The goal of Traffic Regulation (TR) policy is to protect your system from usage spikes. A phased approach to determine the correct policy for your system is recommended.
While the baseline statistics records provide suggested policy values for the interval, you should evaluate data from multiple intervals. The values suggested are those that would avoid denying any of the connections in the interval. Choose lower values if the interval represents a workload larger than you want to allow.
After you determine the policy values to use, run with the Log and Nolimit actions specified. Specifying the Nolimit action tests the policy without enforcing it: connections that would have been denied if the Limit action were specified are logged, but they are still allowed. After you are satisfied with the experimental policy, set the policy action to Limit.
This temporary rule provides statistical reports to determine normal traffic patterns for several applications. After the baseline values are determined, this rule should be replaced by rules that include the specific conditions to be regulated.
The following example is an IDS configuration file:
########################################################################
########################################################################
# TR Policies
########################################################################
#-----------------------------------------------------------------------
# TR - IDSRule
#-----------------------------------------------------------------------
IDSRule TRTcpWeb-rule
{
  ConditionType TR
  Priority 7
  IDSTRConditionRef TRTcpWebCondition
  IDSActionRef TRTcpLimit-action
}
IDSRule TRTcp-rule
{
  ConditionType TR
  Priority 2
  IDSTRConditionRef TRTcpCondition
  IDSActionRef TRTcpLog-action
  IpTimeConditionRef Time1
}
#-----------------------------------------------------------------------
# TR - IDSTRCondition
#-----------------------------------------------------------------------
IDSTRCondition TRTcpWebCondition
{
  Protocol Tcp
  LocalPortRange 80
  LocalHostAddr 10.14.243.87
  TRtcpTotalConnections 1000
  TRtcpPercentage 10
  TRtcpLimitScope PORT_INSTANCE
}
IDSTRCondition TRTcpCondition
{
  Protocol Tcp
  LocalPortRange 1:1023
}
#-----------------------------------------------------------------------
# TR - IDSAction
#-----------------------------------------------------------------------
IDSAction TRTcpLimit-action
{
  ActionType TR LIMIT
  IDSReportSet TRTcpLimitReportSet
  {
    TypeActions Log
    TypeActions Statistics
    StatType Exception
  }
}
IDSAction TRTcpLog-action
{
  ActionType TR NOLIMIT
  IDSReportSetRef LogStatReportSet
}
#-----------------------------------------------------------------------
# IDSReportSet
#-----------------------------------------------------------------------
IDSReportSet LogStatReportSet
{
  TypeActions Log
  TypeActions Statistics
}
#-----------------------------------------------------------------------
# IPTimeCondition
#-----------------------------------------------------------------------
IpTimeCondition Time1
{
  TimeOfDayRange 1-22
  DayOfWeekMask 0111110
}
If you are using LDAP to define policy, see IDS TCP traffic regulation policy example.
The following example is an IDS configuration file:
########################################################################
########################################################################
# TR Policies
########################################################################
#-----------------------------------------------------------------------
# TR - IDSRule
#-----------------------------------------------------------------------
IDSRule TRUdp-rule
{
  ConditionType TR
  Priority 2
  IDSTRConditionRef TRUdpCondition
  IDSActionRef TRUdpLogLimit-action
}
#-----------------------------------------------------------------------
# TR - IDSTRCondition
#-----------------------------------------------------------------------
IDSTRCondition TRUdpCondition
{
  Protocol Udp
  LocalPortRange 1-1023
  TRUdpQueueSize Long
}
#-----------------------------------------------------------------------
# TR - IDSAction
#-----------------------------------------------------------------------
IDSAction TRUdpLogLimit-action
{
  ActionType TR LIMIT
  IDSReportSetRef LogStatReportSet
}
#-----------------------------------------------------------------------
# IDSReportSet
#-----------------------------------------------------------------------
IDSReportSet LogStatReportSet
{
  TypeActions Log
  TypeActions Statistics
}
If you are using LDAP to define policy, see IDS UDP traffic regulation policy example.
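The phased rollout described at the top of this page depends on knowing which rules are still running with Nolimit. The following added example, which is not part of the original documentation or of any product tooling, parses the configuration-file layout shown above, resolves each TR rule's IDSActionRef, and reports whether the rule is enforcing (LIMIT) or still on trial (NOLIMIT). The function names, the SAMPLE text, and the case-insensitive keyword matching are assumptions made for the example.

```python
# Constructed sample, condensed from the TCP example on this page.
SAMPLE = """
IDSRule TRTcpWeb-rule
{
  ConditionType TR
  IDSActionRef TRTcpLimit-action
}
IDSRule TRTcp-rule
{
  ConditionType TR
  IDSActionRef TRTcpLog-action
}
IDSAction TRTcpLimit-action
{
  ActionType TR LIMIT
}
IDSAction TRTcpLog-action
{
  ActionType TR NOLIMIT
}
"""

def parse_blocks(text):
    """Return {(statement, name): {attribute: value}} for top-level blocks.
    Assumes braces sit on their own lines, as in the examples on this page."""
    blocks, pending, current, depth = {}, ("", ""), {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line in ("{", "}"):
            depth += 1 if line == "{" else -1
            if line == "{" and depth == 1:
                current = blocks.setdefault(pending, {})
        elif line and depth < 2:  # lines inside nested blocks are skipped
            key, *rest = line.split(None, 1)
            if depth == 0:
                pending = (key, " ".join(rest))
            else:
                current[key] = " ".join(rest)
    return blocks

def tr_rule_modes(text):
    """Map each TR rule to LIMIT (enforcing), NOLIMIT (trial) or UNRESOLVED."""
    blocks, modes = parse_blocks(text), {}
    for (stmt, name), attrs in blocks.items():
        if stmt == "IDSRule" and attrs.get("ConditionType", "").upper() == "TR":
            action = blocks.get(("IDSAction", attrs.get("IDSActionRef")), {})
            parts = action.get("ActionType", "").upper().split()  # assumed case-insensitive
            known = parts in (["TR", "LIMIT"], ["TR", "NOLIMIT"])
            modes[name] = parts[1] if known else "UNRESOLVED"
    return modes
```

Calling tr_rule_modes(SAMPLE) shows TRTcp-rule still in trial mode; a rule whose IDSActionRef names no defined action is reported as UNRESOLVED so that it is not mistaken for an enforcing rule.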