Chapter 31 ADP
ZyWALL USG 50 User’s Guide
516
Table 153 Configuration > Anti-X > ADP > General (continued)
LABEL: DESCRIPTION
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
From, To: This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
  Use the From field to specify the zone from which the traffic is coming. Select ZyWALL to specify traffic coming from the ZyWALL itself.
  Use the To field to specify the zone to which the traffic is going. Select ZyWALL to specify traffic destined for the ZyWALL itself.
  From LAN1 To LAN1 means packets traveling from a computer on one LAN1 subnet to a computer on another LAN1 subnet via the ZyWALL’s LAN1 zone interfaces. The ZyWALL does not check packets traveling from a LAN1 computer to another LAN1 computer on the same subnet.
  From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone.
  Note: Depending on your network topology and traffic load, applying every packet direction to an anomaly profile may affect the ZyWALL’s performance.
Anomaly Profile: An anomaly profile is a set of anomaly rules with configured activation, log and action settings. This field shows which anomaly profile is bound to which traffic direction. Select an ADP profile to apply to the entry’s traffic direction. Configure the ADP profiles in the ADP profile screens.
Apply: Click Apply to save your changes.
Reset: Click Reset to return the screen to its last-saved settings.

31.3 The Profile Summary Screen
Use this screen to:
Create a new profile using an existing base profile
Edit an existing profile
Delete an existing profile
31.3.1 Base Profiles
The ZyWALL comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen.
Figure 304 Base Profiles
These are the default base profiles at the time of writing.
Table 154 Base Profiles
BASE PROFILE: DESCRIPTION
none: All traffic anomaly and protocol anomaly rules are disabled. No logs are generated and no actions are taken.
all: All traffic anomaly and protocol anomaly rules are enabled. Rules with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Rules with a very low, low or medium severity level (less than or equal to three) generate logs (not log alerts) and no action is taken on packets that trigger them.
OK: Click OK to save your changes.
Cancel: Click Cancel to exit this screen without saving your changes.

31.3.2 Configuring The ADP Profile Summary Screen
Select Configuration > Anti-X > ADP > Profile.
Figure 305 Configuration > Anti-X > ADP > Profile
The following table describes the fields in this screen.
Table 155 Anti-X > ADP > Profile
LABEL: DESCRIPTION
Add: Click this to create a new entry.
Edit: Select an entry and click this to be able to modify it.
Remove: Select an entry and click this to delete it.
#: This is the entry’s index number in the list.
Name: This is the name of the profile you created.
Base Profile: This is the base profile from which the profile was created.

31.3.3 Creating New ADP Profiles
You may want to create a new profile if not all rules in a base profile are applicable to your network. In this case you should disable non-applicable rules so as to improve ZyWALL ADP processing efficiency.
You may also find that certain rules are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As each network is different, false positives and false negatives are common on initial ADP deployment.
You could create a new ‘monitor profile’ that creates logs but all actions are disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you’re satisfied that they have been reduced to an acceptable level, you could then create an ‘inline profile’ whereby you configure appropriate actions to be taken when a packet matches a rule.
ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile (see Table 154 on page 517) and then click OK to go to the profile details screen. Type a new profile name, enable or disable individual rules and then edit the default log options and actions.

31.3.4 Traffic Anomaly Profiles
The traffic anomaly screen is the second screen in an ADP profile. Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
Figure 306 Profiles: Traffic Anomaly
The following table describes the fields in this screen.
Table 156 Configuration > ADP > Profile > Traffic Anomaly
LABEL: DESCRIPTION
Name: This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
  MyProfile
  mYProfile
  Mymy12_3-4
  These are invalid profile names:
  1mYProfile
  My Profile
  MyProfile?
  Whatalongprofilename123456789012
Scan/Flood Detection
Sensitivity: (Scan detection only.) Select a sensitivity level so as to reduce false positives in your network. If you choose low sensitivity, then scan thresholds and sample times are set low, so you will have fewer logs and false positives; however some traffic anomaly attacks may not be detected.
  If you choose high sensitivity, then scan thresholds and sample times are set high, so most traffic anomaly attacks will be detected; however you will have more logs and false positives.
Block Period: Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Log: To edit an item’s log option, select it and use the Log icon. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 46 on page 723 for more on logs.
Action: To edit what action the ZyWALL takes when a packet matches a rule, select the signature and use the Action icon.
  none: The ZyWALL takes no action when a packet matches the signature(s).
  block: The ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified.
#: This is the entry’s index number in the list.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
