Configure WIPS Events

About this task

Use WIPS Events to configure events, filters, and threshold values for a WIPS policy.

Procedure

  1. Select Policies > WIPS.
  2. Select an existing policy from the WIPS policy list.
    The Basic dashboard opens.
  3. Select Events.

    The Excessive tab lists a series of events that can impact the performance of the network. An administrator can activate or deactivate the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action.

    An Excessive Action Event is an event where an action is performed repetitively and continuously. DoS attacks fall into this category. Use the Excessive Action Events table to select and configure the action taken when events are triggered.

    AP events can be globally activated and deactivated as required using the Status option.

  4. Set the configurations for the following Excessive Action Events:
    Setting: Description
    Name: Displays the name of the excessive action event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Status: Displays whether tracking is activated for each Excessive Action Event. Use the Status option to activate or cancel events as required.
    Filter Expiration: Set the duration, from 0 to 86,400 seconds, for which the anomaly-causing client is filtered. This creates a special ACL entry, and frames coming from the client are silently dropped. The default setting is 0 seconds. If a station is detected performing an attack and is filtered by one of the APs, the information is passed to the domain controller or service platform.
    Client Threshold: Set the client threshold from 0 to 65,535 seconds, after which the filter is triggered and an event is generated.
    Radio Threshold: Set the radio threshold from 0 to 65,535 seconds, after which an event is recorded to the events history.
  5. Select Save to update the excessive actions configuration used by the WIPS policy.
  6. Select MU Anomaly.
    The MU Anomaly Events list opens.
  7. Configure MU Anomaly Events.
    MU anomaly events are suspicious events caused by wireless clients that can compromise the security and stability of the network. Use the MU Anomaly Events dashboard to configure the intervals for which clients can be filtered upon the generation of each defined event.
    MU events can be globally activated and deactivated as required using the Status option.
    MU Anomaly Events configurations:
    Setting: Description
    Name: Displays the name of the MU anomaly event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.
    Status: Displays the status of the event and whether tracking is activated for each event. No event is selected by default. MU events can be globally activated and deactivated as required using the Status option.
  8. Select Save to update the MU Anomaly Events configuration.
  9. Select AP Anomaly to configure AP Anomaly Events.
    AP anomaly events are suspicious frames sent by neighboring access points. Use the AP Anomaly dashboard to determine whether an event is activated for tracking. AP events can be globally activated or deactivated as required using the Status option.
    AP Anomaly configurations:
    Setting: Description
    Name
    Status: Displays the status of the event and whether tracking is activated for each AP anomaly event. No event is selected by default. AP events can be globally activated and deactivated as required using the Status option.
    Filter Expiration: Use the spinner to set the filter expiration duration for the activated AP anomaly event, from 0 to 86,400 seconds.
  10. Select Save to update the AP Anomaly Events configuration.
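
An added example, not part of the vendor documentation: a Python check that audits a recorded WIPS events configuration against the ranges given in this procedure and flags events that are not tracked or whose Filter Expiration is still at the default of 0. The dictionary layout, the field names and the event names are assumptions made for illustration, not a vendor export format.

```python
# Added example. Field names and policy layout are assumptions, not a vendor format.
RANGES = {
    "filter_expiration": (0, 86400),  # Filter Expiration range from this page
    "client_threshold": (0, 65535),   # Client Threshold range from this page
    "radio_threshold": (0, 65535),    # Radio Threshold range from this page
}

# Constructed sample policy; the event names are placeholders.
SAMPLE_POLICY = {
    "excessive": {
        "placeholder-event-a": {"status": True, "filter_expiration": 0,
                                "client_threshold": 20, "radio_threshold": 40},
        "placeholder-event-b": {"status": True, "filter_expiration": 90000,
                                "client_threshold": 10, "radio_threshold": 70000},
        "placeholder-event-c": {"status": False, "filter_expiration": 300,
                                "client_threshold": 5, "radio_threshold": 10},
    },
    "ap_anomaly": {
        "placeholder-event-d": {"status": True, "filter_expiration": 600},
    },
}

def audit_policy(policy):
    """Return a sorted list of (tab, event, field, issue) findings."""
    findings = []
    for tab, events in policy.items():
        for name, cfg in events.items():
            # Range-check only the settings that are present for this event.
            for field, (low, high) in RANGES.items():
                if field not in cfg:
                    continue
                value = cfg[field]
                if isinstance(value, bool) or not isinstance(value, int):
                    findings.append((tab, name, field, "not an integer"))
                elif not low <= value <= high:
                    findings.append((tab, name, field, f"out of range {low}-{high}"))
            if not cfg.get("status", False):
                # Events are not selected by default, so an untracked event is worth listing.
                findings.append((tab, name, "status", "tracking not activated"))
            elif cfg.get("filter_expiration") == 0:
                findings.append((tab, name, "filter_expiration",
                                 "left at default 0, review"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```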