Configuring a Service Learning Task

You can configure a service learning task to learn TCP or UDP services that hit the traffic threshold within the specified duration, and select the manual or automatic application of learning results. If the automatic application is adopted, top N services with heaviest traffic on devices associated with the Zone can be added to the Zone automatically.

Prerequisites

The user-defined Zones have been added and IP addresses have been configured. For details, see Adding a Zone.
The basic policies of the Zone have been configured and deployed on the associated devices. For details, see Configuring a Defense Mode.
Devices associated with the Zone have been bound to collectors. For details, see Associating the Collector with the devices.

Context

To ensure accurate learning results, enable the service learning task when traffic of the Zone is normal.

Procedure

Choose Defense > Policy Settings > Zone.
Click the Zone's state in the Service Learning column.

Configure a service learning task. For parameters, see Table 1.

**Table 1** Parameters of configuring a service learning task
Parameter	Description	Value
Start Time	Indicates the time devices associated with the Zone start service learning.	The start time must be later than the time at which service learning is enabled.
End Time	Indicates the time devices associated with the Zone stop service learning.	The end time must be later than the start time.
Traffic Threshold	If traffic of the TCP or UDP service of an IP address exceeds the threshold, add the service to learning results.	-
Confirmation Method	Determines whether to automatically add service learning results to the service list of the Zone.	If Automatic confirmation is configured, select top N services with heaviest traffic in Automatic confirmation top N for automatic confirmation.

Click Start to enable the service learning task of the Zone.
After service learning is enabled, Learning status is displayed as Learning is in progress. You can click Stop to stop the service learning task.

NOTE:
Before you modify the parameters of the learning task, stop service learning first.

Result

With enabled service learning, if the traffic of a service in the Zone exceeds Traffic Threshold, the service is displayed in service learning results.

The format of the service name is service type-port number. The traffic volume reaches the upper limit of the service traffic.
If the confirmation mode of service learning is Automatic confirmation, the system automatically adds services in the learning results to the service policy of the Zone, including service names, protocol, ports, IP addresses, and associated devices. If services of the same type and port exist on the device associated with the service policy of the Zone, add learnt IP addresses to existing services.

Choose System > Log Management > System Logs. You can view log information about whether the automatic confirmation of service learning results succeeds. If the automatic confirmation succeeds, perform the following operations to view the services confirmed to the service policy.
1. Choose Defense > Policy Settings > Zone.
2. Click of the Zone.
3. On the Defense Policy tab page, you can view the services.
  
  Click of each service to modify the basic information and configure defense policies of the service. For parameters of the defense policies, see Configuring the Zone-based Defense Policy.

Follow-up Procedure

When the confirmation mode of service learning is Automatic confirmation, service learning results are automatically applied to the defense policy of the Zone. The settings take effect after they are deployed on devices. For details, see Deploying the Defense Policy.
When the confirmation mode of service learning is Manual confirmation, confirm service learning results manually. For details, see Applying Service Learning Results.