Configuring the Illegal Zone
To configure the illegal zone for anomaly detection, follow these steps:
Step 1
Log in to the IDM using an account with administrator or operator privileges.
Step 2
Choose Configuration > Policies > Anomaly Detections > ad0 > Illegal Zone.
Step 3
Click the General tab.
Step 4
To enable the illegal zone, check the Enable the Illegal Zone check box.
Note You must check the Enable the Illegal Zone check box or any protocols that you configure will be ignored.
Step 5
In the Service Subnets field, enter the subnets to which you want the illegal zone to apply. The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
Step 6
To configure TCP protocol, click the TCP Protocol tab.
Step 7
To enable TCP protocol, check the Enable the TCP Protocol check box.
Note You must check the Enable the TCP Protocol check box or the TCP protocol configuration will be ignored.
Step 8
Click the Destination Port Map tab, and then click Add to add a destination port.
Step 9
In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 10
To enable the service on that port, check the Enable the Service check box.
Step 11
To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 12
To add a histogram for the new scanner settings, click Add.
Step 13
From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 14
In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 15
Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 16
Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 17
To edit the destination port map, select it in the list, and click Edit.
Step 18
Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 19
To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 20
To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 21
From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 22
In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 23
To configure UDP protocol, click the UDP Protocol tab.
Step 24
To enable UDP protocol, check the Enable the UDP Protocol check box.
Note You must check the Enable the UDP Protocol check box or the UDP protocol configuration will be ignored.
Step 25
Click the Destination Port Map tab, and then click Add to add a destination port.
Step 26
In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 27
To enable the service on that port, check the Enable the Service check box.
Step 28
To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 29
To add a histogram for the new scanner settings, click Add.
Step 30
From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 31
In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 32
Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 33
Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 34
To edit the destination port map, select it in the list, and click Edit.
Step 35
Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 36
To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 37
To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 38
From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 39
In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 40
To configure other protocols, click the Other Protocols tab.
Step 41
To enable other protocols, check the Enable Other Protocols check box.
Note You must check the Enable Other Protocols check box or the other protocols configuration will be ignored.
Step 42
Click the Protocol Number Map tab, and then click Add to add a protocol number.
Step 43
In the Protocol Number field, enter the protocol number. The valid range is 0 to 255.
Step 44
To enable the service of that protocol, check the Enable the Service check box.
Step 45
To override the scanner values for that protocol, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 46
To add a histogram for the new scanner settings, click Add.
Step 47
From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 48
In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 49
Click OK. The new scanner setting appears in the list in the Add Protocol Number dialog box.
Tip To discard your changes and close the Add Protocol Number dialog box, click Cancel.
Step 50
Click OK. The new protocol number map appears in the list on the Protocol Number Map tab.
Step 51
To edit the protocol number map, select it in the list, and click Edit.
Step 52
Make any changes to the fields and click OK. The edited protocol number map appears in the list on the Protocol Number Map tab.
Step 53
To delete a protocol number map, select it, and click Delete. The protocol number map no longer appears in the list on the Protocol Number Map tab.
Step 54
To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 55
From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 56
In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Tip To discard your changes, click Reset.
Step 57
Click Apply to apply your changes and save the revised configuration.
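The procedure above has several ways for a setting to be silently ignored or rejected: an unchecked enable box, a malformed Service Subnets entry, or a value outside its valid range. The following Python sketch is an added example, not part of the IDM or of the original document; it checks a planned illegal zone against the formats and ranges stated in the steps before you enter it. The dictionary layout, `PLAN`, and the function names are hypothetical.

```python
import ipaddress

LEVELS = ("High", "Medium", "Low")  # Number of Destination IP Addresses choices

def parse_service_subnets(text):
    """Parse '10.10.5.5,10.10.2.1-10.10.2.30' into (first, last) address pairs."""
    ranges = []
    for item in text.split(","):
        first, sep, last = item.strip().partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip()) if sep else lo
        if hi < lo:
            raise ValueError(f"range end precedes start: {item.strip()}")
        ranges.append((lo, hi))
    return ranges

def check_zone(zone):
    """Return the problems found in a planned illegal zone (hypothetical dict layout)."""
    problems = []
    try:
        parse_service_subnets(zone["service_subnets"])
    except ValueError as exc:  # also raised by ipaddress for malformed addresses
        problems.append(f"service subnets: {exc}")
    for proto, cfg in zone["protocols"].items():
        limit = 255 if proto == "other" else 65535  # protocol number vs. port
        # Entries are ignored unless both the zone and the protocol are enabled.
        if cfg["entries"] and not (zone["enabled"] and cfg["enabled"]):
            problems.append(f"{proto}: configured but not enabled, will be ignored")
        for number, histogram in cfg["entries"].items():
            if not 0 <= number <= limit:
                problems.append(f"{proto} {number}: outside 0 to {limit}")
            for level, sources in histogram.items():
                if level not in LEVELS:
                    problems.append(f"{proto} {number}: unknown level {level!r}")
                if not 0 <= sources <= 4096:
                    problems.append(f"{proto} {number} {level}: {sources} sources outside 0 to 4096")
    return problems

# Constructed sample plan: zone check box left unchecked, two out-of-range values.
PLAN = {
    "enabled": False,
    "service_subnets": "10.10.5.5,10.10.2.1-10.10.2.30",
    "protocols": {
        "tcp": {"enabled": True, "entries": {23: {"High": 10, "Low": 5000}}},
        "udp": {"enabled": True, "entries": {70000: {"Medium": 20}}},
        "other": {"enabled": False, "entries": {}},
    },
}

if __name__ == "__main__":
    for problem in check_zone(PLAN):
        print(problem)
```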