Cisco Expressway Maintenance Manual
3. Configure the category as required:
— State: whether protection for that category is enabled or disabled.
— Description: a free-form description of the category.
— Trigger level and Detection window: these settings combine to define the blocking threshold for the category. They specify the number of failed access attempts that must occur before the block is triggered, and the time window in which those failures must occur.
— Block duration: the period of time for which the block will remain in place.
4. Click Save.
Configuring Exemptions
The Automated detection exemptions page (System > Protection > Automated detection > Exemptions) is used to configure any IP addresses that are always to be exempted from one or more protection categories.
To configure exempted addresses:
1. Go to System > Protection > Automated detection > Exemptions.
2. Click on the Address you want to configure, or click New to specify a new address.
3. Enter the Address and Prefix length to define the range of IPv4 addresses you want to exempt.
4. Select the categories from which the address is to be exempted.
5. Click Add address.
Note that if you exempt an address that is currently blocked, it will remain blocked until its block duration expires (unless you unblock it manually via the Blocked addresses page).
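The category settings above (Trigger level, Detection window, Block duration) and the exemption rule just described can be modelled as a small sliding-window counter. The following is an added illustration, not Expressway's own code: timestamps are plain seconds, exemptions are given as address/prefix-length, and in a cluster each peer would keep its own instance, since each peer counts failures independently.

```python
from collections import deque
from ipaddress import ip_address, ip_network

class Category:
    """One detection category: trigger level, detection window, block duration (seconds)."""
    def __init__(self, name, trigger_level, detection_window, block_duration, exemptions=()):
        self.name = name
        self.trigger_level = trigger_level
        self.detection_window = detection_window
        self.block_duration = block_duration
        # exempted ranges given as address/prefix-length, e.g. "10.0.0.0/24" (constructed)
        self.exemptions = [ip_network(e, strict=False) for e in exemptions]
        self.failures = {}  # address -> deque of failure timestamps inside the window
        self.blocked = {}   # address -> time at which its block expires

    def is_exempt(self, addr):
        return any(ip_address(addr) in net for net in self.exemptions)

    def is_blocked(self, addr, now):
        # Exemptions are not consulted here: an address blocked before it was
        # exempted stays blocked until its block duration expires.
        expiry = self.blocked.get(addr)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[addr]   # block duration has elapsed
            return False
        return True

    def record_failure(self, addr, now):
        """Count one failed access attempt; return True if the address is blocked."""
        if self.is_blocked(addr, now):
            return True
        if self.is_exempt(addr):     # exempt addresses are never blocked
            return False
        window = self.failures.setdefault(addr, deque())
        window.append(now)
        while now - window[0] > self.detection_window:
            window.popleft()         # only failures inside the detection window count
        if len(window) >= self.trigger_level:
            self.blocked[addr] = now + self.block_duration
            window.clear()
            return True
        return False

    def unblock(self, addr, add_exemption=False):
        # manual unblock, optionally also adding the address to the exemption list
        self.blocked.pop(addr, None)
        if add_exemption:
            self.exemptions.append(ip_network(addr))
```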
Managing Blocked Addresses
The Blocked addresses page (System > Protection > Automated detection > Blocked addresses) is used to manage the addresses that are currently blocked by the automated protection service:
■ It shows all currently blocked addresses and from which categories those addresses have been blocked.
■ You can unblock an address, or unblock an address and at the same time add it to the exemption list. Note that if you want to permanently block an address, you must add it to the set of configured .
If you access this page via the links on the Automated detection overview page it is filtered according to your chosen category. It also shows the amount of time left before an address is unblocked from that category.
Investigating Access Failures and Intrusions
If you need to investigate specific access failures or intrusion attempts, you can review all the relevant triggering log messages associated with each category. To do this:
1. Go to System > Protection > Automated detection > Configuration.
2. Click on the name of the category you want to investigate.
3. Click View all matching intrusion protection triggers for this category.
The system will display all the relevant events for that category. You can then search through the list of triggering events for the relevant event details such as a user name, address or alias.
Automated Protection Service and Clustered Systems
When the automated protection service is enabled in a clustered system:
■ Each peer maintains its own count of connection failures and the trigger threshold must be reached on each peer for the intruder's address to be blocked by that peer.
Cisco Expressway Administrator Guide