Cisco Guard Web-Based Manager Configuration Guide (Software Version 5.0)
Managing Zone Policies

Table Of Contents

Managing Zone Policies

Viewing Zone Policies

Modifying Policy Parameters

Modifying a Single Policy

Modifying Multiple Policies Simultaneously

Adding or Deleting an IP Address and Threshold

Adding an IP Address and Threshold

Deleting an IP Address and Threshold

Adding or Deleting a Service

Adding a Service

Deleting a Service


Managing Zone Policies


In addition to using the learning process to create policies tuned to the characteristics of the zone traffic, the Guard allows you to modify the policies of a zone configuration. This chapter describes how to manually fine-tune the protection capabilities of the zone configuration.

This chapter includes the following sections:

Viewing Zone Policies

Modifying Policy Parameters

Adding or Deleting an IP Address and Threshold

Adding or Deleting a Service

Viewing Zone Policies

To view the policies of a zone configuration:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears (see Figure 8-1 and Table 8-1).

Step 3 (Optional) To set a screen filter, click Set screen filter in the Policies screen. The Policy Filter window opens.

Step 4 Configure the screen filters to use. Table 8-1 describes the screen filter parameters listed in the Policy Filter window. Select the desired display parameters from the corresponding drop-down lists. When changing multiple filter parameters, begin from the top and work your way down the parameters of the Policy Filter window. When you change one of the filtering parameters, all the parameters listed below it are automatically reset to their default setting.

Table 8-1 Policy Filter Parameters 

Parameter
Restricts the display to . . .

Policy template

Policies created from the selected policy template.

Service

Policies created for the selected service.

Protection level

Policies of the selected protection level.

Type

Policies of the selected packet type.

Policy

Policies of the selected name.

State

Policies of the selected operating state.

Action

Policies configured with the selected action.

Policies

Policies of the current running configuration or of a snapshot (if available).



Figure 8-1 contains a sample of the Policy screen.

Figure 8-1 Policy Table

Table 8-2 describes the fields in the Policy Table.

Table 8-2 Field Descriptions for Policy Table 

Field
Description

Policy Template

Policy template the Guard used to construct the policy.

Service

Service in the traffic flow that the policy monitors. A service is either an application port or a protocol. You can add services to better tailor the policy configuration the Guard created for the zone during the learning process. See the "Adding or Deleting a Service" section.

The Guard displays a service value of any for all traffic that does not specifically match other services created from the same policy template.

Level

Protection level that the policy applies to the traffic flow.

There are three protection levels:

Analysis

Basic

Strong

Type

Type of traffic flow packet or connection.

Packet type values:

auth_pkts—Packets that underwent either TCP handshake or UDP authentication.

auth_tcp_pkts—Packets that underwent TCP handshake.

auth_udp_pkts—Packets that underwent UDP authentication.

in_conns—Zone incoming connections.

in_pkts—Zone incoming DNS query packets.

in_unauth_pkts—Zone incoming unauthenticated DNS queries.

num_sources—Number of TCP source IP addresses, destined to the zone, that have been authenticated by the Guard anti-spoofing features.

out_pkts—Zone incoming DNS reply packets.

reqs—Request packets with data payload.

syns—Synchronization packets—TCP SYN flagged packets.

syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.

unauth_pkts—Packets that did not undergo TCP handshake.

pkts—All packet types that do not fall under any other category in the same detection level.

Key

Traffic characteristic that was used to aggregate the policies. Double-click the key name to view details.

Key name values:

dst_ip—Traffic destined to a zone IP address.

dst_ip_ratio—Ratio of SYN and FIN flagged packets destined to a specific IP address.

dst_port_ratio—Ratio of SYN and FIN flagged packets destined to a specific port.

global—Summation of all traffic flow as defined by the other policy sections.

src_ip—Traffic destined to the zone aggregated according to source IP address.

src_net—Traffic destined to the zone aggregated according to source subnet IP address.

dst_port—Traffic destined to a specific zone port.

protocol—Traffic destined to the zone aggregated according to protocol.

src_ip_many_dst_ips—Key used for IP scanning. Traffic from a single IP destined to many zone IP addresses.

src_ip_many_ports—Key used for port scanning. Traffic from one IP destined to many zone ports.

State

Operating state of the policy. The policy operates in one of the following states:

Active—The Guard applies the policy to the traffic flow. The policy executes an action when the traffic flow exceeds the policy threshold.

Inactive—The Guard applies the policy to the traffic flow. The policy does not execute an action when the traffic flow exceeds the policy threshold.

Disabled—The Guard does not apply the policy to the traffic flow.

Action

Action assigned to the policy. The policy executes the action in the event the traffic flow exceeds the policy threshold. See the "Modifying Policy Parameters" section for further details.

Threshold

Policy threshold traffic rate. When the traffic flow exceeds the policy threshold, the policy executes its assigned action. You can configure the policy threshold manually or let the Guard configure it during the threshold tuning phase of the learning process.

By default, the threshold is set to a value appropriate for on-demand protection.

Proxy Threshold

Threshold for the HTTP proxy client. The proxy threshold defines the traffic rate for clients that connect to the zone in HTTP by way of proxies. You configure the proxy threshold using the CLI.

Threshold List

Number of entries in a threshold list for a particular policy. A dash (-) indicates that it is not possible to configure the threshold for the policy.

Timeout

Minimum amount of time the policy applies its assigned action to the traffic flow. When the timeout expires, the Guard determines whether or not to deactivate the Dynamic filter produced by the policy. The timeout value can be set to never.

Fixed

Policy threshold operating status. A check mark indicates the threshold is a fixed value that cannot be modified during the threshold tuning phase of the learning process. An x indicates the threshold value is not fixed, which means the Guard can modify the policy threshold during the threshold tuning process.

Learning Multiplier

Factor the Guard multiplies the threshold by when it accepts the results of the threshold tuning phase.


Modifying Policy Parameters

The procedures in this section describe how to modify policy parameters. You can only modify a zone policy when the Guard is not learning zone traffic or protecting the zone. The WBM provides you with two different procedures for modifying policy parameters: one procedure to modify a single policy and another procedure to modify multiple policies with the same parameter change simultaneously. Table 8-3 lists the policy parameters you can modify with each procedure type.

Table 8-3 Policy Modification Procedures

Policy Parameter            Procedure: Modifying a Single Policy    Procedure: Modifying Multiple Policies Simultaneously

(Operating) State           X                                       X

Action                      X                                       X

Threshold                   X

Threshold multiplier                                                X

Timeout                     X                                       X

Learning parameters:
  Set as fixed              X                                       X
  Learning multiplier       X                                       X


Note Changes you make to a policy parameter may be lost if you perform the policy construction phase after making the parameter change. When you accept the results of the policy construction phase, the Guard deletes the current policies of the zone configuration and replaces them with the new policies.



Caution Setting the policy state to inactive or disabled may compromise zone protection. When you set the policy state to disabled, the enabled zone policies assume responsibility for the traffic that was managed by the disabled policy. After you disable a policy and before the Guard performs zone protection, you must perform the threshold tuning phase to update the thresholds of the enabled policies.

This section contains the following procedures:

Modifying a Single Policy

Modifying Multiple Policies Simultaneously

Modifying a Single Policy

To modify the parameters of a single policy:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 Click the Key of the desired policy. The Policy details screen appears.

Step 4 Click Configure (located under the Learning parameters table). The Config Policy screen appears with the current parameter values listed.

Step 5 Reconfigure the desired policy parameters. Table 8-4 describes the configured policy parameters in the Zone Policies Parameter Form.

Table 8-4 Zone Policy Parameter Form

Parameter
Description

State

The state of the policy. Possible values are:

active—The Guard applies the policy to the traffic and the policy executes its assigned action when the traffic exceeds the policy threshold.

inactive—The Guard applies the policy to the traffic, but the policy does not execute its assigned action when the traffic exceeds the policy threshold.

disabled—The Guard does not apply the policy to the traffic.

Action

The action that the policy executes when the traffic exceeds the policy threshold. Choose a policy action from the drop-down list:

notify—The policy notifies the user.

block-unauthenticated—The policy adds a filter that blocks the traffic that the anti-spoofing feature cannot authenticate.

to-user-filters—The policy adds a filter that directs the traffic to the User filters.

filter/strong—The policy adds a filter that applies the Strong protection level to the traffic.

filter/drop—The policy drops the traffic.

redirect/zombie—The policy adds a filter that enhances authentication for all User filters with an action of redirect.

Threshold

Threshold traffic rate for the policy. When the traffic exceeds the threshold, the policy executes an action to protect the zone. The threshold is measured in packets per second (pps) except for the following policies:

tcp_connections—Measured in number of connections

tcp_ratio—Measured as the ratio number

Timeout

Minimum time span for the policy to apply its action. Enter the timeout value in seconds.

Learning parameters

Manner in which the Guard accepts the results of a threshold tuning phase that pertain to the policy. To have the Guard accept the results of a threshold tuning phase without any modifications, leave the Learning Parameters check box unchecked.

Click the Learning parameters check box to choose one of the following options:

Set as fixed—The Guard defines the current threshold of the policy as a fixed value. When the Guard accepts the results of a threshold tuning phase, it does not modify this policy threshold.

Learning multiplier—The Guard multiplies the current threshold value of the policy by the value you enter here. The Guard also applies the multiplier to the results of subsequent threshold tuning phases. Enter a factor to raise or lower the threshold of the policy.


Modifying Multiple Policies Simultaneously

To modify multiple zone policies with the same parameter change:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 Click the check box next to the desired policy or policies to reconfigure, then click Config Selection. The Zone Policies Parameter Form appears. If you have selected two or more policies, the policy parameters with different values will display a value of multiple.

Step 4 Modify the desired policy parameters. Table 8-5 describes the configurable policy parameters in the Zone Policies Parameter Form.

Table 8-5 Zone Policies Parameter Form

Parameter
Description

State

Operating state of the policies. Choose an operating state from the drop-down list:

active—The Guard applies the policies to the traffic. Each policy executes its assigned action when the traffic flow exceeds the threshold of the policy.

inactive—The Guard applies the policies to the traffic, but the policies do not execute their assigned actions when the traffic flow exceeds their thresholds.

disabled—The Guard does not apply the policies to the traffic.

Action

Action the policies execute when the traffic flow exceeds their threshold. Choose a policy action from the drop-down list:

notify—The policies notify the user.

block-unauthenticated—The policies add a filter that blocks traffic that the anti-spoofing feature cannot authenticate.

to-user-filters—The policies add a filter that directs the traffic to the User filters.

filter/strong—The policies add a filter that applies the Strong protection level to the traffic.

filter/drop—The policies drop the traffic.

redirect/zombie—The policies add a filter that enhances authentication for all User filters with an action of redirect.

Threshold multiplier

Factor by which the thresholds of the policies are increased or decreased. Enter a factor to increase or decrease the thresholds of the policies when the thresholds are not appropriate for the zone traffic.

Timeout

Minimum amount of time the policy applies its action to the traffic flow. Enter a timeout value in seconds.

Learning parameters

Manner in which the Guard accepts the results of a threshold tuning phase that pertain to the selected policies. To have the Guard accept the results of a threshold tuning phase without any modifications, leave the Learning Parameters check box unchecked.

Click the Learning parameters check box to choose one of the following options:

Set as fixed—The Guard configures the current thresholds of the selected policies as fixed values. When the Guard accepts the results of a threshold tuning phase, it does not modify the thresholds of the policies.

Learning multiplier—The Guard multiplies the current threshold values of the policies by the value you enter here. The Guard also applies the multiplier to the results of subsequent threshold tuning phases. Enter a factor to raise or lower the thresholds of the policies.


Step 5 Choose one of the following options:

OK—Saves the configuration information. The Zone Policies Parameter Form closes and the Policies screen appears, displaying any policy configuration changes.

Clear—Reverts the Zone Policies Parameter Form information back to the default values.

Cancel—Exits the Zone Policies Parameter Form without making any changes to the policy parameters.


Adding or Deleting an IP Address and Threshold

To avoid false attack detections by the Guard when traffic increases on a known high-traffic source or destination IP address, you can configure a policy with a threshold for traffic associated with the IP address. Add an IP address and threshold to a policy for the following network applications:

High volume source IP address—When the zone normally receives a high volume of traffic from a specific source IP address, you can configure a policy with a threshold that the Guard applies to traffic originating from the source IP address.

High volume destination IP address—When you define a zone with two or more IP addresses and sections of the zone normally receive a high volume of traffic, you can configure a policy with a threshold that the Guard applies to traffic targeting the destination IP address within the zone.

The WBM only allows you to configure IP thresholds for policies with the following characteristics:

Policies with a Key type of src_ip (source IP address) and an Action type of drop

Policies with a Key type of dst_ip (destination IP address) with an Action type of to-user, strong, notify, or drop

Each policy accepts up to five IP addresses and thresholds.
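As an added illustration (not code from the Cisco Guard product or from this guide), the following Python model encodes the policy semantics described in this chapter: the three operating states, the threshold comparison with per-IP threshold-list overrides, the learning parameters applied when tuning results are accepted, the bulk threshold multiplier of Table 8-5, and the key/action and five-entry limits on IP thresholds. Policy names, IP addresses and rates are constructed; mapping the short action names used above (drop, to-user, strong) onto the Table 8-4 action names is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Units per Table 8-4: thresholds are in pps except for these policy types.
UNITS = {"tcp_connections": "connections", "tcp_ratio": "ratio"}

# Key/action combinations that accept a per-IP threshold list, per the
# "Adding or Deleting an IP Address and Threshold" section. Mapping the short
# names there (drop, to-user, strong) onto Table 8-4 action names is assumed.
IP_THRESHOLD_RULES = {
    "src_ip": {"filter/drop"},
    "dst_ip": {"to-user-filters", "filter/strong", "notify", "filter/drop"},
}
MAX_IP_ENTRIES = 5  # each policy accepts up to five IP addresses and thresholds


@dataclass
class Policy:
    name: str              # constructed label, e.g. "tcp_services/80/basic/syns"
    policy_type: str       # "tcp_connections", "tcp_ratio" or any other type
    key: str               # "src_ip", "dst_ip", "global", ...
    state: str             # "active", "inactive" or "disabled"
    action: str            # one of the Table 8-4 actions
    threshold: float
    fixed: bool = False    # "Set as fixed" learning parameter
    learning_multiplier: float = 1.0
    threshold_list: dict = field(default_factory=dict)  # ip -> threshold


def unit(p: Policy) -> str:
    return UNITS.get(p.policy_type, "pps")


def evaluate(p: Policy, measured: float, ip: Optional[str] = None):
    """Return (threshold_exceeded, action_to_execute) for one measurement.
    disabled: policy not applied at all; inactive: applied, the exceedance is
    observed but no action executes; active: the action executes."""
    if p.state == "disabled":
        return (False, None)
    threshold = p.threshold_list.get(ip, p.threshold)  # per-IP entry wins
    if measured <= threshold:                           # traffic must exceed
        return (False, None)
    return (True, p.action if p.state == "active" else None)


def accept_tuning(p: Policy, learned: float) -> float:
    """Apply the learning parameters when threshold tuning results are accepted."""
    if not p.fixed:
        p.threshold = learned * p.learning_multiplier
    return p.threshold


def apply_threshold_multiplier(policies, factor: float):
    """Bulk change from Table 8-5: scale the threshold of every selected policy."""
    for p in policies:
        p.threshold *= factor
    return [p.threshold for p in policies]


def add_ip_threshold(p: Policy, ip: str, threshold: float) -> None:
    """Add a threshold-list entry, enforcing the WBM's key/action and size rules."""
    if p.action not in IP_THRESHOLD_RULES.get(p.key, set()):
        raise ValueError(f"key {p.key!r} with action {p.action!r} takes no IP thresholds")
    if ip not in p.threshold_list and len(p.threshold_list) >= MAX_IP_ENTRIES:
        raise ValueError("policy already holds the maximum of five IP thresholds")
    p.threshold_list[ip] = threshold
```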

This section contains the following procedures:

Adding an IP Address and Threshold

Deleting an IP Address and Threshold

Adding an IP Address and Threshold

To configure a policy with an IP address and threshold:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 Click the Key type (located under the Key column) of the desired policy. The Policy details screen appears.

Step 4 Click Add (located under the Threshold list table). The Add threshold entry screen appears.

Step 5 Define the source or destination IP address and threshold value. Table 8-6 describes the parameters in the Threshold IP Entry Form.

Table 8-6 Threshold IP Entry Form

Parameter
Description

IP

IP address. Enter the source or destination IP address.

Threshold

IP address threshold. When the traffic exceeds the threshold, the policy executes its configured action. Enter the threshold value in packets per second (pps) except for the following policy types:

tcp_connections—Unit of measurement is number of connections

tcp_ratio—Unit of measurement is the ratio number


Step 6 Choose one of the following options:

OK—Saves the policy IP address information to the policy configuration and zone configuration. The Threshold IP Entry Form closes and the Policy details screen appears, displaying any policy configuration changes.

Clear—Clears any information you added to the Threshold IP Entry Form.

Cancel—Exits the Threshold IP Entry Form without making any changes to the policy configuration.


Deleting an IP Address and Threshold

To delete a policy IP address and threshold:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Choose Configuration > Policy from the zone main menu. The Policies screen appears.

Step 3 Click the Key parameter of the desired policy. The Policy details screen appears.

Step 4 Check the check box of the IP listing or listings to delete from the Threshold list table.

Step 5 Click Delete (located under the Threshold list table). The modified policy configuration information is saved to the policy configuration and zone configuration.

Adding or Deleting a Service

You can manually add a service to the zone configuration that the Guard did not discover during the policy construction phase. When you add a service, the Guard creates new policies for the service based on the policy template you select for the service. You can add a new service to the following policy templates:

http

other_protocols

tcp_services

tcp_services_ns

udp_services

For http, tcp_services, tcp_services_ns and udp_services, the added service designates a port number. For other_protocols, the added service designates a protocol number.

When you add or delete a service from the zone configuration, the Guard marks the zone untuned. Because the zone is untuned, the Guard cannot protect the zone when you activate Protect and Learn until you perform one of the following actions:

Perform the threshold tuning phase of the learning process and accept the results (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic")

Mark the zone tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic")

This section contains the following procedures:

Adding a Service

Deleting a Service

Adding a Service

To add a service to a policy type:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Use one of the following methods to initiate the Add Service process:

Choose Configuration > Add Service from the zone main menu.

Choose Configuration > Policy from the zone main menu, then click Add service from the Policies screen.

Choose Configuration > Policy templates from the zone main menu, then click Add service from the Policies Templates screen.

The Add service step 1 screen appears.

Step 3 Select a policy template from the Policy Template list and click Next. (Refer to the "Policy Template Types" section in "Configuring Policy Templates" for details on policy template types.) The Add service step 2, Add Service Form appears.

Step 4 Enter the new service in the Add Service Form.

Step 5 Choose one of the following options:

OK—Adds the new policies for service to the zone configuration. The Policies screen appears, displaying the policies of the added service, and the Guard marks the zone untuned.

Clear—Clears the Add Service Form information.

Cancel—Exits the Add Service Form without adding any new service to the zone configuration.

Step 6 (Optional) To change the zone configuration from untuned to tuned after adding a service, perform one of the following actions:

Perform the threshold tuning phase of the learning process and accept the phase results (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic")

Mark the zone tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic")


The policies of the new service are configured with default threshold values. You can define the thresholds of each policy manually; however, we recommend that you run the threshold tuning phase to tune the policies to the zone traffic (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic").

Deleting a Service

You can delete a specific service related to a policy type. The Guard removes all of the policies that were created from the policy template you select.


Caution When you remove a service, zone protection may be compromised as the Guard policies can no longer relate to the traffic service that was removed.

To delete a service from a policy:


Step 1 Select a zone from the navigation pane. The zone main menu appears.

Step 2 Use one of the following methods to initiate the Remove Service process:

Choose Configuration > Add Service from the zone main menu.

Choose Configuration > Policy from the zone main menu, then click Remove service from the Policies screen.

Choose Configuration > Policy templates from the zone main menu, then click Remove service from the Policies Templates screen.

The Remove service screen appears.

Step 3 Select the service you want to remove from the list, then click Delete. The delete verification screen appears.

Step 4 Choose one of the following options:

OK—Removes the selected service from the zone configuration. The Policies screen appears and the Guard marks the zone untuned.

Cancel—Exits the Remove Service Form without removing any service from the zone configuration.

Step 5 (Optional) To change the zone configuration from untuned to tuned after deleting a service, perform one of the following actions:

Perform the threshold tuning phase of the learning process and accept the phase results (see the "Starting the Threshold Tuning Phase" section in "Learning Zone Traffic")

Mark the zone tuned (see the "Marking the Zone Policies as Tuned or Untuned" section in "Learning Zone Traffic")