffic flows with the characteristics of the policy template.
Note
The higher the maximum number of services, the more memory the zone uses.
You can define this parameter only for policy templates that detect services: tcp_services, tcp_services_ns, udp_services, and other_protocols. You cannot configure it for policy templates that relate to a specific service, such as dns_tcp, which relates to service 53, or for policy templates that relate to a specific traffic characteristic, such as fragments.
The Guard module measures the traffic rate to the service according to the policy traffic characteristic, which can be the source IP addresses or the destination IP addresses. A policy for the service any measures the rate of source IP addresses across all services that are not handled by a specific policy, so it is less precise.
By limiting the service number, you can configure the Guard module policies to your preferred traffic flow requirements.
To configure the maximum number of services, enter the following command in policy template configuration mode:
max-services max-services
The max-services argument is an integer greater than 1 that defines the maximum number of services that the Guard module selects. We recommend that you do not exceed the maximum of 10 services.
The following example shows how to configure the maximum number of services that the Guard module monitors to 5:
user@GUARD-conf-zone-scannet-policy_template-tcp_services# max-services 5
Configuring the Minimum Threshold
The minimum threshold parameter defines the minimum traffic volume for a service. When the threshold is exceeded, the Guard module constructs policies that relate to the service traffic according to the particular traffic flow that exceeded the threshold.
You cannot configure this parameter for policy templates that are essential for proper zone protection and that always construct a policy: tcp_services, tcp_services_ns, udp_services, other_protocols, http, and fragments.
By setting the threshold, you can better adapt the protection operation to the traffic volume of the zone services.
To configure the minimum threshold, enter the following command in policy template configuration mode:
min-threshold min-threshold
The min-threshold argument is a real number (a floating point number with two decimal places), equal to or greater than 0, that defines the minimum threshold rate in pps. For policies that measure concurrent connections or the SYN/FIN ratio, the threshold is an integer that defines the total number of connections.
The following example shows how to configure the minimum threshold of policy template http:
user@GUARD-conf-zone-scannet-policy_template-http# min-threshold 12.3
Configuring Policy Template States
The policy template state parameter defines whether the policy template is enabled or disabled. If you disable a policy template, it is prevented from producing policies when the Guard module is in the policy construction phase.
Caution 
Disabling a policy template may seriously compromise zone protection. If you disable a policy template, the Guard module cannot protect the zone from the traffic to which the policy template relates. For example, disabling the dns_udp policy template prevents the Guard module from creating zone policies that manage DNS (UDP) attacks.
To disable a policy template, use the disable command.
To enable a policy template, use the enable command.
Configuring All Policy Template Parameters Simultaneously
You can configure all policy template operational parameters with a single command by entering the following command:
policy-template policy-template-name max-services min-threshold {disabled | enabled}
Table 8-4 provides the arguments and keywords for the policy-template command.
Table 8-4 Arguments and Keywords for the policy-template Command
Parameter | Description
policy-template-name | The policy template name. See Table 8-2 for more information.
max-services | The maximum number of services for which the Guard module selects and constructs policies from the specific policy template. To prevent the Guard module from changing the current value, enter a value of -1. See the "Configuring the Maximum Number of Services" section for more information.
min-threshold | The minimum threshold that must be exceeded for the Guard module to rank the service. To prevent the Guard module from changing the current value, enter a value of -1. See the "Configuring the Minimum Threshold" section for more information.
disabled | Disables the policy template from producing policies. See the "Configuring Policy Template States" section for more information.
enabled | Enables the policy template. See the "Configuring Policy Template States" section for more information.
The following example shows how to set the parameters of the tcp_services policy template. The maximum number of services is set to 3, the minimum threshold is left unchanged (-1), and the policy template state is set to enabled:
user@GUARD-conf-zone-scannet# policy-template tcp_services 3 -1 enabled
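The service ranking described under "Configuring Policy Template Parameters" and "Configuring the Maximum Number of Services", together with the -1 "keep current value" convention of the single-command form above, modeled in Python. This is an added illustration, not Guard module code: the traffic figures are constructed, "exceeded" is taken to mean strictly greater than min-threshold, and the protection-level/packet-type/traffic-characteristic suffixes passed to policy_paths are an assumption because the chapter does not list which ones each template creates.

```python
from dataclasses import dataclass

# Constructed sample: traffic volume per TCP port, in pps, as observed during
# the policy construction phase. Not output from a real Guard module.
OBSERVED_TCP_PPS = {
    80: 4200.0, 443: 2600.0, 25: 310.0, 22: 95.0,
    110: 40.0, 143: 12.5, 8080: 0.9,
}

UNCHANGED = -1  # the value that leaves a parameter as it is (Table 8-4)


@dataclass(frozen=True)
class TemplateSettings:
    """Operational parameters of one policy template."""
    max_services: int
    min_threshold: float
    enabled: bool = True


def apply_policy_template_command(current, max_services, min_threshold, state):
    """Model of 'policy-template <name> <max-services> <min-threshold> {disabled|enabled}'.

    A value of -1 for max-services or min-threshold keeps the current value.
    Other values are validated against the ranges the guide states.
    """
    if max_services != UNCHANGED and max_services <= 1:
        raise ValueError("max-services must be an integer greater than 1")
    if min_threshold != UNCHANGED and min_threshold < 0:
        raise ValueError("min-threshold must be equal to or greater than 0")
    if state not in ("enabled", "disabled"):
        raise ValueError("state must be 'enabled' or 'disabled'")
    new_max = current.max_services if max_services == UNCHANGED else max_services
    new_min = current.min_threshold if min_threshold == UNCHANGED else min_threshold
    return TemplateSettings(
        max_services=new_max,
        min_threshold=round(new_min, 2),  # the guide states two decimal places
        enabled=(state == "enabled"),
    )


def select_services(observed_pps, settings):
    """Model of the service ranking for service-detecting templates
    (tcp_services, tcp_services_ns, udp_services, other_protocols).

    Services are ranked by traffic volume; only services whose volume exceeds
    min-threshold are eligible; the top max-services of those get a policy, and
    the catch-all service 'any' is appended for flows no specific policy handles.
    A disabled template produces no policies at all.
    """
    if not settings.enabled:
        return []
    eligible = [(svc, pps) for svc, pps in observed_pps.items()
                if pps > settings.min_threshold]
    eligible.sort(key=lambda item: (-item[1], item[0]))  # highest volume first
    chosen = [str(svc) for svc, _ in eligible[: settings.max_services]]
    return chosen + ["any"]


def policy_paths(template_name, services, suffixes):
    """Expand a template and its selected services into full policy paths.

    The suffixes (protection level/packet type/traffic characteristic) are
    supplied by the caller; they are an assumption, not a list from the guide.
    """
    return [f"{template_name}/{svc}/{suffix}"
            for svc in services for suffix in suffixes]


if __name__ == "__main__":
    current = TemplateSettings(max_services=10, min_threshold=12.5)
    tuned = apply_policy_template_command(current, 3, UNCHANGED, "enabled")
    services = select_services(OBSERVED_TCP_PPS, tuned)
    for path in policy_paths("tcp_services", services, ["analysis/syns/src_ip"]):
        print(path)
```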
Understanding Policy Path Sections
The policy path consists of the following sections:
• Policy template
• Service
• Protection level
• Packet types
• Traffic characteristics
This section contains the following topics:
• Policy Template
• Service
• Protection Level
• Packet Types
• Traffic Characteristics
Policy Template
A policy template is a collection of policy construction rules that the Guard module uses during the policy construction phase to create the zone policies. See the "Understanding Policy Templates" section for more information.
Service
The service section defines the zone application port or protocol to which each policy relates. Policies have cross dependencies and priorities. If there are two policies that define the same traffic flow, the Guard module analyzes the flow using the policy that is more specific. The service any relates to all traffic that does not specifically match other services created from the same policy template.
We recommend that you define specific policies for the zone main services to obtain protection that is most suited to your individual needs.
Caution 
Do not add the same service (port number) to more than one policy because it may decrease performance.
When you add or delete a service from the zone policies, the Guard module marks the zone policies as untuned. If you enabled zone protection and the learning process, the Guard module cannot detect anomalies in the zone traffic until you perform one of the following actions:
• Perform the threshold tuning phase of the learning process and accept the results (see the "Tuning Thresholds" section)
• Mark the zone policies tuned (see the "Marking the Policies as Tuned" section)
This section includes the following topics:
• Adding a Service
• Deleting a Service
Adding a Service
You can add services to all policies that were created from a specific policy template. The new service is an addition to the services that were discovered during the policy construction phase and is defined with default values. You can define the threshold manually, yet we recommend that you run the threshold tuning phase of the learning process to tune the policies to the zone traffic. See the "Tuning Thresholds" section for more information.
You can add a new service to policies that were created from the following policy templates:
• tcp_services, udp_services, tcp_services_ns
The service designates a port number.
• other_protocols
The service designates a protocol number.
Note
If you activate the policy construction phase after adding a service, new services might override the manually added service.
If you do not reissue policy construction, you may need to add a service manually in the following situations:
• A new application or service was added to the zone network.
• The policy construction phase was activated for a short period, so it does not reflect all the network services (for instance, in case there are known applications or services that are active only once a week or during the night).
To add a service, enter one of the following commands:
• add-service service-num (in policy template configuration mode)
• policy-template policy-template-name add-service service-num (in zone configuration mode)
Table 8-5 provides the arguments for the add-service command.
Table 8-5 Arguments for the add-service Command
Parameter | Description
policy-template-name | The policy template name. See Table 8-2 for more information.
service-num | The protocol or port number.
The following example shows how to add a service to all the policies that were created from the policy template tcp_services:
user@GUARD-conf-zone-scannet-policy_template-tcp_services# add-service 25
Deleting a Service
You can delete a specific service for any policy template. The Guard module will delete the service from all policies that were created from the specific policy template.
To delete a service, enter one of the following commands:
• remove-service service-num (in policy template configuration mode)
• policy-template policy-template-name remove-service service-num (in zone configuration mode)
Table 8-6 provides the arguments for the remove-service command.
Table 8-6 Arguments for the remove-service Command
Parameter | Description
policy-template-name | The policy template name. See Table 8-2 for more information.
service-num | The protocol or port number to remove.
Caution 
If you delete a service, the Guard module policies cannot monitor the traffic of that service, which may compromise zone protection.
You can remove services from the following policy templates:
• tcp_services, udp_services, tcp_services_ns
The service is a port number.
• other_protocols
The service is a protocol number.
If you do not activate the policy construction phase of the learning process you may need to remove a service manually in the following situations:
• An application or service was removed from the network.
• An application or service that was identified during the policy construction phase but that you do not want to enable (because it is uncommon for the network environment).
Note
If you activate the policy construction phase after removing a service, the same service might be re-added.
The following example shows how to delete service from all policies that were created from the policy template tcp_services:
user@GUARD-conf-zone-scannet-policy_template-tcp_services# remove-service 25
Protection Level
The Guard module applies one of three protection levels to a traffic flow, each of which applies different processes to the traffic. The protection levels are as follows:
• Analysis protection level—The Guard module allows the traffic to flow monitored, but unhindered, during zone protection, as long as no anomalies are traced. Once the Guard module traces anomalies, it directs the traffic to the appropriate protection level.
• Basic protection level—The Guard module activates anti-spoofing and anti-zombie functions to authenticate the traffic by inspecting the suspicious traffic flow to verify its source. The Guard module performs authentication for each host. The authentication is valid for a pre-defined period of time only; when the time expires, the Guard module authenticates the host again.
• Strong protection level—The Guard module activates severe anti-spoofing functions that inspect the packets of the traffic flow to verify the legitimacy of the flow. The Guard module performs authentication for each connection.
After activating a protection function, the Guard module continues to analyze the traffic. If the Guard module can still spot traffic abnormalities in traffic destined to the zone, it applies a stronger protection level.
Note
Protection levels have a static configuration; they cannot be configured manually.
Packet Types
The Guard module monitors packet characteristics, which can be one of the following:
• Packet type (for example, TCP-SYN packets)
• Packet analysis (for example, authenticated packets, which are packets whose connection the Guard module has verified by performing a TCP handshake)
• Packet direction (for example, incoming connections)
Table 8-7 describes the packet types that the Guard module monitors.
Table 8-7 Packet Types
Packet Type | Brief Description
auth_pkts | Packets for which either a TCP handshake or UDP authentication was performed.
auth_tcp_pkts | Packets for which a TCP handshake was performed.
auth_udp_pkts | Packets for which UDP authentication was performed.
in_nodata_conns | Zone incoming connections that have no data transfer on the connection (packets without a data payload).
in_conns | Zone incoming connections.
in_pkts | Zone incoming DNS query packets.
in_unauth_pkts | Zone incoming unauthenticated DNS queries.
num_sources | Packets that have TCP source IP addresses that are destined to the zone and that have been authenticated by the Guard module anti-spoofing functions.
out_pkts | Zone incoming DNS reply packets.
reqs | Request packets with data payload.
syns | Synchronization packets (TCP SYN flagged packets).
syn_by_fin | SYN and FIN flagged packets. The Guard module verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.
unauth_pkts | Packets that did not undergo TCP handshake.
pkts | All packet types that do not fall under any other category in the same protection level.
Traffic Characteristics
Traffic characteristics define how to analyze the traffic flow and which characteristic was used to aggregate the policies. Different policies can therefore analyze the same traffic flow but measure the rate according to different characteristics, as in this example: dns_tcp/53/analysis/pkts/dst_ip and dns_tcp/53/analysis/pkts/src_ip.
Table 8-8 describes the traffic characteristics that the Guard module monitors.
Table 8-8 Traffic Characteristics
Traffic Characteristic | Brief Description
dst_ip | Traffic destined to a zone IP address.
dst_ip_ratio | Ratio of SYN and FIN flagged packets destined to a specific IP address.
dst_port | Traffic destined to a specific zone port.
dst_port_ratio | Ratio of SYN and FIN flagged packets destined to a specific port.
global | Summation of all traffic flow as defined by the other policy sections.
protocol | Traffic destined to the zone aggregated according to protocol.
src_ip | Traffic destined to the zone aggregated according to source IP address.
src_ip_many_dst_ips | Traffic from a single IP address that probes a large number of zone IP addresses on the same port. This key is used for IP scanning.
src_ip_many_ports | Traffic from a single IP address that probes a large number of ports on a zone destination IP address. This key is used for port scanning.
Configuring Policy Parameters
After completing the learning process, you can display specific policy parameters to help you decide whether or not the policy parameters suit the zone traffic. If necessary, you can configure the policy parameters of a single policy or a group of policies to adapt to zone traffic requirements.
To display the configuration of the policy parameters, use the show command in policy configuration mode.
To enter policy configuration mode, enter the following command in zone configuration mode:
policy policy-path
The policy-path argument specifies the policy path sections. The path can be a partial path that includes only part of the policy sections. See the "Using Policy Paths" section for more information.
Note
To move up one level in the policy path hierarchy, enter policy .. at the policy path prompt.
The following example shows how to enter the dns_tcp/53/analysis/syns/global policy configuration mode:
user@GUARD-conf-zone-scannet# policy dns_tcp/53/analysis/syns/global
user@GUARD-conf-zone-scannet-policy-/dns_tcp/53/analysis/syns/global#
You can configure the following parameters:
• Policy state—See the "Changing the Policy State" section.
• Policy threshold—See the "Configuring the Policy Threshold" section.
• Policy timeout—See the "Configuring the Policy Timeout" section.
• Policy action—See the "Configuring the Policy Action" section.
• Policy interactive status—See the "Configuring the Policy Interactive Status" section.
You can change the policy action, timeout, threshold, and learning parameters at every section of the policy path. However, more policies are affected if you change these parameters at the higher-level policy sections (such as policy template or service sections). If you configure these parameters at a high-level policy path hierarchy, these parameters change in all the sub-policy paths.
You can use an asterisk (*) as a wildcard character in each policy path section. If you do not specify a policy path section, the Guard module relates to the unspecified section as a wildcard (*).
For example, the policy path tcp_services//analysis//global is equivalent to tcp_services/*/analysis/*/global.
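The path rules from this section and from "Using Policy Paths" (five sections, `*` and omitted sections as wildcards, configuration at a higher level reaching every sub-policy, the more specific policy winning when two define the same flow) modeled as a small Python helper. This is an added illustration, not Guard module code; the zone policy list is constructed, and treating the service any as a catch-all that loses to a concrete service is an assumption drawn from the "Service" section.

```python
SECTIONS = ("policy template", "service", "protection level",
            "packet type", "traffic characteristic")
WILDCARD = "*"
ANY_SERVICE = "any"
SERVICE = 1  # index of the service section

# Constructed sample zone policy list; not taken from a real zone.
ZONE_POLICIES = [
    "tcp_services/25/analysis/syns/src_ip",
    "tcp_services/any/analysis/syns/src_ip",
    "tcp_services/25/analysis/syns/global",
    "tcp_services/any/analysis/syns/global",
    "tcp_services/25/basic/syns/global",
    "dns_tcp/53/analysis/syns/global",
    "http/80/analysis/syns/src_ip",
]


def parse_policy_path(path):
    """Return the five sections of a (possibly partial) policy path.

    Empty sections (tcp_services//analysis//global) and sections missing from
    the end of a partial path are both treated as the wildcard '*'. A leading
    '/' as displayed in the CLI prompt is accepted.
    """
    body = path.strip("/")
    parts = body.split("/") if body else []
    if len(parts) > len(SECTIONS):
        raise ValueError(f"policy path has more than {len(SECTIONS)} sections: {path!r}")
    parts = [p.strip() or WILDCARD for p in parts]
    parts.extend([WILDCARD] * (len(SECTIONS) - len(parts)))
    return tuple(parts)


def normalize(path):
    """Canonical five-section form with explicit wildcards."""
    return "/".join(parse_policy_path(path))


def pattern_selects(pattern, policy_path):
    """True if a configuration pattern (wildcards allowed) applies to a policy."""
    return all(p == WILDCARD or p == s
               for p, s in zip(parse_policy_path(pattern), parse_policy_path(policy_path)))


def affected_policies(pattern, zone_policies):
    """Policies whose parameters change when you configure them at this path."""
    return [p for p in zone_policies if pattern_selects(pattern, p)]


def policy_covers(policy_path, flow):
    """True if a zone policy handles a traffic flow given as a concrete path.

    In the service section, 'any' covers every service of its template
    (assumption: it is the catch-all policy described under "Service").
    """
    for index, (ps, fs) in enumerate(zip(parse_policy_path(policy_path),
                                         parse_policy_path(flow))):
        if ps == fs or ps == WILDCARD:
            continue
        if index == SERVICE and ps == ANY_SERVICE:
            continue
        return False
    return True


def specificity(policy_path):
    """Number of sections that are neither a wildcard nor the catch-all 'any'."""
    return sum(1 for index, s in enumerate(parse_policy_path(policy_path))
               if s != WILDCARD and not (index == SERVICE and s == ANY_SERVICE))


def select_policy(zone_policies, flow):
    """The guide's rule: of the policies that define the same flow, the most
    specific one analyzes it. Returns None when no policy covers the flow."""
    candidates = [p for p in zone_policies if policy_covers(p, flow)]
    return max(candidates, key=specificity) if candidates else None


if __name__ == "__main__":
    print(normalize("tcp_services//analysis//global"))
    print(affected_policies("tcp_services//analysis//global", ZONE_POLICIES))
    print(select_policy(ZONE_POLICIES, "tcp_services/110/analysis/syns/src_ip"))
```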
Changing the Policy State
The zone policies have three possible states:
• Active—The policy relates to the traffic and performs an action once the threshold is exceeded.
• Inactive—The policy relates to the traffic and obtains the threshold, but it takes no action when the threshold is exceeded. Setting a policy to inactive lets you avoid running the threshold tuning phase of the learning process again.
• Disabled—The policy does not relate to the traffic flow, so no threshold is obtained. As a result, we recommend that you activate the threshold tuning phase of the learning process to ensure that the Guard module monitors the correct thresholds for the policies.
Caution 
If you disable a policy, other policies regard its targeted traffic as belonging to them. We recommend that you activate the threshold tuning phase before you activate zone protection.
To change the policy state, enter the following command in policy configuration mode:
state {active | disabled | inactive}
The following example shows how to set the policy state:
user@GUARD-conf-zone-scannet-policy-/dns_tcp/53/analysis/syns# state disabled
Caution 
If you unnecessarily deactivate or disable a policy, the zone policies may not assume their role, and the zone protection can be compromised.
If you activate the policy construction phase after disabling a zone policy, all zone policies are reconfigured according to the current traffic flow and the policy may be reactivated.
Configuring the Policy Threshold
The policy threshold defines the threshold traffic rate for a specific policy and is adjusted by the threshold tuning phase and is set, by default, to a value that is appropriate for on-demand protection. When this threshold is exceeded, the policy takes action to protect the zone.
The threshold is measured in pps except for policies that are constructed from the following policy templates:
• num_sources—The threshold is measured in number of IP addresses or ports.
• tcp_connections—The threshold is measured in number of connections.
• tcp_ratio—The threshold is measured as the ratio number.
You can configure the policy threshold in the following ways:
• Set the threshold
You can set the value of the policy threshold. See the "Setting the Policy Threshold" section.
• Multiply the threshold
The Guard module multiplies the current policy thresholds by a factor. The new value may change in subsequent threshold tuning phases if you do not set it as fixed. See the "Multiplying a Threshold by a Factor" section.
• Configure specific IP thresholds
The Guard module sets thresholds for specific IP source addresses within the zone address range. See the "Configuring Specific IP Thresholds" section.
• Configure a proxy threshold
The Guard module sets a threshold for traffic of clients that connect to the zone in HTTP through proxies. See the "Configuring the Proxy-Threshold" section.
The policy threshold may change if you perform additional threshold tuning phases. You can modify the way a threshold may change in subsequent threshold tuning phases in the following ways:
• Set the threshold as fixed
The Guard module will not change the value of the policy threshold, proxy-threshold, and threshold-list in subsequent threshold tuning phases. See the "Setting the Threshold as Fixed" section.
• Set a fixed multiplier for the policy threshold
The Guard module calculates the policy threshold in subsequent threshold tuning phases based on the current policy threshold, the learned threshold, and the fixed multiplier. See the "Configuring a Threshold Multiplier" section.
Setting the Policy Threshold
To configure the policy threshold, enter the following command in policy configuration mode:
threshold threshold
The threshold argument is a positive number that specifies the policy threshold.
The following example shows how to set the threshold value of the policy dns_tcp/53/analysis/syns/global to 300:
user@GUARD-conf-zone-scannet-policy-/dns_tcp/53/analysis/syns/global# threshold 300
Setting the Threshold as Fixed
You can set a policy threshold, proxy-threshold, and threshold-list as fixed. The Guard module then ignores the new thresholds from the threshold tuning phase of the learning process and keeps the current thresholds. Setting a threshold as fixed lets you configure the thresholds of one policy by hand while the Guard module continues to learn the thresholds of the other policies.
To set the policy thresholds as fixed, enter the following command in policy configuration mode:
learning-params fixed-threshold
The following example shows how to set the threshold of the policy dns_tcp/53/analysis/syns/global as fixed:
user@GUARD-conf-zone-scannet-policy-/dns_tcp/53/analysis/syns/global# learning-params fixed-threshold
You can set the threshold of several policies as fixed in a single command by entering the command in zone configuration mode. To set a policy threshold as fixed in zone configuration mode, enter the following command:
policy policy-path learning-params fixed-threshold
The policy-path argument specifies the policy path. The path can be a partial path that includes only part of the policy sections. See the "Using Policy Paths" section for more information.
The following example shows how to set the thresholds of all policies that were created from the dns_tcp policy template as fixed:
user@GUARD-conf-zone-scannet# policy dns_tcp learning-params fixed-threshold
To display the policy learning parameters, use the show learning-parameters command in policy configuration mode, or use the show policies policy-path learning-parameters command in zone configuration mode.
Configuring a Threshold Multiplier
You can set a multiplier for a policy threshold. The Guard module will calculate the policy threshold by multiplying the learned threshold by the specified multiplier before accepting the result of subsequent threshold tuning phases. The Guard module accepts the results of the threshold tuning phase using the configured threshold selection method. See the "Configuring the Threshold Selection Method" section.
To set a multiplier for the policy threshold, enter the following command in zone configuration mode:
policy policy-path learning-params threshold-multiplier threshold-multiplier
Table 8-9 provides the arguments for the policy learning-params threshold-multiplier command.
Table 8-9 Arguments for the policy learning-params threshold-multiplier Command
policy-path: The policy path whose thresholds are multiplied. The path can be a partial path that includes only part of the policy sections. See the "Using Policy Paths" section for more information.
learning-params: Configures the learning parameters.
threshold-multiplier threshold-multiplier: A real positive number (a floating point number with 2 decimal places) by which the learned policy threshold is multiplied. Enter a number less than 1 to decrease the policy threshold.
To set a multiplier for the policy threshold in policy configuration mode, use the learning-params threshold-multiplier threshold-multiplier command.
The following example shows how to configure a threshold multiplier so that, in subsequent threshold tuning phases, the Guard module halves the learned thresholds of the policies that were created from the dns_tcp policy template:
user@GUARD-conf-zone-scannet# policy dns_tcp learning-params threshold-multiplier 0.5
To display the policy learning parameters, use the show learning-parameters command in policy configuration mode, or use the show policies policy-path learning-parameters command in zone configuration mode.
Multiplying a Threshold by a Factor
You can multiply the thresholds of a policy or a group of policies by a factor, which enables you to increase or decrease them when the traffic volume that was learned does not represent the normal zone traffic. The factor applies to the policy thresholds, the proxy thresholds, and the thresholds that were defined by the policy threshold-list command.
To multiply policy thresholds by a factor, enter the following command in zone configuration mode:
policy policy-path thresh-mult threshold-multiply-factor
Table 8-10 provides the arguments for the policy thresh-mult command.
Table 8-10 Arguments for the policy thresh-mult Command
policy-path: The policy path of the policies whose thresholds are multiplied. The path can be a partial path or contain wildcards. See the "Using Policy Paths" section and Table 8-2 for more information.
thresh-mult threshold-multiply-factor: A real positive number (a floating point number with 4 decimal places) by which the thresholds are multiplied. Enter a number less than 1 to decrease the thresholds. The factor is applied to the current thresholds, unlike learning-params threshold-multiplier, which applies to thresholds learned in later tuning phases.
The following example shows how to halve the thresholds of all policies whose traffic characteristic is src_ip, whatever policy template they were created from:
user@GUARD-conf-zone-scannet# policy */*/*/*/src_ip thresh-mult 0.5
The Guard module might change the threshold value in subsequent threshold tuning phases. To prevent the Guard module from changing the threshold value, set the threshold value as fixed. See the "Setting the Threshold as Fixed" section.
To display the policy learning parameters, use the show learning-parameters command in policy configuration mode, or use the show policies policy-path learning-parameters command in zone configuration mode.
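The path matching and bulk multiplication described above, as an added example in Python that is not Guard code: it models a zone as a list of policy records, applies the wildcard rules for partial policy paths that this page describes (an asterisk or an empty section matches any value, and a shorter path is completed with wildcards), and applies thresh-mult to the policy threshold, the proxy-threshold and the threshold-list entries of every matching policy, as the section above says the command does. It also shows how a threshold-list entry overrides the policy threshold for a particular address when per-key rates are checked. The Policy class, the sample zone and all function names are assumptions made for this illustration.

```python
"""Constructed model of Guard policy-path selection and the bulk
'policy policy-path thresh-mult factor' operation.  Added example, not Guard
code: Policy, sample_zone and the function names are assumptions.  Policy
paths use the five sections shown on this page:
template/service/protection-level/packet-type/traffic-characteristic."""
from __future__ import annotations
from dataclasses import dataclass, field

SECTIONS = 5              # sections in a full policy path
MAX_THRESHOLD_LIST = 10   # page: at most 10 specific IP thresholds per policy


@dataclass
class Policy:
    path: str
    threshold: float                       # pps, connections or ratio
    proxy_threshold: float | None = None   # only some policies have one
    threshold_list: dict[str, float] = field(default_factory=dict)  # ip -> threshold


def path_matches(pattern: str, path: str) -> bool:
    """Match a possibly partial policy-path pattern against a full path.
    A '*' section is a wildcard, an empty section ('tcp_services//analysis//global')
    is treated as '*', and a pattern with fewer than five sections ('dns_tcp/')
    is padded with wildcards."""
    pat = pattern.rstrip("/").split("/")
    if len(pat) > SECTIONS:
        return False
    pat += ["*"] * (SECTIONS - len(pat))
    parts = path.split("/")
    if len(parts) != SECTIONS:
        return False
    return all(q in ("", "*") or q == p for p, q in zip(parts, pat))


def select(policies: list[Policy], pattern: str) -> list[Policy]:
    """All policies of the zone that the (partial) path selects."""
    return [p for p in policies if path_matches(pattern, p.path)]


def thresh_mult(policies: list[Policy], pattern: str, factor: float) -> list[str]:
    """Apply 'policy <pattern> thresh-mult <factor>': multiply the threshold,
    the proxy-threshold and every threshold-list entry of each matching policy.
    Returns the paths that were changed."""
    if factor <= 0:
        raise ValueError("factor must be a positive real number")
    factor = round(factor, 4)   # page: a floating point number with 4 decimal places
    changed = []
    for p in select(policies, pattern):
        p.threshold *= factor
        if p.proxy_threshold is not None:
            p.proxy_threshold *= factor
        p.threshold_list = {ip: t * factor for ip, t in p.threshold_list.items()}
        changed.append(p.path)
    return changed


def set_threshold_list(policy: Policy, entries: dict[str, float]) -> None:
    """Apply 'threshold-list ip threshold [ip threshold ...]' (replaces the list)."""
    if len(entries) > MAX_THRESHOLD_LIST:
        raise ValueError(f"at most {MAX_THRESHOLD_LIST} specific IP thresholds per policy")
    policy.threshold_list = dict(entries)


def flows_over_threshold(policy: Policy, rates: dict[str, float]) -> list[str]:
    """For a src_ip or dst_ip policy, return the keys (IP addresses) whose measured
    rate exceeds the threshold that applies to them: the threshold-list entry for
    that address if there is one, otherwise the policy threshold."""
    return sorted(ip for ip, rate in rates.items()
                  if rate > policy.threshold_list.get(ip, policy.threshold))


def sample_zone() -> list[Policy]:
    """Constructed zone with a few policies and the values used on this page."""
    return [
        Policy("dns_tcp/53/analysis/syns/global", 300),
        Policy("dns_tcp/53/analysis/syns/src_ip", 100, threshold_list={"10.10.10.2": 500}),
        Policy("http/80/analysis/syns/src_ip", 200, proxy_threshold=2000,
               threshold_list={"10.10.10.2": 500, "10.10.15.2": 500}),
        Policy("tcp_services/any/analysis/syns/global", 1000),
    ]


if __name__ == "__main__":
    zone = sample_zone()
    print("dns_tcp/ selects", [p.path for p in select(zone, "dns_tcp/")])
    print("halved", thresh_mult(zone, "*/*/*/*/src_ip", 0.5))
    # constructed per-source rates after the multiplication
    print("over threshold", flows_over_threshold(
        zone[2], {"10.10.10.2": 240, "10.10.15.2": 260, "192.0.2.7": 101}))
```

With the constructed zone, `*/*/*/*/src_ip` selects the two src_ip policies and leaves the global ones untouched; after halving, the http policy's threshold is 100, its proxy-threshold 1000 and its two threshold-list entries 250, so a source at 240 pps that has a threshold-list entry stays under its threshold while an unlisted source at 101 pps exceeds the policy threshold.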
Configuring Specific IP Thresholds
You should consider configuring a specific IP threshold in one of the following situations:
• When there is known high-volume traffic from an IP source, you can configure a threshold to apply to the specific IP source address.
• When there is a non-homogenous zone (that is, a zone that has more than a single IP address defined) and there is known high-volume traffic to only part of the zone, you can configure a threshold to apply to the specific IP destination address.
You can configure specific IP thresholds only for the following policies:
• Policies with the destination IP (dst_ip) traffic characteristic.
• Policies with the source IP (src_ip) traffic characteristic whose default policy action is drop. The default policy action is the action that the policy applies when you create a new zone. You can configure the threshold list for such policies even if you later change the policy action.
To configure a specific IP threshold, enter one of the following commands:
• policy policy-path threshold-list ip threshold [ip threshold ...] (in zone configuration mode)
• threshold-list ip threshold [ip threshold ...] (in policy configuration mode)
Table 8-11 provides the arguments for the threshold-list command.
Table 8-11 Arguments for the policy threshold-list Command
policy-path: The policy path of the policies to configure. The path can be a partial path. See the "Using Policy Paths" section and Table 8-2 for more information.
ip: The specific source or destination IP address.
threshold: The threshold traffic rate in pps, except for policies that measure concurrent connections, where the threshold is a number of connections, and syn_by_fin policies, where it is the SYN-to-FIN/RST ratio.
You can add a maximum of 10 specific IP thresholds for each policy. You can enter all specific IP thresholds in a single command.
The Guard module might change the policy thresholds in subsequent threshold tuning phases if the threshold selection method is set to new-thresholds. See the "Configuring the Threshold Selection Method" section for more information.
The following example shows how to set specific IP thresholds for IP addresses 10.10.10.2 and 10.10.15.2 for the policy http/80/analysis/syns/src_ip:
user@GUARD-conf-zone-scannet-policy-/http/80/analysis/syns/src_ip# threshold-list 10.10.10.2 500 10.10.15.2 500
Configuring the Proxy-Threshold
The proxy threshold parameter defines the traffic rate for clients that connect to the zone in HTTP through proxies and enables the Guard module and you to adapt the policy to traffic volumes that come from different sources. The Guard module uses the proxy thresholds to block traffic only, so you can configure them only for policies in the DEFAULT zone template with a strong protection level and for policies in the TCP_NO_PROXY zone template with a basic protection level.
A proxy threshold is available only for the http, http_ns, tcp_connections, and tcp_connections_ns policies. For policies created from the tcp_connections or tcp_connections_ns policy templates, it takes effect only if the zone has active http or http_ns policies.
To configure the proxy-threshold, enter the following command in policy configuration mode:
proxy-threshold proxy-threshold
The proxy-threshold argument specifies the proxy-threshold traffic rate in pps for http and http_ns policies. It specifies the proxy-threshold in the number of connections for tcp_connections and tcp_connections_ns policies.
Because proxy servers typically handle much more traffic than network clients that are part of the zone, we recommend that when you configure a proxy threshold, you configure the proxy-threshold argument with a higher value than the threshold argument.
The following example shows how to set the proxy threshold for the policy tcp_ratio/any/basic/syn_by_fin/dst_ip_ratio to 20:
user@GUARD-conf-zone-scannet-policy-/tcp_ratio/any/basic/syn_by_fin/dst_ip_ratio# proxy-threshold 20
Configuring the Policy Timeout
The timeout parameter defines the minimum time for dynamic filters that are produced by the policy to apply their action.
When the timeout expires, the Guard module runs a procedure to determine whether or not to deactivate the dynamic filters that were produced by the policy. If the Guard module decides not to deactivate the dynamic filters, the filter activation timeout resumes for another time span. To change the criteria for dynamic filter deactivation, use the filter-termination command. See the "Deactivating Dynamic Filters" section for more information.
To configure the policy timeout, enter the following command in policy configuration mode:
timeout {forever | timeout}
Table 8-12 provides the arguments and keywords for the timeout command.
Table 8-12 Arguments and Keywords for the timeout Command
forever: Indefinite time span.
timeout: An integer from 1 to 3,000,000 that specifies the minimum time that the dynamic filters, which are produced by the policy, are active.
To change the timeout of a group of policies simultaneously, use the policy set-timeout command in zone configuration mode.
Configuring the Policy Action
The action parameter defines the type of action the policy takes once its threshold is exceeded. To configure the policy action, enter the following command in policy configuration mode:
action policy-action
Table 8-13 describes the policy actions.
Table 8-13 Policy Action
block-unauthenticated: Adds a filter that blocks traffic that was not authenticated by the anti-spoofing functions, such as an ACK with no prior handshake.
filter/strong: Adds a filter that applies the strong protection level to the traffic flow.
to-user-filters: Adds a filter that directs the traffic to the user filters.
filter/drop: Adds a filter that directs the Guard module to drop the specified traffic.
redirect/zombie: Adds a filter that enhances authentication for all user filters with an action of redirect.
notify: Notifies you when the policy threshold is exceeded.
To change the action of a group of policies simultaneously, use the policy set-action command in zone configuration mode.
Note
Not all actions are valid for all policies. If you modify the policy action to an action that is not valid for the specific policy, the Guard module displays an error message.
The following example shows how to set the action of all policies that relate to dns_tcp:
user@GUARD-conf-zone-scannet# policy dns_tcp/ set-action filter/drop
set action of dns_tcp/ to filter/drop:
Configuring the Policy Interactive Status
The interactive status parameter defines the status that the pending dynamic filters created by the zone policy assume. The interactive status applies only if you enable zone protection and the zone is in interactive protect mode. See "Using Interactive Protect Mode" for more information.
If you have set the interactive status of a recommendation to always-accept or always-ignore, use the interactive-status command to change how the Guard module treats the pending dynamic filters that the policy produces.
For example, if you have set the status of a recommendation to always-accept, the recommendation and its pending dynamic filters are no longer displayed. To review the recommendation again, change the policy interactive status to interactive; to discard the recommendation and the pending dynamic filters it produces, change it to always-ignore.
To configure the policy interactive status, enter the following command in policy configuration mode:
interactive-status {always-ignore | always-accept | interactive}
Table 8-14 provides the keywords for the interactive-status command.
Table 8-14 Keywords for the interactive-status Command
always-accept: Accepts the dynamic filters that the policy produces automatically. The action applies automatically whenever the policy produces new recommendations. The Guard module does not display these recommendations.
always-ignore: Ignores the dynamic filters that the policy produces automatically. The policy does not produce recommendations when its threshold is exceeded. The Guard module does not display these recommendations.
interactive: Waits for you to accept or ignore the dynamic filters that the policy produces. The Guard module displays these dynamic filters as part of the recommendations.
The following example shows how to configure the interactive status of policy dns_tcp/53/analysis/pkts/src_ip to always-accept:
user@GUARD-conf-zone-scannet-policy-/dns_tcp/53/analysis/pkts/src_ip# interactive-status always-accept
Monitoring Policies
You can monitor the policies to see how well they are suited to the zone traffic volume and services.
This section describes the following topics:
• Displaying Policies
• Displaying Policy Statistics
Displaying Policies
You can display the zone policies to verify that the policies constructed for the zone are adapted to the zone traffic characteristics and services. You can configure only policies that appear in this list.
The Guard module displays only current zone policies. If a policy template was disabled during the policy construction phase, the Guard module does not create policies from that policy template, and you do not see these policies when you enter the show policies command.
To view the zone policies, enter the following command in zone configuration mode:
show policies policy-path
The policy-path argument specifies a group of policies. You can use an asterisk (*) as a wildcard character in each policy path section, and if you leave a section empty, the Guard module treats it as a wildcard (*). For example, tcp_services//analysis//global selects every policy created from the tcp_services policy template with the analysis protection level and the global traffic characteristic, for any service and packet type.
To display all policies, enter an asterisk (*) for the policy-path. See the "Using Policy Paths" section for more information.
Table 8-15 provides a description of the fields in the show policies command output.
Displaying Policy Statistics
You can display the rate of the traffic flowing through a zone policy or a group of zone policies. You can determine whether the type of services and volume represent the zone traffic. The Guard module displays the traffic flows forwarded to the zone, with the highest rates as measured by the policies. The rate is calculated based on traffic samples.
To display the policy statistics, enter the following command in zone configuration mode:
show policies policy-path statistics [num-entries]
Table 8-16 provides the arguments for the show policies statistics command.
Table 8-16 Arguments for the show policies statistics Command
policy-path: Specifies a group of policies for which to display statistics. You can use an asterisk (*) as a wildcard character in each policy path section, and if you leave a section empty, the Guard module treats it as a wildcard (*). For example, tcp_services//analysis//global. To display the statistics of all policies, enter an asterisk (*) for the policy-path. See the "Using Policy Paths" section for more information.
num-entries: Specifies the number of entries to display. Enter a number from 1 to 100. The Guard module displays the policies with the highest values.
The Guard module displays the information in three tables. The information in each table is sorted by value, with the highest values appearing at the top.
Table 8-17 describes the fields in the tables of the show policies statistics command output.
Table 8-17 Field Descriptions of the show policies statistics Command Output Tables
Fields in all output tables:
Key: The traffic characteristic that was used to aggregate the policies. For example, in the tcp_services/any/analysis/syns/dst_ip policy, the key is the destination IP address (dst_ip). If the traffic characteristic that was used to aggregate the policies is global, the key displays N/A. See Table 8-7 for more information.
Policy: The policy name. See the "Using Policy Paths" section for more information.
Fields in one of the output tables:
Rate: The rate of the traffic that flows through the policy, measured in pps. The rate is calculated based on traffic samples.
Connection: The number of concurrent connections. This information is available for tcp_connections policies and for the following packet types:
• in_conns—For the strong protection level
• in_nodata_conns—For the analysis protection level
Ratio: The ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available for syn_by_fin policies only.
Note
The Guard module does not display tables that contain no data.
Using Snapshots to Verify the Results of the Learning Process
You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) at any stage during the learning process, and you can review it later. You can compare the learning parameters of two zones or compare two of the zone snapshots to verify the outcome of the learning process and trace differences in policies, services, and thresholds.
We recommend that you save a snapshot every few hours during the learning process. If an attack occurs during the learning process, you can restore the zone policies from a snapshot taken before the attack instead of keeping thresholds that were learned from attack traffic. You can take the snapshot manually or configure the Guard module to automatically take a snapshot at specified intervals. The Guard module saves up to 100 snapshots for each zone; when this limit is reached, new snapshots replace previous ones.
You can copy zone policies from the snapshot to configure the zone according to previous learning results if necessary.
This section provides information on the following topics:
• Creating Snapshots
• Comparing Learning Results
• Displaying Snapshots
• Copying Policies
Creating Snapshots
You can save a single snapshot of the zone learning parameters or configure the Guard module to automatically take a snapshot at specified intervals. The Guard module continues the learning process while the snapshot is taken.
To set the Guard module to automatically take a snapshot at specified intervals, see the "Configuring Periodic Actions" section for more information.
To save a single snapshot of the zone learning parameters, enter the following command in zone configuration mode:
snapshot [threshold-selection {new-thresholds | max-thresholds | cur-thresholds | weighted calc-weight}]
Table 8-18 provides the arguments and keywords for the snapshot command.
Table 8-18 Arguments and Keywords for the snapshot Command
threshold-selection: Sets the method the Guard module uses to calculate the snapshot thresholds. By default, the Guard module uses the zone threshold-selection method that is defined by the learning-params threshold-selection command. The default zone threshold-selection method is max-thresholds.
new-thresholds: Saves the thresholds that resulted from the learning process to the snapshot.
max-thresholds: Compares the current policy threshold to the learned threshold and saves the higher of the two to the snapshot. This is the default method.
weighted calc-weight: Calculates the policy threshold to save as a weighted average of the learned and current thresholds, where calc-weight is the percentage given to the learned value:
threshold = (new-threshold * calc-weight + current-threshold * (100 - calc-weight)) / 100
cur-thresholds: Ignores the new thresholds of the learning process and saves the current policy thresholds to the snapshot. You can use this method for backup purposes.
The snapshot command saves the results of the zone learning process. The results include the zone policies, services, and thresholds. After you have verified the snapshot parameters and compared two snapshots or copied the snapshot parameters to a new zone, you can delete the snapshot.
You can back up the current zone policies at all times by using the snapshot threshold-selection cur-thresholds command.
This example shows how to create a snapshot in which each threshold is the higher of the current policy threshold and the new threshold of the learning process:
user@GUARD-conf-zone-scannet# snapshot threshold-selection max-thresholds
To save a single snapshot in global mode, use the snapshot zone-name [threshold-selection {new-thresholds | max-thresholds | cur-thresholds | weighted calc-weight}] command.
To delete a snapshot, use the no snapshot command.
Comparing Learning Results
You can compare the learning results of two snapshots or two zones to trace differences in policies, services, and thresholds.
This section includes the following topics:
• Comparing Snapshots
• Comparing Zones
Comparing Snapshots
To compare two snapshots, enter the following command in zone configuration mode:
diff snapshots snapshot-id snapshot-id [percent]
Table 8-19 provides the arguments for the diff command.
Table 8-19 Arguments for the diff Command
snapshot-id: ID of a snapshot whose learning parameters are to be compared. To display a list of the zone snapshots, use the show snapshots command.
percent: (Optional) Tracing threshold value. The Guard module traces any policy threshold parameters that differ between the two snapshots by more than this percentage. The default percentage is 100%, where the Guard module traces all differences between the two snapshots.
The following example shows how to display the zone snapshots and then compare snapshots 2 and 3:
user@GUARD-conf-zone-scannet# show snapshots
user@GUARD-conf-zone-scannet# diff snapshots 2 3
To compare snapshots in global mode, use the diff zone-name snapshots snapshot-id snapshot-id [percent] command.
Comparing Zones
To compare the learning parameters of two zones, enter the following command in global mode or in configuration mode:
diff zone-name zone-name [percent]
Table 8-20 provides the arguments for the diff command.
Table 8-20 Arguments for the diff Command
zone-name: The names of the two zones whose learning parameters are to be compared.
percent: (Optional) Tracing threshold value. The Guard module traces any policy threshold parameters that differ between the two zones by more than this percentage. The default percentage is 100%, where the Guard module traces all differences between the two zones.
The following example shows how to compare the learning parameters of two zones:
user@GUARD# diff scannet scannet-mailserver
Displaying Snapshots
You can display a list of the zone snapshots or the snapshot parameters to get a comprehensive view of the zone learning results.
To display the zone snapshots, enter the following command:
show snapshots [snapshot-id [policies policy-path]]
Table 8-21 provides the arguments and keywords for the show snapshots command.
Table 8-21 Arguments and Keywords for the show snapshots Command
snapshots: Displays the zone snapshots. If you do not specify a snapshot ID, the Guard module displays a list of all zone snapshots.
snapshot-id: The ID of the snapshot whose learning parameters are to be displayed. If you do not specify policies, the Guard module displays all the learning parameters of that snapshot. To view the snapshot ID, use the show snapshots command.
policy-path: Specifies a group of policies to display. See the "Using Policy Paths" section for more information.
To display snapshots in global mode, use the show zone zone-name snapshots [snapshot-id [policies policy-path]] command.
The following example shows how to display a list of the zone snapshots, and then display the policies that relate to dns_tcp of snapshot 2:
user@GUARD-conf-zone-scannet# show snapshots
user@GUARD-conf-zone-scannet# show snapshots 2 policies dns_tcp
The fields of the show zone zone-name snapshots snapshot-id policies policy-path command output are identical to the fields in the output of the show policies command. See the "Displaying Policies" section for more information.
Table 8-22 describes the fields in the show snapshots command output.
Table 8-22 Field Descriptions for show snapshots Command Output
ID: The snapshot ID.
Time: The date and time the snapshot was taken.
Copying Policies
You can copy a complete policy configuration or a partial configuration to the current zone.
You can copy the following information:
• Copy services—You can copy services from a source zone to the zone, which allows you to configure the zone policies without applying the policy construction phase to discover these services. Before you copy services to the zone, verify that the zones have similar traffic patterns.
• Copy policy parameters—You can replace the zone policy parameters with the policy parameters of one of the zone snapshots, which allows you to revert to prior learning results. The Guard module copies parameters of existing policies only.
To copy the zone policies, enter the following command in zone configuration mode:
copy-policies {snapshot-id | src-zone-name [service-path]}
Table 8-23 provides the arguments and keywords for the copy-policies command.
Table 8-23 Arguments and Keywords for the copy-policies Command
snapshot-id: The ID of the snapshot whose policies are copied. To view the snapshot ID, use the show snapshots command.
src-zone-name: The name of the zone whose service policies are copied.
service-path: The service to be copied. A service path can have one of the following formats:
• policy-template—Copies all policies that relate to the policy template.
• policy-template/service-num—Copies all policies that relate to the policy template and the specified service.
The default is to copy all policies and services.
The following example shows how to copy all services that relate to the policy template tcp_connections from the zone webnet to the current zone, scannet:
user@GUARD-conf-zone-scannet# copy-policies webnet tcp_connections/
The following example shows how to display a list of the zone snapshots and then copy the policies from the snapshot with ID 2:
user@GUARD-conf-zone-scannet# show snapshots
user@GUARD-conf-zone-scannet# copy-policies 2
Backing Up Policy Configuration
You can back up the current zone policies at all times by using the snapshot threshold-selection cur-thresholds command.
The following example shows how to create a snapshot to back up the current policy configuration:
user@GUARD-conf-zone-scannet# snapshot threshold-selection cur-thresholds