Table Of Contents
Learning Zone Traffic and Taking Snapshots
Understanding the Learning Process
Learning Process Phases
Learning Process Results
Operating Options for the Learning Process
Learning Process Device Activation
Automatic Learning and Snapshot Features
Learning Traffic While Looking for Traffic Anomalies
Setting Up Learning Parameters and Selecting Zone Devices for Learning
Performing the Learning Process
Starting the Policy Construction Phase
Stopping the Policy Construction Phase
Starting the Threshold Tuning Phase
Accepting the Current Results of the Threshold Tuning Phase
Stopping the Threshold Tuning Phase
Combining Learning with the Detect and Protect Operations
Activating Threshold Tuning with Detect or Protect
Deactivating Threshold Tuning, Detect, and Protect
Marking the Zone Policies as Tuned or Untuned
Managing Learning Process Snapshots
Setting up the Device to Take Periodic Snapshots
Taking a Snapshot of Current Learning Process Results
Taking a Snapshot of the Policies in the Zone Configuration
Displaying and Modifying a Snapshot or Saving Snapshot Results to the Zone Configuration
Deleting a Snapshot
Comparing the Policies of Two Zone Configurations or Snapshots
Displaying the Differences Between Two Policy Sets
Adding or Deleting a Service to the Base Zone
Copying Policy Parameters to the Base Zone
Learning Zone Traffic and Taking Snapshots
This chapter describes how to activate the learning process on the Cisco DDoS MultiDevice Manager (MDM), where the Detector or Guard device analyzes zone traffic and adjusts the protection capabilities of the zone configuration. There are several options for performing the learning process, including activating the threshold tuning phase of the learning process with the Detect or Protect operations. The procedures for each learning process option are discussed in this chapter.
Note
This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Understanding the Learning Process
• Operating Options for the Learning Process
• Setting Up Learning Parameters and Selecting Zone Devices for Learning
• Performing the Learning Process
• Combining Learning with the Detect and Protect Operations
• Marking the Zone Policies as Tuned or Untuned
• Managing Learning Process Snapshots
• Comparing the Policies of Two Zone Configurations or Snapshots
Understanding the Learning Process
The learning process enables the device to analyze zone traffic for the purpose of creating a set of zone-specific policies and policy thresholds that are based on the characteristics of the zone's normal traffic flow. Use the learning process to optimize zone protection in the following ways:
• Adjust the policies of a new zone. A new zone configuration contains the default policies and policy thresholds of the zone template that you select when creating the new zone. The learning process adjusts the policies and policy thresholds to the characteristics of the zone's normal traffic flow.
• Update an existing zone configuration. When conditions within the network change and affect the characteristics of the normal zone traffic flow, the zone configuration becomes outdated. The learning process enables the device to update the policies and policy thresholds of the zone configuration to accommodate the traffic flow changes. Changes to normal traffic flow can include an increase in the traffic rate or the addition of new services.
Learning is executed in two phases: one phase for detecting the various services of the traffic flow, and another phase for detecting the volume of traffic associated with each service. The device modifies existing zone policies or creates new policies based on what it learns during each phase of the learning process.
This section contains the following topics:
• Learning Process Phases
• Learning Process Results
Learning Process Phases
The learning process consists of two phases, which you enable separately:
• Policy construction phase—The device analyzes the zone traffic to determine which services are contained in the traffic flow. The device creates a set of new policies for each service. Each new policy is based on a policy template associated with the zone configuration. Policy templates provide the guidelines that the device follows when creating a policy. For example, a policy template can limit the number of policies that the device can produce from the template during the policy construction phase. Policy templates also provide the default traffic threshold values and policy actions for each new policy that the device creates.
The device can perform policy construction only when the Detect or Protect functions are not activated.
Note
You cannot perform the policy construction phase on zones that you create with a DETECTOR_LINK_XXX or GUARD_LINK_XXX zone template.
• Threshold tuning phase—The device tunes the traffic rate thresholds of the zone policies. The policy thresholds are reference points that the device uses when protecting a zone to determine when the traffic rate exceeds its normal volume, indicating an attack on the zone. The policy threshold value is set to a value that allows normal traffic to pass through the device without activating the policy action. If the traffic flow exceeds a policy threshold, the device executes the action associated with the policy.
Learning Process Results
During the learning process, the device creates a set of suggested policies and policy thresholds based on the traffic that it is analyzing. These suggestions are referred to as the learning process results. No changes are made to the zone configuration until the results of the learning phase are accepted by you, or by the device if you have periodic learning enabled. When you accept the learning process results, the device saves the suggested policy changes to the zone configuration and deletes all of the previous zone configuration policies. If you reject the learning process results, the device deletes the learning process results and continues to use the policies already in place in the zone configuration. You have the option of accepting or rejecting the results of a policy construction or threshold tuning phase while the phase is running or when you stop the phase.
You can save a copy of the current learning phase results at any time of the process using the snapshot feature. A snapshot of the learning process allows you to view the policy information that the device has suggested up to the point of the snapshot. Saving the results of the learning phase in a snapshot does not affect the zone configuration that the device is currently using. However, you can update the current zone configuration with the policy configurations of a snapshot at a later time if needed. For more information on using the snapshot feature, see the "Managing Learning Process Snapshots" section.
Operating Options for the Learning Process
The MDM provides several operating options that are related to the learning process, such as selecting the zone device to learn zone traffic or activating the threshold tuning phase with the Detect or Protect functions.
This section contains the following topics:
• Learning Process Device Activation
• Automatic Learning and Snapshot Features
• Learning Traffic While Looking for Traffic Anomalies
Learning Process Device Activation
When the zone consists of multiple devices, you can specify which zone device performs the learning process when you activate either policy construction or threshold tuning. This learning configuration parameter, which is referred to as learning activation extent, provides the following options:
• Master device only—When you activate either policy construction or threshold tuning, the zone master device learns the traffic for the other zone devices. The MDM issues all learning-related instructions (such as accept the results or stop learning) to the master device only. Configuration changes made as a result of the learning process are made to the zone configuration on the master device only. Synchronization of the new configuration information with the other zone devices is required. For example, when you accept the results of the learning phase and enable synchronization, the MDM immediately updates the zone devices with the master device's new policy information.
• All zone devices—When you activate either policy construction or threshold tuning, all of the zone devices learn the zone traffic and each device can maintain its own set of zone-specific policies. Typically, you do not enable synchronization for this type of application because the master device zone configuration will overwrite the zone configurations on the other zone devices during synchronization.
For more information, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section.
Automatic Learning and Snapshot Features
As a part of the zone configuration, you can configure the device to automatically accept the current suggested results of the learning phase that you have activated. The device accepts the results at the specific time intervals that you define. Automatic learning allows you to activate either phase of the learning process and not have to manually monitor and accept the results of the phase. Each time that the device accepts the learning phase results, it updates the zone configuration with the new policy information.
You can configure automatic learning so that the device takes a snapshot only at the specified time interval. Because the snapshot is a copy of the learning phase results at the time of the snapshot, it does not affect the current policies of the zone configuration. You can then review the contents of the various snapshots and select a snapshot to save to the zone configuration.
For more information, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section.
Learning Traffic While Looking for Traffic Anomalies
The devices can perform threshold tuning and, at the same time, look for traffic conditions that indicate an attack on the zone. You can activate threshold tuning on the device that you have configured to learn zone traffic with the Detect (Detector) or Protect (Guard) function. The device looks for subtle changes in the traffic rate and suggests new policy thresholds based on the changes, which you either accept or reject. If the device detects a dramatic change in the traffic rate, it assumes the change is due to an attack on the zone and suspends threshold tuning. This action prevents the device from creating threshold suggestions based on the attack traffic. The device continues to analyze the attack traffic to determine the next action to take while in its Detect or Protect operating state. The action that the device takes varies depending on the device type:
• If the device is a Detector, it issues an attack notification or activates the Guard responsible for mitigating the attack.
• If the device is a Guard, it begins mitigating the attack.
The device resumes threshold tuning after the attack on the zone ends.
When you enable automatic learning in addition to activating threshold tuning and the Detect or Protect function, the device continuously learns normal traffic patterns and safely makes minor adjustments to the policy thresholds (see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section).
For more information, see the "Combining Learning with the Detect and Protect Operations" section.
Setting Up Learning Parameters and Selecting Zone Devices for Learning
The MDM provides you with several options for controlling the learning process operation. One option is to set up automatic learning where you configure the device to periodically accept the results of the current learning phase. When the device accepts the results, it saves the suggested policies or policy thresholds to the zone configuration and creates a snapshot. If you do not want to modify the zone configuration during automatic learning, you can configure the operation to create a snapshot only or copy the results. By periodically saving snapshots of the suggested policy changes, you can review the contents of each snapshot and select the most appropriate one to save to the zone configuration (see the "Managing Learning Process Snapshots" section).
The MDM also allows you to choose which device performs the learning process when you activate either policy construction or threshold tuning. This MDM option is referred to as the learning activation extent and allows you to choose between having the master device do the learning for the zone devices or allowing each zone device to perform its own learning process. If you decide that only the master device can learn the zone traffic, you must synchronize the results of the learning phase saved on the master device with the other zone devices.
To set up automatic learning or select the zone devices to perform the learning process, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Configuration > Policies > Learning Parameters. The Learning Parameters screen appears.
Step 3
Click Config. The Learning Parameters Form screen appears.
Step 4
(Optional) Mark the zone policies as tuned or untuned. Use this setting only when you plan to activate threshold tuning with Detect or Protect (see the "Combining Learning with the Detect and Protect Operations" section).
• Check the Zone is Tuned check box to mark the policies as tuned. This setting allows the device to immediately use the policies to detect anomalies when you activate threshold tuning with Detect or Protect.
• Uncheck the Zone is Tuned check box to mark the policies as untuned. This setting requires that the device accepts the results of the threshold tuning phase once before it can detect anomalies when you activate threshold tuning with Detect or Protect.
Note
We recommend that you mark the zone as tuned only if you created the zone using another zone with similar traffic characteristics as the zone template. For more information, see the "Marking the Zone Policies as Tuned or Untuned" section.
Step 5
(Optional) Check the Set Periodic Learning check box to enable periodic learning, and then configure the following automatic learning parameters:
• Learning cycle—Defines how often the device saves the results of the activated learning phase. Define the time period between saves in weeks, days, hours, and minutes. Enter an integer from 0 to 1000 for each time field.
• Learning results—Defines how the device saves the results of the learning process. You can choose one of the following methods:
– Automatic accept—Accepts the suggested learning phase results at the specified interval, or learning cycle, replacing the policies in the zone configuration with the phase results. The device also saves a snapshot of the zone policies. If you choose this option and configure the zone so that the master device learns for the other zone devices, you must enable synchronization if you want the MDM to update the other devices with new zone configuration information (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
– Snapshot only—Saves a snapshot of the learning phase results at the specified interval. The device does not accept the suggested policies or modify the policies of the zone configuration.
Step 6
(Optional) Choose one of the following Threshold Selection Methods from the drop-down list (this option applies to the threshold tuning phase only):
• Accept new thresholds—Accepts the results of the threshold tuning phase and updates the zone configuration with the learned thresholds.
• Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two values to the zone configuration. This is the default setting.
• Accept weighted thresholds—Calculates the policy thresholds to save based on the weight value that you specify. Enter a weight value for the device to use in the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
The weight value option is active only when you choose a threshold selection method of Accept weighted thresholds.
Step 7
(Optional) Choose the device to perform the learning process from the Learning Activation Extent field:
• Master Device—Only the zone master device learns the traffic. Zone synchronization is required to update the other zone devices with changes made to the master device zone configuration. This is the default setting.
• All Zone Devices—All of the zone devices learn the zone traffic. Each device maintains its own version of the zone configuration.
Step 8
Click OK. The MDM saves the learning parameters to the zone configuration on the master device.
Step 9
(Optional) Synchronize the new information with the other zone devices by using one of the following methods when the zone is inactive:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
With the learning parameters defined, the device is now ready for you to activate either phase of the learning process as described in the "Performing the Learning Process" section.
Performing the Learning Process
This section describes how to start and stop the two different phases of the learning process; policy construction and threshold tuning. To ensure that the results of the learning process are accurate and configured for normal zone traffic, activate the learning process when the following zone traffic conditions exist:
• Zone traffic is normal (not experiencing an attack)—Ensures that the device that learns the zone traffic does not construct and tune the zone policies according to the traffic characteristics of a DDoS attack. If you initiate the learning process while the zone is under attack, the device learns the traffic patterns of the attack and saves the learning results as the base for future reference, which prevents the device from detecting future attacks because it may view attack traffic patterns as normal traffic.
• Zone traffic is at its peak volume—Allows the device that learns the zone traffic to configure the policy thresholds to values that are appropriate for normal peak traffic and ensures that the device does not perceive normal peak traffic conditions as an attack.
Note
When the device learning zone traffic is a Guard, it must divert the zone traffic to itself for analysis. You must have traffic diversion configured on the Guard before you can activate either phase of the learning process. Configure zone diversion using the Guard routing configuration, which can be accessed only through the CLI. See the Anomaly Guard Module Configuration Guide for more information on configuring traffic diversion. Traffic diversion is not an issue if the device learning zone traffic is a Detector because this device type receives a copy of the zone traffic (the traffic does not flow through a Detector).
This section contains the following topics:
• Starting the Policy Construction Phase
• Stopping the Policy Construction Phase
• Starting the Threshold Tuning Phase
• Accepting the Current Results of the Threshold Tuning Phase
• Stopping the Threshold Tuning Phase
Starting the Policy Construction Phase
Use the policy construction phase after you create a new zone or when the zone configuration needs updating with new service policies. When you start this phase, the MDM initiates the policy construction phase on the zone devices that you have defined as the devices to perform the learning process. During the policy construction phase, the device creates suggested policy modifications that do not take effect until the results are accepted by you or the device (if you have automatic learning enabled). For more information on selecting the devices to perform the learning process or setting up automatic learning, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section.
Note
You cannot perform the policy construction phase on a zone created with one of the DETECTOR_LINK_XXX or GUARD_LINK_XXX zone templates.
If you plan to initiate the policy construction phase, you should do the following:
• Allow the policy construction phase to run for at least 2 hours before stopping this phase to allow the device enough time to receive and analyze an accurate representation of normal zone traffic.
• Initiate the threshold tuning phase after completing the policy construction phase. During the policy construction phase, the device configures the new policies with the default threshold values as defined by the associated policy template. Running the threshold tuning phase allows you to adjust the threshold values to the particular characteristics of the zone traffic (see the "Starting the Threshold Tuning Phase" section).
To start the policy construction phase, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone main menu, choose Learning > Construct Policies. The following actions occur:
• The device begins analyzing the zone traffic for the services used in the traffic flow and creates policies that relate to the services that it detects.
• The zone status icon changes to Learning.
Step 3
(Optional) Choose one of the following operations:
• Learning > Snapshot—Saves a copy of the current phase results without affecting the zone configuration (see the "Managing Learning Process Snapshots" section).
• Learning > Accept—Saves a snapshot of the current phase results and updates the zone configuration with the suggested results. The MDM deletes all of the current policies of the zone configuration and replaces them with the suggested zone policies. The policy construction phase continues.
Stopping the Policy Construction Phase
To stop the policy construction phase, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Learning > Stop Learning. The Stop Learning screen opens. You can choose one of the following options:
• Reject—Rejects the suggested zone policies.
• Accept—Accepts the suggested zone policies.
Step 3
Click OK. The results of this selection will vary depending on your decision to reject or accept the results of the policy construction phase:
• If you choose Reject, the MDM deletes all of the suggested zone policies, terminates the policy construction phase, and makes no changes to the current zone configuration on the device.
• If you choose Accept, the MDM terminates the policy construction phase, deletes all of the current policies in the zone configuration on the device, and replaces them with the suggested zone policies.
The zone status icon changes to Inactive.
Step 4
(Optional) Synchronize the new information with the other zone devices by using one of the following methods:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
Starting the Threshold Tuning Phase
Use the threshold tuning phase after performing the policy construction phase or when the thresholds of the zone policies need updating. When you start this phase, the MDM initiates threshold tuning on the zone devices that you have defined as the devices to perform the learning process. During the threshold tuning phase, the device creates suggested policy modifications that do not take effect until the results are accepted by you or the device (if you have automatic learning enabled). For more information, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section.
To allow the device enough time to receive and analyze an accurate representation of normal zone traffic, you should plan to let the threshold tuning phase run for at least 24 hours before terminating this phase.
To start the threshold tuning phase, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Learning > Tune Threshold. The following actions occur:
• The device begins analyzing the zone traffic and adjusts the threshold values of the zone policies to the characteristics of the traffic flow.
• The zone status Learning icon appears in the work area and next to the zone name in the navigation panel.
Step 3
(Optional) Choose Learning > Snapshot to save a copy of the current phase results without affecting the zone configuration (see the "Managing Learning Process Snapshots" section).
Step 4
(Optional) Click Detect or Protect to enable the device to look for traffic anomalies while performing the threshold tuning (see the "Combining Learning with the Detect and Protect Operations" section).
Accepting the Current Results of the Threshold Tuning Phase
While the device is performing the threshold tuning phase, you can manually accept the results or current threshold suggestions of the phase at any time. When you accept the results of the threshold tuning phase, the device can update the zone configuration with the current threshold suggestions. The device also continues with the threshold tuning phase by analyzing zone traffic and generating additional threshold suggestions.
To accept the current results of the threshold tuning phase, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Learning > Accept. The Accept Thresholds screen appears.
Step 3
Define the threshold selection method to use. Table 9-1 describes the parameters listed in the Accept Thresholds screen.
Table 9-1 Threshold Selection Method

Parameter: Threshold selection method
Description: Method for selecting the thresholds to accept. You can choose one of the following options:
• Accept new thresholds—Saves the results of the learning process to the zone configuration on the learning device.
• Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the zone configuration on the learning device. This is the default method.
• Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
You define the weight value.
• Keep current thresholds—Rejects all of the suggested threshold values of the learning process; the zone policies retain the values they had before the threshold tuning phase.

Parameter: weight
Description: This option is active only when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the master device to use in the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
Step 4
Click OK. The MDM updates the policies of the zone configuration on the device with the current results of the threshold tuning phase and the threshold tuning phase continues.
Step 5
(Optional) Synchronize the new information with the other zone devices by using one of the following methods:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
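The following Python model, added here as an illustration and not code from the MDM or the Guard/Detector devices, applies the four threshold selection methods of Step 6 and Tables 9-1 and 9-2 to a set of policy thresholds, and includes the rule that an untuned zone under automatic learning uses Accept new thresholds for its first accept only. The names ZoneConfig, select_threshold and accept_tuning_results and the sample policy values are assumptions made for this example.

```python
"""Model of the MDM threshold selection methods (added example, not vendor code).

Methods: "new"      -> Accept new thresholds
         "max"      -> Accept max. thresholds (the default)
         "weighted" -> Accept weighted thresholds, using the guide's formula
         "keep"     -> Keep current thresholds (rejects all suggestions)
"""
from dataclasses import dataclass
from typing import Dict, Optional

METHODS = ("new", "max", "weighted", "keep")


def select_threshold(method: str, current: float, learned: float,
                     weight: Optional[int] = None) -> float:
    """Apply one threshold selection method to a single policy.

    For "weighted" the formula is the one given in the guide:
        new-threshold = (learned * weight + current * (100 - weight)) / 100
    """
    if method == "new":
        return learned
    if method == "max":
        return max(current, learned)
    if method == "weighted":
        if weight is None or not 0 <= weight <= 100:
            raise ValueError("weight must be an integer from 0 to 100")
        return (learned * weight + current * (100 - weight)) / 100
    if method == "keep":
        return current
    raise ValueError(f"unknown threshold selection method: {method!r}")


@dataclass
class ZoneConfig:
    """Minimal model of a zone's policy thresholds and its learning state (assumed)."""
    thresholds: Dict[str, float]       # policy name -> current threshold (e.g. packets/s)
    tuned: bool = False                # the "Zone is Tuned" check box
    auto_learning: bool = False        # the "Set Periodic Learning" check box
    accepted_once: bool = False        # whether threshold tuning results were accepted yet


def accept_tuning_results(zone: ZoneConfig, learned: Dict[str, float], method: str,
                          weight: Optional[int] = None) -> Dict[str, float]:
    """Merge learned thresholds into the zone configuration; return the new thresholds.

    Threshold tuning only adjusts existing policies, so policies without a learned
    value keep their current threshold. For an untuned zone with automatic learning
    configured, the first accept uses "Accept new thresholds" regardless of the
    configured method; later accepts use the configured method again.
    """
    if method not in METHODS:
        raise ValueError(f"unknown threshold selection method: {method!r}")
    effective = method
    if zone.auto_learning and not zone.tuned and not zone.accepted_once:
        effective = "new"
    merged = {}
    for name, current in zone.thresholds.items():
        if name in learned:
            merged[name] = select_threshold(effective, current, learned[name], weight)
        else:
            merged[name] = current
    zone.thresholds = merged
    zone.accepted_once = True
    return merged


if __name__ == "__main__":
    # Constructed sample: thresholds from the zone template vs. values the
    # device learned from normal peak traffic.
    zone = ZoneConfig({"http_80": 1000.0, "dns_53": 500.0, "icmp": 200.0},
                      tuned=False, auto_learning=True)
    learned = {"http_80": 1300.0, "dns_53": 420.0}
    # Untuned zone: first automatic accept takes the learned values as-is.
    print(accept_tuning_results(zone, learned, "max"))
    # Second accept honours the configured method (weighted, weight 25).
    print(accept_tuning_results(zone, {"http_80": 1200.0}, "weighted", weight=25))
```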
Stopping the Threshold Tuning Phase
To accept or reject the current results of the threshold tuning phase and stop the threshold tuning phase, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Learning > Stop Learning. The Stop Learning screen opens.
Step 3
Choose one of the following options from the Stop Learning window:
• Reject—Ignores the current results of the threshold tuning phase.
• Accept—Uses the current results of the threshold tuning phase in the zone configuration. Define the threshold selection method to use. Table 9-2 describes the threshold selection method parameters.
Table 9-2 Threshold Selection Method

Parameter: Threshold selection method
Description: Method for selecting the thresholds to accept. You can choose one of the following actions:
• Accept new thresholds—Saves the results of the learning process to the zone configuration on the device.
• Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two thresholds to the zone configuration. This is the default method.
• Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
You define the weight value.
• Keep current thresholds—Rejects all of the suggested threshold values of the learning process; the policies retain the values they had before the threshold tuning phase.

Parameter: weight
Description: This option is active only when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the MDM to use in the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
Step 4
Click OK. The MDM updates the policies of the zone configuration on the device with the current results of the threshold tuning phase and stops the threshold tuning phase.
Step 5
(Optional) Synchronize the new information with the other zone devices by using one of the following methods:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section on page 5-9).
Combining Learning with the Detect and Protect Operations
The MDM allows you to activate the threshold tuning phase of the learning process with the Detect and Protect operations to enable the device to create a set of suggested policy thresholds while looking for indications of an attack on the zone. If the device detects a traffic anomaly, it suspends threshold tuning. When the attack terminates, the device resumes threshold tuning while continuing to monitor for anomalies. (For more information on combining these operations, see the "Learning Traffic While Looking for Traffic Anomalies" section.)
Follow these general guidelines when planning to activate threshold tuning along with Detect or Protect:
• Perform the policy construction phase first to ensure that the zone configuration on each device has the required policies for detecting the services contained in the traffic flow. Note the following policy construction restrictions:
– When a device is performing policy construction, you cannot activate Detect or Protect.
– The device cannot perform policy construction on a zone that was created with one of the DETECTOR_LINK or GUARD_LINK zone templates.
• Activate threshold tuning with Detect if the zone consists of Detectors and Guards, and the Detector master device does the learning for the zone devices. Synchronization is required to update the zone devices with any modifications that the master device makes to the zone configuration when the results of the phase are accepted by you, or automatically, by the device.
• Activate threshold tuning with Detect and Protect if the zone consists of Detectors and Guards, and each device does its own learning. In this case, synchronization is not required. (If you synchronize the zone, the zone configuration on the master device overwrites the zone configuration on the other devices.) It is important that all of the zone devices perform threshold tuning during the same time period to ensure that each device evaluates the same traffic patterns and makes the same policy threshold suggestions.
• Activate threshold tuning and Protect if the zone consists of only Guards.
• Verify the tuned state of the zone policies. The tuned state of the zone policies affects the ability of the device to detect anomalies when you activate threshold tuning with Detect or Protect. If the policies are marked as tuned, the device can learn zone traffic and detect anomalies immediately. If the zone policies are marked as not tuned when you activate threshold tuning with Detect or Protect, the device operates in the following ways:
– The device cannot detect traffic anomalies in the zone traffic until the learning phase results are accepted once by you, or automatically, by the device if you have automatic learning configured.
– If you have automatic learning configured, the device activates a threshold selection method of Accept new thresholds, regardless of how you have the selection method configured for automatic learning. After the device automatically accepts the threshold values for the first time, the threshold selection method reverts to your original configuration setting.
For more information on automatic learning, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section. To view the current tuned status of the zone and for information on marking policies as tuned or untuned, see the "Marking the Zone Policies as Tuned or Untuned" section.
This section contains the following topics:
• Activating Threshold Tuning with Detect or Protect
• Deactivating Threshold Tuning, Detect, and Protect
Activating Threshold Tuning with Detect or Protect
To activate threshold tuning and Detect or Protect, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Learning > Tune Threshold to activate the threshold tuning phase on the device that you have selected to learn zone traffic (see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section).
Step 3
Choose the anomaly detection operation to activate based on the device that you have selected to learn zone traffic (master device or all zone devices) and device type (Detector or Guard):
• Click Detect to activate anomaly detection on the zone Detectors.
• Click Protect to activate anomaly detection and zone protection on the zone Guards.
The following actions occur:
• The learning device begins analyzing the traffic flow for anomalies and begins the threshold tuning phase. If the device is a Guard, it must first divert zone traffic to itself.
• The zone status icon changes from Inactive to Detection or Protection.
• The Zone Status table indicates which zone device type is learning traffic and which device type is looking for traffic anomalies.
Deactivating Threshold Tuning, Detect, and Protect
When you activate the threshold tuning, Detect, and Protect operations simultaneously, the MDM allows you to deactivate any combination of these operations.
To deactivate threshold tuning, Detect, and Protect, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu and the zone status screen appear.
Step 2
Open the Deactivate window by using one of the following methods:
• From the zone status screen, click Deactivate.
• From the zone menu, choose Activation > Deactivate.
• From the zone menu, choose Learning > Deactivate. This option is available only if you have all three operations activated.
Step 3
Click the check box next to the requested action. Depending on the operation that you want to deactivate, you can choose one or all of the following actions:
• Stop Protection—Deactivates anomaly detection by the zone Guards. This option is available only if you have all three operations activated.
• Stop Detection—Deactivates anomaly detection by the zone Detectors. This option is available only if you have all three operations activated.
• Stop Learning—Stops the threshold tuning phase. You can choose one of the following options:
– Reject—Ignores the current results of the threshold tuning phase.
– Accept—Uses the current results of the threshold tuning phase in the zone configuration. Define the threshold selection method to use. Table 9-3 describes the threshold selection method parameters.
Table 9-3 Threshold Selection Method
Parameter | Description
Threshold selection method | Method for selecting the thresholds to accept. You can choose one of the following options:
• Accept new—Saves the results of the learning process to the zone configuration.
• Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two thresholds to the zone configuration. This is the default method.
• Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
You define the weight value.
• Accept current—The learning device rejects all of the suggested threshold values of the learning process, and the policies retain the values they had before the threshold tuning phase.
weight | This option is active only when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the MDM to use in the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
Step 4
Click OK. The MDM deactivates the selected operations. The following actions occur when you deactivate all three operations:
• If the deactivated device is a Guard, it stops diverting zone traffic to itself.
• The zone status icon changes from Detection and Protection to Inactive.
• The Zone Status table indicates that both device types are no longer learning traffic or looking for traffic anomalies.
Marking the Zone Policies as Tuned or Untuned
A device marks each zone as tuned or untuned, depending on the state of the policies within each of the zone configurations. The tuned state of the policies indicates whether the threshold values of the policies are specific to the zone traffic or the thresholds are set to default values that should be tuned to the unique characteristics of the zone traffic. The following conditions determine when a device marks a zone as being tuned or untuned:
• Untuned—The device marks the zone as untuned when the policies of the zone configuration use the default threshold values defined by the zone template. The policies are configured with the default threshold values after you perform one of the following actions:
– Create a new zone
– Accept the results of the policy construction phase
– Add a service to the zone policies or remove a service from the zone policies
When a zone is marked as untuned, the device cannot detect zone anomalies.
• Tuned—The device marks the zone as tuned after accepting the results of the threshold tuning phase. At this point, the threshold values are tuned specifically to the characteristics of the zone traffic.
The tuned state of the zone policies affects only the operation of the device when you activate threshold tuning with Detect or Protect. If the zone is untuned when you activate these operations together, the device cannot detect an attack on the zone until the first time that it accepts the results of the threshold tuning phase. Accepting the results can be initiated by you or by the device if you enable automatic learning (see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section). If the threshold selection method of automatic learning is set to anything but Accept new thresholds, the device nevertheless uses the Accept new thresholds setting to accept the first results of the threshold tuning phase. From that point on, the device uses the threshold selection method that you configured for automatic learning.
You can manually change the tuned state of a zone. You should change the state to tuned when one of the following conditions applies:
• You created the zone by copying an existing zone configuration with similar traffic characteristics.
• You have manually configured all policy thresholds.
You should change the tuned state of the zone to untuned when one of the following conditions applies:
• A major change was made in the zone network that would affect traffic rates.
• The zone IP address or subnet was modified.
• You did not have the device perform the threshold tuning phase during peak traffic time. In this situation the policy threshold values may be set too low, possibly causing the device to mistake peak traffic rates for an attack on the zone.
To mark the zone as tuned or untuned, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Configuration > Learning parameters. The Learning Parameters screen appears.
Step 3
Click Config. The Learning Parameters Form screen appears.
Step 4
From the Learning Parameters Form, choose one of the following options:
• Check the Zone is Tuned check box to mark the policies as tuned and ready for anomaly detection.
• Uncheck the Zone is Tuned check box to mark the policies as untuned and not ready for anomaly detection.
Step 5
Click OK. The MDM saves the tuned setting to the zone configuration on the master device.
Step 6
(Optional) Synchronize the new information with the other zone devices by using one of the following methods:
• Manually by choosing Activation > Sync from the zone menu.
• Automatically according to how you configured the synchronization feature in the zone configuration.
For more information about the Learning Parameter Form options, see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section.
Managing Learning Process Snapshots
The snapshot feature allows you to save a copy of the zone policy suggestions that the device creates during either phase of the learning process. The policy suggestions include services, thresholds, and other policy-related data. Using the snapshot feature, you can perform the following actions:
• Display the current results of the learning process
• Replace the policy information in the zone configuration with the snapshot policy information
• Compare the policy results of the snapshot with another snapshot or zone configuration (see the "Comparing the Policies of Two Zone Configurations or Snapshots" section)
• Create a copy of the zone policies contained in the zone configuration
At any stage of the learning process, you can manually initiate a snapshot or have the device automatically take a snapshot at regular intervals. The device continues performing the current learning phase while it saves the snapshot information and assigns a consecutive ID number to the snapshot.
A device is capable of saving 100 snapshots. Above this limit, the device overwrites the oldest snapshot saved with the most recent one taken.
When using the MDM to initiate a snapshot, follow these guidelines:
• The MDM initiates a snapshot on the devices that the zone is configured to use for learning traffic, which is either just the master device or all of the zone devices (see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section).
• When the master device does the learning for the zone devices, snapshots are not included in the configuration information that is synchronized with the other zone devices.
• To display a snapshot on a zone device other than the master device, you must access the device directly using the device's CLI or Web-Based Manager (WBM).
This section contains the following topics:
• Setting up the Device to Take Periodic Snapshots
• Taking a Snapshot of Current Learning Process Results
• Taking a Snapshot of the Policies in the Zone Configuration
• Displaying and Modifying a Snapshot or Saving Snapshot Results to the Zone Configuration
• Deleting a Snapshot
Setting up the Device to Take Periodic Snapshots
You can configure the device to automatically take a snapshot at regular intervals during either phase of the learning process. The device assigns a consecutive ID number to each snapshot that it takes. Configuring the device to periodically take snapshots is a function of the Learning Parameters feature. See the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section for information on configuring periodic snapshots.
Taking a Snapshot of Current Learning Process Results
To take a snapshot of the current learning process results, follow these steps:
Step 1
Choose a zone from the navigation pane that is currently performing policy construction or threshold tuning. The zone menu appears.
Step 2
From the zone menu, choose Learning > Snapshot. The Create Snapshot screen appears.
Step 3
From the Snapshot Name field, enter a name for the snapshot.
Step 4
From the Threshold Selection Method drop-down list, choose the threshold method to use. Table 9-4 describes the parameters listed in the Accept Thresholds window.
Table 9-4 Threshold Selection Method
Parameter | Description
Threshold selection method | Method for selecting the thresholds to accept. You can choose from the following options:
• Accept new thresholds—Saves the results of the learning process to the zone configuration on the learning device. This is the only option available when the zone is marked as untuned (see the "Marking the Zone Policies as Tuned or Untuned" section).
• Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two thresholds to the zone configuration on the learning device. This is the default method.
• Accept weighted thresholds—Calculates the policy thresholds to save based on the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
You define the weight value.
• Keep current thresholds—Rejects all of the suggested threshold values of the learning process, and the zone policies retain the values they had before the threshold tuning phase.
weight | This option is active only when you select a threshold selection method of Accept weighted thresholds. Enter a weight value for the master device to use in the following formula:
new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100
Step 5
Click OK. The MDM assigns a consecutive ID number to the snapshot and saves the snapshot on the devices that the zone is configured to use for learning traffic (see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section).
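The four threshold selection methods of Tables 9-3 and 9-4, together with the first-acceptance rule for an untuned zone from the "Marking the Zone Policies as Tuned or Untuned" section, worked through in Python as an added example (not MDM code); the policy names, threshold values and the method identifiers such as accept_weighted are constructed for the illustration.

```python
# Added example (not MDM code): the four threshold selection methods of
# Tables 9-3 and 9-4 applied to a learning result, including the rule that
# an untuned zone accepts its first results with "Accept new thresholds".
# Policy names, threshold values and the method identifiers are constructed.

METHODS = ("accept_new", "accept_max", "accept_weighted", "keep_current")


def select_threshold(current, learned, method, weight=None):
    """Return the threshold to save for one policy.

    accept_new      -> the learned threshold
    accept_max      -> the higher of current and learned (the default method)
    accept_weighted -> (learned * weight + current * (100 - weight)) / 100
    keep_current    -> the current threshold (learning result rejected)
    """
    if method == "accept_new":
        return learned
    if method == "accept_max":
        return max(current, learned)
    if method == "accept_weighted":
        if weight is None or not 0 <= weight <= 100:
            raise ValueError("weight must be a percentage from 0 to 100")
        return (learned * weight + current * (100 - weight)) / 100
    if method == "keep_current":
        return current
    raise ValueError(f"unknown threshold selection method: {method}")


def accept_results(current, learned, method, weight=None, zone_tuned=True):
    """Apply one selection method to every policy of the zone.

    current and learned map a policy name to its threshold. When the zone is
    marked untuned, the first acceptance is forced to accept_new regardless
    of the configured method, and the zone is marked tuned afterwards.
    Returns (new thresholds, method actually used, zone tuned after accept).
    Policies without a learned value keep their current threshold; threshold
    tuning does not add services (that is the policy construction phase).
    """
    if method not in METHODS:
        raise ValueError(f"unknown threshold selection method: {method}")
    used = method if zone_tuned else "accept_new"
    merged = {}
    for policy, cur in current.items():
        if policy in learned:
            merged[policy] = select_threshold(cur, learned[policy], used, weight)
        else:
            merged[policy] = cur
    return merged, used, True


# Constructed sample: thresholds (packets per second) before tuning and the
# suggestions the device produced during the threshold tuning phase.
CURRENT = {"tcp/80/syn": 1000, "udp/53": 500, "icmp": 200}
LEARNED = {"tcp/80/syn": 1400, "udp/53": 300}

if __name__ == "__main__":
    for m in METHODS:
        w = 30 if m == "accept_weighted" else None
        print(m, accept_results(CURRENT, LEARNED, m, w)[0])
    # An untuned zone ignores the configured method the first time.
    print("untuned:", accept_results(CURRENT, LEARNED, "accept_max", zone_tuned=False))
```

With a weight of 30, the weighted method moves each threshold only 30% of the way toward the learned value, so a short or unrepresentative tuning period cannot drag a threshold far from its previous setting.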
Taking a Snapshot of the Policies in the Zone Configuration
When you take a snapshot of a zone when the device is not performing a phase of the learning process, the MDM creates a snapshot that contains the current policy information of the zone configuration. You can use this type of snapshot to create a backup of the zone policies or for comparison purposes.
To create a snapshot of the zone configuration policies, follow these steps:
Step 1
Choose a zone from the navigation pane that is not currently performing a phase of the learning process. The zone menu appears.
Step 2
From the zone menu, choose Learning > Snapshot. The Create Snapshot screen appears.
Step 3
From the Snapshot Name field, enter a name for the snapshot.
Step 4
Click OK. The MDM assigns a consecutive ID number to the snapshot and saves the policies contained in the zone configuration to the snapshot on the devices that the zone is configured to use for learning traffic (see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section).
Displaying and Modifying a Snapshot or Saving Snapshot Results to the Zone Configuration
The MDM allows you to display the list of snapshots saved on the master device. From the snapshot list, you can select a snapshot to view the policies associated with the snapshot. From the Policy View screen, you can perform the following actions:
• Modify a snapshot policy.
• Display the policies associated with either the Detector or the Guard if you created the zone using a GUARD zone template.
• Add or remove a service.
• Save the policies to the zone configuration.
To view the list of snapshots, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Learning > Snapshot List. The list of snapshots appears, displaying the ID number of each snapshot with the date and time that the snapshot was taken. Table 9-5 describes each of the fields in the Snapshot List table.
Step 3
Click in any field of the snapshot that you wish to display. The Policies screen appears, displaying the policies that the device recorded at the time of the snapshot.
Step 4
(Optional) From the Policies screen of the snapshot, you can choose one of the following options:
• Configure Selection—Reconfigures the parameters of one or more of the policies (see the "Modifying a Policy Parameter" section on page 8-6)
• Add service or Remove service—Adds or removes a service to the list of services detected at the time of the snapshot (see the "Adding or Deleting a Service" section on page 8-10)
• Accept Thresholds—Saves the policies of the snapshot to the zone configuration.
• View Guard/View Detector—Displays the policies associated with the device type that you have selected using this toggle button.
Table 9-5 Field Descriptions for the Snapshot List Table
Field | Description
ID | Snapshot identification number assigned by the device when the snapshot was taken.
Name | Name that you assigned to the snapshot. The name field is blank if you did not assign a name to the snapshot. The name field displays (automatic) for snapshots that were taken automatically by the device.
Creation Time | Date and time that the snapshot was taken.
Snapshot Type | Method that was used to take the snapshot. The method for taking the snapshot can be one of the following types:
• Manual—Snapshot was initiated by user action.
• Periodic—Snapshot was taken by the device automatically based on the configuration of the learning parameters (see the "Setting Up Learning Parameters and Selecting Zone Devices for Learning" section for more information).
• Automatic—Snapshot was taken by the device automatically when you activated a phase of the learning process. If you have the zone configured to take automatic snapshots without automatic accepts, and if the zone is attacked, you can use the last snapshot taken before the attack started as a baseline for providing zone protection.
Operation | Operation state of the zone when the snapshot was taken. The zone can be operating in one of the following states:
• Threshold Tuning—Threshold tuning phase of the learning process.
• Policy Construction—Policy construction phase of the learning process.
• N/A—Zone was not performing either phase of the learning process when the snapshot was taken. The displayed policies are the policies contained in the zone configuration at the time that the snapshot was taken.
Accept Method | Method that the device used to accept the thresholds. The possible threshold selection methods are as follows:
• Accept new thresholds—Saves the results of the learning process to the zone configuration on the learning device.
• Accept max. thresholds—Compares the current policy threshold to the learned threshold and saves the higher of the two to the snapshot.
• Accept weighted thresholds—Calculates the policy thresholds to save based on the learned-threshold, the current-threshold, and the weight that you defined.
• Accept current—Saves the current thresholds without modifying them.
Deleting a Snapshot
To delete a snapshot, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Learning > Snapshot List. The list of snapshots appears and displays the ID number of each snapshot with the date and time that the snapshot was taken.
Step 3
Check the check box next to the ID number of the snapshot to delete.
Step 4
Click Delete. The MDM deletes the selected snapshot from the Snapshot list on the master device.
Comparing the Policies of Two Zone Configurations or Snapshots
You can compare the policy configurations of two zone configurations, two snapshots, or a zone configuration and a snapshot. The MDM traces the differences in policy configuration services, policies, and policy thresholds. Using the MDM, you can compare the policy configurations of the zone configuration and snapshots on the master device only.
When comparing the policy configurations of two zone configurations or snapshots, you can perform the following actions:
• Define the level of comparison sensitivity
• Delete or add policy configuration attributes to make the two compared policy sets more alike
• Selectively accept learned policy attributes
This section contains the following topics:
• Displaying the Differences Between Two Policy Sets
• Adding or Deleting a Service to the Base Zone
• Copying Policy Parameters to the Base Zone
Displaying the Differences Between Two Policy Sets
To compare and display the differences between the two sets of policies contained in zone configurations or snapshots, follow these steps:
Step 1
Choose a zone from the navigation pane. The zone menu appears.
Step 2
From the zone menu, choose Configuration > Policies > Compare policies. The Policy Comparison screen appears.
Step 3
Define the two sets of policies to compare. Table 9-6 describes the policies comparison query parameters.
Table 9-6 Policies Comparison Parameters
Parameter | Description
Base Zone | Zone that contains one of the policy sets to compare. If you require configuration changes to correct differences between the two zone policy configurations being compared, you make the changes to the base zone.
Zone | Name of the zone or snapshot to use as the base zone. Choose the base zone from the drop-down list.
Policy Configuration | Policy configuration of the selected base zone. The default value is the current policy configuration of the zone configuration, but if snapshots are available, they display in the drop-down list. Choose the base zone policy configuration from the drop-down list.
Compared Zone | Zone that contains the other policy set to compare.
Zone | Name of the zone or snapshot being compared to the base zone. Choose the compared zone from the drop-down list.
Policy Configuration | Policy configuration of the selected compared zone. The default value is the current policy configuration of the zone configuration, but if snapshots are available, they display in the drop-down list. Choose the policy configuration from the drop-down list.
Minimal difference | Percentage of differences between the base and compared zone policy configurations. The device traces any parameters that differ by more than the percentage defined. By default, the device traces each difference in the compared zone (100%). Enter the difference percentage value.
Step 4
Click OK. The master device compares the configuration of the two defined policy sets. The Policy Comparison screen appears and displays the differences in services and policy parameters (see Figure 9-1).
Figure 9-1 shows an example of the policy comparison tables. The policy configuration attributes specific to the base zone display in black text while the attributes specific to the compared zone display in red text.
Figure 9-1 Policy Comparison Screen
The Policy Comparison screen is divided into the following three sections:
• Policy Comparison—Names of the two policy sets that you selected for comparison. The base zone displays in black text and the compared zone displays in red text.
• Difference in services—The two tables in this section display the following information:
– Services present only in the base zone policies.
– Services missing from the base zone. The services in this list are defined only in the compared zone.
• Difference in policy parameters—Differences in the operational parameters of the policies (state, action, threshold, proxy-threshold) display. Each section in the table displays the differences found in a single policy. The first row in each section displays the base zone parameters in black text. The second row of each section displays the compared zone parameters in red text.
Note
The MDM displays a check box next to the listed services that you can add to or delete from the base zone. Some listed services cannot be added or deleted as they are not specific services, such as those of the type any.
Adding or Deleting a Service to the Base Zone
When you compare the configurations of two policy sets, the MDM displays any differences in the services covered by each policy set. You can add or delete services from the base zone configuration to make this configuration match the services of the compared zone.
You perform the following procedure from the Policy Comparison screen, which displays when you compare the configurations of two policy sets (see the "Displaying the Differences Between Two Policy Sets" section).
To add services to the base zone configuration, follow these steps:
Step 1
From the Services Missing From zone name table, check the check boxes next to the services to add to the base zone configuration. To choose all of the table entries, click the check box in the table header.
Step 2
Click Add. The MDM adds the selected services to the base zone policy configuration.
To delete services from the base zone configuration, follow these steps:
Step 1
From the Services Only In zone name table, check the check boxes next to the desired services to remove from the base zone configuration. To choose all of the table entries, click the check box in the table header.
Step 2
Click Delete. The MDM removes the selected services from the base zone policy configuration.
Copying Policy Parameters to the Base Zone
When you compare the configurations of two policy sets, the MDM displays any differences in the policy parameters of each policy set. You can copy the parameters from the compared policy set to the base policy set to make the base policy parameters match the compared policy parameters.
You perform the following procedure from the Policy Comparison screen, which displays when you compare the configurations of two policy sets (see the "Displaying the Differences Between Two Policy Sets" section).
To copy the policy parameters from the compared zone to the base zone, follow these steps:
Step 1
From the Difference in Policy Parameters table, check the check boxes next to the policies to copy to the base zone. To choose all of the table entries, click the check box in the table header.
Step 2
Click Copy Parameters. The MDM copies the selected policies from the compared zone (red) to the base zone (black) policy configuration and removes the selected policies from the table.
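The comparison and the follow-up actions of the "Displaying the Differences Between Two Policy Sets", "Adding or Deleting a Service to the Base Zone" and "Copying Policy Parameters to the Base Zone" sections, modelled in Python as an added example (not MDM code). The policy sets, service names and parameter values are constructed, and the way the Minimal difference percentage is computed is an assumption because the page gives no formula.

```python
# Added example (not MDM code): the policy comparison from "Displaying the
# Differences Between Two Policy Sets", plus the add/delete service and copy
# parameter actions on the base zone. Policy sets map a service name to its
# parameters (state, action, threshold, proxy_threshold); all sample values
# are constructed. Assumption: Minimal difference is the relative change
# from the base value (the page gives no formula); 0 reports every difference.

PARAMS = ("state", "action", "threshold", "proxy_threshold")
NON_SPECIFIC = {"any"}  # listed without a check box; cannot be added/deleted


def differs(base_val, cmp_val, min_diff_pct):
    """True when a parameter differs by more than min_diff_pct percent."""
    if isinstance(base_val, (int, float)) and isinstance(cmp_val, (int, float)):
        if base_val == cmp_val:
            return False
        if base_val == 0:
            return True
        return abs(cmp_val - base_val) * 100 / abs(base_val) > min_diff_pct
    return base_val != cmp_val  # state and action: any change is reported


def compare_policies(base, compared, min_diff_pct=0):
    """Return the three sections of the Policy Comparison screen.

    only_in_base: services present only in the base zone;
    missing_from_base: services defined only in the compared zone;
    param_diffs: per shared service, {param: (base value, compared value)}.
    """
    shared = set(base) & set(compared)
    param_diffs = {}
    for svc in sorted(shared):
        diffs = {p: (base[svc].get(p), compared[svc].get(p)) for p in PARAMS
                 if differs(base[svc].get(p), compared[svc].get(p), min_diff_pct)}
        if diffs:
            param_diffs[svc] = diffs
    return {"only_in_base": sorted(set(base) - shared),
            "missing_from_base": sorted(set(compared) - shared),
            "param_diffs": param_diffs}


def add_services(base, compared, services):
    """Add services from the Services Missing From table to the base zone."""
    for s in services:
        if s in NON_SPECIFIC or s in base or s not in compared:
            raise ValueError(f"{s} cannot be added to the base zone")
        base[s] = dict(compared[s])
    return base


def delete_services(base, compared, services):
    """Delete services from the Services Only In table from the base zone."""
    for s in services:
        if s in NON_SPECIFIC or s not in base or s in compared:
            raise ValueError(f"{s} cannot be deleted from the base zone")
        del base[s]
    return base


def copy_parameters(base, compared, services):
    """Copy the compared zone's parameters for shared services into the base."""
    for s in services:
        if s not in base or s not in compared:
            raise ValueError(f"{s} is not in the Difference in Policy Parameters table")
        base[s].update({p: compared[s][p] for p in PARAMS if p in compared[s]})
    return base


def policy(state, action, threshold, proxy_threshold):
    return {"state": state, "action": action, "threshold": threshold,
            "proxy_threshold": proxy_threshold}


# Constructed sample: the zone configuration (base) and a snapshot (compared).
BASE = {"tcp/80": policy("active", "notify", 1000, 800),
        "udp/53": policy("active", "notify", 500, 400),
        "udp/123": policy("active", "notify", 100, 80),
        "any": policy("active", "notify", 5000, 0)}
COMPARED = {"tcp/80": policy("active", "filter", 1300, 800),
            "udp/53": policy("active", "notify", 500, 400),
            "tcp/443": policy("active", "notify", 900, 700)}

if __name__ == "__main__":
    print(compare_policies(BASE, COMPARED))       # every difference traced
    print(compare_policies(BASE, COMPARED, 50))   # 30% threshold change skipped
```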