Anomaly flow ip – AirLive IAR-5000 v2 User Manual
13. Anomaly Flow IP
When the corporate network is under attack (which causes excessive network traffic),
the IAR-5000 takes action against it. In addition, by working together with an IDP-enabled
switch, you can defend against various threats from the Internet and avoid losing revenue
opportunities as a result of the network being paralyzed.
This chapter discusses the functionality and application of Anomaly Flow IP.
The threshold for anomaly sessions per IP address is … sessions / sec
When the number of concurrent sessions from an IP address exceeds the
threshold, the IAR-5000 treats the IP address as an anomaly flow IP. It then blocks the
address's packet transmission and mails an alert notification to the designated recipient.
Anomaly Flow IP Blocking
All sessions created by an anomaly flow IP will be dropped for the sake of keeping
others’ Internet access available.
Email Notification
The victim user and system administrator will both receive an alert notification through
an email message or a NetBIOS broadcast when an anomaly flow occurs.
Safe IP Addresses
If a local server is mistaken for an anomaly flow IP because it provides services to the
public, it is suggested that this server be classified as a safe IP address.
Configuring Alerts for Anomaly Flow and Blocking Intrusion Packets:
Step 1. Navigate to System → Settings → Settings, and then select Enable email notification. Navigate to Anomaly Flow IP → Settings, and then configure as below:
Configure The threshold for anomaly sessions per IP address is … sessions / sec accordingly. (100 by default)
Tick Enable anomaly flow IP blocking and then configure the Blocking Time (second) accordingly. (600 by default)
Tick Enable email notification.
Tick Enable NetBIOS notification.
Type “172.16.0.2” in the IP address of system administrator field.
Click on OK to complete the settings. (Figure 13-1)
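The effect of these settings can be modelled in a few lines. This is an added example, not AirLive's implementation: it assumes the threshold counts new sessions per source IP over a one-second sliding window, and the class, function names and sample addresses are made up for illustration.

```python
from collections import defaultdict, deque

class AnomalyFlowDetector:
    """Assumed model of per-IP session-rate blocking; not AirLive's code."""

    def __init__(self, threshold=100, blocking_time=600, safe_ips=()):
        self.threshold = threshold          # sessions/sec (manual default: 100)
        self.blocking_time = blocking_time  # seconds (manual default: 600)
        self.safe_ips = set(safe_ips)       # exempt hosts, e.g. public servers
        self.recent = defaultdict(deque)    # IP -> session start times, last 1 s
        self.blocked_until = {}             # IP -> time at which its block expires
        self.alerts = []                    # (time, IP): where a notification fires

    def new_session(self, ts, src_ip):
        """Return 'allow' or 'drop' for a session opened by src_ip at ts seconds."""
        if src_ip in self.safe_ips:
            return "allow"
        if self.blocked_until.get(src_ip, 0) > ts:
            return "drop"                   # still inside the blocking time
        self.blocked_until.pop(src_ip, None)
        window = self.recent[src_ip]
        window.append(ts)
        while window[0] <= ts - 1.0:        # keep only the last second
            window.popleft()
        if len(window) > self.threshold:
            self.blocked_until[src_ip] = ts + self.blocking_time
            self.alerts.append((ts, src_ip))
            window.clear()
            return "drop"
        return "allow"

def sample_events():
    """Constructed traffic: (seconds, source IP); addresses are made up."""
    burst = [(i / 1000, "192.168.1.50") for i in range(150)]   # 150 sessions in 0.15 s
    server = [(i / 1000, "192.168.1.10") for i in range(150)]  # busy public server
    later = [(0.5, "192.168.1.77"), (300.0, "192.168.1.50"), (601.0, "192.168.1.50")]
    return sorted(burst + server + later)

def replay(events, **settings):
    """Feed events through the detector; return per-IP verdict counts and alerts."""
    det = AnomalyFlowDetector(**settings)
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for ts, ip in events:
        counts[ip][det.new_session(ts, ip)] += 1
    return dict(counts), det.alerts

if __name__ == "__main__":
    counts, alerts = replay(sample_events(), safe_ips={"192.168.1.10"})
    print(counts, alerts)
```

Replaying the same traffic without the safe IP entry shows the busy server being blocked as well, which is the false positive the Safe IP Addresses setting is meant to prevent.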