Monitor Data Center Block Rules and Tune the Rulebase
Monitor traffic that you explicitly block so that you can investigate potential attacks and evaluate whether you should allow any of the blocked traffic.
Developing a best practice security policy is an iterative process. As soon as you Create Data Center Traffic Block Rules, start monitoring traffic that matches the block rules designed to identify policy gaps, unexpected behaviors, and potential attacks. Tune your application whitelist rules to account for traffic that matches the block rules but should be allowed and investigate traffic that may indicate an attack.
Reports on blocked traffic contain valuable information you can use to investigate potential issues. Keep the block rules in the rulebase to protect your valuable data center assets and provide that information when traffic matches a block rule.
- Create custom reports to monitor traffic that matches the block rules designed to identify policy gaps and potential attacks.
  - Select Monitor > Manage Custom Reports.
  - Add a report and give it a Name that describes the report's purpose, in this example DC Best Practice Policy Tuning.
  - Set the Database to Traffic Summary. (This also changes the default Selected Columns; the default columns are Source Zone, Destination Zone, Sessions, and Bytes.)
  - Select the Scheduled box.
  - From Available Columns, add Application, Risk of App, Rule, and Threat to the Selected Columns list. If there are other types of information you want to monitor, select those as well.
  - Set the desired Time Frame, Sort By, and Group By values, in this example Last 7 Days, Apps, and App Sub Category, respectively.
  - Define the query to match traffic hitting the rules designed to find policy gaps and potential attacks. You can create a single report for traffic that matches any of the rules using the or operator, or create individual reports to monitor each rule. In the Query Builder, specify the name of each rule you want to include in the report. This example uses the names of the six blocking rules designed to find policy gaps and uses the or operator to include information about traffic that matches any of the rules:
    - (rule eq 'Known user nonstandard ports')
    - (rule eq 'Unknown user nonstandard ports')
    - (rule eq 'Unexpected App from user Zone')
    - (rule eq 'Unexpected App from any Zone')
    - (rule eq 'Unexpected User App Any Port')
    - (rule eq 'Unexpected App Any Port')
- Review the report (or reports) regularly to make sure you understand why traffic matches each block rule and either update policy to include legitimate applications and users, or use the information to assess the risk of traffic that matches the rules.
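The same tuning analysis can be run offline over an exported traffic log, which is useful when you want to diff week-over-week results or feed them into a ticketing workflow. The script below is an added example, not part of this page or of PAN-OS; it assumes a CSV export with the columns receive_time, rule, app, subcategory, risk, sessions and bytes (the column names are an assumption), keeps only rows that hit one of the six block rules within the report's Last 7 Days window, and groups them by App Sub Category and App the way the custom report does. It also builds the Query Builder string from the rule names so the two stay in sync.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# The six block rules used by the tuning report (names from the page).
BLOCK_RULES = [
    "Known user nonstandard ports",
    "Unknown user nonstandard ports",
    "Unexpected App from user Zone",
    "Unexpected App from any Zone",
    "Unexpected User App Any Port",
    "Unexpected App Any Port",
]

def build_query(rules=BLOCK_RULES):
    """Return the Query Builder filter: (rule eq '...') or (rule eq '...') ..."""
    return " or ".join(f"(rule eq '{r}')" for r in rules)

def summarize(csv_text, now, days=7, rules=BLOCK_RULES):
    """Aggregate exported log rows (assumed columns: receive_time, rule, app,
    subcategory, risk, sessions, bytes) that hit a block rule in the last
    `days` days, keyed by (subcategory, app, risk) like the report's Group By."""
    cutoff = now - timedelta(days=days)
    wanted = set(rules)
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0, "rules": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        if ts < cutoff or row["rule"] not in wanted:
            continue  # outside the time frame, or an allow rule: not report data
        entry = totals[(row["subcategory"], row["app"], row["risk"])]
        entry["sessions"] += int(row["sessions"])
        entry["bytes"] += int(row["bytes"])
        entry["rules"].add(row["rule"])
    # Sort by session count so the noisiest block-rule matches surface first.
    return sorted(totals.items(), key=lambda kv: -kv[1]["sessions"])

# Constructed sample export; not real firewall output.
SAMPLE = """receive_time,rule,app,subcategory,risk,sessions,bytes
2024/05/10 08:00:00,Unexpected App Any Port,ssh,encrypted-tunnel,4,12,40960
2024/05/11 09:30:00,Unexpected App Any Port,ssh,encrypted-tunnel,4,8,20480
2024/05/12 10:00:00,Known user nonstandard ports,web-browsing,internet-utility,4,3,1500
2024/05/01 10:00:00,Unexpected App Any Port,ssh,encrypted-tunnel,4,50,99999
2024/05/12 11:00:00,DC Allow Web,web-browsing,internet-utility,4,100,500000
"""

def run_sample():
    """Summarize the constructed sample as of 2024-05-13 (7-day window)."""
    return summarize(SAMPLE, datetime(2024, 5, 13))

if __name__ == "__main__":
    print(build_query())
    for (subcat, app, risk), t in run_sample():
        print(f"{subcat:<18} {app:<13} risk {risk} sessions={t['sessions']} "
              f"bytes={t['bytes']} rules={sorted(t['rules'])}")
```

Rows older than the window (the 2024/05/01 line) and rows that hit an allow rule (DC Allow Web) are dropped, so only the two block-rule hits remain in the output.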