Rules

Navigate to Policy > Rules to see an overview of all rules currently configured in the system. Rules are flow-specific, i.e. they are only applied to traffic flows matching the conditions specified in the rule.

The overview table displays the rules that are defined in the system and gives a summary of their configuration (for further information, see Rules Settings). The slider switch in the first column allows you to enable or disable the respective rule. The buttons in the last column allow you to edit or delete the rule.

You can hover the mouse on some of the entries in the Actions and Final Action columns to see a tooltip displaying the defined options.

Global rules, which are applied to all traffic, are placed at the top of the table. Rules used in correlation scenarios are grouped by scenario (see Advanced Correlation).

The rules are processed from top to bottom. It is therefore recommended to place more specific rules at the top of the table and rules that apply to a broader range of traffic at the bottom. To reorder global rules, click the ACTIVATE GLOBAL RULES REORDER button above the table. Move the rules to the desired positions using drag and drop.
Correlation scenarios can be reordered under Policy > Advanced Correlation.

To add a new global rule to the system, click the ADD GLOBAL RULE button above the overview table.

Global rules cannot be added to advanced correlation scenarios. To create rules for Advanced Correlation scenarios, you need to create them directly in the respective scenario. Click the name of the scenario to access its settings screen (see Advanced Correlation Scenario Settings). In the Rules tab, click ADD.

1. Rules Settings

When you add a new rule in a correlation scenario or edit an existing one, the settings screen is displayed.

The General section provides the following options:

Field Description
Enabled/Disabled The slider switch indicates whether the rule is enabled or disabled.
Name Enter the name of the rule.
Note Optional: Add a short description of the rule.
Statistics This section displays the number of hits per second of this rule in a time chart. By mouseover you can see the individual values in a tooltip.

In the Schedule section, you can specify a time frame during which the rule is active:

Field Description
Schedule (slider switch) Click the slider switch to enable a time schedule for the rule.
Include Click this button if you want the rule to be active during the selected period of time. Outside of this time period, the rule is inactive.
Exclude Click this button if you want the rule to be inactive during the selected period of time. Outside of this time period, the rule is active.
Schedule From the drop-down list, select the schedule you want to activate for the rule. You can only select one schedule at a time.
ADD SCHEDULE Click this button to open the schedule settings screen and create a new time schedule (see Schedules).

The Source & Destination section provides the following options:

Field Description
Source Networks Specify the source networks of the traffic flows to which the rule is to be applied. The default setting is Any, i.e. the rule matches traffic from all source networks. You can select static network objects (preceded by S:) and dynamic network objects (preceded by D:) here. You can also type in the input field to narrow down the list to the sources whose names contain the characters you are typing. Click the remove icon next to an element to remove individual networks from the selection.
Destination Networks Specify the destination networks of the traffic flows to which the rule is to be applied. The default setting is Any, i.e. the rule matches traffic directed to all destination networks. You can select static network objects (preceded by S:) and dynamic network objects (preceded by D:) here. You can also type in the input field to narrow down the list to the destinations whose names contain the characters you are typing. Click the remove icon next to an element to remove individual networks from the selection.
ADD DYNAMIC NETWORK OBJECT Click this button to open the dynamic network objects settings screen and create a new dynamic network object (see Dynamic Network Objects). If you click this button in a global rule, you create a global dynamic network object. If the rule belongs to an advanced correlation scenario, the dynamic network object will be created inside the scenario.
ADD STATIC NETWORK OBJECT Click this button to open the static network objects settings screen and create a new static network object (see Static Network Objects).

The Advanced Correlation Conditions section is only available for rules that are created in advanced correlation scenarios. It contains the following elements:

Field Description
Event in Event Tracking Table Enable this option to compare the traffic to the events in an event tracking table. From the drop-down list, select the Event Tracking Table you want to use for comparison. Click ADD EVENT TRACKING TABLE to open the event tracking tables settings screen and create a new table (see Event Tracking Tables). Select the elements you want to compare to the primary and secondary attributes of the events from the respective drop-down lists. The rule only matches the traffic if the comparison is successful.
Number of Similar Events in Event Tracking Table Enable this option to count the number of events in an event tracking table. From the drop-down list, select the Event Tracking Table you want to count the events in. Click ADD EVENT TRACKING TABLE to open the event tracking tables settings screen and create a new table (see Event Tracking Tables). Under Count all Entries with Primary Attribute equal to, specify which entries you want to count. Under Minimum Number of Entries, specify the minimum number of entries that have to be counted for the rule to match.

In the Conditions section, click the slider switches to enable the conditions you want to activate for the rule.

You can enable any number of rule conditions. Conditions are AND-connected: if you activate multiple conditions in a rule, the rule only matches if the traffic fulfills all active conditions.

When you enable a condition, dedicated input fields are displayed for this condition:

Field Description
Assets Enable this option to apply the rule to traffic generated by specific assets. Select the asset tags that you want to use as source and/or destination in the rule. You can create new tags by entering them in the fields. Click the remove icon next to an element to remove individual tags from the selection.
Users Enable this option to apply the rule to traffic generated by specific users. Click into the field and select the respective users from the list. You can also type in the input field to narrow down the list to the users whose names contain the characters you are typing. Click the remove icon next to an element to remove individual elements from the selection.
GeoIP Enable this option to check the traffic by Source Countries and/or Destination Countries. Click into the field and select the required countries from the list. You can also type in the input field to narrow down the list to the countries whose names contain the characters you are typing. Click the remove icon next to an element to remove individual countries from the selection. If you enable Include, the rule matches the selected countries. If you enable Exclude, the rule matches all but the selected countries.
Layer 4 Protocol Enable this option to check the traffic by the layer 4 protocols used. Click into the field and select the required protocols from the list. You can also type in the input field to narrow down the list to the protocols whose names contain the characters you are typing. Click the remove icon next to an element to remove individual elements from the selection.
Layer 4 Port Enable this option to check the traffic by the layer 4 ports used. Enter the Source Ports and/or Destination Ports into the fields. The port numbers have to be separated by commas.
Classification Enable this option to explicitly include or exclude applications and protocols in/from the rule. Click into the respective field and select the applications (preceded by A:) and protocols (preceded by P:) from the list. You can also type in the input fields to narrow down the list to the applications and protocols whose names contain the characters you are typing. Click the remove icon next to an element to remove individual elements from the selection. Threat Defender also provides groups of applications and protocols (preceded by G:). See the appendix for a list of the available groups.
Threat Indicators Enable this option to select threat intelligence indicators to include in the rule. Select the tags you want to include by clicking into the respective field and selecting the tags from the list. You can also type in the input fields to narrow down the list to the tags whose names contain the characters you are typing. Click the remove icon next to an element to remove individual elements from the selection.
Intrusion Prevention System Enable this option to specify the IPS rules that the rule is to be applied to. Click into the field and select the IPS tags from the list. You can also type in the input field to narrow down the list to the tags whose names contain the characters you are typing. Click the remove icon next to an element to remove individual elements from the selection.

In the Actions section, click the slider switches to activate the actions you want to apply to traffic matching the rule:

Field Description
Log Enable this option to log rule hits to syslog, IPFIX and reporting. Enable the Late Log option to log additional data when the flow has stopped. This way, the entire flow can be analyzed. Select the severity of the event in the logs by clicking the respective button. You can assign high, medium or low severity, or log the event as a notice.
Final Action Enable this option to specify how traffic matching this rule is to be handled. You can select one of the following options:
  • Allow Traffic and Skip to Next Scenario - Traffic matching this rule is permitted. No other rules are processed for this traffic.
  • Drop Traffic and Stop Processing - Traffic matching this rule is silently dropped and rule processing for this traffic ceases.
  • Reject Traffic and Stop Processing - Traffic matching this rule is actively rejected and rule processing for this traffic ceases.
Asset Tag Enable this option to tag assets that match the rule conditions. Select the Tag you want to assign or enter a new asset tag. Under Who, enter which communication participant will be tagged (i.e. the client, server or both).
Dynamic Network Object Enable this option to specify an action to be carried out for dynamic network objects:
  • Select the Operation you want to perform, i.e. add entries to or delete them from the Target Dynamic Network Object.
  • Under Host Identifier, specify what information is to be handled by the dynamic network object (IP addresses, MAC addresses, assets or all).
  • From the drop-down list, select Who the action is to be performed on (e.g. the client, server or both).
  • Specify the Target Dynamic Network Object that is the target of the operation. Click ADD DYNAMIC NETWORK OBJECT to create a new dynamic network object.
For further information, see Dynamic Network Objects.
Shape Traffic Enable this option to activate traffic shaping. Select the desired Scope from the drop-down list:
  • Select Global to shape all traffic matching the rule.
  • Select Host Inbound/Outbound to individually shape the inbound and outbound host traffic.
  • Select Host Aggregated to shape all host traffic.
Enter the desired Bandwidth. Note that inbound and outbound bandwidth is seen from the perspective of Threat Defender.
Add to Event Tracking Table Only available for rules in advanced correlation scenarios: Enable this option to add entries to an event tracking table. From the drop-down list, select the Event Tracking Table you want to add entries to. Specify what elements you want to add to the primary and secondary attributes of the new event in the respective drop-down lists.
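The following is an added illustration, not part of this documentation or the product's code: a small Python model of how a rule table behaves as described above. Rules are walked top to bottom, every enabled condition must hold (AND-connected), a rule without a Final Action only records a hit, and the first matching rule with a Final Action decides the flow. The Flow and Rule structures, the rule names and the network and country values are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Flow:  # constructed flow record for the demonstration, not a product structure
    src: str
    dst: str
    proto: str
    dport: int
    dst_country: str

@dataclass
class Rule:
    name: str
    final_action: Optional[str] = None            # "allow", "drop", "reject" or None (log only)
    src_nets: list = field(default_factory=list)  # empty == Any
    dst_nets: list = field(default_factory=list)  # empty == Any
    protos: set = field(default_factory=set)      # Layer 4 Protocol condition, if enabled
    dports: set = field(default_factory=set)      # Layer 4 (destination) Port condition, if enabled
    countries: set = field(default_factory=set)   # GeoIP Destination Countries, if enabled
    geo_exclude: bool = False                     # GeoIP Exclude: match all but the selected

def in_nets(addr, nets):
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)
def matches(rule, flow):
    # Conditions are AND-connected: every enabled condition must hold.
    checks = [in_nets(flow.src, rule.src_nets), in_nets(flow.dst, rule.dst_nets)]
    if rule.protos:
        checks.append(flow.proto in rule.protos)
    if rule.dports:
        checks.append(flow.dport in rule.dports)
    if rule.countries:
        hit = flow.dst_country in rule.countries
        checks.append(not hit if rule.geo_exclude else hit)
    return all(checks)

def process(rules, flow):
    """Top-to-bottom walk; first matching rule with a Final Action decides. Returns (action, hits)."""
    hits = []
    for rule in rules:
        if matches(rule, flow):
            hits.append(rule.name)
            if rule.final_action:
                return rule.final_action, hits
    return None, hits
# Constructed rule table: the specific DNS rule must sit above the broad drop rule.
RULES = [
    Rule("allow-internal-dns", "allow", src_nets=["10.0.0.0/8"],
         dst_nets=["10.0.0.53/32"], protos={"UDP"}, dports={53}),
    Rule("log-geo-ZZ", None, countries={"ZZ"}),  # log-only rule without a Final Action
    Rule("drop-rest", "drop", src_nets=["10.0.0.0/8"]),
]
```

Reversing RULES makes the broad drop rule shadow the DNS rule, which is why specific rules belong at the top of the table.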

The buttons at the bottom of the screen allow you to store your changes (SAVE) or to discard them (CANCEL).
