Cisco Web Security Appliance S170 User Guide
22-2
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 22 L4 Traffic Monitor
Configuring the L4 Traffic Monitor
• Known malware address. These addresses appear in the log files as “blacklist” addresses. They include any of the following addresses:
– Any IP address or hostname that the L4 Traffic Monitor Database determines to be a known malware site and not listed in the Allow List.
– Any IP address that is listed in the Additional Suspected Malware Addresses property and not listed in the Allow List and not determined to be ambiguous.
Note
You can define the Allow List and the Additional Suspected Malware Addresses properties on the Web Security Manager > L4 Traffic Monitor Policies page.
The L4 Traffic Monitor listens to and monitors network ports for rogue activity. It performs one of the following actions on all traffic on your network:
• Allow. It always allows traffic to and from known allowed and unlisted addresses.
• Monitor. It monitors traffic under the following circumstances:
– When the Action for Suspected Malware Addresses option is set to Monitor, it always monitors all traffic that is not to or from a known allowed address.
– When the Action for Suspected Malware Addresses option is set to Block, it monitors traffic to and from ambiguous addresses.
• Block. When the Action for Suspected Malware Addresses option is set to Block, it blocks traffic to and from known malware addresses.
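The following Python is an added example, not code from the Cisco guide or from AsyncOS, that models the address classification and the Allow/Monitor/Block rules stated above so the precedence can be checked against sample data. It assumes the Allow List, the Additional Suspected Malware Addresses property, the database's known-malware matches and the set of addresses already determined to be ambiguous (this page does not say how ambiguity is decided) are all supplied as plain sets of IP or hostname strings; it evaluates only the remote address of a connection, and it reads the Monitor rule literally, so an unlisted address is logged as monitored in Monitor mode. All addresses below are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """How the L4 Traffic Monitor classifies one address."""
    KNOWN_ALLOWED = "known allowed"
    KNOWN_MALWARE = "known malware"   # logged as a "blacklist" address
    AMBIGUOUS = "ambiguous"
    UNLISTED = "unlisted"


class Action(Enum):
    """Value of the Action for Suspected Malware Addresses option."""
    MONITOR = "monitor"
    BLOCK = "block"


class Verdict(Enum):
    ALLOW = "allow"
    MONITOR = "monitor"   # traffic passes but is logged
    BLOCK = "block"


@dataclass
class L4TMPolicy:
    allow_list: set            # Allow List (IP addresses or hostnames)
    suspected_malware: set     # Additional Suspected Malware Addresses
    database_malware: set      # addresses the L4TM database flags as known malware
    ambiguous: set             # addresses already determined to be ambiguous (assumed input)
    action: Action

    @staticmethod
    def _norm(addr: str) -> str:
        # Hostnames are case-insensitive; compare everything lower-cased.
        return addr.strip().lower()

    def classify(self, addr: str) -> Category:
        a = self._norm(addr)
        # The Allow List wins over every other list, as the page states for both malware rules.
        if a in map(self._norm, self.allow_list):
            return Category.KNOWN_ALLOWED
        # Database match not on the Allow List -> known malware.
        if a in map(self._norm, self.database_malware):
            return Category.KNOWN_MALWARE
        # Additional Suspected Malware Address, not allowed and not ambiguous -> known malware.
        if a in map(self._norm, self.suspected_malware) and a not in map(self._norm, self.ambiguous):
            return Category.KNOWN_MALWARE
        if a in map(self._norm, self.ambiguous):
            return Category.AMBIGUOUS
        return Category.UNLISTED

    def verdict(self, remote_addr: str) -> Verdict:
        cat = self.classify(remote_addr)
        if self.action is Action.MONITOR:
            # Monitor mode: only traffic to or from a known allowed address escapes logging.
            return Verdict.ALLOW if cat is Category.KNOWN_ALLOWED else Verdict.MONITOR
        # Block mode: block known malware, monitor ambiguous, allow the rest.
        if cat is Category.KNOWN_MALWARE:
            return Verdict.BLOCK
        if cat is Category.AMBIGUOUS:
            return Verdict.MONITOR
        return Verdict.ALLOW


def log_label(cat: Category) -> str:
    """Label the guide says appears in the log files for a category (only 'blacklist' is given here)."""
    return "blacklist" if cat is Category.KNOWN_MALWARE else cat.value


def build_policy(action: Action) -> L4TMPolicy:
    """Constructed sample lists (documentation ranges, not real indicators)."""
    return L4TMPolicy(
        allow_list={"updates.example.com", "198.51.100.10"},
        suspected_malware={"192.0.2.44", "198.51.100.10", "192.0.2.99"},
        database_malware={"203.0.113.7", "bad.example.net"},
        ambiguous={"192.0.2.99"},
        action=action,
    )


if __name__ == "__main__":
    for action in Action:
        pol = build_policy(action)
        print(f"Action for Suspected Malware Addresses = {action.value}")
        for addr in ["198.51.100.10", "203.0.113.7", "192.0.2.44", "192.0.2.99", "192.0.2.1"]:
            cat = pol.classify(addr)
            print(f"  {addr:16} {log_label(cat):14} -> {pol.verdict(addr).value}")
```

Note that 198.51.100.10 is on both the Allow List and the Additional Suspected Malware Addresses list and still ends up known allowed, which is the precedence the two malware rules above imply; switching the action from Block to Monitor changes only which addresses are logged, never which are blocked.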
The L4 Traffic Monitor Database
The L4 Traffic Monitor uses and maintains its own internal database. This database is continuously updated with matched results for IP addresses and domain names. Additionally, the database table receives periodic updates from the Cisco IronPort update server at the following location:
https://update-manifests.ironport.com
For information about update intervals and the Cisco IronPort update server, see .
Configuring the L4 Traffic Monitor
The L4 Traffic Monitor can be enabled as part of an initial system setup using the System Setup Wizard. By default, the L4 Traffic Monitor is enabled and set to monitor traffic on all ports. This includes DNS and other services.
Note
To monitor true client IP addresses, the L4 Traffic Monitor should always be configured inside the firewall and before network address translation (NAT). For more information about deploying the L4 Traffic Monitor, see .
You can configure the following settings: