Amer Networks E5Web GUI User Manual
Page 685

• Host Based: The threshold is applied separately to connections from different IP addresses.
• Network Based: The threshold is applied to all connections matching the rules as a group.
Rule Actions
When a Threshold Rule is triggered, one of two responses is possible:
• Audit: Leave the connection intact but log the event.
• Protect: Drop the triggering connection.
Logging would be the preferred option if the appropriate triggering value cannot be determined
beforehand. A rule can also have multiple actions: for example, Audit for a given threshold and
Protect for a higher threshold.
Multiple Triggered Actions
When a rule is triggered then cOS Core will perform the associated rule actions that match the
condition that has occurred. If more than one action matches the condition then those matching
actions are applied in the order they appear in the user interface.
If several actions that have the same combination of Type and Grouping (see above for the
definition of these terms) are triggered at the same time, only the action with the highest
threshold value will be logged.
Exempted Connections
It should be noted that some advanced settings, known as Before Rules settings, can exempt
certain types of connections for remote management from examination by the cOS Core IP rule
set if they are enabled. These Before Rules settings will also exempt the connections from
Threshold Rules if they are enabled.
Threshold Rule Blacklisting
If the Protect option is used, Threshold Rules can be configured so that the source that triggered
the rule is added automatically to a Blacklist of IP addresses or networks. If several Protect actions
with blacklisting enabled are triggered at the same time, only the first triggered blacklisting
action will be executed by cOS Core.
A host based action with blacklisting enabled will blacklist a single host when triggered. A
network based action with blacklisting enabled will blacklist the source network associated with
the rule. If the Threshold Rule is linked to a service then it is possible to block only that service.
When blacklisting is selected, the administrator can choose to leave pre-existing connections
from the triggering source unaffected, or can alternatively choose to have the connections
dropped by cOS Core.
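
The following is an added example, not part of the manual and not cOS Core code. It is a simplified Python model of the behaviour described above (grouping, Audit and Protect actions, logging of only the highest threshold, and first-blacklist-wins) that can be used to reason about threshold values before configuring them. The names Action, evaluate, RULE and RULE_NET are hypothetical, and the model assumes a single threshold Type (a count of open connections) that triggers when the count exceeds the threshold.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    grouping: str            # "host" or "network"
    threshold: int           # assumed: limit on open connections
    response: str            # "audit" or "protect"
    blacklist: bool = False  # only meaningful with "protect"

def evaluate(actions, open_conns, new_src, rule_net):
    """Model one new connection from new_src arriving at a Threshold Rule.

    open_conns: source IPs of open connections already matching the rule.
    rule_net:   source network the rule is defined for.
    Returns (dropped, logged_actions, blacklisted_source).
    """
    counts = {
        "host": Counter(open_conns)[new_src] + 1,  # per source IP
        "network": len(open_conns) + 1,            # all sources as a group
    }
    # Matching actions are applied in the order they are listed.
    matched = [a for a in actions if counts[a.grouping] > a.threshold]
    dropped = any(a.response == "protect" for a in matched)
    # Same grouping triggered together: only the highest threshold is logged.
    logged = {}
    for a in matched:
        best = logged.get(a.grouping)
        if best is None or a.threshold > best.threshold:
            logged[a.grouping] = a
    # Only the first triggered blacklisting action is executed.
    first = next((a for a in matched
                  if a.response == "protect" and a.blacklist), None)
    blacklisted = None
    if first is not None:
        blacklisted = new_src if first.grouping == "host" else rule_net
    return dropped, list(logged.values()), blacklisted

# Constructed rule: audit early, protect and blacklist at a higher threshold.
RULE = [
    Action("host", 3, "audit"),
    Action("host", 5, "protect", blacklist=True),
    Action("network", 8, "audit"),
]
RULE_NET = "203.0.113.0/24"  # constructed documentation range
```

Running the Audit threshold in this model against counts taken from real traffic shows which sources would have been dropped or blacklisted at a candidate Protect threshold before that action is enabled.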
Chapter 10: Traffic Management