-
Cisco Guard Configuration Guide (Software Version 5.0)
-
Index
-
Preface
-
Product Overview
-
Initializing the Guard
-
Configuring the Guard
-
Configuring Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Using Interactive Protect Mode
-
Understanding Attack Reports
-
Using the Guard Diagnostics Tools
-
Performing Maintenance Tasks
-
Analyzing Guard Mitigation
-
Configuring Traffic Diversion
-
Troubleshooting Diversion
-
Table Of Contents
Using Interactive Protect Mode
Activating Interactive Protect Mode
Deactivating Interactive Protect Mode
Using Interactive Protect Mode
When you enable zone protection, the Cisco Guard (Guard) analyses the zone traffic and searches for policy thresholds that have been exceeded. Once it detects a policy threshold that has been exceeded, it analyses the traffic and creates a set of filters (dynamic filters) to handle the traffic. The dynamic filters can either be activated automatically or interactively. This chapter describes the interactive protect mode and includes the following major sections:
•
Activating Interactive Protect Mode
•
Overview
When a DDoS attack begins, the Guard policies create dynamic filters. When the zone is in interactive protect mode, the Guard does not activate these dynamic filters automatically, but waits for you to decide what action to take. The filters that await your decision are called pending dynamic filters. The Guard groups the pending dynamic filters according to the policy that produced them in recommendations, which provide a summary of the pending filters and include information about the name of the policy that caused the creation of the pending dynamic filters, the data on the traffic anomaly that resulted in policy activation, the number of pending dynamic filters, and the recommended action. You decide which pending dynamic filters to accept, ignore, or direct to automatic activation, giving you greater control over which actions to take when an attack is in progress.
The Guard continues to produce pending dynamic filters as long as it is in interactive protect mode. You can activate interactive protect mode at any time during zone protection, but you can view recommendations and their pending dynamic filters only if the Guard is in interactive protect mode and a DDoS attack on the zone is in progress. You can configure the interactive protect mode when defining the zone, before or after activating zone protection.
When the Guard has more than 1,000 pending dynamic filters, it performs the following actions:
•
•
The Guard does not display a notification when new recommendations are available. To keep track of recommendations, do one of the following tasks:
•
•
•
You can stop interactive protect mode at any time and return to automatic protect mode. The Guard disregards any decisions made while in the interactive protect mode and accepts all currently pending dynamic filters. The policies resume their role of automatically producing and activating the dynamic filters. See "Configuring Policy Templates and Policies".
Activating Interactive Protect Mode
To activate interactive protect mode for an existing zone, enter the interactive command in zone configuration mode.
To create a new zone configured for interactive protect mode, enter the following command in configuration mode:
zone new-zone-name interactive
The new-zone-name argument specifies the name of the new zone. The zone name is an alphanumeric string that must start with a letter, cannot include any spaces, and can have no more than 63 characters.
The following example shows how to create a new zone configured for interactive protect mode:
user@GUARD-conf# zone scannew interactiveThe new zone is created with a default zone template that is configured for interactive protect mode. See "Configuring Zones" for more information.
Deactivating Interactive Protect Mode
To deactivate the interactive protect mode, enter the no interactive command in zone configuration mode. When you deactivate the interactive protect mode, the interactive status of the policies becomes always-accept.
The following example shows how to deactivate interactive protect mode for the zone scannet:
user@GUARD-conf-zone-scannet# no interactiveDisplaying Recommendations
You can display a list of all recommendations, a list of pending dynamic filters, or a specific recommendation for a zone by entering the following command in zone configuration mode:
show recommendations [recommendation-id] [pending-filters]
Table 8-1 provides the keywords and arguments for the show recommendations command.
The following example shows how to display a list of all recommendations:
user@GUARD-conf-zone-scannet# show recommendationsTable 8-2 describes the fields in the show recommendations command output.
To display a list of all recommendations with recommendation IDs before displaying pending filters for a specific recommendation, use the show recommendations command.
Table 8-3 describes the fields in the show recommendations pending-filters command output.
A value of * for any of the parameters indicates one of the following:
•
•
Note
The following example shows how to display the pending dynamic filters of recommendation 135:
user@GUARD-conf-zone-scannet# show recommendations 135 pending-filtersManaging Recommendations
You can decide whether or not to activate recommendations. You can make decisions for all recommendations, a specific recommendation, or for a specific pending dynamic filter. Your decisions determine whether or not the pending dynamic filters in a policy become dynamic filters and for how long.
You can instruct the Guard to automatically activate the pending dynamic filters of a specific policy. You can also instruct the Guard to prevent policies from producing recommendations. The Guard policies continue to produce recommendations if the zone is in interactive protect mode and a DDoS attack is in progress so we recommend that you view the zone status when you manage recommendations to verify the zone status and determine whether or not additional actions are required.
Note
To decide on recommendations for a zone, enter the following command in zone configuration mode:
recommendation recommendation-id [pending-filters pending-filter-id] decision [timeout]
Table 8-4 provides the arguments and keywords for the recommendation command.
Table 8-4 Arguments and Keywords for the recommendation
Commandrecommendation-id
The specific recommendation identification number. An asterisk (*) is a wildcard, indicating all recommendations.
(Optional) The ID for a specific pending dynamic filter.
The action taken on the recommendation. The following are possible values:
•
•
If you take this action, the Guard no longer displays such recommendations.
•
If you decide to always ignore a recommendation, the Guard no longer displays it.
timeout
(Optional) The length of time that the decision applies. The following are possible values:
•
•
You can configure the interactive status for a specific policy, or any part of it, and decide whether or not that part of the policy should produce recommendations and pending dynamic filters. Configuring the interactive status of a policy gives you control and enables you to improve how policies adapt to traffic flows. See "Configuring the Policy Interactive Status" section for more information.
The Guard does not display always-accept or always-ignore recommendations. When you decide to always ignore or accept a recommendation, your decision becomes part of the interactive-status of the policy that created the recommendation.
You can disable or inactivate a policy in order to prevent it from producing recommendations and their pending dynamic filters. Use the state command to disable or inactivate a policy. See the "Changing the Policy State" section for more information.
The following example configures the interactive status for dns_tcp policy templates with service 53, using the analysis protection level:
user@GUARD-conf-zone-scannet-policy-/dns_tcp/53/analysis/# interactive-status always-acceptSee the "Understanding Policy Path Sections" section for more information.
