Cisco Anomaly Guard Module Configuration Guide (Software Version 6.1 and 6.1-XG)
Index

Symbols

# (number sign) 12-9

* (wildcard) 3-6, 6-5, 12-9

Numerics

1 Gbps and 3 Gbps bandwidth options

configuration differences 1-8

displaying software license key 13-2

displaying software version 13-2

understanding 1-7

upgrading to 3 Gbps 14-16

3 Gbps operation upgrade

configuring proxies 14-18

regenerating SSL certificates 14-19

updating existing port interface configurations 14-18

A

AAA

accounting 4-13

authentication 4-6

authorization 4-11

configuring 4-4

aaa accounting command 4-13

aaa authentication command 4-6

aaa authorization command 4-11

accounting, configuring 4-13

action command 8-20

action flow 12-13

activation

activation-extent command 10-7

activation-interface command 10-5

interface 10-4

method 10-4

sensitivity 10-7

add-service command 8-9

admin privilege level 3-2, 4-7

advertised routes, viewing 5-7, 5-10, 5-14

always-accept 8-23

always-ignore 8-23

analysis protection level 1-5, 8-10

anomaly

detected 12-3

flow 12-9

anomaly detection engine memory usage 13-27, 13-29

anti-spoofing 1-3

anti-spoofing drop statistics 15-8

anti-zombie 1-3

AP

booting to 2-9

clearing configuration 14-19

clearing passwords 14-19, 14-22

upgrading 14-10

upgrading, inline 14-14

application partition

See AP

attack-detection command 10-9

attack report

copying 12-14, 12-15

detected anomalies 12-3

exporting 12-14

exporting automatically 12-14

layout 12-1

malicious packets statistics 12-2

mitigated attacks 12-4

notify 12-9

statistics 12-2

timing 12-1

viewing 12-10, 15-5

attack reports

exporting 14-6

attack statistics 15-6

attack type

client 12-5

malformed packets 12-6

mitigated attack 12-11

user defined 12-6

zombie 12-5, 12-8

authentication, configuring 4-6

authorization

disabling zone command completion 4-13, 6-7

authorization, configuring 4-9

auth packet types 8-11

automatic protection mode 10-4

automatic protect mode 1-5, 10-4, 11-1

B

bad packets to proxy drop statistics 15-8

bandwidth options

configuration differences 1-8

displaying software license key 13-2

displaying software version 13-2

understanding 1-7

upgrading to 3 Gbps 14-16

banner

configuring login 4-30

basic

user filter actions 7-14

basic protection level 1-5, 8-10

Berkeley Packet filter 7-9

block dynamic filter actions 7-20

block-unauthenticated policy action 8-21

boot command 2-9

burn flash 14-15

bypass filter

command 7-12

configuring 15-4

definition 1-5, 7-2

deleting 7-14

displaying 7-13

C

capture, packets 13-17

CFE 14-11, 14-14, 14-15

clear ap config command 14-19

clear ap password command 14-19, 14-22

clear counters command 3-10, 13-6

clear log command 13-13

CLI

changing prompt 4-25

command shortcuts 3-6

error messages 3-5

getting help 3-5

issuing commands 3-3

TAB completion 3-6

using 3-1

client attack 12-11

client attack mitigated attacks 12-5

command completion 4-13

command line interface

See CLI 3-1

command shortcuts 3-6

comparator 7-3

config privilege level 3-2, 4-7

configuration

file

copying 14-3

exporting 14-3

importing 14-4

viewing 13-3

importing 14-4

saving supervisor engine 2-1

configuration, accessing command mode 4-12

configuration mode 3-2

configure command 2-7, 3-7

constructing policies 9-5

copy command

packet-dump 13-19

copy commands

ftp running-config 14-4

log 13-10, 13-12

reports 12-14, 12-15

running-config 6-12, 14-3

zone log 13-12

copy-from-this 6-5

copy guard-running-config command 6-11

copy login-banner command 4-30

copy-policies command 9-17

copy wbm-logo command 4-32

counters

clearing 3-10, 13-6

history 13-5

counters, viewing 13-5

cpu utilization 13-28

D

DDoS

attack classification 15-6

nonspoofed attacks 1-3

overview 1-2

spoofed attacks 1-2

zombies 1-3

deactivate command 10-12

deactivating commands 3-4

deactivating protection 10-9

default configuration, returning to 14-19

default-gateway command 3-11

default zone 10-6

description command 6-7

detected

anomalies 12-3

flow 12-13

diff command 9-15

disable command 8-6

disabling

automatic export 14-7

distributed denial of service

See DDoS

diversion

command 5-5, 5-6

configuring inline 5-8

configuring out-of-path 5-11

definition 5-1

hijacking 5-4

injection 5-5, 5-15

mechanism 5-3

network configuration 5-2

restoring default values 5-5

troubleshooting 15-2

viewing advertised routes 5-7, 5-10, 5-14

DNS

detected anomalies 12-3

drop statistics 15-7, 15-8

TCP policy templates 8-2

drop

dynamic filter action 7-19

policy action 8-21

statistics 15-7

user filter action 7-15

dropped packets

learning 9-2

drop-statistics command 15-6

dst traffic characteristics 8-12

dynamic filter

1000 and more 7-21

actions 7-19

command 7-23, 7-24

deactivating 7-24

definition 1-5

deleting 7-24, 15-4

displaying 7-21, 15-3

displaying events 13-9

inactivating 15-4

overview 7-2, 7-19

preventing production of 7-24

sorting 7-21

terminating 7-25

zone malicious rate 7-25

dynamic filters 11-2

dynamic privilege level 3-2, 4-7

E

enable

command 4-10, 8-6

password command 4-10

enabling services 4-2

event log

activating 13-10

deactivating 13-10

event monitor command 13-10

export

disabling automatic 14-7

export command 14-6

packet-dump 13-18, 13-19

reports 12-14

exporting

configuration file 14-3

log file 13-12

reports automatically 12-14

exporting GUARD configuration 6-11

extracting signatures 13-23

F

facility 13-11

file server

configuring 14-2

file-server

command 14-2

configuring 14-2

deleting 14-2

displaying 14-3, 14-7

file server, displaying sync-config 14-7

filter rate

termination threshold 7-25

filters

bypass 1-5, 7-12

dynamic 1-5, 7-2, 7-19

flex-content 1-5, 7-4

user 1-5, 7-14

filter-termination command 7-25

fixed-threshold 8-16

flash-burn command 14-16

flex-content filter

configuring 7-4

default configuration 13-37

definition 1-5, 7-2

displaying 7-10

dropped 15-7

filtering criteria 7-4

renumbering 7-4

fragments

detected anomalies 12-3

policy template 8-2

G

generating signatures 13-23

global mode 3-2

global traffic characteristics 8-12

Guard

configuring multiple 2-10

self protection 13-36

GUARD_DEFAULT 6-3

GUARD_LINK 6-3

GUARD_TCP_NO_PROXY 6-3

GUARD_VOIP 6-3

GUARD configuration, exporting 6-11

GUARD configuration, importing 6-12

Guard module configuration

resetting 14-23

H

high availability 2-11

host, logging 13-11

host keys

deleting 4-20, 4-22

hostname

changing 4-25

command 4-25

HTTP

detected anomalies 12-3

policy template 8-2

hw-module command 14-10, 14-11, 14-12, 14-14, 14-19, 14-22

hw-module commands 2-8

hybrid 12-11

I

idle session, configuring timeout 4-33

idle session, displaying timeout 4-33

importing

configuration 14-4

importing GUARD configuration 6-12

incoming TCP drop statistics 15-7

injecting

VRF 5-17

injecting, tunnel 5-19

inline upgrade 14-13

in packet types 8-11

installation

verifying 2-2

interactive

operation mode 11-4

policy status 8-23

interactive protection mode 10-4

interactive protect mode 1-6, 10-4, 11-1

interactive-status command 8-22

interface

activating 3-7, 3-8

clearing counters 3-10

command 3-8, 3-9

configuration mode 3-2

configuring IP address 3-8

ip address

modifying, zone 6-9

IP address command

excluding 6-8

ip address command

deleting 6-9

interface 3-8

zone 6-8, 10-3

ip route command 3-11

IP scan

detected anomalies 12-3

policy template 8-2

IP summarization 13-14, 13-16

IP threshold configuration 8-18

K

key

generating for license 14-17

key command

add 4-22

generate 4-24

remove 4-23

L

land attack drop statistics 15-8

layer 3 interface

configuring on VLAN 2-6

learning

command 9-6, 9-8

constructing policies 9-5

dropped packets 9-2

policy-construction command 9-5

synchronizing results 9-4

terminating process 9-6, 9-8

threshold-tuning command 9-7

tuning thresholds 9-7

learning accept command 9-6, 9-8

learning params

threshold-selection command 9-10

learning-params

deactivating periodic action 9-8

deactivating periodic-action command 9-6

periodic-action command 9-6, 9-8, 9-10

threshold-multiplier command 8-16

threshold-selection command 9-8

threshold-tuned command 6-9, 9-12

learning-params fixed-threshold command 8-16

licenses

generating key 14-17

ordering XG upgrade license 14-17

LINK templates 9-5

load sharing 2-10

log file

clearing 13-13

exporting 13-10, 13-12

viewing 13-11

logging, viewing configuration 13-11

logging command 13-11

logging parameters, configuring 13-8

login banner

configuring 4-30

deleting 4-31

importing 4-30

login-banner command 4-30

logo, adding WBM 4-32

logo, deleting WBM 4-33

low rate zombie attack policies 8-8, 8-13, 8-22

M

maintenance partition

See MP

malformed packets 12-11

mitigated attacks 12-6

malformed packets drop statistics 15-8

malicious packets statistics

attack report 12-2

malicious rate termination threshold 7-24

management

MDM 3-15

overview 3-13

port 3-7

SSH 3-15

WBM 3-13

max-services command 8-5

MDM

activating 3-15

memory consumption 13-27

memory usage, anomaly detection engine 13-27, 13-29

MIB, supported 4-2

min-threshold command 8-6

mitigated attacks

client attack 12-5

malformed packets 12-6

overview 12-4

spoofed 12-4

user defined 12-6

monitoring

network traffic 13-18, 13-19

MP

booting to 2-9

upgrading 14-12

upgrading, inline 14-14

mtu command 3-8, 3-10

multiple Guards

configuring 2-10

N

netstat command 13-30

network server

configuring 14-2

deleting 14-2

displaying 14-3, 14-7

network server, displaying sync-config 14-7

no learning command 9-6, 9-8

non DNS drop statistics 15-8

nonspoofed attacks 1-3

no proxy policy templates 8-4

notify 12-9

notify policy action 8-21

ns policy templates 8-4

num_sources packet type 8-11

O

other protocols

detected anomalies 12-3

policy template 8-2

other protocols drop statistics 15-7

out_pkts packet types 8-11

outgoing TCP drop statistics 15-7

P

packet-dump

auto-capture command 13-16

automatic

activating 13-14

deactivating 13-16

displaying settings 13-16

exporting 13-18, 13-19, 14-6

signatures 13-24

packet-dump command 13-17

packets, capturing 13-17

password

changing 4-8

enabling 4-10

encrypted 4-7

recovering 14-19, 14-22

recovering from a lost password condition 14-20

password, recovering 14-20

pending 11-2

pending dynamic filters 11-2

displaying 11-3, 11-7

periodic action

accepting policies automatically 9-6, 9-8

deactivating 9-6, 9-8

permit

command 3-14, 3-15, 4-3

user filter action 7-14

permit ssh command 4-21

ping command 13-34

pkts packet type 8-12

policy

action 8-13, 8-20, 8-21

activating 8-14

adding services 8-9

backing up current 8-26, 9-18

command 8-13

configuration mode 3-3

constructing 1-4, 9-2, 9-5

copying parameters 9-17

copy-policies 9-17

deleting services 8-9

disabling 8-14

displaying zone policies 8-12

inactivating 8-14

learning-params, fixed-threshold command 8-16

marking as tuned 6-9, 9-12

marking threshold as fixed 8-16

multiplying thresholds 8-17, 15-3

navigating path 8-13

packet types 8-11

PPH policies 8-8, 8-13

PPH policies, configuring detection time 8-22

proxy threshold 8-19

show statistics 8-24

state 8-14

threshold 8-13, 8-15

threshold-list command 8-18

timeout 8-13, 8-19

traffic characteristics 8-12

tuning thresholds 1-4, 9-3, 9-7

using wildcards 8-13, 8-23, 8-25

viewing 15-3

viewing statistics 9-9

policy set-timeout command 8-20

policy template

command 8-4, 8-6

configuration command level 8-4

configuration mode 3-3

displaying list 8-4

max-services 8-5

min-threshold 8-6

overview 8-2

parameters 8-4

state 8-6

policy-template add-service command 8-9

policy-template remove service command 8-10

port scan

detected anomalies 12-3

policy template 8-2

power enable command 2-9

PPH policies 8-8, 8-13

PPH policies, configuring detection time 8-22

privilege levels 3-2

assigning passwords 4-10

moving between 4-10

protect

activating 3-12

automatic mode 1-5, 10-4, 11-1

command 10-10

deactivating 10-12

deactivating automatically 10-9

entire zone 10-10

interactive mode 1-6, 10-4, 11-1

specific IP 10-11

specific ip address 10-11

specific zone IP 10-10

specific zone ip address 10-10

protect command 10-12

protection

activation sensitivity 10-7

protection-end-timer command 10-9

protection level

analysis 1-5, 8-10

basic 1-5, 8-10

strong 1-5, 8-11

protection levels

overview 8-10

protect learning command 9-7

protect-packet command 10-7

protocol traffic characteristics 8-12

proxy

command 3-13

configuring 3-12

displaying usage 13-7

no proxy policy templates 8-4

proxy-threshold command 8-19

public-key

displaying 4-24

R

rate-limit command 6-7, 7-12

Rate Limiter

dropped 15-7

rates

history 13-5

rates, viewing 13-4

reactivate-zones 14-8

rebooting

parameters 14-8

recommendations 11-2

accepting 11-8

activating 11-4, 11-7

change decision 8-22

command 11-7

deactivating 11-4, 11-9

displaying 11-5

dynamic filters 11-2

ignoring 11-8

overview 11-2

receiving notification 11-5

viewing 11-5

viewing pending-filters 11-3, 11-7

redirect/zombie

dynamic filter action 7-20

policy action 8-21

redundancy 2-10, 2-11

reload command 14-7

remove service command 8-9

renumbering flex-content filters 7-4

renumbering user filters 7-15

replied IP summarization 13-14, 13-16

replied IP summarizations

contained in attack reports 12-7

contained in packet-dump captures 13-22

replied packets 12-2

report

See attack report 12-1

reports

details 12-10

displaying subzones 10-8

exporting 14-6

reqs packet type 8-11

reset command 2-8

routing table

manipulation 3-11

viewing 3-12

RTP/RTCP 6-3

running-config

copy 6-12, 14-3, 14-4

show 13-3

S

self-protection command 13-36

service

adding 8-9

command 3-14, 3-15, 4-2

copy 9-17

deleting 8-9

MDM 3-15

permissions 4-3

snmp-trap 4-25

WBM 3-14

services

enabling 4-2

session, configuring timeout 4-33

session, displaying idle timeout 4-33

session timeout, disabling 4-33

session-timeout command 4-33

set-action 8-21

show commands

counters 13-5

cpu 13-28

diagnostic-info 13-26

drop-statistics 15-6

dynamic-filters 7-21, 15-3

file-servers 14-3, 14-7

flex-content-filter 7-10

host-keys 4-22

learning-params 8-16

log 13-11

log export-ip 13-11

logging 13-11

login-banner 4-30

memory 13-27

module 2-2, 14-11, 14-12

packet-dump 13-16

packet-dump signatures 13-24

policies 8-23, 15-2, 15-3

policies statistics 8-24, 9-9

public-key 4-24

rates 13-4, 15-1

recommendations 11-5, 11-6

recommendations pending-filters 11-3, 11-7

reports 15-5

reports details 12-10

running-config 13-3

show 13-4

sorting dynamic-filters 7-21

sync-config file-servers 14-7

templates 6-5

zone policies 8-23

show privilege level 3-2, 4-7

show public-key command 4-24

shutdown command 3-8

signature

generating 13-23

SIP

detected anomalies 12-3

drop statistics 15-8

malformed packets 12-7

policy template 8-3

spoofed attacks 12-5

user filter action 7-15

zone template 6-3

snapshot

backing up policies 8-26, 9-18

command 9-14

comparing 9-15

deleting 9-17

displaying 9-16

saving 9-14

snapshot command 9-13

snapshots

save periodically 9-9

SNMP

accessing 4-2

configuring trap generator 4-25

traps description 4-26

snmp commands

community 4-29

trap-dest 4-25

software license key

displaying key information 13-2

software version number, displaying 13-2

specific IP threshold 8-18

spoofed attack 12-11

spoofed attacks 1-2, 12-4

src traffic characteristics 8-12

SSH

configuring 3-15

deleting keys 4-23

generating key 4-24

service 3-15

state command 8-14, 15-4

static route

adding 3-11

strong

dynamic filter action 7-19

policy action 8-21

protection level 1-5, 8-11

user filter action 7-15

subzone 10-8

supervisor engine

booting 2-9

configuring 2-1

configuring VLANs 2-4

powering off 2-9

resetting 2-8

saving configuration 2-1

shutting down 2-8

verifying configuration 2-9

supervisor module

supported versions 14-8

syn_by_fin packet type 8-11

syns packet type 8-11

syslog

configuring export parameters 13-11

configuring server 13-11

message format 13-10

system log

message format 13-10

T

TACACS+

authentication

key generate command 4-19, 4-21

clearing statistics 4-17

configuring server 4-14

server connection timeout 4-16

server encryption key 4-16

server IP address 4-15

viewing statistics 4-17

tacacs-server commands

clear statistics 4-17

first-hit 4-14

host 4-14, 4-15

key 4-14, 4-16

show statistics 4-17

timeout 4-14, 4-17

TCP

detected anomalies 12-3

drop statistics 15-7, 15-8

no proxy policy templates 8-4

policy templates 8-2

templates

LINK 9-5

viewing policies 6-5

zone 6-3

thresh-mult 8-17, 15-3

threshold

command 8-15

configuring IP threshold 8-18

configuring list 8-18

configuring specific IP 8-18

filter rate termination 7-24

malicious rate termination 7-24

marking as tuned 6-9, 9-12

multiplying 15-3

multiplying before accepting 8-16

selection 9-14

setting as fixed 8-16

tuning 1-4, 9-3

threshold-list command 8-18

threshold selection 9-8

threshold tuning

save results periodically 9-9

timeout command 8-19

timeout session, configuring 4-33

timeout session, disabling 4-33

to-user-filters

dynamic filter action 7-19

policy action 8-21

traceroute command 13-33

traffic

monitoring 13-18, 13-19

trap 13-11

trap-dest 4-25

tuning policy thresholds 9-7

U

UDP

detected anomalies 12-3

drop statistics 15-7

policy templates 8-3

unauthenticated drop statistics 15-7

unauth_pkts packet type 8-12

unauthenticated TCP detected anomalies 12-3

upgrade command 14-20

upgrade license 14-17

upgrading

AP 14-10

inline 14-13

MP 14-12

user

detected anomalies 12-3

user defined mitigated attacks 12-6

user filter

actions 7-14, 7-19

command 7-4, 7-15, 7-16

configuring 7-14

definition 1-5, 7-2

deleting 7-19

displaying 7-18

renumbering 7-15

username

encrypted password 4-7

username command 4-7

users

adding 4-7

adding new 4-7

assigning privilege levels 4-6

deleting 4-8

privilege levels 3-2, 4-9

system users

admin 2-7

riverhead 2-7

username command 4-7

V

version, upgrading 14-20

VLAN

administrative 2-5

assigning 2-4

configuring 3-9

configuring layer 3 interface 2-6

configuring on supervisor engine 2-4

Voice over IP

See VoIP

VoIP

detected anomalies 12-3

drop statistics 15-8

malformed packets 12-7

policy template 8-3

spoofed attacks 12-5

user filter action 7-15

zone template 6-3

VPN Routing and Forwarding, See VRF

VRF, configuring injection 5-17

W

WBM

activating 3-13

WBM logo

adding 4-32

deleting 4-33

X

XG software image for 3 Gbps operation

obtaining software image 14-17

XG software license key 14-17

XG software version, 3 Gbps operation 14-16

XML schema 12-14 to 12-16, 14-7

Z

zombie 12-11

packet counter 13-5

zombie attack 12-13

zombies 1-3

zone

blocking criteria 15-3

blocking flows 15-2

clearing counters 13-6

command 6-4, 6-5, 11-4

command completion 4-13, 6-7

comparing 9-15

configuration mode 3-3, 6-6

copying 6-5

creating 6-4

creating default 10-6

defining IP address 6-8

definition 6-2

deleting 6-5

deleting IP address 6-9

duplicating 6-5

excluding IP address 6-8

IP address 6-8

LINK templates 9-5

malicious rate 10-9

modifying IP address 6-9

operation mode 6-5

protecting 10-2

reconfiguring 6-6

sub 10-8

synchronize configuration 6-9

synchronizing offline 6-11

templates 6-3

viewing configuration 6-7

viewing policies 8-23

viewing status 13-4

zone-malicious-rate 7-25

zone policies

displaying 8-12

zone policy

marking as tuned 6-9, 9-12

zone protection

terminating 10-12

zone synchronization 9-4