Notes on Detector and Guard interaction configuration
Part 1: Normal communication between Cisco Guard and Detector
A: Guard configuration
1. admin@DETECTOR-conf#service internode-comm
- defines the SSH communication service
2. admin@DETECTOR-conf#permit ssh *
admin@DETECTOR-conf#permit internode-comm *
- allows SSH access
B: Detector configuration
1. admin@DETECTOR-conf#service internode-comm
- defines the SSH communication service
admin@DETECTOR-conf#permit ssh *
admin@DETECTOR-conf#permit internode-comm *
- allows SSH access
2. remote-guard ssh 218.61.23.2
-- specifies the Guard's communication address
3. admin@DETECTOR-conf#key generate
-- automatically generates the key
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Keys were successfuly generated. Please use "key publish" to update remote-guards
--> admin@DETECTOR-conf#key add ssh-rsa riverhead riverhead@guard
- or add the key manually
4. admin@DETECTOR-conf#key publish *
-- publishes the key to the remote Guards
updated 1 remote-guards (out of 1) with new key
5. admin@DETECTOR-conf-zone-guoqing#dynamic-filter remote-activate forever
-- manually tests whether the communication channel can activate the zone
6. Then log in to the Guard at 218.25.16.141 over HTTPS and check that the Guoqing zone has been activated.
Part 2: Configuring a zone on the Detector
1. Configure the Detector zone, but be sure to use the Guard zone template.
GUI configuration is recommended.
2. Configure the zone parameters.
GUI configuration is recommended.
3. Configure the Guard zone:
- guard-conf (from zone configuration mode)
- configure zone-name guard-conf (from global mode)
- zone zone-name guard-conf (from configuration mode)
4. Enable automatic learning and export the configuration to the Guard:
user@DETECTOR-conf-zone-scannet# learning-params sync accept
Part 3: Manually synchronizing a zone to the Guard
- sync zone zone-name local {remote-guards | remote-guard-address-to} (in global mode)
- sync local {remote-guards | remote-guard-address-to} (in zone configuration mode)
For example:
user@DETECTOR#sync zone scannet local remote-guards
user@DETECTOR-conf-zone-scannet# sync local 192.168.100.5
All of the above configuration has been verified in practice.
Emergency points for Guard protection during the holiday period:
A: If business traffic is blocked, use the Bypass function to release the blocked addresses, then capture packets on site for analysis, or disable the Block actions in the policy or raise the thresholds.
B: If an attack is not mitigated, manually add a Dynamic Filter -> filter/Strong, and make sure the policy is placed at the top (delete the other Dynamic Filters first).
C: If Guard access becomes slow after adding a zone, issue Reload from the CLI, wait 10 minutes before logging in again, delete the newly added zone configuration and re-add it. When adding a zone it is best to add only the single attacked address, to avoid address overlap between zones.
D: Guard device restart commands:
Reload (a reload is required after IP changes)
Reboot (reset restart)
Poweroff (power off and shut down)
AGM module restart:
Sup# hw-module module 2 reset cf:1 restarts the MP (check with show mod)
Sup# hw-module module 8 reset cf:4 restarts the AP (check with show mod)
E: Guard troubleshooting commands
arp -e    check mappings
arp -v    check connections
traceroute 10.10.10.34
show running-config
The Proxy IP must be routable to the protected zone and also routable to the client addresses on the Internet, and it must not reuse an interface address; otherwise Strong mode cannot work.
I have summarized the steps for the 3G license upgrade as follows:
- Install the XG software for the 3G license:
hw-module module 2 reset cf:1 ---- switch to the MP
show module all ---- confirm the status is ok
copy ftp://192.168.1.1/c6svc-agmXG-k9.6-0-10.bin pclc#2-fs:
once the CLI prompt "you now can reset the module" appears:
hw-module module 2 reset cf:4
- The 3G license is bound to the MAC address of the AGM on which the XG software is installed.
On the AGM: show license-key unique-identifier ---- record the MAC address this command displays
- After receiving the license file, open it in a text editor and copy its contents (Ctrl+C).
- On the AGM: license-key add, paste the copied contents of the license file, then press Enter.
- show license-key to verify that the license is 3G.
- After the upgrade, giga1, 2 and 3 can be used.
Product Name IC-AGM-3G-K9=
Product Description IC-AGM-3G-K9= : Guard Module 3G License
Product Qty :1
Product Authorization Key :
Sales Order Number :
Mac Address :001C5861DFA1
Options Included: No additional features have been selected for this product.
LICENSE KEY INSTALLATION INSTRUCTIONS
Attached to this email you will find a file with the ".lic" extension. This is the file that will allow you to turn your Cisco Anomaly Guard/Detector Module operational. Do not edit the contents of the .lic file in any way or you will render this file useless.
Before you proceed, make sure that the Cisco Anomaly Guard/Detector Module is turned on and is accessible so that you are able to log into its CLI and receive admin privileges.
Follow these steps to install your Cisco 3Gbps Guard/2Gbps Detector Module software license file:
Step 1. Open the attached license file (.lic) using a text editor and copy its contents into your desktop computer's clipboard.
Step 2. Log in to your Cisco Anomaly Guard/Detector Module and make sure you have admin privileges.
Step 3. Type "configure terminal" and press the Enter key in order to enter the configuration menu.
Step 4. Type "license-key add" and press the Enter key.
Step 5. Now paste your desktop computer clipboard's contents (containing the license key) and press the Enter key twice.
The Cisco Anomaly Guard/Detector Module will now process the license key and inform you whether it's valid or not.
Caution: Do not edit the contents of the .lic file in any way or the Cisco Anomaly Guard/Detector Module will fail to validate the license. The contents of the file are signed and must remain intact.
You should print this email, save the attachment to a floppy disk or disk-on-key, and store both for future use if needed.
If you encounter a problem with this license file, please contact our Licensing team at 800-553-2447 or open a service request using the TAC Service Request Tool.