Home » Symantec Manuals » Networking » Symantec 10521146 » Manual Viewer

Symantec 10521146 Administration Guide - Page 385

Remote Syslog Destination Port

UPC - 037648268134

Add to My Manuals
Save this manual to your list of manuals

Page 385 highlights

Index 385 Q QSP query service proxy. See QSP secure communication 35 setting port number for cluster 281 QSP Port Number setting cluster parameter 281 queries about 223 event type list 134 replaying traffic flow data 241 traffic playback tool 240 viewing current flows 238 viewing exported flows 239 R read-only RestrictedUser partial permissions 320 StandardUser permissions 320 user login permissions 321 read-only See passphrases read-write Administrator partial permissions 320 SuperUser permissions 320 user login permissions 321 read-write See passphrases rebooting nodes from the LCD panel 53 nodes from the Network Security console 48 nodes from the serial console 50 redundancy watchdog process 289 refinement about 30 detection rules method 160 SecurityUpdates 270 Remote Syslog Destination Host setting node parameters 262 Remote Syslog Destination Port setting node parameters 263 renaming monitoring groups 67 reports about 223 about top-level and drill-down 228 adding or editing schedules 224 by event characteristics 233 deleting saved 228 reports (cont.) deleting schedules 226 drill-down 236 exporting saved 227 format 228 managing scheduled 226 per event schedule 233 per incident schedule 232 per Network Security device 235 printing 230 querying flows 237 refreshing list 225 replaying traffic flow 241 saving 230 scheduling 224 top events 231 top level 230 traffic playback 240 type 229 viewing current flows 238 viewing exported flows 239 viewing Flow Statistics 239 viewing saved 226 resetting signature variables 185 response actions command variables 148 enabling console 152 response rules 140 setting email notification parameters 143 TCP reset 150 using percent sign as argument 150 response rules 136 about automated 31 adding 133 color coding 133 configuring console response 152 custom response 147 database backup 135 editing 134 enabling SNMP notifications 145, 146 event source parameters 139, 140 event target parameter 136 event type parameters 136 export flow action 153 inserting 133 managing 132 next action parameter 140 none option 142

Section	Page
Symantec™ Network Security Administration Guide	1
Overview	13
Introduction	15
About the Symantec Network Security foundation	15
About the Symantec Network Security 7100 Series	15
About other Symantec Network Security features	17
Finding information	20
About 7100 Series appliance documentation	20
About Network Security software documentation	21
About the Web sites	22
About the Knowledge Base	22
About the Hardware Compatibility Reference	22
About the Product Updates site	22
About this guide	23
Architecture	25
About Symantec Network Security	25
About the core architecture	25
About detection	26
About protocol anomaly detection	27
About Symantec signatures	28
About user-defined signatures	28
Monitoring traffic rate	29
About DoS detection	29
About external EDP	29
About analysis	30
About refinement	30
About correlation	30
About cross-node correlation	31
About response	31
About protection policies	31
About response rules	31
About management and detection architecture	32
About the Network Security console	32
About role-based administration	33
About the node architecture	34
About the alert manager	35
About the sensor manager	35
About the administration service	35
About analysis	35
About the databases	35
About Event Stream Provider	36
About sensor processes	36
About Smart Agents	37
About FlowChaser	37
About the 7100 Series appliance node	37
About detection on the 7100 Series	38
About interface grouping	38
About response on the 7100 Series	38
About in-line monitoring mode	38
About blocking or alerting mode	38
About fail-open	39
About management on the 7100 Series	39
About the LCD panel	39
About the serial console	40
About the compact flash	40
Getting started	41
Getting started	41
General checklist	42
General software and appliance checklist	42
Preparing to set up Symantec Network Security	42
Setting up Symantec Network Security	42
Using Symantec Network Security	43
Additional appliance-specific checklist	43
Preparing the appliance	43
Setting up appliance features in Symantec Network Security	44
About the management interfaces	44
Using the Network Security console	44
Launching the Network Security console	45
Viewing the Network Security console	46
Adjusting the Devices view	46
Adjusting the Incidents view	47
Adjusting the Policies view	47
Viewing node status	47
Restarting via the Network Security console	47
Rebooting nodes via the Network Security console	48
Stopping Symantec Network Security via the command line	48
Restarting sensors via the Network Security console	49
Checking and applying licenses	49
Using the serial console	49
Restarting via the serial console	50
Rebooting nodes via the serial console	50
Stopping via the serial console	51
Shutting down via the serial console	51
Using the LCD panel	51
Unlocking the LCD panel	52
Restarting from the LCD panel	53
Rebooting nodes via the LCD panel	53
Stopping via the LCD panel	54
Shutting down via the LCD panel	54
Managing user access	54
Managing user login accounts	55
Adding user login accounts	55
Editing user login accounts	56
Deleting user login accounts	56
Managing user passphrases	57
Changing user passphrases	57
Changing passwords on the 7100 Series node	58
Changing the root password via the serial console	58
Changing the secadm password via the serial console	58
Controlling user access	59
Setting Maximum Login Failures	59
Setting Lock LCD Screen	59
Tracking user actions	60
Planning the deployment	60
Deploying single nodes	61
Deploying a single Network Security software node	61
Deploying a single 7100 Series appliance node	62
About interface grouping	62
About in-line mode	62
About fail-open	63
Configuring single-node parameters	63
Deploying node clusters	64
Deploying software and appliance nodes in a cluster	65
Monitoring groups within a cluster	66
Creating a monitoring group	66
Assigning a monitoring group	67
Renaming a monitoring group	67
Deleting a monitoring group	68
Choosing monitoring groups	68
Initial Configuration	69
Populating the topology database	71
About the network topology	71
About the Devices tab	72
Types of objects	72
Viewing object details	74
About topology mapping	74
Mapping the existing network	75
Gathering information	76
Managing the topology tree	78
Viewing auto-generated objects	79
Viewing node details	79
Viewing node status	79
Adding objects for the first time	80
Editing objects	81
Deleting objects	81
Reverting changes	82
Saving changes	82
Forcing nodes to synchronize	83
Backing up	83
Adding nodes and objects	83
About location objects	83
Adding or editing location objects	84
About nodes and interfaces	85
About Network Security software nodes	86
Adding or editing software nodes	86
Viewing advanced network options	88
About monitoring interfaces on software nodes	89
Adding or editing monitoring interface on software nodes	90
About the Networks tab	91
About 7100 Series appliance nodes	92
Adding or editing 7100 Series nodes	92
Viewing advanced network options	94
About 7100 Series interfaces	95
Editing monitoring interfaces on 7100 Series nodes	96
About the Networks tab	97
Adding or editing interface groups	98
Adding or editing in-line pairs	100
About router objects	101
Adding or editing router objects	102
About router interfaces	103
Adding or editing router interface objects	103
About Smart Agents	104
Adding or editing Smart Agent objects	105
About Smart Agent interfaces	106
Adding or editing Smart Agent interface objects	107
About managed network segments	108
Editing network segment objects	108
Protection policies	111
About protection policies	111
Responding to malicious or suspicious events	112
Understanding the protection policy work area	112
Using protection policies	113
Selecting pre-defined policies	114
Setting policies to interfaces	115
Applying to save changes	115
Overriding blocking rules globally	115
Undoing policy settings	116
Unapplying protection policies	116
Removing policies set to interfaces	116
Reverting policy applications	117
Adjusting the view of event types	117
Searching to create a subset of event types	117
Adjusting the view by columns	119
Viewing event type details	119
Defining new protection policies	120
Adding or editing user-defined protection policies	121
Cloning existing protection policies	121
Enabling or disabling logging rules	122
Enabling or disabling blocking rules	123
Deleting user-defined protection policies	125
Updating policies automatically	125
Annotating policies and events	126
Annotating an entire policy	126
Annotating an event type in a policy	127
Annotating an instance of an event	127
Backing up protection policies	128
Responding	129
About response rules	129
About automated responses	131
Managing response rules	132
Viewing response rules	132
Interpreting color coding	133
Adding new response rules	133
Editing response rules	134
Searching event types	134
Deleting response rules	135
Saving or reverting changes	135
Backing up response rules	135
Setting response parameters	136
Setting event targets	136
Setting event types	136
Setting severity levels	137
Setting the severity level	138
Setting confidence levels	139
Setting event sources	139
Setting response actions	140
Setting next actions	140
Setting response actions	141
Setting no response action	142
Setting email notification	142
Setting email notification response actions	142
Setting email notification parameters	143
Setting From Address	143
Setting Subject Line	144
Setting SMTP Server	144
Setting Hostname Used for Email Notifications	145
Setting SNMP notification	145
Setting SNMP notification response actions	145
Setting SNMP notification parameters	146
SNMP Manager	146
SNMP Community String	146
Setting TrackBack response action	147
Setting TrackBack response actions	147
Setting a custom response action	147
Table of response variables	148
Preventing logging of passwords in cleartext	149
Escaping the % directive	150
Setting a TCP reset response action	150
Setting traffic record response action	150
Setting a console response action	152
Enabling console response actions	152
Setting export flow response action	153
Managing flow alert rules	154
Viewing flow alert rules	155
Adding flow alert rules	155
Editing flow alert rules	156
Deleting flow alert rules	156
Providing an appropriate mask	157
Using the permit rule type	157
Detecting	159
About detection	159
Configuring sensor detection	160
Configuring sensor parameters	161
Restarting or stopping sensors	161
Basic sensor parameters	162
Data collection parameters	163
Enable Flow Statistics Collection	163
Enable Full Packet Capture	163
Threshold parameters	164
TCP Flood Alert Threshold	164
UDP Flood Alert Threshold	165
Slow Scan Alert Threshold	165
Saturation parameters	165
ICMP Saturation Alert Threshold	166
UDP Saturation Alert Threshold	166
IP Fragment Saturation Alert Threshold	166
Bad Service Saturation Alert Threshold	166
Other Saturation Alert Threshold	167
Miscellaneous parameters	167
Event Delay Time	167
Traffic Mode	168
Checksum validation parameters	168
Enable IPv4 Header Checksum Validation	168
Enable TCP Checksum Validation	169
Enable UDP Checksum Validation	169
Advanced sensor parameters	169
Interval and flow parameters	170
Packet Counter Interval	170
Streak Interval	171
TCP Minimum Flows	171
UDP Minimum Flows	171
TCP Number of Streak Packets	172
UDP Number of Streak Packets	172
Counter Number of Streak Packets	172
Miscellaneous parameters	172
Saturation Counter Lapse Time	173
Maximum Time to Streak Analysis	173
Slow Scan Maximum IP Addresses Limit	173
Table element parameters	173
Maximum IPv4 Fragment Reassembly Table Elements	174
TCP Maximum Flow Table Elements (Fast Ethernet)	174
TCP Maximum Flow Table Elements (Gigabit)	174
UDP Maximum Flow Table Elements (Fast Ethernet)	175
UDP Maximum Flow Table Elements (Gigabit)	175
Segment parameters	175
TCP Keepalive Timeout	175
TCP Flow Max Queued Segments	176
TCP Global Max Queued Segments (Fast Ethernet)	176
TCP Global Max Queued Segments (Gigabit)	176
TCP 2MSL Timeout	177
TCP Default Window Size	177
Configuring port mapping	177
Adding or editing port mappings	178
Delete port mappings	178
Configuring signature detection	179
About Symantec signatures	179
About user-defined signatures	180
Managing signatures	180
Viewing signatures	181
Adding or editing user-defined signatures	181
Deleting user-defined signatures	183
Importing user-defined signatures	183
Resolving signature compile errors	183
Managing signature variables	184
Adding new signature variables	184
Editing signatures variables	184
Deleting signatures variables	185
Resetting signatures variables	185
Applying signatures variables	185
Reverting signatures variables	186
Using Symantec Network Security	187
Monitoring	189
About incident and event data	189
Viewing incident and event data	190
Adjusting the view	191
Setting font size	192
Sorting column data	192
Examining incident and event data	192
Examining incident data	193
Viewing top-level incident data	193
Viewing incident details	193
Viewing an incident’s top event	195
Loading cross-node correlated events	196
Examining event data	196
Viewing top-level event data	197
Interpreting severity and confidence levels	197
Viewing event details	197
Viewing an event’s detailed description	199
About operational event notices	199
Managing incident and event data	201
Selecting columns	202
Selecting incident columns	202
Selecting event columns	203
Selecting view filters	205
Selecting incident filters	205
Selecting event filters	206
Marking and annotating	207
Marking incidents as read	207
Annotating incident data	208
Customizing annotation templates	208
Saving, copying, and printing data	209
Saving incident data	209
Copying and pasting incidents	209
Copying an incident’s top event	210
Copying event details	210
Printing incident data	211
Emailing incident or event data	211
Configuring email	211
Emailing incident data	212
Tuning incident parameters	213
Setting Incident Idle Time	213
Setting Maximum Incidents	214
Setting Maximum Active Incident Life	214
Setting Incident Unique IP Limit	215
Setting Event Correlation ‘Name’ Weight	215
Event Correlation ‘Source IP’ Weight	216
Event Correlation ‘Destination IP’ Weight	217
Event Correlation ‘Source Port’ Weight	217
Event Correlation ‘Destination Port’ Weight	218
Monitoring flow statistics	219
Enabling flow data collection	219
Configuring FlowChaser	220
Setting FlowChaser Maximum Flows Per Device	220
Setting FlowChaser Router Flow Collection Threads	220
Setting FlowChaser Router Flow Collection Port	221
Setting FlowChaser Sensor Threads	222
Reporting	223
About reports and queries	223
Scheduling reports	224
Adding or editing report schedules	224
Refreshing the list of reports	225
Deleting report schedules	226
Managing scheduled reports	226
Viewing saved reports	226
Exporting saved reports	227
Deleting saved reports	228
Reporting top-level and drill-down	228
About report formats	228
About report types	229
About incident/event reports	229
Printing and saving reports	230
About top-level report types	230
Reports of top events	231
Reports per incident schedule	232
Reports per event schedule	233
Reports by event characteristics	233
Reports per Network Security device	235
Drill-down-only reports	236
Querying flows	237
Viewing current flows	238
Viewing Flow Statistics	239
Viewing exported flows	239
Playing recorded traffic	240
Replaying recorded traffic flow data	241
Managing log files	243
About the log files	243
About the install log	243
About the operational log	244
Managing logs	244
Viewing log files	244
Viewing live log files	245
Archiving log files	246
Copying log files	246
Deleting log files	247
Refreshing the list of log files	247
Configuring automatic archiving	248
Setting automatic logging levels	248
Archiving log files	249
Setting Size to Trigger Rotation	249
Setting Limit Size for Archive Directory	250
Setting Limit Size for Traffic Record Directory	251
Compressing log files	252
Setting Compression On/Off Switch	252
Setting Compression Command	253
Exporting data	254
Exporting to file	254
Setting Event Writer File	254
Exporting to SESA	255
Integrating with SESA	255
Setting SESA Bridge Export	256
Exporting to SQL	257
Setting Cluster ID	257
Setting JDBC Driver	258
Setting DB Connection String	258
Setting DB User	259
Setting DB Password	260
Exporting to syslog	260
Setting Syslog Event Export	261
Setting Echo Operational Log to Syslog	262
Setting Remote Syslog Destination Host	262
Setting Remote Syslog Destination Port	263
Setting Syslog Maximum Message Size	264
Transferring via SCP	264
Setting Flag for SCP Usage	265
Setting Destination Host for SCP	265
Setting User Account for SCP	266
Setting Destination Directory for SCP	266
Setting Location of SCP Binary	267
Advanced configuration	269
About advanced setup	269
Updating Symantec Network Security	269
About LiveUpdate	270
Scanning for available updates	271
Applying updates	271
Setting the LiveUpdate server	272
Scheduling live updates	273
Adding or editing automatic updates	273
Deleting automatic update schedules	274
Reverting automatic update schedules	274
Backing up LiveUpdate configurations	274
Managing node clusters	275
Creating a new cluster	275
Building a cluster	275
Establishing a master node	276
Adding slave nodes to clusters	277
Deleting nodes from clusters	277
Managing an established cluster	278
Licensing nodes in a cluster	278
Synchronizing clustered nodes	278
Automatic synchronization	279
Reapplying policy assignments after setting cluster master	279
Forcing synchronization	279
Changing node numbers	280
Changing node passphrases	280
Restarting sensors in a cluster	281
Setting a cluster-wide parameter	281
Setting QSP Port Number	281
Backup up cluster-wide data	282
Integrating third-party events	282
Integrating via Smart Agents	283
Setting EDP Port Number	284
Integrating with Symantec Decoy Server	285
Integrating with Symantec Decoy Server	285
Launching from a known location	287
Establishing high availability failover	287
Monitoring node availability	287
Configuring availability for single nodes	288
Setting Watchdog Process Restart Only	289
Configuring availability for multiple nodes	289
Configuring a failover group	290
Removing nodes from a failover group	292
Viewing incidents during failover	292
Configuring watchdog processes	293
Setting Enable Watchdog Process	294
Setting Watchdog Process Stop Window	295
Setting Watchdog Process Maximum Resets	295
Setting Watchdog Process Restart Only	296
Setting Watchdog Process Email	297
Backing up and restoring	297
Backing up and restoring on the Network Security console	298

Match case Limit results 1 per page

385

Index

QSP

query service proxy.

See

QSP

secure communication

setting port number for cluster

281

QSP Port Number

setting cluster parameter

281

queries

about 223

event type list

134

replaying traffic flow data

241

traffic playback tool

240

viewing current flows

238

viewing exported flows

239

read-only

RestrictedUser partial permissions

320

StandardUser permissions

320

user login permissions

321

read-only

See

passphrases

read-write

Administrator partial permissions

320

SuperUser permissions

320

user login permissions

321

read-write

See

passphrases

rebooting

nodes from the LCD panel

nodes from the Network Security console

nodes from the serial console

redundancy

watchdog process

289

refinement

about 30

detection rules method

160

SecurityUpdates 270

Remote Syslog Destination Host

setting node parameters

262

Remote Syslog Destination Port

setting node parameters

263

renaming

monitoring groups

reports

about 223

about top-level and drill-down

228

adding or editing schedules

224

by event characteristics

233

deleting saved

228

reports (cont.)

deleting schedules

226

drill-down 236

exporting saved

227

format 228

managing scheduled

226

per event schedule

233

per incident schedule

232

per Network Security device

235

printing 230

querying flows

237

refreshing list

225

replaying traffic flow

241

saving 230

scheduling 224

top events

231

top level

230

traffic playback

240

type 229

viewing current flows

238

viewing exported flows

239

viewing Flow Statistics

239

viewing saved

226

resetting

signature variables

185

response actions

command variables

148

enabling console

152

response rules

140

setting email notification parameters

143

TCP reset

150

using percent sign as argument

150

response rules

136

about automated

adding 133

color coding

133

configuring console response

152

custom response

147

database backup

135

editing 134

enabling SNMP notifications

145, 146

event source parameters

139, 140

event target parameter

136

event type parameters

136

export flow action

153

inserting 133

managing 132

next action parameter

140

none option

142