ZyXEL Communications ZyWall 110 User Manual page 368

Table 154 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly (continued)
LABELS
Scan/Flood Detection
Sensitivity
Block Period
Edit (Flood Detection
only)
Activate
Inactivate
Log
Action
#
Status
Name
Log
Action
Threshold (pkt/sec)
OK
Cancel
Save
Chapter 21 Security Policy
DESCRIPTION
Scan detection, such as port scanning, tries to find attacks where an attacker
scans device(s) to determine what types of network protocols or services a
device supports.
Flood detection tries to find attacks that saturate a network with useless data,
use up all available bandwidth, and so aim to make communications in the
network impossible.
(Scan detection only.) Select a sensitivity level so as to reduce false positives in
your network. If you choose low sensitivity, then scan thresholds and sample
times are set low, so you will have fewer logs and false positives; however some
traffic anomaly attacks may not be detected.
If you choose high sensitivity, then scan thresholds and sample times are set
high, so most traffic anomaly attacks will be detected; however you will have
more logs and false positives.
Specify for how many seconds the ZyWALL/USG blocks all packets from being
sent to the victim (destination) of a detected anomaly attack. Flood Detection
applies blocking to the destination IP address and Scan Detection applies
blocking to the source IP address.
Select an entry and click this to be able to modify it.
To turn on an entry, select it and click Activate.
To turn off an entry, select it and click Inactivate.
To edit an item's log option, select it and use the Log icon. Select whether to
have the ZyWALL/USG generate a log (log), log and alert (log alert) or neither
(no) when traffic matches this anomaly policy.
To edit what action the ZyWALL/USG takes when a packet matches a policy,
select the policy and use the Action icon.
none: The ZyWALL/USG takes no action when a packet matches the policy.
block: The ZyWALL/USG silently drops packets that matches the policy. Neither
sender nor receiver are notified.
This is the entry's index number in the list.
The activate (light bulb) icon is lit when the entry is active and dimmed when the
entry is inactive.
This is the name of the anomaly policy. Click the Name column heading to sort
in ascending or descending order according to the protocol anomaly policy
name.
These are the log options. To edit this, select an item and use the Log icon.
This is the action the ZyWALL/USG should take when a packet matches a policy.
To edit this, select an item and use the Action icon.
(Flood detection only.) Select a suitable threshold level (the number of packets
per second that match the flood detection criteria) for your network. If you
choose a low threshold, most traffic anomaly attacks will be detected, but you
may have more logs and false positives.
If you choose a high threshold, some traffic anomaly attacks may not be
detected, but you will have fewer logs and false positives.
Click OK to save your settings to the ZyWALL/USG, complete the profile and
return to the profile summary page.
Click Cancel to return to the profile summary page without saving any changes.
Click Save to save the configuration to the ZyWALL/USG but remain in the same
page. You may then go to the another profile screen (tab) in order to complete
the profile. Click OK in the final profile screen to complete the profile.
ZyWALL/USG Series User's Guide
368