Home » Symantec Manuals » Networking » Symantec 10521146 » Manual Viewer

Symantec 10521146 Administration Guide - Page 382

setting Limit Size for Archive Directory

UPC - 037648268134

Add to My Manuals
Save this manual to your list of manuals

Page 382 highlights

382 Index Oracle event table 328 exporting to 257 incident table 326 using tables 326 Other Saturation Alert Threshold setting sensor parameters 167 P Packet Counter Interval setting sensor parameters 170 PAD about 159 panel LCD 39 parameters about 63 about cluster 63 about clusters, nodes, and sensors 309 about node 63 about sensor 64 advanced 311 advanced sensor 169 basic sensor 162 configuring advanced 308 configuring sensors 161 configuring watchdog 293 Event Correlation 'Name' Weight 215 event source 139, 140 event target policy 136 event type 136 incident 213 Network Security console 311 operational logging level 248 response rules 136, 141 setting Bad Service Saturation Alert Threshold 166 setting Cluster ID 257 setting Compression Command 253 setting Compression On/Off Switch 252 setting Counter Number of Streak Packets 172 setting DB Connection String 258 setting DB Password 260 setting DB User 259 setting Destination Directory for SCP 266 setting Destination Host for SCP 265 setting Echo Operational Log to Syslog 262 setting EDP Port Number 284 setting email notification 143 parameters (cont.) setting Enable Flow Statistics Collection 163 setting Enable Full Packet Capture 163 setting Enable IPv4 Header Checksum Validation 168 setting Enable TCP Checksum Validation 169 setting Enable UDP Checksum Validation 169 setting Enable Watchdog Process 294 setting Event Correlation 'Destination IP' Weight 217 setting Event Correlation 'Destination Port' Weight 218 setting Event Correlation 'Source IP' Weight 216 setting Event Correlation 'Source Port' Weight 217 setting Event Delay Time 167 setting Event Destination Hashes 312 setting Event Message Hashes 312 setting Event Queue Length 313 setting Event Rate Throttle 314 setting Event Writer File 254 setting Flag for SCP Usage 265 setting FlowChaser Maximum Flows Per Device 220 setting FlowChaser Router Flow Collection Port 221 setting FlowChaser Router Flow Collection Threads 220 setting FlowChaser Sensor Threads 222 setting From Address 143 setting Hostname Used For Email Notifications 145 setting ICMP Saturation Alert Threshold 166 setting Incident Idle Time 213 setting Incident Unique IP Limit 215 setting IP Fragment Saturation Alert Threshold 166 setting JDBC Driver 258 setting Limit Size for Archive Directory 250 setting limit size for archive directory 250 setting Limit Size for Traffic Record Directory 251 setting Location of SCP Binary 267 setting Lock LCD Screen 59 setting Maximum Active Incident Life 214 setting Maximum Incidents 214 setting Maximum IPv4 Fragment Reassembly Table Elements 174

Section	Page
Symantec™ Network Security Administration Guide	1
Overview	13
Introduction	15
About the Symantec Network Security foundation	15
About the Symantec Network Security 7100 Series	15
About other Symantec Network Security features	17
Finding information	20
About 7100 Series appliance documentation	20
About Network Security software documentation	21
About the Web sites	22
About the Knowledge Base	22
About the Hardware Compatibility Reference	22
About the Product Updates site	22
About this guide	23
Architecture	25
About Symantec Network Security	25
About the core architecture	25
About detection	26
About protocol anomaly detection	27
About Symantec signatures	28
About user-defined signatures	28
Monitoring traffic rate	29
About DoS detection	29
About external EDP	29
About analysis	30
About refinement	30
About correlation	30
About cross-node correlation	31
About response	31
About protection policies	31
About response rules	31
About management and detection architecture	32
About the Network Security console	32
About role-based administration	33
About the node architecture	34
About the alert manager	35
About the sensor manager	35
About the administration service	35
About analysis	35
About the databases	35
About Event Stream Provider	36
About sensor processes	36
About Smart Agents	37
About FlowChaser	37
About the 7100 Series appliance node	37
About detection on the 7100 Series	38
About interface grouping	38
About response on the 7100 Series	38
About in-line monitoring mode	38
About blocking or alerting mode	38
About fail-open	39
About management on the 7100 Series	39
About the LCD panel	39
About the serial console	40
About the compact flash	40
Getting started	41
Getting started	41
General checklist	42
General software and appliance checklist	42
Preparing to set up Symantec Network Security	42
Setting up Symantec Network Security	42
Using Symantec Network Security	43
Additional appliance-specific checklist	43
Preparing the appliance	43
Setting up appliance features in Symantec Network Security	44
About the management interfaces	44
Using the Network Security console	44
Launching the Network Security console	45
Viewing the Network Security console	46
Adjusting the Devices view	46
Adjusting the Incidents view	47
Adjusting the Policies view	47
Viewing node status	47
Restarting via the Network Security console	47
Rebooting nodes via the Network Security console	48
Stopping Symantec Network Security via the command line	48
Restarting sensors via the Network Security console	49
Checking and applying licenses	49
Using the serial console	49
Restarting via the serial console	50
Rebooting nodes via the serial console	50
Stopping via the serial console	51
Shutting down via the serial console	51
Using the LCD panel	51
Unlocking the LCD panel	52
Restarting from the LCD panel	53
Rebooting nodes via the LCD panel	53
Stopping via the LCD panel	54
Shutting down via the LCD panel	54
Managing user access	54
Managing user login accounts	55
Adding user login accounts	55
Editing user login accounts	56
Deleting user login accounts	56
Managing user passphrases	57
Changing user passphrases	57
Changing passwords on the 7100 Series node	58
Changing the root password via the serial console	58
Changing the secadm password via the serial console	58
Controlling user access	59
Setting Maximum Login Failures	59
Setting Lock LCD Screen	59
Tracking user actions	60
Planning the deployment	60
Deploying single nodes	61
Deploying a single Network Security software node	61
Deploying a single 7100 Series appliance node	62
About interface grouping	62
About in-line mode	62
About fail-open	63
Configuring single-node parameters	63
Deploying node clusters	64
Deploying software and appliance nodes in a cluster	65
Monitoring groups within a cluster	66
Creating a monitoring group	66
Assigning a monitoring group	67
Renaming a monitoring group	67
Deleting a monitoring group	68
Choosing monitoring groups	68
Initial Configuration	69
Populating the topology database	71
About the network topology	71
About the Devices tab	72
Types of objects	72
Viewing object details	74
About topology mapping	74
Mapping the existing network	75
Gathering information	76
Managing the topology tree	78
Viewing auto-generated objects	79
Viewing node details	79
Viewing node status	79
Adding objects for the first time	80
Editing objects	81
Deleting objects	81
Reverting changes	82
Saving changes	82
Forcing nodes to synchronize	83
Backing up	83
Adding nodes and objects	83
About location objects	83
Adding or editing location objects	84
About nodes and interfaces	85
About Network Security software nodes	86
Adding or editing software nodes	86
Viewing advanced network options	88
About monitoring interfaces on software nodes	89
Adding or editing monitoring interface on software nodes	90
About the Networks tab	91
About 7100 Series appliance nodes	92
Adding or editing 7100 Series nodes	92
Viewing advanced network options	94
About 7100 Series interfaces	95
Editing monitoring interfaces on 7100 Series nodes	96
About the Networks tab	97
Adding or editing interface groups	98
Adding or editing in-line pairs	100
About router objects	101
Adding or editing router objects	102
About router interfaces	103
Adding or editing router interface objects	103
About Smart Agents	104
Adding or editing Smart Agent objects	105
About Smart Agent interfaces	106
Adding or editing Smart Agent interface objects	107
About managed network segments	108
Editing network segment objects	108
Protection policies	111
About protection policies	111
Responding to malicious or suspicious events	112
Understanding the protection policy work area	112
Using protection policies	113
Selecting pre-defined policies	114
Setting policies to interfaces	115
Applying to save changes	115
Overriding blocking rules globally	115
Undoing policy settings	116
Unapplying protection policies	116
Removing policies set to interfaces	116
Reverting policy applications	117
Adjusting the view of event types	117
Searching to create a subset of event types	117
Adjusting the view by columns	119
Viewing event type details	119
Defining new protection policies	120
Adding or editing user-defined protection policies	121
Cloning existing protection policies	121
Enabling or disabling logging rules	122
Enabling or disabling blocking rules	123
Deleting user-defined protection policies	125
Updating policies automatically	125
Annotating policies and events	126
Annotating an entire policy	126
Annotating an event type in a policy	127
Annotating an instance of an event	127
Backing up protection policies	128
Responding	129
About response rules	129
About automated responses	131
Managing response rules	132
Viewing response rules	132
Interpreting color coding	133
Adding new response rules	133
Editing response rules	134
Searching event types	134
Deleting response rules	135
Saving or reverting changes	135
Backing up response rules	135
Setting response parameters	136
Setting event targets	136
Setting event types	136
Setting severity levels	137
Setting the severity level	138
Setting confidence levels	139
Setting event sources	139
Setting response actions	140
Setting next actions	140
Setting response actions	141
Setting no response action	142
Setting email notification	142
Setting email notification response actions	142
Setting email notification parameters	143
Setting From Address	143
Setting Subject Line	144
Setting SMTP Server	144
Setting Hostname Used for Email Notifications	145
Setting SNMP notification	145
Setting SNMP notification response actions	145
Setting SNMP notification parameters	146
SNMP Manager	146
SNMP Community String	146
Setting TrackBack response action	147
Setting TrackBack response actions	147
Setting a custom response action	147
Table of response variables	148
Preventing logging of passwords in cleartext	149
Escaping the % directive	150
Setting a TCP reset response action	150
Setting traffic record response action	150
Setting a console response action	152
Enabling console response actions	152
Setting export flow response action	153
Managing flow alert rules	154
Viewing flow alert rules	155
Adding flow alert rules	155
Editing flow alert rules	156
Deleting flow alert rules	156
Providing an appropriate mask	157
Using the permit rule type	157
Detecting	159
About detection	159
Configuring sensor detection	160
Configuring sensor parameters	161
Restarting or stopping sensors	161
Basic sensor parameters	162
Data collection parameters	163
Enable Flow Statistics Collection	163
Enable Full Packet Capture	163
Threshold parameters	164
TCP Flood Alert Threshold	164
UDP Flood Alert Threshold	165
Slow Scan Alert Threshold	165
Saturation parameters	165
ICMP Saturation Alert Threshold	166
UDP Saturation Alert Threshold	166
IP Fragment Saturation Alert Threshold	166
Bad Service Saturation Alert Threshold	166
Other Saturation Alert Threshold	167
Miscellaneous parameters	167
Event Delay Time	167
Traffic Mode	168
Checksum validation parameters	168
Enable IPv4 Header Checksum Validation	168
Enable TCP Checksum Validation	169
Enable UDP Checksum Validation	169
Advanced sensor parameters	169
Interval and flow parameters	170
Packet Counter Interval	170
Streak Interval	171
TCP Minimum Flows	171
UDP Minimum Flows	171
TCP Number of Streak Packets	172
UDP Number of Streak Packets	172
Counter Number of Streak Packets	172
Miscellaneous parameters	172
Saturation Counter Lapse Time	173
Maximum Time to Streak Analysis	173
Slow Scan Maximum IP Addresses Limit	173
Table element parameters	173
Maximum IPv4 Fragment Reassembly Table Elements	174
TCP Maximum Flow Table Elements (Fast Ethernet)	174
TCP Maximum Flow Table Elements (Gigabit)	174
UDP Maximum Flow Table Elements (Fast Ethernet)	175
UDP Maximum Flow Table Elements (Gigabit)	175
Segment parameters	175
TCP Keepalive Timeout	175
TCP Flow Max Queued Segments	176
TCP Global Max Queued Segments (Fast Ethernet)	176
TCP Global Max Queued Segments (Gigabit)	176
TCP 2MSL Timeout	177
TCP Default Window Size	177
Configuring port mapping	177
Adding or editing port mappings	178
Delete port mappings	178
Configuring signature detection	179
About Symantec signatures	179
About user-defined signatures	180
Managing signatures	180
Viewing signatures	181
Adding or editing user-defined signatures	181
Deleting user-defined signatures	183
Importing user-defined signatures	183
Resolving signature compile errors	183
Managing signature variables	184
Adding new signature variables	184
Editing signatures variables	184
Deleting signatures variables	185
Resetting signatures variables	185
Applying signatures variables	185
Reverting signatures variables	186
Using Symantec Network Security	187
Monitoring	189
About incident and event data	189
Viewing incident and event data	190
Adjusting the view	191
Setting font size	192
Sorting column data	192
Examining incident and event data	192
Examining incident data	193
Viewing top-level incident data	193
Viewing incident details	193
Viewing an incident’s top event	195
Loading cross-node correlated events	196
Examining event data	196
Viewing top-level event data	197
Interpreting severity and confidence levels	197
Viewing event details	197
Viewing an event’s detailed description	199
About operational event notices	199
Managing incident and event data	201
Selecting columns	202
Selecting incident columns	202
Selecting event columns	203
Selecting view filters	205
Selecting incident filters	205
Selecting event filters	206
Marking and annotating	207
Marking incidents as read	207
Annotating incident data	208
Customizing annotation templates	208
Saving, copying, and printing data	209
Saving incident data	209
Copying and pasting incidents	209
Copying an incident’s top event	210
Copying event details	210
Printing incident data	211
Emailing incident or event data	211
Configuring email	211
Emailing incident data	212
Tuning incident parameters	213
Setting Incident Idle Time	213
Setting Maximum Incidents	214
Setting Maximum Active Incident Life	214
Setting Incident Unique IP Limit	215
Setting Event Correlation ‘Name’ Weight	215
Event Correlation ‘Source IP’ Weight	216
Event Correlation ‘Destination IP’ Weight	217
Event Correlation ‘Source Port’ Weight	217
Event Correlation ‘Destination Port’ Weight	218
Monitoring flow statistics	219
Enabling flow data collection	219
Configuring FlowChaser	220
Setting FlowChaser Maximum Flows Per Device	220
Setting FlowChaser Router Flow Collection Threads	220
Setting FlowChaser Router Flow Collection Port	221
Setting FlowChaser Sensor Threads	222
Reporting	223
About reports and queries	223
Scheduling reports	224
Adding or editing report schedules	224
Refreshing the list of reports	225
Deleting report schedules	226
Managing scheduled reports	226
Viewing saved reports	226
Exporting saved reports	227
Deleting saved reports	228
Reporting top-level and drill-down	228
About report formats	228
About report types	229
About incident/event reports	229
Printing and saving reports	230
About top-level report types	230
Reports of top events	231
Reports per incident schedule	232
Reports per event schedule	233
Reports by event characteristics	233
Reports per Network Security device	235
Drill-down-only reports	236
Querying flows	237
Viewing current flows	238
Viewing Flow Statistics	239
Viewing exported flows	239
Playing recorded traffic	240
Replaying recorded traffic flow data	241
Managing log files	243
About the log files	243
About the install log	243
About the operational log	244
Managing logs	244
Viewing log files	244
Viewing live log files	245
Archiving log files	246
Copying log files	246
Deleting log files	247
Refreshing the list of log files	247
Configuring automatic archiving	248
Setting automatic logging levels	248
Archiving log files	249
Setting Size to Trigger Rotation	249
Setting Limit Size for Archive Directory	250
Setting Limit Size for Traffic Record Directory	251
Compressing log files	252
Setting Compression On/Off Switch	252
Setting Compression Command	253
Exporting data	254
Exporting to file	254
Setting Event Writer File	254
Exporting to SESA	255
Integrating with SESA	255
Setting SESA Bridge Export	256
Exporting to SQL	257
Setting Cluster ID	257
Setting JDBC Driver	258
Setting DB Connection String	258
Setting DB User	259
Setting DB Password	260
Exporting to syslog	260
Setting Syslog Event Export	261
Setting Echo Operational Log to Syslog	262
Setting Remote Syslog Destination Host	262
Setting Remote Syslog Destination Port	263
Setting Syslog Maximum Message Size	264
Transferring via SCP	264
Setting Flag for SCP Usage	265
Setting Destination Host for SCP	265
Setting User Account for SCP	266
Setting Destination Directory for SCP	266
Setting Location of SCP Binary	267
Advanced configuration	269
About advanced setup	269
Updating Symantec Network Security	269
About LiveUpdate	270
Scanning for available updates	271
Applying updates	271
Setting the LiveUpdate server	272
Scheduling live updates	273
Adding or editing automatic updates	273
Deleting automatic update schedules	274
Reverting automatic update schedules	274
Backing up LiveUpdate configurations	274
Managing node clusters	275
Creating a new cluster	275
Building a cluster	275
Establishing a master node	276
Adding slave nodes to clusters	277
Deleting nodes from clusters	277
Managing an established cluster	278
Licensing nodes in a cluster	278
Synchronizing clustered nodes	278
Automatic synchronization	279
Reapplying policy assignments after setting cluster master	279
Forcing synchronization	279
Changing node numbers	280
Changing node passphrases	280
Restarting sensors in a cluster	281
Setting a cluster-wide parameter	281
Setting QSP Port Number	281
Backup up cluster-wide data	282
Integrating third-party events	282
Integrating via Smart Agents	283
Setting EDP Port Number	284
Integrating with Symantec Decoy Server	285
Integrating with Symantec Decoy Server	285
Launching from a known location	287
Establishing high availability failover	287
Monitoring node availability	287
Configuring availability for single nodes	288
Setting Watchdog Process Restart Only	289
Configuring availability for multiple nodes	289
Configuring a failover group	290
Removing nodes from a failover group	292
Viewing incidents during failover	292
Configuring watchdog processes	293
Setting Enable Watchdog Process	294
Setting Watchdog Process Stop Window	295
Setting Watchdog Process Maximum Resets	295
Setting Watchdog Process Restart Only	296
Setting Watchdog Process Email	297
Backing up and restoring	297
Backing up and restoring on the Network Security console	298

Match case Limit results 1 per page

382

Index

Oracle

event table

328

exporting to

257

incident table

326

using tables

326

Other Saturation Alert Threshold

setting sensor parameters

167

Packet Counter Interval

setting sensor parameters

170

PAD

about 159

panel

LCD 39

parameters

about 63

about cluster

about clusters, nodes, and sensors

309

about node

about sensor

advanced 311

advanced sensor

169

basic sensor

162

configuring advanced

308

configuring sensors

161

configuring watchdog

293

Event Correlation ±Name° Weight

215

event source

139, 140

event target policy

136

event type

136

incident 213

Network Security console

311

operational logging level

248

response rules

136, 141

setting Bad Service Saturation Alert

Threshold 166

setting Cluster ID

257

setting Compression Command

253

setting Compression On/Off Switch

252

setting Counter Number of Streak Packets

172

setting DB Connection String

258

setting DB Password

260

setting DB User

259

setting Destination Directory for SCP

266

setting Destination Host for SCP

265

setting Echo Operational Log to Syslog

262

setting EDP Port Number

284

setting email notification

143

parameters (cont.)

setting Enable Flow Statistics Collection

163

setting Enable Full Packet Capture

163

setting Enable IPv4 Header Checksum

Validation 168

setting Enable TCP Checksum Validation

169

setting Enable UDP Checksum Validation

169

setting Enable Watchdog Process

294

setting Event Correlation ±Destination IP°

Weight 217

setting Event Correlation ±Destination Port°

Weight 218

setting Event Correlation ±Source IP°

Weight 216

setting Event Correlation ±Source Port°

Weight 217

setting Event Delay Time

167

setting Event Destination Hashes

312

setting Event Message Hashes

312

setting Event Queue Length

313

setting Event Rate Throttle

314

setting Event Writer File

254

setting Flag for SCP Usage

265

setting FlowChaser Maximum Flows Per

Device 220

setting FlowChaser Router Flow Collection

Port 221

setting FlowChaser Router Flow Collection

Threads 220

setting FlowChaser Sensor Threads

222

setting From Address

143

setting Hostname Used For Email

Notifications 145

setting ICMP Saturation Alert Threshold

166

setting Incident Idle Time

213

setting Incident Unique IP Limit

215

setting IP Fragment Saturation Alert

Threshold 166

setting JDBC Driver

258

setting Limit Size for Archive Directory

250

setting limit size for archive directory

250

setting Limit Size for Traffic Record

Directory 251

setting Location of SCP Binary

267

setting Lock LCD Screen

setting Maximum Active Incident Life

214

setting Maximum Incidents

214

setting Maximum IPv4 Fragment Reassembly

Table Elements

174