Configure a Zone Operational Policy

You can either create a new logging template or select the predefined template named A10_Logging_Basic to create the Zone Operational Policy.

Perform the following steps to configure Zone Operational Policy:

  1. Go to Configuration > Zone Policies / Profiles > Zone Operational Policy.
  2. Click Create. The Create Zone Operational Policy page appears.
  3. Enter a name for the Zone Operational Policy.
  4. Expand the Start Mitigation section.
  5. Enter the appropriate information. The fields are described in Table 81.

    Table 81 : Zone Operational Policy Fields

    Field

    Purpose

    Start Mitigation

    Select one of the options to start mitigation on a zone when receiving a DDoS escalation notification:

    • Automatic
    • Manual

    If Start Mitigation is set to Manual, Arbor PeakFlow messages and alert notifications are ignored, and the A10 Defend Orchestrator App does not create any incidents. The alert messages are still logged.

    NOTE: The Start Mitigation option Automatic and the BGP Flowspec option Manual Enable are mutually exclusive. When Start Mitigation is Automatic, BGP Flowspec is disabled, and vice versa.

    BGP

    Select one of the following options:

    • Enable—Configures BGP routes for the protected IPs or subnets of the zone.
    • Disable—Does not configure BGP routes for the zone. With BGP disabled, BGP Flowspec can be configured instead.
    NOTE: BGP and BGP Flowspec are mutually exclusive. When BGP is enabled, the BGP Routes and BGP Route Map options appear and BGP Flowspec is automatically disabled, and vice versa.

    BGP Routes

    Select one of the following as the source for the routes:

    • All Zone IPs/Subnets—Configures BGP routes for all the IPs/subnets in the zone.
    • Top Destination IPs—Configures BGP routes for the top-K attacked IPs that are reported by a detector, on start mitigation.
      • Top-K IP count—Enter the number of IP addresses to use from the reported top-K destination IPs when configuring BGP routes.
    • Victim IP—Configures BGP routes for Victim IPs that are detected by A10 Detector or 3rd party detector.

      • Withdrawal Delay—Specify the hold-off timer (in minutes). The default is 2 minutes. After the A10 Defend Orchestrator App receives a Victim IP anomaly-cleared notification, it delays the BGP route withdrawal by this time.

        NOTE: Withdrawal delay is currently supported only with Zone Victim IP detection.

    BGP Route Map

    Select a route map you want to apply on all the attacked IPs in the zone.

    The route map is used when BGP routes are automatically created for the zone under attack.

    The drop-down lists the route maps that do not have RTBH enabled.

    NOTE: If a Route Map is not selected, a default Route map called A10-SET-NEXT-HOP will be used.
    NOTE: If a BGP Route Map is associated with a Zone Operational Policy, it cannot be deleted.

    RTBH Route Map

    Select a route map to be associated with the zone that is used for RTBH mitigation.

    The drop-down lists only those route maps that have RTBH enabled.

    NOTE: If an RTBH Route Map is associated with a Zone Operational Policy, it cannot be deleted.

    For more information, see Remotely Triggered Black Hole .

    BGP Flowspec

    Select one of the following options:

    • Manual Enable—Configures BGP Flowspec rules in the disabled state for the protected IPs/subnets or top-K destination IPs and the attacked services on incident creation. To enable the rules explicitly, go to BGP > Flowspec and click Enable under Actions.
    • Auto Enable—Configures BGP Flowspec rules in the enabled state for the protected IPs/subnets or top-K destination IPs and the attacked services on incident creation.
    • Disable—Does not configure BGP Flowspec rules on incident creation.

    BGP Flowspec IPs

    Select one of the following options:

    • Zone/IP Subnets—Configures BGP flowspec for all the IPs/subnets in the zone.
    • Top Destination IPs—Configures BGP flowspec for the top-K attacked IPs that are reported by a detector, on start mitigation.
      • Top-K IP count—Enter the number of IP addresses to use from the reported top-K destination IPs when configuring BGP Flowspec.

    Traffic Filtering Action

    Select one of the following options:

    • Redirect to TPS (Extended Community/NLRI)—The router sends the traffic to the TPS device.
      Use the TPS outside interface IP address when redirecting traffic to TPS. To configure the outside interface IP, go to Devices > Device List. Open the Configure Mitigation window for each mitigator in the Mitigator Group to set the interface IP. For more information, see Device List.
      NOTE: If Flowspec is enabled with the default filtering action Redirect to TPS (NLRI), the mitigator outside interface IP must be an IPv4 or IPv6 address that matches the address family of the zone subnet/destination IP and source IP.
    • Redirect to VRF—Redirects the traffic to the specified VRF.
      • VRF Target String—Enter the VRF route target.
      • IP Host RT—Enter the route target IP.
      • Index—Enter the route target IP index.
    NOTE: VRF target string and IP Host RT/Index are mutually exclusive.

    Class-List Push Policy

    Select one of the following options to control whether the class-list is pushed to the associated zones or mitigator groups when the zone is saved.

    • Always—Always pushes the class-list to the zone and its supporting objects. This is the default.
    • If Not Present—If a class-list does not exist on at least one device in the group, the A10 Defend Orchestrator App pushes the class-list to all devices in the device group.
    • Never—Never pushes any class-list to the device group. If any device lacks a class-list used by the zone, the zone configuration push to the device group can fail.
    NOTE: The class-list policy applies to all actions performed on the Zone Mitigation Console, even when manual mode is enabled. For example, if a zone's Zone Operational Policy sets the class-list policy to Never and, for an incident on one of the zone services, you push a Src Based Policy with a class-list, the class-list push is skipped but the Src Based Policy push is still attempted.

    Exclude Pushing Class-Lists

    Enter the names of the class-lists to exclude when pushing the zone or the zone services to the devices. Separate multiple class-list names with commas.
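    The constraints in Table 81 (the mutual exclusions between Start Mitigation, BGP and BGP Flowspec, the RTBH requirement on route maps, the address-family rule for Redirect to TPS (NLRI) and the Class-List Push Policy behaviour) are easy to get wrong when a policy is assembled by automation instead of in the GUI, where the conflicting options are greyed out. The Python below is an added example, not part of the A10 documentation or the product: it encodes those rules as a lint pass over a policy dictionary and works out what each Class-List Push Policy setting would send to a mitigator group. The dictionary keys, the route-map and device inventories and the sample policies are assumptions constructed for the example.

```python
"""Lint a Zone Operational Policy against the field rules in Table 81.

Added example: the dictionary keys, the route-map and device inventories and
the sample policies are constructed for illustration, not the product's API.
"""
import ipaddress

# Constructed inventory: route map name -> whether RTBH is enabled on it.
ROUTE_MAPS = {"A10-SET-NEXT-HOP": {"rtbh": False}, "RTBH-DISCARD": {"rtbh": True}}
# Constructed inventory: mitigator -> class-lists already present on it.
DEVICE_INVENTORY = {"tps-a": {"cl-trusted-dns", "cl-bogons"}, "tps-b": {"cl-trusted-dns"}}


def validate_policy(policy, route_maps=ROUTE_MAPS):
    """Return the list of constraint violations; empty means the policy is consistent."""
    errors = []
    start = policy.get("start_mitigation")
    bgp = policy.get("bgp", "Disable")
    flowspec = policy.get("bgp_flowspec", "Disable")
    # Start Mitigation Automatic and BGP Flowspec Manual Enable are mutually exclusive.
    if start == "Automatic" and flowspec == "Manual Enable":
        errors.append("Start Mitigation Automatic conflicts with BGP Flowspec Manual Enable")
    # BGP route injection and BGP Flowspec are mutually exclusive.
    if bgp == "Enable" and flowspec != "Disable":
        errors.append("BGP Enable and BGP Flowspec cannot both be active")
    if bgp == "Enable":
        routes = policy.get("bgp_routes")
        if routes == "Top Destination IPs" and not policy.get("top_k_ip_count"):
            errors.append("Top Destination IPs requires a Top-K IP count")
        if policy.get("withdrawal_delay") is not None and routes != "Victim IP":
            errors.append("Withdrawal Delay is only supported with Victim IP routes")
        # The BGP Route Map must not have RTBH enabled; the RTBH Route Map must.
        route_map = policy.get("bgp_route_map", "A10-SET-NEXT-HOP")
        if route_maps.get(route_map, {}).get("rtbh"):
            errors.append(f"BGP Route Map {route_map} has RTBH enabled")
        rtbh_map = policy.get("rtbh_route_map")
        if rtbh_map is not None and not route_maps.get(rtbh_map, {}).get("rtbh"):
            errors.append(f"RTBH Route Map {rtbh_map} does not have RTBH enabled")
    if flowspec != "Disable":
        if policy.get("bgp_flowspec_ips") == "Top Destination IPs" and not policy.get("top_k_ip_count"):
            errors.append("Flowspec Top Destination IPs requires a Top-K IP count")
        action = policy.get("traffic_filtering_action")
        if action == "Redirect to VRF":
            has_string = bool(policy.get("vrf_target_string"))
            has_host = policy.get("ip_host_rt") is not None
            if has_string and has_host:
                errors.append("VRF target string and IP Host RT/Index are mutually exclusive")
            elif not (has_string or has_host):
                errors.append("Redirect to VRF needs a VRF target string or an IP Host RT/Index")
        elif action == "Redirect to TPS (NLRI)":
            # The mitigator outside interface IP must match the address family of
            # the zone subnets the Flowspec rules are built for (NOTE in Table 81).
            needed = {ipaddress.ip_network(s, strict=False).version for s in policy.get("zone_subnets", [])}
            present = {ipaddress.ip_address(a).version for a in policy.get("mitigator_outside_ips", [])}
            for version in sorted(needed - present):
                errors.append(f"Redirect to TPS (NLRI) needs an IPv{version} mitigator outside interface IP")
    return errors


def plan_class_list_push(push_policy, zone_class_lists, inventory=DEVICE_INVENTORY, excluded=()):
    """Apply the Class-List Push Policy to a mitigator group.

    Returns (pushes, warnings): the class-lists to send to each device, and the
    devices whose missing class-lists would make a zone push fail under Never.
    """
    wanted = [cl for cl in zone_class_lists if cl not in excluded]
    pushes = {device: set() for device in inventory}
    warnings = []
    if push_policy == "Always":
        for device in pushes:
            pushes[device].update(wanted)
    elif push_policy == "If Not Present":
        # Missing on at least one device -> pushed to every device in the group.
        for cl in wanted:
            if any(cl not in have for have in inventory.values()):
                for device in pushes:
                    pushes[device].add(cl)
    elif push_policy == "Never":
        for cl in wanted:
            for device, have in inventory.items():
                if cl not in have:
                    warnings.append(f"{device} lacks {cl}; zone push may fail")
    else:
        raise ValueError(f"unknown Class-List Push Policy: {push_policy}")
    return pushes, warnings


# Constructed sample: violates several Table 81 constraints at once.
BAD_POLICY = {"start_mitigation": "Automatic", "bgp": "Enable", "bgp_routes": "All Zone IPs/Subnets",
              "bgp_route_map": "RTBH-DISCARD", "withdrawal_delay": 2, "bgp_flowspec": "Manual Enable"}
# Constructed sample: dual-stack zone whose mitigator has only an IPv4 outside interface IP.
FLOWSPEC_POLICY = {"start_mitigation": "Automatic", "bgp": "Disable", "bgp_flowspec": "Auto Enable",
                   "bgp_flowspec_ips": "Top Destination IPs", "top_k_ip_count": 10,
                   "traffic_filtering_action": "Redirect to TPS (NLRI)",
                   "zone_subnets": ["203.0.113.0/24", "2001:db8:10::/48"],
                   "mitigator_outside_ips": ["198.51.100.7"]}

if __name__ == "__main__":
    print(validate_policy(BAD_POLICY), validate_policy(FLOWSPEC_POLICY), sep="\n")
```

    Running the module reports four violations for BAD_POLICY and, for FLOWSPEC_POLICY, only the missing IPv6 outside interface address; adding an IPv6 address to mitigator_outside_ips clears it. The lint mirrors what the GUI enforces by disabling options, so its value is in catching the same conflicts in policies generated outside the GUI before they reach the orchestrator.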

  6. Expand the Stop Mitigation section and enter the appropriate information.

    Table 82 : Stop Mitigation Policy Fields

    Field

    Purpose

    Stop Mitigation

    Select whether mitigation on a zone stops automatically or manually when all zone incidents have de-escalated to level zero:

    • Automatic
    • Manual

    Zone Mode After Mitigation

    Select one of the following options:

    • Protected—Configures the zone in the protected mode. By default, Protected is selected.
    • Idle—Configures the zone in the idle mode.
  7. Expand the Zone Stats and Logging section and enter the appropriate information.

    Table 83 : Zone Stats and Logging

    Field

    Purpose

    Zone Stats Collection

    Select when the statistics from a zone should be collected. Select one of the following options:

    • Enable only during Mitigation—Select this option to collect statistics only while mitigation is in progress.
    • Enable Always—Select this option to always collect statistics.

    Logging

    Select one of the following options:

    • Log Enable—Enables logging.
    • Log Periodic—Enables periodic timed logs.

    Log Template

    Select a zone logging template to be used by the policy and its associated zones. If no logging template is selected, the A10_Logging_Basic template is used by default. A10_Logging_Basic is a predefined template that cannot be deleted, but it can be edited as required.
  8. Click Create.

Copyright © 2025 A10 Networks, Inc. All Rights Reserved.