Menu path: Configuration > Compliance Overview > Network Behavior Policy.
Abnormal device activity can be detected from the network access those devices perform, flagged, and made available through Security Events. Detection is based on access to compromised hosts, using information in the Fingerbank database about a device's expected behavior, called the pristine profile. The integration with security events is covered below in Security Events.
The format and usage of this page is discussed in General GUI Usage.
Click the add icon to add a new network behavior policy. The fields in the New Network Behavior Policy dialog are:
Field | Usage | Example |
---|---|---|
Identifier | A unique string to use as the identifier of the behavior policy. | android_blacklisted |
Status | Indicates if the policy should be applied. | |
Description | A user-friendly description of the behavior policy. | Android devices should not talk to blacklisted hosts |
Devices Included | A list of Fingerbank defined devices that will be affected by this policy. All children of the selected devices will also be affected. A blank entry in this field causes the network behavior policy to affect all Fingerbank defined devices. | Android OS |
Devices Excluded | A list of Fingerbank defined devices that will be excluded from this policy. All children of the selected devices will also be excluded. | |
Monitor for Blacklisted IPs | Indicates whether this policy should check for communication with blacklisted IP addresses. The blacklist is part of the Fingerbank database and is updated daily on each A3 instance. | |
Whitelisted IPs | A comma-separated list of IP addresses to be ignored when using the blacklist. Entries may be single addresses or CIDR ranges. | 4.4.4.4,8.8.8.0/24 |
Blacklisted IP Hosts Window | The time window for counting references to blacklisted IPs. The window is expressed in units of seconds, minutes, or hours. | 10 minutes |
Blacklisted IPs Threshold | The number of references to blacklisted IPs during the Blacklisted IP Hosts Window period that will trigger a security event. | 1 |
Blacklisted Ports | A comma-separated list of outbound ports to be considered when triggering a security event. Outbound ports may be expressed as single port numbers or a range of port numbers. | 22-23,6667,8080 |
Watched Device Attributes | Network behavior analysis compares Fingerprint device attributes against those of the values in the Devices Included list. The particular attributes used in the comparison are included in this list. This feature is disabled if this field is blank. | |
Device Attributes Minimal Score | If Watched Device Attributes is not empty, an event is triggered when a client does not get more than this score when measured against the matching device in the Devices Included list. | 0 |
Device Attributes Weight | If Watched Device Attributes is not empty, a weighted system is used for comparison to the score when measured against the matching device in the Devices Included list. The default weights are listed in the shaded table. The weights from the table may be overridden by selecting the associated icon. | |
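The following script is an added example, not A3 or Fingerbank code, showing how the blacklist-related fields of the dialog (Whitelisted IPs as addresses or CIDR ranges, the Blacklisted IP Hosts Window, the Blacklisted IPs Threshold, and Blacklisted Ports as single ports or ranges) combine into one detection decision. The policy values are the examples from the table; the blacklist, the device MAC addresses and the flow records are constructed for the illustration, and the class and function names are the example's own, not A3's.

```python
"""Illustrative evaluation of a Network Behavior Policy's blacklist fields.

Constructed example, not A3/Fingerbank code: the policy model, the blacklist
and the flow records below are made up to exercise each branch of the decision.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Duration units accepted by the Blacklisted IP Hosts Window field.
UNITS = {"seconds": 1, "minutes": 60, "hours": 3600}


def parse_window(text):
    """'10 minutes' -> timedelta(minutes=10)."""
    amount, unit = text.strip().split()
    return timedelta(seconds=int(amount) * UNITS[unit.lower()])


def parse_networks(text):
    """'4.4.4.4,8.8.8.0/24' -> [4.4.4.4/32, 8.8.8.0/24]; single addresses become host routes."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in text.split(",") if p.strip()]


def parse_ports(text):
    """'22-23,6667,8080' -> {22, 23, 6667, 8080}; an empty field means every port counts."""
    ports = set()
    for part in (p.strip() for p in text.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port specification: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def is_whitelisted(ip, networks):
    """True when the address falls inside any whitelisted address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


@dataclass
class BehaviorPolicy:
    """Hypothetical model of the blacklist-related dialog fields."""
    identifier: str
    monitor_blacklisted_ips: bool = True
    whitelisted_ips: str = ""
    window: str = "10 minutes"
    threshold: int = 1
    blacklisted_ports: str = ""


@dataclass
class Flow:
    """One outbound connection attributed to a device (constructed record)."""
    device_mac: str
    dst_ip: str
    dst_port: int
    ts: datetime


def evaluate_blacklist_policy(policy, flows, blacklist, now):
    """Return {device_mac: hit_count} for devices whose blacklisted-host
    references within the window ending at `now` reached the threshold."""
    if not policy.monitor_blacklisted_ips:
        return {}
    window = parse_window(policy.window)
    allow = parse_networks(policy.whitelisted_ips)
    ports = parse_ports(policy.blacklisted_ports)
    counts = {}
    for flow in flows:
        if not (now - window < flow.ts <= now):
            continue  # outside the counting window
        if flow.dst_ip not in blacklist:
            continue  # destination is not a blacklisted host
        if is_whitelisted(flow.dst_ip, allow):
            continue  # whitelist entries are ignored even if blacklisted
        if ports and flow.dst_port not in ports:
            continue  # port is not one of the Blacklisted Ports
        counts[flow.device_mac] = counts.get(flow.device_mac, 0) + 1
    return {mac: n for mac, n in counts.items() if n >= policy.threshold}


# Policy built from the example values in the table.
POLICY = BehaviorPolicy(
    identifier="android_blacklisted",
    whitelisted_ips="4.4.4.4,8.8.8.0/24",
    window="10 minutes",
    threshold=1,
    blacklisted_ports="22-23,6667,8080",
)

# Constructed blacklist (documentation ranges) and a fixed evaluation time.
BLACKLIST = {"203.0.113.5", "198.51.100.9", "8.8.8.8"}
NOW = datetime(2020, 12, 1, 12, 0, 0)

# Constructed flow records, one per branch of the decision.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "203.0.113.5", 6667, NOW - timedelta(minutes=2)),  # hit
    Flow("aa:bb:cc:00:00:01", "8.8.8.8", 8080, NOW - timedelta(minutes=1)),      # whitelisted
    Flow("aa:bb:cc:00:00:02", "198.51.100.9", 443, NOW - timedelta(minutes=3)),  # port not watched
    Flow("aa:bb:cc:00:00:02", "198.51.100.9", 22, NOW - timedelta(minutes=30)),  # outside window
    Flow("aa:bb:cc:00:00:03", "203.0.113.5", 22, NOW - timedelta(minutes=1)),    # hit
]


def main():
    hits = evaluate_blacklist_policy(POLICY, SAMPLE_FLOWS, BLACKLIST, NOW)
    for mac, n in hits.items():
        print(f"security event: {mac} referenced {n} blacklisted host(s) within {POLICY.window}")


if __name__ == "__main__":
    main()
```

Run as a script it reports the two devices that reached the threshold of 1; raising the threshold to 2 reports none, since each device only touched one blacklisted host inside the 10-minute window. The whitelist check runs before the port check on purpose, so an address listed under Whitelisted IPs never counts regardless of port.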
Note: Creating or modifying a network behavior policy requires that the fingerbank-collector be restarted by using the

There are three internal security events that can be triggered by network anomaly detection:
The use of these triggers in security events is discussed in Security Events.
Copyright © 2020 Extreme Networks. All rights reserved. Published December 2020.