Rules
Navigate to Policy > Rules to see an overview of all rules currently configured in the system. Rules are flow-specific, i.e. they are only applied to traffic flows matching the conditions specified in the rule.
The overview table displays the rules that are defined in the system and gives a summary of their configuration (for further information, see Rules Settings).
The slider switch in the first column allows you to enable (
) or disable (
) the respective rule. The icons in last column allow you to edit, copy or delete the rule.
Tip
You can hover the mouse on the entries in the table to see a tooltip displaying the defined options, where applicable.
Global rules, which are applied to all traffic, are placed at the top of the table. Rules used in correlation scenarios are grouped by scenario (see Advanced Correlation).
Note
The rules are processed from top to bottom. It is therefore recommended to place more specific rules at the top of the table and rules that apply to a broader range of traffic at the bottom. To reorder global rules, click the ACTIVATE GLOBAL RULES REORDER button above the table. Move the rules to the desired positions using drag and drop. Correlation scenarios can be reordered under Policy > Advanced Correlation.
To add a new global rule to the system, click the Add Global Rule button above the overview table.
Note
Global rules cannot be added to advanced correlation scenarios. To create rules for Advanced Correlation scenarios, you need to create them directly in the respective scenario. Click the name of the scenario to access its settings screen (see Advanced Correlation Scenario Settings). In the Rules tab, click Add.
Rules Settings
When you add a new rule or edit an existing one, the settings screen is displayed.
The General section provides the following options:
Field |
Description |
|---|---|
|
The slider switch indicates whether rule is enabled or disabled. |
Name |
Enter the name of the rule. |
Note |
Optional: Add a short description of the rule. |
Statistics |
This section displays the number of hits per second of this rule in a time chart. By mouseover you can see the individual values in a tooltip. |
In the Schedule section, you can specify a time frame during which the rule is active:
Field |
Description |
|---|---|
|
Click the slider switch to enable a time schedule for the rule. |
Include |
Click this button if you want the rule to be active during the selected period of time. Outside of this time period, the rule is inactive. |
Exclude |
Click this button if you want the rule to be inactive during the selected period of time. Outside of this time period, the rule is active. |
Schedule |
From the drop-down list, select the schedule you want to activate for the rule. You can only select one schedule at a time. |
ADD SCHEDULE |
Click this button to open the schedule settings screen and create a new time schedule (see Schedules). |
The Source & Destination section provides the following options:
Field |
Description |
|---|---|
Source Networks |
Specify the source networks of the traffic flows to which the rule is to be applied. The default setting is |
Destination Networks |
Specify the destination networks of the traffic flows to which the rule is to be applied. The default setting is |
ADD DYNAMIC NETWORK OBJECT |
Click this button to open the dynamic network objects settings screen and create a new dynamic network object (see Dynamic Network Objects). If you click this button in a global rule, you create a global dynamic network object. If the rule belongs to an advanced correlation scenario, the dynamic network object will be created inside the scenario. |
ADD STATIC NETWORK OBJECT |
Click this button to open the static network objects settings screen and create a new static network object (see Static Network Objects). |
The Advanced Correlation Conditions section is only available for rules that are created in advanced correlation scenarios. It contains the following elements:
Field |
Description |
|---|---|
Event in Event Tracking Table |
Enable this option to compare the traffic to the events in an event tracking table. From the drop-down list, select the Event Tracking Table you want to use for comparison. Click ADD EVENT TRACKING TABLE to open the event tracking tables settings screen and create a new table (see Event Tracking Tables). Select the elements you want to compare to the primary and secondary attributes of the events from the respective drop-down lists. The rule only matches the traffic if the comparison is successful. |
Number of Similar Events in Event Tracking Table |
Enable this option to count the number of events in an event tracking table. From the drop-down list, select the Event Tracking Table you want to count the events in. Click ADD EVENT TRACKING TABLE to open the event tracking tables settings screen and create a new table (see Event Tracking Tables). Under Count all Entries with Primary Attribute equal to, specify which entries you want to count. Under Minimum Number of Entries, specify the minimum number of entries that have to be counted for the rule to match. |
In the Conditions section, click the slider switches to enable the conditions you want to activate for the rule.
Note
You can enable any number of rule conditions. Conditions are AND-connected. This means, if you activate multiple conditions in a rule, the rule only matches if the traffic fulfills all active conditions. If you select multiple elements within a condition, those elements are OR-connected.
When you enable a condition, dedicated input fields are displayed for this condition:
Field |
Description |
|---|---|
Assets |
Enable this option to apply the rule to traffic generated by specific assets. Select the asset tags that you want to use as source and/or destination in the rule. You can create new tags by entering them in the fields. Click |
Users |
Enable this option to apply the rule to traffic generated by specific users. Click into the field and select the respective users from the list. You can also type in the input field to narrow down the list to the users whose names contain the characters you are typing. Click |
GeoIP |
Enable this option to check the traffic by Source Countries and/or Destination Countries. Click into the field and select the required countries from the list. You can also type in the input field to narrow down the list to the countries whose names contain the characters you are typing. Click |
Layer 4 Protocol |
Enable this option to check the traffic by layer 4 protocols used. Click into the field and select the required protocols from the list. You can also type in the input field to narrow down the list to the protocols whose names contain the characters you are typing. Click |
Layer 4 Port |
Enable this option to check the traffic by layer 4 ports used. Enter the Source Ports and/or Destination Ports into the fields. The port numbers have to be separated by commas. |
Classification |
Enable this option to explicitly include or exclude applications and protocols in/from the rule. Click into the respective field and select the applications (preceded by |
Threats Indicators |
Enable this option to select threat intelligence indicators to include in the rule. Select the tags you want to include by clicking into the respective field and selecting the tags from the list. You can also type in the input fields to narrow down the list to the tags whose names contain the characters you are typing. Click |
Intrusion Prevention System |
Enable this option to specify the IPS rules to include in the rule. Click into the field and select the IPS tags from the list. You can also type in the input field to narrow down the list to the tags whose names contain the characters you are typing. Click |
In the Actions section, click the slider switches to activate the actions you want to apply to traffic matching the rule:
Field |
Description |
|---|---|
Log |
Enable this option to log rule hits to syslog, IPFIX and the reporting. There the following additional logging options:
Select the severity of the event in the logs by clicking the respective button. You can assign high, medium or low severity or log the event as notice. |
Final Action |
Enable this option to specify how traffic matching this rule is to be handled. You can select one of the following options:
|
Asset Tag |
Enable this option to tag or untag assets that match the rule conditions:
|
Dynamic Network Object |
Enable this option to specify an action to be carried out for dynamic network objects:
For further information, see Dynamic Network Objects. |
Shape Traffic |
Enable this option to activate traffic shaping. Select the desired Scope from the drop-down list:
Enter the desired Bandwidth. Note that inbound and outbound bandwidth is seen from the perspective of Threat Defender. |
Add to Event Tracking Table |
Only available for rules in advanced correlation scenarios: Enable this option to add entries to an event tracking table. From the drop-down list, select the Event Tracking Table you want to add entries to. Specify what elements you want to add to the primary and secondary attributes of the new event in the respective drop-down lists. |
The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).