
Web: Example for Configuring Artificial Intelligence Engine

Networking Requirements

On an enterprise campus network, a network administrator can configure the AIE function on the FW to understand how the network is operating and to detect abnormal behavior in a timely manner. When traffic matches a security policy that references the AIE profile, network-layer, transport-layer, and application-layer information about the traffic is collected and sent to the AIE of the FW for analysis and evaluation, in order to identify unknown threats and attacks on the network. After detecting a threat or attack, the FW sends a log to the administrator for further processing.

Figure 1 Application networking for artificial intelligence engine

Procedure

  1. Configure immediate update for the AIE database to improve the threat detection capability and efficiency of the FW. For details about how to configure immediate upgrade, see Updating the Artificial Intelligence Engine Database.
  2. Configure an IP address for each interface and add interfaces to security zones.
    1. Choose Network > Interface.
    2. Click corresponding to GE0/0/1 and set the parameters as follows.

      IP Address: 1.1.1.1
      Network Mask: 255.255.255.0
      Security Zone: untrust

    3. Click OK.
    4. Repeat the preceding steps to set the parameters for GE0/0/3.

      IP Address: 10.1.1.1
      Network Mask: 255.255.255.0
      Security Zone: trust

  3. Configure an AIE profile.
    1. Choose Object > Security Profiles > Artificial Intelligence Engine.
    2. Click Add and set the parameters in the AIE profile as follows.

    3. Click OK.
  4. Configure a security policy to allow Internet users to access the intranet. Reference the AIE profile configured in step 3 to detect unknown threats and attacks.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy and set the parameters as follows.

      Name: policy_to_Intranet
      Source Zone: untrust
      Destination Zone: trust
      Source Address/Region: 1.1.1.1/24
      Action: Permit
      Artificial Intelligence Engine: aie_profile

    3. Click OK.

Verification

After detecting threats on the network, the FW generates threat logs. The administrator can choose Monitor > Logs > Threat Logs to view threat logs of the advanced threat type, and then analyze the logs and block the threats. For example:

Configuration Scripts

#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
profile type aie name aie_profile
 description Artificial Intelligence Engine
 detection-engine dga enable 
 detection-engine cc enable
 detection-engine eca enable 
 detection-engine bruteforce enable
 detection-engine sql enable
#
security-policy
 rule name policy_to_Intranet
  source-zone untrust
  destination-zone trust
  source-address 1.1.1.0 mask 255.255.255.0
  profile aie aie_profile 
  action permit
#
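The script above inspects traffic only in rules that carry a `profile aie` line, so a permit rule added later without that reference passes untrust-to-trust traffic with no AIE analysis. The following added example (not part of the original page or of Huawei's tooling) audits an exported configuration for that gap. It assumes only the line syntax shown in the script above; the names `parse`, `audit`, and the rule `no_aie_rule` are hypothetical.

```python
import re

# Constructed sample in the page's script syntax; rule no_aie_rule is hypothetical.
SAMPLE = """\
profile type aie name aie_profile
 detection-engine dga enable
#
security-policy
 rule name policy_to_Intranet
  source-zone untrust
  destination-zone trust
  profile aie aie_profile
  action permit
 rule name no_aie_rule
  source-zone untrust
  destination-zone trust
  action permit
"""

def parse(config):
    """Return ({aie_profile: enabled engines}, {rule: {keyword: value}})."""
    profiles, rules, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if line in ("", "#"):
            cur = None  # "#" closes the current configuration view
        elif m := re.fullmatch(r"profile type aie name (\S+)", line):
            cur = profiles.setdefault(m.group(1), set())
        elif m := re.fullmatch(r"rule name (\S+)", line):
            cur = rules.setdefault(m.group(1), {})
        elif isinstance(cur, set):  # inside an AIE profile
            if m := re.fullmatch(r"detection-engine (\S+) enable", line):
                cur.add(m.group(1))
        elif isinstance(cur, dict):  # inside a security-policy rule
            key, value = re.fullmatch(r"(profile \S+|\S+) ?(.*)", line).groups()
            cur[key] = value
    return profiles, rules

def audit(config, src="untrust", dst="trust"):
    """Return (rule, reason) for permit rules src->dst lacking AIE inspection."""
    profiles, rules = parse(config)
    findings = []
    for name, r in rules.items():
        if (r.get("source-zone"), r.get("destination-zone"), r.get("action")) != (src, dst, "permit"):
            continue
        prof = r.get("profile aie")
        if prof is None:
            findings.append((name, "no AIE profile referenced"))
        elif not profiles.get(prof):
            findings.append((name, f"profile {prof} undefined or no engine enabled"))
    return findings
```

Calling `audit(SAMPLE)` reports `no_aie_rule` and leaves `policy_to_Intranet` unflagged, because that rule references a profile with at least one detection engine enabled.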
Copyright © Huawei Technologies Co., Ltd.