Chapter 3 IPS Filtering

Traffic Threshold Filters

Note The default X family configuration does not include any Traffic Threshold filters. You must create them based on your network requirements.

Traffic threshold filters alert you and the device when network traffic varies from the norm. The device determines normal traffic patterns based on the network statistics over time. You can set four types of thresholds for each filter:

major increase — Traffic is greatly over the set threshold.

minor increase — Traffic is slightly over the set threshold.

minor decrease — Traffic is slightly below the set threshold.

major decrease — Traffic is greatly under the set threshold.

Thresholds are expressed as a “% of normal” traffic. For example, a threshold of 150% would fire if traffic exceeded the “normal” amount by 50%. A threshold of 60% would fire if the level of traffic dropped 40% below the “normal” amount of traffic.

Note Network traffic rates are inherently erratic and can vary as much as 50% above or below the normal level on a regular basis. When you set up Traffic Threshold filters, avoid setting small variation percentages for minor and major thresholds to prevent the Traffic Threshold filter from triggering too often.

You can configure an action set for each threshold level configured for the Traffic Threshold filter. When the filter triggers, the device executes the action specified for the threshold setting that triggered the filter. You can also configure traffic thresholds to monitor traffic on the network without taking any action. All traffic threshold activity is recorded in the Traffic Threshold report (Events > Reports > Traffic Threshold).

Thresholds trigger when the traffic flow rises above the Above Normal threshold or falls below the Below Normal threshold by the set amounts. When traffic exceeds a threshold and then returns to normal levels, the device executes the action specified for the threshold that triggered the filter and generates an alert. These alerts inform you of the triggered filter, when the thresholds were exceeded and returned to normal, and the exceeded amount. After the filter triggers, you must reset it to re-establish it for use in the device. The filter is not disabled, but it does require resetting.

Note A triggered Traffic Threshold filter will not be applied to traffic until you manually reset it.
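The following model, added here as an illustration and not part of the LSM product or this guide, shows how the four “% of normal” levels, the per-level action sets, and the reset requirement fit together. The baseline calculation (a plain mean of past samples), the filter name, the action names and the sample rates are all constructed assumptions; the guide does not specify how the device derives “normal” traffic. The too_tight() check encodes the note above about routine variation of up to 50%.

```python
"""Model of Traffic Threshold filter evaluation (illustrative, not the device's code).

Thresholds are a percentage of the 'normal' rate; a triggered filter is latched
and is not applied again until it is manually reset.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Sequence, Tuple

LEVELS = ("major increase", "minor increase", "minor decrease", "major decrease")


def baseline_rate(samples: Sequence[float]) -> float:
    """'Normal' traffic for this model: the mean of past samples.

    Assumption: the guide only says the device derives normal from statistics
    gathered over time, so any smoothing method could be substituted here.
    """
    if not samples:
        raise ValueError("need at least one historical sample")
    return mean(samples)


@dataclass
class TrafficThresholdFilter:
    """One Traffic Threshold filter with four levels expressed as '% of normal'."""
    name: str
    major_increase: float = 200.0   # fires at twice normal or more
    minor_increase: float = 150.0   # fires at 50% above normal
    minor_decrease: float = 50.0    # fires at 50% below normal
    major_decrease: float = 25.0    # fires at 75% below normal
    # Action set per level; a level absent here is 'monitor only' (recorded, no action).
    actions: Dict[str, str] = field(default_factory=dict)
    triggered_by: Optional[str] = None  # latched level; None while the filter is armed

    def __post_init__(self) -> None:
        if not (self.major_decrease < self.minor_decrease < 100.0
                < self.minor_increase < self.major_increase):
            raise ValueError("thresholds must satisfy major_dec < minor_dec < 100 < minor_inc < major_inc")

    def level(self, observed: float, normal: float) -> Optional[str]:
        """Classify an observed rate against the baseline; None means within normal."""
        pct = 100.0 * observed / normal
        if pct >= self.major_increase:
            return "major increase"
        if pct >= self.minor_increase:
            return "minor increase"
        if pct <= self.major_decrease:
            return "major decrease"
        if pct <= self.minor_decrease:
            return "minor decrease"
        return None

    def evaluate(self, observed: float, normal: float) -> Tuple[Optional[str], Optional[str]]:
        """Apply the filter to one traffic sample and return (level, action).

        Once triggered the filter stays latched: further samples return
        (None, None) until reset() is called, mirroring the manual reset step.
        """
        if self.triggered_by is not None:
            return None, None
        lvl = self.level(observed, normal)
        if lvl is None:
            return None, None
        self.triggered_by = lvl
        return lvl, self.actions.get(lvl, "monitor")

    def reset(self) -> None:
        """Re-arm the filter after it has triggered."""
        self.triggered_by = None

    def too_tight(self, noise_pct: float = 50.0) -> List[str]:
        """Levels whose threshold lies inside the routine +/- noise band around normal.

        Such levels will fire on ordinary fluctuation rather than on a real change.
        """
        thresholds = {
            "major increase": self.major_increase,
            "minor increase": self.minor_increase,
            "minor decrease": self.minor_decrease,
            "major decrease": self.major_decrease,
        }
        return [lvl for lvl in LEVELS if abs(thresholds[lvl] - 100.0) < noise_pct]


def run_demo() -> List[Tuple[float, Optional[str], Optional[str]]]:
    """Replay constructed rates (Mbit/s) through one filter and record what fires."""
    history = [95.0, 105.0, 100.0, 98.0, 102.0]          # constructed past samples
    normal = baseline_rate(history)                     # 100.0 in this model
    f = TrafficThresholdFilter("segment-a",             # constructed name
                               actions={"major increase": "block+notify",
                                        "minor increase": "notify"})
    events = []
    events.append((120.0,) + f.evaluate(120.0, normal))  # within normal: nothing fires
    events.append((170.0,) + f.evaluate(170.0, normal))  # minor increase -> notify, filter latches
    events.append((250.0,) + f.evaluate(250.0, normal))  # ignored: filter not applied until reset
    f.reset()
    events.append((250.0,) + f.evaluate(250.0, normal))  # major increase -> block+notify
    return events


if __name__ == "__main__":
    for rate, lvl, action in run_demo():
        print(f"{rate:6.1f} Mbit/s -> {lvl or 'normal':15} action={action}")
    print("too tight:", TrafficThresholdFilter("x", minor_increase=120.0).too_tight())
```

The third sample in run_demo() is the point to notice: a burst well past the major threshold goes unreported because the earlier minor trigger is still latched, which is why a triggered filter should be reset promptly once its alert has been handled.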

Traffic Threshold filter events are recorded in the Alert and Block logs (Events > Logs), based on the action set specified for the filter. Information on traffic threshold events is also available in the Traffic Thresholds report (Events > Reports > Traffic Threshold).

For additional information on managing and configuring Traffic Threshold filters, see the following topics:

“Managing Traffic Threshold Filters” on page 39

“Create or Edit a Traffic Threshold Filter” on page 41

38 X Family LSM User’s Guide V 2.5.1