Table Of Contents
Interactive Recommendations Mode
Overview
Process Flow
Recommendation and Pending Filter Structure
Launching the Interactive Recommendation Mode
Activating the Interactive Recommendation Mode
Deactivating the Interactive Recommendation Mode
Viewing the Guard Recommendations
Viewing all Recommendations
Viewing Recommendations' Pending Filters
Viewing a Specific Recommendation
Viewing a Specific Recommendation's Pending Filters
Deciding on the Guard Recommendations
Accepting all Recommendations
Viewing Zone Status
Deciding on a Specific Recommendation
Viewing Zone Status
Deciding on Specific Recommendation Pending Filters
Deciding on the Policies Interactive Status
Viewing a Policy Interactive Status
Interactive Recommendations Mode
This chapter describes the Interactive Recommendation operation mode. The chapter details the Guard protection recommendations, the user decision options, and the policy interactive status.
Overview
In Interactive Recommendation mode the Guard lets the user decide whether the filters that its policies launch are activated (see Chapter 10, "Advanced Policy Procedures," for details on policies). The Guard acts on the user's decision to accept a filter, ignore it, or activate it for a limited time. The user thus controls, in real time, which protective measures the Guard applies as a DDoS attack progresses.
Process Flow
The user can apply the interactive recommendation mode to one or more zones at any time: as early as when a zone is defined, or later, either before or after initiating zone protection.
As a DDoS attack begins, the Guard policies launch their actions. These actions are filters, known in the interactive recommendation mode as pending filters (and as dynamic filters when the Guard is not in the interactive mode). The Guard clusters the pending filters under the policies that launched them (the recommendation policies). Each recommendation and its pending filters then await the user's decision, which may be one of the following:
• accept: the Guard activates the pending filters of a specific recommendation, or of all recommendations produced by its policies.
• always-accept: whenever a specific policy produces a recommendation, the Guard activates its pending filter or filters automatically.
• always-ignore: the specific policy no longer produces recommendations.
• Accepting a single pending filter: the user selects one pending filter from a recommendation and instructs the Guard to activate it.
The user may also define for how long a decision applies, from a predefined number of seconds to indefinitely (the forever parameter).
As the DDoS attack continues, the Guard policies keep producing recommendations, and the user should check the zone status to view and decide on any new recommendations.
Note
The user may view the zone status (see the "Viewing Zone Status" section for further details) to keep track of changes in the recommendations. The user can also issue the event monitor command to be notified when a new pending filter (if the zone is in interactive mode) or dynamic filter (if the zone is in automatic mode) is created, or configure an external syslog server to receive such notifications.
The user may end the interactive mode of operation at any time and thus return to the automatic operation mode. This results in the Guard disregarding the user's decisions made while in the interactive mode and accepting all currently pending filters. The policies resume their role of automatically producing and activating their filters (see Chapter 10, "Advanced Policy Procedures").
Note
When the number of pending filters exceeds 1000, newly produced recommendations are recorded in the Guard's log file and then discarded. The Guard displays the following message:
There are too many pending filters. Please deactivate zone, and reactivate it in automatic mode.
To recover, perform the following:
1.
Deactivate the zone by issuing the no protect command.
2.
Change the operation mode to automatic (see the "Deactivating the Interactive Recommendation Mode" section in this chapter for further details).
3.
Reactivate zone protection by issuing the protect command.
Recommendation and Pending Filter Structure
The Guard recommendation data consists of the policy name that recommends it, data on the traffic anomaly that resulted in a policy reaction, the number of pending filters, and the recommended action. Figure 11-1 displays a recommendation's content and structure:
Figure 11-1 Recommendation Content and Structure
The previous figure displays the content of recommendation 305. The figure indicates that the recommendation policy threshold (50 pps) was first violated at the displayed date and time. In this case five protocol flows violated the recommendation policy threshold, resulting in five pending filters. The attack flow data indicates five different protocols, five different source IP addresses, and five different source and destination ports; all five flows, however, were addressed to the same destination IP address.
Note
An asterisk (*) in a flow denotes an unspecified parameter (for example, any source IP address or any port).
Each pending filter records the rate of the flow that violated the threshold; in this case the lowest violating flow measured 104.24 pps and the highest 432.43 pps. The recommended action is to direct the flow to the user filters (see the "User Filters" section in Chapter 9, "Advanced Filter Procedures," for details). Viewing the recommendation in detail (see the "Viewing a Specific Recommendation's Pending Filters" section in this chapter for further details) shows the recommendation's pending filters.
The following figure displays a pending filter:
Figure 11-2 Pending Filter Content and Structure
The previous figure displays pending filter number 15. This filter was produced by recommendation policy identification number 137. The figure indicates that the specific traffic flow that violated the recommendation policy threshold (5 pps) was detected at the specified date and time. The triggering rate, 36 pps, is the traffic rate at the time the policy launched its recommended action. The traffic flow (denoted here by Attack flow) is TCP traffic from IP address 192.168.100.35. The Guard recommendation (denoted here by Action flow) is to issue a filter that catches TCP traffic coming from this source IP address, destined to any zone port, and having no fragments. The user should decide on the recommendation and its pending filter (see the "Deciding on the Guard Recommendations" section in this chapter for further details).
Launching the Interactive Recommendation Mode
The user controls the activation and deactivation of the Guard's interactive recommendation mode. The user may activate the interactive recommendations mode for any desired zone, and may repeat the procedure for any number of zones, when a zone is defined or later, either before or after initiating zone protection. The user may deactivate the interactive recommendations mode for any zone or zones at any time. Deactivating this mode results in the Guard accepting all pending filters and resuming automatic protection, in which it produces and activates dynamic filters without user intervention.
Activating the Interactive Recommendation Mode
The Guard enables the user to apply the interactive recommendations mode from the Configuration or from the desired Zone's command group levels.
To activate the interactive recommendation mode, perform the following:
1.
From the Zone command group level, type the following (sample):
admin@GUARD-conf-zone-<zone-name># interactive
2.
Choose ENTER.
To create a new zone with interactive recommendations mode, perform the following:
1.
From the Configuration command group level, type the following:
admin@GUARD-conf# zone <new-zone-name> interactive
2.
Choose ENTER.
The new zone is created with a DEFAULT zone template configured for interactive recommendations mode. See the "Defining a New Zone" section in Chapter 5, "Zone Configurations," for further details.
Deactivating the Interactive Recommendation Mode
The user may deactivate the interactive recommendations mode from the Configuration or from the desired zone's command group levels.
Note
Once the interactive mode is deactivated, the policies assume the always-accept status. See the note in the "Viewing Zone Status" section that follows the "Deciding on a Specific Recommendation" section.
To deactivate the interactive recommendation mode, perform the following:
1.
Type the following (sample):
admin@GUARD-conf-zone-<zone-name># no interactive
2.
Choose ENTER.
Viewing the Guard Recommendations
The user may view the Guard recommendations. The Guard offers the following viewing options:
•
Viewing all the recommendations—The user views a list of all the Guard protection recommendations.
•
Viewing recommendations' pending filters—The user views a list of all recommendations' pending filter or filters.
•
Viewing a specific recommendation—The user views a desired recommendation.
•
Viewing a specific recommendation in detail—The user views a desired recommendation's pending filters.
Note
The user may issue the viewing commands from the Global, the Configuration, or the desired zone's command group level.
Viewing all Recommendations
The user may view a list of all the recommendations relevant to a desired zone.
To view a list of all recommendations relevant to a desired zone, perform the following:
1.
From the Configuration or the desired Zone command group levels, type the following (sample):
admin@GUARD-conf-zone-<zone-name># show recommendations
2.
Choose ENTER. The following sample screen appears:
admin@GUARD-conf-zone-scannet#show recommendations
ID 15 udp_services/any/analysis/pkts/global Threshold: 100.00
Detected in Oct 20 13:58:49
Attack flow: 17 * * 192.168.100.34 * no fragments
Min current rate: 7643.31; Max current rate: 7643.31;
No. of pending-filters: 1
Recommended action: to-user-filters
ID 17 udp_services/any/analysis/pkts/dst_ip Threshold: 100.00
Detected in Oct 20 13:58:49
Attack flow: 17 * * 192.168.100.34 * no fragments
Min current rate: 7643.31; Max current rate: 7643.31;
No. of pending-filters: 1
Recommended action: to-user-filters
admin@GUARD-conf-zone-scannet#
Viewing Recommendations' Pending Filters
The user may view a list of all recommendations' pending filters.
To view a list of all recommendations' pending filters in detail, perform the following:
1.
From the Zone command group level, type the following (sample):
admin@GUARD-conf-zone-<zone-name># show recommendations pending-filters
2.
Choose ENTER. The following sample screen appears:
admin@GUARD-conf-zone-scannet#show recommendations pending-filters
ID 17 udp_services/any/analysis/pkts/dst_ip Threshold: 100.00
5 Detected in : Oct 20 13:58:49
Attack flow : 17 * * 192.168.100.34 * no fragments
Triggering rate : 7643.31
Recommended action: to-user-filters
Action flow : SrcIP: *, SrcMask: 255.255.255.255, Protocol: 17, DstPort: *, no-fragments
ID 88 tcp_services/any/analysis/syns/dst_ip Threshold: 30.00
3 Detected in : Oct 20 13:58:48
Attack flow : 6 * * 192.168.100.34 * no fragments
Triggering rate : 8411.21
Recommended action: to-user-filters
Action flow : SrcIP: *, SrcMask: 255.255.255.255, Protocol: 6, DstPort: *, no-fragments
admin@GUARD-conf-zone-scannet#
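The pending-filters listing has a regular shape that lends itself to scripting, for example to triage a long list of pending filters off-box before typing the accept commands at the zone prompt. The following Python is an added example, not code from the Guard or its documentation. It takes a captured `show recommendations pending-filters` screen (the input below is constructed from this chapter's samples, with the line wrapping the printed samples show), re-joins wrapped lines, parses each recommendation and its pending filters into records, and builds the accept command, in the syntax documented later in this chapter, for every pending filter whose triggering rate exceeds the policy threshold by a chosen factor. The attack-flow field order (protocol, source IP, source port, destination IP, destination port, fragments) follows the figure description in this chapter; the function and class names, the treatment of a missing fragments field as a wildcard, and the triage factor are this example's own assumptions.

```python
# Added example (not Guard code): parse a captured `show recommendations
# pending-filters` screen and derive accept commands from it.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input shaped like this chapter's sample screens; long lines are
# wrapped the way the printed samples wrap them.
SAMPLE = """\
admin@GUARD-conf-zone-scannet#show recommendations pending-filters
ID 17 udp_services/any/analysis/pkts/dst_ip Threshold: 100.00
5 Detected in : Oct 20 13:58:49
Attack flow : 17 * * 192.168.100.34 * no
fragments
Triggering rate : 7643.31
Recommended action: to-user-filters
Action flow : SrcIP: *, SrcMask: 255.255.255.255,
Protocol: 17, DstPort: *, no-fragments
ID 349 http/80/analysis/syns/src_ip Threshold: 2.10
28 Detected in : Oct 20 16:26:32
Attack flow : 6 192.168.100.49 * 192.168.100.34 80
Recommended action: to-user-filters
Action flow : SrcIP: 192.168.100.49, SrcMask:
255.255.255.255, Protocol: 6, DstPort: *, no-fragments
admin@GUARD-conf-zone-scannet#
"""

# A line that does not start a known field is a wrapped continuation.
FIELD_START = re.compile(r"^(ID \d+ |\d+ Detected in|Attack flow|Triggering rate"
                         r"|Recommended action|Action flow)")
PROMPT = re.compile(r"^\S+@\S+#")

@dataclass
class PendingFilter:
    pf_id: int
    detected: str
    attack_flow: tuple = ()          # proto, src ip, src port, dst ip, dst port, fragments
    triggering_rate: Optional[float] = None
    action: str = ""
    action_flow: str = ""            # the filter the Guard proposes, kept verbatim

@dataclass
class Recommendation:
    rec_id: int
    policy: str
    threshold: float
    pending: List[PendingFilter] = field(default_factory=list)

def unwrap(text):
    """Drop prompts and re-join lines that the terminal or printer wrapped mid-field."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or PROMPT.match(line):
            continue
        if FIELD_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def parse_attack_flow(s):
    """'17 * * 192.168.100.34 * no fragments' -> 6-tuple; '*' means any value.
    A missing fragments field, as in the port-80 sample, is recorded as '*'."""
    tok = s.split()
    return (tok[0], tok[1], tok[2], tok[3], tok[4], " ".join(tok[5:]) or "*")

def parse_pending_filters(text):
    recs = []
    for line in unwrap(text):
        m = re.match(r"ID (\d+) (\S+) Threshold: ([\d.]+)$", line)
        if m:
            recs.append(Recommendation(int(m.group(1)), m.group(2), float(m.group(3))))
            continue
        m = re.match(r"(\d+) Detected in\s*:\s*(.+)$", line)
        if m and recs:
            recs[-1].pending.append(PendingFilter(int(m.group(1)), m.group(2)))
            continue
        if not recs or not recs[-1].pending:
            continue                 # a field line before any filter header: ignore
        pf = recs[-1].pending[-1]
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Attack flow":
            pf.attack_flow = parse_attack_flow(val)
        elif key == "Triggering rate":
            pf.triggering_rate = float(val)
        elif key == "Recommended action":
            pf.action = val
        elif key == "Action flow":
            pf.action_flow = val
    return recs

def triage(recs, factor=10.0):
    """Accept commands (syntax as documented in this chapter) for pending filters whose
    triggering rate is at least `factor` times the policy threshold, an arbitrary rule
    for this example; filters that report no triggering rate are left to the user."""
    return ["recommendation %d pending-filter %d accept" % (r.rec_id, pf.pf_id)
            for r in recs for pf in r.pending
            if pf.triggering_rate is not None and pf.triggering_rate >= factor * r.threshold]
```

Run against a screen capture saved to a file, `triage()` returns the lines one would paste at the zone prompt. The factor is deliberately an argument: how far above the threshold a flow must be before accepting it unseen depends on the zone's normal traffic, and the pending filters that carry no triggering rate (the port-80 sample above) are always left for a manual decision.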
Viewing a Specific Recommendation
The user may view a specific recommendation.
To view a specific recommendation, perform the following:
1.
From the Zone command group level, type the following:
admin@GUARD-conf-zone-<zone-name># show recommendations <recommendation-id>
Where:
Parameters           Description
<recommendation-id>  The desired protection recommendation ID number.
2.
Choose ENTER. The following sample screen appears:
admin@GUARD-conf-zone-scannet#show recommendations 15
ID 15 udp_services/any/analysis/pkts/global Threshold: 100.00
Detected in Oct 20 14:12:02
Attack flow: 17 * * 192.168.100.34 * no fragments
Min current rate: 7453.42; Max current rate: 7453.42;
No. of pending-filters: 1
Recommended action: to-user-filters
admin@GUARD-conf-zone-scannet#
Viewing a Specific Recommendation's Pending Filters
The user may view a specific recommendation's pending filter or filters.
To view a specific recommendation's pending filters in detail, perform the following:
1.
From the Zone command group level, type the following:
admin@GUARD-conf-zone-<zone-name># show recommendations <recommendation-id> pending-filters
Where:
Parameters           Description
<recommendation-id>  The desired protection recommendation ID number.
2.
Choose ENTER. The following partial sample screen appears:
admin@GUARD-conf-zone-scannet#show recommendations 266 pending-filters
ID 266 tcp_connections/any/analysis/in_nodata_conns/global Threshold: 50.00
10 Detected in : Oct 20 14:21:59
Attack flow : 6 * * 192.168.100.34 * no fragments
Triggering rate : 36570.00
Recommended action: to-user-filters
Action flow : SrcIP: *, SrcMask: 255.255.255.255, Protocol: 6, DstPort: *, no-fragments
admin@GUARD-conf-zone-scannet#
See the "Recommendation and Pending Filter Structure" section in this chapter for further details.
Deciding on the Guard Recommendations
The user decides on the recommendations that the Guard policies produce. A decision determines whether a policy's pending filters become dynamic filters, and for how long. The user may also instruct the Guard to turn a specific policy's pending filters into dynamic filters automatically; that policy's recommendations are then no longer displayed for decision. Alternatively, the user may prevent a policy from producing recommendations (and their pending filters), which likewise removes that policy's recommendations from the display. As the DDoS attack continues and changes its characteristics, the Guard policies continue to produce recommendations that the user must view and decide on.
Note
The user should bear in mind that the Guard does not display the recommendations of policies on which an always-accept or always-ignore decision was made earlier.
The user may apply the procedures described above to all recommendations or to a specific recommendation, or may select a specific pending filter and turn it into a dynamic filter. The last procedure may be repeated as many times as required.
The user should view the zone status after performing its decisions for verification.
Note
When the user accepts a recommendation, additional recommendations that match both of the following criteria will be deleted:
•
A flow that is contained in the accepted recommendation's flow
•
The same action
Accepting all Recommendations
The user may decide to accept all recommendations with an option of defining how long the decision applies.
To decide on all recommendations and their applying time, perform the following:
1.
From the Zone command group level, type the following:
admin@GUARD-conf-zone-<zone-name># recommendation * accept [<time-out>]
Where:
Parameters    Description
[<time-out>]  (Optional) Defines for how long the decision applies: forever, or a number of seconds. If omitted, the dynamic filters' configured timeout applies. See the <timeout> parameter in the "Deciding on a Specific Recommendation" section in this chapter for further details.
2.
Choose ENTER.
Viewing Zone Status
The user may check the zone status after accep
ting all recommendations to verify that their pending filters have been activated.
To view the zone status and how the Guard has implemented its recommendations, perform the following:
1.
From the Zone command group level, type the following:
admin@GUARD-conf-zone-<zone-name># show
2.
Choose ENTER. The following partial sample screen appears:
admin@GUARD-conf-zone-scannet#show
Operation Mode: INTERACTIVE
Activation start time: Oct 20 14:06:17
Description: On-Demand protection Zone
Protection-End Timer: forever
RATE: 200000 BURST: 200000 UNITS: pps
FLEX-FILTER ACTION: disable
SINGLE IP: 192.168.100.34
Legitimate traffic: 8102 4244277
Malicious traffic: 15304 10237147
Row Source IP Source Mask Proto DPort Frg RxRate(pps)
3 * 255.255.255.255 6 44 no 0
10 1.1.1.1 255.255.255.255 6 24 no 0
20 1.1.1.4 255.255.255.255 6 27 no 0
30 1.1.1.5 255.255.255.255 6 66 no 0
There are 6 dynamic filters
There are no recommendations
admin@GUARD-conf-zone-scannet#
Note that there is no indication of unaccepted (new) recommendations and all of the recommendations' pending filters have been turned into Dynamic filters.
Deciding on a Specific Recommendation
The user may select a specific recommendation, decide on it, and utilize the option of determining how long the decision applies.
To decide on a specific recommendation, perform the following:
1.
From the Zone command group level, type the following (sample):
admin@GUARD-conf-zone-<zone-name># recommendation <recommendation-id> <action> [<timeout>]
Where:
Parameters           Description
<recommendation-id>  The specific recommendation identification number.
<action>             The user's decision on the specific recommendation, one of the following:
• accept—The user accepts the specific recommendation. The recommendation's pending filters turn into dynamic filters.
• always-accept—The user accepts the specific recommendation, and the decision applies automatically whenever the recommendation's policy produces new recommendations. Their pending filters automatically turn into dynamic filters.
Note The Guard does not display always-accept recommendations.
• always-ignore—The user ignores the specific recommendation. No dynamic filters are produced from that recommendation, and the decision applies automatically to all future recommendations produced by the recommendation's policy.
Note The Guard does not display always-ignore recommendations.
[<timeout>]          (Optional) Defines for how long the user decision applies, one of the following:
• forever—The Guard keeps the dynamic filters (see "The Guard Dynamic Filters" section in Chapter 9, "Advanced Filter Procedures," for further details) produced by the recommendation active until protection ends, either because the user terminates protection or because the Protection Termination Timer expires (see the "Protection Termination Timer" section in Chapter 5, "Zone Configurations," for further details).
• new-timeout—The Guard keeps the dynamic filters produced by the policies active for a user-defined time span, given in seconds.
Note If no timeout is entered, the Guard activates the dynamic filters for their configured timeout (if applicable). If no timeout is configured, a default period of ten minutes applies. When the default timeout expires the Guard performs a checkout procedure to decide whether to end the dynamic filter (see the "Advanced Dynamic Filters Configuration" section in Chapter 9, "Advanced Filter Procedures," for further details).
2.
Choose ENTER.
Note
The user may change an always-ignore decision made on a specific recommendation by changing the interactive-status of the policy that created the recommendation's pending filters. See the "Deciding on the Policies Interactive Status" section in this chapter for further details.
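The decision rules in this section, together with the containment rule in the note under "Deciding on the Guard Recommendations", the pending-filter ceiling and the effect of no interactive from the overview, and the per-policy interactive-status command described later in this chapter, can be checked against a small model. The following Python is an added example, not code from the Guard: a Zone object that receives policy firings, queues them as pending filters clustered by policy, applies accept, always-accept and always-ignore decisions with the documented default ten-minute timeout, deletes contained recommendations with the same action on accept, logs and discards firings once 1000 pending filters are queued, and accepts everything when the mode is switched off. Flows are six-tuples (protocol, source IP, source port, destination IP, destination port, fragments) with "*" as the wildcard, following the attack-flow layout shown in this chapter. The class and method names, the drop action used alongside to-user-filters, the capping of the queue at exactly 1000, and the plain expiry of dynamic filters (the Guard's checkout procedure is not modelled) are this example's own assumptions.

```python
# Added example (not Guard code): a model of the interactive-mode decision rules.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, ...]   # proto, src ip, src port, dst ip, dst port, fragments
WILD = "*"
DEFAULT_TIMEOUT = 600    # ten minutes, the default named in this chapter
MAX_PENDING = 1000       # pending-filter ceiling named in this chapter

def contained(inner, outer):
    """True if `outer` covers every field of `inner` ('*' covers anything)."""
    return all(o == WILD or o == i for i, o in zip(inner, outer))

def generalize(a, b):
    """Narrowest wildcard flow covering both a and b, field by field."""
    return tuple(x if x == y else WILD for x, y in zip(a, b))

@dataclass
class Recommendation:
    rec_id: int
    policy: str
    action: str
    flow: Flow                   # attack flow summarising the pending filters
    pending: List[Flow] = field(default_factory=list)

@dataclass
class DynamicFilter:
    flow: Flow
    action: str
    expires_at: Optional[float]  # None = forever

class Zone:
    def __init__(self):
        self.interactive = True
        self.status: Dict[str, str] = {}     # policy -> interactive-status
        self.recs: Dict[int, Recommendation] = {}
        self.dynamic: List[DynamicFilter] = []
        self.log: List[str] = []
        self._next_id = 1

    def interactive_status(self, policy):
        if not self.interactive:   # after `no interactive` every policy is always-accept
            return "always-accept"
        return self.status.get(policy, "interactive")

    def set_interactive_status(self, policy, status):   # `interactive-status <status>`
        self.status[policy] = status

    def policy_fires(self, policy, flow, action, now, timeout=None):
        """Threshold violated by `flow`: the recommendation id it was queued under, else None."""
        status = self.interactive_status(policy)
        if status == "always-accept":
            self._activate([flow], action, now, timeout)
            return None
        if status == "always-ignore":
            return None
        if sum(len(r.pending) for r in self.recs.values()) >= MAX_PENDING:
            self.log.append("too many pending filters, discarded filter for %s" % policy)
            return None
        for rec in self.recs.values():          # cluster under the launching policy
            if rec.policy == policy and rec.action == action:
                rec.pending.append(flow)
                rec.flow = generalize(rec.flow, flow)
                return rec.rec_id
        rec_id, self._next_id = self._next_id, self._next_id + 1
        self.recs[rec_id] = Recommendation(rec_id, policy, action, flow, [flow])
        return rec_id

    def decide(self, rec_id, decision, now, timeout=None):   # `recommendation <id> <action> [timeout]`
        rec = self.recs.pop(rec_id)
        if decision == "always-ignore":
            self.status[rec.policy] = "always-ignore"
            return
        if decision == "always-accept":
            self.status[rec.policy] = "always-accept"
        elif decision != "accept":
            raise ValueError(decision)
        self._activate(rec.pending, rec.action, now, timeout)
        # Accepting deletes recommendations with the same action whose flow is contained in the accepted one's.
        for other in list(self.recs.values()):
            if other.action == rec.action and contained(other.flow, rec.flow):
                del self.recs[other.rec_id]

    def accept_all(self, now, timeout=None):   # `recommendation * accept [timeout]`
        for rec_id in list(self.recs):
            if rec_id in self.recs:           # unless containment already deleted it
                self.decide(rec_id, "accept", now, timeout)

    def no_interactive(self, now):   # `no interactive`: accept everything pending, go automatic
        self.accept_all(now)
        self.interactive = False

    def expire(self, now):
        """Drop dynamic filters whose timeout elapsed (the Guard's checkout step is not modelled)."""
        self.dynamic = [d for d in self.dynamic if d.expires_at is None or d.expires_at > now]

    def _activate(self, flows, action, now, timeout):
        exp = None if timeout == "forever" else now + (DEFAULT_TIMEOUT if timeout is None else timeout)
        self.dynamic.extend(DynamicFilter(f, action, exp) for f in flows)
```

Two points the model makes visible that are easy to miss when reading the rules one at a time: accepting a broad recommendation (say, any source to the zone's destination IP) silently removes a narrower per-source recommendation with the same action, so the narrower one never needs a separate decision, while a recommendation with a different action survives; and once the 1000 pending-filter ceiling is reached, later firings are only logged, which is why the chapter tells the user to leave interactive mode rather than keep deciding.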
Viewing Zone Status
The user may wish to check on the zone status to view how the Guard has implemented the recommendations.
To check on the zone status and how the Guard has implemented its recommendations, perform the following:
1.
From the Zone command group level, type the following:
admin@GUARD-conf-zone-<zone-name># show
2.
Choose ENTER. The following partial sample screen appears:
admin@GUARD-conf-zone-scannet#show
Operation Mode: INTERACTIVE
Activation start time: Oct 20 14:06:17
Description: On-Demand protection Zone
Protection-End Timer: forever
RATE: 200000 BURST: 200000 UNITS: pps
FLEX-FILTER ACTION: disable
SINGLE IP: 192.168.100.34
Legitimate traffic: 8102 4244277
Malicious traffic: 15304 10237147
Row Source IP Source Mask Proto DPort Frg RxRate(pps)
3 * 255.255.255.255 6 44 no 0
10 1.1.1.1 255.255.255.255 6 24 no 0
20 1.1.1.4 255.255.255.255 6 27 no 0
30 1.1.1.5 255.255.255.255 6 66 no 0
There are 4 dynamic filters
There are 2 RECOMMENDATIONS!!!
The sample screen indicates that the protected zone has four dynamic filters and two recommendations. The four dynamic filters result from the implementation of two recommendations. The remaining two recommendations have not yet been decided on, so their pending filters have not been turned into dynamic filters.
Note
Always-ignored recommendations (as well as other user-decided recommendations) can be viewed by issuing the show command from the policy prompt, as the following sample screen displays:
admin@GUARD-conf-zone-scannet-policy-/tcp_outgoing/any/analysis/syns/src_ip#show
Policy: tcp_outgoing/any/analysis/syns/src_ip
Interactive-Status: always-ignore
Note the Interactive-Status field in the above screen indicates the always-ignore decision on the specific policy's recommendation. The Interactive-Status changes to always-accept when a user decides to always accept a recommendation, and to interactive when a user decides to accept a recommendation.
Deciding on Specific Recommendation Pending Filters
The user may select a desired recommendation and decide on one or more of its pending filters. The user may decide on how long the decision applies for.
To decide on specific recommendation pending filters, perform the following:
1.
From the desired Zone command group level, type the following (sample):
admin@GUARD-conf-zone-<zone-name># show recommendations <recommendation-id> pending-filters
Where:
Parameters           Description
<recommendation-id>  The specific recommendation identification number.
2.
Choose ENTER. The following sample screen appears:
admin@GUARD-conf-zone-scannet#show recommendations 349 pending-filters
ID 349 http/80/analysis/syns/src_ip Threshold: 2.10
29 Detected in : Oct 20 16:26:50
Attack flow : 6 192.168.100.44 * 192.168.100.34 80
Recommended action: to-user-filters
Action flow : SrcIP: 192.168.100.44, SrcMask: 255.255.255.255, Protocol: 6, DstPort: *, no-fragments
28 Detected in : Oct 20 16:26:32
Attack flow : 6 192.168.100.49 * 192.168.100.34 80
Recommended action: to-user-filters
Action flow : SrcIP: 192.168.100.49, SrcMask: 255.255.255.255, Protocol: 6, DstPort: *, no-fragments
admin@GUARD-conf-zone-scannet#
The sample screen displays a detailed view of a specific recommendation (349). This recommendation consists of two pending filters designed to answer a non-spoofed TCP SYN attack coming from several source IP addresses and aimed at zone port 80. The user may now decide on a specific pending filter (or filters), so the next step is:
3.
From the Zone command group level, type the following (sample):
admin@GUARD-conf-zone-<zone-name># recommendation <recommendation-id> pending-filter <pending-filter-id> accept [<timeout>]
Where:
Parameters           Description
<recommendation-id>  The specific recommendation identification number.
<pending-filter-id>  The identification number of the pending filter, as listed in the recommendation's pending-filters view.
[<timeout>]          (Optional) Defines for how long the decision applies: forever, or a number of seconds. See the <timeout> parameter in the "Deciding on a Specific Recommendation" section in this chapter for further details.
4.
Choose ENTER. The following sample screen appears:
admin@GUARD-conf-zone-scannet#recommendation 349 pending-filter 28 accept
admin@GUARD-conf-zone-scannet#
The result is a specific pending filter turning into a dynamic filter.
5.
Repeat steps 3 and 4 for every desired pending filter.
The user may check the zone status to view how the Guard has implemented the selected recommendation's pending filter. See the "Viewing Zone Status" section in this chapter for further details.
Deciding on the Policies Interactive Status
The Guard enables the user to decide whether a specific policy produces recommendations and pending filters. The user can thus go to any desired policy section and determine whether it operates under the interactive recommendation mode. This option helps the user adapt the policies to the zone's traffic flows.
Note
The user may use the below procedure to change a former decision on a recommendation.
To decide on recommendations produced by a desired policy section, perform the following:
1.
From the desired policy section prompt, type the following:
admin@GUARD-conf-zone-<zone-name>-policy-<policy-path># interactive-status <status>
Where:
Parameters     Description
<policy-path>  The policy path, which consists of <policy-template-name><port><protection module><packet-type><traffic-characteristics>. See the "Concept Overview" section in Chapter 10, "Advanced Policy Procedures," for further details.
<status>       The desired policy status, one of the following:
• always-accept—The user accepts the dynamic filters the policy will produce. The decision applies automatically whenever the policy produces new recommendations; their pending filters automatically turn into dynamic filters. See the "Deciding on a Specific Recommendation" section in this chapter for further details.
• always-ignore—The user ignores the filters the policy would produce. No dynamic filters are produced by the policy, and the decision applies automatically to all recommendations the policy produces. See the "Deciding on a Specific Recommendation" section in this chapter for further details.
• interactive—The Guard produces the filters as pending filters and waits for the user's decisions. See the "Deciding on a Specific Recommendation" section in this chapter for further details.
2.
Choose ENTER. The following sample screen appears:
admin@GUARD-conf-zone-scannet-policy-/fragments/any# interactive-status interactive
admin@GUARD-conf-zone-scannet-policy-/fragments/any#
Viewing a Policy Interactive Status
The user may view the interactive status of a desired policy section.
To view the interactive status of a desired policy section, perform the following:
1.
From the desired policy section prompt, type the following:
admin@GUARD-conf-zone-<zone-name>-policy-<policy-path># show
Where:
Parameters     Description
<policy-path>  The policy path, which consists of <policy-template-name><port><protection module><packet-type><traffic-characteristics>. See the "Concept Overview" section in Chapter 10, "Advanced Policy Procedures," for further details.
2.
Choose ENTER. The following sample screen appears:
admin@GUARD-conf-zone-scannet-policy-/fragments/any#show