11-34
Configuring Advanced Threat Protection
Using the Instrumentation Monitor
Operating Notes
■
To generate alerts for monitored events, you must enable the instru-
mentation monitoring log and/or SNMP trap. The threshold for each
monitored parameter can be adjusted to minimize false alarms (see
“Configuring Instrumentation Monitor” on page 11-35).
■
When a parameter exceeds its threshold, an alert (event log message
and/or SNMP trap) is generated to inform network administrators of
this condition. The following example shows an event log message
that occurs when the number of MAC addresses learned in the
forwarding table exceeds the configured threshold:
Figure 11-8. Example of Event Log Message generated by Instrumentation Monitor
■
Alerts are automatically rate limited to prevent filling the log file with
redundant information. The following is an example of alerts that
occur when the device is continually subject to the same attack (too
many MAC addresses in this instance):
Figure 11-9. Example of rate limiting when multiple messages are generated
In the preceding example, if a condition is reported 4 times (persists for
more than 15 minutes) then alerts cease for 15 minutes. If after 15 minutes
the condition still exists, the alerts cease for 30 minutes, then for 1 hour,
2 hours, 4 hours, 8 hours, and after that the persisting condition is reported
once a day. As with other event log entries, these alerts can be sent to a
syslog server.
■
Known Limitations:
The instrumentation monitor runs once every
five minutes. The current implementation does not track information
such as the port, MAC, and IP address from which an attack is
received.
Standard Date/Time Prefix
for Event Log Messages
Monitored
Parameter
Threshold
Value
“inst-mon” label indicates an
Instrumentation Monitor event
Current
Value
W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)
W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)
W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)
W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)
W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)
W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes
Содержание E3800 Series
Страница 1: ...HP Switch Software E3800 switches Software version KA 15 03 September 2011 Access Security Guide ...
Страница 2: ......
Страница 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Страница 30: ...xxviii ...
Страница 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Страница 186: ...4 72 Web and MAC Authentication Client Status ...
Страница 290: ...6 74 RADIUS Authentication Authorization and Accounting Dynamic Removal of Authentication Limits ...
Страница 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Страница 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Страница 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Страница 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Страница 659: ...14 11 Configuring and Monitoring Port Security Port Security Figure 14 5 Examples of Show Mac Address Outputs ...
Страница 730: ...20 Index ...
Страница 731: ......