Cisco Anomaly Guard Module Web-Based Manager Configuration Guide (Software Version 5.0)
Activating Zone Protection


Activating Zone Protection


You can activate zone protection on the Cisco Anomaly Guard Module in one of two ways:

Automatically, using an external triggering device, such as a Cisco Traffic Anomaly Detector Module

Manually, using the Guard module CLI or the WBM

Depending on how you configured the zone, the Guard module activates zone protection based on the zone name or the information it extracts from the traffic you divert to it. The following protection activation methods are available:

Zone name—The Guard activates zone protection based on the zone name.

IP address—The Guard activates zone protection when it receives an external indication that consists of an IP address or subnet that is part of the zone.

Packet—The Guard activates zone protection when it receives packets for a zone in its database.

IP Address or Packet—The Guard module activates zone protection when it receives traffic (packet) that is destined to the zone or when it receives an external indication that consists of an IP address or subnet that is part of the zone address range.

For more details on the protection activation methods, refer to the "Protection Activation Methods" section in "Creating and Configuring Zones."

When zone protection is activated, the Guard module applies the zone policies to the traffic flow. When a traffic anomaly triggers a policy action by exceeding the policy threshold (indicating an attack), the Guard module begins producing Dynamic filters to manage the attack. The Guard module determines the attack is over when it no longer needs to produce Dynamic filters for the traffic.

This chapter describes how to use the WBM to activate and manage zone protection on the Guard module.

This chapter includes the following sections:

Zone Protection Options

Managing Zone Protection

Managing Dynamic Filters

Changing Zone Operation Modes

Zone Protection Options

The Guard module provides you with several options for performing zone protection. For example, you can let the Guard module manage all aspects of the zone protection operation or you can monitor and direct the Guard module during an attack.

This section contains the following zone protection information:

On-Demand Protection

Protect, Protect and Learn

Automatic and Interactive Zone Operation Modes

On-Demand Protection

On-demand protection is the type of protection the Guard module provides as soon as you define a zone. The zone template that you select to begin the zone definition process includes a set of predefined policies and User filters for on-demand protection. Use on-demand protection for zone protection under the following circumstances:

You do not have time to let the Guard module perform the learning process

An attack occurs on a zone during the learning process

The default thresholds of the zone template policies are set to values that enable the Guard module anti-spoofing features to activate quickly when the Guard module identifies a traffic anomaly. Because the Guard module never learns the zone traffic when using on-demand protection, the Guard module has no specific knowledge of the zone traffic patterns. This means that the thresholds used to block (drop) traffic from source IP addresses are set to relatively high values. Because the Guard module lacks specific knowledge of zone traffic, on-demand protection requires user intervention when mitigating non-spoofed attacks. During an attack on a zone in which you use on-demand protection, monitor the zone legitimate and malicious traffic rates and view the Guard module mitigation actions.

When you allow the Guard module to learn the zone traffic, the Guard module replaces the zone configuration policies used for on-demand protection with policies it creates specifically for the zone.

Protect, Protect and Learn

When you manually activate zone protection using the WBM, the Guard module provides you with the following zone protection options:

Protect—The Guard module analyzes the zone traffic and begins producing Dynamic filters when it detects a traffic anomaly.

Protect and Learn—The Guard module analyzes zone traffic for traffic anomalies and at the same time begins the threshold tuning phase of the learning process. While analyzing the traffic for the threshold tuning phase, the Guard module automatically adjusts the policy thresholds of the zone configuration with new threshold information. If the Guard module detects an attack while analyzing the traffic, it suspends the threshold tuning phase while it manages the attack. When the attack on the zone ends, the Guard module resumes the threshold tuning phase along with zone protection.

Automatic and Interactive Zone Operation Modes

During an attack, the Guard module operates in one of two operation modes and either automatically activates the Dynamic filters it creates, or waits for you to decide whether or not to activate the Dynamic filters. When you define the zone configuration, you configure the zone operation mode by selecting one of the following settings:

Automatic operation mode—The Guard module automatically activates the Dynamic filters it creates without any user intervention.

Interactive operation mode—You choose to activate or ignore the Dynamic filters that the Guard module recommends. Using the interactive zone operation mode, the Guard module enables you to decide on zone protection measures as it continues to analyze the attack and queue suggested Dynamic filters.

You can change the zone operation mode setting of a zone configuration at any time.

Managing Zone Protection

The procedures in this section describe how to manually activate and deactivate zone protection. This section also contains information that enables you to verify traffic diversion and protection after zone protection has been activated.

This section contains the following procedures:

Activating Zone Protection

Activating On-Demand Protection

Verifying Zone Traffic Diversion and Protection

Deactivating Zone Protection

Activating Zone Protection

To activate zone protection:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to activate zone protection:

From the zone status screen, click Protect & Learn or Protect.

From the zone main menu, choose Protection > Protect.

The following actions occur:

The Guard module diverts zone traffic to itself and begins analyzing the traffic flow for anomalies. Legitimate traffic is injected back into the network where it is forwarded to its intended destination. Malicious traffic is filtered by the Guard module and dropped.

The zone name is added to the Protected Zones listing in the navigation pane.

The zone status icon changes from Standby to Protection.

The Recent Events table lists an event type of protection-start with a detail listing of Zone is protected.


Activating On-Demand Protection

On-demand protection allows you to protect a zone before the Guard module can learn the zone-specific traffic patterns and make the necessary modifications to the zone configuration. When using on-demand protection, you create a new zone specifically to handle an attack using the default configuration values of the zone template you select. You may require on-demand protection for a zone if one of the following conditions applies:

The Guard module is currently performing the learning process, either policy construction or threshold tuning

The Guard is in Protect and Learn mode but has not yet learned the zone traffic characteristics

You have accepted policy thresholds that you think no longer represent the zone traffic

To activate on-demand protection:


Step 1 Create a new zone to handle the attack (see the "Creating a Zone from a Zone Template" section in "Creating and Configuring Zones").

Step 2 Select the zone you just created from the navigation pane. The zone main menu and the zone status screen appear.

Step 3 Use one of the following methods to activate zone protection:

From the zone status screen, click Protect.

From the zone main menu, choose Protection > Protect.

The following actions occur:

The Guard module diverts zone traffic to itself and begins analyzing the traffic flow for anomalies. Legitimate traffic is injected back into the network where it is forwarded to its intended destination. Malicious traffic is filtered by the Guard module and dropped.

The zone name is added to the Protected Zones listing in the navigation pane.

The zone status icon changes from Standby to Protection.

The Recent Events table lists an event type of protection-start with a detail listing of Zone is protected.

Step 4 Analyze the zone traffic patterns (see the "Viewing the Zone Counters" section in "Monitoring Guard Module and Zone Operations").


Verifying Zone Traffic Diversion and Protection

From the zone status screen, you can view the traffic counters to verify that the zone traffic has been successfully diverted to the Guard module and the protection process is functioning properly.

Click on a zone from the navigation pane to display the zone status screen. Traffic diversion is functioning if the following items display in the zone status screen:

The Traffic Rate table shows a Legitimate traffic rate greater than zero.

The Recent Events table lists an event type of protection-start with a detail listing of Zone is protected.

If the malicious traffic rate is greater than zero, this is an indication that an attack is in progress. To verify that zone protection is functioning properly while an attack is in progress, check the following items in the zone status screen:

The Zone Status table shows the number of active Dynamic filters as greater than zero.

The Traffic Rate table shows the legitimate traffic rate as greater than zero.

When there is no attack on the zone and no indications of suspicious traffic, the Guard module considers all diverted traffic as legitimate traffic and forwards the traffic to the zone. The Legitimate traffic counter would then be equal to the Received traffic counter. See "Monitoring Guard Module and Zone Operations" for details on viewing the Received traffic counter and using other Guard module diagnostics tools.

Deactivating Zone Protection

When there is no attack on a zone and you rely on another source for detecting zone anomalies, you may want to deactivate zone protection and end traffic diversion to the Guard module.

To deactivate zone protection:


Step 1 Select a protected zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 From the zone status and attack reports screens, verify the zone is not currently being attacked before deactivating zone protection.

Step 3 Use one of the following methods to deactivate zone protection:

From the zone status screen, click Deactivate.

From the zone main menu, choose Protection > Deactivate.

The following actions occur:

The Guard module stops diverting zone traffic to itself.

The zone name is removed from the Protected Zones listing in the navigation pane.

The zone status icon changes from Protection to Standby.

The Recent Events table lists an event type of protection-stop with a detail listing of Zone is not protected.


Managing Dynamic Filters

The Guard module creates Dynamic filters only after you activate zone protection and the Guard module detects a traffic anomaly. Thus, you can only view and manage Dynamic filters when an attack is taking place on the protected zone.

Dynamic filters have a limited life span. Once the Dynamic filter timeout expires, the Guard module determines whether or not the Dynamic filter should be deactivated. If the Guard module decides not to deactivate the Dynamic filter, the activation timeout of the filter resumes for another time span. The Guard module will deactivate the Dynamic filter if one of the following conditions applies:

The total zone malicious traffic rate (equaling the sum of the spoofed and dropped traffic) is less than or equal to the malicious-rate termination threshold.

The Dynamic filter does not have an action of to-user-filters (the filter rate counter does not display N/A) and the Filter-rate termination threshold is equal to or greater than both of the following values:

The Dynamic filter current traffic rate

The Dynamic filter average traffic rate during a user-configured time span
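The timeout and termination criteria above can be followed step by step in a small model. This is an added example, not Cisco code: the class, function and parameter names, the threshold values and the rate samples are all constructed for illustration, and the average is a simple mean over the samples in the configured time span.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TO_USER_FILTERS = "to-user-filters"  # filter rate counter shows N/A for this action


@dataclass
class DynamicFilter:
    action: str
    timeout_s: int                      # activation timeout, in seconds
    activated_at: int                   # seconds on the constructed timeline
    samples: List[Tuple[int, float]] = field(default_factory=list)  # (time, pps)
    active: bool = True
    expires_at: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.expires_at = self.activated_at + self.timeout_s

    def current_rate(self) -> Optional[float]:
        if self.action == TO_USER_FILTERS or not self.samples:
            return None                 # N/A: no per-filter rate to compare
        return self.samples[-1][1]

    def average_rate(self, now: int, span_s: int) -> Optional[float]:
        if self.action == TO_USER_FILTERS:
            return None
        window = [pps for t, pps in self.samples if now - span_s <= t <= now]
        return sum(window) / len(window) if window else None


def termination_reason(f: DynamicFilter, now: int, spoofed_pps: float,
                       dropped_pps: float, malicious_thr: float,
                       filter_thr: float, avg_span_s: int) -> Optional[str]:
    """Return which criterion ends the filter, or None if it must stay."""
    # Criterion 1: total zone malicious rate = spoofed + dropped traffic.
    if spoofed_pps + dropped_pps <= malicious_thr:
        return "zone-malicious-rate"
    # Criterion 2: applies only when the filter has a measurable rate, and the
    # threshold must cover BOTH the current and the averaged rate.
    cur, avg = f.current_rate(), f.average_rate(now, avg_span_s)
    if cur is not None and avg is not None and filter_thr >= cur and filter_thr >= avg:
        return "filter-rate"
    return None


def on_timeout(f: DynamicFilter, now: int, **zone) -> str:
    """Evaluate a filter at time `now`; renew its timeout if it is still needed."""
    if not f.active:
        return "inactive"
    if now < f.expires_at:
        return "running"
    reason = termination_reason(f, now, **zone)
    if reason:
        f.active = False
        return "deactivated:" + reason
    f.expires_at = now + f.timeout_s    # timeout resumes for another time span
    return "renewed"


def run_demo() -> List[str]:
    # Constructed thresholds and samples, for illustration only.
    thr = dict(malicious_thr=100.0, filter_thr=50.0, avg_span_s=600)
    out = []

    drop = DynamicFilter("filter/drop", timeout_s=600, activated_at=0)
    drop.samples += [(300, 5000.0), (600, 4000.0)]
    out.append(on_timeout(drop, 600, spoofed_pps=2000, dropped_pps=4000, **thr))
    # Current rate is now low, but the burst at t=600 is still in the window.
    drop.samples += [(900, 40.0), (1200, 10.0)]
    out.append(on_timeout(drop, 1200, spoofed_pps=300, dropped_pps=10, **thr))
    # Both current and average are below the filter-rate threshold.
    drop.samples += [(1500, 5.0), (1800, 0.0)]
    out.append(on_timeout(drop, 1800, spoofed_pps=200, dropped_pps=0, **thr))

    # A to-user-filters filter has no rate, so only the zone criterion applies.
    fwd = DynamicFilter(TO_USER_FILTERS, timeout_s=600, activated_at=0)
    out.append(on_timeout(fwd, 600, spoofed_pps=500, dropped_pps=0, **thr))
    out.append(on_timeout(fwd, 1200, spoofed_pps=80, dropped_pps=0, **thr))
    return out


if __name__ == "__main__":
    print(run_demo())
```

The second evaluation shows why a filter can outlive a quiet current rate: the averaged rate over the time span still exceeds the threshold, so the timeout is renewed.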

To manually control zone protection during an attack, you can add or delete a Dynamic filter during an attack. The Guard module removes all Dynamic filters when the attack ends.

This section contains the following procedures:

Viewing the Dynamic Filters List

Viewing the Dynamic Filter Details

Adding a Dynamic Filter

Deleting a Dynamic Filter

Preventing the Creation of Unwanted Dynamic Filters

Viewing the Dynamic Filters List

To view the list of Dynamic filters:


Step 1 Select a protected zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to view the list of Dynamic filters:

From the zone main menu, choose Protection > Dynamic filters.

From the zone status table on the zone status page, click Active dynamic filters.

The Dynamic filters screen appears.


The Dynamic filters table displays the Dynamic filters according to the policy that created them and provides information about the ongoing attack. Table 9-1 describes the information displayed in the Dynamic filters table.

Table 9-1 Field Descriptions for Dynamic Filters Table 

Field
Description

Created by

Policy that created the filter. Click on the policy name to display the Policy details.

Activation

Date and time the filter was activated.

Expiration

Filter expiration time. Once the filter expires, the Guard module decides whether or not to deactivate the Dynamic filter according to the Dynamic filter termination criteria. If the Guard module still requires the Dynamic filter, the Dynamic filter remains active for another time period.

Src IP

Source IP address on which the Dynamic filter is applied.

Protocol

Protocol number on which the Dynamic filter is applied.

Dst Port

Destination port on which the Dynamic filter is applied.

Fragments

Indicates whether the attack stream contains fragmented packets.

Action

Action taken by the filter. The following actions apply for the Dynamic filters:

to-user-filters—Forwards the traffic to the User filters. If you have modified the default User filters, you must make sure that there is a User filter to handle these Dynamic filters.

filter/strong—Applies Strong protection anti-spoofing mechanisms to the specific traffic.

filter/drop—Drops the traffic.

block-unauthenticated-basic—Enhances the Basic anti-spoofing mechanisms so that they drop traffic flows that have not been authenticated.

block-unauthenticated-strong—Enhances the Strong anti-spoofing mechanisms so that they drop traffic flows that have not been authenticated.

block-unauthenticated-dns—Drops traffic flows destined for DNS UDP servers (protocol=UDP, port=53) that the DNS anti-spoofing mechanisms defined as unauthenticated.

redirect/zombie—The policy enhances authentication for all User filters with an action of basic/redirect.

Rate (pps)

Approximate attack rate in packets-per-second.

Details

Indicates whether additional information can be viewed for this filter. Click i for additional information.


A value of * for any of the parameters indicates one of the following conditions:

The value is undetermined.

More than one value was measured for the filter parameter.

See the "Viewing the Dynamic Filter Details" section for information on viewing the details of a specific Dynamic filter.

Viewing the Dynamic Filter Details

To display detailed information for a specific Dynamic filter:


Step 1 Select a protected zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to view the list of Dynamic filters:

From the zone main menu, choose Protection > Dynamic filters.

From the zone status table on the zone status page, click Active dynamic filters (this link is only active when there are active Dynamic filters).

The Dynamic filters screen appears.

Step 3 Click i in the Details column of the desired Dynamic filter. The Dynamic filter details screen appears.


The Dynamic filter details screen includes three tables that describe the following attack information:

The policy that created the filter.

The attack that was mitigated. The mitigated flow can have a wider range than the detected attack flow. For example, a non-spoofed attack on port 80 blocks all TCP traffic from the originating source IP and not only port 80.

The trigger that created the filter. Table 9-2 describes the trigger parameters.

Table 9-2 Field Descriptions for Triggers  

Field
Description

Policy Threshold

The policy threshold that the attack traffic exceeded.

Triggering rate

The approximate attack rate that triggered the production of the filter.


Adding a Dynamic Filter

During an attack on the zone, you can add a Dynamic filter to manipulate zone protection.

To add a Dynamic filter:


Step 1 Select a protected zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to view the list of Dynamic filters:

From the zone main menu, choose Protection > Dynamic filters.

From the zone status table on the zone status page, click Active dynamic filters.

The Dynamic filters screen appears.

Step 3 Click Add. The Add Dynamic Filter screen appears.

Define the Dynamic filter parameters as described in Table 9-3.

Table 9-3 Field Descriptions for Dynamic Filters  

Field
Description

Source IP

Directs traffic from a specific IP address to the Dynamic filter. Leave blank or enter * for any.

Source Subnet

Directs traffic from a specific subnet to the Dynamic filter. Choose the subnet from the Source Subnet drop-down list.

Protocol

Directs traffic from a specific protocol to the Dynamic filter. The protocol is denoted by its protocol number. Leave blank or enter * for any.

Dst Port

Directs traffic destined for a specific port to the Dynamic filter. Leave blank or enter * for any.

Fragments

Denotes a specific traffic type for the filter to operate on. Choose the desired traffic type from the Fragments drop-down list:

without—The Dynamic filter acts on non-fragmented traffic.

with—The Dynamic filter acts on fragmented traffic.

*—The Dynamic filter acts on fragmented and non-fragmented traffic.

Action

Action the filter performs on the specific traffic type. Choose the filter action from the Action drop-down list:

to-user-filters—Forwards the specific traffic to the user-configured User filters.

filter/strong—Applies the Strong protection level to the specified traffic.

filter/drop—Drops the traffic.

block-unauthenticated-basic—Drops unauthenticated traffic flows that the Basic protection level has not authenticated.

block-unauthenticated-strong—Drops unauthenticated traffic flows that the Strong protection level has not authenticated.

block-unauthenticated-dns—Drops traffic flows to DNS servers when the DNS anti-spoofing feature has not authenticated the flows.

redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.

Timeout (Sec)

The minimum time that the filter is active. Choose one of the following options:

Click the Forever check box for an infinite amount of time.

Check the seconds check box and enter the amount of time in seconds.


Step 4 Choose one of the following options:

OK—Saves the Dynamic filter information. The Guard module activates the new Dynamic filter.

Cancel—Exits the Add Dynamic filter screen without saving any information. The Dynamic Filters screen appears.


Deleting a Dynamic Filter

You can delete a Dynamic filter to prevent the Guard module from applying the Dynamic filter action on the traffic flow. Deleting a Dynamic filter is only effective for a limited period of time as the Guard continues to configure new Dynamic filters when there are changes in the attack traffic flow. To prevent the Guard module from producing unwanted Dynamic filters, refer to the "Preventing the Creation of Unwanted Dynamic Filters" section.

To delete a Dynamic filter:


Step 1 Select a protected zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to view the Dynamic filters:

From the zone main menu, choose Protection > Dynamic filters.

From the zone status table on the zone status screen, click Active dynamic filters.

The Dynamic filters screen appears.

Step 3 Click the check box next to the desired Dynamic filter to delete.

Step 4 Click Delete. The Guard module removes the Dynamic filter.


Preventing the Creation of Unwanted Dynamic Filters

If the Guard module is applying Dynamic filters to traffic that you want to forward to the zone, you can prevent the Guard module from producing unwanted Dynamic filters by performing one of the following actions:

Deactivate the policy that produces them (see the "Modifying Policy Parameters" section in "Managing Zone Policies"). To view the list of Dynamic filters and find out which policy produced the unwanted Dynamic filters, refer to the "Viewing the Dynamic Filters List" section.

Configure a Bypass filter for the desired traffic flow (see the "Managing Bypass Filters" section in "Configuring Zone Filters").

Increase the threshold of the policy that produced the undesired Dynamic filter (see the "Modifying Policy Parameters" section in "Managing Zone Policies").

Managing Guard Module Recommendations for Dynamic Filters

When you perform zone protection in interactive operation mode, the Guard module creates a queue of the Dynamic filters it creates during an attack. The queued Dynamic filters are known as pending Dynamic filters. The Guard module groups the pending Dynamic filters according to the policies that produced them and presents them to you as Guard module recommendations. You can choose to act on a Guard module recommendation (including all of the pending Dynamic filters associated with it) or you can act on each pending Dynamic filter separately.

This section contains the following procedures:

Viewing Guard Module Recommendations

Viewing and Acting on Guard Module Recommendations

Viewing the Pending Dynamic Filters of a Recommendation

Viewing Pending Dynamic Filter Details

Accepting a Pending Dynamic Filter

Viewing Guard Module Recommendations

The Guard module displays the Guard module recommendations icon when new recommendations are available. This icon appears in the following locations:

The navigation pane, next to the zone icon in the All Zones list

The navigation pane, next to the zone icon in the Protected Zones list

The zone status page, in the zone status bar

The zone list table

When the Guard module has new recommendations, the number of pending Dynamic filters the zone status screen displays is greater than zero.

To view the list of Guard module recommendations:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Protection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.


Table 9-4 describes the fields in the Recommendations table.

Table 9-4 Field Descriptions for Recommendations Table 

Field
Description

ID

Identification number the Guard module assigned to the recommendation.

Recommendation

Action the Guard module recommends.

Created By

Policy that created the filter. Click on the policy name to view the policy details.

# of PFs

Number of pending Dynamic filters that constitute the recommendation. Each pending filter was created as a result of traffic flow that exceeded the policy threshold. Click on the number to view the pending Dynamic filters associated with the recommendation.

Attack flow

Attack flow information. The following information is provided:

Src IP—Source IP address of the attack stream

Protocol—Protocol number of the attack stream

Dst Port—Destination port of the attack stream

Dst IP—Destination IP address of the attack stream

Thr.

Policy threshold that the attack flow exceeded.

Min.

Minimum attack rate. The rate of the lowest pending Dynamic filter is displayed for recommendations that include several pending filters.

Max.

Maximum attack rate. The rate of the highest pending Dynamic filter is displayed for recommendations that include several pending filters.

Creation

Date and time the recommendation was created.


A value of * for any of the parameters indicates one of the following conditions:

The Guard module is unable to determine the value.

The Guard module measured more than one value for the filter parameter. To display the different values, view the complete list of pending Dynamic filters.

Viewing and Acting on Guard Module Recommendations

To view and act on the Guard module recommendations:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Protection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 In the Filters timeout box, enter the timeout value (in seconds) for the filter.

Step 4 Click the check box next to the desired recommendations.

Step 5 Select the required action:

accept—Accept the specific recommendation. The Guard module activates the pending Dynamic filters associated with the recommendation.

always-accept—Always accept the specific recommendation. During the current attack period, the Guard module automatically accepts the recommendations of the policy that produced the recommendation. The Guard module does not display always-accept recommendations.

always-ignore—Always ignore the specific recommendation. During the current attack period, the Guard module automatically ignores the recommendations of the policy that produced the recommendation. To prevent a policy from producing recommendations in future attacks, disable or deactivate the policy (see the "Modifying Policy Parameters" section in "Managing Zone Policies").

You can change an always-ignore decision made on a specific recommendation by changing the interactive-status of the policy that created the pending Dynamic filters of the recommendation.


If necessary, you can selectively accept pending Dynamic filters instead of accepting all the Dynamic filters associated with a recommendation. See the "Viewing the Pending Dynamic Filters of a Recommendation" section for further details.
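The way pending Dynamic filters roll up into the Recommendations table, and what accept, always-accept and always-ignore do to the queue during one attack period, can be modeled as follows. This is an added example, not Cisco code: the class and function names, the policy names (policy-A, policy-B), the addresses and the rates are constructed, and the model assumes every pending filter of a policy shares that policy's threshold.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PendingFilter:
    policy: str        # "Created By"
    action: str        # recommended action
    src_ip: str
    protocol: str
    dst_port: str
    threshold: float   # policy threshold the flow exceeded ("Thr.")
    rate_pps: float    # triggering rate


def collapse(values: Iterable[str]) -> str:
    """One value if all pending filters agree, otherwise '*' as in the table."""
    distinct = set(values)
    return next(iter(distinct)) if len(distinct) == 1 else "*"


def build_recommendations(pending: List[PendingFilter]) -> List[dict]:
    """Group pending filters by the policy that produced them."""
    by_policy: Dict[str, List[PendingFilter]] = defaultdict(list)
    for pf in pending:
        by_policy[pf.policy].append(pf)
    recs = []
    for rec_id, (policy, pfs) in enumerate(by_policy.items(), start=1):
        recs.append({
            "id": rec_id,
            "created_by": policy,
            "recommendation": collapse(pf.action for pf in pfs),
            "n_pfs": len(pfs),
            "src_ip": collapse(pf.src_ip for pf in pfs),
            "protocol": collapse(pf.protocol for pf in pfs),
            "dst_port": collapse(pf.dst_port for pf in pfs),
            "thr": pfs[0].threshold,
            "min": min(pf.rate_pps for pf in pfs),   # lowest pending filter
            "max": max(pf.rate_pps for pf in pfs),   # highest pending filter
        })
    return recs


class InteractiveZone:
    """Queue of pending filters for one zone during one attack period."""

    DECISIONS = ("accept", "always-accept", "always-ignore")

    def __init__(self) -> None:
        self.pending: List[PendingFilter] = []
        self.active: List[PendingFilter] = []
        self.policy_mode: Dict[str, str] = {}  # standing decision per policy

    def offer(self, pf: PendingFilter) -> None:
        """A policy produced a new filter: queue it or apply a standing decision."""
        mode = self.policy_mode.get(pf.policy)
        if mode == "always-accept":
            self.active.append(pf)      # activated without being displayed
        elif mode != "always-ignore":
            self.pending.append(pf)     # waits for the operator

    def decide(self, policy: str, decision: str) -> None:
        if decision not in self.DECISIONS:
            raise ValueError(f"unknown decision: {decision}")
        mine = [pf for pf in self.pending if pf.policy == policy]
        self.pending = [pf for pf in self.pending if pf.policy != policy]
        if decision in ("accept", "always-accept"):
            self.active.extend(mine)
        if decision != "accept":
            self.policy_mode[policy] = decision  # lasts for this attack period


def run_triage_demo() -> Tuple[List[dict], InteractiveZone]:
    zone = InteractiveZone()
    for pf in (  # constructed pending filters, documentation address range
        PendingFilter("policy-A", "filter/drop", "192.0.2.10", "6", "80", 100.0, 850.0),
        PendingFilter("policy-A", "filter/drop", "192.0.2.11", "6", "80", 100.0, 1200.0),
        PendingFilter("policy-B", "filter/strong", "*", "17", "53", 500.0, 3000.0),
    ):
        zone.offer(pf)
    recs = build_recommendations(zone.pending)
    zone.decide("policy-A", "always-accept")
    zone.offer(PendingFilter("policy-A", "filter/drop", "192.0.2.12", "6", "80", 100.0, 400.0))
    zone.decide("policy-B", "always-ignore")
    zone.offer(PendingFilter("policy-B", "filter/strong", "*", "17", "53", 500.0, 900.0))
    return recs, zone


if __name__ == "__main__":
    for rec in run_triage_demo()[0]:
        print(rec)
```

The policy-A row shows * for Src IP because its two pending filters carry different sources; opening the pending filter list is the only way to see both values before accepting.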

Viewing the Pending Dynamic Filters of a Recommendation

To view the pending Dynamic filters associated with a Guard module recommendation:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Protection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending dynamic filters screen appears.


Table 9-5 describes the fields in the pending dynamic filters table.

Table 9-5 Field Descriptions for Pending Dynamic Filters

Field
Description

Created by

Policy that created the filter. Click on the policy name to display the Policy details. See "Managing Zone Policies" for further details.

Activation

Date and time the filter was created.

Src IP

Source IP address of the attack stream.

Protocol

Protocol number of the attack stream.

Dst Port

Destination port of the attack stream.

Fragments

Indicates whether or not the attack stream contains fragmented packets.

Action

Action taken by the filter.

Recent rate

Current attack rate measured by the filter.

Rate (pps)

Triggering rate. The approximate attack rate that triggered the production of the dynamic filter.

Details

Indicates whether or not additional information is available for this filter. Click i for additional information.

A value of * for any of the parameters indicates one of the following conditions:

The value is undetermined.

More than one value was measured for the filter parameter.

The Guard module activates the Dynamic filters produced by the policies for at least a user-defined time span (filter timeout).

Viewing Pending Dynamic Filter Details

To display the detailed information of a Dynamic filter:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Protection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending dynamic filters screen appears.

Step 4 Click i in the details column of the desired pending Dynamic filter. The Filter details screen appears.


The pending Dynamic filter details screen includes three tables that provide the following information:

Policy that created the filter.

Attack flow.

Trigger for the filter creation. This table displays the policy threshold that the attack traffic exceeded and the approximate attack rate that triggered the production of the filter.

Accepting a Pending Dynamic Filter

To selectively accept a pending Dynamic filter:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Protection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending dynamic filters screen appears.

Step 4 In the Filters timeout box, enter the Dynamic filter timeout value in seconds.

Step 5 Check the check box next to the desired pending Dynamic filter or filters to activate.

Step 6 Click Accept. The Guard module activates the selected pending Dynamic filters.


Changing Zone Operation Modes

The operation mode in which the Guard module operates when managing an attack on the zone determines how the Dynamic filters are activated during the attack. You can configure the Guard module to operate in either of the following operation modes:

Automatic operation mode—The Guard module activates all Dynamic filters as it creates them.

Interactive operation mode—You are required to act on the Dynamic filter recommendations that the Guard module produces during an attack. You can activate or ignore a Guard module recommendation.

You configure the zone operation mode as part of the zone configuration and can change the zone operation mode setting at any time, including when the Guard module is managing an attack on the zone.

This section contains the following information:

Changing the Zone Operation Mode to Automatic

Changing the Zone Operation Mode to Interactive

Taking Action When the Number of Pending Dynamic Filters Exceeds 1000

Changing the Zone Operation Mode to Automatic

To change the operation mode setting of a zone from interactive to automatic:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Choose Configuration > General from the zone main menu. The General screen appears.

Step 3 Click Config. The Config screen appears.

Step 4 From the Operation Mode parameter drop-down list, select automatic.

Step 5 Click OK. The Guard module updates the zone configuration with the new zone operation mode setting. If zone protection is currently active, the Guard module automatically activates all pending and new Dynamic filters.


Changing the Zone Operation Mode to Interactive

To change the operation mode setting of a zone from automatic to interactive:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Choose Configuration > General from the zone main menu. The General screen appears.

Step 3 Click Config. The Config screen appears.

Step 4 From the Operation Mode parameter drop-down list, select interactive.

Step 5 Click OK. The Guard module updates the zone configuration with the new zone operation mode setting. If zone protection is currently active, the Guard module produces recommendations when an attack is detected.


Taking Action When the Number of Pending Dynamic Filters Exceeds 1000

When the number of pending Dynamic filters displayed on the zone status screen exceeds 1000, the Guard module begins to discard any new recommendations after recording the recommendation information to the log file. We recommend that you change the zone operation mode to automatic when the number of pending Dynamic filters exceeds 1000. When operating in automatic operation mode, the Guard module activates all Dynamic filters as it creates them.


Note When the number of pending Dynamic filters exceeds 1000 filters, you must first deactivate zone protection before making the recommended change to the operation mode. This is the only time you are required to deactivate zone protection before changing the zone operation mode.


To change the zone operation mode to automatic when the number of pending Dynamic filters exceeds 1000 filters:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Click Deactivate. The Guard module stops zone protection and deletes all pending Dynamic filters.

Step 3 Choose Configuration > General from the zone main menu. The General screen appears.

Step 4 Click Config. The Config screen appears.

Step 5 From the Operation Mode parameter drop-down list, select automatic.

Step 6 Click OK. The Guard module updates the zone configuration with the new operation mode setting.

Step 7 Click Protect. The Guard module begins zone protection and activates all Dynamic filters as it creates them.
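
The following Python model is an added illustration, not Cisco code: it walks through the operation-mode rules and the 1000-filter overflow procedure described above to show which filters survive it. The ZoneModel class and all names in it are hypothetical, the filter names are constructed, and refusing the mode change with an error is an assumption that stands in for the "deactivate first" requirement.

```python
PENDING_LIMIT = 1000  # threshold stated in the guide

class ZoneModel:
    """Toy model of one zone's Dynamic filter handling (hypothetical)."""

    def __init__(self, mode="interactive"):
        self.mode = mode
        self.protecting = False
        self.pending = []   # filters waiting for a user decision
        self.active = []    # filters applied to zone traffic
        self.log = []       # recommendations recorded, then discarded

    def protect(self):
        self.protecting = True

    def deactivate(self):
        # Deactivating stops protection and deletes all pending filters.
        self.protecting = False
        self.pending.clear()

    def recommend(self, name, filters):
        if self.mode == "automatic":
            self.active.extend(filters)   # activated as they are created
            return "activated"
        if len(self.pending) > PENDING_LIMIT:
            self.log.append(name)         # logged, then dropped
            return "discarded"
        self.pending.extend(filters)
        return "pending"

    def set_mode(self, mode):
        # Assumption: the required deactivation is modeled as a refusal.
        if self.protecting and len(self.pending) > PENDING_LIMIT:
            raise RuntimeError("deactivate zone protection first")
        self.mode = mode
        if mode == "automatic" and self.protecting:
            # Switching during protection activates the pending filters.
            self.active.extend(self.pending)
            self.pending.clear()

def overflow_scenario():
    zone = ZoneModel()
    zone.protect()
    zone.recommend("rec-1", [f"f{i}" for i in range(1001)])  # constructed
    dropped = zone.recommend("rec-2", ["late"])
    zone.deactivate()   # required step: the 1001 pending filters are deleted
    zone.set_mode("automatic")
    zone.protect()
    after = zone.recommend("rec-3", ["new"])
    return dropped, zone.log, zone.active, after
```

In this model, none of the filters that were pending at overflow are ever activated: after the procedure the zone's active filters consist only of those created once protection restarts, and a discarded recommendation survives only as a log entry.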