Chapter 31 ADP
ZyWALL USG 50 User’s Guide
521
Table 156 Configuration > ADP > Profile > Traffic Anomaly (continued)
LABEL DESCRIPTION
Name: This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name.
Log: These are the log options. To edit this, select an item and use the Log icon.
Action: This is the action the ZyWALL should take when a packet matches a rule. To edit this, select an item and use the Action icon.
Threshold: For flood detection you can set the number of detected flood packets per second that causes the ZyWALL to take the configured action.
OK: Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel: Click Cancel to return to the profile summary page without saving any changes.
Save: Click Save to save the configuration to the ZyWALL but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.

31.3.5 Protocol Anomaly Profiles
Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments). Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder, and ICMP Decoder, where each category reflects the packet type inspected. Protocol anomaly rules may be updated when you upload new firmware.

31.3.6 Protocol Anomaly Configuration
In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon, or click the Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.
Figure 307 Profiles: Protocol Anomaly
The following table describes the fields in this screen.
Table 157 Configuration > ADP > Profile > Protocol Anomaly
LABEL DESCRIPTION
Name: This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
HTTP Inspection/TCP Decoder/UDP Decoder/ICMP Decoder
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Log: To edit an item’s log option, select it and use the Log icon. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 46 on page 723 for more on logs.
Action: To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon.
original setting: Select this action to return each signature in a service group to its previously saved configuration.
none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches a rule.
drop: Select this action on an individual signature or a complete service group to have the ZyWALL silently drop a packet that matches a rule. Neither sender nor receiver is notified.
reject-sender: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet.
reject-receiver: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the receiver when a packet matches the rule. If it is a TCP attack packet, the ZyWALL will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the ZyWALL will do nothing.
reject-both: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and receiver when a packet matches the rule. If it is a TCP attack packet, the ZyWALL will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet.
#: This is the entry’s index number in the list.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This is the name of the protocol anomaly rule. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly rule name.
Activation: Click the icon to enable or disable a rule or group of rules.
Log: These are the log options. To edit this, select an item and use the Log icon.
Action: This is the action the ZyWALL should take when a packet matches a rule. To edit this, select an item and use the Action icon.
Log: Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 46 on page 723 for more on logs.
Action: Select what the ZyWALL should do when a packet matches a rule.
none: The ZyWALL takes no action when a packet matches the signature(s).
block: The ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified.
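The profile naming rule from Table 157 (1-31 characters, letters, digits, underscore or dash, no leading digit, case-sensitive, unique), implemented as a validator. This is an added example in Python, not ZyWALL code. It assumes that a leading underscore or dash is acceptable, since the guide only rules out a leading digit, and it checks uniqueness as a case-sensitive comparison against the names already in use, which is why MyProfile and mYProfile both pass.

```python
import re

# Character rule as stated in the guide: 1-31 characters drawn from letters,
# digits, underscore and dash, with a non-digit first character.
# Assumption (the guide is silent on it): a leading "_" or "-" is allowed.
_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")


def validate_profile_name(name, existing=()):
    """Return (ok, reason) for a candidate profile name.

    `existing` holds the names already configured; the comparison is
    case-sensitive, as the guide says the value itself is.
    """
    if not name:
        return False, "empty name"
    if len(name) > 31:
        return False, "longer than 31 characters (%d)" % len(name)
    if name[0].isdigit():
        return False, "first character is a digit"
    if not _NAME_RE.fullmatch(name):
        bad = sorted({c for c in name if not re.fullmatch(r"[A-Za-z0-9_-]", c)})
        return False, "invalid characters: %r" % bad
    if name in existing:
        return False, "duplicate name"
    return True, "ok"


def check_examples():
    """Run the guide's own valid and invalid examples in order, adding each
    accepted name to the in-use set. Returns {name: accepted}."""
    existing = set()
    results = {}
    for name in ["MyProfile", "mYProfile", "Mymy12_3-4",
                 "1mYProfile", "My Profile", "MyProfile?",
                 "Whatalongprofilename123456789012"]:
        ok, reason = validate_profile_name(name, existing)
        results[name] = ok
        if ok:
            existing.add(name)
        print("%-34s %s" % (name, reason))
    return results


if __name__ == "__main__":
    check_examples()
```

The checks are ordered so the reason reported is the most specific one: length and leading digit are tested before the character class, and the duplicate check runs last so a malformed name is never reported merely as a duplicate.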
31.4 ADP Technical Reference
This section is divided into traffic anomaly background information and protocol anomaly background information.

Traffic Anomaly Background Information
The following sections may help you configure the traffic anomaly profile screen (Section 31.3.4 on page 518).

Port Scanning
An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap.
Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types:
TCP Portscan
UDP Portscan
IP Portscan
An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router.
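The Threshold field of Table 156 (flood packets per second) and the port scan types described above, as an added example of the detection logic in Python; it is not ZyWALL's own code. The rule names, thresholds, window length and the sample capture are constructed for this example, while the action and log values are the ones listed in Table 157. It goes slightly beyond the text by running three checks in one pass: a sliding one-second packet counter for the flood threshold, distinct TCP destination ports for a TCP port scan, and distinct IP protocol numbers for an IP port scan, and it reads "reaches the threshold" as greater than or equal.

```python
from collections import defaultdict, deque

# Rule table modelled on the guide's fields: a log option (log / log alert / no),
# an action (none / drop / reject-sender / reject-receiver / reject-both) and a
# threshold. The values are constructed for this example, not ZyWALL defaults.
RULES = {
    "tcp-flood":    {"log": "log alert", "action": "drop",          "threshold": 100},
    "tcp-portscan": {"log": "log",       "action": "reject-sender", "threshold": 10},
    "ip-portscan":  {"log": "log",       "action": "none",          "threshold": 5},
}
WINDOW = 1.0  # seconds; the guide expresses the flood threshold per second

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers


def detect(packets, rules=RULES, window=WINDOW):
    """packets: iterable of (ts, src, dst, proto, dport); proto is the IP
    protocol number and dport is None for anything that is not TCP/UDP.

    Returns {(rule, src, dst): (action, log)} for every pair that tripped a
    rule. Flood: TCP packets from src to dst in any sliding one-second window
    reach the threshold. TCP port scan: distinct TCP destination ports over
    the sample reach the threshold. IP port scan: distinct IP protocol numbers
    over the sample reach the threshold.
    """
    recent = defaultdict(deque)  # (src, dst) -> timestamps of recent TCP packets
    ports = defaultdict(set)     # (src, dst) -> TCP destination ports seen
    protos = defaultdict(set)    # (src, dst) -> IP protocol numbers seen
    hits = {}

    def trip(rule, src, dst):
        r = rules[rule]
        hits.setdefault((rule, src, dst), (r["action"], r["log"]))

    for ts, src, dst, proto, dport in sorted(packets, key=lambda p: p[0]):
        key = (src, dst)
        protos[key].add(proto)
        if len(protos[key]) >= rules["ip-portscan"]["threshold"]:
            trip("ip-portscan", src, dst)
        if proto != TCP:
            continue
        ports[key].add(dport)
        if len(ports[key]) >= rules["tcp-portscan"]["threshold"]:
            trip("tcp-portscan", src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the one-second window forward
            q.popleft()
        if len(q) >= rules["tcp-flood"]["threshold"]:
            trip("tcp-flood", src, dst)
    return hits


def sample_traffic():
    """Constructed capture: a TCP port scanner, a SYN flooder, an IP-protocol
    scanner and one benign client, all sending to 10.0.0.20."""
    pkts = []
    # port scanner: one TCP packet to each of 16 ports over about 1.6 s
    pkts += [(0.1 * i, "10.0.0.5", "10.0.0.20", TCP, 20 + i) for i in range(16)]
    # flooder: 150 TCP packets to port 80 within half a second
    pkts += [(5.0 + i / 300, "10.0.0.7", "10.0.0.20", TCP, 80) for i in range(150)]
    # IP-protocol scanner: ICMP, TCP, UDP, EGP (8), IGP (9), GRE (47), one per second
    pkts += [(10.0 + i, "10.0.0.11", "10.0.0.20", p, 80 if p == TCP else None)
             for i, p in enumerate([ICMP, TCP, UDP, 8, 9, 47])]
    # benign client: a few requests to ports 80 and 443 over several seconds
    pkts += [(20.0 + i, "10.0.0.9", "10.0.0.20", TCP, 80 if i % 2 else 443)
             for i in range(5)]
    return pkts


if __name__ == "__main__":
    for (rule, src, dst), (action, log) in sorted(detect(sample_traffic()).items()):
        print("%-13s %s -> %s: action=%s log=%s" % (rule, src, dst, action, log))
```

Running it reports the flooder under tcp-flood, the port scanner under tcp-portscan and the protocol scanner under ip-portscan, while the benign client (two ports, five packets spread over five seconds) trips nothing. The flood counter only ever holds one second of timestamps per pair, so memory stays bounded however long the capture runs.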
Table 157 Configuration > ADP > Profile > Protocol Anomaly (continued)
LABEL DESCRIPTION
OK: Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel: Click Cancel to return to the profile summary page without saving any changes.
Save: Click Save to save the configuration to the ZyWALL but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
