| author | 蒋维 <[email protected]> | 2021-09-18 16:54:46 +0800 |
|---|---|---|
| committer | 蒋维 <[email protected]> | 2021-09-18 16:54:46 +0800 |
| commit | 6a851d1243d7d6a7a2d3c7f07d127fc7bf7c9fda (patch) | |
| tree | 4fcf0b5c8e8e3eaacba0c77b18300563abca60bd | |
| parent | 9a78bcc03c5923113580276189ccae85d3b44c04 (diff) | |
09 log name change; remove the predefined apps appendix; add examples to the text.
| Mode | Path | Changes |
|---|---|---|
| -rw-r--r-- | TSG_Administrator's_Guide_Latest_EN.pdf | binary, 717519 -> 710570 bytes |
| -rw-r--r-- | TSG_Administrator's_Guide_Latest_EN.tex | 4 |
| -rw-r--r-- | content/Appendix_Best_Practices.tex | 12 |
| -rw-r--r-- | content/Appendix_Log_Fields_Description.tex | 4 |
| -rw-r--r-- | content/Getting_Started.tex | 6 |
| -rw-r--r-- | content/Monitoring.tex | 22 |
| -rw-r--r-- | content/Objects.tex | 18 |
| -rw-r--r-- | content/Policies.tex | 10 |
8 files changed, 50 insertions, 26 deletions
diff --git a/TSG_Administrator's_Guide_Latest_EN.pdf b/TSG_Administrator's_Guide_Latest_EN.pdf Binary files differindex 0068f46..ad195a1 100644 --- a/TSG_Administrator's_Guide_Latest_EN.pdf +++ b/TSG_Administrator's_Guide_Latest_EN.pdf diff --git a/TSG_Administrator's_Guide_Latest_EN.tex b/TSG_Administrator's_Guide_Latest_EN.tex index 645fa95..bac101c 100644 --- a/TSG_Administrator's_Guide_Latest_EN.tex +++ b/TSG_Administrator's_Guide_Latest_EN.tex @@ -120,8 +120,8 @@ \cleardoublepage \input{content/Appendix_Log_Fields_Description} % INCLUDE: Appendix_C \cleardoublepage -\input{content/Appendix_Predefined_Reports} % INCLUDE: Appendix_D -\cleardoublepage +%\input{content/Appendix_Predefined_Reports} % INCLUDE: Appendix_D +%\cleardoublepage \input{content/Appendix_TSG_Packet_Flow} % INCLUDE: Appendix_E \cleardoublepage \input{content/Appendix_Best_Practices} % INCLUDE: Appendix_F diff --git a/content/Appendix_Best_Practices.tex b/content/Appendix_Best_Practices.tex index b1a33b4..128df89 100644 --- a/content/Appendix_Best_Practices.tex +++ b/content/Appendix_Best_Practices.tex @@ -49,7 +49,7 @@ To improve your overall security posture, use the guidelines in this section to \item Specify the keywords you wish to monitor as matching criteria for Content field. \item Enable the policy and submit. \end{enumerate} - \item When the policy is matched, you can view Logs > Security Event Logs and see the mail content. + \item When the policy is matched, you can view Logs > Security Events and see the mail content. \end{enumerate} \end{description} 
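Review bot: in the TSG_Administrator's_Guide_Latest_EN.tex hunk the `\input` for Appendix_D is commented out rather than deleted, and the file it pulls in is `content/Appendix_Predefined_Reports`, while the commit message and the Policies.tex change in this same commit talk about removing the predefined applications appendix (referenced there as `Appendix B Predefined Application`); confirm that the intended appendix was dropped and that no other `\hyperlink{link:Appendix B Predefined Applications}` remains, since hyperref resolves a `\hyperlink` to a missing `\hypertarget` into a dead link without a build error. If the appendix is really gone, remove the two `%\input{content/Appendix_Predefined_Reports}` / `%\cleardoublepage` lines and the now-orphaned `content/Appendix_Predefined_Reports.tex` (the diffstat shows no deletion of it), and check whether the remaining appendices carry hard-coded letters that now skip one: Monitoring.tex still refers to `Appendix C Logs Fields Description` by letter.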
@@ -724,7 +724,7 @@ Customize a report to analyze endpoints access of specific Data Center. For exam \addcontentsline{toc}{subsection}{The 9$^{th}$: Endpoints Details Analysis for Intercept Action} \label{sec:appendix_f:report:9th} -Customize a report to analyze endpoints details of intercept action. For example, create a report to analyze Security Event Logs about multiple dimensional endpoints information. It will include 8 charts and tables, that display endpoints statistics details, including Top Client IP, Server IP, Internal IP, External IP (by Sessions with Bandwidth), Top Domain Distribution (by Sessions with Bandwidth), Top Domain Drilldown Internal IP (by Sessions), Top Domain Drilldown Server IP (by Bandwidth), Top Subscriber ID Drilldown Domain (by Sessions). With the help of this example, you can have a better understanding of the meaning of Drilldown table and bar charts and how to create them. +Customize a report to analyze endpoints details of intercept action. For example, create a report to analyze Security Events about multiple dimensional endpoints information. It will include 8 charts and tables, that display endpoints statistics details, including Top Client IP, Server IP, Internal IP, External IP (by Sessions with Bandwidth), Top Domain Distribution (by Sessions with Bandwidth), Top Domain Drilldown Internal IP (by Sessions), Top Domain Drilldown Server IP (by Bandwidth), Top Subscriber ID Drilldown Domain (by Sessions). With the help of this example, you can have a better understanding of the meaning of Drilldown table and bar charts and how to create them. \begin{description} \item[STEP 1.] Create 8 Datasets. Select \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}. Select the same \textbf{Log Type} for the 2 datasets: Security Event. 
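Review bot: the unchanged context line closing this hunk still reads `Create 8 Datasets. ... Select the same \textbf{Log Type} for the 2 datasets: Security Event.`; `the 2 datasets` contradicts the eight datasets the step creates and the sentence above that promises 8 charts and tables, so while this paragraph is being edited change it to `for all 8 datasets`. The rename also leaves the selector value `Security Event` (singular) right next to the new `Security Events` wording; if the Log Type drop-down in the UI now shows `Security Events`, update that value too.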
@@ -781,28 +781,28 @@ Customize a report to analyze endpoints details of intercept action. For example \begin{enumerate} \item Select Http.Domain as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Log ID; Label set to Sessions. - \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Event Logs with empty Domain. + \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Domain-by-Internal-IP-and-Sessions. \begin{enumerate} \item Select Http.Domain and Internal IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Log ID; Label set to Sessions. - \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Event Logs with empty Domain. + \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Domain-by-Server-IP-and-Bandwidth. \begin{enumerate} \item Select Http.Domain and Server IP as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Bytes Sent and Bytes Received; aggregate select sum; Label set to Bytes. - \item Specify \textbf{Filter}. Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Event Logs with empty Domain. + \item Specify \textbf{Filter}. 
Select Http.Domain as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain. \item Click \textbf{OK}. \end{enumerate} \item Create a Dataset with \textbf{Name} Security-Event-Top-Subscriber-ID-by-Website-Domains-and-Sessions. \begin{enumerate} \item Select Http.Domain and Subscriber ID as \textbf{Group by}. \item Specify the \textbf{Data Bindings}, add field, aggregate, and label. You can add multiple items for data bindings. Field select Log ID; Label set to Sessions. - \item Specify \textbf{Filter}. You can add multiple items. Select Http.Domain as Field; select notEmpty as Operator. Click add and select Subscriber ID as Field; select notEmpty as Operator. This configuration will exclude Security Event Logs with empty Domain and Subscriber ID. + \item Specify \textbf{Filter}. You can add multiple items. Select Http.Domain as Field; select notEmpty as Operator. Click add and select Subscriber ID as Field; select notEmpty as Operator. This configuration will exclude Security Events with empty Domain and Subscriber ID. \item Click \textbf{OK}. \end{enumerate} \end{enumerate} diff --git a/content/Appendix_Log_Fields_Description.tex b/content/Appendix_Log_Fields_Description.tex index 956b47f..fa2c0aa 100644 --- a/content/Appendix_Log_Fields_Description.tex +++ b/content/Appendix_Log_Fields_Description.tex @@ -16,8 +16,8 @@ it will display columns that the user has previously configured. The fields with \begin{longtable}{p{0.31\textwidth}|p{0.63\textwidth}} \rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Log Type}} & \textcolor{white}{Schema Type} \\\hline - Security Event Logs & All types \\\hline - Proxy Event Logs & Base, HTTP and DoH \\\hline + Security Events & All types \\\hline + Proxy Events & Base, HTTP and DoH \\\hline Session Records & All types except Radius \\\hline Radius Logs & Base and Radius \\\hline VoIP Records & Base, SIP and RTP \\ \hline 
diff --git a/content/Getting_Started.tex b/content/Getting_Started.tex index bef3111..95cb69d 100644 --- a/content/Getting_Started.tex +++ b/content/Getting_Started.tex @@ -183,7 +183,7 @@ Use the following workflow set up a very basic Security policy. This gives you a Then you can select the tag you just created from the list. \item (\textcolor{gold}{Optional})Specify \textbf{Effective Devices} by choosing Device Tags or leave the value empty, which means the policy is effective on all devices by default. \item (\textcolor{gold}{Optional})Select a \textbf{Schedule} or leave the value set to always. - \item Verify that \textbf{Log Session} is enabled. Only traffic that matches the Security policy rule will be logged in Security Event Logs. + \item Verify that \textbf{Log Session} is enabled. Only traffic that matches the Security policy rule will be logged in Security Events. \item (\textcolor{gold}{Optional})Enter a \textbf{Description} for the rule. \item Verify that Enabled is enabled. \item Click \textbf{OK}. @@ -198,7 +198,7 @@ Use the following workflow set up a very basic Security policy. This gives you a \item Click \textbf{Verify} to execute the \textbf{Security policy match} test. \end{enumerate} \item[STEP 3.] After the policy has been hit, view Logs to monitor the policy rule status and determine the effectiveness of the policy rule. - Select \textbf{Logs} > \textbf{Security Event Logs} and view relative information about the policy. + Select \textbf{Logs} > \textbf{Security Events} and view relative information about the policy. \end{description} 
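Review bot: the context shown in both hunk headers, `Use the following workflow set up a very basic Security policy`, reveals that the introductory sentence of this section is missing `to` (`Use the following workflow to set up ...`); since the file is already being touched, fix it here. In the `@@ -183` hunk the unchanged line `Verify that Enabled is enabled.` also reads awkwardly next to `Verify that \textbf{Log Session} is enabled`; `Verify that \textbf{Enabled} is selected.` is clearer and keeps the bold-field convention used on the surrounding lines.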
@@ -246,7 +246,7 @@ You can perform the following to set up a basic proxy policy. \\ \item Select the \textbf{Protocol} and \textbf{APP ID} from the drop-down. \item Click \textbf{Verify} to execute the Proxy Policy Match test. \end{enumerate} - \item[STEP 3.] Go to \textbf{Logs} > \textbf{Proxy Event Logs} and view \textbf{Logs} to monitor the policy rule status, verify if the proxy rule has been hit and determine the effectiveness of the policy rule. + \item[STEP 3.] Go to \textbf{Logs} > \textbf{Proxy Events} and view \textbf{Logs} to monitor the policy rule status, verify if the proxy rule has been hit and determine the effectiveness of the policy rule. \end{description} %\pdfbookmark[1]{Command Line Interface}{Command Line Interface} diff --git a/content/Monitoring.tex b/content/Monitoring.tex index 5144cf2..c61851a 100644 --- a/content/Monitoring.tex +++ b/content/Monitoring.tex @@ -75,10 +75,10 @@ Log records contain columns, which are properties, activities, or behaviors asso Each log type records information for a different event type. You can see the following 6 log types in the Log pages. -• Security Event Logs +• Security Events -• Proxy Event Logs +• Proxy Events • Session Records 
@@ -97,10 +97,10 @@ Each log type records information for a different event type. You can see the fo \addcontentsline{toc}{subsection}{Log Types} \label{sec:monitor:log:type} -Security Event Logs and Proxy Event Logs +Security Events and Proxy Events -• Security Event Logs and Proxy Event Logs data provides the ability to validate rule additions and rule changes and to monitor the time frame when a rule was used. The log gives you the information to determine whether a rule is effective for access enforcement. +• Security Events and Proxy Events data provides the ability to validate rule additions and rule changes and to monitor the time frame when a rule was used. The log gives you the information to determine whether a rule is effective for access enforcement. Session Records @@ -132,6 +132,12 @@ GTP-C Records Please refer to \hyperlink{link:Appendix C Log Fields Description}{\color{linkblue}{Appendix C Logs Fields Description}} for more details. + +DoS Events + + +• Dos Events provides detailed statistics on the detected Dos attacks. Currently supports DNS flood, TCP SYN flood, UDP flood and ICMP flood. You can view the Source Countries, Destination Countries, Start Time, End Time, Attack Type, Severity, Sessions/s, Packets/s, Bits/s, etc. + %\pdfbookmark[2]{View Logs}{View Logs} \subsection*{\hypertarget{link:View Logs}{View Logs}} \addcontentsline{toc}{subsection}{View Logs} 
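Review bot: the new `DoS Events` entry in the `@@ -132` hunk is inconsistent with the rest of the Log Types section: the heading spells it `DoS` but the bullet says `Dos Events` and `Dos attacks` (use `DoS` throughout), `Dos Events provides` should be `DoS Events provide`, and `Currently supports DNS flood, ...` has no subject (`Detection currently covers DNS flood, TCP SYN flood, UDP flood and ICMP flood.`). The `@@ -75` hunk above still states `You can see the following 6 log types in the Log pages` and its list does not include DoS Events, so either add it there and bump the count or say why it is not counted as a log type. The Log Type / Schema Type table in Appendix_Log_Fields_Description.tex, renamed in this same commit, also has no row for DoS Events; if DoS Events has its own schema, add it there as well.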
@@ -150,11 +156,11 @@ You can view the different log types on TSG in a tabular format. \item[STEP 3.] View additional details about log entries. \begin{enumerate} \item Click the \textbf{Log ID} for a specific log entry. The Detailed Log View has more information about the source and destination of the session, as well as a list of sessions related to the log entry. - \item (\textcolor{gold}{Optional})If you are viewing Security Event Logs and Proxy Event Logs, hover over the \textbf{Policy ID}, + \item (\textcolor{gold}{Optional})If you are viewing Security Events and Proxy Events, hover over the \textbf{Policy ID}, you can view the Policy Name, Action, Application, Destination, Source and Filter. Hover over the \textbf{Client IP} and \textbf{Server IP}, you can view the corresponding IP, Port, ASN and Location. - \item (\textcolor{gold}{Optional}) If you are viewing Radius Log, hover over the \textbf{Subscriber ID}, you can view Subscriber ID, related Security Event Logs and Session Records. - Hover over \textbf{Framed IP}, you can also view related Security Event Logs and Session Records. + \item (\textcolor{gold}{Optional}) If you are viewing Radius Log, hover over the \textbf{Subscriber ID}, you can view Subscriber ID, related Security Events and Session Records. + Hover over \textbf{Framed IP}, you can also view related Security Events and Session Records. \end{enumerate} \end{description} 
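Review bot: the unchanged line `If you are viewing Radius Log, hover over the \textbf{Subscriber ID}` uses `Radius Log`, while the Appendix C table changed in this commit lists the type as `Radius Logs`; since the point of this commit is to normalize log-type names, pick one form here too. The same line's `view Subscriber ID, related Security Events and Session Records` repeats `Subscriber ID` as something you see when hovering over the Subscriber ID; drop the first item.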
@@ -172,7 +178,7 @@ as a filter spotlights the particular rule you need to find without having to na TSG log filter supports search by multiple fields in AND/OR relation. You can perform exact match search and fuzzy search using Operators. To filter logs, follow these steps: \begin{description} - \item[STEP 1.] Select \textbf{Logs}. Select a log type from the list. For example, \textbf{Proxy Event Logs}. + \item[STEP 1.] Select \textbf{Logs}. Select a log type from the list. For example, \textbf{Proxy Events}. \item[STEP 2.] Select the time period picker. By default, it shows logs of \textbf{Last 1 hour}. \item[STEP 3.] Click \textbf{Add Filter} to add search term. The supported search fields are: Log ID, Policy ID, Subscriber ID, IMEI, IMSI, Phone Number, Client IP, Internal IP, Client Port, Server IP, Server Port, External IP, Action, Sled IP, Schema Type, Data Center, Application Label, FQDN Category, Session ID, TCP Client ISN, TCP Server ISN, Http.URL, Http.Domain, SSL.SNI and SSL. JA3 hash etc. diff --git a/content/Objects.tex b/content/Objects.tex index e995f9f..54a932f 100644 --- a/content/Objects.tex +++ b/content/Objects.tex 
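Review bot: the context line listing the supported search fields ends with `SSL.SNI and SSL. JA3 hash etc.`; the stray space after `SSL.` splits the field name, which should read `SSL.JA3` to match the `Http.URL` / `Http.Domain` / `SSL.SNI` style used in the same sentence. `etc.` after what looks like an exhaustive list is also ambiguous for a reference guide; either list all searchable fields or open the list with `including`.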
@@ -320,6 +320,24 @@ The following is a basic example of how to create a customized attribute. You can \textbf{Edit} or \textbf{Delete} your customized attributes and download the Uploaded File. +\subsection*{\hypertarget{link:Predefined Applications}{Predefined Applications}} +\addcontentsline{toc}{subsection}{Predefined Applications} +\label{sec:objects:application:predefined} + +TSG supports a variety of built-in protocols and Applications. When the application is identified, the policy check determines how to treat the application. You can view all the predefined applications in the web interface. + + +The following table list some examples of system built-in applications: + +\begin{longtable}{p{0.12\textwidth}|p{0.03\textwidth}|p{0.16\textwidth}|p{0.16\textwidth}|p{0.45\textwidth}} + \rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{\tabincell{l}{App\\ Name}}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{\tabincell{l}{App\\ ID}}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Category}} & \multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Subcategory}} & \textcolor{white}{Description} \\\hline + twitter & 503 & general-internet & internet-utility & Online microblogging service that enables its users to read and send text-based short messages.\\ \hline + teamviewer & 545 & networking & remote-access & TeamViewer is an application that enables a connection to a remote computer in order to perform maintenance operations. It is also possible to show the current display to a remote computer, to transfer files, and to create a VPN tunnel.\\ \hline + archive & 564 & general-internet & internet-utility & Archive.org is the site of the Internet Archive, a non-profit digital library offering free universal access to books, movies \& music, as well as more than 300 billion archived web pages.\\ \hline + qqlive & 585 & media & photo-video & QQLive is an application intended to watch TV in Peer-to-Peer mode. 
QQlive also classifies QQ live streaming on web browser\\ \hline + tango & 598 & collaboration & voip-video & Tango is an embedded smartphone application dedicated to audio/video-conference.\\ \hline +\end{longtable} + %\pdfbookmark[2]{Custom Application}{Custom Application} \subsection*{\hypertarget{link:Application Customization}{Application Customization}} \addcontentsline{toc}{subsection}{Application Customization} diff --git a/content/Policies.tex b/content/Policies.tex index 2d11ddf..ed72a11 100644 --- a/content/Policies.tex +++ b/content/Policies.tex 
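Review bot: in the Objects.tex hunk `The following table list some examples` should be `lists`, and the App ID column is declared as `p{0.03\textwidth}`, which is too narrow for three-digit IDs and will wrap or overflow at the guide's text width; widen it (for example `p{0.06\textwidth}`) and shrink the Description column by the same amount so the column widths still sum to the same total. The sentence `You can view all the predefined applications in the web interface` does not say where; give the menu path, which the Policies.tex hunk in this commit already spells as `\textbf{Objects} > \textbf{Applications}`. The qqlive row also mixes `QQLive` and `QQlive` in one cell, and since this subsection replaces the removed appendix, the hypertarget `link:Predefined Applications` it defines should be linked from the places that used to point at `Appendix B`.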
@@ -219,14 +219,14 @@ The Security policy rule construct permits a combination of the required and opt \rowcolor{black}\multicolumn{1}{l!{\color{white}\vrule width 0.5pt}}{\textcolor{white}{\begin{tabular}{l}Required/\\Optional\end{tabular}}} & \multicolumn{1}{l!{\color{white}\vrule width 0.5pt}}{\textcolor{white}{Field}} & \textcolor{white}{Description}\\\hline \multirow{3}{*}{Required} & Name & A label (up to 128 characters) that identifies the rule.\\ \cline{2-3} & Action & Specifies an Allow, Deny, Monitor or Intercept action for the traffic based on the criteria you define in the rule. For more details, see \hyperlink{link:Security Actions}{\color{linkblue}{Security Policy Actions}}. \\ \cline{2-3} - & Application & The application that you wish to control. It provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed. For more information, see \textbf{Objects} > \textbf{Applications} and \hyperlink{link:Appendix B Predefined Applications}{\color{linkblue}{Appendix B Predefined Application}}.\\ \hline + & Application & The application that you wish to control. It provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed. For more information, see \textbf{Objects} > \textbf{Applications}.\\ \hline \multirow{9}{*}{Optional} & Source & Define host IP addresses, address groups, Subscriber ID, IP Learning, or Geographic enforcement.\\ \cline{2-3} & Destination & The location or destination for the packet. Define host IP addresses, address groups, IP Learning, or Geographic enforcement.\\ \cline{2-3} & Filter & All web traffics are compared against the filtering, giving you a way to safely control how your users interact with online content. 
You will have Filter available when you select only one of the following protocols: HTTP, SSL, DNS, MAIL, FTP, QUIC and SIP in Applicationfield.\\ \cline{2-3} & Tag & A keyword or phrase that help you to identify the policy. \\ \cline{2-3} & Effective Devices & Select the devices that the security rule will be applied.\\ \cline{2-3} & Schedule & Schedule when (day and time) the security rule should be in effect. \\ \cline{2-3} - & Log Session & When enabled, traffic that match security policies will be logged in Security Event Logs. \\ \cline{2-3} + & Log Session & When enabled, traffic that match security policies will be logged in Security Events. \\ \cline{2-3} & Description & A text field, up to 1024 characters, used to describe the rule. \\ \cline{2-3} & Enabled & Only enabled policies will be enforced.\\ \hline \end{longtable} @@ -589,7 +589,7 @@ when connecting through your network, that they must use their browsers only. \item Click \textbf{Verify} to execute the \textbf{Security policy match} test. \end{enumerate} \item[STEP 15.] After the policy has been hit. View \textbf{Logs} to monitor the policy rule status and determine the effectiveness of the policy rule. - Select \textbf{Logs} > \textbf{Security Event Logs} and view relative information about the policy. + Select \textbf{Logs} > \textbf{Security Events} and view relative information about the policy. \end{description} You can view detailed information about the policy you just created. To edit and delete the policy, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. 
@@ -641,7 +641,7 @@ The Proxy Policy rule construct permits a combination of the required and option & Tag & A keyword or phrase that help you to identify the policy. \\ \cline{2-3} & Effective Devices & Select the devices that the security rule will be applied.\\ \cline{2-3} & Schedule & Schedule when (day and time) the security rule should be in effect. \\ \cline{2-3} - & Log Session & When enabled, traffic that match security policies will be logged in Security Event Logs. \\ \cline{2-3} + & Log Session & When enabled, traffic that match security policies will be logged in Security Events. \\ \cline{2-3} & Log Option & Metadata and All: Metadata only structured logs are recorded. All provides raw log files for some special log fields, such as content of HTTP request header or HTTP response content.\\ \cline{2-3} & Description & A text field, up to 1024 characters, used to describe the rule. \\ \cline{2-3} & Enabled & Only enabled policies will be enforced.\\ \hline @@ -804,7 +804,7 @@ For more details about how TSG process packet flow, please see \textbf{\hyperlin \item Click \textbf{Verify} to execute the \textbf{Proxy Policy Match} test. \end{enumerate} \item[STEP 15.] (\textcolor{gold}{Optional})After the policy has been hit. View \textbf{Logs} to monitor the policy rule status and determine the effectiveness of the policy rule. - Select \textbf{Logs} > \textbf{Proxy Event Logs} and view relative information about the policy. + Select \textbf{Logs} > \textbf{Proxy Events} and view relative information about the policy. \end{description} |
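Review bot: in the `@@ -219` and `@@ -641` hunks the Log Session row keeps `traffic that match security policies will be logged` (should be `traffic that matches`), and in the Proxy Policy table (`@@ -641`) the Effective Devices, Schedule and Log Session rows still describe `the security rule` and `security policies`, copied from the Security policy table; they should say proxy rule / proxy policies and, for Log Session, `Proxy Events`, which is the log type the `@@ -804` hunk's STEP 15 sends the reader to. In the Application row of `@@ -219` the removed Appendix B reference is replaced by `see \textbf{Objects} > \textbf{Applications}` only; if the new Predefined Applications subsection added to Objects.tex in this commit is the intended replacement, link to its `link:Predefined Applications` hypertarget here so the cross-reference is not lost.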
