Cisco Guard Web-Based Management Configuration Guide (Software Version 3.08)
Cisco Guard Operation and Diagnostics

Table Of Contents

Cisco Guard Operation and Diagnostics

Guard Summary (Home) Screen

Guard Diagnostics

Counters

Event Log

User Management

Assigning Privilege Level Procedure

Creating Users

Users List

Changing a Password

Changing the Privilege Level


Cisco Guard Operation and Diagnostics


This chapter describes how to perform common monitoring and operational tasks on the Cisco Guard using the Web-Based Management (WBM).

This chapter includes the following sections:

Guard Summary (Home) Screen

Guard Diagnostics

User Management—Creating users and viewing users list

For information on zone management, creating zones and viewing zone status, see "Zone Creation and Configuration."


Note Guard configuration and Networking and Diversion configuration can only be performed using the CLI. Refer to the Cisco Guard User Guide for further details.


Guard Summary (Home) Screen

The Guard's Summary (Home) screen (Figure 3-1) provides a summary of the current Guard activity.

To navigate to the Guard's summary (home) screen, do one of the following:

Select Guard Summary from the navigation pane.

Select Home from the upper right side of the header area.

Select Home from the location bar on the zone pages.

Figure 3-1 Guard Summary (Home) Page

The Guard Summary includes two sections.

Guard Summary—Provides a summary of the traffic, displayed in bits per second (bps), handled by the Guard in the past two hours. Legitimate traffic passed by the Guard to the protected zones is displayed in green. Malicious traffic handled by the Guard is displayed in red.

Below the graph, the following information is displayed:

Min: Indicates the minimum traffic rate in bps measured in the past two hours.

Max: Indicates the maximum traffic rate in bps measured in the past two hours.

Avg: Indicates the average traffic rate in bps measured in the past two hours.

Cur: Indicates the current traffic rate in bps.


The information is displayed separately for legitimate traffic and for malicious traffic.

Zones Under Detection—Provides a list of the currently protected zones and a short summary of the status of each one. The zones are listed in attack order, with the most recently attacked zone at the top of the list.

The following information is provided for each zone:

Zone: Indicates the zone name. The zone name also provides a link to the zone's "home page."

Activation Time: Indicates the date and time detection for the zone was initiated.

Attack Start Time: Indicates the date and time the most recent attack on the zone was detected.

Legitimate Rate: Indicates the current rate of legitimate traffic passed by the Guard to the zone, measured in bits per second (bps).

Malicious Rate: Indicates the current rate of malicious traffic destined to the zone, measured in bps.

Thumbnail of the zone traffic summary: A graph displaying a summary of the traffic destined to the zone in the past half hour. The traffic rate is displayed in bps. The legitimate traffic rate is displayed in green and the malicious traffic rate in red.


Guard Diagnostics

You may obtain diagnostics information on the Guard for troubleshooting and monitoring purposes.

To view the Guard's diagnostics:

From the Guard's main menu, select Diagnostics.

The following diagnostics are available:

Counters

Event Log

Counters

The Guard global counters report (Figure 3-2) supplements the Guard summary displayed on the Guard's "home page".

To display the Guard global counters:

From the Guard's main menu, select Diagnostics > Counters.

The following counters are displayed:

Legitimate—Legitimate traffic forwarded by the Guard to the zones.

Malicious—Malicious traffic, destined to the zone, handled by the Guard. Malicious traffic is the sum of Dropped packets and Spoofed packets (which also include the Zombie packets).

Received—Packets received and handled by the Guard. Received packets are the sum of legitimate traffic and malicious traffic.

Dropped—Packets that were identified by the Guard as part of an attack and therefore dropped.

Replied—Packets, destined to the zone, to which replies were sent to the initiating client as part of the anti-spoofing or anti-zombie mechanisms, in order to verify whether they are part of authentic traffic or part of an attack.

Spoofed—Packets, destined to the zone, that were identified by the Guard as Spoofed packets and therefore not forwarded to the zone. Spoofed packets are Replied (bounced) packets to which no replies were received. The Spoofed packets include zombie packets.

Figure 3-2 Guard Global Counters/Rates

For each of the counters, the following information is provided:

Shown in Graph: Specifies whether the counter is shown in the graph below.

Packets: Indicates the total number of packets since the Guard was reloaded.

Bits: Indicates the total number of bits since the Guard was reloaded.

pps: Indicates the current traffic rate measured in packets per second.

bps: Indicates the current traffic rate measured in bits per second.


By default, Legitimate and Malicious traffic are displayed for a period of the past two hours, measured in bits per second (bps).

Choose the period of time to be displayed and the graph units.

To update the graph according to the settings chosen:

Click Update Graph (see Figure 3-2).

Below the graph is a legend that identifies the counters. For each counter in the graph the minimum, maximum and average rate are displayed for the period of time and rate units chosen.

For a detailed explanation on interpreting the counters' significance, refer to Chapter 6 "On-Demand Protection," in the Cisco Guard User Guide.
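The counter definitions above fix two relationships (Received equals Legitimate plus Malicious, and Malicious equals Dropped plus Spoofed) that a monitoring script can use to sanity-check a scraped counters report. The following is an added example, not code from the Cisco Guard or this guide; the report layout and the counter values are constructed for the example.

```python
# Constructed sample of the Guard global counters report (not captured from a
# real Guard): one row per counter with the Packets, Bits, pps and bps columns.
COUNTERS_SAMPLE = """\
Legitimate  950000  760000000  1500   9600000
Malicious    50000   40000000   120    960000
Received   1000000  800000000  1620  10560000
Dropped      30000   24000000    70    560000
Replied      20000   16000000    60    480000
Spoofed      20000   16000000    50    400000
"""

FIELDS = ("packets", "bits", "pps", "bps")


def parse_counters(text):
    """Parse the flattened report into {counter_name: {field: int}}."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip header, blank or otherwise malformed lines
        name, values = parts[0], [int(v) for v in parts[1:]]
        counters[name] = dict(zip(FIELDS, values))
    return counters


def check_invariants(counters):
    """Return one string per violated relationship, per field.

    Per the guide: Received = Legitimate + Malicious and
    Malicious = Dropped + Spoofed. Replied packets are not part of
    either sum, since they are still awaiting classification.
    """
    issues = []
    for f in FIELDS:
        c = {name: counters[name][f] for name in counters}
        if c["Received"] != c["Legitimate"] + c["Malicious"]:
            issues.append(f"{f}: Received != Legitimate + Malicious")
        if c["Malicious"] != c["Dropped"] + c["Spoofed"]:
            issues.append(f"{f}: Malicious != Dropped + Spoofed")
    return issues


def malicious_share(counters, field="bps"):
    """Fraction of received traffic the Guard classified as malicious."""
    received = counters["Received"][field]
    return counters["Malicious"][field] / received if received else 0.0
```

A non-empty result from check_invariants indicates a scraping or timing problem (rows captured at different instants), not a Guard fault.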

Event Log

The Event log (Figure 3-3) displays monitoring and troubleshooting information. Logs are displayed for events that relate to the protected zones and to the Guard operation.

To display the event log:

From the Guard's main menu, select Diagnostics > Event log.

Figure 3-3 Event Log

The event severity levels are:

Emergencies: System is unusable

Alerts: Immediate action required

Critical: Critical condition

Errors: Error condition

Warnings: Warning condition

Notifications: Normal but significant condition

Informational: Informational messages

Debugging: Debugging messages


You may choose to filter the events according to their severity level.

To filter events according to their severity level:

1. Select the check boxes next to the severity levels.

2. Click Filter Events.


Note The event logs display zone related event logs only with a severity level of Emergency, Alert, Critical, Error, Warning and Notification. See "Zone Statistics and Diagnostics," for further details on zone event logs.
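The severity filter described above (check boxes per level) and the note that zone-related events are only logged at Notification or higher can be reproduced offline when event log output is exported for analysis. This is an added example, not code from the Cisco Guard or this guide; the log line format and the sample lines are constructed and assumed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Severity levels as listed in the Guard event log table, most severe first.
SEVERITY_LEVELS = ("Emergencies", "Alerts", "Critical", "Errors", "Warnings",
                   "Notifications", "Informational", "Debugging")
RANK = {level: i for i, level in enumerate(SEVERITY_LEVELS)}


@dataclass
class Event:
    timestamp: str
    level: str
    zone: Optional[str]  # None for Guard-wide (non-zone) events
    message: str


def parse_event(line):
    """Parse one constructed line: '<time> <level> <zone|guard> <message>'."""
    timestamp, level, scope, message = line.split(" ", 3)
    if level not in RANK:
        raise ValueError(f"unknown severity level: {level}")
    return Event(timestamp, level, None if scope == "guard" else scope, message)


def filter_events(events, selected_levels):
    """Keep only events whose level was selected (the WBM check boxes)."""
    selected = set(selected_levels)
    return [e for e in events if e.level in selected]


def at_least(events, level):
    """Keep events at `level` or more severe; 'Notifications' yields the
    range in which zone-related events are logged per the note above."""
    return [e for e in events if RANK[e.level] <= RANK[level]]


# Constructed sample lines (not real Guard output); the format is assumed.
SAMPLE_LINES = [
    "2005-03-01T10:00:00 Informational guard WBM session opened",
    "2005-03-01T10:05:12 Notifications zoneA detection activated",
    "2005-03-01T10:07:40 Alerts zoneA attack detected",
    "2005-03-01T10:07:41 Warnings zoneA dynamic filter added",
    "2005-03-01T10:20:00 Debugging guard counters refreshed",
]
SAMPLE_EVENTS = [parse_event(line) for line in SAMPLE_LINES]
```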


User Management

Access to the Guard is mapped according to user privilege levels. Each user privilege level is granted a corresponding set of command group operations. Table 3-1 displays the Guard user privilege levels and their corresponding command operation groups.

Table 3-1 User Privilege Levels

Administrator (Admin): Full access to all operations.

Configuration (Config.): Full access to all operations except those relating to user definition, deletion, and modification.

Dynamic: The entire monitoring and diagnostics operations group, plus the detection and learning related operations. Dynamic-privileged users may also configure the Flex and Dynamic filters (see the note below).

Show: The entire monitoring and diagnostics operations group.



Note We recommend that Administrator and Configuration privilege level users perform all filter configuration procedures. Lower privileged users can also perform dynamic filter addition and removal.


The Guard enables the Administrator to configure which authentication method the Guard utilizes when a user tries to log into the Guard. The Guard offers the following authentication options:

Guard local authentication—Local authentication uses locally configured login passwords for authentication. This is the default authentication method.

TACACS+ authentication—TACACS+ authentication authenticates users through a TACACS+ server or a list of TACACS+ servers.


Note TACACS+ authentication can only be configured from the CLI. Refer to the "TACACS+ and Local Authentication Methods" section in Chapter 2, "Initial Procedures," in the Cisco Guard User Guide.


Assigning Privilege Level Procedure

A preconfigured Administrator's privilege level is provided, enabling you to define the Guard user types. Defining users enables you to divide the Guard user community into privilege levels.


Note The admin user name grants Administrator's privilege level. The riverhead user name grants the Dynamic privilege level. The Detector uses this user name for remote activation of the Guard.


Creating Users

An administrator-privileged user may configure local users.


Note If TACACS+ authentication is configured, the TACACS+ user database is used for user authentication rather than the local database. Refer to the "TACACS+ and Local Authentication Methods" section in Chapter 2, "Initial Procedures," in the Cisco Guard User Guide.


To create a new user:

From the main menu, select Users > Create user.

For each user define the following:

User name: The user's user name.

Initial password: 6-24 characters long, excluding spaces.

Type: The user's privilege level. From the drop-down list choose admin, config, dynamic or show, as defined in Table 3-1.


Alternatively, to create a new user:

On the Users list screen (see the "Users List" section), click Add.

Users List

You may view the list of users defined on the Guard.

To view the list of users defined on the Guard:

From the main menu, select Users > Users list.

The list of users is divided into two categories:

System users—Users defined by the system. System users cannot be deleted. The system users are admin and riverhead.

Users—Users defined by the operator.

To remove a user:

1. Select the check box next to the user name.

2. Click Delete.

To add a user:

Click Add.

The user's privilege level is displayed for each user (see Table 3-1).

To reconfigure a user:

Click on the user name.

Changing a Password

To change the password:

1. From the Guard's main menu select Users > Change password.

The Change Password window appears.

2. Enter the existing password in the Old Password box.

3. Enter a new password in the New Password box, and re-enter the new password to verify your choice.

4. Click OK.

5. If an invalid password is entered or the new password is not verified correctly, an error message is displayed. Click Go Back to try again.

Users that have an Administrator privilege level may configure and change the password of all users defined on the Guard.

To reconfigure or change the passwords of users, other than the current one:

1. From the main menu select Users > Users list.

2. Click on the required user name.

3. Click Config.

4. Enter the new password.

5. Click OK.

Changing the Privilege Level

To change the user privilege level:

Delete the user (see the "Users List" section).

Re-create the user (see the "Creating Users" section).