Chapter 3 IPS Filtering

Adaptive Filter Configuration

You can configure the global settings for the Adaptive Filter from the IPS Preferences page (IPS > IPS Preferences) and the Configure Adaptive Filter Events page (Events > Reports > Adaptive Filter). At the filter level, you have the option to disable Adaptive Filter configuration so that a filter is never impacted by Adaptive Filter settings on the device. For details, see “Edit DV Filter Category Settings” on page 29.

For additional information, see the following topics:

“How Adaptive Filtering Works” on page 60

“Restrictions” on page 60

“Tuning Adaptive Filter Configuration” on page 60

How Adaptive Filtering Works

Adaptive Filtering is a mechanism to configure the Threat Suppression engine to automatically manage filter behavior when the X family device is under extreme load conditions. This feature protects your network against the potential adverse effects of a filter that interacts poorly with the network environment by preventing the device from entering High Availability mode.

Adaptive filtering works by monitoring each filter to identify any suspected of causing congestion. When it identifies a filter, it manages the filter using one of the following methods, depending on how the global or filter-level Adaptive Filtering is configured:

Automatic Mode — This setting enables the device to automatically disable the problematic filter and generate a system message regarding it.

Manual — This setting enables the device to generate a system message regarding the problematic filter. However, the filter is not disabled.

Restrictions

You cannot configure adaptive filter settings for Traffic Threshold, Reconnaissance, or Traffic Normalization filters.

Tuning Adaptive Filter Configuration

You can view the ten filters most recently affected by the Adaptive Filter Configuration in the Ten Most Recent table available on the IPS Preferences page and the Configure Adaptive Filter Events page (Events > Reports > Adaptive Filter). From this table, you can click on a filter name to change the global or filter-level AFC settings. For details on this table, see Table 5–16, “TSE Adaptive Filter Configuration Details,” on page 126. You can manage global AFC configuration by modifying the Mode and Log Severity settings on either the IPS Preferences page or the Configure Adaptive Filter Events page.

Configure the global TSE Adaptive Filter Setting

STEP 1 From the LSM menu, select IPS > Preferences.

STEP 2 On the IPS Preferences page in the Adaptive Configuration Settings table, select the mode:

Automatic Mode — This setting enables the X family device to automatically disable and log any defective filter.

Manual — This setting enables the device to log any defective filter without disabling it.

60 X Family LSM User’s Guide V 2.5.1