Monitoring for the existence of prohibited traffic
In some cases, it is helpful to know whether traffic occurs for a certain protocol or destination at all. For instance, traffic to address 10.1.2.3 on ports 5000 through 5010 may indicate the existence of an online service that is prohibited in your organization. The traffic may be encrypted or otherwise unreadable, and logging every flow may create many incidents, so you might want to record only that it exists.
To record only the existence of traffic:
- Select System > Settings > Protocols from the navigation bar.
- Click Add Protocol.
- Enter a name for the protocol in the Name field.
- In the Recognition section of the page, enter the following information:

| Field name | Entry |
| --- | --- |
| Ports | 5000-5010 |
| IP | +,10.1.2.3/32,*;-,*,* |

- Click Save.
The new protocol appears at the end of the protocol list. You can use the new protocol in policies and report filters.
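The following is an added example, not the product's own code, showing how a recognition rule like the one above can be evaluated against flow records so that only the distinct destinations are reported rather than one incident per flow. The rule grammar is an assumption made here for illustration: clauses separated by `;`, each `<+|->,<CIDR or *>,<port or *>`, first match wins, `+` recognizes and `-` excludes; the flow records are constructed sample data.

```python
import ipaddress

# Assumed semantics of the IP entry "+,10.1.2.3/32,*;-,*,*":
# ';' separates clauses, each "<+|->,<CIDR or *>,<port or *>";
# the first matching clause decides, '+' = recognize, '-' = exclude.

def parse_ports(spec):
    """'5000-5010' -> (5000, 5010); a single port '443' -> (443, 443)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_ip_rule(spec):
    """Parse the IP entry into (recognize, network-or-None, port-or-None) clauses."""
    clauses = []
    for clause in spec.split(";"):
        sign, net, port = [part.strip() for part in clause.split(",")]
        clauses.append((
            sign == "+",
            None if net == "*" else ipaddress.ip_network(net, strict=False),
            None if port == "*" else int(port),
        ))
    return clauses

def recognized(flow, port_range, clauses):
    """True if the flow's destination falls in the port range and a '+' clause matches first."""
    dst, dport = ipaddress.ip_address(flow["dst"]), flow["dport"]
    if not (port_range[0] <= dport <= port_range[1]):
        return False
    for allow, net, port in clauses:
        if (net is None or dst in net) and (port is None or dport == port):
            return allow
    return False

def existence_report(flows, port_range, clauses):
    """Return the distinct (dst, dport) pairs recognized, not one event per flow."""
    seen = set()
    for flow in flows:
        if recognized(flow, port_range, clauses):
            seen.add((flow["dst"], flow["dport"]))
    return sorted(seen)

# Constructed sample flows: two repeats to the same service, one off-range port,
# and one to a different host that the '-' clause excludes.
FLOWS = [
    {"src": "192.168.1.10", "dst": "10.1.2.3", "dport": 5001},
    {"src": "192.168.1.10", "dst": "10.1.2.3", "dport": 5001},
    {"src": "192.168.1.11", "dst": "10.1.2.3", "dport": 5010},
    {"src": "192.168.1.12", "dst": "10.1.2.4", "dport": 5005},
    {"src": "192.168.1.12", "dst": "10.1.2.3", "dport": 5011},
]

if __name__ == "__main__":
    rule = parse_ip_rule("+,10.1.2.3/32,*;-,*,*")
    print(existence_report(FLOWS, parse_ports("5000-5010"), rule))
```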