freeGuard 100 CLI User Manual
79
6 config ips
anomaly
custom
group
6.1 anomaly
The freeGuard 100 IPS uses anomalies to identify network traffic that does not fit known or preset
traffic patterns. The freeGuard 100 IPS identifies the four statistical anomaly types for the TCP, UDP,
and ICMP protocols.
Flooding                   If the number of sessions targeting a single destination in one
                           second is over a threshold, the destination is experiencing flooding.
Scan                       If the number of sessions from a single source in one second is
                           over a threshold, the source is scanning.
Source session limit       If the number of concurrent sessions from a single source is over a
                           threshold, the source session limit is reached.
Destination session limit  If the number of concurrent sessions to a single destination is over
                           a threshold, the destination session limit is reached.
You can enable or disable logging for each anomaly, and you can control the IPS action in response to
detecting an anomaly. In many cases you can also configure the thresholds that the anomaly uses to
detect traffic patterns that could represent an attack.
Note: It is important to estimate the normal and expected traffic on your network before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the
thresholds too high could miss some attacks.
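As an added illustration that is not part of the manual, the Python script below applies the four anomaly definitions above to a constructed set of session records. The session data and the threshold values are made up for the demo, and the exact accounting the appliance performs (one-second buckets for flooding and scan, overlapping sessions for the two session limits) is an assumption based on the wording of the definitions.

```python
from collections import defaultdict

# Constructed sample sessions (not taken from the manual):
# (start_second, end_second, source, destination, protocol)
SESSIONS = [
    (0, 9, "10.0.0.1", "192.0.2.10", "tcp"),    # one long-lived session: benign on its own
    (3, 3, "10.0.0.2", "192.0.2.10", "tcp"),    # four new TCP sessions hit 192.0.2.10 in second 3
    (3, 3, "10.0.0.3", "192.0.2.10", "tcp"),
    (3, 3, "10.0.0.4", "192.0.2.10", "tcp"),
    (3, 3, "10.0.0.5", "192.0.2.10", "tcp"),
    (7, 7, "10.0.0.9", "192.0.2.20", "udp"),    # 10.0.0.9 opens four UDP sessions in second 7
    (7, 7, "10.0.0.9", "192.0.2.21", "udp"),
    (7, 7, "10.0.0.9", "192.0.2.22", "udp"),
    (7, 7, "10.0.0.9", "192.0.2.23", "udp"),
    (10, 20, "10.0.0.7", "192.0.2.30", "icmp"), # 10.0.0.7 holds three ICMP sessions at once
    (11, 20, "10.0.0.7", "192.0.2.31", "icmp"),
    (12, 20, "10.0.0.7", "192.0.2.32", "icmp"),
]

# Assumed thresholds for the demo; the appliance's real defaults are not on this page.
THRESHOLDS = {"flooding": 3, "scan": 3, "src_session_limit": 2, "dst_session_limit": 2}

def detect_anomalies(sessions, thresholds=THRESHOLDS):
    """Return sorted (anomaly, protocol, address) tuples for every count that is
    over its threshold. Flooding and scan count sessions opened per one-second
    bucket; the two session limits count sessions active in the same second."""
    opened_to_dst = defaultdict(int)   # (proto, dst, second) -> sessions opened
    opened_by_src = defaultdict(int)   # (proto, src, second) -> sessions opened
    active_by_src = defaultdict(int)   # (proto, src, second) -> concurrent sessions
    active_to_dst = defaultdict(int)   # (proto, dst, second) -> concurrent sessions
    for start, end, src, dst, proto in sessions:
        opened_to_dst[(proto, dst, start)] += 1
        opened_by_src[(proto, src, start)] += 1
        for second in range(start, end + 1):
            active_by_src[(proto, src, second)] += 1
            active_to_dst[(proto, dst, second)] += 1
    checks = (("flooding", opened_to_dst), ("scan", opened_by_src),
              ("src_session_limit", active_by_src), ("dst_session_limit", active_to_dst))
    found = set()
    for name, counter in checks:
        for (proto, addr, _second), count in counter.items():
            if count > thresholds[name]:       # "over a threshold", as the manual words it
                found.add((name, proto, addr))
    return sorted(found)
```

Raising every threshold well above the constructed traffic makes the same data report nothing, which is the false-negative side of the trade-off the note above describes.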
The list of anomalies can be updated only when the freeGuard 100 firmware image is upgraded.
Command syntax pattern
config ips anomaly <name_str>
set <keyword> <variable>
end
config ips anomaly <name_str>
unset <keyword>
end
get ips anomaly [<name_str>]
show ips anomaly [<name_str>]