Managing mitigation actions
You can select one or more recommended mitigation actions to put into effect by making choices on the Mitigation Plan Detail page. Conversely, you can deactivate one or more mitigation actions by making selections on this page.
There are several ways to display the Mitigation Plan Detail page:
-
Go to the Administration > Mitigation > Plans and Actions page, select the Plans view, and search by host, event ID, or plan ID for the desired mitigation plan. On the list entry for the plan, click the Edit link.
-
On a Dashboard page that is displaying a Current Events dashboard widget, click the Ready link in the Mitigation plans column of the event you want to mitigate.
-
On an Event Details page, click the View mitigation plan link on the Summary tab. (This is not shown if automatic mitigation plan generation is disabled.)
-
On an Event Details page, click the event ID for an event you want to mitigate. This displays the Event Detail report. Click Mitigate on the Event Detail report.
All four of these links display the Mitigation Plan Detail page. The Migration Plan Detail page provides a summary of the plan and lists the mitigation actions. Mitigation actions are actions to block the traffic to and from specified hosts or groups of hosts.
The Actions taken section lists mitigation actions that have been put into effect. The Proposed actions section lists mitigation actions that the NetProfiler has proposed but which have not been put into effect.
The lists of hosts in the two sections provide the following information:
-
Host: Name of the host and host group whose traffic is to be blocked. You can right-click this entry to access a selection for running a traffic report for the host or host group.
-
Router: The router that the NetProfiler will use for mitigation. An inactive (gray) box indicates than router mitigation is not available.
-
Switch Port: The switch port that the NetProfiler will use for mitigation. An inactive (gray) box indicates than switch port mitigation is not available.
-
Affected Hosts: The number of hosts affected by the mitigation action. This number is linked to a page that lists the addresses of the hosts that the NetProfiler believes reside on the switch port that it has identified for the mitigation action. This provides an indication of how many other hosts may be affected when the specified switch port is shut down. Multiple hosts may be affected when the switch port is not directly connected to the host (e.g., it is connected to another switch).
-
Current: The current impact. This displays the number of peers hosts that this host has transmitted to or received from in the last minute and its traffic rate in packets per second for the last minute. The NetProfiler regularly updates these figures for all proposed actions. It updates about 2000 actions per minute.
-
History: The number of peers and packets per second of traffic reported for this host by the profile that was active at the time the host was added to the mitigation plan. This historical impact figure is not updated.
-
Comments: This displays notes that were added to the mitigation plan.
-
Actions: You can remove the proposed mitigation action against a host or host group from the mitigation plan by clicking Delete. The Actions taken section does not have an Actions column because mitigation actions must be deactivated before they can be deleted.
You can add a host to the mitigation plan by clicking Add Host and entering the address of the host. Additionally, you can click Recalculate to have the NetProfiler update its address and routing records immediately instead of at the next polling time.