Monitor Data Center Block Rules and Tune the Rulebase
Monitor traffic that you explicitly block so that you can investigate potential attacks and evaluate whether you should allow any of the blocked traffic.
Developing a best practice security policy is an iterative process. As soon as you Create Data Center Traffic Block Rules, start monitoring traffic that matches the block rules designed to identify policy gaps, unexpected behaviors, and potential attacks. Tune your application whitelist rules to account for traffic that matches the block rules but should be allowed and investigate traffic that may indicate an attack.
Reports on blocked traffic contain valuable information you can use to investigate potential issues. Keep the block rules in the rulebase to protect your valuable data center assets and provide that information when traffic matches a block rule.
- Create custom reports to monitor traffic that matches the block rules designed to identify policy gaps and potential attacks.
  - Select Monitor > Manage Custom Reports.
  - Add a report and give it a Name that describes the report's purpose, in this example DC Best Practice Policy Tuning.
  - Set the Database to Traffic Summary. (This also changes the default Selected Columns; the default columns are Source Zone, Destination Zone, Sessions, and Bytes.)
  - Select the Scheduled box.
  - From Available Columns, add Application, Risk of App, Rule, and Threat to the Selected Columns list. If there are other types of information you want to monitor, select those columns as well.
  - Set the desired Time Frame, Sort By, and Group By values, in this example Last 7 Days, Apps, and App Sub Category, respectively.
  - Define the query to match traffic hitting the rules designed to find policy gaps and potential attacks. You can create a single report for traffic that matches any of the rules by joining the rule names with the or operator, or create individual reports to monitor each rule. In the Query Builder, specify the name of each rule you want to include in the report. This example uses the names of the six blocking rules designed to find policy gaps, joined by the or operator so the report includes traffic that matches any of them:
    (rule eq 'Known user nonstandard ports') or
    (rule eq 'Unknown user nonstandard ports') or
    (rule eq 'Unexpected App from user Zone') or
    (rule eq 'Unexpected App from any Zone') or
    (rule eq 'Unexpected User App Any Port') or
    (rule eq 'Unexpected App Any Port')
- Review the report (or reports) regularly to make sure you understand why traffic matches each block rule. Either update the policy to include legitimate applications and users, or use the information to assess the risk of the traffic that matches the rules.
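The following Python script is an added example, not part of the Palo Alto Networks documentation, that reproduces the report logic above offline: it filters traffic-log rows to the six block rules (the same effect as the Query Builder filter), groups them by rule, application, app sub category and risk with session and byte counts like the Traffic Summary database, and then splits the hits into "candidate whitelist" versus "investigate" buckets to support the review step. The CSV column names, the sample rows and the risk threshold used for triage are constructed assumptions for the example; a real log export has different column names and many more fields, so map them accordingly.

```python
import csv
import io
from collections import defaultdict

# The six block rules named in the report query on this page.
BLOCK_RULES = {
    "Known user nonstandard ports",
    "Unknown user nonstandard ports",
    "Unexpected App from user Zone",
    "Unexpected App from any Zone",
    "Unexpected User App Any Port",
    "Unexpected App Any Port",
}

# Constructed sample of a traffic-log export (column names and rows are
# invented for this example, not real firewall output).
SAMPLE_LOG = """\
rule,src_zone,dst_zone,app,app_subcategory,risk,bytes,threat
Known user nonstandard ports,users,dc-db,mssql-db,database,3,120000,
Known user nonstandard ports,users,dc-db,mssql-db,database,3,90000,
Unexpected App from user Zone,users,dc-web,bittorrent,file-sharing,5,4500000,
Unexpected App Any Port,dmz,dc-app,ssh,encrypted-tunnel,4,2048,
Unexpected App Any Port,dmz,dc-app,ssh,encrypted-tunnel,4,1024,
Allow DB from app tier,dc-app,dc-db,mssql-db,database,3,500000,
Unexpected User App Any Port,contractors,dc-db,mssql-db,database,3,70000,vulnerability
"""

# Assumed threshold: apps at or above this App-ID risk level go to the
# investigate bucket even without a threat log entry.
INVESTIGATE_RISK = 4


def matches_block_rule(row):
    """Offline equivalent of the '(rule eq ...) or (rule eq ...)' filter."""
    return row["rule"] in BLOCK_RULES


def summarize(csv_text):
    """Group block-rule hits by (rule, app, app sub category, risk) and
    total sessions, bytes and rows that carried a threat verdict."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0, "threats": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not matches_block_rule(row):
            continue  # allow-rule traffic is not part of this report
        key = (row["rule"], row["app"], row["app_subcategory"], int(row["risk"]))
        entry = summary[key]
        entry["sessions"] += 1
        entry["bytes"] += int(row["bytes"])
        if row["threat"]:
            entry["threats"] += 1
    return dict(summary)


def triage(summary):
    """Split summarized hits into two review buckets:
    - whitelist candidates: low-risk app, no threat seen; worth checking
      whether an explicit allow rule is missing for a legitimate app/user
    - investigate: a threat was logged or the app's risk is high."""
    whitelist_candidates, investigate = [], []
    for (rule, app, _subcat, risk), counts in summary.items():
        if counts["threats"] or risk >= INVESTIGATE_RISK:
            investigate.append((rule, app))
        else:
            whitelist_candidates.append((rule, app))
    return sorted(whitelist_candidates), sorted(investigate)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (rule, app, subcat, risk), counts in sorted(report.items()):
        print(f"{rule:32} {app:12} {subcat:18} risk={risk} "
              f"sessions={counts['sessions']} bytes={counts['bytes']} "
              f"threats={counts['threats']}")
    candidates, suspicious = triage(report)
    print("whitelist candidates:", candidates)
    print("investigate:", suspicious)
```

The grouping key mirrors the report's Group By setting (Apps, then App Sub Category) with Rule and Risk of App carried alongside, so each printed row answers the question the review step asks: which rule blocked which application, how much traffic it was, and whether anything was flagged. Rows landing in the whitelist bucket are the ones to consider turning into explicit application allow rules; rows in the investigate bucket are the ones to look at before any policy change.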