Configuring the Illegal Zone
To configure the illegal zone for anomaly detection, follow these steps:
Step 1 Log in to the IDM using an account with administrator or operator privileges.
Step 2 Choose Configuration > Policies > Anomaly Detections > ad0 > Illegal Zone.
Step 3 Click the General tab.
Step 4 To enable the illegal zone, check the Enable the Illegal Zone check box.
Note You must check the Enable the Illegal Zone check box or any protocols that you configure will be ignored.
Step 5 In the Service Subnets field, enter the subnets to which you want the illegal zone to apply. The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
Step 6 To configure TCP protocol, click the TCP Protocol tab.
Step 7 To enable TCP protocol, check the Enable the TCP Protocol check box.
Note You must check the Enable the TCP Protocol check box or the TCP protocol configuration will be ignored.
Step 8 Click the Destination Port Map tab, and then click Add to add a destination port.
Step 9 In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 10 To enable the service on that port, check the Enable the Service check box.
Step 11 To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 12 To add a histogram for the new scanner settings, click Add.
Step 13 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 14 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 15 Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 16 Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 17 To edit the destination port map, select it in the list, and click Edit.
Step 18 Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 19 To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 20 To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 21 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 22 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 23 To configure UDP protocol, click the UDP Protocol tab.
Step 24 To enable UDP protocol, check the Enable the UDP Protocol check box.
Note You must check the Enable the UDP Protocol check box or the UDP protocol configuration will be ignored.
Step 25 Click the Destination Port Map tab, and then click Add to add a destination port.
Step 26 In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 27 To enable the service on that port, check the Enable the Service check box.
Step 28 To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 29 To add a histogram for the new scanner settings, click Add.
Step 30 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 31 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 32 Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 33 Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 34 To edit the destination port map, select it in the list, and click Edit.
Step 35 Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 36 To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 37 To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 38 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 39 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
The edited threshold histogram appears in the list on the Default Thresholds tab.
Step 40 To configure Other protocols, click the Other Protocols tab.
Step 41 To enable other protocols, check the Enable Other Protocols check box.
Note You must check the Enable Other Protocols check box or the other protocols configuration will be ignored.
Step 42 Click the Protocol Number Map tab, and then click Add to add a protocol number.
Step 43 In the Protocol Number field, enter the protocol number. The valid range is 0 to 255.
Step 44 To enable the service of that protocol, check the Enable the Service check box.
Step 45 To override the scanner values for that protocol, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 46 To add a histogram for the new scanner settings, click Add.
Step 47 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 48 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 49 Click OK. The new scanner setting appears in the list in the Add Protocol Number dialog box.
Tip To discard your changes and close the Add Protocol Number dialog box, click Cancel.
Step 50 Click OK. The new protocol number map appears in the list on the Protocol Number Map tab.
Step 51 To edit the protocol number map, select it in the list, and click Edit.
Step 52 Make any changes to the fields and click OK. The edited protocol number map appears in the list on the Protocol Number Map tab.
Step 53 To delete a protocol number map, select it, and click Delete. The protocol number map no longer appears in the list on the Protocol Number Map tab.
Step 54 To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 55 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 56 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Tip To discard your changes, click Reset.
Step 57 Click Apply to apply your changes and save the revised configuration.
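Before entering values in IDM, a planned illegal zone can be checked offline against the formats and ranges given in the steps above, including the case the notes warn about, where entries sit under an unchecked Enable box and are ignored. This is an added example, not Cisco code; the plan dictionary layout, the function names, and the sample values are assumptions made for illustration.

```python
import ipaddress

DEST_LEVELS = ("High", "Medium", "Low")                      # drop-down values
NUMBER_LIMIT = {"tcp": 65535, "udp": 65535, "other": 255}    # port / protocol number ranges

def parse_service_subnets(text):
    """Parse '10.10.5.5,10.10.2.1-10.10.2.30' into (first, last) address pairs."""
    ranges = []
    for item in text.split(","):
        first, dash, last = item.strip().partition("-")
        start = ipaddress.IPv4Address(first.strip())         # ValueError if malformed
        end = ipaddress.IPv4Address(last.strip()) if dash else start
        if end < start:
            raise ValueError(f"reversed range {item.strip()!r}")
        ranges.append((start, end))
    return ranges

def validate_plan(plan):
    """Return a list of problems found in a planned illegal zone configuration."""
    problems = []
    try:
        parse_service_subnets(plan.get("service_subnets", ""))
    except ValueError as exc:
        problems.append(f"service subnets: {exc}")
    for proto, limit in NUMBER_LIMIT.items():
        section = plan.get(proto, {})
        entries = section.get("entries", {})
        # Per the notes: settings under an unchecked Enable box are ignored.
        if entries and not (plan.get("zone_enabled") and section.get("enabled")):
            problems.append(f"{proto}: entries configured but not enabled, will be ignored")
        for number, histogram in entries.items():
            if not 0 <= number <= limit:
                problems.append(f"{proto} {number}: outside 0-{limit}")
            # Histogram: destination level -> number of source IP addresses (0 to 4096).
            for level, sources in histogram.items():
                if level not in DEST_LEVELS or not 0 <= sources <= 4096:
                    problems.append(f"{proto} {number}: bad histogram {level}={sources}")
    return problems

# Constructed sample plan (not from the page) with three deliberate mistakes.
SAMPLE_PLAN = {
    "zone_enabled": True,
    "service_subnets": "10.10.5.5,10.10.2.1-10.10.2.30",
    "tcp": {"enabled": True, "entries": {445: {"Low": 10, "High": 5000}}},
    "udp": {"enabled": False, "entries": {53: {"Medium": 3}}},
    "other": {"enabled": True, "entries": {300: {}}},
}

if __name__ == "__main__":
    print("\n".join(validate_plan(SAMPLE_PLAN)))
```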