Creating New Adp Profiles; Traffic Anomaly Profiles - ZyXEL Communications NXC5200 User Manual


Chapter 22 ADP
These are the default base profiles at the time of writing.

Table 125 Base Profiles
BASE PROFILE   DESCRIPTION
none           All traffic anomaly and protocol anomaly rules are disabled. No logs are
               generated nor actions are taken.
all            All traffic anomaly and protocol anomaly rules are enabled. Rules with a
               high or severe severity level (greater than three) generate log alerts
               and cause packets that trigger them to be dropped. Rules with a very
               low, low or medium severity level (less than or equal to three) generate
               logs (not log alerts) and no action is taken on packets that trigger them.
OK             Click OK to save your changes.
Cancel         Click Cancel to exit this screen without saving your changes.

22.3.2 Creating New ADP Profiles

You may want to create a new profile if not all rules in a base profile are applicable to your network. In this case you should disable the non-applicable rules to improve NXC ADP processing efficiency.

You may also find that certain rules trigger too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the NXC. As each network is different, false positives and false negatives are common on initial ADP deployment.

You could create a new 'monitor profile' that generates logs but has all actions disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you are satisfied that they have been reduced to an acceptable level, you could then create an 'inline profile' in which you configure the appropriate action to be taken when a packet matches a rule.

ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile and then click OK to go to the profile details screen. Type a new profile name, enable or disable individual rules and then edit the default log options and actions.
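The monitor-then-inline workflow described above can be modelled to make the tuning decision explicit. The following Python is an added example, not ZyXEL's code and not the NXC's configuration format: the rule names, severities and the ADP log line layout are constructed for illustration. It starts every rule in a log-only monitor profile, counts which rules fired on traffic the administrator has reviewed, lists the noisy candidates, and then derives an inline profile in which the confirmed false-positive rules are disabled and the remaining rules receive the defaults of base profile 'all' (severity above three: log alert and drop; three or below: log only, no action).

```python
"""
Added example modelling ADP profile tuning: monitor profile -> review hits
-> inline profile. Rule catalogue, severities and log format are assumed
values for this example, not the NXC5200's real data.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed rule catalogue. Severity scale follows the manual's wording:
# greater than three = high/severe, three or below = very low/low/medium.
RULES = {
    "tcp-portscan": 4,
    "udp-portscan": 4,
    "icmp-flood": 5,
    "syn-flood": 5,
    "tcp-decoy-scan": 2,
    "ip-spoof": 3,
}


@dataclass
class RuleSetting:
    enabled: bool
    log: str      # "no", "log" or "log alert"
    action: str   # "none" or "drop"


def base_profile_all(severity: int) -> RuleSetting:
    """Default per-rule setting of base profile 'all' as given in Table 125."""
    if severity > 3:
        return RuleSetting(True, "log alert", "drop")
    return RuleSetting(True, "log", "none")


def monitor_profile(rules: dict) -> dict:
    """Log-only profile: every rule logs, no packet action is taken."""
    return {name: RuleSetting(True, "log", "none") for name in rules}


# Constructed sample of log lines collected while the monitor profile was active.
# The key=value layout is an assumption for this example.
SAMPLE_LOGS = """\
2024-01-10 09:00:01 ADP rule=tcp-decoy-scan src=10.0.0.12 dst=10.0.0.1 severity=2 action=none
2024-01-10 09:00:05 ADP rule=tcp-decoy-scan src=10.0.0.12 dst=10.0.0.1 severity=2 action=none
2024-01-10 09:01:10 ADP rule=tcp-decoy-scan src=10.0.0.13 dst=10.0.0.1 severity=2 action=none
2024-01-10 09:02:44 ADP rule=syn-flood src=198.51.100.7 dst=10.0.0.1 severity=5 action=none
2024-01-10 09:03:00 SYSTEM unrelated event without a rule field
"""


def parse_hits(log_text: str) -> Counter:
    """Count how often each ADP rule fired, ignoring lines without a rule field."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "rule" in fields:
            counts[fields["rule"]] += 1
    return counts


def noisy_rules(hits: Counter, threshold: int) -> list:
    """Rules that fired at least `threshold` times: candidates for manual review,
    not an automatic decision, since a busy rule may be a real attack."""
    return sorted(name for name, n in hits.items() if n >= threshold)


def inline_profile(rules: dict, confirmed_false_positives: set) -> dict:
    """Derive an inline profile: rules the administrator has confirmed as false
    positives are disabled; every other rule gets the 'all' base defaults."""
    profile = {}
    for name, severity in rules.items():
        if name in confirmed_false_positives:
            profile[name] = RuleSetting(False, "no", "none")
        else:
            profile[name] = base_profile_all(severity)
    return profile


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOGS)
    print("hits per rule:", dict(hits))
    print("review candidates:", noisy_rules(hits, threshold=3))
    # After review the operator decides tcp-decoy-scan is benign on this network.
    for name, setting in inline_profile(RULES, {"tcp-decoy-scan"}).items():
        print(f"{name:15} enabled={setting.enabled} log={setting.log} action={setting.action}")
```

The threshold in noisy_rules only produces a review list; the decision to disable a rule stays with the operator, which matches the manual's advice to eliminate the causes of false alarms before moving to an inline profile.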

22.3.3 Traffic Anomaly Profiles

The traffic anomaly screen is the second screen in an ADP profile. Traffic anomaly
detection looks for abnormal behavior such as scan or flooding attempts. In the
Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the
Add icon and choose a base profile. If you made changes to other screens
