Configuring the Internal Zone
To configure the internal zone for anomaly detection, follow these steps:
Step 1 Log in to the IME using an account with administrator or operator privileges.
Step 2 Choose
Configuration >
sensor_name
> Policies > Anomaly Detections > ad0 > Internal Zone
, and then click the
General
tab.
Step 3 To enable the internal zone, check the
Enable the Internal Zone
check box.
Note You must check the Enable the Internal Zone check box or any protocols that you configure will be ignored.
Step 4 In the Service Subnets field, enter the subnets to which you want the internal zone to apply. The valid format is 10.10.5.5,10.10.2.1-10.10.2.30.
Step 5 To configure TCP protocol, click the
TCP Protocol
tab.
Step 6 To enable TCP protocol, check the
Enable the TCP Protocol
check box.
Note You must check the Enable the TCP Protocol check box or the TCP protocol configuration will be ignored.
Step 7 Click the
Destination Port Map
tab, and then click
Add
to add a destination port.
Step 8 In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 9 To enable the service on that port, check the
Enable the Service
check box.
Step 10 To override the scanner values for that port, check the
Override Scanner
Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 11 To add a histogram for the new scanner settings, click
Add
.
Step 12 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 13 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 14 Click
OK
. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 15 Click
OK
. The new destination port map appears in the list on the Destination Port Map tab.
Step 16 To edit the destination port map, select it in the list, and click
Edit
.
Step 17 Make any changes to the fields and click
OK
.
The edited destination port map appears in the list on the Destination Port Map tab.
Step 18 To delete a destination port map, select it, and click
Delete
.
The destination port map no longer appears in the list Destination Port Map tab.
Step 19 To edit the default thresholds, click the
Default Thresholds
tab.
Step 20 Select the threshold histogram you want to edit, and click
Edit
.
Step 21 From the Number of Destination IP Addresses the drop down list, change the value (High, Medium, or Low).
Step 22 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 23 To configure UDP protocol, click the
UDP Protocol
tab.
Step 24 To enable UDP protocol, check the
Enable the UDP Protocol
check box.
Note You must check the Enable the UDP Protocol check box or the UDP protocol configuration will be ignored.
Step 25 Click the
Destination Port Map
tab, and then click
Add
to add a destination port.
Step 26 In the Destination Port Number field, enter the destination port number. The valid range is 0 to 65535.
Step 27 To enable the service on that port, check the
Enable the Service
check box.
Step 28 To override the scanner values for that port, check the
Override Scanner
Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 29 To add a histogram for the new scanner settings, click
Add
.
Step 30 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 31 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 32 Click
OK
. The new scanner setting appears in the list in the Add Destination Port dialog box.
Tip To discard your changes and close the Add Destination Port dialog box, click Cancel.
Step 33 Click
OK
. The new destination port map appears in the list on the Destination Port Map tab.
Step 34 To edit the destination port map, select it in the list, and click
Edit
.
Step 35 Make any changes to the fields and click
OK
. The edited destination port map appears in the list on the Destination Port Map tab.
Step 36 To delete a destination port map, select it, and click
Delete
. The destination port map no longer appears in the list on the Destination Port Map tab.
Step 37 To edit the default thresholds, click the
Default Thresholds
tab, select the threshold histogram you want to edit, and then click
Edit
.
Step 38 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 39 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Step 40 To configure Other protocols, click the
Other Protocols
tab.
Step 41 To enable other protocols, check the
Enable Other Protocols
check box.
Note You must check the Enable Other Protocols check box or the other protocols configuration will be ignored.
Step 42 Click the
Protocol Number Map
tab, and then click
Add
to add a protocol number.
Step 43 In the Protocol Number field, enter the protocol number. The valid range is 0 to 255.
Step 44 To enable the service of that protocol, check the
Enable the Service
check box.
Step 45 To override the scanner values for that protocol, check the
Override Scanner
Settings check box. You can use the default scanner values, or you can override them and configure your own scanner values.
Step 46 To add a histogram for the new scanner settings, click
Add
.
Step 47 From the Number of Destination IP Addresses drop-down list, choose the value (High, Medium, or Low).
Step 48 In the Number of Source IP Addresses field, enter the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096.
Tip To discard your changes and close the Add Histogram dialog box, click Cancel.
Step 49 Click
OK
. The new scanner setting appears in the list in the Add Protocol Number dialog box.
Tip To discard your changes and close the Add Protocol Number dialog box, click Cancel.
Step 50 Click
OK
. The new protocol number map appears in the list on the Protocol Number Map tab.
Step 51 To edit the protocol number map, select it in the list, and click
Edit
.
Step 52 Make any changes to the fields and click
OK
. The edited protocol number map appears in the list on the Protocol Number Map tab.
Step 53 To delete a protocol number map, select it, and click
Delete
. The protocol number map no longer appears in the list on the Protocol Number Map tab.
Step 54 To edit the default thresholds, click the
Default Thresholds
tab, select the threshold histogram you want to edit, and then click
Edit
.
Step 55 From the Number of Destination IP Addresses drop-down list, change the value (High, Medium, or Low).
Step 56 In the Number of Source IP Addresses field, edit the number of source IP addresses you want associated with this histogram. The valid range is 0 to 4096. The edited threshold histogram appears in the list on the Default Thresholds tab.
Tip To discard your changes and close the Edit Histogram dialog box, click Cancel.
Tip To discard your changes, click Reset.
Step 57 Click
Apply
to apply your changes and save the revised configuration.