Home » Symantec Manuals » Networking » Symantec 10521146 » Manual Viewer

Symantec 10521146 Administration Guide - Page 375

Enable IPv4 Header Checksum Validation, Echo Operational Log to Syslog

UPC - 037648268134

Add to My Manuals
Save this manual to your list of manuals

Page 375 highlights

Index 375 drill-down reports (cont.) events per hour 233 events per month 233 flows by destination address 236 flows by destination port 237 flows by protocol 237 flows by source address 236 flows by source port 237 incident details 236 incidents list 232 incidents per day 232 incidents per hour 232 incidents per month 232 source destinations 234 top events 231 top level 230 types 229 E Echo Operational Log to Syslog setting node parameters 262 editing flow alert rules 156 in-line pairs 100 interface groups 98 LiveUpdates 273 location objects 84 monitoring interfaces on appliance nodes 96 monitoring interfaces on software nodes 90 network segments 108 node numbers 280 node passphrases 280 objects in topology tree 81 port mappings 178 protection policies 121 report schedules 224 response rules 134 root password on serial consoles 58 secadm password 58 signature variables 184 Smart Agent interfaces 107 Smart Agents 105 software nodes 86 user passphrases 57 user-defined signatures 181 EDP about Event Dispatch Protocol 29 communicating with Smart Agents 106, 284 communication by proxy 284 EDP (cont.) detection architecture 29 Network Security node passphrase 284 setting passphrases 106 setting port numbers 284 EDP Port Number setting node parameters 284 email configuring incidents 211 format 237 incident data 212 initiation request failure 200 notification failure 201 notification messages 142 Enable Flow Statistics Collection setting sensor parameters 163 Enable Full Packet Capture setting sensor parameters 163 Enable IPv4 Header Checksum Validation setting sensor parameters 168 Enable TCP Checksum Validation setting sensor parameters 169 Enable UDP Checksum Validation setting sensor parameters 169 Enable Watchdog Process setting node parameters 294 enabling Symantec Decoy Server 285 EngineUpdates about 269 errors compiling signatures 183 email initiation request failure 200 email notification failure 201 iButton 199 SNMP alert failure 201 SNMP initiation request failure 201 truncated SNMP message 201 ESP about node architecture 36 ethernet deploying failover groups through 294 Event Correlation 'Destination IP' Weight setting node parameters 217 Event Correlation 'Destination Port' Weight setting node parameters 218 Event Correlation 'Name' Weight setting node parameters 215

Section	Page
Symantec™ Network Security Administration Guide	1
Overview	13
Introduction	15
About the Symantec Network Security foundation	15
About the Symantec Network Security 7100 Series	15
About other Symantec Network Security features	17
Finding information	20
About 7100 Series appliance documentation	20
About Network Security software documentation	21
About the Web sites	22
About the Knowledge Base	22
About the Hardware Compatibility Reference	22
About the Product Updates site	22
About this guide	23
Architecture	25
About Symantec Network Security	25
About the core architecture	25
About detection	26
About protocol anomaly detection	27
About Symantec signatures	28
About user-defined signatures	28
Monitoring traffic rate	29
About DoS detection	29
About external EDP	29
About analysis	30
About refinement	30
About correlation	30
About cross-node correlation	31
About response	31
About protection policies	31
About response rules	31
About management and detection architecture	32
About the Network Security console	32
About role-based administration	33
About the node architecture	34
About the alert manager	35
About the sensor manager	35
About the administration service	35
About analysis	35
About the databases	35
About Event Stream Provider	36
About sensor processes	36
About Smart Agents	37
About FlowChaser	37
About the 7100 Series appliance node	37
About detection on the 7100 Series	38
About interface grouping	38
About response on the 7100 Series	38
About in-line monitoring mode	38
About blocking or alerting mode	38
About fail-open	39
About management on the 7100 Series	39
About the LCD panel	39
About the serial console	40
About the compact flash	40
Getting started	41
Getting started	41
General checklist	42
General software and appliance checklist	42
Preparing to set up Symantec Network Security	42
Setting up Symantec Network Security	42
Using Symantec Network Security	43
Additional appliance-specific checklist	43
Preparing the appliance	43
Setting up appliance features in Symantec Network Security	44
About the management interfaces	44
Using the Network Security console	44
Launching the Network Security console	45
Viewing the Network Security console	46
Adjusting the Devices view	46
Adjusting the Incidents view	47
Adjusting the Policies view	47
Viewing node status	47
Restarting via the Network Security console	47
Rebooting nodes via the Network Security console	48
Stopping Symantec Network Security via the command line	48
Restarting sensors via the Network Security console	49
Checking and applying licenses	49
Using the serial console	49
Restarting via the serial console	50
Rebooting nodes via the serial console	50
Stopping via the serial console	51
Shutting down via the serial console	51
Using the LCD panel	51
Unlocking the LCD panel	52
Restarting from the LCD panel	53
Rebooting nodes via the LCD panel	53
Stopping via the LCD panel	54
Shutting down via the LCD panel	54
Managing user access	54
Managing user login accounts	55
Adding user login accounts	55
Editing user login accounts	56
Deleting user login accounts	56
Managing user passphrases	57
Changing user passphrases	57
Changing passwords on the 7100 Series node	58
Changing the root password via the serial console	58
Changing the secadm password via the serial console	58
Controlling user access	59
Setting Maximum Login Failures	59
Setting Lock LCD Screen	59
Tracking user actions	60
Planning the deployment	60
Deploying single nodes	61
Deploying a single Network Security software node	61
Deploying a single 7100 Series appliance node	62
About interface grouping	62
About in-line mode	62
About fail-open	63
Configuring single-node parameters	63
Deploying node clusters	64
Deploying software and appliance nodes in a cluster	65
Monitoring groups within a cluster	66
Creating a monitoring group	66
Assigning a monitoring group	67
Renaming a monitoring group	67
Deleting a monitoring group	68
Choosing monitoring groups	68
Initial Configuration	69
Populating the topology database	71
About the network topology	71
About the Devices tab	72
Types of objects	72
Viewing object details	74
About topology mapping	74
Mapping the existing network	75
Gathering information	76
Managing the topology tree	78
Viewing auto-generated objects	79
Viewing node details	79
Viewing node status	79
Adding objects for the first time	80
Editing objects	81
Deleting objects	81
Reverting changes	82
Saving changes	82
Forcing nodes to synchronize	83
Backing up	83
Adding nodes and objects	83
About location objects	83
Adding or editing location objects	84
About nodes and interfaces	85
About Network Security software nodes	86
Adding or editing software nodes	86
Viewing advanced network options	88
About monitoring interfaces on software nodes	89
Adding or editing monitoring interface on software nodes	90
About the Networks tab	91
About 7100 Series appliance nodes	92
Adding or editing 7100 Series nodes	92
Viewing advanced network options	94
About 7100 Series interfaces	95
Editing monitoring interfaces on 7100 Series nodes	96
About the Networks tab	97
Adding or editing interface groups	98
Adding or editing in-line pairs	100
About router objects	101
Adding or editing router objects	102
About router interfaces	103
Adding or editing router interface objects	103
About Smart Agents	104
Adding or editing Smart Agent objects	105
About Smart Agent interfaces	106
Adding or editing Smart Agent interface objects	107
About managed network segments	108
Editing network segment objects	108
Protection policies	111
About protection policies	111
Responding to malicious or suspicious events	112
Understanding the protection policy work area	112
Using protection policies	113
Selecting pre-defined policies	114
Setting policies to interfaces	115
Applying to save changes	115
Overriding blocking rules globally	115
Undoing policy settings	116
Unapplying protection policies	116
Removing policies set to interfaces	116
Reverting policy applications	117
Adjusting the view of event types	117
Searching to create a subset of event types	117
Adjusting the view by columns	119
Viewing event type details	119
Defining new protection policies	120
Adding or editing user-defined protection policies	121
Cloning existing protection policies	121
Enabling or disabling logging rules	122
Enabling or disabling blocking rules	123
Deleting user-defined protection policies	125
Updating policies automatically	125
Annotating policies and events	126
Annotating an entire policy	126
Annotating an event type in a policy	127
Annotating an instance of an event	127
Backing up protection policies	128
Responding	129
About response rules	129
About automated responses	131
Managing response rules	132
Viewing response rules	132
Interpreting color coding	133
Adding new response rules	133
Editing response rules	134
Searching event types	134
Deleting response rules	135
Saving or reverting changes	135
Backing up response rules	135
Setting response parameters	136
Setting event targets	136
Setting event types	136
Setting severity levels	137
Setting the severity level	138
Setting confidence levels	139
Setting event sources	139
Setting response actions	140
Setting next actions	140
Setting response actions	141
Setting no response action	142
Setting email notification	142
Setting email notification response actions	142
Setting email notification parameters	143
Setting From Address	143
Setting Subject Line	144
Setting SMTP Server	144
Setting Hostname Used for Email Notifications	145
Setting SNMP notification	145
Setting SNMP notification response actions	145
Setting SNMP notification parameters	146
SNMP Manager	146
SNMP Community String	146
Setting TrackBack response action	147
Setting TrackBack response actions	147
Setting a custom response action	147
Table of response variables	148
Preventing logging of passwords in cleartext	149
Escaping the % directive	150
Setting a TCP reset response action	150
Setting traffic record response action	150
Setting a console response action	152
Enabling console response actions	152
Setting export flow response action	153
Managing flow alert rules	154
Viewing flow alert rules	155
Adding flow alert rules	155
Editing flow alert rules	156
Deleting flow alert rules	156
Providing an appropriate mask	157
Using the permit rule type	157
Detecting	159
About detection	159
Configuring sensor detection	160
Configuring sensor parameters	161
Restarting or stopping sensors	161
Basic sensor parameters	162
Data collection parameters	163
Enable Flow Statistics Collection	163
Enable Full Packet Capture	163
Threshold parameters	164
TCP Flood Alert Threshold	164
UDP Flood Alert Threshold	165
Slow Scan Alert Threshold	165
Saturation parameters	165
ICMP Saturation Alert Threshold	166
UDP Saturation Alert Threshold	166
IP Fragment Saturation Alert Threshold	166
Bad Service Saturation Alert Threshold	166
Other Saturation Alert Threshold	167
Miscellaneous parameters	167
Event Delay Time	167
Traffic Mode	168
Checksum validation parameters	168
Enable IPv4 Header Checksum Validation	168
Enable TCP Checksum Validation	169
Enable UDP Checksum Validation	169
Advanced sensor parameters	169
Interval and flow parameters	170
Packet Counter Interval	170
Streak Interval	171
TCP Minimum Flows	171
UDP Minimum Flows	171
TCP Number of Streak Packets	172
UDP Number of Streak Packets	172
Counter Number of Streak Packets	172
Miscellaneous parameters	172
Saturation Counter Lapse Time	173
Maximum Time to Streak Analysis	173
Slow Scan Maximum IP Addresses Limit	173
Table element parameters	173
Maximum IPv4 Fragment Reassembly Table Elements	174
TCP Maximum Flow Table Elements (Fast Ethernet)	174
TCP Maximum Flow Table Elements (Gigabit)	174
UDP Maximum Flow Table Elements (Fast Ethernet)	175
UDP Maximum Flow Table Elements (Gigabit)	175
Segment parameters	175
TCP Keepalive Timeout	175
TCP Flow Max Queued Segments	176
TCP Global Max Queued Segments (Fast Ethernet)	176
TCP Global Max Queued Segments (Gigabit)	176
TCP 2MSL Timeout	177
TCP Default Window Size	177
Configuring port mapping	177
Adding or editing port mappings	178
Delete port mappings	178
Configuring signature detection	179
About Symantec signatures	179
About user-defined signatures	180
Managing signatures	180
Viewing signatures	181
Adding or editing user-defined signatures	181
Deleting user-defined signatures	183
Importing user-defined signatures	183
Resolving signature compile errors	183
Managing signature variables	184
Adding new signature variables	184
Editing signatures variables	184
Deleting signatures variables	185
Resetting signatures variables	185
Applying signatures variables	185
Reverting signatures variables	186
Using Symantec Network Security	187
Monitoring	189
About incident and event data	189
Viewing incident and event data	190
Adjusting the view	191
Setting font size	192
Sorting column data	192
Examining incident and event data	192
Examining incident data	193
Viewing top-level incident data	193
Viewing incident details	193
Viewing an incident’s top event	195
Loading cross-node correlated events	196
Examining event data	196
Viewing top-level event data	197
Interpreting severity and confidence levels	197
Viewing event details	197
Viewing an event’s detailed description	199
About operational event notices	199
Managing incident and event data	201
Selecting columns	202
Selecting incident columns	202
Selecting event columns	203
Selecting view filters	205
Selecting incident filters	205
Selecting event filters	206
Marking and annotating	207
Marking incidents as read	207
Annotating incident data	208
Customizing annotation templates	208
Saving, copying, and printing data	209
Saving incident data	209
Copying and pasting incidents	209
Copying an incident’s top event	210
Copying event details	210
Printing incident data	211
Emailing incident or event data	211
Configuring email	211
Emailing incident data	212
Tuning incident parameters	213
Setting Incident Idle Time	213
Setting Maximum Incidents	214
Setting Maximum Active Incident Life	214
Setting Incident Unique IP Limit	215
Setting Event Correlation ‘Name’ Weight	215
Event Correlation ‘Source IP’ Weight	216
Event Correlation ‘Destination IP’ Weight	217
Event Correlation ‘Source Port’ Weight	217
Event Correlation ‘Destination Port’ Weight	218
Monitoring flow statistics	219
Enabling flow data collection	219
Configuring FlowChaser	220
Setting FlowChaser Maximum Flows Per Device	220
Setting FlowChaser Router Flow Collection Threads	220
Setting FlowChaser Router Flow Collection Port	221
Setting FlowChaser Sensor Threads	222
Reporting	223
About reports and queries	223
Scheduling reports	224
Adding or editing report schedules	224
Refreshing the list of reports	225
Deleting report schedules	226
Managing scheduled reports	226
Viewing saved reports	226
Exporting saved reports	227
Deleting saved reports	228
Reporting top-level and drill-down	228
About report formats	228
About report types	229
About incident/event reports	229
Printing and saving reports	230
About top-level report types	230
Reports of top events	231
Reports per incident schedule	232
Reports per event schedule	233
Reports by event characteristics	233
Reports per Network Security device	235
Drill-down-only reports	236
Querying flows	237
Viewing current flows	238
Viewing Flow Statistics	239
Viewing exported flows	239
Playing recorded traffic	240
Replaying recorded traffic flow data	241
Managing log files	243
About the log files	243
About the install log	243
About the operational log	244
Managing logs	244
Viewing log files	244
Viewing live log files	245
Archiving log files	246
Copying log files	246
Deleting log files	247
Refreshing the list of log files	247
Configuring automatic archiving	248
Setting automatic logging levels	248
Archiving log files	249
Setting Size to Trigger Rotation	249
Setting Limit Size for Archive Directory	250
Setting Limit Size for Traffic Record Directory	251
Compressing log files	252
Setting Compression On/Off Switch	252
Setting Compression Command	253
Exporting data	254
Exporting to file	254
Setting Event Writer File	254
Exporting to SESA	255
Integrating with SESA	255
Setting SESA Bridge Export	256
Exporting to SQL	257
Setting Cluster ID	257
Setting JDBC Driver	258
Setting DB Connection String	258
Setting DB User	259
Setting DB Password	260
Exporting to syslog	260
Setting Syslog Event Export	261
Setting Echo Operational Log to Syslog	262
Setting Remote Syslog Destination Host	262
Setting Remote Syslog Destination Port	263
Setting Syslog Maximum Message Size	264
Transferring via SCP	264
Setting Flag for SCP Usage	265
Setting Destination Host for SCP	265
Setting User Account for SCP	266
Setting Destination Directory for SCP	266
Setting Location of SCP Binary	267
Advanced configuration	269
About advanced setup	269
Updating Symantec Network Security	269
About LiveUpdate	270
Scanning for available updates	271
Applying updates	271
Setting the LiveUpdate server	272
Scheduling live updates	273
Adding or editing automatic updates	273
Deleting automatic update schedules	274
Reverting automatic update schedules	274
Backing up LiveUpdate configurations	274
Managing node clusters	275
Creating a new cluster	275
Building a cluster	275
Establishing a master node	276
Adding slave nodes to clusters	277
Deleting nodes from clusters	277
Managing an established cluster	278
Licensing nodes in a cluster	278
Synchronizing clustered nodes	278
Automatic synchronization	279
Reapplying policy assignments after setting cluster master	279
Forcing synchronization	279
Changing node numbers	280
Changing node passphrases	280
Restarting sensors in a cluster	281
Setting a cluster-wide parameter	281
Setting QSP Port Number	281
Backup up cluster-wide data	282
Integrating third-party events	282
Integrating via Smart Agents	283
Setting EDP Port Number	284
Integrating with Symantec Decoy Server	285
Integrating with Symantec Decoy Server	285
Launching from a known location	287
Establishing high availability failover	287
Monitoring node availability	287
Configuring availability for single nodes	288
Setting Watchdog Process Restart Only	289
Configuring availability for multiple nodes	289
Configuring a failover group	290
Removing nodes from a failover group	292
Viewing incidents during failover	292
Configuring watchdog processes	293
Setting Enable Watchdog Process	294
Setting Watchdog Process Stop Window	295
Setting Watchdog Process Maximum Resets	295
Setting Watchdog Process Restart Only	296
Setting Watchdog Process Email	297
Backing up and restoring	297
Backing up and restoring on the Network Security console	298

Match case Limit results 1 per page

375

Index

drill-down reports (cont.)

events per hour

233

events per month

233

flows by destination address

236

flows by destination port

237

flows by protocol

237

flows by source address

236

flows by source port

237

incident details

236

incidents list

232

incidents per day

232

incidents per hour

232

incidents per month

232

source destinations

234

top events

231

top level

230

types 229

Echo Operational Log to Syslog

setting node parameters

262

editing

flow alert rules

156

in-line pairs

100

interface groups

LiveUpdates 273

location objects

monitoring interfaces on appliance nodes

monitoring interfaces on software nodes

network segments

108

node numbers

280

node passphrases

280

objects in topology tree

port mappings

178

protection policies

121

report schedules

224

response rules

134

root password on serial consoles

secadm password

signature variables

184

Smart Agent interfaces

107

Smart Agents

105

software nodes

user passphrases

user-defined signatures

181

EDP

about Event Dispatch Protocol

communicating with Smart Agents

106, 284

communication by proxy

284

EDP (cont.)

detection architecture

Network Security node passphrase

284

setting passphrases

106

setting port numbers

284

EDP Port Number

setting node parameters

284

configuring incidents

211

format 237

incident data

212

initiation request failure

200

notification failure

201

notification messages

142

Enable Flow Statistics Collection

setting sensor parameters

163

Enable Full Packet Capture

setting sensor parameters

163

Enable IPv4 Header Checksum Validation

setting sensor parameters

168

Enable TCP Checksum Validation

setting sensor parameters

169

Enable UDP Checksum Validation

setting sensor parameters

169

Enable Watchdog Process

setting node parameters

294

enabling

Symantec Decoy Server

285

EngineUpdates

about 269

errors

compiling signatures

183

email initiation request failure

200

email notification failure

201

iButton 199

SNMP alert failure

201

SNMP initiation request failure

201

truncated SNMP message

201

ESP

about node architecture

ethernet

deploying failover groups through

294

Event Correlation ±Destination IP° Weight

setting node parameters

217

Event Correlation ±Destination Port° Weight

setting node parameters

218

Event Correlation ±Name° Weight

setting node parameters

215