Miscellaneous tuning

Anomaly Shield tuning can be done in the ml.ini file and in the Security Gate Expert Settings.

The ml.ini file is the configuration file for the machine learning service. It is located under /opt/airlock/ml-service/conf/ml.ini and is well documented by comments within the file.
Security Gate Expert Settings can be set over the graphical UI in Section – Security Gate.

Example

Note that any changes in the ml.ini file require restarting the ml-service:

systemctl restart airlock-ml-service

Procedure-related prerequisites

See chapter-related prerequisites.

Instruction 1 – Change time to block for action Block IP

When a BLOCK_IP action is issued, the current IP is being blocked for a certain amount of time.

The block time can be set globally in seconds in the Expert Settings of Section – Security Gate.

Example

# Default time to block: 1 hour (3600 seconds) 
# set time to block to 30 minutes (1800 seconds) 
AnomalyShield.Block.SourceIp.TimeToBlock "1800"

Instruction 2 – Changing the number of ml-service processes

The number of processes may be changed at your discretion. By limiting the number of processes, the system load impact of the ml-service can be limited.

processes	The preset number of parallel processes `2`. This means the service may only utilize 2 CPU cores by default. Note that limiting the number of concurrent processes is a measure to keep enough CPU resources available for general request processing at all times. However, on a large system with many CPU cores, it may be advisable to increase the number accordingly.

Instruction 3 – Changing the quota for ColdDB

The cold_db_max_bytes settings may be changed at your discretion.

cold_db_max_bytes	The preset quota setting for the ColdDB is `3GB`. It may be increased if the default quota does not suffice. Note that a reduction of the ColdDB space should not be considered on production systems.