Index
Symbols
# (number sign) 11-9
* (wildcard) 2-6, 5-4, 11-9
A
AAA
accounting 3-14
authentication 3-6
authorization 3-11
configuring 3-4
aaa accounting command 3-14
aaa authentication command 3-6
aaa authorization command 3-11
accounting, configuring 3-13
action command 7-20
action flow 11-12
activation
activation-extent command 9-7
activation-interface command 9-5
interface 9-4
method 9-4
sensitivity 9-7
add-service command 7-9
admin privilege level 2-2, 3-7
always-accept 7-22
always-ignore 7-22
analysis protection level 1-5, 7-10
anomaly
detected 11-3
flow 11-9
anomaly detection engine memory usage 12-28, 12-29
anti-spoofing 1-2
anti-spoofing drop statistics 14-7
anti-zombie 1-3
arp command 12-30
attack-detection command 9-9
attack report
copying 11-13
detected anomalies 11-3
exporting 11-13
exporting automatically 11-13
history 12-27
layout 11-1
malicious packets statistics 11-2
mitigated attacks 11-4
notify 11-9
statistics 11-2
timing 11-1
viewing 11-9, 14-4
attack reports
exporting 13-6
attack statistics 14-5
attack type
client 11-5
malformed packets 11-6
mitigated attack 11-10
user defined 11-6
zombie 11-5, 11-8
authentication, configuring 3-6
authorization
configuring 3-9, 3-10
disabling zone command completion 3-13, 5-6
auth packet types 7-11
automatic protect mode 1-5, 9-4, 10-1
B
bad packets to proxy drop statistics 14-7
banner
configuring login 3-30
basic
user filter actions 6-14
basic protection level 1-5, 7-10
Berkeley Packet filter 6-8
BGP
announcement A-13
Cisco router configuration example 4-6
configuration 4-2
configuration example 4-4
diverting method A-5
Guard configuration 4-3, 4-8
block dynamic filter actions 6-19
block-unauthenticated policy action 7-20
burn flash 13-10
bypass filter
command 6-11
configuring 14-4
definition 1-5, 6-2
deleting 6-13
displaying 6-12
C
capture, packets 12-15
clear counters command 2-13, 12-5
clear log command 12-11
CLI
changing prompt 3-26
command shortcuts 2-6
error messages 2-5
getting help 2-5
issuing commands 2-3
TAB completion 2-5
using 2-1
client attack 11-10
client attack mitigated attacks 11-5
command completion 3-13
command line interface
See CLI 2-1
command shortcuts 2-6
Common Firmware Environment (CFE) 13-10
comparator 6-3
config privilege level 2-2, 3-7
configuration
saving 4-1
configuration, accessing command mode 3-12
configuration file
copying 13-3
exporting 13-3
importing 13-4
viewing 12-2
configuration mode 2-2
configure command 2-7
constructing policies 8-5
copy commands
ftp running-config 13-4
log 12-9, 12-10
new-version 13-8
packet-dump 12-18
reports 11-13
running-config 5-11, 13-3
zone log 12-10
copy-from-this 5-5
copy guard-running-config command 5-11
copy login-banner command 3-31
copy-policies command 8-17
copy wbm-logo command 3-32
counters
clearing 2-13, 12-5
history 12-4
counters, viewing 12-4
cpu utilization 12-28
D
date command 3-22, 3-23
DDoS
attack classification 14-5
nonspoofed attacks 1-2
overview 1-2
spoofed attacks 1-2
zombies 1-3
deactivate command 9-12
deactivating commands 2-4
deactivating protection 9-9
default-gateway command 2-13
default zone 9-6
description command 5-7
detected
anomalies 11-3
flow 11-12
diff command 8-14, 8-15
disable command 7-6
disabling
automatic export 13-7
disk usage 12-27
distributed denial of service
See DDoS
diversion A-2
BGP 4-1
BGP diverting method 4-3, A-5
dynamic next hop A-7
layer 2 topology A-4
layer 3 topology A-3
long diversion 4-22, A-4, A-12
static next hop A-6
troubleshooting 14-2
tunnel 4-20, A-11
divert-from router 4-6, A-1
DNS
detected anomalies 11-3
drop statistics 14-6, 14-7
TCP policy templates 7-2
drop
dynamic filter action 6-18
policy action 7-20
statistics 14-6
user filter action 6-14
dropped packets
learning 8-2
drop-statistics command 14-5
dst traffic characteristics 7-12
dynamic filter
1000 and more 6-20
actions 6-14, 6-18
command 6-21, 6-22
deactivating 6-23
definition 1-5
deleting 6-22, 14-3
displaying 6-19, 14-3
displaying events 12-8
inactivating 14-3
overview 6-2, 6-18
preventing production of 6-23
sorting 6-19
terminating 6-23
zone malicious rate 6-23
dynamic filters 10-2
dynamic privilege level 2-2, 3-7
E
enable
command 3-11, 7-6
password command 3-10
enabling services 3-2
event log
activating 12-9
deactivating 12-9
event monitor command 12-9
export
disabling automatic 13-7
export command 13-6
packet-dump 12-18
reports 11-13
exporting
configuration file 13-3
log file 12-10
reports automatically 11-13
exporting GUARD configuration 5-11
extracting signatures 12-22
F
facility 12-9
file-server
command 13-2
configuring 13-2
deleting 13-2
displaying 13-3, 13-7
file server, displaying sync-config 13-7
filter rate
termination threshold 6-23
filters
bypass 1-5, 6-11
dynamic 1-5, 6-2, 6-18
flex-content 1-5, 6-3
overview 6-1
user 1-5, 6-13
filter-termination command 6-23
fixed-threshold 7-15
flash-burn command 13-10
flex-content filter
configuring 6-4
default configuration 12-37
definition 1-5, 6-2
displaying 6-9
dropped 14-6
filtering criteria 6-3
renumbering 6-4
forwarding 4-6, A-6
Layer 2 4-7
layer 2 A-7
layer 3 A-8
PBR-DST 4-9
PBR VLAN A-9
policy based routing 4-9
VLAN VRF A-10
VPN routing 4-11
VRF A-9
VRF-VLAN 4-17
fragments
detected anomalies 11-3
policy template 7-2
G
generating signatures 12-22
global mode 2-2
global traffic characteristics 7-12
GRE
See tunnel 2-11
Guard
self protection 12-37
GUARD_DEFAULT 5-2
GUARD_LINK 5-2
GUARD_TCP_NO_PROXY 5-2
Guard configuration
resetting 13-12
GUARD configuration, exporting 5-11
GUARD configuration, importing 5-11
H
hijacking traffic A-1
history command 12-27
host, logging 12-9
host keys
deleting 3-21, 3-22
hostname
changing 3-26
command 3-26
HTTP
detected anomalies 11-3
policy template 7-2
hybrid 11-10
I
idle session, configuring timeout 3-33
idle session, displaying timeout 3-33
importing
configuration 13-4
GUARD configuration 5-11
in-band
configuring interface 2-8
incoming TCP drop statistics 14-6
injecting traffic A-1, A-15
inject-to router 4-6, A-1
in packet types 7-11
install new-version command 13-9
interactive
operation mode 10-4
policy status 7-22
interactive protect mode 1-5, 9-4, 10-1
interactive-status command 7-22
interface
activating 2-8, 2-9
clearing counters 2-13
command 2-8, 2-10, 2-11
configuration mode 2-2
configuring 2-8
configuring IP address 2-8 to 2-10, 2-11
loopback 2-10
out-of-band 2-8
IP address
modifying, zone 5-8
ip address command 2-11
deleting 5-9
excluding 5-8
interface 2-8 to 2-10
zone 5-8, 9-3
IPIP
See tunnel 2-11
ip route command 2-13
IP scan
detected anomalies 11-3
policy template 7-2
IP summarization 12-13, 12-15
IP threshold configuration 7-17
K
keepalive command 2-12
key command
add 3-22, 3-24
generate 3-25
remove 3-25
L
L2F 4-7, A-7
configuration 4-8
router configuration 4-9
land attack drop statistics 14-7
layer 2 topology A-4
layer 3 topology A-3
learning
command 8-6, 8-8
constructing policies 8-5
dropped packets 8-2
overview 8-2
policy-construction command 8-5
synchronizing results 8-4
terminating process 8-6, 8-8
threshold-tuning command 8-7
tuning thresholds 8-7
learning accept command 8-6, 8-7
learning params
threshold-selection command 8-10
learning-params
deactivating periodic action 8-8
deactivating periodic-action command 8-6
periodic-action command 8-6, 8-8, 8-9
threshold-multiplier command 7-16
threshold-selection command 8-7
threshold-tuned command 5-8, 8-11
learning-params fixed-threshold command 7-15
LINK templates 8-5
log
displaying subzones 9-8
log file
clearing 12-11
exporting 12-9, 12-10
history 12-27
viewing 12-10
logging, viewing configuration 12-10
logging command 12-9
logging parameters, configuring 12-7
login banner
configuring 3-30
deleting 3-32
importing 3-31
login-banner command 3-30
logo, adding WBM 3-32
logo, deleting WBM 3-33
long diversion 4-22, A-4, A-12
Cisco router configuration 4-24
Guard configuration 4-23
loopback interface 2-10
low rate zombie attack policies 7-13
M
malformed packets 11-10
mitigated attacks 11-6
malformed packets drop statistics 14-7
malicious packets statistics
attack report 11-2
malicious rate termination threshold 6-23
management
MDM 2-16
overview 2-15
SSH 2-17
WBM 2-15
max-services command 7-5
MDM
activating 2-16
memory consumption 12-27
memory usage, anomaly detection engine 12-28, 12-29
MIB, supported 3-2
min-threshold command 7-5
mitigated attacks
client attack 11-5
malformed packets 11-6
overview 11-4
spoofed 11-4
user defined 11-6
monitoring
network traffic 12-18
MP
upgrading 13-8
MPLS LSP A-13
mtu command 2-9, 2-10, 2-11
N
netstat command 12-31
network server
configuring 13-2
deleting 13-2
displaying 13-3, 13-7
network server, displaying sync-config 13-7
new version
installing 13-9
upgrading 13-8
next hop discovery A-16
IGP + BGP A-17
next-hop router 4-6, A-1
no learning command 8-6, 8-8
non DNS drop statistics 14-7
nonspoofed attacks 1-2
no proxy policy templates 7-4
notify 11-9
notify policy action 7-20
ns policy templates 7-4
NTP
enable service 3-23
permit 3-23
server 3-23
num_sources packet type 7-11
O
other protocols
detected anomalies 11-3
policy template 7-2
other protocols drop statistics 14-6
out_pkts packet types 7-11
outgoing TCP drop statistics 14-6
out-of-band
configuring interface 2-8
out-of-band interface 2-8
P
packet-dump
auto-capture command 12-14
automatic
activating 12-13
deactivating 12-15
displaying settings 12-15
exporting 12-18, 13-6
signatures 12-23
packet-dump command 12-15
packets, capturing 12-15
password
changing 3-7
enabling 3-10
encrypted 3-7
resetting 13-11
PBR A-6, A-8
PBR-DST 4-9
Cisco router configuration 4-11
configuration 4-10
example 4-11
Guard configuration 4-10
PBR-VLAN
Guard configuration 4-15
PBR VLAN A-9
pending 10-2
pending dynamic filters 10-2
displaying 10-3, 10-6
periodic action
accepting policies automatically 8-6, 8-8
deactivating 8-6, 8-8
permit
command 2-15, 2-17, 3-3
user filter action 6-14
permit ssh command 3-21
ping command 12-35
pkts packet type 7-11
policy
action 7-13, 7-20
activating 7-13
adding services 7-8
backing up current 7-25, 8-18
command 7-12
configuration mode 2-3
constructing 1-4, 8-2, 8-5
copying parameters 8-17
copy-policies 8-17
deleting services 7-9
disabling 7-13
inactivating 7-13
learning-params, fixed-threshold command 7-15
marking as tuned 5-8, 8-11
marking threshold as fixed 7-15
multiplying thresholds 7-17, 14-2, 14-3
navigating path 7-12
packet types 7-10
PPH policies 7-13
proxy threshold 7-18
show statistics 7-24
state 7-13
threshold 7-13, 7-15
threshold-list command 7-18
timeout 7-13, 7-19
traffic characteristics 7-12
tuning thresholds 1-4, 8-3, 8-7
using wildcards 7-13, 7-23, 7-24
viewing 14-3
viewing statistics 8-8
policy-based routing 4-9, A-6
policy set-timeout command 7-19
policy template
command 7-4, 7-6
configuration command level 7-4
configuration mode 2-3
displaying list 7-4
max-services 7-5
min-threshold 7-5
overview 7-2
parameters 7-4
state 7-6
policy-template add-service command 7-9
policy-template remove service command 7-9
port scan
detected anomalies 11-3
policy template 7-2
possible next-hop routers A-1
poweroff command 13-7
PPH policies 7-13
privilege levels 2-1
assigning passwords 3-10
moving between 3-11
protect
activating 2-14
automatic mode 1-5, 10-1
command 9-10
deactivating 9-12
deactivating automatically 9-9
entire zone 9-10
interactive mode 1-5, 9-4, 10-1
specific IP 9-11
specific ip address 9-11
specific zone IP 9-10
specific zone ip address 9-10
protect command 9-12
protection
activation sensitivity 9-7
protection-end-timer command 9-9
protection level
analysis 1-5, 7-10
basic 1-5, 7-10
strong 1-5, 7-10
protect learning command 8-7
protect-packet command 9-7
protocol traffic characteristics 7-12
proxy
command 2-14
configuring 2-14
no proxy policy templates 7-4
proxy-threshold command 7-18
public-key
displaying 3-25
R
rate-limit command 5-6, 6-11
Rate Limiter
dropped 14-6
rates
history 12-4
rates, viewing 12-4
reactivate-zones 13-7
reboot command 13-7
rebooting
parameters 13-7
recommendations 10-2
accepting 10-7
activating 10-4, 10-6
change decision 7-21
command 10-6
deactivating 10-3, 10-8
displaying 10-2
dynamic filters 10-2
ignoring 10-7
overview 10-2
receiving notification 10-2
viewing 10-4
viewing pending-filters 10-3, 10-6
redirect/zombie
dynamic filter action 6-19
policy action 7-20
reload command 13-7
remove service command 7-9
renumbering flex-content filters 6-4
renumbering user filters 6-15
replied IP summarization 12-13, 12-15
replied IP summarizations 11-7
replied packets 11-2
report
See attack report 11-1
reports
details 11-9
displaying subzones 9-8
exporting 13-6
reqs packet type 7-11
router configuration mode 2-2
routing table
GRM B-4
manipulation 2-13
viewing 2-14
zebra application B-4
RTP/RTCP 5-3
running-config
copy 5-11, 13-3, 13-4
show 12-2
S
saving configuration 4-1
self-protection command 12-37
service
adding 7-8
command 2-15, 2-16, 3-2
copy 8-17
deleting 7-9
MDM 2-16
permissions 3-3
snmp-trap 3-26
wbm 2-15
services
enabling 3-2
session, configuring timeout 3-33
session, displaying idle timeout 3-33
session timeout, disabling 3-33
session-timeout command 3-33
set-action 7-20
show commands
counters 12-4
cpu 12-28
diagnostic-info 12-25
disk-usage 12-27
drop-statistics 14-5
dynamic-filters 6-19, 14-3
file-servers 13-3, 13-7
flex-content-filter 6-9
host-keys 3-22
learning-params 7-16
log 12-10
log export-ip 12-10
logging 12-10
login-banner 3-31
memory 12-28
packet-dump 12-15
packet-dump signatures 12-23
policies 7-23, 14-2, 14-3
policies statistics 7-24, 8-8
public-key 3-25
rates 12-4, 14-1
recommendations 10-4, 10-5
recommendations pending-filters 10-3, 10-6
reports 14-4
reports details 11-9
running-config 12-2
show 12-3
sorting dynamic-filters 6-19
sync-config file-servers 13-7
templates 5-4
zone policies 7-23
show privilege level 2-2, 3-7
show public-key command 3-25
shutdown command 2-9
signature
generating 12-22
SIP
detected anomalies 11-3
drop statistics 14-7
malformed packets 11-7
policy template 7-3
spoofed attacks 11-5
user filter action 6-14
snapshot
backing up policies 7-25, 8-18
command 8-13
comparing 8-14
deleting 8-16
displaying 8-16
save periodically 8-9
saving 8-13, 8-14
snapshot command 8-13
SNMP
accessing 3-2
configuring trap generator 3-26
traps description 3-27
snmp commands
community 3-30
trap-dest 3-26
source IP
tunnel 2-11
specific IP threshold 7-17
speed command 2-9
spoofed attacks 1-2, 11-4, 11-10
src traffic characteristics 7-12
SSH
configuring 2-17
deleting keys 3-24
generating key 3-25
service 2-17
state command 7-14, 14-3
static route
adding 2-13
strong
dynamic filter action 6-18
policy action 7-20
protection level 1-5, 7-10
user filter action 6-14
sub zone 9-7, 9-8
subzone
displaying logs and attack reports 9-8
syn_by_fin packet type 7-11
syns packet type 7-11
syslog
configuring export parameters 12-9
configuring server 12-9
message format 12-9
system log
message format 12-9
T
TACACS+
authentication
key generate command 3-19, 3-21
clearing statistics 3-17
configuring server 3-14
server connection timeout 3-17
server encryption key 3-16
server IP address 3-15
viewing statistics 3-17
tacacs-server commands
clear statistics 3-17
first-hit 3-14
host 3-14, 3-15
key 3-14, 3-16
show statistics 3-17
timeout 3-15, 3-17
TCP
detected anomalies 11-3
drop statistics 14-6, 14-7
no proxy policy templates 7-4
policy templates 7-2
templates
LINK 8-5
viewing policies 5-4
zone 5-2
thresh-mult 7-17, 14-2, 14-3
threshold
command 7-15
configuring IP threshold 7-17
configuring list 7-18
configuring specific IP 7-17
filter rate termination 6-23
malicious rate termination 6-23
marking as tuned 5-8, 8-11
multiplying 14-2, 14-3
multiplying before accepting 7-16
selection 8-13
setting as fixed 7-15
tuning 1-4, 8-3
threshold-list command 7-18
threshold selection 8-7
threshold tuning
save results periodically 8-9
time, configuring 3-22
timeout command 7-19
timeout session, configuring 3-33
timeout session, disabling 3-33
timezone 3-23
to-user-filters
dynamic filter action 6-18
policy action 7-20
traceroute command 12-34
traffic
monitoring 12-18
traffic forwarding 4-6, A-6
traffic injection A-15
trap 12-9
trap-dest 3-26
tuning policy thresholds 8-7
tunnel
commands 2-11
configuring 2-11
GRE keepalive 2-12
tunnel diversion 4-20, A-11
Cisco router configuration 4-21
Guard configuration 4-21
U
UDP
detected anomalies 11-3
drop statistics 14-6
policy templates 7-3
unauthenticated drop statistics 14-6
unauth_pkts packet type 7-11
unauthenticated TCP detected anomalies 11-3
upgrading 13-8
MP 13-8
user
detected anomalies 11-3
user defined mitigated attacks 11-6
user filter
actions 6-14, 6-18
command 6-4, 6-15
configuring 6-13
definition 1-5, 6-1
deleting 6-18
displaying 6-17
renumbering 6-15
username
encrypted password 3-7
username command 3-7
users
adding 3-7
adding new 3-7
assigning privilege levels 3-6
deleting 3-8
privilege levels 2-1, 3-10
system users
admin 2-7
riverhead 2-7
username command 3-7
V
VLAN
configuring 2-9
VLAN VPN routing forwarding 4-17
VLAN VRF A-10
Voice over IP
See VoIP
VoIP
detected anomalies 11-3
drop statistics 14-7
malformed packets 11-7
policy template 7-3
spoofed attacks 11-5
user filter action 6-14
zone template 5-3
VPN routing forwarding 4-11, A-6
VRF A-6, A-9
VRF-DST
Cisco router configuration 4-13
Guard configuration 4-12
VRF-VLAN 4-17
W
WBM
activating 2-15
WBM logo
adding 3-32
deleting 3-33
X
XML schema 11-13 to 11-15, 13-6
Z
zebra routing table B-4
zombie 11-10
packet counter 12-5
zombie attack 11-12
zombies 1-3
zone
blocking criteria 14-3
blocking flows 14-2
clearing counters 12-5
command 5-4, 5-5, 10-4
command completion 3-13, 5-6
comparing 8-15
configuration mode 2-3, 5-6
copying 5-5
creating 5-4
creating default 9-6
defining IP address 5-8
definition 5-1
deleting 5-4
deleting IP address 5-9
duplicating 5-5
excluding IP address 5-8
IP address 5-8
learning 8-2
LINK templates 8-5
malicious rate 9-9
modifying IP address 5-8
operation mode 5-4
protecting 9-2
reconfiguring 5-6
sub 9-7, 9-8
synchronize configuration 5-9
synchronizing offline 5-10
templates 5-2
viewing configuration 5-7
viewing policies 7-22
viewing status 12-3
zone-malicious-rate 6-23
zone policy
marking as tuned 5-8, 8-11
zone protection
terminating 9-12
zone synchronization 8-4