Configure a Zone Operational Policy

You can either create a new logging template or select the predefined template named A10_Logging_Basic to create the Zone Operational Policy.

Perform the following steps to configure a Zone Operational Policy:

  1. Go to Configurations >> Zone Policies / Profiles >> Zone Operational Policy.
  2. Click + New Policy.
  3. Configure the fields described in Table 160.

     Table 160: Fields and their purpose in the Create a Zone Operational Policy window. Each field name below is followed by its purpose.

    Name

    Enter a name for the policy. The supported value is a string of 1-63 characters.

    Logging

    Select one of the following options:

    • Log Enable—Enables the log functionality.
    • Log Periodic—Enables periodic timed logs.

    Logging Template

    Choose a zone logging template to be used by the policy and its associated zones.

    If there is no logging template chosen, the A10_Logging_Basic template is selected by default. The A10_Logging_Basic template is a predefined template that cannot be deleted. However, it can be edited as required.

    Report Mitigator Stats

    Select one of the two options to specify when the TPS mitigator should export statistics information for all zones to A10 Defend Orchestrator App:

    • Enabled—Exports mitigation statistics to A10 Defend Orchestrator App during both peacetime and wartime, allowing the user to always view zone charts. This is the default option for Report Mitigator Stats.
    • Enable on Start Mitigation—Exports mitigation statistics to A10 Defend Orchestrator App only when mitigation is started for the zone.

    NOTE: TPS devices can export zone and zone service statistics to A10 Defend Orchestrator App for only a limited number of zones at a time. When the maximum zone count for statistics export is reached, the TPS mitigator throws a "Max T2 counters reached" exception.

    Start Mitigation

    Select one of the options to start mitigation on a zone when receiving a DDoS escalation notification:

    • Automatic
    • Manual

    If Start Mitigation is set to Manual, Arbor PeakFlow messages and alert notifications are ignored and A10 Defend Orchestrator App will not create any incidents. However, alert messages are logged.

    NOTE: The Start Mitigation option Automatic and the BGP Flowspec option Manual Enable are mutually exclusive. When Automatic is enabled, BGP Flowspec is disabled, and vice versa.

    BGP

    Select one of the following options:

    • Enable—Configures the BGP network for the protected IPs or subnets of the zone.
    • Disable—Configures the BGP Flowspec on incident creation.

    NOTE: BGP and BGP Flowspec are mutually exclusive. When BGP is enabled, the BGP Routes and BGP Route Map options are shown and BGP Flowspec is automatically disabled, and vice versa.

    BGP Routes

    Select one of the following as the source for the routes:

    • All Zone IPs/Subnets—Configures BGP routes for all the IPs/subnets in the zone.
    • Top Destination IPs—Configures BGP routes for the top-K attacked IPs that are reported by a detector, on start mitigation.
      • Top-K IP count—Enter the number of top-K IP addresses to use from the reported top-K destination IPs while configuring BGP routes.
    • Victim IP—Configures BGP routes for victim IPs that are detected by A10 Detector or a third-party detector.

    BGP Route Map

    Choose a route map you want to apply on all the attacked IPs in the zone.

    The route map is used when BGP routes are automatically created for the zone under attack.

    The drop-down lists the route maps that do not have RTBH enabled.

    NOTE: If a route map is not selected, the default route map A10-SET-NEXT-HOP is used.
    NOTE: A BGP Route Map that is associated with a Zone Operational Policy cannot be deleted.

    RTBH Route Map

    Choose a route map you want to associate with the zone that is used for RTBH mitigation.

    The drop-down lists only those route maps that have RTBH enabled.

    NOTE: An RTBH Route Map that is associated with a Zone Operational Policy cannot be deleted.

    For more information, see Remotely Triggered Black Hole.

    BGP Flowspec

    Select one of the following options:

    • Manual Enable—Configures BGP Flowspec rules in the disabled state for the protected IPs/subnets or top-K destination IPs and attacked services on incident creation. It is recommended that you explicitly enable the Flowspec rules. To do so, go to BGP >> Flowspec and click Enable under Actions.
    • Auto Enable—Configures BGP Flowspec rules in the enabled state for the protected IPs/subnets or top-K destination IPs and attacked services on incident creation.
    • Disable—Configures the BGP Flowspec rules automatically on incident creation.

    BGP Flowspec IPs

    Select one of the following options:

    • Zone/IP Subnets—Configures BGP flowspec for all the IPs/subnets in the zone.
    • Top Destination IPs—Configures BGP flowspec for the top-K attacked IPs that are reported by a detector, on start mitigation.
      • Top-K IP count—Enter the number of top-K IP addresses to use from the reported top-K destination IPs while configuring BGP flowspec.

    Traffic Filtering Action

    Choose one of the following options:

    • Redirect to TPS (Extended Community/NLRI)—The router sends the traffic to the TPS device.
      Use the TPS outside interface IP address when redirecting traffic to TPS. To configure the outside interface IP, go to Devices >> Device List. Open the Configure Mitigation window for each mitigator in the Mitigator Group to set the interface IP. For more information, see Device List.
    • Redirect to VRF—Redirects the traffic to the specified VRF.
      • VRF Target String—Enter the VRF route target.
      • IP Host RT—Enter the route target IP.
      • Index—Enter the route target IP index.

    NOTE: If Flowspec is enabled with the default filtering action Redirect to TPS (NLRI), the mitigator outside interface IP must be an IPv4 or an IPv6 address to match the address family of the zone subnet/destination IP and source IP.
    NOTE: VRF target string and IP Host RT/Index are mutually exclusive.

    Class-List Push Policy

    Select one of the following options to control whether the class-list is pushed to the associated zones or mitigator groups when the zone is saved.

    • Always—Always pushes the class-list to the zone and its supporting objects. This is the default.
    • If Not Present—If a class-list does not exist on at least one device in the group, A10 Defend Orchestrator App pushes the class-list to all devices in the device group.
    • Never—Never pushes any class-list to the device group. This behavior might cause the zone configuration push to the device group to fail if any of the devices do not have a class-list used by the zone.

    NOTE: The class-list push policy applies to all actions performed on the Zone Mitigation Console, even when the manual mode configuration is enabled. For example, if a zone's Zone Operational Policy sets the class-list push policy to Never and, for an incident on one of the zone services, you push a Src Based Policy with a class-list, the class-list push is skipped but the Src Based Policy push is still attempted.

    Exclude Pushing Class-Lists

    Enter the names of the class-lists that should be excluded when pushing the zone or the zone services to the devices. When entering multiple class-lists, use a comma to separate each class-list.

    Stop Mitigation

    Select one of the following options to automatically stop mitigation on a zone when all zone incidents have de-escalated to level zero.

    • Automatic
    • Manual

    Zone Mode After Mitigation

    Select one of the following options:

    • Protected—Configures the zone in the protected mode. By default, Protected is selected.
    • Idle—Configures the zone in the idle mode.
  4. Click Submit.
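As an added example (not A10 code), the following Python checks a policy, represented as a dict with hypothetical keys mirroring the field names in Table 160, against the cross-field rules the table states: the 1-63 character name, the three mutually exclusive option pairs, and the address-family match that Redirect to TPS (NLRI) requires between the mitigator outside interface IP and the zone prefixes. It also parses the comma-separated Exclude Pushing Class-Lists field.

```python
import ipaddress

# Option label as shown in the Create a Zone Operational Policy window.
# The dict keys below are hypothetical; A10 does not publish this representation.
TPS_NLRI = "Redirect to TPS (Extended Community/NLRI)"


def validate_policy(policy, zone_subnets, outside_ip=None):
    """Return the list of rule violations for a policy dict; [] means it is consistent."""
    problems = []
    if not 1 <= len(policy.get("name", "")) <= 63:
        problems.append("Name must be a string of 1-63 characters")
    flowspec = policy.get("bgp_flowspec", "Disable")
    # Start Mitigation Automatic and BGP Flowspec Manual Enable are mutually exclusive.
    if policy.get("start_mitigation") == "Automatic" and flowspec == "Manual Enable":
        problems.append("Start Mitigation Automatic excludes BGP Flowspec Manual Enable")
    # BGP and BGP Flowspec are mutually exclusive.
    if policy.get("bgp") == "Enable" and flowspec != "Disable":
        problems.append("BGP Enable excludes BGP Flowspec Manual Enable/Auto Enable")
    action = policy.get("traffic_filtering_action")
    if action == "Redirect to VRF":
        # VRF Target String and IP Host RT/Index are mutually exclusive: use exactly one form.
        by_string = bool(policy.get("vrf_target_string"))
        by_rt = policy.get("ip_host_rt") is not None or policy.get("index") is not None
        if by_string == by_rt:
            problems.append("Redirect to VRF needs either VRF Target String or IP Host RT/Index")
    if action == TPS_NLRI:
        # The mitigator outside interface IP must share the address family of the zone prefixes.
        if outside_ip is None:
            problems.append("Redirect to TPS needs the mitigator outside interface IP")
        else:
            family = ipaddress.ip_address(outside_ip).version
            mixed = [s for s in zone_subnets
                     if ipaddress.ip_network(s, strict=False).version != family]
            if mixed:
                problems.append(f"outside interface is IPv{family} but zone has {', '.join(mixed)}")
    return problems


def excluded_class_lists(value):
    """Split the comma-separated Exclude Pushing Class-Lists field into a list of names."""
    return [n.strip() for n in value.split(",") if n.strip()]


if __name__ == "__main__":
    # Constructed sample policy: every combination below is allowed by the table.
    ok = {"name": "web-zone", "start_mitigation": "Manual", "bgp": "Disable",
          "bgp_flowspec": "Auto Enable", "traffic_filtering_action": TPS_NLRI}
    print(validate_policy(ok, ["203.0.113.0/24"], "198.51.100.10"))  # []
    print(excluded_class_lists("cl-a, cl-b ,,cl-c"))  # ['cl-a', 'cl-b', 'cl-c']
```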

Copyright © 2025 A10 Networks, Inc. All Rights Reserved.