Table Of Contents
Creating and Configuring Zones
Understanding Zones and Zone Attributes
Creating a Zone
Creating a Zone Using a Zone Template
Creating a Zone from an Existing Zone
Modifying the Zone General Configuration Attributes
Adding, Excluding, or Deleting a Zone IP Address
Adding an IP Address to the Zone
Excluding an IP Address from a Zone Subnet
Deleting an IP Address from the Zone
Updating the Zone Policies After Modifying the Zone IP Address Range
Managing a Zone Device
Adding a Device to the Zone Device List
Deleting a Device from the Zone Device List
Deleting a Zone
Creating and Configuring Zones
This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to create, define, and manage the network zones that you want to protect against DDoS attacks.
Note
This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Understanding Zones and Zone Attributes
• Creating a Zone
• Modifying the Zone General Configuration Attributes
• Adding, Excluding, or Deleting a Zone IP Address
• Managing a Zone Device
• Deleting a Zone
Understanding Zones and Zone Attributes
A zone is a network element that your Detector and Guard devices protect against DDoS attacks by looking for anomalies in the traffic that flows to the network element. A zone can be any combination of the following elements:
• A network server, client, or router
• A network link, a subnet, or an entire network
• An individual Internet user or a company
• An Internet Service Provider (ISP)
To define a zone and configure the operation of the devices used to protect the zone, you create a zone configuration that includes the following attributes:
• Zone identification—Identifier that you assign to the zone.
• Network definition—Attributes of the network elements such as the IP address and subnet mask.
• Zone devices—Detector and Guard devices that you associate with the zone to monitor the zone traffic for anomalies and to protect the zone against attacks.
• Zone master device—Zone device that the MDM accesses for zone configuration information. The master device is also used for synchronizing configuration information with other zone devices if you have the synchronization function enabled. You choose one device as the zone master device.
• Policy templates—Collection of policy construction rules that the device uses during the policy construction phase to create the zone policies. During the policy construction phase, the device learns the behavioral patterns of normal zone traffic and creates zone traffic policies from this information.
• Policies—Reference points that the device uses to detect the existence of anomalies in the zone traffic. When a traffic anomaly is detected, the policy applies the specified zone filter to the traffic.
• User, bypass, and flex-content traffic filters—Filters that define how a device handles specific traffic flows.
When you create a zone configuration, the MDM propagates the information to all of the zone devices. The MDM maintains a record that associates a zone name with the devices that you specify. The MDM sessions with the zone master device to access and display configuration information when you want to display or modify a zone configuration. If you modify a zone configuration, the zone configuration information stored on the master device can be synchronized with other zone devices manually, or you can configure the zone so that the MDM performs synchronization automatically. You enable or disable the automatic synchronization operation when defining the zone configuration.
The process of creating and modifying a zone configuration consists of the following tasks:
• Creating a zone—Create a new zone (or copy an existing zone) and configure the basic attributes, such as the zone name, IP address, and devices, that protect the zone. See the "Creating a Zone" section for more information.
• Configuring the zone general configuration attributes—(Optional) Configure additional zone attributes such as the protect-IP state, the activation extent, or the synchronization feature. See the "Modifying the Zone General Configuration Attributes" section for more information.
• Configuring the zone filters—(Optional) Configure the user, bypass, and flex-content zone filters that define how a device handles specific traffic flows. See Chapter 6, "Managing Zone Filters," for more information.
• Configuring the zone policy templates—(Optional) Control the policies developed during the learning process. See the "Modifying a Policy Template" section on page 7-6 for more information.
• Modifying the zone policies manually—(Optional) Manually modify the policies of a zone configuration to adjust the attack detection and protection capabilities of the zone devices. Policy modification includes adding or deleting services or adjusting policy threshold levels. See the "Modifying a Policy Parameter" section on page 8-6 for more information.
• Modifying the zone policies using the learning feature—(Recommended) Enable learning and allow the device to analyze normal traffic flow and fine-tune the policies of the zone configuration. Learning consists of two phases:
– Policy construction—The device creates new policies for services that it discovers that were not included in the current zone configuration. The policies that the device creates are based on the policy templates associated with the zone.
– Threshold tuning—The device adjusts the policy thresholds to reflect the actual traffic rates of normal traffic.
See Chapter 9, "Learning Zone Traffic and Taking Snapshots," for more information about the learning process.
Creating a Zone
You can create a zone with one of the following methods:
• Use a zone template—Create a new zone from system-defined zone templates. Use this method to create a new zone with the default policies and filters. After you create a new zone, you must configure the zone general configuration attributes to define the scope of the network elements to protect and the operation of the devices (see the "Modifying the Zone General Configuration Attributes" section).
• Copy an existing zone—Create a new zone by copying the configuration (including the zone general configuration attributes) of an existing zone. Use this method if the new zone has traffic patterns that are similar to the patterns of an existing zone.
This section contains the following topics:
• Creating a Zone Using a Zone Template
• Creating a Zone from an Existing Zone
Creating a Zone Using a Zone Template
A zone template defines the default configuration of a new zone. The MDM contains two sets of zone templates with the following prefixes:
• DETECTOR_—Designed for Detector use only. Choose the DETECTOR_ version of the zone template when the zone contains only Detectors (no Guards).
• GUARD_—Designed for use on both Detectors and Guards. If the zone contains both Detector and Guard devices, you must create the zone using a GUARD_ template, which contains the zone configuration attributes for both device types. Creating a zone with a GUARD_ template allows you to activate the learning process on the Detector master device and to synchronize the results of the learning process with the associated zone Guards.
Note
Zones that you create with a GUARD_ template consume more memory than zones that you create with a DETECTOR_ template and reduce the possible number of concurrent active zones on the Detector. If the zone contains only Detectors and you do not plan to add any Guards in the future, we recommend that you use a DETECTOR_ zone template.
Table 5-1 displays the available zone templates.
Table 5-1 Zone Templates
Template: DETECTOR_DEFAULT
Description: Default Detector zone template. This template applies to all Detector applications unless the application requires a more specific DETECTOR_ zone template (DETECTOR_LINK or DETECTOR_WORM).
Template: DETECTOR_LINK templates
Description: Zone templates that detect anomalies on large subnets segmented according to zones with known bandwidths. You can activate anomaly detection for zones defined with one of these templates without performing the learning process. To enable the Detector to activate zone protection on a Guard for the attacked IP address or subnet only, configure the Protect-IP State parameter to Only Dst IP (see the "Modifying the Zone General Configuration Attributes" section for more information).
The following bandwidth-limited link zone templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links:
• DETECTOR_LINK_128K
• DETECTOR_LINK_1M
• DETECTOR_LINK_4M
• DETECTOR_LINK_512K
The Detector can perform only the threshold tuning phase of the learning process on zones that you create with a link template. It cannot perform the policy construction phase.
Template: DETECTOR_WORM
Description: Zone template that enables the Detector to detect TCP worm attacks. Zones that you create using the DETECTOR_WORM zone template contain policies that are produced from the worm_tcp policy template.
Template: GUARD_DEFAULT
Description: Default Guard zone template. This template applies to all Guard, or Guard and Detector, applications unless the application requires a more specific GUARD_ template (GUARD_LINK, GUARD_TCP_NO_PROXY, or GUARD_VOIP).
The Guard may change the packet source IP address to the Guard TCP-proxy IP address. Use this zone template only if you do not use access control lists (ACLs), access policies, or load-balancing policies that are based on the incoming source IP address for the zone network.
Template: GUARD_LINK templates
Description: Zone templates designed for on-demand protection of large subnets segmented according to zones with a known bandwidth. To focus on the zone protection requirements and save Guard resources, we recommend that you activate zone protection on these zones for the attacked address range only. Configure the method that the Guard uses to activate zone protection for the attacked subnet or range by setting the activation-extent parameter to IP address only (see Table 5-5 for more information). To enable a Detector to activate zone protection on the Guard for the attacked IP address or subnet only, configure the Detector Protect-IP State parameter to Only Dst IP (see the "Modifying the Zone General Configuration Attributes" section for more information).
The following templates are available for 128-Kb, 1-Mb, 4-Mb, and 512-Kb links:
• GUARD_LINK_128K
• GUARD_LINK_1M
• GUARD_LINK_4M
• GUARD_LINK_512K
The Guard can perform only the threshold tuning phase of the learning process on zones that you create with a link template. It cannot perform the policy construction phase.
Template: GUARD_TCP_NO_PROXY
Description: Zone template that protects a zone in which no TCP proxy is used. Use this zone template if access to the zone is controlled based on the source IP addresses, such as an Internet Relay Chat (IRC) server-type zone, or if you do not know the type of services running on the zone.
Template: GUARD_VOIP
Description: Zone template that protects a zone containing a VoIP server using the following protocols:
• Session Initiation Protocol (SIP) over UDP to establish VoIP sessions
• Real-Time Transport Protocol/Real-Time Control Protocol (RTP/RTCP) to transmit voice data between SIP end points after sessions are established
Zones that you create using the GUARD_VOIP zone template contain policies for mitigating attacks on a VoIP server. These policies are produced using the sip_udp policy template.
Note The GUARD_VOIP zone template contains special policies for mitigating an attack on a VoIP server. No special policies are required for detecting such an attack. If the zone consists of only Detectors that can detect an attack on the VoIP server, use the DETECTOR_DEFAULT zone template.
When you create a zone using a predefined zone template, the MDM applies the default settings of the template to all of the zone attributes.
To create a zone using a zone template, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, use one of the following methods to open the Zone Form:
• Choose Zones > Create Zone.
• Choose Zones > Zone list, and then click Add.
Step 3
In the Name field, enter a name for the zone. Enter an alphanumeric string that starts with a letter and contains from 1 to 63 characters. The string can contain underscores but cannot contain any spaces.
Step 4
From the Zone Template drop-down list, choose the desired zone template (see Table 5-1 for information on each of the zone templates).
Step 5
In the IP Address field, enter the zone IP address.
Enter the IP address in dotted-decimal notation (for example, 192.168.100.1). The IP address must match the subnet mask. If you enter a Class A, Class B, or Class C subnet mask, the host bits in the IP address must be 0.
Step 6
In the IP Mask field, enter the IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0).
Step 7
In the Devices and Master table, check the check box next to the devices to use for anomaly detection or zone protection. See Table 5-2 for details on the fields displayed in the Devices and Master table.
Step 8
From the Master column in the Devices and Master table, choose a master device from the devices that you associated with the zone in Step 7. If the zone contains both device types, you must choose a Detector as the master device.
Step 9
Click OK. The MDM performs the following actions:
• Creates a new entry in its database that associates the zone with the devices that you specified in the zone configuration (the MDM does not save a copy of the zone configuration).
• Creates the new zone on the master device and then synchronizes the zone configuration with the other zone devices.
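The Zone Form enforces several rules that are easy to get wrong when zones are scripted or reviewed in bulk: the name format (Step 3), the requirement that the IP address match the mask with the host bits clear (Steps 5 and 6), and the master-device rules (Step 8 and the Master row of Table 5-2). The following validator is an added example, not MDM code; the device inventory it checks against is constructed, and applying the host-bits rule to every mask (the page states it for classful masks) is this example's choice.

```python
import ipaddress
import re

# Constructed stand-in for the Devices and Master table (Table 5-2). The
# hostnames, types and connection states are made up for this example.
DEVICES = {
    "det-1": {"type": "Detector", "state": "Connected"},
    "grd-1": {"type": "Guard", "state": "Connected"},
    "grd-2": {"type": "Guard", "state": "Disconnected"},
}

# Step 3: 1 to 63 characters, starting with a letter; letters, digits and
# underscores only (no spaces).
ZONE_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")


def check_zone_name(name):
    """Return True when the name satisfies the Step 3 rules."""
    return ZONE_NAME_RE.fullmatch(name) is not None


def check_zone_network(ip, mask):
    """Steps 5 and 6: parse a dotted-decimal address and mask.

    Returns the IPv4Network when the address matches the mask (no host bits
    set), otherwise None. strict=True makes ipaddress reject host bits.
    """
    try:
        return ipaddress.IPv4Network((ip, mask), strict=True)
    except ValueError:  # covers AddressValueError and NetmaskValueError too
        return None


def check_devices_and_master(selected, master, devices=DEVICES):
    """Steps 7 and 8 plus the Master guidelines of Table 5-2."""
    if not selected:
        return "choose at least one device for the zone"
    if master not in selected:
        return "the master must be one of the devices checked for the zone"
    if devices[master]["state"] != "Connected":
        return "the master device must be in the Connected state"
    types = {devices[host]["type"] for host in selected}
    if len(types) == 2 and devices[master]["type"] != "Detector":
        return "a zone with both device types needs a Detector as master"
    return "ok"


def validate_zone_form(name, ip, mask, selected, master, devices=DEVICES):
    """Collect every problem with the Zone Form before it would be submitted."""
    problems = []
    if not check_zone_name(name):
        problems.append("name: 1-63 letters, digits or underscores, starting with a letter")
    if check_zone_network(ip, mask) is None:
        problems.append("ip/mask: address and mask must be valid and the host bits must be 0")
    verdict = check_devices_and_master(selected, master, devices)
    if verdict != "ok":
        problems.append("devices: " + verdict)
    return problems


if __name__ == "__main__":
    # 192.168.100.1/24 has host bits set, and a Guard cannot be master of a
    # mixed zone, so two problems are reported.
    print(validate_zone_form("web_zone", "192.168.100.1", "255.255.255.0",
                             ["det-1", "grd-1"], "grd-1"))
```

Running the check before submitting the form catches the two mistakes that otherwise surface only as a rejected form: a host address entered where a subnet address is expected, and a Guard chosen as master of a zone that also contains a Detector.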
Table 5-2 describes the fields in the Devices and Master table.
Table 5-2 Field Description for Devices and Master Table
Field: Hostname
Description: Hostname of the device.
Field: IP Address
Description: IP address of the device.
Note We recommend that you use the out-of-band channel to connect to the MDM, in which case this IP address should be the management address.
Field: Type
Description: Device type: Guard or Detector.
Field: State
Description: Connection state between the device and the MDM. Possible states are as follows:
• Connected—A session with the device exists.
• Disconnected—A session with the device cannot be created.
• Initializing—A session with the device is being established. This state frequently displays while the MDM is upgrading the Remote Agent on the device.
• Suspended—A user disabled communication with the device.
Field: Master
Description: Master device for the zone. Choose the master device using the following guidelines:
• If the zone contains both device types, the master device must be a Detector because you can synchronize zone configuration information from a Detector to a Guard only (you cannot synchronize configuration information from a Guard to a Detector).
• A device must have a Connected state before you can choose it as the master device.
Field: #DF
Description: Number of dynamic filters that are currently active. Because the device only creates a dynamic filter when it detects an anomaly, a #DF value greater than zero indicates that the device is currently handling one or more attacks.
Field: Mem Usage
Description: Statistical anomaly engine memory usage. The memory usage of the device is affected by the number of active zones associated with the device and the number of services that each of the associated zones monitors. If the memory usage for a Guard is higher than 90 percent and you plan to immediately activate zone protection, we recommend that you reduce the memory usage before you associate the device with the zone. You can reduce Guard memory usage by deactivating other zones associated with the device.
Field: Legitimate Rate
Description: Current rate of legitimate traffic (in bps) forwarded by the device to the zones.
Field: Malicious Rate
Description: Current rate of malicious traffic (in bps) that the device is handling.
After you create a zone, you can do the following tasks:
• Add additional IP addresses to the zone configuration (see the "Adding an IP Address to the Zone" section).
• Modify the zone attributes, such as the protect-IP state, activation extent, or synchronization parameters (see the "Modifying the Zone General Configuration Attributes" section).
• (Recommended) Perform the learning process to adjust the policies to the characteristics of the zone's normal traffic (see Chapter 9, "Learning Zone Traffic and Taking Snapshots").
Creating a Zone from an Existing Zone
Using the Save as feature, you can use an existing zone as a template for creating a new zone. The new zone contains the same configuration attributes as the template zone with the following exceptions:
• The MDM marks the policies of the new zone as untuned. We recommend that you tune the policy thresholds to the zone traffic by performing the threshold tuning phase. If, however, the traffic characteristics of the new zone are identical or very similar to the traffic characteristics of the originating zone, you can mark the policy thresholds as tuned (see the "Marking the Zone Policies as Tuned or Untuned" section on page 9-15).
• The MDM sets the value of the Activation Interface parameter of the new zone to Zone Name, regardless of the configuration of the source zone (see the "Modifying the Zone General Configuration Attributes" section).
To create a new zone from an existing zone, follow these steps:
Step 1
From the navigation pane, choose a zone that you want to use as a template for the new zone. The zone menu appears.
Step 2
From the zone menu, choose Main > Save as. The Save Zone As New Zone Form screen appears.
Step 3
In the Name field, enter a zone name.
The name is an alphanumeric string from 1 to 63 characters that begins with an alphabetic character. The string can contain underscores but cannot contain any spaces.
Step 4
From the Policy Threshold drop-down list, choose the policy threshold model to use. The MDM sets the policy threshold values to the model that you select, which by default is the current policy configuration. If previously recorded zone snapshots are available, the MDM adds them to the list of policy threshold model options.
Step 5
Click OK. The MDM performs these actions:
• Creates a new entry in its database that associates the zone with the devices that you specified in the zone configuration (the MDM does not save a copy of the zone configuration).
• Creates the new zone on the master device and then synchronizes the zone configuration with the other zone devices.
After creating a zone, you can perform the following optional zone configuration tasks:
• Add additional IP addresses to the zone configuration (see the "Adding an IP Address to the Zone" section).
• Modify the zone attributes, such as the protect-IP state, activation extent, or synchronization parameters (see the "Modifying the Zone General Configuration Attributes" section).
• (Recommended) Perform the learning process to adjust the policies to the characteristics of the zone's normal traffic (see Chapter 9, "Learning Zone Traffic and Taking Snapshots").
Modifying the Zone General Configuration Attributes
Each zone is configured with a set of general configuration attributes that you define as follows:
• General zone setup parameters, including:
– Template used to create the zone
– Protect-IP state
– Rate and burst limits
• Attack and termination parameters, including:
– Protection-end timer
– Thresholds for malicious-rate detection, malicious-rate termination, and filter-rate termination
• Activation parameters, including:
– Activation interface
– Activation extent
• Synchronization parameters, including:
– Synchronization before manual protection
– Synchronization after manual learning accepted
– Amount of time to wait after a configuration change before synchronizing
• Packet dump attributes—State of the packet dump feature (on or off)
When you create a zone using a zone template, these attributes are set to the default values of the template that you select. If you create the zone by creating a copy of an existing zone, the zone attributes are set to the values of the source zone configuration.
Not every zone attribute applies to every device type, and some apply only to the MDM itself, so each attribute is classified as one of the following types:
• Guard—Attributes that apply to Guards only. These zone attributes are not copied to any Detectors within the zone.
• Detector—Attributes that apply to Detectors only. These zone attributes are not copied to any Guards within the zone.
• Shared—Attributes that apply to both Guards and Detectors. These zone attributes are copied to the zone Guards and Detectors.
• MDM—Attributes that apply to the zone configuration on the MDM. These zone attributes are not copied to the zone Guards or Detectors.
To modify the zone attributes, follow these steps:
Step 1
From the navigation pane, choose a zone. The zone menu appears.
Step 2
From the zone menu, choose Configuration > General. The zone General screen appears.
Step 3
Click Config (located below the first table). The Config screen appears.
Step 4
(Optional) Configure the zone general attributes. Table 5-3 describes the fields in the general parameters section.
Table 5-3 General Parameters
Field: Description
Description: Text that describes the zone. Enter an alphanumeric string from 1 to 80 characters.
Attribute Type: Shared
Field: Operation mode
Description: Mode that defines how the Guard performs zone protection and the Detector performs zone anomaly detection. The operation modes are as follows:
• Automatic—After creating a dynamic filter, the device automatically activates the filter.
• Interactive—After creating a dynamic filter, the device groups the filter with other filters that it created and presents them as recommended actions. You decide whether to accept, ignore, or direct the recommendations to automatic activation.
Attribute Type: Shared
Field: Protect-IP state
Description: Guard-protection method that the Detector uses to activate the remote Guards associated with it. The Guard-protection method that you select can save Guard resources by allowing the Guard to focus on specific zone protection requirements.
The Protect-IP state can be one of the following:
• entire-zone—Activates the Guard to protect the entire zone.
• policy-type—Activates the Guard to protect the entire zone or to protect a particular IP address within the zone address range. The Detector activates the Guard based on the policy that caused the Detector to activate the Guard.
• dst-ip-by-name—Activates the Guard to protect a particular IP address when it detects an anomaly in the zone traffic that is destined to that IP address.
• dst-ip-by-ip—Activates the Guard to protect a specific IP address when it detects an anomaly in the zone traffic that is destined to the IP address. The IP address must be in the address range of a zone that you have defined on the Guard.
Attribute Type: Detector
Field: Max. Rate
Description: Amount of traffic that the Guard is allowed to inject back into the network. Enter an integer greater than 64 for the maximum rate, and then choose the unit of measurement from the drop-down list. The maximum rate limit can be up to 10 times greater than the burst limit (Burst).
Attribute Type: Guard
Field: Burst
Description: Highest traffic peak that the Guard is allowed to inject back into the network. Enter an integer greater than 64 for the burst size. The units are bits, kilobits, kilopackets, megabits, and packets, corresponding to the rate units specified by the maximum rate (Max. Rate) unit of measurement. The burst limit can be up to eight times greater than the maximum rate limit.
Attribute Type: Guard
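The Max. Rate and Burst rows of Table 5-3 constrain each other in both directions (rate at most 10 times the burst, burst at most 8 times the rate), and the comparison only makes sense once both values are expressed in a common unit. The checker below is an added example, not part of the MDM; the unit names and scale factors it uses are this example's assumption, chosen to match the burst units the table lists and the page's statement that the rate unit corresponds to them.

```python
# Assumed unit names and scale factors (not values from the MDM). Bit units
# and packet units are separate families: a rate in bits cannot be compared
# with a burst in packets.
UNITS = {
    "bits": (1, "bits"),
    "kilobits": (1_000, "bits"),
    "megabits": (1_000_000, "bits"),
    "packets": (1, "packets"),
    "kilopackets": (1_000, "packets"),
}


def check_rate_and_burst(max_rate, rate_unit, burst, burst_unit):
    """Return the list of Table 5-3 rules the Max. Rate/Burst pair violates.

    An empty list means the pair is acceptable. Both integers are checked as
    entered (the table requires each to be greater than 64), then both values
    are scaled to a common unit before the 10x and 8x limits are applied.
    """
    problems = []
    if max_rate <= 64:
        problems.append("Max. Rate must be an integer greater than 64")
    if burst <= 64:
        problems.append("Burst must be an integer greater than 64")
    rate_scale, rate_family = UNITS[rate_unit]
    burst_scale, burst_family = UNITS[burst_unit]
    if rate_family != burst_family:
        problems.append("Burst unit must correspond to the Max. Rate unit (bits vs. packets)")
        return problems
    rate = max_rate * rate_scale          # per second, in the base unit
    burst_size = burst * burst_scale      # peak, in the same base unit
    if rate > 10 * burst_size:
        problems.append("Max. Rate may be at most 10 times the Burst")
    if burst_size > 8 * rate:
        problems.append("Burst may be at most 8 times the Max. Rate")
    return problems


if __name__ == "__main__":
    # 100 megabits/s with a 100-kilobit burst: the rate is 1000x the burst.
    print(check_rate_and_burst(100, "megabits", 100, "kilobits"))
```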
Step 5
(Optional) Configure the attack detection/termination parameters. Table 5-4 describes the fields in the general details section.
Table 5-4 Attack Detection/Termination Parameters
Field: Malicious-rate detection threshold
Description: Minimum rate of zone packets that are dropped. If the rate goes lower than this threshold, the Guard may end zone protection. If the rate exceeds this threshold, the Guard identifies an attack on the zone and creates an attack report.
Attribute Type: Guard
Field: Protection-end Timer
Description: Inactivity timeout that the Guard uses to terminate zone protection when there is no attack on the zone. The Guard measures the inactivity based on the inactivity of the dynamic filters and the dropped traffic. Enter a value ranging from a number of seconds up to an unlimited amount of time.
Attribute Type: Guard
Field: Filter-rate termination threshold
Description: Threshold value. This value and the malicious-rate termination threshold specify when the Guard can deactivate dynamic filters. Define this threshold in packets per second (pps). See the "Managing a Dynamic Filter" section on page 10-8 for more information.
Attribute Type: Guard
Field: Malicious-rate termination threshold
Description: Threshold value. This value and the filter-rate termination threshold specify when the Guard can deactivate dynamic filters. Define this threshold in packets per second (pps). See the "Managing a Dynamic Filter" section on page 10-8 for more information.
Attribute Type: Guard
Step 6
(Optional) Configure the activation parameters. Table 5-5 describes the fields in the Activation Parameters section.
Table 5-5 Activation Parameters
Field: Activation interface
Description: Protection activation method that defines how the Guard identifies the zone for which it activates zone protection when it receives an external indication. This indication can be a command from an external device, such as a Detector, or traffic that is destined to the zone (packet). The activation method can be one of the following:
• Zone name—Activates zone protection based on the zone name. This is the default activation method.
To configure the activation method to zone name, uncheck both the By packet and the By IP address check boxes.
• By packet—Activates zone protection when it receives traffic that is destined to the zone.
To configure the activation method to by packet, check the By packet check box.
• By IP address—Activates zone protection when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone.
To configure the activation method to by IP address, check the By IP address check box.
• By IP Address or By Packet—Activates zone protection when it receives traffic (a packet) that is destined to the zone or when it receives a command from an external device, such as a Detector, that consists of an IP address or subnet that is part of the zone address range.
To configure the activation method to By IP Address or By Packet, check both the By IP address check box and the By packet check box.
When you configure the Activation Interface to By Packet or to By IP Address or By Packet, you must manually divert traffic to the Guard when the zone is attacked.
Attribute Type: Guard
Field: Activation extent
Description: Method that defines whether the Guard activates zone protection for the entire zone or for a part of the zone when the Guard receives an external indication to activate zone protection. The activation extent options are as follows:
• IP address only—Activate protection only for the specified IP address or subnet within the zone. This is the default setting.
• Entire zone—Activate protection for the entire zone.
Attribute Type: Guard
Step 7
(Optional) Configure the synchronization parameters that define when the master device synchronizes zone configuration information with the other zone devices. Enabling synchronization causes the zone configuration information on the zone devices to be overwritten by the configuration on the master device.
Table 5-6 describes the fields in the synchronization parameters section.
Table 5-6 Synchronization Parameters
Field: Immediate synchronization
Description: Defines which event causes the MDM to synchronize the zone configuration information on the master device with the other zone devices. The event can be one of the following:
• Before Manual Protection—Synchronizes the zone devices before activating the device to protect the zone.
• After Manual Learning Accept—Synchronizes the zone configuration each time that the results of the learning process (policy construction or threshold tuning) are accepted by you or automatically by the master device.
Check the check box next to each event that you want to use. By default, neither event is enabled.
Attribute Type: MDM
Field: Periodic synchronization time
Description: Defines the amount of time that the MDM waits after the zone configuration was changed before synchronizing the devices. The values are as follows:
• never—Enter this value to disable this function.
• minutes—Enter the number of minutes for the MDM to wait. There is no limit on the number of minutes that you can enter. The default is 5 minutes.
Attribute Type: MDM
Step 8
(Optional) Configure the packet dump parameters. The packet dump parameters enable the devices to record traffic directly from the network through nonintrusive taps and to create a database from the recorded traffic. By querying the recorded traffic database, you can analyze past events, generate signatures of an attack, or compare current network traffic patterns with traffic patterns that the devices recorded previously under normal traffic conditions.
To view the contents of the packet-dump or compare the contents of two packet dumps, you must use the Web-Based Manager (WBM) to log into the device that captured the traffic. See the appropriate documentation for more information and the "Obtaining Documentation, Obtaining Support, and Security Guidelines" section for a list of the related documentation.
Table 5-7 describes the fields in the packet dump parameters section.
Table 5-7 Packet Dump Parameters
Field: Auto Packet Dump
Description: Defines whether the automatic packet-dump feature is enabled or disabled on the devices.
Note When enabled, packet dumps are created on each of the devices and cannot be displayed or managed using the MDM.
Choose one of the following options:
• On—Enable the automatic packet dump
• Off—Disable the automatic packet dump
Type: Shared
Field: Max. disk space
Description: Maximum amount of disk space (in MB) that the device is to use for auto packet dumps.
Type: Shared
Step 9
Click OK. The MDM saves the zone configuration on the master device.
Step 10
(Optional) Synchronize the new information with the other zone devices by using one of the following methods:
• Manually, by choosing Activation > Sync from the zone menu.
• Automatically, according to how you configured the synchronization feature in the zone configuration.
Adding, Excluding, or Deleting a Zone IP Address
You define each zone with at least one IP address. Using MDM, you can add or delete a zone configuration IP address. If a zone configuration contains an IP address for a subnet, you can exclude specific IP addresses from within the subnet. Excluding an IP address removes the associated network element from the zone and the protection services of the associated Detector or Guard.
This section contains the following topics:
• Adding an IP Address to the Zone
• Excluding an IP Address from a Zone Subnet
• Deleting an IP Address from the Zone
• Updating the Zone Policies After Modifying the Zone IP Address Range
Adding an IP Address to the Zone
To add an IP address to the zone configuration, follow these steps:
Step 1
From the navigation pane, choose a zone. The zone menu appears.
Step 2
From the zone menu, choose Configuration > General. The zone General screen appears.
Step 3
In the zone IP Address table, click Add. The Add Zone IP screen appears.
Step 4
In the IP Address field, enter the IP address that you want to add. Enter the IP address in dotted-decimal notation (for example, 192.168.100.32).
Step 5
In the IP Mask field, enter the IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.224).
Step 6
Click OK. The MDM saves the information to the master device.
Step 7
(Optional) Repeat Steps 3 through 5 for each IP address that you want to add to a zone.
Step 8
Update the zone policies. See the "Updating the Zone Policies After Modifying the Zone IP Address Range" section for more information.
Excluding an IP Address from a Zone Subnet
If you configure the zone with a subnet IP address, you can exclude specific IP addresses from that subnet so that the associated network elements are not included as part of the zone IP address range.
To exclude an IP address from an IP address range, follow these steps:
Step 1
From the navigation pane, choose a zone. The zone menu appears.
Step 2
From the zone menu, choose Configuration > General. The zone General screen appears.
Step 3
In the zone IP Address table, click Add. The Add Zone IP screen appears.
Step 4
In the IP Address field, enter the IP address that you want to exclude. Enter the IP address in dotted-decimal notation (for example, 192.168.100.32).
Step 5
In the IP Mask field, enter the IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.224).
Step 6
Check the Exclude check box.
Step 7
Click OK. The MDM saves the information to the master device.
Step 8
(Optional) Repeat Steps 3 through 5 for each IP address that you want to exclude from the subnet.
Step 9
Update the zone policies. See the "Updating the Zone Policies After Modifying the Zone IP Address Range" section for more information.
Deleting an IP Address from the Zone
To delete an IP address from the zone IP address range, follow these steps:
Step 1
From the navigation pane, choose a zone. The zone menu appears.
Step 2
From the zone menu, choose Configuration > General. The zone General screen appears.
Step 3
Check the check box next to each IP address that you want to delete.
Step 4
Click Delete. The MDM saves the information to the master device.
Step 5
Update the zone policies. See the "Updating the Zone Policies After Modifying the Zone IP Address Range" section for more information.
Note
If you delete all of the IP addresses configured with the zone, the device cannot provide any protection services.
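As an added example that is not part of this guide, the following Python models the zone IP Address table semantics described in the three procedures above: included rows define the protected range, rows with the Exclude check box carve addresses out of an included subnet, and an empty table (every row deleted) protects nothing. ZONE_IP_TABLE and the function names are constructed for illustration and are not MDM APIs.

```python
import ipaddress

# Constructed model of the zone IP Address table: each row holds an IP
# address, a dotted-decimal subnet mask and the state of the Exclude check box.
ZONE_IP_TABLE = [
    {"ip": "192.168.100.0", "mask": "255.255.255.0", "exclude": False},
    {"ip": "192.168.100.32", "mask": "255.255.255.224", "exclude": True},
    {"ip": "10.1.1.7", "mask": "255.255.255.255", "exclude": False},
]


def row_to_network(row):
    """Turn one table row (address plus dotted-decimal mask) into a network.

    strict=False lets a host address entered with a subnet mask stand for
    its enclosing subnet, which is how the Add Zone IP screen is filled in.
    """
    return ipaddress.ip_network(f"{row['ip']}/{row['mask']}", strict=False)


def zone_includes(table):
    return [row_to_network(r) for r in table if not r["exclude"]]


def zone_excludes(table):
    return [row_to_network(r) for r in table if r["exclude"]]


def is_protected(address, table):
    """True if the address is inside the zone's protected range.

    An address is protected when it lies in at least one included subnet and
    in no excluded subnet. With no included rows nothing is protected, which
    is the situation the Note above warns about.
    """
    addr = ipaddress.ip_address(address)
    includes = zone_includes(table)
    if not includes:
        return False
    if any(addr in net for net in zone_excludes(table)):
        return False
    return any(addr in net for net in includes)


def protected_address_count(table):
    """Number of IPv4 addresses the table leaves under protection."""
    included = set()
    for net in zone_includes(table):
        included.update(int(a) for a in net)
    for net in zone_excludes(table):
        included.difference_update(int(a) for a in net)
    return len(included)
```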
Updating the Zone Policies After Modifying the Zone IP Address Range
If you modify the zone IP address or subnet, perform one of the following tasks:
•
If the new IP address or subnet consists of a new service that was not previously defined in the zone configuration, perform one of the following actions before activating zone anomaly detection or zone protection:
–
Activate the policy construction phase and accept the results of the phase (see the "Starting the Policy Construction Phase" section on page 9-7).
–
Add the service manually (see the "Adding or Deleting a Service" section on page 8-10).
•
If you made a modification while the device is performing the threshold tuning phase and actively detecting anomalies (Detector) or protecting the zone (Guard), mark the zone policies as untuned.
Caution 
Do not mark the policies as untuned if the zone is currently under attack. If you change the zone policies status to untuned during an attack, the devices cannot detect the attack and will learn the thresholds of malicious traffic.
See the "Marking the Zone Policies as Tuned or Untuned" section on page 9-15.
•
If the device was not performing the threshold tuning phase and actively detecting anomalies (Detector) or protecting the zone (Guard) when you made the modification, and you do not plan to activate these functions, activate the threshold tuning phase and accept the results of the phase before you activate zone protection or zone anomaly detection. See the "Starting the Threshold Tuning Phase" section on page 9-9 for more information.
After you update the zone policies on the master device using one of the methods in this section, the MDM updates the zone devices with the new configuration information if you enable synchronization in the zone configuration (see the "Modifying the Zone General Configuration Attributes" section). To manually synchronize the zone configuration information, choose Activation > Sync from the zone menu.
Managing a Zone Device
With the exception of the zone master device, you can add or delete a device from a zone configuration. You manage the zone devices from the Device List table on the zone General Configuration screen. For a complete description of the information that the Device List table provides, see the "Displaying the Device Status and Device-Specific Counter Information" section on page 11-13.
This section contains the following topics:
•
Adding a Device to the Zone Device List
•
Deleting a Device from the Zone Device List
Adding a Device to the Zone Device List
To add a device to the zone configuration, follow these steps:
Step 1
From the navigation pane, choose a zone. The zone menu appears.
Step 2
From the zone menu, choose Configuration > General. The zone General Configuration screen appears.
Step 3
From the Device List table, click Add. The Add Device to Zone screen appears, displaying the devices you have defined on the MDM device list. See Table 5-2 for a description of the fields in the Add Device to Zone screen.
Step 4
Verify that the memory usage (statistical anomaly engine memory usage) of the device that you want to add is lower than 90 percent if you plan to immediately activate the device.
The memory usage of the device is affected by the number of active zones associated with the device and the number of services that each of the associated zones monitors. If the memory usage for a Guard is higher than 90 percent and you plan to immediately activate zone protection, we recommend that you reduce the memory usage before you associate the device with the zone. You can reduce Guard memory usage by deactivating other zones associated with the device.
Step 5
Check the check box next to the device to add to the zone device list. To add all the devices in the table, check the check box in the table header.
Step 6
Click Add (located below the table). The MDM modifies its database to show an association between the device and the zone. The MDM also pushes the zone configuration out to the new device.
Deleting a Device from the Zone Device List
Caution 
When you delete a device from the zone device list, the device cannot provide protection services for the zone.
To delete a device from the zone device list, follow these steps:
Step 1
From the navigation pane, choose a zone. The zone menu appears.
Step 2
From the zone menu, choose Configuration > General. The zone General screen appears.
Step 3
In the Devices and Master table, check the check box next to each device that you want to delete.
Step 4
Click Delete (located below the table). The MDM modifies its database to remove the association between the device and the zone. The MDM also removes the zone configuration from the device.
Deleting a Zone
Caution 
When you delete a zone, the devices associated with the zone cannot provide protection services for the defined network.
To delete one or more zones, follow these steps:
Step 1
From the navigation pane, click Network Summary. The Network Summary menu appears.
Step 2
From the Network Summary menu, choose Zones > Zone list. The Zone list screen appears.
Step 3
Check the check box next to each zone that you want to delete. To select all the zones, check the check box in the header (next to Zone). The Validation Form screen appears.
Step 4
Click OK. The MDM removes the zone configuration from the master device and all of the other devices that you had associated with the zone.