Analyzing Recent Data on Incoming Activity by IP Address with the Rule Wizard
The Rule Wizards analyze data on recent system activity to develop and improve rules for filtering future activity.
To develop rules to filter incoming activity by IP Address, first create a data set of recent activity, as shown in Creating a Data Set of Incoming Activity by IP Address with the Rule Wizard.
Once you have created a data set, select 42. Work with Rule Wizard from the Work with Dynamic Filtering screen (STRFW > 2).
The Plan Incoming IP Security screen appears:
```
                          Plan Incoming IP Security
Type choices, press Enter.                                 Subset . . ________
 1=Statistics  2=Set by use  3=Allow by use  4=Delete  5=DSPFWLOG  9=Add similar
 C>R=Current to Revised         Y Allowed                        Y=Allow
 Specify revised authority      N Rejected                       N=Reject
 in the R column.               Y Allowed  (by generic* rule)
 Press Enter to apply           N Rejected (by generic* rule)
 revised authority.
                    FTP/  Tel   DB    TCP   RMT   DDM/  Fil     Number of Logged Entries
                    REXEC net   Srv   SGN   Srv   DRDA  Srv  FTP/REX Telnet ---DB--- File
Opt IP-Address      C>R   C>R   C>R   C>R   C>R   C>R   C>R  TCPSGN  -RMT-- DDM/DRDA Srv
    1.1.1.137       N     N     Y     N     N     N     N                              24
    1.1.1.139       Y     S     S     Y     N     Y     Y                             218
                                                                                   Bottom
F3=Exit   F6=Add New   F8=Print   F11=Alt.view   F12=Cancel
```
Each line on the lower section of the screen shows activity from a single IP address, as shown in the IP-Address field.
The next set of fields appears in pairs. Each pair shows information on activity from one protocol or set of protocols, including:
- FTP/REXEC including FTPLOG and TEXLOG
- Telnet
- DB Server including SQLENT, SQL, NDB, OBJINF, and DBOPEN
- TCP Sign-in
- Remote Server
- DDM and DRDA
- File Server
The pairs of fields for each are:
- a letter on a colored background, showing how Firewall responded to the activity according to current rules
- an underscore in which you can revise the rule
The letter codes are:
- Blank or N: Reject all incoming activity
- S: Allow activity, but do not log this
- Y: Allow activity
The color codes are:
- Green: A rule specifically referring to this IP address accepts this activity
- Red: A rule specifically referring to this IP address rejects this activity
- Blue: A rule for a generic set of IP addresses that includes this one accepts this activity
- Purple: A rule for a generic set of IP addresses that includes this one rejects this activity
Thus, for example, the leftmost item on the top line of the list is the letter "N" on a red background on the line with the IP address 1.1.1.69 in the FTP/REXEC column. That indicates that a rule specifically for the IP address 1.1.1.69 rejects all activity via FTP/REXEC (including FTPLOG and TEXLOG).
The remaining columns show, for that IP address, the number of logged entries within the selected data set for each of several groups of protocols. The groups are:
- FTP/REXEC and TCP sign-in
- Telnet and Remote Server
- Database Server including SQL access and DDM/DRDA
- File server
Thus, for example, in the fifth line of the list, the IP address 1.1.1.136 requested access to the database server four times and the file server 56 times.
To view the statistics on activity on a specific IP address during the time period in the data set, type 1 in the Opt column for that IP address and press Enter. The Display Statistics for Incoming IP address window appears.
```
 ...............................................................................
 :                 Display Statistics for Incoming IP address                 :
 :                                                                           :
 :  IP address: 1.1.1.136                                                    :
 :            Total  FTP/REX  Telnet  DBSrv  TCPSGN  RMTSrv  DDM/DRDA  FilSrv :
 :  Entries      60                       4                               56 :
 :  Rejected     50                       4                               46 :
 :                                                                           :
 :  F3=Exit                                                                  :
 :.............................................................................:
                    REXEC net   Srv   SGN   Srv   DRDA  Srv  FTP/REX Telnet ---DB--- File
Opt IP-Address      C>R   C>R   C>R   C>R   C>R   C>R   C>R  TCPSGN  -RMT-- DDM/DRDA Srv
    1.1.1.69        N     N     N     N     N     N     Y                               1
    1.1.1.71        Y     Y     Y     Y     N     N     Y                               3
    1.1.1.77        Y     Y     Y     Y     N     N     N                              20
    1.1.1.129       Y     Y     Y     Y     N     N     N                              23
 1  1.1.1.136       Y     Y     Y     Y     N     N     N                    4         56
    1.1.1.137       Y     Y     Y     Y     Y     Y     Y                               6
    1.1.1.139       Y     S     S     Y     N     Y     Y                               7
    127.0.0.1       Y     N     Y     N     N     N     N                              19
                                                                                   Bottom
F3=Exit   F6=Add New   F8=Print   F11=Alt.view   F12=Cancel
```
In this example, we see that IP address 1.1.1.136 sent sixty requests for access: four to the database server and 56 to the file server. Fifty of them were rejected, including all four for the database server and 46 of the requests to the file server.
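The following is an added example, not part of the Rule Wizard documentation or the product's own code. It models the letter codes described for the Plan Incoming IP Security screen (Y, S, N or blank) and rebuilds the Display Statistics window and the four merged "Number of Logged Entries" columns of the list from a constructed set of firewall log entries. The log-type names for FTP/REXEC and DB Server are taken from the text above; the names used for Telnet, TCP sign-in, Remote Server, DDM/DRDA and File Server entries are assumptions, as is the assumption that rejected requests are logged (the statistics window counts them).

```python
"""Added example, not part of the Rule Wizard documentation: models the
letter codes of the Plan Incoming IP Security screen and rebuilds the
Display Statistics window from a constructed list of firewall log entries."""
from collections import Counter
from dataclasses import dataclass

# Protocol groups shown as column headings, with the log types the text lists
# for FTP/REXEC and DB Server. The remaining log-type names are assumptions
# made for this example; the product's own names may differ.
PROTOCOL_GROUPS = {
    "FTP/REX":  {"FTPLOG", "TEXLOG"},
    "Telnet":   {"TELNET"},
    "DBSrv":    {"SQLENT", "SQL", "NDB", "OBJINF", "DBOPEN"},
    "TCPSGN":   {"TCPSGN"},
    "RMTSrv":   {"RMTSRV"},
    "DDM/DRDA": {"DDM", "DRDA"},
    "FilSrv":   {"FILSRV"},
}

# The four "Number of Logged Entries" columns of the list each merge two
# groups; File Server stands alone.
LIST_COLUMNS = {
    "FTP/REX TCPSGN":    ("FTP/REX", "TCPSGN"),
    "Telnet -RMT--":     ("Telnet", "RMTSrv"),
    "---DB--- DDM/DRDA": ("DBSrv", "DDM/DRDA"),
    "File Srv":          ("FilSrv",),
}

# Letter codes -> (allowed, logged). Blank behaves like N. Rejections are
# assumed to be logged, since the statistics window counts them.
LETTER_CODES = {
    "Y": (True, True),
    "S": (True, False),
    "N": (False, True),
    "":  (False, True),
}


def apply_code(code: str):
    """Return (allowed, logged) for one letter code as the screen defines it."""
    try:
        return LETTER_CODES[code.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown authority code {code!r}") from None


@dataclass(frozen=True)
class LogEntry:
    ip: str
    log_type: str
    rejected: bool


def group_of(log_type: str) -> str:
    """Map an individual log type to its protocol-group column."""
    for group, types in PROTOCOL_GROUPS.items():
        if log_type in types:
            return group
    raise ValueError(f"unknown log type {log_type!r}")


def statistics(entries, ip: str):
    """Rebuild the Display Statistics window for one IP address: entries and
    rejections per protocol group plus the Total column."""
    entries_c, rejected_c = Counter(), Counter()
    for e in entries:
        if e.ip != ip:
            continue
        g = group_of(e.log_type)
        entries_c[g] += 1
        entries_c["Total"] += 1
        if e.rejected:
            rejected_c[g] += 1
            rejected_c["Total"] += 1
    return {"Entries": dict(entries_c), "Rejected": dict(rejected_c)}


def list_columns(entries, ip: str):
    """Counts for the four merged Number of Logged Entries columns of the list."""
    stats = statistics(entries, ip)["Entries"]
    return {col: sum(stats.get(g, 0) for g in groups)
            for col, groups in LIST_COLUMNS.items()}


def render_statistics(entries, ip: str) -> str:
    """Text rendering in the layout of the Display Statistics window."""
    stats = statistics(entries, ip)
    cols = ["Total", *PROTOCOL_GROUPS]
    lines = [f"IP address: {ip}", " " * 10 + "".join(f"{c:>9}" for c in cols)]
    for row in ("Entries", "Rejected"):
        cells = "".join(f"{stats[row].get(c, ''):>9}" for c in cols)
        lines.append(f"{row:<10}{cells}")
    return "\n".join(lines)


# Constructed sample data reproducing the documentation's example for
# 1.1.1.136: four DB Server requests (all rejected) and 56 File Server
# requests (46 rejected), plus two entries from another address.
SAMPLE_LOG = (
    [LogEntry("1.1.1.136", "SQL", True)] * 4
    + [LogEntry("1.1.1.136", "FILSRV", True)] * 46
    + [LogEntry("1.1.1.136", "FILSRV", False)] * 10
    + [LogEntry("1.1.1.139", "FTPLOG", False), LogEntry("1.1.1.139", "TEXLOG", True)]
)

if __name__ == "__main__":
    print(render_statistics(SAMPLE_LOG, "1.1.1.136"))
    print(list_columns(SAMPLE_LOG, "1.1.1.136"))
```

Running the script prints the Entries and Rejected rows for 1.1.1.136 (60 total, 4 DBSrv, 56 FilSrv; 50 rejected, 4 DBSrv, 46 FilSrv) and the four list columns, matching the worked example above; feeding real exported log data into `LogEntry` records would let an administrator cross-check the figures the window shows for any address.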
To add a new rule, press the F6 key. The Add Firewall Incoming IP Address screen appears, as shown in Adding Firewall Rules for Incoming Activity by IP Address with the Rule Wizard.
To add a rule for an IP address similar to an existing one, type 9 in the Opt field for that rule and press Enter. The Add Similar Incoming IP Address screen appears, as shown in Adding Firewall Rules for a Similar Incoming IP Address with the Rule Wizard.
To change rules based on activity in the data set, see Setting Firewall Rules based on Incoming Activity by IP Address with the Rule Wizard.
To change rules manually, see Setting Firewall Rules Manually based on Incoming IP Address with the Rule Wizard.
To delete a rule, type 4 in the Opt field for that rule and press Enter. NOTE: You are not prompted for confirmation, and the rule is immediately deleted.
To display the firewall log entries relevant to this rule, type 5 in the Opt field for that rule and press Enter. The Display Firewall Log screen appears, as shown in Displaying Firewall Logs.
To print the information from the data set, press the F8 key.