Monitor Data Center Block Rules and Tune the Rulebase
Monitor traffic that you explicitly block so that you can investigate potential attacks and evaluate whether you should allow any of the blocked traffic.
Developing a best practice security policy is an iterative process. As soon as you Create Data Center Traffic Block Rules, start monitoring traffic that matches the block rules designed to identify policy gaps, unexpected behaviors, and potential attacks. Tune your application allow rules to account for traffic that matches the block rules but should be allowed, and investigate traffic that may indicate an attack.
Logs on blocked traffic contain valuable information you can use to investigate potential issues. Keep the block rules in the rulebase so that they continue to protect your data center assets and to provide that information whenever traffic matches a block rule.
Create custom reports to monitor traffic that matches the block rules designed to identify policy gaps and potential attacks.
Manage Custom Reports: add a report and give it a name that describes the report's purpose, in this example DC Best Practice. This also changes the list. If there are other types of information you want to monitor, select those as well.
Set the desired values. In this example we set the App Sub Category.
Define the query to match traffic hitting the rules designed to find policy gaps and potential attacks. You can create a single report that covers traffic matching any of the rules, or create individual reports to monitor each rule. In the report query, specify the name of each rule you want to include. This example includes all six block rules so that the report covers traffic that matches any of them:
(rule eq 'Discover-Unknown-Users')
(rule eq 'Block-Bad-Apps')
(rule eq 'Unexpected-App-from-User-Zone')
(rule eq 'Unexpected-App-from-Any-Zone')
(rule eq 'Unexpected-User-App-Any-Port')
(rule eq 'Unexpected-App-Any-Port')
Review the report (or reports) regularly to make sure you understand why traffic matches each block rule, and then either update the policy to allow legitimate applications and users, or use the information to assess the risk of the traffic that matches the rules.
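As an added example (not part of this documentation and not a PAN-OS feature), the following Python script shows the same triage offline: it extracts the six block-rule names from an or-joined report query, filters constructed sample log records down to hits on those rules, and groups the hits by rule and App Sub Category, which is the view an analyst uses to decide what to allow and what to investigate. The record fields, the query joining clauses with "or", and the sample data are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log records (simplified, not real firewall log output).
# Only the fields the report groups on are kept.
SAMPLE_LOGS = [
    {"rule": "Block-Bad-Apps", "app": "bittorrent", "subcategory": "file-sharing", "src_user": "corp\\alice"},
    {"rule": "Block-Bad-Apps", "app": "tor", "subcategory": "encrypted-tunnel", "src_user": "corp\\bob"},
    {"rule": "Discover-Unknown-Users", "app": "ssh", "subcategory": "remote-access", "src_user": ""},
    {"rule": "Unexpected-App-Any-Port", "app": "ssl", "subcategory": "encrypted-tunnel", "src_user": "corp\\carol"},
    {"rule": "Allow-DC-Web", "app": "web-browsing", "subcategory": "internet-utility", "src_user": "corp\\dave"},
    {"rule": "Block-Bad-Apps", "app": "bittorrent", "subcategory": "file-sharing", "src_user": "corp\\erin"},
]

# The six block-rule clauses from the page, joined with "or" (assumed operator).
REPORT_QUERY = (
    "(rule eq 'Discover-Unknown-Users') or (rule eq 'Block-Bad-Apps') or "
    "(rule eq 'Unexpected-App-from-User-Zone') or (rule eq 'Unexpected-App-from-Any-Zone') or "
    "(rule eq 'Unexpected-User-App-Any-Port') or (rule eq 'Unexpected-App-Any-Port')"
)

# One "(rule eq '<name>')" clause; the rule name is captured.
CLAUSE = re.compile(r"\(\s*rule\s+eq\s+'([^']+)'\s*\)")


def rules_in_query(query):
    """Return the set of rule names selected by an or-joined (rule eq '...') query."""
    return set(CLAUSE.findall(query))


def summarize_block_hits(logs, query=REPORT_QUERY):
    """Count sessions that hit any queried rule, grouped by rule and then by
    app subcategory, mirroring a report grouped by App Sub Category."""
    selected = rules_in_query(query)
    summary = defaultdict(Counter)
    for entry in logs:
        if entry["rule"] in selected:  # drop hits on allow rules
            summary[entry["rule"]][entry["subcategory"]] += 1
    return {rule: dict(counts) for rule, counts in summary.items()}


def apps_to_review(logs, query=REPORT_QUERY):
    """Per block rule, the distinct apps seen: candidates to either allow or investigate."""
    selected = rules_in_query(query)
    apps = defaultdict(set)
    for entry in logs:
        if entry["rule"] in selected:
            apps[entry["rule"]].add(entry["app"])
    return {rule: sorted(a) for rule, a in apps.items()}


if __name__ == "__main__":
    for rule, counts in sorted(summarize_block_hits(SAMPLE_LOGS).items()):
        print(f"{rule}: {counts} apps={apps_to_review(SAMPLE_LOGS)[rule]}")
```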