Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.5)
Index


Symbols

# (number sign) 11-24, 11-26

* (wildcard) 11-24, 11-26

A

accepting pending dynamic filter 10-17

Accept Thresholds screen

Threshold selection method parameter 9-10, 9-18

weight parameter 9-10, 9-18

Action parameter

flex-content filter 6-8

Policy Filter screen 8-4

user filter 6-17

Zone Policy Form and Zone Policy Parameter Form 8-12

activating

anomaly detection and zone protection 10-1, 10-4

dst-ip-by-ip Protect-IP state 5-11

dst-ip-by-name Protect-IP state 5-11

dynamic filter automatically 5-10

dynamic filter interactively 5-10

entire zone Protect-IP state 5-11

IP address protection 10-6

ondemand protection 10-5

policy-type Protect-IP state 5-11

threshold tuning with Detect or Protect 9-13

zone protection based on zone name 5-13

zone protection by Guard 5-13

zone protection by IP address 5-13

zone protection by packet 5-13

activation options for Guard 10-2

activation parameter

Activation extent 5-13

Activation interface 5-13

active dynamic filters 11-10

Add Bypass Filter screen 6-11

Add Dynamic Filter Form 10-11

adding

bypass filter 6-11

Detector or Guard to the MDM 3-3

Detector or Guard to zone device list 5-20

dynamic filter to Guard 10-11

flex-content filter 6-6

IP address and threshold to policy 8-14

IP address to zone 5-18

service to base zone 9-23

service to policy 7-9

service to zone 8-16

user filter 6-15

users and user groups 2-5

analyzing traffic flow through zone counters 11-13

anomaly detection and zone protection

activating 10-1, 10-4

managing 10-4

options 10-2

attack detection/termination parameters

Filter-rate-pph termination threshold 5-12

Filter-rate termination threshold 5-12

malicious-rate detection threshold 5-11

malicious-rate termination threshold 5-12

protection-end time 5-12

attack report

deleting 11-30

detected anomalies 11-23, 11-24

displaying current details 11-19

displaying details 11-19

displaying past details 11-19

dropped/bounced packets 11-22

exporting 11-29

general information 11-21

HTTP detected zombies 11-28

mitigated attack details 11-26

mitigated attacks 11-25

statistics 11-21

understanding report details 11-21

attack statistics table fields 11-21

attack summary 11-17

automatic learning, configuring 9-5

automatic learning and snapshot overview 9-4

automatic operation mode 10-3

Auto Packet Dump parameter 5-17

B

back-end service problem 12-2

backing up and restoring the MySQL database 2-15

backing up MDM server configuration information 2-15

base zone

adding or deleting service 9-23

copying policy parameters 9-24

Base Zone Policy Comparison screen parameter 9-22

Berkeley Packet filter 6-5

Burst parameter

user filter 6-17

zone general 5-11

bypass filter

adding 6-11

definition 6-2

deleting 6-13

displaying 6-12

match criteria parameters 6-11

Bypass Filter Form parameters

Dst Port 6-12

Fragments 6-12

Protocol 6-12

Source IP 6-11

Source subnet 6-11

Bypass Filters table fields 6-13

C

caution, symbol overview xiii

certificate, initiating exchange 3-9

changing

zone operation mode to automatic 10-18

zone operation mode to interactive 10-19

zone operation mode when dynamic filters exceed 1000 10-19

clearing

Guard global counters 11-6

zone counters 11-14

client, launching MDM 2-18

Compared Zone Policy Comparison screen parameter 9-22

comparing snapshot or policies in zones 9-21

Config Device screen

Description parameter 3-4

Enable parameter 3-4

Hostname parameter 3-3

IP Address parameter 3-3

Config Policy Template screen 7-6

Config screen 5-10

configuring

attack detection/termination parameter 5-11

automatic learning 9-5

bypass filter match criteria parameters 6-11

flex-content filter match criteria parameters 6-7

packet-dump parameters 5-17

server firewall 2-3

snapshot interval of learning process 9-17

snapshots of current learning process results 9-17

synchronization parameters 5-14

zone general attributes 5-10

Conflicts Resolution screen 4-2

consolidation, MDM 1-9

copying policy parameters to base zone 9-24

counters

clearing Guard global 11-6

displaying device-specific 11-14

displaying zone 11-11

Counters screen 11-4

creating

snapshot of policy 9-18

zone 5-3

zone from existing zone 5-8

zone from template 5-6

zone policies snapshot 8-9

D

database connection problem 12-2

DDoS

nonspoofed attacks 1-3

overview 1-3

spoofed attacks 1-3

zombies 1-3

Deactivate window

opening 9-14

Threshold selection method parameter 9-14

weight parameter 9-15

deactivating

Detect or Protect operations 10-7

threshold tuning, Detect, and Protect 9-14

delayed time synchronization 5-14

deleting

attack report 11-30

bypass filter 6-13

Detector or Guard from MDM device list 3-11

Detector or Guard from zone device list 5-21

dynamic filter 10-12

flex-content filter 6-10

IP address and threshold from policy 8-15

IP address from zone 5-19

service from base zone 9-23

service from policy 7-10

snapshot 9-21

user filter 6-18

zone 5-23

Description parameter

Config Device screen 3-4

flex-content filter 6-7

zone general screen 5-10

Detect and Protect, deactivating operations 10-7

detected anomalies 11-24

Detected Anomalies Details table fields 11-24

Detected Anomalies table fields 11-23

Detection Time

field 8-7

setting 8-13

Detector

adding to MDM device list 3-3

adding to zone device list 5-20

deleting from MDM device list 3-11

deleting from zone device list 5-21

disabling or enabling communication with MDM 3-11

managing remote guards defined with a zone detector 5-21

overview 1-4

preparing for operation with MDM 3-2

DETECTOR_WORM zone template 5-4

device

changing device for a zone policy 8-3, 8-10, 9-19

communication problem 12-4

Device List screen 3-5, 3-6

Device List table fields 3-5, 11-15

Device Resource table 3-7

disconnected problem 12-4

initialization problem 12-5

resource information, displaying 3-6

device recommendations

displaying 10-14

displaying dynamic filters 10-15

device resources

Device Resource table fields 3-7

Device Resources table 3-7

Devices and Master table fields 5-7

device suspended problem 12-4

disabling communication with Detector or Guard 3-11

displaying

bypass filter 6-12

current zone attack 11-19

device recommendations 10-14

device-specific counter information 11-14

drop statistics table 11-31

dynamic filters 10-9

flex-content filters 6-8

global Guard counters 11-4

HTTP zombies list 11-31

MDM device list 3-5

network event log 11-6

past zone attack 11-19

pending dynamic filters of recommendation 10-15

policy differences in zone configuration or snapshot 9-21

policy templates 7-5

snapshot 9-19

traffic counter and zone status information 10-7

user filter 6-17

zone attacks summary report 11-16

zone counters 11-11

zone event log 11-16

zone policies 8-2, 8-8

zone status 11-7, 11-8

dns_tcp policy template 7-2

dns_udp policy template 7-2

documentation, related xii

dropped/bounced packets 11-22

Dropped/Bounced table fields 11-22

Drop Statistics table fields 11-32

Dst Port Bypass Filter Form parameter 6-12

Dst Port Flex-Content filter parameter 6-7

Dst Port User filter parameter 6-16

dynamic filter

accepting pending 10-17

activating automatically 5-10

activating interactively 5-10

active 11-10

adding to Guard 10-11

definition 6-2

deleting 10-12

displaying 10-9

displaying pending dynamic filters of a recommendation 10-15

managing 10-8

managing recommendations 10-13

pending 10-13

preventing unwanted 10-13

Dynamic Filters Form fields 10-11

Dynamic filters screen 10-9

Dynamic Filter table fields 10-9

E

elements used in flex-content filter expression 6-3

Enable Config Device parameter 3-4

enabling

communication with Detector or Guard 3-11

MDM service 3-2

End Offset Flex-Content filter parameter 6-8

exchanging certificates and keys 3-9

excluding IP address from zone 5-18

exporting

attack report from Attack Summary screen 11-29

attack report from zone menu option 11-30

data files from the MDM server 2-14

Expression Flex-Content filter parameter 6-7

expression rules for flex-content filter 6-4

F

filter

bypass 6-2

dynamic 6-2

flex-content 6-2

user 6-2

Filter consolidation error

Bypass Filters table 6-13

Flex-Content Filters table 6-9

User Filters table 6-18

Filter-rate-pph termination threshold attack detection/termination parameter 5-12

Filter-rate termination threshold attack detection/termination parameter 5-12

flex-content filter

Action parameter 6-8

adding 6-6

definition 6-2

deleting 6-10

Description parameter 6-7

displaying 6-8

Dst Port parameter 6-7

elements 6-3

End Offset parameter 6-8

Expression parameter 6-7

expression rules 6-4

expression syntax 6-3

Match Case parameter 6-7

match criteria parameters 6-7

modifying 6-10

Pattern parameter 6-7

pattern syntax 6-5

Protocol parameter 6-7

qualifiers 6-3

special characters used in pattern 6-6

Start Offset parameter 6-7

State parameter 6-8

Flex-Content Filter Form 6-7

Flex-Content Filters table fields 6-9

Fragments Bypass Filter Form parameter 6-12

fragments policy template 7-2

Fragments User filter parameter 6-16

G

Global Current Counters/Rates table fields 11-5

Guard

activating dst-ip-by-ip Protect-IP state 5-11

activating dst-ip-by-name Protect-IP state 5-11

activating entire zone Protect-IP state 5-11

activating ondemand protection 10-5

activating policy-type Protect-IP state 5-11

activating zone protection 5-13

activation options 10-2

adding dynamic filter 10-11

adding to MDM device list 3-3

adding to zone device list 5-20

clearing global counters 11-6

deleting from MDM device list 3-11

deleting from zone device list 5-21

disabling or enabling communication with MDM 3-11

displaying global counters 11-4

managing remote guards defined with a zone detector 5-21

ondemand protection overview 10-2

overview 1-5

preparing for operation with MDM 3-2

remote Guard list, excluding during synchronization (Detector only) 4-7, 5-15

subzones created by 10-3

GUARD_DEFAULT zone template 5-4

GUARD_LINK zone template 5-5

GUARD_TCP_NO_PROXY zone template 5-5

GUARD_VOIP zone template 5-5

H

Hostname Config Device parameter 3-3

http_ns policy template 7-4

http policy template 7-2

HTTP zombie attack 11-28

HTTP zombies list, displaying 11-31

HTTP Zombies table fields 11-31

I

icons 2-23

immediate distribution 4-4

overview 1-8

Immediate synchronization parameter 5-14

initiating synchronization manually 4-7

installing MDM 2-2

interactive operation mode 10-3

interactive protection mode 10-3

ip_scan policy template 7-2

IP address

activating protection 10-6

adding to zone 5-18

Config Device screen parameter 3-3

deleting from zone 5-19

excluding from zone 5-18

list, specifying for zone 5-6

Protect IP screen parameter 10-6

specifying for zone 5-6

updating zone policies after modifying 5-19

IP mask Protect IP screen parameter 10-6

IP Threshold IP Entry Form parameter 8-15

L

launching MDM from the client 2-18

learning activation extent 9-3

Learning parameters for Zone Policy Form and Zone Policy Parameter Form 8-13

learning process

accepting the threshold tuning phase results 9-10

automatic snapshots of 9-17

device activation 9-3

overview 1-6

performing 9-7

phase 9-2

results of 9-3

snapshot, managing 9-16

snapshots of current results 9-17

starting policy construction phase 9-8

starting threshold tuning phase 9-9

stopping policy construction phase 9-9

stopping threshold tuning phase 9-11

learning process phase

policy construction 9-2

threshold tuning 9-2

learning traffic overview 9-5

M

malicious-rate detection threshold attack detection/termination parameter 5-11

malicious-rate termination threshold 10-8

attack detection/termination parameter 5-12

managing

anomaly detection and zone protection 10-4

Detector and Guard devices on the MDM network 3-1

device recommendations for dynamic filters 10-13

dynamic filter 10-8

learning process snapshot 9-16

network statistical and status information 1-9

time-differentiation with devices in network 3-10

zone configurations 1-7

marking zone policies tuned or untuned 9-15

Match Case Flex-Content filter parameter 6-7

match criteria parameters

bypass filter 6-11

flex-content filter 6-7

Max. disk space packet dump parameter 5-17

Max. rate zone general parameter 5-11

Max Services policy template parameter 7-8

MDM

backing up server configuration information 2-15

backing up the MySQL database 2-15

consolidation 1-9

disabling or enabling communication with Detector or Guard 3-11

enabling service 3-2

exporting data files 2-14

installing 2-2

managing network statistical and status information 1-9

managing zone configurations 1-7

network 1-1

overview 1-1, 1-6

permitting network access to a device 3-2

providing security 2-2

removing related information from the server 2-17

resolving database conflicts 4-2

tracking device-to-zone associations 1-6

uninstalling 2-16

MDM browser window

navigating 2-20

overview 2-18

zone icons 2-23

MDM device list

adding Detector or Guard 3-3

deleting Detector or Guard 3-11

displaying 3-5

MDM network, managing Detector and Guard devices 3-1

MDM service, enabling 3-2

MDM system requirements 2-1

Minimal difference Policy Comparison screen parameter 9-22

Min Threshold policy template parameter 7-7

mitigated attack details 11-26

Mitigated Attack Details table fields 11-26

mitigated attacks 11-25

Mitigated Attacks table fields 11-25

modifying

current zone automatic synchronization parameters 4-5

flex-content filter 6-10

policy 8-10

policy template 7-6

zone general configuration 5-10

MultiDevice 2-1

MySQL and user accounts, hardening 2-14

MySQL database, backing up and restoring 2-15

N

navigating the MDM browser window 2-20

network, MDM 1-1

network event log

displaying 11-6

severity levels 11-6

Network Summary table fields 11-4

nonspoofed attacks 1-3

note, symbol overview xiii

O

ondemand protection overview 10-2

Operation mode zone general parameter 5-10

other_protocols policy template 7-2

overview

automatic learning and snapshot 9-4

Detector 1-4

Guard 1-5

learning process device activation 9-3

learning traffic 9-5

MDM 1-1, 1-6

MDM browser window 2-18

ondemand protection by Guard 10-2

policy template 7-1

user filter 6-14

zone 1-5, 5-1

zone filters 6-1

P

packet dump parameter

Auto Packet Dump 5-17

Max. disk space 5-17

Pattern Flex-Content filter parameter 6-7

pattern syntax used by flex-content filter 6-5

Pending Dynamic Filters screen 10-16

Pending Dynamic filters table fields 10-16

Per Attack Summary table fields 11-17

performing

learning process 9-7

state preserving removal operation 2-16

permitting network access to a device from the MDM 3-2

pinging a Detector or Guard device 3-10

Policies, Policy Filter screen parameter 8-4

Policies screen 8-2

policy

adding IP address and threshold 8-14

adding service 7-9

comparing in two zone configurations 9-21

creating snapshot 9-18

deleting IP address and threshold 8-15

deleting service 7-10

displaying differences in zone configurations or snapshots 9-21

excluding during synchronization 4-7, 5-15

modifying 8-10

Policy, Policy Filter screen parameter 8-4

Policy Comparison screen

Base Zone parameter 9-22

Compare Zone parameter 9-22

Minimal difference parameter 9-22

opening 9-21

policy comparison table 9-23

policy construction phase

definition 9-2

starting 9-8

stopping 9-9

Policy Filter screen parameters

Action 8-4

Policies 8-4

Policy 8-4

Policy template 8-3

Protection level 8-4

Service 8-3

State 8-4

Type 8-4

policy parameter, copying to base zone 9-24

Policy table fields 8-4, 8-8

policy template

displaying 7-5

dns_tcp 7-2

dns_udp 7-2

fragments 7-2

http 7-2

http_ns 7-4

ip_scan 7-2

Max Services parameter 7-8

Min Threshold parameter 7-7

modifying 7-6

other_protocols 7-2

overview 7-1

port_scan 7-2

sip_udp 7-4

State parameter 7-7

tcp_connections 7-2

tcp_connections_ns 7-4

tcp_not_auth 7-2

tcp_outgoing_ns 7-4

tcp_ratio 7-2

tcp_services 7-3

tcp_services_ns 7-3

tcp-outgoing 7-2

types 7-2

udp_services 7-3

Policy template, Policy Filter screen parameter 8-3

Policy Template table fields 7-5

port_scan policy template 7-2

pph policies

Detection Time field 8-7

MDM software restrictions 8-4

reqs_pph 8-5, 8-13

syns_pph 8-5

preparing Detector and Guard devices 3-2

preventing unwanted dynamic filters 10-13

protection-end time attack detection/termination parameter 5-12

Protection level, Policy Filter screen parameter 8-4

Protect IP screen

IP address parameter 10-6

IP mask parameter 10-6

opening 10-6

Protect-IP state zone general parameter 5-11

Protocol parameter

Bypass Filter Form 6-12

flex-content filter 6-7

User filter 6-16

R

Rate User filter parameter 6-16

Real-Time Transport Protocol/Real-Time Control Protocol 5-5

Recommendations screen 10-14

Recommendations table fields 10-14

Remote Guards table, fields 5-22

removing

all MDM-related information from the server 2-17

old reports 2-16

reports, removing 2-16

reqs_pph 8-5

resolving

back-end service problem 12-2

database connection problem 12-2

device disconnected problem 12-4

device initialization problem 12-5

device suspended problem 12-4

MDM database conflicts 4-2

Tomcat server problem 12-3

S

screen

Add Bypass Filter 6-11

Config 5-10

Config Device 3-3

Config Policy Template 7-6

Conflicts Resolution 4-2

Counters 11-4

Device List 3-5, 3-6

Dynamic filters 10-9

Pending Dynamic Filters 10-16

Policies 8-2

Policy Comparison 9-21

Protect IP 10-6

Recommendations 10-14

Zombie List 11-31

Secure Copy Protocol, using to export data files 2-14

security

configuring server firewall 2-3

defining users and user groups 2-5

exporting data files 2-14

hardening MySQL and user accounts 2-14

using TACACS+ 2-5

selecting zones to perform the learning process 9-5

service

adding to base zone 9-23

adding to policy 7-9

deleting from base zone 9-23

deleting from policy 7-10

restart problem 12-1

Service, Policy Filter screen parameter 8-3

Session Initiation Protocol (SIP) 5-5

severity levels for network event log 11-6

severity levels for zone event log 11-16

sip_udp policy template 7-4

SIP User filter action 6-15

snapshot

comparing 9-21

current learning process results 9-17

deleting 9-21

displaying 9-19

displaying policy differences 9-21

regular intervals of learning process 9-17

viewing, modifying, or saving to the zone configuration 9-19

zone configuration policies 9-18

Snapshot List table fields 9-20

Source IP parameter

Bypass Filter Form 6-11

User filter 6-16

Source subnet parameter

Bypass Filter Form 6-11

User filter 6-16

spoofed attacks 1-3

Spoofed Statistics table fields 11-34

SSH File Transfer Protocol, using to export data files 2-14

starting

policy construction phase