Configuring a Traffic Alarm


Article ID: KB4213 KB Last Updated: 07 Oct 2011Version: 5.0
Summary:
Configuring a Traffic Alarm
Symptoms:

Solution:

A NetScreen device raises a traffic alarm when traffic matching a policy exceeds the threshold you define in that policy. You can configure the device to notify you through one or more of the following methods whenever a traffic alarm is generated:

  • Console
  • Internal (Event Log)
  • Email
  • SNMP
  • Syslog
  • WebTrends
  • NetScreen-Global PRO

You set alarm thresholds to detect anomalous activity. To know what constitutes anomalous activity, you must first establish a baseline of normal activity by observing traffic patterns over a period of time. Once you have determined the amount of traffic you consider normal, set the alarm threshold above that amount. Traffic exceeding the threshold triggers an alarm that calls your attention to the deviation from the baseline; you can then evaluate what caused it and whether you need to act. Traffic alarms can also serve as policy-based intrusion detection: a deny policy with counting and a very low threshold fires on the first attempt to reach a host or service that should never be contacted, which is a useful signal of a probing or compromised system.

Note: In this example, a Web server named web1 with IP address 211.20.1.5 sits in the DMZ zone. The goal is to detect any attempt from the Untrust zone to reach this Web server via Telnet. To accomplish this, create a policy denying Telnet traffic from any address in the Untrust zone to web1 in the DMZ zone, enable counting on that policy, and set its traffic alarm threshold to 64 bytes/sec. The threshold is deliberately set to the minimum Ethernet frame size, 64 bytes, so that a single Telnet connection attempt from the Untrust zone is enough to trigger the alarm. The policy therefore both drops the traffic and notifies you of it.

To configure a traffic alarm, perform the following steps:

Step one: Log in to the NetScreen WebUI.
Step two: From the NetScreen options menu, click Objects, select Addresses, and then click List.

Image of step two

Step three: Click New.

Image of step three

Step four: In the Address Name text box, enter an Address Name (web1 in this example).

Image of step four and five

Step five: Under IP Address/Domain Name, select IP/Netmask. In the IP/Netmask text box, enter the server's address and a host netmask (211.20.1.5 with netmask 255.255.255.255 in this example, so that the entry matches only that host).

Step six: In the Zone drop-down menu, click to select DMZ.

Image of step six and seven

Step seven: Click OK.

Step eight: From the NetScreen options menu, click Policies.

Image of step eight

Step nine: In the From drop-down menu, click to select Untrust. In the To drop-down menu, click to select DMZ.

Image of step nine and ten

Step ten: Click New.

Step eleven: In the Name (optional) text box, enter a policy name.

Image of step eleven

Step twelve: Under Source Address, click to select Address Book. In the Address Book drop-down menu, click to select Any.

Image of step twelve and thirteen

Step thirteen: Under Destination Address, click to select Address Book. In the Address Book drop-down menu, click to select web1.

Step fourteen: In the Service drop-down menu, click to select TELNET. In the Action drop-down menu, click to select Deny.

Image of step fourteen

Step fifteen: Click Advanced.

Image of step fifteen

Step sixteen: Click to select Counting.

Image of step sixteen and seventeen

Step seventeen: Under Alarm Threshold, enter the threshold in the Bytes/Sec text box (64 in this example). The KBytes/Min field can be left at 0 if you do not want a per-minute threshold.

Step eighteen: Click Return.

Image of step eighteen

Step nineteen: Click OK.

Image of step nineteen

Note: The alarm threshold is now set. Two checks before relying on it: ScreenOS evaluates policies from top to bottom and places a new policy at the bottom of the Untrust-to-DMZ list, so if an earlier policy already permits or denies Telnet to web1, this policy never matches and the alarm never fires; move it above any such policy. The alarm also only reaches the notification destinations you have enabled (for example Event Log, syslog or SNMP), so confirm those are configured.

Image of note
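The same configuration entered from the ScreenOS CLI, added here as an example that is not part of the original KB article. It assumes the example's names and addresses (zone Untrust to zone DMZ, address book entry web1 for 211.20.1.5) and the ScreenOS `set policy ... count alarm <bytes/sec> <kbytes/min>` syntax; the syslog lines (with the placeholder collector 10.0.0.5) and the `get alarm traffic` verification command are assumed from the ScreenOS CLI and shown only to illustrate wiring the alarm to a notification method.

```text
# Address book entry for the Web server in the DMZ zone (WebUI steps 2 to 7)
set address dmz web1 211.20.1.5/32

# Deny Telnet from any Untrust address to web1, enable counting, and set the
# traffic alarm threshold to 64 bytes/sec and 0 KBytes/min (WebUI steps 8 to 19).
# A deny policy with counting still counts the dropped traffic, which is what
# makes the alarm fire on a single connection attempt.
set policy from untrust to dmz any web1 telnet deny count alarm 64 0

# Send alarms to a syslog collector (assumed syntax; 10.0.0.5 is a placeholder).
# Without an enabled destination the alarm is only visible on the device.
set syslog config "10.0.0.5" facilities local0 local0
set syslog enable

# Commit to flash
save

# Verify: the policy should appear in the Untrust-to-DMZ list, above any earlier
# policy that would also match Telnet to web1. After an Untrust host attempts
# Telnet to 211.20.1.5, the alarm shows up under traffic alarms.
get policy from untrust to dmz
get alarm traffic
```

To test the alarm, attempt a Telnet connection to 211.20.1.5 from a host in the Untrust zone and then check `get alarm traffic` and the configured destinations; if nothing appears, the usual cause is an earlier policy matching the traffic first.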


