
UnityOne

Local Security Manager


Users Guide

Version 2.1

Part Number: TECHD-0000000014


Publication Control Number: 030305
UnityOne is a registered trademark of TippingPoint Technologies, Inc. TippingPoint, TippingPoint
Technologies and the TippingPoint Technologies logo are also registered trademarks of TippingPoint
Technologies.
This document contains confidential information or trade secrets or both, which are the property of
TippingPoint Technologies, Inc. This document may not be copied, reproduced, or transmitted to others
in any manner, nor may any use of the information in this document be made, except for the specific
purposes for which it is transmitted to the recipient, without the prior consent of TippingPoint
Technologies, Inc.
Copyright 2005 TippingPoint Technologies, Inc.

Table of Contents

About This Guide ..... xi
    Welcome to the UnityOne LSM ..... xi
    Target Audience ..... xi
    Organization ..... xii
    Conventions ..... xiii
    Cross References ..... xiii
    Typeface ..... xiv
    Procedures ..... xiv
    Screen Captures ..... xiv
    Messages ..... xv
    Related Documentation ..... xvi
    Online Help ..... xvii
    Customer Support ..... xviii

Overview ..... 1
    UnityOne System ..... 2
    UnityOne Architecture ..... 3
    SMS Client ..... 3
    SMS Server ..... 4
    Threat Suppression Engine ..... 5
    IPS Devices ..... 6
    Local Clients ..... 7
    Local Security Manager Overview ..... 8
    Filters Page ..... 8
    Logs Page ..... 9
    Configure Page ..... 9
    Monitor Page ..... 9
    Update Page ..... 9
    Admin Page ..... 10
    Getting Started ..... 11
    System Requirements ..... 12
    SMS Configuration ..... 12

LSM Navigation ..... 13
    Security Notes ..... 14
    Logging In ..... 14
    Login Screen ..... 14

LSM Users Guide V 2.1

    Session Time-out ..... 15
    Logging Off ..... 16
    LSM Screen Layout ..... 16
    Launch Bar ..... 16
    System Stats ..... 17
    Main Pane ..... 21

Filters ..... 23
    Filters Page ..... 25
    Managing Filters ..... 25
    Viewing Filters ..... 26
    Searching Filters ..... 28
    Creating New Filters ..... 29
    Editing a Group of Filters ..... 30
    Deleting Filters ..... 30
    Application Protection ..... 31
    Attack Protection Filters ..... 32
    Reconnaissance Filters ..... 36
    Security Policy Filters ..... 43
    Informational Filters ..... 46
    Application Settings ..... 49
    Infrastructure Protection ..... 55
    Advanced DDoS Filters ..... 56
    Advanced DDoS Filters for UnityOne-5000E ..... 64
    Network Equipment Protection Filters ..... 69
    Traffic Normalization Filters ..... 72
    Traffic Threshold Filters ..... 77
    Performance Protection ..... 83
    Misuse and Abuse Filters ..... 84
    Traffic Management Filters ..... 88
    Performance Protection Settings ..... 93
    Category Settings ..... 94
    Enabling Filters ..... 98
    Disabling Filters ..... 99
    Action Sets ..... 100
    Rate Limiting ..... 102
    Notification Contacts ..... 106
    Alert Aggregation ..... 107
    Setting Preferences ..... 108

Logs ..... 113
    Logs Page ..... 114
    LSM Logs ..... 114
    Alert Log ..... 115

    Block Log ..... 116
    Misuse & Abuse Log ..... 117
    System Log ..... 118
    Audit Log ..... 119
    Packet Trace Log ..... 120
    Managing Logs and Reports ..... 121
    Viewing Logs and Reports ..... 122
    Downloading Log Files ..... 122
    Printing Log Files ..... 124
    Resetting Log Files ..... 125
    Searching Log Files ..... 125
    More Reports ..... 126
    Reports Preferences ..... 132

Configure ..... 135
    Configure Page ..... 136
    Segment Configuration ..... 137
    Segment INHA ..... 138
    Link-Down Synchronization ..... 139
    Configure a Segment ..... 139
    Management Port Configuration ..... 142
    Management Port Options ..... 143
    Management Port Services ..... 145
    Command Line Interface (CLI) ..... 145
    Web Interface (LSM and SMS) ..... 147
    Routing Options ..... 147
    Time Options ..... 148
    Time Zones ..... 149
    Internal CMOS Clock ..... 151
    SNTP Server ..... 152
    SMS and NMS Configuration ..... 152
    Network High Availability ..... 155
    INHA Configuration ..... 157
    TNHA Configuration ..... 158
    TSE Configuration ..... 159
    TSE General Configuration ..... 159
    TSE Adaptive Filter Configuration ..... 161
    TSE Blocked Streams ..... 163
    TSE Rate Limited Streams ..... 165
    TSE Non Standard Ports ..... 167
    TSE Blacklisted Streams ..... 170

Monitor ..... 173
    Monitor Page ..... 174

    Device Health ..... 175
    Device Health ..... 175
    Performance/Throughput ..... 177
    Module Health ..... 179
    High Availability ..... 180
    Multi-Zone Defense ..... 181
    Intrinsic Network HA Health ..... 182
    Monitor Preferences ..... 183
    Major Levels ..... 184
    Critical Levels ..... 184
    Discovery Scans ..... 185
    Discover Page ..... 186
    Preparing for Scans ..... 186
    Performing Scans ..... 187
    Schedule Scans ..... 191

Update ..... 193
    Update Page ..... 194
    Threat Management Center ..... 195
    Filter Updates ..... 195
    Software Updates ..... 196
    Persistent Settings ..... 197
    Update States ..... 197
    Software Rollbacks ..... 200
    Persistent Settings ..... 200
    Deleting Previous Versions ..... 202
    Device Snapshots ..... 202

Administration ..... 205
    Admin Page ..... 206
    Access to Admin Functions ..... 207
    User Access Level ..... 207
    Account Security Access ..... 208
    Security Level Capabilities ..... 208
    Managing Users ..... 209
    Valid User Data ..... 209
    User Security Preferences ..... 212
    Web Idle Timeout ..... 213
    Security Level ..... 213
    Password Expiration ..... 214
    Max Login Attempts ..... 214
    Viewing Audit and System Logs ..... 216

Open Source Licenses ..... 217
    Open Source Licenses ..... 217
    Required Statements ..... 218
    License Texts ..... 219
    Apache License ..... 219
    Gnu Public License (GPL) ..... 220
    BSD License ..... 225
    gSOAP Public License ..... 226

Browser Certificates ..... 237
    Overview ..... 237
    Client Authentication Message ..... 238
    Security Alert ..... 239
    Certificate Authority ..... 240
    Invalid Certificate Name ..... 243
    Example - Creating Personal Certificate ..... 245

Troubleshooting ..... 247
    Overview ..... 247
    IPS Port Out-of-Service ..... 247

Log Formats ..... 249
    Overview ..... 249
    Log Format ..... 249
    Remote Syslog Log Format ..... 250

Glossary ..... 253

Index ..... 260

List of Procedures

About This Guide

Overview

LSM Navigation
    Log in to the LSM ..... 15

Filters
    Search for a Filter ..... 28
    Create a New Filter ..... 29
    Edit a Group of Filters ..... 30
    Delete a Filter ..... 31
    Edit an Attack Protection Filter ..... 34
    Edit a Vulnerability Probing Filter ..... 40
    Edit a Port Scans/Host Sweeps Filter ..... 42
    Edit a Security Policy Filter ..... 45
    Edit an Informational Filter ..... 48
    Create a Filter Exception ..... 51
    Delete a Filter Exception ..... 51
    Limit Filters to IP Addresses ..... 54
    Create a Global Exception ..... 54
    Delete a Global Setting ..... 55
    Create an Advanced DDoS Filter ..... 60
    Edit an Advanced DDoS Filter ..... 62
    Create an Advanced DDoS Filter for the UnityOne-5000E ..... 67
    Edit an Advanced DDoS Filter for the UnityOne-5000E ..... 68
    Edit a Network Equipment Protection Filter ..... 70
    Edit a Normalization Filter ..... 75
    Create a Traffic Threshold Filter ..... 80
    Edit a Traffic Threshold Filter ..... 82
    Reset a Traffic Threshold Filter ..... 83
    Edit a Misuse and Abuse Filter ..... 87
    Create a Traffic Management Filter ..... 91
    Edit a Traffic Management Filter ..... 92
    Limit a Performance Protection Filter to Specific IP Addresses ..... 94
    Delete a Performance Protection Setting ..... 94
    Add a Global Category Setting ..... 96
    Edit a Segmental Category Setting ..... 97
    Delete a Segmental Category Setting ..... 98
    Enable a Filter Category ..... 98
    Enable a Single Filter (Override Category Control) ..... 98
    Disable a Filter Category ..... 99
    Disable a Single Attack Filter (Override Category Control) ..... 99
    Create an Action Set ..... 104
    Edit an Action Set ..... 105
    Set Email Preferences ..... 108
    Create a Notification Contact ..... 108
    Edit a Notification Contact ..... 109
    Configure the Remote System Log Contact ..... 110
    Configure the SMS Contact ..... 111
    Configure the Management Console Contact ..... 111
    Configure the LSM Contact ..... 111
    Delete a Notification Contact ..... 111

Logs
    View Logs and Reports ..... 122
    Download a Log File ..... 123
    Print a Log ..... 125
    Reset a Log ..... 125
    Search a Log ..... 126
    View the Top Ten Filters Report ..... 128
    View the Attack Reports ..... 129
    View the Traffic Profile Report ..... 129
    View the Rate Limit Report ..... 130
    View the Traffic Threshold Report ..... 130
    View a DDoS Report ..... 131
    Select a Report Background Color ..... 132

Configure
    View Segment Information ..... 138
    Configure a Segment (including INHA) ..... 141
    Reboot the IPS ..... 144
    Change Management Port Configuration ..... 144
    Enable the Command Line Interface (CLI) ..... 146
    Configure the NMS ..... 146
    Enable the Web Server (LSM and SMS) ..... 147
    Add a Network Route ..... 148
    Set the IPS Time Zone ..... 149
    Set the Internal CMOS Clock Time ..... 151
    Define Primary and Secondary SNTP Servers ..... 152
    View or Configure SMS Information ..... 154
    View or Configure NMS Information ..... 155
    Configure INHA ..... 156
    Configure TNHA ..... 156
    Configure the TSE Connection Table Timeout ..... 160
    Configure the TSE Asymmetric Network ..... 161
    Configure the TSE Adaptive Filter Setting ..... 163
    Search Blocked Streams ..... 164
    Flush All Blocked Streams ..... 164
    Flush Selected Blocked Streams ..... 165
    Search Rate Limited Streams ..... 166
    Flush All Rate Limited Streams ..... 167
    Flush Selected Rate Limited Streams ..... 167
    Add a Non-Standard Port ..... 169
    Delete a Non-Standard Port ..... 169
    Search Blacklisted Streams ..... 171
    Flush All Blacklisted Streams ..... 171
    Flush Selected Blacklisted Streams ..... 171

Monitor
    Set Monitor Preferences ..... 184
    Reset Monitor Preferences ..... 185
    Prepare a Segment for Scanning ..... 187
    Perform a Manual Scan ..... 189
    Check Scan Progress ..... 189
    Stop a Scan in Progress ..... 190
    View Scan Details ..... 190
    Rescan a Single Host ..... 190
    Edit Scan Details ..... 190
    Delete Scan Results ..... 191
    Schedule a Scan ..... 191
    View Scheduled Scans ..... 192

Update
    Download a Filter Update ..... 195
    Install a Filter Update ..... 196
    Download a Software Update ..... 199
    Install a Software Update ..... 199
    Perform a Software Rollback ..... 201
    Delete Old Versions from Previous OS Versions Window ..... 202
    Create a Snapshot ..... 203
    Import a Snapshot ..... 203
    Restore a Snapshot ..... 204
    Export a Snapshot ..... 204
    Delete a Snapshot ..... 204

Administration
    Change Your Password ..... 211
    Create a New User ..... 211
    Modify an Existing User ..... 212
    Delete an Existing User ..... 212
    Set User Preferences ..... 214

Open Source Licenses

Browser Certificates
    Creating a Personal Certificate ..... 238
    Installing the Personal Certificate ..... 239

Troubleshooting

Log Formats

About This Guide


Explains who this guide is intended for, how the information is organized, where information
updates can be found, and how to obtain customer support if you cannot resolve a problem.

Welcome to the UnityOne LSM

Welcome to the TippingPoint (TP) UnityOne Local Security Manager (LSM). The LSM is the control
center from which you can configure, monitor, and report on the UnityOne Intrusion Prevention
System (IPS) devices in your network.
This section covers the following topics:
Target Audience on page xi
Conventions on page xiii
Related Documentation on page xvi
Customer Support on page xviii

Target Audience
This guide is intended for administrators who manage one or more Intrusion Prevention System (IPS)
devices.


Knowledge, Skills, and Abilities

This guide assumes you, the reader, are familiar with general networking concepts and the following
standards and protocols:

TCP/IP
UDP
ICMP
Ethernet
Simple Network Time Protocol (SNTP)
Simple Mail Transport Protocol (SMTP)
Simple Network Management Protocol (SNMP)

Organization
The UnityOne Local Security Manager Users Guide is organized as follows:

About the Guide
Explains who this book is intended for, how the information is organized, where information updates
can be found, and how to obtain customer support if you cannot resolve a problem.

Overview
Details the UnityOne system and LSM application, user interface, and login procedures. You should
review this section to understand how to navigate through the application.

Navigation
Details the UnityOne system user interface and steps for logging in and navigating the system.

Filters
Details the information and instructions for managing filters. The sections include important
instructions for tuning, copying, and customizing filters, exceptions, action sets, and notification
contacts.

Logs
Details information and instructions for reviewing and managing compiled logs. These logs include
the alert, block, peer-to-peer, system, audit, and packet trace logs. The sections also include
information on generating reports of system behavior.

Discovery
Details the options for performing and scheduling discovery scans of hosts on your device.

Configure
Details the configuration settings and instructions for an IPS device and its segments. The sections
include important information on management port settings, routing options, time options, setting for
the SMS and NMS, network high availability (INHA and TNHA), and the Threat Suppression Engine
(TSE).


Monitor
Details information for reviewing system behavior and device health. The section includes information
on possible health problems your device may have according to status indicators.

Update
Details instructions and information for updating the LSM software and Digital Vaccine package
updates for the LSM.

Administration
Details the administration information for creating and managing user accounts. The section also
includes details on reviewing system and audit logs.

Appendix - Open Source License
Provides the open source licenses for products and components used to develop the LSM.

Appendix - Browser Certificates
Provides information for creating and importing web browser certificates for the LSM.

Appendix - Troubleshooting
Provides troubleshooting information for the LSM.

Appendix - Log Formats
Provides the formats for downloaded logs in the LSM.

Glossary
Defines terms for the UnityOne and LSM system.

Conventions
This guide follows several procedural and typographical conventions to better provide clear and
understandable instructions and descriptions. These conventions are described in the following
sections.
This book uses the following conventions for structuring information:

Cross References
Typeface
Procedures
Messages

Cross References
When a topic is covered in depth elsewhere in this guide, or in another guide in this series, a cross
reference to the additional information is provided. Cross references help you find related topics and
information quickly.


Internal Cross References
This guide is designed to be used as an electronic document. It contains cross references to other
sections of the document that act as hyperlinks when you view the document online. The following text
is a hyperlink: Procedures.

External Cross References
Cross references to other publications are not hyperlinked. These cross references will take the form:
see <chapter name> in the Publication Name.

Typeface
This guide uses the following typeface conventions:
Bold: used for the names of screen elements like buttons, drop-down lists, or fields. For example,
when you are done with a dialog, you would click the OK button. See Procedures below for an example.
Code: used for text a user must type to use the product.
Italic: used for guide titles, variables, and important terms.
Hyperlink: used for cross references in a document or links to a web site.

Procedures
This guide contains several step-by-step procedures that tell you how to perform a specific task. These
procedures always begin with a phrase that describes the task goal, followed by numbered steps that
describe what you must do to complete the task.
The beginning of every chapter has cross references to the procedures that it contains. These cross
references, like all cross references in this guide, are hyperlinked.

Menu Navigation
The LSM provides drop-down menu lists to navigate and choose items in the user interface. Each
instruction that requires moving through the menus uses an arrow (>) to indicate the movement.
For example, Edit > Details indicates selecting the Edit drop-down menu and then selecting
the Details option.

Sample Procedure
STEP 1 Click the Filters tab.
STEP 2 Place your mouse cursor over the Open menu.

Screen Captures
The instructions and descriptions in this document include images of screens. These screen captures
may be cropped, focusing on specific sections of the application, such as a pane, list, or tab. Refer to the
application for full displays of the application.


Messages
Messages are special text that are emphasized by font, format, and icons. There are four types of
messages in this guide:

Warning
Caution
Note
Tip

A description of each message type with an example message follows.

Warning
Warnings tell you how to avoid physical injury to people or equipment. You should carefully consider
this information prior to enacting actions or procedures that could potentially harm your staff, data, or
security.
WARNING: Do not store your user name and password on your workstation, in
your personal effects, or anywhere in or around your work area. If you store your
user name and password in any of these locations, your system security may be
compromised.

Caution
Cautions tell you how to avoid a serious loss that could cause physical damage such as the loss of data,
time, or security. You should carefully consider this information when determining a course of action
or procedure.
CAUTION: You should disable password caching in the browser you use to access the
LSM. If you do not disable password caching in your browser, and your workstation is not
secured, your system security may be compromised.

Note
Notes tell you about information that might not be obvious or that does not relate directly to the
current topic, but that may affect relevant behavior.
Note: If the IPS is not currently under SMS control, you can find out the IP
address of the last SMS that was in control by checking your Audit log from the
Logs page.

Tip
Tips are suggestions about how you can perform a task more easily or more efficiently.
Tip: You can see what percentage of disk space you are using by checking the
Monitor page.


Related Documentation
The UnityOne systems have a full set of documentation. These publications are available in electronic
format on your installation CDs. For the most recent updates, check the Threat Management Center
(TMC) web site at https://tmc.tippingpoint.com.

Table ii - 1: UnityOne Documents

Audience: Hardware Technicians
    Publication: Quick Start UnityOne-50; Quick Start UnityOne-50 Thumbdrive; Quick Start UnityOne-100E;
    Quick Start UnityOne-100E Thumbdrive; Quick Start UnityOne-5000E; Quick Start UnityOne 200/400/1200/2400
    Location: printed version in the UnityOne box, UnityOne Documentation CD, https://tmc.tippingpoint.com

    Publication: UnityOne-50 Installation and Configuration Guide; UnityOne-50 Thumbdrive Installation and
    Configuration Guide; UnityOne-100E Installation and Configuration Guide; UnityOne-100E Thumbdrive
    Installation and Configuration Guide; UnityOne-5000E Installation and Configuration Guide;
    UnityOne 200/400/1200/2400 Installation and Configuration Guide; UnityOne Zero Power High Availability
    Installation Guide; UnityOne Modular Fiber/Copper ZPHA Installation Guide
    Location: UnityOne Documentation CD, https://tmc.tippingpoint.com

    Publication: UnityOne Security Manager System Quick Start Guide
    Location: printed version in the UnityOne box, UnityOne Documentation CD, https://tmc.tippingpoint.com,
    LSM server

Audience: System Administrators
    Publication: UnityOne Local Security Manager Users Guide
    Location: UnityOne Documentation CD, https://tmc.tippingpoint.com

    Publication: UnityOne Local Security Manager Online Help
    Location: available in the LSM application

    Publication: UnityOne Command Line Interface Reference
    Location: UnityOne Documentation CD, https://tmc.tippingpoint.com

    Publication: UnityOne Security Manager System Quick Start Guide
    Location: hard copy in the shipping materials, UnityOne Documentation CD, https://tmc.tippingpoint.com

    Publication: UnityOne Security Management System Users Guide
    Location: UnityOne Documentation CD, https://tmc.tippingpoint.com, and on the SMS server

    Publication: UnityOne Security Management System Online Help
    Location: available in the SMS application

    Publication: UnityOne SMS Web Services API
    Location: UnityOne Documentation CD, https://tmc.tippingpoint.com, and on the SMS server

    Publication: Third Party Management for UnityOne IPS
    Location: UnityOne Documentation CD, https://tmc.tippingpoint.com

Online Help
Each window and dialog box in the LSM application includes a Help button for accessing the online help.
In the Launch Bar of the application, the Help button opens the main welcome page to the online help.
You can also click the Help button on each page of the application to review context-sensitive topics.
Figure ii - 1: Help Icon and Button (opens the online help at the opening page)

If you have problems finding help on a particular subject, you can review the Index or use the Search
tab in the navigation pane. Each page also includes related topic links to find more information on
particular subjects and functions.


Customer Support
The TippingPoint Technologies technical support phone number is 1-866-681-8324 (866-681-TECH).
TippingPoint is committed to providing quality customer support to all of its customers. Each
customer is provided with a customized support agreement that provides detailed customer and
support contact information. For the most efficient resolution of your problem, please take a moment
to gather some basic information from your records and from your system before contacting TP
customer support.

Table 3: Customer Support Information

Information: Your customer number
Location: You can find this number on your Customer Support Agreement and on the shipping invoice
that came with your UnityOne system.

Information: Your IPS serial number
Location: You can find this number on the shipping invoice that came with your UnityOne system.

Information: Your IPS software version number
Location: You can find this information in the LSM in the System Stats frame, in the Update tab, or by
using the CLI show version command.

Information: Your IPS system boot time
Location: You can find this information in the LSM in the System Stats frame.

Overview
The UnityOne is a high-speed, comprehensive security system that includes Intrusion Prevention
System (IPS) devices with a browsable manager called the Local Security Manager (LSM). The
Overview section provides an overview of the LSM functions and use in the UnityOne system.

Overview
Enterprise security schemes once consisted of a conglomeration of disparate, static devices from
multiple vendors. Today, TippingPoint's (TP) UnityOne security system provides the advantages of a
single, integrated, highly adaptive security system that includes powerful hardware and an intuitive
management interface.
This section details the UnityOne system, LSM, IPS devices, and how they all work together to provide a
quality system for the prevention of malicious attacks on your network. See Chapter 2 LSM
Navigation for more information on the user interface and accessing the system.
LSM Overview includes the following topics:
UnityOne System on page 2
UnityOne Architecture on page 3
Local Security Manager Overview on page 8
Getting Started on page 11
Note: Check the Release Notes for specific limitations and known issues regarding
the current release.


UnityOne System
The principal components of the UnityOne are the Intrusion Prevention System (IPS) devices, models
UnityOne 50, 100E, 200, 400, 1200, 2400, and 5000E. The IPS models UnityOne-200, UnityOne-400,
UnityOne-1200, UnityOne-2400, and UnityOne-5000E are single units that can protect up to four
network segments. The UnityOne-50 and UnityOne-100E can protect one segment on your network. A
single IPS can be installed at the perimeter of your network, on your intranet, or both. All device
models have the uniformity and simplicity needed to achieve a high level of protection with minimal
administrative action.
An IPS protects your network segments. A segment is protected when its traffic passes through a pair
of ports on the IPS that are configured with filters and global settings. The device scans and reacts to
network traffic according to the filter instructions, or action set. Each segment and device can use a
different set of filters to manage and block traffic and malicious attacks to protect your network.
include all of the filters and information for protecting your network. Action sets in these filters provide
the instructions for the device to block, permit, and send alerts to the system. Filters include three
pillars of filter categories:
Application Protection: Pillar of filter types that defend against known and unknown exploits
targeting applications and operating systems. These filters include a variety of vulnerability and
security policy filters.
Infrastructure Protection: Pillar of filter types that protect network bandwidth and network
infrastructure elements such as routers and firewalls from attack using a combination of traffic
normalization, DDoS protection, and application, protocol, and statistical anomaly detection. These
filters include DDoS, network equipment protection, and traffic normalization filters.
Performance Protection: Pillar of filter types that allow key applications to have prioritized
access to bandwidth, ensuring that mission-critical applications have adequate performance during
times of high congestion. These filters include misuse and abuse and traffic management filters.
Filters provide detection and response instructions for segments and devices. If a filter affects an entire
device, it overrides the segmental settings. The action sets for these filters can be set according to
category or customized settings entered per filter. Each action set can also include a set of notification
contacts to receive alerts when the device detects and responds to traffic. The UnityOne also enables
you to set exceptions and inclusions (or apply-only rules) for filters. These settings can also be set and
enacted according to filter or for all categories of filters.
The UnityOne system also includes a Zero Power High Availability (ZPHA) device (optional) that
ensures constant, non-interrupted flow of network traffic. You can use the ZPHA to continue network
traffic and services by bypassing the IPS entirely when the power no longer feeds into the system, when
you need to unplug the system, and to continue service while the IPS reboots. The ZPHA is a chassis
with a set of relays that directs traffic depending on the status of power received through a USB cable
connected to the IPS device. If the power interrupts, the ZPHA bypasses the IPS device, providing
continuous network traffic.
Beyond the hardware, the UnityOne provides software to manage and customize your network
protection and intrusion prevention system. The Local Security Manager (LSM) manages a single IPS.
The LSM is a web-based management application that provides on-the-box administration,
configuration, and reporting.


To manage multiple IPS devices, you can use the Security Management System (SMS). The SMS
provides functionality beyond that provided by the LSM. Furthermore, it provides coordination across
your UnityOne system for administration, configuration, and monitoring. It provides a central point of
control for monitoring the way your IPS devices react to attack traffic, customizing that response, and
distributing your customizations to your entire network.

UnityOne Architecture
The UnityOne uses a flexible architecture that consists of an SMS Client (Java), Centralized
Management Server (SMS), IPS device(s), and Local Clients including the Local Security Manager
(LSM) and Command Line Interface (CLI). The entire UnityOne system provides intrusion prevention
protection against malicious attacks and traffic loads and local and centralized management
capabilities for 1 to 1,000 deployed systems. The following image provides an overview of the
architecture:
Figure 1 - 1: UnityOne Architecture

SMS Client
The UnityOne Security Management System (SMS) client provides services and functions to monitor,
manage, and configure the entire UnityOne system. This client is a Java-based application installed and
accessed on a computer running the appropriate Windows operating system. Each user receives a
specific user level with enhanced security measures to protect access and configuration of the system.


You can monitor the entire UnityOne system through the SMS client on a computer with the following
requirements:
One of the following operating systems:
    Windows 98, 2nd edition
    Windows NT, Service Pack 5 or later
    Windows 2000, Service Pack 3 or later
    Windows XP
Internet Explorer, version 6.0 or higher
The SMS features a policy-based operational model for scalable and uniform enterprise management.
It enables behavior and performance analysis with trending reports, correlation, and real-time graphs,
including reports on all, specific, and top 10 attacks and their sources and destinations as well as all,
specific, and top 10 peers and filters for misuse and abuse (peer-to-peer piracy) attacks. You can
create, save, and schedule reports using report templates. All reports are run against system and audit
logs stored for each device managed by the system. These logs detail triggered filters. You can modify,
update, and control distribution of these filters according to segment groups for refined intrusion
prevention.
The SMS dashboard provides at-a-glance monitors, with launch capabilities into the targeted
management applications that provide global command and control of UnityOne. It displays the
entries for the top 5 filters triggered over the past hour in various categories, a graph of triggered filters
over the past 24 hours, the health status of devices, and update versions for software of the system.
Through the Dashboard, you gain an overview of the current performance of your system, including
notifications of updates and possible issues with devices monitored by the SMS.

SMS Server
The SMS Server of the UnityOne is an enterprise-class management platform that provides
administration, configuration, monitoring and reporting for up to 1,000 UnityOne Intrusion
Prevention Systems. It is a rack mountable device that features a state-of-the-art Java client interface.
The SMS Server processes, stores, and provides essential components and functions to manage and
protect your network.
This component centralizes functionality for use and management across the UnityOne architecture. It
provides a central point for storing and managing resources, settings, and logs. Using the SMS and


local clients, you can perform monitoring, logging, reporting, and scanning procedures. It provides the
following functionality:
Enterprise-wide Device Status and Behavior: Stores, updates, and alerts clients, devices, and
logging functions of filter, device, software, and network status. The state of components in the
architecture is stored in this component.
IPS Networking and Configuration: Stores and configures devices according to the settings
modified, imported, or distributed by clients. These settings affect the flow and detection of traffic
according to device, segment, or segment group.
Scheduled and Pending Network Discovery Scans: Stores and enacts network discovery scans
set and maintained by clients. Scan results are saved in the database for review and management by the
SMS and local clients.
Filter Customization: Stores filter customizations in profiles as maintained by the SMS client.
These settings are distributed and imported to devices, where they can be reviewed and modified by local
clients. If a device is managed by the SMS Server, the local clients cannot modify settings.
Filter and Software Distribution: Monitors and maintains the distribution and import of filters,
Digital Vaccine packages, and software for the TippingPoint Operating System and SMS Client. The
SMS client and Central Management Server can distribute these packages according to segment
group settings. The Central Management Server maintains a link to the Threat Management Center
(TMC) for downloading and installing package updates.

Threat Suppression Engine
The Threat Suppression Engine (TSE) is a highly specialized, hardware-based intrusion prevention
platform consisting of state-of-the-art network processor technology and TippingPoint's own set of
custom ASICs. The TSE is a line-speed, hardware engine that contains all the functions needed for
Intrusion Prevention, including IP defragmentation, TCP flow reassembly, statistical analysis, traffic
shaping, flow blocking, flow state tracking and application-layer parsing of over 170 network protocols.
The TSE reconstructs and inspects flow payloads by parsing the traffic at the application layer. As each
new packet of the traffic flow arrives, the engine re-evaluates the traffic for malicious content. The
instant the engine detects malicious traffic, it blocks all current and all subsequent packets pertaining
to the traffic flow. Blocking the flow in this way ensures that the attack never reaches its
destination.
The combination of high-speed network processors and custom ASIC chips provides the basis for IPS
technology. These highly specialized traffic classification engines enable the IPS to filter with extreme
accuracy at gigabit speeds and microsecond latencies. Unlike software-based systems, whose
performance is affected by the number of filters installed, the highly scalable capacity of the hardware
engine allows thousands of filters to run simultaneously with no impact on performance or accuracy.


IPS Devices
Intrusion Prevention System (IPS) devices protect your network by scanning, detecting, and
responding to network traffic according to the filters, action sets, and global settings maintained on
each device by a client. Each device provides intrusion prevention for your network according to the
number of network connections and its hardware capabilities.
UnityOne IPS devices are designed to handle the extremely high demands of carriers and high-density
data centers. Even while under attack, UnityOne Intrusion Prevention Systems are extremely low-latency
network infrastructure ensuring switch-like network performance. UnityOne also has built-in
intrinsic high-availability features, guaranteeing that the network keeps running in the event of system
failure.
UnityOne IPS devices are active network defense systems using the Threat Suppression Engine (TSE)
to detect and respond to attacks. UnityOne Intrusion Prevention Systems are optimized to provide high
resiliency, high availability security for remote branch offices, small-to-medium and large enterprises
and colocation facilities. Each UnityOne can protect network segments from both external and
internal attacks.
IPS devices provide the following segments and traffic performance:
UnityOne-50: One 10/100 segment at an aggregate 50 megabits/second
UnityOne-100E: One 10/100/1000 segment at an aggregate 100 megabits/second
UnityOne-200: Two 10/100 segments at an aggregate 200 megabits/second
UnityOne-400: Four 10/100 segments at an aggregate 400 megabits/second
UnityOne-1200: Four 10/100/1000 segments at an aggregate 1.2 gigabits/second
UnityOne-2400: Four 10/100/1000 segments at an aggregate 2.0 gigabits/second
UnityOne-5000E: Four 10/100/1000 segments at an aggregate 5.0 gigabits/second
Multiple UnityOne devices can be deployed to extend this protection to hundreds of
enterprise zones. You can monitor and manage the devices through local clients, or up to 1,000 devices
through the SMS Client.
You can also implement an optional device called the Zero Power High Availability (ZPHA). This device
keeps traffic flowing in the event of a power loss in your IPS devices.

High Availability
UnityOne devices are designed to guarantee that your network traffic always flows at wire speed in the
event of internal device failure. In the case of any internal hardware or software failure, UnityOne can
automatically or manually fall back to being a simple Layer 2 switch, ensuring high network availability.
The UnityOne provides Network High Availability settings for Intrinsic Network HA (INHA) and
Transparent Network HA (TNHA). These options are enacted manually or automatically, according to
settings you enter using the clients (LSM and SMS) or the LCD panel of the IPS device.


Intrinsic Network High Availability is the ability of multiple LSM applications and their IPS devices to
see and direct the flow of network traffic between devices and their ports. When traffic flows through
the ports of a device, one port may encounter an issue that interrupts traffic. The port then
transfers the traffic flow to the other available port or device accordingly. Through INHA, the
system routes network traffic and state information by signalling one device, its port, and its client
(LSM or SMS) with the IP address, connection table, and flow information. The target port, device, and
client then build this information from scratch to handle the network traffic. The TCP flow is
transferred when a fail-over occurs.
Transparent Network HA performs the same service; however, it differs by constantly updating devices
with the TCP flow information. For these networks and devices, the fail-over port/device does not have to
rebuild the flow tables from the information sent by the failing port/device. It
receives information from an XSL to update its connection table settings. Once updated, this type of
network HA quickly transfers fail-over traffic without having to rebuild the settings.
For more information, see Network High Availability on page 155.

Local Clients
The UnityOne provides various points of interaction, management, and configuration for the intrusion
prevention system. The clients include graphical user interfaces (GUI) and command line interfaces
(CLI). These clients include the following:
Local Security Manager (LSM): Web-based GUI for managing one IPS device. The LSM provides
HTTP and HTTPS (secure management) access. This access requires Microsoft Internet Explorer 6.0
or later. Using the LSM, you have a graphical display for reviewing, searching, and modifying
settings. The GUI also provides graphical reports for monitoring device traffic,
triggered filters, and packet statistics.
Command Line Interface (CLI): Command line interface for reviewing and modifying settings
on the device. The CLI is accessible through Telnet and SSH (secure access).
LCD Panel: UnityOne 50/100E/200/400/1200/2400 devices provide an LCD panel for entering and
modifying some settings for the device. These settings include HA settings, querying the serial number,
resetting logs, and others.
Note: The IPS device allows for 10 web client connections, 10 telnet/SSH (for
CLI) connections, and 1 console connection at once.


Local Security Manager Overview


The TippingPoint Technologies Local Security Manager (LSM) is a graphical user interface (GUI) that
enables you to monitor and configure your UnityOne Intrusion Prevention System (IPS) using an
ordinary web browser.
This interface enables you to do the following with your IPS device:
Configure and manage filters to protect your networks, hardware, software, and data from intrusion
and attacks
Compile and review logs of intrusion and prevention activity on your network
Update your filter information and options with Digital Vaccine updates from the Threat
Management Center
Evaluate your network, including hosts and services, for possible threats and areas to be exploited by
malicious parties
Monitor the status of your IPS device
The interface consists of the following screens. These screens incorporate the functions and features to
configure and maintain an IPS device:

Filters Page
Logs Page
Configure Page
Monitor Page
Update Page
Admin Page

Filters Page
The Threat Management Center collects information on threats to software, hardware, and network
security throughout the world. These threats are analyzed and converted into filters. These filters
integrate with the interface to analyze data and protect systems. The filters use advanced protection
logic to accurately block attacks and cut down the possibility of false positives. The TMC provides these
filters as packages called Digital Vaccine to all UnityOne customers. The Filters page enables you to
manage these filters.
You can download, install, and manage these packages and their filters in the LSM interface. Filters
apply threat recognition data to traffic passing through specific areas of your network.
See Chapter 3 Filters.


Logs Page
The Logs page enables you to view log messages sorted by the time and date they were recorded. These
messages indicate the status of IPS components, reported from the devices, or messages from the
UnityOne about components that do not respond to periodic polling. These reports and graphs provide
detailed information about the attack filters and alerts in your system.
See Chapter 4 LSM Logs.

Configure Page
The Configure page enables you to view and modify the configured settings for a device and the LSM.
Through this page, you can view and set segments, modify network routes, reboot a device, and enable
or disable the use of SMS.
See Chapter 5 Configure.

Monitor Page
The Monitor page enables you to see the status of your IPS hardware. Through this page, you can view
system logs and check the current state of the hardware. You can also define the thresholds that
configure how hardware status is displayed. The information gathered by the monitor function
includes the following:
disk space and usage
memory usage
the state of the hardware (such as active and stand-by)
See Chapter 6 Monitor.

Update Page
TippingPoint is committed to providing the best means of protecting your network using the UnityOne
family of products. Therefore, from time to time, the Threat Management Center will release Software
Updates and Attack Filter Updates. The Update page enables you to review and install updates
downloaded from the TMC website (https://tmc.tippingpoint.com).
See Chapter 7 Update.


Admin Page
The LSM provides features for managing user access to the interface. The Admin page enables you to
create and manage user access to the IPS device through the LSM. Through this page, you can create
and modify user accounts, access settings, set the time-out limit, set expirations for passwords, and
view the audit and system logs.
Note: You must have the appropriate user access to use the Admin page. Not all
users can affect the access of other users.

See Chapter 8 Administration.


Getting Started
Prior to using the LSM interface, you need to install and configure the IPS device. Gather the following
documents depending on your product:
The Release Notes that shipped with the product. For updated release notes, visit the Threat
Management Center website (https://tmc.tippingpoint.com).
For the IPS UnityOne-50 device, read the following:
UnityOne-50 Installation and Configuration Guide: Provides instructions for installing and
configuring the UnityOne-50.
Quick Start UnityOne-50: Details how to unpack and install the UnityOne-50 quickly.
For the IPS UnityOne-100E device, read the following:
UnityOne-100E Installation and Configuration Guide: Provides instructions for installing and
configuring the UnityOne-100E.
Quick Start UnityOne-100E: Details how to unpack and install the UnityOne-100E quickly.
For the IPS UnityOne 200/400/1200/2400 devices, read the following:
UnityOne 200/400/1200/2400 Installation and Configuration Guide: Provides instructions for
installing and configuring the UnityOne 200/400/1200/2400 devices.
Quick Start UnityOne 200/400/1200/2400: Details how to unpack and install the UnityOne 200/
400/1200/2400 quickly.
For the IPS UnityOne-5000E device, read the following:
UnityOne-5000E Installation and Configuration Guide: Provides instructions for installing and
configuring the UnityOne-5000E.
Quick Start UnityOne-5000E: Details how to unpack and install the UnityOne-5000E quickly.
For the ZPHA device, read the following:
UnityOne Zero Power High Availability Installation Guide: Provides installation instructions for
the Zero Power High Availability (ZPHA) device.
UnityOne Modular Fiber/Copper ZPHA Installation Guide: Provides installation instructions for
the modular Zero Power High Availability (ZPHA) device, which uses fiber and/or copper
segments.
Before you use the LSM for the first time, you must complete the following:
Read the Release Notes that shipped with your IPS device. Information contained in the release notes
supersedes information in the manuals and in the online help.
Install the UnityOne device according to the instructions in the appropriate installation and
configuration guide for your UnityOne IPS.
Complete the Out-of-Box Setup Wizard according to the instructions in the Startup Configuration
chapter of the UnityOne Command Line Interface Reference. Be sure to enable the http and/or https
server.


System Requirements
The LSM is a web application accessed through a browser, so the workstation's hardware and software
requirements are lighter than those of software installed locally. To access the LSM, you need
the following:
A networked computer running Windows NT, 9x, or 2000
Microsoft Internet Explorer (MSIE) v 6.0 or greater with 128-bit encryption and support for
JavaScript and cookies

SMS Configuration
If you will maintain your IPS device using the Security Management System (SMS) or you will no
longer use the SMS, you need to configure a setting on the IPS device. This setting identifies if the
device is controlled by the SMS.
See View or Configure SMS Information on page 154.


LSM Navigation
LSM Navigation describes the LSM interface, how to log in, and the general sections of the
application. The Launch Bar, menus, and links are detailed with links to further information
throughout this guide.

Overview
The Local Security Manager (LSM) is a graphical user interface (GUI) that makes configuring and
monitoring your UnityOne device easy by providing user-friendly menus to help accomplish
administrative activities. You access the LSM using a user account through a browser. See Log in to the
LSM for more information.
The LSM is an application that you browse to in a web browser. You should use Microsoft Internet
Explorer, version 6 or later, to access the application. In this application, you can access a variety of
functions according to the access level of your user account.
This section details the login and navigation procedures of the LSM user interface.
LSM Navigation includes the following information:
Security Notes on page 14
Logging In on page 14
LSM Screen Layout on page 16
Note: The LSM is designed to work with Microsoft Internet Explorer (MSIE)
version 6.0 and greater. Using any other browser than MSIE may produce
unpredictable results in the display and functionality of the interface.


Security Notes
The LSM enables you to manage your IPS using an ordinary Web browser. It is important to note that
some browser features, such as password caching, are inappropriate for security use and should be
turned off.
CAUTION: Some browsers offer a feature that stores your user login and password for
future use. TippingPoint Technologies recommends that you turn this feature off in your
browser. It is counter to standard security practices to store login names and passwords,
especially those for sensitive network equipment, on or near a workstation.
In addition, the LSM provides two different web servers, an HTTP and an HTTPS server. Whenever
your IPS is connected to your network, you should run the HTTPS server, not the HTTP server. HTTP
servers are not secure because your user name and password travels over your network unencrypted.
You should only use the HTTP server when you are sure that communications between the IPS and the
workstation from which you access the LSM cannot be intercepted.
WARNING: The procedure Enable the Web Server (LSM and SMS) enables you to
turn on HTTP. HTTP is not a secure service because it sends unencrypted user
names and passwords over the network. If you enable HTTP, you endanger the
security of your UnityOne device. Use HTTPS instead of HTTP.

Logging In
When you log in to the LSM, you are prompted for your username and your password. This login gives
you access to the areas of the LSM permitted by your user role. User roles and access are described in
Access to Admin Functions.
Tip: Most Web browsers will not treat addresses beginning with HTTP and
HTTPS interchangeably. If your browser cannot find your LSM, make sure that you
are using http:// or https:// depending on which web server you are running.
Note: The IPS device allows for 10 web client connections, 10 telnet/SSH (for
CLI) connections, and 1 console connection at once.

Login Screen
There are three different situations in which you will be presented with the login screen:
When you first log in to the LSM
When you experience a Session Time-out
When you attempt to access an area that exceeds your current User Access Level


Log in to the LSM
STEP 1 Enter the IP address or hostname of your IPS device in your browser Address bar. For
example:
https://123.45.67.89
The LSM displays a Login page. The page includes the model and name of your device.
Figure 2 - 1: LSM Login Page
STEP 2 Enter your Username.
STEP 3 Enter your Password.
STEP 4 Click Log On.
The LSM validates your account information against the permitted users of the software. If the
information is valid, the LSM software opens. If the account information is not valid, the Login page
displays again.
Note: Only 10 web client and 10 SSH (for CLI) connections are allowed to connect
to a device at once.

Session Time-out
For security purposes, LSM login sessions have a 10 minute time-out. If you do not provide the LSM
with any input for ten minutes, you will be logged off.


Logging Off
You can log off of the LSM at any time by clicking the Log Off link in the upper right corner of the LSM
screen.

LSM Screen Layout


The LSM provides features in three main areas of the browser window:
Launch Bar: Located in the upper right portion of the browser window. This area provides tabs
that open the features of the LSM. The pages you open display in the Main pane.
System Stats: Area along the left portion of the browser window. This pane displays a refreshed
view of the system statistics and settings.
Main Pane: Area that occupies most of the browser window. Each tab you access in the Launch
Bar displays a page with sets of features in this area of the window.
Figure 2 - 2: LSM Screen Layout

Launch Bar
You can access the available features of the LSM by selecting tabs from the Launch Bar. The LSM
displays the page you select in the Main Pane. Each tab displays a default page with features and
options for managing your UnityOne system.


The following table lists the available tabs with descriptions of their options:
Table 2 - 1: Launch Bar Tabs
Feature: Description
Filters: View, enable and disable network protection filters, category settings, and filter
components (action sets and contacts). See Chapter 3 Filters for more information.
Logs: View, download, print and reset Alert, Block, Peer-to-Peer, System, and Audit logs. Download
packet trace logs. Use the Log Index function to query logs using specific time or ID range criteria.
Use the Top Ten Filters function to show the top 10 filter information. See Chapter 4 LSM Logs for
more information.
Configure: Configure IPS hardware and software, the Threat Suppression Engine (TSE), and high
availability, including intrinsic network HA (INHA) and transparent network HA (TNHA). See
Chapter 2 LSM Navigation for more information.
Monitor: View the status of IPS hardware components, module health (such as TSE and Multi-Zone
Defense), and INHA. See Chapter 6 Monitor.
Update: Download and install software and Digital Vaccine (filter) updates. See Chapter 7 Update
for more information.
Admin: Create, modify, and delete users; view user or system audit log. See Chapter 8
Administration for more information.
Help: View instructions about how to use system features; displays an electronic version of the
user guide.

System Stats
The System Stats sidebar shows information about system boot time, traffic, status, and software
versions. It refreshes itself periodically, unless you click the Freeze check box beside the refresh
counter. You can also manually refresh the System Stats sidebar by clicking the Refresh link beside the
counter.


The sidebar sections can be minimized and maximized by clicking the sizing icon to the right of the
section title. These sections include the following:
System Boot Time: Displays the time the device booted
Packet Statistics: Provides a running total of packets scanned by the device, including totals for
invalid, blocked, and permitted packets
Health: Displays a color indicator for the current status of the system log, threshold logs, and usage
of disk space and memory. For more information on system usage, see Chapter 6 Monitor.
High Availability: Indicates the state of the Intrinsic and Transparent Network HA. For more
information, see Network High Availability on page 155.
UnityOne Versions: Details the current version of the LSM software installed and running. For
more information on LSM and Digital Vaccine versions, see Chapter 7 Update.
You can hide and show each portion of the System Stats using the collapse icon next to the section.
Figure 2 - 3: Collapse Icon

Collapse icon for hiding and showing information on the System Stats.
The following is the System Stats sidebar:
Figure 2 - 4: System Stats Sidebar


System Boot Time


The system boot time shows you the date and time the IPS was last rebooted. The LSM displays the
local time according to your configured time zone. You can use the Configure page to modify the time
zone.
See Set the IPS Time Zone on page 149.
Note: If you change time zones using the procedure, the system boot time will be
adjusted to reflect the time zone change.

Packet Statistics
The Packet Statistics section provides basic traffic statistics including the following:
Total Packets: Total number of packets received and scanned by the Threat Suppression Engine
Invalid: Total number of packets that have been dropped because they are not properly formed
or formatted
Blocked: Total number of packets that have been blocked by the Threat Suppression Engine
Permitted: Total number of packets that have passed through the Threat Suppression Engine
without being blocked or dropped.
Packet counters are meant to give you a snapshot look at traffic through your network. The packet
totals give a partial account of blocked activity according to the filters. All other filter results affect the
packet totals. When the number reaches the million and billion mark, the number displays as a
decimal amount with a letter (such as G for giga).
Note: The counters are not synchronized with each other; packets may be
counted more than once in some situations.

Note: For UnityOne-50: The Blocked and Permitted counts include the number
of packets dropped or allowed through by a rate limiter.

The counters display the amount of packets tracked. If the number is less than 1M, the Packet
Statistics section displays the full amount. If the amount is greater than 999,999 K, the information is
abbreviated with a unit factor. For example, 734,123K would display fully whereas 4,004,876,543
displays as 4.00B. The unit factors include, M for mega, G for giga, and T for tera. To view the full
amount, hover your mouse over the displayed amount. A Tool Tip pops up, displaying the full packet
amount.
To reset the counters, click the reset link.


Health
The Health section of the Statistics frame gives you a visual indicator of the hardware health of your
IPS. The Health section includes indicators for the following components:
System Log: Provides compiled messages regarding the usage, actions, and errors of the system. It
displays the Logs - System Logs page. See Chapter 4 Logs.
Thresholds: Provides a link to the Alert Log Search Results page displaying the Traffic
Threshold filter events. See Traffic Threshold Filters on page 77.
Performance: Provides details on the congestion of filters. It runs the Performance Wizard. See
Performance/Throughput on page 177.
Disk Space: Provides details on disk storage and usage. It displays the Monitor - Device Health
page. See Device Health on page 175.
Memory: Provides details of memory usage. It displays the Monitor - Device Health page. See
Device Health on page 175.
The indicator next to the components indicates the current state:
Green if there are no problems
Yellow if there is a major warning
Red if there is a critical warning.
You can set the thresholds for warnings, setting when the indicator color will change based on the
usage of those components. If the System Log is other than green, you can click on the indicator to view
the error that caused the condition.
Note: When you view the logged error, the indicator resets and changes to green
under System Stats.

See Set Monitor Preferences on page 184

High Availability
The indicators listed for the High Availability section include the state for the Intrinsic and
Transparent HA. The indicator next to the component indicates the following:
Green if there are no problems
Yellow if there is a major warning
Red if there is a critical warning.
Click on the link to go to the Configure - High Availability page. See Network High Availability on
page 155.


UnityOne Versions
The UnityOne Versions section displays the current version numbers of the following software
components:

Model Number
TOS Software version
Digital Vaccine (Attack Filter) version
Custom Vaccine version (Optional Custom Shield Writer software application)

You can install software updates using the Update page.


See Chapter 7 Update.

Main Pane
The LSM displays all data in the central pane of the browser window. This main pane of the window
displays the pages of the LSM based on the selections you make from the Launch Bar and within each
page.
The content is presented in tables. The columns can be alternately sorted in ascending or
descending order by clicking the heading name link in the top row of the table. Only the items in that
view are sorted. For example, if you are viewing items 1-10 of 600 total items, only the items displayed
on the page are sorted.


Filters
Filters describes Application Protection, Infrastructure Protection, and Performance Protection
filters and explains how to enable, disable, and modify their various features. This section also
details IP filtering, action sets, category settings, and notification contacts.

Overview
Filters apply threat recognition data to traffic passing through specific areas of your network. You can
create, modify, and manage these filters to block and protect against malicious attacks and piracy of
your bandwidth and network services. Each filter consists of instructions detailing how packets and
traffic should be investigated, processed, and blocked for the network. These instructions are action
sets.
Filters are the key to protection and prevention of malicious invasion on your network and data. The
LSM includes the following pillars of filter types:
Application Protection: Pillar of filter types that defend against known and unknown exploits
targeting applications and operating systems. These filters include a variety of attack protection,
reconnaissance, security policy, and informational filters.
Infrastructure Protection: Pillar of filter types that protect network bandwidth and network
infrastructure elements such as routers and firewalls from attack using a combination of traffic
normalization, Advanced DDoS protection, and networked equipment. These filters include DDoS,
network equipment protection, and traffic normalization filters.
Performance Protection: Pillar of filter types that allow key applications to have prioritized
access to bandwidth ensuring that mission critical applications have adequate performance during
times of high congestion. These filters include misuse and abuse, IP, and congestion/mitigation
filters.


Filters provide rules for handling network traffic. The instructions of a filter consist of various
components that build and provide these rules for the system:
Category: Defines the type of filter, such as a particular Application Protection, Infrastructure
Protection, or Performance Protection filter
Action set: Provides a set of actions that are triggered and performed when managing traffic
State: Indicates if the filter is enabled, disabled, or invalid
Each filter includes settings for these components. Categories dictate the default and global settings
and actions for a specific type of filter. You can modify and enhance the category or particular instance
of a filter through the action sets. These sets of actions detail the instructions that become rules for
handling network traffic. The state of the filter indicates if the system enacts the filter against specific
types of traffic.
Through action sets and category settings, you can modify action sets to affect all filters of a particular
category or directly override the action sets on a filter-by-filter basis. You can selectively enhance the
filters to match the needs of your network.
Filters includes the following topics:
Filters Page on page 25
Managing Filters on page 25
Application Protection on page 31
Infrastructure Protection on page 55
Performance Protection on page 83
Category Settings on page 94
Action Sets on page 100
Notification Contacts on page 106

Filters Page
When you access the Filters page, it displays the Filters - Attack/Policy Filters Main List as default.
The following is the Filters page:
Figure 3 - 1: Default Filters Page

You can do the following on this page:
Search for and view filters
Edit current and create new filters
Set global and filter level exceptions
Modify action sets for filters and categories of filters

You can access the different types of filters by selecting the Open menu. A drop-down menu displays
listing the options for the page. The menu options may change depending on the menu option you
select. The instructions in this chapter indicate when to navigate through the drop-down menu
options.

Managing Filters
This section details the general procedures for managing filters in the LSM. This section includes the
following sections:
Viewing Filters on page 26
Searching Filters on page 28
Creating New Filters on page 29
Editing a Group of Filters on page 30
Deleting Filters on page 30


For specific editing instructions and information about filters, see the following sections:
Performance Protection on page 83
Application Protection on page 31
Infrastructure Protection on page 55

Viewing Filters
You can view filters that are loaded on your device. The Filters page displays a summary of the active
and inactive filters that are currently loaded on your IPS device. You can sort the filters on your screen
by any of the columns with an HTML link as a heading.
Figure 3 - 2: Filters Default Page

For example, you can sort the filters by the Filter Name or Segment by clicking the column name. The
following table details the information displayed on the page.
Table 3 - 1: Filters Page Description
Column Name: Description
Filter Name: Each filter name is also a link to a page that contains more information and
configuration options for that filter. Click on the filter name link to view and configure filter details.
Segment: Segments are the portions of your network that you protect as discrete units. Traffic for
one segment flows in and out of one port pair on a Multi-Zone Defense (MZD) Module.
By default, a filter applies to all segments that you are protecting.
Control: The category settings for the filter.
Action: Action refers to the action set that is performed when the filter is triggered. You can click
on the links in this column to view or edit details about the action set, or you can click on
the category action link to see what the default action associated with this filter is.
State: Indicates whether the filter is currently enabled, disabled, or System Disabled.
Function: The Function column contains icons that allow you to perform filter operations. These
icons are shown in the table entitled Functions Icons.

Note: The state of a filter may indicate the filter is enabled even if it is disabled
for a particular segment and enabled for others. To review the enabled/disabled
settings for a filter, review the Category Settings on page 94.
These filters have icons in the Function column indicating an available options.
Table 3 - 2: Functions Icons
Copy: Click the Copy icon to create a copy of the filter. You can use copies of filters to apply
filters in different ways to different segments, or to apply filters only to certain segments.
Edit: Click the Edit icon to edit filter parameters such as whether the filter is controlled through
Category Settings or individually, which action set the filter uses, and which exceptions are
applied to the filter.
Delete: Use the Delete icon to delete a filter that you have created (using the Copy icon). You
cannot delete the filters that come with the LSM, but you can disable them.
Filter Exception: The Filter Exception icon indicates filters that have exceptions defined. You can
click the Filter Exception icon to view more information about the filter and to see the exceptions
that are defined for it.
Reset: The Reset icon resets a triggered Traffic Threshold filter. When one of these filters
triggers, you must reset it.

Searching Filters
You can search for a specific filter number, or for a specific substring in the filter name. You enter
searches in the Search field at the bottom of the specific Filters page. When you search for filters, you
can search according to the following:
By Filter Type: By default, the Filters page opens the Filters - Attack/Policy Filters Main List
page (Application Protection filters). You must access the filter type by selecting a menu item from
the Open > Application Protection, Infrastructure Protection, or Performance Protection
menus.
Filter Number: You can enter the number of the filter in the search field.
Filter Name: You can enter the full or partial name of the filter in the search field.
Note: The search is a string search, not a boolean search. It is not case sensitive.
Therefore, if you enter more than one word in the search box, it searches only
for that exact phrase, not for a combination of words. For example, if you
enter ICMP reply, the search will not return a filter whose description is ICMP:
Echo Reply.
You cannot search by filter category. Returned results of the search include matches against the name of
the filter.
Note: To view all filters of the selected type, click the Show All Filters link. To
change types of filters, select a menu item from the Open > Application
Protection, Infrastructure Protection, or Performance Protection menus.

Search for a Filter
STEP 1  On the launch bar, click the Filters tab.
STEP 2  The Filters page displays. By default, it lists the All Filters page.
You can search for any filter through this page or select the type of filter you want to search for
from the Open > Application Protection, Infrastructure Protection, or Performance
Protection menu items.
STEP 3  Type a filter number, a word, or part of a word in the Search field. You cannot search for a
category type.
Note: The search is a string search, not a boolean search. It is not case sensitive.
Therefore, if you enter more than one word in the search box, it will only search
for that particular phrase, not for a combination of words. For example, if you
enter ICMP reply the search will not return a filter whose description is ICMP:
Echo Reply.
STEP 4  Click the Search button. Any filters that contain the search string as their number or name
display.

Creating New Filters

By default, each active filter protects all segments that use it. When you create a new filter, you copy an
existing filter, modify the settings of the copy, and apply it to a segment or segments. The LSM includes
various filters, and new filters are installed with each update of Digital Vaccine from the Threat
Management Center. You can copy any of these filters and modify them for your own needs. You can
then modify the filter with custom action sets and settings to globally affect segments or monitor
specific segments.
Some filters do not require copying prior to creation. See the following procedures:
Create a Traffic Threshold Filter on page 80
Create a Traffic Management Filter on page 91

Create a New Filter
STEP 1  On the Filters page, locate a filter you want to copy.
    STEP A  You can search for a filter. See Search for a Filter.
    STEP B  You can browse for a filter by selecting a category from the Open menu.
    STEP C  You can also copy a filter when editing a filter, from the filter's details/edit page.
STEP 2  Click the Copy icon next to the filter you want to copy or click Copy. The copy page for the
filter displays.

Figure 3 - 3: Filters Copy Page

STEP 3  Select a Segment from the drop-down list. The options depend on the type of filter. You can
also select Recommended, which uses the recommended action set for the filter type.
STEP 4  Select either Use Category Settings or Override in the Filter Parameters section.
If you choose Override, check the Enable option and select an Action for this filter from the
drop-down list.
STEP 5  Click Copy.

Editing a Group of Filters

You can select a group of filters from the Filters and other filter category pages. When editing a group of
filters, you can only modify the Action Set setting. To edit, you select the check boxes for filters in the
main filter category pages.
Edit a Group of Filters
STEP 1  Display the Filters - All Filters page or a main page for a filter category.
STEP 2  Select the check boxes for a set of filters.
STEP 3  Click Edit Selected. The Filters - Group Filters Edit/Details page displays.

Figure 3 - 4: Filters - Group Filters Edit/Details Page

STEP 4  In the Action/State section, select Use Category Settings or Override. If you select
Override to use a different action set for the filters, do the following:
    STEP A  Select the Override radio button in the Parameters section.
    STEP B  Check the Enabled check box.
    STEP C  Choose an Action from the drop-down list.
STEP 5  Click Save.

Deleting Filters
You can delete filters you create on the Filters page. However, you cannot delete the filters installed on
the LSM or from Digital Vaccine packages. Once you create a filter by copying and editing an existing
one, you can delete that filter.

Delete a Filter
STEP 1  Click the Filters tab. The Filters page displays.
STEP 2  Click the Delete icon next to the filter you wish to delete. A browser confirmation box opens.
STEP 3  Click OK in the popup confirmation box to confirm the deletion.

Note: You can only delete filters that you have created. Filters installed by
default cannot be deleted. You can disable default filters in the system.

Application Protection
Application Protection is a pillar of filter types that defend against known and unknown exploits that
target applications and operating systems of workstations and servers on a network. These filters
include a variety of attack protection and security policy filters used to detect attacks targeting
application and operating system resources on your network. Malicious attacks may probe your
network for vulnerabilities, available ports and hosts, and available applications accessible through the
network. Application Protection filters defend your network by providing an IPS device with threat
assessment, detection, and management instructions.
Through the Filters page, you can tune attack filters to meet the needs of your enterprise. You can
create a segment-specific filter or a custom filter exception. You can also alter the system's response to
an attack filter by disabling the filter, editing the action set, and modifying notification contact
settings.
These filters block traffic depending on the configured actions for the filter or filter category. These
actions are called an action set. You can set these action sets to the entire category of filters or override
specific filters to perform a different set of actions. See Action Sets on page 100 for more information.


Application Protection filters include the following types:

Attack Protection Filters: Category of filters that protect your network from malicious attacks that
seek to find and exploit vulnerabilities in your network. These filters are enabled by default on your
UnityOne system and shield against triggering packets.
    Vulnerabilities Filters: Category of filters that protect potentially vulnerable software on the
    network, such as operating systems.
    Exploit Filters: Category of filters that protect against known exploits of software components.
Reconnaissance Filters: Category of filters that detect and block reconnaissance scans of your
network. These filters are disabled by default.
    Vulnerability Probing Filters: Category of filters that detect scans for vulnerabilities in the
    system. These filters protect the network from probing attacks.
    Port Scans/Host Sweeps Filters: Category of filters that detect port scans and host sweeps.
    These filters protect against scan attacks and possible exceeded threshold limits against your
    ports and hosts.
Security Policy Filters: Category of filters that require deployment knowledge and/or operational
policy.
Informational Filters: Category of filters that are classically used for IDS testing (e.g. Blade
signatures). These filters are disabled by default.

Attack Protection Filters

Attack Protection filters scan for, detect, and block malicious attacks that try to locate vulnerable areas
in your network security. These filters are enabled from the start-up of your UnityOne system and
automatically shield against triggering packets. You can change the action settings for all attack
protection filters, default or user-activated, at the category level or for individual filters. These filters
are enabled and use a Block + Notify action set by default.
Attack Protection filters detect traffic that meets one of the following criteria:
Known to be malicious
Considered suspicious
Known to have security implications
Attack Protection filters include the following types:
Vulnerabilities Filters: Category of filters that protect potentially vulnerable software on the
network, such as operating systems.
Exploit Filters: Category of filters that protect against known exploits of software components.


Both types of Attack Protection filters display the same information on their respective pages. The
following is the Filters - Vulnerabilities Filters Main List page:
Figure 3 - 5: Filters - Vulnerabilities Filters Main List Page

These filters have the following settings:

Table 3 - 3: Vulnerabilities Filters Main List Details
Filter Name: Name of the filter
Segment: The segment the filter is assigned to
Control: The category settings for the filter
Action: Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State: Indicates the filter's state:
    Enabled: Displays Enabled if the filter is enabled and running
    Disabled: Displays an empty value if the filter is disabled. To enable, edit the filter.
    System Disabled: Displays System Disabled if a filter is system disabled. The LSM disables a
    filter if the adaptive filter settings are triggered. See TSE Adaptive Filter Configuration on
    page 161.
Functions: Icons representing functions to manage filters

Attack protection filters include the following options:

Viewing Filters
Searching Filters
Creating New Filters
Edit an Attack Protection Filter
Editing a Group of Filters
Deleting Filters

Vulnerabilities Filters
Attackers generally look for vulnerabilities in a network. Writing malicious code, they try to find the
weak points in a network security system to bypass filters and reach data and services. These attackers
seek to use intrusion methods against areas such as software back-doors and poorly protected hosts and
ports. Vulnerability scanning checks for all potential methods that an attacker could use to infiltrate a
network and system.
Vulnerabilities filters protect these possible points of entry in a network, detecting and blocking
attempted intrusions. These filters protect vulnerable components of a computer system or network by
analyzing and blocking traffic seeking these points of entry. The filters constantly scan for possible
intrusion points, giving a warning when a vulnerability is found or when malicious attacks occur.
As security threats are recognized, the Threat Management Center (TMC) creates and releases filter
updates to protect potentially vulnerable systems.

Exploit Filters
Exploits are attacks against a network using weaknesses in software such as operating systems and
applications. These attacks usually take the form of intrusion attempts and attempts to destroy or
capture data. These filters seek to protect software from malicious attacks across a network by
detecting and blocking the request.
The two most common methods for exploiting software include email and web browsing. All web
browsers and many email clients have powerful capabilities that access applications and operating
systems. Attackers can create attachments that scan for and exploit this software.
Edit an Attack Protection Filter
STEP 1  On the Filters page, select Open > Application Protection > Attack Protection
and choose one of the following menu items:
Vulnerabilities
Exploits
The appropriate filters page displays.
STEP 2  Do one of the following:
Select the Edit icon for a filter.
Click the linked name of the filter.
The appropriate page displays.

Figure 3 - 6: Filters - Vulnerabilities Filters Details/Edit Page

STEP 3  In the Action/State section, select Use Category Settings or Override. If you select
Override to use a different action set for the filter, do the following:
    STEP A  Select the Override radio button in the Parameters section.
    STEP B  Check the Enabled check box.
    STEP C  Choose an Action from the drop-down list.
STEP 4  Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter: Removes any global
adaptive filter settings for this filter
STEP 5  Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
    STEP A  Enter the Source Address.
    STEP B  Enter the Destination Address.
    STEP C  Click Add to add the exception to the table below.
STEP 6  Click Save.

Reconnaissance Filters
Reconnaissance filters protect your system against malicious traffic that scans your network for
vulnerabilities. These filters constantly monitor incoming traffic, looking for any sign of network
reconnaissance. Such probes seek any weakness that can be exploited by later attacks; in effect, they
attempt to map your network's strengths and weaknesses for further attacks. These filters are disabled
by default.
Note: Port Scans/Host Sweeps filters are not affected by Application Settings.
When you create exceptions and apply-only settings in the Application Settings
page, they only affect Vulnerability Probing filters.
Reconnaissance filters include the following:
Vulnerability Probing Filters: Filters that detect scans for vulnerabilities in the system. These
filters protect the network from probing attacks.
Port Scans/Host Sweeps Filters: Filters that detect port scans and host sweeps. These filters protect
against scan attacks and possible exceeded threshold limits against your ports and hosts.
Both types of Reconnaissance filters display the same information on their respective pages.
The following is the Filters - Vulnerability Probing Filters Main List page:
Figure 3 - 7: Filters - Reconnaissance Filters Main List Page

These filters have the following settings:

Table 3 - 4: Reconnaissance Filters Main List Details
Filter Name: Name of the filter
Segment: The segment the filter is assigned to
Action: Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State: Indicates the filter's state:
    Enabled: Displays Enabled if the filter is enabled and running
    Disabled: Displays an empty value if the filter is disabled. To enable, edit the filter.
    System Disabled: Displays System Disabled if a filter is system disabled. The LSM disables a
    filter if the adaptive filter settings are triggered. See TSE Adaptive Filter Configuration on
    page 161.
Timeout (seconds): The number of seconds in the timeout period
Threshold (hits): The threshold number of hits
Functions: Icons representing functions to manage filters

Reconnaissance filters include the following options:

Viewing Filters
Searching Filters
Creating New Filters
Edit a Vulnerability Probing Filter
Editing a Group of Filters
Edit a Port Scans/Host Sweeps Filter
Deleting Filters

Vulnerability Probing Filters

Some attacks against a network may probe the network for access holes through which to introduce
malicious code and services. These attacks attempt to gain access to a system or to compile information
about a network. Vulnerability probing attacks could directly request, ping, and access a system through
network protocols, services, and user accounts. Vulnerability Probing filters protect your system against
potentially malicious scans of your system. These filters detect and block vulnerability probing attacks,
protecting access and evaluating requests. The following is the Filters - Vulnerability Probing Filters
Main List page:
Figure 3 - 8: Filters - Vulnerability Filters Main List Page

These filters have the following settings:

Table 3 - 5: Vulnerability Probing Filters Main List Details
Filter Name: Name of the filter
Segment: The segment the filter is assigned to
Control: The category settings for the filter
Action: Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State: Indicates the filter's state:
    Enabled: Displays Enabled if the filter is enabled and running
    Disabled: Displays an empty value if the filter is disabled. To enable, edit the filter.
    System Disabled: Displays System Disabled if a filter is system disabled. The LSM disables a
    filter if the adaptive filter settings are triggered. See TSE Adaptive Filter Configuration on
    page 161.
Functions: Icons representing functions to manage filters

Port Scans/Host Sweeps Filters


Attackers may try to scan a network for available ports or try to infiltrate a host system through its
ports and software. These attacks provide entry points for introducing malicious code to further enact
attacks through your host and ports. Scan and sweep attacks can consist of multiple probe attacks in
large amounts, sending numerous requests for access and information at once. Port Scans/Host Sweeps
filters prevent these port scan and host sweep attacks.
These filters provide segmental control, allowing for configurations per segment on the device. If you
Enable or Disable the settings for a specific segment, the change affects the specified segment only
rather than all segments on the device. The filters also support Block and Permit action sets as
configurable actions when detecting attacks.
These filters do not receive Application Settings for exceptions and inclusions. The page that displays is
the Filters - Reconnaissance Filters Main List page.

Filter Tuning
You can tune the sensitivity of Reconnaissance filters by adjusting their Timeout and Threshold
parameters. The timeout value is used in combination with the threshold value to determine whether
or not an alert is sent.
For example, with a timeout of 300 seconds and a threshold of 100 hits, the LSM sends an alert every
time you exceed the threshold or a multiple of the threshold, that is, at 101, 201, 301... hits detected
within the 300 second (five minute) time period.
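The Timeout/Threshold rule above, modeled as a small counter so the alerting points can be checked against sample hit sequences. This is an added example, not TippingPoint code; it assumes hits are counted per source address, that a counting window opens at a source's first hit and is discarded once the timeout has elapsed since it opened, and that an alert fires on each hit that lands one past a multiple of the threshold (101, 201, 301, ...). The addresses and timings are constructed.

```python
class ReconFilter:
    """Counts hits per source inside a timeout window and reports alerts.

    Assumed model of the guide's Timeout/Threshold rule (not the product's
    own implementation).
    """

    def __init__(self, timeout=300.0, threshold=100):
        if timeout <= 0 or threshold <= 0:
            raise ValueError("timeout and threshold must be positive")
        self.timeout = float(timeout)
        self.threshold = int(threshold)
        # source address -> (time the window opened, hits counted in it)
        self._windows = {}

    def hit(self, src, ts):
        """Record one matching packet from `src` at time `ts` (seconds).

        Returns True when this hit raises an alert.
        """
        start, count = self._windows.get(src, (None, 0))
        if start is None or ts - start >= self.timeout:
            # No open window, or the old one timed out: start counting afresh.
            start, count = ts, 0
        count += 1
        self._windows[src] = (start, count)
        # Alert on hit threshold+1, 2*threshold+1, 3*threshold+1, ...
        return count > self.threshold and (count - 1) % self.threshold == 0

    def reset(self, src):
        """Clear the source's window, as the Reset icon does for a triggered filter."""
        self._windows.pop(src, None)


def alerting_hits(events, timeout=300.0, threshold=100):
    """Replay (src, ts) events and return the 1-based hit numbers that alerted."""
    f = ReconFilter(timeout, threshold)
    return [i for i, (src, ts) in enumerate(events, start=1) if f.hit(src, ts)]


if __name__ == "__main__":
    # Constructed sample: 301 probe hits from one host, two per second, all
    # inside a single 300-second window: alerts on hits 101, 201 and 301.
    burst = [("192.0.2.10", i * 0.5) for i in range(301)]
    print(alerting_hits(burst))  # [101, 201, 301]
    # A slow scanner, one hit every 10 s: no window ever collects more than
    # 30 hits before it times out, so nothing is reported.
    slow = [("192.0.2.11", i * 10.0) for i in range(100)]
    print(alerting_hits(slow))  # []
```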


Edit a Vulnerability Probing Filter
STEP 1  On the Filters page, select the Open > Application Protection > Reconnaissance
> Vulnerability Probing menu item. The Filters - Vulnerability Probing Filters Main
List page displays.
STEP 2  Do one of the following:
Select the Edit icon for a filter.
Click the filter name link.
The Filters - Vulnerability Probing Details/Edit page displays.

Figure 3 - 9: Filters - Vulnerability Probing Details/Edit Page

STEP 3  In the Action/State section, select Use Category Settings or Override. If you select
Override to use a different action set for the filter, do the following:
    STEP A  Select the Override radio button in the Parameters section.
    STEP B  Check the Enabled check box.
    STEP C  Choose an Action from the drop-down list.
STEP 4  Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter: Removes any global
adaptive filter settings for this filter
STEP 5  Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
    STEP A  Enter the Source Address.
    STEP B  Enter the Destination Address.
    STEP C  Click Add to add the exception to the table below.
STEP 6  Click Save.

Edit a Port Scans/Host Sweeps Filter
STEP 1  On the Filters page, select the Open > Application Protection > Port Scan/Host
Sweep menu item. The Filters - Reconnaissance Filters Main List page displays.
STEP 2  Do one of the following:
Select the Edit icon for a filter.
Click the filter name link.
The Filters - Reconnaissance Details/Edit page displays.

Figure 3 - 10: Filters - Reconnaissance Details/Edit Page

STEP 3  In the Action/State section, select Use Category Settings or Override. If you select
Override to use a different action set for the filter, do the following:
    STEP A  Select the Override radio button in the Parameters section.
    STEP B  Check the Enabled check box.
    STEP C  Choose an Action from the drop-down list.
STEP 4  In the Parameters section, do the following:
    STEP A  Enter the number of seconds for the Timeout.
    STEP B  Enter the number of hits allowed for the Threshold.
STEP 5  Click Save.

Security Policy Filters


Security Policy filters act as attack and policy filters. As attack filters, these filters compare packet
contents with recognizable header or data content in the attack along with the protocol, service, and the
operating system or software the attack affects. These filters are developed at the Threat Management
Center (TMC).
Policy filters detect traffic that may or may not be malicious. This traffic may meet one of the following
criteria:
Different in its format or content from standard business practice
Aimed at specific software or operating systems
Contrary to your company's security policies
When enabled, these filters may generate false attack alerts depending on your network or application
environment. For example, false alerts could be caused by the following:
Custom or legacy software that uses standard protocols in non-standard ways
Attacks on applications or operating systems that you do not have installed
Activities that could be benign or malicious depending on where they originate
You can enable, disable, or create exceptions to user-activated shield filters according to your
environment's requirements.
CAUTION: Scan your network hosts before disabling or creating exceptions to specific
attack protection filters. Some operating systems install default services which may be
vulnerable to attack. If you disable or create an exception to a filter that protects a service
that you do not know about, you may increase your network's vulnerability.


The following is the Filters - Security Policy Filters Main List page:
Figure 3 - 11: Filters - Security Policy Filters Main List Page

These filters have the following settings:

Table 3 - 6: Security Policy Filters Main List Details
Filter Name: Name of the filter
Segment: The segment the filter is assigned to
Control: The category settings for the filter
Action: Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State: Indicates the filter's state:
    Enabled: Displays Enabled if the filter is enabled and running
    Disabled: Displays an empty value if the filter is disabled. To enable, edit the filter.
    System Disabled: Displays System Disabled if a filter is system disabled. The LSM disables a
    filter if the adaptive filter settings are triggered. See TSE Adaptive Filter Configuration on
    page 161.
Functions: Icons representing functions to manage filters

The Filters - Security Policy Filters Main List page includes the following options:

Viewing Filters
Searching Filters
Creating New Filters
Edit a Security Policy Filter
Editing a Group of Filters
Deleting Filters

Edit a Security Policy Filter
STEP 1  On the Filters page, select the Open > Application Protection > Informational
menu item. The Filters - Security Policy Filters Main List page displays.
STEP 2  Do one of the following:
Select the Edit icon for a filter.
Click the filter name link.
The Filters - Security Policy Details/Edit page displays.

Figure 3 - 12: Filters - Security Policy Details/Edit Page

STEP 3  In the Action/State section, select Use Category Settings or Override. If you select
Override to use a different action set for the filter, do the following:
    STEP A  Select the Override radio button in the Parameters section.
    STEP B  Check the Enabled check box.
    STEP C  Choose an Action from the drop-down list.
STEP 4  Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter: Removes any global
adaptive filter settings for this filter
STEP 5  Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
    STEP A  Enter the Source Address.
    STEP B  Enter the Destination Address.
    STEP C  Click Add to add the exception to the table below.
STEP 6  Click Save.

Informational Filters
Informational filters provide a means for classic Intrusion Detection System (IDS) testing. These filters
allow you to perform tests against your network security. The behavior of these filters provides detailed
information about the strength of your security. An example of these filters is Blade signatures.
These filters are disabled by default.


The following is the Profile - Informational Filters Main List page:


Figure 3 -13: Filters - Informational Filters Main List Page

These filters have the following settings:

Table 3 - 7: Security Policy Filters Main List Details
Filter Name: Name of the filter
Segment: The segment the filter is assigned to
Control: The category settings for the filter
Action: Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State: Indicates the filter's state:
    Enabled: Displays Enabled if the filter is enabled and running
    Disabled: Displays an empty value if the filter is disabled. To enable, edit the filter.
    System Disabled: Displays System Disabled if a filter is system disabled. The LSM disables a
    filter if the adaptive filter settings are triggered. See TSE Adaptive Filter Configuration on
    page 161.
Functions: Icons representing functions to manage filters


The Filters - Security Policy Filters Main List page includes the following options:

Viewing Filters
Searching Filters
Creating New Filters
Edit an Informational Filter
Editing a Group of Filters
Deleting Filters

Edit an Informational Filter
STEP 1  On the Filters page, select the Open > Application Protection > Informational
menu item. The Filters - Informational Filters Main List page displays.
STEP 2  Do one of the following:
Select the Edit icon for a filter.
Click the filter name link.
The Filters - Informational Details/Edit page displays.

Figure 3 - 14: Filters - Informational Details/Edit Page

STEP 3  In the Action/State section, select Use Category Settings or Override. If you select
Override to use a different action set for the filter, do the following:
    STEP A  Select the Override radio button in the Parameters section.
    STEP B  Check the Enabled check box.
    STEP C  Choose an Action from the drop-down list.
STEP 4  Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings: Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter: Removes any global
adaptive filter settings for this filter
STEP 5  Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:
    STEP A  Enter the Source Address.
    STEP B  Enter the Destination Address.
    STEP C  Click Add to add the exception to the table below.
STEP 6  Click Save.

Application Settings
Exceptions specify actions that occur differently for filters, such as limiting a filter to specific IP
addresses or excluding an IP address from all filters. You can set exceptions and limits on individual
filters or globally to affect all filters.
In the LSM, you can add exceptions to an individual filter or to all Application Protection, Traffic
Normalization, and Network Equipment filters:
Filter Exceptions (specific): Exclude IP addresses from a specific Application Protection filter.
This exception only affects the modified filter.
Limit Filter to IP Addresses (global): Inclusions that limit all Application Protection, Traffic
Normalization, and Network Equipment filters to apply only against a specific set of IP addresses.
These settings are global for all attack protection and security policy filters.
Exceptions (global): Exclude IP addresses from all Application Protection filters. These
exceptions are global for all attack protection and security policy filters.
CAUTION: The UnityOne system has specified limits for performance regarding the
number of exceptions and limit filters for Application Settings. You should not exceed the
following:
Create no more than 1 Limit Filter (apply-only rules)
Create no more than 5 Exceptions


Tip: When you create a filter exception, the filter displays a green shield icon in the Functions column of the Filters page.

This section details how to add these exceptions to Application Protection filters:
- IP Restriction Filters
- Filter Exceptions
- Global Exceptions and Settings

IP Restriction Filters
The LSM has rules for determining when global exceptions affect custom filter exceptions. When you create custom filter exceptions for filters that search for specific IP addresses as part of their logic, the Threat Suppression Engine determines which exception to follow. In these instances, the LSM applies the custom filter exception rather than the global exception.
For example, you could set exceptions on a filter that searches for a specific IP address, such as the Vulnerability filter 0052: IP: Source IP Address Spoofed (Loopback). You could set a custom exception, limiting the set of IP addresses, to monitor attacks against the IP addresses within a specific server group. If you then set a global exception on IP addresses that included the address searched by this filter, the Threat Suppression Engine would follow the rules of the custom exception, not the global exception.
For filters that search for hard-coded IP addresses and have the IP restriction filter applied as an exception (which limits the IP addresses), the LSM follows the rules of the filter's own exceptions and then logs an alert. To end the alerts and follow the global exception rules instead, you can disable the individual filter.


Filter Exceptions
You can add a custom exception directly to a filter without affecting other filters. You set these custom exceptions directly on selected Application Protection filters. When you create filter exceptions, you specify IP addresses for that custom filter.
Note: These settings are not overridden by the Global Settings of Application Protection Filters. See Global Exceptions and Settings on page 51.

The filter exception options include the following:
- Create a Filter Exception
- Delete a Filter Exception

Create a Filter Exception
STEP 1  On the Filters page, select and view one of the following pages from the Open menu items:
        - Filters - Attack/Policy Filters Main List
        - Filters - Attack Protection Filters Main List
        - Filters - Security Policy Filters Main List
STEP 2  Select a filter.
STEP 3  In the Exceptions section, enter the Source IP Address and Destination Address of the exception in CIDR format.
        Note: Source and Destination IP Addresses can be entered in CIDR format, as any or as *.
STEP 4  Click the add to table below button.
STEP 5  Click Save.

Delete a Filter Exception
STEP 1  On the Filters page, select and view one of the following pages from the Open menu items:
        - Filters - Attack/Policy Filters Main List
        - Filters - Attack Protection Filters Main List
        - Filters - Security Policy Filters Main List
STEP 2  Locate the filter and click the Filter Exception icon. The edit page displays.
STEP 3  On the edit page of the filter, click the Delete icon next to the exception you would like to remove.
STEP 4  Click Save.

Global Exceptions and Settings
You can set global exceptions for all Application Protection filters. These exceptions allow traffic that would normally trigger a filter to pass between specific addresses or address ranges without triggering that filter. You may need to create exceptions for the following reasons:
- You need to run security scanning software that simulates network attacks.
- You use proprietary or legacy hardware or software that makes use of non-standard protocols or that uses techniques similar to some network exploits.

You can enter global settings to do the following:
- Limit filters to a specific set of IP addresses. This Inclusion setting affects all filters so that they apply only to the IP addresses you set. You can also select a specific segment for the setting.
- Set a global Exception to not apply the filters to a specific set of IP addresses. This setting affects all filters: they apply to all IP addresses except those added to this list. You can also select a specific segment for the exception.
Note: Not all Reconnaissance filters receive these settings. Port Scans/Host Sweeps filters are not affected by Application Settings. When you create exceptions and apply-only settings in the Application Settings page, they only affect Vulnerability Probing filters.
For example, several of the filters are designed to sense network scanning programs. If you know that you will be running a particular network scanning program, you can create a filter exception that allows the scanning program to be run from a particular location on your network while still blocking any outside entity from running a network scan.
To further refine the exceptions, you can assign a specific segment, applying the exception only to the traffic of the selected segment. Segmental assignment applies the exception or restriction to a specified segment rather than to the entire device. If you select the All Segments option, the setting affects the traffic of all segments on a device.
When setting segmental Limit rules (apply-only rules), the limit restricts filters to apply only to the specified segment. For devices with multiple segments, the configured Limit restricts filters to scan and manage traffic through the specified segment without affecting the other segments on the device. For example, setting a Limit rule to segment 1, with a listed source and destination IP address, applies Application and Infrastructure Protection filters only against segment 1 when the IP address

conditions are met. To have the filter affect all traffic, you can configure a Limit rule with wildcard
characters through the CLI using the following command:
conf t protection-settings perf-limit add * * -segment 1
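The way filter-specific exceptions, the global Limit (apply-only) list, global Exceptions and segment scoping combine, as an added Python model that is not LSM or TippingPoint code. The evaluation order is an assumption drawn from this section and from the Note that custom filters with their own exceptions are not affected by the inclusion list; the class and function names and the sample addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALL_SEGMENTS = "All Segments"
MAX_LIMIT_RULES = 1   # CAUTION in the guide: no more than 1 Limit Filter
MAX_EXCEPTIONS = 5    # CAUTION in the guide: no more than 5 Exceptions


def parse_addr(text: str):
    """Accept the address forms the LSM takes: CIDR, a bare address, 'any' or '*'.
    Returns None for the wildcard forms."""
    t = text.strip().lower()
    if t in ("any", "*"):
        return None
    return ip_network(t, strict=False)


@dataclass
class AddressRule:
    """One row of an Exceptions or Limit table: source, destination, segment."""
    source: str
    destination: str
    segment: str = ALL_SEGMENTS

    def matches(self, src: str, dst: str, segment: str) -> bool:
        if self.segment != ALL_SEGMENTS and self.segment != segment:
            return False
        for rule_text, addr in ((self.source, src), (self.destination, dst)):
            net = parse_addr(rule_text)
            if net is not None and ip_address(addr) not in net:
                return False
        return True


@dataclass
class GlobalSettings:
    """Application Settings page: the Limit (apply-only) list and global Exceptions."""
    limits: List[AddressRule] = field(default_factory=list)
    exceptions: List[AddressRule] = field(default_factory=list)


@dataclass
class AppFilter:
    """An Application Protection filter with its own filter-specific exceptions."""
    name: str
    exceptions: List[AddressRule] = field(default_factory=list)


def filter_applies(flt: AppFilter, settings: GlobalSettings,
                   src: str, dst: str, segment: str) -> Tuple[bool, str]:
    """Decide whether `flt` is applied to a flow src -> dst seen on `segment`.

    Precedence (an assumption based on the guide, not the TSE's real logic):
      1. a filter-specific exception always wins;
      2. a filter carrying its own exceptions is not subject to the global Limit list;
      3. otherwise a non-empty Limit list restricts the filter to the listed traffic;
      4. a global Exception then excludes listed traffic from every filter.
    """
    for rule in flt.exceptions:
        if rule.matches(src, dst, segment):
            return False, "filter exception"
    if not flt.exceptions and settings.limits:
        if not any(r.matches(src, dst, segment) for r in settings.limits):
            return False, "outside global Limit"
    for rule in settings.exceptions:
        if rule.matches(src, dst, segment):
            return False, "global exception"
    return True, "applies"


def budget_warnings(settings: GlobalSettings) -> List[str]:
    """Flag a configuration that exceeds the performance limits in the CAUTION."""
    warnings: List[str] = []
    if len(settings.limits) > MAX_LIMIT_RULES:
        warnings.append(f"{len(settings.limits)} Limit rules (max {MAX_LIMIT_RULES})")
    if len(settings.exceptions) > MAX_EXCEPTIONS:
        warnings.append(f"{len(settings.exceptions)} Exceptions (max {MAX_EXCEPTIONS})")
    return warnings


# Constructed sample configuration using documentation address ranges.
SETTINGS = GlobalSettings(
    limits=[AddressRule("10.0.0.0/8", "*", "Segment 1")],   # apply-only on segment 1
    exceptions=[AddressRule("10.9.9.9", "any")],             # authorised scanner host
)
PLAIN = AppFilter("filter without custom exceptions")
CUSTOM = AppFilter("filter with a custom exception",
                   exceptions=[AddressRule("10.1.1.5", "*")])

if __name__ == "__main__":
    for flt, src, dst, seg in [
        (PLAIN, "10.1.1.5", "198.51.100.1", "Segment 1"),
        (PLAIN, "172.16.0.1", "198.51.100.1", "Segment 1"),
        (PLAIN, "10.9.9.9", "198.51.100.1", "Segment 1"),
        (CUSTOM, "10.1.1.5", "198.51.100.1", "Segment 1"),
        (CUSTOM, "172.16.0.1", "198.51.100.1", "Segment 2"),
    ]:
        print(flt.name, src, "->", dst, seg, filter_applies(flt, SETTINGS, src, dst, seg))
    print("budget warnings:", budget_warnings(SETTINGS))
```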

The following is the Filters - Application Protection Filter Settings page:
Figure 3 - 15: Filters - Application Protection Filter Settings Page

The Application Settings page includes the following options:
- Limit Filters to IP Addresses
- Create a Global Exception
- Delete a Global Setting
Note: Custom filters can have IP addresses (node or subnet) specified directly on the filter using a filter exception. These custom filters are not affected by the Application Settings page inclusion list for limiting filters to specific IP addresses.

Limit Filters to IP Addresses
CAUTION: The UnityOne system has specified performance limits on the number of exceptions and limit filters for Application Settings. You should not exceed the following:
- Create no more than 1 Limit Filter (apply-only rule)
STEP 1  On the Filters page, select the Open > Application Protection > Application Settings menu item. The Filters - Application Protection Filters Settings page displays.
STEP 2  In the Limit Filters to the following IP address(es) section, do the following:
        STEP A  Enter the Source IP Address.
        STEP B  Enter the Destination Address in CIDR format.
        STEP C  Select a Segment from the drop-down list. You can also select All Segments. Segmental assignment applies the exception or restriction to a specified segment rather than to the entire device. If you select All Segments, the setting affects the traffic of all segments on a device.
        Note: Source and Destination IP Addresses can be entered in CIDR format, as any or as *.
STEP 3  Click the add to table below button.
STEP 4  Click Save.


Create a Global Exception
CAUTION: The UnityOne system has specified performance limits on the number of exceptions and limit filters for Application Settings. You should not exceed the following:
- Create no more than 5 Exceptions
STEP 1  On the Filters page, select the Open > Application Protection > Application Settings menu item. The Filters - Application Protection Filters Settings page displays.
STEP 2  In the Exceptions section, enter the Source IP Address and/or Destination Address in CIDR format.
        Note: Source and Destination IP Addresses can be entered in CIDR format, as any or as *.
STEP 3  Select a Segment from the drop-down list. Segmental assignment applies the exception or restriction to a specified segment rather than to the entire device. If you do not select a segment, the setting affects the traffic of all segments on a device.
STEP 4  Click the add to table below button.
STEP 5  Click Save.


Delete a Global Setting
STEP 1  On the Filters page, select the Open > Application Protection > Global Settings menu item. The Filters - Application Protection Filters Settings page displays.
STEP 2  To delete an IP address limit setting or exception, click the Delete icon next to the entry.
STEP 3  Click Save.


Infrastructure Protection
Infrastructure Protection is a pillar of filter types that protect network bandwidth and network infrastructure elements such as routers and firewalls from attacks. These filters use a combination of traffic normalization, Advanced DDoS protection, and network equipment protection. Infrastructure Protection filters include Advanced DDoS, network equipment protection, and traffic normalization filters.
Advanced DDoS filters detect and protect a network against request floods. These attacks are called Denial of Service attacks. The LSM provides support to detect and block flood attacks such as SYN floods. Reconnaissance filters detect and block anomalies in traffic patterns. Traffic normalization filters block network traffic when the traffic is considered malicious.
Infrastructure Protection profiles include the following types of filters:
- Advanced DDoS Filters: category of filters that detect and block randomized requests, unsolicited responses, amplifiers, reflectors, zombies, bots, and indistinguishable request attacks against the system.
  Note: Only E-Series devices, such as the UnityOne-100E and UnityOne-5000E, include the Advanced DDoS Protection option filters. All other IPS models (not E-Series) running 2.x TOS do not have DDoS filter support.
  If you are using a UnityOne-5000E, refer to Advanced DDoS Filters for UnityOne-5000E on page 64 for instructions on Advanced DDoS filters. The screens differ for this device model.
  For more information on upgrading your system with Advanced DDoS Protection and purchasing E-Series devices, contact your TippingPoint Sales Representative.
- Network Equipment Protection Filters: category of filters that detect and block exploit-based attacks against networked equipment.

- Traffic Normalization Filters: category of filters that detect and manage traffic on a network. These filters are enabled and use the Block action set by default. The filters support Block and/or Notify options for action sets and check for the following:
  - Invalid TCP header flags
  - Invalid IP fragments
  - Invalid TCP reassembly
  - Unsolicited requests
- Traffic Threshold Filters: category of filters that detect statistical changes in traffic patterns. These filters are set up by the user of the device.


Advanced DDoS Filters
Note: Only E-Series devices, such as the UnityOne-100E and UnityOne-5000E, include the Advanced DDoS Protection option filters. All other IPS models (not E-Series) running 2.x TOS do not have DDoS filter support.
If you are using a UnityOne-5000E, refer to Advanced DDoS Filters for UnityOne-5000E on page 64 for instructions on Advanced DDoS filters. The screens differ for this device model.
For more information on upgrading your system with Advanced DDoS Protection and purchasing E-Series devices, contact your TippingPoint Sales Representative.
Advanced DDoS, or Distributed Denial of Service, filters detect denial of service attacks. These attacks flood a network with requests, including traditional SYN floods, DNS request floods against nameservers, and attempts to use protected systems as reflectors or amplifiers in attacks against third parties. These filters detect direct flood attacks and attacks hidden within larger packets and requests.
Of the malicious attacks that can be launched against a network, DDoS attacks cause the most harm. In these attacks, a multitude of systems (in the range of thousands) send TCP/ACK connections to multiple destinations. These destinations range from 1 to 1024 IP addresses, which in turn may have numerous connected networks and workstations. The general protections and investigation methods used to prevent most malicious attacks do not identify these attacks: IP source routing and TCP SYN proxy cannot detect them, because DDoS disrupts both of these possible solutions for locating and blocking such attacks. DDoS filters protect a network by analyzing network traffic against its past history, inspecting IP connections in depth, and applying the configured thresholds.

You can create the following types of Advanced DDoS filters:
- SYN Proxy: protects against SYN floods of the system. An attacker floods a server with malicious connection requests (TCP SYNs) with spoofed source IP addresses, preventing legitimate clients from accessing the server. The IPS acts as a proxy, synthesizing and sending the SYN/ACK packet back to the originator and waiting for the final ACK packet. After the IPS receives the ACK packet from the originator, the IPS then "replays" the three-step sequence to the receiver.
- CPS Flood: protects against Connection-Per-Second floods. Each CPS protection limits the average number of connections that a client may open to a particular server per second. The protection includes a threshold setting of the calculated average number of connections per second to allow from a particular client. The network administrator can create a CPS filter for both Port A to Port B and Port B to Port A traffic. The flexible settings allow customizations for incoming and outgoing traffic and attack detection based on network traffic needs. Because the approach is based on an average connection-per-second rate, this implementation allows for normal fluctuations of traffic (such as a web browser that opens 10 connections at once while downloading a complex page, then sits idle while the user reads). As a result, the CPS protection detects on the number of new connections averaged over a period of time.
- Connection Flood: protects against Established Connection floods. The Connection Flood protection limits the number of simultaneous open connections that occur between a client and server. A TCP established connection attack originates from an IP address the network considers safe. This attack generates floods of full (3-way) established TCP connections using a safe or accepted IP address. It attempts to flood the network by sending more connections than the system can handle. These attacks do not harm data, but the flood can deny users access and connections to networks and services.
When using Advanced DDoS Protection filters, you must place the IPS device in a Symmetric Network. The device must see both sides of the traffic.
Note: Advanced DDoS Protection Filters function only in a symmetric network configuration. You must disable Asymmetric Mode for your device. See TSE General Configuration on page 159.
The following is the Filters - DDoS Filters Main List page:
Figure 3 - 16: Filters - DDoS Filters Main List Page

These filters have the following settings:

Table 3 - 8: DDoS Filters Main List
Column            Definition
Filter Name       Name of the filter
Destination IP    The IP address of the destination
Segment           The segment the filter is assigned to
Direction         The direction for the segment: Port A to B or Port B to A
SYN Proxy         Indicates if SYN Proxy is enabled or disabled
CPS               Indicates the threshold setting for the CPS option. The amount is the average number of connections allowed per second. If it is blank, it is disabled.
Connection Flood  Indicates the threshold setting for the Connection Flood option. The amount is the average number of open connections allowed. If it is blank, it is disabled.
Functions         Icon representing functions to manage filters

The Filters - DDoS Filters Main List page includes the following options:
- Viewing Filters
- Searching Filters
- Create an Advanced DDoS Filter
- Edit an Advanced DDoS Filter
- Deleting Filters
Note: To create an exception for a DDoS filter, you must first create the filter. After creation, you can edit the filter to add exceptions.

DDoS Attacks and Solutions
DDoS filters provide protection against the following attacks:
- Randomized requests: a malicious source attacks random ports of the target, seeking entrance to the network.
- Unsolicited responses: a malicious source sends packets masked as responses to requests to the target. Any accepted packets would attack the accepting target network.
- Amplifiers: a malicious source sends a flood of requests to a network that further sends the attack to a larger network of systems. The affected network acts as an amplifier when broadcasting the attack to other systems.
- Reflectors: a malicious source uses a network to reflect an attack against the network's host.
- Indistinguishable requests: a malicious source sends requests to services listening on a network, seeking entrance through the services.
These filters within the Infrastructure Protection pillar protect the system through the following:

Table 3 - 9: Solutions for DDoS Attacks
Attack                     Solution                     Description
Randomized Requests        Host Limiting                Provides the ability to limit access to hosts on a per-segment basis based on an algorithm which monitors connections. Utilizes segment deployment to enable you to deny requests for the attacked segment/host. Provides control of threshold settings and the global enabling/disabling of functionality.
Unsolicited Responses      Stateful Connection Support  Provides control to enable/disable stateful connection support.
Amplifier                  Broadcast Filter Blocking    Provides control over whether ICMP broadcast packets are allowed.
                           Stateful Connection Support  Provides control to enable/disable stateful connection support.
Reflector                  Session Limiting             Provides the ability to limit the number of sessions from any host. You can enable and disable the session limiting and set the threshold.
                           Stateful Connection Support  Provides control to enable/disable stateful connection support.
Indistinguishable Request  Limit Host Access            Provides the ability to limit access to requesting hosts on a per-segment basis based on an algorithm which monitors connections. Provides control of threshold settings and global enabling/disabling of functionality.
                           Block IP Addresses           Blocks the offending source IP address.

Create an Advanced DDoS Filter
STEP 1  On the Filters page, select the Open > Infrastructure Protection > DDoS menu item. The Filters - DDoS Filters Main List page displays.
STEP 2  Click Create. The Filters - DDoS Details/Edit page displays.
Figure 3 - 17: Filters - DDoS Filters Create Page
Note: If the screen looks different, you may be accessing a UnityOne-5000E. If so, see Advanced DDoS Filters for UnityOne-5000E on page 64.
Note: Advanced DDoS Protection Filters work in a symmetric network configuration. You must disable Asymmetric Mode for your device. See TSE General Configuration on page 159.

STEP 3  Enter a Filter Name.
STEP 4  In the Filter Parameters section, do the following:
        STEP A  Select the Action for the filter: Block + Notify or Block.
        STEP B  Select a Segment.
        STEP C  Select a Direction: From Port A to Port B or From Port B to Port A.
        STEP D  Enter a Destination IP address.
STEP 5  In the SYN Proxy section, do the following:
        STEP A  Check the Enable box for SYN Proxy. Manually enabling this option provides traps for SYN floods, rather than using firewall blocks.
        STEP B  Enter the number of SYN requests allowed per second for the Threshold.
STEP 6  In the CPS Flood section, do the following:
        STEP A  Check the Enable box for CPS Flood.
        STEP B  Enter the maximum average number of connections allowed per second for the Threshold.
STEP 7  In the Connection Flood section, do the following:
        STEP A  Check the Enable box for Connection Flood.
        STEP B  Enter the number of allowed open connections for the Threshold.
STEP 8  Click Create.


Edit an Advanced DDoS Filter
STEP 1  On the Filters page, select the Open > Infrastructure Protection > DDoS menu item. The Filters - DDoS Filters Main List page displays.
STEP 2  Do one of the following:
        - Select the Edit icon for a filter.
        - Click the filter name link.
        The Filters - DDoS Details/Edit page displays.
Figure 3 - 18: Filters - DDoS Details/Edit Page
Note: If the screen looks different, you may be accessing a UnityOne-5000E. If so, see Advanced DDoS Filters for UnityOne-5000E on page 64.
Note: Advanced DDoS Protection Filters work in a symmetric network configuration. You must disable Asymmetric Mode for your device. See TSE General Configuration on page 159.
STEP 3  Edit the Filter Name.
STEP 4  In the Filter Parameters section, do the following:
        STEP A  Select the Action for the filter: Block + Notify or Block.
        STEP B  Select a Segment.
        STEP C  Select a Direction: From Port A to Port B or From Port B to Port A.
        STEP D  Enter a Destination IP address.
STEP 5  In the SYN Proxy section, do the following:
        STEP A  Check the Enable box for SYN Proxy. Manually enabling this option provides traps for SYN floods, rather than using firewall blocks.
        STEP B  Enter the number of SYN requests allowed per second for the Threshold.
STEP 6  In the CPS Flood section, do the following:
        STEP A  Check the Enable box for CPS Flood.
        STEP B  Enter the maximum average number of connections allowed per second for the Threshold.
STEP 7  In the Connection Flood section, do the following:
        STEP A  Check the Enable box for Connection Flood.
        STEP B  Enter the number of allowed open connections for the Threshold.
STEP 8  In the Exception(s) section, do the following:
        STEP A  Enter an IP address in the Source Address.
        STEP B  Click add to table below.
STEP 9  Click Save.

Advanced DDoS Filters for UnityOne-5000E
Note: Only E-Series devices, such as the UnityOne-100E and UnityOne-5000E, include the Advanced DDoS Protection option filters. All other IPS models (not E-Series) running 2.x TOS do not have DDoS filter support.
If you are using a UnityOne-100E, refer to Advanced DDoS Filters on page 56 for instructions on Advanced DDoS filters. The screens differ for this device model.
For more information on upgrading your system with Advanced DDoS Protection and purchasing E-Series devices, contact your TippingPoint Sales Representative.
Advanced DDoS, or Distributed Denial of Service, filters detect denial of service attacks. These attacks flood a network with requests, including traditional SYN floods, DNS request floods against nameservers, and attempts to use protected systems as reflectors or amplifiers in attacks against third parties. These filters detect direct flood attacks and attacks hidden within larger packets and requests.
Of the malicious attacks that can be launched against a network, DDoS attacks cause the most harm. In these attacks, a multitude of systems (in the range of thousands) send TCP/ACK connections to multiple destinations. These destinations range from 1 to 1024 IP addresses, which in turn may have numerous connected networks and workstations. The general protections and investigation methods used to prevent most malicious attacks do not identify these attacks: IP source routing and TCP SYN proxy cannot detect them, because DDoS disrupts both of these possible solutions for locating and blocking such attacks. DDoS filters protect a network by analyzing network traffic against its past history, inspecting IP connections in depth, and applying the configured thresholds.
You can create the following types of Advanced DDoS filters:
- SYN Proxy: protects against SYN floods of the system. An attacker floods a server with malicious connection requests (TCP SYNs) with spoofed source IP addresses, preventing legitimate clients from accessing the server. The IPS acts as a proxy, synthesizing and sending the SYN/ACK packet back to the originator and waiting for the final ACK packet. After the IPS receives the ACK packet from the originator, the IPS then replays the three-step sequence to the receiver.
- CPS Flood: protects against Connection-Per-Second floods. Each CPS protection limits the average number of connections that a client may open to a particular server per second. The protection includes a threshold setting of the calculated average number of connections per second to allow from a particular client. The network administrator can create a CPS filter for both Port A to Port B and Port B to Port A traffic. The flexible settings allow customizations for incoming and outgoing traffic and attack detection based on network traffic needs. Because the approach is based on an average connection-per-second rate, this implementation allows for normal fluctuations of traffic (such as a web browser that opens 10 connections at once while downloading a complex page, then sits idle while the user reads). As a result, the CPS protection detects on the number of new connections averaged over a period of time.
- Connection Flood: protects against Established Connection floods. The Connection Flood protection limits the number of simultaneous open connections that occur between a client and server. A TCP established connection attack originates from an IP address the network considers safe. This attack generates floods of full (3-way) established TCP connections using a

safe or accepted IP address. It attempts to flood the network by sending more connections than the
system can handle. These attacks do not harm data, but the flood can deny users access and
connections to networks and services.
When using Advanced DDoS Protection filters, you must place the IPS device in a Symmetric Network.
The device must see both sides of the traffic.
Note: Advanced DDoS Protection Filters function only in a symmetric network
configuration. You must disable Asymmetric Mode for your device. See TSE
General Configuration on page 159.
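The CPS Flood and Connection Flood thresholds described here and in the Advanced DDoS Filters section above, as an added Python simulation that is not TSE or TippingPoint code. It runs both checks over constructed connection events for one filter's Destination IP and shows why a browser's burst of 10 connections stays under a per-second average that a sustained flood exceeds; the 10-second averaging window, the class names and the sample addresses are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass(frozen=True)
class ConnEvent:
    """A completed TCP handshake ("open") or teardown ("close") seen on the segment."""
    t: float      # seconds since capture start
    client: str
    server: str
    kind: str     # "open" or "close"


@dataclass(frozen=True)
class Alert:
    kind: str     # "cps" or "connection_flood"
    client: str
    t: float
    value: float  # measured average CPS, or the open-connection count


class DdosFilterModel:
    """Models one Advanced DDoS filter: a Destination IP, a CPS threshold
    (average new connections per second per client) and a Connection Flood
    threshold (simultaneous open connections per client)."""

    def __init__(self, destination_ip: str, cps_threshold: float,
                 conn_threshold: int, window_s: float = 10.0):
        self.destination_ip = destination_ip
        self.cps_threshold = cps_threshold
        self.conn_threshold = conn_threshold
        self.window_s = window_s  # assumed averaging window; the guide states none
        self.opens: Dict[str, Deque[float]] = defaultdict(deque)
        self.open_count: Dict[str, int] = defaultdict(int)

    def average_cps(self, client: str, now: float) -> float:
        """New connections from `client` within the trailing window, per second."""
        q = self.opens[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) / self.window_s

    def feed(self, ev: ConnEvent) -> List[Alert]:
        if ev.server != self.destination_ip:
            return []  # the filter watches only its own Destination IP
        alerts: List[Alert] = []
        if ev.kind == "open":
            self.opens[ev.client].append(ev.t)
            self.open_count[ev.client] += 1
            cps = self.average_cps(ev.client, ev.t)
            if cps > self.cps_threshold:
                alerts.append(Alert("cps", ev.client, ev.t, cps))
            if self.open_count[ev.client] > self.conn_threshold:
                alerts.append(Alert("connection_flood", ev.client, ev.t,
                                    self.open_count[ev.client]))
        elif ev.kind == "close":
            self.open_count[ev.client] = max(0, self.open_count[ev.client] - 1)
        return alerts


def run_filter(events: List[ConnEvent], model: DdosFilterModel) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.t):
        alerts.extend(model.feed(ev))
    return alerts


# Constructed sample traffic toward a protected web server (documentation addresses).
SERVER = "192.0.2.80"
EVENTS: List[ConnEvent] = []
# A browser opening 10 connections almost at once and closing them a second later:
# about 22 connections/s instantaneously, but only 1.0/s averaged over the window.
for i in range(10):
    EVENTS.append(ConnEvent(i / 20, "10.0.0.5", SERVER, "open"))
    EVENTS.append(ConnEvent(1 + i / 20, "10.0.0.5", SERVER, "close"))
# One source opening 50 connections in 5 seconds and never closing them.
for i in range(50):
    EVENTS.append(ConnEvent(20 + i / 10, "198.51.100.7", SERVER, "open"))


def demo() -> List[Alert]:
    """CPS threshold 2.0 connections/s, Connection Flood threshold 30 open connections."""
    return run_filter(EVENTS, DdosFilterModel(SERVER, cps_threshold=2.0, conn_threshold=30))


if __name__ == "__main__":
    for a in demo():
        print(a)
```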
The following is the Filters - DDoS Filters Main List page:
Figure 3 - 19: Filters - DDoS Filters Main List Page for UnityOne-5000E

The Global Settings section provides the preference settings for the Advanced DDoS enabled protection. You can select the following protection options: SYN Proxy, CPS, and Connection Flood. The section also allows you to enter the following:
- CPS Threshold: indicates the threshold setting for the CPS option. The amount is the average number of connections allowed per second.
- Connection Flood Threshold: indicates the threshold setting for the Connection Flood option. The amount is the average number of open connections allowed.

These filters have the following settings:

Table 3 - 10: DDoS Filters List
Column          Definition
Filter Name     Name of the filter
Destination IP  The IP address of the destination
Segment         The segment the filter is assigned to
Direction       The direction for the segment: Port A to B or Port B to A
SYN Proxy       Indicates if SYN Proxy is enabled or disabled
Functions       Icon representing functions to manage filters

The Filters - DDoS Filters Main List page includes the following options:
- Viewing Filters
- Searching Filters
- Create an Advanced DDoS Filter for the UnityOne-5000E
- Edit an Advanced DDoS Filter for the UnityOne-5000E
- Deleting Filters
Note: To create an exception for a DDoS filter, you must first create the filter. After creation, you can edit the filter to add exceptions.

Create an Advanced DDoS Filter for the UnityOne-5000E
STEP 1  On the Filters page, select the Open > Infrastructure Protection > DDoS menu item. The Filters - DDoS Filters Main List page displays.
STEP 2  Click Create. The Filters - DDoS Details/Edit page displays.
Figure 3 - 20: Filters - DDoS Filters Create Page UnityOne-5000E
Note: If the screen looks different, you may be accessing a UnityOne E-Series device other than a UnityOne-5000E. If so, see Advanced DDoS Filters on page 56.
Note: Advanced DDoS Protection Filters work in a symmetric network configuration. You must disable Asymmetric Mode for your device. See TSE General Configuration on page 159.
STEP 3  Enter a Filter Name.
STEP 4  In the Filter Parameters section, do the following:
        STEP A  Select the Action for the filter: Block + Notify or Block.
        STEP B  Select a Segment.
        STEP C  Select a Direction: From Port A to Port B or From Port B to Port A.
        STEP D  Enter a Destination IP address.
STEP 5  In the Thresholds section, enter the number of SYN requests allowed per second. Settings for CPS and Connection Flood are entered on the main DDoS page.
STEP 6  Click Create.


Edit an Advanced DDoS Filter for the UnityOne-5000E
STEP 1  On the Filters page, select the Open > Infrastructure Protection > DDoS menu item. The Filters - DDoS Filters Main List page displays.
STEP 2  Do one of the following:
        - Select the Edit icon for a filter.
        - Click the filter name link.
        The Filters - DDoS Details/Edit page displays.
Figure 3 - 21: Filters - DDoS Details/Edit Page UnityOne-5000E
Note: If the screen looks different, you may be accessing a UnityOne E-Series device other than a UnityOne-5000E. If so, see Advanced DDoS Filters on page 56.
Note: Advanced DDoS Protection Filters work in a symmetric network configuration. You must disable Asymmetric Mode for your device. See TSE General Configuration on page 159.

STEP 3  Enter a Filter Name.
STEP 4  In the Filter Parameters section, do the following:
        STEP A  Select the Action for the filter: Block + Notify or Block.
        STEP B  Select a Segment.
        STEP C  Select a Direction: From Port A to Port B or From Port B to Port A.
        STEP D  Enter a Destination IP address.
STEP 5  In the Thresholds section, enter the number of SYN requests allowed per second. Settings for CPS and Connection Flood are entered on the main DDoS page.
STEP 6  Click Save.


Network Equipment Protection Filters
Network attacks may seek access to a network broadly or target specific data to corrupt. Network equipment filters protect networked equipment from attacks that scan and search for hardware. Networked hardware receives requests from operating systems and services on a network. This equipment includes peripherals such as printers and fax/modems as well as routers and integrated phone systems. These filters detect and block the malicious attacks that target equipment accessible through a network.
The following is the Filters - Network Equipment Protection Filters Main List page:
Figure 3 - 22: Filters - Network Equipment Protection Filters Main List Page

These filters have the following settings:

Table 3 - 11: Network Equipment Filters Main List Details
Column       Definition
Filter Name  Name of the filter
Segment      The segment the filter is assigned to
Control      The category settings for the filter
Action       Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State        Indicates the filter's state:
             - Enabled: displays Enabled if the filter is enabled and running
             - Disabled: displays an empty value if the filter is disabled. To enable, edit the filter.
             - System Disabled: displays System Disabled if a filter is system disabled. The LSM disables a filter if the adaptive filter settings are triggered. See TSE Adaptive Filter Configuration on page 161.
Functions    Icon representing functions to manage filters

You can do the following to all Network Equipment Protection filters:
- Viewing Filters
- Searching Filters
- Creating New Filters
- Edit a Network Equipment Protection Filter
- Deleting Filters

Edit a Network Equipment Protection Filter
STEP 1  On the Filters page, select the Open > Infrastructure Protection > Network Equipment menu item. The Filters - Network Equipment Filters Main List page displays.
STEP 2  Do one of the following:
        - Select the Edit icon for a filter.
        - Click the filter name link.

The Filters - Network Equipment Details/Edit page displays.


Figure 3 - 23: Filters - Network Equipment Details/Edit Page

STEP 3

In the Action/State section, select Use Category Settings or Override. If you select Override to
use a different action set for the filter, do the following:

STEP A

Select the Override radio button in the Parameters section.

STEP B

Check the Enabled check box.

STEP C

Choose an Action from the drop-down list.

STEP 4

Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings - Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter - Removes any global
adaptive filter settings for this filter

STEP 5

Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:

STEP A

Enter the Source Address.

STEP B

Enter the Destination Address.

STEP C

Click add to the table below.

STEP 6

Click Save.


Traffic Normalization Filters


Traffic normalization filters block network traffic when the traffic is considered malicious. These filters
allow you to set alerts to trigger when the system recognizes this traffic. Traffic pattern filters alert
when network traffic varies from normal. The system compiles statistics for normal traffic based on
monitoring of network traffic over time. Traffic normalization filters enforce valid packet processing
within the Threat Suppression Engine. They protect the engine by detecting invalid or abnormal
packets. By protecting the engine, the filters scrub the network of possible issues.
You can create and manage these filters on the Filters - Traffic Normalization Filters Main List page.
The system enables you to modify the action set of each filter. To have the system inspect and block
malformed packets, you should select Recommended or Block settings for the action set.
Recommended sets the filter to Block. If you select Permit+Notify, packets matching the rule are
logged and passed without further inspection. This action differs from normal packet processing and
can introduce vulnerabilities. When you select a non-blocking action set or create an exception to a
hardcode filter, the system notifies you.
As these filters manage traffic, you may notice not all filters result in blocked streams. The following
filters do not hold blocked datastreams:

7102: IP fragment invalid. The packet is dropped.
7103: IP fragment out of range. The packet is dropped.
7104: IP duplicate fragment. The packet is dropped.
7105: IP length invalid. The packet is dropped.
7121: TCP header length invalid. The packet is dropped.

The full list of Normalization filters includes the following:

7101: IP Header Incomplete


7102: IP Fragment Invalid
7103: IP Fragment Out of Range
7104: IP Duplicate Fragment
7105: IP Length Invalid
7109: IP Fragment Total Length Mismatch
7110: IP Fragment Overlap
7111: IP Fragment Bad MF Bits
7120: TCP Segment Overlap With Different Data
7121: TCP Header Length Invalid
7123: TCP Flags Invalid
7124: TCP Header Incomplete
7125: TCP Length Invalid
7126: TCP Reserved Flags Invalid
7141: ICMP Header Incomplete
7142: ICMP Length Invalid
7151: UDP Header Incomplete
7152: UDP Length Invalid
7160: Ethernet Header Incomplete
7170: ARP Address Invalid
7171: ARP Header Incomplete
7172: ARP Length Invalid
7199: Unknown Traffic Normalization
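To make the kind of check these filters perform concrete, here is an added example (not TippingPoint code) that applies a few of the header sanity rules listed above to raw IPv4/TCP packets and reports the matching filter number. The packet builders, the exact rule for 7111 (a non-final fragment whose data length is not a multiple of 8) and the choice of invalid TCP flag combinations are assumptions made for this example.

```python
import struct
from typing import List, Optional

# Rule labels taken from the Traffic Normalization filter list above.
IP_HEADER_INCOMPLETE = "7101: IP Header Incomplete"
IP_LENGTH_INVALID = "7105: IP Length Invalid"
IP_FRAGMENT_BAD_MF = "7111: IP Fragment Bad MF Bits"
TCP_HEADER_LENGTH_INVALID = "7121: TCP Header Length Invalid"
TCP_FLAGS_INVALID = "7123: TCP Flags Invalid"
TCP_HEADER_INCOMPLETE = "7124: TCP Header Incomplete"
TCP_RESERVED_FLAGS_INVALID = "7126: TCP Reserved Flags Invalid"


def check_tcp(segment: bytes) -> List[str]:
    """Apply the TCP sanity rules to one segment (header plus payload)."""
    findings = []
    if len(segment) < 20:
        return [TCP_HEADER_INCOMPLETE]
    doff_byte, flags = segment[12], segment[13]
    data_offset = (doff_byte >> 4) * 4   # header length in bytes, valid range 20..60
    reserved = doff_byte & 0x0F          # low nibble is reserved in the classic header layout
    if data_offset < 20 or data_offset > len(segment):
        findings.append(TCP_HEADER_LENGTH_INVALID)
    if reserved:
        findings.append(TCP_RESERVED_FLAGS_INVALID)
    fin, syn, rst = flags & 0x01, flags & 0x02, flags & 0x04
    # SYN+FIN, SYN+RST and an all-zero ("null") flag set never occur on a legitimate connection.
    if (syn and fin) or (syn and rst) or (flags & 0x3F) == 0:
        findings.append(TCP_FLAGS_INVALID)
    return findings


def normalize(packet: bytes) -> List[str]:
    """Return the normalization rules an IPv4 packet violates; an empty list means it is clean."""
    if len(packet) < 20:
        return [IP_HEADER_INCOMPLETE]
    ver_ihl, _tos, total_len, _ident, frag_word, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(packet) < ihl:
        return [IP_HEADER_INCOMPLETE]
    # The declared total length must cover the header and must not exceed the bytes received.
    if total_len < ihl or total_len > len(packet):
        return [IP_LENGTH_INVALID]
    findings = []
    more_fragments = bool(frag_word & 0x2000)
    offset = frag_word & 0x1FFF
    # Assumption for 7111: a non-final fragment (MF set) must carry a data length that is a
    # multiple of 8 bytes (RFC 791); otherwise later fragment offsets cannot line up.
    if more_fragments and (total_len - ihl) % 8 != 0:
        findings.append(IP_FRAGMENT_BAD_MF)
    # The transport header is only present in the first (or only) fragment.
    if proto == 6 and offset == 0:
        findings.extend(check_tcp(packet[ihl:total_len]))
    return findings


def build_ipv4(payload: bytes, proto: int = 6, total_len: Optional[int] = None,
               frag_word: int = 0) -> bytes:
    """Constructed IPv4 header (no options, checksum left at zero) used for the samples below."""
    total = 20 + len(payload) if total_len is None else total_len
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, frag_word, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def build_tcp(flags: int, doff_words: int = 5, reserved: int = 0, payload: bytes = b"") -> bytes:
    """Constructed TCP header (ports 40000 -> 80, zero checksum) used for the samples below."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (doff_words << 4) | reserved,
                         flags, 8192, 0, 0)
    return header + payload


if __name__ == "__main__":
    samples = {
        "clean SYN": build_ipv4(build_tcp(0x02)),
        "SYN+FIN": build_ipv4(build_tcp(0x03)),
        "null flags": build_ipv4(build_tcp(0x00)),
        "truncated IP header": build_ipv4(build_tcp(0x02))[:12],
        "length claims 2000 bytes": build_ipv4(build_tcp(0x02), total_len=2000),
        "TCP data offset of 12 bytes": build_ipv4(build_tcp(0x02, doff_words=3)),
        "reserved bits set": build_ipv4(build_tcp(0x02, reserved=0x8)),
        "MF fragment, 20-byte data": build_ipv4(build_tcp(0x02), frag_word=0x2000),
    }
    for label, pkt in samples.items():
        print(f"{label:28} -> {normalize(pkt) or ['clean']}")
```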


The following is the Filters - Traffic Normalization Filters Main List page:
Figure 3 - 24: Filters - Traffic Normalization Filters Main List Page

These filters have the following settings:


Table 3 - 12: Traffic Normalization Filters Main List

Column        Definition
Filter Name   Name of the filter
Segment       The segment the filter is assigned to
Control       The category settings for the filter
Action        Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State         Indicates the filter's state:
              Enabled - Displays Enabled if the filter is enabled and running
              Disabled - Displays an empty value if the filter is disabled. To enable, edit the filter.
              System Disabled - Displays System Disabled if a filter is system disabled. The LSM
              disables a filter if the adaptive filter settings are triggered. See TSE Adaptive
              Filter Configuration on page 161.
Functions     Icon representing functions to manage filters

The Filters - Traffic Normalization Filters Main List page includes the following options:
Edit a Normalization Filter
Viewing Filters
Note: You can create Traffic Normalization filters with the same name as existing
filters, and in the same profile. The LSM gives each filter a unique ID, using that
ID as reference in the system.
Edit a Normalization Filter
STEP 1

On the Filters page, select the Open > Infrastructure Protection > Network
Equipment menu item. The Filters - Network Equipment Filters Main List page displays.

STEP 2

Do one of the following:


Select the Edit icon for a filter.
Click the filter name link.


The Filters - Filters Details/Edit page displays.


Figure 3 - 25: Filters - Filters Details/Edit Page

STEP 3

In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A

Select the Override radio button in the Parameters section.

STEP B

Check the Enabled check box.

STEP C

Choose an Action from the drop-down list.

Note: If you select Recommended as the action set, this sets all filters to Block.
If you assign the Permit+Notify action to a hardcode filter, packets matching the rule
are logged and passed without further inspection. This process differs from
normal packet processing and can introduce vulnerabilities. When you select a
non-blocking action set or create an exception to a Normalization filter, you
receive a notification from the system.
If you select a rate limit, it applies only to TCP, UDP, or ICMP traffic.


STEP 4

Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings - Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter - Removes any global
adaptive filter settings for this filter

STEP 5

Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:

STEP A

Enter the Source Address.

STEP B

Enter the Destination Address.

STEP C

Click add to the table below.

STEP 6

Click Save.

Traffic Threshold Filters


Traffic threshold filters allow you to perform bandwidth-shaping. These filters enable the UnityOne to
detect statistical changes in network traffic patterns. Using these filters, you can set your system to
accept and send a set amount of each packet, profiling and shaping the bandwidth of your system and
network.
Traffic threshold filters alert you and the system when network traffic varies from the norm. The
UnityOne system determines normal traffic patterns based on the network statistics over time. You can
set 4 types of thresholds for each filter:

minor increase - Traffic is slightly over the set threshold.
major increase - Traffic is greatly over the set threshold.
minor decrease - Traffic is slightly below the set threshold.
major decrease - Traffic is greatly under the set threshold.

Thresholds are expressed as a % of normal traffic. For example, a threshold of 120% would fire if
traffic exceeded the normal amount by 20%. A threshold of 80% would fire if the level of traffic
dropped by 20% from the normal amount of traffic.
Thresholds trigger when traffic crosses the set amounts. When traffic exceeds a threshold and returns
to normal levels, the system generates an alert. These alerts inform you of the triggered filter, when
the thresholds are exceeded and return to normal, and the amount by which traffic deviated from normal
levels, above or below. Once the filter triggers, you must reset it to reestablish it for use in the
system. The filter is not disabled, but it does require resetting.
Note: A triggered Traffic Threshold filter will not perform functions until you
manually reset it. Resetting a triggered filter is not the same as enabling or
disabling a filter. See Reset a Traffic Threshold Filter on page 83.
At times, a Traffic Threshold filter can trigger multiple times. The filter could be triggering falsely due
to threshold settings not matching the new traffic behavior of your system, or other such issues. The
system lists the top ten (10) filters disabled either manually or automatically on the Configure - TSE
Adaptive Filter Configuration page. See TSE Adaptive Filter Configuration on page 161.
To view the logs for traffic threshold events, you can click on the Threshold link in the System Stats
bar. Traffic Threshold filter events can be found in the alert and block logs, based on the action set of
the filter. When you click the Threshold link, the default view displays the Traffic Threshold filter
events in the Alert Log Search Results page. To review the entries in the block log, click the Logs tab
and search the block log for those results.
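The threshold arithmetic and the trigger-then-reset behavior described above, modelled as an added example (not TippingPoint code). The baseline is taken as the mean of constructed sample rates; the "normal" period, the class and method names, and the check order (major before minor) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional


@dataclass
class TrafficThresholdFilter:
    """One Traffic Threshold filter: a baseline plus up to four percentage thresholds."""
    name: str
    units: str = "packets"                            # packets, bytes or connections per second
    baseline_samples: List[float] = field(default_factory=list)
    # Thresholds are percentages of normal traffic; None means that threshold is not enabled.
    above_major: Optional[float] = None
    above_minor: Optional[float] = None
    below_major: Optional[float] = None
    below_minor: Optional[float] = None
    triggered: Optional[str] = None                   # which threshold fired; cleared only by reset()
    alerts: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # An "above" threshold at or below 100% (or a "below" one at or above 100%) cannot mean
        # what the operator intended, so refuse the configuration instead of silently misfiring.
        for label, value in (("above_major", self.above_major), ("above_minor", self.above_minor)):
            if value is not None and value <= 100:
                raise ValueError(f"{label} must be greater than 100% of normal")
        for label, value in (("below_major", self.below_major), ("below_minor", self.below_minor)):
            if value is not None and value >= 100:
                raise ValueError(f"{label} must be less than 100% of normal")

    def baseline(self) -> float:
        """Normal traffic: the mean of the rates observed over the configured period."""
        if not self.baseline_samples:
            raise ValueError("no baseline samples collected yet")
        return mean(self.baseline_samples)

    def percent_of_normal(self, rate: float) -> float:
        return 100.0 * rate / self.baseline()

    def evaluate(self, rate: float) -> Optional[str]:
        """Compare one observed rate with normal and fire the first matching threshold.

        Major thresholds are checked before minor ones so a large deviation is reported as
        major. A filter that has already triggered does nothing until it is reset.
        """
        if self.triggered is not None:
            return None
        pct = self.percent_of_normal(rate)
        checks = (
            ("Above Normal Major", self.above_major, lambda t: pct >= t),
            ("Above Normal Minor", self.above_minor, lambda t: pct >= t),
            ("Below Normal Major", self.below_major, lambda t: pct <= t),
            ("Below Normal Minor", self.below_minor, lambda t: pct <= t),
        )
        for label, threshold, crossed in checks:
            if threshold is not None and crossed(threshold):
                self.triggered = label
                self.alerts.append(f"{self.name}: {label} ({threshold:g}% of normal) fired "
                                   f"at {pct:.0f}% ({rate:g} {self.units}/s)")
                return label
        return None

    def reset(self) -> None:
        """Re-arm a triggered filter. This is not the same as enabling or disabling it."""
        self.triggered = None


def run_sample() -> List[Optional[str]]:
    """Constructed walk-through: baseline of about 1000 packets/s, thresholds 150/120/50/80 percent."""
    f = TrafficThresholdFilter("web-pps", "packets", [1000, 1100, 900, 1000],
                               above_major=150, above_minor=120, below_major=50, below_minor=80)
    outcomes = [f.evaluate(1050), f.evaluate(1300), f.evaluate(2000)]  # third is ignored: still triggered
    f.reset()
    outcomes.append(f.evaluate(2000))
    f.reset()
    outcomes.append(f.evaluate(700))
    return outcomes


if __name__ == "__main__":
    for outcome in run_sample():
        print(outcome)
```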
You can create and manage these filters on the Filters - Traffic Threshold Filters Main List page.
Note: When you create a Traffic Threshold filter, you do not need to copy the
filter first and modify it. You can create an entirely new filter. See Create a Traffic
Threshold Filter on page 80.
The following is the Filters - Traffic Threshold Filters Main List page:
Figure 3 - 26: Filters - Traffic Threshold Filters Main List Page

These filters have the following settings:


Table 3 - 13: Traffic Threshold Filters Main List

Column            Definition
Filter Name       Name of the filter
Segment           The segment the filter is assigned to
Units             The number of selected units per second. The unit values include
                  packets, bytes, and connections.
Period            The period of time for the historical data. The period values include the
                  last minute, hour, day, 7 days, 30 days, and 35 days.
Threshold Above   Major % - Percentage of traffic highly over the threshold
                  Minor % - Percentage of traffic slightly over the threshold
Threshold Below   Major % - Percentage of traffic highly under the threshold
                  Minor % - Percentage of traffic slightly under the threshold
Functions         Icon representing functions to manage filters

The Filters - Traffic Threshold Filters Main List page includes the following options:

Viewing Filters
Create a Traffic Threshold Filter
Edit a Traffic Threshold Filter
Reset a Traffic Threshold Filter


Create a Traffic Threshold Filter


STEP 1

On the Filters page, select the Open > Infrastructure Protection > Traffic Threshold
menu item. The Filters - Traffic Threshold Filters Main List page displays.

STEP 2

Do one of the following:


Click Create.
Select the Edit > Create New Filter menu item.
The Filters - Traffic Threshold Filters Edit page displays.

Figure 3 - 27: Filters - Traffic Threshold Filters Edit Page

STEP 3

Enter the Traffic Threshold Filter Name.

STEP 4

For Filter Parameters, modify the following:


STEP A

Select a Segment.

STEP B

Select the direction of the flow for the segment ports: A to B or B to A.

STEP C

Select the Units per Second and the Period the normal amount is based on.
The unit values include packets, bytes, and connections. The period values
include the last minute, hour, day, 7 days, 30 days, and 35 days.

STEP D

For Monitoring, select an option: Monitor only or Monitor with thresholds.
The monitor only option sets the system to generate a report without triggering
traffic thresholds.

STEP 5

For Thresholds, you can modify up to 4 thresholds for each filter: minor increase over
normal, major increase over normal, minor drop below normal, and major drop below normal.
Each threshold is a percentage change from the normal baseline.

STEP A

For Above Normal Major, select the Enabled check box, enter a percentage
amount of normal, and enter an action set.

STEP B

For Above Normal Minor, select the Enabled check box, enter a percentage
amount of normal, and enter an action set.

STEP C

For Below Normal Major, select the Enabled check box, enter a percentage amount
of normal, and enter an action set.

STEP D

For Below Normal Minor, select the Enabled check box, enter a percentage
amount of normal, and enter an action set.

STEP 6

For the Type, select and modify one of the following:
Protocol - Select the type of protocol from the drop-down list, including TCP, Other,
ICMP, and UDP.
Application - Select the type of protocol and enter the Port. Select one of the following to
apply the type to: requests, replies, or both.

STEP 7

Click Save.


Edit a Traffic Threshold Filter


STEP 1

On the Filters page, select the Open > Infrastructure Protection > Traffic Threshold
menu item. The Filters - Traffic Threshold Filters Main List page displays.

STEP 2

Do one of the following:


Select the Edit icon for a filter.
Click the filter name link.
The Filters - Traffic Threshold Filters Create page displays.

Figure 3 - 28: Filters - Traffic Threshold Filters Create Page

STEP 3

Modify the Traffic Threshold Filter Name.

STEP 4

For Filter Parameters, modify the following:


STEP A

Select a Segment.

STEP B

Select the direction of the flow for the segment ports: A to B or B to A.

STEP C

Select the Units per Second and the Period the normal amount is based on.
The unit values include packets, bytes, and connections. The period values
include the last minute, hour, day, 7 days, 30 days, and 35 days.

STEP D

For Monitoring, select an option: Monitor only or Monitor with thresholds.
The monitor only option sets the system to generate a report without triggering
traffic thresholds.

STEP 5

For Thresholds, you can modify up to 4 thresholds for each filter: minor increase over
normal, major increase over normal, minor drop below normal, and major drop below normal.
Each threshold is a percentage change from the normal baseline.

STEP A

For Above Normal Major, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.

STEP B

For Above Normal Minor, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.

STEP C

For Below Normal Major, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.

STEP D

For Below Normal Minor, select the Enabled check box, modify the percentage
amount of normal, and modify the action set.

STEP 6

For the Type, select and modify one of the following:
Protocol - Select the type of protocol from the drop-down list, including TCP, Other,
ICMP, and UDP.
Application - Select the type of protocol and enter the Port. Select one of the following to
apply the type to: requests, replies, or both.

STEP 7

Click Save.

Reset a Traffic Threshold Filter


STEP 1

On the Filters page, select the Open > Infrastructure Protection > Traffic Threshold
menu item. The Filters - Traffic Threshold Filters Main List page displays.

STEP 2

Locate a filter you want to reset.

STEP 3

Do one of the following:


Click the Reset icon for a filter.
Select the Edit > Reset All Filters menu item.
Click Reset All.

Performance Protection
Performance Protection is a pillar of filter types that allow key applications to have prioritized access to
bandwidth. These filters ensure mission critical applications have adequate performance during times
of high congestion. These filters include misuse and abuse and traffic management filters.


Traffic management filters allow users to define policies with specific actions. Performance Protection
profiles include the following types:
Misuse and Abuse Filters - Category of filters that allow you to manage policy around nonproductive
or potentially illegal applications. Initially this includes peer-to-peer management, where the user
may apply block or shape actions across the category or on an individual basis.
Traffic Management Filters - Category of filters that permit, rate limit or block traffic based on
header-level information such as source and destination addresses, ports, protocols, and (if
applicable) on ICMP type/code.

Misuse and Abuse Filters


Peer-to-peer protocols are primarily used to share music and video files, and essentially turn a
personal computer into a file server, making its resources, as well as those of its host network,
available to the peer-to-peer community. Peer-to-peer applications like Kazaa, Gnutella, Limewire,
Bearshare, iMesh, and WinMX can take up a significant amount of bandwidth. UnityOne Misuse and
Abuse filters allow you to permit or shield traffic associated with these kinds of file-sharing
protocols. Using these filters, you can effectively limit or block this type of traffic by setting
policies and quotas by client, server, IP address, or application.
All peer-to-peer filters are user-activated and must be enabled to block peer-to-peer traffic.


You can view Misuse and Abuse filters loaded on your IPS. The following is the Filters - Misuse and
Abuse Filters Main List page:
Figure 3 - 29: Filters - Misuse and Abuse Filters Main List Page


These filters have the following settings:


Table 3 - 14: Filters - Misuse and Abuse Filters Main List

Column        Definition
Filter Name   Name of the filter
Segment       The segment the filter is assigned to
Control       The category settings for the filter
Action        Action set assigned to the filter. If the filter is disabled, it displays Disabled.
State         Indicates the filter's state:
              Enabled - Displays Enabled if the filter is enabled and running
              Disabled - Displays an empty value if the filter is disabled. To enable, edit the filter.
              System Disabled - Displays System Disabled if a filter is system disabled. The LSM
              disables a filter if the adaptive filter settings are triggered. See TSE Adaptive
              Filter Configuration on page 161.
Functions     Icon representing functions to manage filters

Note: Misuse and Abuse filters can only use blocking action sets: block, block +
notify, and block + notify + trace. The permit action sets are not available for
Misuse and Abuse filters.
The Filters - Misuse and Abuse Filters Main List page includes the following options:

Viewing Filters
Searching Filters
Deleting Filters
Edit a Misuse and Abuse Filter
Performance Protection Settings

Edit a Misuse and Abuse Filter


STEP 1

On the Filters page, select the Open > Performance Protection > Misuse and Abuse
menu item. The Filters - Misuse and Abuse Main List page displays.

STEP 2

Do one of the following:


Select the Edit icon for a filter.
Click the filter name link.
The Filters - Misuse and Abuse Filters Details/Edit page displays.

Figure 3 - 30: Filters - Misuse and Abuse Filters Details/Edit Page

STEP 3

In the Action/State section, select Use Category Settings or Override. If you select Override to use a different action set for the filter, do the following:
STEP A

Select the Override radio button in the Parameters section.

STEP B

Check the Enabled check box.

STEP C

Choose an Action from the drop-down list.


STEP 4

Optionally, you can set adaptive filter settings for flow control. In the Adaptive Config State
section, select one of the following:
Use adaptive configuration settings - Applies the global adaptive filter settings
Do not apply adaptive configuration settings to this filter - Removes any global
adaptive filter settings for this filter

STEP 5

Optionally, you can add exceptions to the filter. The IP addresses you enter will not have the
filter applied. In the Exceptions section, do the following:

STEP A

Enter the Source Address.

STEP B

Enter the Destination Address.

STEP C

Click add to the table below.

STEP 6

Click Save.

Traffic Management Filters


Traffic Management filters react to traffic based on a limited set of parameters including the source IP
address, destination IP address, port, protocol, or other defined values. These filters are specific to
segments, while attack filters can be applied to segments or to your entire UnityOne system.
As an example, you might define the following IP filters for your web servers in a lab that denies access
to external users:
Block traffic if the source is on an external subnet that arrives through port 80 and is destined for the
IP address of your web server.
Block traffic if the source is your web server, the source port is 80, and the destination is any external
subnet.
The scope of these policies can include any or all of the following:
IP Based - Enables you to define a single IP or CIDR to block, monitor (collect statistics), or shape
traffic
Protocol Based - Enables you to select from a list of predefined protocols to block, monitor or shape
traffic. These protocols include ICMP, UDP, TCP, and Other.
In general, more specific filters should come first. For example, a more specific IP filter might block
traffic with fully qualified source and destination IP addresses and ports. More general ones, like those
that apply to subnets, should follow.
Note: This can be a complex task. Some resources that might help you with this
process include Building Internet Firewalls, by D. Brent Chapman and
Elizabeth D. Zwicky, O'Reilly & Associates, 1995, and Firewalls and Internet
Security, by William R. Cheswick and Steven M. Bellovin, Addison-Wesley
Publishing Company, 1994.
Packets that match allow or rate-limit IP filters are inspected for other types of filters. In other
words, the system does not allow attacks through because the packet matched an allow IP filter.


As an example, consider the following IP filters:

Table 3 - 15: IP Filter Settings

Source Address   Destination Address   Protocol   Source Port   Destination Port   Action
any              any                   UDP        any           53                 Allow
any              any                   UDP        any           any                Block
any              any                   ICMP       any           any                20 Mbps rate-limit
any              1.2.3.4               TCP        any           80                 Allow
any              any                   TCP        any           80                 Block

These filters perform the following:


Block all UDP traffic except DNS requests. DNS requests are inspected for attacks.
Limit all ICMP traffic to 20Mbps
Block all HTTP traffic except for server 1.2.3.4
For E-Series devices, you can also set the filters to trust traffic. Trusted filters instruct the IPS not to
inspect the traffic.
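A first-match evaluator for the Table 3 - 15 rules, as an added example (not TippingPoint code). It shows the three outcomes the table produces, that an Allow or rate-limit still hands the packet on to attack inspection, and what goes wrong when the general UDP Block row is placed ahead of the specific DNS Allow row. Top-to-bottom first-match ordering, the sample packets and the class names are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class IPFilter:
    """One row of a Traffic Management filter table."""
    src: str
    dst: str
    proto: str          # IP (any protocol), ICMP, TCP or UDP
    sport: str          # port number or "any"
    dport: str
    action: str         # Allow, Block or a rate-limit description


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


# The five rows of Table 3 - 15, in the order shown there.
TABLE_3_15 = [
    IPFilter("any", "any", "UDP", "any", "53", "Allow"),
    IPFilter("any", "any", "UDP", "any", "any", "Block"),
    IPFilter("any", "any", "ICMP", "any", "any", "20 Mbps rate-limit"),
    IPFilter("any", "1.2.3.4", "TCP", "any", "80", "Allow"),
    IPFilter("any", "any", "TCP", "any", "80", "Block"),
]


def _addr_matches(pattern: str, addr: str) -> bool:
    """Addresses may be a single IP, a CIDR block, 'any' or '*' (see the Create procedure below)."""
    if pattern in ("any", "*"):
        return True
    return ip_address(addr) in ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: Optional[int]) -> bool:
    return pattern == "any" or (port is not None and int(pattern) == port)


def first_match(filters: List[IPFilter], pkt: Packet) -> Optional[IPFilter]:
    """Rows are evaluated top to bottom; the first row whose every field matches decides."""
    for f in filters:
        if f.proto != "IP" and f.proto != pkt.proto:
            continue
        if (_addr_matches(f.src, pkt.src) and _addr_matches(f.dst, pkt.dst)
                and _port_matches(f.sport, pkt.sport) and _port_matches(f.dport, pkt.dport)):
            return f
    return None


def disposition(filters: List[IPFilter], pkt: Packet) -> str:
    """What happens to the packet. Allowed and rate-limited traffic still goes on to attack inspection."""
    f = first_match(filters, pkt)
    if f is None:
        return "no match: normal inspection"
    if f.action == "Block":
        return "Block"
    return f"{f.action}, then inspected by attack filters"


def sample_results() -> List[str]:
    """Constructed traffic run through Table 3 - 15, then the DNS request through a misordered copy."""
    packets = [
        Packet("192.0.2.10", "198.51.100.5", "UDP", 5353, 53),   # DNS request
        Packet("192.0.2.10", "198.51.100.5", "UDP", 5353, 123),  # NTP
        Packet("192.0.2.10", "198.51.100.5", "ICMP"),
        Packet("192.0.2.10", "1.2.3.4", "TCP", 40000, 80),        # HTTP to the permitted server
        Packet("192.0.2.10", "5.6.7.8", "TCP", 40000, 80),        # HTTP to any other server
        Packet("192.0.2.10", "5.6.7.8", "TCP", 40000, 443),       # HTTPS: no row matches
    ]
    results = [disposition(TABLE_3_15, p) for p in packets]
    # Put the general UDP Block ahead of the specific DNS Allow: the DNS request is now blocked,
    # which is why the guide says more specific filters should come first.
    misordered = [TABLE_3_15[1], TABLE_3_15[0]] + TABLE_3_15[2:]
    results.append(disposition(misordered, packets[0]))
    return results


if __name__ == "__main__":
    for line in sample_results():
        print(line)
```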
You can create and manage these filters on the Filters - Traffic Management Filters Main List page.
Note: When you create a Traffic Management filter, you do not need to copy the
filter first and modify it. You can create an entirely new filter. See Create a Traffic
Management Filter on page 91.
Tip: To rate shape traffic for bi-directionality, you must create
two filters: one for A -> B and one for B->A.

The following is the Filters - Traffic Management Filters Main List page:
Figure 3 - 31: Filters - Traffic Management Filters Main List Page


These filters have the following settings:


Table 3 - 16: Traffic Management Filters Main List

Column                Definition
Filter Name           Name of the filter
Segment               The segment the filter is assigned to
Action                Action set assigned to the filter. If the filter is disabled, it displays Disabled.
Protocol              The protocol the filter checks for: IP, ICMP, TCP, or UDP
Source Address        The source IP address
Source Port           The source IP port
Destination Address   The destination IP address
Destination Port      The destination IP port
State                 Indicates if the filter is enabled or disabled
Functions             Icon representing functions to manage filters

The Filters - Traffic Management Filters Main List page includes the following options:

Viewing Filters
Searching Filters
Deleting Filters
Create a Traffic Management Filter
Edit a Traffic Management Filter
Note: You can create Traffic Management filters with the same name as existing
filters, and in the same profile. The LSM gives each filter a unique ID, using that
ID as reference in the system.


Create a Traffic Management Filter


STEP 1

On the Filters page, select the Open > Performance Protection > Traffic
Management menu item. The Filters - Traffic Management Filters Main List page
displays.

STEP 2

Do one of the following:


Click Create.
Select the Edit > Create Traffic Management Filter menu item.
The Filters - Traffic Management Filters Create page displays.

Figure 3 - 32: Filters - Traffic Management Filters Create Page

STEP 3

Enter the Filter Name.

STEP 4

In the Filter Parameters section, select the parameters for the filter:

STEP A

Select either Block or Rate Limit (and a data flow rate) for the Action.

STEP B

Select the Segment that this IP filter will protect from the drop-down list.

STEP C

Click the radio button to select the Direction of the traffic being filtered (port A to B
or B to A).

STEP D

Select Trusted for trusted traffic. This traffic will not be inspected by the IPS.

STEP 5

Select the Protocol this filter checks for from the drop-down list: IP, ICMP, TCP, or UDP.


STEP 6

Enter the source information: the IP Address and Port (if applicable).

STEP 7

Enter the destination information: the IP Address and destination Port (if applicable).
Note: Source and Destination IP Addresses can be entered in CIDR format, as
any, or as *.

STEP 8

Enter the ICMP information: the ICMP Type (if applicable, 0-255) and the ICMP Code (if
applicable, 0-255).

STEP 9

Click Create.

Edit a Traffic Management Filter


STEP 1

On the Filters page, select the Open > Performance Protection > Traffic
Management menu item. The Filters - Traffic Management Filters Main List page
displays.

STEP 2

Click the Edit icon of the filter you want to edit. The Traffic Management Filters Detail/Edit
page displays.

STEP 3

Modify the Traffic Management Filter Name.

STEP 4

Modify the parameters for the filter:


STEP A

Select either Block or Rate Limit (and a data flow rate) for the Action.

STEP B

Select the Segment that this IP filter will protect from the drop-down list.

STEP C

Click the radio button to select the Direction of the traffic being filtered (port A to B
or B to A)

STEP 5

Select the Protocol this filter checks for from the drop-down list: IP, ICMP, TCP, or UDP.

STEP 6

Modify the source information: the IP Address and Port (if applicable).

STEP 7

Modify the destination information: the IP Address and destination Port (if applicable).
Note: Source and Destination IP Addresses can be entered in CIDR format, as
any or as *.

STEP 8

Modify the ICMP information: the ICMP Type (if applicable) and the ICMP Code (if applicable).

STEP 9

Click Save.

Performance Protection Settings


Through the Misuse and Abuse Settings page, you can create and manage Inclusion settings for
limiting filters to a specific set of IP addresses. These settings apply to all Performance Protection
filters. Through the Filters - Performance Protection Filters Settings page, you can create, edit, and
delete these limitations.
Segmental assignment applies the exception or restriction to a specified segment rather than to the
entire device. If you select the All Segments option, the setting affects the traffic of all segments on a
device.
When setting segmental Limit rules (apply-only rules), the limit restricts filters only to apply to the
specified segment. For devices with multiple segments, the configured Limit restricts filters to scan
and manage traffic through the specified segment without affecting the other segments on the device.
For example, setting a Limit rule to segment 1, with a listed source and destination IP address, applies
Application and Infrastructure Protection filters only against segment 1 when the IP address
conditions are met. To have the filter affect all traffic, you can configure a Limit rule with wildcard
characters through the CLI using the following command:
conf t performance-settings perf-limit add * * -segment 1

The following is the Filters - Performance Protection Filters Settings page:


Figure 3 - 33: Filters - Performance Protection Filters Settings Page

You can do the following:


Limit a Performance Protection Filter to Specific IP Addresses
Delete a Performance Protection Setting
CAUTION: The UnityOne system has specified limits for performance regarding the
number of exceptions and limit filters for Application Settings. You should not create more
than 50 Limit Filters (apply only rules).
Tip: When you create a filter exception, the filter displays a green shield icon in
the functions column of the filters page.


Limit a Performance Protection Filter to Specific IP Addresses


CAUTION: The UnityOne system has specified limits for performance regarding the
number of exceptions and limit filters for Application Settings. You should not exceed the
following:
Create no more than 50 Limit Filters (apply only rules)
STEP 1

On the Filters page, select the Open > Performance Protection > Application
Settings menu item. The Filters - Misuse and Abuse Filters Settings page displays.

STEP 2

In the Limit Filters to the following IP addresses section, do the following:


STEP A

Enter the Source Address.

STEP B

Enter the Destination Address.

STEP C

Select a Segment. Segmental assignment applies the exception or restriction to a
specified segment rather than to the entire device. If you select the All Segments
option, the setting affects the traffic of all segments on a device.

Note: Source and Destination IP Addresses can be entered in CIDR format, as
any or as *.

STEP 3

Click add to table below. The IP address appears in the address table.

STEP 4

Click Apply.

Delete a Performance Protection Setting


STEP 1

On the Filters page, select the Open > Performance Protection > Application
Settings menu item. The Filters - Performance Protection Filters Settings page displays.

STEP 2

In the Limit Filters to the following IP addresses section, click the Delete icon next to the
IP address that you want to remove from the table.

STEP 3

Click Apply.

Category Settings
Category Settings enable you to change, enable, and disable global action settings for filter categories.
These categories can be set for the system at large or customized according to segment. You can use
these abilities to manage many filters at once, rather than manipulating each filter one-by-one.
Each filter category is assigned a default action set. Category Settings enables you to change the
category action set for each filter category. The available actions differ between the pillar types of
filters. Each filter category has a default state that initially enables or disables all filters of that
category type.


When you override the category settings for a particular filter, you edit the specific filter rather than the
category. However, when you disable a filter category, all filters of that category are disabled regardless
of overridden settings.
Note: If you wish to override the category action for a particular filter, you must
also override the filter's state and either enable or disable the filter individually.
However, if the category setting is enabled, the filter may still display as enabled.
See Enable a Single Filter (Override Category Control) on page 98 for more
information.
You can modify category settings globally or per segment. By default, active filters apply to all
segments on your IPS device. These are modified in the Global Category Settings table. A segmental
attack filter applies to a particular segment on the IPS you select. You might create a segmental attack
filter that has a different action set from the global filter if you want one segment to respond differently
from the rest of the system. These are added and modified in the Segment Category Settings table.
Note: The state of a filter may indicate the filter is enabled even if it is disabled
for a particular segment and enabled for others. If you set the category to be
globally enabled yet disable a filter in that category for a segment, the filter
continues to display as enabled. See Enabling Filters on page 98 and Disabling
Filters on page 99.
The Filters - Category Settings page consists of two sections. The first section details the Global
Category Settings Table, as follows:
Figure 3 - 34: Filters - Category Settings Page - Global Category Settings Table


The second section details the Segmental Category Settings Table, as follows:
Figure 3 - 35: Filters - Category Settings Page - Segmental Category Settings Table

You can set global category settings for filters across all segments or for specific segments. As you enter
settings in the Global Category Settings Table according to segment, the values display with the
appropriate segment in the Segmental Category Settings Table. You can edit or delete these settings
from the Segmental Category Settings Table as needed.
Add a Global Category Setting


STEP 1

On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.

STEP 2

For each filter category in the Global Category Settings Table, select a global action from
the drop-down menu.


For Application Protection filters, these actions include the following:
Attack Protection: all available action sets and Recommended
Reconnaissance: all available action sets and Recommended
Security Policy: all available action sets and Recommended
Informational: all available action sets and Recommended
For Infrastructure Protection filters, these actions include the following:
Network Equipment: all available action sets and Recommended
Traffic Normalization: Block and Block + Notify
For Performance Protection filters, these actions include the following:
Misuse and Abuse: all available action sets and Recommended, except sets with permit actions
STEP 3

Check the Enabled box above the Category you want to enable.

STEP 4

Select a Segment: All Segments or a specific segment.

STEP 5

Click add to table below. The settings display in the Segmental Category Settings Table.
Note: Repeat the process of action and segment configuration as needed (steps 2
through 5).

STEP 6

Click Apply. A confirmation message displays.

STEP 7

Click OK.

Edit a Segmental Category Setting


STEP 1

On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.

STEP 2

In the Segmental Category Settings Table, modify the Application Protection, Infrastructure
Protection, and Performance Protection category settings. You can enable a category by choosing
an action from the drop-down menu for that filter category and checking its Enabled box, or
disable a category by clearing its Enabled box.

STEP 3

From the Segment drop-down menu, select the segment for which you want to create the
category setting.

STEP 4

Click Apply. A confirmation message displays informing you the change may take some time
to enact.

STEP 5

Click OK.


Delete a Segmental Category Setting


STEP 1

On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.

STEP 2

In the Segmental Category Settings Table, click the Delete icon next to the segmental category setting you want to delete.

STEP 3

Click Apply. A confirmation message displays informing you the change may take some time
to enact.

STEP 4

Click OK.

Enabling Filters
You can enable filters either on a category basis or on an individual basis. When you enable a filter
category, you enable all of the filters in that category. These enabled filters use the global actions selected
when the filter category is enabled.
You can also override the enabled setting on a particular filter. You may want a filter to enact a
set of actions that differs from the global actions for the filter's category. To override the global
settings, you directly enable a different set of actions on the filter itself.
Note: When you enable a category of filters through the Category Settings page,
you only enable filters that have not been specifically set to override category
control. Overridden filters retain their own action settings.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.

Enable a Filter Category


STEP 1

On the Filters page, select the Open > Category Settings menu item. The Filters Category Settings page displays.

STEP 2

Check the Enabled box above each Category Action that you want to enable.

STEP 3

Click Apply. A confirmation message displays informing you the change may take some time
to enact.

STEP 4

Click OK.

Enable a Single Filter (Override Category Control)


STEP 1

On the Filters page, browse to or search for a particular filter.

STEP 2

Click the Edit icon next to the filter you want to override. The edit page for the filter displays.

STEP 3

Select the Override radio button in the Parameters section.


STEP 4

Check the Enabled check box.

STEP 5

Choose an Action from the drop-down list.

STEP 6

Click Save.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.

Disabling Filters
The IPS comes loaded with a comprehensive set of filters. You may not need all of these filters running
at all times. Through the LSM, you can disable all filters of a specific category. In instances when you
want to keep a few filters running of a specific category, you can override specific filters to be disabled.
You can disable filters either on a category basis or on an individual basis. When you disable a filter
category, you disable all filters in that category regardless of any overridden settings. When you disable
an overridden filter, you disable only that filter.
For example, a filter that protects a particular type of web server against attack may not be necessary if
you do not have that type of web server installed. You could disable that filter by overriding its
settings.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.

Disable a Filter Category


STEP 1

On the Filters page, select the Open > Category Settings menu item. The Category
Settings page displays.

STEP 2

Uncheck the Enabled box for each Category Action that you want to disable.

STEP 3

Click Apply. A confirmation message displays informing you the change may take some time
to enact.

STEP 4

Click OK.

Disable a Single Attack Filter (Override Category Control)


STEP 1

On the Filters page, browse to or search for a particular filter.

STEP 2

Click the Edit icon next to the filter you want to edit. The edit page for the filter displays.

STEP 3

Select the Use Category Settings radio button in the Parameters section. The filter changes
to use the global settings for the filter category.


STEP 4

Click Save.
Note: If the category setting is enabled and you disable the filter for a particular
segment, the filter may still display as enabled.
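The precedence rules in the Category Settings, Enabling Filters and Disabling Filters sections above (a disabled category wins over any override; an overridden filter otherwise keeps its own state and action; a segmental category setting replaces the global one on that segment; the filter list shows a summary state that can differ from the per-segment result) are easier to check against a small model. The following is an added example written for this guide, not LSM code. The category, segment and filter names are constructed sample values, and the displayed_enabled rule is an assumption that reproduces the notes above rather than a documented LSM algorithm.

```python
"""Model of how a filter's effective state and action set are resolved on a
given segment, from the precedence rules stated in this section. Added example,
not LSM code; category, segment and filter names are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CategorySetting:
    enabled: bool      # the Enabled box in a Category Settings table
    action_set: str    # the global or segmental category action


@dataclass
class Filter:
    name: str
    category: str
    override: bool = False             # Override vs Use Category Settings radio button
    enabled: bool = False              # only meaningful when override is True
    action_set: Optional[str] = None   # only meaningful when override is True


class CategoryPolicy:
    """Global Category Settings plus optional Segmental Category Settings."""

    def __init__(self) -> None:
        self.global_settings: Dict[str, CategorySetting] = {}
        self.segment_settings: Dict[Tuple[str, str], CategorySetting] = {}

    def set_global(self, category: str, enabled: bool, action_set: str) -> None:
        self.global_settings[category] = CategorySetting(enabled, action_set)

    def set_segment(self, segment: str, category: str, enabled: bool,
                    action_set: str) -> None:
        # A segmental setting replaces the global one for that segment only.
        self.segment_settings[(segment, category)] = CategorySetting(enabled, action_set)

    def category_for(self, category: str, segment: str) -> CategorySetting:
        return self.segment_settings.get((segment, category),
                                         self.global_settings[category])

    def effective(self, flt: Filter, segment: str) -> Tuple[bool, Optional[str]]:
        """(enabled, action set) that actually applies to `flt` on `segment`."""
        cat = self.category_for(flt.category, segment)
        if not cat.enabled:
            # A disabled category disables every filter in it, overrides included.
            return (False, None)
        if flt.override:
            # An overridden filter keeps its own state and action set.
            return (flt.enabled, flt.action_set if flt.enabled else None)
        # Filters using category settings follow the category action set.
        return (True, cat.action_set)

    def displayed_enabled(self, flt: Filter) -> bool:
        """The summary state shown in the filter list. Assumption: it is derived
        from the global setting only, which reproduces the note that a filter
        disabled on one segment may still display as enabled."""
        cat = self.global_settings[flt.category]
        return cat.enabled and (flt.enabled if flt.override else True)


def sample_policy() -> Tuple[CategoryPolicy, Dict[str, Filter]]:
    """Constructed sample: Attack Protection is enabled globally but disabled on
    segment 1A; Informational is disabled globally."""
    policy = CategoryPolicy()
    policy.set_global("Attack Protection", True, "Block + Notify")
    policy.set_segment("1A", "Attack Protection", False, "Block + Notify")
    policy.set_global("Informational", False, "Permit + Notify")
    filters = {
        "uses_category": Filter("Sample filter A", "Attack Protection"),
        "override_on": Filter("Sample filter B", "Attack Protection",
                              override=True, enabled=True, action_set="Permit + Notify"),
        "override_off": Filter("Sample filter C", "Attack Protection",
                               override=True, enabled=False),
        "in_disabled_cat": Filter("Sample filter D", "Informational",
                                  override=True, enabled=True, action_set="Permit + Notify"),
    }
    return policy, filters


if __name__ == "__main__":
    policy, filters = sample_policy()
    for key, flt in filters.items():
        for seg in ("1A", "2A"):
            print(key, seg, policy.effective(flt, seg),
                  "displayed:", policy.displayed_enabled(flt))
```

Running the sample shows "Sample filter A" displayed as enabled while effective() reports it disabled on segment 1A; when auditing what a segment actually enforces, query the per-segment result rather than the list view.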

Action Sets
Action Sets determine what the IPS does when a packet triggers a filter. An action set can contain more
than one action, and can contain more than one type of action. The types of action that can be
specified include the following:
Flow Control: determines where a packet is sent after it is inspected. A permit action allows a
packet to reach its intended destination. A block action discards a packet. A rate limit action enables
you to define a maximum bandwidth.
Packet Trace: allows you to capture all or part of a suspicious packet for analysis. You can set the
packet trace priority and packet trace verbosity for action sets.
    Priority: sets the relative importance of the information captured. Low priority items will be
    discarded before medium priority items if there is a resource shortage.
    Verbosity: determines how much of a suspicious packet will be logged for analysis. If you
    choose full verbosity, the whole packet will be recorded. If you choose partial verbosity, you can
    choose how many bytes of the packet (from 64 to 1600 bytes) the packet trace log records.
Notification Contacts: indicate the contacts to notify about the event. These contacts can be
systems, individuals, or groups.
Note: If you are going to create a new action set that includes an alert action, you
should view the notification contacts to see what contacts are currently defined
first. If you are going to create a notification contact for the action set, you must
do so before you create an action set. See Notification Contacts on page 106 for
more information.
Action sets include the following types of actions:
Table 3 - 17: Available Actions

Action Name, followed by its Description:

Block (+TCP Reset) (+Blacklist)
    Blocks a packet from being transferred to the network. TCP Reset is an option for
    resetting blocked TCP flows. Blacklist is an option that blocks traffic based on IP
    address when the filter triggers, adding it to a list of blocked IPs.

Block + Notify (+TCP Reset) (+Blacklist)
    Blocks a packet from being transferred and notifies all selected contacts of the
    blocked packet. TCP Reset is an option for resetting blocked TCP flows. Blacklist is
    an option that blocks traffic based on IP address when the filter triggers, adding it
    to a list of blocked IPs.

Block + Notify + Trace (+TCP Reset) (+Blacklist)
    Blocks a packet from being transferred, notifies all selected contacts of the
    blocked packet, and logs all information about the packet according to the packet
    trace settings. TCP Reset is an option for resetting blocked TCP flows. Blacklist is
    an option that blocks traffic based on IP address when the filter triggers, adding it
    to a list of blocked IPs.

Permit + Notify
    Permits a packet and notifies all selected contacts of the packet.

Permit + Notify + Trace
    Permits a packet, notifies all selected contacts of the packet, and logs all
    information about the packet according to the packet trace settings.

Recommended
    Provides the recommended action settings according to the filter. These settings
    may set different action settings per filter in a category of filters. For example,
    if you set an entire category of filters to Recommended, some filters may be
    disabled while others are enabled with varying actions to take.

Note: Misuse and Abuse filters cannot use permit actions.

You can also add the TCP reset option to Block action sets. This option enables the device to reset
blocked TCP flows. You can set the option to reset the source or destination IP. The TCP Reset can also
affect both sides of the connection, source and destination.
Note: You should use the TCP reset option when you experience issues with
certain mail clients and servers on email related filters. Globally enabling this
option may negatively impact your system performance.
The Blacklist option, available with Block actions, blocks packets based on the IP addresses in the
packet that triggers the filter. This allows you to block all traffic from the host that launched the attack
instead of just the one flow from that host.
When a filter with a Blacklist option triggers, the system installs two blocks: one for the flow (as is
normally done with Block actions) and another for the blacklisted IP address. You can review and flush
the blocked flows in LSM on the Configure TSE Connection Table (Blocked Streams) page and
the blacklisted IP addresses on the Configure TSE Connection Table (Blacklisted Streams).
In addition to installing the two blocks, the system enacts any further actions based on the action set,
such as notifications. If the filter action set is set to specific segment, the IP address is blocked only to
that segment and not the entire IPS.
Blacklisted IP addresses remain in effect for 3 minutes or until flushed. Blocked flows remain in effect
for 1800 seconds or until flushed. See TSE Blacklisted Streams on page 170.
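The two blocks described above, their different lifetimes (1800 seconds for the flow, 3 minutes for the blacklisted address), segment scoping, and the effect of a flush are modelled in the following added example. It is written for this guide and is not TippingPoint code; the addresses, ports and timestamps are constructed sample values, and the assumption that a blacklisted address matches a packet as either endpoint is labelled in the code.

```python
"""Model of the two blocks the TSE installs when a Block action set with the
Blacklist option triggers, with the expiry times stated in the guide. Added
example, not TippingPoint code; addresses and ports are constructed samples."""
from typing import Dict, Optional, Tuple

FLOW_BLOCK_TTL = 1800   # seconds a blocked flow stays in the connection table (guide)
BLACKLIST_TTL = 180     # 3 minutes a blacklisted IP stays in effect (guide)

# A flow is identified by its 5-tuple: src, sport, dst, dport, protocol.
Flow = Tuple[str, int, str, int, str]


class ConnectionTable:
    """Blocked Streams and Blacklisted Streams with expiry and flush."""

    def __init__(self) -> None:
        # (segment, flow) -> expiry timestamp; segment "all" means device-wide
        self.blocked_flows: Dict[Tuple[str, Flow], float] = {}
        # (segment, ip) -> expiry timestamp
        self.blacklisted: Dict[Tuple[str, str], float] = {}

    def trigger(self, flow: Flow, now: float, segment: str = "all",
                blacklist: Optional[str] = None) -> None:
        """Apply a Block action set to `flow`. `blacklist` is None, "source" or
        "destination", the Blacklist choice of the action set."""
        self.blocked_flows[(segment, flow)] = now + FLOW_BLOCK_TTL
        if blacklist == "source":
            self.blacklisted[(segment, flow[0])] = now + BLACKLIST_TTL
        elif blacklist == "destination":
            self.blacklisted[(segment, flow[2])] = now + BLACKLIST_TTL

    def expire(self, now: float) -> None:
        self.blocked_flows = {k: t for k, t in self.blocked_flows.items() if t > now}
        self.blacklisted = {k: t for k, t in self.blacklisted.items() if t > now}

    def flush_blacklist(self) -> None:      # flush on the Blacklisted Streams page
        self.blacklisted.clear()

    def flush_blocked_flows(self) -> None:  # flush on the Blocked Streams page
        self.blocked_flows.clear()

    def verdict(self, flow: Flow, now: float, segment: str) -> Optional[str]:
        """Why a packet of `flow` seen on `segment` is dropped ("blacklist" or
        "flow"), or None if it passes. Assumption: a blacklisted address matches
        as either endpoint of the packet."""
        self.expire(now)
        for scope in ("all", segment):
            if (scope, flow[0]) in self.blacklisted or (scope, flow[2]) in self.blacklisted:
                return "blacklist"
            if (scope, flow) in self.blocked_flows:
                return "flow"
        return None


if __name__ == "__main__":
    table = ConnectionTable()
    attack = ("203.0.113.7", 40000, "192.0.2.10", 80, "tcp")     # constructed
    other = ("203.0.113.7", 40001, "192.0.2.11", 443, "tcp")     # same host, new flow
    table.trigger(attack, now=0, blacklist="source")
    for t in (10, 181, 1801):
        print(t, "attack flow:", table.verdict(attack, t, "1A"),
              "other flow:", table.verdict(other, t, "1A"))
```

Note the window this creates: once the blacklist entry expires after 3 minutes, a new flow from the same host is passed again unless another filter triggers, while the original flow stays blocked for the full 1800 seconds.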


The following is the Filters - Actions Main List page:


Figure 3 - 36: Filters - Actions Main List Page

The Filters - Actions Details/Edit page displays the following information:

Table 3 - 18: Action Set Characteristics

Column          Description
Action Set      The name of the action set
Action(s)       The settings for the actions included in the action set
TCP Reset       The option to reset a TCP connection, used with Block action sets
Blacklist       The option to block on IP for a triggered filter, used with Block action sets
Packet Trace    Whether or not packet tracing is enabled
Contact(s)      Where alerts will be sent if notification is enabled
Functions       Contains icons that allow you to perform filter operations. These icons are
                shown in the table entitled Functions Icons
You can sort the action set listings by characteristics. There is a link at the top of each column on the
Actions - Main List page. Click on the link of the column by which you would like to sort. For example,
to sort by the packet trace setting, click the (Packet Trace) link at the head of the column. Only the
items in that list are sorted; if you are displaying items 1-50, then 1-50 are sorted.

Rate Limiting
A rate limiting action set defines a maximum bandwidth that can be used by traffic that matches filters
assigned to that action set. Incoming traffic in excess of this bandwidth is dropped. If two or more
filters use the same rate limiting action set, then all packets matching these filters share the bandwidth.
For example, if filters 164 (ICMP Echo Request) and 161 (ICMP Redirect Undefined Code) use the
same 10 Mbps action set, then both Echo Requests and Redirect Undefined Codes filters share the
10 Mbps pipe as opposed to each filter getting a dedicated 10Mbps pipe.


The supported rates are subject to restrictions according to the device model. Any of the listed rates
can be used as long as it does not exceed 25 percent of the total bandwidth of the product.
The following table details the models and their supported rates.
Table 4: Rate Limit Rates per Model

IPS Model 50
    Supported rates (Kbps): 50, 100, 150, 200, 300, 400, 500, 600, 700, 900
    Supported rates (Mbps): 1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40

IPS Model 100E
    Supported rates (Kbps): 50, 100, 150, 200, 300, 400, 500, 600, 700, 900
    Supported rates (Mbps): 1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83

IPS Model 200
    Supported rates (Kbps): 100, 150, 200, 300, 400, 500, 600, 700, 900
    Supported rates (Mbps): 1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83

IPS Model 400
    Supported rates (Kbps): 200, 300, 400, 500, 600, 700, 900
    Supported rates (Mbps): 1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200

IPS Model 1200
    Supported rates (Kbps): 700, 800, 900
    Supported rates (Mbps): 1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200, 250, 320, 500

IPS Model 2400
    Supported rates (Kbps): --
    Supported rates (Mbps): 1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200, 250, 320, 500, 1000

IPS Model 5000E
    Supported rates (Kbps): --
    Supported rates (Mbps): 1, 1.5, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 20, 25, 30, 35, 40, 50, 62, 83, 125, 200, 250, 320, 500, 1000

Note: The rates are not implemented exactly according to rate; higher rates are
less precise. For example, on a 5000E device, the observed rate on a 125 Mbps
limiter will be closer to 130 Mbps.
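The sharing behaviour described under Rate Limiting (two filters assigned the same 10 Mbps action set share one pipe rather than getting 10 Mbps each) can be seen in a short simulation. The following is an added example written for this guide, not TippingPoint code and not a description of how the TSE implements rate limiting; it uses a simple token bucket whose burst size and offered traffic pattern are constructed assumptions, and only the filter numbers and the 10 Mbps figure come from the text.

```python
"""Simulation of a rate limiting action set shared by two filters, as in the
guide's example of filters 164 and 161 sharing one 10 Mbps pipe. Added example,
not TippingPoint code; the token-bucket burst size and the offered traffic
pattern are constructed assumptions."""
from typing import Dict


class TokenBucket:
    """Tokens are bits, refilled continuously at the configured rate."""

    def __init__(self, rate_mbps: float, burst_ms: float = 10.0) -> None:
        self.rate_bps = rate_mbps * 1_000_000
        self.capacity = self.rate_bps * burst_ms / 1000.0   # assumption: 10 ms of burst
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, now: float, size_bytes: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False   # traffic in excess of the bandwidth is dropped


def simulate(shared: bool, rate_mbps: float = 10.0, seconds: float = 1.0,
             packet_bytes: int = 1500, interval_s: float = 0.001) -> Dict[str, int]:
    """Offer one packet per interval from each filter (12 Mbps each, constructed)
    and return the bits each filter got through. shared=True assigns both filters
    the same rate limiting action set; False gives each filter its own."""
    filters = ("164 ICMP Echo Request", "161 ICMP Redirect Undefined Code")
    if shared:
        one = TokenBucket(rate_mbps)
        buckets = {f: one for f in filters}
    else:
        buckets = {f: TokenBucket(rate_mbps) for f in filters}
    passed = {f: 0 for f in filters}
    for k in range(int(seconds / interval_s)):
        now = k * interval_s
        for f in filters:
            if buckets[f].allow(now, packet_bytes):
                passed[f] += packet_bytes * 8
    return passed


def total_mbps(passed: Dict[str, int], seconds: float = 1.0) -> float:
    return sum(passed.values()) / seconds / 1_000_000


if __name__ == "__main__":
    for shared in (True, False):
        result = simulate(shared)
        print("shared" if shared else "dedicated", result,
              "total %.2f Mbps" % total_mbps(result))
```

With both filters offered 12 Mbps, the shared action set passes about 10 Mbps in total, while two separate action sets at the same rate pass about 20 Mbps. If a single noisy filter must not starve another, give it its own action set.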


Create an Action Set


STEP 1

On the Filters page, select the Open > Action Sets menu item. The Filters - Actions Main
List displays.

STEP 2

Do one of the following:
Click Create.
Select the Edit > Create Action Set menu item.
The Filters - Actions Create page displays:

Figure 3 - 1: Filters - Actions Create Page

STEP 3

Enter an Action Set Name for the new action set.

STEP 4

For Actions, select a flow control action setting:
Permit: Allows traffic
Rate Limit: Limits the speed of traffic. Select a Rate.
Block: Does not permit traffic
TCP Reset: Used with the Block action, resets the source, destination, or both IPs of an
attack. This option resets blocked TCP flows.
Blacklist: Used with the Block action, blocks an IP (source or destination) that triggers
the filter.

STEP 5


Optionally, click the Packet Trace checkbox:


STEP A

Select the priority from the drop-down list: low, medium, or high.

STEP B

Select the verbosity from the drop-down list. If you choose partial verbosity, choose
how many bytes of the packet to capture (between 64-1600).

STEP 6

Choose one or more Contacts by checking the box next to the appropriate Contact Name. If
there are no contacts displayed, you must Create a Notification Contact first.

STEP 7

Click Create.


Edit an Action Set


STEP 1

On the Filters page, select the Open > Action Sets menu item. The Filters - Actions Main
List displays.

STEP 2

Click the Edit icon next to an action set you want to edit. The Filters - Actions Details/Edit
page displays.

Figure 3 - 2: Filters - Actions Details/Edit

STEP 3

Enter an Action Set Name for the new action set.

STEP 4

For Actions, modify the flow control action setting:
Permit: Allows traffic
Rate Limit: Limits the speed of traffic. Select a Rate.
Block: Does not permit traffic
TCP Reset: Used with the Block action, resets the source, destination, or both IPs of an
attack. This option resets blocked TCP flows.
Blacklist: Used with the Block action, blocks an IP (source or destination) that triggers
the filter.

STEP 5

Optionally, click the Packet Trace checkbox:


STEP A

Select the priority from the drop-down list: low, medium, or high.

STEP B

Select the verbosity from the drop-down list. If you choose partial verbosity, choose
how many bytes of the packet to capture (between 64-1600).

STEP 6

Choose one or more Contacts by checking the box next to the appropriate Contact Name. If
there are no contacts displayed, you must Create a Notification Contact first.

STEP 7

Click Save.


Notification Contacts
Alerts are messages that are sent to a specific recipient (either human or machine) when traffic flowing
through the IPS triggers a filter that requires notification. Alert Aggregation determines how
frequently alerts for the same filter will be sent. These alerts are sent to notification contacts set for
action sets.
When you create or edit an action set, you have the option to inform interested parties or contacts about
matching traffic. Contacts include the management console, which encompasses both the SMS and
LSM, email addresses, and the remote syslog. The management console is a predefined contact. All
email contacts must be added to your system.
To use email contacts, you must enter all server and domain configuration settings on the
Configuration page for the IPS device. See Chapter 5 Configure. For all contacts, you must specify an
aggregation period. The aggregation period is the amount of time that the system accrues information
about attack traffic before it sends a notification. For example, an operator may want to be notified
about all UDP flood commands that have occurred within a five-minute period.
Note: The UnityOne limits the number of email alerts sent in a minute. This
feature supplements the currently used aggregation functionality in the UnityOne.
The system by default allows the sending of ten (10) email alerts per minute. On
the first email alert, a 1 minute timer starts, counting the number of email alerts to
send according to the configured limit. Email alerts beyond the limit in a minute
are blocked. After one minute, the system resumes sending email alerts. If any
email alerts were blocked during that minute, the system logs a message to the
system log as follows:
The first time a particular filter is triggered, a notification is sent to the filter contacts. At the same
time, the aggregation timer starts counting down the aggregation period. During the aggregation
period, the system counts other matching packets, but no notification is sent. At the end of the
aggregation period, a notification, including the packet count, is sent. The timer and the counter are
reset, and continue to cycle as long as matching packets continue to arrive.
A remote syslog server is another channel that you can use to report filter triggers. Remote syslog sends
filter alerts to a syslog server on your network. If you intend to use Action Sets that include the Notify
Remote Syslog option, you must create an entry for the devices to use. The system uses collectors for
the settings. Collectors are specified by the required settings for the IP address and port, including
options for a delimiter and facility numbers for alert messages, block messages, and misuse/abuse
messages. The settings for the facilities are optional. Valid delimiters include horizontal tab, comma
(,), semicolon (;), and bar (|). For more information on the message and log format, see Create a
Notification Contact.
CAUTION: Only use remote syslog on a secure, trusted network. Remote syslog, in
adherence to RFC 3164, sends clear text log messages using the UDP protocol. It does not
offer any additional security protections. Therefore, you should not use remote syslog
unless you can be sure that syslog messages will not be intercepted, altered, or spoofed by
a third party.
Tip: For more information about syslog, consult the syslog server documentation
that came with your operating system or syslog software.
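On the receiving side, the separate facility numbers for alert, block and misuse/abuse messages are what let a collector sort the three message types apart: RFC 3164 carries the facility in the PRI field at the start of each message (PRI = facility * 8 + severity). The following is an added example for this guide, not TippingPoint code: it encodes and parses the PRI, splits a delimited body, and routes each record by facility. The collector settings, field layout, severity value and sample lines are constructed; the guide does not document the body format. Note that the LSM drop-down offers facilities 0 to 31 while RFC 3164 defines facilities 0 to 23, so this parser accepts only PRI values up to 191.

```python
"""Encode and parse the RFC 3164 PRI field and a delimited message body, and
route records by the alert/block/misuse facility numbers of a collector.
Added example, not TippingPoint code; collector settings, field layout and
sample lines are constructed."""
import re
from typing import Dict, List, Optional

SEVERITY_NOTICE = 5   # RFC 3164 severity 5 "notice"; constructed choice

# Constructed collector settings mirroring the LSM fields (IP, port, delimiter,
# alert/block/misuse facilities). 16-18 are local0-local2.
COLLECTOR = {"ip": "192.0.2.50", "port": 514, "delimiter": "|",
             "alert_facility": 16, "block_facility": 17, "misuse_facility": 18}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d$")


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_line(facility: int, fields: List[str], delimiter: str,
               timestamp: str = "Mar  5 12:00:00", host: str = "ips-1") -> str:
    """Constructed layout: <PRI>TIMESTAMP HOST field<delim>field..."""
    return (f"<{encode_pri(facility, SEVERITY_NOTICE)}>{timestamp} {host} "
            + delimiter.join(fields))


def parse_line(line: str, delimiter: str) -> Optional[Dict[str, object]]:
    """Return facility, severity, timestamp, host and the delimited fields,
    or None if the line is not a well-formed RFC 3164 message."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # largest valid PRI: 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)
    rest = m.group(2)
    timestamp = rest[:15]              # "Mmm dd hh:mm:ss" is always 15 characters
    if not TIMESTAMP_RE.match(timestamp) or rest[15:16] != " ":
        return None
    parts = rest[16:].split(" ", 1)
    if len(parts) != 2:
        return None
    host, body = parts
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": host, "fields": body.split(delimiter)}


def route(facility: int, collector: Dict[str, object] = COLLECTOR) -> Optional[str]:
    for kind in ("alert", "block", "misuse"):
        if collector[f"{kind}_facility"] == facility:
            return kind
    return None


def ingest(lines: List[str],
           collector: Dict[str, object] = COLLECTOR) -> Dict[str, List[List[str]]]:
    """Sort received lines into per-type queues; unparseable lines are kept
    separately so a malformed or spoofed message is visible, not dropped."""
    queues: Dict[str, List[List[str]]] = {"alert": [], "block": [], "misuse": [], "unknown": []}
    for line in lines:
        rec = parse_line(line, str(collector["delimiter"]))
        if rec is None:
            queues["unknown"].append([line])
            continue
        queues[route(int(rec["facility"]), collector) or "unknown"].append(rec["fields"])
    return queues


# Constructed sample traffic: one message of each type plus one malformed line.
SAMPLE_LINES = [
    build_line(16, ["alert", "Sample filter", "203.0.113.7", "192.0.2.10"], "|"),
    build_line(17, ["block", "Sample filter", "203.0.113.7", "192.0.2.10"], "|"),
    build_line(18, ["misuse", "Sample P2P filter", "192.0.2.20", "198.51.100.9"], "|"),
    "not a syslog line",
]

if __name__ == "__main__":
    for kind, records in ingest(SAMPLE_LINES).items():
        print(kind, records)
```

Because the transport is clear-text UDP, a collector should also restrict accepted senders to the IPS management address at the network or host firewall; the parser above can validate format but cannot authenticate the source.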

Alert Aggregation
Because a single packet can trigger an alert, attacks featuring large numbers of packets could
potentially flood the alert mechanism. Alert aggregation enables you to receive alert notification at
intervals to prevent this flooding.
For example, if you set the aggregation period to five minutes, you will receive an email at the first
trigger of a filter, and then subsequent alerts will be collected and then sent every five minutes.

Aggregation Period
Alert notification is controlled by the aggregation period that you configure when you Create a
Notification Contact. The aggregation period is the amount of time that the LSM accrues alerts before
it sends a notification. The first time a particular filter is triggered, a notification is sent to the alert
contact target. At the same time, the aggregation timer starts ticking down the aggregation period.
During the aggregation period, further packet triggers are counted, but no notification is sent. At the
end of the aggregation period, a second notification, including the packet count, is sent. The timer and
the counter are reset, and will continue to cycle as long as the filter in question is active.
CAUTION: Short aggregation periods can significantly affect system performance. The
shorter the aggregation period, the higher the system load. In the event of a flood attack, a
short aggregation period can lead to system performance problems.
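The aggregation cycle described under Notification Contacts and Aggregation Period (immediate notification on the first trigger, counting during the period, a notification with the count at the end, then reset) and the per-minute email cap from the note above are modelled in the following added example. It is written for this guide and is not TippingPoint code; the trigger times are constructed, the guide does not give the text of the system-log message so a constructed wording is used, and the choice to send the end-of-period notification only when packets were counted is an assumption labelled in the code.

```python
"""Model of per-contact alert aggregation and of the per-minute email alert cap
described in the guide. Added example, not TippingPoint code; trigger times and
the system-log wording are constructed."""
from typing import Dict, List, Optional, Tuple

# ("first" | "summary", filter name, packet count)
Notification = Tuple[str, str, int]


class AlertAggregator:
    """One aggregation timer and packet counter per filter, for one contact."""

    def __init__(self, period_s: int) -> None:
        self.period = period_s
        self.windows: Dict[str, List[float]] = {}   # filter -> [window_end, count]

    def tick(self, now: float) -> List[Notification]:
        """Close windows whose aggregation period has elapsed. Assumption: the
        end-of-period notification is sent only when packets were counted."""
        out: List[Notification] = []
        for name in list(self.windows):
            end, count = self.windows[name]
            if now >= end:
                if count:
                    out.append(("summary", name, int(count)))
                del self.windows[name]
        return out

    def trigger(self, name: str, now: float) -> List[Notification]:
        out = self.tick(now)
        if name not in self.windows:
            # First trigger: notify immediately and start the aggregation timer.
            self.windows[name] = [now + self.period, 0]
            out.append(("first", name, 1))
        else:
            # Inside the period: count the packet, send nothing.
            self.windows[name][1] += 1
        return out


class EmailRateLimiter:
    """At most `limit` email alerts per one-minute window (default 10)."""

    def __init__(self, limit: int = 10, window_s: int = 60) -> None:
        self.limit, self.window = limit, window_s
        self.window_start: Optional[float] = None
        self.sent = 0
        self.blocked = 0
        self.system_log: List[str] = []

    def tick(self, now: float) -> None:
        if self.window_start is not None and now - self.window_start >= self.window:
            if self.blocked:
                # Constructed wording; the guide only states that a message is logged.
                self.system_log.append(
                    f"{self.blocked} email alert(s) suppressed by the per-minute limit")
            self.window_start, self.sent, self.blocked = None, 0, 0

    def try_send(self, now: float) -> bool:
        self.tick(now)
        if self.window_start is None:
            self.window_start = now          # first email alert starts the 1-minute timer
        if self.sent < self.limit:
            self.sent += 1
            return True
        self.blocked += 1                    # beyond the limit: blocked for this minute
        return False


if __name__ == "__main__":
    agg = AlertAggregator(period_s=300)      # a five-minute aggregation period
    for t in (0, 10, 20):
        print("trigger at", t, agg.trigger("Sample UDP flood filter", t))
    print("tick at 300", agg.tick(300))
    limiter = EmailRateLimiter()
    print("sent", sum(limiter.try_send(float(i)) for i in range(12)), "of 12")
    print("at 60s:", limiter.try_send(60.0), limiter.system_log)
```

The two mechanisms compound: a short aggregation period produces more first-trigger and summary emails, and once more than ten fall in one minute the excess is silently dropped apart from the system-log entry, so a flood can hide later alerts.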


Setting Preferences
The notification feature uses default email preferences to pre-fill email contact settings. When you first
set up your IPS, you must define the default email settings for email alerts. Once you define the default
from address, domain name, and SMTP server address, the IPS uses this information for all email
alerts it generates. You can only change the sender information (from) using Set Email Preferences.
You can change the recipient email address (to) when you create or edit a notification contact.

Set Email Preferences


STEP 1

On the Filters page, select the Open > Filters - Notification Contacts menu item. The
Notification Contacts Details/Edit page displays.

STEP 2

Select the Edit > Preferences menu item. The Filters - Contacts Preferences page displays.

STEP 3

Enter the Default To Email Address, such as bob@TippingPoint.com.

STEP 4

Enter the From Email Address.

STEP 5

Enter the From Domain Name, such as TippingPoint.com.

STEP 6

Enter the SMTP Server IP Address.

STEP 7

Click Save.
Note: You must be sure that the IPS can reach the SMTP server that will be
handling the email notifications. You may have to Add a Network Route on
page 148 so that the IPS can communicate with the SMTP server.

Create a Notification Contact


Note: To create a contact, you must create the preferences for the contact. These
preferences include the parameters for the SMTP server for sending the
notifications. See Set Email Preferences on page 108 for more information.
To edit the contact information for the management application, server, or syslog,
see Edit a Notification Contact on page 109.


STEP 1

On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.

STEP 2

Click the Create button or select the Edit > Create Contact menu item.

STEP 3

Enter the Contact Name.

STEP 4

Enter the To Email Address.

STEP 5

Enter the Aggregation Period. Longer aggregation periods improve system performance.

STEP 6

Click the Save button to save the changes.


STEP 7

Optionally, click the Test Email button. If you click the button, the IPS attempts to send an
email message, using the server defined in the default email settings, to the email contact you
are creating.
Note: If the email fails to send properly, check for the following possible causes:
1. Is the default email alert sink configured? See Set Email Preferences on page 108.
2. The email server must be reachable from the IPS. In the CLI, use the PING command
to see if you can reach the email server IP.
3. The email server may not allow mail relaying. Make sure you use an account/domain
that the email server accepts.

STEP 8

Click the Create button.

Edit a Notification Contact


STEP 1

On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.

STEP 2

Click the Edit icon for the entry you want to edit. The appropriate edit page displays.

STEP 3

Edit the contact information according to the entry:


STEP A

For SMS (SNMP), enter the name and aggregation period.

STEP B

For the Remote System Log (SYSLOG), see Create a Notification Contact on
page 108.

STEP C

For the Management Console (MGMT), enter the name and aggregation period.

STEP D

For the LSM (ALERT), enter the name and aggregation period.

STEP 4

For email contacts only, click the Test Email button. If you click the Test Email button, the IPS
will attempt to send an email to the email contact you are editing.

STEP 5

Click Save. A confirmation message displays.

STEP 6

Click OK.


Configure the Remote System Log Contact


STEP 1

On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.

STEP 2

Click the Edit icon next to the Remote System Log entry. It has the type of SYSLOG.

Figure 3 - 3: Notification Contacts - Remote System Log

STEP 3

Edit the IP Address and Port of the host that receives Remote System Log messages.
Tip: Be sure that your IPS can reach the remote system log server on your
network. If the remote system log server is on a different subnet than the IPS
management port you may have to Add a Network Route on page 148.

STEP 4

Select an Alert Facility from the drop-down menu: none or select from a range of 0 to 31.

STEP 5

Select a Block Facility from the drop-down menu: none or select from a range of 0 to 31.

STEP 6

Select a Misuse and Abuse Facility from the drop-down menu: none or select from a range
of 0 to 31.

STEP 7

Select a Delimiter for the generated logs: tab, comma, semicolon, or bar.

STEP 8

Click add to table below to add the remote syslog server.

STEP 9

Click Save.
Note: Designating a remote system log server does not automatically send attack
and shield notifications to that server. You must select the Remote System Log
contact for action sets. After you apply these changes, active filters associated
with the modified action set will send remote messages to the designated server.


Configure the SMS Contact


STEP 1

On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.

STEP 2

Click the Edit icon next to the SMS entry. It has the type of SNMP.

STEP 3

Edit the Contact Name. By default, it is SMS.

STEP 4

Enter the Aggregation Period for notification messages. This setting is measured by minutes.

STEP 5

Click Save.

Configure the Management Console Contact


STEP 1

On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.

STEP 2

Click the Edit icon next to the Management Console entry. It has the type of MGMT.

STEP 3

Edit the Contact Name. By default, it is Management Console.

STEP 4

Enter the Aggregation Period for notification messages. This setting is measured by minutes.

STEP 5

Click Save.

Configure the LSM Contact


STEP 1

On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.

STEP 2

Click the Edit icon next to the LSM entry. It has the type of ALERT.

STEP 3

Edit the Contact Name. By default, it is LSM.

STEP 4

Enter the Aggregation Period for notification messages. This setting is measured by minutes.

STEP 5

Click Save.

Delete a Notification Contact


Note: You can only delete notification contacts you created, such as an individual
or group email. You cannot delete the default entries such as SMS, Remote
System Log, Management Console, or LSM.
STEP 1

On the Filters page, select the Open > Notification Contacts menu item. The Filters Notification Contacts Details/Edit page displays.

STEP 2

Click the Delete icon for the notification contact you would like to delete. A confirmation dialog message displays.

STEP 3

Click OK.


Logs
Logs describes the several logs and reports that you can view using the LSM. In this section, you
will review the information presented in the logs and how to manage the logs. Only users with
Super-user access may view all of the logs available.

Overview
The logging features of the LSM provide you with the ability to review the attacks received by the IPS
device. Through the logs and report options, you can better understand and review the amount of
packets received and attacks blocked or managed by the device. When you access the LSM, the Logs
page displays. This page clearly and quickly provides an overview of all attacks received by the system.
The information includes an optional visual graph of the attacks by severity in relation to the total
number of attacks, links to reports for the logs, and provides links to further reports to better
investigate the system and network.
Logs covers the following topics:
• LSM Logs on page 114
• Managing Logs and Reports on page 121
• More Reports on page 126
The Logs page enables you to view log messages, sorted by the time and date they were recorded.
These messages indicate the status that IPS components report about themselves, or messages from
the UnityOne about components that do not respond to periodic polling. Many reports are available to
provide a timely update to any and all levels of the IPS operational behavior.
The Attacks by Severity graph displays at the top of the page. You can enable or disable an animation
option for the graph. This graph displays a graphical representation of attacks against the current total
of logged attacks. This total includes only the attacks compiled between resets of the system total.
When viewing a log, you can click Log Index from the Open menu to return to this page.

LSM Users Guide V 2.1

113

Logs Page
When you access the LSM, it displays the Logs Main List by default. The following is the Logs page:
Figure 4 - 1: Logs Page

You can do the following on this page:
• Review and manage log information
• Review graphical reports on the system
• Download and print reports and logs
• Search logs for specific information

LSM Logs
The LSM documents triggered filters and actions in various logs. These logs compile information
about your IPS device according to set category and action sets. When you access the LSM, the Logs
page displays. The Logs page provides the following logs:
• Alert Log on page 115
• Block Log on page 116
• Misuse & Abuse Log on page 117
• System Log on page 118
• Audit Log on page 119
• Packet Trace Log on page 120

The LSM also provides various graphical reports on the system and network traffic. See More
Reports on page 126 for more information.
When you view the log, the user listed for the logged events may include SMS, LSM, and CLI. These
entries are entered by those applications into the audit log, as a Super-User level of access.

Alert Log
The Alert log contains information about network traffic that triggers filters associated with alert
actions; that is, filters whose action set notifies a contact when the filter is triggered. Any user
can view the log, but only administrator and super-user level users can print the log. Alert log entries
include the following information:
Table 4 - 1: Alert Log Information
Column            Description
Log ID            A system assigned Log ID number
Date/Time         A date and time stamp in the format year-month-date hour:minute:second
Severity          Indicates the severity of the triggered filter. Possible values include: Critical, Major,
                  Minor, and Low
Filter Name       The name of the filter that was triggered
Protocol          The name of the protocol that the action affects
Segment           The segment where the alert occurred
Source Address    The source address of the triggering traffic
Dest Address      The destination address of the triggering traffic
Packet Trace      Details if a packet trace is available
Hit Count         Details how many packets have been detected

You can do the following from this page:
• Viewing Logs and Reports on page 122
• Downloading Log Files on page 122
• Printing Log Files on page 124
• Resetting Log Files on page 125
• Searching Log Files on page 125

You can also download the audit log.

LSM Users Guide V 2.1

115

Block Log
The Block log contains information about packets that have triggered a filter with both block and alert
actions specified. The Block Log entries include the following information:
Table 4 - 2: Block Log Information
Column            Description
Log ID            A system assigned Log ID number
Date/Time         A date and time stamp in the format year-month-date hour:minute:second
Severity          Indicates the severity of the triggered filter. Possible values include: Critical, Major,
                  Minor, and Low
Filter Name       The name of the filter that was triggered
Protocol          The name of the protocol that the action affects
Segment           The segment where the alert occurred
Source Address    The source address of the triggering traffic
Dest Address      The destination address of the triggering traffic
Packet Trace      Details if a packet trace is available
Hit Count         Details how many packets have been detected

You can do the following from this page:
• Viewing Logs and Reports on page 122
• Downloading Log Files on page 122
• Printing Log Files on page 124
• Resetting Log Files on page 125
• Searching Log Files on page 125

Misuse & Abuse Log

The Misuse & Abuse log contains information about packets that have triggered a Misuse and Abuse
filter with both block and alert actions specified. The Misuse & Abuse Log entries include the following
information:
Table 4 - 3: Misuse & Abuse Log Information
Column            Description
Log ID            A system assigned Log ID number
Date/Time         A date and time stamp in the format year-month-date hour:minute:second
Severity          Indicates the severity of the triggered filter. Possible values include: Critical, Major,
                  Minor, and Low
Filter Name       The name of the filter that was triggered
Protocol          The name of the protocol that the action affects
Segment           The segment where the alert occurred
Source Address    The source address of the triggering traffic
Dest Address      The destination address of the triggering traffic
Packet Trace      Details if a packet trace is available
Hit Count         Details how many packets have been detected

You can do the following from this page:
• Viewing Logs and Reports on page 122
• Printing Log Files on page 124
• Resetting Log Files on page 125

System Log
The system log contains information about the software processes that control the UnityOne device,
including startup routines, run levels, and maintenance routines. System log entries can provide useful
troubleshooting information if you encounter problems with your UnityOne device.
Note: Any access level user can view and print the system log, but only
Administrator and Super-user level users can reset the system log.

Note: For information on adaptive aggregation messages, see TSE Adaptive
Filter Configuration on page 161.

Each system log entry contains the following information:
Table 4 - 4: System Log
Column            Description
Log ID            A system assigned Log ID number
Log Entry Time    A date and time stamp in the format year-month-date hour:minute:second
Severity Level    The severity level of a message indicates whether the log entry is simply informational
                  (INFO) or whether it indicates an error condition (ERR or CRIT)
Component         The component is an abbreviation that indicates which software component sent the
                  message to the log
Message           The message is the text of the log entry

You can do the following from this page:
• Viewing Logs and Reports on page 122
• Printing Log Files on page 124
• Resetting Log Files on page 125


Audit Log
The audit log keeps track of IPS user activity that may have security implications. This activity
includes user attempts (successful and unsuccessful) to do the following:
• Change user information
• Change IPS configuration
• Gain access to controlled areas (including the audit log)
• Update system software and attack protection filter packages
• Change discovery scan scheduling
• Change discovery host data
• Change filter settings
Note: Only Super-user level users can view, print, reset, and download the audit
log. When you view the log, the user listed for the logged events may include
SMS, LSM, and CLI. These entries are entered by those applications into the audit
log, as a Super-User level of access.

Audit log entries include the following information:
Table 4 - 5: Audit Log
Column           Description
Log ID           A system assigned Log ID number
Date and Time    A date and time stamp in the format year-month-date hour:minute:second
Username         The login name of the user performing the action
Access Level     The access level of the user performing the action
IP Address       The IP address from which the user connected to perform the action
Interface        The interface with which the user logged in (either WEB for the LSM or CLI for the
                 Command Line Interface)
Component        The area in which the user performed an action (LOGIN, LOGOUT and Launch Bar Tabs)
Result           The action performed or the result of a LOGIN or LOGOUT attempt
Action           The action performed as a result. For example, Log Files Reset.

You can do the following from this page:
• Viewing Logs and Reports on page 122
• Printing Log Files on page 124
• Resetting Log Files on page 125

Packet Trace Log

A packet trace contains all or part of a packet that triggers a filter. Packet traces can be used to analyze
attack sources and methods. If you select the packet trace action when you Create an Action Set, the
filters that use this action set will store packet information in the packet trace log. You can download
the packet trace.
Note: TCPDUMP format can be viewed using a TCPDUMP utility.

The packet trace log uses the same Log Rotation as the other logs. It is a good idea to periodically reset
the log to increase download performance.
Note: When you reset the log, any packet trace records in the log buffer will be
discarded.

During a graceful shutdown, as during an update or reboot command in the CLI, Packet Trace data
may not be automatically flushed to disk. To guarantee Packet Trace data is flushed to disk, do the
following:
• Click on any Packet Trace icon in the alert or block logs
• Click on the Packet Trace (TCPDUMP) icon
You can do the following from this page:
• Downloading Log Files on page 122
• Resetting Log Files on page 125


Managing Logs and Reports

Through the Logs page, you can perform general functions on compiled information. The LSM
compiles logs and reports of data for the following:
• Alert log: Logs network traffic, including messages and information sent from triggered filters
• Block log: Logs an entry for every packet or attack traffic blocked by a filter
• System log: Logs information about the performance and running of the system. This log is useful
  for tracking hardware or device issues.
• Audit log: Logs IPS user activity
• Packet trace log: Logs a specific amount of data from a packet when a filter with the proper
  settings is triggered. The number of bytes captured depends on the packet trace setting for a filter's
  action set. See Action Sets on page 100.
• Misuse & abuse log: Logs information about packets that triggered a Misuse and Abuse filter
• Other reports: Provides a variety of views for compiled information
The Logs page provides icons next to each entry displaying the available functions.
Table 4 - 6: Functions Icons
Function      Description
View          Click the View icon to review the compiled contents of the log or report. A page
              displays providing the entries compiled and reported for each log.
Download      Click the Download icon to download an electronic copy of the log or report.
              When you click the icon, a download query page displays allowing you to refine
              the parameters for the log or report to be downloaded.
Search        Click the Search icon to search for an entry in the log or report. The Logs page
              displays a search page according to the selected log or report.
Reset         Use the Reset icon to clear a log of all current entries. The log will then begin
              compiling new information.

You can do the following:
• Viewing Logs and Reports on page 122
• Downloading Log Files on page 122
• Printing Log Files on page 124
• Resetting Log Files on page 125
• Searching Log Files on page 125

Viewing Logs and Reports

Every log and report on the main Logs page can be viewed if it has the View icon. When you click this
icon, a page displays with entries captured between resets of the log.
The log view includes the following information:
Table 4 - 7: Log View Information
Column            Description
Log ID            A system assigned Log ID number
Date/Time         A date and time stamp in the format year-month-date hour:minute:second
Severity          Indicates the severity of the triggered filter. Possible values include: Critical, Major,
                  Minor, and Low
Filter Name       The name of the filter that was triggered
Protocol          The name of the protocol that the action affects
Segment           The segment where the alert occurred
Source Address    The source address of the triggering traffic
Dest Address      The destination address of the triggering traffic
Packet Trace      Details if a packet trace is available
Hit Count         Details how many packets have been detected

View Logs and Reports

STEP 1

On the Logs page, locate a log you want to view.

STEP 2

Click the View icon next to the log. A log view page displays.

STEP 3

You can browse and review the log entries. You can also review the filter that triggered the log.

Downloading Log Files

When you download log files, you enter a set of criteria for compiling and saving log entries. Log
messages are stored in a series of log files that are rotated to improve system performance and
download time.
Note: If you attempt to view a downloaded log with Notepad, log messages will
not be displayed properly. The logs are downloaded in tab-delimited format with a
line feed character terminating each line. This varies from a Windows line
termination, which uses both carriage return and line feed characters to terminate
a line. Use WordPad or a spreadsheet application to view downloaded log files on
a Windows workstation.

You can compile log entries using the following criteria:
• Log Type: The type of log you want to download.
• Log Entry: You can define parameters for the download to refine the entries included:
  All: Downloads all entries.
  Current: Downloads the current entries.
  Time Range: Range of dates and times [optional] for compiling entries.
  ID Range: Range of ID numbers for logged entries.
• File Format Options: You can save the file to a comma delimited file (CSV) or view it in Microsoft
  Internet Explorer (version 6 or later).

Download a Log File
STEP 1

On the Logs page, locate a log you want to download.

STEP 2

Click the Download icon next to the log or report you want to download. The download query
page displays.
Note: If there are not any entries in the log, the download link will be disabled, or
grayed out.

STEP 3

Select a Log Type: Alert Log, Audit Log, Block Log, Peer-to-Peer Log, or System Log.

STEP 4

For Log Entry, enter the following information:
• Select All to download all entries.
  OR
• Select Current to download all current entries.
  OR
• Enter a Time Range, including the date [required] in YYYY-MM-DD format and time
  [optional] in HH:MM:SS format.
  OR
• Enter an ID Range for entries in the From and To fields.

STEP 5

For Options, check the boxes for file format options: Comma delimited format (csv) or
Open in Internet Explorer.

STEP 6

Click Download.


Log Rotation
IPS logs are stored on a rotating basis. By default, each type of log has two files: the current file and the
previous file. The IPS uses a volume threshold to limit the size of each log file (4 MB). When the current
log reaches the volume threshold, it is deactivated, and a new log is started as the current log.
Whenever the current log reaches the volume threshold, it is rotated into storage, and a new log is
started as the current log.
Note: When you view logs from the LSM, you review all log entries from both of
the log files. The only time you need to consider log rotation is when you are
downloading a log file.
You can also reset the log file for each type of log. When you reset the log, you clear the current log of all
compiled entries.
For Packet Trace logs, the amount of raw data stored depends on the device model. See the following:
• UnityOne-50:
  Default # of files = 2
  Max # of files = 10
  Default size of each file = 5 MB
• Other UnityOne devices:
  Default # of files = 10
  Max # of files = 100
  Default size of each file = 10 MB

Printing Log Files

When you view a log file, you can print the log entries in a printer-friendly format. When you print the
log, it loads the results for the browser printer. You can then modify the printer settings for the
printout.
Figure 4 - 2: Printed Log

Note: The information displayed in the log works best when printed in a
landscape, not portrait, format.
Print a Log
STEP 1

On the Logs page, click the name of the log (hyperlink) or click the View icon next to the log
you want to print. The view page for the log displays.

STEP 2

Select the Edit > Print menu item. The browser's print dialog box opens.

STEP 3

Select the print options that you want.

STEP 4

Click Print.

Resetting Log Files


When you reset a log, the LSM starts a new log file beginning with the current date and time. This date
and time are set according to the system time and when you reset the log. Once you have reset a log, you
cannot undo the action.
Reset a Log
STEP 1

On the Logs page, click the Reset icon next to the log you want to reset.

STEP 2

A confirmation message displays, prompting if you want to reset the log.

STEP 3

Click OK.

Searching Log Files

A log can compile a large number of entries. To help locate an entry, you can search the log for specific
entries or groups of entries. You can search for entries according to the following:
• Date Range: You can search all log entries or specify a date range. You can also enter a time range.
• Severity: The severity includes low, minor, major, and critical events. You can select any severity
  you want to search.
• Filter Name: You can search for logged entries based on the filter that triggered them.
• Protocol: You can search by name of the protocol that the action affects.
• Source Address: You can search for a source address of the triggering traffic.
• Destination Address: You can search for a destination address of the triggering traffic.

Search a Log
STEP 1

On the Logs page, click the Search icon next to the log you want to search. The search page
displays.

STEP 2

For the Log Entry Time, choose a search option:
• Choose All to search all log entries.
  OR
• Enter a date range for log entries. You can enter a date and time for the range, using the
  formats Year-Month-Date (YYYY-MM-DD) [required] and hours minutes seconds
  (HH:MM:SS) [optional].

STEP 3

Check the box next to each Severity of the alerts you wish to retrieve [optional].

STEP 4

Enter the Filter Name whose alerts you would like to find [optional].

STEP 5

Enter the name of the Protocol whose alerts you would like to find [optional].

STEP 6

Enter the Source Address for alerts you would like to find [optional].

STEP 7

Enter the Destination Address for the alerts you would like to find [optional].

STEP 8

Choose the # of Results to Display from the drop-down box [optional].

STEP 9

Click Search.
Tip: In Step 4 through Step 7, you can enter the first part of the item you want to search for.
For example, you can enter the first few letters or numbers in a filter name, or the first few
numbers of an IP address.
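As an added example (not part of this guide and not TippingPoint code), the following Python parses a downloaded alert log in the tab-delimited, line-feed-terminated format described under Downloading Log Files and applies the search criteria above, including the prefix matching the Tip describes. The field order (taken from Table 4-1), the three sample entries, and the treatment of a date-only range bound are assumptions, not documented behaviour of the export.

```python
"""Parse a downloaded LSM alert log and apply the Search a Log criteria.

Added example, not TippingPoint code. Assumptions: the export is tab-delimited
with a bare line feed ending each line (per the Downloading Log Files note),
and its fields follow the column order of Table 4-1 (assumed, not documented).
"""
from datetime import datetime, time

COLUMNS = ("log_id", "date_time", "severity", "filter_name", "protocol",
           "segment", "source", "dest", "packet_trace", "hit_count")
SEVERITIES = ("Critical", "Major", "Minor", "Low")

# Constructed sample export (three entries, LF-terminated, no carriage returns).
SAMPLE_LOG = (
    "101\t2005-03-01 08:15:02\tCritical\tExample-Filter-A\tTCP\t1A-1B\t"
    "192.168.10.5\t10.0.0.20\tYes\t3\n"
    "102\t2005-03-01 09:40:17\tMinor\tExample-Filter-B\tUDP\t1A-1B\t"
    "192.168.22.9\t10.0.0.21\tNo\t1\n"
    "103\t2005-03-02 11:02:44\tMajor\tExample-Filter-A\tICMP\t2A-2B\t"
    "172.16.4.8\t10.0.0.20\tNo\t12\n"
)


def parse_alert_log(text):
    """Return one dict per non-empty line of a downloaded alert log.

    A trailing carriage return is stripped, so a file re-saved with Windows
    line endings still parses. A line with the wrong field count raises
    instead of being silently mis-aligned, because the addresses in this log
    are what an investigation acts on.
    """
    entries = []
    for raw in text.split("\n"):
        line = raw.rstrip("\r")
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {line!r}")
        entry = dict(zip(COLUMNS, fields))
        if entry["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {entry['severity']!r} in {line!r}")
        # Timestamp format from Table 4-1: year-month-date hour:minute:second.
        entry["date_time"] = datetime.strptime(entry["date_time"], "%Y-%m-%d %H:%M:%S")
        entry["hit_count"] = int(entry["hit_count"])
        entries.append(entry)
    return entries


def range_bound(date_str, time_str=None, *, end=False):
    """Build one end of the Log Entry Time range: date required, time optional.

    Assumption: when no time is given, the 'from' bound is the start of that
    day and the 'to' bound its last second, so a date-only range is inclusive.
    """
    day = datetime.strptime(date_str, "%Y-%m-%d").date()
    if time_str is None:
        return datetime.combine(day, time(23, 59, 59) if end else time.min)
    return datetime.combine(day, datetime.strptime(time_str, "%H:%M:%S").time())


def search_entries(entries, *, start=None, end=None, severities=None,
                   filter_name="", protocol="", source="", dest="", limit=None):
    """Apply the search page criteria; an empty string matches everything.

    Filter name, protocol and addresses match by prefix, as the Tip describes.
    Caveat: a plain string prefix such as '10.0.0.2' also matches 10.0.0.20
    and 10.0.0.21; include the trailing dot or the full address to narrow it.
    """
    wanted = set(severities) if severities else set(SEVERITIES)
    prefixes = (("filter_name", filter_name), ("protocol", protocol),
                ("source", source), ("dest", dest))
    hits = []
    for e in entries:
        if start is not None and e["date_time"] < start:
            continue
        if end is not None and e["date_time"] > end:
            continue
        if e["severity"] not in wanted:
            continue
        if not all(e[field].startswith(prefix) for field, prefix in prefixes):
            continue
        hits.append(e)
        if limit is not None and len(hits) >= limit:  # "# of Results to Display"
            break
    return hits


if __name__ == "__main__":
    log = parse_alert_log(SAMPLE_LOG)
    day_one = search_entries(log, start=range_bound("2005-03-01"),
                             end=range_bound("2005-03-01", end=True), source="192.168")
    for e in day_one:
        print(e["log_id"], e["severity"], e["filter_name"], e["source"], "->", e["dest"])
```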

More Reports
The More Reports feature provides access to a set of bar graphs that provide detailed information about
the LSM system alert and traffic activity. The feature can be accessed by selecting the More Reports
link from the Logs - Main List pane or selecting options from the Open -> Reports menu. Through a
preferences page, the LSM allows you to modify the color background setting for the graph. The
options provide a custom approach to reviewing data on your system. See Reports Preferences on
page 132.

The More Reports fall into three categories of information:
• Traffic and Filter: Displays the following report types:
  - Top Ten: Displays a bar graph of the top 10 attack filters, a hit counter, and the percentage
    information for each of the filters. This is displayed by clicking the Filters link in the window.
  - Attacks: Displays a bar graph of Alert information; the display can be tailored by the following
    criteria (each is a link in the window):
    By Severity                  Number and percentage of the alerts matching low, minor, major, and
                                 critical severity levels
    By Action                    Number and percentage of total alert packets, invalid, blocked, and
                                 permitted
    By Protocol                  Number and percentage of alerts matching ICMP, UDP, TCP, and IP-Other
    By Port: All                 Number and percentage of alerts by segments/ports
    By Port: Permit              Number and percentage of permits by segments/ports
    By Port: Block               Number and percentage of blocks by segments/ports
    By Port: Misuse and Abuse    Number and percentage of peer-to-peer attacks by segments/ports
  - Traffic Profile: Displays a bar graph of the Traffic Profile information; the display can be
    tailored by the following criteria (each is a link in the window):
    By Transmission Types        Unicast, Broadcast, Multicast, MAC control
    By Protocol                  ICMP, UDP, TCP, IP-Other, ARP, and Ethernet-Other
    By Frame Size                Traffic profile by frame size, by specified byte ranges
    By Port                      Traffic profile by port, includes all segments/ports
• Rate Limit: Displays a bar graph for each user-defined rate limit action set. Each report
  displays the percentage of the rate limit bandwidth used in terms of the last 60 seconds, 60 minutes,
  or 24 hours.
• Traffic Thresholds: Displays a bar graph for each user-defined traffic threshold. The report
  displays incoming traffic for the last period of time (60 seconds, 60 minutes, 24 hours, or 35 days) in
  the units you specified for the filter. You can use the reported information to configure
  traffic thresholds tuned to a specific network configuration. The monitor only option for a Traffic
  Threshold filter sets the system to generate a report without triggering traffic thresholds.
• DDoS: Displays reports for Denial of Service filters and attacks. The report provides an option to
  review rejected and accepted connections or SYNs according to the type of DDoS filter.
Figure 4 - 3: Reports - More Reports Page

View the Top Ten Filters Report

STEP 1

On the Logs page, do one of the following:
• On the Logs Index page, click the More Reports link. This link is located above the Attacks
  by Severity graph.
• On the Open -> Reports menu, click Traffic and Filter.
The Reports page displays.

STEP 2

In the Top Ten section, click the Filters link. The graph updates displaying the top ten filters
triggered on the IPS device.

STEP 3

You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.

View the Attack Reports

STEP 1

On the Logs page, do one of the following:
• On the Logs Index page, click the More Reports link. This link is located above the Attacks
  by Severity graph.
• On the Open -> Reports menu, click Traffic and Filter.
The Reports page displays.

STEP 2

Select the type of attack you want to view results for under Attacks:
• by severity
• by action
• by protocol
• by port: all
• by port: permit
• by port: block
• by port: misuse & abuse
The graph updates displaying the selected information.

STEP 3

You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.

View the Traffic Profile Report

STEP 1

On the Logs page, do one of the following:
• On the Logs Index page, click the More Reports link. This link is located above the Attacks
  by Severity graph.
• On the Open -> Reports menu, click Traffic and Filter.
The Reports page displays.

STEP 2

Select a type of report under Traffic Profile:
• by transmission types
• by protocol
• by frame size
• by port
The graph updates displaying the selected information.

STEP 3

You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.

View the Rate Limit Report

STEP 1

On the Logs page, do one of the following:
• On the Logs Index page, click the More Reports link. This link is located above the Attacks
  by Severity graph. Click Rate Limit.
• On the Open -> Reports menu, click Rate Limit.
The Reports page displays.

STEP 2

Select a report under Rate Limit.

STEP 3

Select a listed Rate Limit.

STEP 4

You can then select the following information for the report:
• Last 24 Hours
• Last 60 minutes
• Last 60 seconds
The LSM generates a report for each user-defined rate limit filter you create or configure.

STEP 5

You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.

View the Traffic Threshold Report

STEP 1

On the Logs page, do one of the following:
• On the Logs Index page, click the More Reports link. This link is located above the Attacks
  by Severity graph. Click Traffic Threshold.
• On the Open -> Reports menu, click Traffic Threshold.
The Reports page displays.

STEP 2

Select a report under Traffic Threshold.

STEP 3

Select a Traffic Threshold filter from the drop-down list.

STEP 4

You can then select the following information for the report:
• Last 35 Days
• Last 24 hours
• Last 60 minutes
• Last 60 seconds
You can use the reported information to configure traffic thresholds tuned to a specific
network configuration. The monitor only option for a Traffic Threshold filter sets the system
to generate a report without triggering traffic thresholds.
Figure 4 - 4: More Reports: Traffic Threshold

STEP 5

You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.

View a DDoS Report

STEP 1

On the Logs page, do one of the following:
• On the Logs Index page, click the More Reports link. This link is located above the Attacks
  by Severity graph. Click DDoS.
• On the Open -> Reports menu, click DDoS.
The Reports page displays.

STEP 2

Select one of the following types of reports:
• CPS Rejected cxns
• CPS Accepted cxns
• Cxn Flood Rejected cxns
• Cxn Flood Accepted cxns
• Rejected SYNs/sec
• Accepted SYNs/sec

STEP 3

You can also view the report for 24 hours. Click the View Chart Data - 24 Hours link.

Reports Preferences
The Logs - Report Preferences page allows you to customize your report graphs. You can change the
color of the chart background by selecting a preset color or entering a color setting. The custom color
setting can create a gradient from one color to another, entered as the start and end colors. Custom
colors are entered as RRGGBB, such as FF0000 for red. See Select a Report Background Color on
page 132 for details.
The following image displays the Logs - Report Preferences page:
Figure 4 - 5: Logs - Report Preferences Page

Select a Report Background Color

STEP 1

On the Logs - More Reports page, click Edit -> Preferences on the drop-down menu. The
Logs - Report Preferences page displays.

STEP 2

To select a preset color, select one of the options called Blue Gradient (default), Red Fire Gradient, Dark Grey Gradient, Green Gradient, or Solid Blue Gradient.

STEP 3

To customize a color scheme, do the following:

STEP A

Enter an RRGGBB value for the starting color in Start Color.

STEP B

Enter an RRGGBB value for the ending color in End Color.

STEP C

Click Test. You can repeat until you are satisfied with the color.

STEP 4

Do one of the following:
• To save the changes, click Save.
• To cancel the changes, click Cancel.
• To reset the color, click Restore Defaults (selects Blue Gradient).


Configure
Configure describes the configuration utilities in the LSM, and how to configure segments and
hardware components using the LSM.

Overview
The Configure page enables you to view and change configuration items for your IPS device. When
you configure the device, you can modify various settings for the segments including management,
routing, time, and Intrinsic Network HA. These segments are part of the Multi-Zone Defense (MZD)
modules that protect the segment and network from malicious traffic and attacks.
You can configure the following settings for segments, ports, and modules:
• Segment information
• Discovery settings to allow discovery scans on ports
• Time zone information
• Command Line Interface, routing, and information for ports
• Non-Standard ports
• Intrinsic and Transparent Network HA for segments
• SMS control for these modules
• NMS settings
• Settings and management for the Threat Suppression Engine (TSE)

Configure includes the following topics:
• Configure Page on page 136
• Segment Configuration on page 137
• Management Port Configuration on page 142
• Routing Options on page 147
• Time Options on page 148
• Network High Availability on page 155
• TSE Configuration on page 159
• Flush blocked and rate limited streams

Configure Page
To view the Configure page, click the Configure tab on the Launch Bar. The Configure - Segment
Config page displays by default:
Figure 5 - 6: Configure Page

You can do the following on this page:
• Modify the settings for the segments, management port, routing options, and time options
• Set the SMS configuration, if applicable
• Modify the Intrinsic Network HA settings
You can access the different types of configuration options by selecting the Open menu. A drop-down
menu displays listing the options for the page. The menu options may change depending on the menu
option you select. The instructions in this chapter indicate when to navigate through the drop-down
menu options.


Segment Configuration
UnityOne IPS Multi-Zone Defense (MZD) modules enable you to protect multiple segments of your
network. Each segment uses two ports on the MZD module: one port that interfaces with the protected
segment and one port that interfaces with the rest of the network. When you configure these ports, you
modify the routing and port options, Intrinsic and Transparent Network HA, and discovery settings.
CAUTION: After you configure a segment on the device, you need to restart the device.
Each port of the segment provides a Restart button. Make sure to click this button after
making changes to ensure proper functioning of the device.
CAUTION: If you use a copper-fiber translator (such as Netgear), you will need to turn off
auto-negotiation on the IPS device before clicking the Restart button. Netgear does not
support auto-negotiation. When the copper cable is pulled, Netgear does not attempt to
auto-negotiate with the device. The device driver will attempt to re-initialize the port
several times before timing out and placing the port in an Out-of-Service mode.
You can view the configuration information for the device segments through the Configure - Segment
Config page:
Figure 5 - 7: Configure - Segment Config Page

This page provides a summary listing of each segment including the following information:
Table 5 - 8: Segment Information
Column           Description
Segment Name     The segment name. By default, the segment name is a combination of the slot number
                 and port pair of the Defense Module that the physical connection is made through
Media            Describes whether the connection is fiber or copper
IP Address /     Shows the IP address and network mask of the segment if they are configured for
Subnet Mask      network discovery
Port             Indicates which port is being referred to by the line speed and hardware columns
Line Speed       Indicates the line speed setting for the port
Hardware         Indicates if the hardware (the physical port) is turned on or off

Segment configuration includes the following:

View Segment Information


Segment INHA
Link-Down Synchronization
Configure a Segment

View Segment Information


STEP 1

Click Configure on the Launch Bar.

STEP 2

The Configure - Segment Config page displays. Segment information displays as default
when you access the configure page.

STEP 3

To locate this information from within the Configure page, select the Open > Segment
Config menu item.

Segment INHA
Segment ports are designated A and B. When you configure a segment, you can assign IP and routing
information for Discovery scans and choose line options for these ports. You can also define the
Intrinsic Network High Availability (INHA) layer-2 fallback option. This determines if the device
permits all traffic or blocks all packet transfers on that segment in the event of a fallback operation.
Note: You should only assign an IP address to a segment if you want discovery
enabled on that segment. For more information on discovery scans, see Chapter 5
Discover.

Additional Gateway and Routing


You only need to assign routing options to a port if you will be running discovery outside of the subnet
on which the discovery IP address is located. If you run discovery on a different subnet, you must be
sure to configure the destination network, gateway, and mask properly or the discovery scan will not
work.

Port Options
Port options enable you to set line options for the segments ports. You can set port options without
enabling discovery. You can set the two ports in the same segment with different settings.
Note: Fiber ports can only be set to 1000 Mbps line speed and full duplex.
Although the port may negotiate different settings, you cannot arbitrarily
downgrade line speed on a fiber Gigabit Ethernet port.


Link-Down Synchronization
Link-Down Synchronization, also called Sympathetic HA, allows you to configure the IPS to force both
ports down on a segment when the device detects a link state of down on one of the ports. When
Link-Down Synchronization is enabled, the IPS monitors the link state for both ports on a segment. If the
link goes down on either port, both ports on the segment are disabled. This functionality propagates
the link state across the IPS. In the case of Router A and Router B, if the link to Router A goes down,
then both ports are disabled, resulting in the link to Router B going down, which Router B
detects. With Link-Down Synchronization, ports respond according to the configured setting. The
settings include the following:
Hub When a port goes down, the partner port is unaffected.
Breaker When a port goes down, the system disables the partner port until both ports are
manually restarted. The breaker option requires manually restarting both ports.
Wire When the port that originally went down comes back up, the system restarts the partner
port (which is the port it disabled).
In addition to the ability to enable Link-Down Synchronization for each segment, you can change the
amount of time after detecting a link is down before forcing both ports down on a segment. The default
is one second. You can configure the setting to any number of seconds in the range of zero to 240.
Once you enable Link-Down Synchronization for a segment, monitoring of that segment begins only
after link up is detected on both ports. When Link-Down Synchronization disables the ports on a
segment, two audit log messages are generated. The first message in the audit log corresponds to the
port with the link down. The second message corresponds to the segment partner. Additionally, an
error message is added to the system log indicating which port was detected with the link down,
activating Link-Down Synchronization for that segment.
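The following is an added example, not code from this guide or from TippingPoint, that models the
Link-Down Synchronization behaviour described above so the three settings can be compared side by
side. The Segment class, the timeout boundary (treated as expired once the link has been down for at
least the timeout), and the audit and system log texts are assumptions made for the example; the rules
(monitoring starts only after both links are up, Hub leaves the partner alone, Breaker needs a manual
restart of both ports, Wire restarts the partner when the original port returns, two audit entries plus
one system log error) follow the text.

```python
# Added example (not TippingPoint code): a model of Link-Down Synchronization (Sympathetic HA).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HUB, BREAKER, WIRE = "hub", "breaker", "wire"


@dataclass
class Port:
    name: str
    link_up: bool = False            # link state reported for the physical port
    enabled: bool = True             # False once link-down synchronization disabled it
    down_since: Optional[float] = None


@dataclass
class Segment:
    name: str
    mode: str = BREAKER
    timeout: float = 1.0             # seconds before forcing the partner down (0-240, default 1)
    ports: Dict[str, Port] = field(default_factory=lambda: {"A": Port("A"), "B": Port("B")})
    monitoring: bool = False         # begins only after link up is seen on both ports
    triggered_by: Optional[str] = None  # port whose link loss disabled its partner
    audit_log: List[str] = field(default_factory=list)
    system_log: List[str] = field(default_factory=list)

    @staticmethod
    def partner(port: str) -> str:
        return "B" if port == "A" else "A"

    def link_up(self, port: str, now: float) -> None:
        p = self.ports[port]
        p.link_up, p.down_since = True, None
        if all(q.link_up for q in self.ports.values()):
            self.monitoring = True
        # Wire: the port that originally went down is back, so restart the partner it disabled.
        if self.mode == WIRE and self.triggered_by == port:
            self.ports[self.partner(port)].enabled = True
            self.triggered_by = None

    def link_down(self, port: str, now: float) -> None:
        p = self.ports[port]
        if p.link_up:
            p.link_up, p.down_since = False, now

    def tick(self, now: float) -> None:
        """Periodic check: once a link has been down for the timeout, take the partner down."""
        if not self.monitoring or self.mode == HUB or self.triggered_by is not None:
            return
        for name, p in self.ports.items():
            # Assumption: reaching the timeout exactly counts as the period having elapsed.
            if p.enabled and not p.link_up and p.down_since is not None \
                    and now - p.down_since >= self.timeout:
                partner = self.partner(name)
                self.ports[partner].enabled = False
                self.triggered_by = name
                # Two audit entries (the down port, then its partner) and one system log error.
                self.audit_log.append(f"segment {self.name} port {name}: link down")
                self.audit_log.append(
                    f"segment {self.name} port {partner}: disabled by link-down synchronization")
                self.system_log.append(
                    f"ERROR segment {self.name}: link down on port {name}, "
                    "link-down synchronization activated")
                return

    def manual_restart(self) -> None:
        """Breaker: the operator restarts both ports."""
        for p in self.ports.values():
            p.enabled = True
        self.triggered_by = None


def simulate(mode: str, timeout: float = 1.0) -> Segment:
    """Bring both links up, lose port A at t=10, check at t=10.5 and t=11, restore A at t=20."""
    seg = Segment("1A", mode=mode, timeout=timeout)
    seg.link_up("A", 0.0)
    seg.link_up("B", 0.0)
    seg.link_down("A", 10.0)
    seg.tick(10.5)      # below the timeout: partner untouched
    seg.tick(11.0)      # timeout reached: partner disabled unless the mode is Hub
    seg.link_up("A", 20.0)
    return seg


if __name__ == "__main__":
    for mode in (HUB, BREAKER, WIRE):
        seg = simulate(mode)
        print(f"{mode:8} port B enabled after A returns: {seg.ports['B'].enabled}, "
              f"audit entries: {len(seg.audit_log)}")
```

Running the module shows Hub leaving port B up with no log entries, Breaker leaving B disabled
until manual_restart() is called, and Wire re-enabling B as soon as A's link returns.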

Configure a Segment
When you configure a segment, including INHA, you complete the following three main steps:
STEP 1

General configuration Segment name and INHA settings

STEP 2

Discovery configuration IP address, subnet mask, routing, discovery-enabled. See Prepare a Segment for Scanning on page 123 for more information.

STEP 3

Port configuration Line speed, duplex, hardware, auto-negotiation


To configure a segment, you select a segment from the Configure - Segment Config page. The
Configure - Segment Details/Edit page displays:
Figure 5 - 8: Configure - Segment Details/Edit Page


Configure a Segment (including INHA)


STEP 1

On the Configure page, click the Segment you want to configure. The Configure - Segment
Details/Edit page displays.

STEP 2

Enter or change the Segment Name.


Note: The characters ` ' ~ ! # $ % ^ & = + | < >/? ; [ { ] } cannot be
used in the Segment Name.

STEP 3

To enable discovery on the ports, see Prepare a Segment for Scanning on page 123.

STEP 4

Specify the Intrinsic Network High Availability (INHA) layer-2 fallback action:
Click the Block All to shield all packet transfer in the event of a fallback.
OR
Click the Permit All to permit all packet transfer in the event of a fallback.

STEP 5

For Link-Down Synchronization, select an option and enter a Timeout Period between 0-240
seconds.
Hub (port goes down, partner port remains up)
Breaker (port goes down, partner taken down, both ports require manual restart)
Wire (port goes down, partner taken down, automatically restarts when the link is reestablished)
When selected, if one interface is down for an amount of time exceeding the timeout period,
both interfaces are managed according to the selected option.

STEP 6

For each port A and B, do the following:


STEP A

To enable Discovery scans, check the Enabled check box for Discovery.
Enter the Dest Network, Gateway, and Mask and click the add to table below
button for each port (A / B) that you want to enable for scanning.

Note: You only need to enter routing options for a port if you are going to run
discovery on a subnet outside of the subnet on which the discovery IP address is
located.
STEP B

Check the Hardware: On check box to make the port active. If you enabled this
option, the Restart button is enabled.

STEP C

Check the Auto Negotiation: On check box to enable auto-negotiation for line
speed.

Note: If Auto Negotiation is on and Line Speed is set to 100 mbps, the port will
negotiate between 10 and 100 mbps. If Line Speed is set to 1000 mbps, the port
negotiates between 10, 100, and 1000 mbps.


STEP D

Select the Line Speed setting from the drop-down menu.

STEP E

Specify the Duplex setting: Full or Half.

STEP F

If enabled, click Restart.

CAUTION: After you configure a segment on the device, you need to restart the device.
Each port of the segment provides a Restart button. Make sure to click this button after
making changes to ensure proper functioning of the device. To restart both ports, click
Restart Both.
STEP 7

Click Save.

If the LSM has errors and refuses to locate the device, check the connections on the IPS device. If you
use a copper-fiber translator (such as Netgear) and it is disconnected or loose, the IPS device driver
will attempt to reinitialize the port several times before timing out and placing the port in an
Out-of-Service mode. Netgear does not support auto-negotiation. When you remove the copper cable or the
cable is loose, Netgear does not attempt to auto-negotiate with the IPS device.
To resolve this issue, do the following:
STEP 1

On the Configure - Segment Details/Edit page, clear the Auto Negotiation: On check box
for each port of the IPS device. The option disables.

STEP 2

Click Restart.
Leave auto-negotiation off. The port should reset.

Management Port Configuration


The Management Port is the fast Ethernet port through which you communicate with your UnityOne
device. When you perform initial setup of your UnityOne device, you assign network and identification
values to the management port. If your network configuration changes, you may need to change one or
more of these values.
Management port configuration includes the following topics:


Management Port Options


Management Port Services
Command Line Interface (CLI)
Web Interface (LSM and SMS)


You can manage the management port settings and reboot the IPS device through the Configure - Management Port page:
Figure 5 - 9: Configure - Management Port Page

Management Port Options


You can change the following items using the Management Port configuration options:
Table 5 - 9: LSM Management Port Configuration Options
Option            Description                                       Valid Input
IP Address        The IP address that you will use to make a        A valid IP address on the network
                  network connection to your UnityOne device.       segment the UnityOne device is
                                                                    attached to, in dotted decimal IP
                                                                    address (255.255.255.255) notation.
Subnet Mask       The network mask in effect on the subnet that     A valid network mask for the network
                  your UnityOne device is attached to.              segment on which your UnityOne
                                                                    device resides, in dotted decimal IP
                                                                    address (255.255.255.255) notation.
Host Name         The host name of your UnityOne. It should be      A valid host name on your network
                  the same host name as the one listed for the      segment, a maximum of 32 characters.
                  UnityOne device's IP address in your network
                  DNS lookup.
Host Location     A description of the location of the UnityOne     A maximum of 32 characters
                  device.                                           describing where the UnityOne
                                                                    device is located.
Default Gateway   The gateway through which the UnityOne device     A network device that contains
                  communicates with external network entities,      routing tables that list the UnityOne
                  and through which external network entities       device and external network entities
                  communicate with the UnityOne device.             as well.
Serial Number     The serial number for your device.
Reboot the IPS


STEP 1

On the Configure page, click Open > General Config > Management Port menu
item. The Configure - Management Port page displays.

STEP 2

Click the Reboot Device button in the upper-right corner of the Configure - Management
Port page.

STEP 3

A confirmation message displays warning you to save all of your work prior to rebooting. Perform any saves prior to the reboot.

STEP 4

Click OK.

During a graceful shutdown, such as an update or reboot (started from the LSM or by a command in the CLI),
Packet Trace data may not be automatically flushed to disk. To guarantee that Packet Trace data is flushed to
disk, do the following:
Click on any Packet Trace icon in the alert or block logs
Click on the Packet Trace (TCPDUMP) icon
For more information on Packet Trace logs, see Packet Trace Log on page 120.
Change Management Port Configuration
STEP 1

On the Configure page, select the Open > General Config > Management Port menu
item. The Configure - Management Port page displays.

STEP 2

Enter the IP Address.

STEP 3

Enter the Network Mask.

STEP 4

Enter the Host Name.

STEP 5

If the port uses a default gateway, click the Enabled check box and enter an IP address.

STEP 6

Click Apply.
Note: If your IPS will only be communicating with devices on the same network
subnet, you do not need to enable and define a default gateway. Possible devices
that you may have to define a route or gateway for include SMS devices, time
servers (for SNTP), email servers (for email alerts), and workstations (for remote
access to the CLI or LSM).


Management Port Services


You can configure how you communicate with your UnityOne device using the Management Port
Services options. Normally, you will want to enable the Command Line Interface (CLI) and the Web
(LSM) interface. Each of these interfaces may be configured using non-secure communications (Telnet
and HTTP) for setup and debugging purposes, but you should not operate the UnityOne device using
these non-secure options. During normal operations, you should use secure communications (SSH
and HTTPS) to operate the CLI and the Web interfaces.
For more information, see the following:
Command Line Interface (CLI) on page 145
Web Interface (LSM and SMS) on page 147

Command Line Interface (CLI)


The Command Line Interface (CLI) can be accessed using either Telnet or SSH. Both of these access
methods require client software. Although Telnet clients are more commonly distributed with some
operating systems than with SSH clients, you should not configure the UnityOne device to run the
Telnet server during normal operations. Telnet communications are not secure, and a malicious party
could intercept device user names and passwords.
WARNING: The Management Port Services options enable you to select a Telnet
client when enabling the CLI. Telnet is not a secure service. If you enable Telnet,
you endanger the security of your UnityOne device. Use SSH instead of Telnet
when enabling the CLI.
Note: The IPS device allows for 10 web client connections, 10 telnet/SSH (for
CLI) connections, and 1 console connection at once.
Table 5 - 10: LSM CLI Configuration Options
Option           Description                                              Valid Input
SSH Enabled      Enables the SSH interface capabilities for the CLI.      Check or uncheck the option.
Telnet Enabled   Enables the Telnet interface capabilities for the CLI.   Check or uncheck the option.

To enable the CLI, you must do the following:


Enable the Command Line Interface (CLI) Enables the use of the CLI
Configure the NMS To use NMS commands in the CLI, you must configure the NMS settings in
the Configure - SMS Config page


Enable the Command Line Interface (CLI)


STEP 1

On the Configure page, select the Open > General Config > Management Port menu
item. The Configure - Management Port page displays.

STEP 2

In the Management Port Services section, click the SSH Enabled check box. Click Telnet
Enabled for non-secure communications.

STEP 3

Click Apply. This button is not visible if the device is under control of the SMS.

Configure the NMS


STEP 1

On the Configure page, select the Open > SMS & NMS Config menu item. The
Configure - SMS Config page displays.

Figure 5 - 10: Configure - SMS Config Page


STEP 2

Enter the NMS IP Address.

STEP 3

Enter the NMS Port.

STEP 4

Enter the NMS Community String. You can enter 1-31 characters for this string.

STEP 5

Click Apply.


Web Interface (LSM and SMS)


The Web interface can be accessed using either HTTP or HTTPS. All major internet browsers are
capable of displaying web content from either of these services. Although most security-indifferent
sites use HTTP instead of HTTPS, you should not configure the UnityOne device to run the HTTP
server during normal operations. HTTP is not secure, and a malicious party could intercept device user
names and passwords.
WARNING: The Management Port Services options enable you to turn on HTTP.
HTTP is not a secure service. If you enable HTTP, you endanger the security of
your UnityOne device. Use HTTPS instead of HTTP.
In addition, if you want to administer your UnityOne devices using a UnityOne Security Management
Server (SMS), you must enable HTTPS.
Enable the Web Server (LSM and SMS)
STEP 1

On the Configure page, select the Open > General Config > Management Port menu
item. The Configure - Management Port page displays.

STEP 2

In the Management Port Services section, click the Enabled check box for the Web option.

STEP 3

Select HTTPS from the drop-down menu. Select HTTP for nonsecure communications.

STEP 4

Click Apply. This button is not visible if the device is under control of the SMS.
Note: When you change from one web server to another, either from HTTP to
HTTPS or from HTTPS to HTTP, you must reboot your IPS for the changes to take
effect.

Routing Options
Routing options enable you to communicate with network subnets other than the subnet on which the
Management Port is located. If you will manage your UnityOne device from a different subnet you will
need to define a route between the subnet to which your workstation is connected and the subnet to
which your UnityOne Host Management Port is connected.
The following is the Configure - Routing Options page:
Figure 5 - 11: Configure - Routing Options Page


Add a Network Route


STEP 1

On the Configure page, select the Open > General Config > Routing Options menu
item. The Configure - Routing Options page displays.

STEP 2

Enter the destination IP address in the Dest Network field.

STEP 3

Enter the network Mask for the destination network.

STEP 4

Enter the Gateway IP address used by UnityOne to communicate with the destination network.

STEP 5

Click the add to table below button.


Note: If you will be managing your IPS from a workstation on the same subnet
that the IPS management port is connected to, you do not need to define default
routes.
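The following added example, which is not code from this guide or from TippingPoint, applies the rule
stated in the notes above (a peer on the management port's own subnet needs no route; anything else
needs a static route or a default gateway) to a list of the peers the guide mentions: an SMS, an SNTP
server, an e-mail server, and a management workstation. It also checks that each route's gateway is
itself on the management subnet, since a gateway the device cannot reach directly leaves the route
useless. The addresses are constructed documentation-range values and the longest-prefix tie-break
between static routes is an assumption about normal routing behaviour, not a statement about the IPS.

```python
# Added example (not TippingPoint code): which management peers need a route or a default gateway.
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str, str]   # (Dest Network, Mask, Gateway) as entered on the Routing Options page


def same_subnet(mgmt_ip: str, mgmt_mask: str, peer: str) -> bool:
    """True when the peer sits on the management port's own subnet (no route needed)."""
    net = ipaddress.IPv4Network(f"{mgmt_ip}/{mgmt_mask}", strict=False)
    return ipaddress.IPv4Address(peer) in net


def plan_reachability(mgmt_ip: str, mgmt_mask: str, default_gateway: str,
                      routes: List[Route], peers: Dict[str, str]) -> Dict[str, str]:
    """Map each peer name to how the IPS reaches it: local, static route, default gateway, or unreachable."""
    plan: Dict[str, str] = {}
    for name, addr in peers.items():
        if same_subnet(mgmt_ip, mgmt_mask, addr):
            plan[name] = "local"
            continue
        # Assumption: the most specific (longest-prefix) static route wins, as in a normal routing table.
        best = None
        for dest, mask, gw in routes:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            if ipaddress.IPv4Address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best:
            gw = best[1]
            if same_subnet(mgmt_ip, mgmt_mask, gw):
                plan[name] = f"static route via {gw}"
            else:
                plan[name] = f"misconfigured route: gateway {gw} is not on the management subnet"
        elif default_gateway:
            plan[name] = f"default gateway {default_gateway}"
        else:
            plan[name] = "unreachable"   # SMS, SNTP, e-mail alerts or remote access to this peer would fail
    return plan


# Constructed sample: management port 192.0.2.10/24, one static route, no default gateway yet.
MGMT_IP, MGMT_MASK = "192.0.2.10", "255.255.255.0"
ROUTES: List[Route] = [("198.51.100.0", "255.255.255.0", "192.0.2.1")]
PEERS = {
    "sms": "192.0.2.20",          # same subnet as the management port
    "sntp": "198.51.100.5",       # covered by the static route
    "email": "203.0.113.25",      # nothing covers it until a default gateway is enabled
    "workstation": "192.0.2.77",
}

if __name__ == "__main__":
    for peer, how in plan_reachability(MGMT_IP, MGMT_MASK, "", ROUTES, PEERS).items():
        print(f"{peer:12} {PEERS[peer]:16} {how}")
```

Enabling a default gateway (for example 192.0.2.1) in place of the empty string changes the e-mail
server's entry from "unreachable" to "default gateway 192.0.2.1" while the local peers stay unchanged.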

Time Options
The UnityOne device can either keep time internally, using its own Internal CMOS Clock, or it can use a
Simple Network Time Protocol Server (SNTP Server) to check and synchronize time periodically. In
addition, you can Set the IPS Time Zone used to display local time.
Time options includes the following topics:
Time Zones
Internal CMOS Clock
SNTP Server


The following is the Configure - Time Options page:


Figure 5 - 12: Configure - Time Options Page

Time Zones
The UnityOne device comes with pre-defined time zone entries. Although system logs are kept in
Universal Time (UTC), the LSM will translate UTC time values into local time values for viewing
purposes. See Table 5 - 11, Time Zone Definitions, on page 149 for the time zones you can choose
from.
Set the IPS Time Zone
STEP 1

On the Configure page, select the Open > General Config > Time Options menu
item. The Configure - Time Options page displays.

STEP 2

Select the Timezone entry you would like to use from the drop-down list.

STEP 3

Click the check box to Automatically adjust clock for daylight saving changes.

STEP 4

Click Apply.

You can choose from the following time zones:


Table 5 - 11: Time Zone Definitions
Time Zone   Offset from   Daylight        Time Zone Long Name
Code        UTC (hours)   Savings Time
ACST        +9.5          OFF             AU Central Standard Time
AEST        +10           OFF             AU Eastern Standard/Summer Time
AKST        -9            OFF             Alaska Standard Time
AST         -4            OFF             Atlantic Standard Time
AWST        +8            OFF             AU Western Standard Time
CET         +1            OFF             Central Europe Time
CST         -6            OFF             Central Standard Time
EET         +2            OFF             Eastern Europe Time
EST         -5            OFF             Eastern Standard Time
GMT                       OFF             Greenwich Mean Time
HST         -10           OFF             Hawaiian Standard Time
JST         +9            OFF             Japan Standard Time
KST         +9            OFF             Korea Standard Time
MSK         +3            OFF             Moscow Time
MST         -7            OFF             Mountain Standard Time
NZST        +12           ON              New Zealand Standard Time
PST         -8            OFF             Pacific Standard Time
WET                       OFF             Western Europe Time
GMT-12      -12           OFF             GMT -12:00
GMT-11      -11           OFF             GMT -11:00
GMT-10      -10           OFF             GMT -10:00
GMT-9       -9            OFF             GMT -9:00
GMT-8       -8            OFF             GMT -8:00
GMT-7       -7            OFF             GMT -7:00
GMT-6       -6            OFF             GMT -6:00
GMT-5       -5            OFF             GMT -5:00
GMT-4       -4            OFF             GMT -4:00
GMT-3       -3            OFF             GMT -3:00
GMT-2       -2            OFF             GMT -2:00
GMT-1       -1            OFF             GMT -1:00
GMT+1       +1            OFF             GMT +1:00
GMT+2       +2            OFF             GMT +2:00
GMT+3       +3            OFF             GMT +3:00
GMT+4       +4            OFF             GMT +4:00
GMT+5       +5            OFF             GMT +5:00
GMT+6       +6            OFF             GMT +6:00
GMT+7       +7            OFF             GMT +7:00
GMT+8       +8            OFF             GMT +8:00
GMT+9       +9            OFF             GMT +9:00
GMT+10      +10           OFF             GMT +10:00
GMT+11      +11           OFF             GMT +11:00
GMT+12      +12           OFF             GMT +12:00

Note: The UnityOne device keeps internal time information in Coordinated
Universal Time (UTC) format. Log messages and other timestamp information is
translated from UTC to the local time zone that you configure using timekeeping
options.

Internal CMOS Clock


Your UnityOne device contains an internal CMOS clock. By setting the internal CMOS clock time, you
can set the device to keep time independently.
Set the Internal CMOS Clock Time
STEP 1

On the Configure page, select the Open > General Config > Time Options menu
item. The Configure - Time Options page displays.

STEP 2

Click the Internal CMOS clock option. You can click Set Time to Local Browser Time to
automatically populate the settings.

STEP 3

Enter the CMOS Date in YYYY-MM-DD (ex: 2002-01-30) format.

STEP 4

Enter the CMOS Time in HH:MM:SS (ex: 13:45:59) format.

STEP 5

Click Apply.


SNTP Server
If you choose to keep system time for your UnityOne device using a Simple Network Time Protocol
(SNTP) server, you must Define Primary and Secondary SNTP Servers. SNTP servers are central
servers that keep time coordinated with a central atomic clock. SNTP servers help keep network time
synchronized so that network events that occur on different hosts can be compared.
Tip: Be sure that you configure your various SNTP clients (both UnityOne devices
and other network devices) to use the same SNTP servers. Using the same SNTP
servers will help ensure that event times from different network entities can be
meaningfully compared.
CAUTION: Using external SNTP servers could possibly make your IPS susceptible to a
man-in-the-middle attack. It is more secure to use an SNTP server on a local, protected
network.
Define Primary and Secondary SNTP Servers
STEP 1

On the Configure page, select the Open > General Config > Time Options menu
item. The Configure - Time Options page displays.

STEP 2

Click the SNTP Server option.

STEP 3

Enter the IP address for a Primary SNTP server.

STEP 4

Enter the IP address for a Secondary SNTP server.

STEP 5

Enter the Duration in minutes.

STEP 6

Enter the Offset in seconds.

STEP 7

Enter the Port for the server.

STEP 8

Enter the number of seconds for a Timeout.

STEP 9

Enter the maximum number of Retries for connecting.

STEP 10

Click Apply.

SMS and NMS Configuration


If you manage your IPS with an SMS, you can turn SMS control on and off through the LSM. Through
the LSM, you can configure the SMS, SNMP, and NMS identification information. For the SMS, this
information includes the serial number, IP address, port, and the SMS authorized IP address. For the
SNMP, this information includes the version number. And for NMS, this information includes the IP
address, port, and community string. The NMS enables applications such as HP OpenViewTM to
monitor the UnityOne device.


The SNMP Server provides access to interface counters and other statistics, configuration data, and
general system information via the Simple Network Management Protocol (SNMP). The SNMP server
must be enabled to use SMS management or to allow NMS access.
CAUTION: If you disable the SNMP V2 option, you disable SMS and NMS functionality. To
provide SMS functionality, enable the SNMP V2 option.

You use the Configure - SMS Config page to configure the information. If your IPS is currently under
SMS control, the serial number and the IP address of the controlling SMS are displayed on the
Configure - SMS Config page.
To communicate to the SMS, you need to configure the segments to have the following enabled:
HTTPS (HyperText Transfer Protocol, Secure) Protocol for handling secure transactions. See
Web Interface (LSM and SMS) on page 147 for instructions on configuring HTTPS.
SNMP (Simple Management Network Protocol) Protocol for managing nodes on an IP network
and monitoring various types of equipment including computers, routers, and wiring hubs
NMS (Network Management System) Protocol for monitoring the device by a restricted NMS,
such as HP OpenViewTM.
The following is the Configure - SMS Config page:
Figure 5 - 13: Configure - SMS Config Page


View or Configure SMS Information


STEP 1

On the Configure page, select the Open > SMS & NMS Config menu item. The
Configure - SMS Config page displays.

STEP 2

To enable or disable SMS control, check or uncheck the SMS Control: Enabled check box. If
SMS is not available, the option is disabled, or grayed-out. If enabled, the page displays the
serial number, IP address and port for the SMS machine.

STEP 3

Check the Enabled check box for each version of SNMP you want to use.
Note: To communicate to the SMS, you must enable the SNMP V2.

STEP 4

Enter the SMS Authorized IP Address for the authorized IP. Enter any to allow any IP
address.

STEP 5

Click Apply.
Note: If the IPS is not currently under SMS control, you can find the IP address of
the last SMS that was in control by checking your Audit log from the Logs page.


View or Configure NMS Information


STEP 1

On the Configure page, select the Open > SMS & NMS Config menu item. The
Configure - SMS Config page displays.

STEP 2

To enable NMS configuration, you must enable SNMP V2 in the SMS configuration values.

STEP 3

In the NMS section, enter the NMS IP Address.

STEP 4

Enter the NMS Port.

STEP 5

Enter the NMS Community String. You can enter 1-31 characters for this string.

STEP 6

Click Apply.
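The following is an added example, not code from this guide or from TippingPoint, that turns the
requirements and warnings of the Management Port Services, Command Line Interface, Web Interface,
SNTP Server, and SMS and NMS Configuration sections into a single posture check an administrator can
run against an exported copy of the settings. The settings dictionary layout, the severity labels, and
the finding texts are assumptions made for the example; each rule corresponds to a statement above
(Telnet and HTTP are insecure, the SMS needs HTTPS and SNMP V2, the NMS needs SNMP V2 and a 1-31
character community string, Host Name is limited to 32 characters, the Segment Name must not contain
the listed characters, external SNTP servers expose the device to a man-in-the-middle attack, and an
SMS Authorized IP of any allows any address). Both sample configurations are constructed.

```python
# Added example (not TippingPoint code): posture check over the LSM management settings.
import ipaddress
from typing import Dict, List, Tuple

# Characters the Segment Name must not contain (from the Configure a Segment note).
SEGMENT_NAME_FORBIDDEN = set("`'~!#$%^&=+|<>/?;[{]}")

Finding = Tuple[str, str]   # (severity, message)


def audit_management_config(cfg: Dict, local_networks: List[str]) -> List[Finding]:
    """Return findings for the insecure or inconsistent settings described in this chapter."""
    findings: List[Finding] = []
    protected = [ipaddress.IPv4Network(n) for n in local_networks]
    https_on = bool(cfg.get("web_enabled")) and cfg.get("web_protocol", "").upper() == "HTTPS"

    # Management Port Services: only SSH and HTTPS during normal operation.
    if cfg.get("telnet_enabled"):
        findings.append(("HIGH", "Telnet enabled for the CLI: user names and passwords can be intercepted; use SSH"))
    if cfg.get("web_enabled") and cfg.get("web_protocol", "").upper() == "HTTP":
        findings.append(("HIGH", "Web interface served over HTTP: use HTTPS"))
    if not cfg.get("ssh_enabled") and not cfg.get("telnet_enabled"):
        findings.append(("INFO", "CLI not reachable over the network; console access only"))

    # SMS control needs HTTPS and SNMP V2; the authorized address should not be 'any'.
    if cfg.get("sms_control"):
        if not https_on:
            findings.append(("HIGH", "SMS control enabled but HTTPS is off: the SMS cannot manage the device"))
        if not cfg.get("snmp_v2_enabled"):
            findings.append(("HIGH", "SMS control enabled but SNMP V2 is disabled: SMS and NMS functions are off"))
        if str(cfg.get("sms_authorized_ip", "")).lower() == "any":
            findings.append(("MEDIUM", "SMS Authorized IP is 'any': restrict it to the SMS address"))

    # NMS needs SNMP V2 and a community string of 1-31 characters.
    nms = cfg.get("nms")
    if nms:
        if not cfg.get("snmp_v2_enabled"):
            findings.append(("HIGH", "NMS configured but SNMP V2 is disabled"))
        if not 1 <= len(nms.get("community", "")) <= 31:
            findings.append(("HIGH", "NMS Community String must be 1-31 characters"))

    # Field limits from Table 5 - 9 and the Segment Name note.
    if len(cfg.get("host_name", "")) > 32:
        findings.append(("MEDIUM", "Host Name exceeds 32 characters"))
    for seg in cfg.get("segments", []):
        bad = sorted(SEGMENT_NAME_FORBIDDEN & set(seg))
        if bad:
            findings.append(("MEDIUM", f"Segment Name {seg!r} contains forbidden characters {''.join(bad)}"))

    # SNTP: servers outside the protected networks are a man-in-the-middle exposure.
    for server in cfg.get("sntp_servers", []):
        if not any(ipaddress.IPv4Address(server) in net for net in protected):
            findings.append(("MEDIUM", f"SNTP server {server} is outside the protected networks"))
    return findings


# Constructed sample settings; addresses are documentation-range values.
LOCAL_NETWORKS = ["192.0.2.0/24"]
WEAK = {
    "ssh_enabled": True, "telnet_enabled": True,
    "web_enabled": True, "web_protocol": "HTTP",
    "sms_control": True, "snmp_v2_enabled": False, "sms_authorized_ip": "any",
    "nms": {"ip": "192.0.2.50", "port": 162, "community": "public"},
    "host_name": "ips-core-01",
    "segments": ["1A", "dmz<web>"],
    "sntp_servers": ["198.51.100.9"],
}
HARDENED = {
    "ssh_enabled": True, "telnet_enabled": False,
    "web_enabled": True, "web_protocol": "HTTPS",
    "sms_control": True, "snmp_v2_enabled": True, "sms_authorized_ip": "192.0.2.20",
    "nms": {"ip": "192.0.2.50", "port": 162, "community": "r" * 20},
    "host_name": "ips-core-01",
    "segments": ["1A"],
    "sntp_servers": ["192.0.2.123"],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label}: {len(audit_management_config(cfg, LOCAL_NETWORKS))} finding(s)")
        for severity, message in audit_management_config(cfg, LOCAL_NETWORKS):
            print(f"  [{severity}] {message}")
```

The weak sample trips every rule the chapter states (five HIGH and three MEDIUM findings); the
hardened sample, which differs only in the settings the guide tells you to change, produces none.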

Network High Availability


Through the Configure page, you can modify the Network High Availability settings for Intrinsic
Network HA (INHA) and Transparent Network HA (TNHA). Intrinsic Network High Availability is the
ability of multiple LSM applications and their IPS devices to see and direct the flow of network traffic
between devices and their ports. When traffic flows through the ports of a device, one port may have
an issue occur causing an interruption in traffic. The port then transfers the traffic flow to the other
available port or device accordingly.
Through the INHA, the system routes network traffic by signalling one device, its port, and its LSM of
the IP address, connection table, and flow information. The target port, device, and LSM then builds
the information from scratch, to handle network traffic for optimum usage. It transfers the TCP flow
when fail-overs occur.
Transparent Network HA performs the same service; however, it differs by constantly updating devices
of the TCP flow information. For these networks and devices, the fail-over port/device does not have to
rebuild the information flow tables based on the information sent from the failing port/device. It
receives information from an XSL to update its connection table settings. Once updated, this type of
network HA quickly transfers fail-over traffic without having to rebuild the settings.
When you configure the settings, you set the default settings for all INHA and TNHA settings. You can
also edit these settings for each segment through the Configure - Segment Config page. See
Segment Configuration to set the High Availability settings per segment.
Note: If your system has two IPS devices communicating through Transparent
High Availability (TNHA), a change to the global timeout for the connection table
at one IPS device will not propagate to the other IPS. You must make this change
on each device accordingly.


The following is the Configure - High Availability page:


Figure 5 - 14: Configure - Intrinsic Network HA Config Page

Configure INHA
STEP 1

On the Configure page, select the Open > High Availability menu item. The Configure - High Availability page displays.

STEP 2

For the State, select one of the following:


Normal Overrides all INHA settings
Layer 2 Fallback Enables INHA configurations per segment

STEP 3

Click Apply.

Configure TNHA


STEP 1

On the Configure page, select the Open > High Availability menu item. The Configure - High Availability page displays.

STEP 2

In the Transparent HA section, click the Enable check box.

STEP 3

Enter the Partner IP Address.

STEP 4

Click Apply.


INHA Configuration
A lack of reported errors or congestion through the Threat Suppression Engine (TSE) does not
guarantee that the components receive correct and error-free traffic. The Intrinsic Network HA (INHA)
must monitor the TSE for several points of failure and apply failure detection logic against the system.
All components for the INHA are checked for failure, including Broadcom, XSL, TIF, LINX, FPP, RSP,
and NetPAL.

All Components
The following conditions are checked for all components (Broadcom, XSL, TIF, LINX, FPP, RSP,
NetPAL) to determine TSE failure:
Check back-pressure Presence of back-pressure indicates packets are queued for processing. It
indicates a failure if the TSE does not process those packets.
Determine traffic requirements If the IPS does not pass traffic, detecting a failed TSE is
more difficult. A minimum rate of traffic must pass through the IPS for best TSE-failure detection.
Handle non-atomic nature of the data path A packet passes through each component at different
times and rates. The status of each component is determined independently of the others. INHA uses
sampling to determine if the TSE is healthy.
Discovery considerations (IPS originated traffic) Discovery is a special case where the IPS
generates packets. In these cases, responses will terminate at NetPAL. INHA must make sure this
behavior is not mistaken for a TSE failure.
Check and transmit the inbound receive counters Each component has receive counters
incremented by packets received from the previous component. The component transmits these
counters, incremented as packets pass, to the next component. These counters are the most accurate and
most complicated way of detecting TSE health.
Each component also has a specific set of functions for failure checking. See the following sections for
specific failure checking:
Broadcom
XSL
NetPAL

Broadcom
The following conditions are checked for Broadcom:
Check all ports and all MZDM switch blades Each MZDM has an XSL and a Broadcom
component. These components must be checked to validate the data passing between the MZDM
and the TSE.
Know up/down state of port pairs A downed-port must be considered by INHA so that it is not
mistakenly detected as a failed TSE.

XSL
The following conditions are checked for XSL:
Check watchdog INHA will make sure the XSL watchdog is not mistaken for a TSE failure.


NetPAL
The following conditions are checked for RSP and NetPAL:
Check inbound packet queue from RSP to NetPAL Packets are sent from the RSP to NetPAL
through a packet queue. INHA checks both sides of the queue to verify TSE health.

TSE Failure Detection Logic


There are two steps in determining the failure of the TSE:
STEP 1

If NetPAL is receiving packets (good TSE), it returns as OK.

STEP 2

It then determines if NetPAL should be receiving packets. If it should, it returns as FAIL.
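The following is an added example, not code from this guide or from TippingPoint, that applies the
two-step decision above to sampled receive counters from the components listed in the INHA
Configuration section. The component order (Broadcom first, NetPAL last), the counter snapshots, the
minimum traffic rate, and the status strings are assumptions made for the example; the logic follows
the text: NetPAL receiving packets means OK, otherwise the check decides whether NetPAL should have
been receiving, treating a downed port pair and insufficient ingress traffic as reasons not to declare
a failure, and back-pressure with nothing processed as a failure.

```python
# Added example (not TippingPoint code): TSE failure detection from sampled receive counters.
from typing import Dict, Tuple

# Assumed hand-off order along the data path; NetPAL is the last stage that must see traffic.
DATA_PATH = ["broadcom", "xsl", "tif", "linx", "fpp", "rsp", "netpal"]


def rx_rates(prev: Dict[str, int], curr: Dict[str, int], interval_s: float) -> Dict[str, float]:
    """Packets per second received by each component between two counter samples."""
    return {c: (curr[c] - prev[c]) / interval_s for c in DATA_PATH}


def tse_health(prev: Dict[str, int], curr: Dict[str, int], interval_s: float,
               port_pair_up: bool, back_pressure: bool, min_pps: float = 10.0) -> Tuple[str, str]:
    """Return (status, reason); status is OK, FAIL, or UNKNOWN when there is too little traffic to judge."""
    rates = rx_rates(prev, curr, interval_s)
    # Step 1: NetPAL is receiving packets, so the path is passing traffic.
    if rates["netpal"] > 0:
        return "OK", "netpal receiving"
    # Step 2: decide whether NetPAL should have been receiving.
    if not port_pair_up:
        return "OK", "port pair down; no traffic expected"     # a downed port is not a failed TSE
    if back_pressure:
        return "FAIL", "back-pressure present but nothing processed"
    if rates["broadcom"] < min_pps:
        return "UNKNOWN", f"ingress below {min_pps} pps; cannot judge TSE health"
    # Traffic entered the path but never reached NetPAL: locate the first silent hop.
    for upstream, downstream in zip(DATA_PATH, DATA_PATH[1:]):
        if rates[upstream] > 0 and rates[downstream] == 0:
            return "FAIL", f"packets stop between {upstream} and {downstream}"
    return "FAIL", "ingress present but netpal silent"


# Constructed counter snapshots taken 5 seconds apart.
T0 = {c: 1_000_000 for c in DATA_PATH}
HEALTHY = {c: 1_005_000 for c in DATA_PATH}            # 1000 pps at every stage
STALLED = dict(HEALTHY, tif=1_000_000, linx=1_000_000,   # traffic dies after XSL
               fpp=1_000_000, rsp=1_000_000, netpal=1_000_000)
IDLE = dict(T0)                                         # no packets anywhere

if __name__ == "__main__":
    for label, curr, up, bp in (("healthy", HEALTHY, True, False),
                                ("stalled", STALLED, True, False),
                                ("idle, ports up", IDLE, True, False),
                                ("idle, ports down", IDLE, False, False),
                                ("idle, back-pressure", IDLE, True, True)):
        status, reason = tse_health(T0, curr, 5.0, up, bp)
        print(f"{label:20} {status:8} {reason}")
```

Sampling two snapshots rather than reading a single counter is what lets the check tolerate the
non-atomic data path: a packet counted at Broadcom in one instant may not yet have been counted at
NetPAL, so only the rate over the interval is compared.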

TNHA Configuration
The Transparent Network HA (TNHA) has various configuration settings and requirements that you
should consider when configuring high availability for the LSM and UnityOne devices. When
configuring high availability, TNHA configuration includes the following:
It requires a partner IPS IP address.
TNHA can be enabled/disabled.
TNHA includes the following status states:
communication error (red) An error occurred during communication
latency (yellow) A warning occurred during communication
normal (green) Running appropriately without errors
In TNHA, data is sent to the partner machine when the following situations occur:
When blocked flows occur in the connection table as they are received and added
When the user flushes the connections with the flush all option on the Config - TSE Connection
Table (Blocked Streams) page or using the clear connection-table blocks command
through the Command Line Interface (CLI). The TNHA partner is instructed to flush, or remove, the
entries.
When the user flushes individual flows from the list in the Config - TSE Connection Table (Blocked
Streams) page, a directive to flush each individual flow is sent to the TNHA partner
DDoS SYN traps are detected and installed
Note: Data may not reach peer machine if active machines are under extremely
heavy load.


Hardware and Software Configuration


Before configuring the TNHA settings, you must consider and perform specific hardware and software
configurations for the devices and the network. These configuration settings include the following:
The network and devices must have a secure connection to a partner for the TNHA to function.
TNHA uses SSLv3 and communicates on TCP port 9591.
TNHA devices can only connect and communicate with a partner that is configured to talk to them in
turn. In other words, both participating machines must point to each other.
WARNING: Security caveat: A hijacked IPS, or a rogue IPS that steals the IP
address of a TNHA partner, can communicate with a legitimate IPS.

TSE Configuration
The Threat Suppression Engine uses a blend of ASICs and network processors to detect threats and
anomalies in network traffic. The TSE filters malicious attacks before they become a problem, using the
latest updates of the operating system and Digital Vaccine packages. You can configure the settings for
the TSE to filter and react to these attacks.
You can configure the following settings for the TSE:
TSE General Configuration: General settings for the TSE, including the connection table timeout
and asymmetric network settings
TSE Adaptive Filter Configuration: Settings for managing extreme loads of network traffic
TSE Blocked Streams: Options for clearing blocked streams from the connection table
TSE Rate Limited Streams: Options for clearing rate limited streams from the connection table
TSE Non Standard Ports: Options for creating and deleting non-standard ports for services
TSE Blacklisted Streams: Options for unblocking blocked IP addresses

TSE General Configuration


The Config - TSE General Config page allows you to set global settings for the Threat Suppression
Engine. The general configuration options for the Threat Suppression Engine (TSE) include the
following:
Connection Table Timeout: The value for the global connection table timeout. This value applies
to all blocked streams in the connection table, and determines the amount of time that elapses before
that connection is cleared from the connection table. Before that period of time elapses, any
incoming packets for that stream are blocked at the box. After the connection is cleared, the
incoming connection is allowed (if its action set has changed) or re-added to the blocked list. If you
change the Connection Table Timeout and you are using Transparent High Availability, you will need
to set the value on the other IPS also.
Note: If your system has two IPS devices communicating through Transparent
Network High Availability (TNHA), a change to the global timeout for the connection table
at one IPS device will not propagate to the other IPS. You must make this change
on each device accordingly.
Asymmetric Network: By default, the UnityOne is set to Asymmetric mode, which means the
UnityOne does not need to see both sides of a connection before notifying the user. Disabling
Asymmetric mode (symmetric mode) means that the UnityOne will continue to block an
attack it detects but will not alert unless a valid connection setup takes place. Symmetric mode is
useful for testing with tools such as STICK and SNOT. The UnityOne always blocks an attack it
detects, regardless of this setting.
The Logging Mode section allows you to configure settings for alerts. Through this section, you can
enable or disable alerting of permitted and blocked packets. The system logs a warning and disables
alerting if alerting causes the device to drop packets. The default setting for this option is 10 minutes.
When the downtime expires, the system re-enables alerting and displays the number of missed alerts
(callbacks). The settings provide configurable ranges for the packet loss threshold and the
amount of time for which notifications are disabled.
The following is the Configure - TSE General Config page:
Figure 5 - 15: Configure - TSE General Config Page

Configure the TSE Connection Table Timeout


STEP 1

On the Configure page, select the Open > TSE Config > General TSE Config menu
item. The TSE General Config page displays.

STEP 2

Click the check box to enable the TSE for an Asymmetric network.

STEP 3

Enter the Connection Table Timeout. This value is 30-1800 seconds.

STEP 4

In the Logging Mode section, select one of the following:


Always log even if traffic is dropped under high load
Disable logging if needed to prevent congestion

STEP 5

If you select the disable logging option, do the following:

STEP A

Enter the congestion percentage that is required to disable logging (0.1 to 99.9).

STEP B

Enter the length of time (in seconds) for which logging is disabled before being re-enabled
(60 to 3600).

STEP 6

Click Apply.
Note: If your system has two IPS devices communicating through Transparent
Network High Availability (TNHA), a change to the global timeout for the connection table
at one IPS device will not propagate to the other IPS. You must make this change
on each device accordingly.
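The following is an added example, not code from this guide or from TippingPoint, that models the Logging Mode behaviour described above in Python. The congestion percentage range (0.1 to 99.9), the disable interval range (60 to 3600 seconds, 10 minutes by default) and the report of missed alerts (callbacks) when alerting comes back follow the text; the class name, the per-interval sampling call and the log wording are assumptions of the example.

```python
# Added example (not TippingPoint code): a model of the Logging Mode setting.
# The congestion percentage (0.1 to 99.9), the disable interval (60 to 3600 s,
# 10 minutes by default) and the missed-alert report follow the guide; the
# class name, the sampling call and the log wording are assumptions.


class LoggingMode:
    """Drops alerting for a fixed interval when packet loss crosses a threshold."""

    def __init__(self, disable_on_congestion=True, congestion_pct=None, disable_seconds=600):
        if disable_on_congestion:
            if congestion_pct is None or not 0.1 <= congestion_pct <= 99.9:
                raise ValueError("congestion percentage must be 0.1 to 99.9")
            if not 60 <= disable_seconds <= 3600:
                raise ValueError("disable interval must be 60 to 3600 seconds")
        self.disable_on_congestion = disable_on_congestion  # False = always log
        self.congestion_pct = congestion_pct
        self.disable_seconds = disable_seconds
        self.alerting_enabled = True
        self.reenable_at = None   # time at which alerting comes back
        self.missed = 0           # alerts (callbacks) not sent while disabled
        self.log = []             # messages the device would write to its log

    def sample(self, now, packets_seen, packets_dropped, alerts_due):
        """Feed one measurement interval; returns the number of alerts actually sent."""
        # The disable interval has expired: re-enable and report what was missed.
        if not self.alerting_enabled and now >= self.reenable_at:
            self.alerting_enabled = True
            self.reenable_at = None
            self.log.append(f"alerting re-enabled at t={now}; "
                            f"{self.missed} alerts (callbacks) missed")
            self.missed = 0
        # Alerting is costing packets: log a warning and switch it off for a while.
        if self.alerting_enabled and self.disable_on_congestion and packets_seen > 0:
            loss_pct = 100.0 * packets_dropped / packets_seen
            if loss_pct >= self.congestion_pct:
                self.alerting_enabled = False
                self.reenable_at = now + self.disable_seconds
                self.log.append(f"warning: {loss_pct:.1f}% packet loss at t={now}; "
                                f"alerting disabled for {self.disable_seconds} s")
        if self.alerting_enabled:
            return alerts_due
        self.missed += alerts_due
        return 0
```

With a 5.0 percent threshold and a 60 second interval, a sample showing 8 percent loss switches alerting off, the alerts due in the following samples are counted rather than sent, and the first sample at or after the 60 second mark re-enables alerting and logs the count. With the "always log" option the class never disables alerting regardless of loss.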

Configure the TSE Asymmetric Network


STEP 1

On the Configure page, select the Open > TSE Config > General TSE Config menu
item. The TSE General Config page displays.

STEP 2

To enable, click the check box for the Asymmetric Network.

STEP 3

Click Apply.

TSE Adaptive Filter Configuration


The UnityOne can be configured to protect against the potential adverse effects of a defective filter. On
rare occasions, the system may experience extreme load conditions that may cause the device to
enter High Availability due to traffic congestion caused by filter failure. To prevent the device from
entering HA, the UnityOne disables the filter causing the possible congestion of traffic. This
functionality is called adaptive filtering, which automatically manages your devices under extreme
load conditions.
Adaptive filtering works by determining the aggregation of a particular filter that fires frequently on a
system, such as thousands of times per minute or more. The system monitors each filter on a
minute-by-minute basis, checking the number of times it has matched. If a filter matches more than 6000
times in a minute, it is deemed to be overactive. You can set this amount through the CLI using the
conf t tse agg-threshold command. When the filter matches the amount, the system logs a message as
adaptive aggregation with a qualifier and limits the actions taken for the filter. If the filter had an action
set to Permit and another action (such as Permit + Notify), the system sets the filter to only Permit. If
the filter was set to Block and another action (such as Block + Notify), the system sets the filter to only
Block. Once the trigger slows down to less than 2000 times per minute (or 1/3 of the set threshold, if it has
been modified), the system returns the filter's action set to its configured value and logs a message
detailing how many alerts were skipped.
This feature supports both automatic and manual modes:
Automatic Mode: This setting enables the UnityOne to automatically disable and log any
defective filter.
Manual Mode: This setting enables the UnityOne to log any defective filter.
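The following is an added example, not code from this guide or from TippingPoint, that models the adaptive filter aggregation described above in Python. It keeps the numbers and rules of the text: a filter that matches more than 6000 times in a minute (or more than the threshold set with conf t tse agg-threshold) is logged and, in automatic mode, limited to the base action of its action set (Permit + Notify becomes Permit, Block + Notify becomes Block); once it drops below 2000 matches per minute (1/3 of a modified threshold) the configured action set is restored and the number of skipped alerts is logged. The class and method names, the per-minute evaluation call, the log wording and the assumption that one alert corresponds to one match are the example's own.

```python
# Added example (not TippingPoint code): a model of adaptive filter aggregation.
# The threshold, the 1/3 recovery point, the action-set downgrade and the
# skipped-alert count follow the guide; class and method names, the
# per-minute evaluation call and the log wording are assumptions.

DEFAULT_AGG_THRESHOLD = 6000  # matches per minute (set with: conf t tse agg-threshold)


class AdaptiveFilterMonitor:
    """Tracks per-minute match counts and limits over-active filters."""

    def __init__(self, agg_threshold=DEFAULT_AGG_THRESHOLD, mode="auto"):
        if mode not in ("auto", "manual"):
            raise ValueError("mode must be 'auto' or 'manual'")
        if agg_threshold < 3:
            raise ValueError("threshold too small to have a recovery point")
        self.threshold = agg_threshold
        # Recovery point: 2000/min at the default threshold, 1/3 of a modified one.
        self.recover_below = agg_threshold // 3
        self.mode = mode
        self.configured = {}  # filter name -> configured action set, e.g. "Block + Notify"
        self.suppressed = {}  # filter name -> alerts skipped while the action set is limited
        self.log = []         # messages the engine would write to the system log

    def add_filter(self, name, action_set):
        self.configured[name] = action_set

    @staticmethod
    def base_action(action_set):
        """'Block + Notify' -> 'Block', 'Permit + Notify' -> 'Permit'."""
        return action_set.split("+", 1)[0].strip()

    def effective_action(self, name):
        configured = self.configured[name]
        return self.base_action(configured) if name in self.suppressed else configured

    def end_of_minute(self, name, matches):
        """Evaluate one filter for the minute that just ended.

        Returns the action set the engine applies to that filter from now on.
        """
        configured = self.configured[name]
        if name not in self.suppressed:
            if matches > self.threshold:
                msg = (f"adaptive aggregation: filter {name!r} matched {matches}/min "
                       f"(threshold {self.threshold})")
                if self.mode == "auto":
                    self.suppressed[name] = 0
                    msg += f"; action set limited to {self.base_action(configured)!r}"
                else:
                    msg += "; manual mode, logged only"
                self.log.append(msg)
        else:
            # Assumption: one alert would have been sent per match, so every
            # match while the action set is limited is a skipped alert.
            self.suppressed[name] += matches
            if matches < self.recover_below:
                skipped = self.suppressed.pop(name)
                self.log.append(f"adaptive aggregation cleared: filter {name!r} "
                                f"restored to {configured!r}; {skipped} alerts skipped")
        return self.effective_action(name)
```

Walking a Block + Notify filter through minutes of 500, 7000, 5000 and 1500 matches: the second minute trips the threshold and limits the filter to Block, the third stays limited because 5000 is above the 2000 recovery point, and the fourth restores Block + Notify and reports 6500 skipped alerts. In manual mode the same counts produce only the log entry.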


You can also use an optional setting that allows you to override the automatic disable feature on
Intrusion Prevention and Misuse and Abuse filters. You cannot use the feature on the following filters:
Traffic Management, Reconnaissance, and Traffic Normalization filters.
The following is the Configure - TSE Adaptive Filter Configuration page:
Figure 5 - 16: Configure - TSE Adaptive Filter Configuration Page

This page has the following settings:

Table 5 - 12: TSE Adaptive Filter Configuration Details
Column                  Definition
Mode                    Mode setting you can configure that indicates whether the mitigation for
                        handling network traffic congestion is automatic or manual
Ten Most Recent         Table that displays the ten most recent mitigation filters triggered
Filter Name             The name of the triggered filter
Filter State            Indicates the filter's state:
                        Enabled: Displays Enabled if the filter is enabled and running
                        Disabled: Displays an empty value if the filter is disabled. To enable,
                        edit the filter.
Adaptive Filter State   Indicates the adaptive state of the filter. If it displays Enabled, the filter
                        has been disabled. The LSM disables a filter if the adaptive filter settings
                        are triggered.
Functions               Icon representing functions to perform. These options may include
                        resetting the filter and saving the packet trace.

Configure the TSE Adaptive Filter Setting


STEP 1

On the Configure page, select the Open > TSE Config > Adaptive Filter Config menu
item. The TSE Adaptive Filter Configuration page displays.

STEP 2

Select the mode:

Automatic Mode: This setting enables the UnityOne to automatically disable and log
any defective filter.
Manual Mode: This setting enables the UnityOne to log any defective filter.

STEP 3

Click Apply.

TSE Blocked Streams


The LSM provides a feature for displaying the blocked streams of the connection table. A maximum of
50 blocked stream entries can be listed on the Config - TSE Connection Table (Blocked Stream)
page. The page displays the 5-tuple for each stream, including the protocol, source IP address,
destination IP address, source port, and destination port.
The page displays two tables for searching and flushing blocked streams. The first table allows you to
search the blocked streams. You can search by source and destination IP addresses and ports. The
returned streams display in this table.
The second table displays up to 50 of the total number of blocked streams. You can flush these connections
from the connection table on this page. The Flush All option removes all blocked streams (including
blocked streams not displayed) from the connection table. The effect is as though the blocked streams
all timed out at the same time. You can also select blocked streams to be flushed. The Flush Selected
option only removes the blocked streams selected from the list of 50 entries. The options for flushing
the streams are displayed at the bottom of the page.
The following is the Configure - TSE Connection Table (Blocked Streams) page:
Figure 5 - 17: Configure - TSE Connection Table (Blocked Streams) Page


This page has the following settings:

Table 5 - 13: TSE Connection Table (Blocked Streams) Details
Column             Definition
Protocol           Protocol used by the blocked connection
Src/Dest Address   Source or destination IP address of the connection
Port               Port of the connection
Src/Dest Address   Source or destination IP address of the connection
Port               Port of the connection
Segment/Port       Segment of the blocked stream
Reason             The filter link that details why the traffic connection stream was blocked.
                   Click the link to display and manage the filter.

Search Blocked Streams


STEP 1

On the Configure page, select the Open > TSE Config > Blocked Streams menu item.
The Configure - TSE Connection Table (Blocked Streams) page displays.

STEP 2

Enter search criteria for any of the following:

Protocol: The protocol for the connection (All, TCP, UDP, ICMP)
Source Address: The source IP address
Source Port: The source IP port
Entering 0 or 0.0.0.0 in the fields you do not want to specify allows you to search on any
of the 4 fields (combination or single). These values act as a wildcard meaning any.

STEP 3

Click Search. To reset the search, click Reset.

Flush All Blocked Streams


STEP 1

On the Configure page, select the Open > TSE Config > Blocked Streams menu item.
The Configure - TSE Connection Table (Blocked Streams) page displays.

STEP 2

Scroll to the bottom of the page.

STEP 3

Click Flush All.


Note: When you use the Flush All option, you remove all blocked streams,
including entries not displayed.


Flush Selected Blocked Streams


STEP 1

On the Configure page, select the Open > TSE Config > Blocked Streams menu item.
The Configure - TSE Connection Table (Blocked Streams) page displays.

STEP 2

Select blocked streams you want to remove by checking the check box next to each listed
entry in the table.

STEP 3

Scroll to the bottom of the page.

STEP 4

Click Flush Selected.


Note: When you use the Flush Selected option, you remove only the blocked
streams you selected.

TSE Rate Limited Streams


The LSM provides a feature for displaying the rate limited traffic streams of the connection table. A
maximum of 50 rate limited stream entries can be listed on the Config - TSE Connection Table (Rate
Limited Stream) page. The page displays the 5-tuple for each stream, including the protocol, source IP
address, destination IP address, source port, and destination port.
The page displays two tables for searching and flushing rate limited streams. The first table allows you to
search the rate limited streams. You can search by source and destination IP addresses and ports. The
returned streams display in this table.
The second table displays up to 50 of the total number of rate limited streams. You can flush these connections
from the connection table on this page. The Flush All option removes all rate limited streams
(including streams not displayed) from the connection table. You can also flush selected rate limited
streams using the Flush Selected option. The options for flushing the streams are displayed at the
bottom of the page.


The following is the Configure - TSE Connection Table (Rate Limited Streams) page:
Figure 5 - 18: Configure - TSE Connection Table (Rate Limited Streams) Page

This page has the following settings:

Table 5 - 14: TSE Connection Table (Rate Limited Streams) Details
Column             Definition
Protocol           Protocol used by the rate limited connection
Src/Dest Address   Source or destination IP address of the connection
Port               Port of the connection
Src/Dest Address   Source or destination IP address of the connection
Port               Port of the connection
Segment/Port       Segment of the rate limited stream
Reason             The filter link that details why the traffic connection stream was rate limited.
                   Click the link to display and manage the filter.

Search Rate Limited Streams


STEP 1

On the Configure page, select the Open > TSE Config > Rate Limited Streams menu
item. The Configure - TSE Connection Table (Rate Limited Streams) page displays.

STEP 2

Enter search criteria for any of the following:

Source Address: The source IP address
Source Port: The source IP port
Entering 0 or 0.0.0.0 in the fields you do not want to specify allows you to search on any
of the 4 fields (combination or single). These values act as a wildcard meaning any.


STEP 3

Click Search. To reset the search, click Reset.

Flush All Rate Limited Streams


STEP 1

On the Configure page, select the Open > TSE Config > Rate Limited Streams menu
item. The Configure - TSE Connection Table (Rate Limited Streams) page displays.

STEP 2

Scroll to the bottom of the page.

STEP 3

Click Flush All.


Note: When you use the Flush All option, you remove all rate limited streams,
including entries not displayed.

Flush Selected Rate Limited Streams


STEP 1

On the Configure page, select the Open > TSE Config > Rate Limited Streams menu
item. The Configure - TSE Connection Table (Rate Limited Streams) page displays.

STEP 2

Select the rate limited streams you want to remove by checking the check box next to each listed
entry in the table.

STEP 3

Scroll to the bottom of the page.

STEP 4

Click Flush Selected.


Note: When you use the Flush Selected option, you remove only the rate
limited streams you selected.

TSE Non Standard Ports


The Configure - Non Standard Ports page enables you to add and manage non-standard ports
supported by the IPS device.
To enhance scanning and detection of malicious traffic, the LSM provides creation and management of
Non-Standard Ports. This feature enables you to configure additional ports associated with specific
applications, services, and protocols to expand scanning of traffic. When filters scan traffic against the
standard ports for listed services, the engine also scans traffic against the list of
additional ports. Each service supports up to 16 additional ports.
Service types include icru (tcp), http (tcp), ms-sql (tcp), pop2 (tcp), pop3 (tcp), portmapper (tcp/
udp), rlogin (tcp), auth (tcp), dns (tcp/udp), finger (tcp), imap (tcp), rsh (tcp), smb (tcp), smtp (tcp),
snmp (tcp/udp), ssh (tcp), telnet (tcp), nntp (tcp), and ftp (tcp).
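The following is an added example, not code from this guide or from TippingPoint, that models the non-standard port table in Python: each service carries a transport (tcp, or tcp and udp) and a set of system-defined ports, accepts up to 16 user-defined ports, and a lookup answers which services' filters should inspect traffic on a given transport and port. The limit of 16 and the transports follow the text; the system-defined port numbers are the well-known IANA ports, assumed here rather than taken from the product's own list, and the class and method names are the example's own.

```python
# Added example (not TippingPoint code): a model of the non-standard port table.
# The per-service limit of 16 user-defined ports and the tcp / tcp-udp
# transport of each service follow the guide; the system-defined port numbers
# are the well-known IANA ports, assumed here rather than taken from the
# product, and the class and method names are this example's own.

MAX_USER_PORTS = 16

# service -> (transports the service is inspected on, system-defined ports)
SERVICES = {
    "http":   ({"tcp"}, {80}),
    "ssh":    ({"tcp"}, {22}),
    "telnet": ({"tcp"}, {23}),
    "smtp":   ({"tcp"}, {25}),
    "ftp":    ({"tcp"}, {21}),
    "ms-sql": ({"tcp"}, {1433}),
    "dns":    ({"tcp", "udp"}, {53}),
    "snmp":   ({"tcp", "udp"}, {161, 162}),
}


class NonStandardPorts:
    """User-defined ports per service, with the checks the Create page needs."""

    def __init__(self, services=SERVICES):
        self.services = services
        self.user_ports = {name: set() for name in services}

    def add_port(self, service, port):
        """Add a user-defined port; returns False if it was already present."""
        if service not in self.services:
            raise KeyError(f"unknown service type {service!r}")
        if not 1 <= port <= 65535:
            raise ValueError("port must be 1 to 65535")
        _, system_ports = self.services[service]
        if port in system_ports:
            raise ValueError(f"port {port} is already a system-defined port for {service}")
        ports = self.user_ports[service]
        if port in ports:
            return False
        if len(ports) >= MAX_USER_PORTS:
            raise ValueError(f"{service} already has {MAX_USER_PORTS} user-defined ports")
        ports.add(port)
        return True

    def delete_port(self, service, port):
        """Remove a user-defined port; returns False if it was not present."""
        if port in self.user_ports[service]:
            self.user_ports[service].discard(port)
            return True
        return False

    def services_for(self, transport, port):
        """Services whose filters should inspect traffic on (transport, port)."""
        hits = []
        for name, (transports, system_ports) in self.services.items():
            if transport in transports and (port in system_ports or port in self.user_ports[name]):
                hits.append(name)
        return sorted(hits)
```

Adding 8080 to http makes tcp/8080 traffic subject to the http filters, while udp/8080 stays uninspected because http is a tcp-only service; a seventeenth port for a service, or a port that is already system-defined, is refused.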


The following is the Configure - Non Standard Ports page:


Figure 5 - 19: Configure - Non Standard Ports Page

This page has the following settings:

Table 5 - 15: Non Standard Ports Details
Column                Definition
Application           Type of application/network service
Protocol              The protocol for the application
User-Defined Ports    The list of the ports you define
System-Defined Ports  The list of supported ports per application

See the following:


Add a Non-Standard Port on page 169
Delete a Non-Standard Port on page 169


Add a Non-Standard Port


STEP 1

On the Configure page, select the Open > TSE Config > Non Standard Ports menu
item. The Configure - Non Standard Ports page displays.

STEP 2

Do one of the following:


Click Add Port.
Select the Edit > Add Port menu item.
The Non Standard Ports - Create page displays.

Figure 5 - 20: Non Standard Ports - Create Page

STEP 3

Select a Service Type.

STEP 4

Enter a Port Number.

STEP 5

Click Create.

Delete a Non-Standard Port


STEP 1

On the Configure page, select the Open > TSE Config > Non Standard Ports menu
item. The Configure - Non Standard Ports page displays.

STEP 2

Do one of the following:


Click Delete Port.
Select the Edit > Delete Port menu item.
The Non Standard Ports - Delete page displays.

Figure 5 - 21: Non Standard Ports - Delete Page

STEP 3

Select a Service Type.

STEP 4

Select a Port Number to delete.

STEP 5

Click Delete.


TSE Blacklisted Streams


The Configure - TSE Connection Table (Blacklisted Streams) page enables you to unblock IP
addresses blocked by filters. The Block action set provides an option for blocking IP addresses that
trigger the filter. Through this page, you can select and flush the blocked IPs.
When a filter with a Blacklist option triggers, the system installs two blocks: one for the flow (as is
normally done with Block actions) and another for the blacklisted IP address. You can review and flush
the blocked flows in the LSM on the Configure - TSE Connection Table (Blocked Streams) page. In
addition to installing the two blocks, the system enacts any further actions based on the action set,
such as notifications. If the filter action set is set to a specific segment, the IP address is blocked only on
that segment and not on the entire IPS.
Blacklisted IP addresses remain in effect for 3 minutes or until flushed. Blocked flows remain in effect
for 1800 seconds or until flushed.
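The following is an added example, not code from this guide or from TippingPoint, that models in Python the connection-table behaviour described in the TNHA Configuration, TSE General Configuration, TSE Blocked Streams and TSE Blacklisted Streams sections: a blocked stream is keyed by its 5-tuple and segment and expires after the connection table timeout (30 to 1800 seconds); a filter with the Blacklist option installs a second block on the IP address that lasts 3 minutes and can be limited to one segment; 0 and 0.0.0.0 act as wildcards in a search; and new blocks, Flush All and Flush Selected are mirrored to the TNHA partner while the timeout itself is not. The class names, the partner link, the sample addresses and the assumption that the blacklist block applies to the stream's source address are the example's own.

```python
# Added example (not TippingPoint code): a model of the TSE connection table
# with blocked streams, blacklisted IPs, wildcard search, flushing and TNHA
# propagation. Timeouts and wildcard values follow the guide; the class
# names, the partner link and the choice of the source address as the
# blacklisted IP are assumptions.
from dataclasses import dataclass

ANY_ADDR = "0.0.0.0"
ANY_PORT = 0
BLOCKED_FLOW_TIMEOUT = 1800  # seconds (guide: blocked flows remain 1800 s)
BLACKLIST_TIMEOUT = 180      # seconds (guide: blacklisted IPs remain 3 minutes)


@dataclass(frozen=True)
class Flow:
    proto: str     # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    segment: str   # e.g. "1A"


class ConnectionTable:
    def __init__(self, name, timeout=BLOCKED_FLOW_TIMEOUT):
        if not 30 <= timeout <= 1800:  # guide: Connection Table Timeout is 30-1800 s
            raise ValueError("timeout must be 30-1800 seconds")
        self.name = name
        self.timeout = timeout
        self.partner = None   # TNHA partner; each side must point at the other
        self.blocked = {}     # Flow -> (expires_at, reason)
        self.blacklist = {}   # (ip, segment or None) -> (expires_at, reason)

    def block_flow(self, flow, now, reason, blacklist=False, segment_only=False):
        """Install a block for the flow and, with the Blacklist option, for its source IP."""
        self.blocked[flow] = (now + self.timeout, reason)
        if blacklist:
            scope = flow.segment if segment_only else None
            self.blacklist[(flow.src, scope)] = (now + BLACKLIST_TIMEOUT, reason)
        if self.partner is not None:
            # TNHA sends blocked flows to the partner as they are added; the
            # partner applies its own timeout because the timeout is not propagated.
            self.partner._partner_block(flow, now, reason)

    def _partner_block(self, flow, now, reason):
        self.blocked[flow] = (now + self.timeout, reason)

    def expire(self, now):
        self.blocked = {f: v for f, v in self.blocked.items() if v[0] > now}
        self.blacklist = {k: v for k, v in self.blacklist.items() if v[0] > now}

    def is_blocked(self, flow, now):
        """True if the flow itself, or its source IP (globally or on its segment), is blocked."""
        self.expire(now)
        if flow in self.blocked:
            return True
        return (flow.src, None) in self.blacklist or (flow.src, flow.segment) in self.blacklist

    def search(self, proto="All", src=ANY_ADDR, sport=ANY_PORT, dst=ANY_ADDR, dport=ANY_PORT):
        """Search blocked streams; All, 0 and 0.0.0.0 match any value."""
        return [f for f in self.blocked
                if proto in ("All", f.proto)
                and src in (ANY_ADDR, f.src) and sport in (ANY_PORT, f.sport)
                and dst in (ANY_ADDR, f.dst) and dport in (ANY_PORT, f.dport)]

    def flush_all(self, _from_partner=False):
        """Flush All: removes every blocked stream, shown or not, on both partners."""
        self.blocked.clear()
        if self.partner is not None and not _from_partner:
            self.partner.flush_all(_from_partner=True)

    def flush_selected(self, flows, _from_partner=False):
        """Flush Selected: removes only the chosen streams, on both partners."""
        for f in flows:
            self.blocked.pop(f, None)
        if self.partner is not None and not _from_partner:
            self.partner.flush_selected(flows, _from_partner=True)


def pair(a, b):
    """Point two tables at each other, as TNHA requires of both devices."""
    a.partner, b.partner = b, a
```

In the walk-through a flow blocked on one device with a segment-scoped blacklist appears in the partner's blocked list, a second flow from the same address is refused on that segment only on the originating device (the blacklist entry is not among the data TNHA sends), the address block lapses after 180 seconds while the flow block lasts until the timeout, and a flush on either side empties both tables.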
The following is the Configure - TSE Connection Table (Blacklisted Streams) page:
Figure 5 - 22: Configure - TSE Connection Table (Blacklisted Streams) Page

This page has the following settings:

Table 5 - 16: Blacklisted Streams Details
Column               Definition
Source Address       The source IP address blocked by a filter
Destination Address  The destination IP address blocked by a filter
Segment/Port         The segment and port blocking the IP address
Reason               Lists the filter that blocked the IP address

See the following:


Search Blacklisted Streams on page 171
Flush All Blacklisted Streams on page 171
Flush Selected Blacklisted Streams on page 171


Search Blacklisted Streams


STEP 1

On the Configure page, select the Open > TSE Config > Blacklisted Streams menu
item. The Configure - TSE Connection Table (Blacklisted Streams) page displays.

STEP 2

Enter search criteria for any of the following:

Source Address: The source IP address
Source Port: The source IP port
Entering 0 or 0.0.0.0 in the fields you do not want to specify allows you to search on any
of the 4 fields (combination or single). These values act as a wildcard meaning any.

STEP 3

Click Search. To reset the search, click Reset.

Flush All Blacklisted Streams


STEP 1

On the Configure page, select the Open > TSE Config > Blacklisted Streams menu
item. The Configure - TSE Connection Table (Blacklisted Streams) page displays.

STEP 2

Scroll to the bottom of the page.

STEP 3

Click Flush All.


Note: When you use the Flush All option, you remove all blacklisted streams,
including entries not displayed.

Flush Selected Blacklisted Streams


STEP 1

On the Configure page, select the Open > TSE Config > Blacklisted Streams menu
item. The Configure - TSE Connection Table (Blacklisted Streams) page displays.

STEP 2

Select the blacklisted streams you want to remove by checking the check box next to each listed
entry in the table.

STEP 3

Scroll to the bottom of the page.

STEP 4

Click Flush Selected.


Note: When you use the Flush Selected option, you remove only the
blacklisted streams you selected.


Monitor
Monitor describes the hardware monitoring features of the LSM and how you can view hardware
status, set thresholds, and view the hardware fault log. It includes sections on the health of your
device(s), ports, and Intrinsic Network High Availability (HA).

Overview
The Monitor page enables you to see the status of your IPS hardware and define the thresholds that
configure how hardware status is displayed. You can monitor the usage of disk space and memory, the
system log, triggered events, and the health of the IPS device. The information detailed on the Monitor
page is also displayed in the System Stats sidebar of the entire page. This pane gives a quick view of the
state of the system, device, and traffic.
Through this page, you can also perform and manage discovery scans of your network. These scans
examine your network and determine if your network is vulnerable to exploits. You can create
scheduled scans or perform manual scans as needed.
The Monitor page provides greater details on the following:

Devices
Modules, including the Multi-Zone Defense modules
Intrinsic Network HA
Discovery scans

Monitor includes the following topics:

Monitor Page on page 174


Device Health on page 175
Monitor Preferences on page 183
Discovery Scans on page 185


Monitor Page
The Monitor page provides the information and status of devices on the network. These components
include the health of devices, modules, and the Intrinsic Network High Availability (HA).
The Monitor - Device Health page displays as default:
Figure 6 - 1: Monitor Page

You can do the following on this page:

Review the status and health of ports, segments, modules, and the Intrinsic Network HA
Run and view the Performance Wizard
Set preferences for monitoring the system
You can access the different types of monitor options by selecting the Open and Edit menus. A
drop-down menu displays, listing the options for the page. The menu options may change depending on the
menu option you select. The instructions in this chapter indicate when to navigate through the
drop-down menu options.


Device Health
The health, or current status, of the IPS device indicates how it is functioning on the network. You can
review the health of the device through the Monitor- Device Health page. It displays the current state
of the chassis components and modules installed in your UnityOne IPS device.
Device Health includes the following:

Device Health
Performance/Throughput
Module Health
High Availability
Multi-Zone Defense
Intrinsic Network HA Health

To view the page, click the Monitor tab on the Launch Bar. The Monitor - Device Health page
displays, listing the device, module, and Intrinsic Network HA status.

Device Health
The Device Health section of the Monitor - Device Health page displays the current status of a variety
of chassis components, including power modules, fans, temperature, and memory and disk space
usage.
Table 6 - 1: Device Health
Column      Description
Component   The component or resource being monitored. These components include the following:
            Memory
            Performance (you can click this link to see Performance/Throughput information)
            The following display for 200/400/1200/2400/5000E:
            Disk/boot
            Disk/log
            Disk/usr
            Disk/opt
            The following displays for 50/100E:
            Disk/usb0
State       The current operating status of the component or resource being monitored. The state
            can be one of the following:
            Active: The device is active without errors
            Active with Faults: The device is active but has errors
            Stand-by: The device is waiting for traffic or usage in a stand-by mode
            Out-of-service: The device is not working or disabled
            Diagnostic: The device is running a diagnostic
Graph       A representation of the current status of the component or resource being monitored.
            The graph watermarks the performance across segments. This watermark displays in
            light blue, whereas the actual segment performance is shown in dark blue. Some
            segments display only light blue.
Details     Any additional information, such as a specific statistic

Tip: To reduce disk usage:


Reset logs using Print Alert Log Entries, Reset the Block Log, Print Log Entries, Reset the
Audit Log or you can use the CLI command clear log. The clear log command will clear all
log entries from all log files.
Delete old boot images using Delete Old Versions from Previous Versions Window
Delete old scan data using Delete Scan Results
You can set the thresholds for these components through the preferences page. See Monitor
Preferences.

Memory Usage
The Memory Usage statistic displays usage averaged over the last refresh period. These values fluctuate
fairly frequently. If Memory Usage percentages seem consistently high, check your log for Memory
Fault messages.
Note: If IPS Health is consistently showing yellow or red warnings about Disk or
Memory Usage, but the log does not show any hardware fault messages, your
usage is spiking, but is not remaining consistently high.
If Memory Usage percentages are consistently high, it could mean that you need to adjust some filter
settings. Filters that require notification actions require more resources than filters that do not require
notification, but this difference only comes into play when network traffic matches or nearly matches
these filters.
Tip: To reduce memory and disk usage, use the LSM to make the following filter
adjustments:

Reduce the number of filters that use alerts
Increase aggregation periods for action sets that include alerts
Use more global filters and fewer segment-specific filters
Deactivate filters that do not apply to your network (for example, IIS filters are not relevant
if you only have Apache servers).

Performance/Throughput
The Performance/Throughput section of the Monitor- Device Health page displays the current
performance of the system and status of the UnityOne segments.
Table 6 - 2: Performance/Throughput
Column      Description
Component   The component or resource being monitored. These components include the following:
            Performance (you can click this link to run the Performance Wizard)
            Segments (displays a number of segments according to the UnityOne model)
State       The current operating status of the component or resource being monitored. The state
            can be one of the following:
            Active: The device is active without errors
            Active with Faults: The device is active but has errors
            Stand-by: The device is waiting for traffic or usage in a stand-by mode
            Out-of-service: The device is not working or disabled
            Diagnostic: The device is running a diagnostic
Graph       A representation of the current status of the component or resource being monitored
Details     Any additional information, such as a specific statistic

On the Monitor - Device Health page, you can click the segment links in the Performance/Throughput
section. The Configure - Segment Config page displays. See Segment Configuration on page 137.
On the Monitor - Device Health page, you can click the Performance link to display information and
settings for the performance of the system. This page also displays when you click the Performance link in
the System Stats pane. This link loads a Monitor - Performance page that runs a performance wizard.
The wizard runs, determining the performance of your current configuration of the device. If the
wizard diagnoses the IPS as having minor or major congestion problems, the Performance Wizard
attempts to evaluate the device and provide suggestions to alleviate the load. If any of the Performance
Wizard tests indicate an issue, the LSM displays applicable improvements. Each suggestion may be
enabled or disabled with a check box.


The following Monitor - Performance page displays:


Figure 6 - 2: Monitor - Performance Page - Filter Settings

The Performance Wizard details the following, depending on its results:

Disable Permit Action Set Filters: Filters using the Permit action set allow traffic through the
IPS, using resources for the transfer. To increase performance, you can click Disable to disable all
filters with this setting.
Set Filters to Recommended Settings: The Recommended Action Set provides particular
settings per filter for enhanced performance and optimization. To increase performance, you can
click Set Recommended to reset filters to their Recommended Action Set.
Disable Misuse and Abuse Filters: Misuse and Abuse filters can hamper performance if many
are enabled. The Recommended setting for these filters is disabled. To increase performance, you can
click Disable to disable all Misuse and Abuse filters.
Disable Packet Trace: Due to the amount of processing that packet trace consumes, the
Performance Wizard tests for packet trace enabled on any filter. This option allows you to turn packet
trace off for each affected filter.
If the IPS experiences congestion while close to maximizing the throughput, the wizard advises an
update to the TOS hardware. The following Monitor - Performance page displays:
Figure 6 - 3: Monitor - Performance Page - Upgrade TOS

Further suggestions are only presented to the user if the device experiences congestion while
significantly below the maximum throughput, indicating that filter configuration settings may cause the
loss of performance. The wizard displays the filter that may cause the congestion, allowing you to make
modifications to the configuration. The following Monitor - Performance page displays:
Figure 6 - 4: Monitor - Performance Page - Configuration

Module Health
The Module Health section of the Monitor- Device Health page displays the current status of the
modules, such as Multi-zone Defense (MZD) modules, that you can install in the UnityOne IPS.
Table 6 - 3: Module Health
Column          Description
Slot            Indicates the slot used by the module. The number and description of slots differs
                according to UnityOne model.
Module          A brief description of the type of module. Possible values:
                Management Processor: The central processing and control system for the
                UnityOne system. When you click the link, it displays the Configure - Management
                Port page. See Management Port Configuration on page 142.
                Threat Suppression Engine: The core of the IPS is the Threat Suppression Engine
                (TSE). The TSE provides full threat detection and suppression at speeds up to 2.0
                gigabits per second (Gbps). It receives data from the Multi-Zone Defense (MZD)
                module, performs deep packet inspection on the data, and redirects the data back to
                the MZD module if necessary. When you click the link, it displays the Configure - TSE
                General Config page. See TSE Configuration on page 159.
                Multi-Zone Defense Module: An interface card that supports up to ten Gigabit
                Ethernet ports over copper or fiber. When you click the link, it displays the Monitor -
                Port Health page. See Multi-Zone Defense on page 181.
Configuration   A one-word description of the configuration of the module. Possible values:
                Simplex: A communications channel that can carry a signal in one direction
                Duplex: A communications channel that can carry signals in both directions
Module State    A description of the current operation state of the module. Possible values:
                Active: The module is active without errors
                Active with Faults: The module is active but has errors
                Stand-by: The module is waiting for traffic or usage in a stand-by mode
                Out-of-service: The module is not working or disabled
                Diagnostic: The module is running a diagnostic
Qualifier-1     A description of any reasons for an other-than-active state of the module
Qualifier-2     Additional description of any reasons for an other-than-active state of the module
Port State      A description of the current port state. Possible values:
                Active: The port is active normally without errors
                Active with Faults: The port is active with errors
                Not Initialized: The port is not out of service but the UnityOne has not initialized
                the hardware
                Stand-by: The port is waiting for traffic or usage in a stand-by mode
                Out-of-service: The port is not working or disabled due to errors
                Diagnostic: The port is running a system check diagnostic application or being
                repaired
                N/A: Not available
Intrinsic       Current operational state of the intrinsic network high availability. Possible values:
Network HA      Normal
                Layer-2 Fallback
                For any state other than Normal, a cause description is displayed.

High Availability
The High Availability section of the Monitor - Device Health page displays the current status of the
Intrinsic and Transparent Network High Availability for the IPS.
Table 6 - 4: Module Health

Column          Description

Intrinsic Network HA
    Current operational state of the intrinsic network high availability. Possible values:
    - Normal
    - Layer-2 Fallback
    For any state other than Normal, a cause description is displayed.

Transparent HA
    Current operational state of the transparent network high availability. Possible values:
    - Enabled
    - Not Enabled


Multi-Zone Defense
From the Module Health table, you can select the Multi-Zone Defense Module link to manage the
module's ports. The Monitor - Port Health page displays.
Figure 6 - 5: Monitor - Port Health Page

This page displays the following information:

Table 6 - 5: Module Health

Column          Description

Port
    The number of the port on the device

Speed
    The speed of the port

Duplex
    Indicates if the port is set to full or half for duplex

Configuration
    A one-word description of the configuration of the module. Possible values:
    - Simplex: A communications channel that can carry a signal in one direction
    - Duplex: A communications channel that can carry signals in both directions

Module State
    A description of the current operation state of the module. Possible values:
    - Active: The module is active without errors
    - Active with Faults: The module is active but has errors
    - Stand-by: The module is waiting for traffic or usage in a stand-by mode
    - Out-of-service: The module is not working or disabled
    - Diagnostic: The module is running a diagnostic

Qualifier-1
    A description of any reasons for an other-than-active state of the module

Qualifier-2
    Additional description of any reasons for an other-than-active state of the module

Media
    The type of media of the port, such as copper or fiber

Type
    The type of the port, such as Ethernet


Intrinsic Network HA Health
Intrinsic Network High Availability (INHA) is the ability of multiple LSM applications and their IPS
devices to see and direct the flow of network traffic between devices and their ports. When traffic flows
through the ports of a device, one port may have an issue occur causing an interruption in traffic. The
port then transfers the traffic flow to the other available port or device accordingly.
Through the INHA, the system routes network traffic by signalling one device, its port, and its LSM of
the IP address, connection table, and flow information. The target port, device, and LSM then build
the information from scratch, to handle network traffic for optimum usage. It transfers the TCP flow
when fail-overs occur.
The following types of network states are available:
- Active - Passive: Box A is active. Box B is waiting in stand-by. When Box A recognizes a network
  flow, it notifies Box B to update its connection table data.
- Active - Active: Box A and Box B are both active and recognize the flow. They update their
  connection table data actively.
The Monitor - Device Health page displays the current status and description of the INHA.
When you click the Intrinsic HA link, the Configure - High Availability page displays. For
configuration details on INHA, see Network High Availability on page 155 and INHA
Configuration on page 157.

Transparent Network HA
Transparent Network HA (TNHA) performs the same service as the INHA; however, it differs by
constantly updating devices of the TCP flow information. For these networks and devices, the fail-over
port/device does not have to rebuild the connection tables based on the information sent from the
failing port/device. It periodically receives information from an XSL to update its connection table
settings.
Once updated, this type of network HA quickly transfers fail-over traffic without having to rebuild the
settings. Network traffic and flow transfer without lag in performance or time. Network users continue
use of their services and resources without experiencing a lack of response time or slow loading and
refreshing issues.
The Monitor - Device Health page displays the current status and description of the TNHA.
When you click the Transparent HA link, the Configure - High Availability page displays. For
configuration details on TNHA, see TNHA Configuration on page 158.


Monitor Preferences
The Monitor - Preferences page enables you to set the thresholds at which the IPS shows hardware
statistics as an error condition. There are two types of threshold that you can set: Major Level and
Critical Level. These terms are explained in the following paragraphs. In general, the default settings
configured on the LSM should be appropriate for normal use.
You can set threshold values for the following:
- Disk Usage Statistics: The usage of disk space according to feature
- Memory Usage: The usage of system memory
These settings indicate the major and critical level limits that actively change the health, or status, of
the device on the Monitor page. You can set new limits for each device setting, or you can return the
system to its default settings.
The threshold values include the following:
- Major Levels
- Critical Levels
You can also set the Discovery Aging setting for discovery scans. Discovery data aging enables you to
set a scan data aging period. This aging period is used to determine whether scan data is new enough
to be used when assigning importance to an alert. If scan data is new enough, it is used to weight
alerts.
For example, a scan may show that the host corp-fiscal-22 uses only the Apache web server. Therefore,
if the Threat Suppression Engine (TSE) senses an exploit that targets Microsoft's IIS aimed at
corp-fiscal-22, it assigns a lower priority to the alert it generates.
Once scan data is considered stale, the TSE uses the default importance of an alert trigger. For example,
if the aging period is set to one week, and the last scan of corp-fiscal-22 was performed two weeks ago,
someone might have installed new software in the intervening time. Therefore, the TSE does not
de-emphasize the importance of an alert based on stale scan data.
This weighting system helps to reduce false attack alerts caused by irrelevant attacks such as IIS
exploits aimed at Apache web servers or a Linux exploit aimed at a Microsoft host.


The Monitor - Preferences page displays as the following:

Figure 6 - 6: Monitor - Preferences Page

You can do the following for monitor preferences:
- Set Monitor Preferences on page 184
- Reset Monitor Preferences on page 185

Major Levels
The major level is the medium range of the threshold. When a system reaches this level of usage, it is
considered important to manage before it reaches a critical point. You should set Major Levels to give
you time to react to a problem before it becomes a crisis. For example, you should set the temperature
Major threshold higher than the normal operating temperature range, but low enough so that you
receive a warning before hardware damage may occur.

Critical Levels
The critical level is the highest level of the threshold. When a system reaches critical usage, hardware
damage is imminent. You should set Critical Levels to warn you before damage is about to occur. For
example, you should set the temperature Critical threshold at the outside edge of safe operating
temperatures.
Set Monitor Preferences
STEP 1  On the Monitor page, select the Edit > Preferences menu item. The Monitor - Preferences page
        displays.
STEP 2  Do the following for Thresholds:
    STEP A  For Disk Usage Threshold, enter a numeric value for the Major Levels and the
            Critical Levels. The major level value must be set lower than the critical level value.
    STEP B  For Memory Usage Threshold, enter a numeric value for the Major Levels and the
            Critical Levels. The major level value must be set lower than the critical level value.
STEP 3  For Discovery Aging, enter a number of days in the Discovery Data Valid for field.
        Note: For the Data Aging period, you can enter either a whole number (0 - 4000)
        or a number with a single place decimal indicating partial days (1.5 for 1 and a
        half days). Decimal values less than one must start with a zero (0). Entering 0
        disables Discovery Aging.
STEP 4  Click Save.
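The two rules the procedure above relies on, that the major level must stay below the critical level and that the Discovery Data Valid for value is a whole number or a single-decimal number of days with 0 disabling aging, together with the alert-weighting behaviour described under Monitor Preferences (fresh scan data lowers the importance of an alert aimed at a service the host does not run; stale data leaves the trigger's default importance untouched), are shown here as an added example. This is not code from the guide or from TippingPoint; the importance scale, the one-level reduction, the percentage bound on thresholds, the treatment of 0 as "scan data never goes stale", and the host data are assumptions constructed for illustration.

```python
# Added example (not part of the LSM guide): validates the Monitor - Preferences
# values and applies the Discovery Aging rule when weighting an alert.
# Field names, the importance scale and the one-level reduction are assumptions.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

AGING_MAX_DAYS = 4000
# Whole number 0-4000, or a number with a single decimal place; values below one
# must start with a zero (e.g. "0.5"), as the note in STEP 3 requires.
_AGING_RE = re.compile(r"^(0|[1-9][0-9]*)(\.[0-9])?$")


def parse_aging_days(text: str) -> Optional[float]:
    """Return the Discovery Data Valid for value in days, or None if invalid.
    A value of 0 disables Discovery Aging."""
    if not _AGING_RE.match(text.strip()):
        return None
    days = float(text)
    return days if days <= AGING_MAX_DAYS else None


def thresholds_valid(major: float, critical: float) -> bool:
    """Major Level must be lower than Critical Level (STEP 2 A and B).
    Assumption: both are percentages of disk or memory usage."""
    return 0 <= major < critical <= 100


@dataclass(frozen=True)
class HostScan:
    """Constructed discovery result for one host."""
    ip: str
    services: FrozenSet[str]   # service names sensed by the scan, e.g. {"apache"}
    scanned_at: datetime


# Constructed sample data: a fixed "now" and a scan of corp-fiscal-22 that found
# only Apache, taken a given number of days ago.
SAMPLE_NOW = datetime(2005, 3, 5, 12, 0)


def constructed_scan(days_old: int) -> HostScan:
    return HostScan("10.0.1.22", frozenset({"apache"}),
                    SAMPLE_NOW - timedelta(days=days_old))


def alert_importance(default: int, targeted_service: str,
                     scan: Optional[HostScan], aging_days: float,
                     now: datetime) -> int:
    """Importance of an alert after weighting it with discovery scan data.

    Scan data is used only while it is newer than the aging period; stale data
    (or no data) leaves the trigger's default importance untouched. Assumptions:
    an aging period of 0 (aging disabled) means scan data never goes stale, and
    a fresh scan showing the targeted service is absent lowers importance by one.
    """
    if scan is None:
        return default
    if aging_days > 0 and now - scan.scanned_at > timedelta(days=aging_days):
        return default                      # stale scan: do not de-emphasize
    if targeted_service not in scan.services:
        return max(default - 1, 0)          # e.g. IIS exploit aimed at an Apache host
    return default


if __name__ == "__main__":
    fiscal = constructed_scan(days_old=3)
    print(alert_importance(3, "iis", fiscal, 7.0, SAMPLE_NOW))   # 2: fresh, IIS absent
    print(alert_importance(3, "iis", fiscal, 1.0, SAMPLE_NOW))   # 3: scan is stale
```

The regular expression is the whole input check: it rejects a leading decimal point (".5"), more than one decimal digit, and leading zeros, so the page's format rule is enforced before the value is ever compared against the 4000-day ceiling.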

Reset Monitor Preferences
STEP 1  On the Monitor page, select the Edit > Preferences menu item. The Monitor - Preferences page
        displays.
STEP 2  Click the (reset to defaults) link to reset the default settings.
STEP 3  Click Save.

Discovery Scans
Through the Monitor page, you can perform and manage discovery scans, which enable you to
examine your network as it is currently configured. Through the discovery features, you can also
determine if your network is vulnerable to exploits. Discovery scans can be created and performed
manually or set ahead of time. Preset scans are scheduled scans, set to run against a segment or set of
IP addresses at specific intervals and times.
You can enact various scans and watch their progress and completion through an activity page. You can
stop and restart scans as needed. Before you can run discovery scans on your device, you must
configure the IPS device to accept these types of scans.
You can do the following actions for discovery scans:
- Discover Page on page 186
- Preparing for Scans on page 186
- Performing Scans on page 187
- Schedule Scans on page 191
- Monitor Preferences on page 183 (edit Discovery Aging setting)

The Discovery pages provide icons next to each entry displaying the available functions.


Discover Page
When you access the Discover page, the Discover - Discovered Hosts page displays as default. The
following is the Discover page:
Figure 6 - 7: Discover Page

This page has icons in the Function column indicating the available options:
Table 6 - 6: Function Icons

Icon    Function     Description

        Rescan       Click the Rescan icon to rescan a single host. You can only rescan hosts
                     previously scanned.

        Stop Scan    Click the Stop Scan icon to stop a scan that is in progress.

You can do the following on this page:
- Scan a segment for vulnerable sections
- Review discovered hosts
- Manage scans and scan results
- Schedule discovery scans for the network and segments on a daily, weekly, and monthly basis

You can access the different options for discovering hosts and running scans by selecting the Open and
Edit menus. A drop-down menu displays listing the options for the page. The menu options may
change depending on the menu option you select. The instructions in this chapter indicate when to
navigate through the drop-down menu options.

Preparing for Scans
Before scanning a segment, you must configure that segment to enable scans. Discovery requires an IP
address and routing information to perform a scan. You can enable scanning on only one port of a
segment when that is appropriate. You should not scan the managing subnet. The VNAM port
containing the routes to the management plane will cause a loss of connection.
For example, if Port A is connected to the Internet, and Port B is connected to your Accounting subnet,
you can disable scanning on Port A, and enable scanning on Port B, because you won't want to scan the
Internet for vulnerabilities, but you will want to scan your accounting subnet for vulnerabilities.
Prepare a Segment for Scanning
STEP 1  Click Configure on the Launch Bar.
STEP 2  On the Configure page, click on the segment to be configured.
STEP 3  In the segment information, do the following:
    STEP A  Enter a Segment Name.
    STEP B  Enter a Discovery IP Address.
    STEP C  Enter a Discovery Subnet Mask.
        WARNING: You should not scan the managing subnet. The VNAM port containing
        the routes to the management plane will cause a loss of connection.
STEP 4  In each port section, do the following:
    STEP A  Click the Enabled check box for Discovery. This setting enables Discovery scans to
            run through the port.
    STEP B  Enter the Destination Network, Gateway, and Mask and click the add to table
            below button for each port (A / B) that you want to enable for scanning.
        Note: You only need to enter routing options for a port if you are going to run
        discovery on a subnet outside of the subnet on which the discovery IP address is
        located.
STEP 5  Click Save.

Performing Scans
A scan searches your network for hosts and services on those hosts that might be vulnerable to attack.
A scan usually takes approximately fifteen seconds per host, but may take as long as two minutes on
some hosts.
Note: Some operating systems purposely slow the rate of scan returns to make it
difficult for malicious parties to gain system information. To prevent such systems
from impeding scan efficiency, individual host scans time out after two minutes. If
the scan of a particular host times out, no information about that host will be
returned.


When you perform scans, you can also edit the Discovery Data Aging setting on the Monitor - Preferences
page. See Monitor Preferences on page 183.
As each host scan is completed, the results display on the Discover - Discovered Hosts page:
Figure 6 - 8: Discover - Discovered Hosts Page

Scan results consist of the following types of information:

Table 6 - 7: Scan Results

Column            Description
Host              IP address of the scanned host
Segment           Segment on which the scanned host was sensed
Host OS           Operating system of the scanned host
Services          Number of active services sensed on the scanned host
Last Scan/Modify  Last time the host was scanned or host information was modified

Note: The scanner attempts to sense the host operating system based on its lists
of known operating systems. If it cannot make an exact determination, it makes a
best guess. If this guess is not accurate, you can Perform a Manual Scan to
correct the information.
If you wish to see the ports and services the scanner sensed, you can View Scan Details.
Note: You can only start a discovery scan if you have at least one discovery port
enabled. See Prepare a Segment for Scanning for more information. Also, you will
not be able to perform a scan from the LSM if the device is under control of the
SMS.
WARNING: You should not scan the managing subnet. The VNAM port containing
the routes to the management plane will cause a loss of connection.


You can do the following:
- Preparing for Scans
- Schedule Scans
- Monitor Preferences

Perform a Manual Scan
STEP 1  On the Monitor page, select the Edit > Start Scan menu item. The Discover - Manual
        Scan page displays.

Figure 6 - 9: Discover - Manual Scan Page

STEP 2  Select the Number of ports to scan: 1,024 or 65,536.
STEP 3  Select one of the following:
        - Choose the Segment to scan and the appropriate port(s).
        OR
        - Enter an IP Address or range. If you specify a range, it can be in any one of the following
          formats:
          123.123.123.123
          123.123.123.*
          123.123.123.0-15
STEP 4  Click Scan.

Check Scan Progress
STEP 1  On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
        Activity page displays.
STEP 2  Review the listed scans. These include in-progress, pending, and completed scans.
        Note: You cannot delete a scan from this page.


Stop a Scan in Progress
STEP 1  On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
        Activity page displays.
STEP 2  The Scan Activity page displays the in-progress, pending, and completed scans.
STEP 3  Click the Stop Scan icon in the Functions column corresponding to the scan you would like to
        stop.

View Scan Details
STEP 1  On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
        Activity page displays.
STEP 2  Locate the scan you would like to review.
STEP 3  Click the IP address of the host's Scan Results you would like to review.

The Discovery Details/Edit page displays the IP address of the host, the last day and time a scan was
performed, and what services were discovered on what ports.

Rescan a Single Host
STEP 1  On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
        Activity page displays.
STEP 2  Locate the scan you would like to rescan.
STEP 3  Click the Rescan icon (magnifying glass) in the Functions column.

Edit Scan Details
STEP 1  On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
        Activity page displays.
STEP 2  Click the IP address of the host's Scan Results you would like to edit.
STEP 3  Click the specify OS check box if you want to change the operating system determination
        made by the discovery scanner.
    STEP A  Select the OS Group from the Please Select OS Group drop-down menu:
            Computers, Network Devices, Peripheral Devices.
    STEP B  Select more specific categories of the selected OS Group from the two drop-down
            menus.
STEP 4  Change the text listing for any services you want to edit.
STEP 5  Click Save.


Delete Scan Results
STEP 1  On the Monitor page, select the Open > Scan Activity menu item. The Discover - Scan
        Activity page displays.
STEP 2  Locate the scan results you want to delete.
STEP 3  Click the check box(es) next to the scan result(s).
STEP 4  Click the (delete) link.

Schedule Scans
You can also schedule scans on the Discovery page. You may want a scan to run during a specific time
on selected ports and segments. You can only run scheduled scans on ports and segments set to accept
discovery scans.
Note: Prior to scheduling a scan, you must prepare a segment for discovery
scans. See Preparing for Scans.

When you schedule a scan, you set scan settings according to the following:
- Frequency: When the scan performs: weekly, hourly, or daily
- Segment: The segment and its ports to scan
- IP Address: The IP or range of IP addresses to scan

You can do the following:
- Schedule a Scan
- View Scheduled Scans

Schedule a Scan
STEP 1  On the Monitor page, select the Open > Schedule Scan menu item. The Discover - Schedule
        Scan page displays.
STEP 2  In the When to Scan section, do the following:
    STEP A  Select a scan Frequency from the drop-down list.
    STEP B  Select a start day from the Start scan every drop-down menu.
    STEP C  Select the hour and minute for the scan from the time drop-down menus.
STEP 3  In the What to Scan section, select the Number of ports to scan: 1,024 or 65,536.
STEP 4  Choose one of the following:
        - The Segment to scan and the appropriate port(s).
        OR
        - Enter an IP Address or range. If you specify a range, it can be in any one of the following
          formats:
          123.123.123.123
          123.123.123.*
          123.123.123.0-15
        WARNING: You should not scan the managing subnet. The VNAM port containing
        the routes to the management plane will cause a loss of connection.
STEP 5  Click the add to table below button.
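The three target formats accepted by Perform a Manual Scan and Schedule a Scan (a single address, a wildcard last octet, and a last-octet range), together with the repeated WARNING not to scan the managing subnet, are shown here as an added example of how a target string expands and how the management-subnet check can be applied before a scan is submitted. This is not code from the guide or from the LSM itself; the management subnet and the target strings are constructed samples, and the refusal to scan anything that touches that subnet is the check a practitioner would add, not documented LSM behaviour.

```python
# Added example (not part of the LSM guide): expands a Discover scan target in
# one of the three documented formats and refuses targets that fall inside the
# management subnet. The subnet and target values below are constructed samples.
import ipaddress
from typing import List


def expand_targets(spec: str) -> List[str]:
    """Expand a Discover target: a single address (123.123.123.123), a wildcard
    last octet (123.123.123.*) or a last-octet range (123.123.123.0-15).
    Raises ValueError for any other form."""
    spec = spec.strip()
    if "*" not in spec and "-" not in spec:
        # Single address; IPv4Address validates it and raises ValueError if malformed.
        return [str(ipaddress.IPv4Address(spec))]
    prefix, last = spec.rsplit(".", 1)
    ipaddress.IPv4Address(prefix + ".0")     # validates the first three octets
    if last == "*":
        lo, hi = 0, 255
    else:
        lo_text, hi_text = last.split("-", 1)
        lo, hi = int(lo_text), int(hi_text)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range in {spec!r}")
    return [f"{prefix}.{n}" for n in range(lo, hi + 1)]


def overlaps_management(spec: str, management_subnet: str) -> bool:
    """True if any expanded target lies in the management subnet (the WARNING above)."""
    net = ipaddress.IPv4Network(management_subnet, strict=False)
    return any(ipaddress.IPv4Address(t) in net for t in expand_targets(spec))


def safe_targets(spec: str, management_subnet: str) -> List[str]:
    """Targets to hand to the scanner; empty if the spec touches the management subnet,
    so a mistyped range cannot take the management connection down."""
    if overlaps_management(spec, management_subnet):
        return []
    return expand_targets(spec)


if __name__ == "__main__":
    MGMT = "10.0.1.0/24"                      # constructed management subnet
    print(safe_targets("10.0.2.0-3", MGMT))   # four accounting-subnet hosts
    print(safe_targets("10.0.1.*", MGMT))     # [] : would scan the management subnet
```

The check is deliberately all-or-nothing: a range that partly overlaps the management subnet is rejected whole rather than trimmed, which keeps the behaviour easy to reason about when the same spec is later pasted into a scheduled scan.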

View Scheduled Scans
STEP 1  On the Monitor page, select the Open > Schedule Scan menu item. The Discover - Schedule
        Scan page displays.
STEP 2  Review the lists of scans set for the LSM.


Update
Update is used to update the IPS embedded operating system (UnityOne) and the attack protection
filters that the IPS uses to prevent attacks. These updates are downloaded and installed from the
Threat Management Center.

Overview
TippingPoint is committed to providing the best means of protecting your network using the UnityOne
family of products. Therefore, the Threat Management Center (TMC) releases Software Updates and
Filter Updates for the LSM. These updates include new filters and settings to detect and manage new
threats on the internet and attacking servers.
The new filters are released as packages called Digital Vaccine. For more information, visit the TMC
website (https://tmc.tippingpoint.com).
Update includes the following topics:
- Update Page on page 194
- Threat Management Center on page 195
- Filter Updates on page 195
- Software Updates on page 196
- Software Rollbacks on page 200
- Deleting Previous Versions on page 202
- Device Snapshots on page 202


Update Page
The following is the Update page:
Figure 7 - 1: Update Page

You can do the following on this page:
- Download and install updates for the LSM
- Download and install new Digital Vaccine packages, adding new filters to the LSM
- Roll back to a previous software or Digital Vaccine package
- Remove old versions of the software and packages
- Create and manage device snapshots

You can access the different types of options by selecting the Open and Edit menus. A drop-down
menu displays listing the options for the page. The menu options may change depending on the
menu option you select. The instructions in this chapter indicate when to navigate through the
drop-down menu options.


Threat Management Center
The Threat Management Center (TMC) is TippingPoint's web-based location where you can download
the most recent attack protection filter and UnityOne files. The TMC develops filters to sense newly
discovered threats, and makes these filters available for download.
You can create a TMC account by visiting https://tmc.tippingpoint.com and registering. You will need
to know the serial number of one of your TippingPoint devices and your TippingPoint customer ID to
create a TMC login. If you do not know your TippingPoint customer ID, contact your TippingPoint
customer representative.

Filter Updates
When new types of attack are discovered, or when improved methods of sensing existing attacks are
developed, the Threat Management Center (TMC) creates and releases new filters to add to your filter
database. These filters are released as Digital Vaccine packages. The TMC sends notifications when you
can Download a Filter Update to your local workstation. Once you have downloaded the update, you
can Install a Filter Update on your UnityOne device. After it is installed, you can then enable a filter
category for each filter that applies to your network configuration.
You can do the following:
- Download a Filter Update
- Install a Filter Update
Note: You cannot roll back to a previous Digital Vaccine version. If you want to
use a previous version of a Digital Vaccine, select an older version of the Digital
Vaccine package from the TMC.

Download a Filter Update
STEP 1  On the Update page, click the Threat Management Center link or open another browser
        window to https://tmc.tippingpoint.com.
STEP 2  Log in to the TMC.
STEP 3  Click the Digital Vaccine link.
STEP 4  Find the update you want and click the More Info button.
        Note: You cannot roll back to a previous Digital Vaccine version. If you want to
        use a previous version of a Digital Vaccine, select an older version of the Digital
        Vaccine package from the TMC.
STEP 5  Click the Download Now link of the Digital Vaccine file.
STEP 6  Save the update file on your local hard disk.


You can then install the update through the Update page.
Install a Filter Update
STEP 1  First, download an update. See Download a Filter Update. Further instructions are also
        detailed on the Update page.
STEP 2  On the Update page, check the Update Status of the IPS. Read Step 2 in the Update - Main
        View window. If the status is not ready or OK, click the (reset status) link.
STEP 3  Check the line that says Make sure the file you downloaded is less than: <number> Mb.
        Read Step 3; it has information about the size of the download file. If the file is not
        smaller than the suggested size, Delete Old Versions from the Previous OS Versions window
        to free disk space for the update.
STEP 4  Check the High Priority Enabled check box (Step 4) if there is an immediate need for the
        update and it is during normal working hours.
        Note: This option provides the priority for downloading the package. The system
        does not give priority over attacks to installing the new package. A system under
        heavy attack trying to install the update would not give priority to the upgrade at
        that time.
STEP 5  Check the Layer-2 Fallback check box (Step 4) to enable the option during the installation.
STEP 6  In the Install Version field, enter the full pathname for the update file or click Browse to
        select the file on your local machine.
STEP 7  Click Install.

While the new file is loaded onto your IPS, the word Uploading appears in place of the Install button.
Once the transfer is complete, a progress bar displays an in-progress percentage for the install.
When the installation completes, you are returned to the Update - Main View page. The new version
displays in the Version column of the Current Installed Versions table.

Software Updates
When improvements or additions are made to the UnityOne system, TippingPoint releases a software
update on the TMC website (https://tmc.tippingpoint.com). You can download and install updates
from this site. Prior to installing the update, you should make sure to back up any filters created and
implemented using the Custom Shield Writer. The update will overwrite these files.
CAUTION: You must read the release notes posted with your IPS software update package
on the TMC. The release notes contain information that may make the difference between a
successful software update and an unsuccessful software update.


When you download and install an update, the LSM automatically updates the TippingPoint Operating
System (TOS) and flashes the FPGAs.
Note: UnityOne-50 and UnityOne-100E devices do not require or use FPGAs. The
update for this device does not include a flash of FPGAs.

When you perform an update of the software, the Update page displays a set of status messages. See
Update States on page 197 for details. The settings for your filter and system settings are persisted.
See Persistent Settings on page 200 for details.
You can do the following:
- Download a Software Update
- Install a Software Update

Persistent Settings
When you perform a software update, your current configuration and filter settings are persisted
forward.
Note: When you Install a Software Update, an archive copy of your current filter
settings will be saved. If you Perform a Software Rollback in the future, changes
made to your filter settings after the update will not be preserved.
During a graceful shutdown, as during an update or reboot (in the LSM or by command in the CLI),
Packet Trace data may not be automatically flushed to disk. To guarantee Packet Trace data is flushed to
disk, do the following:
- Click on any Packet Trace icon in the alert or block logs
- Click on the Packet Trace (TCPDUMP) icon
For more information on Packet Trace logs, see Packet Trace Log on page 120.

Update States
The LSM provides update status on the progress of the update. The messages have the form <Update
State>:<qualifier>. The <Update State> indicates the state of the update. The <qualifier> provides
information about the state. The following table details the messages that display on the LCD screen
during an update of the TOS:
Table 8: IPS Update States

Update State        Description
Ready               Device is ready for an update.
Updating            Device is in the process of updating.
UpdateCommitting    Device has rebooted and is processing the final update steps.
UpdateFailure       Device failed Update. The screen displays the reason.
Rollback            Device is in the process of rollback.
RollbackCommitting  Device has rebooted and is processing the final rollback steps.
RollbackFailure     Device failed Rollback. The screen displays the reason.
Failsafe            Device was unable to load a valid image and is running a scaled-back image.

If an error occurs, the information changes. The state displays as UpdateFailure:<state> where
<state> is one of the listed states in Table 8. The listed state displays a qualifier and message regarding
the state. The following table details the qualifiers and messages:
Table 9: IPS Update Failure Messages

Update Failure Qualifier
    Message

OK
    Normal operation, no errors

InvalidUpdateState
    Current action is restricted while device is in this state. Fix problem
    and reset Update State.

InvalidLocation
    Package file not found at that location.

RebootDuringUpdate
    Device was rebooted during update. Check system log for
    recommendations.

TarChecksumError
    Checksum error when extracting the archive: Corrupted package.

TarExractError
    File system error when extracting the archive.

ArchiveCreateFailure
    File system error creating rollback archive.

SystemError
    General error during update.

WrongPlatformType
    Package is for a different platform. Make sure you have the correct
    TippingPoint-supplied IPS package.

PackageReadError
    General error while reading package. Possibly truncated or
    corrupted package; download a new package from the TMC and retry the
    update.

WrongPackageType
    Package is of unknown type, not an OS or DV package. Make sure
    you have the correct TippingPoint-supplied IPS package.

NotEnoughFreeSpace
    Not enough available disk space. Remove older installed images.

UnsignedPackage
    Package does not have proper TippingPoint digital signature.

MemoryError
    Memory error when installing package. Reboot may be necessary.

BadCertificate
    Package does not have proper TippingPoint digital certificate.

DowngradeRevisionNotSupported
    Using update to install some older versions is not supported.

PackageOpenError
    Unable to open package. Make sure you have a correct TippingPoint-supplied IPS package.

CannotUpdateDVWhenTSEIsBusy
    Unable to update Threat Suppression Engine packages while the
    system is busy reloading filters. Retry operation at a later time.

Download a Software Update
STEP 1  Click the Update button on the LSM Launch Bar.
STEP 2  Click the Threat Management Center link or open another browser window to
        https://tmc.tippingpoint.com.
STEP 3  Log in to the TMC.
STEP 4  Click the Software Update link.
STEP 5  Find the update you want and click the More Info button.
STEP 6  Click the Download Now button of the IPS Software Images (UnityOne) file.
STEP 7  Save the update file on your local hard disk.

You can then install the update through the Update page.
Install a Software Update
STEP 1

Download a Software Update to your local hard disk.

STEP 2

On the Update page, check the Update Status of the IPS. Read Step 2 on the Update - Main
View page. If the status is not ready or OK, click the (reset status) link.

STEP 3

Check the line that says "Make sure the file you downloaded is less than: <number> Mb."
Read Step 3 on the Update - Main View page; it states the maximum size of the download file. If
the file is not smaller than the suggested size, follow Delete Old Versions from Previous OS Versions
Window to free disk space for the update.

STEP 4

Check the High Priority Enabled check box (Step 4) if there is an immediate need for the
update and it is during normal working hours.
Note: This option provides the priority for downloading the package. The system
does not give priority over attacks to installing the new package. A system under
heavy attack trying to install the update would not give priority to the upgrade at
that time.

STEP 5

Check the Layer-2 Fallback check box (Step 4) to enable the option during the installation.


STEP 6

In the Install version field, enter in the full pathname or click Browse to select the file on
your local hard disk.

STEP 7

Click Install.

The IPS installs the updated software image. This process takes between five and ten minutes while the
boot image and configuration files are replaced.
When the installation completes, the IPS performs a soft reboot. After the reboot, you can log back in
to the system.
Note: When you update the software, the FPGA files are flashed automatically by
the system. You do not need to perform additional steps to update your TOS.

Software Rollbacks
Occasionally, you may need to roll back the version of the software or filter package. A rollback
operation reverts the currently running software (TOS) or Digital Vaccine version on your UnityOne
device to a previous working version and deletes the currently installed version. The system rolls back
without losing your customized settings and configurations; when you recover your system, the default
values are used. However, not all functionality may be available, depending on the version of the TOS
you roll back to. For details, refer to the release notes for that version of the software.
CAUTION: If you perform a rollback, read the release notes for both the software version
you are rolling back from and the software version you are rolling back to. You may need to
flash the FPGA files for the IPS if you roll back to an older version of the TOS, such as going
from 1.4.2 to 1.4.1. Functionality may also differ from version to version.
If you roll back to an older version of the TOS, such as V 1.4.2 to V 1.4.1, an SMS running
the latest software cannot push profiles or Digital Vaccine packages to the device.
Note: When you update and roll back, the LSM does not lose your settings or
configurations.

When you perform a rollback of the software, the Update page displays a set of status messages. See
Update States on page 197 for details.

Persistent Settings
When you perform an operating system rollback, your current configuration settings are preserved,
but filter settings roll back to the settings that were in effect when the rollback version was archived.
Any changes to filter settings made after your target rollback version are deactivated, including attack
protection filter updates.
Note: When you update and roll back, you do not lose any of your settings or
configurations, with the exception of segment renaming and threshold settings.
Perform a Software Rollback
STEP 1

On the Update page, click the Rollback Icon beside the IPS OS Image listed under Current
Installed Versions. A confirmation message displays.

STEP 2

Click OK.

Figure 7 - 1: The Rollback Icon


The rollback icon indicates that there is at least one prior version of the UnityOne
software on the IPS.

The UnityOne device deletes the current operating system files and reinstalls the previous operating
system files. When the installation completes, it performs a soft reboot. After the IPS has rebooted, you
can log back into the LSM.
If you want to restore the operating system you rolled back from, you will need to reload it on your
UnityOne device using the Download a Software Update and the Install a Software Update instructions.
Note: A rollback can only revert to a software version that is currently stored on
your IPS. It will not automatically download a software image.


Deleting Previous Versions


After you have performed a few operating system or filter updates, you may want to delete the older
files on your system that you no longer need. If you delete these files, you cannot perform a rollback
procedure.
CAUTION: Unless you must free disk space, you should not delete the previous IPS OS
image that you were running. If your current IPS OS image should become corrupted, you
can roll back to the previous version as explained in Perform a Software Rollback.
Delete Old Versions from Previous OS Versions Window
STEP 1

On the Update page, review the list of previous versions and decide which is safe to delete.
The oldest of several files is typically the safest to delete.

STEP 2

Click the delete (trash can) icon in the Functions column next to the image or filter package
you would like to delete. A confirmation message displays.

STEP 3

Click OK.

Device Snapshots
You can create a snapshot of your device's settings through the Update page. You can create, manage,
and import local snapshots for your IPS device through the LSM. After restoring a snapshot, the device
will always restart.
WARNING: You can apply a single snapshot to multiple devices. However,
applying the snapshot to devices managed by an SMS can cause a device ID
conflict. Do not apply a snapshot to multiple devices when managed by SMS.
WARNING: Do not perform an Update of your software while running a snapshot.
The system may experience conflicts.

The following is the Update - System Snapshots page:


Figure 1: Update - System Snapshots Page


The System Snapshots page displays the following columns:

Table 8: System Snapshots Details

Column            Definition
Name              Name of the snapshot
Date              The date the snapshot was generated
Software Build    The build number for the TOS software running when the snapshot was generated
Digital Vaccine   The version number of the Digital Vaccine package running when the snapshot was generated
Functions         Icons representing functions to manage snapshots

You can do the following:

Create a Snapshot on page 203
Import a Snapshot on page 203
Restore a Snapshot on page 204
Export a Snapshot on page 204
Delete a Snapshot on page 204

Create a Snapshot
STEP 1

On the launch bar, click the Update tab. The Update page displays.

STEP 2

Select the Open > System Snapshots option. The Update - System Snapshots page displays.

STEP 3

Enter a name for the snapshot in Create snapshot.

STEP 4

Click Create.

Import a Snapshot
STEP 1

On the launch bar, click the Update tab. The Update page displays.

STEP 2

Select the Open > System Snapshots option. The Update - System Snapshots page displays.

STEP 3

For Import Snapshot, click Browse. Locate the file to import. The file location and name displays on the page.

STEP 4

Click Install. The selected snapshot uploads and displays in the list of snapshots.


Restore a Snapshot
STEP 1

On the launch bar, click the Update tab. The Update page displays.

STEP 2

Select the Open > System Snapshots option. The Update - System Snapshots page displays.

STEP 3

Locate the snapshot you want to restore.

STEP 4

In the Function(s) column, click the Restore button.


When you restore a snapshot, you replace all current settings with those from the snapshot. After
restoring a snapshot, the device will always restart.
WARNING: You can apply a single snapshot to multiple devices. However,
applying the snapshot to devices managed by an SMS can cause a device ID
conflict. Do not apply a snapshot to multiple devices when managed by SMS.

Export a Snapshot
STEP 1

On the launch bar, click the Update tab. The Update page displays.

STEP 2

Select the Open > System Snapshots option. The Update - System Snapshots page displays.

STEP 3

Locate the snapshot you want to export.

STEP 4

In the Function(s) column, click the Export button.


When you export a snapshot, you save the snapshot to a local directory to later import if needed.

Delete a Snapshot

STEP 1

On the launch bar, click the Update tab. The Update page displays.

STEP 2

Select the Open > System Snapshots option. The Update - System Snapshots page displays.

STEP 3

Locate the snapshot you want to delete. Click the Delete icon.


Administration
Administration describes user characteristics and user administration tasks. This section details
how to create and manage users, update SMS software, and review logs.

Overview
The Admin page enables you to manage and view the access and usage of a system. Through this page,
you can create and maintain user access through accounts and review system logs. However, not all
users can maintain this information. You must have administrator access to open and use the features
of the Admin page.
The system includes three types of users:
Operator: Basic access to review the status of the system
Administrator: Advanced access to monitor and manage functions in the system
Super User: Full access to use and manage all functions available in the system
Administration includes the following topics:

Admin Page on page 206


Access to Admin Functions on page 207
Managing Users on page 209
User Security Preferences on page 212
Viewing Audit and System Logs on page 216


Admin Page
The following is the Admin page:
Figure 8 - 1: Admin Page

This page has icons in the Function column indicating the available options:
Table 8 - 1: Functions Icons

Function   Description
Edit       Click the Edit icon to edit the settings for a user account.
Delete     Click the Delete icon to remove a user from the system.

Note: You can only delete or edit an account with the proper level of access.

You can do the following on this page, depending on your access:

Change the password to your user account


Create and manage user accounts
Set user preferences
Review the Audit and System logs

You can access the different types of administrator options by selecting the Open and Edit menus. A
drop-down menu displays listing the options for the page. The menu options may change depending
on the menu option you select. The instructions in this chapter indicate when to navigate through the
drop-down menu options.


Access to Admin Functions


To ensure the safety and security of information in the LSM and settings for an IPS device, specific
levels of access restrict your functions and options within the system. Only super-user level users can
access the administrator functions. These functions include the following:
Create and delete user accounts
View the audit log
Modify the idle timeout for access
Modify the password expiration time
All users (super-user, Administrator, and Operator) can do the following:
View the system log
Change their account password
This section includes the following:
User Access Level on page 207
Account Security Access on page 208
Security Level Capabilities on page 208

User Access Level


There are three user access levels:
Operator: Base-level user who monitors the system and network traffic
Administrator: Enhanced user who can view, manage, and configure functions and options in
the system
Super-user: User who has full access to the entire UnityOne system
As you review logs in the SMS, you may also see the following types of user levels. These denote
the interface through which the account performed the logged action:
SMS: Indicates the user used the SMS when the messages were saved to the logs
LSM: Indicates the user used the LSM when the messages were saved to the logs
CLI: Indicates the user used the CLI when the messages were saved to the logs
These messages may indicate when the user logged in, performed actions, and logged out.


Account Security Access


The security level sets the restrictions on user names and passwords. The default setting is Level 2 of
the following options:
Table 8 - 2: Account Security Levels

Level     Level Name                  Description
Level 0   No Security Checking        User names cannot contain spaces. Passwords are unrestricted.
Level 1   Basic Security Checking     User names must be at least 6 characters long without spaces.
                                      Passwords must be at least 8 characters long.
Level 2   Maximum Security Checking   Includes the Level 1 restrictions and additionally requires 2
                                      alphabetic characters, 1 numeric character, and 1
                                      non-alphanumeric character (special characters such as ! ? and *).

The UnityOne system uses Level 2, Maximum Security Checking, security access restrictions as
default. To modify the security level for an account, see User Security Preferences on page 212.
Note: When the no security checking option is selected, any user logging in
must still use a username defined in the LSM.

Security Level Capabilities


Security level/user capabilities are summarized in the table below.
Table 8 - 3: User Role Capabilities

Functional Area   Operator                               Administrator                          Super-user
Filters           view                                   all                                    all
Attacks           view                                   all                                    all
Discover          view                                   all                                    all
Monitor           view                                   all                                    all
Logs              view (except Audit log)                view all (except Audit log)            all
Update            view                                   all                                    all
Configure         view                                   all except system time                 all
Admin             change own password, view system log   change own password, view system log   all, including change Idle Timeout and change Password Expiration
Help              view                                   view                                   view

Managing Users
Through the Admin page, you can create and maintain user accounts. These accounts determine the
access and available functions for all users of the UnityOne system. When you create or modify a user,
you must be sure to enter valid user data. Valid entries for login names and passwords are described
below.
Note: Modifications to a user ID that is currently logged in do not take effect
until that user ID's next login.

Only Super-user accounts can create and edit all aspects of a user. Administrator and Operator
accounts can only change their passwords. On this page, you can do the following:

Change Your Password


Create a New User
Modify an Existing User
Delete an Existing User

Valid User Data


The LSM accepts specific formats and information for user accounts. When you create or modify an
account, you must follow requirements regarding valid user login names and secure passwords. The
LSM uses the following criteria to validate user accounts:
Valid Login Names
State and Security Level
Valid Password Data


Valid Login Names


When you log into the LSM, you enter a login name and password. The login name is the name of your
account displayed on the Admin page. A valid login name must meet the restrictions of the set security
level. The login name is also case sensitive. If you include capital and lowercase letters in the account
name, you must use them when logging into the system.
The levels require the following:
Level 0: Any length (1 or more) and format is allowed for the user name and password. You must
not include spaces.
Levels 1 and 2: The name must contain at least six (6) characters and no spaces.
Table 8 - 4: Login Name Examples

Valid Login Names   Invalid Login Names
fjohnson            fredj (too short)
fredj123            fred j 123 (contains spaces)
freDj-123           fj123 (too short)
fRedj-*123          fj 123 (contains spaces)

State and Security Level


Super-users can enable or disable an account as needed to reflect organizational changes. Super-users
also control the security level of the account. See Security Level Capabilities on page 208 for more
information on access capabilities.

Valid Password Data


When you set a password for an account, the password should include a variety of characters to create
strong passwords. Strong passwords include a mix of upper and lower case alphabetic characters,
numeric characters, and symbols. A valid password must meet the restrictions of the set security level.


The levels require the following:
Level 0: No restrictions. Any length and format is allowed for the user name and password. The
password may have no characters (empty).
Level 1: It must contain at least eight (8) characters.
Level 2: It must contain at least eight (8) characters with the following restrictions:
Must contain at least two alphabetic characters
Must contain at least one numeric character
Must contain at least one non-alphanumeric character. A non-alphanumeric character is any
character that is not a digit or a letter; spaces are allowed.
Table 8 - 5: Password Examples for Level 2 Security

Valid Passwords   Invalid Passwords
my-pa55word       my-pa55 (too short)
my-b1rthday       mybirthday (must contain numeric)
myd*gsnam3        mydogsnam3 (must contain a non-alphanumeric character)
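The Level 0, 1 and 2 login-name and password rules above, carried through as an added example validator; this is not LSM code. Its function names and return convention are this example's own, and it applies the 32-character upper bounds that the Security Level topic under User Security Preferences gives for Levels 1 and 2.

```python
"""Validator for the LSM account security levels described on this page.

Added example, not TippingPoint/LSM code. The function names and the return
convention (a list of rejection reasons, empty when the value is accepted) are
this example's own. The 32-character upper bounds for Levels 1 and 2 come from
the Security Level topic under User Security Preferences.
"""
from __future__ import annotations

NO_SECURITY_CHECKING = 0       # Level 0
BASIC_SECURITY_CHECKING = 1    # Level 1
MAXIMUM_SECURITY_CHECKING = 2  # Level 2 (the LSM default)

MIN_NAME, MAX_NAME = 6, 32
MIN_PASSWORD, MAX_PASSWORD = 8, 32


def _check_level(level: int) -> None:
    if level not in (NO_SECURITY_CHECKING, BASIC_SECURITY_CHECKING, MAXIMUM_SECURITY_CHECKING):
        raise ValueError(f"unknown security level {level!r}")


def login_name_problems(name: str, level: int) -> list[str]:
    """Return the reasons a login name is rejected at `level` (empty list = valid)."""
    _check_level(level)
    problems: list[str] = []
    # Every level: at least one character, and no spaces anywhere in the name.
    if not name:
        problems.append("login name is empty")
    if " " in name:
        problems.append("contains spaces")
    # Levels 1 and 2 add the 6..32 character length window.
    if level >= BASIC_SECURITY_CHECKING:
        if len(name) < MIN_NAME:
            problems.append(f"too short (minimum {MIN_NAME} characters)")
        elif len(name) > MAX_NAME:
            problems.append(f"too long (maximum {MAX_NAME} characters)")
    return problems


def password_problems(password: str, level: int) -> list[str]:
    """Return the reasons a password is rejected at `level` (empty list = valid)."""
    _check_level(level)
    problems: list[str] = []
    if level == NO_SECURITY_CHECKING:
        return problems  # Level 0: unrestricted; even an empty password is accepted
    if len(password) < MIN_PASSWORD:
        problems.append(f"too short (minimum {MIN_PASSWORD} characters)")
    elif len(password) > MAX_PASSWORD:
        problems.append(f"too long (maximum {MAX_PASSWORD} characters)")
    if level == MAXIMUM_SECURITY_CHECKING:
        alphabetic = sum(c.isalpha() for c in password)
        numeric = sum(c.isdigit() for c in password)
        # Anything that is neither a letter nor a digit counts; the page notes
        # that spaces are acceptable non-alphanumeric characters.
        other = sum(not c.isalnum() for c in password)
        if alphabetic < 2:
            problems.append("must contain at least two alphabetic characters")
        if numeric < 1:
            problems.append("must contain at least one numeric character")
        if other < 1:
            problems.append("must contain at least one non-alphanumeric character")
    return problems


def is_valid_account(name: str, password: str, level: int) -> bool:
    """True when both the login name and the password pass the level's checks."""
    return not login_name_problems(name, level) and not password_problems(password, level)


if __name__ == "__main__":
    # Constructed sample input: the examples from Table 8 - 4 and Table 8 - 5
    # on this page, checked at Level 2 (Maximum Security Checking).
    for name in ("fjohnson", "fredj", "fred j 123", "fRedj-*123"):
        print(f"login {name!r:14} -> {login_name_problems(name, MAXIMUM_SECURITY_CHECKING) or 'valid'}")
    for pw in ("my-pa55word", "my-pa55", "mybirthday", "mydogsnam3", "my d*gsnam3"):
        print(f"password {pw!r:14} -> {password_problems(pw, MAXIMUM_SECURITY_CHECKING) or 'valid'}")
```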

Change Your Password


STEP 1

On the Admin page, click on your user account (login) name or Edit icon. The Administer User Details/Edit page displays.

STEP 2

Type your new Password. See Valid Password Data for password requirements.

STEP 3

Type your new password again in the Confirm Password field. You must enter the password
exactly as you did in step 2.

STEP 4

Click Save.

Create a New User


Note: Only a user with Super-user security level can create a user account.

STEP 1

On the Admin page, select the Edit > Create User menu item or click the Create button.
The Administer - Create User page displays.

STEP 2

Enter a user Login name. See Valid Login Names for more information.

STEP 3

Select a Security Level: Operator, Administrator, Super-User.

STEP 4

Enter a Password. See Valid Password Data for more information.

STEP 5

Confirm the password by reentering it in Confirm Password.

STEP 6

Click Create.


Modify an Existing User


Note: Only a user with a Super-user or Administrator security level can modify
another user's account. Operators can only modify their own account.

STEP 1

On the Admin page, select an account (login). The Administer - User Details/Edit page
displays.

STEP 2

You can modify the security level or password of the user account. See Security Level Capabilities or Valid Password Data for more information.

STEP 3

Click Save.

Delete an Existing User


Note: Only a user with Super-user security level can delete a user account.

STEP 1

On the Admin page, select an account (login).

STEP 2

Click the Delete icon next to the user you want to delete. A confirmation message displays.

STEP 3

Click OK.

User Security Preferences


The LSM enables you to configure user preferences to increase the security of the system. These
settings enable you to do the following:
Web Idle Timeout: Set the idle timeout for lack of usage
Security Level: Set the security level for authenticating users
Password Expiration: Set the expiration time and action for passwords
Max Login Attempts: Set the maximum number of failed login attempts and the action taken
Tip: Session timeouts and password expiration periods may be covered in your
company's information security policy. Consult your security policy to be sure you
configure these values appropriately.


The Administer - User Preferences page provides these options:


Figure 8 - 2: Administer - User Preferences Page

Web Idle Timeout


The LSM features an idle timeout as a security measure. If you do not interact with the LSM for more
than a defined period of time (in minutes), the LSM logs out the account's access. This precaution helps
guard against an unauthorized person using your login session if you are unexpectedly called away
from your workstation or if you forget to log out.
See Set User Preferences on page 214.

Security Level
You can set the level of security checking that is performed when you add a new user or change a
password. Checking performed for the levels includes:
No Security Checking: Any user name or password can work. User access is not authenticated
against the saved user accounts in the LSM.
Basic Security Checking: User names must be between 6 and 32 characters long; passwords
must be between 8 and 32 characters long.
Maximum Security Checking: User names must be between 6 and 32 characters long. Passwords
must be strong passwords, between 8 and 32 characters long and containing at least one numeric
character and one non-alphanumeric character.
The UnityOne system uses the Maximum Security Checking level of security access as the default.
See Set User Preferences on page 214.


Password Expiration
The LSM features configurable password expiration, enabling you to decide how frequently users must
change their passwords. Password expiration is configurable through the LSM to periods of anywhere
from 10 days to 1 year. The default password expiration period is 90 days.
You can assign an action to the system to do the following:
Prompt the user to change the password when it expires
Notify the user when the password has expired
Disable the account
The system notifies the user five days before the expiration occurs and at each subsequent login. At
expiration, a new dialog box displays prompting the user to change the password before accessing the
LSM.
See Set User Preferences on page 214.

Max Login Attempts


To ensure the person logging into an account is the correct user, you can set an action on the system
when a number of login attempts fail. These failures could indicate a malicious attempt to access the
LSM. When a user fails to log in after a set number of attempts, the system can do the following:
Lock out the account for a period of time
Disable the account
Create an audit event
You can control the maximum number of logins allowed and the action that occurs when this
maximum is exceeded. If you choose to lock out an account, you must also define the duration of the
lockout.
Set User Preferences

STEP 1

On the Admin page, select the Edit > Preferences menu item. The Administer - User
Preferences page displays.

STEP 2

To change the idle timeout, enter a number of minutes (up to 9999) for Web Idle Timeout.

STEP 3

To change the rate of page refreshes, enter a number of seconds for the Page Refresh Time.

STEP 4

To select the security level of the LSM, select a security setting from the Security Level drop-down menu:
No Security Checking: Any user name or password can work.
Basic Security Checking: User names must be between 6 and 32 characters long;
passwords must be between 8 and 32 characters long.
Maximum Security Checking: User names must be between 6 and 32 characters long.
Passwords must be between 8 and 32 characters long and must contain one numeric
character and one non-alphanumeric character.

STEP 5

To change the period of time for password expiration, select a period of time from the Password Expiration drop-down menu: Disabled, 10 days, 20 days, 30 days, 45 days, 60 days, 90
days, 6 months, or 1 year.
Note: If your password expiration period is too long, it increases the chance that
a user's password will be discovered by an outsider, or that ex-employees'
passwords remain valid after they leave. If your password expiration period is too
short, it increases the chances that employees will write passwords down, or use
browser features to remember passwords. Standard practice dictates that
password expiration periods should not be shorter than 30 days or longer than 90
days.

STEP 6

To assign an action to the expiration period (if not disabled in Password Expiration), select
an action from the Password Expiration Action drop-down menu:
Force User to Change Password: Displays a dialog box prompting for a new password.
Notify User of Expiration: Displays a message informing you that the password has expired.
Disable Account: Disables all access to the LSM using the expired account.

STEP 7

To assign the number of login attempts allowed prior to disabling the account, select a number (1-10) from the Max Login Attempts drop-down menu.

STEP 8

To assign an action for the failed access, select an action from the Failed Login Action drop-down menu:
Disable Account: Disables the account from usage
Lockout Account: Locks the account out from access for a set period of time
Audit Event: Documents the failed access to the audit log

STEP 9

To set the lockout period, select a number of minutes from the Lockout Period drop-down
menu: 1, 5, 10, 15, 30, or 60.

STEP 10

Click Save.
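The Max Login Attempts, Failed Login Action and Lockout Period settings from Steps 7 to 9, modelled as an added example tracker that is not LSM code; its class names, the outcome strings `attempt()` returns, and the choice to record every triggered action in an audit list are this example's own.

```python
"""Failed-login policy tracker modelled on the Max Login Attempts, Failed Login
Action and Lockout Period settings described on this page.

Added example, not TippingPoint/LSM code. The class names, the outcome strings
returned by attempt(), and the decision to append an audit entry for every
triggered action (not only for the Audit Event action) are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_ATTEMPTS_RANGE = range(1, 11)           # page: Max Login Attempts is 1-10
LOCKOUT_MINUTES = (1, 5, 10, 15, 30, 60)    # page: Lockout Period menu values
DISABLE, LOCKOUT, AUDIT = "disable", "lockout", "audit"   # Failed Login Action


@dataclass(frozen=True)
class LoginPolicy:
    max_attempts: int = 5
    failed_action: str = LOCKOUT
    lockout_minutes: int = 15

    def __post_init__(self) -> None:
        # Reject values the LSM drop-down menus would not offer.
        if self.max_attempts not in MAX_ATTEMPTS_RANGE:
            raise ValueError("Max Login Attempts must be 1-10")
        if self.failed_action not in (DISABLE, LOCKOUT, AUDIT):
            raise ValueError("unknown Failed Login Action")
        if self.lockout_minutes not in LOCKOUT_MINUTES:
            raise ValueError("Lockout Period must be 1, 5, 10, 15, 30 or 60 minutes")


@dataclass
class Account:
    name: str
    failures: int = 0                  # consecutive failed attempts
    disabled: bool = False
    locked_until: float | None = None  # seconds on the caller's clock


class LoginTracker:
    def __init__(self, policy: LoginPolicy) -> None:
        self.policy = policy
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []

    def attempt(self, name: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now` (seconds) and return its outcome."""
        acct = self.accounts.setdefault(name, Account(name))
        if acct.disabled:
            return "denied: account disabled"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "denied: account locked out"
            acct.locked_until = None   # lockout period elapsed: start counting afresh
            acct.failures = 0
        if password_ok:
            acct.failures = 0          # a successful login clears the failure count
            return "success"
        acct.failures += 1
        if acct.failures < self.policy.max_attempts:
            return "failed"
        return self._apply_failed_action(acct, now)

    def _apply_failed_action(self, acct: Account, now: float) -> str:
        action = self.policy.failed_action
        if action == DISABLE:
            acct.disabled = True
        elif action == LOCKOUT:
            acct.locked_until = now + self.policy.lockout_minutes * 60
        else:
            # Audit Event only: document the failures, then keep accepting attempts.
            acct.failures = 0
        self.audit_log.append(
            f"{acct.name}: {self.policy.max_attempts} consecutive failed logins, action={action}")
        return f"failed: {action}"


def scenario(policy: LoginPolicy, attempts: list[tuple[float, bool]],
             name: str = "fjohnson") -> tuple[list[str], list[str]]:
    """Run (time, password_ok) pairs through a fresh tracker; return outcomes and audit log."""
    tracker = LoginTracker(policy)
    outcomes = [tracker.attempt(name, ok, t) for t, ok in attempts]
    return outcomes, tracker.audit_log


if __name__ == "__main__":
    # Constructed sequence: three bad passwords with a 5-minute lockout, then a
    # correct password inside the lockout window and again after it has elapsed.
    policy = LoginPolicy(max_attempts=3, failed_action=LOCKOUT, lockout_minutes=5)
    outcomes, audit = scenario(policy, [(0, False), (10, False), (20, False), (60, True), (320, True)])
    for line in outcomes + audit:
        print(line)
```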


Viewing Audit and System Logs


The audit and system logs in the LSM system document the usage, triggered events, and performance
of the system. The Admin page provides links to these logs. When you access the logs, the appropriate
log page displays.
Note: Only users with Super-user security level access can view and manage the
audit log. Only users with Administrator or Super-user security level access can
manage the system log. Operators can view the system log.
To view the logs, you click the appropriate link on the Admin page. For more information, refer to the
following topics:
System Log on page 118
Audit Log on page 119


Open Source Licenses


TippingPoint Technologies UnityOne software uses some open source components. Many open
source license agreements require user documentation to contain notification that the open source
software is included in the product.

Open Source Licenses


There are many different license schemes in the open source community. Often, an open source license
requires that the end product documentation includes a notice that the software includes the open
source software, and that the documentation includes a copy of the full text of the open source license.
The UnityOne OS and its supporting software use open source software covered under the licensing
schemes listed in Table A - 1, Open Source License Types, on page 217.
Table A - 2, Apache Licensed Components, on page 218 and Table A - 3, Gnu Public Licensed (GPL)
Components, on page 218 list the open source packages that are included in the UnityOne OS.
Table A - 1: Open Source License Types

License Name               Web Reference
Apache                     http://www.apache.org
Gnu Public License (GPL)   http://www.gnu.org/licenses/gpl.html
BSD License                http://www.opensource.org/licenses/bsd-license.php
Mozilla Public License     http://www.mozilla.org/MPL/
GSOAP License              http://www.cs.fsu.edu/~engelen/soap.html
PCRE license               ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/


Table A - 2: Apache Licensed Components

Component   Web Reference
snprintf    http://www.ijs.si/software/snprintf/
SOAP        http://xml.apache.org/soap/index.html
Open SSL    http://www.openssl.org/

Table A - 3: Gnu Public Licensed (GPL) Components

Component   Web Reference
NMAP        http://www.nmap.org/
Nessus      http://www.nessus.org/

Table A - 4: Other Open Source Software

Component                                License Name           Web Reference
GSOAP                                    GSOAP Public License   http://www.cs.fsu.edu/~engelen/soap.html
Ipv4 Checksum header code from FreeBSD   BSD License            http://www.freebsd.org
PCRE                                     PCRE license           ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/

Required Statements
Required by the Apache License:
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
Required by the gSOAP License:
Part of the software embedded in this product is gSOAP software.
Portions created by gSOAP are Copyright (C) 2001-2002 Robert A. van Engelen, Florida State
University. All Rights Reserved.
THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GSOAP SOFTWARE AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

License Texts
The Apache, GPL, and gSOAP public licenses require that their texts be published in the user
documentation of products that use software covered by these licenses.

Apache License
The Apache Software License, Version 1.1
Copyright (c) 1999-2000 The Apache Software Foundation. All rights reserved. Redistribution and
use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following
acknowledgment: This product includes software developed by the Apache Software Foundation
(http://www.apache.org/). Alternately, this acknowledgment may appear in the software itself, if and
wherever such third-party acknowledgments normally appear.
4. The names Xerces and Apache Software Foundation must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact apache@apache.org.
5. Products derived from this software may not be called Apache, nor may Apache appear in their
name, without prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE
SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
==========================================================
This software consists of voluntary contributions made by many individuals on behalf of the Apache
Software Foundation and was originally based on software copyright (c) 1999, International Business
Machines, Inc., http://www.ibm.com. For more information on the Apache Software Foundation,
please see <http://www.apache.org//>.

Gnu Public License (GPL)


GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it
is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users. This General Public License applies to
most of the Free Software Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by the GNU Library General Public
License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are
designed to make sure that you have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it if you want it, that you can change the
software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to
ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that
there is no warranty for this free software. If the software is modified by someone else and passed on,
we want its recipients to know that what they have is not the original, so that any problems introduced
by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that
redistributors of a free program will individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND
MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The Program,
below, refers to any such program or work, and a work based on the Program means either the
Program or any derivative work under copyright law: that is to say, a work containing the Program or a
portion of it, either verbatim or with modifications and/or translated into another language.
(Hereinafter, translation is included without limitation in the term modification.) Each licensee is
addressed as you.
Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program is
covered only if its contents constitute a work based on the Program (independent of having been made
by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to
the absence of any warranty; and give any other recipients of the Program a copy of this License along
with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based
on the Program, and copy and distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is
derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an announcement
including an appropriate copyright notice and a notice that there is no warranty (or else, saying that
you provide a warranty) and that users may redistribute the program under these conditions, and
telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on the Program is not required to
print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not
derived from the Program, and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those sections when you distribute them
as separate works. But when you distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of this License, whose permissions
for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote
it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely
by you; rather, the intent is to exercise the right to control the distribution of derivative or collective
works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a
work based on the Program) on a volume of a storage or distribution medium does not bring the other
work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or
executable form under the terms of Sections 1 and 2 above provided that you also do one of the
following:
a) Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on
a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an
executable work, complete source code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to control compilation and installation of the
executable. However, as a special exception, the source code distributed need not include anything that
is normally distributed (in either source or binary form) with the major components (compiler, kernel,
and so on) of the operating system on which the executable runs, unless that component itself
accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place,
then offering equivalent access to copy the source code from the same place counts as distribution of
the source code, even though third parties are not compelled to copy the source along with the object
code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and
will automatically terminate your rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses terminated so long as such parties
remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants
you permission to modify or distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by modifying or distributing the
Program (or any work based on the Program), you indicate your acceptance of this License to do so,
and all its terms and conditions for copying, distributing or modifying the Program or works based on
it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of
this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License
and any other pertinent obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of the Program by all those
who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of
the free software distribution system, which is implemented by public license practices. Many people
have made generous contributions to the wide range of software distributed through that system in
reliance on consistent application of that system; it is up to the author/donor to decide if he or she is
willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may
add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public
License from time to time. Such new versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of
this License which applies to it and any later version, you have the option of following the terms and
conditions either of that version or of any later version published by the Free Software Foundation. If
the Program does not specify a version number of this License, you may choose any version ever
published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution
conditions are different, write to the author to ask for permission. For software which is copyrighted by
the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions
for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of
our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE
QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM
PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE
OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR
DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best
way to achieve this is to make it free software which everyone can redistribute and change under these
terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each
source file to most effectively convey the exclusion of warranty; and each file should have at least the
copyright line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.> Copyright (C) 19yy <name of
author>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not,
write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this when it starts in an interactive
mode:
Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY
NO WARRANTY; for details type `show w.' This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General
Public License. Of course, the commands you use may be called something other than `show w' and
`show c'; they could even be mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your school, if any, to sign a
copyright disclaimer for the program, if necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes
passes at compilers) written by James Hacker.
<Signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into proprietary programs. If
your program is a subroutine library, you may consider it more useful to permit linking proprietary
applications with the library. If this is what you want to do, use the GNU Library General Public License
instead of this License.

BSD License
Copyright (c) <YEAR>, <OWNER>
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse
or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE

gSOAP Public License


gSOAP Public License
Version 1.0
1 DEFINITIONS.
1.1. Contributor
means each entity that creates or contributes to the creation of Modifications.
1.2. Contributor Version
means the combination of the Original Code, Compiled Code, prior Modifications used by a
Contributor, and the Modifications made by that particular Contributor.
1.3. Covered Code
means the Original Code, Compiled Code, or Modifications or the combination of the Original Code,
Compiled Code, and Modifications, in each case including portions thereof.
1.4. Electronic Distribution Mechanism
means a mechanism generally accepted in the software development community for the electronic
transfer of data.
1.5. Executable
means Covered Code in any form other than Source Code.
1.6. Initial Developer
means the individual or entity identified as the Initial Developer in the Source Code notice required by
Exhibit A.
1.7. Larger Work
means a work which combines Covered Code or portions thereof with code not governed by the terms
of this License.
1.8. License
means this document.
1.9. Licensable
means having the right to grant, to the maximum extent possible, whether at the time of the initial
grant or subsequently acquired, any and all of the rights conveyed herein.
1.10. Modifications
means any addition to or deletion from the substance or structure of either the Original Code,
Compiled Code, or any previous Modifications. When Covered Code is released as a series of files, a
Modification is:
A.
Any addition to or deletion from the contents of a file containing Original Code, Compiled Code, or
previous Modifications.
B.
Any new file that contains any part of the Original Code, Compiled Code, or previous Modifications.
1.11. Original Code
means Source Code of computer software code which is described in the Source Code notice required
by Exhibit A as Original Code, and which, at the time of its release under this License is not already
Covered Code governed by this License.
1.12. Source Code
means the preferred form of the Covered Code for making modifications to it, including all modules it
contains, plus any associated interface definition files, scripts used to control compilation and
installation of an Executable, or source code differential comparisons against either the Original Code
or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a
compressed or archival form, provided the appropriate decompression or de-archiving software is
widely available for no charge.
1.13. You (or Your)
means an individual or a legal entity exercising rights under, and complying with all of the terms of,
this License or a future version of this License issued under Section 6.1. For legal entities, "You"
includes any entity which controls, is controlled by, or is under common control with You. For purposes
of this definition, "control" means (a) the power, direct or indirect, to cause the direction or
management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty
percent (50%) of the outstanding shares or beneficial ownership of such entity.
1.14. Compiler
means the computer software code described in Appendix A.
1.15. Compiled Code
means any file in any form produced by Compiler.
2 SOURCE CODE LICENSE.
2.1. The Initial Developer Grant.
The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive
license, subject to third party intellectual property claims:
(a)
under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to
use, reproduce, modify, display, perform, sublicense and distribute the Original Code or Compiled
Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and
(b)
under patents now or hereafter owned or controlled by Initial Developer, to make, have made, use and
sell (offer to sell and import) the Original Code and Compiled Code (or portions thereof), but solely
to the extent that any such patent is reasonably necessary to enable You to Utilize the Original Code and
Compiled Code (or portions thereof) and not to any greater extent that may be necessary to Utilize
further Modifications or combinations.
2.2. Contributor Grant.
Subject to third party intellectual property claims, each Contributor hereby grants You a
world-wide, royalty-free, non-exclusive license
(a)
under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use,
reproduce, modify, display, perform, sublicense and distribute the Modifications created by such
Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered
Code and/or as part of a Larger Work; and
(b)
under patents now or hereafter owned or controlled by Contributor, to make, have made, use and sell
("offer to sell and import") the Contributor Version (or portions thereof), but solely to the extent that
any such patent is reasonably necessary to enable You to Utilize the Contributor Version (or portions
thereof), and not to any greater extent that may be necessary to Utilize further Modifications or
combinations.
3 DISTRIBUTION OBLIGATIONS.
3.1. Application of License.
The Modifications which You create or to which You contribute are governed by the terms
of this License, including without limitation Section 2.2. The Source Code version of
Covered Code including Compiled Code may be distributed only under the terms of this
License or a future version of this License released under Section 6.1, and You must
include a copy of this License with every copy of the Source Code or Compiled Code You
distribute. You may not offer or impose any terms on any Source Code version that alters
or restricts the applicable version of this License or the recipients' rights hereunder.
However, You may include an additional document offering the additional rights
described in Section 3.5.

3.2. Availability of Source Code.
Any Modification which You create or to which You contribute must be made available in
Source Code form under the terms of this License either on the same media as an
Executable version or via an accepted Electronic Distribution Mechanism to anyone to
whom you made an Executable version available; and if made available via Electronic
Distribution Mechanism, must remain available for at least twelve (12) months after the
date it initially became available, or at least six (6) months after a subsequent version of
that particular Modification has been made available to such recipients. You are
responsible for notifying the Initial Developer of the Modification and the location of the
Source Code if a contact means is provided. Initial Developer will be acting as maintainer
of the Source Code and may provide an Electronic Distribution mechanism for the
Modification to be made available.

3.3. Description of Modifications.
You must cause all Covered Code to which You contribute to contain a file documenting
the changes You made to create that Covered Code and the date of any change. You must
include a prominent statement that the Modification is derived, directly or indirectly, from
Original Code or Compiled Code provided by the Initial Developer and including the
name of the Initial Developer in (a) the Source Code, and (b) in any notice in an
Executable version or related documentation in which You describe the origin or
ownership of the Covered Code.

3.4. Intellectual Property Matters.
(a) Third Party Claims.
If You have knowledge that a party claims an intellectual property right in particular functionality or
code (or its utilization under this License), you must include a text file with the source code
distribution titled "LEGAL" which describes the claim and the party making the claim in sufficient
detail that a recipient will know whom to contact. If you obtain such knowledge after You make Your
Modification available as described in Section 3.2, You shall promptly modify the LEGAL file in all
copies You make available thereafter and shall take other steps (such as notifying appropriate mailing
lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new
knowledge has been obtained.
(b) Contributor APIs.
If Contributor's Modifications include an application programming interface and Contributor has
knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must
also include this information in the LEGAL file.
(c) Representations.
Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes
that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has
sufficient rights to grant the rights conveyed by this License.
3.5. Required Notices.
You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not
possible to put such notice in a particular Source Code file due to its structure, then You
must include such notice in a location (such as a relevant directory) where a user would be
likely to look for such a notice. If You created one or more Modification(s) You may add
your name as a Contributor to the notice described in Exhibit A. You must also duplicate
this License in any documentation for the Source Code where You describe recipients'
rights or ownership rights relating to Covered Code. You may choose to offer, and to
charge a fee for, warranty, support, indemnity or liability obligations to one or more
recipients of Covered Code. However, You may do so only on Your own behalf, and not
on behalf of the Initial Developer or any Contributor. You must make it absolutely clear
that any such warranty, support, indemnity or liability obligation is offered by You alone,
and You hereby agree to indemnify the Initial Developer and every Contributor for any
liability incurred by the Initial Developer or such Contributor as a result of warranty,
support, indemnity or liability terms You offer.

3.6. Distribution of Executable Versions.
You may distribute Covered Code in Executable form only if the requirements of Section
3.1-3.5 have been met for that Covered Code, and if You include a notice stating that the
Source Code version of the Covered Code is available under the terms of this License,
including a description of how and where You have fulfilled the obligations of Section 3.2.
The notice must be conspicuously included in any notice in an Executable version, related
documentation or collateral in which You describe recipients' rights relating to the
Covered Code. You may distribute the Executable version of Covered Code or ownership
rights under a license of Your choice, which may contain terms different from this
License, provided that You are in compliance with the terms of this License and that the
license for the Executable version does not attempt to limit or alter the recipient's rights in
the Source Code version from the rights set forth in this License. If You distribute the
Executable version under a different license You must make it absolutely clear that any
terms which differ from this License are offered by You alone, not by the Initial Developer
or any Contributor. You hereby agree to indemnify the Initial Developer and every
Contributor for any liability incurred by the Initial Developer or such Contributor as a
result of any such terms You offer. If you distribute executable versions containing
Covered Code as part of a product, you must reproduce the notice in Exhibit B in the
documentation and/or other materials provided with the product.

3.7. Larger Works.
You may create a Larger Work by combining Covered Code with other code not governed
by the terms of this License and distribute the Larger Work as a single product. In such a
case, You must make sure the requirements of this License are fulfilled for the Covered
Code.

3.8. Restrictions.
You may not: 1) modify, translate, reverse engineer, decompile, disassemble or otherwise
attempt to reconstruct or discover the source code of Compiler (except to the extent
applicable laws specifically prohibit such restriction); 2) sell or offer for sale, rent, lease,
sublicense, convey, or distribute Compiler; 3) transfer rights to the Covered Code or
Compiler.
4 INABILITY TO COMPLY DUE TO STATUTE OR REGULATION.
If it is impossible for You to comply with any of the terms of this License with respect to some or all of
the Covered Code due to statute, judicial order, or regulation then You must: (a) comply with the terms
of this License to the maximum extent possible; and (b) describe the limitations and the code they
affect. Such description must be included in the LEGAL file described in Section 3.4 and must be
included with all distributions of the Source Code. Except to the extent prohibited by statute or
regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to
understand it.
5 APPLICATION OF THIS LICENSE.
This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to
related Covered Code.
6 VERSIONS OF THE LICENSE.
6.1. New Versions.
Grantor may publish revised and/or new versions of the License from time to time. Each
version will be given a distinguishing version number.

6.2. Effect of New Versions.

Once Covered Code has been published under a particular version of the License, You
may always continue to use it under the terms of that version. You may also choose to use
such Covered Code under the terms of any subsequent version of the License.

6.3. Derivative Works.


If You create or use a modified version of this License (which you may only do in order to
apply it to code which is not already Covered Code governed by this License), You must
(a) rename Your license so that the phrase ''gSOAP'' or any confusingly similar phrase do
not appear in your license (except to note that your license differs from this License) and
(b) otherwise make it clear that Your version of the license contains terms which differ
from the gSOAP Public License. (Filling in the name of the Initial Developer, Original
Code or Contributor in the notice described in Exhibit A shall not of themselves be
deemed to be modifications of this License.)
7 DISCLAIMER OF WARRANTY.
COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN AS IS BASIS, WITHOUT
WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR
A PARTICULAR PURPOSE, NONINFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY
RIGHTS, AND ANY WARRANTY THAT MAY ARISE BY REASON OF TRADE USAGE, CUSTOM, OR
COURSE OF DEALING. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT THE
SOFTWARE IS PROVIDED AS IS AND THAT THE AUTHORS DO NOT WARRANT THE SOFTWARE
WILL RUN UNINTERRUPTED OR ERROR FREE. LIMITED LIABILITY THE ENTIRE RISK AS TO
RESULTS AND PERFORMANCE OF THE SOFTWARE IS ASSUMED BY YOU. UNDER NO
CIRCUMSTANCES WILL THE AUTHORS BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL,
EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND OR NATURE WHATSOEVER,
WHETHER BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT
LIABILITY OR OTHERWISE, ARISING OUT OF OR IN ANY WAY RELATED TO THE SOFTWARE,
EVEN IF THE AUTHORS HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGE OR IF
SUCH DAMAGE COULD HAVE BEEN REASONABLY FORESEEN, AND NOTWITHSTANDING ANY
FAILURE OF ESSENTIAL PURPOSE OF ANY EXCLUSIVE REMEDY PROVIDED. SUCH LIMITATION
ON DAMAGES INCLUDES, BUT IS NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, LOST
PROFITS, LOSS OF DATA OR SOFTWARE, WORK STOPPAGE, COMPUTER FAILURE OR
MALFUNCTION OR IMPAIRMENT OF OTHER GOODS. IN NO EVENT WILL THE AUTHORS BE
LIABLE FOR THE COSTS OF PROCUREMENT OF SUBSTITUTE SOFTWARE OR SERVICES. YOU
ACKNOWLEDGE THAT THIS SOFTWARE IS NOT DESIGNED FOR USE IN ON-LINE EQUIPMENT IN
HAZARDOUS ENVIRONMENTS SUCH AS OPERATION OF NUCLEAR FACILITIES, AIRCRAFT
NAVIGATION OR CONTROL, OR LIFE-CRITICAL APPLICATIONS. THE AUTHORS EXPRESSLY
DISCLAIM ANY LIABILITY RESULTING FROM USE OF THE SOFTWARE IN ANY SUCH ON-LINE
EQUIPMENT IN HAZARDOUS ENVIRONMENTS AND ACCEPTS NO LIABILITY IN RESPECT OF
ANY ACTIONS OR CLAIMS BASED ON THE USE OF THE SOFTWARE IN ANY SUCH ON-LINE
EQUIPMENT IN HAZARDOUS ENVIRONMENTS BY YOU. FOR PURPOSES OF THIS PARAGRAPH,
THE TERM ``LIFE-CRITICAL APPLICATION'' MEANS AN APPLICATION IN WHICH THE
FUNCTIONING OR MALFUNCTIONING OF THE SOFTWARE MAY RESULT DIRECTLY OR
INDIRECTLY IN PHYSICAL INJURY OR LOSS OF HUMAN LIFE. THIS DISCLAIMER OF WARRANTY
CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS
AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
8 TERMINATION.
8.1.
This License and the rights granted hereunder will terminate automatically if You fail to comply with
terms herein and fail to cure such breach within 30 days of becoming aware of the breach. All
sublicenses to the Covered Code which are properly granted shall survive any termination of this
License. Provisions which, by their nature, must remain in effect beyond the termination of this
License shall survive.
8.2.
If you initiate litigation by asserting a patent infringement claim (excluding declaratory judgment
actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom
You file such action is referred to as Participant) alleging that:
(a)
such Participant's Contributor Version directly or indirectly infringes any patent, then any and all
rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60
days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You
either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and
future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with
respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable
royalty and payment arrangement are not mutually agreed upon in writing by the parties or the
litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or
2.2 automatically terminate at the expiration of the 60 day notice period specified above.
(b)
any software, hardware, or device, other than such Participant's Contributor Version, directly or
indirectly infringes any patent, then any rights granted to You by such Participant under Sections
2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had
made, Modifications made by that Participant.
8.3.
If You assert a patent infringement claim against Participant alleging that such Participant's
Contributor Version directly or indirectly infringes any patent where such claim is resolved (such as by
license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value
of the licenses granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in
determining the amount or value of any payment or license.

8.4.
In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding
distributors and resellers) which have been validly granted by You or any distributor hereunder prior to
termination shall survive termination.
9 LIMITATION OF LIABILITY.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING
NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY
OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY
OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION,
DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR
MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH
PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY
RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS
SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT
APPLY TO YOU.
10 MISCELLANEOUS.
This License represents the complete agreement concerning subject matter hereof. If any provision of
this License is held to be unenforceable, such provision shall be reformed only to the extent necessary
to make it enforceable.
11 RESPONSIBILITY FOR CLAIMS.
As between Initial Developer and the Contributors, each party is responsible for claims and damages
arising, directly or indirectly, out of its utilization of rights under this License and You agree to work
with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing
herein is intended or shall be deemed to constitute any admission of liability.
EXHIBIT A.
The contents of this file are subject to the gSOAP Public License Version 1.0 (the ``License''); you may
not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.cs.fsu.edu/~engelen/soaplicense.html
Software distributed under the License is distributed on an AS IS basis, WITHOUT
WARRANTY OF ANY KIND, either express or implied. See the License for the specific language
governing rights and limitations under the License.
The Original Code of the gSOAP Software is: stdsoap.h, stdsoap2.h, stdsoap.c,
stdsoap2.c, stdsoap.cpp, stdsoap2.cpp.

The Initial Developer of the Original Code is Robert A. van Engelen. Portions created by Robert van
Engelen, Gunjan Gupta, Saurabh Pant, and Yunwei Wang are Copyright (C) 2001-2002 Robert A. van
Engelen, Florida State University. All Rights Reserved.
Contributor(s): ________________________.
[Note: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files
of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original
Code Source Code for Your Modifications.]
EXHIBIT B.
Part of the software embedded in this product is gSOAP software.
Portions created by gSOAP are Copyright (C) 2001-2002 Robert A. van Engelen, Florida State
University. All Rights Reserved.
THE SOFTWARE IN THIS PRODUCT WAS IN PART PROVIDED BY GSOAP SOFTWARE AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
APPENDIX A.

The Compiler of the gSOAP Software is any one of the executable files provided
with the gSOAP distribution: soapcpp, soapcpp2, soapcpp.exe, soapcpp2.exe.

Browser Certificates
This appendix details how to create browser certificates for use in Internet Explorer so that the certificate
notification messages are no longer displayed to the user.

Overview
Due to the security settings of the Local Security Manager (LSM), Internet Explorer may display a
Client Authentication message followed by a Security Alert message. These dialogs display when you
first establish an HTTPS session with the UnityOne IPS. This appendix details how to create certificates
to remove these messages.
Browser Certificates includes the following sections:
Client Authentication Message on page 238
Security Alert on page 239
Example - Creating Personal Certificate on page 245

Client Authentication Message


The UnityOne IPS uses the same HTTPS channel to communicate with other TippingPoint products as
it does to communicate with LSM. During the SSL handshake, the device asks for a client certificate for
validation. This is meant for other products; however, LSM users may also be prompted for a client
certificate. You can ignore this dialog.
Figure B -1: Client Authentication Dialog Box

To remove this warning, you can create and install a personal certificate on your workstation.
The following procedures detail how to create and install the personal certificate:
Creating a Personal Certificate on page 238
Installing the Personal Certificate on page 239
Creating a Personal Certificate
The following command generates a self-signed certificate valid for 10 years. You must have access to
a computer with OpenSSL installed. For the latest copy of OpenSSL, go to the OpenSSL web site:
http://www.openssl.org
STEP 1

Enter the following command:

openssl req -new -x509 -days 3650 -out cert.pem -keyout privkey.pem

This command creates two files: cert.pem and privkey.pem.

STEP 2

Enter the following command:

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out to_import.p12

This command creates the import file: to_import.p12.

Installing the Personal Certificate


The following instructions detail how to install the personal certificate. During the procedure, you will
import the file called to_import.p12.
STEP 1

Open Microsoft Internet Explorer (version 6.0 or later).

STEP 2

Select the Tools >Internet Options menu option.

STEP 3

Click on the Content tab. Click Certificates.

STEP 4

Click Import. The Certificate Import Wizard opens.

STEP 5

Click Next.

STEP 6

On the File to Import screen, do the following:

STEP A

Click Browse.

STEP B

Locate and select the file to_import.p12.

STEP C

Click Next.

STEP 7

On the Password screen, do the following:

STEP A

Enter your private key password.

STEP B

Click the Mark the private key as exportable check box.

STEP C

Click Next.

STEP 8

On the Certificate Store screen, select the option Automatically select the certificate store
based on the type of certificate.

STEP 9

Click Next.

STEP 10

Click Finish. When the import completes, a message displays.

Security Alert
The Security Alert dialog in the following illustration shows two security alerts regarding certificates:
Certificate Authority on page 240: The certificate is not from a trusted certifying authority
Invalid Certificate Name on page 243: The name of the certificate is invalid
TippingPoint creates an SSL device certificate that uses TippingPoint as the ROOT Authority. This allows
TippingPoint devices to use SSL communication between the device and client application. You can
eliminate this dialog by installing the certificate into the client certification trust list and placing an
entry for the device in your local HOSTS or LMHOSTS file. The entry in the HOSTS file should name the
host by its device serial number and then its IP address. This allows the SSL client to resolve the
certificate common name.

Certificate Authority
The following dialog warning displays for a certificate authority security alert:
Figure B -2: Certificate Authority

You can eliminate the Certificate Authority warning with the following procedure:
STEP 1

When the warning displays, click View Certificate. The Certificate dialog box displays.

Figure B -3: Certificate Dialog Box

STEP 2

Select the Certification Path tab.

STEP 3

Select the Root Authority. Click View Certificate.

Figure B -4: Certification Path Tab - Root Authority

STEP 4

The Certificate Import Wizard opens. Click Next.

Figure B -5: Certificate Import Wizard

The Certificate Store dialog displays.


Figure B -6: Certificate Store Dialog

STEP 5

Select the Place all certificates in the following store option. The certificate store should be
Trusted Root Certificate Authorities. Click Next.
The Completing the Certificate Import Wizard dialog displays.

Figure B -7: Completing the Certificate Import Wizard Dialog

STEP 6

Click Finish to install the certificate. The Root Certificate Store indicates the status of the
import and displays the certificate information.

Figure B -8: Root Certificate Store Verification

STEP 7

Click Yes. The UnityOne IPS LSM login page displays.

Invalid Certificate Name


The following dialog warning displays for an invalid certificate name security alert:
Figure B -9: Invalid Certificate Name

Performing the following steps can solve the Certificate Invalid warning:

STEP 1

When the warning displays, click View Certificate. The Certificate dialog box displays.

Figure B -10: Certificate Dialog Box

STEP 2

On the General tab, make note of the serial number.

STEP 3

Navigate to and open the local workstation's HOSTS file. This file is located in
C:\WINNT\system32\drivers\etc on a Windows 2000 workstation.

Figure B -11: HOSTS File

STEP 4

Add a line to the file with the UnityOne's IP address and serial number.

STEP 5

When browsing to the IPS, enter the host name from the HOSTS entry (the device serial number) instead
of the IP address in your Web browser. This name and certificate work only on that particular workstation.

Example - Creating Personal Certificate


The following is an example of how to create your own personal certificate. User entries are in bold.
For security purposes, it is suggested that you do not use the passwords provided below.

[]# openssl req -new -x509 -days 3650 -out cert.pem -keyout privkey.pem
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.......++++++
.................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: DefaultPemPhrase
Verifying password - Enter PEM pass phrase: DefaultPemPhrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: Texas
Locality Name (eg, city) [Newbury]: Austin
Organization Name (eg, company) [My Company Ltd]: TippingPoint Technologies
Organizational Unit Name (eg, section) []: TAC
Common Name (eg, your name or your server's hostname) []: TPTI
Email Address []: tac@tippingpoint.com
[]# openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out to_import.p12
Enter PEM pass phrase: DefaultPemPhrase
Enter Export Password: exportPassCode
Verifying password - Enter Export Password: exportPassCode
[]#

Troubleshooting
Details troubleshooting information for using the Local Security Manager (LSM).

Overview
As you manage your network security, you may encounter issues with the LSM. Troubleshooting
includes the following sections:
IPS Port Out-of-Service on page 247

IPS Port Out-of-Service


If the LSM reports errors and cannot locate the device, check the connections on the IPS device. If you
use a copper-fiber translator (such as Netgear) and it is disconnected or loose, the IPS device driver
attempts to re-initialize the port several times before timing out and placing the port in an
Out-of-Service mode. Netgear does not support auto-negotiation. When you remove the copper cable or
the cable is loose, Netgear does not attempt to auto-negotiate with the IPS device.
To resolve this issue, do the following:
STEP 1

On the Configure - Segment Details/Edit page, clear the Auto Negotiation: On check box
for each port of the IPS device. The option disables.

STEP 2

Click Restart.
Leave auto-negotiation off. The port should reset.

Log Formats
Details the format of the alert log in the Local Security Manager (LSM).

Overview
This section details the format of the alert log accessible through the LSM:
Log Format on page 249
Remote Syslog Log Format on page 250

Log Format
The following is the format of the alert, block, and peer log entries in downloaded logs:

seq: Unique sequence number for this log file
endTS: Ending timestamp of the aggregation (time the log is written)
verbosity: Info, warn, err, or crit
type: Log type (alert/block/peer)
file: File (alert/block/peer)
msgVer: Message version (currently 'v3')
alertType: A bit field that identifies a message as traffic threshold, invalid, etc.
policyUUID: ID for the policy
severity: Severity of the alert
sigId: Signature ID
protocol: Protocol of the alert
src: Source IP address
dst: Destination IP address
hitcnt: Hit count of the aggregation
slot:index: Slot and port where the alert was detected
bgnTSSecs: Beginning timestamp (seconds) of the aggregation
bgnTSUsecs: Beginning timestamp (microseconds) of the aggregation
period: Aggregation period, in minutes. 0 = no aggregation.
msgParams: A string of values for special message formats, usually empty (a space).
ptFlag: Packet trace flag/version, on=pt2 off=pt0 (backward compat on=pt1)
ptAlertSeq: Packet trace aggregation bucket sequence number
ptBgnSeq: Packet trace aggregation bucket beginning sequence number
ptEndSeq: Packet trace aggregation bucket ending sequence number
len: Length of message in bytes

Remote Syslog Log Format

The log format for the remote syslog is detailed below. The following is an example of packet data sent
to a collector. Note that collectors may display the header portion of the stream differently.

<13>Jan 13 12:55:01 192.168.65.22 ALT,v4,20050113T125501+0360,"i robot"/192.168.65.22,1017,Alert,1,1,00000002-0002-0002-0002-000000000164,"0164: ICMP: Echo Request (Ping)","0164: ICMP: Echo Request (Ping)",icmp,216.136.107.233:0,216.136.107.91:0,20050113T125205+0360,199," ",1,3:1

In this example, the header follows the standard syslog format. Using the previous log entry as the
example, the message is as follows:

ALT,v4,20050113T125501+0360,"i robot"/192.168.65.22,1017,Permit,1,Low,00000002-0002-0002-0002-000000000164,"0164: ICMP: Echo Request (Ping)","0164: ICMP: Echo Request (Ping)",icmp,216.136.107.233:0,216.136.107.91:0,20050113T125205+0360,199," ",1,3:1

The character located between each field is the configured delimiter. In this case, the delimiter is a
comma. The following table details the fields and their descriptions.
Table D - 1 : Remote Syslog Field Descriptions

Field  Description
1      Log-type; ALT = alert, BLK = block, P2P = misuse and abuse
2      Version of this message format
3      ISO 8601 Date-Time-TZ when this alert was generated
4      Hostname/IP address that generated the alert; note that the quotes are required for this release
       because of a bug in the hostname validation (note the space in the name)
5      Sequence ID
6      (reserved)
7      Action performed ("Block" or "Permit")
8      Severity ("Low", "Minor", "Major", or "Critical")
9      Policy UUID
10     Policy Name
11     Signature Name
12     Protocol name ("icmp", "udp", "tcp", or "unknown")
13     Source address and port, colon delimited
14     Destination address and port, colon delimited
15     ISO 8601 Date-Time-TZ when the aggregation period started
16     Number of events since start of aggregation period
17     Traffic Threshold message parameters
18     Packet capture available on device (available = 1; none = 0)
19     Slot and segment of event
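The following Python parser is an added example, not part of this guide or of the TippingPoint product: it splits the remote syslog message on the configured delimiter while keeping quoted text (the host name containing a space, the policy and signature names) intact, decodes the syslog PRI, and sums field 16 per signature, since each message stands for a whole aggregation period rather than a single event. The sample lines are constructed in the guide's format with RFC 5737 addresses and placeholder UUIDs; the field names follow the order of the guide's sample message, where the action appears in field 6 and the reserved value in field 7, the reverse of the table's listing.

```python
import re
from typing import Dict, List, Tuple

# Field order as it appears in the guide's sample message (19 delimited fields). The
# table lists "(reserved)" before the action, but the sample carries the action
# ("Permit") in field 6 and a reserved "1" in field 7, so the sample order is used.
FIELD_NAMES = [
    "log_type", "version", "generated", "host", "seq", "action", "reserved",
    "severity", "policy_uuid", "policy_name", "signature_name", "protocol",
    "src", "dst", "aggregation_start", "event_count", "threshold_params",
    "packet_capture", "slot_segment",
]

# Syslog header in the form the guide shows: <PRI>Mmm dd hh:mm:ss relay-host message
HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed sample lines in the guide's format (not the guide's own entries):
# RFC 5737 addresses, placeholder policy UUIDs, and the quoted host name with a space.
SAMPLE_LINES = [
    '<13>Jan 13 12:55:01 192.0.2.22 ALT,v4,20050113T125501+0360,"i robot"/192.0.2.22,'
    '1017,Permit,1,Low,00000000-0000-0000-0000-000000000001,'
    '"0164: ICMP: Echo Request (Ping)","0164: ICMP: Echo Request (Ping)",icmp,'
    '198.51.100.233:0,192.0.2.91:0,20050113T125205+0360,199," ",1,3:1',
    '<13>Jan 13 12:56:30 192.0.2.22 BLK,v4,20050113T125630+0360,"i robot"/192.0.2.22,'
    '1018,Block,1,Critical,00000000-0000-0000-0000-000000000002,'
    '"0002: Placeholder policy name","0002: Placeholder signature name",tcp,'
    '198.51.100.50:41234,192.0.2.10:80,20050113T125530+0360,12," ",0,3:1',
]


def split_delimited(message: str, delim: str = ",") -> List[str]:
    """Split on the configured delimiter; text inside double quotes stays together
    (the quotes themselves are dropped), so a quoted name may contain the delimiter."""
    fields: List[str] = []
    current: List[str] = []
    in_quotes = False
    for ch in message:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == delim and not in_quotes:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated quote in syslog message")
    fields.append("".join(current))
    return fields


def _split_endpoint(value: str) -> Tuple[str, int]:
    """'addr:port' (fields 13 and 14) -> (addr, port); ICMP entries carry port 0."""
    addr, _, port = value.rpartition(":")
    return addr, int(port)


def parse_lsm_syslog(line: str, delim: str = ",") -> Dict[str, object]:
    """Parse one remote syslog line into a dict keyed by FIELD_NAMES plus derived values."""
    match = HEADER_RE.match(line.rstrip("\r\n"))
    if not match:
        raise ValueError("line does not start with a syslog header")
    pri, _timestamp, relay, message = match.groups()
    fields = split_delimited(message, delim)
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    event: Dict[str, object] = dict(zip(FIELD_NAMES, fields))
    # PRI encodes facility * 8 + severity; <13> is facility 1 (user), severity 5 (notice).
    event["facility"], event["syslog_severity"] = divmod(int(pri), 8)
    event["relay"] = relay
    # Field 4 is "host name"/ip; the quotes are already gone, so split on the last slash.
    host, _, host_ip = fields[3].rpartition("/")
    event["host"], event["host_ip"] = host, host_ip
    event["src_ip"], event["src_port"] = _split_endpoint(fields[12])
    event["dst_ip"], event["dst_port"] = _split_endpoint(fields[13])
    event["seq"] = int(fields[4])
    event["event_count"] = int(fields[15])          # events in this aggregation period
    event["packet_capture"] = fields[17] == "1"     # packet trace available on device
    return event


def hits_by_signature(lines: List[str], delim: str = ",") -> Dict[Tuple[str, str], int]:
    """Total events per (signature name, action). Counting lines would undercount:
    each message is one aggregation period, so field 16 carries the real hit count."""
    totals: Dict[Tuple[str, str], int] = {}
    for line in lines:
        event = parse_lsm_syslog(line, delim)
        key = (str(event["signature_name"]), str(event["action"]))
        totals[key] = totals.get(key, 0) + int(event["event_count"])
    return totals


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse_lsm_syslog(line)
        print(event["log_type"], event["action"], event["signature_name"], event["event_count"])
    print(hits_by_signature(SAMPLE_LINES))
```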

Glossary
action set
An integral part of an attack or peer-to-peer filter. It includes instructions that control the system
response when it encounters matching traffic. The conditions include the following:
action: the response of the system
  permit: allow the data
  rate limiting: limit the rate at which the matching data is transferred
  block: do not allow the data
packet trace: the settings for capturing the packet
  priority
  verbosity (depth of the capture)
  bytes to capture of the packet/data
contacts: systems to receive an alert

Advanced DDoS filters


Advanced Denial of Service filters that detect and protect against denial of service attacks. These filters
are part of the Infrastructure Protection pillar of filters. The UnityOne-100E provides these filter
options for enhanced security protection.
These attacks flood a network with requests, including:
Connection Flood Filters on page 255
CPS Flood Filters on page 256
SYN Proxy Filters on page 259

aggregation period
The length of time during which multiple instances of a specific attack can occur before notification is
sent to a contact.

Application Protection
Pillar of filter types that defend against known and unknown exploits that target applications and
operating systems of workstations and servers on a network. These filters include a variety of attack
protection and security policy filters. These filters detect specific recognition data to recognize an
attempted attack and take specific courses of action that you define when an attempt is detected.

attack protection filter


Filter that scans for, detects, and blocks malicious attacks that try to locate vulnerable areas in your
network security. These filters are part of the Application Protection pillar of filters.

attack filter package


A package that contains attack filters developed by the Threat Management Center (TMC). Also called
Digital Vaccine.

attack traffic
Packets traversing a network that match at least one attack protection filter.

block on IP
Option for Action Sets that enables you to unblock IP addresses blocked by filters. The Block action set
provides an option for blocking IP addresses that trigger the filter. When an IP is blocked, any requests
or traffic to or from the IP through the network is not accepted by the IPS. The system blocks the IP
traffic and enacts any further actions based on the action set, such as notifications. If the filter Action
Set is set to a specific segment, the IP address may be blocked only on that segment, and not on the entire
IPS.

category
An assessment of the likelihood that attack traffic is malicious. The TMC assesses each attack filter and
assigns it to one of the following categories:
Application Protection: Pillar of filter types that defend against known and unknown exploits
that target applications and operating systems:
  Attack Protection Filters: Detect and block traffic known to be malicious, suspicious, and to
  have known security implications. These include vulnerabilities and exploit filters.
  Reconnaissance Filters: Detect scanning of your network for vulnerabilities. These include
  vulnerability probing and scans/sweeps filters.
  Security Policy Filters: Detect and block traffic that may or may not be malicious. This traffic
  may be different in its format or content from standard business practice, aimed at specific
  software or operating systems, or contrary to your company's security policies.
  Informational: Provide a testing method of your security system.
Infrastructure Protection: Pillar of filter types that protect network bandwidth and network
infrastructure elements such as routers and firewalls from attack using a combination of filter types:
  DDoS Filters: Detect and block denial of service and flood requests, such as SYN Requests, that
  can overwhelm a system.
  Reconnaissance Filters: Detect and block anomalies in traffic flow.
  Traffic Normalization Filters: Detect and block abnormal or malicious traffic.
Performance Protection: Pillar of filter types that allow key applications to have prioritized
bandwidth access settings that ensure mission critical applications have adequate performance
during times of high congestion:
  Misuse and Abuse Filters: Protect the resources and usage of file sharing across networks and
  personal computers.
  Traffic Management: Filters that protect the network by shielding against IP addresses or
  permitting only a set of IP addresses.

category setting
The default action set assigned to a particular category of attack filter. Barring any action set
customizations, the system responds to an attack filter according to its category setting.

Classless Inter-Domain Routing (CIDR)


An address format similar to an IP address except that it is followed by a slash (/) and a specified
number of bits. The number of bits indicates the significant bits in the address. In the following
example, the IP source address of a packet must match all 32 bits of the IP address specified:
10.3.4.5/32

Connection Flood Filters


Filters that protect against Established Connection floods. The filter limits the number of simultaneous
open connections that occur between a client and server. A TCP established connection attack
originates an attack from an IP connection considered safe by the network. This attack generates
floods of full (3-way) established TCP connections using a safe or accepted IP address. It attempts to
flood the network by sending more connections than the system can handle. These attacks do not
harm data, but the flood can deny users access and connections to networks and services.

CPS Flood Filters


Filters that protect against Connection-Per-Second (CPS) floods. The filter limits the maximum rate at
which a client may open connections to a protected server. Each filter includes a threshold setting of
the calculated average number of connections per second to allow from a particular client.

Custom Shield Writer (CSW)


An optional, stand-alone, UnityOne application that lets you write your own custom filters for use on
IPS and SMS devices.

DDoS filters
Denial of Service filters that detect denial of service attacks. These attacks flood a network with
requests, including traditional SYN floods, DNS request floods against nameservers, and attempts to
use protected systems as reflectors or amplifiers in attacks against third parties. These filters detect
direct flood attacks and attacks hidden within larger packets and requests. These filters are part of the
Infrastructure Protection pillar of filters.

Digital Vaccine
Downloadable update that includes filters for protecting your network system. These filters provide
new signatures to protect against researched threats to network security. The Threat Management
Center (TMC) researches, creates, and distributes these filter packages from the following website:
https://tmc.tippingpoint.com.

exploit filters
Filters that protect software from malicious attacks across a network by detecting and blocking the
request. Exploits are attacks against a network using weaknesses in software such as operating systems
and applications. These attacks usually take the form of intrusion attempts and attempts to destroy or
capture data. These filters are part of the Application Protection pillar of filters.

filter
Policy of settings and rules for managing and blocking traffic on a network. Each filter includes an
action set that includes instructions for managing data and a category setting. The LSM includes
various types of filters, including Performance Protection, Application Protection, Infrastructure
Protection, and IP filter.

informational filters
Filters that provide a means for classic Intrusion Detection System (IDS) testing. An example of these
filters includes Blade signatures. These filters are part of the Application Protection pillar of filters.

Infrastructure Protection
Category, or pillar, of filter types that protect network bandwidth and network infrastructure elements
such as routers and firewalls from attack using a combination of traffic normalization, DDoS
protection, and application, protocol, and network equipment protection. These filters include DDoS,
network equipment protection, and traffic normalization filters.

Intrinsic Network High Availability (INHA)


Protects network availability or security against failures in the host and network processors.
User-configurable to block or permit all packets when in fallback state. Network traffic accesses a
segment. When that segment encounters an error, it sends an update of the IP flow to the next segment,
transferring the traffic. The segment receiving the transfer builds a connection table to then receive the
IP flow.

IP filter
A filter that blocks traffic based on the source, destination, port, protocol, and other parameters of the
traffic.

Intrusion Prevention System (IPS)
The first active network-defense system that provides true intrusion prevention. Based on
breakthrough high-speed security processors, UnityOne becomes part of the network infrastructure
and scours networks at 2 gigabits per second. Unlike intrusion detection systems, UnityOne
continually cleanses Internet and Intranet traffic, identifying and preventing attacks before damage to
critical resources occurs, ensuring network integrity and ultimately improving return on investment.

Local Security Manager (LSM)
A web-based management application that provides on-the-box administration, configuration, and
reporting for a single Intrusion Prevention System (IPS).

misuse and abuse filter
Filters that use the same algorithms as attack filters, but which block peer-to-peer protocol traffic.
These protocols are primarily used to share music and video files. They essentially turn a personal
computer into a file server, which makes its resources, as well as those of its host network, available to
the peer-to-peer community. These filters are part of the Performance Protection pillar of filters.

network discovery
The process by which the UnityOne system monitors the network for changes in the hosts and services.
You can use network discovery information to tune filters.

network equipment filters
Filters that detect and block malicious attacks that target equipment accessible through a network.
Network attacks may seek access broadly or target specific systems and data to corrupt on a network.
These filters are part of the Infrastructure Protection pillar of filters.

notification contacts
Recipients of alert messages. These contacts receive an email alert when a filter with the proper
notification contacts settings triggers. Contacts include staff with email accounts and the SMS
application.

packet trace
Allows you to capture all or part of a suspicious packet for analysis. You can set the packet trace priority
and packet trace verbosity for action sets.

Performance Protection
Category, or pillar, of filter types that allow key applications to have prioritized access to bandwidth
ensuring that mission critical applications have adequate performance during times of high
congestion. These filters include misuse and abuse, IP, and congestion/mitigation filters.

rate limiting
Setting in an action set that defines a maximum bandwidth that can be used by traffic that matches
filters assigned to that action set. Incoming traffic in excess of this bandwidth is dropped. If two or
more filters use the same rate limiting action set, then all packets matching these filters share the
bandwidth.
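The sharing behaviour described in the rate limiting entry (several filters bound to one rate-limiting action set draw from a single bandwidth budget, and excess packets are dropped) can be modelled with a token bucket. The following is an added example, not code from the guide or the product, and the token-bucket model, the one-second burst depth and the filter and action set names are assumptions made for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A packet is (arrival time in seconds, name of the filter it matched, size in bytes).
Packet = Tuple[float, str, int]


@dataclass
class RateLimitActionSet:
    """A rate-limiting action set modelled as a token bucket (assumed model, not the product's internals).

    Every filter bound to this action set draws from the same bucket, so matching
    packets from all of those filters share the configured bandwidth.
    """
    name: str
    rate_bps: int                 # configured maximum bandwidth, bits per second
    burst_bits: int               # bucket depth; assumed here to be one second of the rate
    tokens: float = field(init=False, default=0.0)
    last_refill: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bits)

    def admit(self, now: float, size_bytes: int) -> bool:
        """Return True if the packet fits in the remaining bandwidth, False if it must be dropped."""
        elapsed = max(0.0, now - self.last_refill)
        self.last_refill = now
        # Refill proportionally to elapsed time, never beyond the bucket depth.
        self.tokens = min(float(self.burst_bits), self.tokens + elapsed * self.rate_bps)
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def apply_rate_limits(packets: List[Packet],
                      binding: Dict[str, RateLimitActionSet]) -> Dict[str, Dict[str, int]]:
    """Run each packet through the action set its filter is bound to; count permitted/dropped per filter."""
    stats: Dict[str, Dict[str, int]] = {name: {"permitted": 0, "dropped": 0} for name in binding}
    for now, filter_name, size in packets:
        outcome = "permitted" if binding[filter_name].admit(now, size) else "dropped"
        stats[filter_name][outcome] += 1
    return stats


def demo() -> Dict[str, Dict[str, int]]:
    """Constructed scenario: two filters share one 1 Mbps action set, a third filter has its own."""
    shared = RateLimitActionSet("limit-1mbps-shared", rate_bps=1_000_000, burst_bits=1_000_000)
    own = RateLimitActionSet("limit-1mbps-own", rate_bps=1_000_000, burst_bits=1_000_000)
    # Hypothetical filter names bound to the two action sets.
    binding = {"p2p-filter-a": shared, "p2p-filter-b": shared, "streaming-filter": own}

    packets: List[Packet] = []
    # At t=0 each filter matches a burst of 100 packets of 1250 bytes (10,000 bits each).
    for _ in range(100):
        packets.append((0.0, "p2p-filter-a", 1250))
        packets.append((0.0, "p2p-filter-b", 1250))
        packets.append((0.0, "streaming-filter", 1250))
    # Half a second later filter A alone matches another 100 packets.
    for _ in range(100):
        packets.append((0.5, "p2p-filter-a", 1250))
    return apply_rate_limits(packets, binding)


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name}: {counts}")
```

In the constructed run the two filters on the shared action set split the one-second budget between them (50 packets each admitted, the rest dropped), while the filter with its own action set passes all 100 of its packets; the second burst from filter A is admitted only up to the bandwidth refilled in the intervening half second.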

reconnaissance filters
Filters that monitor for attacks that perform reconnaissance of the network. These attacks search
through your network using various methods to locate vulnerabilities. Once the attack has gathered
data by probing your system and scanning your network, it continues with pointed attacks against
those vulnerabilities. Reconnaissance filters look for these patterns and alert either the LSM or the
SMS when an attack is detected. These filters are part of the Application Protection pillar of filters.

Security Management System (SMS)
A Linux management server and Java-based client application for managing multiple IPS devices. It
provides coordination across your UnityOne system for administration, configuration, and
monitoring, attack filter customization, centralized distribution of upgrades, and enterprise-wide
reporting and trend analysis.

security policy filters
Filters that act as attack and policy filters. As attack filters, these filters compare packet contents with
recognizable header or data content in the attack along with the protocol, service, and the operating
system or software the attack affects. These attack filters require deployment knowledge and/or
operational policy. The Threat Management Center (TMC) develops these filters. These filters are part
of the Application Protection pillar of filters.

segment
Similar to a subnet. A segment comprises a group of hosts protected through a licensed pair of ports on
an IPS.

SNMP Server
Provides access to interface counters and other statistics, configuration data, and general system
information via the Simple Network Management Protocol (SNMP). The SNMP server must be
enabled to use SMS management or to allow NMS access.

sweep/scan filters
Filters that perform port scans and host sweeps to prevent any malicious code, attacks, and exceeded
threshold limits for traffic. Each filter scans a specific type of port and protocol to block attacks against
ports and hosts. These filters are part of the Application Protection pillar of filters.

SYN Proxy Filters
Filters that protect against SYN floods of the system. An attacker floods a server with malicious
connection requests (TCP SYNs) with spoofed source IP addresses, preventing legitimate clients from
accessing the server. The IPS acts as a proxy, synthesizing and sending the SYN/ACK packet back to the
originator, waiting for the final ACK packet. After the IPS receives the ACK packet from the originator,
the IPS then replays the three-step sequence to the receiver.
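The exchange described in the SYN Proxy entry can be traced step by step: the proxy answers every SYN itself, and only a client that returns a correct final ACK (so its source address is real) causes the handshake to be replayed to the protected server, while spoofed half-open entries age out of the proxy table without the server ever seeing them. The following is an added example, not code from the guide or the product; the table size limit, the idle timeout, the sequence-number handling and the addresses (RFC 5737 documentation ranges) are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (source IP, source port)


@dataclass
class SynProxy:
    """Minimal model of a SYN proxy standing between clients and a protected server."""
    max_half_open: int = 1000        # assumed cap on half-open entries held by the proxy
    half_open_timeout: float = 3.0   # assumed seconds before an unanswered SYN/ACK is forgotten
    half_open: Dict[Key, Tuple[int, float]] = field(default_factory=dict)  # key -> (our ISN, time)
    server_log: List[str] = field(default_factory=list)  # what the protected server actually receives
    dropped: int = 0
    _next_isn: int = 1000

    def on_client_syn(self, src: str, sport: int, now: float) -> str:
        """Answer the SYN on the server's behalf; the server is not contacted at this point."""
        self.expire(now)
        if len(self.half_open) >= self.max_half_open:
            self.dropped += 1
            return "drop"
        isn = self._next_isn
        self._next_isn += 1
        self.half_open[(src, sport)] = (isn, now)
        return f"SYN/ACK seq={isn}"

    def on_client_ack(self, src: str, sport: int, ack: int, now: float) -> bool:
        """Only a correct ACK, proving the source address is reachable, triggers the replay."""
        entry = self.half_open.get((src, sport))
        if entry is None or ack != entry[0] + 1:
            self.dropped += 1
            return False
        del self.half_open[(src, sport)]
        # Replay the three-step sequence towards the protected server for this client.
        self.server_log.append(f"SYN from {src}:{sport}")
        self.server_log.append(f"SYN/ACK to {src}:{sport}")
        self.server_log.append(f"ACK from {src}:{sport}")
        return True

    def expire(self, now: float) -> int:
        """Drop half-open entries whose SYN/ACK was never answered; return how many were removed."""
        stale = [k for k, (_, t) in self.half_open.items() if now - t > self.half_open_timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def simulate() -> dict:
    """Constructed scenario: 500 spoofed SYNs that never complete, one legitimate client that does."""
    proxy = SynProxy(max_half_open=1000, half_open_timeout=3.0)
    # Spoofed sources (constructed addresses) send SYNs only; nobody is there to answer the SYN/ACK.
    for i in range(500):
        proxy.on_client_syn(f"203.0.113.{i % 256}", 40000 + i, now=0.0)
    # A legitimate client completes the handshake with the proxy.
    reply = proxy.on_client_syn("198.51.100.7", 51515, now=1.0)
    isn = int(reply.split("seq=")[1])
    completed = proxy.on_client_ack("198.51.100.7", 51515, ack=isn + 1, now=1.1)
    # An ACK carrying the wrong acknowledgement number is rejected.
    bogus = proxy.on_client_ack("203.0.113.1", 40001, ack=1, now=1.2)
    # Time passes; the spoofed half-open entries age out of the proxy table.
    expired = proxy.expire(now=10.0)
    return {
        "completed": completed,
        "bogus_ack_accepted": bogus,
        "server_handshakes": len(proxy.server_log) // 3,
        "expired": expired,
        "remaining_half_open": len(proxy.half_open),
        "dropped": proxy.dropped,
    }


if __name__ == "__main__":
    print(simulate())
```

The point to take from the run is that the protected server completes exactly one handshake, the one from the client that answered, while the 500 spoofed requests consume only entries in the proxy's own table and are released by the timeout.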

traffic normalization filters
Filters that block network traffic when the traffic is considered malicious. These filters allow you to set
alerts to trigger when the system recognizes this traffic. Traffic pattern filters alert when network
traffic varies from normal. These filters are part of the Infrastructure Protection pillar of filters.

Threat Management Center (TMC)
A TippingPoint service center that monitors sensors around the world for the latest attack information
and builds and distributes attack filters. The TMC is available at the following URL:
https://tmc.tippingpoint.com

Threat Suppression Engine (TSE)
Blend of Application-Specific Integrated Circuits (ASICs) and network processors to detect unknown
threats and anomalies in your network traffic at ultra-high speeds. The TSE scans and reacts to
malicious attacks before they become a problem using the latest updates of operating system and
Digital Vaccine packages.

Transparent Network High Availability (TNHA)
Protects network availability or security against failures in the host and network processors and
maintains traffic flow without losing time transferring the flow. User-configurable to block or permit
all packets when in fallback state. Network traffic accesses a segment. When that segment encounters
an error, it sends an update of the IP flow to the next segment, transferring the traffic. The segment
receiving the transfer refers to a connection table that receives constant updates from the primary
segment.

vulnerabilities filters
Filters that detect and block attacks against vulnerabilities in the network. These filters determine if a
vulnerability exists based on traffic requests and the reaction by services. These filters are part of the
Application Protection pillar of filters.

vulnerability probing filters
Filters that detect scans for vulnerabilities in the system. These filters block probing attacks,
protecting access and evaluating requests. These filters are part of the Application Protection pillar of
filters.

Index
A
access level
user 207
account security levels
level 0 208
level 1 208
level 2 208
action set 253
blacklisted IPs 170
defined 100
action sets 100
category 255
flow control 100
notification contacts 100
packet trace 100
action sets
Block 100
Block + Notify 100
Block + Notify + Trace 101
create 104
Permit + Notify 101
Permit + Notify + Trace 101
rate-limiting 102
Recommended 101
adaptive aggregation 161
adaptive filter 161
adaptive filter config 41, 46, 49, 71, 77, 88
add a network route 148
admin 205
page 10, 206
Administration 205
administration
user 205
administrator 207
Advanced DDoS
CPS Flood filters 56
SYN floods 56
Advanced DDoS filters 56
Connection Flood 56
aggregation
alert, alert aggregation 107
aggregation count 106
aggregation period 106, 108, 111, 254
alert aggregation 106
period 107
Application Protection 23, 31
attack protection filters 32
exploit filters 34
vulnerabilities filters 34
filter exceptions 50
informational filters 46
reconnaissance filters 36
filter tuning 39
port scans, host sweeps 39
vulnerability probing 37
security prevention filters 43
settings 49

architecture 3
asymmetric network 159, 160
attack filter 254
attack filters
contacts 106
attack protection filters 32
exploit filters 34
vulnerabilities filters 34
Attacks 127
attacks by severity 113
attacks filters
enable 98
audit log
view 216

B
blacklist IPs 104, 105
blacklisted IPs 170
Block 100
Block + Notify 100
Block + Notify + Trace 101
blocked streams 163
boot time 19
browser certificates 237, 238, 239, 240, 243, 245

C
category 255
action sets 100
category settings 94
add category setting 96
delete segmental category 98
disable filter category 99
override 99
edit segmental category 97
enable filter category 98
override 98
certificate authority 240
certificates 237
client authentication message 238
example 245
security alert 239
certificate authority 240
invalid certificate name 243
CIDR 255
Classless Inter-Domain Routing 255
CLI server 145
client authentication message 238
clients
local 7
SMS 3
CMOS 148
configuration
management port 142
NMS 152
routing options 147
segment 139
segment INHA 138
SMS 152
timekeeping 148
TSE 159, 161, 163, 165
configuration network HA 155
INHA 157
TNHA 158
configuration, segment 137
Configure
SNMP 153
configure
asymmetric network 160
Link-Down Synchronization 141
logging mode 160
NMS 155
page 9, 136
remote system log 110, 111
segment 141
SMS 154
SNMP 154
TSE 160
Configure INHA 138
Connection Flood 56
connection table timeout 159
contacts, attack filters 106
CPS Flood filters 56
create
action sets 104
filters 29
Advanced DDoS 60
Advanced DDoS UnityOne5000E 67
traffic management 91
traffic threshold 80
non standard ports 167, 169
notification contact 108
user 209, 210
creating
personal certificates 245
critical thresholds 184
CSW 256
Custom Shield Writer 256
customer support xviii

D
DDoS 2, 23, 55, 256
attacks, solutions 59
amplifiers 59
indistinguishable requests 59
randomized requests 59
unsolicited responses 59
reflectors 59
DDoS filters 56
default
email settings 108
delete
category
segmental 98
filters 30
non standard ports 167, 169
notification contact 111
operating system images 202
device health 173, 175
devices 6
Digital Vaccine 195
disable
filter category 99
override 99
discover
page 186
scan 187
check 189
delete 191
details 190
edit 190
in-progress 190
manual 189
rescan 190
scans
prepare 186
schedule scan 191
download
update
signature 196

E
edit
filters
Advanced DDoS 62
Advanced DDoS UnityOne5000E 68
attack protection 34
informational 48
misuse and abuse 87
network equipment protection 70
normalization 75
port scans, host sweeps 42
security policy 45
traffic management 92
traffic threshold 82
vulnerability probing 40
notification contacts 109
email
default settings 108
email failure 109
email preferences 108
enable
filter category 98
override 98

enable attack filters 98
exceptions
Application Protection 49, 50
expiration
password 212
exploit filters 34

F
filters 23, 256
action sets 100
adaptive filter config 41, 46, 49, 71, 77, 88
Application Protection 23, 31
attack protection filters 32
exploit filters 34
vulnerabilities filters 34
filter exceptions 50
informational filters 46
reconnaissance filters 36
filter tuning 39
port scans, host sweeps 39
vulnerability probing 37
security policy filters 43
settings 49
attack filters 254
category 255
disable 99
override 99
enable 98
override 98
category settings 94
add category setting 96
delete segmental category 98
edit segmental category 97
create 29
Advanced DDoS 60
Advanced DDoS UnityOne5000E 67
traffic management 91
traffic threshold 80
DDoS 2, 256
delete 30
edit
Advanced DDoS 62
Advanced DDoS UnityOne5000E 68
attack protection 34
informational 48
misuse and abuse 87
network equipment protection 70
normalization 75
port scans, host sweeps 42
security policy 45
traffic management 92
traffic threshold 82
vulnerability probing 40
enable 98
exceptions
Application Protection 49
Infrastructure Protection
DDoS 23
Infrastructure Protection 23, 55
Advanced DDoS 56
DDoS 55
network equipment protection 69
traffic normalization filters 72
traffic threshold filters 77
manage 25
view 26
notification contacts 106
overview 23
page 8, 25
Performance Protection 23, 83
misuse and abuse 84
traffic management filters 88
pillars
Application Protection 2, 255
Infrastructure Protection 2, 255
Performance Protection 2, 255
rate-limiting 102
reset
traffic threshold 83
search 28
update 195

G
getting started 11
guide
audience xi
convention
note xv
tip xv
conventions xiii
caution xv
warning xv
organization xii
related documentation xvi
screen captures xiv

H
HA
sympathetic 139
hardware
monitor 173
health
module 179, 180
performance/throughput 177
system stats 20
High 138
high availability 20, 155
INHA 157
TNHA 158

host sweeps filters 36, 39, 52
HTTP 145

I
icons 27
copy 27
delete 27
edit 27
filter exception 27
launch bar 17
reset 27
image
deleting 202
informational filters 46
Infrastructure Protection 23, 55
Advanced DDoS filters 56
DDoS 55
network equipment protection 69
traffic normalization filters 72
traffic threshold filters 77
INHA 6, 139, 141, 157, 182, 257
interface
launch bar 16
main pane 21
system stats 17
Intrinsic Network High Availability 257
Intrusion Prevention System 257
invalid certificate name 243
IP filter 257
IPS 2, 6, 257

L
launch bar 16
icons 17
layout
LSM screen 16
level
user access 207
Link-Down Synchronization 139, 141
local clients 7
Local Security Manager 2, 257
overview 8
log
system
view 216
logging in 14
logging mode 160
login name
valid 210
logs
formats
1.4 249
page 9, 114
reports
attacks 129
DDoS 131
rate limit 130
top ten filters 128
traffic profile 129
traffic threshold 130

LSM 2, 257
launch bar 16
login 14
timeout 15
main pane 21
overview 1, 8
admin page 10
configure page 9
filters page 8
getting started 11
logs page 9
monitor page 9
SMS configuration 12
system requirements 12
UnityOne 2
update page 9
packet statistics 19
system stats 17
timeout 15
LSM screen layout 16
LSM Server 145

M
main pane 21
manage
filters 25
management console 111
management port
configuration 142
memory usage 176
misuse and abuse 84, 257
misuse and abuse filters 84
modify
user 209
module
health 179, 180
Intrinsic Network HA 182
Multi-Zone Defense 181
monitor 173
hardware 173
page 9, 174
preferences 183
More Reports 126
MZD 181

N
navigation
LSM 13
overview 16
network equipment protection filters 69
network HA 155, 157, 158
NMS 152, 153
configure 155
non standard ports 167, 169
notes
security 14
notification contacts 106, 257
alert aggregation 106, 107
create 108
delete 111
edit 109
email alert limit 106
email failure 109
email preferences 108
email settings 108

O
operating system
delete old images 202
rollback 200
update 193
operator 207
options, port 138
options, routing 138
overview 1

P
packet count 106
packet statistics 19
password
expiration 212
valid 210
Peer-to-Peer filter 257
performance 177
Performance Protection 23, 83
traffic management filters 88
Performance Wizard 177
period
alert aggregation 107
Permit + Notify 101
Permit + Notify + Trace 101
policy
action sets 100
port options 138
port scans filters 36, 39, 52
ports, non standard 167, 169
preferences
monitor 183

R
rate limited streams 165
rate-limiting 102, 258
model 100E 103
model 1200 103
model 200 103
model 2400 103
model 400 103
model 50 103
model 5000E 103
Recommended 101
reconnaissance filters 36
filter tuning 39
port scans, host sweeps 39
vulnerability probing 37
related documentation xvi
remote syslog format 250

reports
attacks 129
DDoS 131
preferences 132
rate limit 130
top ten filters 128
traffic profile 129
traffic threshold 130
Reports, Top Ten 127
requirements
system 12
reset
traffic threshold filters 83
reset, TCP 100
results
scan 190
role
user 207
rollback
operating system 200
states, messages 197
route, add a network route 148
routing options 138, 147

S
scan
results 190
scans
check 189
delete 191
edit 190
in-progress 190
perform 187
manual 189
rescan 190
view 190
schedule scan 191
search
filters 28
security alert 239
certificate authority 240
invalid certificate name 243
Security Management System 3, 258
SECURITY NOTES 14
security policy filters 43
segment 258
configuration 177
segment configuration 137
servers 145
services, host management port 145
signature
update
download 196
signatures
update 193
SMS 152, 258
client 3
configure 154
NMS 155
server 4
SNMP 152, 153, 258
SNTP 108, 148
software update 196
states, messages 197
SSH 145
super-user 207

synchronization 139
sympathetic HA 139
SYN Proxy 56
system boot time 19
system log
view 216
system requirements 12
System Stats 17
system boot time 19
system stats 17
health 20
high availability 20
packet statistics 19
system boot time 19
versions 21

T
TCP reset 100
tech support xviii
telnet 145
Threat Management Center xviii, 259
Threat Management Center (TMC) 195
Threat Suppression Engine 5
configuration 159
adaptive filter config 161
blocked streams 163
general 159
rate limited streams 165
thresholds
critical 184
throughput 177
timekeeping 148
CMOS 148
SNTP 148
timeout
LSM 15
TMC xviii, 195, 259
login 195
registration 195
TNHA 6, 158, 259
Top Ten reports 127
Traffic 127
traffic management filters 88
traffic normalization filters 72
traffic threshold filters 77
Transparent Network High Availability 259
troubleshooting 247, 249
trusted 89
TSE 5, 159
adaptive filter config 161
blacklisted IPs 170
blocked streams 163
non standard ports 167, 169
rate limited streams 165

U
UnityOne 2
architecture 3
high availability 6
IPS 6
local clients 7
SMS client 3
SMS server 4
Threat Suppression Engine 5
overview 1
update 193
Digital Vaccine 193
filter 195
filters 193
operating system 193
page 9, 194
signature
download 196
signatures 193
software 196
states, messages 197
Update, Attack Filter 195
usage
memory 176
user
access level 207
administration 205
create 209, 210
modify 209
valid names 210
valid password 210

V
valid password data 210
valid user data 210
versions
in system stats sidebar 21
view
audit log 216
filters 26
system log 216
vulnerabilities filters 34
vulnerability probing filters 36, 37, 52
