Cisco Guard Web-Based Manager Configuration Guide (Software Version 6.1)
Learning Zone Traffic

Table Of Contents

Learning Zone Traffic

Understanding the Learning Process

Understanding the Phases of the Learning Process

Understanding the Protect and Learn Feature

Managing the Results of the Learning Process

Performing the Learning Process

Starting the Policy Construction Phase

Accepting the Current Results of the Policy Construction Phase

Stopping the Policy Construction Phase

Starting the Threshold Tuning Phase

Accepting the Current Results of the Threshold Tuning Phase

Stopping the Threshold Tuning Phase

Performing the Learning Process Using Protect and Learn

Configuring the Automatic Learning Parameters

Activating Protect and Learn

Deactivating Protect and Learn

Marking the Zone Policies as Tuned or Untuned

Managing Learning Process Snapshots

Taking a Snapshot of the Learning Process Results

Taking a Snapshot of the Current Zone Policies

Displaying Snapshots

Modifying the Snapshot Policies

Deleting Snapshots

Comparing Policy Configurations of Two Zones or Snapshots

Viewing Policy Configuration Differences

Deleting Services from the Base Zone

Adding Services to the Base Zone

Copying Policy Parameters to the Base Zone


Learning Zone Traffic


This chapter describes how to use the Cisco Guard (Guard) learning process to analyze zone traffic characteristics to create and tune the policies that the Guard uses for zone protection.

This chapter contains the following sections:

Understanding the Learning Process

Performing the Learning Process

Performing the Learning Process Using Protect and Learn

Marking the Zone Policies as Tuned or Untuned

Managing Learning Process Snapshots

Comparing Policy Configurations of Two Zones or Snapshots

Understanding the Learning Process

The learning process creates a baseline of normal zone traffic patterns. The baseline reference points are the zone policies, which enable the Guard to determine when an anomaly exists in the zone traffic.

Use the learning process to optimize zone protection as follows:

Create policies based on the services of the zone traffic.

Tune the policy thresholds of a new zone that is configured with the default policies and policy thresholds of the zone template.

Update an existing zone configuration when the zone traffic patterns change.

You activate the learning process during peak traffic times and when you are certain that there is no attack on the zone. During the learning process, the Guard constructs the zone policies based on the traffic services and tunes the policy thresholds based on the traffic rates. While the Guard is learning the zone traffic, you can monitor the learning process and decide whether to accept or reject the current results of the learning process.

This section contains the following topics:

Understanding the Phases of the Learning Process

Understanding the Protect and Learn Feature

Managing the Results of the Learning Process

Understanding the Phases of the Learning Process

The learning process consists of the following two phases:

Policy construction phase—The Guard analyzes the zone traffic to determine the services that the zone uses and then creates the zone policies using the policy templates for each service. The policy templates determine the default threshold value and policy action assigned to each new policy. The new policies override the existing ones.

The policy templates define the types of zone policies that the Guard creates. The policy templates also define the maximum number of services that the Guard monitors closely and the minimum threshold that triggers the Guard to create new policies. To change the rules for constructing zone policies, you must modify the policy template parameters before you initiate the policy construction phase. For information about modifying a policy template, see Chapter 6, "Configuring Policy Templates."


Note You cannot perform the policy construction phase on zones that you create with a Guard_Link zone template.


Threshold tuning phase—The Guard tunes the traffic rate thresholds of the zone policies to values that allow normal traffic to pass through the Guard without activating the policy action. When protecting a zone, the Guard applies the zone policies to the traffic flow and if the traffic exceeds a policy threshold, the Guard creates a dynamic filter with the policy action.

To learn the zone traffic characteristics, the zone traffic must be diverted to the Guard. You must configure traffic diversion before initiating the learning process or divert the zone traffic to the Guard manually by using an external device. You can configure traffic diversion by using the Guard CLI to configure the routing configuration. See the Guard Configuration Guide for more information.

Understanding the Protect and Learn Feature

After the Guard performs the policy construction phase of the learning process, you can activate the Protect and Learn feature that allows the Guard to look for traffic anomalies (Protect) while performing the threshold tuning phase (Learn) simultaneously. With Protect and Learn activated, the Guard can constantly update the policy thresholds based on normal zone traffic characteristics. When the Guard detects an attack on the zone, it suspends the learning process to prevent it from learning malicious traffic thresholds and begins protecting the zone from the attack. The Guard resumes the learning process after it determines that the attack has ended.

Managing the Results of the Learning Process

You can accept or reject the results of a policy construction or a threshold tuning phase when you stop the learning phase. You can also accept the current results and continue the learning phase. During either phase of the learning process, the Guard does not modify the policies of the zone configuration until after you accept the results of the learning phase, at which time the Guard updates the zone configuration and begins operating with the new policies or policy thresholds.

You can also save the current results of either learning phase at any time of the learning process by using the Guard snapshot feature. A snapshot of the learning process allows you to save and view the policy information that the Guard has created up to the point of the snapshot without affecting the current zone configuration. You can take as many snapshots as you like and you can update the zone configuration with the policy information saved in a snapshot at any time. For more information about using snapshots, see the "Managing Learning Process Snapshots" section.

Performing the Learning Process

This section describes how to start and stop the two phases of the learning process: policy construction and threshold tuning. To ensure that the results of the learning process are accurate and reflect normal zone traffic, activate the learning process when the following zone traffic conditions exist:

Zone traffic is normal (not experiencing an attack)—Ensures that the Guard does not construct and tune the zone policies according to traffic characteristics of a DDoS attack. If you initiate the learning process when the zone is under attack, the Guard learns the traffic patterns of the attack and saves the learning results as the baseline for future reference. In this situation, the Guard may not be able to detect future attacks because it may view the attacks as normal traffic conditions.

Zone traffic is at its peak volume—Allows the Guard to configure the policy thresholds to values that are appropriate for normal peak traffic and ensures that the Guard does not perceive normal peak traffic conditions as an attack.

This section contains the following topics:

Starting the Policy Construction Phase

Accepting the Current Results of the Policy Construction Phase

Stopping the Policy Construction Phase

Starting the Threshold Tuning Phase

Accepting the Current Results of the Threshold Tuning Phase

Stopping the Threshold Tuning Phase

Starting the Policy Construction Phase

You can activate the policy construction phase after creating a new zone or any time that the zone configuration needs updating with new service policies. To allow the Guard enough time to receive and analyze an accurate representation of the normal zone traffic, we recommend that you allow the policy construction phase to run for at least 2 hours before terminating this phase.


Note You cannot perform the policy construction phase on a zone that you create with one of the Guard_Link zone templates.


After performing the policy construction phase, activate the threshold tuning phase to tune each policy threshold.

To start the policy construction phase, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Construct Policies.

The zone status icon changes to Learning.

The Guard begins analyzing the diverted zone traffic for the services in the traffic flow and creates policies for the services that it detects. The Guard does not replace the current policies in the zone configuration with the new policies until you accept the results of the policy construction phase (see the "Accepting the Current Results of the Policy Construction Phase" section).

Step 3 (Optional) Choose Learning > Snapshot at any time during the phase to save and review the current results and policy suggestions of the policy construction phase. Saving a snapshot does not change the current zone configuration. For details about using the snapshot function, see the "Managing Learning Process Snapshots" section.


Accepting the Current Results of the Policy Construction Phase

To accept the results of the learning process but allow the Guard to continue learning the zone traffic characteristics, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Accept.

The Guard deletes all of the current policies of the zone configuration and replaces them with the suggested zone policies. The Guard does not stop the policy construction phase and continues to learn the zone services.


Stopping the Policy Construction Phase

To stop the policy construction phase, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Stop Learning. The Stop Learning window opens.

Step 3 Choose one of the following options:

Reject—Rejects the suggested zone policies.

Accept—Accepts the suggested zone policies.

Step 4 Choose one of the following options:

OK—The results of this selection vary depending on your choice to reject or accept the results of the policy construction phase:

If you chose Reject, the Guard deletes all of the suggested zone policies. No changes are made to the zone configuration.

If you chose Accept, the Guard replaces the current policies in the zone configuration with the suggested zone policies and then terminates the policy construction phase.

Clear—The Stop Learning window reverts back to its default setting of Accept.

Cancel—The Stop Learning window closes and the policy construction phase continues.


Activate the threshold tuning phase after you accept the results of the policy construction phase. The threshold tuning phase ensures that the threshold values of the accepted policies are configured specifically for the zone traffic rates. Until you run the threshold tuning phase, the policies are configured with factory-default threshold values. For more information, see the "Starting the Threshold Tuning Phase" section.

Starting the Threshold Tuning Phase

You can activate the threshold tuning phase after performing the policy construction phase or any time the zone policy thresholds need updating.


Note To allow the Guard enough time to receive and analyze an accurate representation of the normal zone traffic, we recommend that you allow the threshold tuning phase to run for at least 24 hours before terminating this phase.


To start the threshold tuning phase, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Tune Threshold.

The zone status learning icon appears in the work area and next to the zone name in the navigation pane.

The Guard begins analyzing the zone traffic and adjusts the threshold values of the zone policies to the characteristics of the traffic flow. The Guard does not save the changes to the zone configuration until you accept the results of the threshold tuning phase (see the "Accepting the Current Results of the Threshold Tuning Phase" section).

Step 3 (Optional) From the zone main menu, choose Learning > Snapshot at any time during the phase to save and review the current results and threshold suggestions of the threshold tuning phase. Saving a snapshot does not change the current zone configuration.

For details about using the snapshot option, see the "Managing Learning Process Snapshots" section.


Accepting the Current Results of the Threshold Tuning Phase

To accept the current results of the threshold tuning phase and allow the Guard to continue the threshold tuning phase, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Accept. The Accept Thresholds window opens.

Step 3 Define the threshold selection method to use. Table 7-1 describes the parameters listed in the Accept Thresholds window.

Table 7-1 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Method for selecting the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Keep current thresholds—Rejects all of the suggested threshold values of the learning process and the policies retain their current thresholds.

Weight

Defines the weight that the Guard uses to calculate new thresholds. This option is active only when you choose the Accept weighted thresholds method. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


Step 4 Choose one of the following options:

OK—The Guard updates the policies of the zone configuration with the current results of the threshold tuning phase and the threshold tuning phase continues.

Clear—The Accept Thresholds window reverts back to its default settings.

Cancel—The Accept Thresholds window closes and the threshold tuning phase continues.


Stopping the Threshold Tuning Phase

To accept or reject the current results of the threshold tuning phase and stop the threshold tuning phase, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Stop Learning. The Stop Learning window opens.

Step 3 Choose one of the following options from the Stop Learning window:

Reject—Ignores the current results of the threshold tuning phase.

Accept—Uses the current results of the threshold tuning phase in the zone configuration. You define the threshold selection method to use.

Table 7-2 describes the threshold selection method parameters.

Table 7-2 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Method for selecting the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Keep current thresholds—Rejects all of the suggested threshold values of the learning process and the policies retain their current thresholds.

Weight

Defines the weight that the Guard uses to calculate new thresholds. This option is active only when you choose the Accept weighted thresholds method. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


Step 4 Choose one of the following options:

OK—The Guard updates the policies of the zone configuration with the current results of the threshold tuning phase and stops the threshold tuning phase.

Clear—The Stop Learning window reverts back to its default settings.

Cancel—The Stop Learning window closes and the threshold tuning phase continues.


Performing the Learning Process Using Protect and Learn

This section describes how to manage the Protect and Learn operation, in which the Guard looks for anomalies in the zone traffic while learning the zone traffic and making policy threshold adjustments. The Guard suspends the learning process when it detects an attack on the zone and while it mitigates the attack. When the attack is over, the Guard resumes the learning process and continues to monitor the traffic for anomalies.

Before activating Protect and Learn, you can configure when and how the Guard accepts the results of the learning process.

This section contains the following topics:

Configuring the Automatic Learning Parameters

Activating Protect and Learn

Deactivating Protect and Learn

Configuring the Automatic Learning Parameters

You can configure the automatic learning parameters to control when and how the Guard automatically accepts the current results of the learning process (threshold tuning phase) when you activate Protect and Learn.

To configure the automatic learning parameters, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > Learning Parameters. The Learning Parameters screen appears.

Step 3 Click Config. The Config Learning Parameters screen appears.

Step 4 Define the automatic learning parameters.

Table 7-3 describes the learning parameters.

Table 7-3 Learning Parameters 

Parameter
Description

Zone is tuned

Marks the zone policies as follows:

Tuned—Select this option to mark the policies as tuned, allowing the Guard to immediately use the policies to protect the zone.

Untuned—Deselect this option to mark the policies as untuned, requiring you to accept the results of the threshold tuning phase before the Guard can protect the zone. See the "Marking the Zone Policies as Tuned or Untuned" section for more information.

Set periodic learning

Enables the automatic learning process. Configure the following learning parameters when you choose this option:

Learning cycle—Defines how often the Guard saves the results of the learning process. You can define the time period between saves in weeks, days, hours, and minutes. Enter an integer from 0 to 1000 for each of the time fields.

Learning results—Define how the Guard saves the results of the learning process. Choose one of the following methods:

Automatic accept—Accepts the results of the learning process (policy thresholds) that the Guard suggests at the specified interval. The Guard saves a snapshot of the zone policies after accepting the newly suggested ones.

Snapshot only—Saves a snapshot of the learning process (policy thresholds) at the specified interval. The Guard does not accept the new policies and does not modify the policy thresholds in the zone configuration.

Threshold selection method

Defines the method that the Guard uses to choose the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Weight

Defines the weight that the Guard uses to calculate new thresholds. This option is active only when you choose the Accept weighted thresholds method. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


Step 5 Choose one of the following options:

OK—The Guard saves the automatic learning parameters to the zone configuration.

Clear—The Learning Parameters form reverts back to its default settings.

Cancel—The Config learning parameters screen closes.


Activating Protect and Learn

Before activating Protect and Learn, you should verify whether the zone policies are marked as tuned or untuned because the Guard functions differently depending on the tuned state of the zone policies. If the policies are marked as tuned when you activate Protect and Learn, the Guard can immediately detect attacks and learn the zone traffic. If you activate Protect and Learn and the zone policies are marked as untuned, the Guard functions in the following ways until the first time that the zone policy thresholds are accepted:

The Guard does not detect attacks in the zone traffic.

The Guard activates the Accept new thresholds method (see the "Configuring the Automatic Learning Parameters" section).

After the first time that the zone policy thresholds are accepted, the Guard marks the policies as tuned, which enables it to detect attacks while learning the zone traffic.

For more information about marking policies as tuned or untuned, see the "Marking the Zone Policies as Tuned or Untuned" section.

To activate Protect and Learn, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 Click Protect and Learn.

You can also activate the threshold tuning phase of the learning process (from the zone main menu, choose Learning > Tune Thresholds) and zone protection (click Protect) separately. The order in which you activate the two operations does not matter.

The following actions occur:

The Guard diverts the zone traffic to itself and begins analyzing the traffic flow for anomalies. The legitimate traffic is injected back into the network, where it is forwarded to its intended destination. The malicious traffic is filtered by the Guard and dropped.

The Guard begins the threshold tuning phase of the learning process.

The zone name is added to the Protected Zones list in the navigation pane and the Recent Events table lists an event type of protection-start with a detail listing of Zone is protected.


Deactivating Protect and Learn

When you deactivate Protect and Learn, the Guard allows you to deactivate one or both of the operations.

To deactivate Protect and Learn, perform the following steps:


Step 1 Choose a zone that is under protection from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Deactivate Protect and Learn using one of the following methods:

From the zone status screen, click Deactivate.

From the zone main menu, choose Protection > Deactivate.

The Deactivate window opens.

Step 3 Check the check box next to the requested action. Choose one or both of the following actions:

Stop Protection—Stops zone protection.

Stop Learning—Stops the threshold tuning phase of the learning process. Choose one of the following options:

Reject—Ignores the current results of the threshold tuning phase.

Accept—Saves the current results of the threshold tuning phase to the zone configuration. You can define the threshold selection method to use.

Table 7-4 describes the threshold selection method parameters.

Table 7-4 Threshold Terminating Method 

Parameter
Description

Threshold selection method

Defines the method that the Guard uses to choose the thresholds to accept. Choose one of the following options from the drop-down list:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Accept current—Rejects the suggested threshold values of the learning process. The policies retain their pre-threshold tuning phase values.

Weight

Defines the weight that the Guard uses to calculate new thresholds. This option is active only when you choose the Accept weighted thresholds method. Enter a weight value for the Guard to use in the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100


If you deactivate both zone protection and learning, the Guard stops diverting zone traffic to itself. The zone name is removed from the Protected Zones listing in the navigation pane and the Recent Events table lists an event type of protection-stop with a detail listing of Zone is not protected. The zone status icon changes from Protection to Standby.


Marking the Zone Policies as Tuned or Untuned

The tuned state of the zone policies relates to the threshold values of the policies. The Guard considers zone policies to be either tuned or untuned depending on the following conditions:

Untuned—The zone policy thresholds may not be set to values that are appropriate for the zone traffic. The Guard marks the zone policies as untuned when you perform one of the following actions:

Create a new zone.

Accept the policy construction phase results for a zone.

Add a service to the zone policies or remove a service from the zone policies.

Tuned—The zone policy thresholds are set to values that are appropriate for the zone traffic. The Guard marks the zone as tuned after accepting the results of the threshold tuning phase, at which point the threshold values are tuned specifically to the zone traffic characteristics.

You must know the tuned state of the zone when you activate Protect and Learn for the zone. If the zone is untuned when you activate Protect and Learn, the Guard is unable to detect attacks on the zone until after the first time that it accepts the results of the threshold tuning phase. The Guard can accept the results of the threshold tuning phase based on the automatic learning parameters (see the "Configuring the Automatic Learning Parameters" section) or you can manually accept the results. The Guard uses the Accept new thresholds setting to accept the first results of the threshold tuning phase regardless of the configuration of the threshold selection method. From that point on, the Guard uses the threshold selection method that you selected.
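The threshold selection methods from Tables 7-1 to 7-4 and the first-acceptance rule for an untuned zone described above, modelled as an added example (this is not Cisco Guard code). It assumes Weight is a percentage from 0 to 100, as the (100 - Weight) term in the formula implies, and uses constructed policy names and threshold values.

```python
"""Threshold selection methods of the Guard's Accept / Stop Learning dialogs
(Tables 7-1 to 7-4) and the untuned-zone rule from "Marking the Zone Policies
as Tuned or Untuned", modelled in Python.

Added illustration only; this is not Cisco Guard code. Policy names and
threshold values below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Drop-down labels from the tables, keyed by a short name used in this model.
# "keep" covers both "Keep current thresholds" (Table 7-1) and "Accept current" (Table 7-4).
METHODS = {
    "new": "Accept new thresholds",
    "max": "Accept max. thresholds",       # the default method
    "weighted": "Accept weighted thresholds",
    "keep": "Keep current thresholds",
}


def select_threshold(method: str, current: float, learned: float,
                     weight: Optional[int] = None) -> float:
    """Return the value written to the zone configuration for one policy."""
    if method == "new":
        return learned
    if method == "max":
        # Never lowers a threshold: repeated cycles can only loosen detection.
        return max(current, learned)
    if method == "weighted":
        # Assumption: Weight is a percentage 0-100, as the (100 - Weight) term implies.
        if weight is None or not 0 <= weight <= 100:
            raise ValueError("Weight must be an integer from 0 to 100")
        # Formula as quoted in the tables; the guide does not state any rounding.
        return (learned * weight + current * (100 - weight)) / 100
    if method == "keep":
        return current
    raise ValueError(f"unknown threshold selection method: {method!r}")


def compare_methods(current: Dict[str, float], learned: Dict[str, float],
                    weight: int) -> Dict[str, Dict[str, float]]:
    """Apply every method to the same learned results, so the effect of each
    drop-down choice can be reviewed side by side before anything is accepted."""
    return {m: {p: select_threshold(m, current[p], learned[p], weight) for p in current}
            for m in METHODS}


def raised_thresholds(before: Dict[str, float], after: Dict[str, float]) -> Dict[str, float]:
    """Policies whose threshold would go up, i.e. where the Guard becomes less
    sensitive. Worth reviewing before accepting: the guide warns that learning
    during an attack bakes the attack's traffic rates into the baseline."""
    return {p: after[p] - before[p] for p in before if after[p] > before[p]}


@dataclass
class Zone:
    """Zone policy thresholds plus the state the accept logic depends on."""
    name: str
    tuned: bool
    method: str = "max"
    weight: Optional[int] = None
    thresholds: Dict[str, float] = field(default_factory=dict)

    def accept(self, learned: Dict[str, float]) -> Dict[str, float]:
        """Accept threshold tuning results into the zone configuration.

        On an untuned zone the first acceptance uses Accept new thresholds
        regardless of the configured method; afterwards the zone is marked
        tuned and the configured method applies.
        """
        method, weight = (self.method, self.weight) if self.tuned else ("new", None)
        for policy, learned_value in learned.items():
            # Threshold tuning adjusts existing policies only; new services come
            # from the policy construction phase, so an unknown policy is an error.
            current = self.thresholds[policy]
            self.thresholds[policy] = select_threshold(method, current, learned_value, weight)
        self.tuned = True
        return dict(self.thresholds)


# Constructed sample data: current zone thresholds and two learning results.
CURRENT = {"tcp_80_syn_pps": 500, "udp_53_pps": 2000, "icmp_pps": 100}
LEARNED_FIRST = {"tcp_80_syn_pps": 800, "udp_53_pps": 1500, "icmp_pps": 100}
LEARNED_SECOND = {"tcp_80_syn_pps": 600, "udp_53_pps": 1900, "icmp_pps": 120}


if __name__ == "__main__":
    for method, result in compare_methods(CURRENT, LEARNED_FIRST, weight=25).items():
        print(f"{METHODS[method]:<28} {result}")
    zone = Zone("web-zone", tuned=False, method="weighted", weight=25,
                thresholds=dict(CURRENT))
    print("first accept (untuned, forced to new):", zone.accept(LEARNED_FIRST))
    print("second accept (tuned, weighted 25):   ", zone.accept(LEARNED_SECOND))
```

Running raised_thresholds over the learned results before accepting is a cheap check that the learned rates were not inflated by traffic the Guard should have treated as an attack.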

You can manually change the tuned state of a zone and may consider changing the state to tuned when one of the following conditions applies:

You created the zone by copying an existing zone configuration with similar traffic characteristics.

You manually configured all of the policy thresholds.

You may consider changing the tuned state of the zone to untuned when one of the following conditions applies:

A major change was made to the zone network.

The zone IP address or subnet was modified.

You have not initiated the Protect and Learn feature during peak traffic time and want to prevent the Guard from considering the traffic during peak time as an attack.

When you mark the zone as untuned, the Guard does not monitor the traffic for policy threshold violations and therefore, does not detect attacks on the zone.

To mark the zone as tuned or untuned, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Configuration > Policies > Learning Parameters. The Learning parameters screen appears.

Step 3 Click Config. The Config learning parameters screen appears.

Step 4 From the Learning Parameters form, choose one of the following options:

Check the Zone is tuned check box to mark the zone policies as tuned. The Guard marks the policies as tuned and can immediately use the policies to protect the zone.

Uncheck the Zone is tuned check box to mark the zone policies as untuned. The Guard marks the policies as untuned, requiring you to accept the results of the threshold tuning phase before the Guard can use the policies to protect the zone.

Step 5 Choose one of the following options:

OK—The Guard saves the tuned setting to the zone configuration.

Clear—The Guard discards your changes and the form displays the current configuration.

Cancel—The Config learning parameters screen closes.


For details about the Learning Parameter Form options, see the "Configuring the Automatic Learning Parameters" section.

Managing Learning Process Snapshots

A snapshot allows you to save zone policy information so that you can view and compare policies. You can perform the following tasks with a snapshot:

View the current results of the learning process.

Save the snapshot policy information to the zone configuration.

Compare the policy results of the snapshot with another snapshot or zone configuration (see the "Comparing Policy Configurations of Two Zones or Snapshots" section).

Back up the current zone policies contained in the zone configuration.

At any stage of the learning process, you can save a snapshot of the current learning parameters (services, thresholds, and other policy-related data). The Guard continues the learning phase while it records the snapshot information. You can also save a snapshot when the Guard is not performing the learning process to create a copy of the current zone policies.

This section contains the following topics:

Taking a Snapshot of the Learning Process Results

Taking a Snapshot of the Current Zone Policies

Displaying Snapshots

Modifying the Snapshot Policies

Deleting Snapshots

Taking a Snapshot of the Learning Process Results

To take a snapshot of the current learning process results (policy construction or threshold tuning), perform the following steps:


Step 1 Choose a zone that is currently in a learning phase from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot. The Create Snapshot screen appears.

Step 3 Enter a name for the snapshot in the Snapshot name field.

Step 4 From the Threshold Selection Method drop-down list, choose the threshold selection method that the Guard uses to accept the policy thresholds:

Accept new thresholds—Saves the results of the learning process to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration. This is the default method.

Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * Weight + current-threshold * (100 - Weight)) / 100

Enter the weight value in the Weight field.

Accept current—Rejects the suggested threshold values of the learning process. The policies retain the values that they had before the threshold tuning phase.

Step 5 If you have selected the Accept weighted thresholds method, enter the weight value that the Guard uses to calculate the thresholds in the Weight field.

Step 6 To save the snapshot, click OK. The Guard saves the zone policies and assigns a consecutive ID number to the snapshot.


Taking a Snapshot of the Current Zone Policies

When you take a snapshot of a zone that is not learning zone traffic (the zone is either in standby or zone anomaly detection is enabled), the Guard creates a snapshot that contains the current policy information of the zone configuration. You can use this type of snapshot to create a backup of the zone policies or for comparison purposes.

To create a snapshot of the zone configuration policies, perform the following steps:


Step 1 From the navigation pane, choose a zone that is not currently in a learning phase. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot. The Create Snapshot screen appears.

Step 3 Enter a name for the snapshot in the Snapshot name field and then click OK. The Guard saves the zone policies and assigns a consecutive ID number to the snapshot.


Displaying Snapshots

You can display snapshots to get a comprehensive view of the zone learning results.

To display the snapshot results, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot List. The Snapshot List table appears.

Table 7-5 describes the fields in the Snapshot List table.

Step 3 Click on any one of the snapshot fields in the table to display a snapshot. The Policies screen appears, displaying the policies that the Guard recorded at the time of the snapshot.


Table 7-5 Field Descriptions for the Snapshot List Table 

Parameter
Description

ID

Snapshot identification number.

Name

Name of the snapshot. The Guard displays (automatic) for snapshots that were taken automatically and do not have a name.

Creation Time

Date and time that the snapshot was taken.

Snapshot Type

Method that was used to take the snapshot. The snapshot types are as follows:

Manual—Taken by you.

Periodic—Taken by the Guard automatically based on how you have the automatic learning parameters configured (see the "Configuring the Automatic Learning Parameters" section).

Automatic—Taken by the Guard automatically when the learning process was activated. You can use this snapshot as a backup when the zone is under attack.

Operation

Operation mode of the zone when the snapshot was taken. The operation mode can be one of the following:

Threshold Tuning—Threshold tuning phase of the learning process.

Policy Construction—Policy construction phase of the learning process.

N/A—Zone is not performing the learning process.

Accept Method

Method that was used to accept the thresholds. The method can be one of the following:

Accept new thresholds—Saves the learned thresholds to the zone configuration.

Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration.

Accept weighted thresholds—Calculates the policy thresholds to save based on the new threshold, the current threshold, and the weight that you defined.

Accept current—Saves the current thresholds without modifying them.


Modifying the Snapshot Policies

You can use snapshots to perform the following tasks:

Modify the policies in a snapshot.

Copy zone policies from the snapshot to the zone configuration.

Compare the learning parameters of two zone snapshots to verify the outcome of the learning process and trace the differences in policies, services, and thresholds (see the "Comparing Policy Configurations of Two Zones or Snapshots" section).

To configure snapshot policies, perform the following steps:


Step 1 From the navigation pane, choose a zone. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot List. The Snapshot List table appears.

Step 3 Click on any one of the snapshot fields in the table to display the snapshot that you want to configure. The Policies screen appears, displaying the policies that the Guard recorded at the time of the snapshot.

Step 4 (Optional) Click Configure Selection to reconfigure the parameters of one or more of the policies. See the "Modifying Policy Parameters" section in Chapter 8, "Managing Zone Policies" for more information.

Step 5 (Optional) Click Add service to add a service to the policies. See the "Adding a Service" section in Chapter 8, "Managing Zone Policies" for more information.

Step 6 (Optional) Click Remove service to remove a service from the policies. See the "Deleting a Service" section in Chapter 8, "Managing Zone Policies" for more information.

Step 7 Click Accept Thresholds to save the policies of the snapshot to the zone configuration.


Deleting Snapshots

You can delete old snapshots to free disk space.

To delete a snapshot, perform the following steps:


Step 1 Choose a zone from the navigation pane. The zone main menu appears.

Step 2 From the zone main menu, choose Learning > Snapshot List.

The list of snapshots appears and displays the ID number and name of each snapshot with the date and time that the snapshot was taken.

Step 3 Check the check box next to the ID number of the snapshot that you want to delete or check the check box in the header row to choose all the snapshots, and then click Delete.

The Guard deletes the selected snapshots from the Snapshot list.


Comparing Policy Configurations of Two Zones or Snapshots

You can compare the policy configurations of two zones, two snapshots, or a zone and a snapshot. The Guard traces differences in policy configuration services, policies, and policy thresholds. When comparing the policy configurations, you select one zone or snapshot to be the base zone and the other zone or snapshot to be the compared zone. You can add policy configuration attributes to the base zone or delete them from it. Modifying the configuration of the base zone enables you to selectively accept the learned policy attributes.

This section contains the following topics:

Viewing Policy Configuration Differences

Deleting Services from the Base Zone

Adding Services to the Base Zone

Copying Policy Parameters to the Base Zone

Viewing Policy Configuration Differences

To compare and display the policy differences of two zones or snapshots, perform the following steps:


Step 1 Use one of the following methods to begin the policy comparison process:

From the Guard summary main menu, choose Zones > Compare Zone policies.

From the zone main menu, choose Configuration > Policies > Compare Policies.

The Policies Comparison Query screen appears.

Step 2 Define the base and compared zones.

Table 7-6 describes the Policies Comparison Query parameters.

Table 7-6 Policies Comparison Parameters

Base Zone

Zone: Name of the zone or snapshot. To change the configuration of a zone, choose the zone as a base zone. Choose the base zone from the drop-down list.

Policy Configuration: Policy configuration of the selected base zone. The default value is the current policy configuration of the zone. You can choose snapshots of the zone policies from the drop-down list.

Compared Zone

Zone: Name of the zone or snapshot being compared to the base zone. You cannot modify the configuration of the compared zone. Choose the compared zone from the drop-down list.

Policy Configuration: Policy configuration of the selected compared zone. The default value is the current policy configuration of the zone. You can choose snapshots of the zone policies from the drop-down list.

Minimal difference

Percentage of differences between the policy configuration of the base zone and the compared zone. The Guard compares the two zones and displays only differences in policy thresholds that are higher than the specified value. The default percentage is 100%, where the Guard displays only policies in which one of the thresholds is at least two times greater than the other threshold.


Step 3 Choose one of the following options:

OK—Compares the policy configurations of the two zones. The Policy Comparison screen appears and displays the differences in services and policy parameters (see Figure 7-1).

Cancel—Exits the Policies Comparison query without comparing any zone policies.


Figure 7-1 shows an example of the policy comparison tables. The policy configuration attributes that are specific to the base zone are displayed in black, and the attributes that are specific to the compared zone are displayed in red.

Figure 7-1 Policy Comparison Tables

The Policy Comparison screen is divided into two sections:

Difference in services—The two tables in this section display the following information:

Services present only in the base zone policies.

Services missing from the base zone. The services in this list are only defined in the compared zone.


Note The Guard displays a check box only next to the services that you can add to or delete from the base zone. Some services cannot be added or deleted because they are not specific services, such as those of the type any.


Difference in policy parameters—Displays differences in the operational parameters of the policies (state, action, threshold, and proxy-threshold). Each section in the table displays the differences found in a single policy. The first row in each section displays the base zone parameters. The second row of each section displays the compared zone parameters.
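As an added illustration (not Cisco code and not a Guard API), the following Python models the four threshold selection methods from Step 4 of "Taking a Snapshot of the Learning Process Results" and the Minimal difference filter of the policy comparison described above. It assumes that the difference is measured as a percentage of the smaller threshold and that a difference equal to the setting is displayed; the service names and threshold values are constructed.

```python
# Added example, not Guard code: models the snapshot threshold selection
# methods (Step 4 above) and the "Minimal difference" comparison filter.

def accept_threshold(method, current, learned, weight=None):
    """Threshold saved to the zone configuration for one policy."""
    if method == "new":          # Accept new thresholds
        return learned
    if method == "max":          # Accept max. thresholds (the default)
        return max(current, learned)
    if method == "weighted":     # Accept weighted thresholds
        if weight is None or not 0 <= weight <= 100:   # assumed range
            raise ValueError("weight must be a percentage from 0 to 100")
        return (learned * weight + current * (100 - weight)) / 100
    if method == "current":      # Accept current
        return current
    raise ValueError(f"unknown accept method: {method}")

def accept_policies(method, current, learned, weight=None):
    """Apply the accept method to every policy present in both sets."""
    return {name: accept_threshold(method, current[name], learned[name], weight)
            for name in current if name in learned}

def threshold_difference_pct(base, compared):
    """Difference as a percentage of the smaller threshold, so that 100%
    means one threshold is twice the other (assumption from the text)."""
    low, high = sorted((base, compared))
    if low == 0:
        return float("inf") if high else 0.0
    return (high - low) / low * 100

def compare_policies(base, compared, minimal_difference=100):
    """Mirror the Policy Comparison screen: services only in the base zone,
    services missing from it, and threshold diffs >= minimal_difference."""
    only_in_base = sorted(set(base) - set(compared))
    missing_from_base = sorted(set(compared) - set(base))
    diffs = {}
    for name in sorted(set(base) & set(compared)):
        pct = threshold_difference_pct(base[name], compared[name])
        if pct >= minimal_difference:
            diffs[name] = (base[name], compared[name], pct)
    return only_in_base, missing_from_base, diffs

# Constructed sample: per-service thresholds from the current zone
# configuration and from a learning snapshot (values are made up).
CURRENT = {"tcp/80": 1000, "udp/53": 200, "tcp/22": 50}
LEARNED = {"tcp/80": 1500, "udp/53": 100, "tcp/443": 800}

if __name__ == "__main__":
    print(accept_policies("weighted", CURRENT, LEARNED, weight=30))
    print(compare_policies(CURRENT, LEARNED))
```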

Deleting Services from the Base Zone

To delete services from the base zone configuration, perform the following steps:


Step 1 From the Services Only In zonename table, check the check boxes next to the services that you want to delete from the base zone configuration. To choose all of the table entries, check the check box in the table header.

Step 2 Click Delete. The Guard deletes the services from the base zone configuration.


Adding Services to the Base Zone

To add services to the base zone configuration, perform the following steps:


Step 1 From the Services Missing From zonename table, check the check boxes next to the services that you want to add to the base zone configuration. To choose all of the table entries, check the check box in the table header.

Step 2 Click Add. The Guard adds the selected services to the base zone policy configuration.


Copying Policy Parameters to the Base Zone

To copy the policy parameters from the compared zone to the base zone, perform the following steps:


Step 1 From the Difference In Policy Parameters table, check the check boxes next to the policies that you want to copy to the base zone. The policies of the base zone are displayed in black, and the policies of the compared zone are displayed in red. To choose all of the table entries, check the check box in the table header.

Step 2 Click Copy Parameters. The Guard copies the selected policies from the compared zone to the base zone policy configuration. The selected policies are removed from the table.