The Event Rate Monitoring feature monitors the rate of predefined events in a zone. It includes basic threat detection,
which is the ability of a security device to detect possible threats, anomalies, and attacks against resources inside
the firewall and to take action against them. You configure a basic threat detection rate for each event type. When the
incoming rate of that event type exceeds the configured threat detection rate, event rate monitoring treats the event
as a threat, updates its statistics, and raises an alert. Threat detection inspects events only on the ingress zone, and
only if the Event Rate Monitoring feature is enabled on that zone.
The network administrator is informed about the potential threats via an alert message (syslog or high-speed logger [HSL])
and can take actions such as detecting the attack vector, detecting the zone from which the attack is coming, or configuring
devices in the network to block certain behaviors or traffic.
The Event Rate Monitoring feature monitors the following types of events:
- Firewall drops due to basic firewall checks failure—This can include zone or zone-pair check failures, firewall policies
configured with the drop action, and so on.
- Firewall drops due to Layer 4 inspection failure—This can include TCP inspections that have failed because the first TCP
packet of a connection is not a synchronization (SYN) packet.
- TCP SYN cookie attack—This can include counting the number of SYN packets that are dropped and the number of SYN cookies
that the firewall sends in response to a suspected spoofing (SYN flood) attack.
The Event Rate Monitoring feature monitors the average rate and the burst rate of each event type. Each event type has a
rate object with a configurable parameter set: an average threshold, a burst threshold, and a time period (the rate
interval). The time period is divided into 30 time slots, so each time slot is 1/30th of the time period.
The average rate is calculated for every event type. Each rate object holds 30 completed sampling values plus one value for
the current, ongoing sampling period. When the current sampling period completes, its value replaces the oldest of the 30
completed values and the average is recalculated, so the average always covers a sliding window one time period long. If the
average rate exceeds the average threshold, the Event Rate Monitoring feature treats this as a possible threat, updates the
statistics, and informs the network administrator.
The burst rate is implemented by using the token bucket algorithm. At the start of each time slot, the token bucket is refilled
with tokens. For each event of a given type that occurs, one token is removed from the bucket. An empty bucket means that the
burst threshold has been reached, and the administrator receives an alarm through syslog or HSL. You can view the threat detection
statistics for each event type in a zone, and learn about possible threats, from the output of the show policy-firewall stats zone command.
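The sliding-window average and the per-slot token bucket described above, as an added Python model that is not Cisco's code or the page's own. The 30-slot window and the bucket refilled at every slot follow the text; the bucket capacity (burst threshold multiplied by the slot length), one burst alarm per slot, the alert strings, and the constructed per-slot drop counts in demo() are assumptions. The thresholds used are the defaults for basic firewall drops from the table below.

```python
"""Model of the Event Rate Monitoring average-rate and burst-rate checks.

Added example, not Cisco's code: the 30-slot sliding window and the token
bucket refilled every slot follow the text; the bucket capacity
(burst threshold x slot length), one burst alarm per slot, the alert
strings and the traffic counts in demo() are assumptions.
"""
from collections import deque

SLOTS_PER_INTERVAL = 30  # each time slot is 1/30th of the rate interval


class RateObject:
    """One rate object: thresholds plus the sliding window and token bucket for an event type."""

    def __init__(self, name, average_threshold_pps, burst_threshold_pps, rate_interval_s):
        self.name = name
        self.average_threshold = average_threshold_pps
        self.burst_threshold = burst_threshold_pps
        self.slot_len = rate_interval_s / SLOTS_PER_INTERVAL
        # 30 completed per-slot samples, oldest first; a new sample evicts the oldest
        self.samples = deque([0] * SLOTS_PER_INTERVAL, maxlen=SLOTS_PER_INTERVAL)
        self.current = 0  # the one value for the ongoing sampling period
        # assumption: the per-slot refill equals the burst rate sustained for one slot
        self.bucket_capacity = int(burst_threshold_pps * self.slot_len)
        self.tokens = self.bucket_capacity
        self.burst_alarmed = False  # raise the burst alarm once per slot
        self.stats = {"events": 0, "average_alerts": 0, "burst_alerts": 0}

    def event(self):
        """Record one event of this type; return an alert string if the bucket is empty."""
        self.current += 1
        self.stats["events"] += 1
        if self.tokens > 0:
            self.tokens -= 1
            return None
        if self.burst_alarmed:
            return None
        self.burst_alarmed = True
        self.stats["burst_alerts"] += 1
        return f"{self.name}: burst threshold {self.burst_threshold} pps reached"

    def end_slot(self):
        """Close the time slot: roll the window, refill the bucket, recompute the average."""
        self.samples.append(self.current)  # maxlen drops the oldest completed value
        self.current = 0
        self.tokens = self.bucket_capacity
        self.burst_alarmed = False
        avg = self.average_rate()
        if avg > self.average_threshold:
            self.stats["average_alerts"] += 1
            return f"{self.name}: average rate {avg:.1f} pps exceeds {self.average_threshold} pps"
        return None

    def average_rate(self):
        """Events per second over the 30 completed slots, i.e. over one rate interval."""
        return sum(self.samples) / (SLOTS_PER_INTERVAL * self.slot_len)


def run_slots(rate_obj, events_per_slot):
    """Feed per-slot event counts (constructed traffic) and return the alerts in order."""
    alerts = []
    for count in events_per_slot:
        for _ in range(count):
            alert = rate_obj.event()
            if alert:
                alerts.append(alert)
        alert = rate_obj.end_slot()
        if alert:
            alerts.append(alert)
    return alerts


def demo():
    """Basic-firewall-drop defaults (400 / 1600 pps, 600 s): slots are 20 s, bucket is 32000 tokens."""
    fw_drop = RateObject("fw-drop", 400, 1600, 600)
    # 30 slots of 6000 drops (300 pps): under both thresholds, no alerts
    quiet = run_slots(fw_drop, [6000] * 30)
    # one slot of 40000 drops (2000 pps): empties the bucket -> burst alert, but the
    # 600 s average is only (29*6000 + 40000)/600 = 356.7 pps, so no average alert
    burst = run_slots(fw_drop, [40000])
    # 30 slots of 10000 drops (500 pps): the window average crosses 400 pps at the
    # 7th slot and an average-rate alert is raised at every slot from then on
    sustained = run_slots(fw_drop, [10000] * 30)
    return fw_drop, quiet, burst, sustained


if __name__ == "__main__":
    obj, quiet, burst, sustained = demo()
    print("quiet:", quiet)
    print("burst:", burst)
    print("sustained:", len(sustained), "average-rate alerts, last:", sustained[-1])
    print("stats:", obj.stats)
```

The point the model makes visible is that the two checks catch different shapes of attack: a single-slot flood trips the burst alarm while leaving the 600-second average under 400 pps, and a sustained rate of 500 pps never empties the 32000-token bucket but is caught by the sliding average once enough quiet slots have aged out of the window.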
You must first enable basic threat detection by using the threat-detection basic-threat command. Once basic threat detection
is enabled, you can configure the threat detection rate for each event type by using the threat-detection rate command.
The following table describes the basic threat detection default settings that are applicable if the Event Rate Monitoring
feature is enabled.
Table 1. Basic Threat Detection Default Settings

Packet Drop Reason              | Threat Detection Settings
--------------------------------|------------------------------------------
Basic firewall drops            | average-rate 400 packets per second (pps)
                                | burst-rate 1600 pps
                                | rate-interval 600 seconds
Inspection-based firewall drops | average-rate 400 pps
                                | burst-rate 1600 pps
                                | rate-interval 600 seconds
SYN attack firewall drops       | average-rate 100 pps
                                | burst-rate 200 pps
                                | rate-interval 600 seconds