Monitoring for the existence of prohibited traffic

In some cases it is helpful to know whether traffic occurs for a certain protocol or destination. For instance, traffic to address 10.1.2.3 on ports 5000 through 5010 may indicate the existence of an online service that your organization prohibits. The traffic may be encrypted or otherwise unreadable, and it may generate many incidents, so you might want to record only its existence.
To record only the existence of traffic:
  1. Select System > Settings > Protocols from the navigation bar.
  2. Click Add Protocol.
  3. Enter a name for the protocol in the Name field.
  4. In the Recognition section of the page, enter the following information:

     Field name    Entry
     Ports         5000-5010
     IP            +,10.1.2.3/32,*;-,*,*

  5. Click Save.
The new protocol appears at the end of the protocol list. You can use the new protocol in policies and report filters.
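The following is an added example, not code from the original documentation or from the product it describes. It shows what the Ports and IP recognition entries above amount to when applied to flow records, and how "recording only the existence" differs from raising one incident per flow: it keeps a single record per day and destination with a hit count. The rule syntax is not defined on this page, so the interpretation here is an assumption: the IP entry is a semicolon-separated list of rules of the form "<+|->,<address or CIDR>,<third field>", where "+" includes, "-" excludes, "*" is a wildcard, and the first matching rule wins; Ports is an inclusive "low-high" range. The flow records are constructed sample data.

```python
# Added example, not part of the original documentation and not the product's own
# code. The rule syntax below is an ASSUMPTION (the page does not define it):
#   IP entry   : ';'-separated rules "<+|->,<address or CIDR>,<third field>",
#                '+' = include, '-' = exclude, '*' = wildcard, first match wins.
#   Ports entry: inclusive "low-high" range (a single port is also accepted).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    timestamp: str  # ISO 8601 text; only the date part is used for grouping


def parse_ports(entry: str) -> range:
    """'5000-5010' -> range(5000, 5011); '443' -> range(443, 444)."""
    low, _, high = entry.partition("-")
    low_i = int(low.strip())
    high_i = int(high.strip()) if high else low_i
    return range(low_i, high_i + 1)


def parse_ip_rules(entry: str):
    """Parse the assumed IP rule list into (include?, network-or-None) pairs."""
    rules = []
    for raw in entry.split(";"):
        action, addr, _third = (part.strip() for part in raw.split(","))
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        rules.append((action == "+", net))
    return rules


def ip_matches(rules, ip: str) -> bool:
    """First rule whose network contains ip (or is '*') decides; no match = False."""
    address = ipaddress.ip_address(ip)
    for include, net in rules:
        if net is None or address in net:
            return include
    return False


def flow_matches(flow: Flow, ports: range, rules) -> bool:
    return flow.dst_port in ports and ip_matches(rules, flow.dst_ip)


def existence_report(flows, ports_entry: str, ip_entry: str) -> dict:
    """One record per (date, destination IP) that saw matching traffic, with a
    hit count, instead of one incident for every flow."""
    ports = parse_ports(ports_entry)
    rules = parse_ip_rules(ip_entry)
    seen: dict = {}
    for flow in flows:
        if flow_matches(flow, ports, rules):
            key = (flow.timestamp[:10], flow.dst_ip)
            seen[key] = seen.get(key, 0) + 1
    return seen


# Constructed sample flows (RFC 5737 test addresses for sources).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.1.2.3", 5002, "2024-01-01T10:00:00"),  # hit
    Flow("192.0.2.11", "10.1.2.3", 5010, "2024-01-01T11:00:00"),  # hit (upper bound)
    Flow("192.0.2.12", "10.1.2.3", 5011, "2024-01-01T11:05:00"),  # port out of range
    Flow("192.0.2.13", "10.1.2.4", 5005, "2024-01-01T12:00:00"),  # IP excluded by '-,*,*'
    Flow("192.0.2.10", "10.1.2.3", 5000, "2024-01-02T09:00:00"),  # hit, next day
]

if __name__ == "__main__":
    for (day, dst), hits in existence_report(
        SAMPLE_FLOWS, "5000-5010", "+,10.1.2.3/32,*;-,*,*"
    ).items():
        print(f"{day}: prohibited service seen at {dst} ({hits} flows)")
```

Running it yields two records (one per day for 10.1.2.3) rather than three incidents, and the flows to port 5011 and to 10.1.2.4 are ignored because the range and the explicit "-,*,*" catch-all rule exclude them. If your product's rule syntax differs from the assumption above, only parse_ip_rules needs changing; the existence-only aggregation is independent of it.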