Cisco Guard Web-Based Manager Configuration Guide (Software Version 5.0)

Learning Zone Traffic


The information in this chapter describes how to use the Guard learning process to analyze zone traffic and fine-tune the protection capabilities of the zone configuration.

This chapter includes the following sections:

Learning Process Overview

Performing the Learning Process

Performing the Learning Process Using Protect and Learn

Marking the Zone Policies as Tuned or Untuned

Managing Learning Process Snapshots

Comparing Policy Configurations of Two Zones or Snapshots

Learning Process Overview

The learning process allows the Guard to analyze zone traffic and create a set of zone-specific policies that are based on the traffic flow services the Guard detects. During the learning process, the Guard also tunes the threshold value of each policy it creates. The policy thresholds are reference points the Guard uses when protecting a zone to determine when the traffic rate exceeds its normal volume, indicating an attack on the zone. While the Guard is learning zone traffic, you monitor the learning process and decide whether to accept or reject the results of the learning process. When you accept the learning process results, the Guard saves the policy information to the zone configuration and deletes all of the previous zone configuration policies. If you reject the learning process results, the Guard deletes the learning process results and continues to use the policies already in place in the zone configuration.

This section contains the following learning process information:

Phases of the Learning Process

Protect and Learn Feature

Accept or Reject Learning Process Results

Phases of the Learning Process

The learning process consists of the following two phases, which you perform separately on the Guard:

Policy construction phase—In this phase, the Guard creates policies based on the services it detects in the traffic flow. Each policy is configured with an action that the Guard executes when it detects a traffic anomaly. Policy templates provide the guidelines the Guard follows when creating a policy. For example, a policy template can limit the number of policies the Guard can produce from the template during the policy construction phase. Policy templates also configure each policy the Guard creates from them with a default threshold value.

Threshold tuning phase—In this phase, the Guard tunes the thresholds of the zone policies. The policy threshold value is set to a value that allows normal traffic to pass through the Guard without activating the policy action. When protecting a zone, the Guard applies the zone policies to the traffic flow and if a policy threshold is exceeded, the Guard executes the policy action.

You cannot perform the policy construction phase on zones you create with a Guard_Link zone template.

To learn the zone traffic characteristics, the zone traffic must be diverted to the Guard. You must configure diversion before initiating the learning process, or divert the zone traffic to the Guard manually, using an external device. Configure zone diversion using the Guard routing configuration. You can configure the Guard routing configuration using the CLI only. See the Cisco Guard Configuration Guide for more information.

You can save the current results of either learning phase at any time of the learning process using the Guard snapshot feature. Taking a snapshot of the learning process allows you to view the policy information the Guard has created up to the point of the snapshot. Saving the results of the learning phase in a snapshot does not affect the zone configuration. You can take as many learning process snapshots as you like. You can also update the zone configuration with the policy information saved in a snapshot. For more details on using the snapshot function, see the "Managing Learning Process Snapshots" section later in this chapter.

Protect and Learn Feature

After the Guard performs the policy construction phase of the learning process, you can activate the Protect and Learn feature, which allows the Guard to look for traffic anomalies (Protect) while performing the threshold tuning phase (Learn) simultaneously. When the Guard detects an attack, it suspends the learning process and begins protecting the zone from the attack. The Guard resumes the learning process after it determines the attack has ended. The protect and learn operating state enables the Guard to protect the zone while constantly updating the policy thresholds according to normal zone traffic characteristics, and prevents the Guard from learning the thresholds of malicious traffic.

Accept or Reject Learning Process Results

You have the option of accepting or rejecting the results of a policy construction or threshold tuning phase while the phase is running or when you stop the phase. During the learning process, the Guard does not modify the policies of the zone configuration. Only after you accept the results of the learning phase does the Guard update the zone configuration and begin operating with the new policies or policy thresholds.

Performing the Learning Process

The procedures in this section describe how to start and stop the two different phases of the learning process: policy construction and threshold tuning. Use the learning process to optimize zone protection in the following ways:

Fine-tune the policies of a new zone configured with the default policies and policy thresholds of the zone template you selected

Update an existing zone configuration when zone traffic patterns change

To ensure the results of the learning process are accurate and configured for normal zone traffic, activate the learning process when the following zone traffic conditions exist:

Zone traffic is normal (not experiencing an attack)—This ensures that the Guard does not construct and tune the zone policies according to traffic characteristics of a DDoS attack. If you initiate the learning process when the zone is under attack, the Guard will learn the traffic patterns of the attack and save the learning results as the base for future reference. This will prevent the Guard from detecting future attacks because it may view them as normal traffic conditions.

Zone traffic is at its peak volume—This allows the Guard to configure the policy thresholds to values that are appropriate for normal peak traffic and ensures that the Guard does not perceive normal peak traffic conditions as an attack.

This section contains the following procedures:

Starting the Policy Construction Phase

Stopping the Policy Construction Phase

Starting the Threshold Tuning Phase

Accepting the Current Results of the Threshold Tuning Phase

Stopping the Threshold Tuning Phase

Starting the Policy Construction Phase

Use the policy construction phase after creating a new zone or any time the zone configuration needs updating with new service policies. After performing the policy construction phase, execute the threshold tuning phase to fine-tune the thresholds of each policy.


Note: You cannot perform the policy construction phase on a zone you create with one of the Guard_Link zone templates.


To start the policy construction phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Construct Policies from the zone main menu. The following actions occur:

The Guard begins analyzing the diverted zone traffic for the services used in the traffic flow and creates policies relating to the services it detects.

The zone status icon changes to Learning.

Step 3 (Optional) Choose Learning > Snapshot to save and review the current results, or policy suggestions, of the policy construction phase at any time during the phase. For details on using the snapshot function, see "Managing Learning Process Snapshots".


To allow the Guard enough time to receive and analyze an accurate representation of normal zone traffic, we recommend that you let the policy construction phase run for at least two hours before stopping this phase.

Stopping the Policy Construction Phase

To stop the policy construction phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 To accept or reject the current results of the policy construction phase, use one of the following options:

Choose Learning > Accept from the zone main menu to accept the results of the learning phase. The Guard deletes all of the current policies of the zone configuration and replaces them with the suggested zone policies. The Guard does not stop the policy construction phase and continues to learn the zone services.

Choose Learning > Stop Learning from the zone main menu. The Stop Learning window opens. Choose one of the following options and proceed to Step 3:

Reject—Rejects the suggested zone policies

Accept—Accepts the suggested zone policies

Step 3 This step is only required if you chose Learning > Stop Learning in Step 2. Select one of the following options:

OK—The results of this selection will vary depending on your choice to reject or accept the results of the policy construction phase:

If you selected Reject, the Guard deletes all of the suggested zone policies. No changes are made to the zone configuration.

If you selected Accept, the Guard deletes all of the current policies in the zone configuration and replaces them with the suggested zone policies, and the policy construction phase terminates.

Clear—The Stop Learning window reverts back to its default setting of Accept.

Cancel—The Stop Learning window closes and the policy construction phase continues.


We recommend activating the threshold tuning phase after accepting the results of the policy construction phase. The threshold tuning phase ensures that the threshold values of the accepted policies are configured to the characteristics of the zone traffic flow. Until you run the threshold tuning phase, the policies are configured with factory default threshold values.

Starting the Threshold Tuning Phase

Use the threshold tuning phase after performing the policy construction phase or any time the thresholds of the zone policies need updating.

To start the threshold tuning phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Tune Threshold from the zone main menu. The following actions occur:

The Guard begins analyzing the zone traffic and adjusts the threshold values of the zone policies to the characteristics of the traffic flow.

The zone status learning icon appears in the work area and next to the zone name in the navigation panel.

We recommend that you let the threshold tuning phase run for at least 24 hours before terminating this phase.

Step 3 (Optional) Choose Learning > Snapshot to save and review the current results, or threshold suggestions, of the threshold tuning phase at any time during the phase. For details on using the snapshot option, see the "Managing Learning Process Snapshots" section.


To allow the Guard enough time to receive and analyze an accurate representation of normal zone traffic, we recommend that you let the threshold tuning phase run for at least 24 hours before terminating this phase.

Accepting the Current Results of the Threshold Tuning Phase

To accept the current results of the threshold tuning phase and allow the Guard to continue the threshold tuning phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Accept from the zone main menu. The Accept Thresholds window opens.

Step 3 Define the threshold selection method to use. Table 7-1 describes the parameters listed in the Accept Thresholds window.

Table 7-1 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Method for selecting the thresholds to accept. Select one of the following options from the drop-down list:

Accept new thresholds—The Guard saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Guard compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Guard calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Guard rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

weight

This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


Step 4 Choose one of the following options:

OK—The Guard updates the policies of the zone configuration with the current results of the threshold tuning phase and the threshold tuning phase continues.

Clear—The Accept Thresholds window reverts back to its default settings.

Cancel—The Accept Thresholds window closes and the policy construction phase continues.


Stopping the Threshold Tuning Phase

To accept or reject the current results of the threshold tuning phase and stop the threshold tuning phase:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Stop Learning from the zone main menu. The Stop Learning window opens.

Step 3 Select one of the following options from the Stop Learning window:

Reject—Ignore the current results of the threshold tuning phase.

Accept—Use the current results of the threshold tuning phase in the zone configuration. Define the threshold selection method to use. Table 7-1 describes the threshold selection method parameters.

Table 7-2 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Accept new thresholds—The Guard saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Guard compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Guard calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Guard rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

weight

This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


Step 4 Choose one of the following options:

OK—The Guard updates the policies of the zone configuration with the current results of the threshold tuning phase and stops the threshold tuning phase.

Clear—The Stop Learning window reverts back to its default settings.

Cancel—The Stop Learning window closes and the threshold phase continues.


Performing the Learning Process Using Protect and Learn

The procedures in this section describe how to manage the Protect and Learn operation in which the Guard provides protection for the zone while learning zone traffic and making policy threshold adjustments. Prior to activating Protect and Learn, you can configure when and how the Guard accepts the results of the learning process. Note that the Guard suspends the learning process when it detects an attack on the zone and resumes the learning process when the attack has ended.

This section contains the following procedures:

Configuring Automatic Learning Parameters

Activating Protect and Learn

Deactivating Protect and Learn

Configuring Automatic Learning Parameters

Configuring the automatic learning parameters allows you to control when and how the Guard automatically accepts the current results of the learning process (threshold tuning phase) when you activate Protect and Learn.

To configure automatic learning:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Learning parameters from the zone main menu. The Learning parameters screen appears.

Step 3 Click Config. The Config learning parameters screen appears.

Step 4 Define the automatic learning parameters. Table 7-3 describes the learning parameters.

Table 7-3 Learning Parameters 

Parameter
Description

Zone is tuned

Marks the zone policies as tuned or untuned. Select this option to mark the policies tuned, allowing the Guard to immediately use the policies to protect the zone. Deselect this option to mark the policies untuned, requiring you to accept the results of the threshold tuning phase before the Guard can protect the zone. See the "Marking the Zone Policies as Tuned or Untuned" section for more information.

Set periodic learning

Enables the automatic learning process. Configure the following learning parameters when you select this option:

Learning cycle—Defines how often the Guard is to save the results of the learning process. Define the time period between saves in terms of weeks, days, hours, and minutes. Enter an integer from 0 to 1000 for each of the time fields.

Learning results—Defines how the Guard saves the results of the learning process. Select one of the following methods:

Automatic accept—Accept the learning process results (policy thresholds) that the Guard suggests to the zone configuration at the specified interval. The Guard saves a snapshot of the zone policies after accepting the newly suggested ones.

Snapshot only—Save a snapshot of the learning process (policy thresholds) at the specified interval. The Guard does not accept the new policies and does not modify the policy thresholds in the zone configuration.

Threshold selection method

Method for selecting the thresholds to accept. Select one of the following options from the drop-down list:

Accept new thresholds—The Guard saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Guard compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Guard calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Guard rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

weight

This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


Step 5 Choose one of the following options:

OK—The Guard saves the automatic learning parameters to the zone configuration.

Clear—The Learning Parameters form reverts back to its default settings.

Cancel—The Config learning parameters screen closes.


Activating Protect and Learn

Activating Protect and Learn allows the Guard to protect the zone while learning zone traffic and making policy threshold adjustments. Before activating Protect and Learn, you should verify whether the zone policies are marked as tuned or untuned as the Guard functions differently depending on the tuned state of the zone policies. If the policies are marked as tuned when you activate Protect and Learn, the Guard is able to detect attacks and learn zone traffic. If you activate Protect and Learn and the zone policies are marked as not tuned, the Guard functions in the following ways:

The Guard does not detect attacks in zone traffic until the zone policy thresholds are accepted once

The Guard activates a threshold selection method of Accept new thresholds only (see the "Configuring Automatic Learning Parameters" section)

For more information on marking policies tuned or untuned, see the "Marking the Zone Policies as Tuned or Untuned" section.

To activate Protect and Learn:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Click Protect and Learn.

The following actions occur:

The Guard diverts zone traffic to itself and begins analyzing the traffic flow for anomalies. Legitimate traffic is injected back into the network where it is forwarded to its intended destination. Malicious traffic is filtered by the Guard and dropped.

The Guard begins the threshold tuning phase of the learning process.

The zone name is added to the Protected Zones listing in the navigation pane.

The zone status icon changes from Standby to Protection.

The Recent Events table lists an event type of protection-start with a detail listing of Zone is protected.


Deactivating Protect and Learn

When you deactivate Protect and Learn, the Guard allows you to deactivate both zone protection and learning or just one of the two operations.

To deactivate Protect and Learn:


Step 1 Select a zone under protection from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to deactivate Protect and Learn:

From the zone status screen, click Deactivate.

From the zone main menu, choose Protection > Deactivate.

The Deactivate window opens.

Step 3 Click the check box next to the requested action. You can select one or both of the following actions:

Stop Protection—Stops zone protection.

Stop Learning—Stops the threshold tuning phase. Select one of the following options:

Reject—Ignores the current results of the threshold tuning phase.

Accept—Uses the current results of the threshold tuning phase in the zone configuration. Define the threshold selection method to use. Table 7-1 describes the threshold selection method parameters.

Table 7-4 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Accept new thresholds—The Guard saves the results of the learning process to the zone configuration.

Accept max. thresholds—The Guard compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—The Guard calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100

You define the weight value.

Keep current thresholds—The Guard rejects all of the suggested threshold values of the learning process and the policies retain their pre-threshold tuning phase values.

weight

This option is only active when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


The following actions occur when you deactivate both zone protection and learning:

The Guard stops diverting zone traffic to itself.

The zone name is removed from the Protected Zones listing in the navigation pane.

The zone status icon changes from Protection to Standby.

The Recent Events table lists an event type of protection-stop with a detail listing of Zone is not protected.


Marking the Zone Policies as Tuned or Untuned

The Guard considers zone policies to be either tuned or untuned depending on the following conditions:

Untuned—The Guard marks the zone untuned when the zone configuration is using the default policy threshold values of the zone template. The zone configuration uses the default policy threshold values after you perform one of the following actions:

Create a new zone

Accept the policy construction phase results for a zone

Add a service to the zone policies or remove a service from the zone policies

Tuned—The Guard marks the zone tuned after accepting the results of the threshold tuning phase, at which point the threshold values are tuned specifically to the zone traffic characteristics.

Knowing the tuned state of the zone is important when you activate Protect and Learn for the zone. If the tuned state of the zone is untuned when you activate Protect and Learn, the Guard is unable to detect an attack on the zone until it accepts the results of the threshold tuning phase as determined by the automatic learning parameters (see the "Configuring Automatic Learning Parameters" section). If you have the threshold selection method of automatic learning set to anything but Accept new thresholds, the Guard uses the Accept new thresholds setting to accept the first results of the threshold tuning phase. From that point on, the Guard uses the threshold selection method you selected.
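The four threshold selection methods and the untuned first-accept rule described above, replayed over several automatic learning cycles as an added example (not Cisco code). The method labels, the policy name, and all threshold values are constructed for illustration, and the 0 to 100 weight range is an assumption inferred from the formula.

```python
# Added example (not Cisco code): models the threshold selection methods and
# the untuned first-accept rule from this chapter. Method labels, the policy
# name, and all threshold values are constructed for illustration.


def select_threshold(current, learned, method, weight=0):
    """Return the threshold saved to the zone configuration for one policy."""
    if method == "new":         # Accept new thresholds
        return learned
    if method == "max":         # Accept max. thresholds (the default method)
        return max(current, learned)
    if method == "weighted":    # Accept weighted thresholds
        # Assumption: weight is a percentage; the guide gives only the formula.
        if not 0 <= weight <= 100:
            raise ValueError("weight must be between 0 and 100")
        return (learned * weight + current * (100 - weight)) / 100
    if method == "keep":        # Keep current thresholds
        return current
    raise ValueError(f"unknown threshold selection method: {method}")


class Zone:
    """Minimal model of a zone configuration: policy thresholds + tuned flag."""

    def __init__(self, thresholds, tuned=False):
        self.thresholds = dict(thresholds)
        self.tuned = tuned

    def accept(self, learned, method, weight=0):
        """Accept one set of threshold tuning results.

        While the zone is untuned, the first accept always behaves as
        "Accept new thresholds", whatever method is configured. After that
        accept the zone is tuned and the configured method applies.
        Returns the method that was actually used.
        """
        effective = method if self.tuned else "new"
        for policy, learned_value in learned.items():
            if policy not in self.thresholds:
                continue  # this model only tunes policies that already exist
            self.thresholds[policy] = select_threshold(
                self.thresholds[policy], learned_value, effective, weight
            )
        self.tuned = True
        return effective


def replay(method, learned_cycles, weight=0, default=100, tuned=False):
    """Run periodic automatic accepts and return the threshold after each."""
    zone = Zone({"policy_a": default}, tuned=tuned)
    history = []
    for learned in learned_cycles:
        zone.accept({"policy_a": learned}, method, weight)
        history.append(zone.thresholds["policy_a"])
    return history


# Constructed learned thresholds for four learning cycles. The third cycle is
# abnormally high, e.g. a traffic surge that was learned rather than filtered.
CYCLES = [480, 520, 5000, 500]

if __name__ == "__main__":
    for method, weight in (("new", 0), ("max", 0), ("weighted", 25), ("keep", 0)):
        print(f"{method:9} weight={weight:3} -> {replay(method, CYCLES, weight)}")
```

With the default max method the one inflated cycle stays in the zone configuration on every later accept, while the weighted method absorbs only part of it and decays on following cycles. On an untuned zone, "keep" still takes the first learned value because of the first-accept rule.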

You can manually change the tuned state of a zone and may consider changing the state to tuned when one of the following conditions applies:

You created the zone by copying an existing zone configuration with similar traffic characteristics

You have manually configured all policy thresholds

You may consider changing the tuned state of the zone to untuned when one of the following conditions applies:

A major change was made in the zone network

The zone IP address or subnet was modified

You did not initiate the detect and learning operation state during peak traffic time (this is to prevent the Guard from regarding the traffic during peak time as an attack)

When you mark the zone untuned, the Guard disregards the current policy thresholds and does not detect an attack on the zone when these thresholds are exceeded.

To mark the zone as tuned or untuned:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Learning parameters from the zone main menu. The Learning parameters screen appears.

Step 3 Click Config. The Config learning parameters screen appears.

Step 4 From the Learning Parameters form, select one of the following options:

Select Zone is tuned—The Guard marks the policies as tuned and can immediately use the policies to protect the zone.

Deselect Zone is tuned—The Guard marks the policies untuned, requiring you to accept the results of the threshold tuning phase before the Guard can activate zone protection in protect and learn mode.

Step 5 Choose one of the following options:

OK—The Guard saves the tuned setting to the zone configuration.

Clear—The Learning Parameters form reverts back to its default settings.

Cancel—The Config learning parameters screen closes.


For a complete description of the Learning Parameter Form options, see the "Configuring Automatic Learning Parameters" section.

Managing Learning Process Snapshots

The Guard snapshot feature allows you to save zone policy information for viewing and policy comparison purposes. Using the snapshot feature, you can perform the following actions:

View the current results of the learning process

Save the snapshot policy information to the zone configuration

Compare the policy results of the snapshot with another snapshot or zone configuration (see the "Comparing Policy Configurations of Two Zones or Snapshots" section)

Back up the current zone policies contained in the zone configuration

At any stage of the learning process, you can save a snapshot of the current learning parameters (services, thresholds, and other policy-related data). The Guard continues performing the current learning phase while it records the snapshot information and assigns a consecutive ID number to the snapshot.

This section contains the following procedures:

Taking a Snapshot of Current Learning Process Results

Taking a Snapshot of the Zone Configuration Policies

Viewing, Modifying, or Saving Snapshot Results

Deleting a Snapshot

Taking a Snapshot of Current Learning Process Results

To take a snapshot of the current learning process results (policy construction or threshold tuning):


Step 1 Select a zone currently in a learning phase from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Snapshot from the zone main menu. The Guard saves the zone policies and assigns a consecutive ID number to the snapshot.


Taking a Snapshot of the Zone Configuration Policies

When you take a snapshot of a zone that is not learning zone traffic (the zone is either in standby or protect mode), the Guard creates a snapshot that contains the current policy information of the zone configuration. You can use this type of snapshot to create a backup of the zone policies or for comparison purposes.

To create a snapshot of the zone configuration policies:


Step 1 Select a zone from the navigation pane that is not currently in a learning phase. The zone main menu appears.

Step 2 Choose Learning > Snapshot from the zone main menu. The Guard saves the policies contained in the zone configuration to the snapshot and assigns a consecutive ID number to the snapshot.


Viewing, Modifying, or Saving Snapshot Results

To view, modify, or save a snapshot result to the zone configuration:


Step 1 Select a zone currently in a learning phase from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Snapshot List from the zone main menu. The list of snapshots appears, displaying the ID number of each snapshot along with the date and time the snapshot was taken.

Step 3 Select the snapshot ID number or date to view. The Policies screen appears, displaying the policies the Guard recorded at the time of the snapshot.

Step 4 (Optional) From the Policies screen of the snapshot, choose one of the following options:

Configure Selection—Reconfigure the parameters of one or more of the policies (see the "Modifying Policy Parameters" section in "Managing Zone Policies")

Add service or Remove service—Add or remove a service to the list of services detected at the time of the snapshot (see the "Adding a Service" or "Deleting a Service" sections in "Managing Zone Policies")

Accept Thresholds—Saves the policies of the snapshot to the zone configuration.


Deleting a Snapshot

To delete a snapshot:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Learning > Snapshot List from the zone main menu. The list of snapshots appears and displays the ID number of each snapshot along with the date and time the snapshot was taken.

Step 3 Check the check box next to the ID number of the snapshot to delete.

Step 4 Click Delete. The Guard deletes the selected snapshot from the Snapshot list.


Comparing Policy Configurations of Two Zones or Snapshots

You can compare the policy configurations of two zones, two snapshots, or a zone and a snapshot. The Guard traces differences in policy configuration services, policies, and policy thresholds. When comparing the policy configurations of two zones or snapshots, you can perform the following actions:

Define the comparison sensitivity level

Delete or add policy configuration attributes to make the two compared zones more alike

Accept learned policy attributes selectively

This section contains the following procedures:

Viewing Policy Configuration Differences

Deleting Base Zone Services

Adding Base Zone Services

Copying Policy Parameters to the Base Zone

Viewing Policy Configuration Differences

To compare and display the policy differences of two zones or snapshots:


Step 1 Use one of the following methods to begin the policy comparison process:

From the Guard summary main menu, choose Zones > Compare Zone policies.

From the zone main menu, choose Configuration > Compare policies.

The Policies Comparison query screen appears.

Step 2 Define the base and compare zones or snapshots. Table 7-5 describes the Policies Comparison query parameters.

Table 7-5 Policies Comparison Parameters

| Parameter 1 | Parameter 2 | Description |
|---|---|---|
| Base Zone | Zone | Name of the zone or snapshot. If you require configuration changes to correct differences between the two zone policy configurations being compared, you make the changes to the base zone. Choose the base zone from the drop-down list. |
| Base Zone | Policy Configuration | Policy configuration of the selected base zone. The default value is the current policy configuration of the zone configuration, but if snapshots are available, they display as well in the drop-down list. Choose the base zone policy configuration from the drop-down list. |
| Compared Zone | Zone | Name of the zone or snapshot being compared to the base zone. Choose the compared zone from the drop-down list. |
| Compared Zone | Policy Configuration | Policy configuration of the selected compared zone. The default value is the current policy configuration of the zone configuration, but if snapshots are available, they display as well in the drop-down list. Choose the policy configuration from the drop-down list. |
| Minimal difference | | Percentage of differences between the base and compared zone policy configurations. The Guard traces any parameters that differ by more than the percentage defined. By default, the Guard traces every difference in the compared zone (100%). Enter the difference percentage value. |


Step 3 Choose one of the following options:

OK—Compares the policy configurations of the two zones. The Policy Comparison screen appears and displays the differences in services and policy parameters (see Figure 7-1).

Cancel—Exits the Policies Comparison query without comparing any zone policies.


Figure 7-1 shows an example of the policy comparison tables. The policy configuration attributes specific to the base zone display in black and attributes specific to the compared zone display in red.

Figure 7-1 Policy Comparison Tables

The policy comparison screen is divided into two sections:

Difference in services—The two tables in this section display the following information:

Services present only in the base zone policies.

Services missing from the base zone. The services in this list are only defined in the compared zone.

Difference in policy parameters—Differences in the operational parameters of the policies (state, action, threshold, proxy-threshold) display. Each section in the table displays the differences found in a single policy. The first row in each section displays the base zone parameters. The second row of each section displays the compared zone parameters.


Note The Guard displays a check box only next to the listed services that you can add to, or delete from, the base zone. Some listed services cannot be added or deleted because they are not specific services, such as those of the type any.


Deleting Base Zone Services

To delete services from the base zone configuration:


Step 1 From the Services only in zone name table, click the check boxes next to the desired services to remove from the base zone configuration. To select all of the table entries, click the check box in the table header.

Step 2 Click Delete. The Guard removes the selected services from the base zone policy configuration.


Adding Base Zone Services

To add services to the base zone configuration:


Step 1 From the Services missing from zone name table, click the check boxes next to the services to add to the base zone configuration. To select all of the table entries, click the check box in the table header.

Step 2 Click Add. The Guard adds the selected services to the base zone policy configuration.


Copying Policy Parameters to the Base Zone

To copy the policy parameters from the compared zone to the base zone:


Step 1 From the Difference in policy parameters table, click the check boxes next to the policies to copy to the base zone. To select all of the table entries, click the check box in the table header.

Step 2 Click Copy Parameters. The Guard copies the selected policies from the compared zone (red) to the base zone (black) policy configuration and removes the selected policies from the table.
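
The comparison screen and the three reconciling actions described above (Delete, Add, Copy Parameters) can be modeled offline to review what a base zone would look like before you change it. The following Python sketch is an added example, not Guard code: the dictionary layout, the service strings, the policy name, and the parameter values are constructed, the "/any" suffix used to mark non-specific services is an assumption, and the Minimal difference filter is not modeled.

```python
# Added illustration, not Guard code. Dict layout, service strings and policy
# names are constructed; the Minimal difference filter is not modeled.
import copy

PARAMS = ("state", "action", "threshold", "proxy-threshold")

def compare(base, compared):
    """Model the two sections of the policy comparison screen."""
    b_svc, c_svc = set(base["services"]), set(compared["services"])
    diffs = {}
    for name in sorted(base["policies"].keys() & compared["policies"].keys()):
        b, c = base["policies"][name], compared["policies"][name]
        if any(b.get(p) != c.get(p) for p in PARAMS):
            # Row 1 holds base zone values, row 2 compared zone values.
            diffs[name] = ([b.get(p) for p in PARAMS], [c.get(p) for p in PARAMS])
    return {"only_in_base": sorted(b_svc - c_svc),
            "missing_from_base": sorted(c_svc - b_svc),
            "param_diffs": diffs}

def selectable(service):
    """Assumption: type-any services get no check box (per the Note)."""
    return not service.endswith("/any")

def reconcile(base, compared):
    """Apply Delete, Add and Copy Parameters to a copy of the base zone."""
    work, d = copy.deepcopy(base), compare(base, compared)
    drop = {s for s in d["only_in_base"] if selectable(s)}
    work["services"] = [s for s in work["services"] if s not in drop]         # Delete
    work["services"] += [s for s in d["missing_from_base"] if selectable(s)]  # Add
    for name in d["param_diffs"]:                                   # Copy Parameters
        work["policies"][name] = copy.deepcopy(compared["policies"][name])
    return work, compare(work, compared)

# Constructed sample: live zone configuration vs. a learning snapshot.
BASE = {"services": ["tcp/80", "tcp/25", "udp/any"],
        "policies": {"tcp/80 syn": {"state": "active", "action": "filter",
                                    "threshold": 500, "proxy-threshold": 1500}}}
SNAPSHOT = {"services": ["tcp/80", "udp/53"],
            "policies": {"tcp/80 syn": {"state": "active", "action": "filter",
                                        "threshold": 820, "proxy-threshold": 1500}}}

if __name__ == "__main__":
    print(compare(BASE, SNAPSHOT))
    work, remaining = reconcile(BASE, SNAPSHOT)
    print(work["services"], remaining)
```

In the sample, the type-any service stays listed under the base-only services after reconciliation because it cannot be selected for deletion.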