Configuring the Illegal Zone
To configure the illegal zone for anomaly detection, follow these steps:
Step 1
Log in to the IDM using an account with administrator or operator privileges.
Step 2
Choose Configuration > Policies > Anomaly Detections > ad0 > Illegal Zone.
Step 3
Click the General tab.
Step 4
To enable the illegal zone, check the Enable the Illegal Zone check box.
Note You must check the Enable the Illegal Zone check box or any protocols that you configure will be ignored.
Step 5
In the Service Subnets field, enter the subnets to which you want the illegal zone to apply. The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
Step 6
To configure TCP protocol, click the TCP Protocol tab.
Step 7
To enable TCP protocol, check the Enable the TCP Protocol check box.
Note You must check the Enable the TCP Protocol check box or the TCP protocol configuration will be ignored.
Step 8
Click the Destination Port Map tab, and then click Add to add a destination port.
Step 9
In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 10
To enable the service on that port, check the Enable the Service check box.
Step 11
To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 12
To add a histogram for the new scanner settings, click Add.
Step 13
From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 14
In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 15
Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 16
Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 17
To edit the destination port map, select it in the list, and click Edit.
Step 18
Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 19
To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 20
To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 21
From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 22
In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 23
To configure UDP protocol, click the UDP Protocol tab.
Step 24
To enable UDP protocol, check the Enable the UDP Protocol check box.
Note You must check the Enable the UDP Protocol check box or the UDP protocol configuration will be ignored.
Step 25
Click the Destination Port Map tab, and then click Add to add a destination port.
Step 26
In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 27
To enable the service on that port, check the Enable the Service check box.
Step 28
To override the scanner values for that port, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 29
To add a histogram for the new scanner settings, click Add.
Step 30
From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 31
In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 32
Click OK. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 33
Click OK. The new destination port map appears in the list on the Destination Port Map tab.
Step 34
To edit the destination port map, select it in the list, and click Edit.
Step 35
Make any changes to the fields and click OK. The edited destination port map appears in the list on the Destination Port Map tab.
Step 36
To delete a destination port map, select it, and click Delete. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 37
To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 38
From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 39
In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 40
To configure other protocols, click the Other Protocols tab.
Step 41
To enable other protocols, check the Enable Other Protocols check box.
Note You must check the Enable Other Protocols check box or the other protocols configuration will be ignored.
Step 42
Click the Protocol Number Map tab, and then click Add to add a protocol number.
Step 43
In the Protocol Number field, enter the protocol number. The valid range is 0 to 255.
Step 44
To enable the service of that protocol, check the Enable the Service check box.
Step 45
To override the scanner values for that protocol, check the Override Scanner Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 46
To add a histogram for the new scanner settings, click Add.
Step 47
From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 48
In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 49
Click OK. The new scanner setting appears in the list in the Add Protocol Number dialog box.
Tip To discard your changes and close the Add Protocol Number dialog box, click Cancel.
Step 50
Click OK. The new protocol number map appears in the list on the Protocol Number Map tab.
Step 51
To edit the protocol number map, select it in the list, and click Edit.
Step 52
Make any changes to the fields and click OK. The edited protocol number map appears in the list on the Protocol Number Map tab.
Step 53
To delete a protocol number map, select it, and click Delete. The protocol number map no longer appears in the list on the Protocol Number Map tab.
Step 54
To edit the default thresholds, click the Default Thresholds tab, select the threshold histogram you want to edit, and then click Edit.
Step 55
From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 56
In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Tip To discard your changes, click Reset.
Step 57
Click Apply to apply your changes and save the revised configuration.
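
The following is an added example, not part of the original procedure and not IDM or sensor code: a pre-flight check that validates a planned illegal-zone configuration against the field formats and ranges stated in the steps above, and flags entries that would be ignored because an enable check box is unchecked. The dictionary layout and the function names are assumptions made for illustration.

```python
import ipaddress

LIMITS = {"tcp": 65535, "udp": 65535, "other": 255}  # max port / protocol number
LEVELS = {"High", "Medium", "Low"}  # Number of Destination IP Addresses choices

def parse_service_subnets(text):
    """Parse the Service Subnets format, e.g. '10.10.5.5,10.10.2.1-10.10.2.30'."""
    ranges = []
    for item in text.split(","):
        first, sep, last = item.strip().partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip()) if sep else lo
        if hi < lo:
            raise ValueError(f"range {item.strip()!r} ends before it starts")
        ranges.append((lo, hi))
    return ranges

def validate_plan(plan):
    """Return a list of problems found in a planned illegal-zone configuration."""
    problems = []
    try:
        parse_service_subnets(plan["service_subnets"])
    except ValueError as exc:
        problems.append(f"Service Subnets: {exc}")
    for proto, limit in LIMITS.items():
        section = plan.get(proto, {})
        entries = section.get("entries", {})
        # Per the Notes: settings are ignored unless both check boxes are enabled.
        if entries and not (plan.get("enabled") and section.get("enabled")):
            problems.append(f"{proto}: zone or protocol not enabled; entries will be ignored")
        for number, entry in entries.items():
            if not 0 <= number <= limit:
                problems.append(f"{proto} {number}: outside 0 to {limit}")
            for level, sources in entry.get("histogram", []):
                if level not in LEVELS:
                    problems.append(f"{proto} {number}: unknown level {level!r}")
                if not 0 <= sources <= 4096:
                    problems.append(f"{proto} {number}: source count {sources} outside 0 to 4096")
    return problems

# Constructed sample plan (hypothetical values, not taken from a real sensor).
SAMPLE_PLAN = {
    "enabled": True,
    "service_subnets": "10.10.5.5,10.10.2.1-10.10.2.30",
    "tcp": {"enabled": True, "entries": {445: {"histogram": [("Low", 10), ("High", 5000)]}}},
    "udp": {"enabled": False, "entries": {70000: {"histogram": [("Medium", 3)]}}},
    "other": {"enabled": True, "entries": {47: {"histogram": [("Low", 1)]}}},
}

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN):
        print(problem)
```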