Analyzing Recent Data on Outgoing Activity by IP Address with the Rule Wizard

The Rule Wizards analyze data on recent system activity to develop and improve rules for filtering future activity.

To develop rules to filter outgoing activity by IP address, first create a data set of recent activity, as shown in Creating a Data Set of Outgoing Activity by IP Address with the Rule Wizard.

Once you have created a data set, select 52. Work with Rule Wizard from the Work with Dynamic Filtering screen (STRFW > 2).

The Plan Outgoing IP Security screen appears:

                           Plan Outgoing IP Security
  Type choices, press Enter.                          Subset . .
   1=Statistics       2=Set by use  3=Allow by use
  4=Delete 5=DSPFWLOG 6=Create rule 9=Add similar  C>R=Current to Revised
                                                    Y Allowed        Y=Allow
  Specify revised authority in the R column.        N Rejected       N=Reject
                                                    Y Allowed (by generic* rule)
                    FTP/                            N Rejected (by generic* rule)
                    RE-                             Number of Logged Entries
                    EXEC                            FTP/REX
  Opt IP-Address    C>R
      1.1.1.105      Y                                   87
      1.1.1.137      Y                                    2
      1.1.1.212      Y                                18237
      127.0.0.1      N                                    1
      185.113.4.132  Y                                   38
      185.113.4.146  Y                                    6
      185.113.4.148  Y                                  225



                                                                         Bottom
  F3=Exit   F6=Add New   F8=Print   F11=Alt.view  F12=Cancel

Each line on the lower section of the screen shows activity directed toward a single IP address, as shown in the IP-Address field.

The next pair of fields shows information on outgoing activity via FTP/REXEC (including FTPLOG and TEXLOG) to that IP address. Fields of this kind appear in pairs, each pair covering one protocol or set of protocols. The two fields in each pair are:

  • a letter on a colored background, showing how Firewall responded to the activity according to the current rules
  • an underscore in which you can revise the rule

The letter codes are:

  • Y: Accepted
  • N: Rejected
  • S: Only accepted over SSL connections
  • A: Accepted, without checking whether SQL statements are valid
  • B: Only accepted over SSL connections, without checking whether SQL statements are valid
  • L: Accepted, without either checking whether SQL statements are valid or logging the activity
  • M: Only accepted over SSL connections, without either checking whether SQL statements are valid or logging the activity.

The color codes are:

  • Green: A rule specifically referring to this IP address accepts this activity
  • Red: A rule specifically referring to this IP address rejects this activity
  • Blue: A rule for a generic set of IP addresses that includes this one accepts this activity
  • Purple: A rule for a generic set of IP addresses that includes this one rejects this activity

For example, on the top line of the list, for IP address 1.1.1.105, the FTP/REXEC column shows the letter "Y" on a blue background. That means that, because of a generic rule, Firewall accepts all activity toward IP address 1.1.1.105 via FTP/REXEC. (In this case, the Dynamic Filtering - Outgoing IP Address Security screen shows that Firewall allows outgoing FTP requests to the range of IP addresses beginning with 1.1.1.1 with a subnet mask of 255.255.0.0.)

The remaining columns show the number of logged requests toward that IP address via FTP/REXEC. In this case, there were 113 requests for outgoing FTP to 1.1.1.105.
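The screen above summarises, per destination IP address, the verdict of the current rules (the letter and its color) and the number of logged entries, and the statistics window described further down adds a rejected count. The following Python is an added example, not part of the product or its documentation, that reproduces that summary from constructed log lines and a constructed rule table. The log record layout, the rule table layout and the precedence of a specific (host) rule over a generic (subnet) rule are assumptions made for the illustration; only the 1.1.1.1 / 255.255.0.0 generic allow rule and the letter and color meanings come from the text.

```python
"""Added example: build a Plan-Outgoing-IP-Security style summary.

Assumptions (not from the page): log lines look like
"<LOGTYPE> <destination-ip> <ALLOWED|REJECTED>", rules are a list of
(network, allow) entries, and a rule naming the exact host wins over a
generic subnet rule.  Nothing here reads the product's real files.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network  # /32 = specific host, shorter = generic
    allow: bool                      # True -> allow (Y), False -> reject (N)

    @property
    def generic(self) -> bool:
        return self.network.prefixlen < 32


def make_rule(ip: str, mask: str, allow: bool) -> Rule:
    """Build a rule from the dotted address + subnet mask form the screen uses."""
    return Rule(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False), allow)


# Constructed rule table.  The first entry is the generic rule the text
# describes (1.1.1.1 with mask 255.255.0.0); the others are illustrative.
RULES: List[Rule] = [
    make_rule("1.1.1.1", "255.255.0.0", allow=True),            # generic allow
    make_rule("127.0.0.1", "255.255.255.255", allow=False),     # specific reject
    make_rule("185.113.4.148", "255.255.255.255", allow=True),  # specific allow
]

# Constructed sample log lines (not real product output).
LOG_LINES: List[str] = """\
FTPLOG 1.1.1.105 ALLOWED
FTPLOG 1.1.1.105 ALLOWED
TEXLOG 1.1.1.105 ALLOWED
FTPLOG 127.0.0.1 REJECTED
FTPLOG 185.113.4.148 ALLOWED
FTPLOG 1.1.1.212 ALLOWED
FTPLOG 1.1.1.212 ALLOWED
""".splitlines()


def decide(ip: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return (letter, color) as the screen legend defines them.

    green/red  = a rule naming this exact address allows/rejects
    blue/purple = a generic (subnet) rule covering it allows/rejects
    Specific-over-generic precedence and longest-prefix tie-break are assumed.
    """
    addr = ipaddress.IPv4Address(ip)
    specific = [r for r in rules if not r.generic and addr in r.network]
    generic = [r for r in rules if r.generic and addr in r.network]
    if specific:
        return ("Y", "green") if specific[0].allow else ("N", "red")
    if generic:
        best = max(generic, key=lambda r: r.network.prefixlen)
        return ("Y", "blue") if best.allow else ("N", "purple")
    return ("?", None)  # no rule covers this address


def summarize(log_lines: List[str], rules: List[Rule]) -> List[Dict]:
    """One row per destination IP: verdict of current rules plus log counts."""
    stats: Dict[str, Dict[str, int]] = {}
    for line in log_lines:
        _log_type, ip, result = line.split()
        entry = stats.setdefault(ip, {"entries": 0, "rejected": 0})
        entry["entries"] += 1
        if result == "REJECTED":
            entry["rejected"] += 1
    rows = []
    for ip in sorted(stats, key=ipaddress.IPv4Address):
        letter, color = decide(ip, rules)
        rows.append({"ip": ip, "letter": letter, "color": color, **stats[ip]})
    return rows


def render(rows: List[Dict]) -> str:
    """Plain-text rendering in the spirit of the screen (color shown as a word)."""
    out = [f"{'IP-Address':<15} {'C':>1} {'color':<7} {'entries':>8} {'rejected':>8}"]
    for r in rows:
        out.append(f"{r['ip']:<15} {r['letter']:>1} {str(r['color']):<7} "
                   f"{r['entries']:>8} {r['rejected']:>8}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(LOG_LINES, RULES)))
```

Run it as a script to print the table. The interesting rows are 1.1.1.105 and 1.1.1.212, which no rule names directly: both fall inside 1.1.0.0/16 and therefore come out as "Y" in blue, which is exactly the case the text describes for 1.1.1.105. Before converting such a generic verdict into a specific rule with the wizard, it is worth checking how many distinct hosts the generic rule actually covers, since a /16 allows far more than the seven addresses that appear in the data set.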

To view the statistics on activity on a specific IP address during the time period in the data set, enter 1 in the Opt column for that IP address. The Display Statistics for Outgoing IP address window appears.

  ...............................................................................
  :                 Display Statistics for Outgoing IP address                  :
  :   IP address: 1.1.1.212                                                     :
  :                   FTP/REX                                                   :
  :   Entries           18237                                                   :
  :   Rejected                                                                  :
  :   F3=Exit                                                                   :
  :                                                                             :
  :.............................................................................:
                    EXEC                            FTP/REX
  Opt IP-Address    C>R
      1.1.1.105      Y                                   87
      1.1.1.137      Y                                    2
  1   1.1.1.212      Y                                18237
      127.0.0.1      N                                    1
      185.113.4.132  Y                                   38
      185.113.4.146  Y                                    6
      185.113.4.148  Y                                  225



                                                                         Bottom
  F3=Exit   F6=Add New   F8=Print   F11=Alt.view  F12=Cancel

In this case, the window shows that of the 18237 requests for FTP/REXEC to IP address 1.1.1.212, none were rejected.

To add a new rule, press the F6 key. The Add Firewall Outgoing IP Address screen appears, as shown in Adding Firewall Rules for Outgoing Activity by IP Address with the Rule Wizard.

To add a rule for an IP address similar to an existing one, enter 9 in the Opt field for that rule. The Add Similar Incoming IP Address screen appears, as shown in Adding Firewall Rules for a Similar Incoming IP Address with the Rule Wizard.

To change rules based on activity in the data set, see Setting Firewall Rules based on Outgoing Activity by IP Address with the Rule Wizard.

To change rules manually, see Setting Firewall Rules Manually based on Outgoing IP Address with the Rule Wizard.

To delete a rule, enter 4 in the Opt field for that rule. NOTE: You are not prompted for confirmation; the rule is deleted immediately.

To display the firewall log entries relevant to this rule, enter 5 in the Opt field for that rule. The Display Firewall Log screen appears, as shown in Displaying Firewall Logs.

To print the information from the data set, press the F8 key.