Home » Symantec Manuals » Networking » Symantec 10521146 » Manual Viewer

Symantec 10521146 Administration Guide - Page 388

Slow Scan Maximum IP Addresses Limit, Slow Scan Alert Threshold

UPC - 037648268134

Add to My Manuals
Save this manual to your list of manuals

Page 388 highlights

388 Index signatures (cont.) user-defined 180 variables 184 viewing 181 size to trigger editing log rotation size 249 Size to Trigger Rotation setting node parameters 249 slave nodes adding 86 adding appliance 92 adding or editing software 86 creating topology tree 86 editing 86 editing appliance 92 setting passphrase 87, 93 synchronizing 275 Slow Scan Alert Threshold setting sensor parameters 165 Slow Scan Maximum IP Addresses Limit setting sensor parameters 173 Smart Agents about 37, 104 about interfaces 106 adding external sensor nodes 104 adding or editing 105 communicating via EDP proxy 284 communicating with Symantec Network Security 106, 284 third-party integration 283 SMTP Server node parameter 144 sniffer. See sensor processes SNMP alert failure 201 configuring notification 145 request failure 201 truncated message 201 SNMP Community String setting node parameters 146 SNMP Manager setting node parameters 146 software about parameters 309 about the node architecture 34 accessing Knowledge Base 22 adding nodes 86 adding or editing nodes 86 clustering with appliances 65 software (cont.) deleting nodes 277 documentation 21 node status indicator 79 queries from TrackBack 88 viewing Hardware Compatibility Reference 22 sorting incident data 192 source destination reports 234 SQL exporting parameters 325 setting up export 325 SSH keys generating 307 StandardUser pre-defined login account 200 StandardUsers about 320 standby nodes about failover 64 configuring high availability 289 creating failover groups 290 node numbers 280 watchdog process 289 stateful signatures. See signatures statistics devices with flow 235 stopping end time 194 incident response 142 nodes from the command line 48 nodes from the LCD panel 54 nodes from the Network Security console 47 nodes from the serial console 51 Streak Interval setting sensor parameters 171 Subject Line node parameter 144 SuperUsers about 320 Symantec Decoy Server external sensors 285 integrating with Symantec Network Security 104, 283 launching via Network Security 285 Symantec Decoy Server console launching from Network Security console 285

Section	Page
Symantec™ Network Security Administration Guide	1
Overview	13
Introduction	15
About the Symantec Network Security foundation	15
About the Symantec Network Security 7100 Series	15
About other Symantec Network Security features	17
Finding information	20
About 7100 Series appliance documentation	20
About Network Security software documentation	21
About the Web sites	22
About the Knowledge Base	22
About the Hardware Compatibility Reference	22
About the Product Updates site	22
About this guide	23
Architecture	25
About Symantec Network Security	25
About the core architecture	25
About detection	26
About protocol anomaly detection	27
About Symantec signatures	28
About user-defined signatures	28
Monitoring traffic rate	29
About DoS detection	29
About external EDP	29
About analysis	30
About refinement	30
About correlation	30
About cross-node correlation	31
About response	31
About protection policies	31
About response rules	31
About management and detection architecture	32
About the Network Security console	32
About role-based administration	33
About the node architecture	34
About the alert manager	35
About the sensor manager	35
About the administration service	35
About analysis	35
About the databases	35
About Event Stream Provider	36
About sensor processes	36
About Smart Agents	37
About FlowChaser	37
About the 7100 Series appliance node	37
About detection on the 7100 Series	38
About interface grouping	38
About response on the 7100 Series	38
About in-line monitoring mode	38
About blocking or alerting mode	38
About fail-open	39
About management on the 7100 Series	39
About the LCD panel	39
About the serial console	40
About the compact flash	40
Getting started	41
Getting started	41
General checklist	42
General software and appliance checklist	42
Preparing to set up Symantec Network Security	42
Setting up Symantec Network Security	42
Using Symantec Network Security	43
Additional appliance-specific checklist	43
Preparing the appliance	43
Setting up appliance features in Symantec Network Security	44
About the management interfaces	44
Using the Network Security console	44
Launching the Network Security console	45
Viewing the Network Security console	46
Adjusting the Devices view	46
Adjusting the Incidents view	47
Adjusting the Policies view	47
Viewing node status	47
Restarting via the Network Security console	47
Rebooting nodes via the Network Security console	48
Stopping Symantec Network Security via the command line	48
Restarting sensors via the Network Security console	49
Checking and applying licenses	49
Using the serial console	49
Restarting via the serial console	50
Rebooting nodes via the serial console	50
Stopping via the serial console	51
Shutting down via the serial console	51
Using the LCD panel	51
Unlocking the LCD panel	52
Restarting from the LCD panel	53
Rebooting nodes via the LCD panel	53
Stopping via the LCD panel	54
Shutting down via the LCD panel	54
Managing user access	54
Managing user login accounts	55
Adding user login accounts	55
Editing user login accounts	56
Deleting user login accounts	56
Managing user passphrases	57
Changing user passphrases	57
Changing passwords on the 7100 Series node	58
Changing the root password via the serial console	58
Changing the secadm password via the serial console	58
Controlling user access	59
Setting Maximum Login Failures	59
Setting Lock LCD Screen	59
Tracking user actions	60
Planning the deployment	60
Deploying single nodes	61
Deploying a single Network Security software node	61
Deploying a single 7100 Series appliance node	62
About interface grouping	62
About in-line mode	62
About fail-open	63
Configuring single-node parameters	63
Deploying node clusters	64
Deploying software and appliance nodes in a cluster	65
Monitoring groups within a cluster	66
Creating a monitoring group	66
Assigning a monitoring group	67
Renaming a monitoring group	67
Deleting a monitoring group	68
Choosing monitoring groups	68
Initial Configuration	69
Populating the topology database	71
About the network topology	71
About the Devices tab	72
Types of objects	72
Viewing object details	74
About topology mapping	74
Mapping the existing network	75
Gathering information	76
Managing the topology tree	78
Viewing auto-generated objects	79
Viewing node details	79
Viewing node status	79
Adding objects for the first time	80
Editing objects	81
Deleting objects	81
Reverting changes	82
Saving changes	82
Forcing nodes to synchronize	83
Backing up	83
Adding nodes and objects	83
About location objects	83
Adding or editing location objects	84
About nodes and interfaces	85
About Network Security software nodes	86
Adding or editing software nodes	86
Viewing advanced network options	88
About monitoring interfaces on software nodes	89
Adding or editing monitoring interface on software nodes	90
About the Networks tab	91
About 7100 Series appliance nodes	92
Adding or editing 7100 Series nodes	92
Viewing advanced network options	94
About 7100 Series interfaces	95
Editing monitoring interfaces on 7100 Series nodes	96
About the Networks tab	97
Adding or editing interface groups	98
Adding or editing in-line pairs	100
About router objects	101
Adding or editing router objects	102
About router interfaces	103
Adding or editing router interface objects	103
About Smart Agents	104
Adding or editing Smart Agent objects	105
About Smart Agent interfaces	106
Adding or editing Smart Agent interface objects	107
About managed network segments	108
Editing network segment objects	108
Protection policies	111
About protection policies	111
Responding to malicious or suspicious events	112
Understanding the protection policy work area	112
Using protection policies	113
Selecting pre-defined policies	114
Setting policies to interfaces	115
Applying to save changes	115
Overriding blocking rules globally	115
Undoing policy settings	116
Unapplying protection policies	116
Removing policies set to interfaces	116
Reverting policy applications	117
Adjusting the view of event types	117
Searching to create a subset of event types	117
Adjusting the view by columns	119
Viewing event type details	119
Defining new protection policies	120
Adding or editing user-defined protection policies	121
Cloning existing protection policies	121
Enabling or disabling logging rules	122
Enabling or disabling blocking rules	123
Deleting user-defined protection policies	125
Updating policies automatically	125
Annotating policies and events	126
Annotating an entire policy	126
Annotating an event type in a policy	127
Annotating an instance of an event	127
Backing up protection policies	128
Responding	129
About response rules	129
About automated responses	131
Managing response rules	132
Viewing response rules	132
Interpreting color coding	133
Adding new response rules	133
Editing response rules	134
Searching event types	134
Deleting response rules	135
Saving or reverting changes	135
Backing up response rules	135
Setting response parameters	136
Setting event targets	136
Setting event types	136
Setting severity levels	137
Setting the severity level	138
Setting confidence levels	139
Setting event sources	139
Setting response actions	140
Setting next actions	140
Setting response actions	141
Setting no response action	142
Setting email notification	142
Setting email notification response actions	142
Setting email notification parameters	143
Setting From Address	143
Setting Subject Line	144
Setting SMTP Server	144
Setting Hostname Used for Email Notifications	145
Setting SNMP notification	145
Setting SNMP notification response actions	145
Setting SNMP notification parameters	146
SNMP Manager	146
SNMP Community String	146
Setting TrackBack response action	147
Setting TrackBack response actions	147
Setting a custom response action	147
Table of response variables	148
Preventing logging of passwords in cleartext	149
Escaping the % directive	150
Setting a TCP reset response action	150
Setting traffic record response action	150
Setting a console response action	152
Enabling console response actions	152
Setting export flow response action	153
Managing flow alert rules	154
Viewing flow alert rules	155
Adding flow alert rules	155
Editing flow alert rules	156
Deleting flow alert rules	156
Providing an appropriate mask	157
Using the permit rule type	157
Detecting	159
About detection	159
Configuring sensor detection	160
Configuring sensor parameters	161
Restarting or stopping sensors	161
Basic sensor parameters	162
Data collection parameters	163
Enable Flow Statistics Collection	163
Enable Full Packet Capture	163
Threshold parameters	164
TCP Flood Alert Threshold	164
UDP Flood Alert Threshold	165
Slow Scan Alert Threshold	165
Saturation parameters	165
ICMP Saturation Alert Threshold	166
UDP Saturation Alert Threshold	166
IP Fragment Saturation Alert Threshold	166
Bad Service Saturation Alert Threshold	166
Other Saturation Alert Threshold	167
Miscellaneous parameters	167
Event Delay Time	167
Traffic Mode	168
Checksum validation parameters	168
Enable IPv4 Header Checksum Validation	168
Enable TCP Checksum Validation	169
Enable UDP Checksum Validation	169
Advanced sensor parameters	169
Interval and flow parameters	170
Packet Counter Interval	170
Streak Interval	171
TCP Minimum Flows	171
UDP Minimum Flows	171
TCP Number of Streak Packets	172
UDP Number of Streak Packets	172
Counter Number of Streak Packets	172
Miscellaneous parameters	172
Saturation Counter Lapse Time	173
Maximum Time to Streak Analysis	173
Slow Scan Maximum IP Addresses Limit	173
Table element parameters	173
Maximum IPv4 Fragment Reassembly Table Elements	174
TCP Maximum Flow Table Elements (Fast Ethernet)	174
TCP Maximum Flow Table Elements (Gigabit)	174
UDP Maximum Flow Table Elements (Fast Ethernet)	175
UDP Maximum Flow Table Elements (Gigabit)	175
Segment parameters	175
TCP Keepalive Timeout	175
TCP Flow Max Queued Segments	176
TCP Global Max Queued Segments (Fast Ethernet)	176
TCP Global Max Queued Segments (Gigabit)	176
TCP 2MSL Timeout	177
TCP Default Window Size	177
Configuring port mapping	177
Adding or editing port mappings	178
Delete port mappings	178
Configuring signature detection	179
About Symantec signatures	179
About user-defined signatures	180
Managing signatures	180
Viewing signatures	181
Adding or editing user-defined signatures	181
Deleting user-defined signatures	183
Importing user-defined signatures	183
Resolving signature compile errors	183
Managing signature variables	184
Adding new signature variables	184
Editing signatures variables	184
Deleting signatures variables	185
Resetting signatures variables	185
Applying signatures variables	185
Reverting signatures variables	186
Using Symantec Network Security	187
Monitoring	189
About incident and event data	189
Viewing incident and event data	190
Adjusting the view	191
Setting font size	192
Sorting column data	192
Examining incident and event data	192
Examining incident data	193
Viewing top-level incident data	193
Viewing incident details	193
Viewing an incident’s top event	195
Loading cross-node correlated events	196
Examining event data	196
Viewing top-level event data	197
Interpreting severity and confidence levels	197
Viewing event details	197
Viewing an event’s detailed description	199
About operational event notices	199
Managing incident and event data	201
Selecting columns	202
Selecting incident columns	202
Selecting event columns	203
Selecting view filters	205
Selecting incident filters	205
Selecting event filters	206
Marking and annotating	207
Marking incidents as read	207
Annotating incident data	208
Customizing annotation templates	208
Saving, copying, and printing data	209
Saving incident data	209
Copying and pasting incidents	209
Copying an incident’s top event	210
Copying event details	210
Printing incident data	211
Emailing incident or event data	211
Configuring email	211
Emailing incident data	212
Tuning incident parameters	213
Setting Incident Idle Time	213
Setting Maximum Incidents	214
Setting Maximum Active Incident Life	214
Setting Incident Unique IP Limit	215
Setting Event Correlation ‘Name’ Weight	215
Event Correlation ‘Source IP’ Weight	216
Event Correlation ‘Destination IP’ Weight	217
Event Correlation ‘Source Port’ Weight	217
Event Correlation ‘Destination Port’ Weight	218
Monitoring flow statistics	219
Enabling flow data collection	219
Configuring FlowChaser	220
Setting FlowChaser Maximum Flows Per Device	220
Setting FlowChaser Router Flow Collection Threads	220
Setting FlowChaser Router Flow Collection Port	221
Setting FlowChaser Sensor Threads	222
Reporting	223
About reports and queries	223
Scheduling reports	224
Adding or editing report schedules	224
Refreshing the list of reports	225
Deleting report schedules	226
Managing scheduled reports	226
Viewing saved reports	226
Exporting saved reports	227
Deleting saved reports	228
Reporting top-level and drill-down	228
About report formats	228
About report types	229
About incident/event reports	229
Printing and saving reports	230
About top-level report types	230
Reports of top events	231
Reports per incident schedule	232
Reports per event schedule	233
Reports by event characteristics	233
Reports per Network Security device	235
Drill-down-only reports	236
Querying flows	237
Viewing current flows	238
Viewing Flow Statistics	239
Viewing exported flows	239
Playing recorded traffic	240
Replaying recorded traffic flow data	241
Managing log files	243
About the log files	243
About the install log	243
About the operational log	244
Managing logs	244
Viewing log files	244
Viewing live log files	245
Archiving log files	246
Copying log files	246
Deleting log files	247
Refreshing the list of log files	247
Configuring automatic archiving	248
Setting automatic logging levels	248
Archiving log files	249
Setting Size to Trigger Rotation	249
Setting Limit Size for Archive Directory	250
Setting Limit Size for Traffic Record Directory	251
Compressing log files	252
Setting Compression On/Off Switch	252
Setting Compression Command	253
Exporting data	254
Exporting to file	254
Setting Event Writer File	254
Exporting to SESA	255
Integrating with SESA	255
Setting SESA Bridge Export	256
Exporting to SQL	257
Setting Cluster ID	257
Setting JDBC Driver	258
Setting DB Connection String	258
Setting DB User	259
Setting DB Password	260
Exporting to syslog	260
Setting Syslog Event Export	261
Setting Echo Operational Log to Syslog	262
Setting Remote Syslog Destination Host	262
Setting Remote Syslog Destination Port	263
Setting Syslog Maximum Message Size	264
Transferring via SCP	264
Setting Flag for SCP Usage	265
Setting Destination Host for SCP	265
Setting User Account for SCP	266
Setting Destination Directory for SCP	266
Setting Location of SCP Binary	267
Advanced configuration	269
About advanced setup	269
Updating Symantec Network Security	269
About LiveUpdate	270
Scanning for available updates	271
Applying updates	271
Setting the LiveUpdate server	272
Scheduling live updates	273
Adding or editing automatic updates	273
Deleting automatic update schedules	274
Reverting automatic update schedules	274
Backing up LiveUpdate configurations	274
Managing node clusters	275
Creating a new cluster	275
Building a cluster	275
Establishing a master node	276
Adding slave nodes to clusters	277
Deleting nodes from clusters	277
Managing an established cluster	278
Licensing nodes in a cluster	278
Synchronizing clustered nodes	278
Automatic synchronization	279
Reapplying policy assignments after setting cluster master	279
Forcing synchronization	279
Changing node numbers	280
Changing node passphrases	280
Restarting sensors in a cluster	281
Setting a cluster-wide parameter	281
Setting QSP Port Number	281
Backup up cluster-wide data	282
Integrating third-party events	282
Integrating via Smart Agents	283
Setting EDP Port Number	284
Integrating with Symantec Decoy Server	285
Integrating with Symantec Decoy Server	285
Launching from a known location	287
Establishing high availability failover	287
Monitoring node availability	287
Configuring availability for single nodes	288
Setting Watchdog Process Restart Only	289
Configuring availability for multiple nodes	289
Configuring a failover group	290
Removing nodes from a failover group	292
Viewing incidents during failover	292
Configuring watchdog processes	293
Setting Enable Watchdog Process	294
Setting Watchdog Process Stop Window	295
Setting Watchdog Process Maximum Resets	295
Setting Watchdog Process Restart Only	296
Setting Watchdog Process Email	297
Backing up and restoring	297
Backing up and restoring on the Network Security console	298

Match case Limit results 1 per page

388

Index

signatures (cont.)

user-defined 180

variables 184

viewing 181

size to trigger

editing log rotation size

249

Size to Trigger Rotation

setting node parameters

249

slave nodes

adding 86

adding appliance

adding or editing software

creating topology tree

editing 86

editing appliance

setting passphrase

87, 93

synchronizing 275

Slow Scan Alert Threshold

setting sensor parameters

165

Slow Scan Maximum IP Addresses Limit

setting sensor parameters

173

Smart Agents

about

37, 104

about interfaces

106

adding external sensor nodes

104

adding or editing

105

communicating via EDP proxy

284

communicating with Symantec Network

Security

106, 284

third-party integration

283

SMTP Server

node parameter

144

sniffer.

See

sensor processes

SNMP

alert failure

201

configuring notification

145

request failure

201

truncated message

201

SNMP Community String

setting node parameters

146

SNMP Manager

setting node parameters

146

software

about parameters

309

about the node architecture

accessing Knowledge Base

adding nodes

adding or editing nodes

clustering with appliances

software (cont.)

deleting nodes

277

documentation 21

node status indicator

queries from TrackBack

viewing Hardware Compatibility Reference

sorting

incident data

192

source

destination reports

234

SQL

exporting parameters

325

setting up export

325

SSH keys

generating 307

StandardUser

pre-defined login account

200

StandardUsers

about 320

standby nodes

about failover

configuring high availability

289

creating failover groups

290

node numbers

280

watchdog process

289

stateful signatures.

See

signatures

statistics

devices with flow

235

stopping

end time

194

incident response

142

nodes from the command line

nodes from the LCD panel

nodes from the Network Security console

nodes from the serial console

Streak Interval

setting sensor parameters

171

Subject Line

node parameter

144

SuperUsers

about 320

Symantec Decoy Server

external sensors

285

integrating with Symantec Network

Security

104, 283

launching via Network Security

285

Symantec Decoy Server console

launching from Network Security console

285