Cisco Anomaly Guard Module Configuration Guide (Software Version 6.0)
Learning the Zone Traffic Characteristics

Table Of Contents

Learning the Zone Traffic Characteristics

Understanding the Learning Process and Related Options

Understanding the Phases of the Learning Process

Verifying the Results of the Learning Process

Understanding the Protect and Learn Function

Synchronizing the Zone Learning Process Results with a Detector

Activating the Policy Construction Phase

Activating the Threshold Tuning Phase

Configuring Learning Parameters

Configuring Periodic Actions

Configuring the Threshold Selection Method

Marking the Policies as Tuned

Enabling the Protect and Learn Function

Using Snapshots to Verify the Results of the Learning Process

Creating Snapshots

Comparing Learning Results

Comparing Snapshots

Comparing Zones

Displaying Snapshots

Deleting Snapshots

Copying Policies to the Zone Configuration

Backing Up the Zone Policies


Learning the Zone Traffic Characteristics


This chapter describes how to use the Cisco Anomaly Guard Module (Guard module) learning process to analyze zone traffic characteristics to create and tune the policies that the Guard module uses for zone protection.

This chapter refers to the Cisco Detector (Detector), the companion product of the Guard. The Detector is a Distributed Denial of Service (DDoS) attack detection device that analyzes a copy of the zone traffic. The Detector can activate the Guard attack mitigation services when the Detector determines that the zone is under attack. The Detector can also synchronize zone configurations with the Guard. For more information about the Detector, see the Cisco Traffic Anomaly Detector Module Configuration Guide and Cisco Traffic Anomaly Detector Configuration Guide.

This chapter contains the following topics:

Understanding the Learning Process and Related Options

Activating the Policy Construction Phase

Activating the Threshold Tuning Phase

Configuring Learning Parameters

Enabling the Protect and Learn Function

Using Snapshots to Verify the Results of the Learning Process

Backing Up the Zone Policies

Understanding the Learning Process and Related Options

The learning process allows the Guard module to analyze normal zone traffic conditions to establish a baseline for determining when traffic is normal and when traffic contains anomalies that indicate an attack on the zone. During the learning process, the Guard module creates new zone policies and modifies the policy thresholds based on the normal traffic patterns to produce the reference baseline.

To learn the zone traffic characteristics, the Guard module analyzes zone traffic that is diverted from its normal network path to Guard module. As the Guard module analyzes the traffic, it injects the traffic back into the network. You must configure traffic diversion before initiating the learning process or divert the zone traffic to the Guard module manually using an external device. You can configure zone traffic diversion using the routing configuration of the Guard module. See Chapter 5, "Configuring Traffic Diversion" for more information.


Note During the learning process, the Guard module drops packets if one of the following fields in the packet equals zero: source IP address, protocol number, UDP source or destination port, and TCP source or destination port.


If there is an attack on the zone before the learning process has been completed, use on-demand protection to protect the zone if one of the following conditions apply:

The Guard module is in the process of learning the zone traffic.

You enabled the protect and learn function but the Guard module has not learned the zone traffic characteristics (see "Understanding the Protect and Learn Function" section on page 1-6).

You have accepted policy thresholds that no longer represent the zone traffic.

For more information about on-demand protection, see the "Activating On-Demand Protection" section on page 10-3.

You can enter learning-related commands for several zones at the same time. Enter the command in global mode and use an asterisk (*) as a wildcard. For example, to initiate the policy construction phase for all zones, enter the learning policy-construction * command in global mode. To accept the results of the policy construction phase for all Guard module zones with names that begin with scan (such as scannet and scanserver), enter the no learning scan* accept command in global mode.

This section contains the following topics:

Understanding the Phases of the Learning Process

Verifying the Results of the Learning Process

Understanding the Protect and Learn Function

Synchronizing the Zone Learning Process Results with a Detector

Understanding the Phases of the Learning Process

The learning process consists of these two phases:

Policy Construction—The Guard module uses the zone configuration's policy templates to create new policies for the services that it detects in the zone traffic. The new policies override the existing policies.

The policy templates define the types of zone policies that the Guard module creates, the maximum number of services that the Guard module monitors closely, and the minimum threshold that triggers the Guard module to create new policies. To change the rules for constructing zone policies, you must change the policy template parameters before you initiate the policy construction phase. See Chapter 8, "Configuring Policy Templates and Policies," for more information.


Note You cannot perform the policy construction phase for zones that you created using the GUARD_LINK zone templates.


For more information about using the policy construction phase, see the "Activating the Policy Construction Phase" section.

Threshold Tuning—The Guard module tunes the thresholds of the zone policies to the traffic rates of the zone services. The new thresholds override the existing thresholds.

You can activate the threshold tuning phase and activate zone protection simultaneously (the protect and learn function) to prevent the Guard module from learning malicious traffic thresholds. You can enable the Guard module to constantly tune the zone policies and define the intervals in which the Guard module updates the policy thresholds.


Note When you activate the protect and learn function, the Guard module constantly diverts the zone traffic to itself.


For information about using the threshold tuning phase, see the "Activating the Threshold Tuning Phase" section.

During both phases of the learning process, the Guard module does not modify the current zone policies until the results of a learning phase are accepted as follows:

Manually—You accept the results of a learning phase.

Automatically—You configure the Guard module to automatically accept the learning phase results.

After the policies are created, you can add and delete policies or change policy parameters such as thresholds, services, timeouts, and actions.

Verifying the Results of the Learning Process

You can save the current results of either learning phase at any stage during the learning process and review them later by using the snapshot command. Taking a snapshot of the learning process allows you to view the policy information that the Guard module has created up to the point of the snapshot and decide whether or not to accept the results of the learning process. Saving the results of the learning phase in a snapshot does not affect the zone configuration. You can update the zone configuration with the policy information in a snapshot.

For more information about using the snapshot command, see the "Creating Snapshots" section.

Understanding the Protect and Learn Function

After the Guard module has performed the policy construction phase, you can activate the threshold tuning phase of the learning process and enable zone protection simultaneously using the protect and learn function. The Guard module tunes the policy thresholds while monitoring the traffic for anomalies using the last saved policy thresholds. The protect and learn function enables the Guard module to protect the zone, constantly update the policy thresholds based on the zone traffic characteristics, and prevents the Guard module from learning malicious traffic thresholds.

Before you activate the protect and learn function, you can configure when and how the Guard module accepts the results of the threshold tuning phase by configuring the learning parameters.

See the "Enabling the Protect and Learn Function" section for more information.

Synchronizing the Zone Learning Process Results with a Detector

You can configure a Detector to perform threshold tuning and to update the corresponding zone configuration on the Guard module using a process called zone synchronization. For example, when you enable the detect and learn function on the Detector and it detects an anomaly, it stops the learning process, updates the Guard module with the latest zone configuration using zone synchronization, and then activates the Guard module's attack mitigation services. Zone synchronization enables you to use the Detector to continuously adjust the zone policy thresholds to changes in the traffic for both the Detector and the Guard module. Because the Detector analyzes a copy of the zone traffic, you avoid having to constantly divert the zone traffic to the Guard module for the learning process.


Note You configure zone synchronization on the Detector only. See the Cisco Traffic Anomaly Detector Module Configuration Guide or the Cisco Traffic Anomaly Detector Configuration Guide for more information.


To synchronize the Detector learning process results with the Guard module, you must perform the following tasks:

1. Add the Guard module to a remote Guard list on the Detector and define the communication method as Secure Sockets Layer (SSL).

2. Establish an SSL communication channel with the Detector module. See the "Configuring the SSL Communication Channel Parameters" section on page 4-17.

3. Create the zone on the Detector using a Guard zone template. You can synchronize the zone configuration with the Detector module manually or configure the Detector to synchronize the zone configuration with the Guard module automatically. See the "Synchronizing a Guard Module with a Detector Zone Configuration" section on page 6-8 for more information.

Activating the Policy Construction Phase

Use the policy construction phase of the learning process after creating a new zone or any time that the zone configuration needs updating with new service policies. When you enable the policy construction phase, the Guard module diverts the zone traffic from the traffic's normal network path so that the traffic flows through the Guard module, enabling it to discover the main services (ports and protocols) that the zone uses. The Guard module creates the zone policies using the rules established by the policy templates.


Note You can reconfigure the policy construction rules by modifying the policy templates before you initiate the policy construction phase. For example, you can prevent the Guard module from creating policies of a certain type by disabling the relevant policy template. You can also modify the default values for the policy parameters (timeout, action, and threshold). See Chapter 8, "Configuring Policy Templates and Policies" for information.


The new policies that the Guard module creates during the policy construction phase replace the existing policies when you accept the results of the phase.


Note You cannot perform the policy construction phase of the learning process for zones that are based on these bandwidth-limited link zone templates: GUARD_LINK_128K, GUARD_LINK_1M, GUARD_LINK_4M, and GUARD_LINK_512K.



Caution Before you activate the policy construction phase, make sure that no attack on the zone is in progress so that the Guard does not construct the policies based on the traffic characteristics of a DDoS attack. If you allow the Guard module to learn the traffic characteristics of a DDoS attack and save the results of the attack as the reference baseline, you may prevent the Guard module from detecting future attacks because the Guard module may view the attack traffic as normal traffic.

To enable the policy construction phase of the learning process and construct the zone policies, perform the following steps:


Step 1 Activate the policy construction phase by entering the following command in zone configuration mode:

learning policy-construction

Step 2 Check that the Guard module is diverting the zone traffic. Wait at least 10 seconds after initiating policy construction or threshold tuning and enter the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a traffic diversion problem.

Step 3 (Optional) Display the policies that the Guard module is constructing.

You can save a snapshot of the learning parameters (services, thresholds, and other policy-related data) by using the snapshot command at any stage during the policy construction phase, and review it later. You can save a single snapshot or save a periodic snapshot at specified intervals. For more information, see the "Backing Up the Policy Configuration" section on page 8-24.

Step 4 (Optional) After you have run the policy construction phase long enough for the Guard module to analyze a complete sample of the network traffic, you can accept the policies that the Guard module suggested without stopping the policy construction phase. You can accept the policies once, or define that the Guard module automatically accept the suggested policies at specified intervals. You can ensure that the zone has the most updated policies and continues to learn the zone traffic.

To accept the policies that the Guard module suggested and continue the policy construction phase, use the following command:

learning accept

To automatically accept the policies that the Guard module suggests at specified intervals, use the following command:

learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutes

See the "Configuring Learning Parameters" section for more information.

Use the no learning-params periodic-action command to terminate the periodic action.

Step 5 After allowing the Guard module enough time to analyze a complete sample of the network traffic, terminate the policy construction phase and accept or reject the current suggested policies.


Note We recommend that you let the policy construction phase continue for at least 2 hours before terminating it to allow the Guard module enough time to discover the main services (ports and protocols) that the zone uses.


You can perform one of the following actions:

Accept the suggested policies—Terminate the policy construction phase and accept the policies that the Guard module suggests by entering the following command in zone configuration mode:

no learning accept

The Guard module replaces any previously learned policies and thresholds with the new policies, which it configures with default threshold values.

After accepting the newly constructed policies, you can manually add or remove policies. See Chapter 8, "Configuring Policy Templates and Policies," for more information.

Reject the suggested policies—Terminate the policy construction phase and reject the policies that the Guard module suggests by entering the following command in zone configuration mode:

no learning reject

The Guard module stops the policy construction phase and makes no changes to the current policies. The policies of the zone are the policies that the Guard module had prior to initiating the learning process or prior to the last time that you accepted the results of the policy construction phase.


After performing the policy construction phase, enable the threshold tuning phase to tune the thresholds of each policy (see the "Activating the Threshold Tuning Phase" section).

The following example shows how to initiate the policy construction phase and accept the suggested policies at 12-hour intervals. The example also shows how to stop the policy construction phase and accept the suggested policies.

user@GUARD-conf-zone-scannet# learning policy-construction
user@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 12 0
user@GUARD-conf-zone-scannet# no learning accept

Activating the Threshold Tuning Phase

Use the threshold tuning phase to enable the Guard module to analyze the zone traffic and define thresholds for the zone policies. We recommend that you run the threshold tuning phase during peak traffic time (the busiest part of the day) for a minimum of 24 hours to allow the Guard module enough time to properly tune the policy thresholds. However, if the Guard module is constantly diverting the zone traffic, you should keep the protect and learn function active and do not terminate the threshold tuning phase.


Note The following procedure includes the command for enabling the protect and learn function which enables the Guard module to perform threshold tuning and zone protection simultaneously. We recommend that you enable the protect and learn function when you need to perform the threshold tuning phase (see the "Understanding the Protect and Learn Function" section).


To activate the threshold tuning phase of the learning process, perform the following steps:


Step 1 Initiate the threshold tuning phase by entering one of the following commands in zone configuration mode:

learning threshold-tuning—Enables the threshold tuning phase only.

protect learning—Enables the protect and learn function in which the threshold tuning phase and zone protection perform simultaneously. You can also activate the protect and learn function by entering the learning threshold-tuning command and the protect command (the order is not important).


Note If you activate the protect and learn function when traffic to the zone is moderate, the Guard module may consider the traffic during peak time as an attack. In this case, you can perform one of the following tasks:

Set the state of the zone policy thresholds to untuned by entering the no learning-params threshold-tuned command in zone configuration mode. See the "Marking the Policies as Tuned" section for more information.

Deactivate zone protection and continue to learn the zone policy thresholds by entering the no protect command in zone configuration mode.


Step 2 Verify that the Guard module is diverting the zone traffic. Wait at least 10 seconds after initiating the threshold tuning phase and enter the show rates details command. Verify that the value of the Received traffic rate is greater than zero. A value of zero indicates a diversion problem.

Step 3 (Optional) Display the zone policies that the Guard module is tuning by using the snapshot command (see the "Using Snapshots to Verify the Results of the Learning Process" section).

Step 4 Accept the suggested thresholds. You can accept the thresholds that the Guard module currently suggests and continue the threshold tuning phase, or configure the Guard module to automatically accept the suggested thresholds at specified intervals to ensure that the zone has the most updated thresholds and continues to learn the zone traffic.

To accept the current thresholds that the Guard module suggests and continue the threshold tuning phase, use the following command:

learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]

See Table 9-2 for a description of the threshold-selection arguments and keywords.

To automatically accept the thresholds that the Guard module suggests at specified intervals, use the following command:

learning-params periodic-action auto-accept learn_params_days learn_params_hours learn_params_minutes

See the "Configuring Learning Parameters" section for more information.

Use the no learning-params periodic-action command to terminate the periodic action.

Step 5 Terminate the threshold tuning phase and accept or reject the current suggested thresholds after allowing the Guard module enough time to properly tune the policy thresholds.


Note If you have the protect and learn function enabled, we recommend that you do not terminate the threshold tuning phase.


Perform one of the following actions:

Accept the current suggested thresholds—Terminate the learning process and accept the policy thresholds that the Guard module suggests by entering the following command in zone configuration mode:

no learning accept [threshold-selection {new-thresholds | max-thresholds | weighted weight}]

See Table 9-2 for a description of the threshold-selection arguments and keywords.

The Guard module replaces the previously learned thresholds with the new thresholds. After accepting the newly tuned policies, you can manually change the policy parameters. See Chapter 8, "Configuring Policy Templates and Policies" for more information.

Reject the current suggested thresholds—Terminate the learning process and reject the policy thresholds that the Guard module suggests by entering one of the following commands in zone configuration mode:

no learning reject

The Guard module stops tuning the thresholds and makes no changes to the current thresholds. This process may result in a situation in which new zone policies have thresholds that were obtained based on past traffic characteristics. We recommend that you enable the threshold tuning phase at a later time or that you configure the thresholds manually.

deactivate

If you have the protect and learn function enabled, use the deactivate command to terminate zone protection and the threshold tuning phase without saving the current suggested thresholds.


The following example shows how to initiate the threshold tuning phase and accept the suggested policies at 1-hour intervals. The Guard module then stops the threshold tuning phase and accepts the suggested policies if the threshold values are higher than the current values (the max-thresholds method).

user@GUARD-conf-zone-scannet# learning threshold-tuning
user@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0
user@GUARD-conf-zone-scannet# no learning accept threshold-selection max-thresholds

After performing the threshold tuning phase, you can perform the following tasks:

Display the learning process results—Use the show policies statistics command to view the results of the threshold tuning phase. See the "Displaying Policies" section on page 8-21.

Modify the learning process results—Change policy parameter values that may not accurately represent normal traffic characteristics. See the "Configuring Policy Parameters" section on page 8-12 for more information.

Set the policy threshold as fixed—The next time you enable the threshold tuning phase, the Guard module ignores new thresholds and maintains the current ones. See the "Setting the Threshold as Fixed" section on page 8-15 for more information.

Set a fixed multiplier for the policy—The next time you enable the threshold tuning phase, the Guard module calculates new policy thresholds by multiplying the learned threshold by the specified multiplier and then applying the threshold selection method on the result. See the "Configuring a Threshold Multiplier" section on page 8-15 for more information.

Configuring Learning Parameters

This section shows how to configure the learning parameters to manage the following functions that affect all of the zone policies:

Periodic Guard module actions—Configure the Guard module to automatically accept the zone policies and save a snapshot of the zone policies at specified intervals.

Threshold selection method—Configure the default method that the Guard module uses to generate new policy thresholds after it accepts the results of the threshold tuning phase.

Tuned state of the zone policies—Set the state of the current zone policies to tuned or untuned.

To display the current configuration of the learning parameters, use the show learning-params command in zone configuration mode.

This section contains the following topics:

Configuring Periodic Actions

Configuring the Threshold Selection Method

Marking the Policies as Tuned

Configuring Periodic Actions

You can configure the Guard module to perform one of the following actions at specified intervals:

Automatically accept the zone policies and save a snapshot of the policies

Save a snapshot of the zone policies only

See the "Verifying the Results of the Learning Process" section for more information about snapshots.

To set the periodic action that the Guard module performs, use the following command in zone configuration mode:

learning-params periodic-action {auto-accept | snapshot-only} learn_params_days learn_params_hours learn_params_minutes

Table 9-1 provides the arguments and keywords for the learning-params command.

Table 9-1 Arguments and Keywords for the learning-params periodic-action Command 

Parameter
Description

auto-accept

Accepts the policies that the Guard module suggested at the specified interval. The Guard module saves a snapshot of the zone policies after accepting the newly suggested ones.

snapshot-only

Saves a snapshot of the policies at the specified interval. The Guard module does not accept the new policies and does not modify the policy thresholds.

learn_params_days

Interval in days. Enter an integer from 0 to 1000.

learn_params_hours

Interval in hours. Enter an integer from 0 to 1000.

learn_params_minutes

Interval in minutes. Enter an integer from 0 to 1000.


The value of the interval is the sum of the learn_params_days value, the learn_params_hours value, and the learn_params_minutes value.

To display the current periodic action that you have configured for the zone, use the show learning-params command in zone configuration mode.

The following example shows how to set the Guard module to accept the policies at 1-hour intervals:

user@GUARD-conf-zone-scannet# learning-params periodic-action auto-accept 0 1 0

Configuring the Threshold Selection Method

You can define the default method that the Guard module uses to generate new thresholds to accept during the threshold tuning phase. You can accept the results of the threshold tuning phase manually or configure the Guard module to automatically accept the results of the threshold tuning phase at specified intervals.

To configure the threshold selection method, use the following command in zone configuration mode:

learning-params threshold-selection {new-thresholds | max-thresholds | weighted weight}

Table 9-2 provides the arguments and keywords for the learning-params threshold-selection command.

Table 9-2 Arguments and Keywords for the learning-params threshold-selection Command 

Parameter
Description

new-thresholds

Saves the results of the learning process to the zone configuration.

max-thresholds

Compares the current policy threshold to the learned threshold and saves the higher threshold to the zone configuration. This method is the default.

weighted weight

Calculates the policy thresholds to save based on the following formula:

new-threshold = (learned-threshold * weight + current-threshold * (100 - weight)) / 100


To display the current threshold selection method that you have configured for the zone, use the show learning-params command in zone configuration mode.

This example shows how to configure the Guard module to accept the suggested policies if the learned threshold values are higher than the current policy threshold values:

user@GUARD-conf-zone-scannet# learning-params threshold-selection max-thresholds
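The following worked example is added here and is not code from the Cisco guide. It models, in plain Python, how this chapter describes a new threshold being chosen when tuning results are accepted: the three threshold-selection methods of Table 9-2, the per-policy fixed and multiplier settings listed after the threshold tuning procedure, and the rule from the "Marking the Policies as Tuned" section that untuned policies take the learned values on the first accept and are then marked tuned. The policy names, sample rates, and the Policy and Zone classes are constructed for the example.

```python
"""Model of the Guard module's threshold selection when tuning results are accepted.

Added worked example, not code from the Cisco guide. Policy names and rates
are constructed. Methods modelled from Table 9-2:
  new-thresholds  the learned value replaces the current one
  max-thresholds  the higher of current and learned is kept (the default)
  weighted W      (learned * W + current * (100 - W)) / 100
"""
from dataclasses import dataclass

VALID_METHODS = ("new-thresholds", "max-thresholds", "weighted")


@dataclass
class Policy:
    """One zone policy threshold with the two per-policy tuning modifiers."""
    threshold: float
    fixed: bool = False       # "Setting the Threshold as Fixed": learned value ignored
    multiplier: float = 1.0   # "Configuring a Threshold Multiplier": scales learned value


@dataclass
class Zone:
    """Learning parameters that apply to all policies of the zone (constructed)."""
    policies: dict
    method: str = "max-thresholds"   # learning-params threshold-selection
    weight: int = 0                  # percentage used by the weighted method
    tuned: bool = False              # learning-params threshold-tuned


def select_threshold(method, current, learned, weight=0):
    """Apply one threshold selection method to a single policy value."""
    if method == "new-thresholds":
        return learned
    if method == "max-thresholds":
        return max(current, learned)
    if method == "weighted":
        if not 0 <= weight <= 100:
            raise ValueError("weight must be a percentage from 0 to 100")
        return (learned * weight + current * (100 - weight)) / 100
    raise ValueError(f"unknown threshold selection method: {method}")


def accept_tuning_results(zone, learned, method=None, weight=None):
    """Fold learned thresholds into the zone, as 'learning accept' does.

    method/weight override the zone defaults, mirroring the optional
    threshold-selection keyword on the learning accept command. Returns the
    method actually applied so a caller can observe the untuned override.
    """
    method = method or zone.method
    weight = zone.weight if weight is None else weight
    if method not in VALID_METHODS:
        raise ValueError(f"unknown threshold selection method: {method}")
    if not zone.tuned:
        # Untuned policies still carry template defaults, so the guide has the
        # first accept take the learned values outright (new-thresholds) no
        # matter which method is configured; the policies are then marked tuned.
        method = "new-thresholds"
    for name, learned_value in learned.items():
        policy = zone.policies.get(name)
        if policy is None or policy.fixed:
            continue  # unknown service, or the operator pinned this threshold
        candidate = learned_value * policy.multiplier  # multiplier applies first
        policy.threshold = select_threshold(method, policy.threshold, candidate, weight)
    zone.tuned = True
    return method


if __name__ == "__main__":
    zone = Zone(
        policies={
            "tcp/80": Policy(1000),                  # template default, too high
            "udp/53": Policy(500, fixed=True),       # operator-fixed threshold
            "tcp/443": Policy(200, multiplier=2.0),  # learned rate doubled
        },
        method="max-thresholds",
    )
    learned = {"tcp/80": 700, "udp/53": 900, "tcp/443": 300}
    print("first accept used", accept_tuning_results(zone, learned))
    print({n: p.threshold for n, p in zone.policies.items()})
    print("second accept used", accept_tuning_results(zone, {"tcp/80": 650}))
    print({n: p.threshold for n, p in zone.policies.items()})
```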

Marking the Policies as Tuned

The tuned state of the zone policies refers to whether the policies are marked as tuned or untuned. The Guard module marks the policies of a zone untuned after you perform one of the following actions because the policy thresholds may not be configured specifically for the zone traffic:

Create a new zone using a zone template—The zone template configures the zone with default policies and policy thresholds which are set to values that allow the Guard module to activate the anti-spoofing functions quickly if it identifies a traffic anomaly in the zone traffic.

Create a new zone by copying an existing zone—The new zone contains the same policies and policy thresholds of the zone that you copied.

Enable the policy construction phase on an existing zone—The policy templates that create the new policies configure the policies with default threshold values.

The tuned state of the zone policies affects the Guard module's ability to protect the zone when you enable the protect and learn function (see the "Understanding the Protect and Learn Function" section) as follows:

Tuned policies—The Guard module can immediately detect attacks on the zone while performing the threshold tuning phase.

Untuned policies—The Guard module cannot detect attacks on the zone until after the first time that you accept the results of the threshold tuning phase, at which time the Guard module marks the policies tuned. This behavior prevents a situation in which the default thresholds may be set too low for normal traffic volume and cause the Guard module to stop the learning portion of the protect and learn function because it believes that the zone is under attack.

To display the current tuned state of the zone policies before you enable the protect and learn function, use the show learning-params command in zone configuration mode.

If the zone policies are untuned when you enable the protect and learn function, the Guard module activates a threshold selection method of accept-new even if you have the threshold selection method configured for max-threshold or weighted. After the first time that you accept the learning phase results, the Guard module uses the threshold selection method that you have configured. See the "Configuring the Threshold Selection Method" section for more information on the threshold selection method.

You can manually change the tuned state of the zone policies and may want to change the status of the zone policies to tuned when one of the following conditions applies:

The new zone was duplicated from an existing zone or snapshot that has similar traffic characteristics.

You have manually configured all policy thresholds.

You may want to change the status of the zone policies to untuned when one of the following conditions applies:

A major change was made in the zone network.

The zone IP address or subnet was modified.

You have not initiated the protect and learn function during the peak traffic time. Change the status of the zone policies to untuned to prevent the Guard module from identifying the traffic during the peak time as an attack.

To mark the zone policies as tuned, use the following command in zone configuration mode:

learning-params threshold-tuned

To mark the zone policies as untuned, use the no form of this command.


Caution Do not change the status of the zone policies to untuned if there is an attack on the zone because that prevents the Guard module from detecting the attack and causes the Guard module to learn malicious traffic thresholds.

The following example shows how to mark the status of the zone policies as tuned:

user@GUARD-conf-zone-scannet# learning-params threshold-tuned

Enabling the Protect and Learn Function

You can enable the threshold tuning phase of the learning process and zone protection simultaneously by using the protect and learn function. The Guard module continuously tunes the policy thresholds and at the same time monitors the traffic for anomalies using the last saved policy thresholds. If the Guard module detects an attack on the zone, it stops the learning process to prevent it from learning malicious traffic thresholds and begins mitigating the attack. After the attack ends, the Guard module resumes the threshold tuning phase along with zone protection.

Perform the following actions before you activate the protect and learn function:

Activate the policy construction phase of the learning process to construct zone-specific policies (see the "Activating the Policy Construction Phase" section).

Display the current tuned state of the zone policies by using the show learning-params command in zone configuration mode. If the policies are tuned, then the Guard module is ready to perform the protect and learn operation.


Caution If the zone policies are untuned when you enable the protect and learn function, the Guard module is unable to provide zone protection until the first time that you accept the results of the threshold tuning phase.

If the policies are untuned when you enable the protect and learn function, the Guard module operates as follows:

Performs the threshold tuning phase of the learning process only. The Guard module does not perform zone protection because it does not monitor the traffic for policy threshold violations. After the first time that you accept the results of the threshold tuning phase, the Guard module marks the policies as tuned and performs zone protection.

Activates a threshold selection method of accept-new even if you have the threshold selection method configured for max-threshold or weighted (see the "Configuring the Threshold Selection Method" section). After the first time that you accept the results of the threshold tuning phase, the Guard module uses the threshold selection method that you have configured.

See the "Marking the Policies as Tuned" section for more information.

You can accept the results of the threshold tuning phase manually or configure the Guard module to accept the results automatically. You can also configure when and how the Guard module accepts the results of the learning process (see the "Configuring Learning Parameters" section).

To activate the learning process and zone protection simultaneously, use the protect learning command or enter both the learning threshold-tuning command and the protect command (the order is not important).

For more information about the threshold tuning phase, see the "Activating the Threshold Tuning Phase" section. For more information about zone protection, see Chapter 10, "Protecting Zones."

Using Snapshots to Verify the Results of the Learning Process

The snapshot function allows you to save a copy of the learning parameters (services, thresholds, and other policy-related data) at any stage of the learning process. You can use snapshots to perform the following tasks:

Compare the learning parameters of two zones.

Compare two of the zone snapshots to verify the outcome of the learning process and trace the differences in policies, services, and thresholds.

Use the policies of a snapshot taken during normal traffic conditions to provide zone protection if an attack occurs during the learning process.

Copy zone policies from a snapshot to configure the zone according to previous learning results.

We recommend that you save a snapshot every few hours during the learning process. You can take the snapshot manually or configure the Guard module to automatically take a snapshot at specified intervals. The Guard module can save up to 100 snapshots for each zone. After that limit is reached, new snapshots replace previous ones.

This section contains information on the following topics:

Creating Snapshots

Comparing Learning Results

Displaying Snapshots

Deleting Snapshots

Copying Policies to the Zone Configuration

Creating Snapshots

You can save a single snapshot of the zone learning parameters or configure the Guard module to automatically take a snapshot at specified intervals. The Guard module continues the learning process while taking the snapshot.

To configure the Guard module to automatically take a snapshot at specified intervals, see the "Configuring Periodic Actions" section for more information.

To save a single snapshot of the zone learning parameters, use the following command in zone configuration mode:

snapshot [threshold-selection {cur-thresholds | max-thresholds | new-thresholds | weighted calc-weight}]

Table 9-3 provides the arguments and keywords for the snapshot command.

Table 9-3 Arguments and Keywords for the snapshot Command 

Parameter
Description

threshold-selection

(Optional) Specifies the method that the Guard module uses to calculate the snapshot thresholds. By default, the Guard module uses the zone threshold-selection method that is defined by the learning-params threshold-selection command. The default zone threshold-selection method is max-thresholds.

cur-thresholds

Ignores the new thresholds of the learning process and saves the current policy thresholds to the snapshot. You can use this method to create a backup of the current zone policies and policy thresholds.

max-thresholds

Compares the current policy threshold to the learned threshold and saves the higher threshold to the snapshot. This is the default method.

new-thresholds

Saves the thresholds that the learning process produced to the snapshot, ignoring the current policy thresholds.

weighted calc-weight

Calculates the policy thresholds to save based on the following formula:

threshold = (new-threshold * calc-weight + current-threshold * (100 - calc-weight)) / 100


The following example shows how to create a snapshot in which the thresholds are the highest value between the current policy threshold and the new threshold of the learning process:

user@GUARD-conf-zone-scannet# snapshot threshold-selection max-thresholds

To save a single snapshot in global mode, use the following command:

snapshot zone-name [threshold-selection {cur-thresholds | max-thresholds | new-thresholds | weighted calc-weight}]

Comparing Learning Results

You can compare the learning results of two snapshots or two zones to trace the differences in policies, services, and thresholds.

This section contains the following topics:

Comparing Snapshots

Comparing Zones

Comparing Snapshots

To compare two snapshots, use the following command in zone configuration mode:

diff snapshots snapshot-id1 snapshot-id2 [percent]

Table 9-4 provides the arguments for the diff command.

Table 9-4 Arguments for the diff Command 

Parameter
Description

snapshot-id1

Identifier of the first snapshot to compare. To display a list of the zone snapshots, use the show snapshots command.

snapshot-id2

Identifier of the second snapshot to compare.

percent

(Optional) Percentage of difference. The Guard module compares the two snapshots and displays only the differences in policy thresholds that are greater than the specified value. The default percentage is 100%, which means that the Guard module displays all the differences between the two snapshots.


The following example shows how to display the zone snapshots and compare the two most recent snapshots:

user@GUARD-conf-zone-scannet# show snapshots
ID   Time
1    Feb 10 10:32:04
2    Feb 10 10:49:12
3    Feb 10 11:01:50
user@GUARD-conf-zone-scannet# diff snapshots 2 3
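The following Python model is an added illustration and is not part of the Cisco documentation or of the Guard module software. It computes the thresholds that each threshold-selection method from Table 9-3 would store in a snapshot, and then applies a percentage-filtered comparison of the kind that the diff snapshots command performs, so that you can see which policy thresholds a learning run moved and by how much. The policy paths and threshold values are constructed sample data; the rounding of the weighted formula to a whole number and the handling of policies that exist on only one side are assumptions; and percent=0 is used here to mean "report every difference" rather than modeling the command's documented default of 100.

```python
"""Model of snapshot threshold selection and snapshot diff (added example)."""

# Constructed sample data: policy path -> threshold (units as stored by the
# policy, e.g. packets per second). CURRENT stands for the zone's current
# policy thresholds, LEARNED for the results of the threshold tuning phase.
CURRENT = {
    "tcp_services/80/syns": 1200,
    "tcp_services/80/pkts": 8000,
    "dns_udp/53/pkts": 400,
    "icmp/pkts": 50,
}
LEARNED = {
    "tcp_services/80/syns": 900,
    "tcp_services/80/pkts": 9500,
    "dns_udp/53/pkts": 1000,
    "icmp/pkts": 50,
}

METHODS = ("cur-thresholds", "max-thresholds", "new-thresholds", "weighted")


def select_thresholds(current, learned, method="max-thresholds", calc_weight=None):
    """Return the thresholds a snapshot stores under the given selection method.

    max-thresholds is the default, matching Table 9-3. For 'weighted', the
    formula from Table 9-3 is applied with integer division (the rounding
    rule is an assumption). A policy with no learned value keeps its
    current threshold (also an assumption).
    """
    if method not in METHODS:
        raise ValueError(f"unknown threshold-selection method {method!r}")
    if method == "cur-thresholds":
        return dict(current)  # backup of the current policies, learning ignored
    if method == "weighted":
        if calc_weight is None or not 0 <= calc_weight <= 100:
            raise ValueError("weighted requires calc-weight in the range 0..100")
    result = {}
    for policy, cur in current.items():
        new = learned.get(policy, cur)
        if method == "new-thresholds":
            result[policy] = new
        elif method == "max-thresholds":
            result[policy] = max(cur, new)
        else:  # weighted
            result[policy] = (new * calc_weight + cur * (100 - calc_weight)) // 100
    return result


def diff_thresholds(snap_a, snap_b, percent=0):
    """Compare two snapshots and return the policies whose threshold moved.

    Each entry maps policy -> (value_a, value_b, percent_change), where the
    change is relative to snap_a. Only changes strictly greater than
    `percent` are returned; percent=0 lists every difference. A policy that
    is present on only one side, or whose baseline is 0, is always reported
    with percent_change=None because no ratio can be computed.
    """
    changes = {}
    for policy in sorted(set(snap_a) | set(snap_b)):
        a, b = snap_a.get(policy), snap_b.get(policy)
        if a == b:
            continue
        if a is None or b is None or a == 0:
            changes[policy] = (a, b, None)
            continue
        pct = abs(b - a) * 100.0 / a
        if pct > percent:
            changes[policy] = (a, b, round(pct, 1))
    return changes


if __name__ == "__main__":
    # Run the diff against the pre-learning snapshot before accepting or
    # copying policies: a large upward jump on a single service is the kind
    # of change to inspect for traffic that may have inflated the threshold.
    learned_snap = select_thresholds(CURRENT, LEARNED, "new-thresholds")
    for policy, (a, b, pct) in diff_thresholds(CURRENT, learned_snap, percent=20).items():
        print(f"{policy}: {a} -> {b} ({pct}%)")
```

Compare the new-thresholds and max-thresholds results for the same learning run: max-thresholds never lowers a threshold, so a learning run that happens to see a quiet period cannot make the zone policies stricter than they already are, while new-thresholds adopts the learned values as they are and is the case in which the percentage-filtered diff is most useful for review before copy-policies.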

To compare snapshots in global mode, use the following command:

diff zone-name snapshots snapshot-id1 snapshot-id2 [percent]

Comparing Zones

You can compare the learning parameters of two zones by using the following command in global mode or in configuration mode:

diff zone-name1 zone-name2 [percent]

Table 9-5 provides the arguments for the diff command.

Table 9-5 Arguments for the diff Command 

Parameter
Description

zone-name1

Name of the first zone whose learning parameters are to be compared.

zone-name2

Name of the second zone whose learning parameters are to be compared.

percent

(Optional) Percentage of difference. The Guard module compares the two zones and displays only differences in policy thresholds that are higher than the specified value. The default percentage is 100%, which means that the Guard module displays all differences between the two zones.


The following example shows how to compare the learning parameters of two zones:

user@GUARD# diff scannet scannet-mailserver

Displaying Snapshots

You can display a list of the zone snapshots or the snapshot parameters to get a comprehensive view of the zone learning results by entering the following command in zone configuration mode:

show snapshots [snapshot-id [policies policy-path]]

Table 9-6 provides the arguments and keywords for the show snapshots command.

Table 9-6 Arguments and Keywords for the show snapshots Command 

Parameter
Description
snapshot-id

(Optional) Identifier of the snapshot to display. If you do not specify a snapshot, the Guard module displays a list of all the zone snapshots.

policies policy-path

(Optional) Specifies a group of policies to display. See the "Understanding Zone Policies" section on page 8-1 for more information.


To display snapshots in global mode, use the following command:

show zone zone-name snapshots [snapshot-id [policies policy-path]]

The fields of the show zone zone-name snapshots snapshot-id policies policy-path command output are identical to the fields in the output of the show policies command. See the "Displaying Policies" section on page 8-21 for more information.

Table 9-7 describes the fields in the show snapshots command output.

Table 9-7 Field Descriptions for show snapshots Command Output 

Field
Description
ID

Snapshot ID.

Time

Date and time that the snapshot was taken.


The following example shows how to display a list of the zone snapshots and the policies that are related to dns_tcp in snapshot 2:

user@GUARD-conf-zone-scannet# show snapshots
ID   Time
1    Feb 10 10:32:04
2    Feb 10 10:49:12
user@GUARD-conf-zone-scannet# show snapshots 2 policies dns_tcp

Deleting Snapshots

You can delete old snapshots to free disk space by using the following command in zone configuration mode:

no snapshot snapshot-id

The snapshot-id argument specifies the ID of an existing snapshot. Enter an asterisk (*) to delete all the zone snapshots. To view the details of a snapshot, use the show snapshots command.

The following example shows how to delete all the zone snapshots:

user@GUARD-conf-zone-scannet# no snapshot *

Copying Policies to the Zone Configuration

You can copy a complete policy configuration or a partial configuration to the current zone.

You can copy the following information:

Copy services—You can copy services from a source zone to the zone, which allows you to configure the zone policies without applying the policy construction phase to discover these services. Before you copy services to the zone, verify that the zones have similar traffic patterns.

Copy policy parameters—You can replace the zone policy parameters with the policy parameters of one of the zone snapshots, which allows you to revert to prior learning results. The Guard module copies parameters of existing policies only.

To copy the zone policies, use the following command in zone configuration mode:

copy-policies {snapshot-id | src-zone-name [service-path]}

Table 9-8 provides the arguments and keywords for the copy-policies command.

Table 9-8 Arguments and Keywords for the copy-policies Command 

Parameter
Description

snapshot-id

Identifier of the snapshot from which the policies are copied. To view the snapshot ID, use the show snapshots command.

src-zone-name

Name of the zone from which the service policies are copied.

service-path

(Optional) Service to be copied. A service path can have one of the following formats:

policy-template—Copies all policies that relate to the policy template.

policy-template/service-num—Copies all policies that relate to the policy template and the specified service.

The default is to copy all policies and services.


The following example shows how to copy all services that relate to the policy template tcp_connections from the zone webnet to the current zone, scannet:

user@GUARD-conf-zone-scannet# copy-policies webnet tcp_connections/ 

The following example shows how to display a list of the zone snapshots and then copy the policies from the snapshot with ID 2:

user@GUARD-conf-zone-scannet# show snapshots
ID   Time
1    Feb 10 10:32:04
2    Feb 10 10:49:12
user@GUARD-conf-zone-scannet# copy-policies 2 

Backing Up the Zone Policies

You can create a backup of the current zone policies at any time by using the following command in zone configuration mode:

snapshot threshold-selection cur-thresholds

The following example shows how to back up the current zone policies:

user@GUARD-conf-zone-scannet# snapshot threshold-selection cur-thresholds