Checklist for initial configuration of the protection policy

1. Make sure the routing rules for the policy are set.
Make sure that the routing rules are set for the policy on the “Policy Setup” tab of the “Protection policy” page.

2. Configure the policy to display only the necessary countermeasures.
You can hide countermeasures that are not used in the policy by clicking the icon above the list of countermeasures. The “Hide all” button hides every countermeasure of the policy except the active ones (countermeasure enabled, learning enabled, or autodetection enabled).

3. Set up countermeasures.
How each countermeasure works is described in the built-in help. Choose the parameter values based on the specifics of the protected service and the characteristics of the traffic passing through the policy.

4. Set up automatic packet capture.
Set automatic packet capture settings on the “Packet capture” tab of the protection policy. In the event of an attack, the mechanism will automatically dump traffic according to the specified parameters and send it to the specified email.

5. Set up autodetection.
Set auto-detection settings on the “Autodetection” tab of the protection policy.

  1. Set the automatic activation and deactivation parameters for each countermeasure that is expected to be activated by the autodetection mechanism.

  2. Set the Policy.Status. thresholds to change the indication in the policy.

  3. Set the Incidents. thresholds above which an incident is registered in the system. It is recommended not to set these thresholds to zero, so that small sporadic drops are not reported as incidents.

  4. Set the PCAP. thresholds above which the automatic packet capture mechanism will be activated.
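The effect of the threshold choice above can be seen in a small simulation. The following code is an added illustration, not the product's own autodetection logic: the threshold names mirror the page's prefixes (Policy.Status., Incidents., PCAP.), but the units (dropped packets per second), the rising-edge registration of incidents and captures, and the consecutive-sample hysteresis for activating and deactivating a countermeasure are all assumptions made for this example. The per-second drop counts are constructed: a single sporadic drop at second 4 followed by a sustained burst from second 10 to 19.

```python
"""Toy model of threshold-based autodetection (added example, not product code).

Assumed semantics, chosen for this illustration only:
  * samples are dropped packets per second;
  * an incident / a packet capture is registered when a sample first rises
    above the corresponding threshold (rising edge), not on every sample;
  * a countermeasure is activated after `activate_after` consecutive samples
    above the Policy.Status. threshold and deactivated after
    `deactivate_after` consecutive samples at or below it.
"""
from dataclasses import dataclass, field


@dataclass
class Thresholds:
    status: int                # Policy.Status.*  (changes the policy indication)
    incident: int              # Incidents.*      (incident registered above this)
    pcap: int                  # PCAP.*           (automatic capture above this)
    activate_after: int = 3    # consecutive samples above `status` to activate
    deactivate_after: int = 5  # consecutive samples at/below `status` to deactivate


@dataclass
class Autodetector:
    t: Thresholds
    active: bool = False
    events: list = field(default_factory=list)
    _above: int = 0
    _below: int = 0
    _in_incident: bool = False
    _capturing: bool = False

    def feed(self, second: int, dropped_pps: int) -> None:
        """Process one per-second sample of dropped traffic."""
        # Activation / deactivation with hysteresis (assumed rule).
        if dropped_pps > self.t.status:
            self._above += 1
            self._below = 0
        else:
            self._below += 1
            self._above = 0
        if not self.active and self._above >= self.t.activate_after:
            self.active = True
            self.events.append((second, "activate"))
        elif self.active and self._below >= self.t.deactivate_after:
            self.active = False
            self.events.append((second, "deactivate"))

        # Incident and capture are registered on the rising edge (assumed).
        over_incident = dropped_pps > self.t.incident
        if over_incident and not self._in_incident:
            self.events.append((second, "incident"))
        self._in_incident = over_incident

        over_pcap = dropped_pps > self.t.pcap
        if over_pcap and not self._capturing:
            self.events.append((second, "pcap"))
        self._capturing = over_pcap

    def count(self, kind: str) -> int:
        return sum(1 for _, k in self.events if k == kind)


# Constructed per-second drop counts: quiet, one sporadic drop at second 4,
# then a sustained burst from second 10 to 19, then quiet again.
SAMPLES = [0, 0, 0, 0, 3, 0, 0, 0, 0, 0] + [500] * 10 + [0] * 6


def run(thresholds: Thresholds) -> Autodetector:
    d = Autodetector(thresholds)
    for sec, pps in enumerate(SAMPLES):
        d.feed(sec, pps)
    return d


def compare() -> dict:
    """Zero thresholds versus tuned thresholds on the same sample stream."""
    zero = run(Thresholds(status=0, incident=0, pcap=0))
    tuned = run(Thresholds(status=50, incident=100, pcap=300))
    return {
        "zero_incidents": zero.count("incident"),    # sporadic drop + burst
        "tuned_incidents": tuned.count("incident"),  # burst only
        "zero_pcaps": zero.count("pcap"),
        "tuned_pcaps": tuned.count("pcap"),
        "tuned_activation": [e for e in tuned.events
                             if e[1] in ("activate", "deactivate")],
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

With all thresholds at zero the single dropped packet at second 4 registers its own incident and triggers a capture; with non-zero thresholds only the real burst does, and the countermeasure activates at second 12 (three samples above the status threshold) and deactivates at second 24 (five quiet samples), which is the behaviour the recommendation in step 5 is aiming for.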

6. (Optional) Check the effect on legitimate traffic via the test mode.
Activate the protection policy test mode on the “Policy settings” tab and make sure that the countermeasure settings are correct according to their graphs.

7. Enable the protection policy.
Activate the “Enable protection” switch in the upper left corner of the policy page.

8. (Optional) Configure the log analyzer.
If the protected web servers deliver their logs via syslog, set the rules that define the criteria for detecting anomalies in the logs of the protected server. The rules are set on the “Log Analysis” tab of the protection policy.

The rule syntax is described in the built-in help.

9. (Optional) Pin countermeasure graphs.
It may be convenient to pin graphs of countermeasures under the general graph on the right side of the policy page. Pinning is done by clicking on the pin icon in the countermeasure header.