Configuring Advanced Threat Protection
Using the Instrumentation Monitor
Operating Notes
■
To generate alerts for monitored events, you must enable the instru
mentation monitoring log and/or SNMP trap. The threshold for each
monitored parameter can be adjusted to minimize false alarms (see
“Configuring Instrumentation Monitor” on page 10-25).
■
When a parameter exceeds its threshold, an alert (event log message
and/or SNMP trap) is generated to inform network administrators of
this condition. The following example shows an event log message
that occurs when the number of MAC addresses learned in the
forwarding table exceeds the configured threshold:
Standard Date/Time Prefix
for Event Log Messages
Monitored
Parameter
Threshold
Value
“inst-mon” label indicates an
Instrumentation Monitor event
Current
Value
W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)
Figure 10-13.Example of Event Log Message generated by Instrumentation Monitor
■
Alerts are automatically rate limited to prevent filling the log file with
redundant information. The following is an example of alerts that
occur when the device is continually subject to the same attack (too
many MAC addresses in this instance):
W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)
W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)
W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)
W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)
W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes
Figure 10-14.Example of rate limiting when multiple messages are generated
In the preceding example, if a condition is reported 4 times (persists for
more than 15 minutes) then alerts cease for 15 minutes. If after 15 minutes
the condition still exists, the alerts cease for 30 minutes, then for 1 hour,
2 hours, 4 hours, 8 hours, and after that the persisting condition is reported
once a day. As with other event log entries, these alerts can be sent to a
syslog server.
■
Known Limitations:
The instrumentation monitor runs once every
five minutes. The current implementation does not track information
such as the port, MAC, and IP address from which an attack is
received.
10-24
Summary of Contents for PROCURVE 2910AL
Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Page 2: ......
Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Page 156: ...TACACS Authentication Operating Notes 4 30 ...
Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Page 592: ...12 Index ...
Page 593: ......