Create a Zone

Perform the following steps to create a new zone:

  1. Navigate to Configuration > Protected Objects > Zones.
  2. On the Zones page, click Create.
  3. Expand the Overview section and enter the following information:

    Table 51 : Zone Fields

    Zone Name

    Enter the name of the zone.

    Once a zone name is set, it cannot be modified. A zone name may contain only alphanumeric characters (a-z, A-Z, 0-9) and the special characters period (.), hyphen (-), and underscore (_).

    Description

    Enter a description for the zone.

    IP Address(es)

    Enter the IPv4 or IPv6 address and subnet for the zone. To enter multiple IPs, enter one IP per line.

    Use Config Profile

    Select a Zone Config Profile.

    A Zone Config Profile is a configuration profile that contains the common DDoS protection configurations at the zone and zone service levels. It allows a user to define a common countermeasure profile once and reuse it in multiple zones.

    Operational Mode

    Select an operational mode to use with the zone.

    Operational Policy

    Select an operational policy to use with the zone.

    Mitigator Group

    Select a group of mitigation devices that acts as the mitigator.

    Detector Group

    Select a group of detection devices. To create a detection group, see Device Groups.

  4. Expand the Mitigation section and enter the following information:

    Table 52 : Zone Mitigation Fields

    Packet Capture Policy

    Select a packet capture policy to use with the zone.

    Rate Limit

    Select a configured GLID for the rate limit configuration.

    Limit per address

    Select the check box to apply the rate limit configured in the GLID to each individual IP address in a zone subnet.

    DSCP Marking

    Select the check box to mark clean traffic at the zone level. Enter a value from 1 to 63 in each of the following fields:

    • Inbound Forward
    • Outbound Forward

    Hardware Blacklist Drop

    Select the check box to enable Hardware-assisted Traffic Blocking on the TPS devices. Select one of these options:

    • Destination Blocking—Traffic that does not match the specific destination IP rules defined for DDoS protection is dropped in hardware.
    • Source Blocking—Traffic that does not match the specific source IP rules is dropped in hardware.
    NOTE: Hardware-assisted Traffic Blocking leverages the hardware chipset for traffic that exceeds a threshold limit. When the packet drop rate exceeds the default threshold, for example during a volumetric attack, packets are dropped in hardware rather than by the CPU. This allows TPS to drop packets at a higher rate and lets the CPU focus exclusively on packets that require further processing. This feature has some limitations. For detailed information about this feature and its limitations, see ACOS 3.2.5-P1 TPS New Features and Enhancements.
  5. Expand the Detection section and enter the following:

    Table 53 : Detection Fields

    Top-K Source IPs

    Enter the number of top-K source IP addresses to report for each source subnet. By default, 20 top-K IPs are displayed. Values above 20 and up to 100 are supported only on TPS 5.0.1 and later.

    In the Sort By section, select either Max peak or Average rate for IP detection. The Sort By option allows you to track the top-k values based on their maximum peak or window average.

    Top-K Destination IPs

    Enter the number of top-K destination IP addresses to report from the TPS device for each destination subnet. By default, 10 top destination IPs are displayed. The maximum value is 100. Top destination IPs are supported only on TPS 5.0.1 devices and later.

    In the Sort By section, select either Max peak or Average rate for IP detection. The Sort By option allows you to track the top-k values based on their maximum peak or window average.

    Continuous Learning

    Select the check box to enable continuous learning of the traffic baseline for the zone. The detector analyzes the observed traffic and turns the learned values into thresholds.

    Service Discovery

    Select the check box to enable the Service Discovery function if the TCP other/UDP other services are required.

    Packet Rate Threshold—Enter a value from 1 to 255 in this field.

    Packet Anomaly Detection

    Select the check box to enable detection of TCP and UDP port 0 DDoS attacks. When the threshold is exceeded for TCP or UDP port 0, A10 Defend Orchestrator App receives an alert about the traffic surge.

    Click the Plus (+) sign, select Port Zero Packet Rate as the Indicator Type, and enter the indicator threshold. The threshold value can be <1-255> packets per second.

    Victim IP Anomaly Detection

    Select the check box to enable detection based on individual victim IPs when a zone is under attack.

    • Dynamic Traffic Threshold — Select the check box to enable detection based on traffic thresholds dynamically determined by the detector.
    • Static Traffic Threshold — Select the check box to enable detection based on statically configured traffic thresholds such as the following:
      • Forward PPS — Enter the value for the forward traffic packet rate threshold.
      • Forward BPS — Enter the value for the forward traffic byte rate threshold.
    • Histogram Threshold — Select the check box to enable detection based on adaptive, auto-learned traffic histogram thresholds.
    NOTE: The Histogram and Static Traffic Threshold check boxes should be enabled together to monitor the anomaly even after it has aged out.
    NOTE: If “Victim IP Anomaly Detection” is selected in a zone template, the zone pushes only the “IP-Proto Other” service to the detector, irrespective of whether you have selected the “IP-Proto Other” service among the discovered services under the zone template. All other services are applied to the mitigator.
    Dynamic Threshold Sensitivity

    Select the sensitivity level (multiplier) for the detector used either with Continuous Learning or with Zone Victim IP detection.

    You can specify one of the following predefined levels:

    • LOW: This applies a multiplier value of 5, meaning the learned baseline threshold value will be multiplied by 5.
    • MEDIUM: This applies a multiplier value of 3, meaning the learned baseline threshold value will be multiplied by 3.
    • HIGH: This applies a multiplier value of 1.5, meaning the learned baseline threshold value will be multiplied by 1.5.
    • OFF: This applies a multiplier value of 1.0, meaning the learned baseline threshold value remains unchanged. This is the default setting.

    Select the Custom option if you want to specify a sensitivity level other than the predefined levels. You can specify a multiplier value in the range 1.0 to 10.
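    Both the Victim IP Anomaly Detection thresholds and the sensitivity levels above reduce to one comparison: an observed rate is anomalous when it exceeds a threshold, and for dynamic thresholds that threshold is the learned baseline multiplied by the sensitivity multiplier. The following Python code is an added example, not A10 Defend Orchestrator code, that derives the effective thresholds from a learned baseline for each predefined or custom level and applies them to a constructed set of per-IP forward PPS/BPS samples, so the effect of LOW versus HIGH sensitivity on which IPs get flagged is visible. The baseline values, the sample traffic, and the function names are constructed assumptions; the multipliers and the 1.0 to 10 custom range are as stated in the table.

```python
"""Effective detection thresholds from sensitivity level and learned baseline.

Added example, not A10 code. Multipliers follow the Dynamic Threshold
Sensitivity table; the baseline and traffic samples are constructed.
"""

# Predefined sensitivity levels and their multipliers (from the table above).
SENSITIVITY_MULTIPLIERS = {"LOW": 5.0, "MEDIUM": 3.0, "HIGH": 1.5, "OFF": 1.0}
CUSTOM_RANGE = (1.0, 10.0)  # allowed range for the Custom option

# Constructed learned baseline for a zone: forward packets and bytes per second.
LEARNED_BASELINE = {"forward_pps": 10_000, "forward_bps": 8_000_000}

# Constructed per-victim-IP observations: (ip, forward_pps, forward_bps).
SAMPLES = [
    ("192.0.2.10", 12_000, 9_000_000),   # slightly above baseline
    ("192.0.2.11", 40_000, 30_000_000),  # clear surge
    ("192.0.2.12", 9_000, 7_000_000),    # within baseline
]


def resolve_multiplier(level: str, custom=None) -> float:
    """Return the multiplier for a predefined level, or a validated custom value."""
    key = level.upper()
    if key == "CUSTOM":
        if custom is None or not CUSTOM_RANGE[0] <= custom <= CUSTOM_RANGE[1]:
            raise ValueError(f"custom multiplier must be within {CUSTOM_RANGE}, got {custom!r}")
        return float(custom)
    if key not in SENSITIVITY_MULTIPLIERS:
        raise ValueError(f"unknown sensitivity level {level!r}")
    return SENSITIVITY_MULTIPLIERS[key]


def effective_thresholds(baseline: dict, level: str, custom=None) -> dict:
    """Dynamic thresholds: every learned baseline value scaled by the multiplier.

    A statically configured threshold (Static Traffic Threshold above) is the
    same kind of dict holding the operator's own Forward PPS / Forward BPS
    values, with no scaling applied.
    """
    multiplier = resolve_multiplier(level, custom)
    return {metric: value * multiplier for metric, value in baseline.items()}


def detect_victims(samples: list, thresholds: dict) -> list:
    """Return the IPs whose forward packet rate or byte rate exceeds its threshold."""
    victims = []
    for ip, pps, bps in samples:
        if pps > thresholds["forward_pps"] or bps > thresholds["forward_bps"]:
            victims.append(ip)
    return victims


if __name__ == "__main__":
    for level in ("OFF", "HIGH", "MEDIUM", "LOW"):
        thresholds = effective_thresholds(LEARNED_BASELINE, level)
        print(level, thresholds, detect_victims(SAMPLES, thresholds))
```

    Running the block shows the trade-off the level names encode: OFF (the default) flags every IP above the learned baseline, including the marginal 12,000 pps host; HIGH and MEDIUM flag only the 40,000 pps surge; LOW raises the threshold to 50,000 pps and flags nothing, so a lower sensitivity means fewer alerts and a larger surge needed to trigger mitigation.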

  6. Expand the Source Ports section and click the Plus (+) sign to see further options:

    Table 54 : Source Port Fields

    Protocol

    Select TCP or UDP as the protocol.

    Port/Range

    Enter a port or port range. For a port range, specify the lower port number, a hyphen (-), and then the higher port number.

    GLID

    Select a configured GLID for rate limiting.

    Template

    Select a template from the list.

    Deny

    Select Deny to drop and black-list matching inbound traffic. The black-list setting is permanent and static, and changes only if this configuration changes.
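    The Zone Name, IP Address(es) and Port/Range fields each have a constrained format. The following Python helpers are an added example, not part of A10 Defend Orchestrator or its API, that validate input against the rules stated in Table 51 and Table 54 before it is submitted: the zone name character set, one IPv4/IPv6 address or subnet per line, and a single port or a low-high port range. The port bounds of 0 to 65535, the acceptance of TCP and UDP only, and the function names are assumptions.

```python
"""Validate zone input fields the way Table 51 and Table 54 describe them.

Added example, not A10 code. Assumptions: ports are 0-65535 (the standard
TCP/UDP port space) and a bare address is accepted as a /32 or /128 subnet.
"""
import ipaddress
import re

# Table 51: alphanumerics plus period, hyphen and underscore only.
ZONE_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def validate_zone_name(name: str) -> bool:
    """True if the name is non-empty and uses only characters the Zone Name field allows."""
    return ZONE_NAME_RE.fullmatch(name) is not None


def parse_ip_list(text: str) -> list:
    """Parse the IP Address(es) field: one IPv4/IPv6 address or subnet per line.

    Blank lines are ignored. Host bits in a subnet are masked off
    (10.1.2.5/24 becomes 10.1.2.0/24); anything else raises ValueError
    naming the offending line.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IPv4/IPv6 address or subnet") from exc
    if not networks:
        raise ValueError("at least one IP address or subnet is required")
    return networks


def parse_port_spec(spec: str) -> tuple:
    """Parse Port/Range (Table 54): a single port, or 'low-high' with the lower port first."""
    parts = spec.strip().split("-")
    if len(parts) == 1:
        low = high = int(parts[0])
    elif len(parts) == 2:
        low, high = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"port spec {spec!r} must be a port or low-high")
    for port in (low, high):
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} is outside 0-65535")
    if low > high:
        raise ValueError(f"range {spec!r} must list the lower port first")
    return (low, high)


def build_zone(name: str, ip_text: str, source_ports: list) -> dict:
    """Validate all fields together and return a normalized zone record.

    source_ports is a list of (protocol, port_spec) pairs as typed into the
    Source Ports section; protocol must be TCP or UDP.
    """
    if not validate_zone_name(name):
        raise ValueError(f"zone name {name!r} contains disallowed characters")
    ports = []
    for proto, spec in source_ports:
        if proto.upper() not in ("TCP", "UDP"):
            raise ValueError(f"protocol {proto!r} must be TCP or UDP")
        low, high = parse_port_spec(spec)
        ports.append((proto.upper(), low, high))
    return {
        "name": name,
        "networks": [str(n) for n in parse_ip_list(ip_text)],
        "source_ports": ports,
    }


if __name__ == "__main__":
    # Constructed sample input, not from a real deployment.
    print(build_zone("web-zone_1.prod", "10.1.2.0/24\n2001:db8::10\n",
                     [("tcp", "80"), ("udp", "1024-2048")]))
```

    Because a zone name cannot be changed once set, checking it before submission avoids having to delete and recreate the zone; the IP parser reports the line number of a bad entry, which matters when the field holds many one-per-line subnets.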

  7. Select the Use Zone Profile for Configuration check box and then select the zone profile from the Zone Config Profile list.
    NOTE: You can perform either step 8 or step 11. They are mutually exclusive.
  8. Click Zone Charts to view the graph. For more information, see Zone Charts.
  9. Click Indicator Threshold to enter the information for zones under protection. For more information, see Operational Mode - Protected.
  10. Click Discovered Services to view the Services, Packet Rate, and Actions in the pop-up window.
  11. Expand the Services section and configure the protocol services and the designated ports for those services in the appropriate fields.

    Click the Plus (+) sign to configure the additional services. Some standard protocols are pre-configured with the appropriate port number. The following is the list of Services supported:

    • TCP - <Port> or <Port Range> or other
    • UDP - <Port> or <Port Range> or other
    • HTTP - <Port> or <Protocol Number>
    • QUIC - <Port> or <Protocol Number>
    • DNS-TCP - <Port> or <Protocol Number>
    • DNS-UDP - <Port> or <Protocol Number>
    • SSL-L4 - <Port> or <Protocol Number>
    • SIP-TCP - <Port> or <Protocol Number>
    • SIP-UDP - <Port> or <Protocol Number>
    • Any TCP
    • Any UDP
    • ICMPv4
    • ICMPv6
    • GRE
    • IPv4 ENCAP
    • IPv6 ENCAP
    • Other
    • Protocol Num - <Protocol Number>
    NOTE: SIP over TCP is only supported in asymmetric mode.
    NOTE: For more information about the threshold indicators available for the protocol services, see Indicator Settings.
  12. To edit a configured zone service, click Edit next to it. The available options depend on the type of Zone Service.

    The Edit Zone Service for the selected protocol appears. For more information, see Configure a Zone Service Protection Profile.

    If Protocol Num 50 is configured as the zone service, ESP Inspect is available to allow configuration of ESP payload parameters with one of the following Auth Algorithms.

    • AUTH_NULL – No Integrity Check Value
    • HMAC-SHA-1-96 – 96 bit Authentication Algorithm
    • HMAC-SHA-256-96 – 96 bit Authentication Algorithm
    • HMAC-SHA-256-128 – 128 bit Authentication Algorithm
    • HMAC-SHA-384-192 – 192 bit Authentication Algorithm
    • HMAC-SHA-512-256 – 256 bit Authentication Algorithm
    • HMAC-MD5-96 – 96 bit Authentication Algorithm
    • MAC-RIPEMD-160-96 – 96 bit Authentication Algorithm

    Under Pattern Recognition (ZAPR):

    Table 55 : ZAPR Fields

    Start Pattern Recognition

    • Select the zone service level at which you want to run signature extraction. The signature extraction is pushed to TPS only when mitigation is started.
    • TPS extracts the unknown attack signatures from the attack traffic and stops extraction when TPS sends a de-escalation notification to A10 Defend Orchestrator App.
    • The extracted attack signatures are analyzed using Machine Learning techniques and converted to signature rules using Berkeley Packet Filter (BPF) expressions.

    Apply Extracted Filters

    Select the zone service level at which the extracted signature filters are applied to the incoming traffic; packets that match the filters are dropped.

    To monitor the dropped packets and packet rates, go to Mitigation > Zone Mitigation Console.

    Triggered By

    Select from the following options:

    • Packet Rate Exceeds
    • Zone Escalation

    You can trigger pattern recognition when a packet rate threshold exceeds a global limit ID (GLID) or when there is a zone escalation. If the option is not specified, the default trigger is a rate threshold exceeding a GLID.

    Capture Traffic

    Select from the following options:

    • All
    • Dropped

    You can capture all traffic or only the dropped traffic for the purpose of extracting a ZAPR filter. If the option is not specified, the default behavior captures only the dropped traffic.

    NOTE: The Triggered By and Capture Traffic options are applicable only when the TPS v5.0.2 device is used.
    • Depending on the protocol selected, policy levels are configurable. A zone service configuration can have up to 5 levels, numbered 0 to 4, that escalate from Level 0. Click the downward arrow on the Level 0 row if it exists.

    • Click the Plus (+) sign to add further indicator configuration for the zone service. For the information to enter in the indicator configuration, see Configure a Zone Service Protection Profile.

  13. Perform one of the following actions:

    • Save—Allows you to save the changes.
    • Save & Push—Allows you to save the changes and send the configuration to the device. This option saves time when sending small configuration changes to the devices.

After a zone is created, the edit zone configuration page displays the Zone Charts button, which navigates you to the Zone Charts page in a new browser tab.

Depending on your topology, an operational mode may be used to build a baseline for the traffic thresholds of your zone services. To access the operational mode functions, go to Configuration > Protected Objects > Zones and then select Learn from the Operational Mode drop-down to get a traffic baseline for your zone. For more information, see Operational Mode - Learning.

COMPANY INFORMATION: Copyright © 2025 A10 Networks, Inc. All Rights Reserved. Legal Notice