13. Network & Policy » IP Zone
IP Zones are hierarchical, tree-like data structures that define the boundaries of the protected network and contain per-subnet settings. You must add all your network’s prefixes (IPs/IP blocks/subnets/ranges) to the IP Zones listed in Configuration » Network & Policy!
To add a new IP Zone, go to Configuration » Network & Policy » [+] and select [IP Zone]. You only need more than one IP Zone if you want to apply different per-subnet settings to different Sensors. If this is the case, it may be easier to open an existing IP Zone that already includes your IP address ranges and duplicate it from the Export menu by selecting its second option. The other options of the Export menu allow you to view the configuration of every prefix in a single window, to output the content in CSV format that can be parsed by scripts or imported into Excel, and to generate a backup file that can be imported into another Console or IP Zone.
The IP Zone Configuration window is divided into two vertical sections. The buttons that manage prefixes are located in the upper part of the left-hand section. When a new prefix is added, the tree below automatically updates itself. The section on the right-hand side contains panels with user-provided settings for the selected prefix.
To add prefixes, click on the Add Prefix(es) menu. You can then add IP addresses or IP blocks individually or in bulk, extract them from BGP or import them from a backup file. Another way to add prefixes is to use the REST API. When entering IP addresses or IP blocks, use the CIDR notation. To enter individual hosts, use the /32 CIDR mask for IPv4 and /128 for IPv6.
Every IP Zone contains the network 0.0.0.0/0. Because its CIDR mask is /0, this “supernet” includes all IP addresses available for IPv4 and IPv6. To simplify configuration, every new prefix that you define inherits by default the properties of the most specific prefix (the one with the longest CIDR mask) that includes it.
The Settings panel contains the following parameters:
● IP Group – You can enter a short description of the selected prefix, such as the name of the customer allocated to it. When you set the same value on multiple prefixes, you will be able to generate aggregated traffic reports. This combo box is editable, so you can enter a different value than the existing ones.
● IP Graphing – Set to Yes to permit graph data collection for every IP contained in the selected prefix. IP Graphing is always enabled for the subnets explicitly defined in the IP Zone. Do not enable this option on many/large subnets when not needed or without a performance impact assessment. The Graph IP Sweeps option from General Settings » Graphs & Storage can be used to prevent generating graph data for IPs that only receive traffic without sending traffic in return.
● IP Accounting – Set to Yes to permit the collection of daily accounting data for each IP contained in the selected prefix. IP Accounting is always enabled for the subnets explicitly defined in the IP Zone. Do not enable this option on many/large subnets when not needed or without a performance impact assessment.
The Inheritance column indicates whether the values were inherited from a less specific prefix or were locally defined.
The Storage Requirements column indicates the disk space needed by each Packet Sensor and Flow Sensor interface to store the generated data. Enabling IP graphing and IP accounting for very large prefixes (e.g., 0.0.0.0/0) might generate data that could overload the Console server and quickly fill up the disk space. The storage requirements for IP graph data can be estimated only when using RRDTool. For InfluxDB it is impossible to determine the disk space needed to store graph data over extensive periods of time.
The Profile Anomalies panel contains the Profiling Data parameter, which manages the detection of traffic anomalies by profiling the traffic behavior of the selected prefix:
● Inherit – The value is inherited from the parent prefix.
● No – Do not generate profiling data for the selected prefix.
● Subnet – Generate profiling data for all traffic received by the prefix as a whole.
● IPs – Use carefully, as it generates profiling data for every IP contained in the prefix. Enabling this option is not recommended for large subnets because it can overwhelm the I/O of the server and potentially generate false positives, because the traffic of single IPs is rarely predictable.
● Subnet + IPs – Activate both options from above.
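The inheritance rule described above (a new prefix takes its settings from the most specific prefix that contains it), the Inheritance column, and the Profiling Data choices can be modelled with a small longest-prefix-match lookup. The following is an added example written for this page, not code from the Console or its REST API; the `IPZone`, `PrefixSettings`, `parent_of` and `effective` names, the prefixes and the `Customer-A`/`Corp` group names are constructed for illustration. As in the manual, 0.0.0.0/0 is treated as the universal root that also contains IPv6 prefixes, which is why it is special-cased instead of relying on the version-specific containment check of Python's `ipaddress` module.

```python
import ipaddress
from dataclasses import dataclass, fields
from typing import Dict, Optional, Tuple

# The implicit supernet present in every IP Zone. The manual treats it as
# containing both IPv4 and IPv6 space, so it is handled as a special case
# below rather than through ipaddress' version-specific subnet_of() check.
ROOT = "0.0.0.0/0"

# Values of the Profiling Data parameter; None stands for "Inherit".
PROFILING_CHOICES = ("No", "Subnet", "IPs", "Subnet + IPs")


@dataclass
class PrefixSettings:
    """Per-prefix settings. A None field means 'Inherit' from a less specific prefix."""
    ip_group: Optional[str] = None
    ip_graphing: Optional[bool] = None
    ip_accounting: Optional[bool] = None
    profiling_data: Optional[str] = None

    def __post_init__(self) -> None:
        if self.profiling_data is not None and self.profiling_data not in PROFILING_CHOICES:
            raise ValueError(f"profiling_data must be one of {PROFILING_CHOICES}")


class IPZone:
    def __init__(self) -> None:
        # The root carries concrete defaults so every lookup resolves to a value.
        # Graphing/accounting/profiling are off at the root: enabling them on
        # 0.0.0.0/0 is exactly what the manual warns against.
        self.prefixes: Dict[str, PrefixSettings] = {
            ROOT: PrefixSettings(ip_group="", ip_graphing=False,
                                 ip_accounting=False, profiling_data="No")
        }

    def add_prefix(self, cidr: str, **local) -> str:
        # strict=True rejects entries with host bits set (e.g. 10.1.2.7/24),
        # the usual typo when a /32 or /128 host entry was intended.
        net = ipaddress.ip_network(cidr, strict=True)
        key = str(net)
        self.prefixes[key] = PrefixSettings(**local)
        return key

    def parent_of(self, cidr: str) -> Optional[str]:
        """Most specific prefix (longest CIDR mask) containing cidr, excluding cidr itself."""
        net = ipaddress.ip_network(cidr, strict=False)
        best, best_len = None, -1
        for key in self.prefixes:
            if key == str(net):
                continue
            if key == ROOT:
                contains, cand_len = True, 0
            else:
                cand = ipaddress.ip_network(key)
                contains = cand.version == net.version and net.subnet_of(cand)
                cand_len = cand.prefixlen
            if contains and cand_len > best_len:
                best, best_len = key, cand_len
        return best

    def effective(self, cidr: str) -> Dict[str, Tuple[object, Optional[str]]]:
        """Resolve each setting to (value, prefix it came from), walking up the tree."""
        key = str(ipaddress.ip_network(cidr, strict=False))
        if key not in self.prefixes:
            raise KeyError(f"{key} is not defined in this IP Zone")
        result: Dict[str, Tuple[object, Optional[str]]] = {}
        for f in fields(PrefixSettings):
            node: Optional[str] = key
            while node is not None:
                value = getattr(self.prefixes[node], f.name)
                if value is not None:
                    result[f.name] = (value, node)
                    break
                node = self.parent_of(node)
            else:
                result[f.name] = (None, None)  # only if the root were left on Inherit
        return result

    def inheritance_column(self, cidr: str) -> Dict[str, str]:
        """What the Inheritance column shows: 'local' or 'inherited' per setting."""
        key = str(ipaddress.ip_network(cidr, strict=False))
        return {name: ("local" if src == key else "inherited")
                for name, (_, src) in self.effective(cidr).items()}


def demo() -> IPZone:
    """Constructed sample zone: a /8 with a more specific /16 and a customer /24."""
    zone = IPZone()
    zone.add_prefix("10.0.0.0/8", ip_group="Corp", ip_graphing=False)
    zone.add_prefix("10.1.0.0/16", ip_graphing=True)
    zone.add_prefix("10.1.2.0/24", ip_group="Customer-A")
    zone.add_prefix("2001:db8::/32", profiling_data="Subnet")
    return zone


if __name__ == "__main__":
    z = demo()
    for name, (value, src) in z.effective("10.1.2.0/24").items():
        print(f"{name:14} = {value!r:14} (from {src})")
```

Running the block shows that 10.1.2.0/24 gets its IP Group locally, IP Graphing from 10.1.0.0/16 rather than from the less specific 10.0.0.0/8, and IP Accounting and Profiling Data from the root; the IPv6 prefix resolves to 0.0.0.0/0 as its parent, matching the manual's description of the supernet.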