Threat Defender can be set up to learn what behavior is normal during a fixed period of time, the learning phase. When this learning phase is over, Threat Defender enforces the learned behavior, allowing only the learned communication and rejecting everything else.
The learning phase is established using a schedule. During this phase, Threat Defender operates like a normal switch but gathers data about the devices in the network and their communication paths. Once this learning phase is completed, Threat Defender can use this behavior data to make filtering decisions to allow learned traffic patterns and reject unknown traffic.
2. Creating the "Learning Phase" Schedule
Set up a schedule that defines the learning phase.
- Navigate to Policy > Schedules.
- Click ADD to add a new schedule.
- Enter a Name, e.g.
- Optional: Enter a Note.
- Enter the validity period using the date pickers under Valid from and Valid until.
- Click ADD TIME RANGE to set a time during which the schedule is applied. You can add multiple time ranges.
- Under Repeat, specify how often the learning phase is to be repeated automatically.
- Click SAVE to store the schedule.
3. Creating the Correlation Scenario
First, create the correlation scenario that provides the framework for the required event tracking table and rule set.
- In the WebGUI, navigate to Policy > Advanced Correlation.
- Click ADD to create a new scenario.
- Enter a Name and an optional Note.
- Click SAVE.
4. Creating the Event Tracking Table
In the correlation scenario, create an event tracking table. It stores the combinations of source (client) and destination (server) MAC address.
The following table shows the required settings of the event tracking table (the column headings survived extraction, the values did not):

| Name | Retention Time | Primary Attribute Type | Max. No. Primary | Secondary Attribute Type | Max. No. Secondary |
|------|----------------|------------------------|------------------|--------------------------|--------------------|
- Under Maximum Number of Primary Attributes, make sure that the table is large enough to fit your network.
- Adapt the Retention Time for Event Tracking to the desired repetition interval of the learning phase. Set it to 0 if you want to store the entries indefinitely.
For detailed instructions on how to create an event tracking table, refer to Creating an Event Tracking Table.
5. Creating the Rule Set
In the correlation scenario, the following rules are needed for Threat Defender to learn traffic patterns and filter out any unknown traffic.
- Rule 1 is only applied during the learning phase. It tracks the source and destination of the traffic in the event tracking table. Outside the learning phase, this rule is ignored.
- Rule 2 is only applied outside the learning phase. If the source and destination of the detected traffic are contained in the event tracking table, the traffic is allowed. No further rules in this correlation scenario are processed for the respective traffic flows.
- Rule 3 is only applied outside the learning phase. It blocks all remaining traffic, i.e. traffic that does not match the learned communication paths.
| Rule | Advanced Correlation Conditions | Action |
|------|---------------------------------|--------|
| Rule 1 | | Add to Event Tracking Table |
| Rule 2 | Event in Event Tracking Table | Allow Traffic and Skip to Next Scenario |
| Rule 3 | | Drop Traffic and Stop Processing |
Click the APPLY CHANGES button in the header to activate your configuration changes.
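The following model shows how the three rules, the schedule and the event tracking table interact once the configuration is active. It is an added example written for this page, not Threat Defender code, and it makes some assumptions: the schedule is modelled as a single validity window, the primary attribute is the source MAC and the secondary attribute the destination MAC, the retention time is measured from the last time a pair was seen (0 meaning never expire), and the "Max. No." limits cap the number of primary entries and of secondary entries per primary. All MAC addresses, dates and flows are constructed.

```python
"""Learning-phase allowlist built on an event tracking table (added example,
not vendor code). Rule 1 tracks (source, destination) pairs during the
learning phase, Rule 2 allows known pairs afterwards, Rule 3 drops the rest."""
from datetime import datetime, timedelta


class Schedule:
    """One validity window; 'active' models 'inside the learning phase'."""

    def __init__(self, valid_from, valid_until):
        self.valid_from, self.valid_until = valid_from, valid_until

    def active(self, now):
        return self.valid_from <= now < self.valid_until


class EventTrackingTable:
    """Primary attribute: source MAC; secondary attribute: destination MAC."""

    def __init__(self, retention_seconds, max_primary, max_secondary):
        # Assumption: retention 0 means entries are kept indefinitely.
        self.retention = timedelta(seconds=retention_seconds) if retention_seconds else None
        self.max_primary = max_primary
        self.max_secondary = max_secondary
        self._entries = {}  # src_mac -> {dst_mac: last_seen}

    def _expire(self, now):
        """Assumption: an entry ages out 'retention' after it was last seen."""
        if self.retention is None:
            return
        for src in list(self._entries):
            dsts = self._entries[src]
            for dst in list(dsts):
                if now - dsts[dst] > self.retention:
                    del dsts[dst]
            if not dsts:
                del self._entries[src]

    def add(self, src, dst, now):
        """Rule 1 action 'Add to Event Tracking Table'. Returns False when a
        size limit prevents the pair from being learned (undersized table)."""
        self._expire(now)
        dsts = self._entries.get(src)
        if dsts is None:
            if len(self._entries) >= self.max_primary:
                return False
            dsts = self._entries[src] = {}
        if dst not in dsts and len(dsts) >= self.max_secondary:
            return False
        dsts[dst] = now
        return True

    def contains(self, src, dst, now):
        """Rule 2 condition 'Event in Event Tracking Table'."""
        self._expire(now)
        return dst in self._entries.get(src, {})


def evaluate(table, schedule, src, dst, now):
    """Run one flow through the scenario; returns the resulting action."""
    if schedule.active(now):
        table.add(src, dst, now)      # Rule 1: learn, traffic passes as on a switch
        return "LEARN"
    if table.contains(src, dst, now):
        return "ALLOW"                # Rule 2: known pair, skip to next scenario
    return "DROP"                     # Rule 3: everything else, stop processing


def run_demo():
    """Seven-day learning phase, then enforcement (constructed flows)."""
    start = datetime(2024, 1, 1)
    schedule = Schedule(start, start + timedelta(days=7))
    table = EventTrackingTable(retention_seconds=0, max_primary=1000, max_secondary=64)
    flows = [  # (day offset, client MAC, server MAC), all constructed
        (1, "00:11:22:33:44:01", "00:11:22:33:44:fe"),  # learned
        (2, "00:11:22:33:44:02", "00:11:22:33:44:fe"),  # learned
        (8, "00:11:22:33:44:01", "00:11:22:33:44:fe"),  # known pair -> allow
        (8, "00:11:22:33:44:99", "00:11:22:33:44:fe"),  # unknown client -> drop
        (9, "00:11:22:33:44:01", "00:11:22:33:44:aa"),  # known client, new server -> drop
    ]
    return [evaluate(table, schedule, s, d, start + timedelta(days=off)) for off, s, d in flows]


def run_retention_demo():
    """With a two-day retention, a pair learned on day 1 has aged out by day 8."""
    start = datetime(2024, 1, 1)
    schedule = Schedule(start, start + timedelta(days=7))
    table = EventTrackingTable(retention_seconds=2 * 86400, max_primary=1000, max_secondary=64)
    pair = ("00:11:22:33:44:01", "00:11:22:33:44:fe")
    evaluate(table, schedule, *pair, start + timedelta(days=1))
    return evaluate(table, schedule, *pair, start + timedelta(days=8))


def table_limit_demo():
    """An undersized table silently stops learning once its limits are hit."""
    now = datetime(2024, 1, 1)
    table = EventTrackingTable(retention_seconds=0, max_primary=1, max_secondary=1)
    return (table.add("a", "b", now), table.add("a", "c", now), table.add("d", "e", now))


if __name__ == "__main__":
    print(run_demo(), run_retention_demo(), table_limit_demo())
```

The two failure modes the procedure warns about are visible in the model: a retention time shorter than the repetition interval lets learned pairs expire before the next learning phase, so legitimate traffic is dropped, and a table with too few primary or secondary slots stops learning without any rule firing, so the missing pairs are dropped later as well.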
During the learning phase, Threat Defender learns which source and destination hosts are permitted to establish connections with each other.
When the learning phase is completed, Threat Defender investigates all traffic and only allows the connections it identified during the learning phase.