Support User Manuals

HP (Hewlett-Packard) W.14.03 Switch User Manual

Open as PDF

of 594

Configuring Advanced Threat Protection

Using the Instrumentation Monitor

Operating Notes

■ To generate alerts for monitored events, you must enable the instru-

mentation monitoring log and/or SNMP trap. The threshold for each

monitored parameter can be adjusted to minimize false alarms (see

“Configuring Instrumentation Monitor” on page 10-25).

■ When a parameter exceeds its threshold, an alert (event log message

and/or SNMP trap) is generated to inform network administrators of

this condition. The following example shows an event log message

that occurs when the number of MAC addresses learned in the

forwarding table exceeds the configured threshold:

Standard Date/Time Prefix

for Event Log Messages

Monitored

Parameter

Threshold

Value

“inst-mon” label indicates an

Instrumentation Monitor event

Current

Value

W 05/27/06 12:10:16 inst-mon: Limit for MAC addr count (300) is exceeded (321)

Figure 10-13.Example of Event Log Message generated by Instrumentation Monitor

■ Alerts are automatically rate limited to prevent filling the log file with

redundant information. The following is an example of alerts that

occur when the device is continually subject to the same attack (too

many MAC addresses in this instance):

W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)

W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)

W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)

W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)

W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes

Figure 10-14.Example of rate limiting when multiple messages are generated

In the preceding example, if a condition is reported 4 times (persists for

more than 15 minutes) then alerts cease for 15 minutes. If after 15 minutes

the condition still exists, the alerts cease for 30 minutes, then for 1 hour,

2 hours, 4 hours, 8 hours, and after that the persisting condition is reported

once a day. As with other event log entries, these alerts can be sent to a

syslog server.

■ Known Limitations: The instrumentation monitor runs once every

five minutes. The current implementation does not track information

such as the port, MAC, and IP address from which an attack is

received.

10-24

previous next