Best Practices for Using Threat Protection Rules

The following are a few guidelines that you can use when enabling and configuring Infoblox threat protection rules:

  • Enable the alerting rules so that you receive warnings about possible threats. You can use a couple of these rules together with other rules to get alerts before taking action. For more information about these alert and pass rules, see TCP/UDP Flood.
  • Review the rules in each category so that you understand their functions before enabling them. For information about rule categories, see Filtering Order for Threat Protection Rules. A good approach is to enable rules category by category and then observe the impact on performance. Based on your observations, adjust the threshold parameters, such as “Packet per second,” to suit your security requirements.
  • Monitor unexpected hits on certain rules. These unexpected hits indicate that packets have not been filtered by the rules. You might disable rules that you have doubts about. You can configure rules in the following order and then adjust them accordingly to achieve optimal results: