MONITORING TRAFFIC
7-14 User Guide
Alert Configuration
Policy Alerting
To configure a Policy Alert with values appropriate for your network, you must first establish a
baseline of typical traffic flows. To do this, run a sniffer on eth0 (the interface bound to the
Untrust zone) and monitor the number of new connection requests arriving every second for the
server behind eth1 (the interface bound to the Trust zone). Set the alert threshold above the peak
observed in that baseline; otherwise normal traffic will trigger the alert.
This section provides instructions on how to configure your appliance for the
following applications:
1. Alerts when flow bandwidth thresholds are exceeded.
2. Alerts when connection rate thresholds are exceeded.
Policy alerting lets you set trigger levels on any policy to monitor the traffic fluctuations
commonly seen during network anomalies (e.g. worm propagation, DDoS attacks) or during high
bandwidth consumption (P2P, file serving).
To use this function, first configure the alert type and its threshold parameter. The alert
mechanism currently supports three configuration options: connections per interval, aggregate
bandwidth per interval, and connection bandwidth per interval. Once an alert type and its
threshold settings are configured, you can choose to send the alert in syslog format.
Connection Rate
In this configuration the system counts the individual connection attempts from the source
zone/IP address to the destination zone/IP address configured on the policy. When the threshold
is reached within the specified interval, an alarm is triggered with the configured alert action.
The alert message specifies the source IP address and the destination IP address for which the
connection threshold was met.
set alert conn-rate <alert-name> threshold <conn-cnt> interval <interval-in-sec> action [log] [once | always]
Aggregate Bandwidth
In this configuration the system counts the total bandwidth used by the specific policy. For
example, if a policy is configured with an aggregate-bandwidth threshold of 100 Kbps, an alert is
triggered once the cumulative upload or download traffic (depending on the direction of the policy)
surpasses 100 Kbps. The alert message shows only the Policy ID that triggered the alert.
set alert aggr-bandwidth <alert-name> threshold <k-bps> interval <interval-in-sec> action [log] [once | always]
Connection Bandwidth
In this configuration bandwidth is counted per flow (per connection). For example, if four hosts
are accessing a web server and the policy is configured with conn-bandwidth threshold 100 Kbps,
interval 1 second, only the host whose own traffic exceeds 100 Kbps in that second triggers the
alarm. In this case the alert specifies the src-ip of the offending host.
set alert conn-bandwidth <alert-name> threshold <k-bps> interval <interval-in-sec> action [log] [once | always]
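The following Python simulation is an added example and is not code from the freeGuard user guide or from the appliance. It runs the baseline step and all three alert types over a constructed set of flow records, so that the difference between what conn-rate, aggr-bandwidth and conn-bandwidth count, and what each alert reports, can be seen on concrete input. The flow record layout, the reading of "reached" as >= and "surpasses" as >, the meaning of once (stop after the first alert) versus always (report every tripping interval), and the message wording are assumptions made for illustration.

```python
"""Simulator for the three policy-alert types over constructed flow records.
Added example; not the appliance's code, CLI or syslog format."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed record on the policy (assumed record layout)."""
    t: float        # seconds since the start of the capture window
    src: str        # source IP on the Untrust side (eth0)
    dst: str        # destination IP, the server on the Trust side (eth1)
    new_conn: bool  # True when this record is a new connection request
    kbits: float    # kilobits carried by this record


# Constructed sample: three seconds of traffic to 10.0.0.5 behind eth1.
# 192.0.2.10 opens two connections and moves 130 Kbit during second 1.
SAMPLE = [
    Flow(0.1, "192.0.2.10", "10.0.0.5", True, 50),
    Flow(0.3, "192.0.2.11", "10.0.0.5", True, 40),
    Flow(0.5, "192.0.2.12", "10.0.0.5", True, 20),
    Flow(0.9, "192.0.2.10", "10.0.0.5", False, 30),
    Flow(1.2, "192.0.2.10", "10.0.0.5", True, 120),
    Flow(1.4, "192.0.2.10", "10.0.0.5", True, 10),
    Flow(1.6, "192.0.2.13", "10.0.0.5", True, 10),
    Flow(2.2, "192.0.2.11", "10.0.0.5", False, 60),
    Flow(2.5, "192.0.2.12", "10.0.0.5", False, 20),
]


def buckets(flows, interval):
    """Group records into consecutive windows of `interval` seconds."""
    out = defaultdict(list)
    for f in flows:
        out[int(f.t // interval)].append(f)
    return dict(sorted(out.items()))


def baseline_peak_conn_rate(flows, dst, interval=1):
    """Baseline step from the guide: new connection requests to `dst` in the
    busiest window. Set the conn-rate threshold above this value."""
    return max(sum(1 for f in recs if f.new_conn and f.dst == dst)
               for recs in buckets(flows, interval).values())


def evaluate(flows, kind, threshold, interval, mode="always", policy_id=1):
    """Return the alerts this policy alert would raise as
    (window_start_sec, key, measured_value) tuples.

    conn-rate      keyed by (src, dst), counts new connections per window
    aggr-bandwidth keyed by policy id, sums all traffic on the policy
    conn-bandwidth keyed by (src, dst), sums that connection's traffic
    Kbps = kilobits in the window / interval length. Assumed semantics: a
    count 'reaches' the threshold at >=, bandwidth 'surpasses' it at >,
    'once' stops after the first alert, 'always' reports every window.
    """
    alerts = []
    for idx, recs in buckets(flows, interval).items():
        per_key = defaultdict(float)
        for f in recs:
            if kind == "conn-rate":
                if f.new_conn:
                    per_key[(f.src, f.dst)] += 1
            elif kind == "aggr-bandwidth":
                per_key[policy_id] += f.kbits / interval
            elif kind == "conn-bandwidth":
                per_key[(f.src, f.dst)] += f.kbits / interval
            else:
                raise ValueError(f"unknown alert kind {kind!r}")
        for key, value in per_key.items():
            tripped = value >= threshold if kind == "conn-rate" else value > threshold
            if tripped:
                alerts.append((idx * interval, key, value))
                if mode == "once":
                    return alerts
    return alerts


def format_alert(kind, name, alert):
    """Render one alert as a syslog-style line. Each type reports what the
    guide says it reports (src/dst pair, policy ID only, or src-ip); the
    exact wording is invented here."""
    start, key, value = alert
    if kind == "conn-rate":
        return f"alert {name}: {key[0]} -> {key[1]} {int(value)} new connections at t={start}s"
    if kind == "aggr-bandwidth":
        return f"alert {name}: policy {key} at {value:.0f} Kbps at t={start}s"
    return f"alert {name}: src-ip {key[0]} at {value:.0f} Kbps at t={start}s"


if __name__ == "__main__":
    print("baseline peak new conns/sec:", baseline_peak_conn_rate(SAMPLE, "10.0.0.5"))
    for kind, thr, mode in [("conn-rate", 2, "always"), ("aggr-bandwidth", 100, "always"),
                            ("aggr-bandwidth", 100, "once"), ("conn-bandwidth", 100, "always")]:
        for a in evaluate(SAMPLE, kind, thr, 1, mode):
            print(mode.ljust(6), format_alert(kind, f"{kind}-demo", a))
```

On the sample, the baseline peak is 3 new connections per second, so a conn-rate threshold of 2 would fire on normal traffic; aggr-bandwidth at 100 Kbps trips in seconds 0 and 1 (reported once or twice depending on the mode), and conn-bandwidth at 100 Kbps singles out only 192.0.2.10.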