Cisco Guard Configuration Guide (Software Version 5.0)
Index


Symbols

#9-12

A

AAA

accounting3-16

authentication3-6

authorization3-13

configuring3-4

aaa accounting command3-16

aaa authentication command3-6

aaa authorization command3-13

accounting, configuring3-16

action command7-28

action flow9-16

activation-extent command5-39

activation interface5-37

activation-interface command5-38

activation method5-37

activation sensitivity5-38

add-service command7-14

admin privilege level2-10

always-accept7-30

always-ignore7-30

analysis protection level1-7, 7-16

anomaly

detected9-4

flow9-12

anti-spoofing drop statistics12-11

arp command10-34

attack-detection command5-42

attack report

copying9-18, 9-19

detected anomalies9-4

dropped/replied packets9-3

exporting9-17

exporting automatically9-17

history11-7

layout9-2

mitigated attacks9-5

notify9-12

statistics9-3

timing9-2

viewing9-12, 12-6

attack statistics12-7

attack type

client9-8

malformed packets9-10

mitigated attack9-14

user defined9-9

zombie9-8, 9-10

authentication, configuring3-6

authorization, configuring3-10, 3-11

auth packet types7-17

automatic protection mode5-36

automatic protect mode1-5, 5-36

B

bad packets to proxy drop statistics12-11

basic

User filter actions6-21

basic protection level1-7, 7-16

Berkeley Packet filter6-12

BGP

announcementA-20

Cisco router configuration example4-7

configuration4-3

configuration example4-6

diverting methodA-8

Guard configuration4-11

Guard configuration4-4

Juniper router configuration example4-8

block Dynamic filter actions6-28

block-unauthenticated policy action7-29

burn flash11-12

Bypass filter

command6-17

configuring12-6

definition1-7, 6-2

deleting6-19

viewing6-18

C

capture, packets10-17

caution

symbol overviewxxx

CFE11-12

clear log command10-12

CLI

changing prompt3-33

command shortcuts2-17

error messages2-15

getting help2-16

issuing commands2-13

TAB completion2-16

using2-10

client attack9-14

client attack mitigated attacks9-8

command line interface

See CLI2-10

command shortcuts2-17

config privilege level2-10

configuration

file

copying11-2

exporting11-2

importing11-3

viewing10-2

saving on supervisor4-1

configuration, accessing command mode3-15

configuration mode2-11

configure command2-18

console

connecting2-8

local connection2-9

constructing policies5-15

copy command

packet-dump10-22

copy commands

ftp running-config5-29, 11-4

log10-8, 10-11

new-version11-9

reports9-19

running-config11-2

zone log10-11

copy-from-this5-7

copy-policies command7-41

counters

history10-4

counters, viewing10-4

cpu utilization10-34

D

date command3-28

DDoS

attack classification12-7

overview1-2

deactivate command5-18, 5-36

deactivating commands

commands, deactivating2-14

deactivating protection5-41

default-gateway command2-27

default zone5-39

description command5-10

detected

anomalies9-4

flow9-16

diff command7-38, 7-39

disable command7-10

disk usage11-6

distributed denial of service

See DDoS

diversionA-2

BGP4-1

BGP diverting method4-4, A-8

dynamic next hopA-10

layer 2 topologyA-5

layer 3 topologyA-4

long diversion4-38, A-7, A-19

static next hopA-9

troubleshooting12-2

Tunnel4-35

tunnel4-35, A-18

divert-from routerA-2

DNS

detected anomalies9-4

drop statistics12-10, 12-11

TCP policy templates7-4

drop

Dynamic filter action6-27

policy action7-29

statistics12-8

User filter action6-21

dropped packets

attack report9-3

learning5-13

drop-statistics command12-8

dst traffic characteristics7-18

Dynamic filter

actions6-20, 6-27

command6-29, 6-33

deactivating6-34

definition1-7

deleting6-33, 12-5

inactivating12-5

overview6-2, 6-27

preventing production of6-34

sorting6-31

terminating6-35

viewing6-30, 12-4

zone malicious rate6-35

Dynamic filters

1000 and more6-31

displaying events10-9

dynamic privilege level2-10

E

enable

command3-12, 7-10

password command3-12

enabling services3-3

event log

deactivating10-8

event log

activating10-7

event monitor command10-7

export command10-9

packet-dump10-21

exporting

configuration file11-2

log file10-11

reports automatically9-17

export packet-dump command10-21

export reports command9-18

extracting signatures10-27

F

facility10-8

FBF

Juniper router configuration example4-16

filter rate

termination threshold6-35

filters

Bypass1-7, 6-16

Dynamic1-7, 6-2, 6-27

Flex-Content1-7, 6-4

overview6-2

User1-7, 6-20

filter-termination command6-35

first-hit3-20

fixed-threshold7-23

flash-burn command11-12

Flex-Content filter

configuring6-5

default configuration10-46

definition1-7, 6-2

dropped12-8

renumbering6-5

viewing6-14

flex-content filter

displaying6-14

filtering criteria6-4

forwarding4-9, A-8

Layer 24-9

layer 2A-11

layer 3A-11

PBR-DST4-12

PBR-VLAN4-23

PBR VLANA-14

policy based routing4-12

VLAN VRFA-15

VPN routing4-19

VRFA-12

VRF-VLAN4-27

fragments

detected anomalies9-4

policy template7-4

front panel2-3

G

generating signatures10-27

global mode2-11

global traffic characteristics7-18

GRE

See tunnel2-24

Guard

self protection10-45

H

history command11-7

host, logging10-9

host keys

deleting3-25, 3-27

hostname

changing3-33

command3-33

HTTP

detected anomalies9-4

policy template7-5

hybrid9-14

I

in-band

configuring interface2-20

incoming TCP drop statistics12-9

injecting trafficA-23

inject-to routerA-2

in packet types7-17

install new-version command11-10

interactive

operation mode8-3

policy status7-31

interactive protection mode5-36

interactive protect mode1-5, 5-36

interactive-status command7-30

interface

activating2-19, 2-21

command2-20, 2-22, 2-23, 2-24

configuration mode2-11

configuring2-20

configuring IP address2-20 to 2-23, 2-24

out-of-band2-19

ip address

modifying, zone5-9

ip address command2-24

interface2-20 to 2-23

zone5-8, 5-43

IPIP

See tunnel2-24

ip route command2-27

IP scan

detected anomalies9-4

policy template7-5

J

Juniper

routing instance4-31

routing instancesA-16

K

keepalive command2-25

key command

add3-27, 3-30

generate3-32

remove3-31

L

L2F4-9, A-11

configuration4-11

router configuration4-12

land attack drop statistics12-11

layer 2 topologyA-5

layer 3 topologyA-4

learning

command5-16, 5-20

constructing policies5-15

dropped packets5-13

overview5-11

policy-construction command5-15

synchronizing results5-14

terminating process5-16, 5-20

threshold-tuning command5-18

tuning thresholds5-17

learning accept command5-16, 5-19

learning params

threshold-selection command5-23

learning-params

deactivating periodic action5-19

deactivating periodic-action command5-16

periodic-action command5-16, 5-19, 5-22

threshold-multiplier command7-24

threshold-selection command5-19

threshold-tuned command5-9, 5-25

learning-params fixed-threshold command7-23

LINK templates5-15

log

displaying subzones5-41

log file

clearing10-12

exporting10-8, 10-11

history11-7

viewing10-10

logging, viewing configuration10-10

logging command10-8

long diversion4-38, A-7, A-19

Cisco router configuration4-41

Guard configuration4-40

M

malformed packets9-14

mitigated attacks9-10

malformed packets drop statistics12-11

malicious rate termination threshold6-34

management

overview2-30

SSH2-31

WBM2-30

max-services command7-9

memory consumption10-33

MIB, supported3-2

min-threshold command7-9

mitigated attacks

client attack9-8

malformed packets9-10

overview9-5

spoofed9-6

user defined9-9

modules

overview7-16

recognition10-33

monitoring

network traffic10-21, 10-22

MPLS LSPA-22

mtu command2-20, 2-22, 2-24

N

netstat command10-37

new version

installing11-10

upgrading11-9

next hop discoveryA-24

IGPA-26

IGP + BGPA-27

routing protocolsA-24

next-hop routerA-2

no learning command5-16, 5-20

non DNS drop statistics12-11

no proxy policy templates7-7

notify9-12

notify policy action7-29

ns policy templates7-7

NTP3-28

enable service3-29

permit3-29

server3-29

num_sources packet type7-17

O

on-demand5-42

other protocols

detected anomalies9-4

policy template7-5

other protocols drop statistics12-9

out_pkts packet types7-17

outgoing TCP drop statistics12-9

out-of-band

configuring interface2-20

out-of-band interface2-19

P

packet-dump

auto-capture command10-16

automatic

activating10-14

deactivating10-16

displaying settings10-16

exporting10-21, 10-22

signatures10-28

packet-dump command10-17

packets, capturing10-17

password

changing3-9

enabling3-12

encrypted3-8

password, recovering11-13

PBRA-9, A-11

PBR-DST4-12

Cisco router configuration4-15

configuration4-13

example4-15

Guard configuration4-14

PBR-VLAN4-23

PBR-VLAN

Guard configuration4-24

PBR VLANA-14

pending Dynamic filters8-2

viewing8-6

periodic action

accepting policies automatically5-19

accepting policies automatically5-16

deactivating5-16, 5-19

permit

command2-30, 2-31, 3-3

User filter action6-21

ping command10-42

pkts packet type7-17

policy

action7-19, 7-28, 7-29

activating7-20

adding services7-13

backing up current5-13, 7-37, 7-42

command7-19

configuration mode2-12

constructing1-5, 5-12, 5-15, 7-4

copying parameters7-41

copy-policies7-41

deleting services7-14

disabling7-20

inactivating7-20

learning-params, fixed-threshold command7-23

marking as tuned5-9, 5-25

marking threshold as fixed7-23

multiplying thresholds7-25, 12-4, 12-5

navigating path7-19

packet types7-16

proxy threshold7-27

show statistics7-33

state7-20

structure7-2

threshold7-4, 7-19, 7-22

threshold-list command7-26

timeout7-19, 7-28

traffic characteristics7-18

tuning thresholds1-5, 5-12, 5-17, 7-4

using wildcards7-19, 7-33

viewing12-5

viewing statistics5-21

Policy Based RoutingA-9

policy-based routing4-12

policy set-timeout command7-28

policy template

command7-7, 7-8, 7-10

configuration command level7-8

configuration mode2-12

displaying list7-7

max-services7-9

min-threshold7-9

overview7-4, 7-12

parameters7-7

state7-10

policy-template add-service command7-14

policy-template remove service command7-14

port scan

detected anomalies9-5

policy template7-5

poweroff command11-9

possible next-hop routersA-2

privilege levels2-10

assigning passwords3-12

moving between3-12

protect

activating2-29

automatic mode1-5, 5-36

command5-33

deactivating5-36

deactivating automatically5-41

entire zone5-33

inactivity timeout5-41

interactive mode1-5, 5-36

on-demand5-42

specific IP5-35

specific ip address5-35

specific zone IP5-34

specific zone ip address5-34

protect command5-36

protection-end-timer command5-41

protection level

analysis1-7, 7-16

basic1-7, 7-16

strong1-7, 7-16

protect learning command5-18

protect-packet command5-38

protocol traffic characteristics7-18

proxy

command2-29

configuring2-29

no proxy policy templates7-7

proxy-threshold command7-27

public-key

displaying3-32

R

rack mount specifications2-2

rate-limit command5-9, 6-16

Rate Limiter

dropped12-8

rates

history10-4

rates, viewing10-4

reactivate-zones11-8

rear panel2-4

reboot command11-8

rebooting

parameters11-8

recognition module10-33

recommendations

accepting8-8

activating8-3, 8-7

change decision7-30

command8-7

deactivating8-3

displaying8-2

ignoring8-8

overview8-2

receiving notification8-2

viewing8-4

viewing pending-filters8-6

redirect/zombie

Dynamic filter action6-28

policy action7-29

reload command11-8

remove service command7-14

renumbering Flex-Content filters6-5

renumbering User filters6-22

replied packets9-3

report

See attack report9-2

reports

details9-12

displaying subzones5-41

reqs packet type7-17

router configuration mode2-11

routing instance4-31

routing instancesA-16

routing table

GRMB-6

manipulation2-27

viewing2-28

zebra applicationB-6

running-config

copy11-2

copy ftp5-29, 11-4

show10-2

S

self-protection command10-45

service

adding7-13

command2-30, 3-3

copy7-41

deleting7-14

permissions3-3

snmp-trap3-33

wbm2-30

services

enabling3-3

set-action7-29

show commands

counters10-4

cpu10-34

diagnostic-info10-32

disk-usage11-6

drop-statistics12-8

dynamic-filters6-30, 12-4

flex-content-filter6-14

host-keys3-27

log10-10

log export-ip10-10

logging10-10

memory10-33

packet-dump10-16

packet-dump signatures10-28

policies7-32, 12-3, 12-5

policies statistics5-21, 7-33

public-key3-32

rates10-4, 12-2

recommendations8-4, 8-5

recommendations pending-filters8-6

reports12-6

reports details9-12

running-config10-2

show10-3

sorting dynamic-filters6-31

templates5-6

zone policies7-32

show privilege level2-10

show public-key command3-32

shutdown command2-21

signature

generating10-27

snapshot

backing up policies5-13, 7-37, 7-42

command7-36

comparing7-38

deleting7-37

displaying7-39

saving7-36, 7-37

snapshot command7-35

SNMP

traps description3-35

SNMP, accessing3-2

SNMP, configuring trap generator3-34

snmp commands

community3-38

trap-dest3-34

source IP

tunnel2-24

specific IP threshold7-26

speed command2-21

spoofed attack9-14

spoofed attacks9-6

src traffic characteristics7-18

SSH

configuring2-31

deleting keys3-31

generating key3-32

service2-31

state command7-20, 12-5

static route

adding2-27

strong

Dynamic filter action6-27

policy action7-29

protection level1-7, 7-16

User filter action6-21

sub zone5-39, 5-40

subzone

displaying logs and attack reports5-41

supervisor module

saving configuration4-1

syn_by_fin packet type7-17

syns packet type7-17

syslog

configuring export parameters10-8

configuring server10-9

message format10-8

system log

message format10-8

T

TACACS+

authentication

key generate command3-24, 3-27

clearing statistics3-21

configuring search3-19

configuring server3-17

server connection timeout3-20

server encryption key3-19

server IP address3-18

viewing statistics3-21

tacacs-server commands

clear statistics3-21

first-hit3-17, 3-20

host3-17, 3-18

key3-17, 3-19

show statistics3-21

timeout3-17, 3-20

TCP

detected anomalies9-5

drop statistics12-10, 12-11

no proxy policy templates7-7

policy templates7-5

templates

LINK5-15

viewing policies5-6

zone5-5

thresh-mult7-25, 12-4, 12-5

threshold

command7-22

configuring list7-26

configuring specific IP7-26

filter rate termination6-34

malicious rate termination6-34

marking as tuned5-9, 5-25

multiplying12-4, 12-5

multiplying before accepting7-24

selection7-36

setting as fixed7-22

tuning1-5, 5-12

threshold-list command7-26

threshold selection5-19

time, configuring3-28

timeout command7-28

timezone3-29

to-user-filters

Dynamic filter action6-28

policy action7-29

traceroute command10-40

traffic

monitoring10-21, 10-22

traffic forwarding4-9, A-8

traffic injectionA-23

trap10-8

trap-dest3-34

tuning policy thresholds5-17

tunnel

commands2-24

configuring2-24

GRE keepalive2-25

tunnel diversion4-35, A-18

Cisco router configuration4-37

Guard configuration4-36

U

UDP

detected anomalies9-5

drop statistics12-10

policy templates7-6

unauthenticated drop statistics12-9

unauth_pkts packet type7-17

unauthenticated TCP detected anomalies9-5

upgrading11-9

USB

connecting mini cable2-7

user

detected anomalies9-5

user defined mitigated attacks9-9

User filter

actions6-20, 6-21, 6-27

command6-5, 6-22

configuring6-20

definition1-7, 6-2

deleting6-26

renumbering6-22

viewing6-25

username

encrypted password3-8

username command3-8

users

adding3-8

adding new3-8

admin2-18

assigning privilege levels3-7

deleting3-10

privilege levels2-10, 3-11

riverhead2-18

V

VLAN

configuring2-22

VLAN policy based routing4-23

VLAN VPN routing forwarding4-27

VLAN VRFA-15

VPN Routing ForwardingA-9

VPN routing forwarding4-19

VRFA-9, A-12

VRF-DST

Guard configuration4-20

VRF-DST

Cisco router configuration4-21

VRF-VLAN4-27

W

WBM

activating2-30

X

XML schema10-21, 10-22

Z

zebra routing tableB-6

zombie9-14

packet counter10-5

zombie attack9-16

zone

blocking criteria12-4

blocking flows12-2, 12-3

command5-3, 5-7, 8-3

comparing7-39

configuration mode2-12, 5-8

copying5-6

creating5-3

creating default5-39

definition1-3, 5-2

deleting5-6

duplicating5-6, 5-7

IP address5-8

learning5-11

LINK templates5-15

malicious rate5-42

modifying IP address5-9

operation mode5-4

protecting5-31

reconfiguring5-8

sub5-39, 5-40

synchronize configuration5-27

synchronizing offline5-29

templates5-5

viewing configuration5-10

viewing policies7-31

viewing status10-3

zone-malicious-rate6-35

zone policy

marking as tuned5-9, 5-25

zone protection

terminating5-36, 5-41