Viewing Interaction Control rules in the table of allow rules

Interaction Control rules are displayed in the allow rules table in the Allow rules section of the application web interface. Interaction Control rules include the following types:

NIC rules based on Network Integrity Control technology.
CC rules based on Command Control technology.

To view relevant information about Interaction Control rules in the allow rules table, you can utilize the following capabilities:

Configure the display and order of columns in the rules table
To configure the settings for displaying the allow rules table:
1. In the Allow rules section, click the Customize table link to open the window for configuring how the table is displayed.
2. For the respective sides of network interactions, Side 1 and Side 2, select the information to display in the table. To do so, select one of the following options from the drop-down list for each side:
  - Address information. The table column displays only address information representing the side of network interaction.
  - Device names. Instead of address information corresponding to devices known to the application, the table column displays the names of these devices. All other address information is visibly displayed (for example, ranges of addresses).
3. Select the check boxes opposite the settings that you want to view in the table. You must select at least one setting.
  The following settings are available for selection:
  - Rule ID
    Unique ID of the rule
  - State (the icon)
    Current state of the rule (Enabled or Disabled).
  - Rule type.
    For Interaction Control rules, this indicates the technology of the rule (NIC or CC). The EVT type is indicated for rules that disable event registration.
  - Protocols/Commands
    For rules related to Network Integrity Control technology (NIC type) or rules that disable event registration (EVT type), this is the set of utilized protocols. For rules related to Command Control technology (CC type), this is the protocol and system commands. The protocols that are determined by the application based on the contents of network packets are italicized.
  - Side 1
    Device name/address information of one of the sides of network interaction. You can enable or disable the display of addresses and ports of address information by using the following settings:
    - MAC address
    - IP address
    - Port number
  - Side 2
    Device name/address information of the other side of network interaction. You can enable or disable the display of addresses and ports of address information by using the following settings:
    - MAC address
    - IP address
    - Port number
  - Comment
    Additional information about the rule.
  - Created.
    The date and time when the rule was created.
  - Changed.
    The date and time when the rule was last modified.
  - Origin.
    Information about the origin of the rule.
  - Rule in event.
    The name of the Process Control rule or Intrusion Detection rule that must be indicated in the event (for EVT rules).
  - Monitoring point
    The name of the monitoring point that must be indicated in the event (for EVT rules).
  - Event type
    ID and title of the event type (for EVT rules).
4. If you want to change the order in which columns are displayed, select the name of the column that needs to be moved to the left or right in the table and use the buttons containing an image of the up or down arrows.
  For the Side 1 and Side 2 columns, you can also change the order in which the address information is displayed for the sides of network interaction. To do so, select the value that you want to move to the left or right in the table and use the buttons containing an image of the up or down arrows.
The selected columns will be displayed in the allow rules table in the order you specified.
Filtering based on table columns
To filter rules by the Rule ID, Rule in event, or Event type column:
1. In the Allow rules section, click the filtering icon in the relevant column.
  The filtering window opens.
2. In the Including and Excluding fields, enter the values for rules that you want to include in the filter and/or exclude from the filter.
3. If you want to apply multiple filter conditions combined by the logical operator OR, in the filter window of the column click the Add condition button and enter the condition in the opened field.
4. If you want to delete one of the created filter conditions, in the filter window of the column click the icon.
5. Click OK.
To filter rules based on the State, Rule type, Origin or Monitoring point column:
1. In the Allow rules section, click the filtering icon in the relevant column.
  When filtering by state, rule type and origin, you can also use the corresponding buttons in the toolbar.
  
  The filtering window opens.
2. Select the check boxes opposite the values by which you want to filter events.
3. Click OK.
To filter rules by the Protocols/Commands column:
1. In the Allow rules section, click the filtering icon in the Protocols/Commands column.
  Filtering by the Protocols/Commands column is applied only for protocols. To filter rules based on the names of system commands (rules based on Command Control technology), you can use the rule search function.
  
  You will see a window containing the table of supported protocols displayed as a protocol stack tree. You can manage how tree elements are displayed by using the + and - buttons next to the names of protocols that contain protocols of subsequent layers.
  
  The table columns provide the following information:
  - Protocol – name of the protocol within the protocol stack tree.
  - EtherType – number of the next-level protocol within the Ethernet protocol (if the protocol has a defined number). It is displayed in decimal format.
  - IP number – number of the next-level protocol within the IP protocol (if the protocol has a defined number). It is indicated only for protocols within the IP protocol structure. It is displayed in decimal format.
2. If necessary, use the search field above the table to find relevant protocols.
3. In the list of protocols, select the check boxes opposite the protocols by which you want to filter events.
  If you select or clear the check box for a protocol that contains nested protocols, the check boxes for the nested protocols are also automatically selected or cleared.
4. Click OK.
To filter rules based on the Side 1 and Side 2 columns:
1. In the Allow rules section, open the Address information drop-down list.
  The filtering window opens.
2. Specify the necessary values in the following fields:
  - MAC address
  - IP address
  - Port number
3. Click OK.
To filter rules based on the Created or Changed column:
1. In the Allow rules section, click the filtering icon in the relevant column.
  The calendar opens.
2. In the calendar, specify the date for the start and end boundaries of the filtering period. To do so, select a date in the calendar (the current time will be indicated) or manually enter the value in the format DD-MM-YYYY hh:mm:ss. If you don't need to specify the date and time of the filtering period boundary, you can choose not to select a date or you can delete the current value.
3. Click OK.
Rule search
To find the relevant allow rules:

In the Allow rules section, enter your search query into the Rule search field. The search is initiated as you enter characters.

The allow rules table displays the rules that meet the search criteria.

A search is performed in all columns except the Rule ID, State, Rule type, Created, Changed, Origin and Monitoring point columns.
Resetting the defined filter and search settings
To reset the defined filter and search settings in the allow rules table:

In the toolbar in the Allow rules section, click the Default filter button (this button is displayed if search or filter settings are defined).
Sorting rules
To sort rules in the allow rules table:
1. In the Allow rules section, click the header of the column by which you want to sort.
  You can sort the rules table based on the values of any column except the Comment, Origin, Monitoring point or Event type columns.
2. When sorting rules by the Protocols/Commands, Side 1 or Side 2 column, in the drop-down list of the column header, select the setting by which you want to sort rules:
  - In the Protocols/Commands column, select the sorting settings: by protocol or by system command.
  - Depending on the values selected for display in the Side 1 or Side 2 columns, select the sorting settings: by MAC address, by IP address, or by port number.
3. If you need to sort the table based on multiple columns, press the SHIFT key and hold it down while clicking the headers of the columns by which you want to sort.
The table will be sorted by the selected column. When sorting by multiple columns, the rows of the table are sorted according to the sequence of column selection. Next to the headers of columns used for sorting, you will see icons displaying the current sorting order: in ascending order or descending order of values.
Updating the rules table
Allow rules may be modified on the Server while you are viewing the rules table. For example, the rules table becomes outdated if an application user in a different connection session changes rules or if the application optimizes the list of Interaction Control rules in learning mode.

To keep the table of allow rules up to date, you can enable automatic update of rules or manually update the table. During updates, all rules are reloaded from the Server.

To enable or disable automatic update of the allow rules table:

In the Allow rules section, use the Autoupdate toggle button.

When automatic update is enabled, the allow rules table is updated every five seconds.

To manually update the allow rules table:

In the Allow rules section, start an update of the rules table by clicking the Update link (this link is displayed on the right of the Autoupdate toggle button if the toggle button is switched off).

The allow rules table is reloaded from the Server.

Page top