Configuring adaptive response limits

Adaptive response limits allow administrators to specify rules based on combinations of data transfer amounts and/or the amount of time on the network, and then establish priorities so that different policies can be applied both before and after the limit is reached. This allows you to provide data transfer caps, throttle data transfer after a limit has been reached, or to throttle only particular types of traffic after the limit has been reached.

VERSION INFO

In 7.0.1 and above releases in the 7.0 firmware product line, the option to set Adaptive Response Limits is based on the amount of time a user is using the network.

To implement such policies, the following steps are required:

  1. Create a network objecta logical definition created and stored in the Exinda lilbrary, can represent any network component that defines what traffic is to be monitored.

    The source network object can either be a static network object, which includes one or more subnets, or the source network object can be a dynamic network objectnetwork objects automatically updated and maintained by the Exinda appliance mapped from an Active Directory group.

  2. Create an adaptive response limit object. The adaptive response limit object allows administrators to specify the traffic to monitor using a network object, and what data limit or time limit should be applied and for what period. The appliance then dynamically creates a new network object that keeps track of the IPInternet protocol addresses that have exceeded their limit. When a time limit is specified, the time is tracked in increments of 5 minutes and starts counting down from the first flowthe network traffic between network objects for a given user.

Adding a new AR limit.

  1. Create policies intended for the traffic matching the over-the-limit network object and policies intended for the traffic matching the source network object.

Ensure that the over-the-limit policy filters the traffic using the over-the-limit network object, and that the policy appears in the policy tree before the policies intended for the users who have not exceed their quota. Traffic attempts to match the policy tree nodes in a top-down order. Since IP addresses that have exceeded their quota will match either the destination or source network object, you need those that exceed their quota to be matched against the destination node first.

When creating the adaptive response limit object, you can create exceptions such that certain IP addresses, specified by one or more network objects, can be excluded from the limit rules. By editing the adaptive response limit object, you can specify which IP addresses are exempt from the rule. The exception network object can be internal or external. By creating an exception for an internal network object, those IP addresses will not have the limit applied to them. By creating an exception for an external network object, those IP addresses in the source network object will be excluded when they are conversing with an IP in the external exception network object.

You can also create an alert that sends an email to the Exinda Appliance email recipients when a specified quota threshold has been exceeded. The email will contain all the IP addresses that have exceeded the threshold. Note that the Info Emails checkbox must be checked for each recipient on the email configuration page.

To see examples, read Quota Enforcement in the Common Use Cases section.