SIGN:OUTBOUND-CONNECTIONS

In this section we will configure the outbound connections limit.

Guardian can detect a sudden increase of outbound connections from a specific learned source node. An alert is raised by default when 100 new outbound connections are observed over a 60-seconds interval.

By default, the detection is only performed when the node is being protected. Optionally, the detection can also be performed when the node is being learned.

Optionally, we can prevent the system from creating additional destination nodes in order to preserve resources. Such nodes creation limit is disabled by default.

Some of the configuration parameters listed below can be applied either globally or to individual nodes. The configuration of an individual node has higher priority and overrides the global configuration.

Perform detection when source node is being learned


Product	Guardian
Syntax	`conf.user configure vi outbound_connections_limit learning [true\|false]`
Description	Specify whether the detection has to be performed also when the source node is being learned or only when it is being protected. Select `true` for detection also when the source node is learned, or `false` for detection only when the source node is being protected. By default `false`.
Where	CLI
To apply	It is applied automatically

Enable/disable nodes creation limit


Product	Guardian
Syntax global	`conf.user configure vi outbound_connections_limit enabled [true\|false]`
Syntax individual node	`conf.user configure vi node <ip> outbound_connections_limit enabled [true\|false]`
Description	Enable (option `true`) or disable (option `false`) the destination nodes creation limit.
Parameters	`ip`: The IP of the source node
Where	CLI
To apply	It is applied automatically

Set connections count


Product	Guardian
Syntax global	`conf.user configure vi outbound_connections_limit connections <count>`
Syntax individual node	`conf.user configure vi node <ip> outbound_connections_limit connections <count>`
Description	Set the outbound connections limit, in number of connections.
Parameters	`ip`: The IP of the source node `count`: The amount of outbound connections from a node to be observed in order to trigger the detection (default: 100)
Where	CLI
To apply	It is applied automatically

Set observation interval


Product	Guardian
Syntax global	`conf.user configure vi outbound_connections_limit interval <value>`
Syntax individual node	`conf.user configure vi node <ip> outbound_connections_limit interval <value>`
Description	Set the outbound connections observation interval, in seconds.
Parameters	`ip`: The IP of the source node `value`: The time interval during which the new outbound connections are observed.
Where	CLI
To apply	It is applied automatically

For example, we can configure the outbound connections limit to prevent a source node from creating additional destination nodes when 70 outbound connections are observed during a 30-seconds interval with the following configuration commands:


 conf.user configure vi outbound_connections_limit enabled true
 conf.user configure vi outbound_connections_limit connections 70
 conf.user configure vi outbound_connections_limit interval 30